The Guardian view on Boris Johnson’s NHS plan: trading patient data | Editorial

Donald Trump has made clear he wants a post-Brexit Britain to let US tech companies and big pharma access medical records

The NHS is a goldmine of patient data which the United States wants to be quarried by some of its biggest companies. Britain’s health service is home to a unique medical dataset that covers the entire population from birth to death. Jeremy Corbyn’s NHS press conference revealed that the US wanted its companies to get unrestricted access to the UK’s medical records, thought to be worth £10bn a year. A number of tech companies – including Google – already mine small parts of the NHS store. Ministers have been treading carefully after an attempt to create a single patient database for commercial exploitation was scrapped in 2016 when it emerged there was no way for the public to work out who would have access to their medical records or how they were using them.

However, such caution might be thrown to the wind if Boris Johnson gets his way over Brexit – and patients’ privacy rights are traded away for US market access. This would be a damaging step, allowing US big tech and big pharma to collect sensitive, personal data on an unprecedented scale. Donald Trump’s officials have already made clear that this is what they are aiming for. In the leaked government records of talks between US and UK trade representatives White House officials state that “the free flow of data is a top priority” in a post-Brexit world. Trump’s team see Brexit as an opportunity “to avoid forcing companies to disclose algorithms”. The US wants the UK to drop the EU’s 2018 data law, in which individuals must be told what is happening with their medical data, even if scrubbed of personal identifiers.


SEC Xtractor – Experts released an open-source hardware analysis tool

Security and consulting company SEC Consult announced the release of an open-source hardware analysis tool dubbed SEC Xtractor

Security firm SEC Consult announced the release of an open-source hardware analysis tool dubbed SEC Xtractor. The tool was initially designed for internal use, and was then adopted for several research projects over the years.

The tool relies on an easy-to-use and configurable memory reading concept that supports multiple ways to read flash chips (e.g. NAND chips). Both the firmware and the hardware of the tool are completely open-source, which means that researchers can extend its functionality according to their needs.

The SEC Xtractor tool was initially used as a memory extraction and UART (Universal Asynchronous Receiver/Transmitter) interface project.

The experts decided to develop the tool for testing embedded devices (hardware and firmware) because many other tools available on the market did not fully meet their needs.

SEC Xtractor can be used to dump the content of NAND, NOR, SPI and I2C flash memory without needing to solder the chip.

“Most projects concluded without any solution since the chips couldn’t be inserted without soldering. This can be frustrating for those who do not want to solder SMD. Only commercial tools (that are expensive) can read memory in that way. The problem remains that they cannot read every chip. This means that different tools for different flash chips are needed and that every new part must be implemented.” reads the post published by the company.

SEC Xtractor was developed in C; the JTAG brute-forcing component is based on the JTAGenum project, and the Xmega Bootloader was used.

“Version 1.31 comes with improvements like a boot button and additional labels three years after the initial hardware version. An open-source bootloader was used to program the device via USB. No external programmer is needed to reflash the ATXmega microcontroller. The black color for the main PCB and the NAND/NOR adapters were chosen because the launch was made during Black Hat Europe 2019 Arsenal.” continues the post.


SEC Consult plans to continue maintaining the tool; it published the technical details needed to build the hardware analysis tool on GitHub.

Pierluigi Paganini

(SecurityAffairs – SEC Xtractor, hacking)

The post SEC Xtractor – Experts released an open-source hardware analysis tool appeared first on Security Affairs.

8 Takeaways: Black Hat Europe’s Closing ‘Locknote’ Panel

Fuzzing, Transparency, Bug Reporting, Security Basics and More Highlighted
Security experts speaking on the closing "locknote" panel at this year's Black Hat Europe highlighted trends from the conference, including the rise of fuzzing, simplification via the cloud and increasing vendor transparency, as well as the industry too often still failing to focus on the basics.

Security Affairs newsletter Round 243

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Data of 21 million Mixcloud users available for sale on the dark web
Google warned 12K+ users targeted by state-sponsored hackers
Twitter account of Huawei Mobile Brazil hacked
Clop Ransomware attempts to disable Windows Defender and Malwarebytes
Europol seized 30,506 Internet domain names for IP Infringement
Ohio Election Day cyber attack attempt traced to a Russian-owned company
StrandHogg Vulnerability exploited by tens of rogue Android Apps
TrueDialog database leaked online tens of millions of SMS text messages
A flaw in Microsoft OAuth authentication could lead to Azure account takeover
Experts discovered DLL hijacking issues in Kaspersky and Trend Micro solutions
Website of gunmaker Smith & Wesson hit by a Magecart attack
Mozilla removed 4 Avast and AVG extensions for spying on Firefox users
Talos experts found a critical RCE in GoAhead Web Server
Two malicious Python libraries were stealing SSH and GPG keys
China used the Great Cannon DDoS Tool against forum used by Hong Kong protestors
CyrusOne, one of the major US data center providers, hit by ransomware attack
Iran-Linked APT groups target energy, industrial sectors with ZeroCleare Wiper
The evolutions of APT28 attacks
CVE-2019-14899 flaw allows hijacking VPN connections on Linux, Unix systems
OpenBSD addresses authentication bypass, privilege escalation issues
VMware addresses ESXi issue disclosed at the Tianfu Cup hacking competition
Russia-linked Gamaredon group targets Ukraine officials
Vietnam-linked Ocean Lotus hacked BMW and Hyundai networks

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 243 appeared first on Security Affairs.

Week in review: 5G IoT security, efficient password cracking for pentesters, supply chain examination

Here’s an overview of some of last week’s most interesting news and articles:

5G IoT security: Opportunity comes with risks
Slowly but surely, 5G digital cellular networks are being set up around the world. It will take years for widespread coverage and use to be achieved, so what better time than now for finding a way to ease into it while keeping security in mind?

Cybersecurity company benefits should reduce stress but don’t
From start-ups …

The post Week in review: 5G IoT security, efficient password cracking for pentesters, supply chain examination appeared first on Help Net Security.

US authorities charged Dridex gang members for stealing over $100 Million

US DoJ charged two Russian citizens for deploying the Dridex malware and for their involvement in international bank fraud and computer hacking schemes.

The U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. Yakubets (32) and Igor Turashev (38) with distributing the infamous Dridex banking Trojan and with involvement in international bank fraud and computer hacking schemes.

The 10-count indictment charged Yakubets and Turashev with conspiracy, computer hacking, wire fraud, and bank fraud.

The 10-count indictment, unsealed today, concerns the distribution of the malware the pair used to automate the theft of sensitive financial and personal information such as banking credentials, as well as the infection of victims with ransomware in more recent attacks.

The Bugat malware is a multifunction malware package designed to automate the theft of confidential personal and financial information.

The malware implements sophisticated evasion techniques; as it was improved with new functionality, its name changed first to “Cridex” and later to “Dridex.”

“According to the indictment, Bugat is a malware specifically crafted to defeat antivirus and other protective measures employed by victims.  As the individuals behind Bugat improved the malware and added functionality, the name of the malware changed, at one point being called “Cridex,” and later “Dridex,” according to the indictment.” reads the press release published by DoJ. “Bugat malware was allegedly designed to automate the theft of confidential personal and financial information, such as online banking credentials, and facilitated the theft of confidential personal and financial information by a number of methods.  For example, the indictment alleges that the Bugat malware allowed computer intruders to hijack a computer session and present a fake online banking webpage to trick a user into entering personal and financial information.”

According to the indictment, the criminal duo used the stolen banking credentials to make unauthorized transfers from the victims’ bank accounts to bank accounts owned by “money mules.” The criminals then moved the money to other accounts or withdrew the funds and transported them overseas as smuggled bulk cash.

“For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world,” said U.S. Attorney Brady. “Deploying ‘Bugat’ malware, also known as ‘Cridex’ and ‘Dridex,’ these cybercriminals targeted individuals and companies in western Pennsylvania and across the globe in one of the most widespread malware campaigns we have ever encountered.  International cybercriminals who target Pennsylvania citizens and companies are no different than any other criminal: they will be investigated, prosecuted and held accountable for their actions.” 

Yakubets is considered the leader of the gang behind the Bugat malware and botnet, the cybercrime group known as Evil Corp, while Turashev allegedly was tasked with other functions, including system administration, management of the internal control panel, and oversight of botnet operations.

“Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft,” the U.S. Treasury Department said in a separate press release. “This malicious software has caused millions of dollars of damage to U.S. and international financial institutions and their customers.”

The U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering a reward of up to $5 million for information leading to the arrest of Yakubets.

According to the DoJ, Yakubets is also suspected of providing “direct assistance to the Russian FSB intelligence agency.”

“As of April 2018, Yakubets was in the process of obtaining a license to work with Russian classified information from the FSB.  As a result, Yakubets is also being designated pursuant to E.O. 13694, as amended, for providing material assistance to the FSB.  Additionally, as of 2017, Yakubets was tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.” continues the U.S. Treasury Department.

Before working with his Evil Corp accomplices, Yakubets also collaborated with Evgeniy Bogachev, another notorious Russian cybercriminal responsible for the distribution of the infamous Zeus, Jabber Zeus and GameOver Zeus malware.

According to the complaint, the deployment of the Zeus malware resulted in the attempted theft of an estimated $220 million USD, with actual losses of an estimated $70 million USD from victims’ bank accounts.

The Treasury Department also sanctioned other cyber criminals linked to the Evil Corp gang:

  • Denis Gusev, a senior member of Evil Corp, is also being designated today for his active role in furthering Evil Corp’s activities. Gusev also serves as the General Director for six Russia-based businesses. These entities include Biznes-Stolitsa, OOO, Optima, OOO, -Invest, OOO, TSAO, OOO, Vertikal, OOO, and Yunikom, OOO. 
  • Dmitriy Smirnov, Artem Yakubets, Ivan Tuchkov, Andrey Plotnitskiy, Dmitriy Slobodskoy, and Kirill Slobodskoy for carrying out critical logistical, technical, and financial functions such as managing the Dridex malware, supervising the operators seeking to target new victims, and laundering the proceeds derived from the group’s activities. 
  • Aleksei Bashlikov, Ruslan Zamulko, David Guberman, Carlos Alvares, Georgios Manidis, Tatiana Shevchuk, Azamat Safarov, and Gulsara Burkhonova for being part of the network of money mules who are involved in transferring stolen funds obtained from victims’ bank accounts to accounts controlled by members of Evil Corp.

Pierluigi Paganini

(SecurityAffairs – Evil Corp, Dridex)

The post US authorities charged Dridex gang members for stealing over $100 Million appeared first on Security Affairs.

The ever-evolving security landscape in Canada

By Paul Katigbak, Senior vice-president, commercial sales, Dell EMC Canada. Today, most organizations – from small businesses to large global enterprises – find themselves in the midst of a digital transformation journey. While at varying stages, these transformations are changing the way we conduct business, and store and manage data. One area of transformation that…

Ransomware at Colorado IT Provider Affects 100+ Dental Offices

A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack this week that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.

Multiple sources affected say their IT provider, Englewood, Colo.-based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service.

Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up.

The attack on CTS comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices.

Thomas Terronez, CEO of Iowa-based Medix Dental, said he’s heard from several affected practices that the attackers are demanding $700,000 in bitcoin from some of the larger victims to receive a key that can unlock files encrypted by the ransomware.

Others reported a ransom demand in the tens of thousands of dollars. In previous ransomware attacks, the assailants appear to have priced their ransom demands based on the number of workstation and/or server endpoints within the victim organization. According to CTS, its clients typically have anywhere from 10 to 100 workstations.

Terronez said he’s spoken with multiple other practices that have been sidelined by the ransomware attack, and that some CTS clients had usable backups of their data available off-site, while others have been working with third party companies to independently negotiate and pay the ransom for their practice only.

Many of CTS’s customers took to posting about the attack on a private Facebook group for dentists, discussing steps they’ve taken or attempted to take to get their files back.

“I would recommend everyone reach out to their insurance provider,” said one dentist based in Denver. “I was told by CTS that I would have to pay the ransom to get my corrupted files back.”

“My experience has been very different,” said a dental practitioner based in Las Vegas. “No help from my insurance. Still not working, great loss of income, patients are mad, staff even worse.”

Terronez said the dental industry in general has fairly atrocious security practices, and that relatively few offices are willing to spend what’s needed to fend off sophisticated attackers. He said it’s common to see servers that haven’t been patched for over a year, backups that haven’t run for a while, Windows Defender as the only point of detection, non-segmented wireless networks, and the whole staff having administrator access to the computers — sometimes all using the same or simple passwords.

“A lot of these [practices] are forced into a price point on what they’re willing to spend,” said Terronez, whose company also offers IT services to dental providers. “The most important thing for these offices is how fast can you solve their problems, and not necessarily the security stuff behind the scenes until it really matters.”

Vietnam-linked Ocean Lotus hacked BMW and Hyundai networks

Alleged Vietnamese Ocean Lotus (APT32) hackers breached the networks of the car manufacturers BMW and Hyundai to steal automotive trade secrets.

According to German media, hackers suspected to be members of the Vietnam-linked APT Ocean Lotus (APT32) group breached the networks of the car manufacturers BMW and Hyundai. The intrusion aimed at stealing automotive trade secrets.

“The attack by the alleged Vietnamese hacker group began in the spring of 2019. Last weekend, the automobile company from Munich finally took the affected computers off the grid. Previously, the group’s IT security experts had been monitoring the hackers for months. This is the result of research by the Bayerischer Rundfunk.” reported the Bayerischer Rundfunk (BR). “The hackers also targeted the South Korean car manufacturer Hyundai.”

The APT32 group, also known as OceanLotus Group, has been active since at least 2012 targeting organizations across multiple industries and foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

The APT32 used both Windows and Mac malware in its campaigns delivered to the victims via watering hole attacks, it leveraged sophisticated techniques to evade detection.

In the recent attacks against the car manufacturers, the attackers managed to deploy the “Cobalt Strike” hacking tool in the target networks.

The Cobalt Strike platform was developed for Adversary Simulations and Red Team Operations, but it has also become popular among threat actors over the past years (including APT29 and FIN7).

It is quite easy to find pirated versions of the software that were used by attackers in the wild.

The attackers set up a website that posed as BMW’s branch in Thailand; a similar technique was employed in the attack aimed at Hyundai.

Once BMW’s staff spotted the intrusion, they did not lock out the hackers; instead, they tracked them as they attempted lateral movement in the breached networks. BMW finally locked out the attackers at the end of November.

Neither BMW nor Hyundai commented on the report published by the BR media outlet.

Ocean Lotus attackers were linked to other attacks against car vendors, including Toyota Australia, Toyota Japan, and Toyota Vietnam.

Experts believe that the group is interested in stealing intellectual property for its government and in helping state-owned companies.

The German Federal Office for the Protection of the Constitution also warned of cyber espionage activities carried out by the OceanLotus cyberespionage group. 

“The OceanLotus group has already become important, and we should keep an eye on its evolution, especially because of the target range automotive industry,” said a spokeswoman.

In the summer, the German Association of the Automotive Industry (VDA) sent an e-mail to its members. The subject was: “Warning message from the Federal Office for the Protection of the Constitution about possible cyber attacks on German automobile companies.” 

Pierluigi Paganini

(SecurityAffairs – BMW, cyberespionage)

The post Vietnam-linked Ocean Lotus hacked BMW and Hyundai networks appeared first on Security Affairs.

Russia-linked Gamaredon group targets Ukraine officials

Russia-linked Gamaredon cyberespionage group has been targeting Ukrainian targets, including diplomats, government and military officials.

The Russia-linked APT group tracked as Gamaredon has been targeting several Ukrainian diplomats, government and military officials, and law enforcement.

The Gamaredon attacks against Ukraine don’t seem to have stopped. In June malware researchers from Cybaze-Yoroi spotted a new suspicious activity potentially linked to the popular APT group.

The hacking campaign confirmed that the Gamaredon operations are still ongoing and that the Kremlin has a high interest in infiltrating the East European ecosystem, especially the Ukrainian one. The experts at Cybaze confirmed that the infection patterns were similar to the other attacks spotted in early 2019, including the Matryoshka structure and the use of chained SFX archives.

The group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities dates back to 2013. This summer, CERT-UA reported several attacks attributed to the Gamaredon APT that were aimed at the Ukrainian military and law enforcement.

Back to the present, the threat intelligence firm Anomali reported a new wave of attacks that started in Mid-October 2019 and that targeted individuals and entities in Ukraine, including diplomats, government officials and employees, journalists, law enforcement, military officials and personnel, NGOs, and the Ministry of Foreign Affairs.

State-sponsored hackers launched spear-phishing attacks using weaponized documents.

The bait documents reveal malicious activity from at least September 2019 to November 25, 2019.

“This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing as of November 25, 2019.” reads the report published by Anomali. “The primary objective of this campaign, which was identified in mid-November 2019, appears to be targeting Ukrainian governmental entities. Gamaredon is using weaponized documents, sometimes retrieved from legitimate sources, as the initial infection vector.”

The experts analyzed three different lure documents: one aimed at the Dnipro Control System and discussing requirements issued by the Chief of the General Staff regarding the organization of work to improve visual agitation in subordinate areas, another produced by the NGO media watchdog Detector Media, and a third targeting the Ministry of Foreign Affairs of Ukraine.


The attackers use the template injection technique instead of documents embedding malicious VBA macros: once opened, the lure document automatically downloads a document template (.dot) from a remote location, which is executed in the background.

The document template (.dot) contains a VBA macro that runs in the background and writes a VBScript file to the startup folder.

When the machine reboots, the VBScript file is executed after sleeping for 181340 milliseconds.

Upon reboot, the VBScript performs an HTTP GET request to fetch an encrypted stage from a dynamic DNS domain. The payload, however, is only sent if the target is deemed of interest.

“A file will only be sent if the actor determines that the now-infected target is worthy of a second-stage payload, otherwise the file deletion continues on its loop to remove evidence of the actor’s activity.” continues the analysis.
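The delivery step described above (a lure document with no macro of its own that pulls a remote .dot template) leaves a recognisable trace inside the .docx package, which a defender can check for before the document is ever opened. The following is an added example written for this page, not code from Anomali's report or the actor's tooling; the sample document is constructed in memory and the template URL is a placeholder.

```python
"""Detect remote template injection in .docx files.

Word resolves the attachedTemplate relationship in word/_rels/settings.xml.rels
when the document opens. A locally installed template appears as a file:///
path; an http(s) URL or UNC path means the document reaches out to the network
for its template, which is the injection pattern to flag.
Added example for illustration; not from Anomali's report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return every network location the document would fetch a template from."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return findings  # no settings relationships at all: nothing to resolve
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        if rel.get("TargetMode", "").lower() != "external":
            continue  # reference to a part inside the package, not a fetch
        target = rel.get("Target", "")
        scheme = urlparse(target).scheme.lower()
        if scheme in ("http", "https") or target.startswith("\\\\"):
            findings.append(target)
    return findings


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal test fixture in memory (constructed sample, not a lure).

    Only the parts the detector reads are written; [Content_Types].xml is
    deliberately omitted, so this is not a valid OOXML package Word would open.
    """
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        if template_target is not None:
            z.writestr("word/settings.xml", settings)
            z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; the campaign described above used dynamic DNS domains.
    lure = build_sample_docx("http://template-host.example.invalid/lure.dot")
    print(remote_template_targets(lure))   # ['http://template-host.example.invalid/lure.dot']
    benign = build_sample_docx("file:///C:/Users/user/Templates/Normal.dotm")
    print(remote_template_targets(benign))  # []
```

Run over a mail gateway's attachment quarantine, a non-empty result is a reason to hold the document; a local file:/// template is normal Word behaviour and is not flagged.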

The experts from Anomali believe that the threat actor’s TTPs are aligned with the ones associated with the Russian hacking group Gamaredon.

“Russian-sponsored cyber capabilities have been well-documented over numerous malicious campaigns found and attributed by the security community, and this activity observed by ATR indicates the risk posed to entities by APT threat groups.” concludes Anomali. “Governments around the globe utilize campaigns for strategic purposes, and in Russia’s case, sometimes to coincide with armed forces activity.”

Pierluigi Paganini

(SecurityAffairs – cyberespionage, Gamaredon)

The post Russia-linked Gamaredon group targets Ukraine officials appeared first on Security Affairs.

Driving Efficiency and Productivity with Cisco Defense Orchestrator

Network security professionals today clearly understand that there is no longer just one perimeter surrounding the enterprise. Rather, security and network management now extend across multiple, overlapping perimeters, each of which usually has its own firewall and related network equipment.

For security teams and network admins, this translates into the need to oversee and coordinate policy on a potentially large number of separate devices. Cisco Defense Orchestrator is a cloud-based application that enables admins to consistently manage and harmonize policies across a variety of Cisco security products as well as cloud-native tools such as AWS Security Groups.

Users of Cisco Defense Orchestrator shared their experiences with the product on IT Central Station. Their reviews reveal a solution that is appreciated for its simplicity and efficiency. Users also noted that Cisco Defense Orchestrator makes their teams more productive, particularly when managing policies across Cisco ASA, FTD and Meraki MX devices.

The Simplicity of Cisco Defense Orchestrator

Cisco Defense Orchestrator is known for enabling streamlined security policy management across an extended network. As Jairo M., Network and Security Specialist at a small tech services company, explained, “The initial setup was really straightforward. If the person setting this up has knowledge of firewalls and switches, it’s pretty simple. It took about two hours for us to deploy.”

Todd E., CTO at a small tech services company, similarly noted, “In terms of visibility and getting everybody involved, it was simple, scalable, and saved them tons of time, which in turn saved them money. Its effect on firewall builds and daily management of firewalls is that it’s super-simple on new deployments.”

Efficiency in Centralization

IT Central Station members remarked that Cisco Defense Orchestrator has made their teams more efficient. According to Mohamed N., an I.T. Manager at a consumer goods company with over 5,000 employees, “This efficient, time-saving, centralized device manager is easy to deploy and requires minimal administrative IT resources.” Todd E. spoke to this point as well, noting, “The simplicity, efficiency, and effectiveness of it are valuable. It’s efficient, simple, and there’s the visibility on the security side. Deployment is fast. As a security person, I love the visibility and the ease of use when doing my upgrades.”

Team Productivity and Support for ASA, FTD and Meraki MX

Network managers and security teams want to manage security policies across multiple Cisco products, including ASA, FTD and Meraki MX devices. The outcome is consistent security across the network. Isiac S., Network Administrator at a manufacturing company with over 200 employees, praised Cisco Defense Orchestrator in this context. He said, “Its support for ASA, FTD, and Meraki MX helps maintain consistent security.”

Todd E. addressed the team productivity aspects of this capability. He said, “When it comes to making bulk changes across common tasks, like policy management and image upgrades, one of the biggest complaints that I had from a lot of network engineers, was that everything was GUI, that Cisco had gone to GUI. But they can do bulk changes on the CLI. That was a big win for them, being able to do that across all the ASAs without having to log into every single ASA and make changes. They can do a lot of bulk changes on the fly. It’s a huge time-saver.”

Other notable comments on this issue included:

  • “Its support for ASA, FTD, and Meraki MX devices could potentially free up staff to do other work, although I have not tried the FTD or the MX.” – Andreas F., Systems Engineer at a tech services company
  • “The biggest part of ROI is the improvement to the operations. Our clients with CDO are having fewer issues. Things are just not going down. People are more productive.” – Todd E.
  • “The solution has made our security team more productive because it allows us to have more people do the same kind of work, and they take less time doing it. It catches what could have been mistakes on our part.” – A Systems Architect at a university with over 1,000 employees
  • “The solution’s support for ASA, FTD, and Meraki MX devices helps free up staff time for other work.” – Jairo M.
  • “Defense Orchestrator has made my network team more productive, since it’s the network team which manages it.” – Richard B., Network and Data Centre Platform Manager at a manufacturing company with over 1,000 employees
  • “Now, with one simple click, we select the devices and set it to update on a given day, and save different configurations. It’s pretty simple and a great feature for us. Whenever we have found any problems in the devices and we want to create a new policy that applies to ten or 20 companies, we select the devices and we send the same commands to all those devices at once.” – Jairo M.

To read more Cisco Defense Orchestrator reviews, visit IT Central Station.

The post Driving Efficiency and Productivity with Cisco Defense Orchestrator appeared first on Cisco Blogs.

Challenge-based RFPs and open data keys to solving Toronto’s biggest problems, municipal leaders say

When audience members at this week’s Technicity event were asked if they were engaged with the City of Toronto on a procurement basis, out of the roughly 300 people in attendance, very few hands went up. Seeing more hands raised is one of the city’s priorities as it continues to try and connect its divisions…

‘E-Skimming’ Is Real, and It May Already Have Grabbed Your Credit Card Information

I’m going to put my one takeaway tip upfront in this article, because it’s that important: Don’t use a debit card when you’re shopping online. While debit cards provide more protections than they used to, they are still a direct conduit to your actual money–not credit–and as such it’s just a bridge too far in the current environment of scam whack-a-mole we all have to deal with this holiday season.

Now for the news.

You may have heard that the Macy’s website was breached recently. It was an e-skimming attack, and a successful one. Hackers were able to intercept customer credit card information and other sensitive personal data by injecting a bit of rogue code into the Macy’s online shopping cart.

While it’s never good news for a major retailer, especially in the middle of the post-Halloween portion of the ramp-up for the holiday season, Macy’s is by no means alone. Tens of thousands of e-commerce sites have been compromised in similar attacks linked back to a hacking group (or groups) called Magecart.

Even though the threat posed by Magecart has now triggered an FBI warning to small and medium-sized businesses, the number of targeted entities and affected customers is expected to continue to spike this holiday season.

Here’s what businesses need to know.

What is E-skimming?

When we look at a webpage we’re essentially seeing the “skin” of a complex organism. There is a patchwork of files hosted on multiple servers that deliver code written by hundreds, if not thousands, of authors making that webpage look and function the way it does. Every piece of functionality on a site made to be more appealing to customers, or to glean more meaningful data about their behavior, requires the addition of modules, plug-ins, and scripts.

Taken at face value, the ever-expanding universe of plug-in functionality is great for businesses, since only big players have the time or money to acquire custom software. From a security point of view, this very same universe is the stuff of migraine headaches. Each extra line of code included on a site expands its attackable surface, and as we’ve seen most recently with Macy’s, a single compromised file can be used to compromise an entire site.

Enter Magecart.

Magecart’s methods vary (there have been over 40 documented techniques deployed), but the broad strokes are consistent. Once a weak point has been found on an e-commerce site (common methods include phishing, or targeting outdated versions of software with known vulnerabilities), code is inserted to “eavesdrop” on any information entered by a customer and transmit that information to an offsite server.

The compromised business and the customer are none the wiser, as the attack doesn’t actually interfere with the processing of a payment card, and the first sign of trouble is usually a notification from a credit card company or bank that they suspect a fraudulent transaction.

The holiday season makes it even harder to pinpoint the source of the breach, as shoppers are likely to order from many different websites. E-skimming is easy to deploy, hard to detect, and extremely lucrative.

How Can Business Owners Avoid Getting Got?

As with any other cybersecurity threat, there’s no one way to stop e-skimming exploits, especially given Magecart’s wide-ranging bag of tricks, but there are a few things we can do to minimize the risk.

  • Stay current with patches and upgrades: It’s important for any business to keep its website up to date, but for commerce sites, it’s mission critical. Every time an e-commerce platform releases a security update, it flashes a beacon to hackers to attack, since any site that hasn’t installed the update is vulnerable.

  • Train employees: Educate employees to better recognize phishing emails, to use strong passwords and be on the lookout for anything that seems out of the ordinary.

  • Practice cyber hygiene: Implement multi-factor authentication and be sure to change the default credentials on any software or hardware.
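The injection described under “What is E-skimming?” changes something observable on the page: a script is loaded from a host the site never used, or the content of an existing inline script changes. The following is an added example, not code from the original article, of the check a site owner can run alongside the patching and hygiene steps above: it records a baseline of the scripts on a known-good checkout page and reports any deviation. The host names and page content are constructed for the example.

```python
"""Baseline-and-diff audit of the scripts on a checkout page.

Added example, not code from the original article: it flags the kind of
change an e-skimming injection produces (a script loaded from a host the
site never used, or an inline script whose content changed) by comparing a
page against a known-good baseline. Host names and page content below are
constructed for the example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script hosts and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # (host, src) for every <script src=...>
        self.inline = []        # body text of every <script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Relative URLs have no netloc; treat them as same-origin.
            host = urlparse(src).netloc.lower() or "same-origin"
            self.external.append((host, src))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # Script bodies may arrive in several chunks, so buffer them.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def sha256_text(text):
    """SHA-256 of an inline script body, ignoring surrounding whitespace."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def build_inline_baseline(html):
    """Hashes of the inline scripts on a page known to be clean."""
    parser = ScriptCollector()
    parser.feed(html)
    return {sha256_text(body) for body in parser.inline}


def audit_page(html, allowed_hosts, inline_baseline):
    """Return findings for scripts that are not in the baseline.

    Each finding is a tuple (kind, detail, context); kind is
    'unexpected-host' or 'unknown-inline'.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for host, src in parser.external:
        if host not in allowed_hosts:
            findings.append(("unexpected-host", host, src))
    for body in parser.inline:
        digest = sha256_text(body)
        if digest not in inline_baseline:
            findings.append(("unknown-inline", digest, body.strip()[:60]))
    return findings


# Constructed sample: the checkout page as deployed.
KNOWN_GOOD_PAGE = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="/static/cart.js"></script>
<script src="https://cdn.shop.example/lib/vendor.min.js"></script>
<script>window.cartTotal = 0;</script>
</body></html>"""

# Constructed sample: the same page after a tampering event. One script is
# now loaded from a host the site never used and the inline script changed.
SUSPECT_PAGE = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="/static/cart.js"></script>
<script src="https://cdn.shop.example/lib/vendor.min.js"></script>
<script src="https://static.unknown-cdn.example/a.js"></script>
<script>window.cartTotal = 0; /* constructed: content appended here */</script>
</body></html>"""

# Hosts the site legitimately loads scripts from (constructed).
ALLOWED_HOSTS = {"same-origin", "cdn.shop.example"}

if __name__ == "__main__":
    baseline = build_inline_baseline(KNOWN_GOOD_PAGE)
    for finding in audit_page(SUSPECT_PAGE, ALLOWED_HOSTS, baseline):
        print(*finding)
```

Run against the clean page the audit returns nothing; against the tampered page it reports the unknown host and the changed inline script. In practice the baseline is taken from a fresh deployment and the audit runs on a schedule against the live page, so that a change made between deployments shows up even when the payment flow still works normally, which is the reason the article gives for these attacks going unnoticed.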

What Can Consumers Do?

The debit card tip is one that’s worth putting into practice. Otherwise, the best practices here are the same as those we should have in place in general. Basically, practice what I call the Three Ms in my book Swiped.

Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit. Be careful when you click.

Monitor your accounts. Set up free transaction monitoring alerts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible.

Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises, oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

Despite an increase in the number and severity of data breaches affecting businesses, too many companies still haven’t gotten the message.

PCI compliance, the set of standards created by the payment card industry to safeguard customer financial information, has fallen for the second year in a row worldwide, and currently barely 1 in 5 businesses in the Americas are capable of passing an audit.

We’re most likely looking at the twilight of the good old days when any company could spend a minimal amount of money to get a functional shopping cart up and running. Cybersecurity is an investment in your company’s future. E-commerce sites can generate massive amounts of revenue (just ask Amazon), but they can also provide a point of entry for hackers to access a motherlode of financial information.

Let that old chestnut “forewarned is forearmed” be your watchword this holiday season.

The post ‘E-Skimming’ Is Real, and It May Already Have Grabbed Your Credit Card Information appeared first on Adam Levin.

Bernie Sanders Pledges High-Speed Internet for All

US presidential candidate Bernie Sanders today released a plan to introduce high-speed internet to every American household if he wins the 2020 election. 

The High-Speed Internet for All proposal suggests giving local and state governments $150bn in grants and aid to create publicly owned broadband networks. Of this funding, $7.5bn would be ring-fenced to "expand high-speed broadband in Indian Country and fully resource the FCC’s Office of Native Affairs and Policy."

In a statement released on his website that will likely strike a chord with voters far younger than he is, Sanders said that the internet must be treated as "a public utility that everyone deserves as a basic human right." If elected as president next year, the Vermont senator said he would roll out the plan by the end of his first term. 

The plan Sanders has drawn up involves antitrust authorities taking action to dismantle the "internet service provider and cable monopolies" that are currently in play in the US and would see the reinstatement of the net neutrality regulation that was repealed in June last year. 

Sanders said the proposal would stop the internet from operating as a "price-gouging profit machine" for service providers. Internet and cable companies would be required to put a stop to hidden fees and be more transparent in disclosing the cost of services.

Earlier today on Twitter Sanders wrote: "The internet as we know it was developed by taxpayer-funded research, using taxpayer-funded grants in taxpayer-funded labs. Our tax dollars built the internet. It should be a public good for all, not another price-gouging profit machine for Comcast, AT&T and Verizon."

With supreme confidence in his own historical significance, Sanders likened his proposal to President Franklin D. Roosevelt's campaign to bring electricity to every rural community in America. In 1933, when Roosevelt first took office, only one in ten farms in rural America was on the grid.

"Just as President Roosevelt fundamentally made America more equal by bringing electricity to every community, urban and rural, over 80 years ago, as president, I will do the same with high-speed internet," Sanders wrote on Twitter today.

In broadband deployment, the United States ranked tenth out of 22 in a 2018 comparison with European countries, and in America's rural communities, more than 31 percent of people are without broadband. 

Real Life Director of Evil Corp Indicted for 10-Year Cybercrime Spree

US and UK authorities have indicted the leader of a notorious cybercrime gang that stole $70m from bank accounts around the world using malware.

Ukrainian-born Russian national Maksim V. Yakubets allegedly headed up an organized crime syndicate that used Bugat malware—also known as Cridex and Dridex—to drain money from the customers of just under 300 organizations in 40 different countries. 

He is further accused of participating in a second scheme involving Zeus malware, which similarly used a botnet and money mules to pilfer bank accounts.   

Yakubets, who is known online primarily as Aqua, is wanted in relation to two separate international computer hacking and bank fraud schemes spanning from May 2009 to the present day. 

The 32-year-old was indicted in a US federal court on Thursday along with a fellow alleged cyber-criminal, 38-year-old Igor Turashev from Russia's Yoshkar-Ola. Turashev is wanted in connection with the deployment of Bugat malware. 

According to the UK's National Crime Agency, the organized crime syndicate of which Yakubets was the ringleader called itself Evil Corp—the nickname given to fictional multi-national conglomerate E Corp in the smash hit TV series Mr. Robot.

Yakubets allegedly ran his large-scale criminal organization from the basements of Moscow cafes, employing dozens of people. He is currently thought to be in Russia, where he is known to sport a coiffed hairdo and cruise around in a customized Lamborghini supercar with a personalized number plate that translates to "Thief." 

A reward of $5m—the largest ever to be offered for a cyber-criminal—is being offered under the Transnational Organized Crime Rewards Program for information leading to the arrest or conviction of Yakubets.  

Lynne Owens, director general of the NCA, said: "The significance of this group of cyber-criminals is hard to overstate; they have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade. We are unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions."

FBI Deputy Director David Bowdich said: "The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft. By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability."

Six Customers Affected by Ransomware Attack on CyrusOne

One of the largest data center providers in America has become the victim of a ransomware attack.

Texas company CyrusOne confirmed yesterday that an attack involving REvil (Sodinokibi) ransomware had taken place on Wednesday. Customers of the company's New York data center, located in Wappingers Falls, suffered a loss of service as a result of the incident. 

A CyrusOne spokesperson said: "Six of our managed service customers, located primarily in our New York data center, have experienced availability issues due to a ransomware program encrypting certain devices in their network.

"Our data center colocation services, including IX and IP Network Services, are not involved in this incident. Our investigation is on-going, and we are working closely with third-party experts to address this matter."

The attackers advised CyrusOne that they would decrypt one file encrypted in the ransomware attack as a show of good faith that the remaining hijacked data would be returned upon receipt of payment. 

Exactly how the attackers gained entry to the company's network is currently unknown. The attackers say they have a private key, which they claim is the only way to access the stolen information. 

CyrusOne serves thousands of customers across 48 different data centers located around the world. Among its customers are over 200 Fortune 1,000 companies. The company said that it is currently using backups to help its customers recover lost data.

This incident is not the first time that this particular strain of the Sodinokibi ransomware has been a total pain in the coco de mer. REvil was used to attack Oracle's WebLogic server in April of this year, and since then it has also been deployed against more than 400 American dental practices and over 20 Texas municipalities.

Thomas Hatch, CTO and co-founder at SaltStack, commented: "The response and remediation from CyrusOne have been excellent given its ability to restore data from backups and respond rapidly to the attack. However, this situation highlights that data center and IaaS providers are just as vulnerable to attacks as other companies. While IaaS providers generally create very secure infrastructures, there is still the liability that they can be attacked in this manner."

Researchers say VPN bug affects Linux, Unix systems

Apple, Google and Linux distribution makers are investigating a serious threat to their operating systems after security researchers said this week a vulnerability could allow an attacker to intercept traffic in a virtual private network.

The vulnerability was discovered by a team from the University of New Mexico. The researchers said an attacker able to get into an access point, or an adjacent user, could determine whether a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgment numbers in use, allowing the bad actor to inject data into the TCP stream.

“This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel,” the researchers said in a blog.

“This vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec, but has not been thoroughly tested against tor, but we believe it is not vulnerable since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace. It should be noted, however, that the VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel.”

The vulnerability has been reported to Systemd, Google, Apple, OpenVPN, and WireGuard, in addition to Linux distros. Researchers haven’t yet published a detailed paper on their findings because neither a workaround nor patches have yet been issued.

In the meantime they do suggest three mitigations to IT administrators:

1. Turn Linux reverse path filtering on. Many Linux distributions turned it off 12 months ago with the inclusion of a new version of systemd. Most of the distributions tested were vulnerable, particularly those with the new version. However, the researchers also admitted the attack works against IPv6, so turning reverse path filtering on is not a complete solution.

Also, even with reverse path filtering on strict mode the first two parts of the attack can be completed, allowing an attacker to make inferences about active connections.

2. Filter traffic for bogus IP addresses called bogons. According to Wikipedia, bogons include IP packets on the public internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR) and allowed for public Internet use.

However, the researchers say, the reserved private ranges are also the local network addresses used for VPNs and local networks, and some nations, including Iran, use the reserved private IP space as part of their public address space.

3. VPN makers could encrypt packet size and timing. Since the size and number of packets allow the attacker to bypass the encryption provided by the VPN service, the researchers think some sort of padding could be added to the encrypted packets to make them the same size. Also, since the challenge ACK per-process limit allows us to determine if the encrypted packets are challenge ACKs, allowing the host to respond with equivalent-sized packets after exhausting this limit could prevent the attacker from making this inference.
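The first two mitigations are things an administrator can check on a host today; the third is a change only the VPN implementation can make. The block below is an added example, not code from the researchers or the article, that checks the state of the first two: it reads `rp_filter` values out of `sysctl` output (a constructed sample is embedded; on a real host feed it the output of `sysctl -a`) and classifies source addresses as bogons while exempting the VPN's own subnet, which is the caveat raised above, since the private ranges a bogon filter drops are exactly the ranges VPNs and LANs use. The tunnel subnet and interface names are assumptions for the example. Note that `rp_filter` is an IPv4-only setting, which is why the researchers say it does not address the IPv6 variant of the attack.

```python
"""Checks for the reverse-path-filter and bogon-filter mitigations.

Added example, not code from the researchers or the article. It assumes
'sysctl' output is supplied as text (a constructed sample is embedded) and
that the administrator knows the VPN's own subnet, which a bogon filter must
not drop. The net.ipv4.conf.*.rp_filter keys only govern IPv4.
"""
import ipaddress
import re

# IANA special-purpose IPv4 ranges that should never be a source address on a
# public-facing interface. The RFC 1918 private ranges are included, which is
# the caveat the researchers raise about bogon filtering and VPNs.
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Matches lines such as "net.ipv4.conf.eth0.rp_filter = 1".
RP_FILTER_RE = re.compile(r"net\.ipv4\.conf\.(\S+?)\.rp_filter\s*=\s*(\d)")


def rp_filter_status(sysctl_text):
    """Map each interface (plus 'all' and 'default') to its rp_filter value.

    0 = off, 1 = strict, 2 = loose. The kernel uses the higher of the 'all'
    value and the per-interface value when validating a packet's source.
    """
    return {m.group(1): int(m.group(2)) for m in RP_FILTER_RE.finditer(sysctl_text)}


def interfaces_not_strict(sysctl_text):
    """Names whose rp_filter is anything other than 1 (strict mode)."""
    return sorted(name for name, value in rp_filter_status(sysctl_text).items()
                  if value != 1)


def is_bogon(addr):
    """True if the address falls in any reserved / special-purpose range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_RANGES)


def classify_source(addr, local_networks):
    """'local' for our own VPN/LAN ranges, 'bogon' for other reserved space,
    otherwise 'public'. Check local ranges first so the filter never drops
    the tunnel's own traffic."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in local_networks):
        return "local"
    return "bogon" if is_bogon(addr) else "public"


# Constructed sample of sysctl output from a host with a tun0 VPN interface.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 1
"""

# Constructed: the VPN's own tunnel subnet (an assumption for the example).
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/24")]

if __name__ == "__main__":
    print("rp_filter not strict on:", interfaces_not_strict(SAMPLE_SYSCTL))
    for src in ("10.8.0.2", "192.168.1.5", "1.2.3.4"):
        print(src, "->", classify_source(src, VPN_NETWORKS))
```

On the sample, `all`, `eth0` and `lo` are reported because loose mode (2) and off (0) both fail the strict check the researchers refer to; `10.8.0.2` is classified as local rather than bogon only because the tunnel subnet was supplied, which is the point of the caveat in mitigation 2.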

In a blog Colm MacCárthaigh, who works for AWS and helps develop Amazon Linux and the company’s VPN products, noted that his company’s products are not impacted by the vulnerability.

However, he described the attack method as “very impressive” and has warned that it can pose an even more serious threat if combined with DNS spoofing.

“Encrypted DNS queries and replies can be profiled by traffic analysis, and the reply ‘paused’, making it easier to ensure that a DNS spoofing attempt will succeed,” MacCárthaigh wrote. “This is a good reminder that cryptographic protections are best done end to end; DNSSEC does not help with this attack, because it does not protect traffic between the stub resolver and the resolver. It’s also a good reminder that traffic analysis is still the most effective threat against network encryption.”

So far the following are vulnerable to this type of attack:

  • Ubuntu 19.10 (systemd)
  • Fedora (systemd)
  • Debian 10.2 (systemd)
  • Arch 2019.05 (systemd)
  • Manjaro 18.1.1 (systemd)
  • Devuan (sysV init)
  • MX Linux 19 (Mepis+antiX)
  • Void Linux (runit)
  • Slackware 14.2 (rc.d)
  • Deepin (rc.d)
  • FreeBSD (rc.d)
  • OpenBSD (rc.d)

Data Privacy Event Disclosed by Sunrise Community Health

Sunrise Community Health disclosed a data privacy event that might have affected some patients’ personal and medical information. In the fall of 2019, Sunrise Community Health (“Sunshine”) learned of a data privacy incident through which an unauthorized party gained access to some of its employees’ email accounts. The community health center subsequently launched an investigation […]

The post Data Privacy Event Disclosed by Sunrise Community Health appeared first on The State of Security.

DevSecOps Challenges From a Security Perspective

The transition from DevOps to DevSecOps requires security professionals to have a whole new understanding of development processes, priorities, tools, and pain points. It’s no longer feasible for security professionals to get by with a superficial understanding of how developers work. But this understanding can be a significant undertaking for most security pros who haven’t had to be immersed in the development side of the house previously.

In its new report, Building an Enterprise DevSecOps Program, analyst firm Securosis notes of security teams and DevSecOps, “Their challenge is to understand what development is trying to accomplish, integrate with them in some fashion, and figure out how to leverage automated security testing to be at least as agile as development.”

In this same paper, Securosis highlights the questions security professionals ask them most often surrounding DevSecOps, which include “can we realistically modify developer behavior?” “What tools do we start with to ‘shift left’” and “how do we integrate security testing into the development pipeline?” These are all valid and important questions, but Securosis points out that there are also questions security teams should be asking, but aren’t, including:

  • How do we fit — operationally and culturally — into DevSecOps?
  • How do we get visibility into Development and their practices?
  • How do we know changes are effective? What metrics should we collect and monitor?
  • How do we support Development?
  • Do we need to know how to code?

The questions the security team is currently asking are about security tasks in DevSecOps; the questions they aren’t asking are about how to understand and work with the development organization. And those are the questions they should start asking. Where to start? The key development areas security teams need to understand when trying to get a handle on application security include the following:

Process: At the very least understand why development processes have changed over the years, what they are trying to achieve, and make sure security testing embraces the same ideals.

Developer tools: You need to understand the tools developers use to manage the code they are building in order to understand where code can be inspected for security issues.

Code: Security tests are shifting left and looking at code, not fully developed applications. The traditional thinking about security audits needs to shift as well.

Open source: You would be hard-pressed to find an app that isn’t made up primarily of open source code. Understand why, and then work with the development team to help them continue to use open source code, but in a secure way.

How security tools affect developer processes: Make sure the security tools you select integrate with the tools and processes developers already use and don’t slow them down with false positives.

Cultural dynamics: You need to fully understand the development team’s goals and priorities – which are most often centered around speed. That understanding is key to getting developer buy-in and acceptance.

SDLC: It’s best practice to include some kind of security analysis in each phase of the software lifecycle. For instance, threat modeling during design, and software composition analysis during development. In this way, you establish a process-independent AppSec program that will work with varying development processes.

For more details on these development areas and practical advice on building an effective DevSecOps program, check out the full Securosis report.

This Week in Security News: Trend Micro Selected as Launch Partner for AWS Ingress Routing Service and Stalkerware on the Rise

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about stalkerware and why it’s on the rise. Also, read about Trend Micro’s selection as a launch partner for the new Amazon Virtual Private Cloud (Amazon VPC) Ingress Routing service, announced during AWS re:Invent 2019.

Read on:

You’re in Safe Hands with Trend Micro Home Network Security

Your home should be a haven that protects you. In the cyber age, however, your router, computers, TVs, game consoles and smart devices are continuously connected to the internet and run the risk of being hacked—usually when you least expect it. This blog is the first of a three-part series outlining how to implement Home Network Security to protect your home.

Amazon Web Services Recognizes Trend Micro as Launch Partner for New Service

With Amazon VPC Ingress Routing, Trend Micro customers will gain benefits that include more flexibility and control over traffic routing, with transparent deployment and no need to re-architect. Deploying in-line allows customers to be proactive in their network security, which in turn can prevent and disrupt attacks before they can be successful.

What Worries CISOs Most In 2019

Trend Micro’s VP of infrastructure strategies, Bill Malik, recently sat down with a dozen senior IT security leaders to discuss challenges they are currently facing in light of considerable changes in their business environments. These include the high pace of acquisitions balancing executive and team focuses, bring-your-own-device (BYOD) policies and ransomware infections.

Ransomware Attack Hits Major U.S. Data Center Provider

CyrusOne, one of the biggest data center providers in the U.S., has suffered a ransomware attack and is currently working with law enforcement and forensics firms to investigate the attack. CyrusOne is also helping customers restore lost data from backups.

Stalking the Stalkerware

Stalkerware is government-style surveillance software used by individuals to spy on others, which is usually someone you know. With smartphone usage continuing to rise, a whole mini industry has appeared over the past couple of years selling monitoring software, or more treacherously, trojan spyware and code that can hide itself so that you don’t even know it’s on your device.  

The California DMV Is Making $50M a Year Selling Drivers’ Personal Information

The California Department of Motor Vehicles is generating revenue of $50,000,000 a year through selling drivers’ personal information, according to a DMV document obtained by Motherboard. This information includes names, physical addresses, and car registration information. 

Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

Trend Micro has followed cyberespionage group TICK (a.k.a. “BRONZE BUTLER” or “REDBALDKNIGHT”) since 2008 but noticed an unusual increase in malware development and deployments towards November 2018 as part of a campaign dubbed “Operation ENDTRADE.”

Iran Targets Mideast Oil with ZeroCleare Wiper Malware

A freshly discovered wiper malware dubbed “ZeroCleare” has been deployed to target the energy and industrial sectors in the Middle East. According to IBM’s X-Force Incident Response and Intelligence Services (IRIS), ZeroCleare was involved in a recently spotted APT attack on an oil and gas company, in which it compromised a Windows machine via a vulnerable driver.

Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Trend Micro has found a new spyware family disguised as chat apps on a phishing website. Trend believes that the apps, which exhibit many cyberespionage behaviors, are initially used for a targeted attack campaign.

Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign

In November 2019, Trend Micro analyzed an exploit kit named Capesand that exploited Adobe Flash and Microsoft Internet Explorer flaws. During an analysis of the indicators of compromise (IoCs) in the deployed samples that were infecting the victim’s machines, we noticed that these samples were making use of obfuscation tools that made them virtually undetectable.

Trend Micro More Than Doubles Commitment to Underrepresented Persons in Cybersecurity

This week at AWS re:Invent, Trend Micro announced plans to further strengthen its commitment to underrepresented persons by more than doubling its annual time and financial investments to alleviate the skills and diversity gaps in cybersecurity.

Mobile Security: 80% of Android Apps Now Encrypt Network Traffic by Default

Three years ago, Google started its push to tighten network traffic protection from Android devices to web services. The company has provided an update stating that 80% of Android apps have adopted the HTTPS standard by default. HTTPS encrypts network traffic, preventing third parties from intercepting data from apps.

Magecart Sets Sights on Smith & Wesson, Other High-Profile Stores

After incidents in the past few months that saw the threat actor go after customers of online shops and hotel chains, threat actors from the infamous card-skimming group once again took action, this time on Black Friday on a new set of targets: high-profile stores, including firearms vendor Smith & Wesson (S&W).

Out on a Highway Run: Threats and Risks on ITS and Smart Vehicles

The research firm Counterpoint predicted that by 2022, the number of vehicles with embedded connectivity will grow by 270%. The expected increase in technology adoption, however, does not come without risks — from petty showcases of hacks to possibly bigger threats to safety and financial losses.

StrandHogg Android Vulnerability Allows Malware to Hijack Legitimate Apps

Researchers discovered a vulnerability in Android devices that allows malware to hijack legitimate apps. Using this vulnerability (StrandHogg), cybercriminals could trick users into granting permissions to their malicious apps and provide openings for phishing pages.

Ginp Trojan Targets Android Banking App Users, Steals Login Credentials and Credit Card Details

Counterfeit apps were found carrying a new version of the Android banking trojan Ginp (detected by Trend Micro as AndroidOS_Ginp.HRXB) to steal user login credentials and credit card details. ThreatFabric’s analysis of recent Ginp samples showed that it reused some code from Anubis, an Android malware family notorious for its use in cyberespionage activities before being re-tooled as a banking trojan.

What AWS re:Invent announcement did you find the most interesting? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro Selected as Launch Partner for AWS Ingress Routing Service and Stalkerware on the Rise appeared first on .

VMware addresses ESXi issue disclosed at the Tianfu Cup hacking competition

VMware has addressed a critical remote code execution vulnerability in ESXi that was disclosed recently at the Tianfu Cup hacking competition.

This week VMware has released security updates that fix a critical remote code execution vulnerability in ESXi that was recently disclosed by white hat hackers at the Tianfu Cup hacking competition in China.

The Tianfu Cup 2019 International Cyber Security Competition took place in November; white hat hackers who participated in the competition earned $545,000 for working zero-day exploits.

Researcher @xiaowei from the 360Vulcan team received the highest reward ($200,000) for a working exploit for the VMware vSphere ESXi product that allowed them to escape from the guest virtual machine to the host. The critical flaw tracked as CVE-2019-5544 has been assigned a CVSS score of 9.8.

The hacker was able to take control of the host operating system in only 24 seconds.

According to VMware, the CVE-2019-5544 flaw is a heap overwrite issue that resides in the OpenSLP open-source implementation of the Service Location Protocol (SLP), which allows the software to locate resources on a network.

“OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8,” reads the advisory published by the company.

“A malicious actor with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service resulting in remote code execution.”

Experts from VMware who were present at the competition received the details of the exploit immediately after the researcher demonstrated the attack.

According to VMware, the flaw affects ESXi versions 6.0, 6.5 and 6.7 running on any platform, and the Horizon cloud desktop-as-a-service (DaaS) platform version 8.x.

The company has already patched the issue for ESXi and it is currently working on a fix for Horizon DaaS.

Pierluigi Paganini

(SecurityAffairs – VMWare, hacking)

The post VMware addresses ESXi issue disclosed at the Tianfu Cup hacking competition appeared first on Security Affairs.

Cyber News Rundown: ZeroCleare Malware

ZeroCleare Malware Wiping Systems

IBM researchers have been tracking the steady rise in ZeroCleare deployments throughout the last year, culminating in a significant rise in 2019. This malware is deployed on both 32 and 64-bit systems in highly targeted attacks, with the capability to completely wipe the system by exploiting the EldoS RawDisk driver (which was also used in prior targeted attacks). The malware itself appears to be spreading through TeamViewer sessions and, though the 32-bit variant seems to crash before wiping can begin, the 64-bit variant has the potential to cause devastating damage to the multi-national corporations being targeted.

FTC Scam Threatens Victims with Terrorism Charges

FTC officials recently made an announcement regarding scam letters purporting to be from the commission and the numerous complaints the letters have sparked from the public. Victims of the scam are told that, due to some suspicious activity, they will be personally and financially monitored as well as face possible charges for terrorism. These types of scams are fairly common and have been in use for many years, often targeting the elderly with greater success.

Misreported Data Breach Costs Hospital Millions

Following an April 2017 complaint, the Office of Civil Rights has issued a fine of $2.175 million after discovering that Sentara Hospitals had distributed the private health information for 577 patients, but only reported eight affected. Moreover, it took over a year for the healthcare provider to take full responsibility for the breach and begin correcting their security policies for handling sensitive information. HIPAA violations are extremely time-sensitive and the slow response from Sentara staff could act as a lesson for other organizations to ensure similar events don’t reoccur.

Android Vulnerability Allows Hackers Easy Access

Researchers have identified a new Android exploit that allows hackers access to banking applications by quickly stealing login credentials after showing the victim a legitimate app icon, requesting additional permissions, and then sending the user to their expected app. Even more worrisome, this vulnerability exists within all current versions of AndroidOS and, while not found on the Google Play Store, some illicit downloaders were distributing it.

Smith & Wesson Hit by Magecart

In the days leading up to Black Friday, one of the largest retail shopping days of the year, malicious skimming code was placed onto the computer systems and, subsequently, the website of Smith & Wesson. In a slight break from the normal Magecart tactics, the attackers masqueraded as a security vendor to make their campaign less visible. The card-skimming code was initially placed onto the website on November 27 and was still active through December 2.

The post Cyber News Rundown: ZeroCleare Malware appeared first on Webroot Blog.

Two Russians Indicted Over $100M Dridex Malware Thefts

Russia's FSB Security Service Now Employs One Suspect, Authorities Allege
Two Russian men have been charged with stealing more than $100 million from banks around the world using the notorious Dridex malware, according to an unsealed U.S. indictment that caps off a decade-long investigation led by American and British law enforcement agencies.

Andy Ellis on Risk Assessment

Andy Ellis, the CSO of Akamai, gave a great talk about the psychology of risk at the Business of Software conference this year.

I've written about this before.

One quote of mine: "The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small family groups in the East African highlands in 100,000 BC, and not to living in the New York City of 2008."

Banking Trojans Are Top Financial Services Threat

Banking Trojans represent the biggest potential threat to financial institutions and their customers, and are on the rise, according to new research from Blueliv.

The Spanish threat intelligence firm released data from a recent Twitter poll of over 11,000 users and its newly launched report for the banking sector, Follow the Money.

Nearly a third (31%) of respondents claimed banking Trojans were the biggest threat to financial services firms, followed by mobile malware (28%), a category also increasingly comprised of Trojans designed to access customer accounts.

The bad news is that activity appears to be escalating in this area: Blueliv’s report revealed that the firm tracked three-digit percentage increases in Trickbot (283%) and Dridex (130%) detections over Q2 and Q3 this year.

The botnets are known to distribute banking Trojans as well as other malware targeting financial services.

The poll also revealed that skills shortages (28%) are the biggest challenge facing banks’ IT security teams as they try to build out programs.

Recent data from (ISC)2 revealed that global skills shortages now exceed four million. In Europe the crisis is particularly acute: shortages have soared by 100% over the past year to reach 291,000.

The poll also highlighted the challenges associated with high volumes of threats and alerts (26%) and poor visibility into threats (20%), which it is claimed are hampering banking cybersecurity teams as they struggle to combat attacks.

“Because they are such high-value targets for cyber-criminal activity, it is imperative that financial services organizations monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack,” argued Blueliv CEO Daniel Solís.

“Security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats. Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention and investigation capabilities.”

Breaches in the financial sector tripled over the five years to 2018, with the average cost of cybercrime in the sector over $18 million, more than any other vertical, according to Accenture.

Microsoft: 44 Million User Passwords Have Been Breached

Tens of millions of Microsoft customers are using log-ins that have previously been breached, putting themselves and their organization at risk of account takeover, the computing giant has revealed.

In a study running from January to March 2019, Microsoft’s threat research team checked over three billion credentials known to have been stolen by hackers, using third-party sources such as law enforcement and public databases.

It found a match for over 44 million Microsoft Services Accounts, used primarily by consumers, and AzureAD accounts, which is more worrying for businesses.

“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” it explained.

“Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential. Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture.”

Microsoft claimed that 99.9% of identity attacks can be mitigated by turning on MFA.
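The matching-and-response process described above, as an added example that is not Microsoft's code: stored accounts hold only salted password hashes, each leaked candidate for a username is verified against that hash, and the response depends on the account type. The leak dump, the accounts, the account-type labels and the action names are all constructed for illustration.

```python
"""Added example, not Microsoft's code: check stored accounts against a
leaked-credential dump the way the passage describes, then pick the response
by account type (reset for consumers, raise risk and alert the admin for
enterprise users). The leak dump, accounts, account-type labels and action
names are all constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 10_000  # kept low for the demo; production values are much higher


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 of a password; the directory never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    account_type: str  # "consumer" or "enterprise" (assumed labels)


def make_account(username, password, account_type, salt=None):
    """Enrol an account with a fresh random salt (a fixed salt only for reproducible tests)."""
    salt = salt if salt is not None else os.urandom(16)
    return Account(username, salt, hash_password(password, salt), account_type)


def index_leak(leaked_pairs):
    """Group a dump of (username, password) pairs by normalised username."""
    index = {}
    for user, password in leaked_pairs:
        index.setdefault(user.strip().lower(), set()).add(password)
    return index


def account_matches_leak(account, leak_index):
    """True if any leaked password recorded for this username verifies against the stored hash.
    Each candidate is hashed with the account's own salt, so no plaintext is ever stored."""
    for candidate in leak_index.get(account.username.lower(), ()):
        if hmac.compare_digest(hash_password(candidate, account.salt), account.password_hash):
            return True
    return False


def evaluate_accounts(accounts, leak_index):
    """Return {username: action} for every account whose live credential appears in the leak."""
    actions = {}
    for account in accounts:
        if account_matches_leak(account, leak_index):
            if account.account_type == "consumer":
                actions[account.username] = "force_password_reset"
            else:
                actions[account.username] = "elevate_user_risk_and_alert_admin"
    return actions


# Constructed sample data: a small leak dump and three enrolled accounts.
LEAKED_PAIRS = [
    ("alice@example.com", "Summer2019!"),
    ("Bob@Example.com", "hunter2"),
    ("carol@example.com", "P@ssw0rd"),
]
ACCOUNTS = [
    make_account("alice@example.com", "Summer2019!", "consumer"),          # still using the leaked password
    make_account("bob@example.com", "correct horse battery", "consumer"),  # changed it since the leak
    make_account("carol@example.com", "P@ssw0rd", "enterprise"),           # reused in an enterprise tenant
]

if __name__ == "__main__":
    for user, action in evaluate_accounts(ACCOUNTS, index_leak(LEAKED_PAIRS)).items():
        print(f"{user}: {action}")
```

Running the block reports alice (consumer) for a forced reset and carol (enterprise) for risk elevation, while bob, who changed his password after the leak, is left alone. Because each candidate is hashed with the account's own salt, the check costs one PBKDF2 computation per leaked candidate per account, which is why large-scale matching is normally batched offline rather than done at login time.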

The advice is especially important in the context of ongoing credential stuffing attacks. A report from Akamai earlier this year claimed that such attacks cost EMEA firms an average of $4 million annually in app downtime, lost customers and extra IT support.

Attacks have already struck far and wide this year, affecting organizations such as TfL, OkCupid, TurboTax and many more.

A 2018 study of around 30 million users found that password reuse was common among over half (52%), while nearly a third (30%) of modified passwords were easy to crack within just 10 guesses.

A Google poll of 3000 computer users released earlier this year found that just a third (35%) use a different password for all accounts, and only a quarter (24%) use a password manager.

UK Card Fraud Losses Now Account for Half of Europe

UK card fraud now accounts for half of all losses across Europe, driven by data breaches and online scams, according to new findings from FICO.

The predictive analytics firm’s newly launched interactive European Fraud Map reveals that UK card fraud losses hit a record £671 in 2018, up 19% from the previous year.

The figure amounts to almost half the total €1.6 billion (£1.4bn) recorded across the 19 countries included in the map: European countries plus Ukraine, Russia and Turkey.

The vast majority of the UK’s losses (£506.4m) came from card-not-present (CNP) channels, which are dominated these days by online fraud.

FICO said that the figures can be explained in part by a surge in data breaches, which has flooded underground forums with the identity data needed to carry out CNP scams. Another factor is changes in reporting processes which means more incidents are being recorded.

“The sheer volume of attempted fraud has meant that, although more fraud is being prevented now than ever before, and that it’s being caught earlier in the attack cycle, the total value lost is still on the rise,” said Matt Cox, the firm's vice president for fraud management solutions in Europe.

"Personal information lost in high-profile data breaches means it’s easier than ever for criminals to impersonate individuals and businesses, so we all need to be more vigilant — personally, and as an industry. We’re seeing the continued growth and diversification of social engineering fraud, which uses techniques like vishing, phishing and whaling.”

The UK’s Faster Payments and Europe’s SEPA Instant Credit Transfer initiatives have made speedy seamless payments a reality across the continent — but this is also helping scammers to get away with and launder fraudulently obtained funds before businesses can stop them.

UK police have been forced to go into schools this year warning about the dangers posed by money mule recruiters, as the latter continue to flood social media in a bid to snare cash-strapped teens.

“The key to fighting online fraud lies in establishing practices to protect against data compromise,” said Cox. “Drawing on global networks of loss data and confirmed cases of fraud enables businesses to identify and prevent data breaches significantly earlier, reducing the customer losses and operational pressures that often result from these attacks.”

Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020

It's December and the Christmas lights are going up, so it can't be too early for cyber predictions for 2020. With this in mind, Richard Starnes, Chief Security Strategist at Capgemini, sets out what the priorities will be for businesses in 2020 and beyond.

Accelerated digital innovation is a double-edged sword that will continue to hang over the cybersecurity threat landscape in 2020.  As businesses rapidly chase digital transformation and pursue the latest advancements in 5G, cloud and IoT, they do so at the risk of exposing more of their operations to cyber-attacks. These technologies have caused an explosion in the number of end-user devices, user interfaces, networks and data; the sheer scale of which is a headache for any cybersecurity professional. 

In order to aggressively turn the tide next year, cyber analysts can no longer avoid AI adoption or ignore the impact of 5G. 

AI Adoption
Hackers are already using AI to launch sophisticated attacks – for example AI algorithms can send ‘spear phishing’ tweets six times faster than a human and with twice the success. In 2020, by deploying intelligent, predictive systems, cyber analysts will be better positioned to anticipate the exponentially growing number of threats.

The Convergence of IT and OT
At the core of the Industry 4.0 trend is the convergence of operations technology (OT) and information technology (IT) networks, i.e. the convergence of industrial and traditional corporate IT systems. While this union of these formerly disparate networks certainly facilitates data exchange and enables organisations to improve business efficiency, it also comes with a host of new security concerns.

5G and IoT
While 5G promises faster speed and bandwidth for connections, it also comes with a new generation of security threats. 5G is expected to make more IoT services possible and the framework will no longer neatly fit into the traditional security models optimised for 4G. Security experts warn of threats related to the 5G-led IoT growth anticipated in 2020, such as a heightened risk of Distributed Denial-of-Service (DDoS) attacks.

Death of the Password
2020 could see organisations adopt new and sophisticated technologies to combat risks associated with weak passwords.

More Power to Data Protection Regulations
In 2020, regulations like GDPR, The California Consumer Privacy Act and PSD2 are expected to get harsher. We might also see announcements of codes of conduct specific to different business sectors like hospitality, aviation etc. All this will put pressure on businesses to make data security a top consideration at the board level.

CVE-2019-14899 flaw allows hijacking VPN connections on Linux, Unix systems

Researchers discovered a vulnerability tracked as CVE-2019-14899 that can be exploited to hijack active TCP connections in a VPN tunnel

Researchers from the University of New Mexico have discovered a vulnerability, tracked as CVE-2019-14899, that can be exploited by an attacker to determine if a user is connected to a VPN and hijack active TCP connections in a VPN tunnel.

The flaw could be exploited by an attacker who shares the same network segment with the targeted user to determine if they are using a VPN, obtain the virtual IP address, determine if the target is currently visiting a specified website, and even inject data into the TCP stream. The experts explained that in this way, it is possible to hijack active connections within the VPN tunnel.

“I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” reads the advisory published by the experts. “Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.”

In another attack scenario the attackers set up a rogue access point. The attack sequence described by the experts is as follows:

  • Determining the VPN client’s virtual IP address.
  • Using the virtual IP address to make inferences about active connections.
  • Using the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection to hijack the TCP session

The CVE-2019-14899 vulnerability affects many Linux distros and Unix operating systems (including Ubuntu, Fedora, Debian, FreeBSD, OpenBSD, macOS, iOS and Android). The team of experts ethically reported the issue to the development teams of the affected OSs at the time of its discovery.

The experts successfully tested the flaw against OpenVPN, WireGuard, and IKEv2/IPSec, but did not test it against Tor. They believe Tor is not vulnerable because it operates at the SOCKS layer and performs authentication and encryption in userspace. Other VPN technologies could also be affected, and the vulnerability can be exploited against both IPv4 and IPv6 connections.

The experts pointed out that the attack did not work against any Linux distribution they tested until the release of Ubuntu 19.10. They noticed that the rp_filter settings were set to “loose” mode. The default settings in d/50-default in the repository were changed from “strict” to “loose” mode on November 28, 2018, so distributions that use a systemd version from after that date, without modifying the configuration, are now vulnerable.

Possible mitigations include turning reverse path filtering on, using bogon filtering (dropping packets with bogus, i.e. fake, source IP addresses), or hiding packet size and timing through padding.
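The first mitigation listed above, reverse path filtering, is a per-interface Linux sysctl, and its effective value follows a rule that is easy to get wrong: the kernel applies the larger of conf/all and conf/<interface>, so a loose "all" setting overrides a strict per-interface value. The following is an added audit script, not code from the University of New Mexico advisory; the sysctl key names are real Linux keys, while the sample interface values are constructed to resemble the loose default the article describes. IPv6 has no rp_filter sysctl, so the check covers IPv4 only.

```python
"""Added example, not from the CVE-2019-14899 advisory: audit the Linux
reverse path filter (rp_filter) setting named as a mitigation in the text, and
emit the sysctl commands that restore strict mode. The sysctl keys are real
Linux keys; the sample interface values below are constructed."""
from pathlib import Path

RP_FILTER_MODES = {0: "disabled", 1: "strict", 2: "loose"}
SYSCTL_BASE = Path("/proc/sys/net/ipv4/conf")
GLOBAL_KEYS = ("all", "default")  # "all" applies to every interface, "default" to new ones


def read_rp_filter(base=SYSCTL_BASE):
    """Return {name: value} for every conf/<name>/rp_filter file under base."""
    return {p.parent.name: int(p.read_text().strip()) for p in sorted(base.glob("*/rp_filter"))}


def effective_rp_filter(settings):
    """Per-interface effective mode. The kernel uses the larger of conf/all and
    conf/<iface> (see the ip-sysctl documentation), so a loose "all" overrides
    a strict per-interface value."""
    all_value = settings.get("all", 0)
    return {iface: max(all_value, value)
            for iface, value in settings.items() if iface not in GLOBAL_KEYS}


def audit_rp_filter(settings):
    """List (interface, mode) for every interface whose effective mode is not strict."""
    return [(iface, RP_FILTER_MODES.get(value, "unknown"))
            for iface, value in effective_rp_filter(settings).items() if value != 1]


def rp_filter_fixes(settings):
    """sysctl commands that make every interface strict: the global keys must
    be 1 (because of the max rule) and any interface explicitly set to loose
    must be lowered as well."""
    fixes = [f"sysctl -w net.ipv4.conf.{key}.rp_filter=1"
             for key in GLOBAL_KEYS if key in settings and settings[key] != 1]
    fixes += [f"sysctl -w net.ipv4.conf.{iface}.rp_filter=1"
              for iface, value in settings.items() if iface not in GLOBAL_KEYS and value == 2]
    return fixes


# Constructed sample resembling a host whose sysctl defaults set "all" to loose.
SAMPLE_SETTINGS = {"all": 2, "default": 2, "lo": 0, "eth0": 1, "tun0": 0}

if __name__ == "__main__":
    # Read the live values on a Linux host; fall back to the constructed sample elsewhere.
    settings = read_rp_filter() if SYSCTL_BASE.is_dir() else SAMPLE_SETTINGS
    for iface, mode in audit_rp_filter(settings):
        print(f"WARN {iface}: effective rp_filter is {mode}")
    for cmd in rp_filter_fixes(settings):
        print(cmd)
```

On the constructed sample every interface is reported as loose even though eth0 is individually set to strict, and the fix is to lower the two global keys rather than touch each interface. The `sysctl -w` commands take effect immediately but do not survive a reboot; to make the change persistent, the same keys go into a file under /etc/sysctl.d that sorts after the distribution's defaults.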

The researchers will publish a paper that will include technical details of the vulnerability.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-14899, hacking)

The post CVE-2019-14899 flaw allows hijacking VPN connections on Linux, Unix systems appeared first on Security Affairs.

December 2019 Patch Tuesday forecast: Make sure to deploy year-end updates

Can you believe another year has passed and we’re approaching the last Patch Tuesday of the year? While I get ready to make another online gift purchase with my credit card, I can’t help but reflect on the security activity over the past twelve months. Some of these hit close to home. The most broadcast news of the year was the exposure of personal information in over 500 million Facebook accounts. This security incident was … More

The post December 2019 Patch Tuesday forecast: Make sure to deploy year-end updates appeared first on Help Net Security.

The hidden risks of cryptojacking attacks

For any business, privacy and security are a constant concern. The variety and velocity of attacks seeking to infiltrate corporate systems and steal vital business and customer information seem never-ending. Given the very public repercussions of certain types of breaches, it can be easy for executives and IT professionals to focus attention on only the most notable attacks. However, numerous industry studies have found that a quiet threat, known as cryptojacking, is rising faster than … More

The post The hidden risks of cryptojacking attacks appeared first on Help Net Security.

OpenBSD addresses authentication bypass, privilege escalation issues

Experts from Qualys Research Labs discovered four high-severity security flaws in OpenBSD, one of which is an authentication bypass issue.

Researchers from Qualys Research Labs discovered four high-severity security vulnerabilities in OpenBSD: an authentication bypass issue and three privilege escalation bugs.

The three privilege escalation issues could be exploited by local users or malware to gain the privileges of the auth group, of root, and of other users, respectively.

The OpenBSD development team addressed the flaws less than two days after they were reported by the experts by releasing security patches for OpenBSD 6.5 and OpenBSD 6.6.

The first OpenBSD vulnerability, an authentication bypass issue tracked as CVE-2019-19521, affects the way OpenBSD’s authentication framework parses the username supplied by a user while logging in through smtpd, ldapd, radiusd, su, or sshd services.

“We discovered an authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.” reads the security advisory published by the experts.

A remote attacker could exploit this vulnerability to access vulnerable services by entering the username as “-schallenge” or “-schallenge: passwd.” The ‘-‘ symbol prefixed to the username tricks OpenBSD into interpreting the value as a command-line option.

“-schallenge” is interpreted as “-s challenge”, which forces the system to ignore the challenge protocol and ultimately allows authentication to be bypassed automatically.

“If an attacker specifies a username of the form ‘-option’, they can influence the behavior of the authentication program in unexpected ways,” continues the advisory.

The flaw is exploitable in smtpd, ldapd, and radiusd, but not in sshd or su, because of defense-in-depth mechanisms that hang the connection even after a successful authentication bypass.
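The root cause described above is a user-controlled string reaching a program that parses options, so the generic defence is to validate the login name before it is ever placed in an argument vector. The following is an added example, not OpenBSD's code or its actual fix: a conservative login-name check that rejects anything beginning with a hyphen, and an argv builder that additionally places `--` before the name for getopt-style parsers. The helper name `login_helper`, its `-s` option layout and the sample names are assumptions for illustration.

```python
"""Added example, not OpenBSD's code: a conservative login-name check of the
kind a front end should apply before passing a user-supplied name to a helper
that parses command-line options, so that a name such as "-schallenge" can
never be read as "-s challenge". The helper name, its option layout and the
sample names are assumptions for illustration."""
import re

MAX_LOGIN_NAME = 32  # assumed limit; use the one your platform enforces

# Letters, digits, underscore, dot and hyphen, but the first character must be
# a letter, digit or underscore: nothing that starts with '-' ever passes.
_LOGIN_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def valid_login_name(name):
    """True only for names that are safe to place in an argument vector."""
    return 0 < len(name) <= MAX_LOGIN_NAME and _LOGIN_NAME_RE.fullmatch(name) is not None


def build_auth_argv(helper, style, name):
    """Argument vector for an assumed authentication helper that takes the
    style via -s. The name is validated first; '--' is added before it as a
    second line of defence for getopt-style parsers, which stop option
    processing there."""
    if not valid_login_name(name):
        raise ValueError(f"rejected login name: {name!r}")
    return [helper, "-s", style, "--", name]


# Constructed sample names, including the two quoted from the advisory above.
SAMPLE_NAMES = ["alice", "web-app_1", "-schallenge", "-schallenge: passwd", "", ".hidden", "a" * 40]

if __name__ == "__main__":
    for candidate in SAMPLE_NAMES:
        verdict = "accept" if valid_login_name(candidate) else "reject"
        print(f"{verdict:6} {candidate!r}")
```

The two layers are deliberately independent: the allowlist alone already stops the option-shaped names from the advisory, and the `--` separator protects against a helper whose option parser honours it even if the allowlist is later relaxed. Neither layer changes how the helper itself authenticates; they only ensure it receives a login name where it expects one.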

The second vulnerability, tracked as CVE-2019-19520, is a local privilege escalation issue caused by a failed check in xlock. A local attacker can trigger the issue to obtain the privileges of the set-group-ID “auth” group through xlock, which is installed by default.

The third issue, tracked as CVE-2019-19522, is an authentication bypass issue found in OpenBSD’s authentication protocol.

A local attacker with ‘auth’ group permission can gain full root privileges due to the incorrect operation of the authorization mechanisms via “S/Key” and “YubiKey” (a non-default configuration).

The last issue, tracked as CVE-2019-19519, is caused by a logical error in one of su’s primary functions; a local attacker could exploit su’s -L option to obtain any user’s login class, often excluding root.

The experts released PoC exploits for each vulnerability in the advisory. OpenBSD users should install the security patches using the syspatch mechanism.

Pierluigi Paganini

(SecurityAffairs – OpenBSD, hacking)

The post OpenBSD addresses authentication bypass, privilege escalation issues appeared first on Security Affairs.

Review: Cyber Smart

Do you believe you’re not interesting or important enough to be targeted by a cybercriminal? Do you think your personal data doesn’t hold any value? Bart R. McDonough proves why those beliefs are wrong in his book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals. McDonough, CEO and Founder of Agio, is a cybersecurity expert, speaker and author with more than 20 years of experience in the field, and … More

The post Review: Cyber Smart appeared first on Help Net Security.

Has WhatsApp become a potential career assassin? | Afua Hirsch

The app helped connect me to an inspiring sisterhood. But the case of police officer Robyn Williams shows unopened messages can be a legal minefield

We need to talk about WhatsApp. When the little green speech bubble first showed up in my life, I greeted it with awe and wonder. I even wrote a little love letter to its ability to connect with a virtual black sisterhood – the kind that rarely exists in our too-undiverse workplaces in real life – in my first book. It became the perfect platform to share experiences, frustrations, strategies and ideas.

WhatsApp group communities proliferated on my phone – they were education, community and activism all in one place. It was great.

Continue reading...

Nearly half of consumers worry about being tricked by fraudsters this holiday season

There has been a 29% increase in suspected online retail fraud during the start of the 2019 holiday shopping season compared to the same period in 2018, and a 60% increase in suspected e-commerce fraud during the same period from 2017 to 2019, according to iovation. The findings are based on the online retail transactions analyzed for its e-commerce customers between Thanksgiving and Cyber Monday over the last three years. “Among the conclusions from TransUnion’s … More

The post Nearly half of consumers worry about being tricked by fraudsters this holiday season appeared first on Help Net Security.

Top compliance and risk management challenges for financial organizations

Notable regulatory compliance and risk challenges remain high in a number of key areas for U.S. banks and credit unions, according to the results of a Wolters Kluwer survey. Rising risk challenges for financial organizations This year’s survey generated a Main Indicator Score of 95, a 10-point increase from the 2018 score, that was influenced by concerns about the impact of Home Mortgage Disclosure Act (HMDA) rules; cybersecurity, credit and compliance risks; and an increased … More

The post Top compliance and risk management challenges for financial organizations appeared first on Help Net Security.

Exploring the proper use of pseudonymisation related to personal data

In the light of the General Data Protection Regulation (GDPR), the challenge of proper application of pseudonymisation to personal data is gradually becoming a highly debated topic in many different communities, ranging from research and academia to justice and law enforcement and to compliance management in several organizations across Europe. Pseudonymisation and personal data challenges The ENISA “Pseudonymisation techniques and best practices” report, amongst other, especially discusses the parameters that may influence the choice of … More

The post Exploring the proper use of pseudonymisation related to personal data appeared first on Help Net Security.

Cloud Security Alliance launches credentials for auditing cloud computing systems

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, announced the Certificate of Cloud Auditing Knowledge (CCAK), the only credential for industry professionals that demonstrates expertise in the essential principles of auditing cloud computing systems. Set to be released in the second half of 2020, the CCAK aims to solve the current industry knowledge gap for IT audit … More

The post Cloud Security Alliance launches credentials for auditing cloud computing systems appeared first on Help Net Security.

Staying Safe when Shopping this Holiday Season: Bricks and Clicks Edition

The shopping season is upon us, and like it or not there are lots of individuals who would love to replace your happiness with their sadness. Thus, at this festive time of the year, it is imperative to give some thought and prep time to you and your family’s shopping habits and the security that […]… Read More

The post Staying Safe when Shopping this Holiday Season: Bricks and Clicks Edition appeared first on The State of Security.

Corsa Security encourages an open and collaborative approach to scaling network security

Corsa Security, leaders in scaling network security, has launched a Network Security Ecosystem program to foster an open and collaborative approach between like-minded organizations, and to ensure customers get the best support for their deployment. The cornerstone of the program is the assurance customers get that key security functions have been integrated, tested and certified to work with the Corsa turnkey network security virtualization platform. The Network Security Ecosystem also includes different partnership types for … More

The post Corsa Security encourages an open and collaborative approach to scaling network security appeared first on Help Net Security.

LogMeIn updates its LastPass Identity solution with passwordless login for business customers

LogMeIn announced the next major update to its recently released LastPass Identity solution that introduces new ways for an employee to access their work without needing to type a password. This release marks the next phase in the company’s longer-term strategy to redefine cloud identity and expand LastPass for Business into a complete identity offering. Building on its industry-leading enterprise password management technology, LastPass Identity now delivers a complete passwordless login experience for employees across … More

The post LogMeIn updates its LastPass Identity solution with passwordless login for business customers appeared first on Help Net Security.

CloudKnox Security Platform integrates with AWS IAM Access Analyzer

CloudKnox Security, a leader in identity privilege management for hybrid cloud environments, announced integration of the CloudKnox Security Platform with AWS IAM Access Analyzer, a new capability from Amazon Web Services (AWS) that analyzes resource policies to help administrators and security teams protect their resources from unintended access. AWS IAM Access Analyzer automatically analyzes policies attached to companies’ AWS resources and delivers detailed findings, which feeds the CloudKnox cross-account explorer that visually maps all the … More

The post CloudKnox Security Platform integrates with AWS IAM Access Analyzer appeared first on Help Net Security.

Dynatrace broadens its AI-powered software intelligence platform to support AWS hybrid clouds

Software intelligence company, Dynatrace, announced that it has extended its AI-powered software intelligence platform to support AWS hybrid clouds by providing seamless support across all AWS public regions and Outposts. This gives enterprises complete visibility and precise insights into the performance of applications running in AWS hybrid clouds – in a single platform. “We are thrilled to have Dynatrace’s partnership to provide monitoring for AWS Outposts and the applications that run on them,” said Matt … More

The post Dynatrace broadens its AI-powered software intelligence platform to support AWS hybrid clouds appeared first on Help Net Security.

Novartis leverages AWS’ portfolio of cloud services to build an enterprise-wide data and analytics platform

Amazon Web Services (AWS), an company, announced a multi-year strategic collaboration with Novartis to reimagine this leading pharmaceutical company’s core pharmaceutical manufacturing, supply chain, and delivery operations using AWS’s portfolio of cloud services. This enterprise-wide data and analytics platform is expected to form the foundation for custom solutions powered by AWS AI and ML services to help drive agility, innovation, and cost efficiencies across Novartis global business processes and systems. Core to this collaboration … More

The post Novartis leverages AWS’ portfolio of cloud services to build an enterprise-wide data and analytics platform appeared first on Help Net Security.

Pivot3 provides its HCI software platform to Lenovo DCG to deliver integrated edge computing solutions

Pivot3, a leading provider of intelligent infrastructure solutions, announced that it is providing its hyperconverged infrastructure (HCI) software platform to Lenovo Datacenter Group (DCG) to deliver integrated edge computing solutions optimized for mission-critical Smart City and Safe Campus environments. As part of Lenovo’s ON DEMAND program, Pivot3 and Lenovo have developed fully qualified solutions for edge deployments that are available through Lenovo’s network of channel partners worldwide, a move that strengthens Pivot3’s Internet of Things … More

The post Pivot3 provides its HCI software platform to Lenovo DCG to deliver integrated edge computing solutions appeared first on Help Net Security.

ExtraHop and AWS integration automates response and forensics for cloud workloads

ExtraHop, the leader in cloud-native network detection and response, announced a new integration with Amazon Web Services (AWS) that automates the isolation of compromised Amazon Elastic Compute Cloud (EC2) instances and empowers security operations teams to create a wide range of customizable response automations, from quarantining and blocking to ticketing and tagging. Alongside the new automation capability, ExtraHop Reveal(x) Cloud now offers continuous packet capture in AWS. That reduces the amount of time, effort, and … More

The post ExtraHop and AWS integration automates response and forensics for cloud workloads appeared first on Help Net Security.

ShiftLeft and CircleCI enable orgs to insert security directly into developer pull requests

ShiftLeft, an innovator in automated application security, announced a partnership and deep integration with CircleCI that enables organizations to insert security directly into developer pull requests from code repositories. ShiftLeft Inspect is the first static application security testing (SAST) vendor to partner with CircleCI to provide these capabilities. Today’s organizations are working to insert security as far left in their DevOps process as possible, but many struggle to achieve the speed and accuracy necessary to … More

The post ShiftLeft and CircleCI enable orgs to insert security directly into developer pull requests appeared first on Help Net Security.

Snow Software acquires Embotics to accelerate digital transformation with technology intelligence

Snow Software, the global leader in technology intelligence solutions, announced it has acquired Embotics, a hybrid cloud management company. This acquisition brings together two market leaders, enabling CIOs to understand and manage their full technology stack from software and hardware to infrastructure and applications, regardless of whether they live on-premises, in the cloud or in a hybrid environment. Embotics offers a platform-neutral cloud management solution with one of the quickest time-to-value in the industry. It … More

The post Snow Software acquires Embotics to accelerate digital transformation with technology intelligence appeared first on Help Net Security.

OCTO expands its offering with the acquisition of Nebula Systems

OCTO Telematics, the leading global provider in transforming an IoT Big Data set into actionable intelligence, has acquired the entire share capital of Nebula Systems. Nebula specialises in the development of advanced cloud technologies for the automotive and connected car industries. This means that its proprietary technologies are now available to make vehicle systems and data more accessible, so that a vehicle’s health, status and operation can be monitored, analysed, diagnosed and maintained, faster and … More

The post OCTO expands its offering with the acquisition of Nebula Systems appeared first on Help Net Security.

Panorays raises $15 million to expand its marketing and sales initiatives to accelerate global growth

Panorays, a rapidly growing provider of automated third-party security lifecycle management, has raised $15 million in a Series A funding round led by Oak HC/FT. Dan Petrozzo, partner at Oak HC/FT, will join the company’s Board of Directors. Previous investors Aleph VC and security industry veteran Lane Bess, former CEO of Palo Alto Networks, also participated in the round. “Panorays is reestablishing trust between businesses by facilitating secure partnerships with companies and their third-party vendors,” … More

The post Panorays raises $15 million to expand its marketing and sales initiatives to accelerate global growth appeared first on Help Net Security.

ThousandEyes appoints Matt Piercy as vice president of EMEA sales

ThousandEyes, the Internet and Cloud Intelligence company, announced the hiring of enterprise software veteran Matt Piercy as vice president of EMEA sales to lead executive engagement and strategic partnership initiatives in the region and scale a high-performance, people-centric sales organization. “Optimizing the Digital Experience for customers, partners and employees is a strategic priority for CIOs at high-performing organizations. “The service delivery channels for these important interactions leverage the Internet as a critical dependency, which is … More

The post ThousandEyes appoints Matt Piercy as vice president of EMEA sales appeared first on Help Net Security.

Beware Charity Scams

The holiday season is a time for giving, but it’s also a time for taking–or rather stealing–thanks to scammers who prey on charity. As contributions from Americans grow each year, so too do the opportunities for the legion of cyber Grinches out there.

Since non-profit organizations count on almost a third of their donations during the holiday season, it’s more important than ever for anyone looking to give back to the community to do their homework before opening their hearts and wallets. Here are a few tips:

  • Be careful when you open that email: Phishing scams are on the rise, and they’re only getting more sophisticated. Scammers can make near-perfect imitations of emails and websites from real charities. When in doubt, go directly to the website of the organization rather than clicking any links – and don’t download any attachments!
  • Check with authorities on charities: is a free website that evaluates charities in the US run by a 501(c)(3) that doesn’t accept donations from the organizations it investigates. Charitywatch and the Better Business Bureau offer similar services to help you make the best choice where you donate.
  • Double check their status: The IRS has a website that lets you check an organization’s tax-exempt status. If the charity you’re considering donating to isn’t on it, it could be a red flag.
  • Take your time and make a record: Scammers are especially effective at creating a sense of urgency: the less time you have to think, the more likely you are to be fooled. Take the time to research an organization, never donate with cash, and keep records of what you gave and to whom.

It’s a sad fact that the giving spirit of the holiday season attracts scammers, but it needn’t keep you from donating to the less fortunate. Keep a clear head and you can be sure that the money you provide gets to a deserving subject rather than lining the pockets of an unscrupulous one. 

The post Beware Charity Scams appeared first on Adam Levin.

Apple Explains Mysterious iPhone 11 Location Requests

KrebsOnSecurity ran a story this week that puzzled over Apple‘s response to inquiries about a potential privacy leak in its new iPhone 11 line, in which the devices appear to intermittently seek the user’s location even when all applications and system services are individually set never to request this data. Today, Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.

I published Tuesday’s story mainly because Apple’s initial and somewhat dismissive response — that this was expected behavior and not a bug — was at odds with its own privacy policy and with its recent commercials stating that customers should be in full control over what they share via their phones and what their phones share about them.

But in a statement provided today, Apple said the location beaconing I documented in a video was related to Ultra Wideband technology that “provides spatial awareness allowing iPhone to understand its position relative to other Ultra Wideband enabled devices (i.e. all new iPhone 11s, including the Pro and Pro Max).”

Ultra-wideband (a.k.a. UWB) is a radio technology that uses a very low energy level for short-range, high-bandwidth communications spread across a large portion of the radio spectrum, without interfering with more conventional transmissions.

“So users can do things like share a file with someone using AirDrop simply by pointing at another user’s iPhone,” Apple’s statement reads. The company further explained that the location information indicator (a small, upward-facing arrow to the left of the battery icon) appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

“Ultra Wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” the statement continues. “iOS uses Location Services to help determine if iPhone is in these prohibited locations in order to disable Ultra Wideband and comply with regulations. The management of Ultrawide Band compliance and its use of location data is done entirely on the device and Apple is not collecting user location data.”

Apple’s privacy policy says users can disable all apps and system services that query the user’s location all at once by toggling the main “Location Services” option to “off.” Alternatively, it says, users can achieve the same results by individually turning off all System Services that use location in the iPhone settings.

What prompted my initial inquiry to Apple about this on Nov. 13 was that the location services icon on the iPhone 11 would reappear every few minutes even though all of the device’s individual location services had been disabled.

“It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled,” Apple stated in their initial response. “The icon appears for system services that do not have a switch in Settings” [emphasis added].

Now we know more about at least one of those services. Apple says it plans to include the option of a dedicated toggle in System Services to disable the UWB activity in an upcoming update of its iOS operating system, although it didn’t specify when that option might be available.

The one head-scratcher remaining is that the new iPhone seems to check whether it’s in a country that allows UWB fairly frequently, even though the list of countries where this feature is not yet permitted is fairly small, and includes Argentina, Indonesia and Paraguay. A complete list of countries where iPhones can use UWB is here. The principal remaining concern may be that these periodic checks unnecessarily drain the iPhone 11’s battery.

It is never my intention to create alarm where none should exist; there are far too many real threats to security and privacy that deserve greater public attention and scrutiny from the news media. However, Apple does itself and its users no favors when it takes weeks to respond (or not, as my colleague Zack Whittaker at TechCrunch discovered) to legitimate privacy concerns, and then does so in a way that only generates more questions.

Be Alert this Holiday Season: Payment Security Tips for Businesses

On this blog we explore the challenges around security of payment data during the hectic holiday season and provide tips and best practices to help restaurants better secure their payment data.  The following is a Q & A with Troy Leach, Senior Vice President of the PCI Security Standards Council and Laura Chadwick, Program Director, Technology & Innovation of the National Restaurant Association about the importance of cybersecurity this holiday season.

AT&T, Verizon Subscribers Exposed as Mobile Bills Turn Up on the Open Web

Names, addresses, phone numbers, call and text message records and account PINs were all caught up in a cloud misconfiguration.

FBI Puts $5 Million Bounty On Russian Hackers Behind Dridex Banking Malware

The United States Department of Justice today disclosed the identities of two Russian hackers and charged them for developing and distributing the Dridex banking Trojan using which the duo stole more than $100 million over a period of 10 years. Maksim Yakubets, the leader of 'Evil Corp' hacking group, and his co-conspirator Igor Turashev primarily distributed Dridex — also known as 'Bugat'

US Family Loses Life Savings in Money Mule Email Scam

The Federal Bureau of Investigation has issued a warning after a family from Oregon lost their life savings in a business email compromise scam involving money mules.

Aaron Cole and his wife decided to move into a bigger house after welcoming two children into their family. The couple sold their existing home, and the title company told them they would be in touch soon with instructions for making the down payment on their new house. 

Aaron's wife received an email on December 4, 2018, from what appeared to be the title company and sent $122,850 to the account number provided in the message. A few days later, Aaron received a phone call from the title company to inform him it was time to wire the down payment.

An FBI spokesperson said: "The Coles had been the victims of a business email compromise scam and had wired their money to a criminal who had spoofed the title company’s email address and sent them fake wire instructions. Their down payment had been funneled into one account and then broken up and sent to four other banks."

After falling victim to the scam, the Cole family was left in a situation where they couldn't make the down payment on their new house and had fewer than three weeks to vacate their current home. 

"When this happened, I couldn’t come up with the words to tell my wife," said Aaron Cole.

"The equity in the house was our way to move forward. I put myself back 15 years."

Generously, the title company stepped in and offered to cover their down payment in exchange for the Cole family's help in highlighting the problem of business email compromise. 

Last year, the FBI’s Internet Crime Complaint Center (IC3) received more than 20,000 complaints from victims of business email compromise alone. These victims reported losses of more than $1.2bn. 

The cyber-criminals who stole from the Coles were assisted by the actions of money mules—people who knowingly or unwittingly transfer funds on behalf of, or at the direction of, someone else. 

Yesterday the FBI issued an advisory to the general public to be wary of any unsolicited emails or other communications containing a job offer promising easy money or a request to open a bank account in another person’s name or in the name of a business created by someone else. 

Extreme caution was also advised to anyone who receives an electronic request for money from a loved one.

Data Breach at Nebraska Medicine an Inside Job

Nebraska Medicine has suffered a data breach after an employee accessed patients' medical records for almost three months without authorization or even the thinnest sliver of a legitimate reason. 

A routine audit of the medical record system conducted in October of this year revealed the gross violation of patient privacy, which occurred over the summer of 2019. 

The employee took their first digital stroll through patients' records on July 11. The unauthorized access then continued until October 1, when the audit was carried out. 

After discovering what was going on, Nebraska Medicine took steps to prevent any further unauthorized access from occurring. A particularly effective step was the organization's decision to fire the employee in question the day after the privacy violation was detected. 

Patients whose data had been compromised were notified by letter. Information accessed by the now former Nebraska Medicine employee included names, birth dates, addresses, medical record numbers, Social Security numbers, driver’s license numbers, clinical information, lab imagery, and notes from physicians.

In a statement released on Tuesday, Nebraska Medicine said: "Once Nebraska Medicine became aware of the incident, our staff took action to investigate, prevent further improper access, and to notify affected patients. We have no reason to believe the information accessed has been or will be misused.

"In cases where the Social Security number or driver’s license was accessible, we are offering credit monitoring for a full year, at no cost to the affected patients."

In a letter sent to patients affected by the breach, privacy officer Debra Bishop apologized for the breach and offered assurance that steps had been taken to prevent a similar incident from happening.

Bishop wrote: "This individual no longer works for Nebraska Medicine and no longer has access to Nebraska Medicine systems. To help prevent something like this from happening again, we are continuing to regularly audit our electronic medical record system for potential unauthorized activity, and are retraining staff about appropriate access of patient information."

Nebraska Medicine operates two major hospitals and 40 outpatient clinics in the Omaha area and has an international reputation for providing bone marrow and stem cell transplantation services. In 2006, Nebraska Medicine performed the first "frozen elephant trunk" heart procedure, otherwise known as open stent grafting, in the United States.

Vulnerabilities Discovered in VPN Used by NASA

A virtual private network (VPN) used by NASA, Shell, and BT has been found to have multiple vulnerabilities. 

Weaknesses in the Aviatrix VPN were detected by Immersive Labs researcher and content engineer Alex Seymour on October 7, 2019. 

The multiple local privilege escalation vulnerabilities Seymour discovered would have allowed an attacker who already had access to a machine to escalate privileges and achieve anything they wanted. With the extra level of privileges, the attacker would have been able to dive into files, folders, and network services that the user would not previously have been able to access.

The discovery comes just two months after the National Security Agency (NSA) and National Security Council (NSC) both issued warnings regarding state-sponsored attacks aimed at exploiting vulnerabilities in VPNs.

Alex Seymour said: "Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. 

"People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry."

Aviatrix took swift action to address the issue, releasing a patch, v2.4.10, on November 4.

"Users should install the new patch as soon as possible to ensure there is no exploitation in the wild," said Seymour.

A spokesperson for Immersive Labs said that Aviatrix has been responsive and open to discussion after the vulnerabilities were disclosed and had taken on board advice on how to resolve the issue.

"The changes made to resolve the issue were timely and well implemented. They have kept communication open throughout the disclosure process, remaining positive and showing that they take the security of their customers and product seriously," said the Immersive Labs spokesperson. 

Seymour's suspicions were aroused when he noticed a wordy outpouring after firing up the Aviatrix VPN on a Linux machine. The last two lines of script indicated that two local web servers were started when the VPN was launched.

Weak file permissions set on the installation directory on Linux and FreeBSD made it possible to modify shell scripts that are executed when a VPN connection is established and terminated. When the back-end service executed the "OpenVPN" command, the script was executed with elevated privileges.
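The class of defect described above (scripts that a privileged service executes on connect and disconnect, sitting in a directory that unprivileged users can write to) is easy to audit for. The following is an added example written for this page, not code from Aviatrix or Immersive Labs; the directory path and the set of trusted owners are assumptions passed in by the caller.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// Finding records one file or directory that an unprivileged user could
// modify even though a privileged service later executes what is inside it.
type Finding struct {
	Path   string
	Reason string
}

// AuditHookDir walks dir (the directory itself included, since a writable
// directory lets a user replace a script outright) and reports every entry
// that is group- or world-writable, or owned by a UID not in trustedUIDs.
func AuditHookDir(dir string, trustedUIDs map[uint32]bool) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		info, err := d.Info() // Lstat: symlinks are reported as themselves
		if err != nil {
			return err
		}
		findings = append(findings, checkEntry(path, info, trustedUIDs)...)
		return nil
	})
	return findings, err
}

// checkEntry applies the three checks to a single filesystem entry.
func checkEntry(path string, info fs.FileInfo, trustedUIDs map[uint32]bool) []Finding {
	var out []Finding
	perm := info.Mode().Perm()
	if perm&0o002 != 0 {
		out = append(out, Finding{path, "world-writable"})
	}
	if perm&0o020 != 0 {
		out = append(out, Finding{path, "group-writable"})
	}
	// Ownership comes from the platform stat structure (Linux/BSD/macOS).
	if st, ok := info.Sys().(*syscall.Stat_t); ok && !trustedUIDs[st.Uid] {
		out = append(out, Finding{path, fmt.Sprintf("owned by untrusted uid %d", st.Uid)})
	}
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: hookaudit <hook-script-directory>")
		os.Exit(2)
	}
	// Assumption: only root (uid 0) should own scripts run by a root service.
	findings, err := AuditHookDir(os.Args[1], map[uint32]bool{0: true})
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it against the directory holding the connect and disconnect scripts; a non-zero exit means at least one script could be modified by someone other than the trusted owner.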

Cloud Security and Artificial Intelligence in the Financial Sector

I recently had the honor of testifying before the House Financial Services Committee’s Taskforce on Artificial Intelligence about two critical emerging issues in the financial services sector – cloud and artificial intelligence (AI). Both have incredible potential for energizing the financial sector, but they also raise important security concerns.

Financial services organizations are migrating to the cloud to reduce complexity, cut costs, and focus their capabilities on delivering financial services to their customers. Leveraging the cloud, both large and small institutions benefit from advanced technology that is normally only available to those who can substantially invest in a highly technical workforce.

While cloud providers generally practice strong cyber hygiene, enabling quick responses to vulnerabilities and security incidents, there are also major security challenges with moving to cloud.

Because cloud providers service many clients, a single breach can place multiple organizations’ data at risk. Today, almost all organizations, including financial services, use multiple cloud providers, a trend that is making visibility into operations more challenging. To remediate this situation, organizations need solutions to manage visibility and monitor security between cloud service consumers and providers. Services like McAfee’s MVISION Cloud, a Cloud Access Security Broker (CASB), represent a critical new class of applications that are rapidly being adopted to manage and secure diverse cloud environments.

As with cloud, we must also understand the capabilities, limitations, and risks of AI. Financial services organizations are using AI and machine learning to enable advanced analytics that allows them to better serve and protect customers, while better managing overall cost.

As the new foundation for cyber defense, AI is enabling us to better detect threats and find the so-called “needle in a haystack of needles.” Additionally, AI-based automation is helping alleviate the cybersecurity talent shortage, enabling us to free up human security professionals to focus on the most critical aspects of cyber defense.

Unfortunately, AI can be used by our adversaries. Bad actors can use AI to identify the most vulnerable victims, automate phishing, and evade detection. AI improves their ability to execute attacks and enables content creation for use in social engineering and information warfare, such as deepfake videos. These and many other adversarial uses of AI can and will occur, putting our financial services sector as well as our democracy and civil society at risk.

To properly secure cloud and AI technology in the financial services sector, I recommended the Taskforce consider voluntary collaboration and the use of industry-supported standards and best practices such as the NIST Cybersecurity Framework. When appropriate, existing cybersecurity rules for highly regulated critical infrastructure industries should be updated to reflect the rapid speed of innovation.

While innovations in both cloud and artificial intelligence are and will continue to enhance the cybersecurity of the financial services and cloud sectors, these same innovations will progressively enable cyber hackers.

At McAfee, we look forward to working with Congress to help provide cybersecurity advice as the industry moves towards the adoption of cloud and artificial intelligence technologies.

A transcript of my testimony on the U.S. House Financial Services Committee’s Taskforce on Artificial Intelligence can be found here.


The post Cloud Security and Artificial Intelligence in the Financial Sector appeared first on McAfee Blogs.

Technicity 2019 | Improving the Customer Experience with Government

People have high expectations for the applications they use every day. As municipalities modernize and develop new ways for citizens to engage with their services, the end-user experience must be top of mind. Technology experts and senior city leaders gathered at the Arcadian Court Dec. 4 in Toronto to discuss issues ranging from open data…

Analysis of LooCipher, a New Ransomware Family Observed This Year

Initial Discovery

This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new families are being detected almost on a weekly basis.

The McAfee ATR team has now analyzed a new ransomware family with some special features we would like to showcase. LooCipher shows how a new actor in an early stage of development used the same distribution techniques as other players in the ransomware landscape. The design of the ransom note reminded us of the old days of Cerber ransomware: a very effective design for pressuring the user into paying the ransom.

Thanks to initiatives like the ‘No More Ransom’ project, one of the partners involved has already provided a valid decryptor to restore files encrypted by LooCipher.

McAfee Telemetry

Based on the data we manage, we detected LooCipher infections in the following regions:

Campaign Analysis:

Based on the analysis we performed, this ransomware was delivered through a DOC file. The content and techniques used with this MalDoc are quite simple compared to other doc files used to spread malware, such as Emotet. No special social engineering techniques were applied; the authors only put a simple message on it – “Enable macros”.

The file is prepared to download LooCipher from a remote server upon opening the file. We can see the Sub AutoOpen function as a macro in the document:

LooCipher starts its encryption routine by building the key from a predefined set of characters, assembling a 16-byte block whose selection is seeded from the local system hour:

The ransomware will use the AES-ECB encryption algorithm in the process and the key is the same for all the files which facilitates the file recovery process. Other ransomware families use a different key for each file to avoid the possibility of a brute force attack discovering the key used during the infection.

In the encryption process, the ransomware will avoid 3 special folders in the system so as to not break their functionality.

Encrypting key files and folders was one of the mistakes we highlighted in our analysis of LockerGoga; that ransomware completely broke the functionality of the system. Some of the binaries found encrypted the entire system, including the LockerGoga binary file itself.

Regarding the extensions that LooCipher will search and encrypt in the system, the list is hardcoded inside the binary:

It is quite interesting to see how LooCipher searches for extensions that are not present on Windows systems, like “.dmg”. This suggests that the authors may simply be taking extension lists from code-sharing sites.

In the analysis we found a PDB reference:


It is interesting to note that the reference found contains Spanish words, as if the user had folders named in Spanish; however, the system is configured in English. We currently have no idea why this is so, but it is curious.

BTC payment is the method chosen by the LooCipher authors to get money from the victims. So, at the end of the file encryption, the ransomware shows a ransom note to the user:

LooCipher decryptor will pop up in the system as well with a specific countdown:

In the ransom note LooCipher says the BTC address is specifically generated for the user but that is not true; all the BTC addresses we have seen are hardcoded in the binary:

This is another special characteristic of this ransomware. Normally, this workflow provides an email address to contact the authors so they can send instructions to the victim, or at least a BTC address to make the payment (when a unique BTC address is not generated for every victim); that is the main difference between RaaS and one-shot campaigns.

If we apply static analysis in the binaries we have, the same bundle of BTC addresses is included across most that we spot in the wild:

None of the BTC addresses found regarding LooCipher showed any transactions so we believe the authors did not monetize the campaign with the binaries we analyzed.

LooCipher and Network Traffic:

In the encryption process, LooCipher will contact the C2 server and send information about the victim:

The data sent to the server is:

Because the encryption key is part of this exchange, a copy of the network traffic captured during infection could let the victim recover the key that was used.
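Two of the weaknesses described above (AES-ECB with a single key for every file, and a key that a victim might recover from a traffic capture) can be shown concretely. The following is an added example written for this page, not McAfee's analysis tooling or the No More Ransom decryptor: it assumes a 16-byte AES key (consistent with the 16-byte block mentioned above), uses a constructed key value, and uses the constant 16-byte PNG header as the known plaintext that lets a candidate key be verified against a single ciphertext block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

// PNGHeader is the fixed first 16 bytes of every PNG file: the 8-byte
// signature, the IHDR chunk length (13) and the "IHDR" tag. Under ECB with
// one key, every encrypted PNG therefore starts with the same ciphertext block.
var PNGHeader = []byte{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, 'I', 'H', 'D', 'R'}

// ecbEncrypt applies AES to each 16-byte block independently (ECB) after
// PKCS#7 padding. It exists only to model the weak scheme being discussed.
func ecbEncrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padLen := aes.BlockSize - len(data)%aes.BlockSize
	padded := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// EcbDecrypt reverses ecbEncrypt and strips the PKCS#7 padding.
func EcbDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	padLen := int(out[len(out)-1])
	if padLen == 0 || padLen > aes.BlockSize || padLen > len(out) {
		return nil, errors.New("invalid padding")
	}
	return out[:len(out)-padLen], nil
}

// FirstBlocksEqual reports whether two encrypted files share their first
// ciphertext block: with ECB and a single key this happens whenever the
// original files share a header, and it leaks that fact without any key.
func FirstBlocksEqual(a, b []byte) bool {
	if len(a) < aes.BlockSize || len(b) < aes.BlockSize {
		return false
	}
	return bytes.Equal(a[:aes.BlockSize], b[:aes.BlockSize])
}

// KeyMatchesHeader verifies a candidate key (for example one recovered from
// a traffic capture) against one encrypted file whose original format has a
// known 16-byte header. One block is enough; no full decryption is needed.
func KeyMatchesHeader(candidate, encryptedFile, knownHeader []byte) (bool, error) {
	if len(knownHeader) != aes.BlockSize || len(encryptedFile) < aes.BlockSize {
		return false, errors.New("need a 16-byte header and at least one ciphertext block")
	}
	block, err := aes.NewCipher(candidate)
	if err != nil {
		return false, err
	}
	expected := make([]byte, aes.BlockSize)
	block.Encrypt(expected, knownHeader)
	return bytes.Equal(expected, encryptedFile[:aes.BlockSize]), nil
}

func main() {
	key := []byte("0123456789ABCDEF") // constructed 16-byte key for the demo
	imgA := append(append([]byte{}, PNGHeader...), []byte("image A body")...)
	imgB := append(append([]byte{}, PNGHeader...), []byte("another image")...)
	encA, _ := ecbEncrypt(key, imgA)
	encB, _ := ecbEncrypt(key, imgB)
	fmt.Println("identical first blocks:", FirstBlocksEqual(encA, encB))
	ok, _ := KeyMatchesHeader(key, encA, PNGHeader)
	fmt.Println("candidate key verified against one block:", ok)
}
```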

Decryptor Fallback Mechanism Implemented by LooCipher

The LooCipher authors provide a fallback mechanism to help victims access the instructions and the decryptor again, in case they close the LooCipher window when it appears in the system after encrypting the files:

The mechanism sees the LooCipher binary uploaded to the Mega platform. In case the user wants to get the BTC address or decrypt the files after making the payment, they can download this binary and use it. If the files were previously encrypted by LooCipher they would not be encrypted again according to the ransomware’s authors.

I’m Infected by LooCipher. How Can I Get my Files Back?

McAfee is one of the founders and contributors of the ‘No More Ransom’ project. One of our fellow stakeholders created a decryptor for all the files encrypted by LooCipher:

So, if you are infected with LooCipher, it is possible to get your files back.


The LooCipher authors are not a sophisticated actor compared to other families like Ryuk, LockerGoga or REvil. They tried to spread their ransomware by combining the infection with an Office file carrying a simple macro.

It will be impossible for the authors to come back to the scene if they do not change how the ransomware works.

The McAfee ATR Team advises against paying the ransomware demands and, instead, recommends:

  • Saving a copy of your encrypted files – sometimes in the future a decryptor may be released
  • Having a solid backup workflow in the company
  • Implementing best practices in terms of Cybersecurity


We uploaded a YARA rule to detect almost all the samples observed in the wild.

MITRE ATT&CK Coverage:

  • Hooking
  • Defense Evasion
  • Network Service Scanning
  • System Information Discovery
  • Data Compressed

McAfee Coverage:

  • Artemis!02ACC0BC1446
  • Artemis!12AA5517CB7C
  • Artemis!1B1335F20CD0
  • Artemis!362AB3B56F40
  • Artemis!64FCC1942288
  • Artemis!8F421FE340E7
  • Artemis!983EF1609696
  • Artemis!A11724DBE1D6
  • Artemis!A7ABF760411F
  • Artemis!B9246AA9B474
  • Artemis!F0D98A6809C1
  • McAfee-Ransom-O
  • Ransomware-GNY!3B9A8D299B2A
  • Ransomware-GNY!66571E3C8036
  • Ransomware-GNY!9CF3C9E4A9B5
  • Ransomware-GNY!A0609D7AD404
  • Ransomware-GNY!A77FDEFE40BE
  • Ransomware-GNY!A9B6521FF980
  • Ransomware-GNY!D3CE02AD4D75
  • Ransomware-GNY!DC645F572D1F
  • RDN/Generic Downloader.x
  • RDN/Generic.ole

The post Analysis of LooCipher, a New Ransomware Family Observed This Year appeared first on McAfee Blogs.

The Advantages of Next-Generation Firewalls (NGFWs)

Network managers and security teams are facing a double-edged challenge: networks are growing far more complex and expanding across multiple perimeters just as threat vectors become increasingly difficult to detect and threats grow more sophisticated. The Next-Generation Firewall (NGFW) offers a solution. According to Cisco ASA reviews and Cisco Firepower NGFW reviews on IT Central Station, they enable greater visibility into the network and applications while improving threat mitigation.

Visibility into Traffic and the Application Layer

“Before Firepower, we didn’t have any visibility about what attack was happening or what’s going on from the inside to outside or the outside to inside,” explained Ali A., a Technical Manager who uses Cisco Firepower NGFW at a comms service provider with more than 1,000 employees. He added, “After Firepower and the reporting that Firepower generates, I can see what’s going on: which user visits the malicious website, or which user uploaded or downloaded malicious code, and what the name of the code is and from which country. This is very useful and helpful for me to detect what’s going on. It enables me to solve any problem.”

Burak Y., an IT System Administrator who uses Cisco ASA at a transportation company, is dealing with a dynamic IT landscape which requires, in his view, “Security policy, controls, and visibility to be better than ever.” Mohammad R., a Security Officer at a government agency, praised ASA because it “gives us visibility into potential outbreaks as well as malicious users trying to access the site.” Iz, an Assistant Manager (Infrastructure) who uses Cisco Firepower at a small business, commented, “It has improved the security posture and visibility of our traffic.”

Visibility into applications is a critical need for network and security managers. Applications are frequent targets of malicious actors because they present an effective way to gain unauthorized access to data. Hackers also like to disrupt organizations by crippling their apps. To prevent these potentialities, Cisco NGFWs must “support application visibility,” noted a Senior Data Scientist who uses Firepower at a tech services company. He praised Firepower because it can support “application visibility and control.”

Eduardo V., an IT Infrastructure Specialist who uses Cisco Firepower at a transportation company, further addressed this need by saying, “It provides us with application visibility and control. We can see, on the dashboard, all the applications that are most used and which are under some sort of risk or vulnerability.” This matters because, “It helps a lot when we need to check some situation or issue that could be related to any attack or any violation. We can see that there are one or two or three applications that are the top-consuming applications. We can use this information to analyze if there is a deviation or if it’s something that we need to consider as normal behavior and increase the bandwidth on the site.”

Policy Management

IT Central Station members describe the importance of policy management in their selection and use of an NGFW. In this regard, according to David S., owner of a small tech company, “Cisco has better application granularity, a more flexible means of policy creation, and easier to use controls and more powerful reports than its predecessors.” Tony P., a Business Development Executive who uses Cisco ASA, further noted, “The firewall and policy side are easy to use.” A Network & Security Administrator at a financial services firm uses Cisco ASA to enforce security policy.

For Joel S., a Senior Network Engineer who uses Cisco ASA at a retailer with more than 1,000 employees, “Policy rulesets are key. The majority of what I do is create rules and work with the customers to make sure that things are getting in and out of the environment.” Eduardo V. shared, “It’s not just the visibility of things, but the management of application behavior is very important. If I see that, for example, Facebook is consuming too much bandwidth, I can make a policy on the console here and deploy it to our remote offices. So the application visibility feature is one of the key parts of the solution.”

Threat Detection and Mitigation

Security managers rely on NGFWs to be their first line of defense against incoming threats and malicious exfiltration of data. As Paul C., a Security Architect who uses Cisco Firepower at a comms service provider with over 10,000 employees, noted, “FTD’s ability to provide visibility into threats is very good, if the traffic is clear.” He added, “You can stop new threats very quickly because you can get the threat intelligence deployed to all your IPSs in less than two hours. Cisco works closely with Talos and anything that Talos finds is provided in the threat intelligence of the FTDs if you have the license.”

To this point, a Regional Manager of Pre Sales at a tech services company was pleased that Cisco ASA “helps us to identify key, persistent threats so we can set policies accordingly.” An IT Manager who uses Cisco ASA with FirePOWER at a construction company spoke to this issue as well, saying he valued it for intrusion protection. He said, “We were able to determine when we are being attacked. We needed a way to monitor threat protection and not cause latency. The product has the ability to be a consumer of threat intelligence, and be a contributor showing the maturity in threat protection posture.”

To read more Cisco NGFW reviews from real, unbiased users, visit IT Central Station.

The post The Advantages of Next-Generation Firewalls (NGFWs) appeared first on Cisco Blogs.

China used the Great Cannon DDoS Tool against forum used by Hong Kong protestors

China is accused of having used the “Great Cannon” DDoS tool to launch attacks against LIHKG, a forum used by Hong Kong residents to organize protests.

The Great Cannon Distributed Denial of Service (DDoS) tool has been used again by the Chinese government, this time to target the LIHKG forum that Hong Kong protesters use to coordinate their protests against the Beijing government.

The last time the Great Cannon was used by the Chinese authorities was in 2017 when it was involved in DDoS attacks on the site, a US-based Chinese media outlet.

The Great Cannon has been used in the past to knock out two anti-censorship GitHub pages and the (a portal that exposes internet censorship worldwide).

“We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the ‘Great Cannon.’” states a report published by Citizen Lab researchers in 2015. “The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”

According to a report published by AT&T Cybersecurity, the tool was used again by Chinese authorities to target the LIHKG Hong Kong-based website.

Great Cannon DDoS

“The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong. Using a simple script that uses data from, we identified new attacks likely starting Monday November 25th, 2019.” reads the analysis published by AT&T.

“Websites are indirectly serving a malicious JavaScript file from either:

  • http://push[.]; or
  • http://js.passport[.]

Normally these URLs serve standard analytics tracking scripts. However, for a certain percentage of requests, the Great Cannon swaps these on the fly with malicious code”

The DDoS attacks began on August 31, but later switched to attacking “multiple pages and attempted (unsuccessfully) to bypass DDoS mitigations” implemented by the target website.

According to LIHKG, its platform received a total number of requests exceeding 1.5 billion; the highest record of unique visitors exceeded 6.5 million per hour, and the highest total request frequency was 260k/sec, which then lasted for 30 minutes before it was banned.

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious Javascript code,” added AT&T.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

Pierluigi Paganini

(SecurityAffairs – Great Cannon, China)

The post China used the Great Cannon DDoS Tool against forum used by Hong Kong protestors appeared first on Security Affairs.

Election Machine Insecurity Story

Interesting story of a flawed computer voting machine and a paper ballot available for recount. All ended well, but only because of that paper backup.

Vote totals in a Northampton County judge's race showed one candidate, Abe Kassis, a Democrat, had just 164 votes out of 55,000 ballots across more than 100 precincts. Some machines reported zero votes for him. In a county with the ability to vote for a straight-party ticket, one candidate's zero votes was a near statistical impossibility. Something had gone quite wrong.

Boing Boing post.

Severe Auth Bypass and Priv-Esc Vulnerabilities Disclosed in OpenBSD

OpenBSD, an open-source operating system built with security in mind, has been found vulnerable to four new high-severity security vulnerabilities, one of which is an old-school type authentication bypass vulnerability in BSD Auth framework. The other three vulnerabilities are privilege escalation issues that could allow local users or malicious software to gain privileges of an auth group,

Lib Dems, Labour and SNP ‘Ahead’ on Election Security

Security researchers are warning UK voters to be on their guard after revealing that most of the country’s political parties still don’t have best practice email security measures in place to mitigate fraud risks.

RedSift analyzed the UK’s main 13 political parties ahead of a tense General Election on December 12, in which the direction of the country could finally be decided after three years of Brexit-related uncertainty.

It found that just three, the Liberal Democrats, Labour and the Scottish National Party (SNP), had a valid DMARC policy. The Domain-based Message Authentication, Reporting and Conformance protocol (DMARC) is recommended by security experts as a key function to help prevent phishing and other spoof email attempts.

While it’s best used in combination with other layered security measures, DMARC does help to guarantee the legitimacy of the sender, which is why the UK government mandated its use for departments back in 2016, with the US following two years later.

According to RedSift’s research, the Conservative Party, the Brexit Party and many others are exposing voters to potentially fraudulent email communications.

“This insight into political party cybersecurity is particularly concerning given that the National Cyber Security Centre, an organization that’s part of the UK government, mandated back in 2016 that all government bodies should implement DMARC so all email traffic can be monitored for malicious activity,” argued RedSift co-founder, Randal Pinto. “It’s a sorry state of affairs that three years on, voters still can’t be sure whether political pledges and requests for support are originating from credible candidates.”

Even the three parties that currently have valid DMARC policies in place can do more. They need to upgrade to a p=reject policy so phishing emails don’t end up being received by prospective voters.
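The record strength the article talks about (a valid DMARC record, and then p=reject rather than a monitoring-only policy) can be checked mechanically. The following is an added example, not part of RedSift's research or tooling; it parses the text of a `_dmarc` TXT record and reports how much protection it actually provides. All record strings in it are constructed placeholders, not real parties' DNS data.

```python
"""Assess the strength of a DMARC policy from its DNS TXT record text.

Added example (not RedSift's code). Record strings used here are constructed
placeholders; in practice the text comes from the TXT record at _dmarc.<domain>.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Ordering used to compare the organisational policy (p=) with the subdomain
# policy (sp=): a weaker sp= silently re-opens subdomains to spoofing.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    valid: bool                 # record is syntactically usable by receivers
    policy: Optional[str]       # value of p=, or None if unusable
    findings: List[str] = field(default_factory=list)  # weaknesses found


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (tags are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return an assessment of one DMARC record; None means no record published."""
    if record is None:
        return DmarcAssessment(False, None, ["no _dmarc TXT record published"])
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcAssessment(False, None, [str(exc)])

    # Receivers require v=DMARC1 as the first tag; anything else is ignored.
    first_tag = record.split(";", 1)[0].strip().lower()
    if first_tag != "v=dmarc1":
        return DmarcAssessment(False, None, ["record must start with v=DMARC1"])

    policy = tags.get("p")
    if policy not in POLICY_RANK:
        return DmarcAssessment(False, None, ["missing or invalid p= tag"])

    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; p=reject is stronger")

    # pct= defaults to 100; a lower value applies the policy to only a sample.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; receivers will treat it as 100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # sp= defaults to the value of p=; an explicit weaker sp= leaves subdomains open.
    sub_policy = tags.get("sp")
    if sub_policy in POLICY_RANK and POLICY_RANK[sub_policy] < POLICY_RANK[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy}; subdomains can be spoofed")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so failures go unseen")

    return DmarcAssessment(True, policy, findings)


if __name__ == "__main__":
    # Constructed sample records for illustration only.
    samples = {
        "party-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@party-a.example",
        "party-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@party-b.example",
        "party-c.example": "v=DMARC1; p=quarantine; sp=none; pct=20",
        "party-d.example": None,
    }
    for domain, record in samples.items():
        result = assess_dmarc(record)
        print(domain, "valid" if result.valid else "INVALID", result.policy, result.findings)
```

To feed it real data, fetch the TXT record with a resolver (for example `dig +short TXT _dmarc.<domain>`) and pass the quoted string to `assess_dmarc`. Note that a strong DMARC record still depends on SPF and DKIM being correctly set up for every legitimate sending service, which this check does not cover.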

The Conservative Party has already caused widespread anger for doctoring footage of opposition candidates on Brexit and changing its official Twitter feed during a televised debate to pose as an official fact-checking source.

“Confidence in politics has taken a dive recently,” argued Pinto. “The Conservative’s ‘factcheckUK’ Twitter scandal hurt the party’s credibility, damaging public trust — akin to the method scammers deploy each time they impersonate emails to elicit action.”

Will Automation be the next big weapon against cyber threats?

The Ponemon Institute recently completed a survey on ‘Staffing the IT Security Function In the Age of Automation’ in an attempt to understand the effect of automation on IT security.

  • 49% of respondents to this survey felt that automation improved the ability to prioritize threats and vulnerabilities
  • 47% felt it increased the productivity of current security professionals

While these numbers are encouraging for advocates of automation in cybersecurity, the other findings are somewhat contradictory:

  • 65% of respondents still maintained that human involvement in security remained important in an age of automation
  • 56% felt that the main barrier to adopting automation was the lack of in-house expertise, exemplified by the rapid talent shortage faced by the industry.

Automation, a necessity

For enterprises dealing with cyber threats on a day-to-day basis, automation is not just a concept of the future anymore; it is becoming a necessity. Vast numbers of cyberattacks are also delivered via automated methods by attackers.

To fight this relentless array of threats, enterprises will have no choice but to incorporate automation as they adopt AI-based cybersecurity methods.

For such an approach to work though, it is important for CISOs of enterprises to ensure that the entire company is aligned. Like most aspects of any artificial intelligence solution, automation takes time to succeed and will not produce instant results. It works on the basis of good data — the better data it is fed, the better it will get at analyzing data and automating time-consuming manual activities.

Turning Data into Actionable Insights

Enterprises have the capacity to collect vast amounts of data but much of that data may not be actionable due to its sheer scale and size. It is important for data to be correlated and sequenced to match it with threat intelligence, both inside and outside the organization. Furthermore, it is not feasible to assign this task manually.

Automation enables security teams to make sense of data, understand patterns and use the data to garner actionable insights which can help the enterprise understand their threat environment better.

Stopping attacks before they cause damage

Threat mitigation has become an important component of enterprises’ cybersecurity approach due to the fact that threats are many and varied in nature and it is not feasible to block all of them. The focus has shifted to damage prevention and isolation of threats. However, this is an approach which requires automation as manual prevention methods cannot be devised for new threats. In such a scenario, automation tools can identify threats within networks and quickly create response mechanisms to isolate and negate threats.

The human factor

As the results of the survey mentioned at the beginning of this article outlined, automation will never completely replace human cybersecurity staff, as the human aspect plays a very important role. Enterprises will continue to require highly specialized cybersecurity employees who can use automation tools effectively to unlock their full value. Enterprises must continue to invest in the workforce and upskill them in automation.

Seqrite’s vision has driven us to rapidly integrate Artificial Intelligence in our entire product suite. GoDeep.AI which is our proprietary AI-powered malware hunting technology has furthered our already superior enterprise cybersecurity products.

The post Will Automation be the next big weapon against cyber threats? appeared first on Seqrite Blog.