States and the federal government are increasing their scrutiny of cryptocurrencies in an attempt to bring more transparency to a market where buyers and sellers are anonymous and regulatory oversight is light.
Cryptocurrencies such as Bitcoin, Ether, LiteCoin, and Ripple skyrocketed in value last year as investors sought to get in on what many see as the future of global currency – one that for trade and commerce knows no borders. Bitcoin generated massive hype among investors as its value surged more than 1,900% to nearly $20,000 last year, before tumbling back down below $11,000.
If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast
EP27 Show Notes: Recorded 4/13/18 - We just upgraded all our gear, so naturally we had a straight tech meltdown this week and we saved it the best we could. Matt will sound way better next week. Promise. We cover Smart Installer. Again. But that leads down a discussion of security versus convenience that leads to us discussing the process of vuln disclosure - how vendor discussions, release dates, and policies work in the real world.
Seriously, we grounded Matt’s computer for misbehaving with the audio.
The Roundtable
01:00 - Nigel: The Reds are playing a quidditch team or something
02:02 - Craig: Technical difficulties explained?
02:35 - Matt: Wrestlemania 34. Yes, that’s actually his thing this week.
06:30 - Joel: Congrats, Joel’s niece, on graduating from USAF basic training. The rest is unimportant.
The Topics
07:50 - Speaker line-up for TTRS (Talos Threat Research Summit)
11:00 - Smart Installer - This might be the one that finally makes Matt lose it.
25:35 - How it Works: discovering vulns and working with vendors
The Links:
Smart Installer post: https://blog.talosintelligence.com/2018/04/critical-infrastructure-at-risk.html
TTRS Event info: https://www.ciscolive.com/ustest/learn/programs/talos-threat-research-summit/
Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).
Recent advances in AI are transforming how we combat fraud and abuse and implement new security protections. These advances are critical to meeting our users’ expectations and keeping increasingly sophisticated attackers at bay, but they come with brand new challenges as well.
This week at RSA, we explored the intersection between AI, anti-abuse, and security in two talks.
Our first talk provided a concise overview of how we apply AI to fraud and abuse problems. The talk started by detailing the fundamental reasons why AI is key to building defenses that keep up with user expectations and combat increasingly sophisticated attacks. It then delved into the top 10 anti-abuse specific challenges encountered while applying AI to abuse fighting and how to overcome them. Check out the infographic at the end of the post for a quick overview of the challenges we covered during the talk.
Our second talk looked at attacks on ML models themselves and the ongoing effort to develop new defenses.
It covered attackers’ attempts to recover private training data, to introduce examples into the training set of a machine learning model to cause it to learn incorrect behaviors, to modify the input that a machine learning model receives at classification time to cause it to make a mistake, and more.
Our talk also looked at various defense solutions, including differential privacy, which provides a rigorous theoretical framework for preventing attackers from recovering private training data.
Hopefully you were able to join us at RSA! But if not, here are a re-recording and the slides of our first talk on applying AI to abuse prevention, along with the slides from our second talk about protecting ML models.
The Belgian Privacy Commission (the “Belgian DPA”) recently released a Recommendation (in French and Dutch) on Data Protection Impact Assessment (“DPIA”) and the prior consultation requirements under Articles 35 and 36 of the EU General Data Protection Regulation (“GDPR”) (the “Recommendation”). The Recommendation aims to provide guidance on the core elements and requirements of a DPIA, the different actors involved and specific provisions.
Key takeaways from the Recommendation are summarized below:
- Why conduct a DPIA? The Belgian DPA states that the obligation to conduct a DPIA in certain circumstances should be understood in light of two central principles of the GDPR, namely the principle of accountability and the risk-based approach.
- When is a DPIA required? The Belgian DPA indicates that carrying out a DPIA is not mandatory for every processing operation. Instead, a DPIA is only required where a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons.” The Belgian DPA refers to the Guidelines of the Article 29 Working Party (“Working Party”) for such assessment and, in particular, to the nine criteria set out in the Guidelines to consider when determining whether the processing of personal data is likely to create a high risk for the rights and freedoms of individuals. According to the Belgian DPA, if two criteria of this list are detected, a DPIA must be conducted.
- When should a DPIA be conducted? The Belgian DPA stresses that the DPIA must be done before any processing of personal data, and is a tool available to help make decisions concerning the processing.
- What are the essential elements of a DPIA? A DPIA must contain a systematic description of the envisaged processing and its purposes, including at a minimum a clear description of the processing, the personal data involved, the categories of recipients, the retention period of the data, and finally the material (e.g., software, network, paper, etc.) on which the data are stored. The DPIA must also include an evaluation of the necessity and proportionality of the processing activities with regard to the purposes of the processing, taking into account several criteria. Additionally, the DPIA must include a risk assessment covering the whole process, i.e., the identification, analysis and evaluation of the risks. To conduct such an assessment, companies can choose the method as long as it leads to an objective evaluation of the risks; however, the Belgian DPA recommends favoring existing risk management methods. Finally, the DPIA must include the measures envisaged to address those risks, such as the safeguards, security measures and tools implemented to ensure the protection of the data and compliance with the GDPR.
- Prior consultation of the Supervisory Authorities (“SAs”). The Belgian DPA states that the GDPR requires a prior consultation of the SAs only when the residual risk is high. If the risks can be mitigated, then a prior consultation is not mandatory.
The Belgian DPA also makes additional recommendations, including inter alia:
- Similar or joint processing activities. A single DPIA could be used to assess multiple processing operations that are similar in terms of nature, scope, context, purpose and risks.
- Monitoring and review. The controller should, if necessary, conduct a periodic review of the processing activity to assess whether the processing is consistent with the DPIA that was performed. Such a review must at least take place where there is a modification of the risk resulting from the processing operations.
- Pre-existing processing. For processing activities that began before May 25, 2018, conducting a DPIA is only required if the risk(s) change after May 25, 2018 (e.g., a new technology is used or personal data are used for another purpose). However, the Belgian DPA recommends, as a best practice, also conducting DPIAs for existing processing activities if they are likely to result in a high risk to the rights and freedoms of individuals.
Finally, the Recommendation includes annexes:
- Annex 1: The Belgian DPA recommends some minimal characteristics for appropriate risk management.
- Annex 2: The Belgian DPA provides a draft list of processing activities requiring a DPIA. The list includes, inter alia, processing of biometric data for the purpose of identifying individuals in a public area, collecting personal data from third parties for the purpose of making decisions (including to refuse or terminate) regarding a contract to which an individual is party, large-scale processing of personal data from vulnerable individuals (e.g., children), or large-scale processing of personal data where individuals’ behavior is observed, collected, established or influenced in a systematic manner and using automated means, including for advertising purposes.
- Annex 3: The Belgian DPA provides a draft list of processing activities that are exempt from a DPIA, including, inter alia, processing activities by private entities which are necessary to meet their legal obligations, subject to conditions, the processing of personal data for payroll purposes and HR management, and the processing of personal data for client and vendor management purposes, subject to certain conditions.
Video games allow users to become a whole new persona, to experience imaginary worlds, and live out scenarios that are beyond their wildest dreams. One of the most popular video games out there, Minecraft, allows users to build worlds out of cubes and create customized virtual avatars to represent themselves within the game. Only now, special add-ons that are used by players to personalize their avatar have become part of a cyber scheme, as over 50,000 Minecraft accounts have been infected with malware via character skins that were created and uploaded to the game’s official website by fellow users.
Though it is unclear who exactly created the malicious skins, it is believed that the malware does not come from any well-known cybercriminals but rather from inexperienced players looking to exploit others for their own amusement. This malware is not just a simple competitive jab, either, as its tactics are quite nasty. It has been reported that, once downloaded, the strain can reformat hard drives and delete backup data and system programs.
Now, knowing that fellow gamers are out there trying to sabotage others, what are next steps for Minecraft players? It’s important all users start doing all that they can now in order to avoid infection. You can start by following these proactive security tips:
- Do your homework. Before you download any extra add-ons for games, make sure you read fellow user reviews. Conduct a quick Google search and see what other users think – has it caused them issues or security strife? When in doubt, don’t download any add-ons (like character skins) that come from an untrustworthy source or seem remotely sketchy.
- Back up your files on an external hard drive. Always make sure your files are backed up on an external hard drive. That way, if your data is deleted in this Minecraft malware attack or others like it, you can restore the data from the backup.
- Use comprehensive security. Whether you’re using the mobile version of Minecraft, or gaming on your computer, it’s important you lock down all your devices with an extra layer of security. To do just that, use a comprehensive solution such as McAfee Total Protection.
The post Game Over! Malicious Minecraft Character Skins Infect Over 50,000 Accounts appeared first on McAfee Blogs.
The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
Security Impact Rating: Medium
The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. An attacker could exploit this vulnerability by persuading a user to click a crafted link and authenticating using the company's Identity Provider (IdP). A successful exploit could allow the attacker to hijack a valid authentication token and use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
Security Impact Rating: High
Fun Facts: ECS stood up and managed the first security operations center at the White House. Today, ECS manages the world’s largest McAfee installation—employing just about every solution we make—for the U.S. Army.
ECS is more than a McAfee Platinum Partner: they’ve built their entire security solution around McAfee products. The company’s unique offering to Enterprise, military, intelligence and federal civilian combines their award-winning managed services powered by McAfee, and high-level competencies across the Amazon Web Services (AWS) product suite.
ECS has earned service delivery certifications for every McAfee product, participating regularly in betas and trials of new software with active input into the development of new products. Its AWS bona fides are equally ambitious: ECS is an AWS Premier Consulting Partner, an Audited Managed Service Partner, and one of the world’s largest AWS resellers.
For the past 17 years, ECS (formerly InfoReliance) has built a managed-services offering that focuses on delivering custom solutions for clients in regulated industries such as government and defense, but the company also has a large and growing roster of high-profile enterprise and commercial customers. ECS focuses its security solutions around the threat defense lifecycle, applying not only McAfee products but complementary solutions from McAfee Security Innovation Alliance.
“Our choice to provide a single-vendor security platform and deliver McAfee at scale is one of the things that makes us unique,” remarks Andy Woods, Director of Managed Cybersecurity at ECS. “It means our organization can have a depth of expertise that’s frankly unmatched by anyone else in the industry. We also believe it’s the best way to be technology-heavy and people-light, and to automate as much of the cybersecurity lifecycle as we can.”
The McAfee Virtual Network Security Platform (vNSP) and its tight synergy with AWS is a large focus of ECS’s business. Tim Gonda, ECS security engineer and vNSP expert, explains: “We feel it is important to recognize that as part of the AWS shared responsibility model, it is up to us to ensure the security of our virtual networks. We leverage vNSP as a way to augment the security of native AWS capabilities. We are able to establish more flexible controls for protecting our own workloads, as well as providing custom-tailored solutions to our clients.”
In one example of a customer’s virtual private cloud (VPC) deployment, the ECS team launched a vNSP controller into the VPC, and deployed sensors per subnet. The application service also included the lightweight, host-based traffic redirector. “One of the biggest differentiators of vNSP versus other products is that it allows us to monitor internal VPC traffic, as well as traffic leaving the VPC, in an extremely lightweight framework,” Gonda comments. “In this example, we managed the lateral traffic within the VPC, as well as traffic going out to the internet, while providing custom filters and rules looking for specific threats on the wire.”
The application of vNSP with AWS-driven VPCs is just one example of ECS’s fearless innovation in today’s marketplace. Woods notes, “We’re proud of our internally developed intellectual properties, such as our iRamp billing system. We developed one of the very first DXL-enabled technologies within the partner community. We were also early adopters of integrated security through McAfee ePO, born out of a need to support clients in regulated industries.”
Woods concludes, “Our clients are focused on value management of their cybersecurity spend and how we can help them reduce their risk not only today but into the future. We deliver customized security outcomes for every organization we work with. We’re confident in McAfee’s ability to scale along with core competencies on the endpoint, whether on-premises or in the cloud. The connected infrastructure is a key differentiator for us as we deliver managed services to customers across all verticals. For us, ‘Together is Power’ means being able to solve our clients’ cybersecurity problems in the most powerful manner possible, through a single platform of connected technologies.”
The post McAfee vNSP and AWS Are Winning Combination for Enterprise and Federal Customers appeared first on McAfee Blogs.
Here is a summary of upcoming events and webinars where BH Consulting staff will deliver presentations about issues relating to cybersecurity, data protection, and privacy. Each event listing includes links for more information and registration.
FutureScope: Dublin, 31 May
Irish Times journalist Karlin Lillington will be interviewing Brian from the stage as part of FutureScope. The day-long event takes place at the Convention Centre Dublin. Its aim is to provide a platform for sharing of knowledge and insights between global multinationals, large innovative Irish companies and successful entrepreneurs through keynote presentations and panel discussions. To facilitate better networking, places are limited to 1,200 people. For more details and to sign up for the full event, visit here.
CSA Summit at Infosecurity Europe 2018: London, 5 June
Brian Honan will be taking part in a panel discussion at The Cloud Security Alliance (CSA) Summit in London. The event will take place on Tuesday, June 5, as part of Infosecurity Europe 2018 (see below). BH Consulting is a member of the CSA, which is a global organisation dedicated to defining and raising awareness of best practices in secure cloud computing. To register or learn more about the agenda for the event, go here.
Infosecurity Europe 2018: London, 5-7 June
Brian Honan will moderate two panel discussions at the prestigious Infosecurity 2018 conference in London this June. The three-day event takes place at Olympia London exhibition centre. On Wednesday 6 June, Brian will host a panel discussion on GDPR. By then, the regulation will be in force, and the panel will debate its implications and look at measures to protect privacy better. The following day, Brian will moderate a four-person panel that will consider how business, government and law enforcement can collaborate better to tackle cybercrime. The conference website has a full conference programme and details of exhibits. To book tickets, visit this page.
SANS Security Awareness Summit: South Carolina, 8-9 August
Our senior consultant Dave Prendergast will be speaking at this two-day conference in Charleston, South Carolina this summer. The event’s wide-ranging agenda features a range of speakers from diverse organisations, covering creative ways of developing security awareness programmes. There’s a full agenda in PDF here, and you can click this link to register attendance.
Cyber Security Expo: London, 23 October
Brian has been confirmed for a speaking slot at the Cyber Security EXPO which will take place in London later this year. This is a jobs fair aimed at people looking to find work in the security industry. Registration is not yet open, but you can visit the event website for more information.
We are in the midst of the fourth industrial revolution. Instead of steam machines or textiles, our economy is becoming ever more tied to technology. In order for our digital economy to thrive, we as a collective society need to have trust in our technology. Yet, the technology world has done very little to earn that trust.
During RSA, David Duncan, VP, Product Marketing, and Mark McGovern, VP, Product Management, discussed our state of digital trust and how failing to improve it will impact the growth of our digital economy. Duncan pointed out that the digital economy is the 5th largest economy in the world. The growth of this economy is essential to our current way of life, and a lack of trust caused by a series of preventable breaches and loss of personal data is threatening this growth. It is estimated that the digital economy has lost $3 trillion in growth due to a lack of trust in technology. And when companies don’t earn trust on their own, governments take action. Just look at the slew of new regulations and legislation coming out, especially in Europe. After the Equifax breach, the former CEO was forced to testify in front of Congress, and just recently Mark Zuckerberg was asked to do the same in order to answer questions about breaches of privacy.
As McGovern pointed out during his presentation, the digital economy has us living in a paradox. We want better technology, faster and with more access, but we also want it to be more secure. The equation doesn’t add up with the way we currently think about security. This is why we need a modern approach to things like application security, where security is a function of software quality and is built into the development process. And of course we need a modern approach to identity and access management. This means things like single sign-on, advanced authentication, directory services and mobile AppSec. And we need to make use of behavioral analytics so that IAM fades into the background and is not a nuisance.
We live in a borderless world, our security needs to be borderless too. Otherwise it becomes inconvenient and we cannot build the trust with our customers we so badly need for our economy to continue growing.
During the RSA conference, Sam King, general manager of CA Veracode, led an engaging discussion with Art Coviello, former CEO of RSA, and Robert Knake, senior fellow for cyber policy at the Council on Foreign Relations and senior research scientist at Northwestern University’s Global Resilience Institute.
While the conversation touched on a variety of topics, the prevailing theme was the need for a private and public partnership and how much we can depend on the government for cybersecurity assistance. According to the panelists, the main thing holding the government back from improving the overall cybersecurity of our country is a lack of technologists in government. As the questions posed to Mark Zuckerberg during his congressional hearing demonstrated, our government officials are not entirely sure how this Internet thing works.
This is exactly why we need a partnership between government and the private sector. Companies know what is needed but do not have the authority or reach to get it done. While government has the authority they require the expertise of the private sector to determine what should be done.
How to respond to state-sponsored cyberattacks also came up during the conversation. Should we respond in kind with our own cyberattacks? In our increasingly connected world, what is to say those counterattacks don’t end up impacting our own citizens and critical systems? Questions about the effectiveness of economic sanctions also came up. Sanctions seemed to be preferred to the mutually assured digital destruction that escalation would create.
During the Q+A with the audience, one particularly poignant question arose. After years of deadly shootings, we’ve seen a group of individuals come together and protest. Regardless of which side of the gun control debate you fall on, you cannot deny that this grassroots effort has been effective at creating change. Private industries are responding to their calls. Do we need a similar grassroots movement to entice the private sector and government to respond to the cyber threats facing our modern world? What will it take to spur citizen activists into action around this issue? It’s a question that keeps going around in my head after leaving this panel.
The panelists left the discussion on a positive note talking about the progress they’ve seen and how protecting our digital society is possible with cooperation from private sectors and government. As this issue becomes more and more relevant, I look forward to seeing how this debate evolves.
You may be familiar with GandCrab ransomware, which is spreading widely via various spam campaigns and social engineering techniques to infect systems and hold users’ most important data hostage. This fast-growing malware has infected more than 50,000 victims, mostly in Scandinavian and English-speaking countries, according to a Check Point report.
Security researchers recently analyzed a new spam campaign in which malicious actors try to lure victims into clicking a malicious link that will open a binary file and infect users’ system with the GandCrab ransomware.
This phishing campaign has been delivered with the following content (sanitized for your own protection).
Here’s what this email looks like:
From: [Spoof / Forwarded Sender Address]
Job: Banking Opportunities, Greymouth
Dear Hiring Manager
Please review my [link: http: // abuellail [.] Com / resume. php] resume
Email: charlotte.anderson @ abuellail [.] com
If a user clicks on the link in the email, they are redirected to one of the following compromised web pages (sanitized for your online safety):
test.ritsdb [.] com
ubsms [.] com
test.technostark [.] com
How the infection happens
The malware is delivered as an executable binary (resume.exe) that the link returns; once it runs on the local machine, GandCrab installs itself as a file called “bhxsew.exe”.
During the process, the ransomware will try to collect and determine the external IP addresses of the victims via legitimate services such as:
http://ipv4bot.whatismyipaddress[.]com
http://bot.whatismyipaddress[.]com
The main component of GandCrab is “dropped” as a “bhxsew.exe” file in the <Windows appdata> directory. As part of the local data encryption, this malicious file is configured to communicate with the following domains:
zone alarm [.] bit
ransomware [.] bit
GandCrab ransomware is not spread only via spam emails but also seen distributed via an exploit kit campaign called MagnitudeEK which abuses software vulnerabilities found in Windows, Adobe Flash Player, and Silverlight.
As regards the Magnitude EK campaign, security researchers have seen a flood of subdomains being used under this site:
lieslow [.] faith
Malwarebytes Labs recently found that Magnitude EK, “which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.”
Here’s how the ransom note is displayed on the infected machine:
Source: Malwarebytes Labs blog
According to VirusTotal, 24 of 64 antivirus products had detected this spam email campaign at the time of writing this security alert.
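The following is an added detection sketch, not code from the original alert or from CSIS or Heimdal: it refangs the sanitized indicators listed above and runs them over a few constructed DNS, proxy and process log lines. The log format, the workstation names and the sample lines are assumptions, and “zone alarm [.] bit” is assumed to denote the single label zonealarm.bit.

```python
"""Detection sketch for the GandCrab indicators in the alert above.

Added example; the log format and sample lines are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Indicators copied from the alert in their defanged form; refang() makes them
# matchable. "zone alarm [.] bit" is assumed to be the single label zonealarm.bit.
DEFANGED_IOCS = [
    "abuellail [.] com", "test.ritsdb [.] com", "ubsms [.] com",
    "test.technostark [.] com", "zone alarm [.] bit", "ransomware [.] bit",
    "lieslow [.] faith",
]
# Legitimate services the alert says the sample uses to learn its external IP.
IP_CHECK_HOSTS = {"ipv4bot.whatismyipaddress.com", "bot.whatismyipaddress.com"}
DROPPED_FILE = "bhxsew.exe"


def refang(indicator: str) -> str:
    """Turn 'test.ritsdb [.] com' into 'test.ritsdb.com' (lowercase, no spaces)."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator).replace(" ", "").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(host: str, bad: str) -> bool:
    """Exact or subdomain match: a.b.example.com matches example.com."""
    return host == bad or host.endswith("." + bad)


# Constructed log format (assumption): "<iso-time> <src-host> <dns|http|proc> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<event>dns|http|proc)\s+(?P<rest>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": m.group("ts"), "src": m.group("src"), "event": m.group("event"), **fields}


def check_event(ev: dict) -> list:
    """Return the rule names one event trips (possibly none)."""
    hits = []
    host = ev.get("query") or ev.get("host")
    if host:
        host = host.lower().rstrip(".")
        if any(domain_matches(host, bad) for bad in IOC_DOMAINS):
            hits.append("known_gandcrab_domain")
        # .bit is the Namecoin TLD, which public DNS cannot resolve, so a .bit
        # lookup from a workstation is worth a look even for unknown names.
        if host.endswith(".bit"):
            hits.append("namecoin_bit_lookup")
        # Weak on its own: many legitimate tools query these services too.
        if host in IP_CHECK_HOSTS:
            hits.append("external_ip_check")
    image = ev.get("image")
    if image:
        low = image.lower().replace("/", "\\")
        if low.endswith("\\" + DROPPED_FILE) and "\\appdata\\" in low:
            hits.append("dropped_bhxsew_in_appdata")
    return hits


def scan(lines) -> list:
    """Return (line_number, source_host, rule) for every rule hit."""
    out = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in check_event(ev):
            out.append((n, ev["src"], rule))
    return out


def triage(lines, min_rules: int = 2) -> dict:
    """Hosts that trip at least min_rules distinct rules, so a lone IP-check lookup is not escalated."""
    per_host = defaultdict(set)
    for _, src, rule in scan(lines):
        per_host[src].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


SAMPLE_LOG = [  # constructed sample telemetry
    "2018-04-20T10:01:02Z ws-17 http host=abuellail.com path=/resume.php",
    "2018-04-20T10:01:09Z ws-17 proc image=C:\\Users\\alice\\AppData\\Roaming\\bhxsew.exe",
    "2018-04-20T10:01:11Z ws-17 dns query=ipv4bot.whatismyipaddress.com",
    "2018-04-20T10:01:12Z ws-17 dns query=ransomware.bit",
    "2018-04-20T10:02:30Z ws-03 dns query=bot.whatismyipaddress.com",
    "2018-04-20T10:03:00Z ws-09 http host=www.example.com path=/",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(triage(SAMPLE_LOG))  # only ws-17 reaches the threshold
```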
How to stay safe from the GandCrab ransomware
One of the best ways to keep your important data safe from ransomware is to think and act proactively.
To minimize both the risks and the impact of these online threats, we recommend both home users and companies to use and apply these security measures:
- Always back up your data and store it on an external source such as a hard drive or in the cloud (Google Drive, Dropbox, etc.). Our guide will show you how to do it;
- DO NOT open (spam) or download attachments or links from unknown sources that could infect your computer;
- Use strong and unique passwords and never reuse them for multiple accounts. This security guide comes in handy;
- Consider using paid antivirus software that is kept up to date, or consider having proactive anti-ransomware protection (here’s what Heimdal PRO can do for you);
- Prevention is the best cure, so make sure you learn as much as possible about how to easily detect spam emails. These free educational resources can help you gain more knowledge in the cybersecurity field;
- Given the rise of new types of malware (the version 2 of GandCrab ransomware is out there and, unfortunately, there’s no decryption tool available) we remind you that security is not just about using a solution or another, it’s also about improving your online habits and being proactive.
Should you need to understand what ransomware is all about, this dedicated guide will help you.
If you’ve been a victim of the GandCrab ransomware, the good news is that there’s a decryption tool available you can use to recover the valuable data locked by ransomware.
*This article features cyber intelligence provided by CSIS Security Group researchers.
The post Security Alert: GandCrab Ransomware Returns with New Waves of Spam Campaigns appeared first on Heimdal Security Blog.
Password re-use weakness enabled attackers to compromise developer's TeamViewer software
Log-in with Facebook? You could be giving away more personal data than you bargained for
I'm home! Home is good. My travel stats for this year - not so good. As I say in the video, I need to fix this so at this stage, I'm saying "no" to pretty much everything in the second half of the year that involves international travel and I'll just do the exceptionally awesome stuff.
But be that as it may, there's a bunch of other stuff to talk about this week including 3 new blog posts. I'm really hoping to push out a bunch more content over the coming weeks whilst I'm at home (I'm not overseas again until June), there's a heap of stuff on the backlog.
Oh - one thing I forgot to mention in the video is that along with having already ordered some decent lighting, I'd really like to do a proper intro / outro on these videos. If you have any great ideas or suggestions along those lines, do drop a comment below.
- The DJI Osmo Mobile 2 gimbal is pretty awesome (that's video from a boat on choppy water)
- Thread-hijacking on social media is spam (this is really nasty and my hope with this post is that guilty parties get swiftly directed to it)
- I pushed out a new Pluralsight course on "Modern Web Security Patterns" (these "play by play" courses are great for easy listening)
- Is enumerating resources on a website hacking? (I reckon "it depends", but plenty of people on Twitter disagreed after I pushed this out)
- Terbium Labs is sponsoring my blog this week (catch them at RSA if you're around, there's one more day left over that side of the world)