App Security Still Dogs Developers, End-User Organizations

Lots of re-used code, cost pressures and long lead times for application software all lead to porous security where application software is concerned, says Chris Eng, Chief Research Officer for Veracode. But an emerging role he calls a "security champion" can help circumvent those problems and make apps safer for everyone.

VMware Plans $2.1bn Carbon Black Acquisition

VMware Plans $2.1bn Carbon Black Acquisition

Carbon Black has announced a definitive agreement to merge with VMware, with the virtualization company paying around $2.1bn for the endpoint protection vendor.

With a view to create a “highly differentiated, intrinsic security cloud,” the deal will see VMware be better positioned to better protect enterprise workloads and clients through Big Data, behavioral analytics and AI.

“By bringing Carbon Black into the VMware family, we are now taking a huge step forward in security and delivering an enterprise-grade platform to administer and protect workloads, applications and networks,” said Pat Gelsinger, CEO, VMware.

The combination of Carbon Black’s solutions with VMware’s security offerings, including AppDefense, Workspace ONE, NSX and SecureState, will create a modern security cloud platform for any application, running on any cloud, on any device, the company said. “This combined offering will provide customers advanced threat detection and in-depth application behavior insight to stop sophisticated attacks and accelerate responses,” a statement read.  

Patrick Morley, CEO of Carbon Black, said in a blog post that this was “a massive opportunity” as there is an “opportunity here for Carbon Black to truly disrupt the security industry — and ultimately help more customers stay safe from cyber-attacks.”

Morley added: “VMware has a vision to create a modern security platform for any app, running on any cloud, delivered to any device – essentially, to build security into the fabric of the compute stack. Carbon Black’s cloud-native platform, our ability to see and stop attackers by leveraging the power of our rich data and behavioral analytics, and our deep cybersecurity expertise are all truly differentiating. As a result, VMware approached Carbon Black to deliver on this vision.

“Our product strategy stays the same. Our roadmap stays the same. Our customer support stays the same. The entire product portfolio, cloud and on-premises, is included in the merger – now backed by the extensive global footprint and GTM resources from VMware. In fact, the plan is to invest more aggressively in Carbon Black and leverage our combined strengths to accelerate our growth and execute our vision for our customers.”

Carbon Black will exist as an independent business unit within VMware, and become VMware’s Security Business Unit. Launched in 2007 as Bit9, the company was known as Bit9 & Carbon Black after it acquired Carbon Black in February 2014, and officially assumed the company name Carbon Black in February 2016.

Massachusetts General Hospital Warns of Privacy Incident

Massachusetts General Hospital (MGH) announced that it learned of a privacy incident involving its Department of Neurology. MGH said that it learned on 24 June 2019 of an instance where someone gained unauthorized access to databases related to two computer applications used by its Neurology Department for research studies. Upon taking a closer look, MGH […]… Read More

The post Massachusetts General Hospital Warns of Privacy Incident appeared first on The State of Security.

License Plate "NULL"

There was a DefCon talk by someone with the vanity plate "NULL." The California system assigned him every ticket with no license plate: $12,000.

Although the initial $12,000-worth of fines were removed, the private company that administers the database didn't fix the issue and new NULL tickets are still showing up.

The unanswered question is: now that he has a way to get parking fines removed, can he park anywhere for free?

And this isn't the first time this sort of thing has happened. Wired has a roundup of people whose license places read things like "NOPLATE," "NO TAG," and "XXXXXXX."

South Korea Exits Japanese Intel-Sharing Agreement

South Korea Exits Japanese Intel-Sharing Agreement

The South Korean government has said it will end a crucial intelligence-sharing arrangement with Japan, as a trade dispute between the two wartime foes deepens.

Kim You-geun, deputy director of the presidential National Security Council, said the move was a response to Tokyo’s decision to remove South Korea’s fast-track export status earlier this month.

“Under this situation, we have determined that it would not serve our national interest to maintain an agreement we signed with the aim of exchanging military information which is sensitive to security,” he reportedly told a news conference.

The General Security of Military Information Agreement (GSOMIA) was due for automatic renewal on Saturday. It enables the two Asian giants to directly share vital intelligence on North Korea’s nuclear and missile program.

In response, Japanese defense minister, Takeshi Iwaya has criticized Seoul for conflating trade and security matters.

“North Korea’s repeated missile tests threaten national security and cooperating between Japan and South Korea and with the US is crucial,” he’s reported to have said. “We strongly urge them to make a wise decision.”

Bilateral relations between the countries started to deteriorate after a South Korean court ruled last year that Japanese companies like Mitsubishi must pay compensation for their use of forced labor during Japan’s occupation of the country from 1910-45.

Japan seemed to respond by placing restrictions on the materials needed by South Korean chip-makers like Samsung to build semiconductors. Seoul came back tit-for-tat by removing Japan from a whitelist of trusted trade partners.

Commentators have argued that the spat has worrying echoes of American policy under the Trump administration: more focused on country first at the expense of vital security partnerships on the world stage.

The news could not come at a worse time, given the growing might of China in the region and its burgeoning military alliance with Russia, as well as the continued threat from North Korea.

There is an increasingly cyber-focused dimension to military alliances and warfare today. In 2017, NATO confirmed it was establishing cyber as a legitimate military domain in light of the North Korean WannaCry and Russia NotPetya attacks.

Crypto Exchange bitFlyer Adds Ethereum to Buy/Sell Platform

Crypto Exchange bitFlyer Adds Ethereum to Buy/Sell Platform

Cryptocurrency exchange bitFlyer has announced that it is adding Ethereum (ETH) to its Buy/Sell trading platform.

BitFlyer Buy/Sell users in Europe and US will now be able to send and receive ETH while ensuring they adhere to the robust regulatory standards bitFlyer guarantees for Bitcoin (BTC) transactions.

Andy Bryant, co-head and COO, bitFlyer Europe, said: “At bitFlyer, we want to offer not just the most popular coins, but the most respected ones too, which makes ETH a logical choice to expand our service offering. Not only has ETH proved itself as a useful altcoin, particularly in relation to smart contracts, it has an incredibly strong community that surrounds it. We’re committed to offering the best customer experience whilst prioritizing security and regulatory standards, and we’re proud to say Buy/Sell now offers this capability with ETH.”

Hailey Lennon, head of legal and regulatory affairs at bitFlyer USA, explained that crypto-regulation is evolving, and bitFlyer works to ensure that everything listed on its exchange complies with the global regulatory standards. “We’re excited for today’s announcement, adding Ether to our growing portfolio of coins with NYDFS approval, and we’re looking forward to launching more coins in the coming months,” she added.

bitFlyer is the only cryptocurrency exchange to be licensed in Japan, the US and Europe combined.

Ukrainian Nuke Plant Workers Tried to Mine Cryptocurrency

Ukrainian Nuke Plant Workers Tried to Mine Cryptocurrency

Ukrainian security service (SBU) agents have arrested several nuclear power plant employees in the country after they misguidedly tried to use their facility’s IT systems to mine for cryptocurrency.

Local media reports this week said the incident occurred on July 10 at the plant in Yuzhnoukrainsk in the south of the country.

The workers are said to have hooked up a supercomputer, which was kept air-gapped at the power plant, to the internet. In so doing, it’s claimed they unwittingly disclosed information on the physical security measures in place at the nuclear facility, which is a state secret.

The SBU officers seized unauthorized computer equipment which had been used to build a separate LAN designed to mine for cryptocurrency.

They reportedly took six Radeon RX 470 video cards, extension cords and cabling, various switches, a motherboard, a USB flash drive, a hard drive and even the metal frame on which was mounted the other items.

Equipment was also seized after separate searches were carried out at other parts of the facility, including premises used by a Ukrainian military unit stationed there.

This isn’t the first time such an incident has been discovered. In February 2018 it emerged that engineers at the Russian Federal Nuclear Center had been arrested for trying to mine Bitcoin with one of the country’s largest supercomputers.

“This is a great example of 'trust but verify',” argued Phil Neray, VP of industrial cybersecurity at CyberX. “Even with the strictest policies and regulations in the world, it's all theoretical if you aren't continuously monitoring for unusual or unauthorized activity.”

The news comes as new research from Kaspersky this week revealed human error was behind over half (52%) of cybersecurity incidents detected by the AV vendor in industrial environments last year.

City of London Hit by One Million Cyber-Attacks Per Month

City of London Hit by One Million Cyber-Attacks Per Month

The City of London Corporation has suffered nearly one million cyber-attacks each month for the first quarter of 2019, according to Freedom of Information (FOI) data obtained by Centrify.

The security vendor wanted to find out more about the cyber-risks facing the local authority, which governs the part of the capital housing much of the UK’s financial center.

It found that the governing body was hit by nearly 2.8 million attacks in the first three months of the year: an average of 927,000 per month. That’s up significantly (90%) from the 489,000 per month recorded in April-December 2018.

In total, the City of London suffered 7.2 million attacks from April 2018 to March 2019, of which, the vast majority (6.9 million) were classed as spam.

The second highest category was “spoof mail,” at 244,293 attacks — presumably related to phishing attempts. There were also 17,556 detections of “top malware.”

The findings could either be interpreted as a worrying rise in attacks, or proof that detection methods are getting better.

As well as 10,000 residents, the City of London welcomes millions of annual tourists thanks to attractions like the Tower of London and hundreds of thousands of daily commuters who work in one of the world’s biggest financial hubs.

“The high volume of sensitive public information contained within the systems and databases of organisations like the City of London Corporation make it a top target for cyber-criminals. Malicious email scams such as phishing and malware attacks form a substantial part of the wider cyber threat facing councils across the country, in London and beyond,” warned Centrify VP, Andy Heather.

“With so many attacks taking place every day, it’s vital that all organizations adopt a zero trust approach to user activity, to prevent hackers gaining access to council systems using legitimate log-in details that may have been stolen or purchased on the dark web.”

In 2016 it emerged that the City was being hit by more ransomware attacks than many countries.

Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency

The Ukrainian Secret Service is investigating the case of employees at a nuclear power plant that connected its system online to mine cryptocurrency.

The Ukrainian Secret Service (SBU) launched an investigation after employees at a local nuclear power plant connected some systems of the internal network to the Internet to mine cryptocurrency.

The incident was first reported by the Ukrainian news site UNIAN.

Nuclear power plants are critical infrastructure, such kind of incident could potentially expose high-sensitive information.

The security incident has happened in July at the South Ukraine Nuclear Power Plant at Yuzhnoukrainsk, in the south of the country.

On July 10, agents of the SBU raided the nuclear power plant and discovered the equipment used by the employees to mining cryptocurrency.

The equipment was discovered present in the power plant’s administration offices.

The Ukrainian authorities are currently investigating if any attackers may have had access to exposed systems to information that could threaten national security.

The SBU seized equipment composed of two metal cases containing that included coolers and video cards (Radeon RX 470 GPU), computer components commonly used in mining factories.

“Further, the SBU also found and seized additional equipment[12] that looked like mining rigs in the building used as barracks by a military unit of the National Guard of Ukraine, tasked with guarding the power plant.” reported ZDnet.

The authorities have charged several employees, but at the time, none was arrested.

In February 2018, a similar incident took place in Russia. Russian authorities arrested some employees at the Russian Federation Nuclear Center facility because they were suspected of trying to use a supercomputer at the plant to mine Bitcoin.

In April 2018, an employee at the Romanian National Research Institute for Nuclear Physics and Engineering an employee abused institute’s electrical network to mine cryptocurrency.

Pierluigi Paganini

(SecurityAffairs – nuclear power plant, hacking)

The post Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency appeared first on Security Affairs.

Cisco warns of the availability of public exploit code for critical flaws in Cisco Small Business switches

Cisco provided updates for security advisories for three flaws affecting Cisco Small Business 220 Series Smart Switches patched in early August.

Cisco has updated security advisories for three vulnerability in Cisco Small Business 220 Series Smart Switches that have been patched in early August. The three vulnerabilities were reported by the security researcher Pedro Ribeiro, aka ‘bashis‘, via Cisco’s VDOO Disclosure Program.

According to the Cisco Product Security Incident Response Team (PSIRT), public exploit code for these flaws is available online.

Cisco Small Business 220 Series Smart Switches

One of the vulnerabilities is critical remote code execution tracked as CVE-2019-1913, an attacker could exploit this flaw to execute arbitrary code with root privileges on the underlying operating system.

“Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.” reads the security advisory.

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.

Another flaw is an authentication bypass security flaw tracked as CVE-2019-1912 that resides in the web management interface of Cisco Small Business 220 Series Smart Switches. The flaw could be exploited by an attacker to modify the configuration of an affected device or to inject a reverse shell.

“A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.” reads the security advisory.

“The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell.”

The third flaw is a command injection vulnerability tracked as CVE-2019-1914 that could be exploited by an authenticated, remote attackers launch a command injection attack.

The good news is that Cisco is not aware of attacks exploiting the above issues.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code. Cisco PSIRT is not aware of malicious use of the vulnerability that is described in this advisory.” states Cisco.

Cisco also released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS) and Integrated Management Controller (IMC).

Also for these flaws, Cisco confirmed it is not aware of attacks in the wild that have exploited them.

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business, hacking)

The post Cisco warns of the availability of public exploit code for critical flaws in Cisco Small Business switches appeared first on Security Affairs.

VMware acquires Carbon Black

VMware and Carbon Black announced that the companies have entered into a definitive agreement by which VMware will acquire Carbon Black in an all cash transaction for $26 per share, representing an enterprise value of $2.1 billion. Following the close of the transaction, VMware will be positioned to provide a highly differentiated, intrinsic security cloud that will better protect enterprise workloads and clients through big data, behavioral analytics and AI. Carbon Black is a leading … More

The post VMware acquires Carbon Black appeared first on Help Net Security.

Quantum computing: The new moonshot in the cyber space race

In 2016, China launched Micius, the world’s first quantum communications enabled satellite. For some, that launch eerily echoed the launch of the Soviet Union’s Sputnik satellite in 1957, which caught the United States off guard and spurred a decades-long contest to regain and maintain global technological and military supremacy. The parallel wasn’t lost on the Chinese. Jian-Wei Pan, the lead researcher on the Micius project, hailed the start of “a worldwide quantum space race.” Indeed, … More

The post Quantum computing: The new moonshot in the cyber space race appeared first on Help Net Security.

What You Need to Know About Cloud Forensics

Cloud computing has transformed the IT industry because services can now be deployed for a fraction of the time. Large cloud computer companies such as Amazon Web Services (AWS), Google Cloud and Microsoft Azure have been spawned by scalable computing solutions. By clicking a button, employees can build or reset a whole computer infrastructure in three different cloud-based models: SaaS software, PaaS and Service Infrastructure (IaaS). These models are three unique challenges to conduct forensic cloud research.

Cloud Computing

Service Models The owner is responsible for all services from networking equipment to the application itself with traditional IT services. Cloud Computing offers these SaaS, PaaS and IaaS solutions to improve the efficiency of computer deployment and management.

Let’s take a closer look at each of these models below.


Partly the operating system and all middleware, runtime, data and applications in cloud computing IaaS environments are the responsibility of the owner. However, the Cloud Provider manages the deployment of the operating system, virtualisation and all hardware, storage and networking equipment for the customer. This model gives the customer the most control over the underlying computing infrastructure. Examples of IaaS include the creation of AWS Elastic Computing Cloud (EC2), Digital Ocean and Rackspace hosts.


PaaS’s responsibility for cloud computing resources is less inclusive. The owner is only responsible for data and apps, but not the key cloud infrastructure, including network, servers, operating systems and storage. This service model is used primarily by applications or software developers. AWS Elastic Beanstalk, Windows Azure and Apache Stratos are examples of PaaS.


SaaS is an all-inclusive cloud hosting environment where the application owner provides a cloud provider with the application and is hosted and administered completely by the cloud service provider. Google Apps, Dropbox and Slack are examples of SaaS. The Cloud Service Provider (CSP) is in full use of these applications and users use the applications largely through a web browser.

Cloud computing and forensics

CSPs are responsible for forensic issues, which are unique to cloud computing. Cloud forensics is a subset of digital forensics that is based on a unique approach to cloud research. CSPs have client data hosting servers worldwide. When there is a cyberincident, law and the laws governing the region pose unique challenges. A court order issued in a jurisdiction in which a data center resides is unlikely to apply to a different host in another country. In modern CSP environments, the customer can select the region in which the data is to be located and carefully selected.

An investigator’s main concern is to ensure that digital evidence is not manipulated by third parties so that it can be accepted at the Court of Justice. In the PaaS and SaaS service models, customers must have access to the logs from the cloud service providers, because they have no hardware control. In some cases, CSPs sometimes intentionally hide customer log details. In other cases, CSPs have policies that do not provide log collection services.

In a cloud environment, maintaining a custody chain is very difficult compared to a traditional forensic environment. In traditional forensics the internal security team can check who performs forensic operations on a machine, while the security team in cloud forensics has no control over the CSP. If they are not trained by a forensic standard, the custody chain can not be held in a court of law.


There are three service models in cloud computing and at least three cloud forensic challenges. Each level of cloud computing service model shares part responsibility with the provider of cloud services. This relationship presents unique challenges in conducting investigations of cloud forensics since any mistake can prevent evidence from being admissible in a court of law.

Since cloud servers can be hosted in several countries, there may also be forensic data. This presents legal jurisdiction challenges. Cloud-based services providers do not always work in your favour, as you cost them time and money for issues which are less relevant to them. These challenges are unique to the cloud forensics subgroup.

Also Read,

Know the Role of Data Forensics

Windows-based Forensic Tools Available for Everyone

An Introduction to Computer Forensics | Digital Forensics

The post What You Need to Know About Cloud Forensics appeared first on .

Facebook phishing surges, Microsoft still most impersonated brand

Vade Secure published the results of its Phishers’ Favorites report for Q2 2019. According to the report, which ranks the 25 most impersonated brands in phishing attacks, Microsoft was by far the top target for the fifth straight quarter. There was also a significant uptick in Facebook phishing, as the social media giant moved up to the third spot on the list as a result of a staggering 176 percent YoY growth in phishing URLs. … More

The post Facebook phishing surges, Microsoft still most impersonated brand appeared first on Help Net Security.

Should you block newly registered domains? Researchers say yes

7 out of 10 newly registered domains (NDRs) are either malicious, suspicious or not safe for work, say Palo Alto Networks researchers, and advise organizations to block access to them with URL filtering. “While this may be deemed a bit aggressive by some due to potential false-positives, the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs are allowed, then alerts should be set up for additional visibility,” … More

The post Should you block newly registered domains? Researchers say yes appeared first on Help Net Security.

New infosec products of the week: August 23, 2019

YubiKey 5Ci: First security key designed with both USB-C and Lightning connectors This unique dual-connector functionality makes the YubiKey 5Ci the perfect solution for consumers or enterprises looking for strong hardware-backed authentication across iOS, Android, MacOS, or Windows devices. The YubiKey 5Ci is available at a retail price of $70 USD. 400G Triton cyber warfare simulation tool can replicate any attack Mimicking attacks from all over the world, Triton 400 utilizes a comprehensive understanding of … More

The post New infosec products of the week: August 23, 2019 appeared first on Help Net Security.

New cross-industry consortium aims to accelerate confidential computing adoption

The Linux Foundation announced the intent to form the Confidential Computing Consortium, a community dedicated to defining and accelerating the adoption of confidential computing. Companies committed to this work include Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent. What is confidential computing? Across industries computing is moving to span multiple environments, from on premises to public cloud to edge. As companies move these workloads to different environments, they need protection … More

The post New cross-industry consortium aims to accelerate confidential computing adoption appeared first on Help Net Security.

Cloud Services Require a Shift in Security Strategy

End-user organizations have their security management tools, but so do cloud service providers, and that forces some hard questions about whose tools will be used to keep everything locked down, says Jesse Rothstein, CTO and Co-Founder of ExtraHop. And he makes the case that better data hygiene can help decrease the chances of a breach.

Regular User Training Most Effective Security Antidote

Social engineering remains the top vulnerability organizations face because humans remain the easiest way to access networks or databases, says Stu Sjouwerman, Founder and CEO of KnowBe4. Regular training sessions coupled with creation of a "human firewall" remain the most effective protections against social engineering and phishing, he adds.

AttackIQ automates the evaluation of Microsoft Defender ATP

AttackIQ, a leader in the continuous security validation market to help organizations achieve cyber resiliency, announced the integration of its AttackIQ Platform with Microsoft Defender Advanced Threat Protection (ATP) to help joint customers and prospects validate the configuration and security coverage provided by the most widely deployed operating system in the world. In addition to the integration, AttackIQ is helping to validate Microsoft Defender ATP in Microsoft’s pre-sales engagements on account of AttackIQ’s differentiated open … More

The post AttackIQ automates the evaluation of Microsoft Defender ATP appeared first on Help Net Security.

SafeGuard Cyber can now secure conversations in WeChat

SafeGuard Cyber, the leading end-to-end platform for social media and digital risk protection, announced a new capability to secure conversations in WeChat, making it one of the only entities to provide security and real-time compliance protection for businesses that use the mobile messaging application. WeChat now has more than one billion daily active users, approximately 80 percent of whom use it for business purposes. Western companies have found WeChat to be a de facto requirement … More

The post SafeGuard Cyber can now secure conversations in WeChat appeared first on Help Net Security.

Manage microservices-based applications with security-focused Istio and Red Hat OpenShift

Red Hat announced the general availability of Red Hat OpenShift Service Mesh to connect, observe and simplify service-to-service communication of Kubernetes applications on Red Hat OpenShift 4, the industry’s most comprehensive enterprise Kubernetes platform. Based on the Istio, Kiali and Jaeger projects and enhanced with Kubernetes Operators, OpenShift Service Mesh is designed to deliver a more efficient, end-to-end developer experience around microservices-based application architectures. This helps to free developer teams from the complex tasks of … More

The post Manage microservices-based applications with security-focused Istio and Red Hat OpenShift appeared first on Help Net Security.

Analytics and Security Prove Effective Security Hybrid

Against the backdrop of consolidation in the SIEM and SOAR sectors, infosec professionals are deploying some combination of analytics and security, according to Haiyan Song, Senior Vice President & General Manager of Security Markets for Splunk. Analytics helps organizations make better decisions and detect anomalies faster, she adds.

Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards

On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.

Hy-Vee, based in Des Moines, announced on Aug. 14 it was investigating a data breach involving payment processing systems that handle transactions at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants.

The restaurants affected include Hy-Vee Market Grilles, Market Grille Expresses and Wahlburgers locations that the company owns and operates. Hy-Vee said it was too early to tell when the breach initially began or for how long intruders were inside their payment systems.

But typically, such breaches occur when cybercriminals manage to remotely install malicious software on a retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals. This data can then be used to create counterfeit copies of the cards.

Hy-Vee said it believes the breach does not affect payment card terminals used at its grocery store checkout lanes, pharmacies or convenience stores, as these systems rely on a security technology designed to defeat card-skimming malware.

“These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions,” Hy-Vee said. “This encryption technology protects card data by making it unreadable. Based on our preliminary investigation, we believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved.”

According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name “Solar Energy,” at the infamous Joker’s Stash carding bazaar.

An ad at the Joker’s Stash carding site for “Solar Energy,” a batch of more than 5 million credit and debit cards sources say was stolen from customers of supermarket chain Hy-Vee.

Hy-Vee said the company’s investigation is continuing.

“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” Hy-Vee spokesperson Tina Pothoff said.

The card account records sold by Joker’s Stash, known as “dumps,” apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece. Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.

As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Deport to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).

It’s really not worth spending time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.

Time to Get Smarter About Threat Intel

Bad actors move faster than threat intelligence feeds and the infosec pros who monitor them, notes Joakim Kennedy, Threat Intel Manager for Anomali Research. Organizations need to establish a dedicated team to manage threat intel, and an adequate budget. Kennedy also encourages intelligence sharing as part of a stepped-up protection strategy.

Texas ransomware attacks: to pay or not to pay? | TECH(feed)

Nearly two dozen cities in Texas have been hit by a ransomware attack executed by a single threat actor. These attacks beg the question: Is it ever worth it to pay a cyber attacker’s ransom? In this episode of TECH(feed), Juliet discusses the pattern of ransomware attacks on local governments, how municipalities have responded and how to prevent a ransomware attack in the first place.

Make DNS a Cornerstone of Your Cyber Security Arsenal

Better known for their essential role in networking, Domain Name Servers should be tapped as a means to identify - and shut down - suspicious or destructive activity, according to Anthony James, VP of Marketing for Infoblox. He also explains how to combine DNS with DHCP and IP address management to improve an organization's security.

Crackdown on Fake LinkedIn Profiles

Crackdown on Fake LinkedIn Profiles

People have been turning to LinkedIn since 2002 as a way to develop their network of business contacts. The professional social networking site has 645 million users in over 200 countries and territories around the world, who spend an average of 17 minutes on the site per month. 

While using LinkedIn may be preferable to eating stale croissants and swapping business cards at yet another networking breakfast event, it has one major downside: fake profiles.

Fake profiles are typically characterized by poor spelling and grammar, a lack of engagement, a limited number of connections and a suspicious or incomplete work history. 

It’s also not unusual for the photo in a fake profile to depict someone who, if they were really that good looking, would be making a living from modeling underwear on a beach somewhere rather than heading up a small HR team at a recruitment firm in Croydon. 

The faux profiles, which are often duplicated, are used to contact genuine professionals to fish for information such as how to get hired at a particular company. Spam of this type can be a frequent and extremely irritating problem for executives bugged daily by multiple connection requests from fake profiles.

LinkedIn is aware of the problem and has been making a concerted effort to rid the site of its pretenders.

Paul Rockwell, LinkedIn’s head of trust and safety, said: “Our teams are working to keep LinkedIn a safe place for professionals by proactively finding fake profiles then removing them and any content they share. Between January and June 2019, we took action on 21.6 million fake accounts.”

LinkedIn managed to prevent 19.5 million fake accounts from being created by automatically halting the registration process. The other 2 million fake accounts were restricted after the company paired human review with AI, machine learning and reports of fake accounts made by genuine members.  

Automation plays a key part in LinkedIn’s defense against the incoming wave of fakers. According to Rockwell, automated defenses, including AI and machine learning, prevented or took down 98% of all fake accounts. The rest were captured through manual review. 

Rockwell said: “When we stop fake accounts, we start more chances for economic opportunity."

Cisco addressed several vulnerabilities in UCS products

Cisco released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS and IMC).

Cisco has released security fixes to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products.

Most of the flaws affect the Integrated Management Controller (IMC) that is a baseboard management controller that provides embedded server management for Cisco Unified Computing System (UCS) servers.

The critical flaws impacting the CISCO UCS addressed by the tech giant are CVE-2019-1937CVE-2019-1974CVE-2019-1935 and CVE-2019-1938. These flaws could be exploited by remote, unauthenticated attackers to gain elevated privileges, including administrator permissions, on the targeted system.

A remote attacker could exploit the vulnerabilities by sending specially crafted requests and abusing default credentials.

“A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication.” reads the advisory for the CVE-2019-1937 flaw.

“The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.”

Cisco addressed also multiple high-severity vulnerabilities that could be exploited to trigger a denial-of-service (DoS) condition, to execute arbitrary commands with root privileges, obtain sensitive configuration data, elevate privileges, and modify the system configuration,

Some of the flaws addressed by Cisco have been reported by the security researcher Pedro Ribeiro, aka “bashis,” another expert whose identity was not revealed, and some other external researchers.

The good news is that Cisco is not aware of attacks in the wild that have exploited the flaws in UCS and IMC products.

Pierluigi Paganini

(SecurityAffairs – Cisco Unified Computing Products, hacking)

The post Cisco addressed several vulnerabilities in UCS products appeared first on Security Affairs.

Define Your Unique Security Threats with These Tools

It takes only minutes from the first action of an attack with 5 or less steps for an asset to be compromised, according to the 2019 Verizon Data Breach Investigations Report (DBIR).  However, it takes days—an average of 279 days—to identify and contain a breach (Ponemon Institute). And the longer it takes to discover the source, the more money the incident ends up costing the organization.  Luckily, you can reduce your chance of falling victim to these attacks by proactively anticipating your greatest threats and taking measures to mitigate these.

This blog post breaks down two tools to help you determine just that: your most at-risk data, how this data can be accessed, and the attacker’s motives and abilities.  Once you have an understanding of these, it will be much easier to implement countermeasures to protect your organization from those attacks.

I recommend first reading through the DBIR sections pertaining to your industry in order to further your understanding of patterns seen in the principal assets being targeted and the attacker’s motives.  This will assist in understanding how to use the two tools: Method-Opportunity-Motive, by Shari and Charles Pfleeger and Attack Trees, as discussed by Bruce Schneier.

Defining Method-Opportunity-Motive:


Methods are skills, knowledge and tools available to the hacker, which are similar to Tactics, Techniques, and Procedures used by the Military and MITTR. Jose Esteves et. al. wrote, “Although it used to be common for hackers to work independently, few of today’s hackers operate alone. They are often part of an organized hacking group, where they are members providing specialized illegal services….” A hacker’s methods are improved when part of a team, which has a motive and looks for opportunities to attack principle assets.


Opportunities are the amount of time and ability required for an attacker to access their objective.  The 2019 DBIR authors’ note, “Defenders fail to stop short paths substantially more often than long paths.” It’s critical to apply the correct controls to assets and to monitor those tools in order to quickly detect threats.


The motive is the reason to attack; for instance, is the attacker trying to access financial information or intellectual property? The 2019 DBIR notes that most attacks are for financial gains or intellectual property (IP), varying by industry.

Using Attack Trees to Visually Detail Method-Opportunity-Motive:

Bruce Schneier (Schneier on Security) provides an analytics tool for systematically reviewing why and how an attack might occur. After defining what assets are most valuable to an attacker (motive), you can identify the attacker’s objective, referred to as the root node in an attack tree. From here, you can look at all the possible actions an attacker might use to compromise the primary assets (method).  The most probable and timely method shows the most likely path (opportunity).

I like using divergent and convergent thinking described by Chris Grivas and Gerard Puccio to discover plausible motive, opportunity, and methods used by a potential threat actor. Divergent thinking is the generation of ideas, using techniques like brainstorming. Convergent thinking is the limiting of ideas based on certain criteria. Using this process, you and your security team can generate objectives and then decide which objectives pose the greatest threat. You can then use this process again to determine the possible methods, referred to as leaf nodes, that could be used to access the objective. Then, you can apply values, such as time, to visualize possible opportunities and attack paths.

To further your understanding of how to create an attack tree, let’s look at an example:

1.  First, decide what primary assets your company has that an intruder is interested in accessing.

The 2019 DBIR provides some useful categories to determine attack patterns within specific industries.  For this example, let’s look at a financial institution. One likely asset that a threat actor is attempting to access is the email server, so this is our root node, or objective. Again, using divergent and convergent thinking can help a team develop and clarify possible objectives.

2.  After deciding on the objective, the second step in developing an attack tree is to define methods to access the objective.

The 2019 DBIR describes some likely methods threat actors might use, or you can use divergent and convergent thinking. In the example below, I’ve included some possible methods to access the email server.

Attack Tree Visualization

3.  As you analyze the threat, continue working through the tree and building out the methods to develop specific paths to the asset.

The diagram below shows some potential paths to access and harvest information from the email server, using OR nodes, which are alternative paths, and AND nodes, which require combined activities to achieve the objective (this is represented using ). Note that every method that isn’t an AND node is an OR node.

Attack Tree Visualization

4.  The fourth step is to apply binary values to decide what paths the attack is most likely to follow.

For example, I’m going to use likely (l) and unlikely (u) based on the methods my research has shown is available to the attacking team. Then, use a dotted line to show the all likely paths, which are those in which all methods of the path are assigned a likely value.

Attack Tree Visualization

5.  The fifth step is to apply numeric values to the sub-nodes to decide on what path, specifically, the threat actor might attempt.

I’m going to use minutes in this scenario; however, other values such as associated costs or probability of success could also be used. These are subjective values and will vary amongst teams. Paths with supporting data would provide a more accurate model, but Attack Trees are still useful even without objective data.

Attack Tree Visualization

In the above example, I have determined the path with the shortest amount of time to be phishing (credential harvesting), assuming the credentials are the same for the user accounts as they are for admin accounts. Since I have already determined that this path is likely and I now know it takes the shortest amount of time, I can determine that this is the most at-risk and likely path to accessing the email server.  In this example, the least likely path is stolen credentials.

6.  After examining the possible motives, opportunities, and methods, you can decide how you want to protect your assets.

For example, I determined that phishing is likely with the attack tree above, so I might decide to outsource monitoring, detection, and training to a Managed Security Service Provider (MSSP) that can provide this at a lower cost than an in-house staff. I might also consider purchasing software to detect, report, and prevent phishing emails, limiting the possibility of a phishing attempt. If social engineering is determined to be a concern, you could conduct end-user training, look for ways to secure the physical environment (guards, better door locks), or make the work environment more desirable (cafeteria, exercise room, recreation area, etc.)

The models discussed work together to provide ways to determine, analyze, and proactively protect against the greatest threats to your valuable assets. Ultimately, thinking through scenarios using these tools will provide a more thoughtful and cost-effective approach to security.

The post Define Your Unique Security Threats with These Tools appeared first on GRA Quantum.

Fortnite Cheats Get Cheated

Fortnite Cheats Get Cheated

In an Aesop's fable for the digital age, Fortnite players who try to cheat are themselves being duped by ransomware disguised as a game hack.

Research conducted by cloud security specialists Cyren has found that a cheat tool claiming to improve the accuracy of a player's aim (known as an aimbot) is in reality a piece of malware designed to cause data loss. 

Roughly 250 million players of the online video game were targeted by the ransomware, which has the filename "SydneyFortniteHacks.exe" and is known as Syrk. 

Players who download Syrk in the misguided belief that they've stumbled across a sneaky way to up their game end up with a 12MB executable file. When the file is executed, the ransomware beast awakens and starts encrypting images, videos, music and documents stored on the player's computer. The encrypted files are marked with a .syrk file extension.

The unlucky player is then sent a threatening message demanding payment in return for a decryption password. The message includes an email address that the player must contact to discover how to make the payment.

The player is warned that if payment isn't received within two hours, files in their photo folder will be deleted, followed by files on their desktop. To underline the time-sensitive nature of the threat, the menacing message is unsubtly accompanied by a giant countdown clock. 

This nasty little piece of open source ransomware was built with tools readily available on the internet. And, in a doubly deceptive move, its creators built Syrk by reworking an existing piece of ransomware called Hidden-Cry. The source code for Hidden-Cry was shared on Github last year.

Fortunately, the files to decrypt the encrypted files can be found in machines infected with the ransomware. The file dh35s3h8d69s3b1k.exe – the Hidden-Cry decrypting tool – is one of the resources embedded in the main malware. 

The discovery of Syrk follows news earlier this month that Fortnite players had been targeted by malware named Baldr, also hidden in cheat hacks distributed as links via YouTube. The moral of the story is "don't cheat," but with a $30 million prize pool for the recent Fortnite World Cup, it's easy to see how players fall victim to temptation.

19 Cloud Security Best Practices for 2019

Now well into its second decade of commercial availability, cloud computing has become near-ubiquitous, with roughly 95 percent of businesses reporting that they have a cloud strategy. While cloud providers are more secure than ever before, there are still risks to using any cloud service. Fortunately, they can be largely mitigated by following these cloud security best practices:

Protect Your Cloud Data

  1. Determine which data is the most sensitive. While applying the highest level of protection across the board would naturally be overkill, failing to protect the data that is sensitive puts your enterprise at risk of intellectual property loss or regulatory penalties. Therefore, the first priority should be to gain an understanding of what to protect through data discovery and classification, which is typically performed by a data classification engine. Aim for a comprehensive solution that locates and protects sensitive content on your network, endpoints, databases and in the cloud, while giving you the appropriate level of flexibility for your organization.
  2. How is this data being accessed and stored? While it’s true that sensitive data can be stored safely in the cloud, it certainly isn’t a foregone conclusion. According to the McAfee 2019 Cloud Adoption and Risk Report, 21 percent of all files in the cloud contain sensitive data—a sharp increase from the year before1. While much of this data lives in well-established enterprise cloud services such as Box, Salesforce and Office365, it’s important to realize that none of these services guarantees 100 percent safety. That’s why it’s important to examine the permissions and access context associated with data in your cloud environment and adjust appropriately. In some cases, you may need to remove or quarantine sensitive data already stored in the cloud.
  3. Who should be able to share it, and how? Sharing of sensitive data in the cloud has increased by more than 50% year over year.1 Regardless of how powerful your threat mitigation strategy is, the risks are far too high to take a reactive approach: access control policies should be established and enforced before data ever enters the cloud. Just as the number of employees who need the ability to edit a document is much smaller than the number who may need to view it, it is very likely that not everyone who needs to be able to access certain data needs the ability to share Defining groups and setting up privileges so that sharing is only enabled for those who require it can drastically limit the amount of data being shared externally.
  4. Don’t rely on cloud service encryption. Comprehensive encryption at the file level should be the basis of all your cloud security efforts. While the encryption offered within cloud services can safeguard your data from outside parties, it necessarily gives the cloud service provider access to your encryption keys. To fully control access, you’ll want to deploy stringent encryption solutions, using your own keys, before uploading data to the cloud.

Minimize Internal Cloud Security Threats  

  1. Bring employee cloud usage out of the shadows. Just because you have a corporate cloud security strategy in place doesn’t mean that your employees aren’t utilizing the cloud on their own terms. From cloud storage accounts like Dropbox to online file conversion services, most people don’t consult with IT before accessing the cloud. To measure the potential risk of employee cloud use, you should first check your web proxy, firewall and SIEM logs to get a complete picture of which cloud services are being utilized, and then conduct an assessment of their value to the employee/organization versus their risk when deployed wholly or partially in the cloud. Also, keep in mind that shadow usage doesn’t just refer to known endpoints accessing unknown or unauthorized services—you’ll also need a strategy to stop data from moving from trusted cloud services to unmanaged devices you’re unaware of. Because cloud services can provide access from any device connected to the internet, unmanaged endpoints such as personal mobile devices create a hole in your security strategy. You can restrict downloads to unauthorized devices by making device security verification a prerequisite to downloading files.
  2. Create a “safe” list. While most of your employees are utilizing cloud services for above-the-board purposes, some of them will inadvertently find and use dubious cloud services. Of the 1,935 cloud services in use at the average organization, 173 of them rank as high-risk services.1 By knowing which services are being used at your company, you’ll be able to set policies 1.) Outlining what sorts of data are allowed in the cloud, 2.) Establishing a “safe” list of cloud applications that employees can utilize, and 3.) Explaining the cloud security best practices, precautions and tools required for secure utilization of these applications.
  3. Endpoints play a role, too. Most users access the cloud through web browsers, so deploying strong client security tools and ensuring that browsers are up-to-date and protected from browser exploits is a crucial component of cloud security. To fully protect your end-user devices, utilize advanced endpoint security such as firewall solutions, particularly if using IaaS or PaaS models.
  4. Look to the future. New cloud applications come online frequently, and the risk of cloud services evolves rapidly, making manual cloud security policies difficult to create and keep up to date. While you can’t predict every cloud service that will be accessed, you can automatically update web access policies with information about the risk profile of a cloud service in order to block access or present a warning message. Accomplish this through integration of closed-loop remediation (which enforces policies based on a service-wide risk rating or distinct cloud service attributes) with your secure web gateway or firewall. The system will automatically update and enforce policies without disrupting the existing environment.
  5. Guard against careless and malicious users. With organizations experiencing an average of 14.8 insider threat incidents per month—and 94.3 percent experiencing an average of at least one a month—it isn’t a matter of if you will encounter this sort of threat; it’s a matter of when. Threats of this nature include both unintentional exposure—such as accidentally disseminating a document containing sensitive data—as well as true malicious behavior, such as a salesperson downloading their full contact list before leaving to join a competitor. Careless employees and third-party attackers can both exhibit behavior suggesting malicious use of cloud data. Solutions leveraging both machine learning and behavioral analytics can monitor for anomalies and mitigate both internal and external data loss.
  6. Trust. But verify. Additional verification should be required for anyone using a new device to access sensitive data in the cloud. One suggestion is to automatically require two-factor authentication for any high-risk cloud access scenarios. Specialized cloud security solutions can introduce the requirement for users to authenticate with an additional identity factor in real time, leveraging existing identity providers and identity factors (such as a hard token, a mobile phone soft token, or text message) already familiar to end users.

Develop Strong Partnerships with Reputable Cloud Providers

  1. Regulatory compliance is still key. Regardless of how many essential business functions are shifted to the cloud, an enterprise can never outsource responsibility for compliance. Whether you’re required to comply with the California Consumer Privacy Act, PCI DSS, GDPR, HIPAA or other regulatory policies, you’ll want to choose a cloud architecture platform that will allow you to meet any regulatory standards that apply to your industry. From there, you’ll need to understand which aspects of compliance your provider will take care of, and which will remain under your purview. While many cloud service providers are certified for myriad industry and governmental regulations, it’s still your responsibility to build compliant applications and services on the cloud, and to maintain that compliance going forward. It’s important to note that previous contractual obligations or legal barriers may prohibit the use of cloud services on the grounds that doing so constitutes relinquishing control of that data.
  2. But brand compliance is important, too. Moving to the cloud doesn’t have to mean sacrificing your branding strategy. Develop a comprehensive plan to manage identities and authorizations with cloud services. Software services that comply with SAML, OpenID or other federation standards make it possible for you to extend your corporate identity management tools into the cloud.
  3. Look for trustworthy providers. Cloud service providers committed to accountability, transparency and meeting established standards will generally display certifications such as SAS 70 Type II or ISO 27001. Cloud service providers should make readily accessible documentation and reports, such as audit results and certifications, complete with details relevant to the assessment process. Audits should be independently conducted and based on existing standards. It is the responsibility of the cloud provider to continuously maintain certifications and to notify clients of any changes in status, but it’s the customer’s responsibility to understand the scope of standards used—some widely used standards do not assess security controls, and some auditing firms and auditors are more reliable than others.
  4. How are they protecting you? No cloud service provider offers 100 percent security. Over the past several years, many high profile CSPs have been targeted by hackers, including AWS, Azure, Google Drive, Apple iCloud, Dropbox, and others. It’s important to examine the provider’s data protection strategies and multitenant architecture, if relevant—if the provider’s own hardware or operating system are compromised, everything hosted within them is automatically at risk. For that reason, it’s important to use security tools and examine prior audits to find potential security gaps (and if the provider uses their own third-party providers, cloud security best practices suggest you examine their certifications and audits as well.) From there, you’ll be able to determine what security issues must be addressed on your end. For example, fewer than 1 in 10 providers encrypt data stored at rest, and even fewer support the ability for a customer to encrypt data using their own encryption keys.1 Finding providers that both offer comprehensive protection as well as the ability for users to bridge any gaps is crucial to maintaining a strong cloud security posture.
  5. Investigate cloud provider contracts and SLAs carefully. The cloud services contract is your only guarantee of service, and your primary recourse should something go wrong—so it is essential to fully review and understand all terms and conditions of your agreement, including any annexes, schedules and appendices. For example, a contract can make the difference between a company who takes responsibility for your data, and a company that takes ownership of your data. (Only 37.3 % of providers specify that customer data is owned by the customer. The rest either don’t legally specify who owns the data, creating a legal grey area—or, more egregiously, claim ownership of all uploaded data.1) Does the service offer visibility into security events and responses? Is it willing to provide monitoring tools or hooks into your corporate monitoring tools? Does it provide monthly reports on security events and responses? And what happens to your data if you terminate the service? (Keep in mind that only 13.3 percent of cloud providers delete user data immediately upon account termination. The rest keep data for up to a year, with some specifying they have a right to keep it indefinitely.) If you find parts of the contract objectionable, you can try to negotiate—but in the case where you’re told that certain terms are non-negotiable, it is up to you to determine whether the risk presented by accepting the terms as-is is an acceptable one to your business. If not, you’ll need to find alternate means of managing the risk, such as encryption or monitoring, or find another provider.
  6. What happens if something goes wrong? Since no two cloud service providers offer the same set of security controls—and again, no cloud provider delivers 100 percent security—developing an Incident Response (IR) plan is critical. Make sure the provider includes you and considers you a partner in creating such plans. Establish communication paths, roles and responsibilities with regard to an incident, and to run through the response and hand-offs ahead of time. SLAs should spell out the details of the data the cloud provider will provide in the case of an incident, how data will be handled during incidents to maintain availability, and guarantee the support necessary to effectively execute the enterprise IR plan at each stage. While continuous monitoring will offer the best chance at early detection, full-scale testing should be performed on at least an annual basis, with additional testing coinciding with major changes to the architecture.
  7. Protect your IaaS environments. When using IaaS environments such as AWS or Azure, you retain responsibility for the security of operating systems, applications, and network traffic. Advanced anti-malware technology should be applied to the OS and virtual network to protect your infrastructure. Deploy application whitelisting and memory exploit prevention for single-purpose workloads and machine learning-based protection for file stores and general-purpose workloads.
  8. Neutralize and remove malware from the cloud.Malware can infect cloud workloads through shared folders that sync automatically with cloud storage services, spreading malware from an infected user device to another user’s device. Use a cloud security solution program to scan the files you’ve stored in the cloud to avoid malware, ransomware or data theft attacks. If malware is detected on a workload host or in a cloud application, it can be quarantined or removed, safeguarding sensitive data from compromise and preventing corruption of data by ransomware.
  9. Audit your IaaS configurations regularly.  The many critical settings in IaaS environments such as AWS or Azure can create exploitable weaknesses if misconfigured. Organizations have, on average, at least 14 misconfigured IaaS instances running at any given time, resulting in an average of nearly 2,300 misconfiguration incidents per month. Worse, greater than 1 in 20 AWS S3 buckets in use are misconfigured to be publicly readable.1 To avoid such potential for data loss, you’ll need to audit your configurations for identity and access management, network configuration, and encryption. McAfee offers a free Cloud Audit to help get you started.


  1. McAfee 2019 Cloud Adoption and Risk Report


The post 19 Cloud Security Best Practices for 2019 appeared first on McAfee Blogs.

App tainted with Ahmyst Open-source spyware appeared on Google Play Store twice

ESET experts discovered that an Android app infected with AhMyth open-source RAT has bypassed the security of Google Play twice over two weeks.

The popular malware researcher Lukas Stefanko from ESET discovered that a malicious spyware, built on the AhMyth open-source espionage tool, was uploaded on Google Play twice over two weeks, bypassing Google security checks.

The malicious app, named Radio Balouch (or RB Music), includes functionality from AhMyth Android RAT.

RB Music is a streaming app for the Balouchi music that is traditional of the Balochistan region in south-western Asia.

“ESET researchers have discovered the first known spyware that is built on the foundations of AhMyth open-source malware and has circumvented Google’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users.” wrote Stafanko. “The app snuck into the official Android app store twice, but was swiftly removed by Google both times after we alerted the company to it.”

The source code of the RAT is available on GitHub since October 2017.

According to ESET experts, this is the first case of malicious apps built on AhMyth that spread through the official Google store bypassing Google’s app-vetting mechanism.

The app is able to steal contacts, harvest files stored on the device and send SMS messages from the affected device. It also implements a feature to steal SMS messages stored on the device, but this functionality can’t be utilized since Google’s recent restrictions only allow the default SMS app to access those messages.

Stafanko pointed out that the AhMyth code inside the app was not obfuscated or protected, making it very easy to be detected, by Google failed it.

The experts discovered twice different versions of the malicious Radio Balouch app on Google Play, the application had 100 downloads.

The researchers first discovered the app on Google Play on July 2, 2019, then it was removed within 24 hours. The Radio Balouch app reappeared on Google Play on July 13th, 2019, ESET discovered it and alerted Google that quickly removed it.

The malicious app was also distributed via third-party app stores, via a dedicated website, radiobalouch[.]com, via a link promoted via a related Instagram account. The expert discovered that the server was also used for the spyware’s C&C communications. The domain was registered on March 30th, 2019, and after the ESET report, it was taken down by the threat actors.

Once the app is executed, it will ask users to choose their preferred language (English or Farsi), then it starts requesting permissions such as the access to files on the device and the access to the contacts.

“Then, the app requests the permission to access contacts. Here, to camouflage its request for this permission, it suggests this functionality is necessary should the user decide to share the app with friends in their contact list. If the user declines to grant the contact permissions, the app will work regardless.” continues the report.

After the setup, the malicious app displays its home screen with music options, and allows users to register and login. This feature is fake, the user will be always authenticated for every input he will provide. Experts believe this feature has been implemented to lure credentials from the victims and try to break into other services that share the same credentials.  

“The (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users. Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.” Stefanko concludes.

“While the key security imperative “Stick with official sources of apps” still holds, it alone can’t guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices and use a reputable mobile security solution.

Pierluigi Paganini

(SecurityAffairs – ahMyth, spyware)

The post App tainted with Ahmyst Open-source spyware appeared on Google Play Store twice appeared first on Security Affairs.

Alaska is the Most Scammed State in America

Alaska is the Most Scammed State in America

An annual report on cybercrime by the Federal Bureau of Investigation has revealed Alaska to be the most scammed state in America for the second year running. 

With more than $450 million stolen, sunny California lost more money than any other state, but at 21.67 victims per 10,000 residents, Alaska had the highest per capita victim count.

Although more people were scammed in The Last Frontier State than in any other US state, Alaskans lost the least amount of money per person, with each victim being conned out of $2,256.30 on average. 

Across the state, the total number of people targeted by cyber-thieves was 1,606, based on the number of complaints received. Overall, the state's total losses in 2018 from internet scams was a painful $3.62 million. 

At the other end of the scale, the state with the fewest victims per capita for the second year in a row was South Dakota. The Midwestern state, known for the Black Hills into which the faces of four presidents have been carved, had just 5.3 victims per 10,000. 

Nearly $650 million was stolen from people aged 60 and over, who the report showed are the preferred prey for scammers. This age group is particularly vulnerable to confidence/relationship fraud, which occurs when scammers convince victims to send money to someone who appears to be a trustworthy person from a recognized brand, potential romantic partner or long-lost relative. 

The total losses to internet scams across the United States in 2018 exceeded $2.7 billion. 

The statistics are based on a total of 351,936 complaints received in 2018 by the FBI's Internet Crime Complaint Center (IC3). The real totals regarding the number of victims and the amount of money stolen through internet scams could potentially be much higher. 

Many of the scams were executed over social media but most of the money was stolen through the use of fake emails. Business email compromise (BEC) and Email account compromise (EAC) schemes accounted for more than $1 billion in losses. 

Matt Gorham, assistant director of the bureau’s cyber division, said: “The most prevalent crime types reported by victims were nonpayment/nondelivery, extortion and personal data breach. The top three crime types with the highest reported loss were BEC, confidence/romance fraud and nonpayment/nondelivery."

The Dangers of Using Unsecured Wi-Fi Networks

Isn’t public Wi-Fi great? If you’re having a tea or coffee in a cafe or restaurant you can check your emails and social media.

If you’re waiting for a flight what better way to pass the time than logging onto your favourite website, checking your bank account or even doing a bit of online shopping? And you don’t have to pay a penny or cent. It’s free and you’re not eating into your data allowance. 

Except there’s a problem. Public Wi-Fi is notoriously insecure. Data that travels over a public hotspot network is rarely encrypted. This means that every time you use public Wi-Fi, anybody who is looking can see everything you are doing. They can see the passwords you use, your email address, your name and physical address, phone numbers and any other type of personal information that you might happen to enter into a website. They can certainly see the websites you are visiting. 

This information is gold dust to cyber criminals. It enables them to access and rake through your emails, target you with specific phishing mails, call you with targeted messages and even capture and exploit your payment card details if you happened to buy something online when using public Wi-Fi.

Hackers capture this unencrypted network traffic by interfering with the public Wi-Fi or by creating an ‘evil twin’ fake network which looks legitimate but has actually been set up by the hacker. Because attackers are typically silently observing the public Wi-Fi traffic these attacks are difficult to spot.

  • An attacker could see that a user is accessing a banking site and change the destination account number to a fake website they have set up that emulates the legitimate site.
  • Attackers can also redirect users to making a so called ‘important’ download or update, which actually is a Trojan horse for malware that is planted on your device. 

These attacks can also be easily automated. For instance there are automated tools that look for passwords and write them into a file whenever they see one. There are automated attacks that wait for particular requests, such as accessing, designed to scoop up usernames and passwords.

In the name of self defence

These attacks aren’t theoretical. Hotels are a favorite target, especially during the holidays, but so are shopping malls, airports, cafes and different types of transport stations.

So what can you do to protect yourself? The answer is a virtual private network (VPN) which creates a private tunnel between your device and the internet and encrypts your data. It essentially locks down your network traffic so no one can see what you are doing when you use public Wi-Fi. 

BullGuard VPN for instance uses military grade encryption which would take more than a lifetime to crack. When confronted with this level of protection, hackers simply move on. 

Further it also protects you from other types of snooping whether its companies trying to track your movements or even governments spying on their citizens. In short, you reclaim your privacy and can use the internet with total freedom and safety, even on public Wi-Fi.

About the AuthorSusan Alexandra is a cybersecurity and privacy enthusiast. She writes for publications like GlobalSign, Tripwire, SecurityAffairsSecurityToday and CyberDefenseMagazine. She is a small business owner, traveler and investor of cryptocurrencies. Susan’s inbox is open for new ideas and stories, feel free to share story ideas to

Pierluigi Paganini

(SecurityAffairs – Wi-Fi, hacking)

The post The Dangers of Using Unsecured Wi-Fi Networks appeared first on Security Affairs.

Android 10: Cheat sheet

Android 10's features will transform some phones into more user-friendly, customizable, and secure environments. Here's what developers, businesses, and users need to know about Google's Android 10.0.

Adwind Spyware-as-a-Service Utility Grid Operators Attacks

A phishing campaign for grid operators uses a PDF attachment to offer spyware.

A campaign aimed at a domestic grid infrastructure that spoofs a PDF attachment to deliver Adwind spyware.

Adwind, a.k.a. JRAT or SockRat, is used in this campaign in a malware-as – a-service model, researchers said. It offers a full set of info-gathering features including screenshots, Chrome, IE and Microsoft Edge harvesting credentials, video and audio recording, photo-taking, stealing files, keylogging, reading emails and stealing VPN certificates.

Critical infrastructure facilities are high-risk targets, and the fact that Adwind is available as a paid service is very concerning,” Bob Noel, vice president of strategic relationships for Plixer, told Threatpost. “Anyone willing to pay can target utilities, and when successful, they have the ability to collect keystrokes, steal passwords, grab screenshots, take pictures from the web camera, record sound, etc. If infected end users have access to critical system information, it could be stolen and used in an attempt to attack the facility.

According to the Cofense researcher Milo Salvia, the phishing e-mail was sent from a hijacked account at Friary Shoes. It simply says,’ A copy of our forwarding notification attached, which you must sign and return,’ with a built-in button that is intended to point to a PDF file.

However, when a victim clicks the button, they are sent back to a malicious web address; in an analysis on Monday Salvia wrote that cyber criminals abuse the Fletcher Specs domain in order to host the malware. Once the victim arrives on the target machine, a payload is automatically downloaded.

The initial payload campaign has a fake PDF file extension to obscure it’s actually a.JAR file. It creates two Java.exe processes in the background, which load two separate Adwind files. According to Salvia, it beacons to its command-and-control (C2) server.

And the researcher has written that he tries to remain hidden from another executable file called takskill.exe which looks for popular antivirus and malware analysis tools and then disables them.

Adwind has made it a hallmark to bypass and disable security tools. A new variant emerged last year, which used a new technology for the injection of Dynamic Data Exchange (DDE) code for anti-virus evasion.

Tricking end users into clicking on malicious links or attachments continues to be the most successful means for bad actors to gain access,” said Noel. “As is true in the case of the Adwind remote access trojan, once malware lands on a device, it often has the ability to disable antivirus and other types of endpoint detection agents loaded on the device.

Also Read,

A Quick Glimpse On The WhatsApp “Spyware” Issue

RatVermin Spyware Campaign: Ukraine Gov Agencies Targeted

MobSTSPY Spyware Finds Its Way Into Google Play

The post Adwind Spyware-as-a-Service Utility Grid Operators Attacks appeared first on .

Texas attackers demand $2.5 million to allow towns to access encrypted data

Crooks behind the attacks against Texas governments are now demanding $2.5 million to allow victims to access encrypted data.

The cybercriminals behind the wave of attacks that hit 23 Texas governments are now demanding $2.5 million to allow victims to access encrypted data.

The attacks started in the morning of August 16 and security experts investigating the incidents believe that it was a coordinated attack carried out by a single cyber crime gang.

Initially, it was said that at least 23 local government organizations were impacted by the ransomware attacks. The Department of Information Resources (DIR) is currently still investigating them and providing supports to mitigate the attacks, anyway evidence continues to point to a single threat actor.

The State Operations Center (SOC) was the attacks were detected.

According to the Texas Department of Information Resources (DIR) the number of impacted towns has been reduced to 22.

“As of the time of this release, responders have engaged with all twenty-two entities to assess the impact to their systems and bring them back online.” reads an update provided by the DIR.

“More than twenty-five percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual.”

The city of Keene confirmed the attack and announced it is working with law enforcement to resolve a cyber incident.

Another of the towns hit by the ransomware attack, the City of Borger, confirmed that business and financial operations and services were impacted, although basic and emergency services continued to be operational.

“On the morning of August 16, 2019 the City of Borger was one of more than 20 entities in Texas that reported a ransomware attack.” reads the press release published by the City of Borger.

“Currently, Vital Statistics (birth and death certificates) remains offline, and the City is unable to take utility or other payments. Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off,”

Keene Mayor Gary Heinrich told NPR the attackers are asking for $2.5 million to unlock the files.

“Well, just about everything we do at City Hall is impacted” Heinrich said.

“They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.”

Unfortunately, ransomware attacks are a big problem for US Government and City Offices, recently some cities in Florida were victims of hackers, including Key Biscayne, Riviera Beach and Lake City.

In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Pierluigi Paganini

(SecurityAffairs – Texas, ransomware)

The post Texas attackers demand $2.5 million to allow towns to access encrypted data appeared first on Security Affairs.

Block newly-registered domains to reduce security threats in your organisation

It’s no secret that there are a lot of websites on the internet hosting malicious content whether they be phishing pages, scams or malware itself. Every day we hear of new attacks, there’s a common denominator of either a user having clicked on a link to a fraudulent website or a site having played host […]… Read More

The post Block newly-registered domains to reduce security threats in your organisation appeared first on The State of Security.

Veracode Now Available on the Digital Marketplace G-Cloud UK

G Cloud Blog Featured Image

There is a deepening awareness that cyberthreats can never be eliminated completely, and digital resilience is an absolute necessity – and this is true for both private and public sector organizations and agencies. With this understanding, the UK Government created its G-Cloud Framework, which has transformed the way that public sector organizations can purchase information and communications technology in order to better build secure digital foundations. The program allows public bodies to buy commodity-based, pay-as-you-go cloud services through government-approved, short-term contracts via the Digital Marketplace. This procurement process supports the UK Government's Cloud First policy, as well as its desire to achieve a “Cloud Native” digital architecture.

Strengthening the security posture of your applications is critical in strengthening the security posture of your organization, and the Veracode Platform was created as a cloud-based application security solution because of the multitude of advantages it offers our customers. Not only are you able to avoid the expenses associated with purchasing hardware, procuring software, managing deployment and maintaining systems, you are also able to implement immediately – which means seeing results and value on day one. We’ve now made it even simpler for organizations within the UK to secure their application security portfolio: The Veracode Platform and services are now available for purchase on the Digital Marketplace.

Revolution not Evolution: How the UK Government Created a Cloud First Initiative

In 2010, the UK Government began a revolution that has influenced the way in which nations around the world are conducting business and structuring cybersecurity programs within their own government bodies and organizations. The creation of Government Digital Service (GDS), a consumer-facing portal and link for businesses that simplifies interacting with the government, led way to the adoption of a Cloud First policy for all government technology purchases.

The GDS team was created to more fundamentally rethink how government works in the modern era, with the aim to establish a digital center for the UK government that would bring the talent in-house, rather than relying on vendor expertise to make changes to government web applications and properties. The ultimate goal was to fix and enhance the way that people interact with the government, embed skills and capability across the government so that it could work in a new way, and open up data and APIs so other people could build on government-developed services.

The re-architecting of the government website began with a whiteboard and a heavy focus on user needs. The small team worked together to build a hub that would evoke a response, understanding that leading with imagery was really powerful, and iterated, changed, and improved as they honed in on the users’ needs. At that time, no other government technology had run in an agile fashion.

And then GDS team took it one step further by making all of its GitHub repositories open, because they considered it to be the people’s code, they wanted the people to help make their code better, and they knew it would make recruitment simpler if they could more easily show potential candidates what was under the hood. It allowed for different agencies within the government to work together more openly, which helped to reduce the risks associated with the open source code everyone was using.

The Cloud First Policy

This new approach to development also called for new processes and policies for acquiring software and working with technology vendors. In 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions. By operating in a Cloud Native framework, the government is able to adapt to how they organize their work to take advantage of what’s available in the market and any emerging technologies. This new policy made it mandatory to consider cloud solutions before alternatives, as well as making it necessary to demonstrate why non-cloud technologies would provide better value for the money if opting for an on-premise solution.

Further, the policy states that the government must also consider public cloud first – to consider SaaS models, particularly for enterprise IT and back office functions – and Infrastructure as a Service and Platform as a Service. The GDS team understands that without adapting and adopting technologies and focusing on core outcomes and principles, it won’t be able to meet the expectations of its users, and it won’t be prepared for the changes likely to arise as they manage growing volumes of data, and a proliferation of devices and sensors.

To truly become cloud native, the GDS transformed how it monitors and manages distributed systems to include diverse applications. It continues to deepen the conversations with vendors about the standards that will help them manage these types of technology shifts. Most of all, it continues to ensure it always chooses cloud providers that fit the needs at hand, rather than basing choices on recommendations.

To learn more about Veracode’s offerings on the Digital Marketplace G-Cloud UK, including our application security platform and services, click here.

Visa Adds New Security Capabilities to Detect Fraud and Disrupt Threats

Visa unveiled a suite of new security capabilities designed to help detect fraud and disrupt threats targeting financial institutions and merchants. At its U.S. Security Summit 2019, the multinational financial services corporation announced that the new capabilities will be available to all Visa clients at no additional cost or sign-up. The company specifically highlighted the […]… Read More

The post Visa Adds New Security Capabilities to Detect Fraud and Disrupt Threats appeared first on The State of Security.

IT Security Pros: Encryption Backdoors Are Election Hacking Risk

IT Security Pros: Encryption Backdoors Are Election Hacking Risk

The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research.

The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by attorney general, William Barr.

Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes.

Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users.

This argument has been repeatedly shot down, not only by the tech firms themselves, but also world-renowned cryptography experts. Last year they backed senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

Now the IT security community is arguing that backdoors would also expose countries to the threat of cyber-attacks on election infrastructure — an increasingly important issue as the 2020 Presidential election comes into view.

While 80% agreed with this sentiment, 74% said countries with government-mandated encryption backdoors are more susceptible to nation-state attacks, 72% claimed they don’t reduce the terrorist threat and 70% argued they put countries at a distinct economic disadvantage.

Last month a Senate report revealed that voting infrastructure in all 50 states was most likely compromised by Russian hackers ahead of the 2016 election. It warns that if Russia’s preferred candidate doesn’t win in 2020, it could seek to use this access to de-legitimize the result.

“We know that encryption backdoors dramatically increase security risks for every kind of sensitive data, and that includes all types of data that affects our national security,” argued Venafi VP of security strategy and threat intelligence, Kevin Bocek.

“On a consumer level, people want technology that prioritizes the security and privacy of their personal data. This kind of trust is priceless. Encryption backdoors would not only make us much less safe at a national level, they also clearly have the potential to inflict significant economic and political damage.”

#GCSEResultsDay2019: Number of Students Taking Computing & ICT Exams Drops

#GCSEResultsDay2019: Number of Students Taking Computing & ICT Exams Drops

Today, August 8, marks GCSE Results Day and shows a significant drop in the number of students taking Computing and ICT exams, with a clear gender gap also apparent.

The 2019 GCSE results indicated that 68,965 male students and 20,577 female students took Computing and ICT this year, compared to 94,587 (males) and 35,623 (females) in 2018. That represents an overall drop of 40,668 fewer students.

These figures are particularly concerning given the current skills gap that the cybersecurity industry is facing. In fact, global certification association (ISC)2 has estimated that the cybersecurity industry is suffering from a workforce shortage of 2.9 million employees

“It’s worrying to see less and less students are taking Computing and ICT subjects at GCSE, said Agata Nowakowska, AVP at Skillsoft. “Last year we saw 9000 fewer students take the exams, this year it’s 40,668 fewer. We need to take action now to turn this around.”

The digital skills gap in industry is fast expanding and already at a level that can't be filled quickly enough, Nowakowska added, and so encouraging more students to take these exams isn’t enough.

“We need to focus on getting them in and keeping them there – encouraging more students to pursue these subjects through to A-Levels, degrees and beyond. The current picture is bleak and goes much deeper than exam numbers.

“The challenge is changing the ingrained unconscious biases that say these subjects are dull, boring or just for boys. Whilst it is of course disappointing to see the gender gap continue in these subjects, what is more concerning is that these results are reflective of the lack of female role models in technology and STEM as a whole. Young girls have claimed in the past that they are put off of subjects such as Computing because they see them as ‘too difficult,’ but a large number of young women have also admitted to regretting not pursing these subjects for longer. There is an opportunity here for a paradigm shift that we are simply not taking."

Nowakowska therefore argued that the onus is on parents, teachers and business leaders to show that there is a place for girls in technology.

“There are so many programs aimed at getting girls interested in these areas, but we need to go further to challenge and eradicate the old fashioned views that are clearly still very much ingrained in the public consciousness.”

Cybersecurity salary, skills, and stress survey

Exabeam is conducting an annual survey to understand skills, compensation trends and workplace trends among SOC and security analysts. All participants will receive the results of the survey. Questions include certifications, security responsibilities, compensation ranges, and perceptions around new tech like machine learning and AI. Completing the survey takes 7 minutes (less if you are a really fast reader). The results of the survey are anonymous. Prizes for participants They will randomly select 10 winners … More

The post Cybersecurity salary, skills, and stress survey appeared first on Help Net Security.

Modifying a Tesla to Become a Surveillance Platform

From DefCon:

At the Defcon hacker conference today, security researcher Truman Kain debuted what he calls the Surveillance Detection Scout. The DIY computer fits into the middle console of a Tesla Model S or Model 3, plugs into its dashboard USB port, and turns the car's built-in cameras­ -- the same dash and rearview cameras providing a 360-degree view used for Tesla's Autopilot and Sentry features­ -- into a system that spots, tracks, and stores license plates and faces over time. The tool uses open source image recognition software to automatically put an alert on the Tesla's display and the user's phone if it repeatedly sees the same license plate. When the car is parked, it can track nearby faces to see which ones repeatedly appear. Kain says the intent is to offer a warning that someone might be preparing to steal the car, tamper with it, or break into the driver's nearby home.

Survey: 84% of Security Pros Said Their Organizations Struggled to Maintain Security Configurations in the Cloud

Headlines continue to suggest that organizations’ cloud environments make for tantalizing targets for digital attackers. Illustrating this point, the 2019 SANS State of Cloud Security survey found “a significant increase in unauthorized access by outsiders into cloud environments or to cloud assets” between 2017 (12 percent) and 2018 (19 percent). These findings beg the question: […]… Read More

The post Survey: 84% of Security Pros Said Their Organizations Struggled to Maintain Security Configurations in the Cloud appeared first on The State of Security.

Smashing Security #142: Mercedes secret sensors, smart cities, and ransomware runs riot

Darknet Diaries host Jack Rhysider joins us to discuss how cities in Texas are being hit by a wave of ransomware, how Mercedes Benz has installed a tracker in your car (but not for the reason you think), the security threats impacting smart cities, and a new feature coming to your Facebook app.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast, hosted by computer security veterans Graham Cluley and Carole Theriault.

Cisco warns about public exploit code for critical flaws in its 220 Series smart switches

Cisco has fixed over 30 vulnerabilities in various solutions, including Cisco UCS Director, Cisco UCS Director Express for Big Data, Cisco IMC Supervisor, and the Cisco 220 Series smart switches. Updates by product Users of Cisco UCS Director and Cisco UCS Director Express for Big Data are advised to upgrade to versions and, respectively, as they fix, among other things: CVE-2019-1938, an API authentication bypass vulnerability that could be triggered by a specially … More

The post Cisco warns about public exploit code for critical flaws in its 220 Series smart switches appeared first on Help Net Security.

Over a Third of Firms Have Suffered a Cloud Attack

Over a Third of Firms Have Suffered a Cloud Attack

Over a third of organizations have already suffered an attack on their cloud systems, yet many are failing to eradicate potential security blind spots, according to a new poll from Outpost24.

The cyber-assessment vendor interviewed 300 attendees at this year’s Infosecurity Europe show in London in June.

It found that while 37% admitted suffering a cloud attack, over a quarter (27%) said they don’t know how quickly they could tell if their cloud data has been compromised.

This lack of visibility into cloud environments also extends to testing: 11% claimed they never run any kind of testing in the cloud, while nearly a fifth (19%) said they only do so annually.

Given these findings it’s perhaps not surprising that nearly half of respondents (42%) said they believe on-premises data is more secure than that hosted in the cloud.

Despite these misgivings, a third (34%) of businesses said that more than half of their products/apps are running in the cloud, while 15% said all their assets were.

Bob Egner, VP at Outpost24, argued that cloud environments offer major cost and scalability benefits, but security can get more complex when firms start to use multiple clouds across different providers.

“Organizations should treat their cloud assets just as they would their on-premises assets and apply all the same security principles of vulnerability and application security assessment, plus checks for cloud misconfigurations and security posture,” he added.

“It is extremely important to understand the shared responsibility model and what cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure can and cannot offer in terms of security. Ultimately the responsibility of protecting your data and cloud workloads lies with you, the organizations using cloud services.”

Cloud misconfiguration is a particular challenge, with hackers now stepping up efforts to find exposed databases via automated scans. The Cloud Security Alliance recently put this on its “egregious 11” list of top threats to cloud computing.

400G Triton cyber warfare simulation tool can replicate any attack

Telesoft Technologies — a provider of cyber security technologies for high-density cyber environments, including network, government, and large organizations — has announced the release of Triton 400, a cyber warfare simulation tool which can replicate myriad adversarial attack methods. Mimicking attacks from all over the world, Triton 400 utilises a comprehensive understanding of frontline threat intelligence from around the globe to simulate natural and malicious traffic at unprecedented speeds for such a capability. Taking a … More

The post 400G Triton cyber warfare simulation tool can replicate any attack appeared first on Help Net Security.

IT Teams Urged Not to Prioritize Patches Using CVSS

IT Teams Urged Not to Prioritize Patches Using CVSS

Organizations that prioritize patch updates primarily according to compliance requirements and use the Common Vulnerability Scoring System (CVSS) struggle with their vulnerability management programs, according to new research.

Cyber risk firm Kenna Security commissioned the Cyentia Institute to analyze data from its own platform related to the patching challenges facing over 100 organizations.

Perhaps unsurprisingly it found that those with high performing vulnerability management programs tended to use specific tools to prioritize patches based on cyber-risk.

However, those that based their decisions on which vulnerabilities to prioritize based mainly on the CVSS performed worse than those organizations that simply ignored it, the report claimed.

Although the impact was less serious, there was also a correlation between using compliance requirements as a primary driver in prioritizing vulnerabilities and lower coverage rates.

“Compliance is oftentimes a necessary and important method for prioritization but using compliance as the primary remediation tactic correlated with reduction of overall coverage of high-risk vulnerabilities,” Kenna Security CTO, Ed Bellis, told Infosecurity.

“We believe using a remediation strategy that focuses on both the likelihood of the vulnerability being exploited along with the impact of the exploitation (high risk) to be the optimal approach. CVSS and some other methodologies are not a good measure of exploitation likelihood and can result in companies doing much more work or missing high risk vulnerabilities altogether.”

Elsewhere, the report found that companies which dedicate discrete teams to patch specific areas of the technology stack tend to fare better in vulnerability management. Defining service-level agreements (SLAs) for fixing vulnerabilities also improves the speed and overall performance of remediation, it claimed.

Bigger budgets correlated with an increased ability to remediate more bugs at a faster rate.

According to one vendor, over 22,000 vulnerabilities were publicly disclosed last year, a third of which received a CVSSv2 score of 7 or above.

A new Zero-Day in Steam client impacts over 96 million Windows users

A new zero-day vulnerability in the for Windows impacting over 96 million users was disclosed by researcher Vasily Kravets.

A news zero-day flaw in the Steam client for Windows client impacts over 96 million users. The flaw is a privilege escalation vulnerability and it has been publicly disclosed by researcher Vasily Kravets.

Kravets is one of the researchers that discovered a first zero-day flaw in the Steam client for Windows, the issue was initially addressed by Valve, but the researcher Xiaoyin Liu disclosed a bypass to the fix implemented by Valve to re-enable to issue.

Valve did not award Kravets and banned him from it bug bounty program.

Kravets decided to publicly disclose the privilege escalation that could be exploited by attackers run executables using the privilege of Steam Client Service’s  NT AUTHORITY\SYSTEM.

The expert explained that it used the BaitAndSwitch, a technique, that combines creation of links and oplocks to win TOCTOU (time of check\time of use).

The attack scenario sees hackers getting remote code execution privileges by exploiting a vulnerability in a Steam game, a Windows app, or the OS itself, then elevating privileges by triggering this second zero-day to run a malicious payload using SYSTEM permissions.

“As a result any code code could be executed with maximum privileges, this vulnerability class is called «escalation of privileges» (eop) or «local privilege escalation» (lpe). Despite any application itself could be harmful, achieving maximum privileges can lead to much more disastrous consequences.” wrote Kravetz. “For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC user’s private data — is just a small portion of what could be done. “

Kravets published the following two PoC videos for this second zero-day flaw in Steam client for Windows. He demonstrated two methods that could be exploited by attackers to gain SYSTEM permissions on any Windows system running an unpatched Steam version.

Pierluigi Paganini

(SecurityAffairs –– Stream client, zero-day)


The post A new Zero-Day in Steam client impacts over 96 million Windows users appeared first on Security Affairs.

DoS attacks against most used default Tor bridges could be very cheap

Researchers explained that carrying out attacks against the most used default Tor bridges would cost threat actors $17,000 per month.

According to security researchers Rob Jansen from the U.S. Naval Research Laboratory, and Tavish Vaidya and Micah Sherr from Georgetown University, launching denial-of-service (DoS) attacks against most commonly used default Tor bridges would cost attackers $17,000 per month.

DoS attacks could be used for preventing users to access the popular anonymizing network or to carry out attacks to de-anonymize Tor users with techniques such as traffic correlation.

For a modest sum, threat actors could target Tor bridges saturating their resources and causing significant degradation of network performance.

In a research paper presented at the 2019 USENIX Security Symposium, the experts explained that targeting the entire Tor network with a DoS attack could be very expensive, it would cost millions of dollars each month, but targeted attacks against specific Tor bridges are economically feasible.

“First, we explore an attack against Tor’s most commonly used default bridges (for censorship circumvention) and estimate that flooding those that are operational would cost $17K/mo. and could reduce client throughput by 44% while more than doubling bridge maintenance costs. Second, we explore attacks against the TorFlow bandwidth measurement system and estimate that a constant attack against all TorFlow scanners would cost $2.8K/mo. and reduce the median client download rate by 80%.” reads the paper. “Third, we explore how an adversary could use Tor to congest itself and estimate that such a congestion attack against all Tor relays would cost $1.6K/mo. and increase the median client download time by 47%. Finally, we analyze the effects of Sybil DoS and deanonymization attacks that have costs comparable to those of our attacks.”

The experts estimate that the total link capacity across the Tor network ranged from 429 to 575 Gbit/s over the year; for their research, the experts used the average of 512.73 Gbit/s this means that the attacker would spend around $10,000 per hour to use a DoS stresser service to hit each Tor relay. Overall code per month is $7.2 million. 

An attack on Tor’s most commonly used default bridges and flooding them would only cost around $17,000 per month, in this way the attackers could reduce client throughput by 44% and more than double bridge maintenance costs. 

An attack aimed at all scanners in the Tor Flow bandwidth measurement system would cost $2,800 per month and reduce the median client download rate by 80%. 

The expert discovered that threat actors could use Tor to congest itself and such kind of attack would cost $1,600 per month, resulting in the median client download time increasing by 47%. 

In order to examine the performance of the network’s bridges the experts focused on 25 default bridges that use obfs4 obfuscation protocol2, because most of Tor bridge use default bridges and obfs4.

“To test their performance, we use a modified version of Tor to download a 6 MiB file through each bridge. Surprisingly, we find that only 48% (12/25) of the obfs4 default bridges included in Tor Browser Bundle (TBB) are operational.” continues the experts. “The Tor Browser Bundle (TBB) includes a set of 38 hard-coded default bridges (as of version 8.0.3). Users who cannot directly access Tor relays can configure TBB to connect via one of these default bridges “

To compare against the performance of unlisted bridges, the experts requested 135 unlisted obfs4 bridges from the Tor Project’s bridge authority via its web and email interfaces. 95 of the acquired unlisted bridges were found to be functional.

The researchers estimate that the costs to launch a DoS attack against the 38 default bridges could be of around $31,000 per month. Considering that nation-state actors could be interested in targeting these default Tor bridges, this budget could be a good investment for them.

Experts explained that considering that 90% of bridge traffic passes through default bridges, forcing it to unlisted bridges could have a significant impact on network performance.

Tor bridges attacks

The study also compared the presented attack scenarios with launching a Sybil DoS attack, where the adversary could run Sybil relays and then arbitrarily degrade traffic performance or deny service by dropping circuits, or de-anonymize users by observing both the entry and exit points in a vulnerable circuit, and concludes that attacks on Tor bridges are more flexible and less expensive. 

“On the positive side, we find that Tor’s growth has made it more resilient at least to simple attacks: disrupting the service by na¨ıvely flooding Tor relays using stresser services is an expensive proposition and requires $7.2M/month. Unfortunately, however, several aspects of Tor’s design and rollout make it susceptible to more advanced attacks.” the researchers conclude. “We find that Tor’s bridge infrastructure is heavily dependent on a small set of fixed default bridges, the operational of which can be disrupted at a cost of $17K/month”  

Further technical details on the attack techniques are reported in the interesting analysis published by the experts.

Pierluigi Paganini

(SecurityAffairs – Tor bridges, hacking)

The post DoS attacks against most used default Tor bridges could be very cheap appeared first on Security Affairs.

What Is Deep Packet Inspection and How Does It Work?

Also known as DPI, deep packet inspection is a kind of packet filtering that evaluates the data and header of a packet that is transmitted through an inspection unit to weed out any control that is non-compliant; any viruses, spam, or intrusions; and any other defined criteria in order to block that packet from passing through the inspection point.

Deep packet inspection can also be used to redirect a packet to another destination. In other words, deep packet inspection can be used to detect, locate, categorize, reroute, or block any packets that have specific data payloads or code that was not done by conventional packet filtering. This goes beyond examining packet headers.

How Does Deep Packet Inspection Work?

Deep packet inspection is a filter for packets that is applied to Open Systems Interconnection’s application layer. It evaluates the content of a packet that goes through a specific checkpoint. It then uses the rules set up either by the organization, the service provider, or the systems administrator in order to determine what to do with the specific packet in real time.

Unlike other packet inspections that only check the header, deep packet inspection can check the contents of the packet and figure out where it came from. It can then determine what to do with it based on this information.

Deep packet inspection can also work with other applications to redirect network traffic.

Deep Packet Inspection Use Cases

Deep packet inspection can be useful in many ways. It can be used as an intrusion detection layer to help identify attacks that were able to get through the firewall.

For organizations that use laptops, deep packet inspection is an important layer for security in order to block malicious programs from entering the network. It can detect if the laptops are being used for prohibited applications.

Another great use of deep packet inspection for organizations is to identify and prioritize data coming through the network. There can be instances where there is a high volume of traffic within a network. Using DPI, it can identify high-priority messages or data, which will be passed on immediately. This feature is also useful for blocking malicious requests.

And of course, deep packet inspection can be used to prevent data leaks as well, such as from outgoing mail. It can inspect not only data coming into the network but also those leaving. By using particular rules, administrators can stop sensitive data from being transmitted out of the network.

Deep Packet Inspection Techniques

There are several techniques that an organization can use regarding deep packet inspection. These include:

  • Pattern and signature matching. It can analyze a packet using a database of known network attacks.
  • IPS Solutions. They can block detected attacks and unwanted data.
  • Protocol anomalies. Default deny can be used, where protocol definitions determine which content should be allowed through.

Challenges With Deep Packet Inspection

No technology is perfect. Although deep packet inspection has many benefits, it also carries a few challenges.

For one, while it can detect and prevent denial-of-service attacks and other similar situations, it can actually be used to carry out the same types of attacks as well.

Depending on the circumstances, deep packet inspection can actually make maintaining firewalls and other security layers of the network a bit more complicated due to the need to continuously revise and update policies for efficient use.

And since deep packet inspection dedicates resources to the firewall, it can slow down the entire network.

Also Read,

Overview of Network Security Vulnerability Assessment

Discussing Different Aspects of Next-Level Network Security

DOS Attacks and Free DOS Attacking Tools

The post What Is Deep Packet Inspection and How Does It Work? appeared first on .

The transformation of enterprise security from 2017 to 2019

Estimated reading time: 2 minutes

The nature of enterprise security is such that it continuously keeps evolving. Trends change, threats vary and morph into different entities, approaches that seem relevant get outdated in six months or sometimes even lesser. For enterprises looking to stay ahead of the curve when it comes to cybersecurity, staying stagnant is not an option. The need of the hour is to keep abreast of the latest new trends and technologies to stay safe.

Thanks to the speed of transformation, enterprise security has seen multifold changes in the last two years, some due to need and some due to necessity. These changes can be summed up through the following pointers:

A move towards a zero-trust network

More and more organizations are moving towards a zero-trust model where no one and nothing is trusted. Introduced by American market research giant, Forrester Research, the zero-trust network model eliminates the concept of a perimeter and calls for enterprises to inspect all network traffic without any classification of ‘internal’ and ‘external.’. Basically, no user or traffic is considered ‘authorized’ and all access to a specific network is governed by the same set of rules.

The evolution from 4G to 5G

In 2017, enterprise security needed to understand 4G – now, network technology has evolved to such an extent that the world is embracing 5G. It is a trend which enterprises must also embrace but at the same time, be aware of the security tradeoffs. As with the advent of any new technology, cybercriminals will also join the bandwagon to ensure they create chaos and profit. 5G will likely have different types of phones, different networks and a completely different kind of technology which will open up new vulnerabilities – early adopters should be extremely careful.

The rise of cryptojacking

An important trend which has caught the industry’s attention is the dangerous threat of cryptojacking. This is a threat which will only become more widespread as the usage of cryptocurrency increases. It works by hackers sending unsuspecting targeted emails with malicious code in them -or they embed this code into sketchy websites. The attack succeeds if malicious code is accessed by unsuspecting users – this malicious code works in the background, silently mining cryptocurrency. This takes up a lot of computer resources and can often lead to slow system performance.

Spear phishing

While phishing is a tactic that continues to be used, it has an upgraded, even more dangerous avatar, popularly known as spear phishing. In spear phishing, users get meticulously personalized emails from a trusted source or a company you’re familiar with and interact quite often. This could be as scrupulous as an email from a friend, colleague or your boss asking you for access to classified information. Attackers are now closely examining their targets and gathering as much information about them to ensure their email is as believable as possible. This is done by employing Advanced Persistent Threats (APTs) to entire systems, gathering humongous amounts of data about enterprise and customer habits, and then using this data to launch a spear-phishing campaign.

Certainly, enterprise security has seen a lot of changes in the last two years which is a natural state of affairs in this sector. It is important for enterprises to invest in solutions which continue to evolve and stay attuned to the latest cybersecurity trends to ensure they are not lagging behind. Seqrite’s range of enterprise security solutions is continuously updated to enable enterprises to remain safe from the ever-evolving threats in today’s digital age.

The post The transformation of enterprise security from 2017 to 2019 appeared first on Seqrite Blog.

Unlocking the future of blockchain innovation with privacy-preserving technologies

The origins of blockchain as many are familiar with it today can be traced back to the Bitcoin whitepaper, first published in 2008 by Satoshi Nakamoto, which offered a vision of a new financial system underscored by cryptography and trust in code. Throughout the past decade, iterations of this technological infrastructure have gradually built out a diverse industry ecosystem, allowing for use cases that extend beyond cryptocurrencies and peer-to-peer transactions. From smart contracts to asset … More

The post Unlocking the future of blockchain innovation with privacy-preserving technologies appeared first on Help Net Security.

From SmarterChild to Siri: Why AI is the competitive advantage securing businesses

The dream of an AI-influenced world is finally here. After decades of writing about it, AI has reached a point where it’s ingrained into our daily lives. From the days of SmarterChild – for many, the AIM messenger bot was the first foray into AI – to now the ubiquitous presence of the AI-enabled digital assistant such as Siri, the vision of artificial intelligence transforming
 from sci-fi to reality has come to fruition. But instead … More

The post From SmarterChild to Siri: Why AI is the competitive advantage securing businesses appeared first on Help Net Security.

Identifying vulnerable IoT devices by the companion app they use

For better or worse, connected “smart” devices are springing up like mushrooms. There is no doubt that they can be very helpful but, unfortunately, most have a slew of security vulnerabilities that could turn them into a nightmare. Until legislation catches up and manufacturers start caring about implementing security from the start, security researchers are our only hope when it comes to improving IoT security. Consequently, every approach that makes the process of identifying as … More

The post Identifying vulnerable IoT devices by the companion app they use appeared first on Help Net Security.

Identifying evasive threats hiding inside the network

There is no greater security risk to an organization than a threat actor that knows how to operate under the radar. Malicious insiders and external cybercriminals are getting savvier. They are better at blending in without tripping any alerts. They skip over tools and techniques that trigger standard security systems. How can a company tell them apart from the noise created by legitimate logins to the network that day? The answer lies in context. It … More

The post Identifying evasive threats hiding inside the network appeared first on Help Net Security.

Embrace the Chaos: An Emerging Trend in Software Engineering?

What if your job was to break things repeatedly in order to make them work better? Sounds like the dream of every curious six-year old, but it’s actually an emerging software engineering trend based in the transition from devops to devsecops. It’s designed to test systematic limitations with the goal of improving security and performance […]… Read More

The post Embrace the Chaos: An Emerging Trend in Software Engineering? appeared first on The State of Security.

Acronis True Image 2020 replicates local backups in the cloud

Acronis True Image 2020 enables users to automatically replicate local backups in the cloud – making it the first personal solution to automate the 3-2-1 backup rule that data protection experts almost universally recommend. What’s more, the Dual Protection replication feature is just one of more than 100 enhancements and new capabilities incorporated into Acronis True Image 2020 that are designed to further improve its performance, control, and security. “Considering how much we rely on … More

The post Acronis True Image 2020 replicates local backups in the cloud appeared first on Help Net Security.

Zimperium zIPS: Machine learning-based mobile phishing detection solution

Zimperium, the global leader in mobile threat defense (MTD), announced new innovative enhancements to its zIPS anti-phishing protection. zIPS is the first and only on-device, machine learning-based mobile phishing detection solution providing the flexibility to tailor protection and privacy levels by groups. zIPS anti-phishing is available for iOS and Android devices. In 2018, there were 482.5 million attempted phishing attacks, which is more than double the attacks in 2017. The 2018 Verizon Data Breach Investigations … More

The post Zimperium zIPS: Machine learning-based mobile phishing detection solution appeared first on Help Net Security.

InnoAGE SSD: First SSD with native Microsoft Azure Sphere integration

Innodisk unveiled the InnoAGE SSD, the world’s first with native Microsoft Azure Sphere integration. It enables multifunctional management for smart data analysis and updates, data security, and remote control through the cloud. “Our tight-knit collaboration with Microsoft has resulted in real innovation aimed at solving the very real challenges businesses face today,” said Innodisk President Randy Chien. “The InnoAGE SSD is the first and only hybrid solution designed solely with the AIoT architecture in mind, … More

The post InnoAGE SSD: First SSD with native Microsoft Azure Sphere integration appeared first on Help Net Security.

Companies Act to Defend Privacy of Kazakhstanis

Companies Act to Defend Privacy of Kazakhstanis

Google and Mozilla today took action to protect the online security and privacy of internet users in Kazakhstan following credible reports that the Kazakhstan government was intercepting internet traffic within the country.

report published on presented evidence that Kazakhstan’s internet providers were requiring users to download and install a government-issued certificate on all devices and in every browser in order to access the internet.

Once a user downloads the certificate, the government is able to intercept account information and passwords belonging to that user and can decrypt and read everything the user types and posts. This style of attack is known as a man-in-the-middle (MitM).

The HTTPS connections targeted by Kazakhstan’s government read like the list of websites an anxious parent might search when trying to track down their unruly teenager. They include Instagram, Facebook, Twitter, YouTube, Google Hangouts and Russian social network OK.RU. 

The Censored Planet reported stated that “although the interception is not yet occurring country-wide, it appears the government is both willing and potentially capable of widespread HTTPS interception in the near future.”

Browser companies Google and Mozilla deployed technical solutions within Chrome and Firefox to block the Kazakhstan government’s ability to intercept internet traffic within the country. 

Marshall Erwin, senior director of trust and security at Mozilla, said: “Protecting our users and the integrity of the web is the reason Firefox exists.” 

Speaking on behalf of Chrome, Parisa Tabriz, senior engineering director, said: “We will never tolerate any attempt, by any organization – government or otherwise – to compromise Chrome users’ data.”

What the Kazakhstan government lacks in subtlety when it comes to spying on the online activity of its citizens, it makes up for in persistence. 

The Kazakhstan government put in a request with Mozilla back in 2015 to have a root certificate included in the company’s trusted root store program. The request was denied when Mozilla discovered that the government intended to use the certificate to intercept users’ data. 

Undeterred, the government tried to force its citizens to manually install the certificate, but its ruse failed when organizations took legal action.  

China is Spying on Cancer Research

China is Spying on Cancer Research

The healthcare industry has many ailments: financial pressures, a lack of skilled healthcare providers, uncertainties around reform and, in many cases, an increasingly unhealthy populace. But that’s not all it has to deal with.

A new report, Beyond Compliance: Cyber Threats and Healthcare, released today by intelligence-led security company FireEye has highlighted common cyber-threats to healthcare organizations. 

The report identifies cyber-espionage as being one of the top three most-common threats. Making up the triad of terror are data theft and disruptive and destructive threats. 

An interesting finding made by FireEye was the large number of healthcare-associated databases observed for sale online between October 1, 2018, and March 31, 2019. 

The databases – the majority of which could be bought for under $2,000 – contained personally identifiable information (PII) and protected health information (PHI), such as patients' ZIP codes, email addresses, driver’s licenses and health insurance details associated with healthcare institutions in the US, the UK, Canada, Australia and India. Some data sets were on sale for as little as $200.

Luke McNamara, a principle analyst at FireEye Intelligence, said: “The large number of data sets being sold and the low prices you can purchase the sets for shows how ubiquitous access to them is.”

The report acknowledged that “buying and selling PII and PHI from healthcare institutions and providers in underground marketplaces is very common" and predicted that this scenario was unlikely to change given the data’s "utility in a wide variety of malicious activity ranging from identity theft and financial fraud to crafting of bespoke phishing lures.” 

Thefts of valuable research and mass records were observed being carried out by nation-states as well as by individuals. 

FireEye witnessed the deployment of multiple advanced persistent threat (APT) attack campaigns by several different countries, including China, Vietnam and Russia. China attracted special mention in the report for showing a particular interest in mining data linked to cancer research.  

Asked if China was the biggest culprit when it came to cyber-espionage, McNamara said: “I think so, from what we have seen over the years. They have shown the most concerted interest in the space. 

“There are well-known groups like APT 32 from Vietnam who targeted the UK and many one-offs, but China by far makes up most of the activity.”  

Healthcare organizations will continue to be attractive targets for cyber-criminals because of the nature and quantity of the data with which they are associated. At least with this report, they have some idea of what’s lurking in the shadows. 

McNamara said: “By putting this report out there we hope to get organizations to understand the range of threats out there.”

Romania is going to exclude Huawei from its 5G Network

Romania will ban Chinese giant Huawei from its 5G network, reads a joint statement signed by the Romanian and US presidents.

Romania could be the last state in order of time to ban Chinese giant Huawei from its 5G network, reads a joint statement signed by the Romanian and US presidents.

The document was signed by Romania’s Klaus Iohannis and President Donald Trump during the visit of the Romanian President to Washington.

The two states “seek to avoid the security risks that accompany Chinese investment in 5G telecommunications networks”.

Iohannis is worried by the Huawei’s possible participation in the building of the country’s 5G network, he added that the Supreme Council of National Defence (CSAT) would discuss it.

“The Romanian and American delegations also signed a memorandum of understanding on Tuesday establishing the conditions that service providers will have to fulfil to be part of the network.” reads the AFP press.

“These include the obligation not to be under the control of a third country’s government, according to Romanian news website G4Media.”

Romanian Government decided to adopt the “5G strategy for Romania” in June, the technological revolution will create 250,000 jobs and will bring in 4.7 billion euros ($5.2 billion).

The Romanian Government is going to launch a call for tenders for the country’s 5G network in the fourth quarter of this year.

Initially, the government had no intention to ban Huawei but evidently decided to accept the request of President Trump to his allies to exclude the Chinese manufacturer from their infrastructure.

In April, British Government approved a limited role for Huawei in the building of a national 5G network in the country, ignoring security concerns from senior ministers. In December, a Czech cyber-security agency warned against using Huawei and ZTE technologies because they pose a threat to state security.

The Chinese giant was already excluded by several countries from building their 5G internet networks. The United StatesAustraliaNew Zealand, and Japan announced the exclusion of Huawei technology for their 5G internet networks.

Pierluigi Paganini

(SecurityAffairs – Huawei, cyberespionage)


The post Romania is going to exclude Huawei from its 5G Network appeared first on Security Affairs.

IDG Contributor Network: Lack of cybersecurity is the biggest economic threat to the world over the next decade, CEOs say

In its 2019 CEO Imperative Study, Ernst & Young surveyed 200 global CEOs from the Forbes Global 2000 and Forbes Largest Private Companies across the Americas, Europe, the Middle East, Africa, and the Asia-Pacific region. Also interviewed were 100 senior investors from global firms that manage at least $100 billion in assets.

However, regardless of their location, CEOs, board directors and institutional investors cited national and corporate gaps in cybersecurity as the biggest threats to business growth and the global economy. Income inequality and job losses stemming from technological change came second and third in the list of threats, while ethics in artificial intelligence and climate change respectively rounded out the top five.

To read this article in full, please click here

Cisco Patches Six Critical Bugs in UCS Gear and Switches

Six bugs found in Cisco’s Unified Computing System gear and its 220 Series Smart switches can allow unauthenticated remote hackers to take over equipment.

China-linked APT41 group targets US-Based Research University

Security experts at FireEye observed Chinese APT41 APT group targeting a web server at a U.S.-based research university.

Experts at FireEye observed Chinese APT41 APT group targeting a web server at a U.S.-based research university.

The APT41 has been active since at least 2012, it was involved in both state-sponsored espionage campaigns and financially-motivated attacks since 2014. The group hit entities in several industries, including the gaming, healthcare, high-tech, higher education, telecommunications, and travel services industries.

Unlike other China-based actors, the group used custom malware in cyber espionage operations, experts observed 46 different malware families and tools in APT41 campaigns.

“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain.” states the report published by FireEye. “Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.”


FireEye experts published a detailed report on the evolution of the group’s tactics, techniques, and procedures (TTPs), they found an overlap with other known Chinese espionage operator like BARIUM and the Winnti APT groups.

APT41 leverages several techniques to carry out the initial compromise, including spearphishing, moving laterally from trusted third parties, leveraging stolen credentials.

Experts observed APT41 using spear-phishing email with attachments such as compiled HTML (.chm) files.

The arsenal of the group includes backdoors, credential stealers, keyloggers, and rootkits. The APT41 cyber espionage group also leveraged TeamViewer to deploy its malware into the targets’ compromised environment.

The attack against a publicly-accessible web server at a U.S.-based research university took place on April 2019. The hackers exploited the CVE-2019-3396 vulnerability in Atlassian Confluence Server to compromise the systems and load additional payloads, including a variant of the China Chop web shell.

The attack involved two additional files, the HIGHNOON backdoor and a rootkit, then within the next 35 minutes, the attackers used both the China Chopper web shell and the HIGHNOON backdoor to send commands to the compromised server.

“HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins.” reads the analysis published by FireEye.

Attackers used the HIGHNOON backdoor to execute a PowerShell command and download a script from PowerSploit. This script appears to be a copy of Invoke-Mimikatz post-exploitation tools, reflectively loading Mimikatz 2.0 into memory.

The hackers also conducted additional reconnaissance and downloaded two additional files, representing the dropper and encrypted/compressed payload components of the ACEHASH malware. The ACEHASH malware is a credential stealer and password dumping utility.

Summarizing the hackers were able to exploit the vulnerability in vulnerable Confluence system to execute command and deploy custom malware. While Mimikatz failed, the ACEHASH malware allowed the attackers to harvest a single credential from the system. The good news is that FireEye successfully neutralized the attack.

Pierluigi Paganini

(SecurityAffairs – APT41, hacking)

The post China-linked APT41 group targets US-Based Research University appeared first on Security Affairs.

Who’s in Town Denies Instagram Block

Who's in Town Denies Instagram Block

A tracking app has hit back against recent reports that it has been blocked on social media giants Instagram and Facebook.

An article published last Tuesday on the Business Insider website reported that Facebook recently sent a cease-and-desist letter to the company behind the app Who’s in Town and took action to disable the personal Facebook account of the app’s creator Erick Barto. 

Speaking exclusively to Infosecurity Magazine, Barto confirmed that although he had received a cease-and-desist letter from legal firm Perkins Coie representing Facebook, the Who’s in Town app was still very much active. 

Barto said: “The Who’s in Town app is still up and running and statements about Facebook blocking it are untrue. 

“I had a couple of apps in the Facebook developer dashboard that were very old from 2013. They were legacy apps in my account. Facebook closed them and they closed my Facebook account and blocked my personal Instagram account.”

Asked whether What’s in Town would be complying with the cease-and-desist letter, Barto said that the company “would reply, not comply,” in an effort to start a conversation with Facebook about the safe handling of data.

The Who’s in Town app allows users to monitor the movements of people they follow on Instagram. It works by collecting geotag data shared publicly on Instagram and displaying the data in an interactive map.

Barto designed the app to highlight the amount of data people are constantly sharing online and show how easily such data can be collected and misused. With this point now made and a cease-and-desist letter from Facebook hanging over Who’s in Town’s head, you could be forgiven for thinking the outlook for the app is somewhat bleak. According to Barto, this is not the case.   

Barto said: “We want more people to know about it because in the past with other projects we have made we have had more reach. As soon as we feel we have made our point with Who’s in Town we want to propose a solution to the problem, to work with Facebook on how to use data safely.”

Asked if he was nervous about taking Facebook on, Barto said: “Not if the outcome is worth it.”

Difference Between Data at Rest and Data in Transit

When data is actively moving from one location to another either via the internet or a private network, this is known as data in transit, or data in motion. At this state, data is considered to be less secure since it is not within your network. As such, data protection for transit is important to safeguard the data while it is moving from your storage to the cloud, for example.

Data at rest is the exact opposite of data in transit. This is data that is not actively moving and is safely stored somewhere such as a flash drive, laptop, hard drive, etc. Data protection at rest is designed to protect this data. While considered safer, it is still a high-value target for hackers and other people with malicious intent, so it is important to have proper safety measures in place.

Overall, the risk profile of data in transit and data at rest is dependent on what types of security measures are in place. Either way, it is imperative for enterprises and organizations to protect data whether it is at rest or in transit to avoid sensitive information falling into the wrong hands.

What Encryption Does for Data in Transit and Data at Rest

Data in transit and data at rest are both at risk from hackers and malicious programs, so they require protection in both states. There are several ways to protect the data, and encryption plays a major role. It is a popular tool used for data protection and for good reason, as it gets results. It is common practice to encrypt data before it is sent out, so the contents are protected. This can also be done for data at rest as well.

Best Practices

Whether in transit or at rest, if data is left unprotected, this will leave the organization at risk of an attack. There are available data protection systems and solutions to protect data at endpoints and networks.

In addition to encryption, here are other ways you can protect both data in transit and data at rest.

  • Create robust network security controls in order to help data in transit, such as firewalls that help secure networks used to transmit data.
  • Rely more on proactive security than a reactive one.
  • Make use of data protection solutions that have policies that enable user blocking, prompting, and automatic encryption for data in transit sent through email networks or moved from one storage to another.
  • Categorize and classify all types of data in the company. This helps ensure that the appropriate data protection systems and solutions are used on the right files.

When utilizing cloud storage services, it is important to evaluate the vendor to ensure that your data is protected and safe.

Data in transit, when compared to data at rest, may have different risk profiles, but that depends on t he sensitivity of the data and its value. They may then become primary targets of attackers and hackers. This is why a proactive approach to digital security is important to ensure your data’s security.

Also Read,

How to protect your sensitive data

Seven Steps to Data Loss Prevention

Common Sense Ways Of Handling Data, Digital Or Not

The post Difference Between Data at Rest and Data in Transit appeared first on .

The Cost of Dealing With a Cybersecurity Attack in These 4 Industries

A cybersecurity issue can cause unexpected costs in several different areas, which is the cost of Dealing with an attack in 4 Industries?

A cybersecurity issue can cause unexpected costs in several different areas. In addition to the monetary costs associated with things like lost productivity and improving network security to reduce the likelihood of future incidents, affected companies have to deal with the costs tied to reduced customer trust and damaged reputations.

It’s not always easy or straightforward to pinpoint the overall costs of recovering from a cyberattack. The totals also vary by industry. However, here’s some research that illuminates the various financial impacts for these four sectors.

1. Health Care

Health care is particularly vulnerable to cyberattacks. Criminals are aware that facilities typically handle large numbers of records containing exceptionally in-demand information that is 10 times more valuable on the black market than a credit card number. A report from Carbon Black showed that two-thirds of respondents said cyberattacks had gotten more sophisticated over the past year, too.

A victimized health care organization spends an average of $1.4 million to recover from a cyber incident. It also doesn’t help that many health care organizations are not promptly aware of cyberattacks. Experts say that most organizations don’t discover active cyberattacks for at least 18 months.

The longer an attack progresses without detection, the more costly the damage will likely be to fix. And, the costs go up if the health care facility does not have a cybersecurity response plan to use after an attack gets identified.

2. Retail

As people have growing opportunities to shop online, the chances for hackers to carry out lucrative cyberattacks in the retail sector also go up. Statistics from 2016 showed that the average cost per compromised retail record was $172. Some of the costs relate to hiring consultants to get to the bottom of breaches and paying fines to payment processors or credit card brands for insufficient security.

People are becoming less tolerant of retailers that have widescale data breaches. Additionally, the convenience and choice offered by online shopping increase the likelihood that if a person stops doing business with one retailer, they can probably find what they need elsewhere.

3. Manufacturing

The manufacturing industry was not always known to embrace connected technology, but that’s changing. Many brands recognize that keeping their machines connected to the internet can assist them with tracking trends, avoiding downtime and more.

One of the reasons why it’s tough to calculate a straightforward figure for cyberattacks is that there are so many related costs that may not be immediately apparent. For example, manufacturing companies can expect a cyberattack itself to cost about $1.7 million. But, other expenses can quickly stack up, including those related to lost productivity, customer churn and the need to hire extra staff members to help with cleaning up after a cyberattack.

Analysts also say that the manufacturing industry is extremely attractive to hackers. In addition to planning attacks that cause supply chain disruptions, cybercriminals may target manufacturing entities as part of nation-state attacks. Although those make up a small percentage of overall attacks, they took 500 times longer to resolve in 2017 than the previous year.

4. Finance

The very nature of the financial industry and the money it handles make the sector ripe for a cyberattack. It also tops the list of annual cybercrime costs at about $18 million.

But, the costs also vary depending on the type of attack a financial brand suffers. A report published collaboratively by two organizations showed that the average cost of a malware attack for a financial brand was $825,000. But, the expenses climb dramatically for a distributed denial of service (DDoS) attack. The expenses of those incidents are approximately $1.8 million.

The numbers of attacks on the financial industry are going up, too. Research associated with entities in the United Kingdom confirmed a five-fold increase of reported hacks on financial institutions in 2018 compared to 2017. That trend suggests that financial institutions have to be especially vigilant to protect against future attacks. Doing so often requires substantial financial resources.

Moving in a Worrying Direction

This list gives industry-specific snapshots of cybersecurity costs associated with particular industries. But, even sectors that are not on this list should be concerned about potential losses. Many cybersecurity experts agree that the expenses of cyberattacks, in general, are steadily going up.

The expenses and effort required for resolution are also impacted by the growing complexity of cybercriminals’ tactics.

Dealing with the initial aftermath of an attack is only the beginning. Companies also have to assure customers that they’ve taken steps to prevent other problems — and stay committed to that promise.

All of these aspects require significant financial investments, as well as a recognition that cyberattacks are genuine threats to tackle.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

The post The Cost of Dealing With a Cybersecurity Attack in These 4 Industries appeared first on Security Affairs.

Data Residency: A Concept Not Found In The GDPR

Are you facing customers telling you that their data must be stored in a particular location?

Be reassured: As a processor of data, we often encounter a discussion about where the data is resident, and we are often facing people certain that their data must be stored in a given country. But the truth is, most people don’t have the right answer to this legal requirement.

To understand the obligations and requirements surrounding data storage, you first need to understand the difference in concepts between “data residency” and “data localization.”

What Are Data Residency and Data Localization?

Data residency is when an organization specifies that their data must be stored in a geographical location of their choice, usually for regulatory, tax or policy reasons. By contrast, data localization is when a law requires that data created within a certain territory stays within that territory.

People arguing that data must be stored in a certain location are usually pursuing at least one of the following three objectives:

  1. To allow data protection authorities to exert more control over data retention and thereby have greater control over compliance.
  2. In the EU, it is seen as means to encourage data controllers to store and process data within the EU or within those countries deemed to have the same level of data protection as in the EU, as opposed to moving data to those territories considered to have less than “adequate” data protection regimes. The EU has issued only 13 adequacy decisions: for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, US (Privacy Shield only) and Uruguay.
  3. Finally, it is seen by some as a tool to strengthen the market position of local data center providers by forcing data to be stored in-country.

However, it is important to note that accessing personal data is considered a “transfer” under data protection law—so even if data is stored in Germany (for example), if a company has engineers in India access the data for customer service or support purposes, it has now “moved” out of Germany. Therefore, you can’t claim “residency” in Germany if there is access by a support function outside the country. Additionally, payment processing functions also sometimes occur in other countries, so make sure to consider them as well. This is an important point that is often missed or misunderstood.

Having understood the concept of data residency and data localization, the next question is, are there data residency or localization requirements under GDPR?

In short: No. GDPR does not introduce and does not include any data residency or localization obligations. There were also no data residency or localization obligations under the GDPR’s predecessor, the Data Protection Directive (95/46/EC). In fact, both the Directive and the GDPR establish methods for transferring data outside the EU.

Having said that, it is important to note that local law may impose certain requirements on the location of the data storage (e.g., Russia’s data localization law, German localization law for health and telecom data, etc.).

So, if there is no data residency or localization requirement under GDPR, can we transfer the data to other locations?

The GDPR substantially repeats the requirements of the Data Protection Directive, which states that you need to have legal transfer means if you move data outside of the EU into a jurisdiction with inappropriate safeguards (see map here). The legal transfer means are:

  • Adequacy— A decision by the EU Commission that a country has adequate protection level;
  • Binding Corporate Rules— Binding internal rules of a company to be approved by data protection authorities;
  • Standard Contractual Clauses / Model Clauses—Individually negotiated contracts between controller and processor
  • Privacy Shield— For US companies only; this is a replacement self-certification program for the Safe Harbor.

I have heard that Privacy Shield and Standard Contractual Clauses are under serious scrutiny? What is this all about?

Following the European Court of Justice decision that the EU-US Safe Harbor arrangement does not provide adequate protection for the personal data of EU data subjects, the EU and US entered into a new arrangement to enable the transfer of data (the Privacy Shield). However, a number of non-governmental organizations and privacy advocates have started legal action to seek decisions that the Privacy Shield and the EU Standard Contractual Clauses do not provide sufficient protection of data subjects’ personal data.

It remains to be seen how the European Court of Justice will decide in these cases. They are expected to rule on these matters by the end of 2019.

I have heard that the Standard Contractual Clauses/Model Clauses might be updated.  What is that all about? 

In order to protect data being transferred outside of the European Union, the Union issued three Standard Contractual Clause templates (for controller to controller transfers and for controller to processor transfers). These have not been updated since they were first introduced in 2001, 2004 and 2010, respectively. However, the European Union’s consumer commissioner, under whom privacy falls, has indicated that the EU is working on an updated version of the Standard Contractual Clauses. It remains to be seen how the Clauses will be modernized and whether the shortcomings, concerns and gripes of existing Standard Contractual Clauses will be addressed to the satisfaction of all parties.

One thing is for certain, however—the data protection space will only get more attention from here on out, and those of us working in this space will have to become more accustomed to complexities such as those surrounding Data Residency.


This blog is for information purposes only and does not constitute legal advice, contractual commitment or advice on how to meet the requirements of any applicable law or achieve operational privacy and security. It is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of applicable privacy laws, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with privacy laws or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.


The post Data Residency: A Concept Not Found In The GDPR appeared first on McAfee Blogs.

How to avoid the security mistakes that cost an estate agency £80,000 in fines

Last month, Life at Parliament View was fined £80,000 by the ICO (Information Commissioner’s Office) after security errors exposed 18,610 customers’ personal data for almost two years.

The incident occurred when the London-based estate agency transferred personal data from its server to a partner organisation but failed to implement access controls.

This meant that tenants’ and landlords’ bank statements, salary details, passport information, dates of birth and addresses were publicly available online between March 2015 and February 2017, when Life at Parliament View learned of the breach.

During its investigation, the ICO discovered many security practices that contravened the DPA (Data Protection Act) 1998. Had the incident occurred after the GDPR (General Data Protection Regulation) took effect on 25 May 2018, Life at Parliament View would have faced a much higher penalty.

Unfortunately, many organisations are vulnerable to the same mistakes. So how can you be sure that your systems and processes are secure?

Anonymous access

The breach at Life at Parliament View can largely be attributed to the company’s failure to turn off ‘Anonymous Authentication’ after completing its file transfer. This caused two major security issues.

First, the information was no longer subject to any kind of access control, meaning anyone who found the database was free to view or copy the information it contained.

That’s bad enough, but it also meant that those who accessed the database did so anonymously. Life at Parliament View had no way of knowing whether the people opening or amending the database were employees doing their job or whether the information had been compromised by an unauthorised person – be it another employee or a criminal hacker.

There were other security mistakes that exacerbated the issue, like a lack of encryption and poor staff awareness training to identify security lapses, but the root cause was the lack of access controls to ensure only authorised employees could access the sensitive information in question.

What are access controls?

Put simply, access controls are measures that restrict who can view data. They consist of two elements:

  1. Authentication: a technique used to verify the identity of a user.
  2. Authorisation: determines whether a user should be given access to data.

To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers to the Cloud, external offices and beyond.

Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they’re processing. They have several options:

  • Discretionary access control: employees control the programs and files they use, and determine the permissions other users have relating to that information. It is commonly referred to as a ‘need-to-know’ access model.
  • Mandatory access control: the administrator defines the usage and access policy, which cannot be modified by users.
  • Role-based access control: provides access based on a user’s role, and applies principles such as ‘least privilege’ and ‘separation of privilege’. This means the user can access only the information that is required for their role.
  • Attribute-based access control: based on different attribute types: user attributes, attributes associated with the application, and current conditions. This provides dynamic, fine-grained access control but is also the most complex to operate.

Whichever model you adopt, it’s important to keep access to your data to a minimum, as this limits the opportunities for a criminal hacker to access your information.

Access controls and Cyber Essentials

Organisations that want understand how to implement access controls should look at Cyber Essentials, a UK government assurance scheme based on “10 Steps to Cyber Security” and administered by the NCSC (National Cyber Security Centre).

Cyber Essentials has two objectives:

  1. To set out five basic cyber security controls that can protect organisations from common cyber attacks.
  2. To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.

Access control is one of the five basic controls outlined in Cyber Essentials, along with secure configuration, boundary firewalls and Internet gateways, patch management, and malware protection.

Find out more about Cyber Essentials >>

The post How to avoid the security mistakes that cost an estate agency £80,000 in fines appeared first on IT Governance Blog.

The Sky Has Already Fallen (you just haven’t seen the alert yet)

Of course, the much-touted “Cybersecurity Skills Shortage” isn’t news to anyone, or it shouldn’t be. For seven or more years, journalists, industry analysts and practitioners have been opining about it one way or another. Analyses and opinions vary on how we have reached this impasse, my own being that this is a largely self-inflicted crisis caused by proscriptive hiring practices and unreasonable job requirements, but the outcome remains the same. We have too few people doing too much work, with too many tools and too few meaningful resources.

The typical SOC of today is drowning in a volume of alerts. In the financial world for example 60% of banks routinely deal with 100,000+ alerts every day, with 17% of them reporting 300,000+ security alerts, according to research carried out by Ovum, and this pattern is repeated across industry verticals.

There is no way that the typical Security Operations Center is staffed to the levels required to be able to triage these alerts, meaning that a large proportion of them are simply never actioned (read ignored). Of those that do eventually see a pair of eyes, it hardly seems worth the effort. An EMA report all the way back in 2017 found that analysts were spending around half an hour investigating each incident with much of the time being spent either downgrading alerts marked as critical (46%) or otherwise reprioritizing (52%) and identifying false positives (31%).

This deluge of information, coupled with a focus on small, repetitive and often manual tasks are critical components contributing to fatigue, boredom, and a feeling of powerlessness in the workplace. A recent survey carried out by Trend Micro revealed that IT teams are under significant pressure, with some of the challenges cited including prioritizing emerging threats (47%) and keeping track of a fractured security environment (43%). The survey showed that they are feeling the weight of this responsibility, with many (34%) stating that the burden they are under has led their job satisfaction to decrease over the past 12 months. It’s not just the SOC analysts either. In that same survey one third of IT executives told us that they felt completely isolated in their role.

Workplace pressure at these levels is simply not sustainable, fatigue leads to neglect, neglect to mistakes, and mistakes lead to burnout, further reducing the available talent pool and dissuading others from ever entering into the industry, it’s a vicious circle.

This security event flood is exacerbated by the fact that the majority of organizations rely on large numbers of specialized and disconnected tools. Many of the alerts that analysts are dealing with are often different views of the same object, or duplicate notifications from discrete security tools. The Ovum report I mentioned above notes that almost half their respondents (47%) told them that only one in five events is actually related to a unique security event.

In fact, Security Operations Centers are drowning in threat data, all the while thirsting for meaningful threat intelligence.

Water, water everywhere and all the boards did shrink,

Water, water everywhere nor any drop to drink.

A recent blog post by my friend and colleague Greg Young laid out his reasoning on “Why XDR is a big deal and is different from SIEM and Platforms.” And a truly mature XDR technology, with feature rich APIs, collecting, correlating, triaging, reporting and perhaps even remediating (to a certain level) must represent the direction of travel for the SOC of the near future.

We are not going to solve the skills shortage within a decade; arguably, we are not going to solve it at all, particularly if we continue to focus on filling the gap with human brains. The problem is not in the potential recruitment pipeline, it is in the actual data pipeline and that is where technology must play the lead role. An AI driven Tier I SOC platform able to scale with the continually increasing volume of data, automating and accelerating initial analysis, the creation of incident context, chasing down patient zero through an automated root cause analysis. Such a system would present the human Escalation Analysts with aggregated data in a logical attack-centric progression automating the Monitor, Prevent, Detect and Investigate roles and providing the SOC analyst with actionable threat intelligence for real Response and Remediation.

The post The Sky Has Already Fallen (you just haven’t seen the alert yet) appeared first on .

FAKE APPS!—courtesy of Agent Smith

As new mobile malware sweeps the globe, here’s how to keep your device secure.

We’re spending more and more of our lives online and for most of us the door to this digital world is our smartphone. It’s the first thing we look at when we wake up and the last thing we check at night. It’s where we do our banking and shopping, where we hang out with friends, play games to pass the time, post status updates and share photos. It’s where we watch TV, hail cabs and even consult our local doctor.

There’s just one problem: the bad guys know this and they’ve become highly skilled at making money off the back of our reliance on mobile devices. Early this month a new global Android malware campaign called Agent Smith was revealed to have compromised 25 million handsets across the globe including many in the US.

It should be another reminder to users not to take mobile security for granted. Fortunately, with a few easy steps you can make giant strides towards keeping the hackers at bay.

What is Agent Smith?

Remember the malignant agent/virus antagonist to Neo in The Matrix? Well, Agent Smith is the latest in a long line of malware campaigns designed to infect consumers’ mobile devices. It begins life embedded inside legitimate-looking applications like photo apps, gaming titles and/or adult-themed software. These are found more on popular third-party marketplaces such as 9Apps, rather than the official Google Play store, though it showed up there too.

Once a user installs one of these booby-trapped apps, the malware will get to work, exploiting vulnerabilities in the Android operating system. It extracts a list of all the legit apps that the user has installed on their phone and then sets about replacing them with identical-looking but malicious versions.

How does it affect me?

If you’re unlucky enough to have your device infected with Agent Smith, it will then go on to hijack your apps to show unwanted ads – thereby generating the hackers money. Although this doesn’t sound too catastrophic for the victim, there is the potential for the attack to get much worse. Researchers have claimed that the same malware could be used to steal sensitive information like online banking credentials from an infected device.

As of early July, Agent Smith had already infected over 302,000 mobile devices in the US. The number may be even higher today. It’s one of the biggest threats seen so far this year, but it’s by no means the only one. Attackers are always looking for ways to get malware onto consumers’ devices, and in so doing:

  • Steal log-ins for key accounts like online banking
  • Secretly mine for crypto-currency using your device, which can cause it to slow down
  • Flood your screen with pop-up adverts, making it unusable
  • Lock your device with ransomware until a fee is paid
  • Sign your device up to premium rate services which can incur heavy charges

How do I stay safe?

Google is getting better at preventing apps loaded with hidden malware from being published on its official Play Store, but there are still occasions when some sneak through. The hackers behind Agent Smith were found to have hidden malware elements on 11 apps listed on Google Play. Two of them had already reached 10 million downloads by the time Google was notified and they were withdrawn.

App downloads are also only one of several avenues where your mobile device could be at risk of attack. Others include via malicious text or IM messages, public Wi-Fi networks that you might be sharing with hackers, and even lost or stolen devices.

Here’s a quick rundown of some key steps to stay safe:

  • Stick to legitimate stores (Google Play and Apple’s App Store) – you are 23 times more likely to install a potentially harmful application (PHA) outside Play, according to Google.
  • Read the permissions requested by applications when you install them. If they seem excessive (i.e., a gaming app that wants to access your address book and microphone) then avoid. It’s better to be safe than sorry.
  • Always ensure you’re on the latest version of Android.
  • Don’t log-in to public Wi-Fi, or if you must, don’t use any sensitive accounts (email, banking etc) until you get back onto a private and secure network. Otherwise, use a WiFi VPN, like Trend Micro WiFi Protection.
  • Ensure your device has a remote lock and wipe feature switched on, to sign out of accounts and wipe the device if it is lost or stolen.
  • Don’t brick/jailbreak the device as this can expose it to security risks.
  • Be cautious – you may be more likely to click on phishing links in emails, texts, and via social channels when on the move as you could be distracted and/or in a rush.
  • Run anti-malware on your mobile device, from reputable company like Trend Micro.

How can Trend Micro help?

The last recommendation is non-trivial. Trend Micro offers customers comprehensive anti-malware capabilities via Trend Micro Mobile Security (TMMS), which provides protection from malicious apps via the Mobile App Reputation Service (MARS).

With Agent Smith, there are two malicious parts: the Agent Smith malware itself and the doppelganger apps that it creates on victim devices to replace the legitimate ones. MARS/TMMS detects both. On Google Play, the MARS/TMMS pre-install scan will detect Agent Smith before it installs. (This same function will prevent you from downloading other malicious apps to your device.) Otherwise, both Agent Smith (installed from a 3rd-party store) or the doppelganger apps it creates will trigger the real-time scan in MARS/TMMS and warn you the apps are not safe, so you can delete them from your device.

Among its other features, Trend Micro Mobile Security also:

  • Blocks dangerous websites
  • Checks if public WiFi connections are safe
  • Guards financial and commercial apps
  • Optimizes your device’s performance
  • Protects your kids’ devices with parental controls
  • Protects your privacy on social media
  • Provides lost device protection.

Used in conjunction with Trend Micro Password Manager, for securing and managing your passwords, and Trend Micro WiFi Protection, for keeping you save on public WiFi, Trend Micro Mobile Security can help keep your mobile device—both you and your identity—safe from threats like Agent Smith and countless others.

The post FAKE APPS!—courtesy of Agent Smith appeared first on .

Heimdal Security Is a Finalist for Computing Security Awards 2019 in Three Categories!

Thanks to you and your continuous support, our cybersecurity solutions were nominated and chosen as finalists for the Computing Security Awards 2019 edition! Among other nominees of great renown, we are proud and excited to be chosen among the people who make online security easier to achieve.

We have been deemed finalists in three different award categories:

  • Anti-Malware Solution of the Year, with Thor Vigilance;
  • Network Security Solution of the Year, with Thor Foresight;
  • Anti-Ransomware / Anti-Ddos Solution of the Year, with Thor Foresight;

We want to thank you for your support so far and for walking along with us on this exciting journey. Each time you used one of our cybersecurity solutions or read and shared our blog stories or studies, you helped bring us one step closer to where we are today.

Vote for us

If you want to support us further, please vote for us on each of the categories where we are finalists in. Just click on the ‘Vote for Us!’ button above and you’ll be taken to the Computing Security Awards 2019 portal.

The voting closes on October 8th, so please cast your votes until then. 

After entering your details, you can vote for your favorite solution in each of the categories featured. By following the link above, our products will be automatically selected, but you can change your options, of course, should you wish. We hope not, though! 🙂

After you select your favorites for each award category (scroll down to see the rest), don’t forget to click the ‘Submit’ button. Only then will your answers be recorded.

screenshot of voting process in computing security awards 2019

Don’t forget to click the ‘Submit’ button after voting your faves in each category.

Thank you, everyone, again and fingers crossed!

Vote for us

In any case, we are excited and grateful to have made it this far. Being finalists in this competition overjoys us, and it encourages everyone on our team to keep trying our best.

The post Heimdal Security Is a Finalist for Computing Security Awards 2019 in Three Categories! appeared first on Heimdal Security Blog.

How Your Company Can Prevent a Cyberattack

Capital One’s announcement of a hack that affected more than 100 million people should have you asking not what, but who’s in your wallet. The company estimated a year-one expense ranging from $100-$150 million. Equifax settled recently on a penalty of more than $700 million. Getting cyber wrong is expensive.

Getting cyber wrong–i.e., all the ways that can become manifest–is of course also complex. There will soon be more than 30 billion connected devices “out there’ in consumer hands, on their wrists, in their laps, cars, kitchens, walls, and, yes, at work–in short, IoT is everywhere, our connectables almost always go with us.

Okay, so the obvious metaphor everyone is used to is the vectors of a virus on the move. The president catches a bug in North Korea, and next thing you know everyone at Mar-a-Lago has it. Rachel Maddow catches a cold while fly-fishing on the Housatonic, and next thing you know the whole Democratic establishment has it. Bob from accounting goes on vacation with his laptop, and the next thing you know, millions of customers get hacked.

Bob, you’re fired.

It’s All About Attackable Surface

Tortoises have cyber down pat, both for real and metaphorically. Ever heard about a tortoise getting hacked? The reason you haven’t is because there’s nothing to get.

Tortoises have no finances and, taken as a genus, they rarely have names and social media accounts. When they do have names and Instagram accounts, there’s a hackable human somewhere nearby. Tortoises are not the problem.

If only our employees had the cyber equivalent of what tortoises have. What’s not to like about a having a hard shell? Better, what about one into which one can retract all their vulnerable areas? They also move slow, which in fable allowed at least one of them to beat a hare in a foot race. Among other things, this slowness means fewer clicked links in phishing emails.

Tortoises have a lot of what it takes to be cybersafe–though admittedly in an environment where things have to get done, often quickly, they don’t make the most attractive choice for corporate spirit animal.

Cyber Is a Marathon, Not a Sprint

So, the order of the day is for sure not something like, “Consumers and businesses alike: Be the tortoise!” Not quite. The turtle is to the cybersecurity of your enterprise what campaign slogans like “Make America Great Again” or “Yes We Can” are to the country. I mean, let’s face it, tortoises are not renowned for their earning capacity. That said, they can be inspirational–or at least aspirational. They can help us think about what good cyber looks like.

My marketing department would do a facepalm if I were to recommend courses that you can offer employees to improve their cybersecurity practices, because I own a company that is dedicated to helping companies and individuals stay as safe as possible in our current state of persistent threat. That said, there are some guiding principles of cybersecurity, particularly in the workplace, that I will share with you. They are at the bedrock of our practice, because they work.

Choices? There’s Really Only One

There is a critical mass of options out there for cybersecurity employee training, online and otherwise. By now, we should expect to be seeing puppet shows on the dangers of phishing.

All that aside, the best solution is free. It is creating a culture of cyber threat awareness and best practices. As Peter Drucker once said, “Culture eats strategy for breakfast.”

While I am only going to name one here, there are programs–both for-profit and public advocacy based–that help small and medium-sized businesses learn to be safer and more secure. A non-profit called the National Cyber Security Alliance offers a series of in-person, highly interactive and easy-to-understand workshops based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

For-profit choices are legion. They may offer continuous training programs to help thwart phishing attacks and malware infections. There may be modules to go through for employees, or PowerPoint courses, or quizzes. Other programs cover specific topics, like how to navigate the web without picking up a virus, how to recognize social engineering (a fancy term for the hacking practice of luring in unsuspecting victims with links and offers of this or that slice of paradise), safe mobile practice, safe travel practices, safe email practice, and much more.

Other companies offer training courses as part of the onboarding process, and it should go without saying that at this point in the story arc of cyber insecurity, any enterprise that doesn’t secure employee devices during the onboarding process is courting disaster.

Cybersecurity Is Not a Spectacle Sport

Whether you send daily (or weekly) emails listing the latest threats or you talk about it at all-in meetings, cyber needs to be a part of everyday life to keep your enterprise as safe as possible.

The basic tasks that need to be accomplished:

1.      Phish-proof your employees. Teach employees how to recognize phishing attacks, and what happens when they occur.

2.      Foster good end-user practices. Make sure employees know what good password practices look like. Talk about computer-hygiene practices, and commonsense defenses against the threat of insider attacks.

3.      Change management. Change fosters insecurity, and that’s when we’re most vulnerable to attack. Teach employees how to manage cyber during enterprise-wide change.

And then there is the more technical stuff for your CISO, whether that person is in-house or subcontracted. Don’t have anyone playing this role? Figure it out by Monday.

All of the above is fine and good, but I think principles–creating a culture of cyber awareness–is generally more effective, which is why I favor cyber training that is aimed at minimizing, monitoring, and managing cyber risk.

While there are many products and classes out there, and many of them are no doubt workable solutions, here’s the basics of a cultural (and free) approach:

Minimize exposure.

Employees should never authenticate themselves to anyone unless they are in control of the interaction. Oversharing on social media expands one’s attackable surface. Be a good steward of passwords, safeguard any documents that can be used to hack an account or workstation, and in general stay vigilant. Attacks happen. All the time.

Monitor accounts.

A compromised employee can lead to a compromised company. One way your employees can make sure they haven’t been personally compromised is to check their credit reports religiously, keep track of their credit score, and review major accounts daily. Transaction alerts from financial services institutions and credit card companies can help. Your human resources department may want to explore the possibility of offering a credit and identity monitoring program to employees as an added benefit.

Manage the damage.

When something happens, get on top of it quickly and/or get help from professionals who can help navigate and resolve the situation–whatever it is.

Slow and steady wins this seemingly unwinnable race. Sound paradoxical? It is. Cyber security is a practice, not a product. There is no one way to solve the cybersecurity quagmire, but there are very established routes through it, and you owe it to your company to learn them and teach them to everyone you work with.

The post How Your Company Can Prevent a Cyberattack appeared first on Adam Levin.

Forced Password Reset? Check Your Assumptions

Almost weekly now I hear from an indignant reader who suspects a data breach at a Web site they frequent that has just asked the reader to reset their password. Further investigation almost invariably reveals that the password reset demand was not the result of a breach but rather the site’s efforts to identify customers who are reusing passwords from other sites that have already been hacked.

But ironically, many companies taking these proactive steps soon discover that their explanation as to why they’re doing it can get misinterpreted as more evidence of lax security. This post attempts to unravel what’s going on here.

Over the weekend, a follower on Twitter included me in a tweet sent to California-based job search site Glassdoor, which had just sent him the following notice:

The Twitter follower expressed concern about this message, because it suggested to him that in order for Glassdoor to have done what it described, the company would have had to be storing its users’ passwords in plain text. I replied that this was in fact not an indication of storing passwords in plain text, and that many companies are now testing their users’ credentials against lists of hacked credentials that have been leaked and made available online.

The reality is Facebook, Netflix and a number of big-name companies are regularly combing through huge data leak troves for credentials that match those of their customers, and then forcing a password reset for those users. Some are even checking for password re-use on all new account signups.

The idea here is to stymie a massively pervasive problem facing all companies that do business online today: Namely, “credential-stuffing attacks,” in which attackers take millions or even billions of email addresses and corresponding cracked passwords from compromised databases and see how many of them work at other online properties.

So how does the defense against this daily deluge of credential stuffing work? A company employing this strategy will first extract from these leaked credential lists any email addresses that correspond to their current user base.

From there, the corresponding cracked (plain text) passwords are fed into the same process that the company relies upon when users log in: That is, the company feeds those plain text passwords through its own password “hashing” or scrambling routine.

Password hashing is designed to be a one-way function which scrambles a plain text password so that it produces a long string of numbers and letters. Not all hashing methods are created equal, and some of the most commonly used methods — MD5 and SHA-1, for example — can be far less secure than others, depending on how they’re implemented (more on that in a moment). Whatever the hashing method used, it’s the hashed output that gets stored, not the password itself.

Back to the process: If a user’s plain text password from a hacked database matches the output of what a company would expect to see after running it through their own internal hashing process, that user is then prompted to change their password to something truly unique.

Now, password hashing methods can be made more secure by amending the password with what’s known as a “salt” — or random data added to the input of a hash function to guarantee a unique output. And many readers of the Twitter thread on Glassdoor’s approach reasoned that the company couldn’t have been doing what it described without also forgoing this additional layer of security.

My tweeted explanatory reply as to why Glassdoor was doing this was (in hindsight) incomplete and in any case not as clear as it should have been. Fortunately, Glassdoor’s chief information officer Anthony Moisant chimed in to the Twitter thread to explain that the salt is in fact added as part of the password testing procedure.

“In our [user] database, we’ve got three columns — username, salt value and scrypt hash,” Moisant explained in an interview with KrebsOnSecurity. “We apply the salt that’s stored in the database and the hash [function] to the plain text password, and that resulting value is then checked against the hash in the database we store. For whatever reason, some people have gotten it into their heads that there’s no possible way to do these checks if you salt, but that’s not true.”


You — the user — can’t be expected to know or control what password hashing methods a given site uses, if indeed they use them at all. But you can control the quality of the passwords you pick.

I can’t stress this enough: Do not re-use passwords. And don’t recycle them either. Recycling involves rather lame attempts to make a reused password unique by simply adding a digit or changing the capitalization of certain characters. Crooks who specialize in password attacks are wise to this approach as well.

If you have trouble remembering complex passwords (and this describes most people), consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.

In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember.

According to a recent blog entry by Microsoft group program manager Alex Weinert, none of the above advice about password complexity amounts to a hill of beans from the attacker’s standpoint.

Weinert’s post makes a compelling argument that as long as we’re stuck with passwords, taking full advantage of the most robust form of multi-factor authentication (MFA) offered by a site you frequent is the best way to deter attackers. has a handy list of your options here, broken down by industry.

“Your password doesn’t matter, but MFA does,” Weinert wrote. “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Glassdoor’s Moisant said the company doesn’t currently offer MFA for its users, but that it is planning to roll that out later this year to both consumer and business users.

Password managers also can be useful for those who feel encumbered by having to come up with passphrases or complex passwords. If you’re uncomfortable with entrusting a third-party service or application to handle this process for you, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop or screen or whatever, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.

Although many readers will no doubt take me to task on that last bit of advice, as in all things security related it’s important not to let the perfect become the enemy of the good. Many people (think moms/dads/grandparents) can’t be bothered to use password managers  — even when you go through the trouble of setting them up on their behalf. Instead, without an easier, non-technical method they will simply revert to reusing or recycling passwords.

Account Takeover Cases Hitting UK Courts Soar 57%

Account Takeover Cases Hitting UK Courts Soar 57%

The number of account takeover (ATO) cases going to court in the UK climbed 57% in the first half of 2019 as cybercrime continues to professionalize, according to KPMG.

The consulting giant’s biannual Fraud Barometer report has been analyzing crime trends in the UK over the past 30 years, specifically major fraud cases being heard in Crown Courts, where charges top £100,000.

It claimed hackers are using a variety of techniques to grab personal identity data which then allows them to hijack victims’ online bank and credit card accounts: across email, SMS and mobile apps.

However, the law is slowly catching up – at least when it comes to bank account takeover.

The Cyber-Attacks (Asset-Freezing) Regulations 2019 (SI 2019/956) entered into force in June, and requires banks to repay funds to customers stolen as a result of account takeover,” explained KPMG's UK head of investigations, Roy Waligora. “Whilst this is a very positive step for the customer, we all need to remain vigilant as consumers will continue to bear such costs indirectly.”

ATO is also rife across consumers’ digital lives, of course, with hackers using phishing, credential stuffing and brute forcing techniques to crack everything from email inboxes to Uber and Netflix accounts.

The report also highlighted the continued commercialization of cybercrime, facilitated by the underground economy and dark web-based partnerships.

In one case, a Tyneside man was jailed for 28 months at Newcastle Crown Court after fronting a classic tech support scam designed to trick panicked users into handing over their bank account details.

Victims lost hundreds of thousands of pounds in the international campaign, which used India-based ‘call center’ scammers.

“Although awareness or cyber-criminality has increased, with a fifth of the public believing that cybercrime is the biggest challenge facing the UK today, this hasn’t been enough to stem the tide in account takeovers,” warned Rob Norris, VP enterprise and cybersecurity at Fujitsu.

“While potential attacks are not always easy to spot, a broader education on how to detect fraudulent emails is key not just to consumers’ own finances, but their employers as well; what a consumer intentionally or not exposes themselves to at home, they are also likely to do at work. The finances of consumers and success of businesses depend on this rigorous education.”

Protecting Chrome users in Kazakhstan

When making secure connections, Chrome trusts certificates that have been locally installed on a user's computer or mobile device. This allows users to run tools to inspect and debug connections during website development, or for corporate environments to intercept and monitor internal traffic. It is not appropriate for this mechanism to be used to intercept traffic on the public internet.

In response to recent actions by the Kazakhstan government, Chrome, along with other browsers, has taken steps to protect users from the interception or modification of TLS connections made to websites.

Chrome will be blocking the certificate the Kazakhstan government required users to install:

Common Name
Qaznet Trust Network
SHA-256 Fingerprint
SHA-256 of Subject Public Key Info

The certificate has been added to CRLSet. No action is needed by users to be protected. In addition, the certificate has been added to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course.

UK Boardrooms Falling Short on Cyber Expertise

UK Boardrooms Falling Short on Cyber Expertise

More than two-thirds (67%) of UK firms believe security concerns are holding back their efforts to grow through digital innovation, with many blaming a lack of engagement at a board level, according to Ernst & Young (EY).

The global consultancy polled 175 C-suite executives at UK-based organizations, split fairly evenly between business (CEO, CFO, COO etc.) and IT (CIO, CISO) roles, in order to compile its report, Cybersecurity for competitive advantages.

While 42% claimed to be behind their competitors in adoption of new technology, cloud computing and IoT topped the list of tech perceived to pose the greatest risk to the business.

Overcoming these concerns may require closer boardroom alignment and ownership of the problem.

Some 57% of business leaders and half (50%) of technology leaders cited a lack of business sponsorship as the biggest barrier to improving their organization’s cybersecurity.

However, strategic views diverged significantly after that. Most tech leaders (58%) said that giving an individual board member overall responsibility for cybersecurity would have the greatest impact, while the majority (64%) of business leaders said the biggest gains would come from making cybersecurity more of a strategic priority.

Yet unfortunately, over half (57%) of those surveyed don’t currently have a board member with direct expertise in cybersecurity and even more (67%) don’t think one is needed.

EY’s EMEIA advisory cybersecurity leader, Mike Maddison, argued that while direct security experience may not be essential, there needs to be better understanding at a board level of cyber-related risk.

“In recent years, the rate and pace of technological advances, regulatory change, cyber-attacks and data breaches have moved cybersecurity rapidly up the corporate agenda,” he added.

“Protection and prevention are still paramount yet, to stay ahead of these evolving trends, organizations need to start thinking differently about cybersecurity. Business leaders need to make the leap from seeing cybersecurity as only a protective measure, to it also being a strategic value driver.”

Two sectors leading by example are tech, media and telecoms (TMT) and retail. TMT respondents had the highest levels of board awareness, the largest planned investments in cybersecurity and the fewest concerns around security as a barrier to tech adoption, while all retail respondents believe a “cyber-secure” brand is important for competitive advantage.

Thousands credit card numbers of MoviePass customers were exposed online

A security expert discovered that the popular movie ticket subscription service MoviePass has exposed thousands of customer card numbers and personal credit cards.

The security expert Mossab Hussein from cybersecurity firm SpiderSilk, discovered that MoviePass exposed a database containing the credit card data on one of its subdomains. The archive was containing 161 million records and the amount of data continues to grow in real-time.

The researcher discovered that the records in the database were not encrypted.

The database included both data logs and sensitive user data, such as customer card numbers. According to Techcrunch, which analyzed a sample of 1,000 records, data are authentic.

“We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated.” reported Techcrunch.


The archive contained more than 58,000 records including card data, and according to the expert, it was growing over time.

The unsecured database also contained customers’ personal credit card numbers and their expiry date, along with billing information (names and postal addresses). In some cases, available data could expose owners to frauds.

Logging data included email addresses and incorrectly typed passwords.

Hussain attempted to report his discovery to MoviePass, but he did receive any reply. The service was taken offline after TechCrunch reported the issue to the company.

TechCrunch reported that security firm RiskIQ first detected the exposed archive in late June, the database may have been exposed for months.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussein told TechCrunch. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the data set was exposed for public access by anyone,”.

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)

The post Thousands credit card numbers of MoviePass customers were exposed online appeared first on Security Affairs.

After hacking, data theft, European Central Bank closes its website

On Thursday, the European Central Bank (ECB) confirmed that the BIRD’s Web site was affected by attackers and downsized until the situation was under control.

This compromise may have resulted in the attackers collecting 481 newsletter subscribers ‘ e-mail addresses, names and positions, not their passwords.

Data breach – Malware Injection

The European Central Bank manages the euro and conducts the eurozone monetary policy.

The website of the BIRD, which provides information on how statistical and supervisory reports are produced in the banking sector, is hosted by an external provider and is physically separate from any other external and internal ECB system, according to the Bank.

The breach succeeded in injecting malware onto the external server to aid phishing activities. The external BIRD website has been closed down until further notice. Neither ECB internal systems nor market-sensitive data were affected.

The ECB reports that the violation was found during regular maintenance but it dates back to December 2018, according to Reuters. If it wasn’t for maintenance, who knows how much longer would the compromise be unnoticed.

What happen Next?

The ECB has informed the European Data Protection Supervisor of the infringement and notified the persons whose information has been compromised.

While the information is not so sensitive that it can certainly be easily collected from the websites of different organisations, a list like this is a perfect ready-made tool for spear-phishing.

Indeed, the violation of one of the ECB’s public web sites by 2014 has led to theft of similar information. The apparent aim of these attackers was to hold back the stolen data.

Also Read,

Data Breach Hits Desjardins, 2.7 Million People Affected

Chinese National Indicted For Anthem’s 2015 Massive Data Breach

Airbus Suffers Data Breach, Employees Data Accessed


The post After hacking, data theft, European Central Bank closes its website appeared first on .

Forensics in the Cloud: What You Need to Know

Cloud computing has transformed the IT industry, as services can now be deployed in a fraction of the time that it used to take. Scalable computing solutions have spawned large cloud computing companies such as Amazon Web Services (AWS), Google Cloud and Microsoft Azure. With a click of a button, personnel can create or reset […]… Read More

The post Forensics in the Cloud: What You Need to Know appeared first on The State of Security.

Being a CISO Isn’t Just About Information Security – It’s About Building a Stronger Business Strategy

Gone are the days when being a CISO (or even just ‘the security guy’) was about actual information security or IT security. Even the term IT security is outdated now, as it emphasizes a one-dimensional view of what security is really about. However, I digress… The information security element of CISO is correct, but for […]… Read More

The post Being a CISO Isn’t Just About Information Security – It’s About Building a Stronger Business Strategy appeared first on The State of Security.

Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks

Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered a weakness in the Bluetooth wireless standard that could allow attackers to intercept device keystrokes, contact lists, and other sensitive data sent from billions of devices.

The Key Negotiation of Bluetooth attack, or “KNOB” for short, exploits this weakness by forcing two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection, allowing attackers within radio range to quickly crack the key and access users’ data. From there, hackers can use the cracked key to decrypt data passed between devices, including keystrokes from messages, address books uploaded from a smartphone to a car dashboard, and photos.

What makes KNOB so stealthy? For starters, the attack doesn’t require a hacker to have any previously shared secret material or to observe the pairing process of the targeted devices. Additionally, the exploit keeps itself hidden from Bluetooth apps and the operating systems they run on, making it very difficult to spot the attack.

While the Bluetooth Special Interest Group (the body that oversees the wireless standard) has not yet provided a fix, there are still several ways users can protect themselves from this threat. Follow these tips to help keep your Bluetooth-compatible devices secure:

  • Adjust your Bluetooth settings. To avoid this attack altogether, turn off Bluetooth in your device settings.
  • Beware of what you share. Make it a habit to not share sensitive, personal information over Bluetooth.
  • Turn on automatic updates. A handful of companies, including Microsoft, Apple, and Google, have released patches to mitigate this vulnerability. To ensure that you have the latest security patches for vulnerabilities such as this, turn on automatic updates in your device settings.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks appeared first on McAfee Blogs.

A fresh, new look for the CMD+CTRL Cyber Range: Part 2

We recently launched a host of new features and improvements in our CMD+CTRL Cyber Range - new metrics, new player report cards, new hints - all with the aim of providing an experience that you’ll remember. Over the next few weeks, we’ll dive into these new features to give you an idea of what to expect. This week we’re detailing seamless event switching and tracking your performance over multiple events.

Chris Young and Ken McCray Recognized on CRN’s 2019 Top 100 Executives List

CRN, a brand of The Channel Company, recently recognized McAfee CEO Chris Young and Head of Channel Sales Operations for the Americas Ken McCray in its list of Top 100 Executives of 2019. This annual list honors technology executives who lead, influence, innovate and disrupt the IT channel.

Over the past year, Young led McAfee into the EDR space, directed the introduction of McAfee’s cloud and unified data protection offerings, and forged a partnership with Samsung to safeguard the Galaxy S10 mobile device. According to CRN, these accomplishments earned Young the number-three spot in CRN’s list of 25 Most Innovative Executives—a subset of the Top 100 list that recognizes executives “who are always two steps ahead of the competition.” Young is no stranger to the Top 100 Executives list: He also earned a place on last year’s list, when his post-spinout acquisitions led to him being named one of the Top 25 Disruptors of 2018.

Based on his work overseeing the launch of McAfee’s alternative route to market channel initiative, Ken McCray was also recognized as one of this year’s Top 100 Executives. The initiative, which has driven incremental bookings as Managed Security Partners and cloud service providers bring new customers on board, earned McCray a spot on the Top 25 IT Channel Sales Leaders of 2019. This has been an accolade-filled year for McCray: In February, he was named one of the 50 Most Influential Channel Chiefs for 2019, based on his division’s double-digit growth and the relationships he built with key cloud service providers.

The Top 100 Executives being recognized drive cultural transformation, revenue growth, and technological innovation across the IT channel. In doing so, they help solution providers and technology suppliers survive—and thrive—in today’s always-on, always-connected global marketplace.

“The IT channel is rapidly growing, and navigating this fast-paced market often challenges solution providers and technology suppliers alike,” said Bob Skelley, CEO of The Channel Company. “The technology executives on CRN’s 2019 Top 100 Executives list understand the IT channel’s potential. They provide strategic and visionary leadership and unparalleled guidance to keep the IT channel moving in the right direction—regardless of the challenges that come their way.”

We at McAfee are proud of the recognition Young and McCray have received, and look forward to seeing our company continue to thrive under their leadership.

The Top 100 Executives list is featured in the August 2019 issue of CRN Magazine and online at

The post Chris Young and Ken McCray Recognized on CRN’s 2019 Top 100 Executives List appeared first on McAfee Blogs.

Cybersecurity in Schools: What Families Need to Know

Reading Time: ~ 3 min.

Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents often assume that cybersecurity has risen as a priority for school administrators. But with many institutions struggling to modernize legacy systems, that assumption puts our children’s security at risk. Here are the top threats to cybersecurity in schools and how to protect against them, so you can send your kids out the door knowing they’re safe and secure. 

Learn how VPNs help safeguard your data and can enable private and anonymous web browsing.

Unsecured School WiFi

Many school WiFi networks are as vulnerable as any public network at a coffee shop or airport. In an attempt to secure WiFi networks in K-12 environments, many schools use pre-shared key (PSK) authentication. PSK authentication is the practice of sharing a single WiFi password with network users in order to grant access. This password often makes its way onto unauthorized devices, granting potentially malicious users access to the school’s network, and to your child’s digital footprint.

Weak Cybersecurity Practices

A school’s cybersecurity defense plan is only as strong as its weakest link, and that weak link is often the plan’s users and overseers. According to Verizon’s 2019 Data Breach Investigation Report, a startling 35% of all education sector data breaches were caused by human error. Mistakes as simple as using discontinued or out-of-date software can leave entire school systems vulnerable—even at prestigious institutions like Stanford University. Because Stanford was using discontinued software called NolijWeb, a white hat hacker was able to exploit a security flaw that left sensitive student data easily accessed through a simple change to a numeric ID in a URL. While exploring the scope of the vulnerability, 81 students’ private data was exposed, including information like Social Security numbers, citizenship status, criminal status, standardized test scores, ethnicity, and home addresses.

Targeted Cybersecurity Attacks

Due to the highly sensitive data stored within their systems, education IT infrastructure is consistently a top target for cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and 2018 alone. The threat has become a large enough issue that the FBI has released a public service announcement warning that the education sector was one of those most frequently targeted by social engineering schemes and phishing attacks. 

Beyond traditional cyber threats, schools often face a unique adversary—the students themselves. The Joint Information Systems Committee (JISC) recently conducted a survey that examined more than 850 cyberattacks against schools and concluded that a majority of those incidents had been perpetrated by students or school staff. Although an attacker who targets a school so that they won’t have to take a test may not be as costly as one that targets student data, it still can grind a school system to a halt.

How to Protect Your Student’s Cybersecurity

How can you protect your child’s cybersecurity while they are at school? Get involved. Ask the school’s administrators about their cybersecurity policy. Ask about their strength of their firewalls, their email security measures, and the amount of encryption applied to the data storage systems. If you’re not satisfied with their measures, be your child’s cybersecurity advocate.

Although you may have limited control over any school-provided devices, you can secure your child’s personal devices behind a trusted VPN (though they must know how to use it first). This will wrap your child’s data in a tunnel of encryption, protecting them from prying eyes wherever they go. In some cases, VPNs can prevent access to testing and curriculum sites on school networks, so students should know how to connect and disconnect to their VPN at will.

Most importantly, teach your child to be aware of the risks of cybercrime and how to combat them. Help them understand how a VPN and other measures can keep them safe, how to recognize phishing attacks, and why they should always be vigilant. Your child knows to wear a seatbelt when riding in someone else’s car, they should also know how to stay safe online, whether at home, school, or a friend’s house.

The key to truly protecting your children from potential cybersecurity threats is education, both for yourself and for your family. Follow us on Facebook and Twitter to stay up to date on the latest risk reports and security tips.

The post Cybersecurity in Schools: What Families Need to Know appeared first on Webroot Blog.

The Cybersecurity Playbook: Why I Wrote a Cybersecurity Book

I ruined Easter Sunday 2017 for McAfee employees the world over. That was the day our company’s page on a prominent social media platform was defaced—less than two weeks after McAfee had spun out of Intel to create one of the world’s largest pure-play cybersecurity companies. The hack would have been embarrassing for any company; it was humiliating for a cybersecurity company. And, while I could point the finger of blame in any number of directions, the sobering reality is that the hack happened on my watch, since, as the CMO of McAfee, it was my team’s responsibility to do everything in our power to safeguard the image of our company on that social media platform. We had failed to do so.

Personal accountability is an uncomfortable thing. Defensive behavior comes much more naturally to many of us, including me. But, without accountability, change is hindered. And, when you find yourself in the crosshairs of a hacker, change—and change quickly—you must.

I didn’t intend to ruin that Easter Sunday for my colleagues. There was nothing I wanted less than to call my CEO and peers and spoil their holiday with the news. And, I didn’t relish having to notify all our employees of the same the following Monday. It wasn’t that I was legally obligated to let anyone know of the hack; after all, McAfee’s systems were never in jeopardy. But our brand reputation took a hit that day, and our employees deserved to know that their CMO had let her guard down just long enough for an opportunistic hacker to strike.

I tell you this story not out of self-flagellation or so that you can feel, “Hey, better her than me!” I share this story because it’s a microcosm of why I wrote a book, The Cybersecurity Playbook: How Every Leader and Employee Can Contribute to a Culture of Security.

I’m not alone in having experienced an unfortunate hack that may have been prevented had my team and I been more diligent in practicing habits to minimize it. Every day, organizations are attacked the world over. And, behind every hack, there’s a story. There’s hindsight of what might have been done to avoid it. While the attack on that Easter Sunday was humbling, the way in which my McAfee teammates responded, and the lessons we learned, were inspirational.

I realized in the aftermath that there’s a real need for a playbook that gives every employee—from the frontline worker to the board director—a prescription for strong cybersecurity hygiene. I realized that everyone can play an indispensable role in protecting her organization from attack. And, I grasped that common sense is not always common practice.

There’s no shortage of cybersecurity books available for your consumption from reputable, talented authors with a variety of experiences. You’ll find some from journalists, who have dissected some of the most legendary breaches in history. You’ll find others from luminaries, who speak with authority as being venerable forefathers of the industry. And you’ll find more still from technical experts, who decipher the intricate elements of cybersecurity in significant detail.

But, you won’t find many from marketers. So why trust this marketer with a topic of such gravity? Because this marketer not only works for a company that has its origins in cybersecurity but found herself on her heels that fateful Easter Sunday. I know what it’s like to have to respond—and respond fast—when time is not on your side and your reputation is in the hands of a hacker. And, while McAfee certainly had a playbook to act accordingly, I realized that every company should have the same.

So, whether you’re in marketing, human resources, product development, IT or finance—or a board member, CEO, manager or individual contributor—this book gives you a playbook to incorporate cybersecurity habits in your routine. I’m not so naïve as to believe that cybersecurity will become everyone’s primary job. But, I know that cybersecurity is now too important to be left exclusively in the hands of IT. And, I am idealistic to envision a workplace where sound cybersecurity practice becomes so routine, that all employees regularly do their part to collectively improve the defenses of their organization. I hope this book empowers action; your organization needs you in this fight.

Allison Cerra’s book, The Cybersecurity Playbook: How Every Leader and Employee Can Contribute to a Culture of Security, is scheduled to be released September 12, 2019 and can be preordered at

The post The Cybersecurity Playbook: Why I Wrote a Cybersecurity Book appeared first on McAfee Blogs.

One simple action you can take to prevent 99.9 percent of attacks on your accounts

There are over 300 million fraudulent sign-in attempts to our cloud services every day. Cyberattacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology. All it takes is one compromised credential or one legacy application to cause a data breach. This underscores how critical it is to ensure password security and strong authentication. Read on to learn about common vulnerabilities and the single action you can take to protect your accounts from attacks.

Animated image showing the number of malware attacks and data breaches organizations face every day. 4,000 daily ransomware attacks. 300,000,000 fraudulent sign-in attempts. 167,000,000 daily malware attacks. 81% of breaches are caused by credential theft. 73% of passwords are duplicates. 50% of employees use apps that aren't approved by the enterprise. 99.9% of attacks can be blocked with multi-factor authentication.

Common vulnerabilities

In a recent paper from the SANS Software Security Institute, the most common vulnerabilities include:

  • Business email compromise, where an attacker gains access to a corporate email account, such as through phishing or spoofing, and uses it to exploit the system and steal money. Accounts that are protected with only a password are easy targets.
  • Legacy protocols can create a major vulnerability because applications that use basic protocols, such as SMTP, were not designed to manage Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, attackers will search for opportunities to use outdated browsers or email applications to force the use of less secure protocols.
  • Password reuse, where password spray and credential stuffing attacks come into play. Common passwords and credentials compromised by attackers in public breaches are used against corporate accounts to try to gain access. Considering that up to 73 percent of passwords are duplicates, this has been a successful strategy for many attackers and it’s easy to do.

What you can do to protect your company

You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing. However, one of the best things you can do is to just turn on MFA. By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access. To learn more, read Your Pa$$word doesn’t matter.

MFA is easier than you think

According to the SANS Software Security Institute there are two primary obstacles to adopting MFA implementations today:

  1. Misconception that MFA requires external hardware devices.
  2. Concern about potential user disruption or concern over what may break.

Matt Bromiley, SANS Digital Forensics and Incident Response instructor, says, “It doesn’t have to be an all-or-nothing approach. There are different approaches your organization could use to limit the disruption while moving to a more advanced state of authentication.” These include a role-based or by application approach—starting with a small group and expanding from there. Bret Arsenault shares his advice on transitioning to a passwordless model in Preparing your enterprise to eliminate passwords.

Take a leap and go passwordless

Industry protocols such as WebAuthn and CTAP2, ratified in 2018, have made it possible to remove passwords from the equation altogether. These standards, collectively known as the FIDO2 standard, ensure that user credentials are protected end-to-end and strengthen the entire security chain. The use of biometrics has become more mainstream, popularized on mobile devices and laptops, so it’s a familiar technology for many users and one that is often preferred to passwords anyway. Passwordless authentication technologies are not only more convenient for people but are extremely difficult and costly for hackers to compromise. Learn more about Microsoft passwordless authentication solutions in a variety of form factors to meet user needs.

Convince your boss

Download the SANS white paper Bye Bye Passwords: New Ways to Authenticate to read more on guidance for companies ready to take the next step to better protect their environments from password risk. Remember, talk is easy, action gets results!

The post One simple action you can take to prevent 99.9 percent of attacks on your accounts appeared first on Microsoft Security.

How Google adopted BeyondCorp: Part 2 (devices)


This is the second post in a series of four, in which we set out to revisit various BeyondCorp topics and share lessons that were learnt along the internal implementation path at Google.

The first post in this series focused on providing necessary context for how Google adopted BeyondCorp. This post will focus on managing devices - how we decide whether or not a device should be trusted and why that distinction is necessary. Device management provides both the data and guarantees required for making access decisions by securing the endpoints and providing additional context about it.

How do we manage devices?

At Google, we use the following principles to run our device fleet securely and at scale:
  • Secure default settings at depth with central enforcement
  • Ensure a scalable process
  • Invest in fleet testing, monitoring, and phased rollouts
  • Ensure high quality data
Secure default settings

Defense in depth requires us to layer our security defenses such that an attacker would need to pass multiple controls in an attack. To uphold this defensive position at scale, we centrally manage and measure various qualities of our devices, covering all layers of the platform;

  • Hardware/firmware configuration
  • Operating system and software
  • User settings and modifications
We use automated configuration management systems to continuously enforce our security and compliance policies. Independently, we observe the state of our hardware and software. This allows us to determine divergence from the expected state and verify whether it is an anomaly.

Where possible, our platforms use native OS capabilities to protect against malicious software, and we extend those capabilities across our platforms with custom and commercial tooling.

Scalable process

Google manages a fleet of several hundred thousand client devices (workstations, laptops, mobile devices) for employees who are spread across the world. We scale the engineering teams who manage these devices by relying on reviewable, repeatable, and automated backend processes and minimizing GUI-based configuration tools. By using and developing open-source software and integrating it with internal solutions, we reach a level of flexibility that allows us to manage fleets at scale without sacrificing customizability for our users. The focus is on operating system agnostic server and client solutions, where possible, to avoid duplication of effort.

Software for all platforms is provided by repositories which verify the integrity of software packages before making them available to users. The same system is used for distributing configuration settings and management tools, which enforce policies on client systems using the open-source configuration management system Puppet, running in standalone mode. In combination, this allows us to easily scale infrastructure and management horizontally as described in more detail and with examples in one of our BeyondCorp whitepapers, Fleet Management at Scale.

All device management policies are stored in centralized systems which allow settings to be applied both at the fleet and the individual device level. This way policy owners and device owners can manage sensible defaults or per-device overrides in the same system, allowing audits of settings and exceptions. Depending on the type of exception, they may either be managed self-service by the user, require approval from appropriate parties, or affect the trust level of the affected device. This way, we aim to guarantee user satisfaction and security simultaneously.

Fleet testing, monitoring, and phased rollouts

Applying changes at scale to a large heterogeneous fleet can be challenging. At Google, we have automated test labs which allow us to test changes before we deploy them to the fleet. Rollouts to the client fleet usually follow multiple stages and random canarying, similar to common practices with service management. Furthermore, we monitor various status attributes of our fleet which allows us to detect issues before they spread widely.

High quality data

Device management depends on the quality of device data. Both configuration and trust decisions are keyed off of inventory information. At Google, we track all devices in centralized asset management systems. This allows us to not only observe the current (runtime) state of a device, but also whether it’s a legitimate Google device. These systems store hardware attributes as well as the assignment and status of devices, which lets us match and compare prescribed values to those which are observed.

Prior to implementing BeyondCorp, we performed a fleet-wide audit to ensure the quality of inventory data, and we perform smaller audits regularly across the fleet. Automation is key to achieving this, both for entering data initially and for detecting divergence at later points. For example, instead of having a human enter data into the system manually, we use digital manifests and barcode scanners as much as possible.

How do we figure out whether devices are trustworthy?

After appropriate management systems have been put in place, and data quality goals have been met, the pertinent security information related to a device can be used to establish a "trust" decision as to whether a given action should be allowed to be performed from the device.

High level architecture for BeyondCorp

This decision can be most effectively made when an abundance of information about the device is readily available. At Google, we use an aggregated data pipeline to gather information from various sources, which each contain a limited subset of knowledge about a device and its history, and make this data available at the point when a trust decision is being made.

Various systems and repositories are employed within Google to perform collection and storage of device data that is relevant to security. These include tools like asset management repositories, device management solutions, vulnerability scanners, and internal directory services, which contain information and state about the multitude of physical device types (e.g., desktops, laptops, phones, tablets), as well as virtual desktops, used by employees at the company.

Having data from these various types of information systems available when making a trust decision for a given device can certainly be advantageous. However, challenges can present themselves when attempting to correlate records from a diverse set of systems which may not have a clear, consistent way to reference the identity of a given device. The challenge of implementation has been offset by the gains in security policy flexibility and improvements in securing our data.

What lessons did we learn?
As we rolled out BeyondCorp, we iteratively improved our fleet management and inventory processes as outlined above. These improvements are based on various lessons we learned around data quality challenges.

Audit your data ahead of implementing BeyondCorp

Data quality issues and inaccuracies are almost certain to be present in an asset management system of any substantial size, and these issues must be corrected before the data can be utilized in a manner which will have a significant impact on user experience. Having the means to compare values that have been manually entered into such systems against similar data that has been collected from devices via automation can allow for the correction of discrepancies, which may interrupt the intended behavior of the system.

Prepare to encounter unforeseen data quality challenges

Numerous data incorrectness scenarios and challenging issues are likely to present themselves as the reliance on accurate data increases. For example, be prepared to encounter issues with data ingestion processes that rely on transcribing device identifier information, which is physically labeled on devices or their packaging, and may incorrectly differ from identifier data that is digitally imprinted on the device.

In addition, over reliance on the assumed uniqueness of certain device identifiers can sometimes be problematic in the rare cases where conventionally unique attributes, like serial numbers, can appear more than once in the device fleet (this can be especially exacerbated in the case of virtual desktops, where such identifiers may be chosen by a user without regard for such concerns).

Lastly, routine maintenance and hardware replacements performed on employee devices can result in ambiguous situations with regards to the "identity" of a device. When internal device components, like network adapters or mainboards, are found to be defective and replaced, the device's identity can be changed into a state which no longer matches the known inventory data if care is not taken to correctly reflect such changes. 

Implement controls to maintain high quality asset inventory

After inventory data has been brought to an acceptable correctness level, mechanisms should be put into place to limit the ability for new inaccuracies to be introduced. For example, at Google, data correctness checks have been integrated into the provisioning process for new devices so that inventory records must be correct before a device can be successfully imaged with an operating system, ensuring that the device will meet required data accuracy standards before being delivered to an employee.

Next time
In the next post in this series, we will discuss a tiered access approach, how to create rule-based trust and the lessons we’ve learned through that process.

In the meantime, if you want to learn more, you can check out the BeyondCorp research papers. In addition, getting started with BeyondCorp is now easier using zero trust solutions from Google Cloud (context-aware access) and other enterprise providers.

Thank you to the editors of the BeyondCorp blog post series, Puneet Goel (Product Manager), Lior Tishbi (Program Manager), and Justin McWilliams (Engineering Manager).

New Ransomware Attack – Texas Government agencies become Victim

Still, Ransomware attacks become a problem on local governments, and Texas discovers this first-hand. On the morning of August 16, 23 government entities reported a ransomware attack. Most were “smaller local governments,” and the State of Texas networks and systems were not hit by the Department of Information Resources.

It appears all entities that were actually or potentially impacted have been identified and notified,” DIR said. “Responders are actively working with these entities to bring their systems back online.

Texas did not name the institutions because of “security concerns.” The culprits had not been identified by security teams. However, the evidence indicated to date that a “single threat actor” was simultaneously attacking all these entities.

At this time, the evidence gathered indicates the attacks came from one single threat actor,” DIR officials said on Saturday.

Ransomware attacks usually come from criminal organizations, which are hoping to make rapid profits, even though hostile countries have reportedly used ransoms to fill their coffers. Municipal governments are sometimes primary objectives because they do not always have the resources to fight and avoid payments.

The incident is treated as a high priority. Besides, providing support to several state agencies, the case is also covered by the Homeland Security Department, the FBI, FEMA, and other federal security partners.

The attack could nevertheless spur some action. In many cases, ransomware aggressors exploit old vulnerabilities or workers who do not understand the hazards of phishing attacks (sometimes with the use of NSA tools). These are times that emphasize the importance of both modernizing government networks and educating people to prevent ransomware from infecting systems.

Also Read,

Beware of 10 Past Ransomware Attacks

Massive Ransomware Attack On Israeli Websites Foiled

Data Resolution LLC Battles Ryuk Ransomware Attack

The post New Ransomware Attack – Texas Government agencies become Victim appeared first on .

Surveillance as a Condition for Humanitarian Aid

Excellent op-ed on the growing trend to tie humanitarian aid to surveillance.

Despite the best intentions, the decision to deploy technology like biometrics is built on a number of unproven assumptions, such as, technology solutions can fix deeply embedded political problems. And that auditing for fraud requires entire populations to be tracked using their personal data. And that experimental technologies will work as planned in a chaotic conflict setting. And last, that the ethics of consent don't apply for people who are starving.

OpenSAT19 Workshop

The workshop is for developers to share their experiences with Speech Activity Detection (SAD), Automated Speech Recognition(ASR), and Keyword Search (KWS) algorithms or systems when applied to the data

Are you taking your enterprise mobility management seriously?

Estimated reading time: 2 minutes

A stark contrast to yesteryears with strict office hours, today’s business trends are permitting employees flexibility when it comes to office hours, remote working and devices through which they can work from.

It is in this context, many leading enterprises all over the world have adapted to a Bring Your Own Device (BYOD) policy – employees can use their own devices (phones, tablets, laptops, etc.) to connect to enterprise networks and work on their deliverables.

And, employees love BYOD because –

  • Own device familiarity
  • Increased productivity
  • Ability to work in a preferred location

From an employer perspective, the cost of procuring new devices for each employee is saved which leads to higher cost savings for an enterprise.

The flipside to this otherwise brilliant arrangement is the security lapse that may occur if BYOD policy is not formulated properly. A weak BYOD policy significantly opens enterprise networks to cybersecurity challenges considering traditional enterprise security norms on devices do not apply anymore. This can snowball into a disaster!

Mentioned below are some of the common risks if enterprise mobility is jeopardized.

  1. The Risk of Data Loss

The risk of data loss rises exponentially when it comes to employees using their own devices to access and work in the business networks. Enterprises, typically are not able to deploy the same level of data controls on personal devices as they can on enterprise devices. This leaves personal devices susceptible to data loss through malware, ransomware and various other threats.

  1. Insecure usage

Personal devices are prone to be used in plenty of insecure ways if unsolicited users gain access to them- something which is difficult to do for enterprise devices in a conventional business security ecosystem. Personal devices connecting to potentially risky public Wi-Fi networks (airports, public restaurants, etc.) or shared within other people can cause huge risks to business-critical data.

  1. Personal & professional data on the same devices

An increasingly grey area in the context of BYOD, since personal devices contain both personal and professional data and are used for both professional and personal purposes, important business details are threatened. Humans commit mistakes – for instance, sending professional information accidentally to unwanted users.

  1. Increased risk of sabotage

All enterprises face the risk of sabotage by disgruntled employees – it is a serious risk with enterprises addressing it through various means. For companies permitting BYOD, the risk of sabotage through angry or dissatisfied employees is high. A former employee may still have access to company data on his/her device – leaking it to competitors or any other sources could create havoc for the company.

  1. Lost devices

Mobile devices facilitated by businesses operating in the business network can be safeguarded from a plethora of threats by applying policies such as frequent backups, encryption, etc. However, the same may always not be true for personal devices which make it a big risk in cases when employees report a theft of personal devices.

  1. Unrestricted access

All enterprises have content policies which regulate the kind of content their employees can access. While this can still be easier to regulate and moderate on work devices, it may not be possible on personal devices allowing employees to access and view all kinds of content. This opens up wider enterprise threats in the form of malware, ransomware, etc. which is notoriously hidden in unrestricted content.

The key to managing BYOD is deploying an Enterprise Mobility Management solution which understands and addresses the aforementioned risks. Enterprises can consider Seqrite mSuite which increases the productivity of enterprises by mobilizing the workforce while ensuring that critical data remains absolutely secure.

The post Are you taking your enterprise mobility management seriously? appeared first on Seqrite Blog.


When traveling, it is very easy to forget where you are when discussing business with colleagues. That airport, taxi, restaurant or hotel lobby may have individuals nearby eavesdropping on your conversation. When discussing confidential information, agree to hold off on the conversation until you can be assured of privacy. Also, be careful not to share sensitive information with strangers you meet.

Polymorphic Refers to a Malware’s Ability to Change

When it comes to malicious programs, polymorphic refers to a malware’s ability to change itself and its identifiable features in order to avoid detection. Many types of malware can take a polymorphic form, including viruses, trojans, keyloggers, bots, and many more. This technique involves continuously changing characteristics such as file name or encryption keys, so they become unrecognizable by common detection tools.

Polymorphic refers to a malware’s ability to evade pattern-matching detection techniques, which many security solutions rely on, including antivirus programs. While it can change some of its characteristics, the primary purpose of the malware remains the same. A virus, for example, would continue to infect other devices even if its signature has changed. Worst of all, even if the new signature is detected and added into a security database, the polymorphic malware can simply change again and continue avoiding detection.

Polymorphic Malware Examples

It has been found that 97% of all malware infections today make use of polymorphic techniques. New waves of tactics have been coming in since the past decade. Popular examples of how polymorphic refers to a malware’s ability to infiltrate systems are:

Storm Worm Email

There was an infamous spam email initially sent in 2007. The subject line read, “230 dead as storm batters Europe.” This email became responsible for 8% of all malware infections in the world at one point. The email’s attachment installed a win32com service, along with a trojan, once opened, which essentially transformed the computer into a bot. The reason this malware was so difficult to detect is because the malware morphed every 30 minutes, which is part of the reason that polymorphic refers to a malware’s ability to morph.

CryptoWall Ransomware

Polymorphic refers to a malware’s ability to get into your computer and stay there undetected by changing its characteristics every now and then. What made the CryptoWall Ransomware even more dangerous and difficult to detect is that it essentially changed for every user it infected, making it unique for everyone.

Threat of Polymorphic Malware

Many malware today make use of a certain polymorphic capability that renders traditional antivirus solutions quite helpless. These programs, along with firewalls and IPS, used to be enough to secure one’s device, but this advancement now beats these precautions. Many prevention methods are failing to stop polymorphic attacks, which is part of the reason that polymorphic refers to a malware’s ability to be flexible when inside a system

Best Practices Against Polymorphic Malware

Polymorphic refers to a malware’s ability to change itself. In this case, in order to protect your devices and your company, you will need to use a layered approach to security that combines people, processes, and technology. Here are best practices you can use to protect against polymorphic malware:

Update your software

This is a straightforward way to keep yourself protected. Keep all programs and tools used in the company updated. Manufacturers usually release critical security updates to patch known vulnerabilities. Using outdated software only makes your systems more open to attacks.

Password maintenance

When it comes to passwords, each employee should be required to use strong ones that contain both upper- and lower-case characters, numbers, and symbols. They should also regularly change their passwords as well.

Report suspicious emails

If an employee receives a suspicious email, this should be reported at once. Do not open emails from unknown or suspicious senders, and never open their attachments.

Use behavior-based detection tools

Polymorphic refers to a malware’s ability to change some of its characteristics in order to avoid detection by conventional tools. But you can use behavior detection in order to pinpoint threats in real time. These tools rely on patterns rather than the software itself, so it is a good defense against polymorphic malware.

Also Read,

Understanding What Is Malware Analysis

Pale Moon Archive Server Infected With Malware

WannaHydra – The Latest Malware Threat For Android Devices


The post Polymorphic Refers to a Malware’s Ability to Change appeared first on .

Climbing the Vulnerability Management Mountain: Taking the First Steps Towards Enlightenment

Just as you would map a hike or climb by creating waypoints you plan to hit each day, you must plan your vulnerability management process by creating similar goals. We call these goals Maturity Levels, from ML0 to ML5, as we defined them in the last blog. You have your asset inventory from an open-source […]… Read More

The post Climbing the Vulnerability Management Mountain: Taking the First Steps Towards Enlightenment appeared first on The State of Security.

Texas Government Agencies Hit by Ransomware

The local governments and agencies from twenty-three Texas towns were hit by a coordinated ransomware campaign last week. 

The Texas Department of Information Resources (DIR) became aware of the ransomware campaign after being contacted by the municipal governments of several towns that were unable to access critical files. The DIR has yet to identify the affected government entities and is currently working with the Texas Military Department as well as the Texas A&M Cyberresponse and Security Operation Center to investigate the attack and restore critical services where possible. 

Although the DIR has released few details about the ransomware campaign, they did confirm that it originated from a single “threat actor.” The ransomware deployed is known is .JSE and typically works by encrypting files and appending the suffix “.jse.” .JSE differs from other ransomware variants and malware in that it doesn’t leave behind a ransom message.

U.S. local governments have increasingly been targeted by ransomware campaigns, including Baltimore, Atlanta and several Florida cities. Municipal governments tend to have lower budgets for IT and cybersecurity support, and are often willing to pay ransom to be able to restore services. 

The post Texas Government Agencies Hit by Ransomware appeared first on Adam Levin.

Introducing the New Veracode Software Composition Analysis

Veracode Software Composition Analysis Announcement

Open source technology empowers developers to make software better, faster, and more efficiently as they push the envelope and delight users with desired features and functionality. This is a trend that is unlikely to fade – at least not in the foreseeable future – and has further fueled our passion for securing the world’s software. This is also why Veracode acquired SourceClear – we had a vision for the impact that integrating our software composition analysis (SCA) technologies would have on our customers’ ability to develop bold, revolutionary software using open source code – without risking their security posture.

Today, our customers have access to an industry-leading, scalable SCA solution that provides unparalleled support for SCA in DevSecOps environments through the cloud-based Veracode Application Security Platform. Veracode SCA offers a unique vulnerable method detection technology that increases the actionability of SCA scan results, as well as the ability to receive continuous alerts on new or updated vulnerabilities without rescanning an application.

Further, our solution relies on a proprietary library and vulnerability database, built using true machine learning and data mining, which has the ability to identify vulnerabilities not available in the National Vulnerability Database (NVD). In addition to CVEs, the database now also includes Reserved CVEs and No-CVEs detected with our data mining and machine learning models. These results are verified by our expert data research team for all supported languages.

Software Composition Analysis for DevSecOps Environments

Veracode SCA offers remediation guidance, SaaS-based scalability, and integration with Continuous Integration tools to provide users with visibility into all direct and indirect open source libraries in use, known and unknown vulnerabilities in those libraries, and how they impact applications, without slowing down development velocity. 

Additionally, it is the only solution in the market that offers two options to start an SCA scan that offers insight into open source vulnerabilities, library versions, and licenses:

Scan via Application Binary Upload

Through the traditional application upload process, you’re able to upload your applications or binaries to the Veracode Application Security Platform so that you can run scans via the UI or an API.

SCA scans continue to run alongside Veracode Static Analysis. During the pre-scan evaluation for static scanning, Veracode executes the SCA scan to review the application’s composition, and the results are delivered while the static scan continues. Bill of materials, scores, policy definition, and open source license detection remain available for those application upload scans.

Veracode has also added language support for applications developed in Golang, Ruby, Python, PHP, Scala, Objective-C, and Swift, in addition to the existing support for Java, JavaScript, Node.js, and .NET applications.

Agent-Based Scanning

Agent-based scanning, integrated within the Veracode Application Security Platform, enables you to scan your source code repositories directly, either manually from the command line or in a Continuous Integration pipeline. The agent-based scanning process has been enhanced to include more open source license types available for detection in open source libraries. The libraries and vulnerabilities database has been enhanced with an increase of new vulnerabilities detected, and the ability to link project scans with application profiles for policy compliance, reporting, and PDF reports. Customers using Veracode SCA agent-based scanning can conduct:

  • Vulnerable Method Detection: Pinpoint the line of code where developers can determine if their code is calling on the vulnerable part of the open source library. 
  • Auto Pull Requests: Veracode SCA identifies vulnerabilities and makes recommendations for using a safer version of the library. This feature automatically generates pull requests ready to be merged with your code in GitHub, GitHub Enterprise, or GitLab. It provides the fix for you.
  • Container Scanning: Scan Docker containers and container images for open source vulnerabilities in Linux distributions and base libraries. 

Users have the flexibility to use both scanning types for the same application. Agent-based scanning can be used during development, and a traditional binary upload scan can be conducted before the application is put into production. Scan results continue to be assessed against the chosen policy and prompt users to take action based on the results. These actions can be automated with integration to Jenkins (or another Continuous Integration tool) to either break the build because of a failed policy scan, or to simply report the failed policy.

It’s no exaggeration to say that every company is becoming a software company, and the adoption of open source is on the rise. Having clear visibility into the open source components within your application portfolio reduces the risk of breach through vulnerabilities. The new Veracode Software Composition Analysis solution helps our customers confidently use open source components without introducing unnecessary risk. 

To learn more about Veracode Software Composition Analysis, download the technical whitepaper, “Accelerating Software Development with Secure Open Source Software.”

Why Companies Need Endpoint Protection

Endpoint protection, also known as endpoint security, is a security solution that addresses malicious cyber-attacks from endpoint devices, such as zero-day exploits, inadvertent data leaks that result from human error, and other forms of attacks.

Anti-virus solutions alone cannot prevent targeted and persistent attacks, which makes endpoint protection a necessity for almost any organization that handles sensitive and protected data. It is a complementary solution for the entire security system. They provide centrally managed security for workstations, servers, and mobile devices that connect to the organization’s main network.

Endpoint Protection Platforms Used for Enterprise Security

The best and most comprehensive endpoint protection platforms are designed specifically to integrate with other IT security solutions to create a more proactive protection for the organization. This goes beyond just preventing malware attacks, as it also provides data protection capabilities, file encryption, device controls, and data loss prevention to create a comprehensive endpoint protection solution.

How Endpoint Protection Works

Enterprises and organizations are coming to terms with bring-your-own-device models in the office, which essentially means employees can use their own endpoint devices at work, including mobile phones and laptop computers. All these devices connect to the main network, and in creating and enforcing rules using endpoint protection, it is possible to protect sensitive data from unauthorized copying and transfers based on data classification.

Normally, endpoint protection would include network access control functions, which will prevent unauthorized access to the network and sensitive data contained within it. This solution would first evaluate the endpoint device that connects to the network before permitting it access, checking its applications, software, and operating system, making sure that everything is up to date and meets the pre-defined security standards of the organization. If all goes well, it is granted access. But if something is wrong and there is potential for vulnerability, it is denied and the network is not compromised.

In an enterprise environment, endpoint protection is centrally managed.

The rise in bring-your-own-device setups, along with the use of external storage devices, have created a new challenge for maintaining cybersecurity for enterprises. Greater control is necessary with the number of endpoints that can connect to the network itself, since this is a common entry point for malware and other malicious attacks that can result in stolen or compromised data.

Adequate protection is required in order to ensure the security of sensitive data in an enterprise’s network, and this is exactly what endpoint protection offers as a solution.

Related Blogs:

How Safe Is Your Endpoint From Cyber Attack

The Major Reasons for Endpoint Security Failure

Endpoint Security : Why Is Endpoint Protection Good?

The post Why Companies Need Endpoint Protection appeared first on .

Supermarket Chain Notifies Customers of Payment Card Data Incident

A supermarket chain based in the Midwestern United States notified customers of a data incident that potentially involved their payment cards. On 14 August, Hy-Vee revealed it was investigating a security incident that affected its payment systems responsible for processing transactions at its fuel pumps, drive-thru coffee shops and restaurants. Hy-Vee, which operates 245 branches […]… Read More

The post Supermarket Chain Notifies Customers of Payment Card Data Incident appeared first on The State of Security.

20 month prison sentence for British hacker who made fortune helping SIM-swap fraudsters

A teenage British hacker, who previously played a role in the infamous TalkTalk data breach, has been sentenced to 20 months in prison after pleading guilty to selling hacking services and stolen personal data for cryptocurrency.

Read more in my article on the Hot for Security blog.

How Do Threats Align With Detection And Solutions?

There are many different threats targeting many different areas of a corporate network. Have you ever wondered how those threats are stopped? What threats impact which areas of a network? What technology detects and blocks those threats? I wanted to build an interactive graphic to answer those questions.

This interactive infographic can help you understand the full ecosystem of how security works across your network, because just learning about the different threats is not enough. People need to also understand how to detect these threats and ultimately what solutions they can utilize in the different areas of their network to protect themselves and their systems and data. Now you can do all of this in one graphic that will lead you through the whole journey of discovery.

As you can see in the above graphic, the user can select different areas of their network and within each area, you can dive into the different threats targeting that area. Each threat links to our Glossary of Terms with a definition. Below you see the different threats targeting email.

As you select each threat, a pop-up window will show you all the different technologies used to detect this threat. For each technology, you can mouse over the link and a pop-up will explain how that technology works.

Finally, you will also have links to the different Trend Micro solutions that use these technologies to protect your organization from specific threats. This interactive graphic can give you a nice way to link threats to detection/protection technologies to solutions and hopefully will help you better understand the extensive breadth of capabilities to protect your organization. Go ahead and spend some time using this interactive infographic and feel free to share with your friends and colleagues.


The post How Do Threats Align With Detection And Solutions? appeared first on .