Monthly Archives: May 2019

Cybersecurity in a 5G World, What You Should Know

These days, it seems that all people can talk about is 5G technology and how it will change the world. If you don’t quite grasp what 5G actually means, you’ve come to the right place.

Today, we will explore the capabilities of 5G technology, its benefits, and how cybersecurity ties into all the hoopla (you didn’t think we’d forget about cybersecurity, right?).


What is 5G?

If you do a quick Google search, you’ll find a glut of information on 5G and the technical reasons it is such an improvement, so we’ll keep things as simple as possible.

First off, the ‘G’ in 5G, 4G, 3G, etc. stands for “Generation.” Each generation is a new set of cellular network standards, and each one raises the rate at which data can travel over the air and lowers the delay before it starts moving.

Newer generations (reminder: the higher the G, the better) raise the ceiling sharply: 5G is specified for peak data rates roughly 20 times those of 4G.

In terms of latency, which is a fancy term for the delay before data starts to move, 5G targets about a millisecond, versus the tens of milliseconds that 4G networks typically deliver today.

In practice this means 5G should sharply reduce the random dropouts and slowdowns that plague 4G networks right now, although no radio network can promise they will never happen.

If you thought your 4G mobile speed was already lightning fast, then you’re in for quite a ride with 5G.

To help you better understand just how fast 5G can actually be, here is a quick overview of the time it would take for different wireless generations to download a standard HD movie (roughly 3GB file size) according to Lifewire:

  • 3G: 1 hour and 8 minutes
  • 4G: 40 minutes
  • 4G LTE: 27 minutes
  • 5G: 35 seconds

As you can see, the jump in data speeds is quite stark. Add in a far more stable connection, and we have some pretty powerful stuff on our hands.

But do we actually need this kind of ridiculous speed in our lives? The answer is YES!

 

What Will 5G Be Used For?

Now that we understand just how fast 5G actually is, we can understand why we need it in our lives (no, it isn’t so you can download Netflix movies really fast, although most people will use it for exactly that reason).

5G will serve a much larger purpose in our lives, and that purpose comes in the form of the Internet of Things (IoT).

IoT is essentially the practice of connecting all of our devices, appliances, vehicles, and even our homes to the internet. Check our previous blog post where we discuss this in more depth.

Wait, can’t we already connect these items to the internet through 4G? Yes, but 4G’s bandwidth and latency limit it to relatively undemanding tasks such as updating the weather or downloading new GPS maps, where a delay of a fraction of a second does no harm.

This is because 4G’s maximum throughput (another fancy-schmancy term for the rate at which data can move between the network and your devices) peaks around 1 Gbps (gigabits per second), while 5G is specified to reach 20 Gbps.

Why does this matter? This is what makes 5G the true difference maker in taking IoT to a whole different realm of possibilities.

With much faster speeds and low-latency connections, dreams of autonomous vehicles, remotely controlled machines, or even surgery performed remotely by doctors from around the world become realistic. The last one is a ways off, but it’s certainly within the realm of possibility.

Here’s an example of how South Korea is showcasing its 5G capabilities. The demonstration video shows how companies could begin remotely controlling heavy machinery at dangerous sites, relying on 5G’s low latency and high speeds.

This could change how companies operate by letting true experts handle complex machines without leaving their homes or coming anywhere near the hazards.

Where Does Cybersecurity Fit?

As quickly as we can imagine the amazing possibilities 5G technology could provide, we need to consider the dangers that come with such power. The elephant in the room for IoT devices connected over 5G is attackers.

Imagine a scenario where your loved one is having surgery performed remotely by one of the world’s most accomplished surgeons, located halfway around the world. This could go one of two ways: a truly world-changing event, or a disaster waiting to happen.

The scary part is that a remote connection is, by definition, reachable over the internet, and anything reachable over the internet is reachable by attackers as well. We don’t even want to think of what could happen if an attacker took over a remote surgery.

Scarier still, with the 5G rollout in its infancy, security is often an afterthought for the manufacturers and technology providers building on it.

This could lead to a situation where a major breach scares everyone straight and makes integrating cybersecurity a top priority. But we are here today to argue that cybersecurity needs to be treated as just as important as the underlying technology from the start.

The issue is that much of this traffic will run over new communications protocols. Data traveling from an automobile, for instance, will not use the same protocols as a simple blog about your favorite travel destinations.

This leaves many cybersecurity vendors, whose detection is tuned to today’s protocols, at a disadvantage in protecting this fast-growing market.

How Cloudbric Can Help

By leveraging our years of award-winning web application security experience, as well as the development of new IoT-based threat detection systems, we hope to push cybersecurity to the center of the IoT future.

Throughout its history the internet has been somewhat separate from our daily lives. In the early days, users connected through dial-up services. As connectivity progressed, the closest the internet has come into our lives is through our mobile phones.

The future will be quite different once internet-connected automobiles, household appliances, heavy machinery, etc. become polished and prominent technology in our lives. That calls for cybersecurity to play a central role in ensuring the safety and wellbeing of all users.

Here at Cloudbric, we will be leveraging our new patented deep-learning detection and threat-filtering system to monitor data communications for IoT devices.

This new solution will join a growing suite of Cloudbric solutions focused on bringing our enterprise security experience to everyday users.

In the future, autonomous automobiles and even household appliances will be connected via the Cloudbric IoT security platform, which filters data in and out of each device. This will not only preserve the performance of each device but protect end users from spying, remote manipulation of the device itself, and so on.

Conclusion

When people think of 5G technology, they are often short-sighted, concerning themselves only with speed for their mobile phones or PCs. However, 5G technology’s true purpose is to bring IoT to the forefront.

In other words, 5G will open our eyes to a whole new world of possibilities now that daily appliances and a new class of devices will be connected to the internet.

This will make even the wildest of dreams a reality, such as having the world’s best surgeon perform robotic surgery in real time from halfway across the world.

Although this opens many doors for mankind, cyber threats will certainly play a central role, since these devices need to be connected to the internet at all times. That leaves IoT appliances and their users exposed to attack.

Allowing the IoT world to flourish while protecting its users will be a tough task, and this is where cybersecurity vendors become a necessity. Security vendors are not without their own challenges.

Protecting IoT data communications requires new technology that can monitor, detect, and block attacks aimed at these protocols. Cloudbric will be one of a handful of companies dedicating resources to this effort within the next year.

In summary, 5G technology, with its impressive speed, stability, and connectivity, will power our future. As a society, we need to be well prepared for the risks of having every device around us connected to the internet and even operated remotely by people across the globe.

The time for cybersecurity is now, and vendors’ ability to protect users will be the difference maker.

The post Cybersecurity in a 5G World, What You Should Know appeared first on Cloudbric.

What’s Your Defense Strategy? Best Practices for Red Teams, Blue Teams, Purple Teams


Want to determine the safety of a car? Perform a crash test. One of the most common ways to test the strength of something, particularly in technology, is a stress test. Naturally, the same principle is a critical component of cybersecurity. One of the most effective ways to find your security infrastructure’s weaknesses, and to measure your security team’s ability to detect and respond to attacks, is red team/blue team testing. Read on to find out the differences between these teams, the emergence of purple teams, and the most effective ways to use them.

Red team and blue team tests are named and modeled after military exercises. To make sure soldiers are battle ready, simulations are run to test the effectiveness of their defense strategies. In these simulations, red teams take on the offensive role of the enemy, while the blue team is on the defensive, shielding their position. In the cybersecurity realm the roles are the same, but the battlefield is digital.

 

What is a Red Team?

Red teams are designed to think like attackers and are brought in specifically to put the organization’s cybersecurity posture to the test, using multiple strategies to breach defenses. These include vulnerability assessments, penetration tests, and social engineering attacks such as phishing. Red teams use a variety of tools, such as pen testing solutions like Core Impact, to make the simulation as realistic as they can.

Though key parties may be informed that a red team campaign is taking place, most employees, including the organization’s IT team, won’t be notified until after the fact, which keeps the exercise as authentic as possible.

Red teams can be internal, which helps set long-term goals and ensures frequent testing. Often, however, they are hired from an external firm. Bringing in an outside team, like Security Consulting Services, has its own advantages: a fresh pair of expert eyes often spots vulnerabilities that internal security personnel miss, simply because internal teams see the environment they are testing every day.

What is a Blue Team?

Blue teams are in charge of building up an organization’s protective measures and taking action when needed. This is done in a variety of ways. Regular hardening includes applying updates and patches, removing unused software or features, and rotating passwords. New security tools can also be deployed, such as SIEM solutions that collect logs from different assets and raise security alerts for the blue team to monitor.

What is a Purple Team?

More recently, “purple team” has become the latest buzzword in cybersecurity. While there is some confusion about the term’s usage and definition, it’s best to focus on the ideal it promotes. Ultimately, the purple team concept is the mindset of treating red and blue teams as symbiotic. It’s not red teams vs. blue teams, but one large team focused on a single overarching goal: improving security. The key to becoming a purple team comes down to communication.

One purpose of a red team is to act as a training function for the blue team. Infiltrating and testing the environment is only part of the job. Measuring and improving the ability to detect and respond to attacks is a key part of living up to the purple team ideal. Red teams must prioritize documentation and education so that blue teams can take appropriate remediation action and build up resiliency.

Blue teams, in turn, should view the findings of a red team as a guide for where to focus their efforts, and as a roadmap to find vulnerabilities before the next exercise. In a perfect scenario, red teams wouldn’t find the same vulnerability twice.

Best Practices, No Matter the Color

Operating like a purple team is simply adhering to best practices in order to create an environment that stands firm against cyber-attacks. As mentioned above, communication between teams is the most critical element, but here are a few other ways to get the most out of your red team and blue team exercises:

Have a plan of action.

The planning stages of a simulation exercise are just as important as the exercise itself. There are endless scenarios and methodologies for exploiting a system, so it’s vital to limit your scope. Red teams should have set objectives and measurable goals that will produce useful data for blue teams to analyze. Blue teams should use that data to set their own objectives and goals for remediation.

Always follow up.

While it’s tempting to simply move on to the next task, it’s critical to follow up after every exercise. Retrospectives are a great way for teams to learn from one another and can shed further light on patching and preventing weaknesses. Additionally, fixes themselves must also be verified, so following up with retesting efforts is crucial.

Think outside the box.

Threat actors don’t follow a set of rules when they break into a system. Red teamers can stay within the scope of the exercise while still having the freedom to be just as creative. However, remember to show your work: blue teams can only prevent an attack if they understand how it was done.

Never stop learning.

Promote a culture of learning and encourage both red and blue teams to stay up to date on the latest tools and tricks to prevent being caught off guard. Hackers are always evolving, and true purple teams evolve right along with them.

 


Mr. Coffee with WeMo: Double Roast

McAfee Advanced Threat Research recently released a blog detailing a vulnerability in the Mr. Coffee Coffee Maker with WeMo. Please refer to the earlier blog to catch up with the processes and techniques I used to investigate and ultimately compromise this smart coffee maker. While researching the device, there was always one attack vector that I had wanted to revisit. It was during the writing of that blog that I was finally able to circle back to it. As it turns out, my intuition was accurate; the second vulnerability I found was much simpler and still allowed me to gain root access to the target.

Recapping the original vulnerability

The first vulnerability modified the “template” section of the brew schedule rule file, which is a unique file sent when the user schedules a brew in advance. I also needed to modify the template itself, sent from the WeMo app directly to the coffee maker. During that research I noticed that many of the other fields could be impactful but did not investigate them as thoroughly as the template field.

Figure 1: Brew schedule rule

When the user schedules a brew, an individual rule is added to the Mr. Coffee root crontab. The crontab entry uses the rule’s “id” field to make sure the correct rule is executed at the desired time.

Figure 2: Root crontab entry

Crontab provides basic scheduling at the OS level: the user supplies both the command to execute and timing details down to the minute, as shown in Figure 3.

Figure 3: Crontab syntax

During the initial research, I started to fuzz the rule id field; however, because every rule name I placed in the malicious schedule was always prepended with “/sbin/rtng_run_rule”, I could not get anything abnormal to happen. I also noticed that many characters useful for command injection were being filtered.

The following is a list of characters sanitized or filtered on input.

At this point I moved on and ended up finding the template vulnerability as laid out in the previous blog.

Finding an even simpler vulnerability

A few months after disclosing to Belkin, I revisited the steps for the template abuse in preparation for a public disclosure blog. The ability to write arbitrary code directly into root’s crontab is enticing, so I began looking into it again. I needed a way to terminate the “rtng_run_rule” command and append my own commands to the crontab entry by modifying the “id” field. The “rtng_run_rule” file is a shell script that directly calls a Lua script named “rtng_run_rule.lua”. I noticed that I could send the double pipe “||” characters, but the “rtng_run_rule” wrapper script would never return a failing exit code. Next, I looked at how the wrapper script handles its command line arguments, as shown below.

Figure 4: rtng_run_rule wrapper script

At this point I created a new rule: “-f|| touch test”. The “-f” is not a recognized argument, so it takes the “Bad option” case, causing the “rtng_run_rule” wrapper script to return “-1”. With the wrapper script returning a failing exit code, the “||” (or) operator fires, which executes “touch test” and creates an empty file named “test”. Since I still had serial access (my previous blog explains in detail how I achieved this), I was able to log in to the coffee maker and find the “test” file. It was in root’s home directory.

Being able to write arbitrary files and execute commands without the “/” character is still somewhat limiting, as most file paths and URLs need forward slashes. I needed a way to execute commands that contained “/”. I did this by downloading a file from a web server I control and piping it into Ash, which sidesteps the file path character filtering.

Figure 5: Commands allowing for execution of filtered characters.

Let me break this down. The “-f”, as before, causes the wrapper script to fail so that the “||” branch runs. The “wget” command then downloads from my web server at IP address “172.16.127.31”. The “-q” silences wget’s own progress output, and the “-O -” tells wget to write what it receives to STDOUT instead of a file. Finally, “| ash” takes that output and executes it as shell commands.

This way I can set up a server that simply returns a file containing the Linux commands I need and host it on my local machine. When I send the rule with the above command injection, the coffee maker reaches out to my server and executes everything as root. Piping wget into Ash also bypasses all the character filtering, since the filtered characters only ever appear in the downloaded script, so I can now execute any command I want.
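The following is an added example, not code from the McAfee ATR post or from the coffee maker’s firmware. It reproduces the mechanism described above in plain POSIX shell: a stand-in for the “rtng_run_rule” wrapper that fails on an unknown option, an assumed blocklist filter that (like the device’s) lets “|” and “-” through, and a scheduler that pastes the rule id straight after the wrapper, followed by an allowlist builder that closes the hole. The filter’s character set, the wrapper’s option handling and all function names are assumptions; the real ones are not reproduced on this page.

```sh
#!/bin/sh
# Added example, not McAfee ATR's or Belkin's code. Stand-ins for the
# device's wrapper script, its input filter and its crontab builder; the
# real filter set and wrapper internals are assumptions.

# Stand-in for /sbin/rtng_run_rule. An unknown option hits the "Bad
# option" branch and returns non-zero, which is what the injection relies
# on (the device returns -1, which a shell reports as 255).
rtng_run_rule() {
    case "$1" in
        -h) echo "usage: rtng_run_rule <rule-id>"; return 0 ;;
        -*) echo "Bad option: $1" >&2; return 255 ;;
        *)  echo "running rule $1"; return 0 ;;
    esac
}

# Assumed blocklist in the spirit of the device's filtering: common shell
# metacharacters and '/' are dropped, but '|' and '-' survive.
sanitize_id() {
    printf '%s' "$1" | tr -d ';&`$(){}<>/\\'
}

# The vulnerable pattern: the cron command is built by concatenation.
# On the device the line lands in root's crontab behind a time spec,
# e.g.  30 6 * * *  /sbin/rtng_run_rule <id>
build_cron_command() {
    printf 'rtng_run_rule %s' "$(sanitize_id "$1")"
}

# Runs the built command the way cron does: handed to a shell, as root.
run_as_cron() {
    eval "$(build_cron_command "$1")"
}

# Hardened builder: an allowlist instead of a blocklist. The id must be
# non-empty and consist only of [A-Za-z0-9_], so it can neither start with
# '-' nor carry a shell operator. Returns 1 and prints nothing otherwise,
# so the scheduler can refuse the rule instead of writing it.
build_cron_command_safe() {
    case "$1" in
        "" | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    printf 'rtng_run_rule %s' "$1"
}
```

`run_as_cron '-f|| echo INJECTED'` prints `INJECTED`, for the same reason “-f|| touch test” created the file on the coffee maker: the wrapper fails on the bogus option and the shell runs whatever follows “||”. Swapping `echo` for the wget-into-Ash pipeline from Figure 5 is what lifts the “/” restriction, since the slashes then live in the downloaded script rather than in the rule id. `build_cron_command_safe` rejects both payloads before anything reaches the crontab: an allowlist cannot be bypassed by a character the blocklist forgot, and because it refuses a leading “-”, the wrapper’s option parser never sees attacker data.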

Status with Vendor

Belkin did patch the original template vulnerability and released new firmware. The vulnerability explained in this blog was found on the new firmware and, as of today, we have not heard of any plans for a patch. It was disclosed to Belkin on February 25th, 2019. In accordance with our vulnerability disclosure policy, we are releasing details of this flaw today to alert consumers of the device to the ongoing security findings. While this bug is also within the Mr. Coffee with WeMo’s scheduling function, it is much easier for an attacker to leverage, since it requires neither template modifications nor reworking of code changes. The following demo video shows how this vulnerability can be used to compromise other devices on the network, including a fully patched Windows 10 PC.

Key takeaways for enterprises, consumers and vendors

Devices such as the Mr. Coffee Coffee Maker with WeMo are a good reminder of the pros and cons of “smart” IoT. While advances in automation and technology offer exciting new capabilities, they should be weighed against the potential security concerns.

In a home setting, consumers should put these types of devices on a segmented network, isolated from sensitive network traffic and more critical devices. They should use strong passwords to make network access more challenging and apply patches or updates for all networked devices whenever available.

Enterprises should restrict access to devices such as these in corporate environments or, at a minimum, have a policy for oversight and management. They should be treated the same as any other asset on the network, as IoT devices are often unmonitored pivot points into more critical network infrastructure. Network scanning and vulnerability assessments should be performed, in conjunction with a rigorous patching cycle for known issues. While the vendor has not provided a CVE for this vulnerability, we calculated a CVSS score of 9.1 out of 10, which categorizes it as critical.

Finally, as consumers of these products, we need to ask more of the vendors and manufacturers. A better understanding of secure coding and vulnerability assessment is critical before products go to market. Vendors who implement a vulnerability reporting program and respond quickly can gain consumers’ trust and keep their product reputation intact. One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Through analysis and responsible disclosure, we aim to guide product manufacturers toward a more comprehensive security posture.

The post Mr. Coffee with WeMo: Double Roast appeared first on McAfee Blogs.

How McAfee’s Mentorship Program Helped Me Shine in My Career Journey

By: Anshu, Software Engineer

“The mind is not a vessel that needs filling, but wood that needs igniting.”—Mestrius Plutarchus

A mentor isn’t someone who answers your questions, but someone who helps you ask the right ones. After joining the McAfee WISE mentorship program as a mentee, I understood the essence of these words.

WISE is a community committed to providing opportunities for growth and success, increasing engagement, and empowering women at McAfee. Each year, WISE helps women network and find opportunities for their career development.

Joining the McAfee WISE Mentorship Program

The WISE Mentorship Program was introduced to address how women have been underrepresented in the tech sector, especially in cybersecurity.  It’s believed that mentoring can address and improve job satisfaction and retention, which is how the program found its way to India and I learned about it. As an employee at McAfee for over five years, I had the opportunity to learn a lot of new things, but networking was a skillset I needed to hone. I thought this might be my chance to develop my skills, so I enrolled as a mentee.

I was partnered with “Chandramouli” also known as “Mouli” who happened to be the executive sponsor for the WISE India Chapter, as well as one of our IT leaders.

The Mentor-Mentee Relationship

My sessions with Mouli were informal conversations rather than formal sync-ups. We not only discussed the industry and women in tech—but also our personal stories, the books we read and are inspired by. We discovered a common love for badminton, so we started sharing analogies of how we would handle situations at work compared to game and life scenarios.

And the lessons learned were humbling. You win, you lose, you conquer. This thought shifted my perspective to think about how I would react if it was a badminton match. Would I accept defeat even if the opponent was on game point? Would I play differently even if I knew the match was lost? I realized I would fight and fiercely compete. This simple shift started to make me think on my toes daily.

Like many people, I had a fair idea of how I wanted my career to shape up, but with the help of a mentor, I began to steer faster toward my goal. In just one session, we were able to identify areas that were slowing down my development.

Developing My Skills

We noticed that networking was one of my key improvement areas, so we decided to tackle this with baby steps. He assigned small but achievable tasks to me—tasks as simple as creating a LinkedIn profile and connecting with former and current co-workers.

What happened after that was truly amazing. People from all walks of life in the industry, from my school, college, and more, started connecting with me, and it was then when I realized I had made an impression. Now I find it easier to initiate conversations, knowing that people are ready to help and talk about things we mutually love. As small as these strides might be, they helped me not just move ahead, but also provided me with measurable momentum.

Being able to discuss and question the status quo and engage with someone who is more experienced, knows the art of the game, and is a fierce champion for WISE is something I look forward to every month. Thanks to McAfee for giving each one of us this opportunity to help further our careers and to help us dream big.

Interested in joining our team? We’re hiring! Apply now.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

The post How McAfee’s Mentorship Program Helped Me Shine in My Career Journey appeared first on McAfee Blogs.

Attention Graphic Designers: It’s Time to Secure Your Canva Credentials

Online graphic design tools are extremely useful when it comes to creating resumes, social media graphics, invitations, and other designs and documents. Unfortunately, these platforms aren’t immune to malicious online activity. Canva, a popular Australian web design service, was recently breached by a malicious hacker, resulting in 139 million user records compromised.

So, how was this breach discovered? The hacker, who goes by the name GnosticPlayers, contacted a security reporter from ZDNet on May 24th and made him aware of the situation. The hacker claims to have stolen data pertaining to 1 billion users from multiple websites. The compromised data from Canva includes names, usernames, email addresses, city, and country information.

Canva states that it stores all user passwords using the Bcrypt algorithm. Bcrypt is a deliberately slow password-hashing algorithm, designed so that each guess costs an attacker significant time, and because hashing is one-way, the original password cannot be recovered from the stored hash. Additionally, each Canva password was salted, meaning random data was added to each password before hashing, so users who chose the same password do not end up with the same hash. According to ZDNet, the stolen data included Bcrypt-hashed passwords for 61 million users, and 78 million of the affected accounts were registered with Gmail addresses.

Canva has notified users of the breach through email and has said that payment card and other financial data are safe. Even if you aren’t a Canva user, it’s important to know what precautions to take in the event of a data breach. Check out the following tips:

  • Change your passwords. As an added precaution, Canva is encouraging their community of users to change their email and Canva account passwords. If a cybercriminal got a hold of the exposed data, they could gain access to your other accounts if your login credentials were the same across different platforms.
  • Check to see if you’ve been affected. If you’ve used Canva and believe your data might have been exposed, use this tool to check or set an alert to be notified of other potential data breaches.
  • Secure your personal data. Use a security solution like McAfee Identity Theft Protection. If your information is compromised during a breach, Identity Theft Protection helps monitor and keep tabs on your data in case a cybercriminal attempts to use it.
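An added example, not Canva’s code, of the two properties the article credits Bcrypt with: a random per-user salt and a deliberately slow, one-way hash. It is written in POSIX shell and uses sha512-crypt through the `openssl` command line as a stand-in for Bcrypt, since `openssl passwd` does not offer Bcrypt; the salt handling and verification flow have the same shape. It assumes `openssl` is installed, and the function names and sample passwords are made up for the illustration.

```sh
#!/bin/sh
# Added example, not Canva's code. sha512-crypt via openssl stands in for
# bcrypt; the openssl dependency, function names and passwords are assumptions.

# 16 hex characters of random salt, the most sha512-crypt accepts.
new_salt() {
    openssl rand -hex 8
}

# Salted, iterated hash. The password goes in on stdin rather than argv so
# it does not show up in `ps`. Output has the form $6$<salt>$<hash>.
hash_password() {
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# Verification: pull the salt out of the stored string (third '$'-separated
# field), re-hash the candidate with it and compare. Nothing is decrypted;
# the hash is one-way, which is exactly why it is safe to store.
verify_password() {
    salt=$(printf '%s' "$2" | cut -d '$' -f 3)
    [ "$(hash_password "$1" "$salt")" = "$2" ]
}

# For contrast: an unsalted, fast hash. Identical passwords give identical
# hashes, so one cracked value exposes every user who chose it, and a
# precomputed table works against all of them at once.
unsalted_hash() {
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}
```

Two users who both pick the same password end up with different stored strings, so an attacker who cracks one learns nothing about the other and cannot reuse a precomputed table, while verification simply re-hashes the candidate with the stored salt. In production, use a proper password-hashing library (Bcrypt or similar) with a tuned cost factor; sha512-crypt at its default round count is only a demonstration.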

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Attention Graphic Designers: It’s Time to Secure Your Canva Credentials appeared first on McAfee Blogs.

Know Your Limitations

At the end of the 1973 Clint Eastwood movie Magnum Force, after Dirty Harry watches his corrupt police captain explode in a car, he says "a man's got to know his limitations."

I thought of this quote today as the debate rages about compromising municipalities and other information technology-constrained yet personal information-rich organizations.

Several years ago I wrote If You Can't Protect It, Don't Collect It. I argued that if you are unable to defend personal information, then you should not gather and store it.

In a similar spirit, here I argue that if you are unable to securely operate information technology that matters, then you should not be supporting that IT.

You should outsource it to a trustworthy cloud provider, and concentrate on managing secure access to those services.

If you cannot outsource it, and you remain incapable of defending it natively, then you should integrate a capable managed security provider.

It's clear to me that a large portion of those running PI-processing IT are simply not capable of doing so in a secure manner, and they do not bear the full cost of PI breaches.

They have too many assets, with too many vulnerabilities, and are targeted by too many threat actors.

These organizations lack sufficient people, processes, and technologies to mitigate the risk.

They have successes, but they are generally due to the heroics of individual IT and security professionals, who often feel out-gunned by their adversaries.

If you can't patch a two-year-old vulnerability prior to exploitation, or detect an intrusion and respond to the adversary before he completes his mission, then you are demonstrating that you need to change your entire approach to information technology.

The security industry seems to think that throwing more people at the problem is the answer, yet year after year we read about several million job openings that remain unfilled. This is a sign that we need to change the way we are doing business. The fact is that those organizations that cannot defend themselves need to recognize their limitations and change their game.

I recognize that outsourcing is not a panacea. Note that I emphasized "IT" in my recommendation. I do not see how one could outsource the critical technology running on-premise in the industrial control system (ICS) world, for example. Those operations may need to rely more on outsourced security providers, if they cannot sufficiently detect and respond to intrusions using in-house capabilities.

Remember that the vast majority of organizations do not exist to run IT. They run IT to support their lines of business. Many older organizations have indeed been migrating legacy applications to the cloud, and most new organizations are cloud-native. These are hopeful signs, as the older organizations could potentially  "age-out" over time.

This puts a burden on the cloud providers, who fall into the "managed service provider" category that I wrote about in my recent Corelight blog. However, the more trustworthy providers have the people, processes, and technology in place to handle their responsibilities in a more secure way than many organizations who are struggling with on-premise legacy IT.

Everyone's got to know their limitations.

4 Reasons Your Organization Needs a Data Loss Prevention Strategy

When deciding how to go about protecting your company’s sensitive data, there are plenty of different solutions to choose from, such as endpoint controls, file system controls, or even network traffic inspection. However, the technology is only as effective as the people and processes in charge of configuring, managing, and monitoring it.  That’s why it’s important that technology is not your only method of protecting your data, but instead a way to complement a strategy consisting of internal policies, procedures, and operations. This approach is called Data Loss Prevention (DLP), and should be implemented by every organization, regardless of size.

Why exactly should you consider a DLP strategy? Here are four of the main reasons:

1. You have sensitive information.

You have data; every company does. That data is important to your business, your customers, and you. We frequently hear about companies experiencing a data breach and only finding out months, or even years, later that there was a breach. Take Marriott International, for example. Marriott acquired the Starwood hotel chain in 2016. What Starwood and Marriott didn’t know at the time was that Starwood had been breached in 2014, and the attacker remained in the system after Marriott and Starwood merged their systems.

It wasn’t until 2018, four years after the initial intrusion, that the breach was discovered. Had Marriott implemented an effective DLP strategy, they could have detected and ended the intrusion sooner through a number of different preventive or investigative procedures.

Your data is sensitive to your business’ success and should only be handled by people that you trust: you and your employees (on a least-privilege basis).

2.  Human error.

Employees can unintentionally leave sensitive data vulnerable. Whether that means they leave file systems vulnerable to unauthorized access, forget to flag an email as sensitive that contains Personally Identifiable Information (PII), or hand their coworker removable media with a list full of Social Security Numbers used for background checks, it should go without saying that humans can make mistakes.

That’s where a thorough DLP strategy can help: if a DLP solution is configured and monitoring your environment according to your policies, you can set enforced rules that prevent these mistakes and generate accurate reports and alerts. Combine this with employee security training, and you have a chance to stop the damage to your business before it happens.
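A concrete instance of such an enforced rule, as an added example that is not part of the GRA Quantum post: a small content-inspection check that finds plausible US Social Security Numbers in an outbound e-mail and then blocks, alerts or allows depending on where the message is going. The e-mail body, the internal domain `example.com` and the three policy outcomes are constructed for this illustration; real DLP products pair this kind of pattern matching with context (document fingerprints, classification labels, sender role) to keep false positives down.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Candidate US SSN in the common NNN-NN-NNNN form. Validity rules are applied
# afterwards: area 001-899 except 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues; this removes most test data and dates."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass(frozen=True)
class Finding:
    kind: str
    offset: int
    redacted: str   # what goes into the alert; never the full value


def scan_ssn(text: str) -> list[Finding]:
    """Return one Finding per plausible SSN, with the value redacted for logging."""
    return [
        Finding("ssn", m.start(), f"***-**-{m.group(3)}")
        for m in SSN_RE.finditer(text)
        if is_plausible_ssn(*m.groups())
    ]


def policy_decision(findings: list[Finding], recipients: list[str]) -> str:
    """Enforced rule: SSNs may not leave the internal domain at all; internal
    transfers are allowed but raise an alert so the security team can review them."""
    if not findings:
        return "allow"
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in recipients}
    if domains - {INTERNAL_DOMAIN}:
        return "block"
    return "alert"


# Constructed sample message: two real-looking SSNs, one impossible one (area 000)
# and an order reference that looks similar but has the wrong shape.
SAMPLE_BODY = """Hi Sam,
Background checks for the new hires: 123-45-6789 and 219-09-9999.
Ignore the placeholder 000-12-3456 from the template.
Order ref 12-345-6789 is unrelated.
"""

if __name__ == "__main__":
    hits = scan_ssn(SAMPLE_BODY)
    for h in hits:
        print(f"{h.kind} at offset {h.offset}: {h.redacted}")
    print("to hr@example.com ->", policy_decision(hits, ["hr@example.com"]))
    print("to hr@example.com, me@gmail.com ->",
          policy_decision(hits, ["hr@example.com", "me@gmail.com"]))
```

The redaction matters as much as the match: an alert that copies the full SSN into a SIEM or a ticketing system has just created a second copy of the data the rule exists to protect.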

If you lack the resources to set up those configurations, reports, and alerts, you can hire a Managed Security Service Provider (MSSP) to take care of those for you.

3. Malicious Insider threats.

Consider the following scenario:

You hire an individual and they have been performing expertly. They seem to enjoy the job and they haven’t requested a raise in years. Little did you know that when you hired them, they immediately started stealing and selling your data to the highest bidder. This is an extreme scenario, but it does happen. There are organizations and nation-states that will pay top dollar for your sensitive data, and they will gladly target your employees to do it.

Implementing a DLP strategy that includes thorough scenario training can discourage your employees from being persuaded into selling your data, as well as help catch those who do it. With properly trained employees and an effective chain of command, insiders can be reported by their peers at every possible point and be stopped before serious damage is done to your business’ reputation and resulting profits.

4. This is the 21st century of interconnectivity.

We’re connected to everything these days; it’s human nature to crave popularity, which has caused an obsession over online presence that doesn’t always take into account protecting sensitive data. When there are so many easy ways to send, receive, and view different types of communications from so many devices, it’s easy to blur the line of what belongs on which devices.

We’ve already pointed out that humans make mistakes; why not use a well thought-out DLP strategy and implemented technology to keep an eye on your critical data and tell you when your employees do make those mistakes?  Whether you implement your own monitoring team or contract with an MSSP, a DLP solution will solidify those previously blurred lines of where that data does and doesn’t belong.

In summary, you need a DLP strategy because you have sensitive data, you employ humans who can or might want to sell your data, and even the best policies and procedures can’t stop someone from unknowingly exposing your company’s data. A Data Loss Prevention Strategy written with supporting technologies in mind can mitigate those risks.

Learn more about how Managed Security Services can help keep your data secure.

The post 4 Reasons Your Organization Needs a Data Loss Prevention Strategy appeared first on GRA Quantum.

The Price of Loyalty, almost half of UK Office Workers are willing to sell Company’s Information

A new report released by Deep Secure revealed 45% of office workers surveyed would sell their company's corporate information. Just £1,000 would be enough to tempt 25% of employees to give away company information, while 5% would give it away for free.

59% of staff admitted to having taken company information from a corporate network or device at some point, which matches up with known industry trends.

Common Staff Data Exfiltration Tactics
  • Digital; email, uploading to cloud services and copying to external storage (11%)
  • Using steganography or encryption tools to hide exfiltration (8%)
  • Printing information (11%)
  • Handwriting copying information (9%)
  • Photographing information (8%)
Type of Information Taken
  • Personal Work (19%)
  • Customer Information i.e. contact details, confidential market information, sales pipeline  (11%)
  • Company Assets i.e. passwords to subscription services, company benefits (7%)
The Motivation for staff taking Information?
  • Value for their future career success in their next role (12%)
  • To keep a record of their work (12%)
  • Benefit their career (10%)
  • Financial, specifically paid to do so by an outside third party (8.5%)
The Insider Threat and DLP
Often businesses have their heads in the sand when it comes to managing their insider threat, although some do turn to sophisticated IT Data Loss Prevention (DLP) solutions as a silver bullet for managing this risk. However, DLP solutions would be ineffective against the final four bulleted 'Staff Data Exfiltration' methods listed above. In particular, the use of cyber tools to steal company information digitally has been democratised by the availability of toolkits on the dark web. For example, steganography toolkits, which encode information into an image or text, can be downloaded for free and give a route out of the company network that content-inspecting DLP is unlikely to detect.

Deep Secure CEO Dan Turner concluded “The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company and clients’ most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches. And it appears to be growing, with the 2018 Verizon DBIR showing that insiders were complicit in 28% of breaches in 2017, up from 25% in 2016. Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he continued. 

The Cost of Staff Data Thefts
The theft of corporate information can hurt business competitiveness and future profit margins, and there are significant financial losses which could be incurred should staff take personal data en masse. UK supermarket giant Morrisons lost a landmark data breach court case in December 2017, and took a financial hit, after a disgruntled employee stole and posted the personal records of around 100,000 co-workers online; the UK High Court held the supermarket chain liable for the data breach. With the GDPR having come into force just over a year ago, the Information Commissioner's Office is now empowered to fine British businesses millions of pounds for mass personal data losses. The Morrisons case demonstrates that UK companies will be brought to book for malicious data thefts by their staff.

Developer Dilemma: Where Does the Security Knowledge Gap Come From, and How Do We Fix It?

Best ways to help developers code more securely

When a security-related defect is found in code, it’s easy for security teams to jump to conclusions and place the blame on the developers. However, security teams need to change their approach to this issue and start understanding why there is a gap in developers’ security knowledge. Furthermore, how can we overcome that hurdle and provide our developers the tools they need to produce secure software from the start of the coding process?

Recently, Forrester’s Amy DeMartine and Trevor Lyness put together a report, “Show, Don’t Tell, Your Developers How To Write Secure Code,” to demonstrate how to use application security testing to educate developers.

Where Does the Knowledge Gap Come From?

There are a few reasons why developers have a lack of security knowledge; one significant reason is the fact that developers aren’t taught application security in school. Forrester looked at the top 40 computer science programs and found that “none of the top ranked computer science programs in the United States require a class about secure coding or secure application design.” Furthermore, general cybersecurity is offered as an option – rather than as a priority – in many schools. Only one school out of the top 40 requires a general cybersecurity course to obtain a degree in computer science.

Not only is there a lack of formal cybersecurity education, but there’s also a general unawareness about application security trends, for instance, using insecure open source components. There’s no doubt about it – open source code is a huge time-saver for developers, after all, we live in a world where time is money. Rapidly releasing software can be a huge competitive advantage for businesses across multiple industries, and open source components save a large amount of time for coders. Unfortunately, many developers don’t realise that open source components, like any other code, carry known vulnerabilities, and shipping an outdated component can expose the entire organization to risk. That’s where security professionals come in: they need to be working with developers to ensure they have the knowledge and resources they need to code securely.

When you consider the widespread lack of formal cybersecurity education, paired with a general unfamiliarity of application security trends, it’s no wonder that many development teams are flying blind when it comes to software security.

How Can We Help Developers?

Forrester puts it best when they say, “With the right practices and technology in place, you can encourage and enforce secure coding practices and developer accountability without sacrificing speed or quality.” Many application security solutions today educate developers on the job. Forrester emphasizes the importance of choosing a tool with brief training modules that integrate directly into the testing tools the developers already use.

Another important tool to equip your developers with is a software composition analysis (SCA) tool. Developers aren’t going to stop using open source components any time soon, and it’s crucial that they’re staying on top of all of the most recent open source vulnerabilities that have been discovered. If they happen to be using an insecure component from a vulnerable library, it could mean bad news for your organization if a cyberattacker attempts to exploit it. Veracode Software Composition Analysis alerts your developers of all of the new vulnerabilities that hit the news, and tells them if they’re using the vulnerable component so that they can go in and remediate the vulnerability as soon as possible.
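The core of what an SCA tool does, shown as an added example that is not Veracode's code and not part of the Forrester report: read the project's dependency manifest, compare each pinned version against a feed of advisories that carry affected version ranges, and report the fixed version to move to. The manifest, the package names (`examplelib`, `othertool`, `safething`, `notinstalled`) and the advisory identifiers (`ADV-2019-0001` and so on) are all constructed for this illustration; a real tool pulls its feed from a vulnerability database and has to cope with non-numeric version schemes and transitive dependencies.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted versions only; 1.4.2 < 1.10.0 because parts compare as integers."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str) -> dict[str, str]:
    """Read a requirements.txt-style manifest containing exact '==' pins."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)", line)
        if not m:
            raise ValueError(f"unsupported requirement (exact pins only): {raw!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected when introduced <= pinned < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(pins: dict[str, str], advisories: list[Advisory]) -> list[dict[str, str]]:
    """Return one report row per (pinned package, matching advisory)."""
    rows = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            rows.append({"package": adv.package, "pinned": pinned,
                         "advisory": adv.advisory_id, "upgrade_to": adv.fixed})
    return rows


# Constructed manifest and advisory feed: every package name and ID here is invented.
MANIFEST = """
examplelib==1.4.1      # one patch release behind the fix
othertool == 2.0.3
safething==0.9.0       # no advisories
"""

ADVISORIES = [
    Advisory("ADV-2019-0001", "examplelib", introduced="1.0.0", fixed="1.4.2"),
    Advisory("ADV-2019-0002", "othertool", introduced="2.0.0", fixed="2.0.3"),   # already on the fix
    Advisory("ADV-2019-0003", "notinstalled", introduced="0.0.1", fixed="0.0.2"),
]

if __name__ == "__main__":
    for row in audit(parse_requirements(MANIFEST), ADVISORIES):
        print(f"{row['package']}=={row['pinned']} hit by {row['advisory']}; "
              f"upgrade to {row['upgrade_to']}")
```

Run as a build step, a non-empty report fails the pipeline, which is what turns "the news says this library is vulnerable" into a concrete task for the developer who owns the pin.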

Beyond tools, organizations can adopt practices like red team exercises to put their developers in the role of an attacker. Learning about hacking techniques will help change their mindsets to think about how an attacker might try to penetrate their code, and they’ll keep that in mind as they design applications down the road. Assigning developer security champions puts a security advocate on your product team, without having to convince all of your developers individually to devote themselves to security. A security champion can act as a liaison between your security team and developers, and they can help convey security priorities to their colleagues.

Developers are one of your first lines of defense against a potential cyberattack, and with applications being among the most frequent attack vectors for companies, getting your development teams to start coding securely should be priority number one. Developers may be responsible for application security, but security professionals need to actively work with them and make sure they have the tools they need to execute the task. Check out Forrester’s April 2019 report, “Show, Don’t Tell, Your Developers How To Write Secure Code,” and get on the path towards creating more secure code.


UK Pub Chain ‘Greene King’ Gift Card Website Hacked

Major UK pub chain, Greene King (Bury St. Edmunds), had its gift card website (https://www.gkgiftcards.co.uk) compromised by hackers. The personal data breach was discovered on 14th May 2019 and confirmed a day later. The pub, restaurant and hotel chain informed their impacted customers by email today (28th May 2019).


Greene King said the hackers were able to access:
  • name
  • email address
  • user ID
  • encrypted password
  • address
  • post code
The pub chain did not disclose any further details on how passwords were "encrypted", saying only, within their customer disclosure email, "Whilst your password was encrypted, it may still be compromised". It is long established good practice for a web application to store passwords using a slow, one-way, per-user salted password hashing function (bcrypt, scrypt, Argon2 or PBKDF2) rather than in a reversible encrypted form: an attacker who takes the database together with the decryption key recovers every password at once, whereas salted hashes have to be cracked one at a time.
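What that practice looks like in code, as an added example that is not Greene King's code and says nothing about how their site actually stored passwords: each password gets a fresh random salt and is run through a deliberately slow one-way function, so a stolen table yields no passwords directly and two users with the same password get different records. PBKDF2-HMAC-SHA256 is used here because it ships in Python's standard library; bcrypt, scrypt or Argon2 would do equally well. The record layout `pbkdf2_sha256$iterations$salt$digest` and the iteration count are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000       # current cost; raise it over time and rehash on login
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = os.urandom(SALT_BYTES)                      # fresh per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations_s, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations_s)
    except (ValueError, TypeError):
        return False                                   # malformed record: never a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored cost is below current policy; rehash after a successful login."""
    try:
        algorithm, iterations_s, _, _ = record.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(iterations_s) < ITERATIONS


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", stored))
    # Same password, different record: the salt defeats precomputed tables and
    # stops two accounts with the same password from being linked in a dump.
    print("same password twice equal?",
          hash_password("hunter2") == hash_password("hunter2"))
```

Storing the algorithm and cost inside each record is what lets a site raise the iteration count later without forcing a password reset: verify with the old parameters, then call `needs_rehash` and write a fresh record on the next successful login.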

No details were provided on how the hackers were able to compromise the gift card website, but there is a clue within Greene King's email statement which suggests their website had security vulnerabilities that were fixable: "we have taken action to prevent any further loss of personal information".

The number of customer records impacted by this data breach has also not been disclosed. However, as this was a breach of personal information, Greene King was obligated under the DPA/GDPR to report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as well as to notify its impacted customers. Both Greene King and the ICO are yet to release a press statement about this data breach.

This is not the first data breach reported by Greene King in recent times, in November 2016 2,000 staff bank details were accidentally leaked.

Greene King Personal Data Compromise Email to Customers
Dear Customer,
I am writing to inform you about a cyber-security breach affecting our website gkgiftcards.co.uk.

Suspicious activity was discovered on 14th May and a security breach was confirmed on 15th May. No bank details or payment information were accessed. However, the information you provided to us as part of your gift card registration was accessed. Specifically, the hackers were able to access your name, email address, user ID, encrypted password, address, post code and gift card order number. Whilst your password was encrypted, it may still be compromised. It is very important that you change your password on our website, and also any other websites where this password has been used.

When you next visit our website, using the following link (https://www.gkgiftcards.co.uk/user) you will be prompted to change your password. As a consequence of this incident, you may receive emails or telephone calls from people who have obtained your personal information illegally and who are attempting to obtain more personal information from you, especially financial information.

This type of fraud is known as 'phishing'. If you receive any suspicious emails, don't reply. Get in touch with the organisation claiming to have contacted you immediately, to check this claim. Do not reply to or click any links within a suspicious email and do not dial a suspicious telephone number given to you by someone who called you. Only use publicly listed contact details, such as those published on an organisation's website or in a public telephone directory, to contact the organisation to check this claim. At this stage of our investigation, we have no evidence to suggest anyone affected by this incident has been a victim of fraud but we are continuing to monitor the situation. We have reported the matter to the Information Commissioner's Office (ICO).

As soon as we were made aware of the incident, our immediate priority was to close down any exposure, which has been done, and then confirm which customer accounts have been affected. I recognise that this is not the sort of message you want to receive from an organisation which you have provided your personal information to. I want to apologise for what has happened, and reassure you that we have taken action to prevent any further loss of personal information, and to limit any harm which might otherwise occur as a result of this incident.

Phil Thomas
Chief Commercial Officer of Greene King Plc.

Advice
  • Change your Greene King account password immediately, use a unique and strong password.
  • Ensure you have not used the same Greene King credentials (i.e. your email address with the same password) on any other website or app, especially with your email account, and with banking websites and apps. Consider using a password manager to assist you in creating and using unique strong passwords with every website and application you use.
  • Always use Multi-factor Authentication (MFA) when offered. MFA provides an additional level of account protection, which protects your account from unauthorised access should your password become compromised.
  • Check https://haveibeenpwned.com/ to see if your email and password combination is known to have been compromised in a past data breach.
  • Stay alert for customised messages from scammers, who may use your stolen personal information to attempt to con you, by email (phishing), letter and phone (voice & text). Sometimes criminals will pretend to represent the company breached, or another reputable organisation, using your stolen personal account information to convince you they are legit.
  • Never click on links, open attachments or reply to any suspicious emails. Remember criminals can fake (spoof) their 'sender' email address and email content to replicate a legitimate email.

Are Your Employees Using Your Data in the Shadows?

You have superstar employees who run your business like it’s their own. They use new apps to collaborate with coworkers, vendors, and customers to get work done when it needs to get done. They’re moving your business closer and closer to the cloud. Sounds fantastic! Let them do their thing! But what information is being shared? What apps are they using? Are they secure? Are partners or customers receiving sensitive data that’s not encrypted? Here are a few things to keep in mind as your business accelerates to the cloud.

Businesses Are Adopting Cloud Services Faster Than They Are Being Secured

Employees seeking new cloud services can help you transform the way business is done and improve engagement with customers, partners, and other employees. Many employees are early adopters who are trying new apps to do their jobs in the most efficient way possible. But before you know it, your IT department could become overwhelmed with cloud adoption. This means your organization will inevitably deal with shadow IT as your employees begin using unsanctioned cloud services.

Data Could Be Leaked, Leading to Financial, Reputational, IP, and Compliance Exposure

Do you know what your employees are doing with your business’s data? This is where shadow IT becomes a factor. Not all security controls used today were built with the cloud in mind, especially when it comes to BYOD and IoT. On-premises security products alone can’t provide effective visibility and protection in a hybrid IT world. In a recent McAfee survey, we found that the average organization thinks they use 30 cloud services, but in reality they use 1,935. This disparity is shadow IT—and it’s expanding your attack surface. This leaves your company more exposed to cyberthreats through the use of potentially high-risk cloud services without complete IT visibility or control. Don’t let the risk of shadow IT disrupt your business. Visibility into your organization’s cloud adoption and the devices that connect to these services is a critical step for mitigating the risk of data breaches, non-compliance, and loss of reputation due to shadow IT.

Move at the Speed of Business Without Compromising Security

The future of your company depends on growth and flexibility. Don’t pause on innovation and progress. Let your employees use the devices and apps they have and gain peace of mind knowing that your valuable information is secure. You can place security’s architectural control points at the places where employees work—from device to cloud and in between. You can allow restricted usage of services through application control and still prevent data exfiltration. A cloud access security broker (CASB) can help detect and block instances of sensitive data being uploaded to these shadow IT services.

You can accelerate your transformation to the cloud with IT security as a business enabler. Use security operations—with threat intelligence, management, analytics, automation, and orchestration— as the glue to identify the most advanced threats and crossover attacks. A CASB can be integrated seamlessly into IaaS, PaaS, and SaaS environments to secure cloud services as they are being adopted. Let your employees shine and take your business to the next level backed by an IT department tooled with industry-leading visibility and control provided by our CASB solution, McAfee MVISION Cloud.

Watch our video to understand how using McAfee can enable you to accelerate your business, reducing the risk of transformative technologies like the cloud and all the devices employees use to access data.

The post Are Your Employees Using Your Data in the Shadows? appeared first on McAfee Blogs.

Are Your Kids Part of the TikTok App Craze? Here’s What Parents Need to Know

What phone app has over 150 million active users and more than 14 million uploads every day? You might guess Facebook, Instagram, or Snapchat, but you’d be wrong. Meet TikTok — a video app kids are flocking to that is tons of fun but also carries risk.

What Is It?

TikTok is a free social media app that allows users to create and share short 15-second videos set to favorite music. If your child was a fan of Musical.ly, then he or she is probably active on TikTok since Musical.ly shut down last year and moved all of its users to TikTok. Kids love the app because it’s got all the social perks — music, filters, stickers — and the ability to amass likes and shares (yes, becoming TikTok-famous is an aspiration for some).

The Upside

There are a lot of positive things about this app. It’s filling the void of the sorely missed Vine app in that it’s a fun hub for video creation and peer connection. Spending time on TikTok will make you laugh out loud, sing, and admire the degree of creativity so many young users put into their videos. You will see everything from heartfelt, brave monologues, to incredible athletic stunts, to hilarious, random moments in the lives of teens. It’s serious fun.

Another big positive is the app appears to take Digital Wellbeing (in-app tools that help users manage their screen time), privacy, and online safety seriously. Its resources tab is rich with tips for both parents and kids.

The (Potential) Downside

As with any other social app, TikTok carries inherent risks, as reported by several news sources, including ABC.

For instance, anyone can view your child’s videos, send a direct message, and access their location information. And, while TikTok requires that users are at least 13 years old to use the app and anyone under 18 must have parent’s approval, if you browse the app, you’ll quickly find that plenty of preteens are using it. A predator could easily create a fake account or many accounts to strike up conversations with minors.

Another danger zone is inappropriate content. While a lot of TikTok content is fun and harmless, there’s a fair share of the music that includes explicit language and users posting content that should not be viewed by a young audience.

And, wherever there’s a public forum, there’s a risk of cyberbullying. When a TikTok user posts a video, that content instantly becomes open for public comment or criticism and dialogue can get mean.

Talking Points for Families

Most social media apps have an inherent risk factor because the world wide web is just that — much of the planet’s population in the palm of your child’s hand. Different age groups and kids will use apps differently. So, when it comes to apps, it’s a good idea to monitor how your child uses each app and tailor conversations from there.

  • Download the app. If your child uses TikTok, it’s a good idea to download the app too. Look around inside the community. Analyze the content and the culture. Are the accounts your child follows age appropriate? Are the comments and conversations positive? Does your child know his or her followers? Is your child posting appropriately?
  • Talk about the risks. Spend time with your child and watch how he or she uses TikTok. Let them teach you why they love it. Encourage creativity and fun, but don’t hesitate to point out danger zones and how your child can avoid them.
  • Monitor direct messages. This may seem invasive, but a lot of the safety threats to your child take place behind the curtain of the public feed in direct messages. Depending on the age of your child (and the established digital ground rules of your family) consider requiring access to his or her account.
  • Adjust settings. Make sure to click account settings to ‘private’ so only people your child knows can access his or her content and send direct messages. Also, turn off location services and consider getting comprehensive security software for all family devices.

Apps are where the fun is for kids so you can bet your child will at least check out buzz-worthy platforms like TikTok. They may browse, or they may become content creators. Your best social monitoring tool is to keep an open dialogue with your child. Keep talking with your kids about what’s going on in their digital life — where they hang out, who their friends are, and what’s new.  You may get some resistance but don’t let that stop you from doing all you can to keep your family safe online.

The post Are Your Kids Part of the TikTok App Craze? Here’s What Parents Need to Know appeared first on McAfee Blogs.

The GDPR – One Year Later

A couple of weeks ago, one famous lawyer blogged about an issue frequently discussed these days: the GDPR, one year later.

“The sky has not fallen. The Internet has not stopped working. The multi-million-euro fines have not happened (yet). It was always going to be this way. A year has gone by since the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) became effective and the digital economy is still going and growing. The effect of the GDPR has been noticeable, but in a subtle sort of way. However, it would be hugely mistaken to think that the GDPR was just a fad or a failed attempt at helping privacy and data protection survive the 21st century. The true effect of the GDPR has yet to be felt as the work to overcome its regulatory challenges has barely begun.”[1]

It’s true that since that publication, the CNIL issued a €50 million fine against Google,[2] mainly for lacking a clear and transparent privacy notice. But even that amount looks small next to the new antitrust fine of €1.5 billion that the European Commission imposed on Google in March 2019, two months after the CNIL decision.

So, would we say that despite the sleepless nights making sure our companies were ready to comply with privacy, privacy pros are a bit disappointed by the journey? Or what should be our reaction, as privacy pros, when people around us ask, “Is your GDPR project over now?”

Well, guess what? Just like we said last year, it’s a journey and we are just at the start of this voyage. But in a world where cloud has become the dominant way to access IT services and products, it might be useful to highlight a project to which the GDPR gave birth, the EU Cloud Code of Conduct.[3]

Of course, cloud existed prior to the GDPR and many regulators around the world had given guidance well before the GDPR on how to tackle the sensitivity and the risks arising from outsourcing IT services in the cloud.[4] But before the GDPR, most cloud services providers (CSPs) were inclined to attempt to force their customers (the data controllers) to “represent and warrant” that they would act in compliance with all local data laws, and that they had all necessary consents from data subjects to pass data to the CSP processors pursuant to the services. This scenario, although not sensible under EU data protection law, was often successful, as the burden of non-compliance used to lie solely with the customer as controller.

The GDPR changed that in Recital 81, making processors responsible for the role they also play in protecting personal data. Processors are no longer outside the ambit of the law since “the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing.

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.”[5]

With the GDPR, processors must implement appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure, or access.

And adherence to an approved code of conduct may provide evidence that the processor has met these obligations, which brings us back to the Cloud Code of Conduct. One year after the GDPR, the EU Cloud Code of Conduct General Assembly reached a major milestone in releasing the latest Code version that has been submitted to the supervisory authorities.

The Code describes a set of requirements that enable CSPs to demonstrate their capability to comply with GDPR and international standards such as ISO 27001 and 27018. It also proves that the GDPR has marked a strong shift in the contractual environment.

In this new contractual arena, a couple of things are worth emphasizing:

  • The intention of the EU Cloud Code of Conduct is to make it easier for cloud customers (particularly small and medium enterprises and public entities) to determine whether certain cloud services are appropriate for their designated purpose. It covers the full spectrum of cloud services (SaaS, PaaS, and IaaS), and has an independent governance structure to deal with compliance as well as an independent monitoring body, which is a requirement of GDPR.
  • Compliance with the Code does not in any way replace the binding agreement to be executed between CSPs and customers, nor does it replace the customer’s right to request audits. It introduces customer-facing versions of policies and procedures that allow customers to know how the CSP works to comply with its GDPR duties and obligations, including policies and processes around data retention, audit, sub-processing, and security.

The Code proposes interesting tools to enable CSPs to comply with the requirements of the GDPR. For instance, on audit rights, it states that:

“…the CSP may e.g. choose to implement a staggered approach or self-service mechanism or a combination thereof to provide evidence of compliance, in order to ensure that the Customer Audits are scalable towards all of its Customers whilst not jeopardizing Customer Personal Data processing with regards to security, reliability, trustworthiness, and availability.”[6]

Another issue that often arises when negotiating cloud agreements: engaging a sub-processor is permissible under the requirements of the Code, but it requires—similar to the GDPR—a prior specific or general written authorization of the customer. A general authorization in the cloud services agreement is possible subject to a prior notice to the customer. More specifically, the CSP needs to put in place a mechanism whereby the customer is notified of any changes concerning an addition or a replacement of a sub-processor before that sub-processor starts to process personal customer data.

The issues highlighted above demonstrate the shift in the contractual environment of cloud services.

Where major multinational CSPs used to offer a minimum set of contractual obligations coupled with minimum legal warranties, it is interesting to note how drastically the GDPR has changed the situation. Nowadays, the most important cloud players are happy to demonstrate their ability to enter into binding contractual commitments. The more influential you are as a cloud player, the better placed you are to comply with the stringent requirements of the GDPR.


[1] Eduardo Ustaran – The Work Ahead. https://www.linkedin.com/pulse/gdpr-work-ahead-eduardo-ustaran/

[2] https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

[3] https://eucoc.cloud/en/detail/news/press-release-ready-for-submission-eu-cloud-code-of-conduct-finalized/

[4] https://acpr.banque-france.fr/node/30049

[5] Article 40 of the GDPR

[6] Article 5.6 of the Code

The post The GDPR – One Year Later appeared first on McAfee Blogs.

McAfee Playing an Ever Growing Role in Tackling Disinformation and Ensuring Election Security

As Europe heads to the polls this weekend (May 23-26) to elect the Members of the European Parliament (“MEPs”) representing the 28 EU Member States, the threat of disinformation campaigns aimed at voters looms large in the minds of politicians. Malicious players have every reason to try to undermine trust in established politicians and push voters towards the political fringes, in an effort to destabilise European politics and weaken the EU’s clout in a tense geopolitical environment.

Disinformation campaigns are of course not a new phenomenon, and have been a feature of public life since the invention of the printing press. But the Internet and social media have given peddlers of fake news a whole new toolbox, offering bad actors unprecedented abilities to reach straight into the pockets of citizens via their mobile phones, while increasing their ability to hide their true identity.

This means that the tools to fight disinformation need to be upgraded in parallel. There is no doubt that more work is needed to tackle disinformation, but credit should also go to the efforts that are being made to protect citizens from misinformation during elections. The European Commission has engaged the main social media players in better reporting around political advertising and preventing the spread of misinformation, as a complement to the broader effort to tackle illegal content online. The EU’s foreign policy agency, the External Action Service, has also deployed a Rapid Alert System involving academics, fact-checkers, online platforms and partners around the world to help detect disinformation activities and to share information among member states about disinformation campaigns and methods, helping them stay on top of the game. The EU has also launched campaigns to make citizens more aware of disinformation and to improve their cyber hygiene, inoculating them against such threats.

But adding cybersecurity research, analysis and intelligence tradecraft to the mix is a vital element of an effective public policy strategy. And recently published research by Safeguard Cyber is a good example of how cybersecurity companies can help policymakers get to grips with disinformation.

The recent engagement with the European Commission think-tank, the EPSC, and Safeguard Cyber is a good example of how policymakers and cyber experts can work together, and we encourage more such collaboration and exchange of expertise in the months and years ahead.  McAfee Fellow and Chief Scientist Raj Samani told more than 50 senior-ranking EU officials in early May that recent disinformation campaigns are “direct, deliberate attacks on our way of life” that seek to disrupt and undermine the integrity of the election process.  And he urged policy makers that the way to address this is to use cyber intelligence and tradecraft to understand the adversary, so that our politicians can make informed decisions on how best to combat the very real threat this represents to our democracies. In practice this means close collaboration between best-in-class cybersecurity researchers, policymakers and social media players to gain a deeper understanding of the modus operandi of misinformation actors and respond more quickly.

As the spectre of disinformation is not going to go away, we need a better understanding of the actors involved, their motivations and, most importantly, the rapidly changing technical tools they use to undermine democracy. And each new insight into tackling disinformation will be put to good use in elections later this year in Denmark, Norway, Portugal, Bulgaria, Poland, Croatia and Austria.

The post McAfee Playing an Ever Growing Role in Tackling Disinformation and Ensuring Election Security appeared first on McAfee Blogs.

Game Golf Exposure Leaves Users in a Sand Trap of Data Concerns

Apps not only provide users with a form of entertainment, but they also help us become more efficient or learn new things. One such app is Game Golf, which comes as a free app, a paid pro version with coaching tools, or with a wearable analyzer. With over 50,000 downloads on Google Play, the app helps golfers track their on-course performance and use the data to help improve their game. Unfortunately, millions of golfer records from the Game Golf app were recently exposed to anyone with an internet connection, thanks to a cloud database lacking password protection.

According to researchers, this exposure consisted of millions of records, including details on 134 million rounds of golf, 4.9 million user notifications, and 19.2 million records in an activity feed folder. Additionally, the database contained profile data like usernames, hashed passwords, emails, gender, Facebook IDs, and authorization tokens. The database also contained network information for the company behind the Game Golf app, Game Your Game Inc., including IP addresses, ports, pathways, and storage information that cybercrooks could potentially exploit to further access the network. A combination of all of this data could theoretically provide cybercriminals with more information on the user, creating greater privacy concerns. Thankfully, the database was secured about two weeks after the company was initially notified of the exposure.

Although it is still unclear as to whether cybercriminals took a swing at this data, the magnitude of the information exposed by the app is cause for concern. Luckily, users can follow these tips to help safeguard their data:

  • Change your passwords. If a cybercriminal got a hold of the exposed data, they could easily gain access into other online accounts if your login credentials were the same across different platforms. Err on the side of caution and change your passwords to something strong and unique for each account.
  • Check to see if you’ve been affected. If you’ve used the Game Golf app and believe your data might have been exposed, use this tool to check or set an alert to be notified of other potential exposures.
  • Secure your online profiles. Use a security solution like McAfee Safe Connect to encrypt your online activity, help protect your privacy by hiding your IP address, and better defend against cybercriminals.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Game Golf Exposure Leaves Users in a Sand Trap of Data Concerns appeared first on McAfee Blogs.

What Will You Do If You Find That Your Kids Are Sharing Their Troubles and Pains Online?

“Am I fat?”

“I am so depressed. Please help! I have been scoring less, my parents don’t understand me… my brilliant siblings treat me with disdain… my girlfriend has broken up with me….”

“Thanks! That’s why I feel a connect with you- you really get me (no one else does!) ….”

“I am closing my Facebook account for a while. I have fallen but I promise you I will rise again, like the Phoenix and will proudly stand before you once again. For now, I am going away. Please don’t try to contact me.”

“I hate you ********!”

All the above statements are variations of real ones posted on different social media platforms by adolescents. Do spare a few moments thinking about the posts; I spent days. What are your thoughts on these? How do you feel about getting a direct look into the hearts of these innocent and confused children?

It is both saddening and worrying that kids are turning to the Internet to find solutions to their problems. But what propels them to trust strangers?

Why do adolescents overshare online?

  • Embarrassing topics: The would-be adults have many doubts about adult life that they feel shy or scared to discuss with their parents
  • Emotional outbursts: Adolescence is a time for emotional upheavals and the kids find social media the best place to voice their thoughts
  • False sense of privacy: As they are not connecting one-to-one in real life, children feel more comfortable discussing and sharing personal matters with online friends
  • No fear of recrimination: This is one reason why they may not open up to adults at home
  • Peer pressure: If most of their friends are venting on social media, your kids are likely to follow suit

Help! I am losing it!

Rule No. 1 for parents: don’t get worked up. You are not alone. Most parents go through this phase. Here are some tips to help you bond better with your tweens and teens.

  • Be patient. You are the parent, always keep that in mind and don’t lose your cool. It will help you to mark your own space and earn you your child’s trust and respect
  • Be in touch with their online lives. Be proactive and stay updated on the latest in the social media world so that you can interact with them on the same wavelength
  • Monitor screentime and keep them engaged: If your child is withdrawn in real life but spends a lot of time online, you need to know why. Set internet usage limits. Remember, boredom and low self-confidence can lead a child to look for friends online, so ensure they are productively engaged offline.
  • Help them to know their personal boundaries. They need to know and respect the limits you set on sharing
  • LISTEN, and listen well, and only then offer your suggestions
  • Keep communication channels open. Do not let a wall build up between you
  • Be in touch with your child’s friends and ensure your child has plenty of good time with them.

Tips to share with kids:

  1. Think before you lay bare your personal life online: Your blog or page isn’t your diary, for it’s not private. How would you feel if in a few years your seniors, professors or employers read this?
  2. Your online friends are strangers: Think. Do you want to share your deepest concerns or most private details with them? What if they out them? Can you handle the consequences?
  3. Share with real friends instead: Your online friends may not have any sense of loyalty towards you. Better to have one or two dependable real life ones, who you know well.
  4. Keep real identity private and maximize account security for all accounts: This is very important for your online safety. Secure your device with licensed security software and use two-factor authentication to secure accounts.
  5. Do not share passwords with anyone: Some things in life are best kept to yourself, including your passwords. Do not give remote access to your screen to online friends either.

Your parents are always there for you

This is what you need to impress upon your tweens and teens: Even though you may feel we do not understand, we do, for we were of your age once. We understand what you are going through. We may set rules that seem tough or discipline you when needed but that doesn’t mean we do not love you. We do what we think is best for you. And we are always there for you.

Before signing off, let me remind you of our cybersafety mantra that you need to repeat often at home: STOP. THINK. SHARE.

Happy parenting!

The post What Will You Do If You Find That Your Kids Are Sharing Their Troubles and Pains Online? appeared first on McAfee Blogs.

12 dark secrets of encryption

Encryption is fast becoming developers’ go-to solution for whatever data privacy or security worry ails you. Afraid of putting your credit card into a web form? Don’t worry. We’re using encryption. Unsure whether a website is authentic? Encryption has your back. The good news is, encryption algorithms do work some of the time. The math offers some protection against eavesdropping and a solid foundation for trust.

But all magic has its limits and the tricky thing with encryption is that it can be impossible to be certain where those limits are. The math can be so awe inspiring that we can only sit and stare with our mouths agape. It’s easy to get lost and just resign yourself to trusting it will all work out when the calculations are so complex.


The UK Government Huawei Dilemma and the Brexit Factor

In the last couple of days, Google announced it will be putting restrictions on Huawei’s access to its Android operating system, massively threatening Huawei's smartphone market. Meanwhile, UK based chip designer ARM has told its staff to suspend all business activities with Huawei, over fears it may impact ARM's trade within the United States. Fuelling these company actions is the United States government's decision to ban US firms from working with Huawei over cybersecurity fears.

The headlines this week further ramp up the pressure on the UK government to follow suit, by implementing a similar ban on the use of Huawei smartphones and network devices within the UK, a step beyond its initial 5G critical infrastructure ban announced last month. But is this really about a foreign nation-state security threat? Or is it more about geo-economics and international politicking?

Huawei: A Security Threat or an Economic Threat?

Huawei Backdoors

It’s no secret that Huawei was founded in 1987 by Ren Zhengfei, a former engineer in the People's Liberation Army, and the company was quickly built with the backing of major Chinese state and military contracts. But the US government, secret services and military are also known to invest heavily in Silicon Valley and US tech firms. In recent weeks there have been a number of accusations about deliberate backdoors placed within Huawei devices, implying that the use of Huawei devices could aid Chinese forces in conducting covert surveillance and in causing cyber attacks with catastrophic impact.

The reality is that all software and IT hardware will have a history of exploitable vulnerabilities, and it is pretty much impossible to determine which could be intentionally placed covert backdoors, especially as an advanced and sophisticated nation-state actor would seek to disguise any deliberately placed backdoor as an unintentional vulnerability.

For instance, the following are critical security vulnerabilities reported within tech made by US firms in just the last 9 days, with no suggestion that any of these are intentionally placed backdoors:

The more usual approach taken by nation-state intelligence and offensive cyber agencies is to invest in finding the unintentional backdoors already present in software and hardware. The discovery of new and completely unknown 'zero-day' security vulnerabilities is their primary aim. Unpublished zero-day vulnerabilities are extremely valuable, and clearly that value is lost if the agency informs the vendor about the vulnerability, as the vendor would seek to quickly mitigate it with a software patch.

For instance, the United States National Security Agency (NSA) found and exploited vulnerabilities in Windows without informing Microsoft for over five years, creating a specific hacking tool called EternalBlue, which is able to breach networks. The very same tool was leaked and used within the devastating WannaCry ransomware attack last year.

The WhatsApp vulnerability reported last week was another public example of this approach, where a private Israeli firm, NSO Group, found a serious vulnerability within WhatsApp. But instead of informing Facebook so it could be fixed, NSO created a tool to exploit the vulnerability, which it sold to various governments. The ethics of that is a debate for another day.

The Laws which allow Nation-States to Conduct Cyber Surveillance

The United States has significant surveillance powers with the "Patriot Act", the Freedom Act and, for spying internationally, FISA. China has its equivalent, publicly released surveillance powers in the "2017 National Intelligence Law". This law states that Chinese organisations are "obliged to support, cooperate with, and collaborate with national intelligence work". But just like Apple, Microsoft and Google, Huawei has categorically said it would refuse to comply with any such government requests, in a letter to UK MPs in February 2019. Huawei also confirmed that "no Chinese law obliges any company to install backdoors", a position it has had backed up by an international law firm based in London. The letter went on to say that Huawei would refuse requests by the Chinese government to plant backdoors, eavesdropping or spyware on its telecommunications equipment.

The Brexit Factor

There is a lot of geo-politicking and international economics involved in the Huawei situation, given the US government is aggressively acting to redress its Chinese trade deficit. It appears to be more than just a coincidence that the United States government is choosing now to pile pressure on its allies to ban Huawei, the world's largest telecommunications equipment manufacturer. Country-wide Huawei bans are extremely good economic news for US tech giants and exporters like Cisco, Google, and Apple, who have been rapidly losing their global market share to cheaper Huawei products in recent years.

To counter the US economic threat to its business foothold within the UK, Huawei is offering a huge carrot in the form of investing billions into UK based research centres, and a big stick in threatening to walk away from the UK market altogether. This has led to the UK government leadership being at odds with the MOD, which desires to stand shoulder-to-shoulder with the US and other NATO allies in banning Huawei devices. This tension exploded in a very public spat between Prime Minister Theresa May and the Secretary of Defence, Gavin Williamson, last month. The PM continued to defy the MOD's security warnings, and Gavin Williamson was fired for allegedly leaking classified documents about the Huawei UK national security threat, an accusation which he vehemently denies.

Why the UK Gov is stuck between a Rock and a Hard Place

The UK government continues to be stuck between a rock and a hard place, playing a balancing act of trying to keep both the United States and China happy, in a bid to score lucrative post-Brexit multi-billion-pound trade deals. This status quo leaves UK Huawei smartphone consumers, and UK businesses using Huawei network devices, caught in the middle. However, with relentless US pressure causing regular negative mainstream media headlines about the security of Huawei products, the Chinese tech giant may well be driven out of UK markets without any UK government ban.

HUAWEI NEWS AND THREAT INTELLIGENCE IN MAY 2019

Three Veracode Leaders Honored Among CRN’s 2019 Women of the Channel


CRN®, a brand of The Channel Company, has announced it has named three Veracode leaders to its prestigious 2019 Women of the Channel list. The leaders on this annual list are from all areas of the IT channel ecosystem, representing technology suppliers, distributors, solution providers, and other IT organizations. Each honoree is recognized for her contributions to channel advocacy, channel growth and visionary leadership.

This year, Leslie Bois, Vice President of Global Channel and Alliances, Lisa Quinby, Director of Global Field and Channel Marketing, and Robin Montague, Partner Account Director, were all recognized.

CRN editors choose the list from a multitude of channel leadership applicants and select the final honorees based on their professional accomplishments, demonstrated expertise, and ongoing dedication to the IT channel.

“CRN’s 2019 Women of the Channel list honors influential leaders who are accelerating channel growth through mutually-beneficial partnerships, incredible leadership, strategic vision, and unique contributions in their field,” said Bob Skelley, CEO of The Channel Company. “This accomplished group of leaders is driving channel success and we are proud to honor their achievements.”

The 2019 Women of the Channel list will be featured in the June issue of CRN Magazine and is featured online at www.CRN.com/WOTC.

Leslie Bois is responsible for all global indirect channel sales growth, and develops and executes Veracode’s global strategy to build a strong partner network that plays a significant role in the company’s go-to-market efforts. Under her leadership, Veracode’s channel pipeline has grown by three times over the past 12 months, and the company’s international business is growing rapidly in partnership with managed security service providers and partners in emerging markets in Asia, Latin America, Europe and the Middle East. Earlier this year, Bois was also recognized by CRN in its list of 2019 Channel Chiefs.

Lisa Quinby has more than 25 years of technology experience, and oversees a team of regional marketing professionals to drive marketing programs through high-touch integrated marketing to help meet sales objectives, including programs to, through and with partners. She is also responsible for the Veracode Partner Program and all related initiatives.

Robin Montague is responsible for collaborating with Veracode’s largest national partner to set and execute a joint strategy to drive incremental revenue. She enjoys mentoring people new to the channel, and is focused on training and enablement to differentiate Veracode’s partners and meet demand.

For more information on partnering with Veracode, please visit here.

3 Things You Need to Know About Summer Cybersecurity


The summer season is quickly approaching. Users will take to the skies, roads, and oceans to travel throughout the world for a fun family adventure. But just because users take time off doesn’t mean that their security should. So, with the season’s arrival, we decided to conduct a survey to better understand users’ cybersecurity needs, and to help them leave their cybersecurity woes behind while having some fun in the sun. We asked our users what they are most concerned about during the summer, so we can help them protect what really matters. Let’s see what they had to say.

Sharing the Fun

When it comes to vacations, we’re constantly taking and sharing snaps of amazing memories. What we don’t plan on sharing is the metadata embedded in each photo that can give away more than we intended. In fact, from our research we found that people are 3x more likely to be concerned about their Social Security number being hacked than their photos. Given the risk a compromised SSN poses for the potential of identity theft, it’s no surprise that respondents were more concerned about it. However, to keep the summer fun secure, it’s also important to keep travel photos private and only share securely.

Flying Safely and Securely

From a young age, we have been taught to keep our Social Security number close to the chest, and this is evident in how we protect SSNs. As a matter of fact, 88% of people would be seriously worried if their Social Security number was hacked. The best way to keep a Social Security number secure this summer – don’t share it when purchasing plane tickets or managing travel reservations. All you need to provide is a credit card and passport.

Making Smartphone Security #1  

While on the go, travelers are often keenly aware of how exposed they are physically when carrying around credit cards, passports, suitcases, gadgets and more. However, they also need to think about securing their digital life, particularly their handheld devices. To keep personal photos protected while traveling this summer season, smartphone security must be a top priority. With nearly 40% of respondents concerned about sensitive personal photos being hacked, jet setters need to be proactive about security, not reactive. In fact, we’re reminded of just how important this fact is as we enter the month of June, Internet Safety Month. Just like your laptop or router, it’s vital to protect the personal data stored within a smartphone.

In order to help you stay secure this season, let’s put your travel security knowledge to the test.


The post 3 Things You Need to Know About Summer Cybersecurity appeared first on McAfee Blogs.

One (Big) Way to Reduce Helpdesk Costs While Increasing Security


IT teams handle a great number of tasks that enable an organization to run smoothly. These include handling questions related to technical support for the company’s computer systems, software, and hardware, in addition to performing regular system updates and meeting periodic training needs. Yet research shows that helpdesks are also spending anywhere from 20-50 percent of their time dealing with password requests. Why are helpdesks so bogged down with password management tasks, and how can you free up their time while also prioritizing security?

A Never-Ending To-Do List

Password resets are costly, primarily because they are time-consuming when done manually. Every issue results in a support ticket that must be opened, filled out, and eventually closed. Then there is the act of resetting the password and confirming with the user that everything has been resolved, or if further troubleshooting is necessary. This process can take ten minutes or longer, which, at first, doesn’t seem like much. However, if you multiply that by the number of employees in a large organization, the labor time quickly begins to add up.

Additionally, since helpdesk staff know that lockouts prevent productivity, they tend to drop what they are doing and tend to the issue. Constant disruptions can prevent other tasks from getting done, or done well, simply because of the time it takes to settle back into work and remember where you were in the process.

Self-service password reset solutions like Core Password enable users to securely reset passwords themselves, freeing up helpdesk employee time and allowing them to work on other important IT needs. Additionally, these solutions not only maintain security, but can also improve it by enforcing reliable authentication and consistent, stronger password policies. Detailed audit trails also help monitor for any abnormal activity, like multiple resets.
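The audit-trail point above deserves a concrete illustration: a reset that a user performs for themselves is only an improvement over a helpdesk ticket if someone is still watching for abuse, and a burst of successful resets on one account, especially from a new source address, is exactly the kind of signal that warrants a review. The detection below is an added example written for this page; it is not Core Password's own code, and the log format it parses is a constructed assumption (one line per event: ISO timestamp, event name, `user=` and `src=` fields). It scans the trail in chronological order and flags any user who completes a configurable number of resets inside a sliding time window, reporting the source addresses involved.

```python
"""Flag bursts of self-service password resets in an audit trail.

Added example (not Core Password's code). The line format below is an
assumption made for this demonstration: one event per line, in
chronological order, shaped like
    2019-05-20T09:13:05 RESET_OK user=alice src=203.0.113.7
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines. "alice" performs three successful resets
# within a few minutes, two of them from an address she has not used before.
SAMPLE_AUDIT_LOG = """\
2019-05-20T08:01:10 RESET_OK user=alice src=10.1.4.22
2019-05-20T08:03:45 RESET_OK user=bob src=10.1.4.30
2019-05-20T09:10:02 RESET_OK user=alice src=10.1.4.22
2019-05-20T09:12:30 RESET_FAIL user=alice src=203.0.113.7
2019-05-20T09:13:05 RESET_OK user=alice src=203.0.113.7
2019-05-20T09:14:40 RESET_OK user=alice src=203.0.113.7
2019-05-20T14:00:00 RESET_OK user=carol src=10.1.5.9
2019-05-21T08:05:00 RESET_OK user=bob src=10.1.4.30
"""

WINDOW = timedelta(hours=1)   # sliding window over which resets are counted
THRESHOLD = 3                 # successful resets in WINDOW that raise an alert


def parse_line(line):
    """Split one audit line into a dict with a real datetime for the timestamp."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "user": fields["user"],
        "src": fields["src"],
    }


def find_reset_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: details} for every user with >= threshold RESET_OK
    events inside any window-long span. Only successful resets count;
    failures are left for a separate lockout rule."""
    recent = defaultdict(deque)   # per-user queue of (timestamp, src) in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] != "RESET_OK":
            continue
        q = recent[rec["user"]]
        q.append((rec["ts"], rec["src"]))
        # Drop events that have fallen out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and rec["user"] not in alerts:
            alerts[rec["user"]] = {
                "count": len(q),
                "first": q[0][0],
                "last": rec["ts"],
                "sources": sorted({src for _, src in q}),
            }
    return alerts


if __name__ == "__main__":
    for user, info in find_reset_bursts(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT {user}: {info['count']} resets between "
              f"{info['first']} and {info['last']} from {info['sources']}")
```

On the constructed log only `alice` is reported: her 08:01 reset has aged out of the one-hour window by the time the 09:10, 09:13 and 09:14 resets arrive, so the third of those is what crosses the threshold, and the report shows both the familiar internal address and the new external one. Tuning the window and threshold to the organisation's normal reset rate is what keeps this rule quiet on a busy Monday morning and loud when one account is being reset repeatedly.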

Enabling Immediacy Through Self Service

While the helpdesk team may be shouldering the burden of reset tasks, they aren’t the only ones dealing with the problems that password issues cause. Users who are locked out of critical business applications and resources are severely limited in the work they can accomplish. Having to call the helpdesk or file a ticket puts that work on hold, disrupting the day of the user and using valuable labor time of a helpdesk employee.

Additionally, these lockouts and reset needs do not always occur during regular business hours. Depending on the industry or organization, helpdesk employees may not be on-call in off hours, meaning the user remains locked out until regular business hours resume. A self-service password reset solution eliminates these problems by allowing the user to reset their own password securely, and then get back to work.

Being locked out of critical applications like email is one thing, but getting locked out of your workstation doesn’t merely reduce productivity, it grinds it to a complete halt. An effective self-service solution needs to provide a way to reset a password even when the user is locked out of the workstation and stuck at the log in screen. Core Password provides several options for solving this problem. This includes a Windows Credential Provider, telephone-based keypad authentication, voice biometric authentication, and mobile phone apps. These solutions also enable users of non-Windows-based applications, like a shop floor terminal or other devices, to take advantage of password self-service.

Calculating Savings for Helpdesk Bandwidth and Budget

Using our budget calculator will provide a high-level overview of potential savings your organization can gain from implementing a self-service password reset solution. Using your own organizational values makes the output more meaningful, allowing you to get an understanding of how your business can benefit from a solution like Core Password.  

Integrating Solutions for Holistic Identity Governance and Administration

IT teams greatly benefit from dedicating less time to constant password management, and employees no longer have to waste time waiting to get back to work. However, even more access management tasks can be streamlined, giving IT teams more time to tend to critical security issues while also ensuring employees have all the access they need to do their jobs.

Core Password is part of Access Assurance Suite, a bundle of robust Identity Governance and Administration (IGA) solutions that improves efficiency while also strengthening  security. See how your organization can benefit with a personalized demo.


Don’t Let Airbnb Scams Stop Your Summer Travel Plans

With summertime just around the corner, many people are planning vacations to enjoy some much-needed R&R or quality time with family and friends. Airbnb offers users a great alternative to a traditional hotel experience when they are looking to book their summer getaways. However, it appears that cybercriminals have used the popularity of the platform as a means to carry out their malicious schemes. Unfortunately, some Airbnb users are being scammed with fake rentals and account closures, whether they’re planning a trip or not.

While Airbnb stated that its platform was at no point compromised, a number of users have been charged for non-refundable reservations at fake destination homes and have had money taken out of their bank and PayPal accounts. Additionally, some users have had their account credentials changed without their permission, making it difficult to contact customer support about the fraudulent charges. For example, one user had three non-refundable reservations made in Ukraine on her account. Then, the reservations were canceled and her account was deleted all within a few minutes, making it impossible to reach Airbnb’s customer support. Luckily, the user was able to contact the vacation rental platform through the company’s Twitter account and receive a refund for the fraudulent charges.

Airbnb claimed that users’ accounts were accessed with correct login credentials that must have been “compromised elsewhere.” Regardless of how this scam originated, it’s important to take precautions when it comes to your online safety, so you can continue to use platforms like Airbnb to plan fun family vacations without any worries. Use these tips to help you stay secure:

  • Avoid unauthorized sites. Cybercriminals often use fake websites to trick users into giving up their login credentials or financial information. Make sure that the web address doesn’t contain any odd-looking characters or words. For example, “Airbnb-bookings.com” is an invalid web address.
  • Be wary of suspicious emails. If you receive an email asking you to click a link and enter personal data or one that contains a message that has a sense of urgency, proceed with caution. If the email isn’t from a legitimate, recognized Airbnb email address, it’s best to avoid interacting with the message altogether.
  • Be careful where you click. When proceeding with an Airbnb transaction, make sure that you stay on their secure platform throughout the entire process, including the payment. Know that the company will never ask you to wire money or pay a host directly.
  • Report issues. If you experience any suspicious listings, emails, or websites while trying to complete a booking, report this by emailing Airbnb at phishing@airbnb.com.
  • Use a security solution to surf the web safely. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links and will warn you in the event that you do accidentally click on something malicious.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Don’t Let Airbnb Scams Stop Your Summer Travel Plans appeared first on McAfee Blogs.

Cryptocurrency Laundering Service, BestMixer.io, Taken Down by Law Enforcement

A much overlooked but essential part in financially motivated (cyber)crime is making sure that the origins of criminal funds are obfuscated or made to appear legitimate, a process known as money laundering. ’Cleaning’ money in this way allows the criminal to spend their loot with less chance of being caught. In the physical world, for instance, criminals move large sums of cash into offshore accounts and create shell companies to obfuscate the origins of their funds. In the cyber underground where Bitcoin is the equivalent of cash money, it works a bit differently. As Bitcoin has an open ledger on which every transaction is recorded, it makes it a bit more challenging to obfuscate funds.

When a victim pays a criminal after being extorted with ransomware, the ransom transaction in Bitcoin and all additional transactions can then be tracked through the open ledger. This makes following the money a powerful investigative technique, but criminals have come up with an inventive method to make tracking more difficult; a mixing service.

A mixing service cuts a sum of Bitcoin into hundreds of smaller transactions, mixes them with transactions from other sources for obfuscation, and pays out the input amount, minus a fee, to a chosen output address. Mixing Bitcoin that was obtained legally is not a crime, but, other than the mathematical exercise, there is no real benefit to it.

The legality changes when a mixing service advertises itself as a successful method for evading anti-money laundering policies through anonymity. That is actively offering a money laundering service.

Bestmixer.io

Last year, advertisements for a new mixing service called Bestmixer.io appeared on several cryptocurrency-related websites.

Judging by the article, it sounded like it offered a service that could be considered money laundering or could aid tax evasion.

Bestmixer’s frontpage

Nature of the service

Bestmixer offered a very clear page on why someone should mix their cryptocurrency. On this page Bestmixer described the current anti-money laundering policies and how its service could help evade these policies by making funds anonymous and untraceable. Offering such a service is considered illegal in many countries.

Bestmixer’s explanation page, “why someone should mix bitcoins”.

A closer inspection of the Bestmixer site revealed that it was hosted in the Netherlands. McAfee ATR informed the Financial Advanced Cyber Team (FACT) of the Dutch anti-fraud agency (FIOD) of Bestmixer.io’s location. FACT is a team specialized in investigating the financial component of (cyber)crime. A yearlong international investigation led to the takedown of Bestmixer’s infrastructure today.

The post Cryptocurrency Laundering Service, BestMixer.io, Taken Down by Law Enforcement appeared first on McAfee Blogs.

Application Security Best Practices

Kudos to you if you are already implementing some level of application security; however, no matter what stage of AppSec maturity your organization is at, your program may still have room for improvement. Since 2006, we’ve been helping customers build out AppSec programs big and small, and in the process, we’ve learned a lot about what works and what doesn’t. To help you take your program to the next level, we’ve put together this guide of AppSec best practices.

The guide outlines a few areas where you can focus to make impactful improvements, including the following:

Take Advantage of Integrations

We recommend fixing vulnerabilities earlier in the SDLC by integrating with Veracode’s plugins, wrappers, and APIs. By installing available plug-ins or leveraging standard Veracode APIs and wrappers, you can establish seamless, reciprocal data exchanges between our platform and your development teams’ IDEs, build systems, bug tracking databases, and other systems. This allows you to ease the friction and silos among teams, reduce context-switch cost for developers, as well as help developers to discover and fix security findings earlier and faster, reducing cost and time.

Shift Left for Security Success 

The more you can make code secure during development, the more you can maximize velocity later by reducing the number of security flaws that developers and operations must fix at the end of the process. By shifting security left, your teams can embed security into the software development process as they create code, checking for and removing vulnerabilities before they emerge instead of after the fact. According to NIST, flaws fixed during coding can reduce costs by as much as six times compared to making the exact same fix in production.

Vary Your Application Testing Methods

A strategy that’s overly reliant on just one testing type can leave software vulnerable while providing organizations with a false sense of security. Don’t believe claims that any single type of test is better than another; each has its own strengths and weaknesses. It takes a balanced approach to properly evaluate and mitigate risks. Understand the scope and coverage of each assessment technology to round out your program.

Always Be Scanning

There’s a strong correlation between how often an organization scans and how quickly they address their vulnerabilities. When creating a scan strategy, it’s important to prioritize frequent scans of small builds over one big scan of a large build. This allows your developers to make gradual, continuous improvements to the security of your software when the code is still fresh in their minds and easier to fix. It’s important to keep in mind scanning is just one piece of the puzzle; you must fix what you find in order to have an effective AppSec program.

Never Stop Learning

AppSec is always evolving, with new solutions and new vulnerabilities popping up regularly. And with the increased speed of development, plus security shifting “left,” developers need to catch security-related defects on their own as often as possible. But, most developers have had no opportunities to learn secure coding, in school or on the job. Education and training can provide some of your greatest security ROI: According to our research, eLearning improved developer fix rates by 19 percent while remediation coaching improved fix rates by 88 percent.  

We know that AppSec isn’t a one-size-fits-all program; however, from our observations, these are some of the common best practices implemented by successful AppSec programs. For more tips on how to strengthen your AppSec program, read our Application Security Best Practices Handbook.

RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708

During Microsoft’s May Patch Tuesday cycle, a security advisory was released for a vulnerability in the Remote Desktop Protocol (RDP). What was unique in this particular patch cycle was that Microsoft produced a fix for Windows XP and several other operating systems, which have not been supported for security updates in years. So why the urgency and what made Microsoft decide that this was a high risk and critical patch?

According to the advisory, the issue discovered was serious enough that it led to Remote Code Execution and was wormable, meaning it could spread automatically on unprotected systems. The bulletin referenced the well-known network worm “WannaCry,” which was heavily exploited just a couple of months after Microsoft released MS17-010 as a patch for the related vulnerability in March 2017. McAfee Advanced Threat Research has been analyzing this latest bug to help prevent a similar scenario, and we are urging those with unpatched and affected systems to apply the patch for CVE-2019-0708 as soon as possible. It is extremely likely malicious actors have weaponized this bug, and exploitation attempts will likely be observed in the wild in the very near future.

Vulnerable Operating Systems:

  • Windows 2003
  • Windows XP
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Worms are viruses which primarily replicate on networks. A worm will typically execute itself automatically on a remote machine without any extra help from a user. If a virus’ primary attack vector is via the network, then it should be classified as a worm.

The Remote Desktop Protocol (RDP) enables a connection between a client and an endpoint, defining the data communicated between them in virtual channels. Virtual channels are bidirectional data pipes which enable the extension of RDP. Windows Server 2000 defined 32 Static Virtual Channels (SVCs) with RDP 5.1; because that channel count was limiting, Dynamic Virtual Channels (DVCs), which are carried inside a dedicated SVC, were defined later. SVCs are created at the start of a session and remain until session termination, unlike DVCs, which are created and torn down on demand.

It’s this SVC binding that the CVE-2019-0708 patch fixes within the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions in the RDP driver termdd.sys. As can be seen in figure 1, in the RDP Connection Sequence connections are initiated and channels set up prior to Security Commencement, which is what makes CVE-2019-0708 wormable: an exploit can self-propagate over the network once it discovers an open port 3389.

 

Figure 1: RDP Protocol Sequence

The vulnerability is due to the “MS_T120” SVC name being bound as a reference channel to the number 31 during the GCC Conference Initialization sequence of the RDP protocol. This channel name is used internally by Microsoft and there are no apparent legitimate use cases for a client to request connection over an SVC named “MS_T120.”

Figure 2 shows legitimate channel requests during the GCC Conference Initialization sequence with no MS_T120 channel.

Figure 2: Standard GCC Conference Initialization Sequence

However, during GCC Conference Initialization the client supplies the channel names, and the server does not whitelist them, meaning an attacker can set up another SVC named “MS_T120” on a channel other than 31. It’s the use of MS_T120 in a channel other than 31 that leads to heap memory corruption and remote code execution (RCE).

Figure 3 shows an abnormal channel request during the GCC Conference Initialization sequence with “MS_T120” channel on channel number 4.

 

Figure 3: Abnormal/Suspicious GCC Conference Initialization Sequence – MS_T120 on nonstandard channel

The components involved in the MS_T120 channel management are highlighted in figure 4. The MS_T120 reference channel is created in the rdpwsx.dll and the heap pool allocated in rdpwp.sys. The heap corruption happens in termdd.sys when the MS_T120 reference channel is processed within the context of a channel index other than 31.

Figure 4: Windows Kernel and User Components

The Microsoft patch as shown in figure 5 now adds a check for a client connection request using channel name “MS_T120” and ensures it binds to channel 31 only (1Fh) in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions within termdd.sys.

 

Figure 5: Microsoft Patch Adding Channel Binding Check

After we investigated the patch being applied for both Windows 2003 and XP and understood how the RDP protocol was parsed before and after the patch, we decided to test and create a Proof-of-Concept (PoC) that would use the vulnerability and remotely execute code on a victim’s machine to launch the calculator application, a well-known litmus test for remote code execution.

Figure 6: Screenshot of our PoC executing

For our setup, RDP was running on the machine and we confirmed we had the unpatched versions running on the test setup. The result of our exploit can be viewed in the following video:

There is a gray area to responsible disclosure. With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication. Network Level Authentication should be effective to stop this exploit if enabled; however, if an attacker has credentials, they will bypass this step.

As a patch is available, we decided not to provide earlier in-depth detail about the exploit or publicly release a proof of concept. That would, in our opinion, not be responsible and may further the interests of malicious adversaries.

Recommendations:

  • We can confirm that a patched system will stop the exploit and highly recommend patching as soon as possible.
  • Disable RDP from outside of your network and limit it internally; disable entirely if not needed. The exploit is not successful when RDP is disabled.
  • Client requests with “MS_T120” on any channel other than 31 during the GCC Conference Initialization sequence of the RDP protocol should be blocked unless there is evidence of a legitimate use case.
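The channel request described above (the client-supplied channel list in the GCC Conference Initialization, figures 2 and 3) and the detection recommendation in the last bullet can be illustrated with a small parser. The following is an added example, not code from the McAfee post: it parses a TS_UD_CS_NET (clientNetworkData) user-data block as laid out in MS-RDPBCGR (a 4-byte header with type 0xC003 and length, a 4-byte channelCount, then 12-byte CHANNEL_DEF entries of an 8-byte ANSI name plus 4-byte options) and flags any client request for the server-internal name MS_T120, reporting its position in the list. It assumes the block has already been extracted from the MCS Connect Initial PDU (the BER/PER wrapping is not handled here), and the sample blocks are constructed, not captured traffic.

```python
import struct

# Layout of the clientNetworkData (TS_UD_CS_NET) block from MS-RDPBCGR:
# header (type 0xC003, length), channelCount, then channelCount CHANNEL_DEF
# entries of 8-byte ANSI name + 4-byte options.
CS_NET_TYPE = 0xC003
CHANNEL_DEF_SIZE = 12
CHANNEL_OPTION_INITIALIZED = 0x80000000
INTERNAL_CHANNEL = "MS_T120"  # reserved for the server; a client should never request it


def parse_cs_net(block: bytes) -> list[str]:
    """Return the static virtual channel names a client requested, in the
    order they appear (the server binds them in that order)."""
    if len(block) < 8:
        raise ValueError("clientNetworkData too short")
    hdr_type, hdr_len = struct.unpack_from("<HH", block, 0)
    if hdr_type != CS_NET_TYPE:
        raise ValueError(f"unexpected user-data type 0x{hdr_type:04x}")
    if hdr_len > len(block):
        raise ValueError("declared length exceeds available data")
    (count,) = struct.unpack_from("<I", block, 4)
    if 8 + count * CHANNEL_DEF_SIZE > hdr_len:
        raise ValueError("channelCount does not fit in the block")
    names = []
    for i in range(count):
        off = 8 + i * CHANNEL_DEF_SIZE
        raw_name = block[off:off + 8]
        names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def find_ms_t120(block: bytes) -> list[int]:
    """1-based positions at which the client asked for MS_T120.  Any hit is
    suspicious: the name is server-internal, so a legitimate client has no
    reason to include it.  The case-insensitive comparison is a conservative
    choice made for this example (assumption)."""
    return [i + 1 for i, name in enumerate(parse_cs_net(block))
            if name.upper() == INTERNAL_CHANNEL]


def build_cs_net(names: list[str]) -> bytes:
    """Construct a TS_UD_CS_NET block for testing; not captured traffic."""
    defs = b"".join(n.encode("ascii").ljust(8, b"\x00")
                    + struct.pack("<I", CHANNEL_OPTION_INITIALIZED)
                    for n in names)
    return struct.pack("<HHI", CS_NET_TYPE, 8 + len(defs), len(names)) + defs


# Constructed samples mirroring figures 2 and 3: a normal request, and one
# where MS_T120 is slipped in as the fourth channel.
LEGIT_BLOCK = build_cs_net(["rdpdr", "rdpsnd", "cliprdr", "drdynvc"])
SUSPICIOUS_BLOCK = build_cs_net(["rdpdr", "rdpsnd", "cliprdr", "MS_T120", "drdynvc"])

if __name__ == "__main__":
    for label, blk in (("legit", LEGIT_BLOCK), ("suspicious", SUSPICIOUS_BLOCK)):
        print(label, parse_cs_net(blk), "MS_T120 at", find_ms_t120(blk))
```

A network sensor or RDP front-end would run `find_ms_t120` on the client's Connect Initial before the session proceeds to Security Commencement; a non-empty result is a block-and-alert condition, and the length checks in `parse_cs_net` keep a malformed channelCount from being trusted.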

 

It is important to note as well that the RDP default port can be changed in a registry value, and after a reboot RDP will be tied to the newly specified port. From a detection standpoint this is highly relevant.

Figure 7: RDP default port can be modified in the registry

Malware or administrators inside of a corporation can change this with admin rights (or with a program that bypasses UAC) and write this new port in the registry; if the system is not patched the vulnerability will still be exploitable over the unique port.

McAfee Customers:

McAfee NSP customers are protected via the following signature released on 5/21/2019:

0x47900c00 “RDP: Microsoft Remote Desktop MS_T120 Channel Bind Attempt”

If you have any questions, please contact McAfee Technical Support.

 

The post RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708 appeared first on McAfee Blogs.

“Hackable?” Puts Smartphones to the Test

Is the Personal Data on Your Smartphone Vulnerable? Listen to Find Out: Used for everything from banking and taking pictures, to navigating, streaming, and connecting, mobile devices are a treasure trove of sensitive personal data. On the latest episode of “Hackable?” the team investigates how secure that data really is by inviting a white-hat to try and remotely penetrate our host Geoff’s smartphone. Listen now on Apple Podcasts and learn if one errant click could expose everything, including your deleted photos.  

The post “Hackable?” Puts Smartphones to the Test appeared first on McAfee Blogs.

Endpoint’s Relevance in the World of Cloud

Businesses everywhere are looking to cloud solutions to help expedite processes and improve their data storage strategy. All anyone is talking about these days is the cloud, which seems to be crowding out the conversation around individual devices and their security. However, many don’t realize these endpoint devices act as gateways to the cloud, which makes their security more pressing than ever. In fact, there is a unique relationship between endpoint security and cloud security, making it crucial for businesses to understand how this dynamic affects information security overall. Let’s explore exactly how these two are intertwined and how endpoint security can move the needle when it comes to securing the cloud.

Cloudier Skies

Between public cloud, private cloud, hybrid cloud, and now multi-cloud, the cloud technology industry is massive and showing zero signs of slowing down. Adoption is rampant, with the cloud market expected to achieve a five-year compound annual growth rate (CAGR) of 22.5%, with public cloud services spending reaching $370 billion in 2022. With cloud adoption drawing so much attention from businesses, it’s as important as ever that enterprises keep security top of mind.

This need for security is only magnified by the latest trend in cloud tech – the multi-cloud strategy. With modern-day businesses having such a diverse set of needs, many have adopted either a hybrid or multi-cloud strategy in order to effectively organize and store a plethora of data – 74 percent of enterprises, as a matter of fact. This has many security vendors and personnel scrambling to adjust security architecture to meet the needs of the modern cloud strategy. And though all businesses must have an effective security plan in place that complements their cloud architecture, these security plans should always still consider how these clouds can become compromised through individual gateways, or, endpoint devices.

The Relationship Between Endpoint and Cloud

The cloud may be a virtual warehouse for your data, but every warehouse has a door or two. Endpoint devices act as doors to the cloud, as these mobile phones, computers, and more all connect to whichever cloud architecture an organization has implemented. That means that one endpoint device, if misused or mishandled, could create a vulnerable gateway to the cloud and therefore cause it to become compromised. Mind you – endpoint devices are not only gateways to the cloud, but also the last line of defense protecting an organization’s network in general.

Endpoint is not only relevant in the world of cloud – it has a direct impact on an organization’s cloud – and overall – security. A compromised endpoint can lead to an exposed cloud, which could make for major data loss. Businesses need to therefore put processes into place that outline what assets users put where and state any need-to-knows they should have top of mind when using the cloud. Additionally, it’s equally important every business ensures they make the correct investment in cloud and endpoint security solutions that perfectly complement these processes.

Ensuring Security Strategy Is Holistic

As the device-to-cloud cybersecurity company, we at McAfee understand how important the connection is between endpoint and cloud and how vital it is businesses ensure both are secured. That’s why we’ve built out a holistic security strategy, offering both cloud security solutions and advanced endpoint products that help an organization cover all its bases.

If your business follows a holistic approach to security – covering every endpoint through to every cloud – you’ll be able to prevent data exposures from happening. From there, you can have peace of mind about endpoint threats and focus on reaping the benefits of a smart cloud strategy.

To learn more about our approach to endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business, and read more in our latest paper:

 

The post Endpoint’s Relevance in the World of Cloud appeared first on McAfee Blogs.

Veracode Announces New DevOps Penetration Testing Service

DevSecOps can be challenging for many organizations when you consider all the areas of the DevOps process that require security testing. Organizations that begin to shift security “left” often find significant gaps in the security of infrastructure and operational components that are now integrated into the development process. Many of the technologies being used in DevOps are also very new to most organizations and are more recently starting to become “mainstream.” For example, we’re seeing more customers adopting microservices, utilizing cloud storage through Amazon S3, MongoDB, and Elasticsearch, deploying applications using containers, and managing those containers with newer orchestration technology like Kubernetes.

These new technologies allow faster development, but also come with the side effect of introducing a new attack surface and different types of vulnerabilities. Like any new technology, systems within a DevOps environment are often deployed insecurely and misconfigured. This makes the requirement to conduct security testing on the DevOps environment more important than ever. Moreover, what about the developers themselves from a security awareness perspective? What might they be discussing with peers on online forums, leaving in code repositories, or other areas on the Internet that may make their applications and the organization more susceptible to targeted phishing attacks, data leaks, and breaches that we hear about in the news on almost a daily basis?

What Is Veracode DevOps Penetration Testing?

Automating security testing is a key concept when building out a DevOps process and should not be overlooked. However, there is still a need for penetration testing in a DevOps environment. Penetration testing provides something that automation cannot -- the attacker’s perspective.

Building upon our strong application penetration testing service and highly skilled team, Veracode DevOps Penetration Testing provides testing above and beyond the application to include the operations and infrastructure components of applications. Technologies that can be in scope for this type of testing include, but are not limited to:

  • Containers like Docker and Kubernetes orchestration
  • Microservices and related interactions
  • CI tool environments like Hudson and Jenkins
  • Cloud infrastructure (AWS, Azure) and cloud storage databases
  • Network infrastructure related to application deployment and configuration management

The Importance of Open Source Intelligence and DevOps

Veracode DevOps Penetration Testing also provides Open Source Intelligence (OSINT) analysis as part of every DevOps Penetration Test we perform. This analysis identifies misconfigured cloud storage databases such as AWS S3 buckets, Elasticsearch, MongoDB instances, and others. If you haven’t been paying attention to the news, misconfigured cloud storage databases are some of the largest sources of data leaks and breaches we see today*. In addition, we also leverage OSINT techniques to find vulnerabilities in the infrastructure that may leave your organization and applications exposed.

As part of this process, testers will also look into the activities of the developers themselves. Our testing checks to see if developers are practicing proper security measures. For example, we will analyze GitHub repositories looking for exposed credentials, locating sensitive data related to app development, and seeing what’s being discussed about an organization’s applications within popular public developer forums like Stack Overflow.
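The repository review described above (looking for exposed credentials and sensitive data in source) is something a development team can run on itself before every push. The following is an added example, not Veracode's tooling: a small secret scanner that runs a handful of credential patterns over file contents, skips lines marked with an allowlist comment, and returns structured findings. The rule set and the sample file are constructed for this example; the AWS key shown is the placeholder value from AWS's own documentation, not a live credential, and the `# allow-secret` marker is an assumed convention.

```python
import re

# Credential shapes worth blocking at commit time (constructed rule set;
# extend with the formats of the providers your organization actually uses).
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b"
                r"\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("db_connection_url",
     re.compile(r"\b(?:postgres|mysql|mongodb)(?:\+srv)?://[^\s:@/]+:[^\s@/]+@")),
]

# Assumed convention: a reviewed false positive is marked with this comment.
ALLOWLIST_MARKER = "# allow-secret"


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """Return one finding per (line, rule) hit.  Matched content is not
    echoed back, so the report itself does not leak the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule_name, pattern in RULES:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule_name})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> contents (e.g. the staged files of a commit)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


# Constructed sample: a settings module with three real problems, one safe
# environment lookup, and one allowlisted test fixture.
SAMPLE_SETTINGS = """\
import os
DB_URL = "postgres://app:Sup3rS3cret@db.internal:5432/app"
aws_key = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = os.environ["API_TOKEN"]
PASSWORD = "correct horse battery staple"
TEST_KEY = "AKIAIOSFODNN7EXAMPLE"  # allow-secret
"""

if __name__ == "__main__":
    for f in scan_files({"settings.py": SAMPLE_SETTINGS}):
        print(f"{f['path']}:{f['line']}: {f['rule']}")
```

Wired into a pre-commit hook, a non-empty result from `scan_files` fails the commit; the environment-variable lookup on line 4 is the pattern the scanner is steering developers toward, and the allowlist comment gives reviewers a visible, auditable way to accept a known-fake value.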

DevOps and Security Compliance

Security compliance does not magically go away when organizations “shift left.” That’s why Veracode DevOps Penetration Testing can be used to meet compliance requirements for PCI DSS 11.3 as well as GDPR Article 32 in the European Union. This requirement is also important for those organizations that need to comply with GDPR outside of the EU. GDPR Article 32 covers “Security of processing,” which requires that the data controller and processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing” **. Penetration testing can help meet this new compliance requirement.

Veracode Is a Complete DevOps Testing Solution

Veracode DevOps Penetration Testing combined with Veracode’s static, dynamic, SCA, and application penetration testing provides the most comprehensive testing available for a DevOps environment in the market today. Contact your Veracode Sales or Services representative for more details on how to get started with your first Veracode DevOps Penetration Testing engagement.

Learn more about Veracode DevOps Penetration Testing here.

 

* https://www.zdnet.com/article/unsecured-server-exposes-data-for-85-percent-of-all-panama-citizens/

https://www.hipaajournal.com/misconfigured-secure-cloud-storage-services/

https://www.scmagazine.com/home/opinions/data-breaches-caused-by-misconfigured-servers/

** http://www.privacy-regulation.eu/en/article-32-security-of-processing-GDPR.htm

How to Get the Best Layered and Integrated Endpoint Protection

Security teams have historically been challenged by the choice of separate next-gen endpoint security technologies or a more integrated solution with a unified management console that can automate key capabilities. At this point it’s not really a choice at all – the threat landscape requires you to have both. The best layered and integrated defenses now include a broad portfolio of advanced prevention technologies, endpoint security controls, and advanced detection/response tools – all within an integrated system that goes beyond alerts and into insights that even a junior analyst can act on.

More Endpoints = More Vulnerabilities

Endpoints are long beyond on-premises servers, PCs, and traditional operating systems. Internet of things devices such as printers, scanners, point-of-sale handhelds, and even wearables are vulnerable and can provide entry points for organized attacks seeking access to corporate networks. Mobile devices—both BYOD and corporate issued—are among the easiest targets for app-based attacks. Per the 2019 McAfee Mobile Threat Report, the number one threat category was hidden apps, which accounted for almost one-third of all mobile attacks.

Many enterprises are unaware of their target-rich endpoint environments, resulting in security teams struggling to maintain complete vigilance. A 2018 SANS Survey on Endpoint Protection and Response revealed some sobering statistics:

  • 42% of respondents report having had their endpoints exploited
  • 84% of endpoint breaches include more than one endpoint
  • 20% didn’t know whether they’d been breached

Endpoint attacks are designed to exploit the hapless user, including web drive-by, social engineering/phishing, and ransomware. Because these attacks rely on human actions, there’s a need for increased monitoring and containment, along with user education.

The latest attacks have the ability to move laterally across your entire environment, challenging every endpoint until a vulnerability is found. Once inside your walls, all endpoints become vulnerable. Modern endpoint security must extend protection across the entire digital terrain with visibility to spot all potential risks.

Fewer Consoles = Better Efficiency

A 2018 MSA Research report on security management commissioned by McAfee revealed that 55% of organizations struggle to rationalize data when three or more consoles are present. Too many security products, devices, and separate consoles call for a large budget and additional employees who might struggle to maintain a secure environment.

In contrast, a single management console can efficiently coordinate the defenses built into modern devices while extending their overall posture with advanced capabilities—leaving nothing exposed. With ever-changing industry requirements, an integrated endpoint security approach ensures that basic standards and processes are included and up to date.

Why McAfee Endpoint Security

McAfee offers a broad portfolio of security solutions that combine established capabilities (firewall, reputation, and heuristics) with cutting-edge machine learning and containment, along with endpoint detection and response (EDR) into a single-agent all-inclusive management console.

Is it time you took a fresh look at your strategy? Learn more in this white paper: Five ways to rethink your endpoint protection strategy.

The post How to Get the Best Layered and Integrated Endpoint Protection appeared first on McAfee Blogs.

Why AI Innovation Must Reflect Our Values in Its Infancy

In my last blog, I explained that while AI possesses the mechanics of humanness, we need to train the technology to make the leap from mimicking humanness with logic, rationality, and analytics to emulating humanness with common sense. If we evolve AI to make this leap, the impact will be monumental, but it will require our global community to take a more disciplined approach to pervasive AI proliferation. Historically, our enthusiasm for and consumption of new technology has outpaced society’s ability to evolve legal, political, social, and ethical norms.

I spend most of my time thinking about AI in the context of how it will change the way we live. How it will change the way we interact, impact our social systems, and influence our morality.  These technologies will permeate society and the ubiquity of their usage in the future will have far reaching implications. We are already seeing evidence of how it changes how we live and interact with the world around us.

Think Google. It excites our curiosity and puts information at our fingertips. What is tripe – should I order it off the menu? Why do some frogs squirt blood from their eyes? What does exculpatory mean?

AI is weaving the digital world into the fabric of our lives and making information instantaneously available with our fingertips.

AI-enabled technology is also capable of anticipating our needs. Think Alexa. As a security professional I am a holdout on this technology, but the allure of it is indisputable. It makes the digital world accessible with a voice command. It understands more than we may want it to – did someone tell Alexa to order coffee pods and toilet tissue, and if not, how did Alexa know to order toilet tissue? Maybe some things I just don’t want to know.

I also find it a bit creepy when my phone assumes (and gets it right) that I am going straight home from the grocery store, letting me know, unsolicited, that it will take 28 minutes with traffic. How does it know I am going home? I could be going to the gym. It’s annoying that it knows I have no intention of working out. A human would at least have the decency to give me the travel time to both, allowing me to maintain the illusion that the gym was an equal possibility.

On a more serious note, AI-enabled technology will also impact our social, political and legal systems. As we incorporate it into more products and systems, issues related to privacy, morality and ethics will need to be addressed.

These questions are being asked now, but in anticipation of AI becoming embedded in everything we interact with it is critical that we begin to evolve our societal structures to address both the opportunities and the threats that will come with it.

The opportunities associated with AI are exciting. AI shows incredible promise in the medical world, and it is already being used in some areas. There are already tools in use that leverage machine learning to help doctors identify disease-related patterns in imaging. Research is underway using AI to help deal with cancer.

For example, in May 2018, The Guardian reported that skin cancer research using a convolutional neural network (CNN – based on AI) detected skin cancer 95% of the time compared to human dermatologists who detected it 86.6% of the time. Additionally, facial recognition in concert with AI may someday be commonplace in diagnosing rare genetic disorders, that today, may take months or years to diagnose.

But what happens when the diagnosis made by a machine is wrong? Who is liable legally? Do AI-based medical devices also need malpractice insurance?

The same types of questions arise with autonomous vehicles. Today it is always assumed a human is behind the wheel in control of the vehicle. Our laws are predicated on this assumption.

How must laws change to account for vehicles that do not have a human driver? Who is liable? How does our road system and infrastructure need to change?

The recent Uber accident case in Arizona determined that Uber was not liable for the death of a pedestrian killed by one of its autonomous vehicles. However, the safety driver, who was watching TV rather than the road, may be charged with manslaughter. How does this change when the car’s occupants are no longer safety drivers but simply passengers in fully autonomous vehicles? How will laws need to evolve at that point for cars and other types of AI-based “active and unaided” technology?

There are also risks to be considered in adopting pervasive AI. Legal and political safeguards need to be considered, either in the form of global guidelines or laws. Machines do not have a moral compass. Given that the definition of morality may differ depending on where you live, it will be extremely difficult to train morality into AI models.

Today most AI models lack the ability to determine right from wrong, ill intent from good intent, morally acceptable outcomes from morally reprehensible outcomes. AI does not understand if the person asking the questions, providing it data or giving it direction has malicious intent.

We may find ourselves on a moral precipice with AI. The safeguards or laws I mention above need to be considered before AI becomes more ubiquitous than it already is. AI will enable humankind to move forward in ways previously unimagined. It will also provide a powerful conduit through which humankind’s greatest shortcomings may be amplified.

The implications of technology that can profile entire segments of a population with little effort are disconcerting in a world where genocide has been a tragic reality, where civil obedience is coerced using social media, and where trust is undermined by those that use misinformation to sow political and societal discontent.

There is no doubt that AI will make this a better world. It gives us hope on so many fronts where technological impasses have impeded progress. Science may advance more rapidly, medical research may progress beyond current roadblocks, and daunting societal challenges around transportation and energy conservation may be solved. It is another tool in our technological arsenal, and the odds are overwhelmingly in favor of it improving the global human condition.

But realizing its advantages while mitigating its risks will require commitment and hard work from many conscientious minds from different quarters of our society. We as the technology community have an obligation to engage key stakeholders across the legal, political, social and scientific community to ensure that as a society we define the moral guardrails for AI before it becomes capable of defining them, for or in spite of, us.

Like all technology before it, AI’s social impacts must be anticipated and balanced against the values we hold dear. Like parents raising a child, we need to establish and insist that the technology reflect our values now, while its growth is still in its infancy.

The post Why AI Innovation Must Reflect Our Values in Its Infancy appeared first on McAfee Blogs.

3 Ways to Improve Your Online Store’s Cyber Security

If you don’t do your utmost to ensure that your online store is safe to use, you could end up putting your customers in real danger. From their finances being stolen to their personal data being hacked, any kind of trouble could befall your site’s users if you do not take cyber security seriously. Make sure, then, that you take it seriously!

When it comes to improving your online store’s cybersecurity measures, the following advice makes for essential reading.

Make your mobile payments safer

One of the most burgeoning e-commerce trends is mobile payment. As stated on Oberlo’s mobile shopping trends article, this is because this kind of transaction process prioritizes comfort, and it makes the buying process a whole lot simpler. You would be foolish not to grant your customers the opportunity to pay for things on your store via their mobile devices.

Allowing this kind of payment does come with its fair share of drawbacks, however, the biggest being that it isn’t always the safest form of transaction. This doesn’t mean that you can’t strengthen your mobile payment process, though. Some of the measures that you can and should put into place include:

  • Only ever using a trusted payment platform
  • Ensuring that your payment terminals are NFC-enabled
  • Encrypting your network so that sensitive information cannot be intercepted in transit

Switch to HTTPS

In this day and age, if you continue to stick with the HTTP protocol, your online store will be a sitting duck for cyber criminality. If you’re serious about safety, you must switch to HTTPS.

Created initially to safeguard the particularly sensitive elements of e-commerce sites, such as the payment process, HTTPS is now used to protect whole websites. By embracing this protocol, you will be able to be sure that your visitors’ data will remain safe at all conceivable points.

Protect your Admin Panel

Your Admin Panel is the aspect of your store that is least difficult for cybercriminals to crack. All it takes is for you to set a weak password, and hackers can have a field day when it comes to accessing all of the data you store in the backend of your site.

To protect your Admin Panel, you need to:

If they were to encounter trouble with a cybercriminal while using your online store, you can be sure that your customers will not give you a second chance. They will lose trust in you instantly, and more than likely never return to you again — and they’ll tell everybody that they know to avoid your website in the future, too, for good measure. If you don’t take cybersecurity seriously, you could even find yourself in hot water with the authorities. The impact cyber criminality could have on your online store is something you should want to avoid at all costs, which is why you must put all of the above advice into practice as soon as possible.

The post 3 Ways to Improve Your Online Store’s Cyber Security appeared first on CyberDB.

Breaches and Bugs: How Secure are Your Family’s Favorite Apps?

Is your family feeling more vulnerable online lately? If so, you aren’t alone. The recent WhatsApp bug and social media breaches have app users thinking twice about security.

Hackers behind the recent WhatsApp malware attack, it’s reported, could record conversations, steal private messages, grab photos and location data, and turn on a device’s camera and microphone. (Is anyone else feeling like you just got caught in the middle of an episode of Homeland?)

There’s not much you and your family can do about an attack like this except to stay on top of the news, be sure to share knowledge and react promptly, and discuss device security in your home as much as possible.

How much does your family love its apps? Here’s some insight:

  • Facebook Messenger 3.408 billion downloads
  • WhatsApp 2.979 billion downloads
  • Instagram 1.843 billion downloads
  • Skype 1.039 billion downloads
  • Twitter 833.858 million downloads
  • Candy Crush 805.826 million downloads
  • Snapchat 782.837 million downloads

So, should you require your family to delete its favorite apps? Not even. A certain degree of vulnerability comes with the territory of a digital culture.

However, what you can and should do to ease that sense of vulnerability is to adopt proactive safety habits — and teach your kids — to layer up safeguards wherever possible.

Tips to Help Your Family Avoid Being Hacked

Don’t be complacent. Talk to your kids about digital responsibility and teach them to treat each app like a potential doorway that could expose your family’s data. Take the time to sit down and teach kids how to lock down privacy settings and the importance of keeping device software updated. Counsel them not to accept data breaches as a regular part of digital life, and show them how to fight back against online criminals with a security mindset.

Power up your passwords. Teach your kids to use unique, complex passwords for all of their apps and to use multi-factor authentication when it’s offered.

Auto update all apps. App developers regularly issue updates to fix security vulnerabilities. You can turn on auto updates in your device’s Settings.

Add extra security. If you can add a robust, easy-to-install layer of security to protect your family’s devices, why not? McAfee mobile solutions are available for both iOS and Android and will help safeguard devices from cyber threats.

Avoid suspicious links. Hackers send malicious links through text, messenger, email, pop-ups, or within the context of an ongoing conversation. Teach your kids to be aware of these tricks and not to click suspicious links or download unfamiliar content.

Share responsibly. When you use chat apps like WhatsApp or Facebook Messenger, it’s easy to forget that an outsider can access your conversation. Remind your children that nothing is private — even messaging apps that feel as if a conversation is private. Hackers are looking for personal information (birthday, address, hometown, or names of family members and pets) to crack your passwords, steal your identity, or gain access to other accounts.

What to Do If You Get Hacked

If one of your apps is compromised, act quickly to minimize the fallout. If you’ve been hacked, you may notice your device running slowly, a drain on your data, strange apps on your home screen, and evidence of calls, texts or emails you did not send.

Social media accounts. For Facebook and other social accounts, change your password immediately and alert your contacts that your account was compromised.

Review your purchase history. Check to see if there are any new apps or games installed that you didn’t authorize. You may have to cancel the credit card associated with your Google Play or iTunes account.

Revoke app access, delete old apps. Sometimes it’s not a person but a malicious app you may have downloaded that is wreaking havoc on your device. Encourage your kids to go through their apps and delete suspicious ones as well as apps they don’t use.

Bugs and breaches are part of our digital culture, but we don’t have to resign ourselves to being targets. By sharing knowledge and teaching kids to put on a security mindset, together, you can stay one step ahead of a cybercrook’s digital traps.

The post Breaches and Bugs: How Secure are Your Family’s Favorite Apps? appeared first on McAfee Blogs.

How MVISION Mobile can combat the WhatsApp Buffer Overflow Vulnerability

A new WhatsApp vulnerability has attracted the attention of the press and security professionals around the world. We wanted to provide some information and a quick summary.

This post will cover vulnerability analysis and how McAfee MVISION Mobile can help.

Background

On May 13th, Facebook announced a vulnerability associated with all of its WhatsApp products. This vulnerability was reportedly exploited in the wild, and it was designated as CVE-2019-3568.

WhatsApp told the BBC its security team was the first to identify the flaw. It shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

The CVE-2019-3568 Vulnerability Explained

WhatsApp suffers from a buffer overflow weakness, meaning an attacker can leverage it to run malicious code on the device. Data packets can be manipulated during the start of a voice call, leading to the overflow being triggered and the attacker commandeering the application. Attackers can then deploy surveillance tools to the device to use against the target.

A buffer overflow vulnerability in the WhatsApp VoIP (voice over internet protocol) stack allows remote code execution via a specially crafted series of SRTP (secure real-time transport protocol) packets sent to a target phone number.

Affected Versions:

  • WhatsApp for Android prior to v2.19.134
  • WhatsApp Business for Android prior to v2.19.44
  • WhatsApp for iOS prior to v2.19.51
  • WhatsApp Business for iOS prior to v2.19.51
  • WhatsApp for Windows Phone prior to v2.18.348
  • WhatsApp for Tizen prior to v2.18.15
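With the fixed versions listed per product, checking a fleet for exposure comes down to a version comparison per record. Here is an added Python example (not McAfee’s or WhatsApp’s code) that flags inventory records older than the fix; the fixed-version table is taken from the list above, and the inventory records are constructed sample data.

```python
"""Flag WhatsApp installs older than the fixed versions for CVE-2019-3568.

Added example, not McAfee's or WhatsApp's own code. The fixed-version
table comes from the advisory list above; the inventory is constructed
sample data.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed version per product, as listed in the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}

# Constructed sample inventory: (device id, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("phone-01", "WhatsApp for Android", "2.19.134"),   # exactly the fix
    ("phone-02", "WhatsApp for Android", "v2.19.98"),   # older, 'v' prefix
    ("phone-03", "WhatsApp for iOS", "2.19.51"),
    ("phone-04", "WhatsApp Business for iOS", "2.19.44"),
    ("phone-05", "WhatsApp for Tizen", "2.18.9"),       # 9 < 15 numerically
    ("phone-06", "WhatsApp for Android", "2.20.1"),
    ("phone-07", "WhatsApp for Android", "latest"),     # malformed record
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v2.19.134' or '2.19.134' into a tuple of ints for comparison.

    Comparing tuples of ints avoids the classic string-comparison trap
    where '2.19.9' sorts after '2.19.134'. Anything that is not dotted
    integers raises ValueError so a malformed record is reported rather
    than silently classified.
    """
    cleaned = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed version is strictly older than the fix."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group device ids into 'patched', 'vulnerable' and 'unknown' buckets.

    'unknown' collects records that could not be classified (unlisted
    product or unparseable version) so they get a manual look instead of
    being assumed safe.
    """
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for device_id, product, installed in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(product, installed) else "patched"
        except (KeyError, ValueError):
            bucket = "unknown"
        report[bucket].append(device_id)
    return report


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```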

The Alleged Exploit

An exploit of the vulnerability was used in an attempted attack on the phone of a UK-based attorney on 12 May, the Financial Times reported. The reported attack involved using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software could be installed.

How MVISION Mobile can combat CVE-2019-3568 Attacks

To date, the detection technology inside MVISION Mobile has detected 100 percent of zero-day device exploits without requiring an update.

MVISION Mobile helps protect customers by identifying at-risk iOS and Android devices and active threats trying to leverage the vulnerability. It uses Advanced App Analysis capabilities to help administrators find all devices that are exposed to the WhatsApp vulnerability, by identifying every device that has a vulnerable version of WhatsApp installed, and to establish custom policies to address the risk. If the exploit attempts to elevate privileges and compromise the device, MVISION Mobile would detect the attack on the device.

For more information about MVISION Mobile, download our datasheet or visit our web site.

The post How MVISION Mobile can combat the WhatsApp Buffer Overflow Vulnerability appeared first on McAfee Blogs.

New research: How effective is basic account hygiene at preventing hijacking


Every day, we protect users from hundreds of thousands of account hijacking attempts. Most attacks stem from automated bots with access to third-party password breaches, but we also see phishing and targeted attacks. Earlier this year, we suggested how just five simple steps like adding a recovery phone number can help keep you safe, but we wanted to prove it in practice.
We teamed up with researchers from New York University and the University of California, San Diego to find out just how effective basic account hygiene is at preventing hijacking. The year-long study, on wide-scale attacks and targeted attacks, was presented on Wednesday at a gathering of experts, policy makers, and users called The Web Conference.
Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.


Google’s automatic, proactive hijacking protection
We provide an automatic, proactive layer of security to better protect all our users against account hijacking. Here’s how it works: if we detect a suspicious sign-in attempt (say, from a new location or device), we’ll ask for additional proof that it’s really you. This proof might be confirming you have access to a trusted phone or answering a question where only you know the correct response.
If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.


Both device- and knowledge-based challenges help thwart automated bots, while device-based challenges help thwart phishing and even targeted attacks.

If you don’t have a recovery phone number established, then we might fall back on the weaker knowledge-based challenges, like recalling your last sign-in location. This is an effective defense against bots, but protection rates for phishing can drop to as low as 10%. The same vulnerability exists for targeted attacks. That’s because phishing pages and targeted attackers can trick you into revealing any additional identifying information we might ask for.
Given the security benefits of challenges, one might ask why we don’t require them for all sign-ins. The answer is that challenges introduce additional friction and increase the risk of account lockout. In an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address.
If you lose access to your phone, or can’t solve a challenge, you can always return to a trusted device you previously logged in from to gain access to your account.


Digging into “hack for hire” attacks
Where most bots and phishing attacks are blocked by our automatic protections, targeted attacks are more pernicious. As part of our ongoing efforts to monitor hijacking threats, we have been investigating emerging “hack for hire” criminal groups that purport to break into a single account for a fee on the order of $750 USD. These attackers often rely on spear phishing emails that impersonate family members, colleagues, government officials, or even Google. If the target doesn’t fall for the first spear phishing attempt, follow-on attacks persist for upwards of a month.


Example man-in-the-middle phishing attack that checks for password validity in real-time. Afterwards, the page prompts victims to disclose SMS authentication codes to access the victim’s account.

We estimate just one in a million users face this level of risk. Attackers don’t target random individuals though. While the research shows that our automatic protections can help delay, and even prevent as many as 66% of the targeted attacks that we studied, we still recommend that high-risk users enroll in our Advanced Protection Program. In fact, zero users that exclusively use security keys fell victim to targeted phishing during our investigation.



Take a moment to help keep your account secure
Just like buckling a seat belt, take a moment to follow our five tips to help keep your account secure. As our research shows, one of the easiest things you can do to protect your Google Account is to set up a recovery phone number. For high-risk users—like journalists, activists, business leaders, and political campaign teams—our Advanced Protection Program provides the highest level of security. You can also help protect your non-Google accounts from third-party password breaches by installing the Password Checkup Chrome extension.

1 Minute Quick Privacy Ref-ernces

If you have a moment take a look at our 1 minute videos to get caught up on the latest things going on in the privacy community. California Consumer Protection Act – Ben Siegel discusses the California Consumer Protection Act and how some of the advancing Amendments can drastically change the CCPA. Privacy Awareness Ideas […]

The post 1 Minute Quick Privacy Ref-ernces appeared first on Privacy Ref Blog.

WhatsApp, Microsoft and Intel Chip Vulnerabilities

Quickly applying software updates (patching) to mitigate security vulnerabilities is a cornerstone of both a home and business security strategy. So it was interesting to see how the mainstream news media reported the disclosure of three separate ‘major’ security vulnerabilities this week, within WhatsApp, Microsoft Windows and Intel Processors.

WhatsApp

The WhatsApp security flaw by far received the most attention from the media and was very much the leading front-page news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely spyware called Pegasus, which can access the smartphone's call logs and text messages, and can covertly enable and record the camera and microphone.

From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack; this makes remote code execution possible by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.

Should you be concerned?

WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on; NSO advertises that it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") are known to be used by government agencies in the UAE, Saudi Arabia and Mexico.

So, if you are one of the 1.5 billion WhatsApp users, and not a Middle East political activist or a Mexican criminal, you probably shouldn’t worry too much about your smartphone having been exploited in the past. If you were exploited, there would be signs, with unusual glitches and activity on your phone. Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ NSO Group's exploitation.

How to Prevent

Update the WhatsApp app.

iOS

  • Open the Apple AppStore App
  • Search for WhatsApp Messenger
  • Tap 'Update' and the latest version of WhatsApp will be installed
  • App Version 2.19.51 and above fixes the vulnerability

Android

  • Open Google Play Store
  • Tap the menu in the top left corner
  • Go to “My Apps & Games”
  • Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
  • App Version 2.19.134 and above fixes the vulnerability

Microsoft Worm Vulnerability CVE-2019-0708

Making fewer media headlines was the announcement of a new “wormable” vulnerability discovered within various versions of Microsoft’s Windows operating system. The vulnerability, CVE-2019-0708, is within the Windows “Remote Desktop Services” component.

This vulnerability is by far the most dangerous vulnerability reported this week, probably this year. It is a similar flaw to the one the WannaCry malware exploited en masse in May 2017. WannaCry was a ransomware worm which severely impacted the operation of several large organisations, including the NHS. It exploited a similar Microsoft Windows vulnerability which enabled the malware to quickly self-propagate (worm) across networks and infect vulnerable systems en masse with ransomware, rendering such systems unusable.


Such is the concern of a second WannaCry-style attack due to this flaw that Microsoft has taken the rare step of releasing security patches for its unsupported versions of the Windows operating system, such as Windows XP and Windows Server 2003.

How to Prevent

Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability; therefore applying the Microsoft May 2019 Security Update, as released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability.

Ensure automatic updates are always kept switched on. Windows by default should attempt to download and install the latest security updates; typically you will be prompted to apply the update and accept a reboot. Do this without delay.

To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.

Businesses must also seek to apply Microsoft security updates as soon as they are released. Typically large organisations control the release of Microsoft security patches centrally; they should monitor and risk-assess the importance of newly released security updates, and then apply them across their IT estate at a rate based on risk.

Intel CPU ZombieLoad Vulnerability

There was little mainstream coverage of a third major security vulnerability reported this week. Dubbed 'ZombieLoad', this side-channel processor vulnerability is present in almost every Intel processor made since 2011. This hardware vulnerability is a concern to businesses which use or provide cloud services. This flaw can also be mitigated by patching, with Microsoft, Apple, Amazon and Google all releasing security patches. For further information about the Intel CPU vulnerability, read the following posts.

7 Steps to Strengthen Your Cybersecurity Program Today

Managing a security program in today’s ever-changing cyber threat landscape is no small feat. Many administrators struggle with knowing where to even start. Cybersecurity programs must be continually evaluated and should evolve as cyber threats and company risks change; however, these steps will guide you in the right direction to begin strengthening your security program today.

1. Assess your current security program.

The best way to assess a security program is to first choose a framework best for your company. A good framework to follow is the NIST Cybersecurity Framework, which is a comprehensive guide to baseline security requirements and controls any company can implement to strengthen a security program. For companies of all sizes, implementing a security control or practice must be evaluated from a business standpoint to determine if the benefit to the business outweighs the cost of the security control. Following a framework for this evaluation will help you prioritize cybersecurity initiatives and give your organization a clear roadmap for the way you want to develop a cybersecurity program.

2. Identify what data you have and where it lives.

Data cannot be protected if the custodians don’t know it exists, or where it exists. Identification of the data stored, created, or controlled by a company is crucial to understanding your cybersecurity and data protection priorities. Further, identifying whether sensitive data is stored in cloud services, on hard drives, or in file servers can drastically change the strategy needed in order to protect that data. Even Data Loss Prevention (DLP) tools are less effective if the tool is not focused on the right locations to determine whether data is being accessed or is leaving the protected network in some way. Identifying data locations can also help you to ensure your proprietary or confidential data is moved from less secure locations, such as private cloud storage accounts, to secure, company-controlled environments like an enterprise cloud account.

3. Implement and enforce policies to combat insider threat.

Policies and procedures are essential to combat the human element of cybersecurity. Employees often do not understand what they can and cannot do with a company’s documents, hardware, and system access if there are no policies in place to guide them. An insider threat isn’t necessarily a nefarious actor out to steal company data; it often presents itself in examples such as a well-meaning employee who shares a document with a partner in an insecure way, exposing the data to unauthorized access.

4. Implement a security awareness training program.

Continuing with the theme of well-meaning employees, phishing attacks are the cause of data breaches in 98% of the cases reported (Verizon DBIR). Anti-phishing measures can only go so far to detect phishing attacks, so it’s up to the employee to know how to recognize a phishing email, and to know what to do with it. Security awareness training can teach an employee to recognize the signs of phishing emails and may prevent the employees and the company from falling victim to a phishing attack.

5. Talk to your IT team about multi-factor authentication and anti-phishing measures.

Multi-factor authentication (MFA) is one of the best security controls you can implement to prevent unauthorized access to company systems. Simply put, MFA works by requiring not only something the user knows (i.e. a password) but also something the user has (i.e. a texted code to a cell phone, or better yet, a hardware key an employee has to interact with) to access a system. Many instances of unauthorized system access could have been thwarted by a company’s use of MFA on their critical systems. In addition, as mentioned above, phishing attacks are responsible for a large majority of data breaches, and anti-phishing measures should be taken to protect corporate email systems.

6. Implement a third-party vendor risk management program.

Many companies work with third-party vendors and service providers, and in some cases these providers need access into corporate infrastructure and IT systems. You can invest millions or even billions into your cybersecurity program, but it can be for nothing if a trusted service provider becomes compromised. As is the case in many high-profile breaches, it was the service provider who suffered the breach, in turn causing their partners to suffer the same fate. Implement a third-party risk management program in which new and existing service providers must show proof of their internal security program practices and controls before being allowed access into a corporate system.

7. Implement onboarding and offboarding policies that integrate HR and IT.

When onboarding a new employee, a policy needs to be in place that allows your HR and IT departments to work together to determine what information the new hire needs access to in order to do their job. Equally important, you must also have a policy in place for offboarding. Without proper offboarding policies, former employees or contractors may still be able to access certain IT systems well after they’ve left the organization. Cases where former contractors or employees retained access to a company’s IT systems for months or even years after that access should have been revoked are not uncommon. And in many cases, an employee who leaves a company involuntarily decides to use their company access to destroy documents or steal company intellectual property, and can be as destructive as deleting entire servers and infrastructure. Access to systems should be approved by HR (to prevent extra accounts and backdoors from being created without company knowledge), and departed employees should be immediately deprovisioned from all systems.

Implementing any cybersecurity controls or program initiatives requires a company culture shift and executive buy-in. However, organizations, no matter the size, simply cannot afford to ignore security, nor can they wait for a breach to occur before security is taken seriously. The steps outlined in this post will be an excellent start to a strong security program and will help you gain traction for future program changes and improvements.


The post 7 Steps to Strengthen Your Cybersecurity Program Today appeared first on GRA Quantum.

Keys to Scaling Your Application Security Program

It’s best practice to kick off your AppSec initiative by starting small, scanning your most business-critical apps, and addressing the most severe flaws. But it’s also best practice to scale your program to eventually cover your entire app landscape, and all flaws. Why? First, because you can be breached through non-critical apps: JP Morgan was breached through third-party software supporting its charitable road race, and Target was breached through its HVAC vendor’s software. Second, you can be breached through a low-severity vulnerability. Oftentimes, a low-severity flaw can be just as risky as, if not riskier than, a higher-severity flaw. For example, a low-severity information leakage flaw could provide just the right amount of system knowledge an attacker needs to leverage a vulnerability that might otherwise be difficult to exploit.

How do you make this transition from few to many, especially with limited security staff and expertise? This is a significant challenge. In fact, we typically see AppSec programs fail for two reasons: lack of experience in running an application security program, and the inability to hire enough qualified staff to run application security tools at scale. Very few application security managers have run large programs before and have the experience to predict ramp-up and adoption. The global shortage of security professionals also makes it difficult to hire enough people to coordinate between development and security teams. The 2018 Cyberthreat Defense Report found that a rising shortage of skilled personnel is the number one inhibitor organizations face when trying to establish a security program.

Yet, we’ve also helped thousands of customers grow and mature their AppSec programs over the past 12 years, and we know there are a few keys to effectively scaling an application security program. These keys include:

The right partner

Considering the skills shortage, engaging outside AppSec expertise goes a long way, both to establish your program’s goals and roadmap and keep it on track, and to guide you through fixing the flaws you find. We aren’t suggesting you replace your security team with consultants, but rather that you complement it with specialized AppSec expertise and free your team to focus on managing risk by taking these tasks off their plates:

  • Addressing the blocking and tackling of onboarding
  • Application security program management
  • Reporting
  • Identifying and addressing barriers to success
  • Working with development teams to ensure they are finding and remediating vulnerabilities

We’ve seen the difference this support makes: Veracode customers who work with our security program managers grow their application coverage by 25 percent each year, decrease their time to deployment, and demonstrate better vulnerability detection and remediation metrics.

In fact, data collected for our State of Software Security report found that developers who get remediation coaching from our security experts fix 88 percent more flaws.

Security champions

Another way to scale your AppSec program is to develop and nurture security champions within your development teams. While these developers aren’t (and don’t have to be) security pros, they can act as the security conscience of the team by keeping their eyes and ears open for potential issues. The team can then fix the issues in development or call in your organization’s security experts for guidance. An embedded security champion can effectively help an organization make up for a lack of security coverage or skills by acting as a force multiplier who can pass on security best practices, answer questions, and raise security awareness. Because your security champion speaks the lingo of developers and is intimately involved in your organization’s development projects, he or she can communicate security issues in a way that development teams will understand and embrace.

How can you start developing security champions?

  • Get leadership buy-in. Make sure management, the security team, and the Scrum leaders are willing to invest the time, money, and resources it will take to make security champions effective.
  • Set the standard. Create expectations for what security champions should do and incorporate it into their pre-existing peer review work to minimize disruptions.
  • Track success. Make security a KPI so your organization can evaluate the ROI of the program.
  • Provide training. Volunteers can bring passion, but it’s up to your security experts to provide the knowledge your security champions will need to review code for flaws and pass best practices on to the development team.
  • Build community. Make sure security champions have ample opportunity to meet with each other and the security team to discuss specific issues and overall trends.

Cloud-based solution

In addition, a cloud-based application security solution can help you scale your program without a lot of extra cost or hassle compared to an on-premises solution. When an on-premises application security program needs to be scaled, enterprises frequently need to track down more of the hard-to-find security specialists, in addition to installing more servers.

Things that usually cost extra in an on-premises solution — features such as integrations, onboarding, upgrades, and maintenance — are all included with a cloud-based solution. This allows your security team to focus on scaling your AppSec efforts without worrying about going over budget.

Learn more

Application security is about more than scanning; the ability to scale your program is a critical factor that can make or break your program. Learn more about AppSec best practices in our new eBook, Application Security: Beyond Scanning.

Fallout from a Fallout

It is often that a data breach reveals other issues that a business is experiencing, but it isn’t every day I see the opposite. When I heard about what was happening at Bethesda Softworks and their online game, I was interested immediately. The background on this is simple enough. Bethesda is a well-known video game […]

The post Fallout from a Fallout appeared first on Privacy Ref Blog.

3 Tips for Protecting Against the New WhatsApp Bug

Messaging apps are a common form of digital communication these days, with Facebook’s WhatsApp being one of the most popular options out there. The communication platform boasts over 1.5 billion users – who now need to immediately update the app due to a new security threat. In fact, WhatsApp just announced a recently discovered security vulnerability that exposes both iOS and Android devices to malicious spyware.

So, how does this cyberthreat work, exactly? Leveraging the new WhatsApp bug, attackers begin the scheme by calling an unsuspecting user via the app. Regardless of whether the user picks up or not, the attacker can use that phone call to infect the device with malicious spyware. From there, crooks can potentially snoop around the user’s device, likely without the victim’s knowledge.

Fortunately, WhatsApp has already issued a patch that fixes the problem, which means users who update their app immediately will close the bug. But that doesn’t mean users shouldn’t still keep security top of mind now and in the future when it comes to messaging apps and the crucial data they contain. With that said, here are a few security steps to follow:

  • Flip on automatic updates. No matter the type of application or platform, it’s always crucial to keep your software up-to-date, as fixes for vulnerabilities are usually included in each new version. Turning on automatic updates will ensure that you are always equipped with the latest security patches.
  • Be selective about what information you share. When chatting with fellow users on WhatsApp and other messaging platforms, it’s important you’re always careful of sharing personal data. Never exchange financial information or crucial personal details over the app, as they can possibly be stolen in the chance your device does become compromised with spyware or other malware.
  • Protect your mobile phone from spyware. To help prevent your device from becoming compromised by malicious software, such as this WhatsApp spyware, be sure to add an extra layer of security to it by leveraging a mobile security solution. With McAfee Mobile Security available for both iOS and Android, devices of all types will remain protected from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 3 Tips for Protecting Against the New WhatsApp Bug appeared first on McAfee Blogs.

Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys

We’ve become aware of an issue that affects the Bluetooth Low Energy (BLE) version of the Titan Security Key available in the U.S. and are providing users with the immediate steps they need to take to protect themselves and to receive a free replacement key. This bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected. Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing.

What is the security issue?

Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key -- within approximately 30 feet -- to (a) communicate with your security key, or (b) communicate with the device to which your key is paired. In order for the misconfiguration to be exploited, an attacker would have to align a series of events in close coordination:

  • When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
  • Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

This security issue does not affect the primary purpose of security keys, which is to protect you against phishing by a remote attacker. Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device). This local proximity Bluetooth issue does not affect USB or NFC security keys.

Am I affected?

This issue affects the BLE version of Titan Security Keys. To determine if your key is affected, check the back of the key. If it has a “T1” or “T2” on the back of the key, your key is affected by the issue and is eligible for free replacement.

Steps to protect yourself

If you want to minimize the remaining risk until you receive your replacement keys, you can perform the following additional steps:

iOS devices:

On devices running iOS version 12.2 or earlier, we recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you’ve used your key to sign into your Google Account on your device, immediately unpair it. You can use your key in this manner again while waiting for your replacement, until you update to iOS 12.3.

Once you update to iOS 12.3, your affected security key will no longer work. You will not be able to use your affected key to sign into your Google Account, or any other account protected by the key, and you will need to order a replacement key. If you are already signed into your Google Account on your iOS device, do not sign out because you won’t be able to sign in again until you get a new key. If you are locked out of your Google Account on your iOS device before your replacement key arrives, see these instructions for getting back into your account. Note that you can continue to sign into your Google Account on non-iOS devices.

On Android and other devices:

We recommend using your affected security key in a private place where a potential attacker is not within close physical proximity (approximately 30 feet). After you’ve used your affected security key to sign into your Google Account, immediately unpair it. Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won’t need to unpair manually. You can also continue to use your USB or NFC security keys, which are supported on Android and not affected by this issue.

How to get a replacement key

We recommend that everyone with an affected BLE Titan Security Key get a free replacement by visiting google.com/replacemykey.

Is it still safe to use my affected BLE Titan Security Key?

It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available.

Cloud 101: Navigating the Top 5 Cloud Management Challenges

Cloud management is a critical topic that organizations are looking at to simplify operations, increase IT efficiency, and reduce costs. Although cloud adoption has risen in the past few years, some organizations aren’t seeing the results they’d envisioned. That’s why we’re sharing a few of the top cloud management challenges enterprises need to be cautious of and how to overcome them.

Cloud Management Challenge #1: Security

Given the overall trend toward migrating resources to the cloud, a rise in security threats shouldn’t be surprising. Per our latest Cloud Risk and Adoption Report, the average enterprise organization experiences 31.3 cloud-related security threats each month—a 27.7% increase over the same period last year. Broken down by category, these include insider threats (both accidental and malicious), privileged user threats, and threats arising from potentially compromised accounts.

To mitigate these types of cloud threats and risks, we have a few recommendations to better protect your business. Start by auditing your Amazon Web Services, Microsoft Azure, Google Cloud Platform, or other IaaS/PaaS configurations to catch misconfigurations before they open a hole in your security posture. Second, it’s important to understand which cloud services hold most of your sensitive data. Once that’s determined, extend your data loss prevention (DLP) policies to those services, or build them in the cloud if you don’t already have a DLP practice. Right along with controlling the data itself goes controlling who the data can go to, so lock down sharing wherever your sensitive data lives.
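The configuration audit recommended above is most valuable when it is repeatable, and the single most common storage misconfiguration is a resource policy that grants access to an anonymous principal. The following is an added example, not code from the original post or from McAfee, of a small policy linter for documents in the AWS S3 bucket-policy format: it flags every Allow statement whose Principal is everyone, treats a conditioned anonymous grant as something to review by hand, and ignores Deny statements because they can only restrict access. The two policies (the weak setting and its corrected form) and the account id are constructed examples.

```python
"""Bucket-policy audit for anonymous access. Added example, not from the
original post; the policy documents below are constructed."""
import json
from typing import Any, List

# Constructed weak setting: object reads granted to everyone on the internet
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"},
    ],
})

# Constructed corrected setting: reads scoped to one IAM role, plus a Deny that
# refuses plaintext transport. The Deny uses Principal "*" too, which is fine.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value: Any) -> List[Any]:
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal: Any) -> bool:
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket_policy(policy_json: str) -> List[str]:
    """Return one finding per Allow statement that reaches an anonymous principal."""
    findings: List[str] = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take access away
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition may narrow the grant (source VPC, IP range); needs a human look
            findings.append(f"{sid}: anonymous Allow with Condition, review the condition")
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        findings.append(f"{sid}: anonymous principal allowed {actions}")
    return findings


if __name__ == "__main__":
    print("weak :", audit_bucket_policy(WEAK_POLICY))   # one finding for PublicRead
    print("fixed:", audit_bucket_policy(FIXED_POLICY))  # no findings
```

The same shape of check carries over to the other providers named in the post, since Azure and GCP resource policies also have a notion of an all-users principal; the point is that the audit is a function over exported configuration that can run on every change, not a one-off console review.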

Cloud Management Challenge #2: Governance

Many companies deploy cloud systems without an adequate governance plan, which increases the risk of security breaches and inefficiency. Lack of data governance may result in a serious financial loss, and failing to protect sensitive data could result in a data breach.

Cloud management and cloud governance are often interlinked. Keeping track of your cloud infrastructure is essential. Governance and infrastructure planning can help mitigate certain infrastructure risks; automated cloud discovery and governance tools will therefore help your business safeguard operations.

Cloud Management Challenge #3: Proficiency

You may also be faced with the challenge of ensuring that IT employees have the proper expertise to manage their services in a cloud environment. You may need to decide to either hire a new team that is already familiar with cloud environments or train your existing staff.

In the end, training your existing staff is less expensive, scalable, and faster. Knowledge is key when transforming your business and shifting your operational model to the cloud. Accept the challenge and train your employees, give them hands-on time, and get them properly certified. For security professionals, the Cloud Security Alliance is a great place to start for training programs.

Cloud Management Challenge #4: Performance

Enterprises are continually looking for ways to improve their application performance and meet internal/external SLAs. However, even in the cloud, they may not immediately achieve these benefits. Cloud performance is complex, and if you’re having performance issues it’s important to look at the variety of issues that could be occurring in your environment.

How should you approach finding and fixing the root causes of cloud performance issues? Check your infrastructure and the applications themselves. Examine the applications you ported over from on-premises data centers, and evaluate whether newer cloud technologies such as containers or serverless computing could replace some of your application components and improve performance. Also, evaluate multiple cloud providers for your application or infrastructure needs, as each has its own offerings and geographic distribution.

Cloud Management Challenge #5: Cost

Managing cloud costs can be a challenge, but in general, migrating to the cloud offers companies enormous savings. We see organizations investing more dollars in the cloud to bring greater flexibility to their enterprise, allowing them to quickly and efficiently react to the changing market conditions. Organizations are moving more of their services to the cloud, which is resulting in higher spend with cloud service providers.

Shifting IT cost from on-premises to the cloud on its own is not the challenge – it is the unmonitored sprawl of cloud resources that typically spikes cost for organizations. Managing your cloud costs can be simple if you effectively monitor use. With visibility into unsanctioned, “Shadow” cloud use, your organization can find the areas where there is unnecessary waste of resources. By auditing your cloud usage, you may even determine new ways to manage cost, such as re-architecting your workloads using a PaaS architecture, which may be more cost-effective.

Final Thoughts

Migrating to the cloud is a challenge but can bring a wide range of benefits to your organization with a reduction in costs, unlimited scalability, improved security, and overall a faster business model. These days, everyone is in the cloud but that doesn’t mean your business’s success should be hindered by the common challenges of cloud management.

For more on how to secure your cloud environment, check out McAfee MVISION Cloud, a cloud access security broker (CASB) that protects data where it lives with a solution that was built natively in the cloud, for the cloud.

The post Cloud 101: Navigating the Top 5 Cloud Management Challenges appeared first on McAfee Blogs.

The iOS Twitter Bug: 3 Tips to Protect Your Location Data

Many of us use social media to keep our family and friends up-to-date on our everyday lives. We don’t typically expect social media companies to keep their partners updated on our every move as well. But for some Twitter users, this is exactly the situation they’ve found themselves in. On Monday afternoon, the social media company disclosed a bug that resulted in some Twitter users’ locations being shared with an unnamed Twitter partner.

So, how exactly did this bug disclose the locations of certain Twitter users? The social network accidentally sent advertising partners location data for a process called real-time bidding. This process lets advertisers pay for space based on certain users’ locations. Twitter intended to remove the location data from what it sent to its partners but failed to do so. Affected users include those who had more than one Twitter account on an iOS device. If the user chose to share their precise location on one account, Twitter says it may have collected and shared data for the other account on the same mobile device even if that account had opted out of location sharing. Although the location data was “fuzzed” to only show a ZIP code or city, it is still unclear as to how long this location sharing took place.

According to Twitter, the location data was not retained by the partner and they have fixed the problem to ensure that it doesn’t happen again. And while affected users have already been notified by the social network, there are some steps users can take to help protect their data:

  • Turn off location services. While social media is meant for sharing, there is some information, like your location, that ought to be kept private. If a cybercriminal knows where you are at a specific point in time, they could potentially use that information to your disadvantage. Consider your overall privacy and opt out of sharing your location data with social media platforms.
  • Update, update, update. No matter what type of bug might be affecting a certain platform, it’s always crucial to keep your software up-to-date. Turning on automatic updates will ensure that you are always equipped with the latest patches and security fixes.
  • Use a comprehensive security solution. Using a solution like McAfee Total Protection helps to add an extra layer of security in case a bug does expose your device or data.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The iOS Twitter Bug: 3 Tips to Protect Your Location Data appeared first on McAfee Blogs.

ZombieLoad: Researchers discover New Hardware Vulnerability in Modern Intel Processors

A brand new processor hardware vulnerability affecting modern Intel CPUs has been uncovered by Bitdefender researchers. Coined "ZombieLoad", the side-channel processor vulnerability defeats the architectural safeguards of the processor and allows unprivileged user-mode applications to steal kernel-mode memory information processed on the affected computer.


A Concerning Impact on Cloud Services

The new vulnerability can be exploited by attackers to leak privileged data from an area of the processor's memory meant to be strictly off-limits. This flaw could be used in highly targeted attacks that would normally require system-wide privileges or deep subversion of the operating system. The flaw has an extremely large impact on cloud service providers and within multi-tenant environments, as potentially a 'bad neighbour' could leverage this flaw to read data belonging to other tenants.

The proof-of-concept code, which has been shared privately with the vendor, was reported by the researchers to have been successfully tested on Intel Ivy Bridge, Haswell, Skylake and Kaby Lake microarchitectures.


Remediation

Since this vulnerability stems from a hardware design flaw, microcode patches have been made available to remediate it. Currently, Bitdefender and industry partners are working on fixes implemented at the hypervisor level.

Similarities with Meltdown and Spectre

Side-channel attacks based on speculative execution were in the news with the identification of the Meltdown and Spectre CPU vulnerabilities back in early 2018. Since then, variants of side-channel attacks have been discovered occasionally and partially mitigated via microcode and operating system patches. However, as this flaw stems from a hardware design issue, a general fix that plugs the hardware vulnerability is impossible.
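Because the remediation described above is split between a microcode update and an operating system patch, the practical question for a defender is whether a given host actually has both. On Linux the kernel's MDS mitigation (ZombieLoad belongs to the MDS family of flaws) added a one-line report under sysfs that answers exactly that. The following is an added example, not code from the original post or from Bitdefender, that classifies that report into a remediation verdict; the sample lines are constructed in the format the kernel documentation describes, and the script also reads the live file on the host it runs on if that file exists.

```python
"""Classify the Linux kernel's MDS (ZombieLoad) sysfs report. Added example,
not from the original post; the sample report lines are constructed."""
from pathlib import Path
from typing import Tuple

MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample reports, in the "State: detail; SMT note" shape the kernel uses
SAMPLES = {
    "patched":      "Mitigation: Clear CPU buffers; SMT vulnerable",
    "no_microcode": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "old_kernel":   "Vulnerable",
    "immune":       "Not affected",
}


def parse_mds_report(line: str) -> Tuple[str, str, str]:
    """Split 'State: detail; SMT note' into (state, detail, smt_note)."""
    main, _, smt = line.strip().partition(";")
    state, _, detail = main.partition(":")
    return state.strip(), detail.strip(), smt.strip()


def assess_mds(line: str) -> str:
    """Turn the kernel's report into a remediation verdict for the host."""
    state, detail, smt = parse_mds_report(line)
    if state == "Not affected":
        return "ok: CPU not affected"
    if state == "Mitigation":
        if smt == "SMT vulnerable":
            # Buffers are cleared on kernel exit, but a sibling hyperthread can
            # still sample them while the other thread runs
            return "partial: kernel mitigation active, but SMT siblings can still leak"
        return "ok: kernel mitigation active"
    if "no microcode" in detail:
        # Kernel knows how to flush, but the CPU lacks the microcode that makes the flush work
        return "action: install the CPU microcode update"
    return "action: kernel has no MDS mitigation, update kernel and microcode"


def assess_this_host() -> str:
    """Read the live report, if this is a Linux host with an MDS-aware kernel."""
    if not MDS_SYSFS.exists():
        return "unknown: no sysfs report (not Linux, or kernel predates the MDS patches)"
    return assess_mds(MDS_SYSFS.read_text())


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:13} {line!r:72} -> {assess_mds(line)}")
    print("this host ->", assess_this_host())
```

Running this in a fleet inventory job gives a per-host answer to "kernel patched, microcode patched, SMT still exposed", which is the same three-way split the remediation section above implies; the partial verdict for hosts with SMT enabled is the one multi-tenant operators most need to see.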


Picking and Choosing Your Online Privacy

I’ll admit it. I am old enough that my younger adult days have not been recorded for all to access on the internet. Many of my generation – the X’ers – relish this lucky position when it comes to the intersection of life and the technological innovation time line. Not that the choice was mine, […]

The post Picking and Choosing Your Online Privacy appeared first on Privacy Ref Blog.

WhatsApp Releases Update Following Breach via Remote Code Execution Vulnerability

On Monday, The Financial Times reported that attackers have been exploiting a buffer overflow vulnerability in the popular messaging service WhatsApp. The vulnerability has been fixed, and updates were released on Friday. WhatsApp, owned by Facebook, is urging both iPhone and Android users to update the app as soon as possible.

Veracode’s State of Software Security Volume 9 found that buffer overflow was the 25th most common vulnerability, found in 3 percent of applications. Although not as prevalent as some other flaw categories (like XSS or SQL injection), it is a highly exploitable flaw, and organizations should be aware of it and address it quickly. Yet our data also reveals that organizations are taking a troubling amount of time to fix buffer overflow flaws – it took organizations an average of 225 days to address 75 percent of these flaws.

According to WhatsApp, the vulnerability (CVE-2019-3568) in the VoIP stack allows remote code execution. The RCE vulnerability in WhatsApp is exploited by sending malicious code to targeted phone numbers. Attackers can exploit the vulnerability by using the WhatsApp calling function to call a user’s mobile phone and then install surveillance software on the device. According to The Financial Times, a user doesn’t need to answer the call to be infected, and the calls seem to disappear from logs.

NSO Group, part-owned by private equity firm Novalpina Capital, is an Israeli company that created Pegasus, the software that is believed to be an integral element for successfully pulling off the attacks. The BBC reports that NSO’s flagship software can gather personal data from a targeted device using the microphone and camera, as well as capturing location data.

WhatsApp has reported the vulnerability to its lead regulator in the European Union, Ireland’s Data Protection Commission (DPC), though it is still investigating whether or not any EU user data has been affected as a result of the incident. The company also reported the vulnerability to the US Department of Justice last week.

WhatsApp is one of the most popular messaging tools in the world, with a sizeable 1.5 billion monthly users. It’s favored for its high level of security and privacy, as messages are encrypted end-to-end. This news adds to a turbulent period at Facebook, which bought WhatsApp in 2014 for $19 billion. Last month, a security research firm revealed 540 million Facebook accounts were publicly exposed, and a co-founder, Chris Hughes, recently advocated in The New York Times that the company should be broken up for fear that it has too much influence and power.

Privacy Awareness Week 2019 – Are You In The Dark About Your Online Privacy?

If you haven’t given your online privacy much attention lately then things need to change. In our era of weekly data breaches, the ‘I’ve got nothing to hide’ excuse no longer cuts it. In my opinion, ensuring your privacy is protected online is probably more important than protecting your home and car! A sloppy approach to online privacy can have devastating ramifications to your financial health, your career and even your physical wellbeing.

This week is Privacy Awareness Week in Australia – a great reminder to give our online privacy a ‘check-up’ and work out what we can do to ensure the information we share online (and who sees it) is locked down.

What Do We Need to Protect?

When we think about online privacy, we often think about protecting our passwords and financial data online. But it’s a little more complicated. There are 2 categories of information that we share in our online life that require protection.

  1. Personally Identifying Information (PII) – this includes our name, birthdate, address and Medicare number
  2. Non-Personally Identifying Information – this includes the information about what we do online. It’s a combination of the websites we visit, what we buy online, our online searches and the pages we like on our social media profiles. Our online activity creates a digital folder about ourselves and many companies just love this data so they can send targeted ads your way. Ever wondered why you receive ads about holiday destinations after a few wishful holiday Google searches?

Without adequate online privacy, all the information about our online activities can be collected and analysed by third parties. In fact, data collected (legally) about you by websites can be very lucrative! Companies known as data brokers collect and maintain data on millions of people and charge handsomely for their services!

Why Do I Need To Worry About My Online Privacy?

Just think for a moment about some of the information that is stored about you online…

  • Your PII is stored in the background of probably every online account you have including social media, news and banking
  • Your online banking and superannuation sites contain details of all your accounts and your net worth
  • Your health and taxation records may be accessible online, and may contain sensitive information you would prefer not to be shared
  • If you haven’t disabled location services on your phone, your whereabouts can be tracked by clever parties on a daily basis
  • Your pictures and videos

While some of this information is stored without your control, there are steps you can take to tighten up access.

Now, think about your daily online activity…

  • Anything you order online via your web browser can be recorded
  • Anytime you send an email with sensitive information, there is a risk this will also be shared
  • Anytime you pay on the go using a facility like Apple Pay, your purchase will be tracked
  • Anything you search for, the articles you read, the movie tickets you buy and even your weekly online grocery order can be tracked

If this comes as a shock to you then you’re not alone. Many Aussies have been in the dark about what information is available about them online. But, don’t throw the towel in – there are strategies to tighten up your online privacy.

How To Get Your Online Privacy Under Control

There are a few simple steps you can take to lock down your valuable online information. So, make yourself a nice cuppa and let’s get to work:

  1. Manage Your Passwords

Your online passwords are as important as your house keys. In fact, in many cases, it is the only thing stopping cybercriminals from accessing our vital information that we have saved online. So, if you want to tighten up access to your online banking, your social media platforms and your favourite online shopping sites then you need to think carefully about how you manage your passwords.

Passwords need to be complex and unique with at least 8-10 characters and a combination of letters, numbers and symbols. And each of your online accounts should have a separate password which should be changed regularly. Too hard? Consider a Password Manager which creates and manages complex passwords for each of your online accounts – a complete no brainer!! McAfee’s Total Protection software includes a Password Manager which stores, auto-fills and generates unique passwords for all your online accounts. All you need to do is remember one master password! Easy!

And don’t forget, if one of your online accounts is affected by a data breach, then you need to change that password ASAP. If you have a password manager, simply have it generate another password for you.

  2. Use Public Wi-Fi With Caution

If you are serious about your online privacy then you need to use public Wi-Fi sparingly. Unsecured public Wi-Fi is a very risky business. Anything you share could easily find its way into the hands of cybercriminals. So, please avoid sharing any sensitive or personal information while using public Wi-Fi. If you travel regularly or spend the bulk of your time on the road then consider investing in a VPN. A VPN (Virtual Private Network) encrypts your activity, which means your login details and other sensitive information are protected. McAfee has a great VPN product called Safe Connect. An excellent insurance policy!

  3. Use 2-Factor Authentication

Adding an additional layer of security to protect yourself when accessing your online accounts is another great way of guarding your online privacy. Turn on two-factor authentication for Google, Dropbox, Facebook and whatever other site offers it. For those new to this option, this means that in addition to your password, you will need to provide another form of identification to ensure you are who you say you are. Most commonly, this is a code sent to your mobile phone or generated by a smart phone app.

  4. Keep Your Software Updated

Software updates and patches are often designed to address a security vulnerability, so ALWAYS install them so the bad guys can’t take advantage of a security hole in your system. If it all becomes too hard, why not automate the updates?

  5. Invest in Security Software for ALL Your Devices

Installing comprehensive security software on all your devices, including laptops, tablets and smartphones, adds another layer of protection to your vital online information. Check out McAfee’s Total Protection software that will ensure you and your devices are protected against viruses, malware, spyware and ransomware.

  6. Consider a Search Engine that Doesn’t Track Your Every Move Online

If you would prefer that your search engines didn’t collect and store the information you enter then consider an alternative ‘privacy focussed’ search engine. Check out DuckDuckGo that doesn’t profile users or track or sell your information to third parties.

  7. Delete All Cookies

Cookies are another way your online activity can be tracked. While some are harmless and used simply to remember things about you such as your login information and language, others, known as tracking cookies, remain permanently, constantly gathering information about your behaviour and what you click on. So, let’s get rid of them! Head into your web browser’s Privacy settings and clean them out.

So, let’s get our online privacy under control this Privacy Awareness Week. But don’t forget about your kids and elderly relatives too! Proactively managing one’s online privacy needs to be a priority for everyone. Why not start a conversation at the dinner table? Perhaps give the family a privacy-related task each day during Privacy Awareness Week? For example:

Monday – Clean up your passwords or set up a Password Manager

Tuesday – Research a VPN

Wednesday – Set up 2 factor authentication

Thursday – Ensure all your software is up to date and set up auto-updates where possible

Friday – Research privacy focussed search engines and delete all cookies

Over to you mums and dads. Would love to hear how you go.

Alex xx

The post Privacy Awareness Week 2019 – Are You In The Dark About Your Online Privacy? appeared first on McAfee Blogs.

I am an AI Neophyte

I am an Artificial Intelligence (AI) neophyte. I’m not a data scientist or a computer scientist or even a mathematician. But I am fascinated by AI’s possibilities, enamored with its promise and at times terrified of its potential consequences.

I have the good fortune to work in the company of amazing data scientists that seek to harness AI’s possibilities. I wonder at their ability to make artificial intelligence systems “almost” human. And I use that term very intentionally.

I mean “almost” human, for to date, AI systems lack the fundamentals of humanness. They possess the mechanics of humanness, qualities like logic, rationale, and analytics, but that is far from what makes us human. Their most human trait is one we prefer they not inherit – a propensity to perpetuate bias. To be human is to have consciousness. To be sentient. To have common sense. And to be able to use these qualities and the life experience that informs them to interpret successfully not just the black and white of our world but the millions of shades of grey.

While data scientists are grappling with many technical challenges associated with AI there are a couple I find particularly interesting. The first is bias and the second is lack of common sense.

AI’s propensity to bias is a monster of our own making. Since AI is largely a slave to the data it is given to learn from, its outputs will reflect all aspects of that data, bias included. We have already seen situations where applications leveraging AI have perpetuated human bias unintentionally but with disturbing consequences.

For example, many states have started to use risk assessment tools that leverage AI to predict probable rates of recidivism for criminal defendants. These tools produce a score that is then used by a judge for determining a defendant’s sentencing. The problem is not the tool itself but the data that is used to train it. There is evidence that there has historically been significant racial bias in our judicial systems, so when that data is used to train AI, the resulting output is equally biased.

A report by ProPublica in 2016 found that algorithmic assessment tools are likely to falsely flag African American defendants as future criminals at nearly twice the rate as white defendants*. For any of you who saw the Tom Cruise movie, Minority Report, it is disturbing to consider the similarities between the fictional technology used in the movie to predict future criminal behavior and this real life application of AI.

The second challenge is how to train artificial intelligence to be as good at interpreting nuance as humans are. It is straightforward to train AI how to do something like identifying an image as a hippopotamus. You provide it with hundreds or thousands of images or descriptions of a hippo and eventually it gets it right most if not all the time.

The accuracy percentage is likely to go down for things that are perhaps more difficult to distinguish—such as a picture of a field of sheep versus a picture of popcorn on a green blanket—but with enough training even this is a challenge that can be overcome.

The interesting thing is that the challenge is not limited to things that lack distinguishing characteristics. In fact, the things that are so obvious that they never get stated or documented, can be equally difficult for AI to process.

For example, we humans know that a hippopotamus cannot ride a bicycle. We inherently know that if someone says “Jimmy played with his boat in the swimming pool” that, except in very rare instances likely involving eccentric billionaires, the boat was a toy boat and not a full-size catamaran.

No one told us these things – it’s just common sense. The common sense aspects of interpreting these situations could be lost on AI. The technology also lacks the ability to infer emotion or intent from data. If we see someone buying flowers we can mentally infer why – a romantic dinner or somebody’s in the doghouse. We can not only guess why they are buying flowers, but when I say somebody’s in the dog house you know exactly what I mean. It’s not that they are literally in the dog house, but someone did something stupid and the flowers are an attempt at atonement.

That leap is too big for AI today. When you add to the mix cultural differences it exponentially increases the complexity. If a British person says put something in the boot it is likely going to be groceries. If it is an American it will likely be a foot. Teaching AI common sense is a difficult task and one that will take significant research and effort on the part of experts in the field.

But the leap from logic, rationale and analytics to common sense is a leap we need AI to make for it to truly become the tool we need it to be, in cybersecurity and in every other field of human endeavor.

In my next blog, I’ll discuss the importance of ensuring that this profoundly impactful technology reflects our human values in its infancy, before it starts influencing and shaping them itself.

*ProPublica, Machine Bias, May 23, 2016

The post I am an AI Neophyte appeared first on McAfee Blogs.

On Mother’s Day, Show Your Love for Your Mom by Introducing Her to Helpful Apps

A mobile chat with my mother usually goes off like this:

“Hello! Can you hear me! I am very busy so can’t talk much! I have a question.”

“Umm OK but is your speaker on? Can you please speak a little softly?”

“Yes, yes, OK… I know how to operate smartphones. Still smarter than a lot of you! Don’t waste my time; I need to go to the dentist so please book a cab for me.”

Despite pushing 80, my mom has a strong competitive spirit and has taught herself how to operate a smartphone, sign up on social media and listen to music. I have often been ticked off for not being considerate enough to read and like her posts!

The man-phone tussle senior citizens experience

As I drove to her place, I thought about her and all other Moms who are past their middle age. They must be struggling to come to terms with technological progress. It must be so difficult for them- from having the whole neighbourhood dropping in to watch Doordarshan on their new shiny black-and-white TV set to streaming the latest movies on their personal devices! From typing out letters on typewriters to emails on computers- they have a lot on their plate to adjust to.

It occurred to me that I need to help out more and not assume she can pick up the rest herself. I needed to show Mom how she can use her phone for booking cabs, ordering her meds, buying grocery and so on; it would be of immense help to her. She would feel tech-savvy and happy not to be dependent on others. Not wishing to waste a single moment, I made a date with her and took her out to lunch. Over lunch and a leisurely conversation, I introduced her to the several ways apps can make life easier for her.

Mother’s Day Idea

Why not try this idea out on Mother’s Day? Take your Mom out for a picnic or a movie-and-meal; sit, chat and regale each other with your childhood stories- the stories she probably likes the best? Give her your undivided attention- and this may mean keeping your own phone on silent- and instead show her what all she can do with hers?

Apps can indeed make life easier

  • Online grocery- these are really helpful as she can decide and buy and have everything delivered home.
  • Recipe Apps- she is growing old and it will become progressively tougher for her to remember all the recipes and ingredients. You can download apps of her choice of cooking and show her how to navigate through the site. I have one on my mobile that gives me a new salad recipe every day! Life is so easy, and oh so happily healthy.
  • Apps to keep track of doctor’s visits- Many hospitals too have apps that keep records of visits, tests etc. Download if her clinic offers an app service
  • Apps to book cabs: Remember to add your name and that of other family members, so that you receive intimation when she travels
  • Calendar app: Show her how to save birthdays, anniversaries, appointments and reminders so that she is free of the onerous task of remembering petty details
  • e-wallets – She will be able to place orders online without being worried about credit card fraud. That would be very helpful for her
  • e-reader app- If she loves reading, she will bless you for an app that will bring the library into her hands

There are many, many more. Take your pick as per your mom’s interest.

This will be akin to killing three birds with one stone:

  • Make her tech-savvy – Smartphones confuse older generations, with new models offering yet newer features and functionalities. Spend time with your Mom and take her through the new features. Take this opportunity to install mobile security if you have not already.
  • Add a zing to her life- you will have the pleasure of knowing you have somewhat helped to make her life more interesting and engaging, now that she has more free time on hand.
  • Quality bonding time- The more personal attention you give her, the happier she will be- for that’s all she wants from you, your time.

Being an experienced digital user, you know well that not all apps are genuine or safe. Make it a point to download apps only from a verified source, even if you have to pay for it.

Let me sign off with a cybersafety tip – Activate a password manager, like the trusted TrueKey from McAfee, that will remember her passwords and keep them safe for her.

Tip for you: TrueKey is included in McAfee Total Protection and McAfee LiveSafe. One product can cover several devices and so you can use yours to cover your Mom’s phone too. That way you can renew protection without troubling her with these nitty-gritties.

Happy Mother’s Day to all beautiful moms out there! You ladies are superwomen!

The post On Mother’s Day, Show Your Love for Your Mom by Introducing Her to Helpful Apps appeared first on McAfee Blogs.

Saving Summer: 5 Strategies to Help Reign In Family Screen Time Over Break


It’s the most wonderful time of the year — for teachers and lifeguards. For everyone else (parents) we have a little prep work to do to make sure the summer doesn’t lull our kids into digital comas.

Most of us have learned that given zero limits, kids will play video games, watch YouTube, send snaps, and scroll Instagram into the midnight hours. This ever-present digital lure, combined with the “summer slide,” which is the academic ground kids lose over the summer, means that parents hoping to make the most of the summer months need to get proactive — now.

No matter your child’s age, teaching kids to use technology in a healthy way and pick up skills and habits that will make them savvy digital citizens, becomes even more critical in the summer months. Studies show that excess screen time can lead to increased cyberbullying, low self-esteem, depression, isolation, and anxiety in children and teens. Also, the World Health Organization (WHO) has now classified a new form of addiction called “gaming disorder.” That designation means health professionals can now treat dangerous levels of video gaming as a legitimate addiction. (Yes, this is the new normal of parenting).

Warning signs of too much tech:

  • Tantrums or inappropriate resistance to screen limits or refusing to let you see their devices
  • Lack of sleep (which can cause anger outbursts, moodiness, fatigue, and even illness)
  • Isolation and decrease in face-to-face time with friends and family
  • Complaining about family outings and declining invitations to participate in activities
  • Losing interest in physical activity

Tech balance in one family will look different than in another because every family has its own values, dynamic, and parenting styles. You may have to establish ground rules together and make edits over time — that’s okay, stay flexible. The important thing is to set limits and set them together, so your child feels as if he or she is part of the process and learns how and why to self-regulate over time.


Here are some tips for launching your family conversation and getting summer off to a positive, tech-healthy start.

  1. Discuss and agree on limits. Consider what an average day looks like. Where are the critical gaps where connection can happen? Maybe it’s transition times when you pick up your child from camp or a friend’s house. Perhaps it’s the hour after you get home from work, during meals, movie time, or in restaurants. Maybe it’s family outings such as the pool, the zoo, the theatre, roadmap time, or outdoors. Also, setting a device curfew in the summer months is more critical since kids like to take their devices to bed and keep scrolling. Discuss why and when your family should be screen-free and then put your commitment in writing in a Summer Family Media plan (every age range will require different ground rules). The American Academy of Pediatrics’ website has a fun, easy form you can fill out to create your Family Media Plan based on your child’s age.
  2. Pay attention to content: Setting screen limits doesn’t matter much if the content your child views isn’t healthy. A few questions to help assess content:
  • Is the content age-appropriate?
  • Are the apps my child uses interactive and learning-based or mind-numbing or even risky?
  • Do my family’s technology habits require filtering software to help block inappropriate websites?
  • Are the privacy settings on social media and gaming accounts set to restrict what strangers can see and who can send a direct message to my child?
  3. Jump into the fun. Part of teaching kids to understand healthy technology habits is taking the time to meet them where they are in their digital world — their favorite hangouts. When they understand you aren’t limiting screen time to punish them and that technology in itself isn’t bad, they will be more likely to see the benefits of balance and self-regulate in the future. What online games do they play? Consider watching them excel in their craft and cheering them on. Better yet, grab a controller and play along. What social media sites does your child love? Join in on Snapchat and let them teach you how to have fun with photo filters on the app.
  4. Be hyper intentional. Zig Ziglar once said that to a child, “love” is spelled T-I-M-E. Under the influence of today’s digital culture, nothing is assumed, and most everything requires intentionality — especially grabbing the quality time we desire. Consider sitting down as a family and creating a summer bucket list of things you’d like to do before summer ends. Maybe it’s more movie nights, more beach time, a family craft or building project, volunteer work, board games, workout time, trips, whatever — be realistic that nothing on your list will happen without serious intention.
  5. From monitoring to mentoring. It’s always a good idea to monitor your child’s online activities. We are big fans of filtering software and understanding what social networks and apps your kids frequent. However, because you likely have more face-to-face with your kids in the summer months, think about ways to mentor them. Talk about current events related to online safety, pay attention to their friend groups on and offline, and use this extra time to reset some digital goals that may have slipped off your radar during the school year. Some possible goals: Set up your own Snapchat account, finally learn to use Twitter, educate yourself on dangerous apps, or let your child teach you how to improve your digital skills. With this extra valuable time over the summer, you can cover some serious ground by talking more about concepts like conflict-management, empathy, resilience, self-awareness, and digital responsibility, which will all help strengthen digital skills.

In your quest to establish summer ground rules that work for your family, don’t overlook the importance of the peer-to-peer connection that technology brings. Technology is the primary channel (like it or not) kids have to build their friendships, stay in the loop, and be affirmed. They need hangout time, and that’s usually online. Keep this in mind as you work together to find the balance that works best for your family.

The post Saving Summer: 5 Strategies to Help Reign In Family Screen Time Over Break appeared first on McAfee Blogs.

Celebrating Mother’s Day: How McAfee Supports Expecting & Working Mothers

Mother. It’s one of the best, hardest, most rewarding, challenging and unpredictable jobs a woman can have.

As we approach Mother’s Day in the U.S., I’m reminded of the immense happiness motherhood brings me. I’m also reminded of my own mother. As a child, I distinctly remember watching her getting ready for work. I remember what it stirred in me. In a word? Pride. My mother’s commitment to her career inspired me. I wanted a career I would be passionate about, and in turn, inspire my own children.

That’s why this Mother’s Day I’m appreciating working for a company where I can be a mother and a business professional in a role I truly love. I’m also reflecting on how critical the strides we’re making in workplace culture, policies, and programs are to better serve working mothers and parents.

In an industry made up of just 24% women, we can’t afford to miss out on the perspectives and innovation we unlock when we ensure our workplace mirrors the world in which we live. And considering our current cybersecurity talent shortage, an inclusive workplace is critical to bridging our workforce gap.

To encourage more women to bring (and keep!) their valuable and highly sought-after skills in the workplace, we can’t just talk a good game when it comes to championing inclusion and diversity; we have to walk the walk. Here are three ways McAfee is doing just that when it comes to supporting mothers:

Supporting You as Your Family Grows

Welcoming a child is an exciting time in your life. We want to help you take the time you need and to celebrate, bond, and adjust to new life with the newest addition to your family. Whether it’s offering extended leave with your new baby, providing the convenience of bringing your kids to the office or flexible working schedules, our parent initiatives recognize, celebrate, and accommodate your life’s big moments.

Offering Comfort and Convenience in the Workplace

Coming back to work after having a baby can be a big transition for many, which is why McAfee helps support mothers returning to the workplace after leave. For example, if you’re a nursing mother who travels throughout the U.S., we offer a Milk Stork delivery program to give you peace of mind and convenience to get your baby’s nourishment delivered in a safe and speedy manner.

In an ever-growing number of McAfee offices we offer Mother’s Rooms to provide a private and convenient way for mothers or mothers-to-be to enjoy a quiet and comfortable space while providing for their infant (and let’s be honest, sometimes that’s the only 20 minutes or so of quiet time a new working mother might have!). And for expecting or new mothers, Stork Parking provides reserved parking spaces. Fun fact: a pregnant woman’s lungs become increasingly compact as the baby grows which means getting from A to B is no longer a simple task. We recognize this at McAfee. We know that the small things count.

Reintroducing Mothers to the Workforce

We know careers aren’t always linear, and parents may choose to pause their careers to care for their families. McAfee’s Return to Workplace program taps into the potential of those who may have taken a career break with the support, guidance, and resources needed to successfully rejoin the workforce. This global initiative was launched in our Bangalore, Cork, and Plano offices last year. I’m proud to share 80 percent of program participants were offered a full-time position at McAfee.

Being a working mother is a strength. It only adds to the varying perspectives and experiences that drive innovative solutions. At McAfee, I’m so proud of the ways we’re recognizing and supporting mothers – and all of our team members – in being successful at home and at the workplace.

To learn more about the ways we support working mothers and our efforts to build an inclusive workplace where all can belong, read our first-ever Inclusion & Diversity Report.

Ready to join a company that helps you achieve your best at work and at home? We’re hiring.

The post Celebrating Mother’s Day: How McAfee Supports Expecting & Working Mothers appeared first on McAfee Blogs.

Zavvi Champions League Final Competition Winner Email Blunder

Like many Zavvi customers this morning, I received an email titled "Congratulations, you're our Mastercard Competition WINNER!" in my inbox. An amazing prize consisting of two tickets to watch Liverpool and Spurs battle it out in the 2019 UEFA Champions League Final in Madrid. The prize also included two nights at a 4-star hotel, flights, transfers and a £250 prepaid card.
Zavvi Winners Email

Obviously, my initial thought was that it was a phishing email, of decent quality and a well-timed attempt given Liverpool and Tottenham Hotspur were confirmed as finalists after very dramatic semi-final matches on the previous nights. I logged into my Zavvi account directly, then reset my password just in case, and after a bit of checking of the embedded links within the email, and research on the Zavvi website, I soon established it was a genuine email from Zavvi.

But before embarking on a Mauricio Pochettino style injury-time winning goal celebration, I had a quick scan of my social media feeds, and it quickly became apparent there were many others believing and bragging they had also won this fantastic prize.

Pochettino Celebrating an unbelievable Spurs Comeback in the Semi-Final

So unless the Atlético Madrid stadium has undergone a huge capacity upgrade, it became obvious that someone at Zavvi had made a huge blunder, resulting in personalised competition winner emails being sent en masse to thousands of Zavvi customers.

UCL Final Ticket Allocation?

This kind of mass emailing replicates the time-tested phishing technique deployed by cybercriminals. But instead of having a malicious web link, a hidden malware-laced attachment, or the opening dialogue of a social engineering scam, it took its recipients on an emotional rollercoaster which ended with them feeling as flat as the Ajax players, after they lost their place in the final following an injury-time strike by Spurs' Brazilian striker Lucas Moura.
Zavvi left their customers feeling as flat as Ajax players did last night

What compounded matters was Zavvi keeping relatively schtum about the blunder throughout the day. The e-commerce entertainment retail store published an apology mid-morning on their Facebook page, but after hundreds of comments by angry customers, they deleted the post a couple of hours later. It took almost 8 hours before Zavvi finally followed up the "Congratulations" email by emailing an apology which offered a mere 15% discount off their website products. I suspect most Zavvi customers won't be too happy about that, especially those that went through the day believing they had won a once-in-a-lifetime competition.
Zavvi Apology Email - Sent almost 8 hours after the Winners Email

Queue the Hardening Enhancements

Posted by Jeff Vander Stoep, Android Security & Privacy Team and Chong Zhang, Android Media Team

[Cross-posted from the Android Developers Blog]

Android Q Beta versions are now publicly available. Among the various new features introduced in Android Q are some important security hardening changes. While exciting new security features are added in each Android release, hardening generally refers to security improvements made to existing components.

When prioritizing platform hardening, we analyze data from a number of sources including our vulnerability rewards program (VRP). Past security issues provide useful insight into which components can use additional hardening. Android publishes monthly security bulletins which include fixes for all the high/critical severity vulnerabilities in the Android Open Source Project (AOSP) reported through our VRP. While fixing vulnerabilities is necessary, we also get a lot of value from the metadata - analysis on the location and class of vulnerabilities. With this insight we can apply the following strategies to our existing components:

  • Contain: isolating and de-privileging components, particularly ones that handle untrusted content. This includes:
    • Access control: adding permission checks, increasing the granularity of permission checks, or switching to safer defaults (for example, default deny).
    • Attack surface reduction: reducing the number of entry/exit points (i.e. principle of least privilege).
    • Architectural decomposition: breaking privileged processes into less privileged components and applying attack surface reduction.
  • Mitigate: Assume vulnerabilities exist and actively defend against classes of vulnerabilities or common exploitation techniques.

Here’s a look at high severity vulnerabilities by component and cause from 2018:

Most of Android’s vulnerabilities occur in the media and bluetooth components. Use-after-free (UAF), integer overflows, and out of bounds (OOB) reads/writes comprise 90% of vulnerabilities with OOB being the most common.

A Constrained Sandbox for Software Codecs

In Android Q, we moved software codecs out of the main mediacodec service into a constrained sandbox. This is a big step forward in our effort to improve security by isolating various media components into less privileged sandboxes. As Mark Brand of Project Zero points out in his Return To Libstagefright blog post, constrained sandboxes are not where an attacker wants to end up. In 2018, approximately 80% of the critical/high severity vulnerabilities in media components occurred in software codecs, meaning further isolating them is a big improvement. Due to the increased protection provided by the new mediaswcodec sandbox, these same vulnerabilities will receive a lower severity based on Android’s severity guidelines.

The following figure shows an overview of the evolution of media services layout in the recent Android releases.

  • Prior to N, media services are all inside one monolithic mediaserver process, and the extractors run inside the client.
  • In N, we delivered a major security re-architect, where a number of lower-level media services are spun off into individual service processes with reduced privilege sandboxes. Extractors are moved into server side, and put into a constrained sandbox. Only a couple of higher-level functionalities remained in mediaserver itself.
  • In O, the services are “treblized” and further deprivileged, that is, separated into individual sandboxes and converted into HALs. The media.codec service became a HAL while still hosting both software and hardware codec implementations.
  • In Q, the software codecs are extracted from the media.codec process and moved back to the system side. It becomes a system service that exposes the codec HAL interface. SELinux policy and seccomp filters are further tightened up for this process. In particular, while the previous mediacodec process had access to device drivers for hardware accelerated codecs, the software codec process has no access to device drivers.

With this move, we now have the two primary sources for media vulnerabilities tightly sandboxed within constrained processes. Software codecs are similar to extractors in that they both have extensive code parsing bitstreams from untrusted sources. Once a vulnerability is identified in the source code, it can be triggered by sending a crafted media file to media APIs (such as MediaExtractor or MediaCodec). Sandboxing these two services allows us to reduce the severity of potential security vulnerabilities without compromising performance.

In addition to constraining riskier codecs, a lot of work has also gone into preventing common types of vulnerabilities.

Bound Sanitizer

Incorrect or missing memory bounds checking on arrays account for about 34% of Android’s userspace vulnerabilities. In cases where the array size is known at compile time, LLVM’s bound sanitizer (BoundSan) can automatically instrument arrays to prevent overflows and fail safely.

BoundSan instrumentation

BoundSan is enabled in 11 media codecs and throughout the Bluetooth stack for Android Q. By optimizing away a number of unnecessary checks the performance overhead was reduced to less than 1%. BoundSan has already found/prevented potential vulnerabilities in codecs and Bluetooth.

More integer sanitizer in more places

Android pioneered the production use of sanitizers in Android Nougat when we first started rolling out integer sanitization (IntSan) in the media frameworks. This work has continued with each release and has been very successful in preventing otherwise exploitable vulnerabilities. For example, new IntSan coverage in Android Pie mitigated 11 critical vulnerabilities. Enabling IntSan is challenging because overflows are generally benign and unsigned integer overflows are well defined and sometimes intentional. This is quite different from the bound sanitizer, where OOB reads/writes are always unintended and often exploitable. Enabling IntSan has been a multi-year project, but with Q we have fully enabled it across the media frameworks with the inclusion of 11 more codecs.

IntSan Instrumentation

IntSan works by instrumenting arithmetic operations to abort when an overflow occurs. This instrumentation can have an impact on performance, so evaluating the impact on CPU usage is necessary. In cases where performance impact was too high, we identified hot functions and individually disabled IntSan on those functions after manually reviewing them for integer safety.

BoundSan and IntSan are considered strong mitigations because (where applied) they prevent the root cause of memory safety vulnerabilities. The class of mitigations described next target common exploitation techniques. These mitigations are considered to be probabilistic because they make exploitation more difficult by limiting how a vulnerability may be used.

Shadow Call Stack

LLVM’s Control Flow Integrity (CFI) was enabled in the media frameworks, Bluetooth, and NFC in Android Pie. CFI makes code reuse attacks more difficult by protecting the forward edges of the call graph, such as function pointers and virtual functions. Android Q uses LLVM’s Shadow Call Stack (SCS) to protect return addresses, protecting the backward edge of the control-flow graph. SCS accomplishes this by storing return addresses in a separate shadow stack which is protected from leakage by storing its location in the x18 register, which is now reserved by the compiler.

SCS Instrumentation

SCS has negligible performance overhead and a small memory increase due to the separate stack. In Android Q, SCS has been turned on in portions of the Bluetooth stack and is also available for the kernel. We’ll share more on that in an upcoming post.

eXecute-Only Memory

Like SCS, eXecute-Only Memory (XOM) aims at making common exploitation techniques more expensive. It does so by strengthening the protections already provided by address space layout randomization (ASLR) which in turn makes code reuse attacks more difficult by requiring attackers to first leak the location of the code they intend to reuse. This often means that an attacker now needs two vulnerabilities, a read primitive and a write primitive, where previously just a write primitive was necessary in order to achieve their goals. XOM protects against leaks (memory disclosures of code segments) by making code unreadable. Attempts to read execute-only code results in the process aborting safely.

Tombstone from a XOM abort

Starting in Android Q, platform-provided AArch64 code segments in binaries and libraries are loaded as execute-only. Not all devices will immediately receive the benefit as this enforcement has hardware dependencies (ARMv8.2+) and kernel dependencies (Linux 4.9+, CONFIG_ARM64_UAO). For apps with a targetSdkVersion lower than Q, Android’s zygote process will relax the protection in order to avoid potential app breakage, but 64 bit system processes (for example, mediaextractor, init, vold, etc.) are protected. XOM protections are applied at compile-time and have no memory or CPU overhead.

Scudo Hardened Allocator

Scudo is a dynamic heap allocator designed to be resilient against heap related vulnerabilities such as:

  • Use-after-frees: by quarantining freed blocks.
  • Double-frees: by tracking chunk states.
  • Buffer overflows: by check summing headers.
  • Heap sprays and layout manipulation: by improved randomization.

Scudo does not prevent exploitation but rather proactively manages memory in a way to make exploitation more difficult. It is configurable on a per-process basis depending on performance requirements. Scudo is enabled in extractors and codecs in the media frameworks.

Tombstone from Scudo aborts

Contributing security improvements to Open Source

AOSP makes use of a number of Open Source Projects to build and secure Android. Google is actively contributing back to these projects in a number of security critical areas:

Thank you to Ivan Lozano, Kevin Deus, Kostya Kortchinsky, Kostya Serebryany, and Mike Antares for their contributions to this post.

What’s New in Android Q Security

Posted by Rene Mayrhofer and Xiaowen Xin, Android Security & Privacy Team

[Cross-posted from the Android Developers Blog]

With every new version of Android, one of our top priorities is raising the bar for security. Over the last few years, these improvements have led to measurable progress across the ecosystem, and 2018 was no different.

In the 4th quarter of 2018, we had 84% more devices receiving a security update than in the same quarter the prior year. At the same time, no critical security vulnerabilities affecting the Android platform were publicly disclosed without a security update or mitigation available in 2018, and we saw a 20% year-over-year decline in the proportion of devices that installed a Potentially Harmful App. In the spirit of transparency, we released this data and more in our Android Security & Privacy 2018 Year In Review.

But now you may be asking, what’s next?

Today at Google I/O we lifted the curtain on all the new security features being integrated into Android Q. We plan to go deeper on each feature in the coming weeks and months, but first wanted to share a quick summary of all the security goodness we’re adding to the platform.

Encryption

Storage encryption is one of the most fundamental (and effective) security technologies, but current encryption standards require devices have cryptographic acceleration hardware. Because of this requirement many devices are not capable of using storage encryption. The launch of Adiantum changes that in the Android Q release. We announced Adiantum in February. Adiantum is designed to run efficiently without specialized hardware, and can work across everything from smart watches to internet-connected medical devices.

Our commitment to the importance of encryption continues with the Android Q release. All compatible Android devices newly launching with Android Q are required to encrypt user data, with no exceptions. This includes phones, tablets, televisions, and automotive devices. This will ensure the next generation of devices are more secure than their predecessors, and allow the next billion people coming online for the first time to do so safely.

However, storage encryption is just one half of the picture, which is why we are also enabling TLS 1.3 support by default in Android Q. TLS 1.3 is a major revision to the TLS standard finalized by the IETF in August 2018. It is faster, more secure, and more private. TLS 1.3 can often complete the handshake in fewer roundtrips, making the connection time up to 40% faster for those sessions. From a security perspective, TLS 1.3 removes support for weaker cryptographic algorithms, as well as some insecure or obsolete features. It uses a newly-designed handshake which fixes several weaknesses in TLS 1.2. The new protocol is cleaner, less error prone, and more resilient to key compromise. Finally, from a privacy perspective, TLS 1.3 encrypts more of the handshake to better protect the identities of the participating parties.

Platform Hardening

Android utilizes a strategy of defense-in-depth to ensure that individual implementation bugs are insufficient for bypassing our security systems. We apply process isolation, attack surface reduction, architectural decomposition, and exploit mitigations to render vulnerabilities more difficult or impossible to exploit, and to increase the number of vulnerabilities needed by an attacker to achieve their goals.

In Android Q, we have applied these strategies to security critical areas such as media, Bluetooth, and the kernel. We describe these improvements more extensively in a separate blog post, but some highlights include:

  • A constrained sandbox for software codecs.
  • Increased production use of sanitizers to mitigate entire classes of vulnerabilities in components that process untrusted content.
  • Shadow Call Stack, which provides backward-edge Control Flow Integrity (CFI) and complements the forward-edge protection provided by LLVM’s CFI.
  • Protecting Address Space Layout Randomization (ASLR) against leaks using eXecute-Only Memory (XOM).
  • Introduction of Scudo hardened allocator which makes a number of heap related vulnerabilities more difficult to exploit.

Authentication

Android Pie introduced the BiometricPrompt API to help apps utilize biometrics, including face, fingerprint, and iris. Since the launch, we’ve seen a lot of apps embrace the new API, and now with Android Q, we’ve updated the underlying framework with robust support for face and fingerprint. Additionally, we expanded the API to support additional use-cases, including both implicit and explicit authentication.

In the explicit flow, the user must perform an action to proceed, such as tap their finger to the fingerprint sensor. If they’re using face or iris to authenticate, then the user must click an additional button to proceed. The explicit flow is the default flow and should be used for all high-value transactions such as payments.

Implicit flow does not require an additional user action. It is used to provide a lighter-weight, more seamless experience for transactions that are readily and easily reversible, such as sign-in and autofill.

Another handy new feature in BiometricPrompt is the ability to check if a device supports biometric authentication prior to invoking BiometricPrompt. This is useful when the app wants to show an “enable biometric sign-in” or similar item in their sign-in page or in-app settings menu. To support this, we’ve added a new BiometricManager class. You can now call the canAuthenticate() method in it to determine whether the device supports biometric authentication and whether the user is enrolled.

What’s Next?

Beyond Android Q, we are looking to add Electronic ID support for mobile apps, so that your phone can be used as an ID, such as a driver’s license. Apps such as these have a lot of security requirements and involve integration between the client application on the holder’s mobile phone, a reader/verifier device, and issuing authority backend systems used for license issuance, updates, and revocation.

This initiative requires expertise around cryptography and standardization from the ISO and is being led by the Android Security and Privacy team. We will be providing APIs and a reference implementation of HALs for Android devices in order to ensure the platform provides the building blocks for similar security and privacy sensitive applications. You can expect to hear more updates from us on Electronic ID support in the near future.

Acknowledgements: This post leveraged contributions from Jeff Vander Stoep and Shawn Willden

Dissecting Weird Packets

I was investigating traffic in my home lab yesterday, and noticed that about 1% of the traffic was weird. Before I describe the weird, let me show you a normal frame for comparison's sake.


This is a normal frame with Ethernet II encapsulation. It begins with 6 bytes of the destination MAC address, 6 bytes of the source MAC address, and 2 bytes of an Ethertype, which in this case is 0x0800, indicating an IP packet follows the Ethernet header. There is no TCP payload as this is an ACK segment.

You can also see this in Tshark.

$ tshark -Vx -r frame4238.pcap

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: May  7, 2019 18:19:10.071831000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557253150.071831000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb), Dst: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
    Destination: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        Address: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        Address: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.4.96, Dst: 52.21.18.219
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 52
    Identification: 0xd98c (55692)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x553f [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.4.96
    Destination: 52.21.18.219
Transmission Control Protocol, Src Port: 38828, Dst Port: 443, Seq: 1, Ack: 1, Len: 0
    Source Port: 38828
    Destination Port: 443
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window size value: 296
    [Calculated window size: 296]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x08b0 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps: TSval 26210782, TSecr 2652693036
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 26210782
            Timestamp echo reply: 2652693036
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]

0000  fc ec da 49 e0 10 38 ba f8 12 7d bb 08 00 45 00   ...I..8...}...E.
0010  00 34 d9 8c 40 00 40 06 55 3f c0 a8 04 60 34 15   .4..@.@.U?...`4.
0020  12 db 97 ac 01 bb e3 42 2a 57 83 49 c2 ea 80 10   .......B*W.I....
0030  01 28 08 b0 00 00 01 01 08 0a 01 8f f1 de 9e 1c   .(..............
0040  e2 2c   

You can see Wireshark understands what it is seeing. It decodes the IP header and the TCP header.

So far so good. Here is an example of the weird traffic I was seeing.



Here is what Tshark thinks of it.

$ tshark -Vx -r frame4241.pcap
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: May  7, 2019 18:19:10.073296000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557253150.073296000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
    Destination: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        Address: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        Address: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Length: 56
        [Expert Info (Error/Malformed): Length field value goes past the end of the payload]
            [Length field value goes past the end of the payload]
            [Severity level: Error]
            [Group: Malformed]
Logical-Link Control
    DSAP: Unknown (0x45)
        0100 010. = SAP: Unknown
        .... ...1 = IG Bit: Group
    SSAP: LLC Sub-Layer Management (0x02)
        0000 001. = SAP: LLC Sub-Layer Management
        .... ...0 = CR Bit: Command
    Control field: U, func=Unknown (0x0B)
        000. 10.. = Command: Unknown (0x02)
        .... ..11 = Frame type: Unnumbered frame (0x3)
Data (49 bytes)
    Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a...
    [Length: 49]

0000  fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02   ...I..8...}..8E.
0010  0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15   ......@.I....`4.
0020  12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec   .......B*W.I....
0030  01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f   .(.o............
0040  a5 4a                                             .J

What's the problem? This frame begins with 6 bytes of the destination MAC address and 6 bytes of the source MAC address, as we saw before. However, the next two bytes are 0x0038, not the Ethertype of 0x0800 we saw earlier. Values of 0x0600 (1536) and above in this field are Ethertypes; values of 0x05DC (1500) and below are IEEE 802.3 length fields, so 0x0038, decimal 56, is read as a length. That length is supposed to count the bytes following the 14-byte header, which here is 66 - 14 = 52, so 56 overruns the frame by 4 bytes; that is the "Length field value goes past the end of the payload" error in the Expert Info above.

Wireshark decides to treat this frame as not being Ethernet II, but instead as IEEE 802.3 Ethernet. I had to refer to appendix A of my first book to see what this meant.

For comparison, here is the frame format for Ethernet II (page 664):

This was what we saw with frame 4238 earlier -- Dst MAC, Src MAC, Ethertype, then data.

Here is the frame format for IEEE 802.3 Ethernet.


This is much more complicated: Dst MAC, Src MAC, length, and then DSAP, SSAP, Control, and data.

It turns out that this format doesn't seem to fit what is happening in frame 4241, either. While the length field appears to be in the ballpark, Wireshark's assumption that the next bytes are DSAP, SSAP, Control, and data doesn't fit. The clue for me was seeing that 0x45 followed the presumed length field. I recognized 0x45 as the beginning of an IP header, with 4 meaning IPv4 and 5 meaning 5 32-bit words (20 bytes) in the IP header.

If we take a manual byte-by-byte comparative approach we can better understand what may be happening with these two frames. (I broke the 0x45 byte into two "nibbles" in one case.)

Note that I have bolded the parts of each frame that are exactly the same.


This analysis shows that these two frames are very similar, especially in places where I would not expect them to be similar. This caused me to hypothesize that frame 4241 was a corrupted version of frame 4238.

I can believe that the frames would share MAC addresses, IP addresses, and certain IP and TCP defaults. However, it is unusual for them to have the same high source ports (38828) but not the same destination ports (443 and 3339).  Very telling is the fact that they have the same TCP sequence and acknowledgement numbers. They also share the same source timestamp.

Notice one field that I did not bold, because they are not identical -- the IP ID value. Frame 4238 has 0xd98c and frame 4241 has 0xd98d. The perfectly incremented IP ID prompted me to believe that frame 4241 is a corrupted retransmission, at the IP layer, of the same TCP segment.

However, I really don't know what to think. These frames were captured in a Linux 16.04 VirtualBox VM by netsniff-ng. Is this a problem with netsniff-ng, or Linux, or VirtualBox, or the Linux host operating system running VirtualBox?

I'd like to thank the folks at ask.wireshark.org for their assistance with my attempts to decode this (and other) frames as 802.3 raw Ethernet. What's that? It's basically a format that Novell used with IPX, where the frame is Dst MAC, Src MAC, length, data.

I wanted to see if I could tell Wireshark to decode the odd frames as 802.3 raw Ethernet, rather than IEEE 802.3 Ethernet with LLC headers.

Sake Blok helpfully suggested I change the pcap's link layer type to User0, and then tell Wireshark how to interpret the frames. I did it this way, per his direction:

$ editcap -T user0 excerpt.pcap excerpt-user0.pcap

Next I opened the trace in Wireshark and saw frame 4241 (here listed as frame 3) as shown below:


DLT 147 corresponds to the link layer type for User0. Wireshark doesn't know how to handle it. We fix that by right-clicking on the yellow field and selecting Protocol Preferences -> Open DLT User preferences:

Next I created an entry for User 0 (DLT-147) with Payload protocol "ip" and Header size "14" as shown:

After clicking OK, I returned to Wireshark. Here is how frame 4241 (again listed here as frame 3) appeared:


You can see Wireshark is now making sense of the IP header, but it doesn't know how to handle the TCP header which follows. I tried different values and options to see if I could get Wireshark to understand the TCP header too, but this went far enough for my purposes.
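
As an added example that is not part of the original post, here is a short Python script that does in code what the User0/DLT-147 preference above does (treat the first 14 bytes as the MAC header and decode IPv4 at offset 14), then goes on to decode the TCP header that Wireshark gave up on and diffs the two frames field by field, the way the manual comparison earlier in the post does. The hex bytes are copied from the two tshark dumps above; the Ethertype-versus-length threshold (0x0600) is from IEEE 802.3, the 0x45 check is the post's own heuristic, and the field names are my own labels rather than Wireshark's. It also verifies the IPv4 header checksum, which is a quick way to tell a corrupted copy from a legitimate retransmission.

```python
"""Decode and diff the two 66-byte frames from the post (added example)."""
import struct

# Hex dumps copied from the two tshark outputs above (66 bytes each).
FRAME_4238 = bytes.fromhex(
    "fcecda49e01038baf8127dbb08004500"
    "0034d98c40004006553fc0a804603415"
    "12db97ac01bbe3422a578349c2ea8010"
    "012808b000000101080a018ff1de9e1c"
    "e22c"
)
FRAME_4241 = bytes.fromhex(
    "fcecda49e01038baf8127dbb00384502"
    "0b84d98d86b5400649eec0a804603415"
    "12db97ac0d0be3422a578349c2eac8ec"
    "0128176f00000101080a018ff1deed7f"
    "a54a"
)

ETHERTYPE_MIN = 0x0600  # IEEE 802.3: >= 1536 is an Ethertype, <= 1500 is a length


def classify_frame(frame):
    """Return (encapsulation, offset of the IPv4 header).

    An Ethertype means Ethernet II. A length value followed by 0x45 (IPv4, IHL 5)
    means the IP header sits directly after the 14-byte MAC header, as in
    Novell-style raw 802.3 (the assumption behind the DLT-147 trick above).
    Anything else is treated as 802.3 with a 3-byte LLC header (U-format control).
    """
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= ETHERTYPE_MIN:
        return "ethernet_ii", 14
    if frame[14] == 0x45:
        return "raw_802.3", 14
    return "802.3_llc", 17


def ipv4_checksum_ok(frame, offset):
    """True if the IPv4 header checksum verifies (one's-complement sum folds to 0xFFFF)."""
    ihl = (frame[offset] & 0x0F) * 4
    total = sum(struct.unpack("!%dH" % (ihl // 2), frame[offset:offset + ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4_tcp(frame, offset):
    """Decode the fixed IPv4 header, the fixed TCP header and a Timestamps option.

    TCP options are walked from the end of the fixed header to the end of the
    frame instead of trusting the data-offset field, which is corrupted in 4241.
    """
    ip = frame[offset:offset + 20]
    ver_ihl, tos, total_len, ip_id, flags_frag, ttl, proto, ip_csum = struct.unpack(
        "!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    tcp_off = offset + ihl
    sport, dport, seq, ack, off_flags, window, tcp_csum, urg = struct.unpack(
        "!HHIIHHHH", frame[tcp_off:tcp_off + 20])
    fields = {
        "ip.version": ver_ihl >> 4, "ip.ihl": ihl, "ip.tos": tos, "ip.len": total_len,
        "ip.id": ip_id, "ip.flags_frag": flags_frag, "ip.ttl": ttl, "ip.proto": proto,
        "ip.checksum": ip_csum,
        "ip.src": ".".join(str(b) for b in ip[12:16]),
        "ip.dst": ".".join(str(b) for b in ip[16:20]),
        "tcp.sport": sport, "tcp.dport": dport, "tcp.seq": seq, "tcp.ack": ack,
        "tcp.offset_flags": off_flags, "tcp.window": window,
        "tcp.checksum": tcp_csum, "tcp.urg": urg,
    }
    opts, i = frame[tcp_off + 20:], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:              # End of option list
            break
        if kind == 1:              # NOP
            i += 1
            continue
        if i + 1 >= len(opts):     # truncated option
            break
        length = opts[i + 1]
        if kind == 8 and length == 10:   # Timestamps: TSval, TSecr
            fields["tcp.tsval"], fields["tcp.tsecr"] = struct.unpack("!II", opts[i + 2:i + 10])
        i += max(length, 2)        # never loop on a bogus zero length
    return fields


def diff_fields(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field whose value differs."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


def analyze(frame):
    """Classify the frame and, unless it really carries LLC, decode IP/TCP and check the checksum."""
    encap, off = classify_frame(frame)
    if encap == "802.3_llc":
        return {"encapsulation": encap}
    fields = parse_ipv4_tcp(frame, off)
    fields["encapsulation"] = encap
    fields["ip.checksum_ok"] = ipv4_checksum_ok(frame, off)
    return fields


if __name__ == "__main__":
    a, b = analyze(FRAME_4238), analyze(FRAME_4241)
    for name, (va, vb) in diff_fields(a, b).items():
        print("%-18s %-12r %r" % (name, va, vb))
```

Run as-is, the script lists only the fields that differ: TOS, total length, IP ID (0xd98c vs 0xd98d), flags/fragment, IP checksum, TCP destination port (443 vs 3339), TCP offset/flags, TCP checksum and TSecr, while source port, sequence and acknowledgement numbers, window and TSval are identical. The IPv4 checksum verifies for 4238 and fails for 4241, which is what you would expect from in-memory corruption of a copy rather than from a genuine retransmission, since a retransmitted datagram would carry a checksum consistent with its own header.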

The bottom line is that I believe there is some sort of packet capture problem, either with the software used or the traffic that is presented to the software by the bridged NIC created by VirtualBox. As this is a lab environment and the traffic is 1% of the overall capture, I am not worried about the results.

I am fairly sure that the weird traffic is not on the wire. I tried capturing on the host OS sniffing NIC and did not see anything resembling this traffic.

Have you seen anything like this? Let me know in a comment here or on Twitter.

PS: I found the frame.number=X Wireshark display filter helpful, along with the frame.len>Y display filter, when researching this activity.

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it was focused on payment card data breaches and Verizon's own breach investigations data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by ‘plain English’ astute explanations, which is why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
      • Financial gain remains the most common motivation behind data breaches (71%)
      • 43% of breaches occurred at small businesses
      • A third (32%) of breaches involved phishing
      • The nation-state threat is increasing, with 23% of breaches by nation-state actors
      • More than half (56%) of data breaches took months or longer to discover
      • Ransomware remains a major threat, and is the second most common type of malware reported
      • Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
      • Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware listed in the report
      • Espionage is a key motivation behind a quarter of data breaches
      • 60 million records breached due to misconfigured cloud service buckets
      • Continued reduction in payment card point of sale breaches
      • The hacktivist threat remains low; the increase in hacktivist attacks reported in the 2012 DBIR appears to have been a one-off spike

Avoid a Security Endgame: Learn About the Latest “Avengers” Scam

Marvel Studios’ $2.2 billion box-office hit “Avengers: Endgame” has quickly risen to the second-highest grossing film of all time in its first two weekends. Not surprisingly, cybercriminals have wasted no time in capitalizing on the movie’s success by luring victims with free digital downloads of the film. How? By tempting users with security shortcuts so they can watch the film without worrying about spoilers or sold-out movie tickets.

When a victim goes to download the movie from one of the many scam sites popping up around the web, the streaming appears to begin automatically. What the user doesn’t know is that the footage being streamed is just from the movie’s trailer. Soon after, a message pops up stating that the user needs to create an account to continue with the download. The “free” account prompts the user to create a username and password in advance, which could potentially be useful for cybercriminals due to the common practice of password reuse. Once a victim creates an account, they are asked for billing information and credit card details in order to “verify location” and make sure the service is “licensed to distribute” the movie in the victim’s region. These crooks are then able to scrape the victim’s personal and financial data, potentially leading to online account hacks, stolen funds, identity theft, and more.

Luckily, Marvel fans can protect their online data to avoid a cybersecurity endgame by using the following tips:

  • Look out for potential scam activity. If it seems too good to be true, then it probably is. Be wary of websites promising free movie downloads, especially for movies that are still in theaters.
  • Shield your financial data. Be suspicious of “free downloads” that still require you to fill out billing information. If an unknown website asks for your credit card information or your bank account data, it’s best to avoid the site altogether.
  • Make sure your credentials are unique. With this scam, threat actors could use the login credentials provided by the victim to access their other accounts if they didn’t have a unique login. Avoiding username and password reuse makes it a lot harder for cybercriminals to hack into your other online accounts if they gain access to one.
  • Assemble a team of comprehensive security tools. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links and will warn you in the event that you do accidentally click on something malicious.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Avoid a Security Endgame: Learn About the Latest “Avengers” Scam appeared first on McAfee Blogs.

2019 Verizon DBIR Shows Web Applications and Human Error as Top Sources of Breach

Veracode App Sec Verizon DBIR 2019

According to the 2019 Verizon Data Breach Investigations Report, there was a noticeable shift toward financially motivated crime (80 percent), with 35 percent of all breaches occurring as a result of human error, and approximately one quarter of breaches occurring through web application attacks. These attacks were mostly attributable to stolen credentials being used to access cloud-based email.

Another fun fact: social engineering attacks are increasingly more successful, and the primary target is the C-suite. These executives are 12x more likely to be targeted than other members of an organization, and 9x more likely to be the target of these social breaches than previous years. Verizon notes that a successful pretexting attack on a senior executive helps them to hit the jackpot, as 12 percent of all breaches analyzed occurred for financially motivated reasons, and their approval authority and privileged access to critical systems often goes unchallenged.

“Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through,” the Verizon DBIR states. “The increasing success of social attacks such as business email compromises (BECs, which represent 370 incidents or 248 confirmed breaches of those analyzed), can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime.”

Retailers Are Most Vulnerable at the Application Layer

The good news for consumers and retailers alike is that the days of POS compromises or skimmers at the gas pump appear to be numbered, as these card breaches continue to decline in this report. The not-so-good news is that these attacks are, instead, primarily occurring against e-commerce payment applications and through web application attacks. Indeed, the report shows that web applications, privilege misuse, and miscellaneous errors make up 81 percent of breaches for retail organizations.

What’s more, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting payment card data to create a profit.

The report notes, “We have seen webshell backdoors involved in between the initial hack and introduction of malware in prior breaches. While that action was not recorded in significant numbers in this data set, it is an additional breadcrumb to look for in detection efforts. In brief, vulnerable internet-facing e-commerce applications provide an avenue for efficient, automated, and scalable attacks. And there are criminal groups that specialize in these types of attacks that feast on low-hanging fruit.”

Overall, Veracode’s State of Software Security Vol. 9 shows that retail organizations are quick to fix their flaws, ranking second in this regard as compared to other industries. With this in mind, it may mean that retail organizations need to keep a closer eye on third-party software and open source code in their own applications to ensure they’re not the next to sign a cyberattacker’s paycheck.

At Veracode, we help our customers to ensure that every web application in their portfolio is secure through each stage of the SDLC. Check out this case study to learn about how Blue Prism implemented Veracode Verified to ensure the strength of its application security program and protect its most sensitive data.

Quantifying Measurable Security


With Google I/O this week you are going to hear about a lot of new features in Android that are coming in Q. One thing that you will also hear about is how every new Android release comes with dozens of security and privacy enhancements. We have been continually investing in our layered security approach, which is also referred to as “defense-in-depth”. These defenses start with hardware-based security, moving up the stack to the Linux kernel with app sandboxing. On top of that, we provide built-in security services designed to protect against malware and phishing.
However, layered security doesn’t just apply to the technology. It also applies to the people and the process. Both Android and Chrome OS have dedicated security teams who are tasked with continually enhancing the security of these operating systems through new features and anti-exploitation techniques. In addition, each team leverages a mature and comprehensive security development lifecycle process to ensure that security is always part of the process and not an afterthought.
Secure by design is not the only thing that Android and Chrome OS have in common. Both operating systems also share numerous key security concepts, including:
  • Heavily relying on hardware based security for things like rollback prevention and verified boot
  • Continued investment in anti-exploitation techniques so that a bug or vulnerability does not become exploitable
  • Implementing two copies of the OS in order to support seamless updates that run in the background and notify the user when the device is ready to boot the new version
  • Splitting up feature and security updates and providing a frequent cadence of security updates
  • Providing built-in anti-malware and anti-phishing solutions through Google Play Protect and Google Safe Browsing
On the Android Security & Privacy team we’re always trying to find ways to assess our ongoing security investments; we often refer to this as measurable security. One way we measure our ongoing investments is through third party analyst research such as Gartner’s May 2019 Mobile OSs and Device Security: A Comparison of Platforms report (subscription required). For those not familiar with this report, it’s a comprehensive comparison between “the core OS security features that are built into various mobile device platforms, as well as enterprise management capabilities.” In this year’s report, Gartner provides “a comparison of the out-of-the-box controls under the category ‘Built-In Security’. In the second part, called ‘Corporate-Managed Security’, [Gartner] compares the enterprise management controls available for the latest versions of the major mobile device platforms”. Here is how our operating systems and devices ranked:
  • Android 9 (Pie) scored “strong” in 26 out of 30 categories
  • Pixel 3 with Titan M received “strong” ratings in 27 of the 30 categories, and had the most “strong” ratings in the built-in security section out of all devices evaluated (15 out of 17)
  • Chrome OS was added in this year's report and received strong ratings in 27 of the 30 categories.
Check out the video of Patrick Hevesi, who was the lead analyst on the report, introducing the 2019 report, the methodology and what went into this year's criteria.

You can see a breakdown of all of the categories in the table below:


Take a look at all of the great security and privacy enhancements that came in Pie by reading Android Pie à la mode: Security & Privacy. Also be sure to live stream our Android Q security update at Google I/O titled Security on Android: What's Next on Thursday at 8:30am Pacific Time.

On Abusing Email Validation Protocols for Distributed Reflective Denial of Service

Veracode Research Email Validation Protocols DrDoS

Denial of Service (DoS) attacks are still very much in vogue with cybercriminals. They are used for extortion attempts, to attack competitors or detractors, as an ideological statement, as a service for hire, or simply “for teh lulz.” As anti-DoS methods become more sophisticated, so do the DoS techniques: they become harder to stop or take down by going distributed (DDoS) across stolen or hacked end-points. Some DDoS methods even use distributed, public systems that aren’t hacked or stolen but still offer a means for a reflected attack (DrDoS), such as the widespread Network Time Protocol (NTP) DrDoS attacks seen over the past several years.

In the spirit of discovering and exposing potential future cybercrime methods, this research focuses on determining the viability of DrDoS attacks using public-facing email validation protocols. With knowledge of attack anatomy, white hats can better understand the threat landscape while building their unique threat models and, if need be, build and configure defenses against such potential protocol abuses. Fortunately, or unfortunately, depending on your reference point, the findings of this research conclude that these types of attacks are unlikely to be a widespread threat given the current sets of in-the-wild email server configurations; though this may change in the future as more systems come online and configuration habits shift.

We know what sort of returns we can get for DDoS leveraging SPF in large part through the work of Douglas Otis. However, given other DDoS vectors available (DNS, NTP, etc.) using SPF alone doesn’t have much of a bite. The idea here was to try and also leverage other email validation protocols that may be configured for a mail server also employing SPF, a stacked attack. Following a review of the DomainKeys Identified Mail (DKIM) protocol RFC it was discovered that there are instances where the specification suggests using reply codes: 4xx, 451/4.7.5, and 550/5.7.x specifically. This suggests mail server configurations that may reply to messages that meet, or fail, certain criteria.

However, of the 20 in-the-wild sample servers (located in the United States, France, Germany, Hungary, and Taiwan), zero responded to invalid DKIM headers. As with the DKIM RFC, the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol RFC has a configuration suggestion for issuing a 5xy reply code for failed messages as well as a security discussion for External Reporting features of DMARC. Both of these vectors seemed promising for possible exploitation. Of the 20 in-the-wild servers tested, (located in the United States, the United Kingdom, France, Canada, and Switzerland) only four replied with a failure code and zero offered External Reporting services.

While subject to future change, these findings suggest that the current, real-world landscape does not lend itself to leveraging these validation protocols for any serious volume of DrDoS.
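As an added defensive example (not part of Veracode's research), the following Python audits SPF and DMARC TXT records, as text, for the configuration traits the research above treats as reflection surface: SPF terms that each cost a DNS lookup and macro-bearing terms that expand per sender, and DMARC report destinations at a third-party domain, which under RFC 7489 must publish an authorization record before reports flow to them. All record strings are constructed samples, not live DNS answers.

```python
"""Offline audit of SPF and DMARC records for traits relevant to DrDoS reflection.

Added example; the records below are constructed, not looked up from DNS.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# SPF terms that cost a DNS query; RFC 7208 caps them at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


@dataclass
class SpfAudit:
    lookups: int = 0
    macro_terms: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def audit_spf(record: str) -> SpfAudit:
    """Count DNS-querying terms and flag macro-bearing terms in one SPF record."""
    out = SpfAudit()
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        out.notes.append("not an SPF record")
        return out
    for term in terms[1:]:
        body = term.lstrip("+-~?")  # drop the qualifier, if any
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            out.lookups += 1
        # Macros such as %{i} expand per sender IP, so every probe message can
        # drive fresh, uncacheable queries at the name servers the record names.
        if "%{" in term:
            out.macro_terms.append(term)
    if out.lookups > SPF_LOOKUP_LIMIT:
        out.notes.append(
            f"{out.lookups} DNS lookups exceed the RFC 7208 limit of {SPF_LOOKUP_LIMIT}")
    return out


@dataclass
class DmarcAudit:
    policy: str = ""
    # (tag, destination domain, authorization record the destination must publish)
    external_reports: List[Tuple[str, str, str]] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; keys are lower-cased, values kept as-is."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str, domain: str) -> DmarcAudit:
    """Flag external report destinations and per-message failure reporting."""
    out = DmarcAudit()
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        out.notes.append("not a DMARC record")
        return out
    out.policy = tags.get("p", "")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri.lower().startswith("mailto:"):
                continue
            # Strip the optional "!size" suffix, then keep the address's domain.
            address = uri[len("mailto:"):].split("!", 1)[0]
            dest = address.rsplit("@", 1)[-1].lower()
            if dest != domain.lower():
                # RFC 7489 section 7.1: the receiving domain must publish this
                # TXT record (v=DMARC1) or reports to it should not be sent.
                auth = f"{domain.lower()}._report._dmarc.{dest}"
                out.external_reports.append((tag, dest, auth))
    if "ruf" in tags:
        out.notes.append("ruf= requests one failure report per failing message; "
                         "this per-message reply is the volume the research probes for")
    return out


if __name__ == "__main__":
    # Constructed sample records for demonstration.
    spf = audit_spf("v=spf1 include:_spf.example.net include:spf.provider.example "
                    "a mx exists:%{i}._spf.example.net -all")
    print(f"SPF: lookups={spf.lookups} macros={spf.macro_terms} notes={spf.notes}")
    dm = audit_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
                     "ruf=mailto:forensics@reports.example.net!10m", "example.com")
    print(f"DMARC: policy={dm.policy} external={dm.external_reports} notes={dm.notes}")
```

Flagged items are configuration facts to review, not verdicts: an external rua destination with a valid authorization record is normal, while an SPF record over the lookup limit fails evaluation at compliant receivers anyway.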

We Are Ready on Day One for Our Linux Customers

Our customers look to McAfee to ensure that their enterprises are protected from the changing threat landscape. That’s why we’ve worked with Red Hat, the world’s leading provider of open source solutions for Linux, to ensure that we were part of the entire process leading up to today’s announcement of Red Hat Enterprise Linux 8 (RHEL8). We’ve been working extensively with Red Hat throughout the pre-release process to ensure that you get the threat protection you desire on the day the new operating system is released.

If you’re already one of our McAfee Endpoint Security for Linux customers, this means you can take advantage of vast hardware and virtualization support as well as cloud integration support, whether you’re using on-prem ePO or McAfee MVISION.

McAfee Endpoint Security for Linux 10.6.2 now provides zero-day support for RHEL8. Red Hat Enterprise Linux is a significant proportion of the install base among our customers. It’s important that we provide timely and crucial support for the latest release of RHEL8 so our customers can take advantage of the improvements and efficiencies available on the platform.

McAfee Endpoint Security for Linux 10.6 provides three important features that benefit our customers:

  • Support for Docker containers
  • CPU throttling
  • Centralized management capabilities of native firewall

Container adoption has been rising steadily among our customer base. By supporting McAfee Endpoint Security for Linux on Docker containers, our customers can be confident that their container deployments are protected with the same solution that they currently deploy on their servers.

CPU throttling limits the consumption of CPU resources, allowing our customers to efficiently manage when an on-demand scan deploys, thus enhancing the usability of the solution in a low-resource environment.

Centralizing and simplifying management capabilities of native functionality, such as the firewall, through a familiar interface allows administrators to quickly react and enforce firewall policies, reducing the time to deploy and gain operational efficiency.

To learn more about McAfee Endpoint Security, visit our website.

The post We Are Ready on Day One for Our Linux Customers appeared first on McAfee Blogs.

15 Things Every Customer Should Know About Core Impact

Just like in any good relationship, it takes time to get to know one another. Even when you’ve been together for a while, you still may learn new things that surprise you. It’s no different when you begin a relationship with a new product or solution. Over time, you will discover new features and tricks you didn’t even know existed. With this in mind, we’ve compiled a list of the top 15 things every customer should know about Core Impact. Take a look and see what you may have been missing.

#1: The Core Impact Customer Community

The Core Impact Customer Community is a place you can go to ask and answer questions about Impact and penetration testing, chat real-time with other Impact users, and take training courses to better leverage Impact for multiple types of testing. It also serves as a repository where you can post or download custom modules. This invaluable community resource exists to empower you to continue to get the most out of Impact.

#2: Flexible Licensing

Did you know that Impact has a flexible licensing model? We have many different license types that enable flexible use of the product, and ensure we can support multiple use cases, including:

  •     Machine-based unlimited licenses for those with a small, rotating team
  •     Named user unlimited licenses for those with dedicated, full time users
  •     Educational and lab licenses for those who want to use Impact in an educational capacity or tightly controlled lab environments

Our goal is to make sure you get the right combination of licenses that will work best for you and your team.

#3: Encrypting Agent Communications

All communication between Impact and its agents is both encrypted and authenticated. These robust protections allow us to provide secure communications between Impact and its agents. Other solutions have a higher risk of potential attackers ‘breaking in’ to the communications or hijacking their agents for nefarious purposes. Perform better, more detailed testing with the peace of mind that your communications will remain secure.

#4: Command and Control Options

Core Impact has a variety of command and control options that you can leverage. Whether connecting to or from a target or hiding the communications in DNS traffic, Impact has a variety of communication methods to better support different ways you might want to test. For example, using the DNS channel allows you to mask and disguise the communications inside DNS packets. All you have to do is select the type of communication you want the agents to use, and then deploy them. Every communication method features encryption and mutual authentication between Impact and its agents.

#5: Self-Terminating Agents

With Impact, you never have to worry about an agent hanging around longer than you want. Impact agents are configured to automatically clean themselves up at a time you set. Plus, Impact gives you the ability to set an expiration time when you deploy an agent, giving you control and minimizing artifacts left by your test. Even if a target is hibernated during a test and misses the cleanup signal, the Impact agent will see that it’s past due and clean itself up. You can pen test with confidence and know that Impact won’t let you be the reason for an incident response.

#6: Rapid Penetration Tests

Another great feature is that Impact can quickly find ‘low hanging fruit’ for you to act upon. Impact’s rapid penetration testing wizards can automatically find common weaknesses, while letting you choose how risky you want to be. This will free up time for you to do more in-depth testing and can even provide a short list of items to quickly prioritize for remediation.

#7: Intelligently Exploit Identities

Were you aware that Impact also enables you to easily leverage identities found during a test? With many identities in any given network, chances are you will come across them during testing. Impact enables you to securely store these identities. With Impact’s central identity store, it’s simple to use these identities to further your testing, allowing you to easily move and get access to more information.

#8: Stealthy PowerShell Attacks

Did you know that Impact can natively leverage PowerShell on remote hosts? Not just that, it can also do it stealthily, without using the PowerShell executable. PowerShell is a very powerful management framework for Windows machines and Impact’s ability to easily interface with it opens state-of-the-art attack methods preferred by advanced adversaries.

#9: Phishing Built for Pen Testers

Impact actually evolved from the suite of tools used by one of the first teams to offer third-party pen testing. In fact, Impact was created by a team of pen testing professionals to help make them more effective and efficient at their job. They recognized that there was great value in standardizing the process of how to conduct a pen test, and built this into their tools. As a result, Impact emphasizes an easy-to-use, repeatable, and consistent methodology.

Impact also has extensive phishing capabilities, built from the beginning with pen testing in mind, so you can do more than just report on who is susceptible to phishing. You can also gather additional information to help plan further testing and exploitation activities. Impact’s phishing functionality is often leveraged to ‘trick’ victims into giving you access to the network. If you are looking for pen testing with focused phishing capabilities, Impact is definitely the solution for you.

#10: A Python Framework

Here is something you may not know either: Impact is actually a Python framework. All modules, exploits, and tools are written in Python and are user customizable. You can write your own modules for things like integrations with third party tools, or modify existing ones to better suit your specific needs. This gives you a significant amount of flexibility to extend and enhance the value of investments you have already made.

#11: Ongoing Logging and Reporting

Another key feature to be aware of is that Impact automatically logs everything you do over the course of your pen test. This includes all the modules you run, all the files you upload or download, and even all the commands you run on remote hosts. Impact automatically captures this input and output, providing an audit trail and ensuring that you do not have to keep your own detailed notes during the test.

Impact also has a powerful and flexible built-in reporting engine that allows you to create reports for any type of audience, whether they are Chief Executives, the Patching Team or even the Audit Team. These reports are also fully customizable and the templates can be saved for future use.

#12: Validating Vulnerability Scans

Impact automatically validates the results of a vulnerability scan. You can import the results from most vulnerability scanners and Impact will automatically attempt to validate the scanner’s findings by attempting to exploit the vulnerabilities that were reported. You will then get a report of what Impact was and was not able to exploit. Confirming exploitations can help speed up remediation processes by having Impact prioritize the list of vulnerabilities that your scanners are spitting out.

#13: Validating Remediation

With the remediation validation option, you can have Impact automatically re-run a previous pen test that can provide a change report on any differences between the two. Impact will execute exactly as you did on the previous test, including info gathering, exploitation, and pivoting. You can use this to easily test if remediation efforts have been successful rather than having to do the entire test over again, saving tremendous time in re-testing.

#14: Multi-Vector Pivoting

Impact also enables you to pivot from one vector to another, dramatically improving your capabilities and efficiency through multi-vector pivoting. For example, when you exploit a weakness in a web application, you can then leverage it to pivot to the network. Or you can even leverage Impact to trick victims into giving you access to the network.

#15: Moving from One Host to Another

And last, but definitely not least, Impact makes it easy to pivot from one host to another. It is as simple as a right click. Impact has a wealth of additional features, like the Remote Interface, which you can leverage with the pivoting capabilities to make you more efficient and effective during your testing.

Getting the Most Out of Core Impact

This list will help you more intelligently manage your vulnerabilities and get the most out of Impact. After all, the more you get to know Core Impact, the more it can do to secure your business.

Top Tips On Cyber Security for SMEs

Guest article by Damon Culbert of Cyber Security Jobs

Cyber criminals are a part of modern life, from Uber account hacks to major business data breaches, our online identities are rarely safe. And, while big-name companies under threat often make the news, it’s small and medium-sized enterprises who are actually their biggest targets.

Large businesses and government departments may seem like more obvious hacking targets with bigger payoffs, but these organisations can afford much more robust, well-kept and successful IT security measures and cyber security professionals working round the clock. Due to this, cyber criminals are much more likely to swing for easy targets like family businesses.

With the introduction of GDPR across Europe, all businesses are now much more responsible for the personal data they keep, meaning companies of all size can’t really afford to not have at least the basic security measures in place. The UK National Cyber Security Centre (NCSC) have created a list of five principles as part of their Cyber Essentials Scheme. These include:

1. Secure your internet connection
2. Protect from viruses and other malware
3. Control access to your data and services
4. Secure your devices and software
5. Keep your devices and software up to date

All small businesses should know these principles and be putting them into practice, no matter how many staff they employ. In addition to this, here are a couple of other tips to keep hackers at bay which can be simply implemented into your business practices and keep the ICO (Information Commissioner’s Office) from the door.

Invest in Software and Hardware
While just functioning from day to day might be your only priority as a small business owner, investing in your technology will undoubtedly help in the long run. Keeping your software, such as antivirus software and operating systems, up to date will ensure that any vulnerabilities identified by the creators are covered and there are no gaping holes in your cyber defences.

It might also be a good idea to invest in a good-quality back-up server and cyber insurance, so that if any personal data is ever compromised, your operations can simply switch to the back-up server without affecting your business. Cyber insurance will also help keep you covered in case any clients’ personal data is lost and costs are incurred.

Staff Awareness
Without the awareness of your staff, no manner of cyber security measures will keep your business safe. 90% of breaches happen because of user interaction, most commonly through phishing scams. Sophisticated phishers can impersonate senior members of staff in your organisation and trick other employees into handing over login details, authorising bogus payments or redirecting bank transfers.

Ensuring that staff are made aware of how to identify phishing scams and even having experienced trainers come in to guide them through cyber security best practice may seem like a cost you can spare but will go far in keeping the walls around your business impenetrable.

Compliance
The GDPR states that businesses who suffer a breach must alert the ICO and any customers who may have been affected within 72 hours of discovery. This is vital, and although fines could still be handed out for failure to prevent a breach, these fines will be much higher if the ICO discovers that you kept the information to yourself for longer than the 72 hour period.

The average time it takes for an organisation to discover a breach is 229 days, so the time a breach takes to come to your attention is unlikely to work in your favour. However, regular reporting is likely to result in earlier identification, which will not only help you save time and money, but will also be a great trust signal to your clients that you take protecting their data seriously.

Pre-emptive planning
Security breaches are a ‘when’ not ‘if’ problem, so planning ahead is a necessity of modern business. 74% of SMEs don’t have any money saved to deal with an attack and 40% wouldn’t even know who to contact in the event of a breach. Having comprehensive disaster management plans in place will help keep you and your clients safe, keep your reputation in top shape and make sure you don’t have to pay out major money in the worst case scenario.

Plan of Action
The best thing for SMEs to do is to start small and keep building their defences as time goes on, helping keep costs down and customers happy. Here’s a plan of action to get started:

1. Start with the basics: follow the Cyber Essentials Scheme and bake these principles into your daily operations
2. Get an understanding of the risks to your business: check out the NCSC’s ’10 Steps to Cyber Security’ for further detail than the Cyber Essentials
3. Know your business: if you still feel your data isn’t safe, research more comprehensive frameworks like the IASME standard developed for small businesses
4. Once you have a complete security framework in place, develop on the NCSC’s advice with more sophisticated frameworks, such as the NIST framework for cybersecurity.

What Would Yoda Do? 5 Tips to Raising a Mindful Digital Jedi

A Jedi, from the epic Star Wars films, is a warrior who fights for the greater good. Jedi are set apart and rely on a higher, internal power called The Force to guide them in life and in battle. They possess an acute sense of the world around them and are mindful of how their actions affect the whole of humanity.

The Jedi way is an excellent premise for raising digital kids in this often-precarious galaxy of hyper-connectivity called the internet. And who better to guide our parenting — today on Star Wars Day — than Yoda, the small but mighty Master Jedi known for his wisdom?

Here are a few digital parenting tips from the master himself to help you guide your kids in living the wiser, more mindful Jedi way online.

“To be a Jedi is to face the truth, and choose. Give off light, or darkness, Padawan. Be a candle or the night.”

Practice digital empathy. One of the biggest challenges of parents today is teaching kids how to break through the force field that stands between them and the very real people on the other side of their screens. It’s easy to log on to an electronic device and disconnect from the reality that our words and actions online impact others in either a positive or negative way. It’s easy to view other people as photos, avatars, or game characters instead of individuals with real feelings and unique, often different, perspectives than our own.

Teaching digital empathy, according to Parent Advocate and Author Sue Scheff, author of Shame Nation isn’t always front of mind for parents who grew up in a drastically different social environment. “We can’t relate to our kids’ social lives playing out in the digital world,” says Scheff. “Therefore, we may overlook the need to teach our kids that caring, kindness, and respect extends beyond face-to-face interactions. Yes, even online – or, especially online.”

“You must unlearn what you have learned.”

Find your voice. Media, opinions, news, and faulty algorithms usher an abundance of sketchy concepts into our thinking each day. Teaching kids to be discerning about the content they consume and aligning that with their values — and not that of a YouTube or Instagram celebrity — is serious personal work in today’s culture. The real parenting challenge of our day is teaching kids to think critically about who they are, what they believe, and how to express unique, significant self in everyday life. In her book Raising Humans in a Digital World, Diana Graber, notes a 2016 Stanford study that called young people’s inability to effectively evaluate online information as “bleak” and that, “Our digital natives may be able to flit between Facebook and Twitter while simultaneously uploading a selfie to Instagram and texting a friend. But when they evaluate information that flows through social media channels, they are duped.”

“In a dark place we find ourselves, and a little more knowledge lights our way.”

Unplug for health. Newton’s law of motion states that an object in motion will remain in motion until an external force acts upon it. Applied to screen time: Unless we as parents (the external force) set the limits on screen time, the scrolling, clicking, and uploading will continue — forever. In Yoda’s vintage 1977 wisdom, we are reminded that unplugging isn’t punishment, but a way to refresh, restore, and maintain one’s emotional and physical health. As anxiety and depression among youth continue to be linked to screens, learning as much as we can about monitoring, screen limits, and digital wellbeing (the belief that technology should improve life, not distract from it), is paramount for parents today.

“To answer power with power, the Jedi way this is not. In this war, a danger there is, of losing who we are.”

Avoid digital drama. With a little help, kids can learn how to sidestep much of the digital drama online that tends to spill over into real life. Teaching kids to be positive, trustworthy, empathetic, and refuse to take part in cyberbullying begins with parents who practice those same standards online (kids are watching). Other ways to dodge the drama include using your mute button, balancing screen time, staying out of online arguments, and thinking carefully about the tone of your posts and comments.

“You think Yoda stops teaching, just because his student does not want to hear? A teacher Yoda is.”

Parents: Never quit teaching. This last bit of Yoda wisdom is especially for parents who feel overwhelmed and under-equipped to raise a digital Jedi. Your kids are not always going to want to hear your input on their online behavior or your warnings about staying safe — so what? A teacher Yoda is. A parent you are. Be encouraged — you’ve got this, and you are the original Jedi Master with future Jedi to guide. Keep learning, guiding, and molding the next generation even when it gets tough. Be unyielding to cultural standards and Jedi-fierce in your commitment to keeping your kids safe and healthy in this digital universe.

The post What Would Yoda Do? 5 Tips to Raising a Mindful Digital Jedi appeared first on McAfee Blogs.

A Team Of Law Enforcers Took Down Major Illegal Merchandise Site

A team of law enforcers from Romania, the Netherlands, the United States, Germany, and Europol has taken down the servers linked to Wall Street Market (WSM), a Dark Web site specifically designed for trading weapons, stolen passwords, drugs, and other illegal goods. This comes right after an alleged theft by Wall Street Market admins that cost its customers over $14.2 million in Bitcoin and other cryptocurrencies. One of the site’s more vocal admins, using the account named Med3l1n, blackmailed some users of the site, demanding $280 worth of Bitcoin after discovering that they had sent support requests unencrypted, and threatening to disclose their illegal transactions to the authorities otherwise.

“One of Europol’s initiatives is to create a coordinated law enforcement approach to tackle crime on the dark web with the participation of law enforcement agencies from across EU Member States, operational third parties and other relevant partners, such as Eurojust. To achieve this goal, Europol has established a dedicated Dark Web Team to work together with EU partners and law enforcement across the globe to reduce the size of this underground illegal economy. The team also aims to enhance joint technical and investigative actions, organise training and capacity-building initiatives, together with prevention and awareness-raising campaigns – a 360° strategy against criminality on the dark web,” said the Europol’s Press Release.

Med3l1n then proceeded to disclose the IP addresses and usernames/passwords (including his own) of users connected with Dread, an affiliate community site used for communication between dark web users. Once the real-world location of the servers hosting WSM was publicly exposed, users of all kinds, with varying goals, were able to extract as much information as they could from the site. This “data breach” escalated to the point that WSM users lost the contents of their cryptocurrency wallets.

“Of much greater concern to users: The same mod has posted his login credentials to Dread. This gives anyone the ability to sign in to WSM as the mod and access all information pertaining to users and their orders that isn’t encrypted. He also gave the server IP address up,” explained Patrick Shortis, a security researcher.

The law enforcement agencies began their operation on April 30, 2019, and the complete shutdown of the site occurred on May 2, 2019. The exact URL of WSM on the Dark Web was wallstyizjhkrvmj.onion, which can only be reached through a dark web browser such as the Tor Browser (The Onion Router). Aside from the takedown, the German police members of the team said they placed three persons of interest under arrest and confiscated €550,000 in cash. Apparently, they were drug traffickers who were using WSM to sell their “products”. In addition, a similar site named Silkkitie was also taken down; it had been operating for at least 6 years.

“These two investigations show the importance of law enforcement cooperation at an international level and demonstrate that illegal activity on the dark web is not as anonymous as criminals may think,” emphasized Catherine De Bolle, Europol Executive Director.

German police arrest three men as they shut dark web marketplace

Arrests in Germany, Brazil and US relate to sale of drugs, stolen data and malicious software

German police have shut down one of the world’s largest illegal online markets in the so-called dark web and arrested the three men allegedly running it, prosecutors said on Friday.

The “Wall Street Market” (WSM) site enabled trade in cocaine, heroin, cannabis and amphetamines as well as stolen data, fake documents and malicious software.


Cyber Defense Magazine – May 2019 has arrived. Enjoy it!

Cyber Defense Magazine May 2019 Edition has arrived. We hope you enjoy this month’s edition, packed with more than 160 pages of excellent content.


Cyber Defense eMagazine for May 2019


Pierluigi Paganini

(SecurityAffairs – Cyber Defense Magazine, hacking)

The post Cyber Defense Magazine – May 2019 has arrived. Enjoy it! appeared first on Security Affairs.

Google CTF 2019 is here



June has become the month where we’re inviting thousands of security aficionados to put their skills to the test...

In 2018, 23,563 people submitted at least one flag on their hunt for the secret cake recipe in the Beginner’s Quest. While 330 teams competed for a place in the CTF Finals, the lucky 10 winning teams got a trip to London to play with fancy tools, solve mysterious videos and dine in Churchill’s old chambers.

This June, we will be hosting our fourth annual Capture the Flag event. Teams of security researchers will again come together from all over the globe for one weekend to eat, sleep and breathe security puzzles and challenges - some of them working together around the clock to solve some of the toughest security challenges on the planet.

Up for grabs this year is $31,337.00 in prize money and the title of Google CTF Champion.

Ready? Here are the details:


  1. The qualification round will take place online Sat/Sun June 22 and 23 2019
  2. The top 10 teams will qualify for the onsite final (location and details coming soon)
  3. Players from the Beginner’s Quest can enter the draw for 10 tickets to witness the Google CTF finals

Whether you’re a seasoned CTF player or just curious about cyber security and ethical hacking, we want you to join us. If you’re just starting out, the “Beginner’s Quest” is perfect for you. Sign up to learn skills, meet new friends in the security community and even watch the pros in action. See you there! For the latest announcements, see g.co/ctf, subscribe to our mailing list or follow us on @GoogleVRP.


Using the Human Factor in Cyber Attacks

The Human Factor is of fundamental importance to the success of a cyber attack; for this reason it is important to create a culture of cyber security within organizations.

Every day we see a large number of tools being deployed within enterprises and institutions to keep their environments more secure. Along with these tools comes a set of responsibilities to ensure that resources are used efficiently and effectively, producing the results expected by analysts, managers, and management. In a corporate environment there are many such tools: Web Application Firewall (WAF), Intrusion Prevention System (IPS), antispam, antivirus, firewall, web filter / application control, DLP (Data Loss Prevention), switches, routers, and so on. Each of these tools has its own characteristics and function within the corporate environment; when well configured, they generate results and metrics that help managers make decisions about environment/business growth, security improvement, and more.

In recent years there has been a significant increase in cyber attacks and attempts to exploit vulnerabilities; attackers increasingly study CVEs (Common Vulnerabilities and Exposures) and use that knowledge to try to exploit, break into, and exfiltrate data from companies or individuals. When implementing a security tool within a company, it is necessary to pay attention to points that go beyond the implementation project, among them maintenance and updating of the tool according to the vendor’s good practices. A very common error today, one that leaves many companies vulnerable to attack, is caring about the tool only during the implementation process; afterwards, the points mentioned above, which require constant attention throughout the tool’s life cycle inside the company, are forgotten, and the environment becomes susceptible to attacks and exploitation.

Some points that make environments vulnerable:

  • Old tools.
  • Outdated tools.
  • Poor resource management.
  • Human factor.

From the points mentioned above, I would like to draw attention to the ‘Human Factor’. With technological growth, it has become fundamental to create a culture of security policy in the day-to-day work of employees. Companies are investing more and more in lectures, training and workshops to reduce the chance that an attack or intrusion is caused by the human factor. The human factor can be exemplified as follows: the attacker sends an email with a supposed advertisement or promotion containing a link that will direct the user to this “promotion”, when in fact it is a malicious link (this attack is called phishing); the user may be infected with some malware, and from that machine the attacker has internal access and begins to move laterally in an attempt to exploit or compromise the company environment. Every day we see research published by tool makers showing that most attacks still involve the human factor, that is, a user who is not prepared to identify some simple types of attack, such as phishing, and who can thereby compromise the entire security of the company.

The three most commonly used types of phishing attack today are:

Mass-Scale Phishing: An attack in which fraudsters cast a wide net of messages that are not highly targeted.

Spear Phishing: Tailor-made for a specific victim or group of victims, using personal details.

Whaling: A specialized type of spear phishing that targets a “large” victim within a company, for example the CEO, CFO or another executive.

Below we have the anatomy of a phishing attack:

(figure: anatomy of a phishing attack)
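As an added illustration of the link-based phishing pattern described in this article (example code written for this page, not the author’s), here is a small Python check that flags links whose visible text and real target disagree, whose domain merely resembles a trusted one, or whose target is a bare IP address; the trusted-domain list and the sample promotional email are constructed assumptions.

```python
"""Heuristic check for the phishing pattern described above: an email whose
link text promises one destination while the href points somewhere else, or
whose href domain only looks like a trusted one.  Constructed sample input,
not a production mail filter."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this (hypothetical) organisation treats as trusted senders.
TRUSTED_DOMAINS = {"example-bank.com", "example-shop.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; sufficient for this illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(name):
    """Undo common lookalike tricks: digit-for-letter swaps and inserted hyphens."""
    return name.translate(str.maketrans("0135", "oles")).replace("-", "")


def is_lookalike(host, trusted):
    """True when host imitates trusted without actually being it or a subdomain."""
    host = host.lower()
    if host == trusted or host.endswith("." + trusted):
        return False  # the real domain or one of its real subdomains
    if trusted in host:
        return True   # trusted name embedded, e.g. example-bank.com.evil.net
    return normalize(registrable_domain(host)) == normalize(trusted)


def analyze_email(html_body):
    """Return a list of findings; an empty list means no suspicious links."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # 1. Visible text that itself names a domain must match the real target.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append(f"display/target mismatch: '{text}' -> {host}")
        # 2. Target domain that imitates one the organisation trusts.
        for trusted in TRUSTED_DOMAINS:
            if is_lookalike(host, trusted):
                findings.append(f"lookalike of {trusted}: {host}")
        # 3. Links pointing straight at an IP address rather than a hostname.
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append(f"raw IP address target: {host}")
    return findings


# Constructed sample of the "promotion" email the article describes.
SAMPLE_PROMO_EMAIL = """
<p>Congratulations! Claim your reward at
<a href="http://examp1e-bank.com/claim">https://example-bank.com/rewards</a>
or read the <a href="https://mail.example-bank.com/terms">terms</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_PROMO_EMAIL):
        print(finding)
```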

About the author: Zoziel Freire

Cyber Security Analyst; content writer for the portal www.infosectrain.com; malicious document analyst; CompTIA Security Analytics Professional; LPIC-3 Enterprise Linux Professional; CompTIA Cybersecurity Analyst. LinkedIn: https://www.linkedin.com/in/zozielfreire/

Pierluigi Paganini

(SecurityAffairs – Human Factor, cybersecurity)

Twitter: https://twitter.com/zoziel

The post Using the Human Factor in Cyber Attacks appeared first on Security Affairs.

Threat Roundup for April 26 to May 3

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 26 and May 3. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


War Against Fraudsters Looks Winnable, Report Says

Since 2017, digital ad spending has increased while fraud losses have declined, according to the fourth annual Bot Baseline Report, published by White Ops and the Association of National Advertisers (ANA).

The report found that for the first time more fraud will be stopped than will succeed, suggesting that defenders are gaining ground in the battle against fraudsters, potentially because it has become increasingly more costly for criminals to purchase realistic bot traffic.

According to the report, 2019 saw an improvement in monetary losses. While the 2017 study reported $6.5 billion in losses, this year’s report reflects an 11% decline over the past two years despite digital ad spending having increased by 25.4% between 2017 and 2019.

Only 8% of display advertising impressions were fraudulent, which was a decrease of 9% from 2017, and only 14% of video ads were fake, down from 22% in 2017, the report found.

The report also noted that the majority of fraudulent impressions are actually invalidated by demand-side platforms (DSPs) or supply-side platforms (SSPs), filtered as SIVT (sophisticated invalid traffic) before being paid for, or invalidated later via clawbacks (the recovery of ad spend after a campaign has run). These measures are estimated to have mitigated nearly $14 billion in fraud losses annually.

“What appears to be a decline in digital ad fraud could be a temporary lull as bad actors sharpen their saws while avoiding detection. Recently, there’s been a spate of malware attacks on online retailers and publishers, where the malware are agnostic to platform and can change characteristics in order to escape detection by pattern- or signature-based defenses,” said Usman Rahim, digital security and operations manager for The Media Trust.

“Make no mistake, today’s malware are engineering feats that require a great deal of skill and collaboration. The economics of attacks is encouraging criminals to band together. Battling these attacks demands the same. This means aligning brands, technology partners and premium publishers with consumers’ needs – in the post-GDPR world, that includes their privacy and safety. More important, it means working together on keeping out bad actors and changing our practices before the regulators force us to.”

Business Intelligence is the Key to Stronger Cybersecurity – Here’s Why

Cybersecurity has been moving further and further towards the top of the corporate agenda for a number of years now, and for very good reason. Yet, how much do we understand about the importance of analytics when staying protected?

According to a recent study by McAfee Labs, 480 new data security threats were discovered every minute in 2018 – and that figure will rise even further by the end of this year. Our growing reliance on mobile devices and public networks has created a staggering amount of new entry points and vulnerabilities, and many businesses are only just waking up to the sheer scale of the issue.

But it certainly isn’t just about quantity. Both the nature of cyber attacks and the approaches hackers use are continually evolving, which poses a threat to a growing number of companies across a wider span of industries. Product managers, data engineers and business owners alike face an increasingly difficult challenge to safeguard their digital infrastructure and keep their data safe from unwarranted breaches.

Those looking to maximise their defences must invest in every core method of protection – but perhaps none more so than business intelligence and analytics.

How can analytics help?

“Big_Data_Prob” (CC BY 2.0) by KamiPhuc

We hear a lot of talk about the risks of big data and potential issues with storing sensitive information. Many people don’t realise that companies who have a tight handle on their own data put themselves in a far better position to fend off cyber attacks than those who are not. Data itself isn’t the issue; it’s whether we are in full control of it.

Having access to large amounts of proprietary data can help businesses to analyse patterns, observe irregularities and spot potential weaknesses within a network. Analytics programmes can also help classify the severity and complexity of issues, which helps businesses prioritise the areas that require the most attention. This not only reduces the time it would normally take to detect and resolve an issue, but it’s also a massive advantage when it comes to catching issues ahead of time. Prevention is the best cure, after all.

Making data work for you

“Data Security” (CC BY 2.0) by Visual Content

So, how exactly do you begin to manage and deploy data as part of your cybersecurity strategy? The first step is to simplify BI management to make mining and visualising analytics as easy as possible.

A business intelligence platform is a good starting point if you’re struggling to develop a system that works for your business. Companies such as Sisense offer full-stack approaches that help build flexible data models across a wide range of sources. This helps to bridge the gap between modern BI tools and any legacy software that you’re still using. The use of embedded analytics also enables companies to integrate reports, dashboards and visualisations with key applications and workflows.

Future-proofing your business

“GOV.UK Team” (CC BY 2.0) by gdsteam

Of course, cybersecurity and data governance are both ongoing commitments that require continual attention and investment. The evolving nature of cybercrime poses many headaches for the modern business, but it’s also a huge motivation to keep their databases clean, secure and plugged into an efficient BI system at all times.

The task of keeping digital infrastructure safe is always better done ahead of time. It’s no good waiting until you’ve suffered the consequences of a major cyber attack to do something about it. Top companies understand the importance of avoiding major disruption to their operations at all costs – and that’s only possible by updating and improving every aspect of their cybersecurity strategy on a regular basis. If you keep your data protected, it will ultimately protect you.


Feds Bust Up Dark Web Hub Wall Street Market

Federal investigators in the United States, Germany and the Netherlands announced today the arrest and charging of three German nationals and a Brazilian man as the alleged masterminds behind the Wall Street Market (WSM), one of the world’s largest dark web bazaars that allowed vendors to sell illegal drugs, counterfeit goods and malware. Now, at least one former WSM administrator is reportedly trying to extort money from WSM vendors and buyers (supposedly including Yours Truly) — in exchange for not publishing details of the transactions.

The now-defunct Wall Street Market (WSM). Image: Dark Web Reviews.

A complaint filed Wednesday in Los Angeles alleges that the three defendants, who currently are in custody in Germany, were the administrators of WSM, a sophisticated online marketplace available in six languages that allowed approximately 5,400 vendors to sell illegal goods to about 1.15 million customers around the world.

“Like other dark web marketplaces previously shut down by authorities – Silk Road and AlphaBay, for example – WSM functioned like a conventional e-commerce website, but it was a hidden service located beyond the reach of traditional internet browsers, accessible only through the use of networks designed to conceal user identities, such as the Tor network,” reads a Justice Department release issued Friday morning.

The complaint alleges that for nearly three years, WSM was operated on the dark web by three men who engineered an “exit scam” last month, absconding with all of the virtual currency held in marketplace escrow and user accounts. Prosecutors say they believe approximately $11 million worth of virtual currencies was then diverted into the three men’s own accounts.

The defendants charged in the United States and arrested in Germany on April 23 and 24 include a 23-year-old resident of Kleve, Germany; a 31-year-old resident of Wurzburg, Germany; and a 29-year-old resident of Stuttgart, Germany. The complaint charges the men with two felony counts – conspiracy to launder monetary instruments, and distribution and conspiracy to distribute controlled substances. These three defendants also face charges in Germany.

Signs of the dark market seizure first appeared Thursday when WSM’s site was replaced by a banner saying it had been seized by the German Federal Criminal Police Office (BKA).

The seizure message that replaced the homepage of the Wall Street Market on May 2.

Writing for ZDNet’s Zero Day blog, Catalin Cimpanu noted that “in the midst of all of this, one of the site’s moderators – named Med3l1n – began blackmailing WSM vendors and buyers, asking for 0.05 Bitcoin (~$280), and threatening to disclose to law enforcement the details of WSM vendors and buyers who made the mistake of sharing various details in support requests in an unencrypted form.”

In a direct message sent to my Twitter account this morning, a Twitter user named @FerucciFrances who claimed to be part of the exit scam demanded 0.05 bitcoin (~$286) to keep quiet about a transaction or transactions allegedly made in my name on the dark web market.

“Make it public and things gonna be worse,” the message warned. “Investigations goes further once the whole site was crawled and saved and if you pay, include the order id on the dispute message so you can be removed. You know what I am talking about krebs.”

A direct message from someone trying to extort money from me.

I did have at least one user account on WSM, although I don’t recall ever communicating on the forum with any other users, and I certainly never purchased or sold anything there. Like most other accounts on dark web shops and forums, it was created merely for lurking. I asked @FerucciFrances to supply more evidence of my alleged wrongdoing, but he has not yet responded.

The Justice Department said the MED3LIN moniker belongs to a fourth defendant linked to Wall Street Market — Marcos Paulo De Oliveira-Annibale, 29, of Sao Paulo, Brazil — who was charged Thursday in a criminal complaint filed in the U.S. District Court in Sacramento, California.

Oliveira-Annibale also faces federal drug distribution and money laundering charges for allegedly acting as a moderator on WSM who, according to the charges, mediated disputes between vendors and their customers, and acted as a public relations representative for WSM by promoting it on various sites.

Prosecutors say they connected MED3LIN to his offline identity thanks to photos and other clues he left behind online years ago, suggesting once again that many alleged cybercriminals are not terribly good at airgapping their online and offline selves.

“We are on the hunt for even the tiniest of breadcrumbs to identify criminals on the dark web,” said McGregor W. Scott, United States Attorney for the Eastern District of California. “The prosecution of these defendants shows that even the smallest mistake will allow us to figure out a cybercriminal’s true identity. As with defendant Marcos Annibale, forum posts and pictures of him online from years ago allowed us to connect the dots between him and his online persona ‘Med3l1n.’ No matter where they live, we will investigate and prosecute criminals who create, maintain, and promote dark web marketplaces to sell illegal drugs and other contraband.”

A copy of the Justice Department’s criminal complaint in the case is here (PDF).

Cyber News Rundown: FBI Phishing Scam


“FBI Director” Phishing Campaign

A new email phishing campaign has been making its way around the web that claims to be from “FBI Director Christopher Wray,” who would love to assist with a massive wire transfer to the victim’s bank account. Unfortunately for anyone hoping for a quick payday, the $10 million check from Bank of America won’t be arriving anytime soon, unless they are willing to enter more personal information and send it to a Special FBI agent using a Yahoo email address. While most phishing campaigns use scare tactics to scam victims, taking the opposite approach of offering a large payout seems less likely to get results.

Magecart Skimming Script Works on Dozens of Sites

Following the many Magecart attacks of recent years, a new payment skimming script has been found that allows attackers to compromise almost any online checkout page without the need to customize it for the specific site. The script currently works on 57 unique payment card gateways from around the world and begins injecting both the loader and the exfiltration script when it finds the keyword “checkout” in the address bar.

Scammers Target Google Search Ads

Scammers are now turning to Google Ads to post fake phone numbers, posing as customer support for popular websites such as eBay and Amazon. These phone scammers will often tell those who call that there is something wrong with their account and ask for a Google Play gift card code before they can help. The ads look legitimate, which confuses those who call the phony numbers listed.

Citycomp Data Dumped After Blackmail Attempt

Shortly after discovering that their systems had been breached, Citycomp announced they would not be paying a ransom for a large chunk of stolen client data. Unfortunately for Citycomp, the hackers decided to make the data publicly available after not receiving their requested $5,000. Amongst the stolen data is financial and personal information for dozens of companies for which Citycomp provides infrastructure services, though it may only be an initial dump and not the entire collection.

Email Scam Robs Catholic Church of Over $1.7 Million

The Saint Ambrose Catholic Parish in Ohio recently fell victim to email scammers who took nearly $2 million from the church currently undergoing a major renovation. The scammers targeted monthly transactions made between the church and the construction company by providing “updated” bank information for the payments and sending appropriate confirmations for each transfer. The church was only made aware of the breach after the construction company called to inquire about two months of missing payments.

The post Cyber News Rundown: FBI Phishing Scam appeared first on Webroot Blog.

What is Phishing? Find Out with Gary Davis on the Latest Episode of Tech Nation on NPR

Gary Davis will now be a regular contributor on the Tech Nation podcast! In this episode, Gary Davis explains that phishing is more than just an innocent-looking email in your inbox and shares tips to avoid getting hooked.

Moira Gunn:   00:00   I’m Moira Gunn, you’re listening to Tech Nation.

Moira Gunn:   00:06   I was surprised to learn that on the internet nearly three quarters of all cyber attacks start with what’s called a phishing email, or should we say, a fishy email. I was able to speak with regular Tech Nation contributor Gary Davis, the Chief Consumer Security Evangelist at McAfee.

Moira Gunn:   00:26   Now we always hear about phishing.

Gary Davis:     00:27   Yeah.

Moira Gunn:   00:28   It’s P-H-I-S-H-I-N-G.

Gary Davis:     00:31   Yes.

Moira Gunn:   00:32   Phishing.

Gary Davis:     00:33   Phishing with a “p”

Moira Gunn:   00:34   Not like “gone fishing”.

Gary Davis:     00:35   It’s not like gone fishing, but it’s very similar. If you think about how we fish, we put the … The concept is, let’s put a lot of lines in the water and see if we can snag a fish, right?

Moira Gunn:   00:45   Yeah.

Gary Davis:     00:45   So, it’s conceptually fishing, but it’s a different type of fishing.

Moira Gunn:   00:49   It’s phishing for you.

Gary Davis:     00:50   Yes. It’s phishing for the bad guys.

Moira Gunn:   00:52   71% of all cyber attacks start with a phishing email?

Gary Davis:     00:56   Yeah. Yeah. You know, phishing preys on, uh, our nature to, to act on email, right? We get an email, um, and, and quite honestly for, for your listeners, the, where phishing is usually most effective, targeting organizations in particular, is sending something to HR. HR is expecting to get resumes for candidates who are applying for jobs, right? More often than not, those include some sorta malicious payload which will allow them to get behind your firewall, then do something malicious in your company.

Gary Davis:     01:32   So, that’s one of the more popular techniques for, for accessing and trying to get inside a company, but yeah it just, phishing, 71% because, they know what works. They know that, that, that if they write it well enough and it looks like it’s from somebody you know and trust, that you’re gonna do the action they’re looking for, which is gonna la- enable them to get access to the information they’re trying to get access to.

Moira Gunn:   01:56   And, the initial thing they may have asked you for may not seem all that big, like, “Give us all your money,” or-

Gary Davis:     02:03   Yeah.

Moira Gunn:   02:03   “Give us all your passwords,” or, “Give us all your account,” or, “Just click here and we can resolve a fairly benign situation.”

Gary Davis:     02:11   Yeah.

Moira Gunn:   02:11   “Like we need to update the, the month and data on your credit card,” ’cause that frequently happens.

Gary Davis:     02:17   Yeah, yeah.

Moira Gunn:   02:18   You know, that your, your, your, you get a new credit card after a few years, it’s the same everything, it’s just the month and date ab- I was like, “Oh yeah. I guess so, I guess we need to … ”

Gary Davis:     02:26   Yeah.

Moira Gunn:   02:28   And it’s accounting, it’s accounting, from this global firm.

Gary Davis:     02:29   Yeah.

Moira Gunn:   02:31   You know, emailing me and saying you need to update it.

Gary Davis:     02:32   It happened to me a couple of weeks ago. I w- I was in Greece, and I was, went to the, I was staying in the Hilton there, and, you know, the, even though I’d paid using points, they said, “Well, we need a credit card for incidentals.” And they had my credit card on file. Well, typically I’m using a different credit card for, ’cause it’s usually company related, and since I was using points, I was putting it on my personal card. And, and after a little while, they call me, “Hey, look your credit card’s not working.” What do you mean it’s not working?

Gary Davis:     02:59   And, come to find out after I called my bank, it, it’d been such a long time since I accessed the application. You’re right, I got a new credit card, new, uh, expiration date, and I hadn’t updated it. But you’re right, it would be very benign to get, “Oh yeah, I do use that service, um, I should go and change it.” But that’s where d- you, this is where we, we need to change our behaviors, because instead of clicking on that email and just blindly following wherever it leads me, if I was to think, “Well geez, I need to go change my, um, my, my expiration date for Hilton.” I went to my Hilton app, opened that up and changed it in there, instead of trying to follow a link.

Moira Gunn:   03:37   So, they come at you and it’s valid, you have, what you do is you go around the other way-

Gary Davis:     03:43   Exactly.

Moira Gunn:   03:43   Have your own access, in the old days you’d say, “I’m gonna go and see the lady at the bank.”

Gary Davis:     03:46   (laughs)

Moira Gunn:   03:48   “Or the gentleman at the bank.” And now it’s like, no no, don’t go through what informs you-

Gary Davis:     03:53   Exactly.

Moira Gunn:   03:54   Whatever you do.

Gary Davis:     03:55   You think about it, e- every month we get a statement from our bank, right? And I get one from my bank, and, and I am 99.9% sure that that’s a good email. But I have trained myself not to click on that email. Instead I’ll go to my, I’ll login into my bank account, and I’ll look at my account there, because I just, I’ve conditioned myself not to click on links and email. Even if you think it’s from a known good source, because you just never know, that the bad guys are getting so good, it’s what’s called “spoofing”, where you think it’s coming from an organization but they, they’ve changed something ever so slightly that you’re going to someplace you shouldn’t be going.

Gary Davis:     04:33   So, if, if you can just teach yourself or train yourself, when you, when you get an email and you think it’s legitimate and you’re expecting it, and it’s from somebody you’d expect to get a notification from, instead of acting on the email, go directly to the source and interact that way. It’s gonna save you potentially a lot of heartache.

Moira Gunn:   04:51   And to make matters even worse, there’s different kinds of phishing.

Gary Davis:     04:54   Yeah.

Moira Gunn:   04:55   Spear phishing, whale phishing, all have-

Gary Davis:     04:58   Smishing.

Moira Gunn:   04:58   Shmishing.

Gary Davis:     04:58   (laughs)

Moira Gunn:   05:00   Oh my goodness. Okay, let’s go down through them in any order you would like.

Gary Davis:     05:03   Right. Well, well smishing is probably the most, well regular phishing is, is, is simple as sending a bunch of emails out en masse, hoping that somebody’s gonna, you know, take your bait. Um, smishing is actually when they’ll send it to your phone via an SMS or text message. So, imagine getting some sort of account information to your phone, which is not that unlikely. I, almost every place I go now-

Moira Gunn:   05:25   Your, your bill is due.

Gary Davis:     05:26   Yeah, yeah. You click here to pay. “Oh okay, I’m gonna click on it ’cause I, I’m expecting it.” So, getting it on your phone, that’s called smishing. Uh, spear phishing is where you actually do what’s called social engineering, or you try to collect information about a particular group of people, and then use it to target that group.

Gary Davis:     05:44   You know, a good example is, a couple of years ago the, um, I think it was, uh, one of the NBA teams, they had gotten an email from the owner saying, “Oh, send me your user name and password because we got this special thing we wanna do for you.” Well, so they, “Of course, it’s from our owner, it’s got our logo on it.” And we go ahead and send my user name, password, which of course opened up the, the-

Moira Gunn:   06:06   (laughs)

Gary Davis:     06:06   Door, having everybody going doing whatever they want so, but they used a combination of, you know, you know, techniques that use the imagery and the tone and the social engineer- socially engineered information about the players and organization, to go do something like that.

Gary Davis:     06:24   Another, a subset of spear phishing, it’s called whale phishing, and that’s where you, you tend to focus on a high net worth individual, let’s say the CEO or some high level executive in a company using other techniques. So you, let’s say that, you know, that, that they know that the CEO is on vacation, so they, they send an email, spoof the CFO to somebody else in the organization saying, “Well the CEO told me to do this.” So all these mechanics work using high net worth individuals to go do malicious deeds.

Gary Davis:     06:57   Then there’s other types of, of phishing. There’s search engine phishing, where you would basically put up a, a, a fake search site, in order to direct people to your own search results which would in turn take you to fraudulent pages. So there, there are a variety of different techniques around phishing, all of which has the intent of trying to extract information from you, do something that you wouldn’t otherwise do, and/or in a lot of cases they’re trying to install malware on your device of, of some type.

Moira Gunn:   07:30   Now, in all those cases, I guess you could say what we might call the bleeding heart phishing, that’s out there.

Gary Davis:     07:36   It, it happens more than you might know. Whenever there is a, a major event, let’s say there’s a natural disaster, a, um, you know, we saw a lot of traffic around the Boeing Max Eight, when you had those two crashes and there was a lot of pouring out to help those in need, then they would create these fake sites and to lure people and to give them money. Um, that’s another great example.

Gary Davis:     07:59   Big sporting events, the Super Bowl, the World Cup, all these big sporting events see, um, NCAA tournament, all these events, you know, po- everybody knows, or the, the bad guys know that there’s gonna be a lot of attention given to these, so they’re gonna try to leverage those in order to try to get you to do something you wouldn’t wise- you wouldn’t otherwise do.

Gary Davis:     08:20   But that’s a great point, that you almost always try to tie it to something that’s gonna be on your mind, some sort of pop culture reference, that wouldn’t, that wouldn’t, that would motivate you to go do something. And, it’s just, it’s too bad because, you know, people typically are, are engaging with these because they feel like they genuinely wanna help. And then to know that you’re taking of that, our, our good will, I just, uh, it’s just-

Moira Gunn:   08:46   And it’s perfect because you don’t expect anything back.

Gary Davis:     08:48   Yeah. Yeah.

Moira Gunn:   08:48   It’s not like I bought something, where is it? It’s like-

Gary Davis:     08:52   Exactly. Well, in some cases for example, you may have thought, “Well I’m gonna buy tickets to the game,” or the, whatever, where, when you don’t get the tickets that would be, an, a case where that wasn’t true, but you’re right. When it comes to good will, natural disasters, you know, just relief for things that have gone on in the world, you’re right, you’re not expecting anything in return except the, the, the knowledge that you did something good, and that just, it breaks my heart when I hear about things like that.

Moira Gunn:   09:16   You know, this result pre internet, people have been doing this for a long, long, long time.

Gary Davis:     09:21   Yeah. Yeah. Although, the internet has made it very automatic now. I guess the point is the, the barrier to entry to do this has been dramatically reduced, because it’s, it’s, it doesn’t take that much effort to dupe somebody into giving you money that, that, sh- you sh- shouldn’t otherwise be getting.

Moira Gunn:   09:40   And phishing per se isn’t illegal. It’s when you take money for fraudulent ends, that’s when we get into what’s legal and illegal, right?

Gary Davis:     09:48   Well, but by nature phishing it, you’re, you’re trying to access information that you shouldn’t have access to. So I think it’s, it’s, it’s probably out, call it legally gray, but right, and it’s not until you actually give your credit card to a fraudster and something bad happens that, that you-

Moira Gunn:   10:04   When the bad happens-

Gary Davis:     10:05   Yeah.

Moira Gunn:   10:06   They’ve crossed the line.

Gary Davis:     10:07   Yeah. Then they’ll act on it. I, I remember when my identity was stolen way back in the day, um, I remember the, the, the guy who did it lived up in Pennsylvania someplace. And the way it worked back then is, they would, they got a $20,000 credit card, ringing up $18,000 over the course of two days-

Moira Gunn:   10:26   Wow.

Gary Davis:     10:26   And then the bank decided, “Well, we should go check to make sure that this guy is legit.” And, and what they’d used to do, is they would go to electronic goods stores like Best Buy, and they would buy $18,000 worth of electronic goods, then take it to a different Best Buy for cash back. So that’s how they would cash out the, the value of the credit card, knowing that it had a limited life.

Gary Davis:     10:45   And, I remember I, I got a call once, it was from the, the police department in Pennsylvania saying, “We caught the guy, you know, trying to return your goods.” Or, “The goods he bought with your credit card at a Best Buy.”

Moira Gunn:   10:58   (laughs)

Gary Davis:     10:58   And, and, they, and I said, you know, to go, go get the guy. It’s not, it’s just too much work. So, there, there, it’s really hard to motivate law enforcement, ’cause they got other things they gotta focus on. They’ve got, you know, all these other, y- you know, bad criminals doing, you know, physical harm to, to whomever. That, that they…

Moira Gunn:   11:16   And, and much higher ticket items too.

Gary Davis:     11:18   Yeah.

Moira Gunn:   11:19   You know, when they were looking at it, they might have only been looking at five or $600.

Gary Davis:     11:22   Yeah.

Moira Gunn:   11:22   Because they had to go to a lot of Best Buy’s, buy a lot of stuff-

Gary Davis:     11:26   Yeah.

Moira Gunn:   11:26   Return a lot of stuff, going back and forth, it all is pretty small-

Gary Davis:     11:30   Yeah. Exactly.

Moira Gunn:   11:30   In comparison.

Gary Davis:     11:31   Yeah. It’s, ’cause it, the, the identity thief knew not to try to in- to, to return all to one Best Buy, ’cause then that would be a, even a bigger red flag. But you’re right, if I’m a, if I’m loca- local law enforcement, “Eh, it’s just a couple hundred dollars, well I got, you know, drug dealers I gotta go break up, and bad, other bad things. So I’m gonna go focus on that, and really not focus,” so it’s just, it but, you, that doesn’t make you feel like you’re less of a victim.

Gary Davis:     11:55   Nobody wants to be a victim of scam or identity theft. Nobody ever wants to be a victim. We, we, we empathize with victims, ’cause we can put ourselves in their shoes, and it, and that’s unfortunately one of the challenges in our space is, I think a lot of the reasons why people aren’t better about things like password hygiene and, you know, checking their credit history and stuff like that, is because, well they don’t think it’s gonna happen to them, they think it’s gonna happen to somebody else. And because of that, that can be a little bit more relaxing in what I do.

Moira Gunn:   12:24   And it’s not just, uh, your hygiene, you may not be able to prevent it. I was, I stopped off an interstate and bought a couple of things, uh, ah, and gassed up at a little place, but it wasn’t the, one of the really big ones. Just happened to go in there, it was convenient there.

Gary Davis:     12:41   Yeah.

Moira Gunn:   12:41   And we were kind of in the middle of nowhere. And, for some reason, it didn’t take, put this, put this in again. So I put it in again. So, I thought, “Oh they’re probably gonna double charge me.”

Gary Davis:     12:51   Yeah.

Moira Gunn:   12:52   They didn’t double charge me, they took the card and then here I was in Northern California, and within just a few hours, someone in a, in another gas station in San Antonio, Texas, bought $115 worth of towels, shop towels, (laughs) just-

Gary Davis:     13:13   (laughs)

Moira Gunn:   13:13   Windshield wiper stuff, I mean there was just like, “doo doo doo doo doo… [counting up]

Gary Davis:     13:15   Yeah.

Moira Gunn:   13:16   So, $115 worth of that. I don’t know how I could have stopped that.

Gary Davis:     13:21   Uh, you, you can’t. That’s just it. That they’re, part of this is, y- y- we, we can do all we can do to not be a victim online, but I think a big part of the, the educational process is knowing what to do. You know, in that case, knowing to reach out to our credit card immediately and, and stopping any other transactions and, and going through the process. You’re right. There are things like that, that was probably a skimmer, that probably when they scanned it twice, they probably scanned it once for the gas that you actually bought, and there where, you know, you didn’t see it probably going through a different, um, reader.

Moira Gunn:   13:49   And I actually put it in myself.

Gary Davis:     13:50   Oh really? Okay.

Moira Gunn:   13:52   Put it in, take it out, put it in, take it out.

Gary Davis:     13:53   Hmm.

Moira Gunn:   13:53   Yeah.

Gary Davis:     13:56   You’re right.

Moira Gunn:   13:58   They’re always one step ahead.

Gary Davis:     13:59   Well, the, you know, it, it’s, they’re in it to make money, right? It’s a for profit business for lack of a better word. So, they’re always gonna be trying to figure out more effective ways to dupe people into, to, either dupe people or just take advantage of people without their knowledge, and, and do it for as long as they can.

Gary Davis:     14:15   Imagine if you didn’t quickly catch the fact that you were getting charged for stuff in San Antonio, and it went on for a week or so.

Moira Gunn:   14:21   Yeah.

Gary Davis:     14:21   They would just keep on charging, charging, charging, until, you know, either-

Moira Gunn:   14:25   It said no. (laughs)

Gary Davis:     14:26   Yeah. Well, or, or hopefully your bank would it, would realize, “Well hold on, you just used your card in Northern California,” which you would expect, and now that same card is being used to buy something in San Antonio, that, that would, you would think that your, your bank will-

Moira Gunn:   14:39   She travels fast.

Gary Davis:     14:42   (laughs)

Gary Davis:     14:42   Oh yeah.

Moira Gunn:   14:43   But not that fast.

Gary Davis:     14:43   That’s, that’s-

Moira Gunn:   14:43   There you go.

Gary Davis:     14:43   The hypersonic speed for sure.

Moira Gunn:   14:45   Hypersonic. Gary, always a pleasure. Please come back. See you soon.

Gary Davis:     14:49   I’ll do that. Thanks for having me.

Moira Gunn:   14:50   Tech Nation regular contributor Gary Davis is the Chief Consumer Security Evangelist at McAfee, the website where you can check if your email plus password has been compromised is, have I, that’s the letter I, beenpwned.com. With pawned spelled without an A. That’s P-W-N-E-D. So, it’s haveibeenpwned.com, with pawned spelled P-W-N-E-D. And that link will be on the Tech Nation website also.

Moira Gunn:   15:26   Of course when Gary said it during our conversation, he said, “haveibeenpwned.com.” And yes that’s true. Gary is from Texas, and that’s part of his charm.

Moira Gunn:   15:39   For Tech Nation, I’m Moira Gunn.

The post What is Phishing? Find Out with Gary Davis on the Latest Episode of Tech Nation on NPR appeared first on McAfee Blogs.

Are Your Passwords Secure Enough?

Today, we'll take a deep dive into passwords, including what vulnerabilities weak passwords can open up and how to improve authentication security.

Online passwords are sensitive data. When they end up in the wrong hands, your private information is at risk. Since cybercriminals are always searching out new ways to break into those online accounts, you need to watch over the passwords to your accounts as if they were your children.

Since we typically access our accounts on a daily basis, using browsers and online apps for our banking and shopping, we need to periodically take some time to manage them, to ensure the security and strength of our passwords.

Here are a few tips to help you do that:

  • Create a unique, strong password of sufficient length for each of your online accounts – and change them often, particularly for the accounts you use for transactions.
  • Use a combination of letters, numbers, and symbols to add complexity and strength to the password.
  • Whenever you can, enable a two-factor authentication process in your accounts for added security protection.

To further strengthen your online accounts, you should also use a password manager. Trend Micro Password Manager helps you manage all your online passwords and makes it easy to change them on a regular basis. It delivers your passwords across all your devices—whether they’re PCs, Macs, Android, or iOS devices—generates ultra-secure passwords, and safeguards them with AES 256-bit encryption, to protect them from hackers and crackers.

Used in conjunction with Trend Micro Pay Guard, which is enabled with every installation of Trend Micro Security (which also bundles Trend Micro Password Manager with every subscription of Trend Micro Maximum Security), you’ll be doing your part to protect yourself from the theft of your passwords, particularly on financial and banking websites.


Nearly Half of US Orgs Not Ready for CCPA

In advance of the California Consumer Privacy Act (CCPA) going into effect January 1, 2020, researchers analyzed how prepared US organizations are for the new regulations and found that nearly half of all companies will not be ready to comply with CCPA.

According to research conducted by the International Association of Privacy Professionals (IAPP) and OneTrust, reputation and consumer privacy are the biggest drivers for CCPA compliance, yet only 55% of companies report that they will be ready by the January effective date.

“Our survey targeted a community of well-informed privacy professionals, and even they seem a bit caught off guard by the CCPA,” Rita Heimes, IAPP research director and data protection officer, said in a press release. “Nevertheless, they seem to think it’s not likely to be replaced by a federal law any time soon.”

Though nearly half of those organizations surveyed will not be ready for the initial effective date, an additional 25% claimed they will be in compliance by the enforceable date of July 1, 2020.

“The CCPA is a major moment for the U.S. privacy landscape, and our research reveals companies that didn’t need to overhaul privacy practices for GDPR compliance are now struggling to meet the CCPA’s 2020 deadline,” said Kabir Barday, OneTrust CEO and fellow of information privacy (FIP), in the release.

The report did find a correlation between those organizations that are already in compliance with the EU’s General Data Protection Regulation (GDPR) and their readiness for CCPA to take effect.

“GDPR ‘raised the bar’ for data privacy awareness for companies in the US because the regulation put privacy controls in the hands of the consumer,” said Jonathan Deveaux, head of enterprise data protection at comforte AG. “CCPA is similar in this regard, as the law will require organizations to provide consumers with legal ‘rights’ based on the data collected.

“Part of the lack of confidence in CCPA readiness for many organizations surrounds the use of data. The vast amounts of data collected and used for monetization and business growth have added to the complexity of managing and securing data. Organizations need to determine what kind of data they have, where it is, how they are using it and who has access to it.”

Senate Passed Fed Cyber Workforce Program Act

In an effort to address the cybersecurity skills gap and create a more resourceful and effective cybersecurity workforce, the US Senate has passed the Federal Rotational Cyber Workforce Program Act of 2019.  

In 2017 the Government Accountability Office (GAO) determined that the country’s cyber workforce challenges posed high risk and reported that “the federal government needs to expand its cyber workforce planning and training efforts. Federal agencies need to enhance efforts for recruiting and retaining a qualified cybersecurity workforce and improve cybersecurity workforce planning activities.”

The act, which was unanimously passed on May 1, is intended “to create a rotational cyber workforce program in which Federal employees in cyber workforce positions can be detailed to another agency to perform cyber functions. This program will enable Federal cyber workforce employees to enhance their cyber skills with experience from executing the cyber missions of other agencies.”

Enabling the mobility of cybersecurity practitioners will allow them to serve in various roles across different entities, which Keenan Skelly, VP of global partnerships at Circadence, said is critical in order for this government to address the cybersecurity skills gap that exists not just in the US but globally.

“Allowing cybersecurity professionals to gain experience in multiple agencies, both government and private sector, will strengthen our overall cybersecurity posture,” Skelly said.

An additional goal of the act is to develop cybersecurity skills so that America can maintain its competitive edge in cybersecurity. As such, the act provides that “the United States Government must also recognize and reward the country’s highest-performing cybersecurity practitioners and teams.”  

Because the concept of rewards is often lost in the job of a cyber defender, Skelly said, “we must encourage and recognize those who go above and beyond.   

“The aptitude for cybersecurity lies not only in the technical fields but across the entire workforce. Most of the best cyber defenders I know started life out as something completely different. We need that diversity of thinking and skill, both technical and soft skills, to combat today’s hackers.”

Is Pornhub Safe? How to Browse Adult Websites Securely

This is a question we get asked a lot and one which is floating all over the internet too, especially on discussion forums where people can stay anonymous if they want: Is Pornhub safe? Is it a safe site to enter? We decided to address it here since we’d rather let people get their facts straight on cybersecurity directly from the industry instead of scraping for half-truths around the web.

So, is Pornhub safe to browse? What should you do and not do when browsing Pornhub? What are the cybersecurity risks associated with browsing Pornhub? Can you get viruses into your computer? How about malware? What about other adult websites, how safe are those?

What can you do to protect your computer when accessing Pornhub or other adult content websites? How about your privacy, who can see what sites you are browsing and how can you hide your activity?

We’ll answer all these questions and more, right below. Keep scrolling and learn how to stay safe when browsing Pornhub and other adult websites.

Is Pornhub safe to browse for your cybersecurity?

The short answer is that no, Pornhub is not completely safe to browse however and whenever you like without taking some necessary precautions. That doesn’t mean that Pornhub is a malware or cybercriminal hub bent on harming its users on purpose, quite the contrary. However, there are risks associated with browsing Pornhub that are beyond the website’s control.

Given that its popularity is so high (there were over 33.5 billion visits to Pornhub last year, according to the website’s official data) and that in many cases its visitors are not necessarily tech-savvy, it’s no wonder that Pornhub can attract cybercriminals bent on using this opportunity.

As we said, Pornhub in itself is safe and strives to stay that way, as a huge business employing lots of tech people tasked to keep the website primed. But you can still become a target for cybercriminal groups and hackers while visiting Pornhub and other adult-themed websites (especially less popular ones, with less developed security policies). This is mostly due to the ads displayed on the porn website, over which the website has little control.

Unfortunately, the prevalence of malware on porn websites is very high. According to security researcher Conrad Longmore, there’s a 53% chance of encountering malware while browsing Pornhub. Of course, security employees from Pornhub and similar websites are doing their best to keep it safe for their users and catch malware as fast as possible. But the truth remains that porn sites are still one of the most popular destinations for hackers and uploaders of malicious code.

What Are the Main Cybersecurity Risks of Pornhub?

What can these cybercriminals targeting the visitors of porn sites be after? What are the main risks you are exposed to while browsing?

#1. Computer viruses (Trojans)

Well, for one, to infect your computer with viruses. While the vast majority of viruses you can contract this way are mostly harmless, they can still slow your system down significantly, as well as serve as a gateway for more dangerous stuff. The viruses most commonly found in ads displayed on porn websites are, for the most part, Trojans.

Such viruses don’t pose a huge security risk by themselves, but they can make your computer slower, as well as create more vulnerabilities in your system, which can then be exploited to bring in more dangerous malware.

#2. Adware

Another type of unwanted software you can get from the ads displayed on Pornhub or similar websites is adware. This means that once it takes root in your computer, it will cause more ads and spammy content to be displayed to you even when you’re no longer browsing Pornhub.

This is not just annoying (it can also slow down your system); it can also infringe on your privacy, since the ads may be adult-content related. If you share your computer with other family members, you probably don’t want indecent ads popping up when other people are using the device.

#3. Malware or Spyware

Other types of malware which you can contract from clicking ads on Pornhub or similar sites are more dangerous. The cybercriminals behind them can be after your data, and considering the nature of the content you are browsing, this can be very sensitive data related to the type of adult content you are interested in, your online behavior and so on.

Sextortion scams are very common. This is when you get an email from hackers claiming to have installed spyware into your computer and filmed you while you were browsing adult websites, recording also everything you have watched and so on. They will also tell you that unless you send them money, they will send this data to your employer, family, friends and so on.

For the most part, these claims are bogus and the hackers are just fishing for users gullible or scared enough to pay, in order to make some easy money. But in some cases, they may be real. Don’t take that chance: make sure you stay safe, first and foremost by having your device protected by a reliable anti-malware solution.

How Safe Are Other Adult Content Websites?

What about other adult websites, besides Pornhub? Are their security risks the same?

Well, for the most part, we should stress again that Pornhub is still overall safe-ish. It’s the content from third parties (ads) that you need to be wary of. The same risks from ads are also true for every other adult-themed site out there, especially those who allow publishers to stream their own content (the ‘tube’ type of porn websites).

This is because such websites make money from allowing advertisers to run embedded ads from traffic networks. In many cases, this embedded content has malicious code included in it. While the host website (the porn website running these ads) removes all ads containing malicious scripts, it can take a while for these risky ads to get detected.

But in the case of lesser-known websites, with fewer employees and less of a security apparatus in place, the risks may actually be greater than with Pornhub. If another website you’d like to browse is also a huge, well-known one with millions of users, the risks are probably about the same.

If we’re talking about obscure porn websites, then not only are they more likely to be infected with malware from third parties (advertisers), but they may also be a front for cybercrime in themselves.

How to Protect Your Privacy when Browsing Pornhub?

The issue of safety has two aspects: protecting yourself from viruses, extortion, hackers, and so on, rounded up under the umbrella term ‘cybersecurity’ and the second issue of protecting your privacy from everyone around you.

Let’s start by addressing privacy first.

You may be tempted to browse Pornhub incognito to make sure no one but you knows about it. While this can be a partial solution (not to store search history, cookies and so on), incognito browsing is not really private.

Major browsers like Google Chrome and Mozilla Firefox are very upfront about this whenever you open a new incognito window.

browser incognito message

If your main concern is to prevent the people you live with or share a computer with from finding traces of your online activity, then incognito browsing is ok. But your internet service provider or your employer (if you ever get the bright idea of accessing such websites from your workplace’s network) can still find out the list of domains which got accessed from your computer. If people with access to your home network are a bit tech-savvy, they can figure it out too.

Also, as mentioned above, ads are one of the main sources of malicious code on porn websites. While a Chrome extension that works like an ad blocker can keep some of the risk at bay, you should know that ad blockers tend to be automatically disabled once you enter incognito browsing mode. You can manually set exceptions to ensure ad blockers work for incognito browser tabs too, but you need to do a bit of tinkering with it.

What else should you remember about your privacy when browsing Pornhub or other porn websites?

Even while browsing incognito, the website you are browsing will still collect some data about you via cookies. This is entirely normal and, in theory, protects your anonymity (they just store data about user statistics but without personally identifiable information). But if they ever get hacked, or if you install malicious software by clicking on ads while browsing, this data could be at risk of being misused or used to identify you.

The only thing which can completely protect your anonymity while browsing Pornhub and other adult websites is a VPN service. Lots of users opt for one in order to stay more anonymous online.

As for the issue of cybersecurity on adult websites as a whole, beyond privacy, here’s how you can make Pornhub browsing safe.

How to Access Pornhub Safely: 5 Tips

First and foremost, learn more about the dangers of the internet and about strengthening your online safety as a whole. It’s never too late to start educating yourself in cybersecurity for laymen. Just being here and reading this guide to Pornhub safety is a great start.

But beyond being simply aware of online risks, here’s what else you can do to stay safe while browsing Pornhub or other adult websites.

#1. Up your protection with a good anti-malware solution

This should be obvious, but to make sure you stay safe from any malware danger, you need to have active next-generation anti-virus software. A product like our Thor Vigilance is trained to prevent the latest type of intelligent threats and protect your privacy as well.

#2. Go for a traffic filter-based security product (it’s a must!)

Next, and more importantly, traffic filtering is the advanced type of protection you most definitely need. This is especially true if you sometimes browse potentially risky websites like adult-themed ones.

In today’s cybersecurity age, when the methods of hackers are getting more and more sophisticated, traditional anti-virus is not enough anymore. An anti-virus, no matter how good it is, reacts to known threats once they already reach your system. If you’re dealing with an APT (advanced persistent threat) this may be too late.

But a traffic filtering solution, like our Thor Foresight, is based on AI and can intelligently detect threats before they reach your system. Such protective software actively scans incoming traffic and blocks malicious code before it gets a chance to target you. This way, even if you accidentally click on a malicious ad while browsing Pornhub, you’re still safe.

#3. Don’t click on ads while browsing Pornhub

Speaking of ads on Pornhub or other adult websites, don’t click them. While some may be harmless, this is where the dangers associated with porn websites are usually hidden. If you really wish to support your favorite porn website, you can find other ways to do that (like signing up for a premium subscription, for example).

#4. Don’t download anything from adult websites or related pop-ups

If the ads displayed on Pornhub and porn websites, in general, are truly malicious, they will probably try to convince you to download something. They will promise you some more HD content completely free of charge or something similar, on condition that you install some no-name video player, etc. Don’t fall for this trap!

The software such ads are asking you to install is most likely spyware or malware. Don’t install anything and close all browser windows immediately if you are prompted to start a download.

#5. Don’t buy anything (or enter credit card info) from 3rd parties

Under no circumstances should you enter your credit card info while browsing less-known, shady porn websites. You can buy a subscription from the major adult website you are browsing (like Pornhub and similar sites) if you want, this is safe.

But if you start browsing the independent websites of publishers or other websites you reached starting from your initial browsing, be mindful not to enter any sensitive information like credit card data. You may be tempted by a special access offer (either for a major discount or completely free, but only if you create a member account, which also asks for credit card info). Don’t fall for it!

The post Is Pornhub Safe? How to Browse Adult Websites Securely appeared first on Heimdal Security Blog.

Credit Union Sues Fintech Giant Fiserv Over Security Claims

A Pennsylvania credit union is suing financial industry technology giant Fiserv, alleging that “baffling” security vulnerabilities in the company’s software are “wreaking havoc” on its customers. The credit union said the investigation that fueled the lawsuit was prompted by a 2018 KrebsOnSecurity report about glaring security weaknesses in a Fiserv platform that exposed personal and financial details of customers across hundreds of bank Web sites.

Brookfield, Wisc.-based Fiserv [NASDAQ:FISV] is a Fortune 500 company with 24,000 employees and $5.8 billion in earnings last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions.

In August 2018, in response to inquiries by KrebsOnSecurity, Fiserv fixed a pervasive security and privacy hole in its online banking platform. The authentication weakness allowed bank customers to view account data for other customers, including account number, balance, phone numbers and email addresses.

In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union, a comparatively tiny financial institution with just $38 million in assets. Bessemer said it was moved by that story to launch its own investigation into Fiserv’s systems, and it found a startlingly simple flaw: Fiserv’s platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.

Bessemer claims Fiserv’s systems let anyone reset a customer’s online banking password just by knowing their SSN and account number.

Recall that in my Aug 2018 report, Fiserv’s systems were exposing online banking account numbers for its customers. Thus, an attacker would only need to know a target’s SSN to reset that customer’s password, according to Bessemer. And that information is for sale in multiple places online and in the cybercrime underground for a few bucks per person.

Bessemer further alleges Fiserv’s systems had no checks in place to prevent automated attacks that might let thieves rapidly guess the last four digits of the customer’s SSN — such as limiting the number of times a user can submit a login request, or imposing a waiting period after a certain number of failed login attempts.

The lawsuit says the fix Fiserv scrambled to put in place after Bessemer complained was “pitifully deficient and ineffective:”

“Fiserv attempted to fortify Bessemer’s online banking website by requiring users registering for an account to supply a member’s house number. This was ineffective because residential street addresses can be readily found on the internet and through other public sources. Moreover, this information can be guessed through a trial-and-error process. Most alarmingly, this security control was purely illusory. Because some servers were not enforcing this security check, it could be readily bypassed.”
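As an added example (not code from the article, Fiserv or Bessemer), here is the kind of server-side throttle the lawsuit says was missing for a "reset by account number plus SSN last four" flow: failed attempts are counted per account, a waiting period is imposed after a handful of failures, and the check lives in one component that every front end must call, so no server can quietly skip it. All account numbers, SSN digits and class names are constructed for the demo.

```python
import hmac
from dataclasses import dataclass

MAX_FAILURES = 5            # failed guesses allowed before the account is locked for resets
LOCKOUT_SECONDS = 15 * 60   # waiting period imposed once the limit is hit


@dataclass
class ResetState:
    failures: int = 0
    locked_until: float = 0.0   # clock value at which the lockout expires


class FakeClock:
    """Controllable clock so the waiting period can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ResetGuard:
    """Throttle for a password-reset flow keyed on account number + SSN last four.

    Every reset request, from every front-end server, has to go through attempt_reset;
    enforcing the check in one place avoids the "some servers were not enforcing this
    security check" failure the lawsuit describes.
    """

    def __init__(self, records: dict[str, str], clock) -> None:
        # records maps account number -> SSN last four (constructed sample data;
        # a real system would look this up in its member database).
        self._records = records
        self._state: dict[str, ResetState] = {}
        self._clock = clock

    def attempt_reset(self, account_number: str, ssn_last4: str) -> str:
        """Return 'locked', 'denied' or 'allowed' for one reset attempt."""
        now = self._clock()
        state = self._state.setdefault(account_number, ResetState())
        if now < state.locked_until:
            return "locked"            # refuse even a correct value during the waiting period
        expected = self._records.get(account_number, "")
        # Constant-time comparison; an unknown account always fails, so the response
        # text does not reveal whether the account number exists.
        if expected and hmac.compare_digest(expected.encode(), ssn_last4.encode()):
            state.failures = 0
            return "allowed"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
        return "denied"


def lockout_demo() -> dict[str, object]:
    """Show the throttle biting: sequential guessing of the last four digits is cut off
    after MAX_FAILURES attempts, the correct value is refused during the lockout, and it is
    accepted again only once the waiting period has elapsed."""
    clock = FakeClock()
    guard = ResetGuard({"10004321": "7391"}, clock)      # constructed account / SSN digits
    guesses = [guard.attempt_reset("10004321", f"{i:04d}") for i in range(MAX_FAILURES)]
    during_lockout = guard.attempt_reset("10004321", "7391")
    clock.advance(LOCKOUT_SECONDS + 1)
    after_lockout = guard.attempt_reset("10004321", "7391")
    unknown_account = guard.attempt_reset("99999999", "7391")
    return {
        "guesses": guesses,
        "during_lockout": during_lockout,
        "after_lockout": after_lockout,
        "unknown_account": unknown_account,
    }


if __name__ == "__main__":
    print(lockout_demo())
```

Throttling only limits the damage; the underlying weakness is treating an account number and four SSN digits, both obtainable by others, as if they were secrets.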

Bessemer says instead of fixing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued it a “notice of claims,” alleging the credit union’s security review of its own online banking system gave rise to civil and criminal claims.

The credit union says Fiserv demanded it not disclose information relating to the security review to any third parties, “including Fiserv’s other clients (who presumably were affected with the same security problems at their financial institutions) as well as media sources.”

Fiserv did not immediately respond to requests for comment. But Fiserv spokesperson Ann Cave was quoted in several publications saying, “We believe the allegations have no merit and will respond to the claims as part of the legal process.”

Charles Nerko, the attorney representing Bessemer in the lawsuit, said to protect the credit union’s members, the credit union is replacing its core processing vendor, although Nerko would not specify where the credit union might be taking its business.

According to FedFis.com, Fiserv is by far the top bank core processor, with more than 37 percent market share. And it’s poised to soon get much bigger.

In January 2019, Fiserv announced it was acquiring payment processing giant First Data in a $22 billion all-stock deal. The deal is expected to close in the second half of 2019, pending an antitrust review by the U.S. Justice Department.

That merger, should it go through, may not bode well for Fiserv’s customers, argues Paul Schaus of American Banker.

“Banks should take this trend as a warning sign,” Schaus wrote. “Rather than delivering new innovations that banks and their customers crave, legacy vendors are looking to remain relevant by acquiring existing products and services that expand their portfolios into new areas of financial services. As emerging technologies grow more critical to everyday business, these legacy vendors, which banks have deep longstanding relationships with, likely won’t be on the leading edge in every product or channel. Instead, financial institutions will need to seek out newer vendors that have deeper commitments and focus in cutting-edge technologies that will drive industry change.”

Authorities shut down major darknet marketplaces: the Wall Street Market and Valhalla

German police have shut down one of the world’s largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested its operators.

The German police, with the support of Europol, Dutch police and the FBI, have shut down one of the world’s largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested the three operators allegedly running it. The three German suspects were arrested on April 23 and 24 in the states of Hesse, Baden-Wuerttemberg and North Rhine-Westphalia.

The operation also led to the arrest of two major suppliers of illegal narcotics in the United States.

The operation against the Wall Street Market started earlier this year after Finnish authorities also shut down another black marketplace, the Silkkitie market (aka the Valhalla marketplace). Many Finnish narcotics sellers moved to the Wall Street Market.

“The German Federal Criminal Police (Bundeskriminalamt) shut down the Wall Street Market, under the authority of the German Public Prosecutor’s office. They were supported by the Dutch National Police (Politie), Europol, Eurojust and various US government agencies (Drug Enforcement Administration, Federal Bureau of Investigation, Internal Revenue Service, Homeland Security Investigations, US Postal Inspection Service, and the US Department of Justice).” reads a press release published by Europol.

“The Silkkitie (known as the Valhalla Marketplace) and its contents were also seized by Finnish Customs (Tulli) in close cooperation with the French National Police (La Police Nationale Française).”

The Wall Street Market marketplace was considered one of the most important points of aggregation in the cybercrime underground for trading in cocaine, heroin, cannabis and amphetamines as well as digital goods (i.e. stolen data, malware, and fake documents).

The Tor-based marketplace had more than one million registered accounts, more than 5,000 registered sellers and more than 60,000 sales offers.

“The illegal platform was exclusively accessible via the Tor network in the so-called Darknet and aimed at international trade in criminal goods.” continues Europol. “Most recently, more than 63 000 sales offers were placed on the online marketplace and more than 1 150 000 customer accounts and more than 5 400 sellers registered. For payment, the users of the online marketplace used the crypto currencies Bitcoin and Monero. The alleged marketplace officials are said to have received commission payments of 2 to 6 percent of the sales value for the settlement of illegal sales of the platform.”

The anonymity of payments was ensured by using the Bitcoin and Monero cryptocurrencies. It was a lucrative business for the Wall Street Market operators, who kept a fee of two to six percent of the sales value for themselves.

German authorities seized over €550 000 in cash and cryptocurrencies worth millions; the police also seized several vehicles and, of course, computers and data storage.

Behind this latest success against cybercrime is a dedicated Dark Web Team established by Europol that works together with EU partners and law enforcement across the globe.

The team delivers a complete, coordinated approach for:

  • sharing information;
  • providing operational support and expertise in different crime areas;
  • developing tools, tactics and techniques to conduct dark web investigations;
  • identifying threats and targets. 

“A shared commitment across the law enforcement community worldwide and a coordinated approach by law enforcement agencies has once again proved their effectiveness.” concludes Europol. “The scale of the operation at Europol demonstrates the global commitment to tackling the use of the dark web as a means to commit crime.”

Pierluigi Paganini

(SecurityAffairs – Wall Street Market, hacking)

The post Authorities shut down major darknet marketplaces: the Wall Street Market and Valhalla appeared first on Security Affairs.

This Week in Security News: BEC Attacks and Botnet Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the prevalence and impact of BEC attacks. Also, find out how botnet malware can perform remote code execution, DDoS attacks and cryptocurrency mining.

Read on:

Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers

Trend Micro discovered a new technical support scam (TSS) campaign that makes use of iframe in combination with basic pop-up authentication to freeze a user’s browser. 

Cybersecurity Pros Could Work for Multiple Agencies Under Bill Passed by Senate

Skilled federal cybersecurity workers could be rotated among civilian agencies under bipartisan legislation the Senate passed to help fill specific gaps in the workforce. 

New Cybersecurity Report Warns CIOs — ‘If You’re Breached Or Hacked, It’s Your Own Fault’

A new cybersecurity survey conducted by endpoint management specialists 1E and technology market researchers Vanson Bourne questioned 600 IT operations and IT security decision-makers across the U.S. and U.K., and found that 60% of the organizations had been breached in the last two years and 31% had been breached more than once.

AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining

Trend Micro’s honeypot sensors detected an AESDDoS botnet malware variant exploiting a server-side template injection vulnerability in a collaboration software program used by DevOps professionals. 

U.K. Prime Minister Theresa May Fires Defense Secretary Gavin Williamson Over Huawei Leak

British Prime Minister Theresa May fired Defense Secretary Gavin Williamson, saying he leaked sensitive information surrounding a review into the use of equipment from China’s Huawei Technologies Co. in the U.K.’s telecoms network. 

This Hacker Is Selling Dangerous Windows 0-Day Hacks For Past 3 Years

A report by ZDNet has revealed that a mysterious hacker has been selling Windows zero-day exploits to the world’s most notorious cybercrime groups for the past three years. At least three cyber-espionage groups, also known as Advanced Persistent Threats (APTs), are regular customers of this hacker.

Docker Hub Repository Suffers Data Breach, 190,000 Users Potentially Affected

In an email sent to their customers on April 26, Docker reported that the online repository of their popular container platform suffered a data breach that affected 190,000 users. 

IC3: BEC Cost Organizations US$1.2 Billion in 2018

In the recently published 2018 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), the agency states that in 2018 alone, it received 20,373 BEC/email account compromise (EAC) complaints that racked up a total of over US$1.2 billion in adjusted losses. 

Trend Forward Capital’s First Startup Pitch Competition in Dallas

Trend Forward Capital, in a partnership with Veem, is bringing its Forward Thinker Award and pitch competition to Dallas on May 20. 

BEC Scammers Steal US$1.75 Million From an Ohio Church

The Saint Ambrose Catholic Parish in Brunswick, Ohio was the victim of a BEC attack when cybercriminals gained access to employee email accounts and used them to trick other members of the organization into wiring the payments into a fraudulent bank account. 

Cybersecurity Experts Share Tips And Insights For World Password Day

May 2 is World Password Day. World Password Day falls on the first Thursday in May each year and is intended to raise awareness of password best practices and the need for strong passwords. 

Confluence Vulnerability Opens Door to GandCrab

A vulnerability in a popular devops tool could leave companies with a dose of ransomware to go with their organizational agility, according to researchers at Trend Micro and Alert Logic.

Were you surprised by the amount of business email compromise complaints the FBI received in 2018? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


The 5 Steps to Ensure Cloud Security

According to CSO, more than 80% of enterprises have adopted two or more public cloud infrastructure providers, and nearly two-thirds are using three or more. Those in IT who are moving to the cloud are equally concerned by the security threats. Time is precious. With the rapid migration to the cloud, organizations need to be on the front foot against the potential threats arising from any weaknesses in a cloud environment.

Cloud security refers to a set of policies, procedures, and technologies working together to protect cloud-based systems. The objective is to protect data and privacy and to lay down authentication rules for users and devices.

Software related to cloud security can be configured to the exact needs of the business. It can be managed in a manner to streamline IT operations. It also allows the focus to be directed to other critical tasks.

To date, nearly 96 percent of organizations use cloud computing, says CIO. At the same time, threats to security have increased manifold, and so has their cost: as reported in Forbes, the global average cost of a data breach is $3.86 million. As moving to the cloud becomes mandatory, cloud security must evolve at the same pace.

If organizations do not prioritize security and don’t recognize the value of system integrity monitoring software, they will pay a heavy price. Proactive IT managers, however, know they must give a cloud environment the protection that it needs.

The following points about cloud security are key that everyone — from engineers to CSOs — should embrace:

1. Security Strategies

Cloud providers deliver a robust front line, but some organizations may need additional security and compliance measures. Another advantage of such tools is that they can dramatically shorten the time between critical security audits, from yearly or quarterly to monthly, weekly, or even daily, to identify and address any holes before they become exploitable. Incident reports can reveal underlying system weaknesses. How often integrity monitoring is necessary is up to your discretion; scans can be scheduled or performed on demand to find any security gaps.

2. Defend Against APTs

Conventional security tools and practices such as antivirus and firewalls may not be enough to stop a breach from occurring in the cloud without additional processes in place. Advanced persistent threats (APTs) are real, and they become harder to detect as the depth of the cloud environment increases, but there are characteristics that can help identify an APT.

3. Detecting and Minimizing Risk

It’s critical to cut down on risk when, on average, IT downtime is estimated at $100,000 an hour. One of the best ways to keep your cloud secure is to plan for the worst-case scenario: how quickly data can be made available again and, finally, whether there is a way to prevent the disaster from occurring in the first place.

A cloud disaster recovery plan can save the day, especially when system files are of concern. Truly protecting your endpoints and data assets requires the ability to remediate incidents as soon as they are detected.

4. Cloud Vulnerabilities

Whether data is in the cloud or on a local system, the security solutions still need to be managed and configured. Even as security budgets rise, attacks keep growing. Vulnerabilities should not be ignored.

Vulnerabilities can include data backup issues, application security, excessive access, user tracking, and perennial password credential concerns. As additional devices and applications are included within an organization’s enterprise, CISOs may need additional tools to help assess these vulnerabilities and threats.

A skilled IT team should be tasked to detect and identify any indicators of compromise regarding security.

5. Practicing Good Security Hygiene

Auditing and cleaning your accounts and revoking cloud access from those who should not have it is the first line of defense in intrusion detection. Start with an audit of your cloud privileges and user accounts. No user account should be immune from scrutiny. Users should be given only the permissions required to do their job. Cutting down access can help you avoid unnecessary vulnerabilities and risks.

Related Sources:

Cloud Storage Security Strategy And Risks

How Enterprises Can Combat Cybersecurity Challenges On The Cloud

Cloud-Delivered Cybersecurity

Why You Should Move to Cloud Computing?


Episode 485 – Tools, Tips and Tricks – DuckDuckGo Privacy Essentials

This week’s tools, tips and tricks episode is about an extension from DuckDuckGo. I have talked about DuckDuckGo in previous episodes. This episode talks about the browser extension and how it will make your browsing activity more secure and private. DuckDuckGo App Be aware, be safe. *** Support the podcast with a cup of coffee […]

The post Episode 485 – Tools, Tips and Tricks – DuckDuckGo Privacy Essentials appeared first on Security In Five - Binary Blogger.

New infosec products of the week: May 3, 2019

Trustwave unveils new database security scanning and testing software

Trustwave unveiled Trustwave DbProtect, new database security scanning and testing software that helps organizations better protect critical data assets hosted on-site or by major cloud service providers from advanced threats, configuration errors, access control issues, unauthorized privilege escalation, missing patches and more.

NS1 Flamethrower: Lightweight, open source DNS performance testing tool

NS1 released Flamethrower, a lightweight, configurable open source tool for functional testing, benchmarking, and stress …

The post New infosec products of the week: May 3, 2019 appeared first on Help Net Security.

Cisco addresses a critical flaw in Nexus 9000 switches

Cisco released security patches to address dozens of vulnerabilities in its products, including a critical vulnerability affecting Nexus 9000 switches.

Cisco released security patches to address dozens of vulnerabilities in its products. Among the flaws fixed by Cisco is a critical vulnerability in Nexus 9000 switches that is tracked as CVE-2019-1804 and received a CVSS score of 9.8.


The vulnerability resides in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure Mode Switch Software and it is related to the presence of a default SSH key pair in all devices.

The default SSH key pair could be exploited by an attacker by opening an SSH connection via IPv6 to a targeted device; in this way the attacker would be able to connect to the system with the privileges of the root user.

“A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.” reads the security advisory published by Cisco.

“The vulnerability is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user.”

The flaw is not exploitable over IPv4.

The flaw affects Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode running Cisco NX-OS software release prior to 14.1(1i).
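A version gate of the kind an inventory script would apply against the affected-release statement above, added here as an example (not Cisco's tooling; the Cisco advisory and its software checker remain the authoritative source). The assumption that ACI-mode release strings always have the major.minor(maintenance+letter) shape, and that later patch letters mean later releases, is mine; the hostnames and releases are constructed sample data.

```python
import re

FIXED_RELEASE = "14.1(1i)"   # first fixed release named in the advisory

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)$")


def parse_nxos_aci_version(version: str) -> tuple[int, int, int, str]:
    """Split a release string such as '14.1(1i)' into (major, minor, maintenance, patch).

    Assumption (not from the advisory): ACI-mode releases follow the
    major.minor(maintenance+letter) pattern and, within one maintenance number,
    later patch letters denote later releases, so plain tuple comparison orders them.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS ACI release string: {version!r}")
    major, minor, maint, patch = m.groups()
    return int(major), int(minor), int(maint), patch


def is_affected(version: str) -> bool:
    """True when the running release is older than the first fixed release."""
    return parse_nxos_aci_version(version) < parse_nxos_aci_version(FIXED_RELEASE)


def triage_fleet(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket switch names by patch status for a {hostname: release} inventory.

    Unparseable strings are reported separately rather than silently treated as
    fixed, so a bad inventory entry cannot hide an unpatched switch.
    """
    buckets: dict[str, list[str]] = {"affected": [], "fixed": [], "unparseable": []}
    for host, release in sorted(inventory.items()):
        try:
            buckets["affected" if is_affected(release) else "fixed"].append(host)
        except ValueError:
            buckets["unparseable"].append(host)
    return buckets


# Constructed sample inventory; a real script would pull this from the APIC or
# from 'show version' output.
SAMPLE_INVENTORY = {
    "leaf-101": "13.2(5e)",
    "leaf-102": "14.0(3d)",
    "spine-201": "14.1(1i)",
    "spine-202": "14.1(2g)",
    "lab-leaf": "n/a",
}


if __name__ == "__main__":
    for status, hosts in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```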

Users have to install the software update released by Cisco to address the flaw; no workaround is available.

The good news is that Cisco is not aware of the exploitation of the vulnerability in attacks in the wild.

Cisco also addressed over 20 High severity vulnerabilities affecting the Web Security Appliance (WSA), Umbrella Dashboard, Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, RV320 and RV325 routers, IP Phone 7800 and 8800 Series, Application Policy Infrastructure Controller (APIC) software, and the Nexus 9000 switches.

The list of flaws includes privilege escalation issues, denial of service vulnerabilities and session hijacking bugs.

Pierluigi Paganini

(SecurityAffairs – Cisco Nexus 9000, hacking)

The post Cisco addresses a critical flaw in Nexus 9000 switches appeared first on Security Affairs.

President Trump Signs EO to Bolster Federal Digital Security Workforce

President Trump has signed an executive order (EO) that seeks to bolster the U.S. federal government’s digital security workforce. On 2 May, President Trump authorized the “Executive Order on America’s Cybersecurity Workforce.” This directive sets out various actions designed to strengthen the federal digital security workforce. For instance, it requires the Secretary of Homeland Security […]

The post President Trump Signs EO to Bolster Federal Digital Security Workforce appeared first on The State of Security.

Artificial Intelligence’s Deep Learning, A New Cybersecurity Tool?

Among machine learning developments, deep learning is a major technological breakthrough. With the development of deep learning, programs for enhanced image recognition technology and games including Pokemon Go have come to pass. Advances in artificial intelligence are likely to apply to anti-virus technology as well, rendering the currently anemic signature-based and heuristics-based antimalware obsolete. The reason is that cyber attacks are becoming more sophisticated, as cybercriminals also practice research and development.

For example, current cyber attacks use malware in 90% or more of cases, and it is said that some attacks launch malware at a rate of about once every five seconds. With such attack methods, the time it took cybercriminals to break into a system was said to be within one minute. Under such circumstances, conventional malware detection technology, which lists and detects data on malware characteristics called signatures, is also limited: if new malware appears, it will not be detected unless a corresponding signature is provided.

In other words, malware without signatures is not detected, and it cannot be detected until the characteristics of the malware are grasped and new signatures are created. But can this process evolve quickly enough to catch up with malware that is customized to its target? It is also pointed out that cybercriminals have created large amounts of malware to try to evade antivirus: by changing the content of the malware slightly and creating a large number of derived variants, they attempt to evade signature-based detection.

For these reasons, it has been pointed out that detection of malware with conventional antivirus functions has limitations. Therefore, more effective measures are needed, as the world is facing massive accessibility and sharing of information, all of which comes with risks:

Information leakage due to internal fraud

No matter how many security measures are taken with tools and systems, the damage caused by human actions will not disappear. It is also reported that staff of companies handling information illegally use customers’ personal information. Information that gets abused includes credit card numbers and security codes. If it is the conduct of a trusted corporate employee, the customer has no way to prevent it, and it also affects social trust.

Attack targeting smartphones and smartphone apps

There is an increasing number of cyber attacks aimed at smartphones and smartphone applications. There are also viruses that infect smartphones, and malicious apps that pose as convenient free apps while extracting information have been confirmed. If smartphones used exclusively for business are abused, the damage to the company can be enormous.

Unauthorized use of Internet banking and credit card information

One of the most noticeable forms of personal cyber damage is the theft of information from online banking and credit cards. Account-related information often leaks from virus-infected PCs and smartphone apps. Based on the stolen information, Internet banking and credit cards are then abused.

Damage caused by ransomware

Among cybercrimes, the damage caused by ransomware, a type of malware, has been a topic in recent years. The typical pattern is that a PC is infected with the malware and rendered unusable, and a ransom is demanded for restoring the information and system. For a company that deals in information, damage that takes important information hostage will be a great loss.

Damage caused by targeted attacks

Targeted attack refers to launching a cyber attack against a specific company. A typical targeted attack sends an email with a virus attached to employees and departments of the targeted IT companies. Unlike conventional spam emails, they are dangerous because they cannot be distinguished from regular emails at first glance. Infection with a virus or malware interferes with the operation of the system.

Also, Read:

Artificial Intelligence Makes its Way to Front-line Security

Adopting Artificial Intelligence in Your Business

Vetting of Artificial Intelligence’s Future Use

The Three Core Factors of Artificial Intelligence to Enhance Cybersecurity

Artificial Intelligence as the Next Host of Cyber Attacks, a Cybersecurity Research Firm Revealed


Experts Warn of Office 365 Account Takeover Surge


Over 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts in just one month thanks to a surge in account takeovers (ATOs), according to Barracuda Networks.

The security vendor yesterday revealed new findings from an analysis of cloud-based email accounts under fire from ATO attempts in March.

It claimed over a quarter (29%) of organizations it monitored had Office 365 accounts compromised by attackers, often via credential stuffing using previously breached credentials, stolen passwords from the same user’s personal email account, brute force attacks, and other web and application channels.

One of the most popular tactics is phishing emails which impersonate Microsoft and request Office 365 log-ins from the unwitting recipient.

“With more than half of all global businesses already using Office 365 and adoption continuing to grow quickly, hackers have set their sights on taking over accounts because they serve as a gateway to an organization and its data — a lucrative payoff for the criminals,” warned Barracuda Networks VP of content security services, Asaf Cidon.

Once an account has been taken over, hackers don’t usually launch an attack from it immediately.

“Instead, they monitor email and track activity in the company, to maximize the chances of executing a successful attack,” Cidon explained.

“As part of their reconnaissance, scammers often set up mailbox rules to hide or delete any emails they send from the compromised account. In the March 2019 analysis performed by Barracuda researchers, hackers set up malicious rules to hide their activity in 34% of the nearly 4000 compromised accounts.”

The attackers then use their reconnaissance to target high value accounts in the organization such as executives and finance bosses, which could be used to facilitate BEC scams.

“Hackers also use compromised accounts to monetize attacks by stealing personal, financial, and confidential data and using it to commit identity theft, fraud, and other crimes,” Cidon claimed.

“Compromised accounts are also used to launch external attacks targeting partners and customers. With conversation hijacking, hackers insert themselves into important conversations or threads, such as during a wire transfer or other financial transaction.”

He urged the use of MFA to protect accounts, alongside tools to monitor inbox rules and suspicious activity, staff training, ATO protection and AI tools to better spot BEC and spear-phishing.
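The "monitor inbox rules" advice above, as an added example (not Barracuda's product or code): a small triage pass over exported mailbox rules that flags the hide-or-delete behaviour described in the report. The rule shape is a constructed simplification loosely modelled on the Graph API messageRule resource, the folder and keyword lists are heuristics I chose, and the sample rules are constructed; `triage_rules` and `classify_rule` are hypothetical names.

```python
import json

# Folders where a rule can park mail without the mailbox owner noticing (heuristic).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Terms that commonly appear in rules built to intercept replies or security notices (heuristic).
SENSITIVE_TERMS = {"invoice", "payment", "wire", "password", "bank",
                   "hacked", "phish", "suspicious"}


def classify_rule(rule: dict, tenant_domain: str) -> list[str]:
    """Return human-readable findings for one mailbox rule (empty list = nothing odd)."""
    findings: list[str] = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    name = rule.get("displayName", "").strip()

    deletes = bool(actions.get("delete"))
    folder = (actions.get("moveToFolder") or "").lower()
    hides = folder in HIDING_FOLDERS

    if deletes:
        findings.append("deletes matching mail")
    if hides:
        findings.append(f"moves matching mail to rarely viewed folder '{folder}'")
    if actions.get("markAsRead") and (hides or deletes):
        findings.append("marks mail as read so no unread indicator appears")
    for addr in actions.get("forwardTo", []):
        if not addr.lower().endswith("@" + tenant_domain.lower()):
            findings.append(f"forwards mail to external address {addr}")

    terms = {t.lower() for t in conditions.get("subjectContains", [])
             + conditions.get("bodyContains", [])}
    hits = sorted(terms & SENSITIVE_TERMS)
    if hits:
        findings.append("matches sensitive terms: " + ", ".join(hits))
    if len(name) <= 2:
        # Near-empty names ('.', '..') make a rule easy to overlook in the rules list.
        findings.append(f"near-empty rule name {name!r}")
    return findings


def triage_rules(rules: list[dict], tenant_domain: str) -> dict[str, list[str]]:
    """Map rule id -> findings for every rule that has at least one finding."""
    result: dict[str, list[str]] = {}
    for rule in rules:
        findings = classify_rule(rule, tenant_domain)
        if findings:
            result[rule["id"]] = findings
    return result


# Constructed sample export for one mailbox of the tenant example.com.
SAMPLE_RULES = json.loads("""
[
  {"id": "r1", "displayName": "Newsletters",
   "conditions": {"senderContains": ["newsletter"]},
   "actions": {"moveToFolder": "Reading", "markAsRead": true}},
  {"id": "r2", "displayName": ".",
   "conditions": {"subjectContains": ["invoice", "payment"]},
   "actions": {"moveToFolder": "RSS Feeds", "markAsRead": true}},
  {"id": "r3", "displayName": "Cleanup",
   "conditions": {"bodyContains": ["hacked", "phish"]},
   "actions": {"delete": true}},
  {"id": "r4", "displayName": "Copy to partner",
   "conditions": {"subjectContains": ["wire"]},
   "actions": {"forwardTo": ["billing@mail-example.net"]}}
]
""")


if __name__ == "__main__":
    for rule_id, findings in triage_rules(SAMPLE_RULES, "example.com").items():
        print(rule_id, "->", "; ".join(findings))
```

Run per mailbox against a rules export and review the flagged rules by hand; benign rules can trip a single heuristic, so several findings on one rule is the stronger signal.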

Mozilla will block Firefox add-ons that contain obfuscated code

Mozilla has announced that, starting from June 10, Firefox add-ons containing obfuscated code will no longer be allowed on its Add-ons portal and will be blocked. “We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included,” Caitlin Neiman, Add-ons Community Manager at Mozilla, explained. “If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to …

The post Mozilla will block Firefox add-ons that contain obfuscated code appeared first on Help Net Security.

Cybersecurity for the Public Interest

The Crypto Wars have been raging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there's no way to provide this capability without also weakening the security of every user of those devices and communications systems.

It's an impassioned debate, acrimonious at times, but there are real technologies that can be brought to bear on the problem: key-escrow technologies, code obfuscation technologies, and backdoors with different properties. Pervasive surveillance capitalism -- as practiced by the Internet companies that are already spying on everyone -- matters. So do society's underlying security needs. There is a security benefit to giving access to law enforcement, even though it would inevitably and invariably also give that access to others. However, there is also a security benefit of having these systems protected from all attackers, including law enforcement. These benefits are mutually exclusive. Which is more important, and to what degree?

The problem is that almost no policymakers are discussing this policy issue from a technologically informed perspective, and very few technologists truly understand the policy contours of the debate. The result is both sides consistently talking past each other, and policy proposals -- that occasionally become law -- that are technological disasters.

This isn't sustainable, either for this issue or any of the other policy issues surrounding Internet security. We need policymakers who understand technology, but we also need cybersecurity technologists who understand -- and are involved in -- policy. We need public-interest technologists.

Let's pause at that term. The Ford Foundation defines public-interest technologists as "technology practitioners who focus on social justice, the common good, and/or the public interest." A group of academics recently wrote that public-interest technologists are people who "study the application of technology expertise to advance the public interest, generate public benefits, or promote the public good." Tim Berners-Lee has called them "philosophical engineers." I think of public-interest technologists as people who combine their technological expertise with a public-interest focus: by working on tech policy, by working on a tech project with a public benefit, or by working as a traditional technologist for an organization with a public benefit. Maybe it's not the best term -- and I know not everyone likes it -- but it's a decent umbrella term that can encompass all these roles.

We need public-interest technologists in policy discussions. We need them on congressional staff, in federal agencies, at non-governmental organizations (NGOs), in academia, inside companies, and as part of the press. In our field, we need them to get involved in not only the Crypto Wars, but everywhere cybersecurity and policy touch each other: the vulnerability equities debate, election security, cryptocurrency policy, Internet of Things safety and security, big data, algorithmic fairness, adversarial machine learning, critical infrastructure, and national security. When you broaden the definition of Internet security, many additional areas fall within the intersection of cybersecurity and policy. Our particular expertise and way of looking at the world is critical for understanding a great many technological issues, such as net neutrality and the regulation of critical infrastructure. I wouldn't want to formulate public policy about artificial intelligence and robotics without a security technologist involved.

Public-interest technology isn't new. Many organizations are working in this area, from older organizations like EFF and EPIC to newer ones like Verified Voting and Access Now. Many academic classes and programs combine technology and public policy. My cybersecurity policy class at the Harvard Kennedy School is just one example. Media startups like The Markup are doing technology-driven journalism. There are even programs and initiatives related to public-interest technology inside for-profit corporations.

This might all seem like a lot, but it's really not. There aren't enough people doing it, there aren't enough people who know it needs to be done, and there aren't enough places to do it. We need to build a world where there is a viable career path for public-interest technologists.

There are many barriers. There's a report titled A Pivotal Moment that includes this quote: "While we cite individual instances of visionary leadership and successful deployment of technology skill for the public interest, there was a consensus that a stubborn cycle of inadequate supply, misarticulated demand, and an inefficient marketplace stymie progress."

That quote speaks to the three places for intervention. One: the supply side. There just isn't enough talent to meet the eventual demand. This is especially acute in cybersecurity, which has a talent problem across the field. Public-interest technologists are a diverse and multidisciplinary group of people. Their backgrounds come from technology, policy, and law. We also need to foster diversity within public-interest technology; the populations using the technology must be represented in the groups that shape the technology. We need a variety of ways for people to engage in this sphere: ways people can do it on the side, for a couple of years between more traditional technology jobs, or as a full-time rewarding career. We need public-interest technology to be part of every core computer-science curriculum, with "clinics" at universities where students can get a taste of public-interest work. We need technology companies to give people sabbaticals to do this work, and then value what they've learned and done.

Two: the demand side. This is our biggest problem right now; not enough organizations understand that they need technologists doing public-interest work. We need jobs to be funded across a wide variety of NGOs. We need staff positions throughout the government: executive, legislative, and judiciary branches. President Obama's US Digital Service should be expanded and replicated; so should Code for America. We need more press organizations that perform this kind of work.

Three: the marketplace. We need job boards, conferences, and skills exchanges -- places where people on the supply side can learn about the demand.

Major foundations are starting to provide funding in this space: the Ford and MacArthur Foundations in particular, but others as well.

This problem in our field has an interesting parallel with the field of public-interest law. In the 1960s, there was no such thing as public-interest law. The field was deliberately created, funded by organizations like the Ford Foundation. They financed legal aid clinics at universities, so students could learn housing, discrimination, or immigration law. They funded fellowships at organizations like the ACLU and the NAACP. They created a world where public-interest law is valued, where all the partners at major law firms are expected to have done some public-interest work. Today, when the ACLU advertises for a staff attorney, paying one-third to one-tenth normal salary, it gets hundreds of applicants. Today, 20% of Harvard Law School graduates go into public-interest law, and the school has soul-searching seminars because that percentage is so low. Meanwhile, the percentage of computer-science graduates going into public-interest work is basically zero.

This is bigger than computer security. Technology now permeates society in a way it didn't just a couple of decades ago, and governments move too slowly to take this into account. That means technologists now are relevant to all sorts of areas that they had no traditional connection to: climate change, food safety, future of work, public health, bioengineering.

More generally, technologists need to understand the policy ramifications of their work. There's a pervasive myth in Silicon Valley that technology is politically neutral. It's not, and I hope most people reading this today know that. We built a world where programmers felt they had an inherent right to code the world as they saw fit. We were allowed to do this because, until recently, it didn't matter. Now, too many issues are being decided in an unregulated capitalist environment where significant social costs are too often not taken into account.

This is where the core issues of society lie. The defining political question of the 20th century was: "What should be governed by the state, and what should be governed by the market?" This defined the difference between East and West, and the difference between political parties within countries. The defining political question of the first half of the 21st century is: "How much of our lives should be governed by technology, and under what terms?" In the last century, economists drove public policy. In this century, it will be technologists.

The future is coming faster than our current set of policy tools can deal with. The only way to fix this is to develop a new set of policy tools with the help of technologists. We need to be in all aspects of public-interest work, from informing policy to creating tools to building the future. The world needs all of our help.

This essay previously appeared in the January/February 2019 issue of IEEE Security & Privacy. I maintain a public-interest tech resources page here.

BYOD Risks Grow as Half of Firms Fail on Policies

BYOD is increasingly popular in the workplace, but half of organizations are exposing themselves to unnecessary extra risks by not implementing a clear policy on usage, according to Bitglass.

The security vendor polled 150 IT and security professionals at Cloud Expo Europe in London earlier this year.

It revealed that 74% are allowing employees to use their personal devices at work, but 47% either don’t have a policy in place to manage them, or don’t know whether one exists.

Particularly baffling were the findings that unmanaged devices were considered the top blind spot for data leakage, with 31% agreeing. However, just 16% cited this as a top security priority for the coming year. Instead, malware protection (26%) came top.

Also concerning was the fact that over a quarter of respondents (28%) claimed they don’t enforce any multi-factor authentication (MFA) to protect personal devices.

Steve Armstrong, regional director at Bitglass, argued that BYOD can drive improved productivity, cost savings and talent retention, but in so doing may increase the risk of data loss if proper policies and security controls aren’t put in place.

“In order to securely reap the benefits of BYOD, organizations need advanced tools such as user and entity behavior analytics (UEBA) and data loss prevention (DLP),” he added.

“Additionally, they must be able to selectively wipe corporate data from personal devices without affecting the personal data therein. However, for deployments to be successful, these capabilities need to be implemented through an agentless solution that won’t hinder user privacy or device functionality.”

A study from 2018 revealed that 61% of UK small businesses experienced a cybersecurity incident following their introduction of BYOD.

A government breaches survey from earlier this year claimed that the use of personal devices “tend to be less commonly covered” by cybersecurity policies.

Europol: Two More Dark Web Marketplaces Seized

Europol is claiming victory after announcing the shutdown of two more dark web marketplaces and several arrests.

The law enforcement organization said German police shut Wall Street Market, which it claimed was the world’s second largest dark web market, while earlier this year Finnish customs put paid to Silkkitie, aka the Valhalla Marketplace.

It was also revealed that German police arrested three suspects and seized €550,000 in cash, along with six-digit sums of cryptocurrency, vehicles, computers, storage devices and other evidence. US authorities arrested two alleged major drug dealers operating on the site.

The Finnish authorities are also said to have made a major Bitcoin seizure when they shut down the main server hosting Silkkitie, which had been running since 2013. It was claimed that illegal traders were monitored as they moved to other dark web sites following the seizure, although it’s unclear whether they were arrested.

“These two investigations show the importance of law enforcement cooperation at an international level and demonstrate that illegal activity on the dark web is not as anonymous as criminals may think,” said Europol executive director, Catherine De Bolle.

It’s unclear whether the law enforcement activity was linked to the recent news that the site’s admins were attempting an exit scam.

At the time, one moderator was threatening to release the details of any user who sent their address in plain text as part of disputes or tickets, unless they paid a fee.

That same moderator, “Med3l1n,” reportedly posted their Wall Street Market logins and server IP address to Dread, a Reddit-like site for the dark web. That would have given law enforcers vital intelligence to shut down the operation and go after some of the most prolific traders on the site.

In a final irony, the world’s biggest market, Dream Market, which many users left after it said it was going to move to a “partner site,” appears to still be up and running.

How to create an ISO 27001-compliant risk treatment plan

An RTP (risk treatment plan) is an essential part of an organisation’s ISO 27001 implementation process, as it documents the way your organisation will respond to identified threats.

It’s one of the mandatory documents you must complete as part of your ISO 27001 implementation project, and forms the final stage of the risk assessment process.

What are your risk treatment options?

Once you’ve completed your risk assessment and defined your risk appetite, you’ll be left with a list of ‘unacceptable’ threats that need to be addressed.

ISO 27001 recommends that organisations take one of four actions:

  • Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
  • Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them outside the premises. This option will make things less convenient for your employees but will drastically improve your security posture.
  • Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
  • Retain the risk. This option means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.

Selecting appropriate controls

The most common risk treatment option is to modify the risk, because it typically offers the best combination of security and cost.

Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001. It lists 114 controls, which are split into 14 sections (or ‘control sets’), each one tailored to a specific aspect of information security:

  • Information security policies: how policies are written and reviewed.
  • Organisation of information security: the assignment of responsibilities for specific tasks.
  • Human resource security: ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
  • Asset management: identifying information assets and defining appropriate protection responsibilities.
  • Access control: ensuring that employees can only view information that’s relevant to their job role.
  • Cryptography: the encryption and key management of sensitive information.
  • Physical and environmental security: securing the organisation’s premises and equipment.
  • Operations security: ensuring that information processing facilities are secure.
  • Communications security: how to protect information in networks.
  • System acquisition, development and maintenance: ensuring that information security is a central part of the organisation’s systems.
  • Supplier relationships: the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
  • Information security incident management: how to report disruptions and breaches, and who is responsible for certain activities.
  • Information security aspects of business continuity management: how to address business disruptions.
  • Compliance: how to identify the laws and regulations that apply to your organisation.

Deciding which control to use is relatively straightforward. The ISO 27001 implementation team should meet with a senior employee from the relevant department to agree on the appropriate control.

For example, communications security issues should be discussed with IT, staff awareness issues with HR, and supplier relations with whichever department the third party is working with.

As with all major security decisions, you should run your decisions past senior management.

Once you’ve finalised which controls you should use, you should refer to ISO 27002 to learn more about implementing them.

Before you begin

It’s worth remembering that your RTP must be appropriate to your organisation. Implementing controls takes time, effort and money, so you need to pick your battles carefully.

You almost certainly won’t have the resources to apply controls to every risk, even if they are small controls, such as a new process or policy.

Even a new policy requires a team of people to write and approve it, generate awareness among employees and ensure that the rules are being followed and working as intended.

That’s not to say you should abandon a control if you think that it will be expensive to implement and maintain. However, you should constantly assess whether there’s a less expensive control that could generate similar results.

Help with creating your risk treatment plan

Below is an example of what a risk-based RTP might look like, extracted from our bestselling ISO 27001 ISMS Documentation Toolkit. The toolkit also contains an asset-based RTP template.

Developed by expert ISO 27001 practitioners and used by more than 2,000 clients worldwide, the toolkit includes:

  • A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
  • Helpful gap analysis and project tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

The post How to create an ISO 27001-compliant risk treatment plan appeared first on IT Governance Blog.

Google offers auto-delete option for location, web tracking history

Google has added a control option to users’ accounts that will allow them to instruct the company to auto-delete their location history, browsing and search data once a certain length of time has passed. “Choose a time limit for how long you want your activity data to be saved—3 or 18 months—and any data older than that will be automatically deleted from your account on an ongoing basis,” the company explained. The new control option … More

The post Google offers auto-delete option for location, web tracking history appeared first on Help Net Security.

10KBLAZE exploits could affect 9 out of 10 SAP installs of more than 50k customers

The availability of 10KBLAZE PoC exploits for an old SAP configuration issue poses a severe risk of attacks against business applications.

The risk of cyber attacks against SAP systems is increased after security researchers released PoC exploits for old SAP configuration flaws.

SAP Message Server and SAP Gateway implement an access control list (ACL) mechanism to determine which IP addresses are allowed to register application servers. An incorrectly configured ACL could allow any host with network access to the Message Server to register an application server.

In this scenario, an attacker can access a network hosting the vulnerable systems and take full control.

Experts pointed out that the problem could impact many SAP products, including S/4HANA and NetWeaver Application Server (AS). The good news is that the most recent versions of SAP software are configured by default to drop unauthorized connections.

Since 2005, SAP has been providing instructions on how to configure an ACL for the Message Server. In 2005 the company released security note 8218752, and in 2009 it released security note 14080813, which contains instructions on how to properly configure the access list for the Gateway. In 2010 SAP released another note, 14210054, that provides instructions on the correct configuration of the Message Server ACL.

Despite the numerous notes, many organizations still fail to properly configure their SAP solutions. According to a report published in April 2018 by security firm Onapsis, 90 percent of SAP systems were impacted by a 13-year-old configuration vulnerability that affects SAP NetWeaver and that can be exploited by a remote, unauthenticated attacker who has network access to the system.

In April, the two researchers Dmitry Chastuhin and Mathieu Geli presented at the OPCDE cybersecurity conference in Dubai security issues related to SAP configuration and architecture.

The security duo also released exploits designed to target improperly configured systems.

Experts at Onapsis dubbed the exploits 10KBLAZE and estimate that the availability of the exploit code could significantly increase the number of attacks against SAP installs. Onapsis estimates that the 10KBLAZE exploits could affect 9 out of 10 SAP systems of more than 50,000 customers worldwide.

“In April 2019, several new exploits targeting SAP business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE and Onapsis in the past, their public release significantly increases the risk of successful cyber attacks against SAP implementations globally.” reads the analysis published by Onapsis. “we estimate these exploits could affect 9 out of 10 SAP systems of more than 50,000 customers world-wide.”

The name 10KBLAZE comes from the fact that organizations hit by attacks would need to disclose their impact to the U.S. Securities and Exchange Commission (SEC) in their annual 10-K filing.

“Based on publicly available data provided by SAP, Onapsis estimates that approximately 50,000 companies and a collective 1,000,000 systems are currently using SAP NetWeaver and S/4HANA.” reads the report published by the experts. “Onapsis research gathered over ten years calculates that nearly 90% of these systems, approximately 900,000, may suffer from the misconfigurations for which these exploits are now publicly available,”

Researchers also found many SAP systems exposed on the internet that could be hit by remote, unauthenticated attackers.

Organizations have to check their configurations to prevent such attacks.
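The misconfiguration the article describes is an ACL that lets any network-reachable host register with the Message Server or Gateway. The following is an added example, not code from Onapsis, SAP or the article, of how a defender might audit the two relevant files offline. It assumes the documented syntax of the Gateway `reg_info` file (a `#VERSION=2` header followed by `P` permit and `D` deny rules built from `KEY=VALUE` pairs) and of the Message Server `ms/acl_info` file (one `HOST=` entry per line); both sample files are constructed, and the host names and ranges in them are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of an SAP Gateway reg_info file. The syntax assumed here
# (a '#VERSION=2' header, then 'P' permit / 'D' deny rules made of KEY=VALUE
# pairs) is taken from SAP's documented format, not from the article.
SAMPLE_REG_INFO = [
    "#VERSION=2",
    "P TP=* HOST=* ACCESS=* CANCEL=*",
    "P TP=GWMON HOST=sapapp01.internal.example ACCESS=internal CANCEL=internal",
    "D TP=* HOST=* ACCESS=* CANCEL=*",
]

# Constructed sample of a Message Server ACL file (ms/acl_info): one HOST=
# entry per line names a host allowed to register as an application server.
# The format is likewise an assumption from SAP's documentation.
SAMPLE_ACL_INFO = [
    "# hosts allowed to register application servers",
    "HOST=*",
    "HOST=sapapp01.internal.example",
    "HOST=10.0.5.*",
]

_KV = re.compile(r"(\w+)=([^\s,]+)")


def parse_kv(text: str) -> Dict[str, str]:
    """Return the KEY=VALUE pairs found on one configuration line."""
    return dict(_KV.findall(text))


def check_reg_info(lines: List[str]) -> List[Dict[str, object]]:
    """Flag permit rules that let hosts outside an explicit list register programs."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        if action != "P":  # deny rules never widen access
            continue
        kv = parse_kv(rest)
        tp = kv.get("TP", "*")
        host = kv.get("HOST", "*")
        if host == "*":
            # any network-reachable host may register; worst when TP is also a wildcard
            sev = "high" if tp == "*" else "medium"
            findings.append({"file": "reg_info", "line": n, "severity": sev,
                             "reason": f"HOST=* permits any host to register TP={tp}"})
        elif "*" in host:
            findings.append({"file": "reg_info", "line": n, "severity": "medium",
                             "reason": f"wildcard host pattern {host} for TP={tp}"})
    return findings


def check_acl_info(lines: List[str]) -> List[Dict[str, object]]:
    """Flag Message Server ACL entries that are not pinned to a specific host."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = parse_kv(line).get("HOST", "")
        if host == "*":
            findings.append({"file": "acl_info", "line": n, "severity": "high",
                             "reason": "HOST=* lets any host register an application server"})
        elif "*" in host:
            findings.append({"file": "acl_info", "line": n, "severity": "medium",
                             "reason": f"wildcard entry {host} admits a whole range"})
    return findings


def audit(reg_lines: List[str], acl_lines: List[str]) -> List[Dict[str, object]]:
    """Run both checks; an empty result means no wildcard registrations were found."""
    return check_reg_info(reg_lines) + check_acl_info(acl_lines)


if __name__ == "__main__":
    for f in audit(SAMPLE_REG_INFO, SAMPLE_ACL_INFO):
        print(f"{f['file']}:{f['line']} [{f['severity']}] {f['reason']}")
```

On the constructed samples the checker reports the `P TP=* HOST=*` permit rule and the `HOST=*` ACL entry as high severity and the `10.0.5.*` range as medium; a subnet wildcard is not necessarily wrong, but it deserves a conscious decision rather than a default. The checker deliberately ignores deny rules, since only permit rules widen who can register.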

Pierluigi Paganini

(SecurityAffairs – 10KBLAZE, Genesis Store)

The post 10KBLAZE exploits could affect 9 out of 10 SAP installs of more than 50k customers appeared first on Security Affairs.

Consumers care deeply about their privacy, security, and how their personal information is handled

65% of consumers are concerned with the way connected devices collect data. More than half (55%) do not trust their connected devices to protect their privacy and a similar proportion (53%) do not trust connected devices to handle their information responsibly, according to a survey by IPSOS Mori on behalf of the Internet Society and Consumers International. The survey was conducted in the United States, Canada, Japan, Australia, France and the United Kingdom. Connected devices … More

The post Consumers care deeply about their privacy, security, and how their personal information is handled appeared first on Help Net Security.

Cybercriminals targeting social media: Facebook and Instagram are becoming phishers’ favorites

Social media phishing, primarily Facebook and Instagram, saw the highest quarter-over-quarter growth of any industry with a 74.7 percent increase, according to the Vade Secure Phishers’ Favorites report for Q1 2019. While Facebook has been in the top 10 since the report’s inception, Instagram cracked the top 25 for the first time, taking the #24 spot on the Phishers’ Favorites list. With the headlines about Facebook storing hundreds of millions of user passwords in plain … More

The post Cybercriminals targeting social media: Facebook and Instagram are becoming phishers’ favorites appeared first on Help Net Security.

Cybercriminals thriving on companies overlooking fundamental security requirements

IT leaders in the United States are putting business data at risk by not effectively managing employees’ passwords, according to OneLogin research. Despite the fact that 91% report they have company guidelines in place around password complexity, and 92% believe their current password protection measures and guidelines provide adequate protection for their business, the results suggest there is still a lot of work to be done. OneLogin surveyed 300 IT decision makers across the U.S. … More

The post Cybercriminals thriving on companies overlooking fundamental security requirements appeared first on Help Net Security.

60% of businesses have experienced a serious security breach in the last two years

There is an increase in security breaches and businesses still face challenges surrounding cyberattacks due to lack of IT security and operations basics. With digital transformation on the rise and technology massively outpacing policy, companies must take the lead when it comes to securing their estates. While cybersecurity has received much fanfare – with global spend predicted to exceed $1 trillion through 2021 – the biggest gaps continue to endure in plain sight. Vanson Bourne … More

The post 60% of businesses have experienced a serious security breach in the last two years appeared first on Help Net Security.

Ladders Database Exposed 13M User Records

Employment-recruitment site Ladders exposed 13M User Records

Employment-recruitment site Ladders left online a misconfigured AWS-hosted database that contained 13 million user records.

Sanyam Jain, a security researcher and a member of the GDI Foundation, discovered a database belonging to the employment-recruitment site Ladders left exposed online on a misconfigured AWS-hosted Elasticsearch instance.

The archive contained 13 million user records, data related to job seekers who had signed up for the service. Exposed records included contact details, current compensation, and applicants’ employment histories.

“Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records following a security lapse.” reads a report published by TechCrunch.

“The New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data.”

Image: Ladders data leak (source: TechCrunch.com)

TechCrunch reported the discovery to the company, which quickly secured the database.

“AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” said Marc Cenedella, founder and CEO of Ladders.

Experts confirmed that the database contained years’ worth of records.
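The lapse described above, an Amazon-hosted Elasticsearch database reachable without a password, versus the CEO's claim that the domain is "only accessible by Ladders employees at indicated IP addresses", comes down to what the domain's access policy says. The following is an added example, not code from Ladders, TechCrunch or AWS, that checks an Amazon Elasticsearch Service domain access policy document for statements granting anonymous access without a source-IP restriction. Both policy documents are constructed; the account id, domain name and the 203.0.113.0/24 range are placeholders. It covers the resource-based domain policy only, not fine-grained access control or VPC-only endpoints.

```python
import json
from typing import Any, Dict, List

# Constructed access policy for an Amazon Elasticsearch Service domain that
# grants anonymous access from anywhere. Account id and domain name are
# placeholders, not values from the report.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-domain/*",
    }],
})

# Constructed policy of the same shape, restricted to one documentation-only
# source range (203.0.113.0/24) via an aws:SourceIp condition.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-domain/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
})


def _as_list(value: Any) -> List[Any]:
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True when the statement applies to everyone ('*' or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _source_ip_restriction(statement: Dict[str, Any]) -> List[str]:
    """Return the aws:SourceIp ranges that actually narrow the statement."""
    cond = statement.get("Condition") or {}
    ranges = _as_list((cond.get("IpAddress") or {}).get("aws:SourceIp"))
    # A catch-all range restricts nothing, so it does not count.
    return [r for r in ranges if r not in ("0.0.0.0/0", "::/0")]


def open_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return statements that allow anonymous access with no source-IP limit."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        if _source_ip_restriction(st):
            continue  # anonymous principal, but pinned to known ranges
        findings.append({"actions": _as_list(st.get("Action")),
                         "resource": st.get("Resource")})
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, open_statements(policy))
```

The open policy yields one finding (anonymous `es:*` on the whole domain), while the IP-restricted one yields none. A `0.0.0.0/0` condition is treated as no restriction at all, since it is a common way for a policy that looks restricted to still be world-readable.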

Pierluigi Paganini

(SecurityAffairs – AWS, data leak)

The post Ladders Database Exposed 13M User Records appeared first on Security Affairs.

A wave of regulation is coming to the cryptocurrency economy

There is a concerning trend of cross-border crypto payments leaving U.S. exchanges and entering offshore and untraceable wallets, a CipherTrace report reveals. In the twelve months ending March 2019, crypto transfers from U.S. exchanges to offshore exchanges grew 21 points or 46 percent compared to the same period two years ago. Once these payments reach exchanges and wallets in other parts of the globe, they fall off the radar of U.S. authorities. This highlights a … More

The post A wave of regulation is coming to the cryptocurrency economy appeared first on Help Net Security.

BigID new capabilities help enterprises scale responses to data access requests for privacy regulations

BigID, the leader in ML-driven personal data discovery and privacy, announced first-of-their-kind data access rights management features to help enterprises automate fulfillment of personal data access requests for privacy regulations like the California Consumer Privacy Act (CCPA). Personal data rights around access and deletion of personal information are a cornerstone of more than 130 privacy regulations around the world. The laws grant consumers the right to access and in some instances, delete, correct or port … More

The post BigID new capabilities help enterprises scale responses to data access requests for privacy regulations appeared first on Help Net Security.

Splunk releases Splunk Connected Experiences and Splunk Business Flow

Splunk, delivering actions and outcomes from the world of data, announced the general availability of Splunk Connected Experiences and Splunk Business Flow – new products that bring Splunk customers even closer to their data. Splunk Connected Experiences deliver insights on-the-go through augmented reality (AR), mobile devices like the iPhone, and mobile applications that provide users with the ability to access their data anywhere and at anytime. Splunk Business Flow brings the power of data to … More

The post Splunk releases Splunk Connected Experiences and Splunk Business Flow appeared first on Help Net Security.

FileCloud governance features to enable automatic document life cycle management

FileCloud, a cloud-agnostic enterprise file sync and sharing platform, announced data governance features to enable automatic document life cycle management. Designed for data governance of regulated industries, FileCloud empowers organizations to automate the creation, retention, archival and deletion of files across on-premises and public cloud environments. Enterprise organizations are placing great emphasis on data governance as content management continues to evolve and various industries become bound by regulations. FileCloud Governance was designed to be a … More

The post FileCloud governance features to enable automatic document life cycle management appeared first on Help Net Security.

Votiro and Box partnership to bring secure, centralized and cloud-native content services

Votiro Cybersec Global, a global leader in content disarm and reconstruction (CDR) technology, announced its partnership with Box, a leading cloud content management platform committed to bringing secure, centralized and cloud-native content services to organizations worldwide. Votiro File Disarmer for Box will add an additional layer of protection for security sensitive organizations to ensure that shared files do not contain malware, ultimately preventing content-based attacks such as ransomware, or targeted phishing. “Votiro File Disarmer will … More

The post Votiro and Box partnership to bring secure, centralized and cloud-native content services appeared first on Help Net Security.

Red Hat OpenStack Platform provides a cloud foundation to drive businesses’ innovation

Red Hat, the world’s leading provider of open source solutions, announced that a number of organizations around the world have turned to its massively-scalable infrastructure-as-a-service (IaaS) solution – Red Hat OpenStack Platform. Customers such as Algar Telecom, the University of Adelaide and Vodafone Ziggo are using Red Hat OpenStack Platform as their private cloud platform to more efficiently use, organize and manage compute resources. With Red Hat OpenStack Platform, businesses can increase operational efficiency, accelerate … More

The post Red Hat OpenStack Platform provides a cloud foundation to drive businesses’ innovation appeared first on Help Net Security.

MITRE’s ATT&CK to assess cybersecurity products based on APT29/Cozy Bear/The Dukes

MITRE’s ATT&CK Evaluations program will assess commercial cybersecurity products based on techniques used by APT29/Cozy Bear/The Dukes. Cybersecurity analysts believe the group operates on behalf of the Russian government, and that it compromised the Democratic National Committee starting in 2015. Endpoint detection and response (EDR) vendors may apply for an evaluation via attackevals.mitre.org. The selection of vendors for evaluation is subject to MITRE’s sole discretion. The evaluations are paid for by vendors and are intended … More

The post MITRE’s ATT&CK to assess cybersecurity products based on APT29/Cozy Bear/The Dukes appeared first on Help Net Security.

Anonos SaveYourData transforms pre-GDPR data into fully compliant data

Anonos, the global leader in data risk management, security and privacy, launched its SaveYourData software solution, designed to allow companies operating under the EU General Data Protection Regulation (GDPR) to not only retain personal data collected before the law came into effect, but to also enable dynamic use of the data for analytics, machine learning, artificial intelligence and marketing activities. Anonos SaveYourData transforms non-compliant consent-based pre-GDPR data into fully compliant data with a new legal … More

The post Anonos SaveYourData transforms pre-GDPR data into fully compliant data appeared first on Help Net Security.

Secureworks’ new SaaS app accelerates threat detection and response

Secureworks, a leading cybersecurity company that keeps organizations safe in the digitally connected world, announced the launch of a software-as-a-service (SaaS) application that will transform the way companies detect, investigate and respond to cyber threats. Red Cloak Threat Detection and Response (TDR) is a security analytics application that continuously applies more than 20 years of threat intelligence and advanced analytics to customer endpoints, network and cloud deployments. With deep learning and machine learning at its … More

The post Secureworks’ new SaaS app accelerates threat detection and response appeared first on Help Net Security.

CrowdStrike Falcon provides continuous monitoring for firmware attacks

CrowdStrike, a leader in cloud-delivered endpoint protection, announced CrowdStrike Falcon is breaking new ground in providing continuous monitoring that extends to the firmware level. Modern security tools have focused on detecting attacks at the operating system (OS) level and above, but provide little visibility into lower levels of the modern computing platform. Attackers looking to maintain stealth and persistence have targeted the BIOS to infect it with malicious code that is difficult to detect and … More

The post CrowdStrike Falcon provides continuous monitoring for firmware attacks appeared first on Help Net Security.

Trustwave unveils new database security scanning and testing software

Trustwave unveiled new database security scanning and testing software that helps organizations better protect critical data assets hosted on-site or by major cloud service providers from advanced threats, configuration errors, access control issues, unauthorized privilege escalation, missing patches and more. “Databases are the proverbial ‘bank vaults’ cybercriminals aim to crack leveraging malware, zero-day vulnerabilities, savvy social engineering and other sophisticated means,” said C.J. Spallitta, senior vice president of product management at Trustwave. “As businesses continue … More

The post Trustwave unveils new database security scanning and testing software appeared first on Help Net Security.

Ztudium launches Blocksdna, an AI blockchain operative system and app

Ztudium, a leading technology specialist and consultancy, has announced the launching of Blocksdna, a revolutionary AI blockchain operative system and app. A white label solution that will allow organisations and their customers to get the most out of the blockchain technology. Blocksdna can be described as a blockchain-based mobile app and a white label technology that brings together P2P Messaging, support for crypto and FIAT wallet, payments, digital ID, a reward engine and a marketplace. … More

The post Ztudium launches Blocksdna, an AI blockchain operative system and app appeared first on Help Net Security.

ExaGrid Backup with Veeam offers small to mid-size customers enterprise-level backup performance

ExaGrid, a leading provider of intelligent hyperconverged storage for backup, has announced ExaGrid Backup with Veeam, which will enable customers to effectively and securely manage and protect their data regardless of IT infrastructure. This offering is a collaborative venture with Veeam Software, the leader in Backup solutions that deliver Cloud Data Management. ExaGrid Backup with Veeam provides fast backups and recovery, cost-efficient long-term data storage, as well as replication to an offsite location for disaster … More

The post ExaGrid Backup with Veeam offers small to mid-size customers enterprise-level backup performance appeared first on Help Net Security.

NEC Corporation unveils HCI solution powered by Scale Computing’s HC3 software

NEC Corporation of America and NEC Enterprise Solutions (EMEA), announced a new hyperconverged infrastructure (HCI) solution powered by Scale Computing’s HC3 software. The new platform, NEC HCI, provides a complete virtualized solution in a single appliance, designed for rapid deployment, ease-of-use, seamless scaling, high performance and cost effectiveness. “As the HCI market continues to expand significantly, we wanted to offer a competitive solution that provides value to our partners and customers,” said Ram Menghani, Senior … More

The post NEC Corporation unveils HCI solution powered by Scale Computing’s HC3 software appeared first on Help Net Security.

Stateless launches Luxon, a software-defined interconnect platform

Stateless, the company reinventing network connectivity, announced Luxon – the industry’s first software-defined interconnect (SD-IX) platform. As the company’s inaugural product since emerging from stealth in January 2019, Luxon seamlessly delivers composable Layer 3+ network services such as routing, security and automation to interconnect points. As the first SD-IX platform to provide complete visibility, end-to-end automation and API-driven functionalities, Luxon allows providers to control and connect to every endpoint, including portfolio data centers, tenant sites … More

The post Stateless launches Luxon, a software-defined interconnect platform appeared first on Help Net Security.

AWS unveils Amazon Managed Blockchain to easily create, manage, and scale blockchain networks

Amazon Web Services, an Amazon.com company, announced the general availability of Amazon Managed Blockchain, a fully managed service that makes it easy to create and manage scalable blockchain networks. Customers who want to allow multiple parties to execute transactions and maintain a cryptographically verifiable record of them without the need for a trusted, central authority can quickly setup a blockchain network spanning multiple AWS accounts with a few clicks in the AWS Management Console. Amazon … More

The post AWS unveils Amazon Managed Blockchain to easily create, manage, and scale blockchain networks appeared first on Help Net Security.

FileShadow for Windows Virtual Desktop enables companies to implement thin provisioned storage

FileShadow announces FileShadow for Windows Virtual Desktop. The new version provides thin provisioned storage to companies using virtual desktops, separating users’ data from the operating system, local applications and user settings in the data center—reducing costs for any company using virtual desktops. FileShadow thin provisioned storage allows virtual desktops to have access to large vaults without synchronizing data to the virtual desktop server. All of the content is available, but only downloaded on demand to … More

The post FileShadow for Windows Virtual Desktop enables companies to implement thin provisioned storage appeared first on Help Net Security.

Imprivata collaborates with Microsoft and creates an IAM Cloud Platform for healthcare

Imprivata, the healthcare IT security company, announced that it will unlock the power of the cloud for clinical users by creating the first end-to-end Identity and Access Management (IAM) Cloud Platform for healthcare in collaboration with Microsoft. The Platform, anchored by Imprivata’s leading solution portfolio and commitment to building trusted digital identities, and the world-class scale and security of Microsoft’s cloud identity platform, Azure Active Directory, will address the unique challenges that healthcare customers face … More

The post Imprivata collaborates with Microsoft and creates an IAM Cloud Platform for healthcare appeared first on Help Net Security.

Banyan and Unusual Ventures to provide unified Zero Trust architecture for cloud-first companies

Banyan, the industry’s first unified Zero Trust platform, announced that it is emerging from stealth and has entered a partnership with Unusual Ventures, a growth-focused investment firm. With Banyan’s goal of providing a unified Zero Trust architecture for cloud-first companies and Unusual’s focus on partnering with market disruptors, the strategic relationship brings to market the first approach to Zero Trust that provides continuous authorization for any application or service hosted in the cloud. “In Banyan, … More

The post Banyan and Unusual Ventures to provide unified Zero Trust architecture for cloud-first companies appeared first on Help Net Security.

CenturyLink Private Cloud is now available on Dell EMC PowerEdge servers

In a move that gives customers more choice and hybrid-cloud flexibility, CenturyLink announced that CenturyLink Private Cloud on VMware Cloud Foundation is now available on Dell EMC PowerEdge servers, a scalable platform that delivers the flexibility and performance enterprises demand. CenturyLink’s comprehensive private cloud offering meets the agile demands of today’s digital businesses. This expansion results in a complete software-defined data center (SDDC) solution based on the Dell Technologies stack – combining Dell EMC PowerEdge … More

The post CenturyLink Private Cloud is now available on Dell EMC PowerEdge servers appeared first on Help Net Security.

Dorsey & Whitney offers three levels of CCPA assessment and compliance packages

International law firm Dorsey & Whitney announced that it is offering three levels of assessment and compliance packages to help businesses comply with the enacted California Consumer Privacy Act (CCPA). The packages, called BASIC, BASIC+ and READY, provide options for legal services based on clients’ particular needs in preparing for the CCPA, which goes into effect on January 1, 2020. This new law marks a dramatic sea change in American privacy law as it imposes … More

The post Dorsey & Whitney offers three levels of CCPA assessment and compliance packages appeared first on Help Net Security.

Accenture, Splunk and UTC join SAFECode, Veracode rejoins the organization

The Software Assurance Forum for Excellence in Code (SAFECode) announced that Accenture, Splunk and United Technologies joined SAFECode as new Associate Members, and Veracode rejoined the organization as an Associate Member. SAFECode is a non-profit, global industry forum where business leaders and technical experts come together to exchange insights and ideas on creating, improving and promoting scalable and effective software security programs. The addition of these companies as SAFECode members is significant because they bring … More

The post Accenture, Splunk and UTC join SAFECode, Veracode rejoins the organization appeared first on Help Net Security.

Weekly Update 137

It's the last one from home for a few weeks, both for Scott and myself. Whilst I head off to the US for a couple of weeks, he's back home to the UK before other Europe travel, then we'll both end up back on the Gold Coast in a few weeks' time before the AusCERT conference.

This week, we're talking about how kids are so good at circumventing things like parental controls and how maybe - just maybe - talking to your kids and using some social techniques is a better (or at least complementary) approach to hard controls. Partly as a result of that tweet, we're also discussing the rampant negativity we seem to constantly face by a small minority on Twitter. It's minor in numbers, but increasingly carries a mental weight (see the link below for context). Plus there's Trustico. Ah, Trustico, just have a listen and see what you think...

References

  1. My 9-year old found a clever way to circumvent iOS' parental controls (imagine what it's like for the average person trying to understand this stuff...)
  2. We're both confounded by the unnecessary ongoing negativity folks on Twitter seem intent on espousing (I'm linking to this one because it's a perfect example of injecting negativity into an otherwise happy, joyful tweet)
  3. Trustico has some really shady marketing going on with their certs (that's a link to Scott's post smashing the screwy - make sure you search for "nerdville"!)
  4. Twilio are sponsoring my blog this week, check out what you can do with Authy to add 2FA to your site (this is dead easy - do it!)

Lares appoints Andrew Hay as COO

Lares, a global leader in security assessment, testing, and coaching, announced that veteran technology executive Andrew Hay has joined the company as Chief Operating Officer (COO). He is the author of multiple books on advanced security topics and is frequently approached to provide expert commentary on industry developments and asked to present at conferences around the globe. He has been featured in publications such as Forbes, Bloomberg, Wired, USA Today, and CSO Magazine. Hay was … More

The post Lares appoints Andrew Hay as COO appeared first on Help Net Security.

Russian national Anton Bogdanov indicted for $1.5M cyber tax fraud scheme

The US DoJ indicted a Russian national for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

The US DoJ indicted the Russian national Anton Bogdanov for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

Bogdanov was charged in federal court in Brooklyn with wire fraud conspiracy, aggravated identity theft and computer intrusion in connection with a scheme in which he and other crooks used stolen personal information to file federal tax returns and fraudulently obtain more than $1.5 million in tax refunds from the Internal Revenue Service.

The Russian man was arrested in Phuket, Thailand, on November 28, 2018 and was extradited to the United States in March 2019. 

“As alleged in the indictment, Bogdanov and his co-conspirators combined sophisticated computer hacking and identity theft with old-fashioned fraud to steal more than $1.5 million from the U.S. Treasury,” stated United States Attorney Donoghue.  “This Office, together with our law enforcement partners, will use all our available resources to target and bring cybercriminals to justice, wherever they are.”

According to the indictment, between June 2014 and November 2016, Anton Bogdanov and his co-conspirators compromised computer systems of private tax preparation firms in the United States and stole personally identifiable information (PII) (including Social Security numbers and dates of birth) of the victims.

The crooks used the stolen data to impersonate the victims and modified the tax returns so that the refunds were paid to their prepaid debit cards.

“Bogdanov and his co-conspirators also used misappropriated PII to obtain prior tax filings of victims from an IRS website, and filed new tax returns, purportedly on behalf of the victims, so that refunds were paid to prepaid debit cards under their control.” reads the press release published by the DoJ. “The debit cards were cashed out in the United States, and a percentage of the proceeds was wired to Bogdanov in Russia.”

According to the investigators, the debit cards were cashed out in the United States, while Bogdanov received a percentage of the proceeds in Russia.

If convicted of the charges, Anton Bogdanov could face up to 27 years’ imprisonment.

Pierluigi Paganini

(SecurityAffairs – Anton Bogdanov, cybercrime)

The post Russian national Anton Bogdanov indicted for $1.5M cyber tax fraud scheme appeared first on Security Affairs.

Adam Levin Discusses Mobile Banking and Security with TicToc

Adam Levin was featured on a short video on TicToc by Bloomberg, where he discussed the trade-offs between security and convenience for mobile banking and payment apps.

“As business tries in its technological innovation to make things more convenient, you end up with the conundrum between convenience and security,” Levin said.

See the video below, or on Bloomberg.com:

The post Adam Levin Discusses Mobile Banking and Security with TicToc appeared first on Adam Levin.

TinyPOS: Handcrafted Malware in Assembly Code

Legacy software vulnerabilities have created opportunities for hackers to steal credit card data and other personal information using tiny point of sale (POS) malware, according to research published by Forcepoint.

Researchers reportedly analyzed 2,000 samples of POS malware and found that many are handcrafted, written in assembly code and very small; thus, researchers aptly named the malware TinyPOS.

Of the samples analyzed, 95% were loaders used to distribute malware to systems. In addition, researchers found that system compromises can go months without detection due to the small code size (2.7kb). Though researchers suggested that protecting against these attacks is not difficult, the issue for many organizations is that they are using old, outdated POS software and hardware, which leaves them exposed to a lot of damage.

The samples were grouped into four categories: loaders, mappers, scrapers and cleaners, wrote Robert Neumann, senior security researcher at Forcepoint. “The most probable initial vector would be a remote hack into the POS system to deliver the Loaders. Other options could include physical access (unlikely) or a rogue auto-update to deliver a compromised file to the POS operating system.”

That attackers are targeting POS systems is nothing new, particularly because they collect large amounts of personal data. Because of their vulnerabilities, Ryan Wilk, VP of customer success for NuData Security, a Mastercard company, said POS systems have long been a prime target for cyber-criminals.

“This latest credit card–stealing malware is extremely stealthy and hard to detect, making some retailers even more vulnerable. Storing data securely is another basic security tenet. If merchants store credit card information offline and don’t encrypt it, it is sure to be stolen and abused,” Wilk said.

“However, once the credit card information is stolen, businesses can combat fraudulent online transactions through verification frameworks that can confirm the identity of users and prevent this type of fraud. Analyzing their online behavior, combined with hundreds of other identifiers that hackers can't imitate or steal, is the best protection against fraud, once the user data has been leaked.”

New Exploits Target Components of SAP Applications

New exploits have been targeting SAP systems, allowing attackers to fully compromise the platform and delete all business application data, according to new research from Onapsis Inc.

The exploits, dubbed 10KBLAZE, can potentially compromise all NetWeaver Application Server (AS) and S/4HANA systems. “In exposed systems, the exploits can be executed by a remote, unauthenticated attacker having only network connectivity to the vulnerable systems. These exploits are not targeting vulnerabilities inherent in SAP code, but administrative misconfiguration of SAP NetWeaver installations,” the report said.

Attackers could also modify or extract highly sensitive and regulated information in what Onapsis called a serious threat, given that an estimated 50,000 companies and one million systems are configured using SAP NetWeaver and S/4HANA.

Misconfigurations in access control lists (ACLs) could leave systems vulnerable. Based on research collected over the past decade, the report estimated that nearly 90% of these systems suffer from the misconfigurations for which these exploits are now publicly available. “The lack of one of these ACLs being properly protected is enough for an attacker to successfully exploit it. Customers must secure both of the ACL configurations in Gateway and Message Server to stay protected,” the report said.

“This risk to SAP customers can represent a weakness in affected publicly traded organizations that may result in material misstatements of the company's annual financial statements (form 10-K). Further, a breach against these business-critical applications would likely result in the need for disclosure, given the recent SEC's Cybersecurity Disclosure Guidance,” said Larry Harrington, former chairman of the board of the Institute of Internal Auditors (IIA), in a press release.

“SAP released relevant security notes and guidance to help customers secure these critical configurations several years ago. The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems. This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes,” said Mariano Nunez, CEO and co-founder, Onapsis, in the press release.

APT34: Glimpse project

The APT34 Glimpse project is maybe the most complete APT34 project known so far, the popular researcher Marco Ramilli analyzed it for us.

Indeed, it combines a file-based command and control structure (a rather unusual design), a VBS launcher, a PowerShell payload and a covert channel over DNS. This last feature is the characteristic most commonly attributed to APT34. But let’s move on and start a quick analysis of it.

Context:

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19, 2019, researchers at Chronicle, a security company owned by Google’s parent company Alphabet, examined the leaked tools, dumped the previous week on a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset has also been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

According to Duo, OilRig has delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. “Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set,” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.

Today I’d like to focus my attention on the Glimpse project since, in my personal opinion, it could be considered the “stereotype” of APT34 (with the data we’ve got so far).

The Glimpse Project

The package comes with a README file named “Read me.txt” (note the space). The name itself is quite unusual, and the content is a simple guide on how to set up a nodejs server and a Windows server that runs the “stand alone” .NET (>v4) application used to control infected machines. The infection starts by propagating a .VBS script called “runner_.vbs”, which is a simple runner for a more sophisticated PowerShell payload. The PowerShell payload is a quite complex script performing several functions. The following image shows its “deobfuscated” main loop.

Glimpse Infection Payload Main Loop

The payload loops waiting for instructions; once a command comes from the C2, it performs the specific action and answers back to the C2 by requesting crafted subdomains based on the variable $aa_domain_bb. One of the most important functions the payload implements is dropping and executing additional toolsets. Indeed, this payload is mainly a delivery module with some additional controls, entirely based on a DNS covert channel.

The $aa_domain_bb variable contains the main domain name for which the C2 acts as the authoritative Domain Name Server. While no actions are coming from the C2, the infected agent just periodically “pings” the C2 with basic information about the victim machine. For example, the function aa_ping_response_bb composes an encoded DNS message (aa_text_response_bb) which sends its own last IP address. At this stage we can observe two communication channels. The first comes from subdomain generation, for example: 59071Md8200089EC36AC95T.www.example.com, while the second comes from TXT DNS records such as: control: 95 – ackNo: 0 – aid: 59071d8289 – action: M >>> 59071Md8200089EC36AC95T. Both are implemented to carry different information. One of the most important functions is aa_AdrGen_bb, the communication manager. It implements the control layer that sends and receives control information such as commands, bytes received, whether the file transfer has been closed, and so on. The decoded actions are stored in the variable aa_act_bb and are the following:

Command and Control. Env creation for new connected agents
  • M. If the agent is already registered with the C2, this command acts like a ping and updates basic information in the corresponding “agent” folder. If it is the first time the agent connects back to the C2, it starts a registration phase which builds, server side (on the command and control), a dedicated folder and file environment. Please check the previous image: Command and Control. Env creation for new connected agents.
  • W. This is a TXT request to list the waiting commands (or, if you wish, “kinds of jobs”). The first command executed after the registration phase is the one tagged 10100, with the content: “whoami&ipconfig /all”
  • D. This is what should actually be executed. It takes the tagged task as input and forwards the Base64-encoded content of the file to the requesting agent.
  • 0. This is not a TXT request. It makes the authoritative DNS (the command and control) answer the agent with the requested file from the waiting folder. If no “actions” (files) are in the waiting folder, the C2 answers with an A record whose data field is the crafted IP 11.24.237.110; otherwise it answers with an A record whose data field is “24.125.” + fileNameTmp.substring(0, 2) + “.” + fileNameTmp.substring(2, 5) and a time to live that is a random number between 0 and 360.
  • 1. This is not a TXT request. It makes the authoritative DNS (the command and control) answer back with the file content. It implements a multiple-answer chain, according to RFC4408, to send files longer than 255 characters.
  • 2. This is not a TXT request. It makes the authoritative DNS (the command and control) receive a file from the agent. It implements a complex multi-part chain for reconstructing the partial pieces coming from domain name requests. After sending all of the data, the agent issues a final DNS query with “COCTabCOCT” in the data segment. This query notifies the C2 server that the Trojan has finished sending the contents of the file.
Command and Control: COCTabCOCT end of communication

The following image shows a running example of the infection chain executed in a controlled virtual environment. You can see the communication layers over the requested domains. For example, the following request carries data in the subdomain, while the answered IP gives a specific affirmative/negative response.

10100*9056*****************.33333210100A[.]example[.]com

Glimpse running environment
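As an added example (not code from the original post or from the leaked toolset), the following Python script turns the DNS behaviour described above into detection logic run over constructed resolver log lines: it flags the 11.24.237.110 “nothing waiting” answer, decodes 24.125.xx.yyy answers back into the waiting file-name prefix, spots the COCTabCOCT upload terminator, and adds a generic long/high-entropy label heuristic. The tab-separated log format, the sample lines, the client addresses and the entropy and length thresholds are assumptions made for the example.

```python
"""Detection logic for the Glimpse DNS covert channel described above.

Added example for this write-up; it is not code from the original post or from
the leaked toolset. The indicator values come from the text: 11.24.237.110 means
"nothing waiting", an answer in 24.125.0.0/16 with TTL 0..360 carries the first
five characters of a waiting file name, and COCTabCOCT ends an agent upload.
The log format (tab-separated: time, client, qname, qtype, answer, ttl), the
log lines and the heuristic thresholds are constructed for the example.
"""
import ipaddress
import math
from collections import Counter

NO_ACTION_SENTINEL = ipaddress.IPv4Address("11.24.237.110")  # from the write-up
FILE_TAG_NET = ipaddress.IPv4Network("24.125.0.0/16")         # "24.125." + name fragments
MAX_TTL = 360                                                 # C2 picks a TTL in 0..360
UPLOAD_TERMINATOR = "COCTabCOCT"                              # end-of-file marker
MIN_LABEL_LEN = 20    # assumed heuristic thresholds, not taken from the write-up
MIN_ENTROPY = 3.0


def decode_file_tag(answer):
    """Invert the C2 answer encoding 24.125.<name[0:2]>.<name[2:5]>.

    Returns the recovered five-character file-name prefix, or None when the
    answer is not an address in the tag range. Leading zeros of the fragments
    are lost once the string became an IP, so the result is zero-padded to
    2+3 digits (an ambiguity a defender has to accept).
    """
    try:
        addr = ipaddress.IPv4Address(answer)
    except ValueError:
        return None
    if addr not in FILE_TAG_NET:
        return None
    _, _, o3, o4 = addr.packed
    if o3 > 99:                      # cannot come from a two-character fragment
        return None
    return f"{o3:02d}{o4:03d}"


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse_line(line):
    """Parse one constructed tab-separated resolver log line into a record."""
    ts, client, qname, qtype, answer, ttl = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "qname": qname.rstrip("."),
            "qtype": qtype, "answer": answer, "ttl": int(ttl)}


def inspect(rec):
    """Return the list of Glimpse indicators matched by one DNS record."""
    reasons = []
    first_label = rec["qname"].split(".")[0]
    if UPLOAD_TERMINATOR in rec["qname"]:
        reasons.append("upload-terminator")
    if rec["qtype"] == "A":
        tag = decode_file_tag(rec["answer"])
        if rec["answer"] == str(NO_ACTION_SENTINEL):
            reasons.append("no-action-sentinel")
        elif tag is not None and rec["ttl"] <= MAX_TTL:
            reasons.append(f"file-tag:{tag}")
    # Generic tunnelling heuristic: data-bearing labels are long and look random.
    if len(first_label) >= MIN_LABEL_LEN and label_entropy(first_label) >= MIN_ENTROPY:
        reasons.append("long-high-entropy-label")
    return reasons


def analyze(log_text):
    """Run inspect() over every line; return (findings, hits per client)."""
    findings = []
    per_client = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = inspect(rec)
        if reasons:
            findings.append((rec["client"], rec["qname"], reasons))
            per_client[rec["client"]] += 1
    return findings, per_client


# Constructed resolver log; 10.0.0.5 mimics the agent traffic described above,
# 10.0.0.7 is benign (the 24.125.3.7 answer has a TTL far above 360).
SAMPLE_LOG = "\n".join([
    "2019-05-02T10:00:01\t10.0.0.5\t59071Md8200089EC36AC95T.www.example.com\tA\t11.24.237.110\t120",
    "2019-05-02T10:00:31\t10.0.0.5\t59071Wd8200089EC36AC95T.www.example.com\tTXT\tcontrol:95-ackNo:0\t60",
    "2019-05-02T10:01:02\t10.0.0.5\t10100*9056*****************.33333210100A.example.com\tA\t24.125.10.100\t77",
    "2019-05-02T10:02:10\t10.0.0.5\tCOCTabCOCT.59071d8289.www.example.com\tA\t11.24.237.110\t5",
    "2019-05-02T10:02:15\t10.0.0.7\twww.example.com\tA\t93.184.216.34\t3600",
    "2019-05-02T10:02:20\t10.0.0.7\tcdn.example.net\tA\t24.125.3.7\t86400",
])

if __name__ == "__main__":
    hits, counts = analyze(SAMPLE_LOG)
    for client, qname, reasons in hits:
        print(client, qname, ", ".join(reasons))
    print(dict(counts))
```

The 24.125.10.100 answer decodes to the prefix 10100, the tag of the first job the write-up says is queued after registration.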

The command and control is implemented by a standalone .NET application working through files. The backend, a nodeJS server, runs and offers a public API and saves requests to agents and results from agents directly into files named with a “UID-IP” convention acting as the agent ID. The panel reads those files and implements stats and actions. The following image shows the static configuration section in the C2 panel.

Command and Control Panel Hardcoded Settings

The Control Panel is mainly composed of two .NET Window components: the Main Window, where the list of connected agents is shown with additional information such as Agent ID, Agent IP, Agent Last Online Time and Attacker Comments, and the Control Window, which is opened once the attacker clicks on a selected agent. The onClick event spawns the following code:

// open the per-agent Control Window for the agent selected in the Main Window
controlPanel = new controlPanel(agent.id, agent.ip, agent.lastActivity);
controlPanel.Show();

After its initialisation phase the control panel enables the attacker to write or upload a list of commands, or a file containing commands, to agents. The following image shows the controlPanel function which takes commands from the input “TextFields” and creates a new file containing the commands in the waiting folder. The contents of that folder will be dropped on the selected agent and executed.

Command and Control, controlPanel insert_command function

The controlPanel offers many additional functionalities to better control a single agent or a group of agents. Trying to date the project, we can observe the compile time, which happens to be 9/1/2018 at 5:13:02 AM for newPanel-dbg.exe and 9/8/2018 at 8:01:54 PM for the imported library called ToggleSwitch.dll.

With high probability we are facing a multi-modular attack framework where, on one side, the DNS communication channel delivers commands to the target agents and, on the other side, many control panels could be developed and attached to the DNS communication system. This is quite obvious if you look at the framework as a developer: the DNS communication channel uses files to store information and to synchronise actions and agents, so that many C2s could be adapted to use it as a communication channel. We might think that many APT34 units would be able to reuse such a communication channel. Another interesting observation comes from trying to date the framework. A PowerShell agent was leaked on PasteBin in August 2018 (take a look here) by an anonymous user and has been seen, as of today, by very few people (197 so far). The command and control used was compiled the month before (July 2018). The development technologies (.NET, nodeJS) are very different and the implementation styles differ as well. The DNS communication channel is developed in a linear, more function-driven programming style, while the standalone command and control is developed using somewhat more sophisticated object-oriented programming with a flavour of agent-oriented programming: the attacker considers the agent object as an independent agent working without direct control. The attacker writes files as the medium to drive the agent’s behaviour.

The original post was published on the Marco Ramilli’s blog:

https://marcoramilli.com/2019/05/02/apt34-glimpse-project/

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in Malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – APT34, Glimpse project)

The post APT34: Glimpse project appeared first on Security Affairs.

TrustArc Announces Platform Dashboard to Simplify Privacy Management for CCPA, GDPR and Other Global Regulations

TrustArc is excited to announce a major expansion of our award-winning privacy platform to simplify compliance management for the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and other privacy regulations. The enhancements include a comprehensive set of dynamic components including regulatory updates, risk scores, program status and other privacy program KPIs accessible through a unified privacy program management dashboard. Our new dashboard streamlines compliance and risk management for privacy, IT and business teams. The privacy regulatory landscape is changing dramatically and businesses are looking for ways to stay on top of the new requirements. The major … Continue reading TrustArc Announces Platform Dashboard to Simplify Privacy Management for CCPA, GDPR and Other Global Regulations

The post TrustArc Announces Platform Dashboard to Simplify Privacy Management for CCPA, GDPR and Other Global Regulations appeared first on TrustArc Blog.

The State of Machine Learning in 2019

Here we are, almost four whole months into 2019 and machine learning and artificial intelligence are still hot topics in the security world. Or at least that was the impression I had. Our 2019 CISO Benchmark Report however, found that between 2018 and 2019, CISO interest in machine learning dropped from 77% to 67%. Similarly, interest in artificial intelligence also dropped from 74% to 66%.

Now there are a number of reasons why these values could have dropped over a year. Maybe there’s a greater lack of certainty or confidence when it comes to implementing ML. Or perhaps widespread adoption and integration into more organizations has made it less of a standout issue for CISOs. Or maybe the market for ML has finally matured to the point where we can start talking about the outcomes from ML and AI and not the tools themselves.

No matter where you stand on ML and AI, there’s still plenty to talk about when it comes to how we as an industry are currently making use of them. With that in mind, I’d like to share some thoughts on ways we need to view machine learning and artificial intelligence as well as how we need to shift the conversation around them.

More effective = less obvious

I’m still amazed that machine learning remains such a hot topic. That’s not to say it does not deserve to be an area of interest. I am saying, however, that what we should be talking about are the outcomes and capabilities it delivers. Some of you may remember when XML was such a big deal and everyone could not stop talking about it. Fast forward to today and no one advertises that they use XML, since that would just be obvious; users care more about the functionality it enables. Machine learning will follow the same path. In time, it will become an essential aspect of the way we approach security and simply another background process. Once that happens, we can focus on talking about the analytical outcomes it enables.

An ensemble cast featuring machine learning

Anyone who has built an effective security analytics pipeline knows that job one is to ensure that it is resilient to active evasion. Threat actors know as much or more than you do about the detection methods within the environments they wish to penetrate and persist in. The job of security analytics is to find the most stealthy and evasive threat actor activity in the network, and to do this you cannot rely on a single technique. You need a diverse set of techniques, all of which complement one another. A threat actor may be able to evade one or two of them simultaneously, but they don’t stand a chance against hundreds of them. Detection in diversity!

To explain this, I would like to use the analogy of a modern bank vault. Vaults employ a diverse set of detection techniques (motion, thermal, laser arrays), so whichever physical dimension an intruder disturbs, some alarm trips and the appropriate response follows. We do the same in the digital world, where machine learning helps us model the timing or volumetric aspects of behavior that are statistically normal so that we can signal on outliers. This can be done all the way down at the protocol level, where models are deterministic, or all the way up to application or user behavior, which can be less deterministic. We have had years to refine these analytical techniques and have published well over 50 papers on the topic in the past 12 years.

The precision and scale of ML

So why then can’t we just keep using lists of bad things and lists of good things? Why do we need machine learning in security analytics and what unique value does it bring us? The first thing I want to say here is that we are not religious about machine learning or AI. To us, it is just another tool in the larger analytics pipeline. In fact, the most helpful analytics comes from using a bit of everything.

If you hand me a list and say, “If you ever see these patterns, let me know about it immediately!” I’m good with that. I can do that all day long and at very high speeds. But what if we are looking for something that cannot be known before the list is made? What if what we are looking for cannot be seen but only inferred, the shadows of the objects but never the objects, if you will? What if we are not really sure what something is or the role it plays in the larger system (i.e., categorization and classification)? These are the questions where machine learning has contributed a great deal to security analytics. Let’s point to a few examples.

The essence of Encrypted Traffic Analytics

Encryption has made much of what was once observable in the network impossible to observe. You can argue with me on this, but mathematics is not on your side, so let’s just accept that deep packet inspection of payloads is a thing of the past. We need a new strategy, and that strategy is the power of inference. Encrypted Traffic Analytics is an invention at Cisco that leverages the fact that every encrypted session begins in the clear: a TLS handshake, for example, exposes the ClientHello and ServerHello (and, before TLS 1.3, the server certificate) before any application data is protected. Routers and switches can export an “Observable Derivative” of each session: metadata such as the cleartext handshake fields and the sequence of packet lengths and inter-arrival times. This metadata is a mathematical shadow of the payloads we cannot inspect directly. Machine learning lets us train on these observable derivatives, so that if a session’s shape and size over time match known malicious behavior, we can bring it to your attention without dealing with decryption. One caveat: TLS 1.3 encrypts more of the handshake, so the cleartext portion shrinks and the behavioral features carry correspondingly more of the load.

Why is this printer browsing Netflix?

Sometimes we are lucky enough to know the identity and role of a user, application, or device as it interacts with systems across the network. The reality is that most days we are far from 100% on this, so machine learning can help us cluster network activity and make an assertion like, “based on the behavior and interactions of this thing, we can call it a printer!” When you are dealing with thousands upon thousands of computers interacting with one another across your digital business, even if you had a list at some point in time, it is likely not up to date. The value of this labeling is not just that objects carry the most accurate labels, but that you can infer suspicious behavior from an object’s trusted role. If a network device is labeled a printer, it is expected to act like a printer, and its future behavior can be predicted from that role. If one day it starts to browse Netflix or checks out some code from a repository, our Stealthwatch software raises an alert. With machine learning, you can infer from behavior what something is, or, if you already know what something is, predict its “normal” behavior and flag anything “not normal.”

Pattern matching versus behavioral analytics

Lists are great! Hand me a high-fidelity list and I will hand you back high-fidelity alerts generated from that list. Hand me a noisy, low-fidelity list and I will hand you back noise. Arthur Samuel’s 1959 definition of machine learning is the “field of study that gives computers the ability to learn without being explicitly programmed.” In security analytics we can use it for exactly this: analytical processes that implicitly program a list for you from the activity they observe (the telemetry they are presented). Machine learning helps us assemble a list that could not have been known a priori. In security, we complement what we know with what we can infer through negation. A simple example: “if these are my sanctioned DNS servers and their activities, then what is this other thing here?!” Logically, instead of asserting that something is A (a member of set A), we assert not-A. That is only practical if we have already closed the world to {A, B}: when the set is closed, not-A is B. If we have not closed the world to a fixed set of members, not-A could be anything in the universe, which is not helpful.
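To make the two preceding ideas concrete (the role baseline behind the “printer browsing Netflix” alert and the closed-world negation against sanctioned DNS servers), here is an added Python example; it is not Cisco’s or Stealthwatch’s code. It runs over a constructed set of flow records, learns each host’s service profile and hourly byte volume from a baseline window, then flags role deviations, DNS to unsanctioned resolvers, and volumetric outliers with a median/MAD robust score. The host addresses, role labels and resolver list are assumptions for the example.

```python
"""Behavioral baselines over flow telemetry.

Added example with constructed data (not real telemetry, not Stealthwatch code).
Addresses, role labels and the sanctioned resolver set are assumptions.
"""
from collections import defaultdict, namedtuple
from statistics import median

Flow = namedtuple("Flow", "hour src dst proto dport nbytes")

# Roles an analyst (or a clustering step) has already assigned to hosts.
ROLES = {"10.0.5.20": "printer", "10.0.7.41": "workstation"}
# The closed world 'A' for DNS: every resolver we sanction, fully enumerated.
SANCTIONED_DNS = {"10.0.0.53", "10.0.1.53"}

# Eight hours of baseline: the printer does scan-to-email, DNS and NTP; the
# workstation browses HTTPS and uses a sanctioned resolver.
BASELINE = [
    *[Flow(h, "10.0.5.20", "10.0.2.25", "tcp", 25, b)
      for h, b in enumerate([2000, 2200, 1900, 2100, 2000, 2300, 1800, 2100])],
    *[Flow(h, "10.0.5.20", "10.0.0.53", "udp", 53, 120) for h in range(8)],
    *[Flow(h, "10.0.5.20", "10.0.0.123", "udp", 123, 90) for h in range(8)],
    *[Flow(h, "10.0.7.41", "93.184.216.34", "tcp", 443, 50_000 + 1_000 * h) for h in range(8)],
    *[Flow(h, "10.0.7.41", "10.0.1.53", "udp", 53, 300) for h in range(8)],
]

# The hour under review.
TODAY = [
    Flow(9, "10.0.5.20", "10.0.2.25", "tcp", 25, 2050),            # normal
    Flow(9, "10.0.5.20", "10.0.0.53", "udp", 53, 110),             # normal
    Flow(9, "10.0.5.20", "198.51.100.7", "tcp", 443, 1_500_000),   # printer "browsing Netflix"
    Flow(9, "10.0.5.20", "198.51.100.9", "tcp", 22, 40_000),       # printer cloning a repo over SSH
    Flow(9, "10.0.7.41", "8.8.8.8", "udp", 53, 310),               # DNS to an unsanctioned resolver
    Flow(9, "10.0.7.41", "93.184.216.34", "tcp", 443, 58_000),     # normal
]


def learn_profiles(flows):
    """Implicitly build, per host, the 'list' of (proto, dport) services it has used."""
    profiles = defaultdict(set)
    for f in flows:
        profiles[f.src].add((f.proto, f.dport))
    return profiles


def role_deviations(profiles, flows, roles):
    """A labelled host is expected to keep acting like its label; flag any
    (proto, dport) it was never seen using during the baseline."""
    return [(roles.get(f.src, "unknown"), f.src, f.dst, f.proto, f.dport)
            for f in flows if (f.proto, f.dport) not in profiles.get(f.src, set())]


def unsanctioned_dns(flows, sanctioned):
    """Negation that works only because the world is closed: a DNS flow is either
    to a sanctioned resolver (A) or it is not-A, and not-A is worth an alert."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.dport == 53 and f.dst not in sanctioned})


def hourly_bytes(flows):
    """Sum bytes per host per hour: the volumetric view of behavior."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.hour] += f.nbytes
    return totals


def volumetric_outliers(baseline, flows, threshold=5.0):
    """Robust z-score per host: (bytes_this_hour - median) / MAD, with median and
    MAD learned from the baseline window. MAD resists the very outliers we hunt."""
    base, today = hourly_bytes(baseline), hourly_bytes(flows)
    hits = []
    for host, hours in today.items():
        history = list(base.get(host, {}).values())
        if len(history) < 4:            # too little history to call anything abnormal
            continue
        med = median(history)
        mad = median(abs(x - med) for x in history) or 1.0   # guard a perfectly flat baseline
        for hour, total in hours.items():
            score = (total - med) / mad
            if score > threshold:
                hits.append((host, hour, total, round(score, 1)))
    return hits


if __name__ == "__main__":
    profiles = learn_profiles(BASELINE)
    for d in role_deviations(profiles, TODAY, ROLES):
        print("role deviation:", d)
    for d in unsanctioned_dns(TODAY, SANCTIONED_DNS):
        print("unsanctioned DNS:", d)
    for d in volumetric_outliers(BASELINE, TODAY):
        print("volume outlier:", d)
```

Note how the checks complement each other: the workstation’s query to 8.8.8.8 looks normal to the role profile (it is still UDP/53) and is caught only because the set of sanctioned resolvers is closed, while the printer’s HTTPS and SSH flows are caught by the profile and again by the volume score. With a profile learned from too short a window, the role check will flag legitimate but rare services, so the baseline period has to cover the host’s normal cycle.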

Useful info for your day-to-day tasks

I had gone my entire career measuring humans as if they were machines, and now I am measuring humans as humans. We cannot forget that no matter how fancy we get with the data science, if a human in the end will need to understand and possibly act on this information, they ultimately need to understand it. I had gone my entire career thinking that the data science could explain the results, and while this is academically accurate, it is not helpful to the person who needs to understand the analytical outcome. The sense-making of the data is square in the domain of human understanding, and this is why the only question we want to ask is “Was this alert helpful?” Yes or no. And that’s exactly what we do with Stealthwatch. At the end of the day, we want to make sure that the person behind the console understands why an alert was triggered and whether that helped them. If the “yeses” we’ve received, scoring in the mid-90% range quarter after quarter, are any indication, then we’ve been able to help a lot of users make sense of the alerts they’re receiving and use their time more efficiently.

Conclusion

We owe a big round of applause to artificial intelligence for birthing the child we know and love, named machine learning, and for all that it has contributed to security analytics over the past year. We remain pragmatic in its application: just because it is the new kid on the block does not mean we can turn our backs on simple or complex lists of rules, simple statistical analysis, or any other method that has got us to where we are today.

Lucky for us, machine learning has already shown signs of playing well with its peers as we continue to find ways to improve existing security processes through pairing them with ML. It can’t solve every single problem on its own, but when it works together with the people and processes that have come before it, we get that much closer to a more secure future. And if Machine Learning is the child of AI, who then are its brothers and sisters that we have yet to explore in Security Analytics? We have some big ideas and some already in prototype state, but remember, in the end, we will ask you if it is helpful or not helpful, not all the data science mumbo jumbo!

As always, we welcome your comments below. Readers who enjoyed this blog would also benefit from viewing our library of recent Cybersecurity Reports or checking out our new Threat of the Month blog series.

Putin Signs Law to ‘Stabilize’ Russian Internet


In the event that Russia should ever be disconnected from the global infrastructure of the World Wide Web, Russian president Vladimir Putin has signed a law to stabilize the operation of the Russian internet, dubbed Runet, according to Tass, a Russian news agency.

Infosecurity Magazine reported last month on the then-proposed law, which has been seen as part of Russia’s plan to cut access to the global internet. The final draft of the bill reportedly prepares for the unlikely event that – should anything threaten the stable, safe and integral operation of the Russian internet on Russian territory – “the Federal Service for Supervision of Communications, Information Technology and Mass Media will be able to carry out 'the centralized operation of the general communications network,'" Tass reported.

The law essentially lays the groundwork for Russia to develop an alternate domain name system (DNS), which would reportedly force all internet service providers to “disconnect from any foreign servers, relying on Russia's DNS instead,” according to Forbes.

“We’re disappointed to see this request from Roskomnadzor. OpenVPN cannot in good conscience support censorship; I’ve personally experienced it and know the damage it can cause. We stand by our belief that open, secure access to the internet is a human right,” said Francis Dinha, CEO and co-founder of OpenVPN.

OpenVPN is a protocol and a technology, and Dinha said the company does not believe the law will impact its B2B services unless Russia decides to block the OpenVPN protocol. Though the company has a consumer VPN service, it does not have any servers in Russia.

“OpenVPN is committed to our users and customers by protecting them against cyber-threats and providing secure and private access to their information from anywhere in the world. State governments and institutions may have the right to create policies and restrict its citizens from accessing certain content. However, OpenVPN will continue to provide access to our software and services to people no matter where they live or travel to. OpenVPN can’t compromise and must protect the security and privacy of those we serve.”

Fallout from Gavin Williamson sacking | Letters

Readers respond to the sacking of the defence secretary Gavin Williamson over accusations of leaking

While I am delighted that Gavin Williamson (May tells defence secretary: ‘You leaked, you are fired’, 2 May) has been removed from the government – remember he said that all British jihadists should be hunted down and killed in the Middle East rather than returned for trial here – I am sorry that as a result Rory Stewart no longer has responsibility for prisons. His is a deserved promotion, but as prisons minister he was the first member of the government to make any attempt to get to grips with the problems of our criminal justice system and offered to resign if things did not improve. How sad that there are not more of that ilk in public life these days.
Maureen Panton
Malvern, Worcestershire

• Is the Gavin Williamson who has just been sacked as defence secretary for allegedly leaking plans discussed in the National Security Council to allow Huawei to be involved in building the UK’s 5G network the same Gavin Williamson who told us last year that it’s Jeremy Corbyn that “cannot be trusted”?
Sasha Simic
London


ATO Attacks Affect Around 4,000 Office 365 Accounts

ATO (Account Takeover) attacks have reportedly impacted roughly 4,000 Office 365 accounts, which were later used to carry out malicious activities.

Details of the attacks, which were observed over a single month, were published by researchers at Barracuda Networks in a report dated May 2, 2019. The report says, “Barracuda researchers have revealed a startling rise in account takeover, one of the fastest growing email security threats. A recent analysis of account-takeover attacks targeted at Barracuda customers found that 29 percent of organizations had their Office 365 accounts compromised by hackers in March 2019.”

The report reveals that in that one month (March 2019), over 1.5 million malicious and spam emails were sent from the hacked Office 365 accounts.

Barracuda researchers explain that the criminals behind the ATO attacks had used different methods to execute the attacks, including leveraging login credentials acquired in previous data breaches, brute-force attacks, and attacks via web and business applications (including SMS).

The Barracuda Networks blog post, which has been authored by Asaf Cidon, Vice President of content security services, says, “Cybercriminals use brand impersonation, social engineering, and phishing to steal login credentials and access Office 365 accounts. Once the account is compromised, hackers monitor and track activity to learn how the company does business, the email signatures they use, and the way financial transactions are handled, so they can launch successful attacks, including harvesting additional login credentials for other accounts.”

The attacks begin with infiltration (hackers impersonate Microsoft in one in three attacks), using social engineering to lure users to phishing websites where they disclose their login credentials. Hackers rarely launch an attack immediately after compromising an account. They instead monitor emails and track company activity, which maximizes the chance that the eventual attack succeeds. Barracuda’s Asaf Cidon writes, “As part of their reconnaissance, scammers often set up mailbox rules to hide or delete any emails they send from the compromised account. In the March 2019 analysis performed by Barracuda researchers, hackers set up malicious rules to hide their activity in 34 percent of the nearly 4,000 compromised accounts.”

After reconnaissance, the hackers target other high-value accounts (of executives, financial department employees, etc) using the harvested credentials. The hackers would use spear phishing and brand impersonation in a bid to harvest the credentials for these high-value accounts. They would use domain-spoofing techniques or lookalike fake domains to make their impersonation attempts appear convincing.

“Hackers also use compromised accounts to monetize attacks by stealing personal, financial, and confidential data and using it to commit identity theft, fraud, and other crimes. Compromised accounts are also used to launch external attacks targeting partners and customers. With conversation hijacking, hackers insert themselves into important conversations or threads, such as during a wire transfer or other financial transaction,” explains Asaf Cidon.

Such attacks, it should be noted, cause great financial losses to companies; the hackers also make money by targeting wire transfer payments and redirecting them to bank accounts that they control.

How to ensure protection against such ATO attacks…

Barracuda researchers offer several recommendations for protecting against ATO attacks.

The first is to put machine learning to work: models trained on an organization’s normal communication patterns can spot anomalies that indicate attacks, such as spear phishing, that bypass gateways and spam filters.

The researchers also recommend deploying account take-over protection using AI (artificial intelligence), which could help identify takeovers and also help in remediation.

Using multi-factor authentication, monitoring inbox rules and suspicious logins, and training employees to recognize and report attacks are also effective mitigations.
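The mailbox-rule reconnaissance described above is also the most checkable part of the attack chain, because creating the rule leaves an audit record. As an added example (not Barracuda’s code), the Python below triages constructed Office 365 Unified Audit Log records of the ExchangeAdmin kind, where New-InboxRule and Set-InboxRule operations carry a Parameters list of Name/Value pairs; the record shape is assumed from that format, and the tenant domain, users and addresses are invented. It flags rules that delete mail, move it to rarely viewed folders, forward or redirect it to external domains, or filter on finance and security keywords, and it notes punctuation-only rule names, a common attacker habit.

```python
"""Triage of Office 365 inbox-rule audit records for account-takeover tells.

Added example, not Barracuda's code. The records below are constructed to match
the shape of Unified Audit Log ExchangeAdmin events (an Operation plus a
Parameters list of Name/Value pairs); tenant domain and addresses are invented.
"""
import json
import re

INTERNAL_DOMAINS = {"contoso.example"}
# Folders users rarely open: moving mail here hides it almost as well as deleting it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
# Words attackers filter on to intercept money flows or suppress warnings.
SUSPECT_WORDS = {"invoice", "payment", "wire", "bank", "password",
                 "hacked", "phishing", "suspicious", "fraud"}
# Pulls the address out of both "a@b.example" and '"Name" [SMTP:a@b.example]'.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

RAW_RECORDS = r'''[
 {"CreationTime": "2019-03-12T08:14:22", "Operation": "New-InboxRule",
  "UserId": "alice@contoso.example", "ClientIP": "203.0.113.5",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "DeleteMessage", "Value": "True"},
                 {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"}]},
 {"CreationTime": "2019-03-12T09:02:10", "Operation": "New-InboxRule",
  "UserId": "bob@contoso.example", "ClientIP": "10.0.7.41",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "MoveToFolder", "Value": "bob@contoso.example:\\Newsletters"},
                 {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}]},
 {"CreationTime": "2019-03-12T11:45:03", "Operation": "Set-InboxRule",
  "UserId": "carol@contoso.example", "ClientIP": "198.51.100.77",
  "Parameters": [{"Name": "Identity", "Value": "Keep"},
                 {"Name": "ForwardTo", "Value": "\"backup\" [SMTP:carol.backup@webmail.example]"},
                 {"Name": "MarkAsRead", "Value": "True"}]},
 {"CreationTime": "2019-03-12T12:00:00", "Operation": "Set-Mailbox",
  "UserId": "dave@contoso.example", "ClientIP": "10.0.7.42",
  "Parameters": [{"Name": "Identity", "Value": "dave"}, {"Name": "AuditEnabled", "Value": "True"}]},
 {"CreationTime": "2019-03-12T13:30:41", "Operation": "New-InboxRule",
  "UserId": "erin@contoso.example", "ClientIP": "198.51.100.78",
  "Parameters": [{"Name": "Name", "Value": "Filter"},
                 {"Name": "MoveToFolder", "Value": "erin@contoso.example:\\RSS Subscriptions"},
                 {"Name": "MarkAsRead", "Value": "True"},
                 {"Name": "SubjectContainsWords", "Value": "password;hacked"}]}
]'''
RECORDS = json.loads(RAW_RECORDS)


def params(record):
    """Flatten the Name/Value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value, internal):
    """Addresses in a ForwardTo/RedirectTo value whose domain is not ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in internal]


def score_rule(record, internal=INTERNAL_DOMAINS):
    """Return the reasons a rule looks like takeover tradecraft, [] if it looks
    benign, None if the record is not an inbox-rule operation at all."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = params(record)
    reasons = []
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    folder = p.get("MoveToFolder", "").replace(":", "\\").split("\\")[-1]
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {folder}")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in external_addresses(p.get(key, ""), internal):
            reasons.append(f"{key} external address {addr}")
    conditions = " ".join(p.get(k, "") for k in (
        "SubjectContainsWords", "BodyContainsWords",
        "SubjectOrBodyContainsWords", "FromAddressContainsWords")).lower()
    words = sorted(w for w in SUSPECT_WORDS if w in conditions)
    # Keyword filters matter when the mail is hidden, forwarded or silently marked read.
    if words and (reasons or p.get("MarkAsRead") == "True"):
        reasons.append("filters on " + ", ".join(words))
    name = p.get("Name") or p.get("Identity") or ""
    if name and not any(c.isalnum() for c in name):
        reasons.append(f"punctuation-only rule name {name!r}")
    return reasons


def triage(records):
    """(UserId, ClientIP, rule name, reasons) for every rule that scored."""
    out = []
    for r in records:
        reasons = score_rule(r)
        if reasons:
            p = params(r)
            out.append((r["UserId"], r["ClientIP"], p.get("Name") or p.get("Identity"), reasons))
    return out


if __name__ == "__main__":
    for user, ip, name, reasons in triage(RECORDS):
        print(f"{user} from {ip}: rule {name!r}: " + "; ".join(reasons))
```

Pair the rule triage with the login telemetry the recommendations mention: a rule created from an IP or country the user has never signed in from is far stronger evidence than either signal alone. One gap to keep in mind: rules created from the Outlook desktop client are logged as UpdateInboxRules operations with a different parameter layout, so a triage that only reads New-InboxRule and Set-InboxRule will miss them.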

Also, Read:

Office 365, G Suite Cloud Accounts Hacked Using IMAP Protocol

Microsoft 365 Business Boosts SMB Security for PC Protection

The post ATO Attacks Affect Around 4,000 Office 365 Accounts appeared first on .

Get security beyond Microsoft products with Microsoft 365

Over time, organizations and individuals acquire stuff. Things we love and things we need. Things we don’t need but can’t seem to get rid of. I was confronted with this challenge when we bought a 1908 craftsman home. How could I make my beloved modern furniture and mandatory kid-friendly gear work? Planning a space that pulled together the contemporary pieces with the old-world details of our home took some work, but it was worth it (and actually kind of fun). Best of all, our home has character and it feels like us.

IT organizations have also accumulated stuff over the years. Legacy systems can’t be easily replaced (like my kid-friendly furniture). Investments have been made in cloud services and security solutions to solve specific problems. It’s not always practical or even smart to replace existing products around which IT has developed processes that work. This can be a struggle for security architects striving for a single pane of glass across their security ecosystem. While they might never reach that holy grail, Microsoft 365 can get them a lot closer.

Microsoft security capabilities can extend across the entire digital landscape, including non-Microsoft products and services. Our latest e-book, Security beyond Microsoft products, illustrates how IT can secure a diverse digital estate and integrate with other security solutions to eliminate “security silos.”

Secure a diverse digital estate

The Security beyond Microsoft products e-book provides concrete examples of how Microsoft 365 security can be used to protect non-Microsoft applications and services. For example, you can use Azure Active Directory (Azure AD) to extend your sign-in policies to thousands of third-party cloud apps. Microsoft Intune secures and manages Android and Apple devices. You can even track threats across a hybrid cloud ecosystem.

Integrate with other security solutions

Microsoft 365 is a complete, intelligent solution, but it also integrates well with other security products. If you have individual security products that are still under contract or that you’ve fine-tuned for your team and processes, there is no need to lose those investments. The Security beyond Microsoft products e-book describes how Microsoft 365 works with other vendor products, such as a third-party Multi-Factor Authentication (MFA) product or a data loss prevention (DLP) solution.

Learn more

I was able to bring eclectic pieces together in a seamless, comfortable way that balanced the old and new, and you can do the same across your security organization. Learn more by downloading the first five e-books in our series:

Check back to read the final e-book in this series, “Secure your most sensitive data,” which details how Microsoft 365 can protect your data even as it travels.

The post Get security beyond Microsoft products with Microsoft 365 appeared first on Microsoft Security.

Qakbot levels up with new obfuscation techniques

Qakbot, also known as Qbot, is a well-documented banking trojan that has been around since 2008. Recent Qakbot campaigns, however, use an updated persistence mechanism that can make the trojan harder for users to detect and remove. Qakbot targets businesses in the hope of stealing login credentials and eventually draining bank accounts. It has long used scheduled tasks to maintain persistence. In this blog post, we detail an update to these scheduled tasks that allows Qakbot to maintain persistence and potentially evade detection.


Confused about Cybersecurity Platforms? We Can Help.

“Cybersecurity platform” continues to be an industry buzzword. Vendors talk about it at industry events, and so do many analysts. But can every vendor credibly claim to offer a platform? More importantly, how does that help your business? The security industry has evolved by responding to emerging threats with new, shiny tools, leaving most organizations with many disparate tools. Most organizations (over 60%, according to ESG research) are looking to consolidate security vendors, and the trend toward fewer tools is showing better results. A recent Cisco CISO Benchmark Study found that organizations with fewer vendors saw fewer than 5,000 alerts per day versus 10,000 alerts (over 66% of organizations). Teams were able to focus on more important work like remediation, and those with fewer than 10 vendors had higher average response rates. Fewer vendors can also mean fewer management consoles, reducing complexity. Fewer siloed vendors may be a step toward a cybersecurity platform, and it appears to be a driver for the platform approach or integrated architecture, as one customer in the Cisco report put it:

“If we can reduce the vendor footprint and have a more integrated architecture, that helps us significantly. I would rather have more automation on the back-end through an integrated architecture than having to slap something on top of it and write some new scripts to bring it all together.” —Cisco CISO Report 2019

What is a Cybersecurity Platform?

ESG Research dug deeper into this platform appeal by surveying organizations to learn their desire for a cybersecurity platform and what the top attributes for this platform are. The attributes help provide a definition of a cybersecurity platform and fall into three driver buckets: Must Be Comprehensive, Make It Simple, and Embrace the Cloud.


How Does McAfee Stack Up?

This is a good list to use to evaluate if you are looking to take a cybersecurity platform approach. McAfee reviewed the ESG criteria to test our platform approach and found that we are 100% on target. See the results in the ESG paper McAfee’s Enterprise-class Cyber Security Technology Platform.

Core to the McAfee platform is industry-acclaimed McAfee ePolicy Orchestrator. There’s also the mature and proven messaging fabric, Data Exchange Layer (DXL), which connects and optimizes across security functions and provides real-time threat intelligence to the entire security ecosystem. Our customers agree—watch our video about Prime Therapeutics. They are detecting threats and correlating data with McAfee ePO, DXL, McAfee Threat Intelligence Exchange, and McAfee Active Response.

Who Are the Platform Players?

Looking at the attributes, not all vendors can meet the criteria. Most security vendors offer just one distinct security tool. Offering a platform requires a vendor to have an integrated portfolio and/or willingness to easily integrate with other security functions. If they do match the criteria, you can dig deeper to find a few “gotcha” items.

Most organizations believe that taking a platform approach for their cybersecurity will yield higher efficacy and stronger operational efficiencies. These metrics can translate into better business outcomes like saving $1 million when an organization can respond efficiently to contain a cyberattack within 30 days of a data breach (IBM Cost of Data Breach Study 2018).

McAfee has held the position for years that security working together is better. Comment below with your cybersecurity platform perspective.

The post Confused about Cybersecurity Platforms? We Can Help. appeared first on McAfee Blogs.

Incident response: Putting all the R’s in IR

It is well established that the ‘R’ in IR stands for “Response.” But given the challenges facing incident response teams today, IR could just as well stand for “It’s Rough.” The landscape is challenging, tools are multiplying, and the talent shortage seems insurmountable.

First of all, according to Cisco’s recent CISO Benchmark Study, 79 percent of security leaders are finding it challenging to orchestrate threat response in a multi-vendor environment. There has also been a drop from Cisco’s 2018 survey in the number of legitimate security alerts organizations are remediating – down from roughly 50 percent last year to just under 43 percent this year. All this means that incident response is not getting any easier: only 35 percent of security professionals find it easy to determine the scope of a compromise, contain it, and remediate it.

Attackers continue to innovate and come up with new attack types at a record pace. They’re so brazen that they even use Facebook and other social networks to share tools and sell stolen, personal information. Meanwhile, security teams struggle to keep up with this innovation, acquiring new technology to deal with every emerging threat.

IT infrastructure is too complicated, and resources are too scarce, to manage all of these tools and derive the intended benefits from them. Especially since security products often don’t talk to one another, requiring manual analysis and comparison of seemingly infinite alerts and logs to make sense of what’s going on.

But there is some good news in all of this. According to a Cybersecurity Almanac published by Cisco and Cybersecurity Ventures, Fortune 500 and Global 2000 CISOs are expected to reduce the number of point security products they are using by 15-18 percent this year. Additionally, our CISO Benchmark Study tells us that more security teams are using time to remediate as a success metric for their operations (48 percent compared to just 30 percent last year). Remediation is difficult, demonstrating that security teams are setting the bar very high for themselves.

This hopefully shows that organizations are allowing CISOs to think more strategically about security – and that the C-suite in general is perhaps realizing that it’s about more than just buying a bunch of products and hoping they work.

Three more R’s: readiness, recon, and remediation

In actuality, there’s more to the ‘R’ in IR than just ‘response.’ To effectively respond to attacks, organizations not only have to react when they occur, but also:

  1. Be prepared for them in the first place. (Readiness.)
  2. Have an efficient way of obtaining visibility into any threats that make their way in. (Recon.)
  3. Mitigate attacks as quickly as possible. (Remediation.)

How do you master all these R’s? First of all, if your environment is made up of dozens of security technologies each performing siloed tasks and not sharing intelligence, you can’t really succeed. You will never have enough time, resources, and patience to piece all of this disparate information together and identify attacks before they rip through your environment.

At Cisco, we are constantly trying to figure out how to make security better to more effectively protect today’s businesses. Above all else – beyond all the latest features and capabilities – we focus on integrated security. We don’t want our products to protect against just one type of attack, or secure just one area of the network. We want to cover you from edge to endpoint – and we want our products to work together to lessen the burden on you and your team.

Here are some of the newer ways we are helping to fortify organizations’ incident response plans, and putting all the R’s in IR.

Cisco Stealthwatch – A whole lot of readiness  

Talk about being prepared. Cisco Stealthwatch has recently become the first and only security analytics platform to provide comprehensive visibility and threat detection across today’s modern infrastructure – including private, hybrid, and public multi-cloud environments. It automatically aggregates and analyzes security information across the entire enterprise to deliver a clear, understandable look at what’s going on 24/7. Stealthwatch prioritizes the most critical issues for the security team, and enables team members to easily drill down into any alerts that require further investigation.

Essentially, Stealthwatch serves as the eyes and ears of the network, using a combination of behavioral modeling and machine learning to pinpoint anomalies that could signify risk. It even detects threats in encrypted traffic without the burden of IT teams having to do decryption. In addition to monitoring on-premises infrastructure and private clouds, Stealthwatch can monitor all public cloud environments including Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

Cisco Threat Response – Advanced recon and remediation

In the one year since we introduced our threat response platform, included for free with several of our security products, Cisco Threat Response (CTR) has become a foundation for fast, efficient incident investigation and response across the entire Cisco security architecture. It brings together threat intelligence from Cisco and third-party technologies, as well as Cisco Talos, via a single, intuitive console.

CTR reduces the need for security teams to shift between different interfaces and manually piece together data. If a threat is uncovered, it can be quickly remediated directly through CTR. The result is dramatically accelerated threat detection, investigation, and response.

This year, we unveiled a new browser plug-in for CTR to further simplify investigations. With the plug-in, if you are on a web site (such as the Talos blog) that includes information and observables on specific attacks, you can easily pull those observables into CTR to determine if the attack is present in your environment. It works with any web page that includes data on Indicators of Compromise (IOCs), allowing security analysts to quickly kick off the threat investigation process.
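What the plug-in does behind the scenes, pulling observables off a page, is worth seeing in code. Here is an added Python example, not Cisco’s plug-in, that strips HTML, refangs the usual hxxp and [.] defanging, and extracts URLs, domains, IPv4 addresses, e-mail addresses and MD5/SHA-1/SHA-256 hashes from a page fragment; the page text and every indicator in it are constructed for the example.

```python
"""Pull observables out of a web page.

Added example, not Cisco's browser plug-in. The page fragment and every
indicator in it are constructed for the example.
"""
import re
from html import unescape
from urllib.parse import urlparse

PAGE = """<html><body><h1>Campaign notes</h1>
<p>The maldoc contacts hxxp://update-check[.]example[.]net/gate.php and
hxxps://cdn.example-static[.]org/a.js, then beacons to 198[.]51[.]100[.]23
on port 443. A second stage was also seen at 203.0.113.77.</p>
<p>Payload SHA256:
<code>9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</code>,
dropper MD5 d41d8cd98f00b204e9800998ecf8427e. Questions: analyst@example.com.
The fix shipped in version 10.2.300.1 &amp; build 7.</p></body></html>"""

# Tokens that look like domains but are file names once the last label is checked.
FILE_EXTS = {"php", "exe", "dll", "js", "html", "htm", "txt", "py", "zip", "rar",
             "doc", "docx", "xls", "xlsx", "pdf", "ps1", "bat", "vbs", "jar", "bin"}

HASH_RES = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}\b", re.I)


def strip_html(html):
    """Drop tags and decode entities; good enough for report text."""
    return unescape(re.sub(r"<[^>]+>", " ", html))


def refang(text):
    """Undo the common defanging conventions: [.] (.) {.} hxxp hxxp[:]// [@]."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"hxxp(s?)(?:\[:\]|:)//", r"http\1://", text, flags=re.I)
    return re.sub(r"\[(@|:)\]", r"\1", text)


def valid_ipv4(s):
    """Reject dotted quads with an octet over 255 (version strings, build numbers)."""
    return all(0 <= int(o) <= 255 for o in s.split("."))


def extract_iocs(html):
    """Return {kind: sorted list} for url, domain, ipv4, email, md5, sha1, sha256."""
    text = refang(strip_html(html))
    found = {k: set() for k in ("url", "domain", "ipv4", "email", "md5", "sha1", "sha256")}
    for kind, rx in HASH_RES.items():
        found[kind].update(h.lower() for h in rx.findall(text))
    found["ipv4"].update(ip for ip in IPV4_RE.findall(text) if valid_ipv4(ip))
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)]")          # trailing prose punctuation is not part of the URL
        found["url"].add(url)
        host = urlparse(url).hostname
        if host and not IPV4_RE.fullmatch(host):
            found["domain"].add(host.lower())
    text = URL_RE.sub(" ", text)            # do not re-read URL hosts as bare domains
    found["email"].update(e.lower() for e in EMAIL_RE.findall(text))
    text = EMAIL_RE.sub(" ", text)          # nor e-mail domains
    for dom in DOMAIN_RE.findall(text):
        if dom.rsplit(".", 1)[1].lower() not in FILE_EXTS:
            found["domain"].add(dom.lower())
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(PAGE).items():
        for v in values:
            print(f"{kind:7} {v}")
```

The octet check drops “10.2.300.1” and the extension list drops “gate.php” and “a.js”, but a version string whose octets all fit in a byte still looks exactly like an IPv4 address, and a report’s own contact addresses come out alongside the attacker’s. Extraction gives you candidates to pivot on; an analyst still decides which of them are indicators before any of them are blocked.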

AMP for Endpoints – Speaking of recon and remediation…  

Some of you may already be familiar with our Advanced Malware Protection (AMP) technology. But did you know that it can be used to proactively hunt for the riskiest one percent of threats in your environment to improve both security posture and operations? AMP for Endpoints provides a holistic view of all end devices on your network, including IoT devices. It continuously monitors and records all files to quickly detect stealthy malware.

AMP provides valuable insight into how malware got in, where it’s been, what it’s doing, and how to stop it. This greatly simplifies investigations and shortens incident triage and mitigation time. Once a threat is uncovered, you can quickly block it within AMP using just a few clicks.

Through integrations with other prominent Cisco security technologies, this investigation and remediation can also be extended to other parts of the network beyond just endpoints. AMP can see a threat in one area of your environment and then automatically block it everywhere else it appears.

Integrated solutions for accelerated response

These are just a few of the ways Cisco is helping to speed and improve incident response. Th