Daily Archives: May 16, 2019

New infosec products of the week: May 17, 2019

Alcide launches continuous security and hygiene scanner for Kubernetes and Istio Alcide Advisor is a continuous security and hygiene scanner for Kubernetes & Istio, which automatically scans for the widest range of compliance, security and governance risks and vulnerabilities. Already deployed in numerous customer environments, and fully integrated with the CI/CD pipeline, it empowers engineering teams to maintain engineering motion and identify security drifts and risks, even before they are introduced to production. Keysight Technologies … More

The post New infosec products of the week: May 17, 2019 appeared first on Help Net Security.

How can we give cybersecurity analysts a helping hand?

It’s tough being a cybersecurity analyst these days. Over the last few years we have been repeatedly reminded of the challenge they are now facing, primarily through the steady stream of high-profile data breaches that have hit the headlines. In the last month alone Microsoft has been in the news after suffering a breach that enabled hackers to access customer email accounts, while a breach at beleaguered social giant Facebook was believed to have left … More

The post How can we give cybersecurity analysts a helping hand? appeared first on Help Net Security.

Stack Overflow’s Production Systems Accessed by Hackers

In a brief announcement yesterday, Stack Overflow reports that it was the target of an attack that led hackers to access its production systems.

The website is currently online and the few public details provided in a short message indicate that a survey revealed that a “level of production access was obtained on May 11”.

User data are safe

It is not clear how the intruders were able to access the internal Stack Overflow network, but the actions taken as a result of the violation includes the patching all known vulnerabilities. The incident was discovered internally and the initial assessment is that no customer or user data has been affected.

“Our customers’ and users’ security is of the utmost importance to us. After we conclude our investigation cycle, we will provide more information,” says Mary Ferguson, VP of Engineering at Stack Overflow.

Stack Overflow was launched in 2008 as a website for questions and answers about programming themes. As part of the Stack Exchange Network, it is a community of more than 10 million as on January 2019.

Stack Overflow is available in several languages (English, Spanish, Russian, Portuguese and Japanese). According to the website, more than 50 million visitors access it every month, looking for ways to solve their problems, develop their skills or find work.

The platform is considered as a reliable source for an overview of accurate trends in the developer community, as well as pay package information based on experience, location, training, and technology.

Source: https://www.zdnet.com/article/stack-overflow-says-hackers-breached-production-systems/


Related Resources:

Hackers Steal Around $41 Million in Bitcoin from Binance

Yet Another WordPress Hack Exploiting Plugin Vulnerabilities

The post Stack Overflow’s Production Systems Accessed by Hackers appeared first on .

Memory analysis is the ground truth

In recent years, enterprises have adopted next-gen endpoint protection products that are doing an admirable job detecting anomalies. For example, searching for patterns such as remote access to memory, modification of specific registry keys and alerting on other suspicious activities. However, typically anomalies only provide us with an indication that something is wrong. In order to understand the root problem, respond and ensure that a machine is entirely clean, we must search for the malicious … More

The post Memory analysis is the ground truth appeared first on Help Net Security.

The largest breaches over the past three years have caused massive and irreparable damage

Publicly traded companies suffering the worst data breaches averaged a 7.5 percent decrease in stock price, a Bitglass report reveals. Bitglass researched the three largest data breaches of publicly traded companies from each of the last three years in order to uncover cybersecurity trends and demonstrate the extensive damage that can be done by improper security. Among the incidents detailed in the Kings of the Monster Breaches report are the Marriott breach of 2018, the … More

The post The largest breaches over the past three years have caused massive and irreparable damage appeared first on Help Net Security.

Half of companies missed GDPR deadline, 70% admit systems won’t scale

Even if given two years notice to achieve GDPR compliance, only half of companies self-reported as compliant by May 25, 2018, a DataGrail survey reveals. “The Age of Privacy: The Cost of Continuous Compliance” report benchmarks the operational impact of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as sharing insights into lessons learned and attitudes toward privacy regulations. DataGrail surveyed more than 300 U.S. privacy management … More

The post Half of companies missed GDPR deadline, 70% admit systems won’t scale appeared first on Help Net Security.

Analysis of device data shines a light on cybersecurity risks in healthcare

The convergence of IT, IoT and OT makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks. IoT and OT devices are rapidly increasing in numbers, but traditional IT still represents the most vulnerable attack surface, according to the Forescout Technologies report. Forescout Technologies announced insights from 75 real healthcare deployments with more than 10,000 virtual local area networks (VLANs) and 1.5 million devices contained within the … More

The post Analysis of device data shines a light on cybersecurity risks in healthcare appeared first on Help Net Security.

Data will be processed by edge computing in 59% of IoT deployments by 2025

Edge computing is on the rise in IoT deployments and is expected to show solid growth over the coming years, according to Strategy Analytics most recent report. Strategy Analytics believes that data will be processed (in some form) by edge computing in 59% of IoT deployments by 2025. The driving forces in this assumption are the key benefits derived from edge computing, namely more efficient use of the network, security and response time. Currently, Strategy … More

The post Data will be processed by edge computing in 59% of IoT deployments by 2025 appeared first on Help Net Security.

Entrust Datacard unveils new cloud-based solution hosted in a PCI-CP-certified data center

Entrust Datacard launched of a new cloud-based solution that enables banks to instantly personalize and activate customer payment cards. Whether buying coffee or shopping online, consumers expect instant service and fast delivery. Getting a new debit or credit card, or replacing a lost or stolen card is no different. Secure instant issuance allows banks to issue customers a permanent, personalized payment card on demand. They have access to their card, funds and services, in just … More

The post Entrust Datacard unveils new cloud-based solution hosted in a PCI-CP-certified data center appeared first on Help Net Security.

ASG-Enterprise Orchestrator enhancements to enable end-to-end value stream control

ASG Technologies, a trusted provider of proven solutions for information access, management and control for the world’s top enterprises, unveiled ASG-Enterprise Orchestrator, which delivers cross-technology stack orchestration of critical enterprise value streams. Spanning capabilities from mainframe to cloud, ASG-Enterprise Orchestrator offers workload automation, value stream visibility and DevOps tool-chain coordination required to optimize value streams. It delivers control from a single view and choreographs work across a broad spectrum of technology stacks and software packages. … More

The post ASG-Enterprise Orchestrator enhancements to enable end-to-end value stream control appeared first on Help Net Security.

Tata Communications and Cisco to offer enterprises a secure multi-cloud native hybrid network

The leading global digital infrastructure provider Tata Communications and Cisco have extended their partnership to enable enterprises to transform their legacy network to a customised and secure multi-cloud native hybrid network. The combination of Tata Communications’ IZO cloud enablement platform and Cisco SD-WAN is a fully-managed, global solution that gives businesses greater control over their digital infrastructure, the ability to securely connect any user to any application location, and provide the assurance of application performance … More

The post Tata Communications and Cisco to offer enterprises a secure multi-cloud native hybrid network appeared first on Help Net Security.

Laptop Running Six Most Dangerous Malware up for Auction

This is news! A laptop containing six of the most dangerous of malware created till date is up for auction.

A Samsung NC10-14GB 10.2-Inch Blue Netbook, which contains six such malware strains which together have caused damages worth $95B over the years, has been put up for auction. This laptop has in fact been isolated and airgapped so as to prevent the spread of the malware that it contains. (Well, we know that if you are an expert, you might be cynical about the effectiveness of airgapping; but technically speaking, it’s supposed to help curb the spread of malware!).

It’s illegal to sell malware for operational purposes in the U.S. The seller of the malware-packed laptop, as per reports, has devised a way to get around this issue by calling it art. This laptop, which runs on Windows XP SP3, is now called ‘The Persistence of Chaos’.

A Forbes report dated May 15, 2019, says, “The singular laptop is an air-gapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008) running Windows XP SP3 and loaded with the malware and restart script. It also comes with a power cord, just in case the 11-year-old battery isn’t still holding a viable charge.” The report further adds, “It’s currently sitting on a white cube in a room somewhere in New York City and is being sold under the guise of art as “The Persistence of Chaos”. It’s certainly subversive and skirts the legalities of selling malware (it’s illegal to sell for operational purposes), but hey, anarchy is entertaining.”

The infected laptop is a creation of performance artist Guo O Dong in collaboration with cybersecurity company Deep Instinct. Curtis Silver, who has authored the Forbes report, has quoted Guo O Dong as telling him via email, “I created The Persistence of Chaos because I wanted to see how the world responds to and values the impact of malware.”

The six strains of malware that the laptop contains are

WannaCry – The ransomware that spread all across the world and made a devastating impact on over 200,000 computers across over 150 countries.

Mydoom – The fastest-spreading email worm till date, Mydoom was first seen in January 2004 and worked mainly by sending junk email through infected computers and at the same time appearing as a transmission error.

Sobig – First detected to be infecting computer systems in August 2003, this malware, which is a worm and a trojan, is the second fastest spreading worm as of 2018. It deactivated itself in September 2003.

BlackEnergy – The malware that was first seen in 2007 and then worked by generating bots for executing DDoS attacks that were distributed via email spam. At a later stage of evolution, it would drop an infected DLL component directly to the local application data folder.

ILOVEYOU – This malware, which spread through an email attachment ‘LOVE-LETTER-FOR-YOU.txt.vbs’, was sent from an infected person to people in his contact list. Once the attachment gets opened, a script is started that would overwrite random types of files- Office files, audio files, image files, etc. Seen since May 2000.

DarkTequila – This malware, which has been active since 2013 and seen impacting systems in Latin America, spreads through spear phishing and infected USB drives. Hackers use DarkTequila to steal corporate data, bank credentials, and personal data as well.

Curtis Silver observes in his Forbes report, “On a base level the goal if we believe light grey text on a white background, is to sell this malware infused laptop under the blanket of art for academic purposes. On a deeper level, it’s a statement of social anarchy, of controlled chaos and an exposé of how fragile our machine-connected lives really are.”

This is a very relevant observation because news relating to this laptop (if it has all the malware that it claims to have), is in all respects, a worrying thing.

Also, Read:

Wolters Kluwer Cloud Accounting & Tax System Down To Malware Attack

The Fileless Malware Attacks Are Here To Stay

Japanese Government to Deploy Defensive Malware

Kodi Hardware Add-on Users, Mostly At Risk With Malware

BabyShark Malware Targeting Nuclear and Cryptocurrency Industries

The post Laptop Running Six Most Dangerous Malware up for Auction appeared first on .

Onapsis appoints Gerhard Eschelbeck to board of directors

Onapsis, the global leader in business application cyber resilience, announced the appointment of former Google Vice President Security & Privacy Engineering (CISO) Gerhard Eschelbeck to the company’s board of directors. Eschelbeck brings strong experience in transforming traditional security solutions and delivering them through the cloud, which will help Onapsis guide customers to the cloud with confidence. A proven information technology executive with strong operational and strategic experience, Eschelbeck has launched innovative and successful companies and … More

The post Onapsis appoints Gerhard Eschelbeck to board of directors appeared first on Help Net Security.

Feds Target $100M ‘GozNym’ Cybercrime Network

Law enforcement agencies in the United States and Europe today unsealed charges against 11 alleged members of the GozNym malware network, an international cybercriminal syndicate suspected of stealing $100 million from more than 41,000 victims with the help of a stealthy banking trojan by the same name.

The locations of alleged GozNym cybercrime group members. Source: DOJ

The indictments unsealed in a Pennsylvania court this week stem from a slew of cyber heists carried out between October 2015 and December 2016. They’re also related to the 2016 arrest of Krasimir Nikolov, a 47-year-old Bulgarian man who was extradited to the United States to face charges for allegedly cashing out bank accounts that were compromised by the GozNym malware.

Prosecutors say Nikolov, a.k.a. “pablopicasso,” “salvadordali,” and “karlo,” was key player in the GozNym crime group who used stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal their money through electronic funds transfers into bank accounts controlled by fellow conspirators.

According to the indictment, the GozNym network exemplified the concept of ‘cybercrime as a service,’ in that the defendants advertised their specialized technical skills and services on underground, Russian-language, online criminal forums. The malware was dubbed GozNym because it combines the stealth of a previous malware strain called Nymaim with the capabilities of the powerful Gozi banking trojan.

The feds say the ringleader of the group was Alexander Konovolov, 35, of Tbilisi, Georgia, who controlled more than 41,000 victim computers infected with GozNym and recruited various other members of the cybercrime team.

Vladimir Gorin, a.k.a “Voland,”  “mrv,” and “riddler,” of Orenburg, Russia allegedly was a malware developer who oversaw the creation, development, management, and leasing of GozNym.

The indictment alleges 32-year-old Eduard Malancini, a.k.a. “JekaProf” and “procryptgroup” from Moldova, specialized in “crypting” or obfuscating the GozNym malware to evade detection by antivirus software.

Four other men named in the indictment were accused of recruiting and managing “money mules,” willing or unwitting people who can be used to receive stolen funds on behalf of the criminal syndicate. One of those alleged mule managers — Farkhad Rauf Ogly Manokhim (a.k.a. “frusa”) of Volograd, Russia was arrested in 2017 in Sri Lanka on an international warrant from the United States, but escaped and fled back to Russia while on bail awaiting extradition.

Also charged was 28-year-old Muscovite Konstantin Volchkov, a.k.a. “elvi,”  who allegedly provided the spamming service used to disseminate malicious links that tried to foist GozNym on recipients who clicked.

The malicious links referenced in those spam emails were served via the Avalanche bulletproof hosting service, a distributed, cloud-hosting network that for seven years was rented out to hundreds of fraudsters for use in launching malware and phishing attacks. Avalanche was dismantled in Dec. 2016 by a similar international law enforcement action.

The alleged administrator of the Avalanche bulletproof network — 36-year-old Gennady Kapkanov from Poltova, Ukraine — has eluded justice in prior scrapes with the law: During the Avalanche takedown in Dec. 2016, Kapkanov fired an assault rifle at Ukrainian police who were trying to raid his apartment.

After that incident, Ukrainian police arrested Kapkanov and booked him on cybercrime charges. But a judge later ordered him to be released, saying the prosecution had failed to file the proper charges. The Justice Department says Kapkanov is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.

The five Russian nationals charged in the case remain at large. The FBI has released a “wanted” poster with photos and more details about them. The Justice Department says it is working with authorities in Georgia, Ukraine and Moldova to build prosecutions against the defendants in those countries.

Nikolov entered a guilty plea in federal court in Pittsburgh on charges relating to his participation in the GozNym conspiracy on April 10, 2019.  He is scheduled to be sentenced on Aug. 30, 2019.

It’s good to see this crime network being torn apart, even if many of its key members have yet to be apprehended. These guys caused painful losses for many companies — mostly small businesses — that got infected with their malware. Their activities and structure are remarkably similar to that of the “Jabberzeus” crime gang in Ukraine that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses several years ago.

The financial losses brought about by that gang’s string of cyberheists — or at least the few dozen heists documented in my series Target: Small Business — often caused victim companies to lay off employees, and in some cases go out of business entirely.

A copy of the GozNym indictment is here (PDF).

Past, present, and future of the Dark Web

Which is the difference between the Deep Web and Dark Web? Considerations about past, present, and future of the Dark Web.

These are intense days for the Dark Web. Operations conducted by law enforcement agencies lad to the arrests of many individuals and the closure of the most popular Black Marketplaces, many of which remained alive over the years.

Operators behind the principal black markets made a lot of money, let’s think of managers of the Wall Street Market and Valhalla recently seized by feds. These are historic points of aggregations where it was possible to buy drugs, weapons, and any kind of hacking tools.

The icing on the cake was a US research that decreed how the size of the Dark Web was significantly lower than previously thought. This isn’t a novelty for the experts that are studying dark web and its evolution.

Unfortunately there is too much confusion between the term deep web and dark web, many videos on YouTube channels provide wrong information. Misinterpretation, superficiality, some times simple profits, these are the root cause of the confusion. This misinformation is extremely dangerous for kids, first consumers of videos published on the principal social media platform. Some videos show that is very simple to buy drugs securely or explain how to hack a website. Describing these phenomena, some journalists have been labeled “as experts on the dark web”.

The Dark Web is just a portion of the Deep Web, its access is quite simple and doesn’t require any specific technological skill. It is very easy to access to the Tor network or browse content on other anonymizing networks like I2P.

I started this research on September 2016, when I started writing my my book, “The Prison of the Humanity – from the deep web to 4.0 the new digital prisons”.


Dark Web 1

An Iceberg has always been used as a visual representation of the Internet world. The visible peak, which represents the smallest part of the iceberg, that many have mistakenly associated with the clear web: is the part reachable by search engines.

Even a child could easily wonder: how can billions of sites visible to internet users represent 5% of the internet itself?

Exactly, how?

The Deep Web is composed of the content of the www that is not indexed by search engines. Try to imagine the site of a Provider that offers voice or connectivity services to millions of people, families and companies. Its files are not indexable by search engines. Try to think of a banking site with millions of account holders who keep the history of transactions, deposits, investments for years and years, without obviously being accessible to the entire web population.

Let’s also include all information by the IOT devices that are connected online by that that cannot be accessed for obvious reasons.

Well, not you can have an idea about the dimension of the deep web.


What is the Dark Web? It is a non-indexed subset of the Deep Web. Accessible through TOR and other software, it has a size that is incalculable if we use imagination. In fact, there could be many .onion sites, an extension of the domains inside the TOR network, which are not indicated by the Hidden Wiki, a sort of Wikipedia of onion Links. Furthermore, each website can have sublevels that could reach infinity.

But here we talk about legends. We go into the merits of my research which is based on the facts and experience of three years of journalistic navigation in the Dark Web where not only do you have browsed dozens of Directories, but you have visited at least 100,000 sites.

My search is based on 100,000 sites that I have personally visited and that can be easily classified into very few categories that I will explain to you with brief descriptions:


The spirit of the Dark Web includes precisely the freedom of expression with portals that give “uncomfortable” or “alternative” news in countries where there is censorship. There are many sites in multiple languages ​​that refer to ideological and collective movements, due to the greater number of Anarchist derivations, but there are also movements that promote the defense of online privacy. So there is so much counter-information and the most obvious example that I always carry forward is the version of the Bible translated into the languages ​​of the countries where it is strictly prohibited.

Black Markets:

They are the heart of the Dark Web in economic terms, needless to say that it is impossible to count them verify their reliability, but they are certainly the points of aggregation for several million users and unscrupulous sellers that offer drugs, weapons, medicines requiring medical prescription, bank credential and personal data of unsuspecting users, steroids and hacking guides.

Empty or non-functional web pages:

Empty pages, typical errors displaying code 404 that feed the list of the .onion domains in the directories.


There are many sites that promise the same services as Black Markets, including hitman services, hacking services, money laundering services… but they are only services operated by scammers.

Directories – Search Engines

There are many directories that offer the same links, Hidden Wiki services that offer a guide to the principal links in the Dark Web, but it is clear that the hidden Wiki is one and the original not only reports the links to the sites but also provides an “obscure and forbidden” encyclopedia service similar to the best known Wikipedia. The presence of search engines that are similar to Google are also frequent, but they do not always find the result that they hope for.

Child pornography-pornography-violence on animals-GORE

There are many pornographic sites on the clear web, but pornography in the dark web takes on gruesome tones. Violence, child abuse, snuff movies and extreme sex are very common. The sites that belong to these categories are divided into different types: chat rooms, traditional websites or service containers. The chats are usually open and there is a remarkable exchange of multimedia files for free. Then there are the forums that need registration, they offer audio/video content or images, and also provide suggestions on how to kill people or how to eat them in ritual cannibalism. Furthermore, there are many child pornography sites on the dark web that point to the largest online sharing platforms, such as Satoshi box or Megaupload, where it is possible to pay to download packages of illegal content.

Websites – Forums

They are normal websites that deal with different topics, including forums that represent meeting points for users that discuss legal and non-legal issues. There are many blogs that for the greater part deal with issues of cybersecurity and the rights of the digital population in terms of consumer protection and privacy.


Consider sites belonging to the above categories, in many cases they are traps set up by the law enforcement agencies to attempt to identify criminals. The dark web is full of honeypots.


Let’s conclude with some statistic on the composition of the Dark Web:

  • Not Working: 45%
  • Scam: 44%
  • Websites – Forums: 6%
  • Child pornography – Gore: 4%
  • Directories – search engines: 0.5%
  • Information: 0.3%
  • Black Markets: 0.2%

At this time, it is not possible to determine the exact number of Black Markets, anyway, it is really limited. Terrorism is an irrelevant phenomenon in terms of propaganda. It is also impossible to determine the diffusion of honeypots.

The real question is not how big is the Dark Web, but what will happen after the operations conducted law enforcement?

Who will be its users? Will Black Markets still exist?

Or is the Dark Web itself a honeypot for criminals, anarchists, terrorists and. pedophiles?

These doubts are legitimate, given that the military origins of the most popular anonymizing network.

About the Author: Livio Varriale

Pierluigi Paganini

(SecurityAffairs – Dark Web, crime)

The post Past, present, and future of the Dark Web appeared first on Security Affairs.

Google ‘0Day In the Wild’ project tracks zero-days exploited in the Wild

White hat hackers at Google Project Zero are tracking cyber attacks exploiting zero-days before the vendor released security fixes.

Experts at Google Project Zero are tracking cyber attacks exploiting zero-days as part of a project named 0Day ‘In the Wild.’

“Today, we’re sharing our tracking spreadsheet for publicly known cases of detected zero-day exploits, in the hope that this can be a useful community resource:

Spreadsheet link: 0day “In the Wild”

This data is collected from a range of public sources. We include relevant links to third-party analysis and attribution, but we do this only for your information;” reads the blog post published by Google Project Zero.

The experts are monitoring the zero-day vulnerabilities exploited by hackers before they became publicly disclosed or known to the vendor.


The project aims at tracking zero-days exploited in attacks covered by Project Zero researches.

The researchers collected the information in a shared spreadsheet that already includes over 100 vulnerabilities exploited in attacks since 2014.

The table includes the following information:

  • CVE ID;
  • Impacted Vendor and Product;
  • Description;
  • Discovery Date;
  • Date when the patch was released;
  • A link to the security advisory;
  • Claimed Attribution;

The list of vulnerabilities include zero-days affecting products from major vendors, including Adobe, Apple, Cisco, Facebook, Google, Microsoft, and Oracle.

The attacks tracked by the experts were carried out my popular threat actors, including APT3, APT28, APT31, APT37, DarkHotel, Equation Group, and Sandworm.

The project doesn’t cover zero-day exploits for software that reached end of life (EOL) by the time the flaw is discovered.

“The data described in the spreadsheet is nothing new, but we think that collecting it together in one place is useful.” concludes Google Project Zero.

Aggregating the data it is possible to extract useful information such as:

  • On average, a new “in the wild” exploit is discovered every 17 days (but in practice these often clump together in exploit chains that are all discovered on the same date);
  • Across all vendors, it takes 15 days on average to patch a vulnerability that is being used in active attacks;
  • A detailed technical analysis on the root-cause of the vulnerability is published for 86% of listed CVEs;
  • Memory corruption issues are the root-cause of 68% of listed CVEs

Pierluigi Paganini

(SecurityAffairs – zero-days, Google)

The post Google ‘0Day In the Wild’ project tracks zero-days exploited in the Wild appeared first on Security Affairs.

Profile of a Hacker: BiaSciLabs

Over the last twelve months our team has ramped up the number of public CMD+CTRL Cyber Range events we deliver at conferences, OWASP meetings, and Meetups. The feedback we have received has been great - people love learning how to hack in simulated, free form environments. In some cases the feedback we receive is so good that we need to share it with others in the form of profiles like Brandon Evans and Andre Gott.

More Attacks against Computer Automatic Update Systems

Last month, Kaspersky discovered that Asus's live update system was infected with malware, an operation it called Operation Shadowhammer. Now we learn that six other companies were targeted in the same operation.

As we mentioned before, ASUS was not the only company used by the attackers. Studying this case, our experts found other samples that used similar algorithms. As in the ASUS case, the samples were using digitally signed binaries from three other Asian vendors:

  • Electronics Extreme, authors of the zombie survival game called Infestation: Survivor Stories,
  • Innovative Extremist, a company that provides Web and IT infrastructure services but also used to work in game development,
  • Zepetto, the South Korean company that developed the video game Point Blank.

According to our researchers, the attackers either had access to the source code of the victims' projects or they injected malware at the time of project compilation, meaning they were in the networks of those companies. And this reminds us of an attack that we reported on a year ago: the CCleaner incident.

Also, our experts identified three additional victims: another video gaming company, a conglomerate holding company and a pharmaceutical company, all in South Korea. For now we cannot share additional details about those victims, because we are in the process of notifying them about the attack.

Me on supply chain security.

Critical Vulnerabilities in Cisco Products

Critical Vulnerabilities in Cisco Products

A high-risk vulnerability in Cisco's secure boot process was disclosed earlier this week by Cisco and Red Balloon Security and is believed to have affected an estimate 100 or more devices.

The vulnerability (CVE-2019-1649) is “in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality,” Cisco reported.

Additionally, Cisco reported that another vulnerability (CVE-2019-1862) in the “web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.”

The vulnerability, called Thrangrycat, affects millions of Cisco devices (including routers, switches and firewalls) and exposes a large number of corporate and government networks to remote attacks, according to Red Balloon Security.

Cisco also noted in regard to the Secure Boot vulnerability that it will release software patches, but there are no workarounds to address the issue.

An attacker could exploit this to gain full and permanent access to those networks. It also can't be fixed with a software patch, so it will be difficult for affected organizations to fully mitigate the threats this poses, according to Red Balloon Security.

“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red Balloon Security, in a press release. 

“We're talking about tens of millions of devices potentially affected by this vulnerability, many of them located inside of sensitive networks. These Cisco products form the backbone of secure communications for these organizations, and yet we can exploit them to permanently own their networks. Fixing this problem isn't easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system. A firmware patch will help to offset the risks, but it won't completely eliminate them. This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem.”

Forbes Site Up, Then Down Again after Magecart Attack

Forbes Site Up, Then Down Again after Magecart Attack

Forbes was reportedly back online but went down again at 3:30 pm UTC after reports that the site was hit with the Magecart card-skimming malware, according to security researcher Troy Mursch.

Mursch tweeted on May 15 that Forbes had been infected with the Magecart malware, adding that customers who made a purchase while the site was compromised likely had their credit card information stolen. In a later tweet, Mursch confirmed that the malware had been removed.

Hackers apparently injected obfuscated JavaScript, which could be linked to the ongoing supply chain attacks that have been reported by Willem DeGroot this week. Forbes is, according to The Register, a customer of Picreel, which has been the victim of a supply chain attack.

Mursch reportedly sent several emails in an attempt to alert Forbes to the Magecart infection and reported the problem to the domain owner, yet he has not heard back from Forbes, The Register said.

“Threat actors have used several methods of attacking websites. There’s a trend, though, towards attacking the payment page supply chain, which offers the most bang for their buck because third parties offer direct links to a larger number of customers, including high-profile companies that would otherwise be harder to compromise,” said Mike Bittner, associate director of digital security and operations, The Media Trust.

“These pages are soft targets for several reasons. They run third-party code supplied by vendors who operate on very tight – sometimes negative – profit margins and must scrutinize every expense. Such businesses too often fail to give security and privacy the priority they require. Second, third-party code executes outside the website owner’s infrastructure, making them hard, if not impossible, to monitor without the right tools and expertise. Third, in many publications, these payment pages do not fall under the website operators’ rev ops teams, who make pivotal decisions on security and privacy.

“The bottom line here is that publishers should carefully vet ALL their third parties for security and privacy and conduct frequent audits to ensure they have adequate security measures in place. Because every one of their third parties is likely not only vulnerable but under attack.”

Supply Chain Attack Hits Best of the Web Website

Supply Chain Attack Hits Best of the Web Website

The website Best of the Web, whose purpose is to assure site visitors that their user data is safe and that the websites it lists value visitor privacy, has been hacked, according to security researcher Willem de Groot. The site is a directory of websites that receive a trust seal so visitors will know they are real businesses, but the site itself was injected with an information stealing malware.  

On May 13, the researcher tweeted that the Best of the Web seal was injected with two keyloggers and that more than 100 websites were still linked to the compromised seal.

Attackers reportedly injected obfuscated JavaScript code, and according to his latest tweet, DeGroot confirmed that the attackers used open S3 buckets to inject form jackers. DeGroot has identified several supply chain attacks that have impacted multiple companies (complete list at PublicWWW), including Picreel, historydaily.org, groupon.com.ar, groupon.cl, trome.pe and tributes.com

Best of the Web confirmed that it had been compromised, stating, "Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.”

“In this latest supply chain attack, hackers went after the weakest link with the most impact to affect the greatest number of websites,” said Matan Or-El, CEO of Panorays. “It’s certainly ironic to hack a trust seal, and the message is clear: you cannot trust anything. This cyber incident underscores the importance of assessing the security of all third parties and continuously monitoring them, since their status can quickly change, as was the case here where the code was maliciously modified.”

7 Steps to Strengthen Your Cybersecurity Program Today

Managing a security program in today’s ever-changing cyber threat landscape is no small feat. Many administrators struggle with knowing where to even start. Cybersecurity programs must be continually evaluated and should evolve as cyber threats and company risk changes; however, these steps can guide you in the right direction to begin strengthening your security program today.

 1.  Assess your current security program.

The best way to assess a security program is to first choose a framework best for your company. A good framework to follow is the NIST Cybersecurity Framework, which is a comprehensive guide to baseline security requirements and controls any company can implement to strengthen a security program. For companies of all sizes, implementing a security control or practice must be evaluated from a business standpoint to determine if the benefit to the business outweighs the cost of the security control. Following a framework for this evaluation will help you prioritize cybersecurity initiatives and give your company a clear roadmap for the way you want to develop a cybersecurity program.

2.  Identify what data you have and where it lives.

Data cannot be protected if the custodians don’t know it exists, or where it exists. Identification of the data stored, created, or controlled by a company is crucial to understanding your cybersecurity and data protection priorities. Further, identifying whether sensitive data is stored in cloud services, on hard drives, or in file servers can drastically change the strategy needed in order to protect that data. Even Data Loss Prevention (DLP) tools are less effective if the tool is not looking in the right locations to determine whether data is being accessed or is leaving the protected network in some way. Identifying data locations can also help you to ensure your proprietary or confidential data is moved from less secure locations, such as private cloud storage accounts, to secure, company-controlled environments like an enterprise cloud account.

3.  Implement and enforce policies to combat insider threat.

Policies and procedure are essential to combat the human element of cybersecurity. Employees often do not understand what they can and cannot do with a company’s documents, hardware, and system access if there are no policies in place to guide them. Insider threat isn’t necessarily a nefarious actor out to steal company data; it often presents itself in examples such as a well-meaning employee who shares a document with a partner in an insecure way – exposing the data to unauthorized access.

4.  Implement a security awareness training program.

Continuing with the theme of well-meaning employees, phishing attacks are the cause of data breaches in 98% of the cases reported (Verizon DBIR). Anti-phishing measures can only go so far to detect phishing attacks, so it’s up to the employee to know how to recognize a phishing email, and to know what to do with that email. Security awareness training can teach an employee to recognize the signs of phishing emails and may prevent the employees and the company from falling victim to a phishing attack.

5.  Talk to your IT team for multi-factor authentication and anti-phishing measures.

Multi-factor authentication (MFA) is one of the best security controls you can implement to prevent unauthorized access to company systems.  Simply put, MFA works by adding not only something the user knows (i.e. a password) but also something the user has (i.e. a texted code to a cell phone, or better yet, a hardware key an employee has to interact with) to system access. Many instances of unauthorized system access could have been thwarted by a company’s use of MFA on their critical systems. In addition, as mentioned above, phishing attacks are responsible for a large majority of data breaches and anti-phishing measures should be taken to protect corporate email systems.

6.  Implement a third party vendor risk management program.

Many companies work with third party vendors and service providers and in some cases, these providers need access into corporate infrastructure and IT systems.  You can invest millions or even billions into your cybersecurity program, but it can be for nothing if a trusted service provider becomes compromised. As is the case in many high profile breaches, it was the service provider who suffered the breach, in turn causing their partners to suffer the same fate.  Implement a third party risk management program in which new and existing service providers must show proof of their internal security program practices and controls, before allowing them access into a corporate system.

7.  Implement onboarding and offboarding policies that integrate HR and IT.

When onboarding a new employee, a policy needs to be in place that allows for your HR and IT departments to work together to determine what information the new hire needs access to in order to do their job.  Equally important, you must also have a policy in place for offboarding.  Without proper offboarding policies, former employees or contractors may still be able to access certain IT systems well after the they’ve left the organization. Cases where former contractors or employees retained access to a company’s IT systems for months or even years after that access should have been revoked are not uncommon. And in many cases, an employee leaves a company involuntarily, and decides to use their company access to destroy documents, steal company intellectual property, and can be as destructive as deleting entire servers and infrastructure, leaving the company to pick up the pieces. Access to systems should be approved by HR (to prevent extra accounts and backdoors from being created without company knowledge), and departed employees should be immediately deprovisioned from all systems.

Implementing any cybersecurity controls or program initiatives requires a company culture shift and executive buy-in. However, organizations of any size simply cannot afford to ignore security, nor can they wait for a breach to occur before security is taken seriously. The steps outlined in this post will be an excellent start to a strong security program and will help you gain traction for future program changes and improvements.

Download the Checklist to Share.

The post 7 Steps to Strengthen Your Cybersecurity Program Today appeared first on GRA Quantum.

Ovum recommends Microsoft security to safeguard your hybrid and multi cloud environments

According to a new Ovum report, “[Azure Sentinel]…positions [Microsoft] to be a force for change in a security information and events management (SIEM) market that is ripe for disruption at the moment.” As enterprises migrate to the cloud, they’re increasingly operating on-premises and cloud environments spread across multiple cloud providers. These complex environments and multiple security products can make it challenging for security professionals to make correlations across their entire infrastructure and separate the signal from the noise.

The report, titled Microsoft’s Expanded Horizons in Security, written by Rik Turner and published in April 2019, evaluated Azure Sentinel among other new Microsoft services and determined that hybrid cloud customers who use Azure as one of their cloud providers should consider Microsoft for security across hybrid and multi cloud environments.

It has been noted by Ovum that in the last few years new services and capabilities have been introduced that support operating systems and platforms beyond Windows. The report identified the following reasons that Microsoft security products are appropriate, if you need to secure non-Microsoft products as well as Azure:

  • Password-less authentication and conditional access.
  • Microsoft Threat Protection secures identities, endpoints, user data, cloud apps, and infrastructure.
  • Microsoft Information Protection services extend to cloud apps with Microsoft Cloud App Security.
  • Azure Sentinel may disrupt the security management marketplace.

Azure for password-less authentication and conditional access

Active Directory and Azure Active Directory (Azure AD) are market leaders for on-premises and cloud-based directories that many enterprises already use. In addition to provisioning and deprovisioning, security capabilities such as modern authentication and conditional access make Azure AD a compelling choice for identity access management (IAM).

In recent years, Microsoft has introduced many capabilities to support modern authentication. Multi-Factor Authentication (MFA) or 2nd-Factor Authentication (2FA) allows you to enforce a secondary authentication method, so you don’t rely on passwords alone. Azure AD supports password-less authentication, such as biometrics and FIDO-2 compliant keys, and the Microsoft Authenticator mobile app, which generates a one-time passcode or push notification, can serve as a secondary authentication method.

Azure AD conditional access gives administrators additional control over who can access company resources both on the first access attempt and throughout the user session. Conditional access works by evaluating the circumstances of the authentication request—such as the device used, the location of the request, the user, or the network—to assign a risk score and then automatically apply pre-defined access polices.

For example, if a user attempts to access sensitive data from an unsecure network, Azure AD can block the request. If a user has been deemed likely compromised, Azure AD can require a password reset before allowing access.

Azure AD security policies aren’t just for Microsoft products. Integration with Microsoft Cloud App Security, a cloud access security broker (CASB) lets you extend authentication policies to all your cloud apps including non-Microsoft applications.

Microsoft Threat Protection secures identities, endpoints, user data, cloud apps, and infrastructure

Recent acquisitions and the Microsoft Intelligent Security Graph give Microsoft the data and technology to provide protection across identities, endpoints, emails, messages, documents, cloud applications, and infrastructure. The Intelligent Security Graph gathers threat information from Microsoft products deployed around the world, security partners, and Microsoft’s own security team. To make sense of trillions of signals, machine learning and artificial intelligence (AI) algorithms analyze the data to find correlations and patterns. The Microsoft Threat Protection suite of products uses analysis from the Microsoft Intelligence Security Graph to learn what is normal user behavior, so that it can detect and alert or block anomalous behavior.

Microsoft Information Protection services extend to cloud apps with Microsoft Cloud App Security

Microsoft Information Protection helps secure data at-rest in file repositories, cloud storage services, and on users’ devices. It protects data in motion as it moves or travels to different locations. The service accomplishes this with four steps: detection, classification, protection, and monitoring. Microsoft Information Protection is able to detect sensitive data across on-premises and cloud repositories. Once the data is detected, Microsoft Information Protection classifies and labels it based on a pre-defined taxonomy that identifies how sensitive the data is, such as “Highly Confidential” or “Non Business.” Protection is applied based on the classification and can include actions such as file encryption. You can set policies to prevent copy and save functions, among other protections. Monitoring capabilities allow administrators to track the document as it moves inside and outside of your organization.

Microsoft Cloud App Security integrates with Microsoft Information Protection to extend the discovery, classification, protection, and monitoring capabilities to cloud apps. Administrators can even quarantine a file or limit sharing after it has moved to non-Microsoft cloud services.

Azure Sentinel may disrupt the security management marketplace

Ovum’s report identifies opportunities to offer better products in security management, especially SIEM platforms and products. SEIMs aggregate log files into one repository, so security teams can analyze the data and remediate detected threats. As the amount of data has increased, the need to augment the SIEMs with more robust analytics capabilities has exploded. SIEMs charge a lot to store log files, and customers are overwhelmed by the number of alerts, many of them false positives generated by their SIEM platforms.

Azure Sentinel can save time, reduce costs, and reduce alert fatigue by using AI and machine learning models to sift through the noise and more accurately identify real threats. Azure Sentinel currently aggregates data from Office 365 apps and data from security partners. In pilot tests, it reduced alert fatigue by as much as 90 percent.

Microsoft’s other security management offerings can help customers manage security across a diverse cloud ecosystem. Azure Security Manager helps customers stay compliant with regulations, identifies security vulnerabilities, and detects and blocks threats. Later this year, these capabilities will be extended to Amazon Web Services (AWS) and eventually Google Cloud Provider (GCP).

Learn more

The report offers several examples of how Microsoft is evolving its security strategy to support the complex environments that enterprises must secure. Ovum expects that Microsoft will continue to expand the number of products that secure multiple platforms as it provides more support for Mac, Linux, AWS, and GCP.

Read the Ovum report to learn more about how Microsoft’s current offering and strategy makes it a good fit for current Azure customers who have a mix of on-premises and clouds and/or use two or more cloud service providers.

The post Ovum recommends Microsoft security to safeguard your hybrid and multi cloud environments appeared first on Microsoft Security.

Duckduckgo vs Google: A Security Comparison and How to Maximize Your Privacy

Preoccupied with privacy? You’ve come to the right place. In today’s guide, I’ll go through everything you should know about Duckduckgo vs Google, how each of them works and how you can make the switch work for you (or not). You’ll also get performance comparisons, pros and cons for each product and advice on how to make the most of your privacy.

Should you decide in the end to switch to the Duckduckgo search engine over Google (I won’t tell you what to do, the decision is entirely yours after getting all the info below), I’ll also share extra advice on how to make the most out of your Duckduckgo products. Since the software suite is not limited to the search engine, there are also some software products to consider. But first thing’s first, let’s check out the Duckduckgo vs Google competition, comparison, and in-depth analysis.

Duckduckgo vs Google: The Competition Between Them and the Shift of Users

Usually, when people think of the Duckduckgo vs Google competition they are immediately thinking of the search engine Duckduckgo vs the search engine Google. Namely, this debate is about whether to use Duckduckgo or Google as your default browser search engine and / or homepage.

Even though Duckduckgo has other tools and apps besides its search engine, as I’ll get into below, for now let’s keep referring strictly to the search engine. This way, you’ll understand better what all the fuss is about with the Duckduckgo vs Google debate. Here’s an overview of public perception on it and everything you need to know about the context of this competitive comparison.

As the tools and techniques used for data gathering have slowly turned into more and more comprehensive algorithms tracking scores of information, both consumers and businesses have become more preoccupied with privacy. The rise of the so-called big data and big tech conglomerates has led to an increased level of surveillance which makes most people uncomfortable.

The fact that all the search history of users is tracked by Google (even in incognito browser mode) has contributed to the growing discomfort of concerned users.

If they’re not particularly concerned with how Google itself manages their personal data, then they’re concerned about data breaches.

Nowadays, with so many breaches making the headlines, it’s hard to trust that your data will remain as private as you’d like. Even if the entities you’re willing to share that data with have your confidence, no one is truly unhackable.

So How Are Duckduckgo and Google Competing?

Google doesn’t compete with Duckduckgo so much, in the grand scheme of things. Google is the big guy in the industry and while they are certainly aware of their smaller competitors catching up, it’s not really the same league. Yet.

Virtually all internet users tend to be Google search engine users, by default. The main strategy for Google is to try to hold on to the users it has by implementing better security and privacy protection measures. This is something definitely on their agenda, but the issue still remains that user data is tracked. Therefore, Google is leaking some users who are leaving its boat in order to climb aboard that of Duckduckgo.

For their part, Duckduckgo are directly positioning themselves as an alternative and competitor to the Google search engine. Their very blog is aiming to answer the very direct question of ‘Why You Should Use Us Instead of Google’.

So, why do some users prefer switching to Duckduckgo from Google? Here’s our unbiased comparison.

Duckduckgo Search Engine at a Glance: Pros and Cons

Obviously, since many users (exact number unknown) are switching to Duckduckgo from Google, the product is a great one, for people who are more concerned with privacy.

Why is the number of Duckduckgo users unknown?

Well, that’s the beauty of it: not even Duckduckgo knows exactly how many users it has, precisely because they do not track them. Nice, right?

However, according to their official approximations based on the number of searches they get each month and based on the fact that each user makes 1 search per day, on average (so 30 per month), their total user pool should be around 25 million people. That’s pretty impressive.

As a side note, I’d like to point out that my intuition says people make more than 30 searches per month if they are active internet users. And if they heard about Duckduckgo enough as to use it, they are probably tech-savvy and active enough online to use their devices almost daily. Therefore, I’d say that there’s a good chance that some users only switch to Duckduckgo when they are doing searches which they would rather keep truly private. Funny thought.

As you can see, the main advantage, unique selling point and promise of the Duckduckgo search engine is its utter privacy. Here’s the entire picture of my Duckduckgo review, broken down in pros and cons.

Pros of Duckduckgo as a search engine:

  • Perfect privacy. No data on your online searches collected or stored. (If you want this privacy to extend further than searches and to all your browser activity, you need to install the complementary Duckduckgo products, which I described below).
  • No ads targeting you based on your searches.
  • No social engineering techniques used on your based on your searches and other interests.
  • You can be sure you are getting the same search results as all other users (no targeting or profiling).
  • 1-page search results. Infinite scroll: as long as you keep going down, more search results keep loading. It’s a well-known fact that many users don’t make it to the second page of Google search results, but Duckduckgo just presents to you more info on the same page so you never have to click next and lose the initial results from sight.

Cons of Duckduckgo as a search engine:

  • Has a few nice extra perks and features, but still not as many as Google. Just think of Google Maps, Google Flights, Google Finance, Google Books, etc.
  • Less personalization: Duckduckgo doesn’t remember your search history, which is technically an advantage for privacy, but it can also be less convenient sometimes.

screenshot with duckduckgo search

For example, here’s a Duckduckgo search I did for ‘Aviatorilor’, a place in Bucharest, the city I live in. Normally, with Google, I would also get the option of quickly checking out on the map where that place is and how to get there from my location, how long will this take and so on.

In terms of privacy, Duckduckgo clearly wins. But if privacy is not your pet peeve, Google is an incredible product as well, and not one to reject without careful consideration. Here’s how things look like from the other side, too.

Google Search Engine at a Glance: Pros and Cons

Google is not the immediate loser in this competition, however. Not only because it’s still leagues away from Duckduckgo and because most internet users still use the Google search engine.

But it also has unique advantages when compared to Duckduckgo, advantages which derive precisely from its data collecting practices. After all, even if your personal data is used by Google to make money, you still get a few benefits too.

It all comes down to whether you prefer privacy or personalization. Since personalization requires data storing, you can’t have both.

So, here are the pros and cons of the Google search engine, very briefly.

Pros of Google as a search engine:

  • Displays unique content (including advertising content) tailored for your preferences and history
  • Offers built-in features which can be of help (like Google Maps, or help with calculating your trajectory to a place you’re searching for, or search results filters like Books or Flights, etc.)
  • Remembers your search history (this also counts as a con, but it can be helpful in some cases when you want to revisit a web page you forgot to save elsewhere)
  • It’s integrated with your other Google accounts and products, which can sometimes be rewarding.

Cons of Google as a search engine:

  • Remembers your search history (also counts as a pro if you need it, see above).
  • Not even incognito browsing is truly private (read the fine print the next time you open an incognito browser tab in Chrome – or Mozzila, for that matter).
  • Sells your data to third parties and offers them sophisticated tools of tracking you across the web so you can be bombarded with tailored ads.
  • Pulls data from your private emails in order to spam you with ads. Google representatives say this is an automatic process and that no human employee sees your personal emails but it can still be uncomfortable for some users. Imagine, for example, that you and your partner are surprised with an unexpected pregnancy and you’re considering abortion, only to be spammed with baby carriage ads all of a sudden.

How to Protect Your Privacy with the Duckduckgo Search Engine

If you decide to go for Duckduckgo as a way to protect your privacy a bit more, here is everything you need to know in order to make the most of it. The goal is to increase your privacy while also making sure you understand all the ways you can use the Duckduckgo technology to your fullest potential and, if possible, to preseve some of the convenience we are used to from the Google days.

Frequently asked questions about Duckduckgo

Q: Can you browse dark web websites with Duckduckgo?

A: Indeed, you can. But we’d recommend using the go-to browser for the deep and dark web, which is the Tor browser. Many users browse the darker regions of the internet by using the Duckduckgo search engine on the Tor browser.

That still doesn’t mean that doing illegal things on the dark web or on the deep web will stay secret if you do, however. Law enforcement can still track illegal things taking place there (as they should). But as far as privacy goes (and if you don’t want the other users lurking around the creepy corners of the web to see you), Duckduckgo is a great tool.

Q: What browser is better for privacy, Tor or Duckduckgo?

A: First of all, let’s make something clear: there is no Duckduckgo browser on computers. There’s just the Duckduckgo extension to be added to Chrome. But you can use Duckduckgo as a search engine on the Tor browser and that is, indeed, a much more private option than using Duckduckgo in Chrome (even with the extension installed).

On the other hand, there are Duckduckgo browsers for mobile devices (more on those in the products section below). Still, mobile devices also have the option of using the Tor browser for Android. Both are just as safe, privacy-wise.

Q: How does Duckduckgo make money if it blocks ads?

A: One of the major things that puts people off regarding Google is that it makes money selling their data to advertisers. You know what they say – when a product is free of charge, it’s because you are the product.

So, in search of more privacy and less misuse of their data (or less risk of data breaches), people switch to Duckduckgo. But then they think ‘wait, but Duckduckgo is also free’. So how do they make money, then, if they don’t store and sell data?

Just because they offer you complete privacy, it doesn’t mean Duckduckgo has no advertising ties. The Duckduckgo business model is still based on advertising and affiliate revenue. The ads are displayed on the right of your search results, based on the exact keyword of the search. But unlike Google, those ads are not personalized (as in, based on your search history, demographics, shopping history, etc.), because your data is not tracked.

Other Duckduckgo Products to Consider

Mainly, Duckduckgo is a search engine and that’s their core product offering. A search engine with a focus on privacy much above Google privacy practices, which is great for the users who are concerned about this. In today’s digital landscape, we should all be a little more watchful of our private data and what happens to it.

So the privacy aspect of the Duckduckgo search engine is what makes people use them.

The search engine is their main product, and you can access and use it as an URL here. It’s simple and clean and comes with no other product required for its use.

On the other hand, you can also access this search engine from the Duckduckgo products which complement it. Here are the options:

  • The Duckduckgo extension for Chrome: As far as security goes, this is a great Chrome extension to add*. It’s great if you want to keep using Google Chrome (it’s not like you want to reject the brand altogether) but still make sure that the Duckduckgo search engine is used everywhere in your browser by default, and that your data is not collected or stored. Using the Duckduckgo extension for Chrome will also block advertising trackers.
  • The Duckduckgo Privacy Browser (Android app): This is a privacy browser meant to be used on tablets and smartphones using the Android OS.
  • The Duckduckgo Privacy Browser (Apple app): This app is the same, but issued for Apple mobile devices (like iPhones).

You will notice that there is no Duckduckgo browser for computers or laptops. That’s because it isn’t needed: the Duckduckgo extension for Google Chrome effectively turns your browser into a Duckduckgo browser.

Of course, you can still use the Duckduckgo search engine with other browsers as well, such as Mozilla Firefox, or Opera and so on.

Some users who really want to maximize their privacy protection use the Tor browser with the Duckduckgo search engine. Duckduckgo is actually the default search engine for the Tor browser, especially desirable for users who want to browse the deep web or the dark web safely.

Important note: you will notice many other sources and blogs saying Duckduckgo is a ‘safe browser’ or ‘secure browser’. This safety and security they are referring to only extends to the privacy aspect. Using Duckduckgo will not keep you safe from viruses, malware, ransomware, and other internet dangers. Only a full security solution (based both on an anti-virus component and a traffic filtering, proactive component, like our Thor Premium Home) can protect you from cyber-attacks.

*You can also check out other great Google Chrome extensions for increased security (all hand-picked by us and devoid of any ulterior motive like compensation or whatever).

Bonus: 15 Extra Duckduckgo Features which Google Doesn’t Have

#1. Seeing social media bios

You can have links to the social media profiles featured on a website directly from the search results. If you want to connect to an author or customer support for a specific business and so on, Duckduckgo will point you directly to those profiles, no need to enter the website and manually search for them.

#2. App store alternatives to apps

You can search for apps in the app stores just as you would do in any other search engine, but Duckduckgo will also present you with alternatives for the same thing. No more time wasted on scout work.

#3. The Duckduckgo bangs

This is a very cool feature that allows you to search within a specific website for the words you want. Here is the entire list of Duckduckgo bangs.

#4. Weather data available instantly

You can search for simple things like ‘Is it raining in [town name]?’ and you’ll find out what you need to know instantly.

#5. Keyboard shortcuts

Macros and other cool keyboard shortcuts are just a few settings away in Duckduckgo.

#6. Emoticon ‘translations’

Not sure what an emoticon like ‘;;)’ means? Just ask Duckduckgo. (P.S: It’s something from the ancient times of Yahoo Messenger and I know it because I’m old. No, I’m not serious about the last part).

#7. Quick stopwatch

Just what the name says.

#8. Drink recipes

If you search for stuff like ‘how to make a mojito’, the recipe will be displayed right in the search results, no click required. Cheers!

#9. Password generator

Just like other browsers, Duckduckgo will help you generate stronger passwords. (This is important because of credential stuffing attacks and so on). But unlike other browsers, it won’t store them in any way. That’s up to your memory, password manager tool, etc.

#10. Finding rhymes

Troubled by some poetry writing and you just can’t find the rhyme? Or you’re unsure whether two words actually rhyme? No worries, ask Duckduckgo and it will tell you. Yes, seriously.

#11. Calendar as an instant answer

Google also has a calendar feature, but with Duckduckgo it’s an instant answer. You can just search for ‘March 2021’ and you will instantly see the month calendar laid out right in the search results.

#12. Loan calculators

Need help figuring out interest rates and stuff? Duckduckgo has you covered with this too.

#13. Cool features for developers

Plenty of nice things. Here’s just a few:

  • Generate lorem ipsum text quickly and automatically
  • Encode links to machine-readable text
  • Convert binary code to decimal code
  • Convert content to ASCII texts
  • Show a list of special characters and their HTML values
  • Show HTML value for any special character
  • Convert colors to their universal numeric code
  • Show colors based on hexadecimal values

#14. Anagram solver

If you have a poetry writing assistant built-in, why not also an anagram solver assistant? Yes, it really works.

#15. Instant text converting for lower-case, upper-case and capital letter

This is super-useful whenever you need to modify a text in this regard, and it’s a feature currently supported nowhere else.

Final words

If you think these Duckduckgo features look good, rest assured that there are many, many more. Some are downright useful, others just cute, but there’s no denying that Duckduckgo is heading on the right track when it comes to popularity.

This surge isn’t limited to the geek community. More and more users are making their choice in the Duckduckgo vs Google battle, and it’s not in favor of the Google giant.

The post Duckduckgo vs Google: A Security Comparison and How to Maximize Your Privacy appeared first on Heimdal Security Blog.

Keys to Scaling Your Application Security Program

It’s best practice to kick off your AppSec inititive by starting small, scanning your most business-critical apps, and addressing the most severe flaws. But it’s also best practice to scale your program to eventually cover your entire app landscape, and all flaws. Why? First, because you can be breached through non-critical apps; JP Morgan was breached through third-party software supporting its charitable road race, and Target was breached through its HVAC vendor’s software. Second, you can be breached through a low-severity vulnerability. Oftentimes, a low-severity flaw could be just as risky, if not more so, than a higher-severity flaw. For example, a low-severity information leakage flaw could provide just the right amount of system knowledge an attacker needs to leverage a vulnerability that might otherwise be difficult to exploit.

How do you make this transition from few to many, especially with limited security staff and expertise? This is a significant challenge. In fact, we typically see AppSec programs fail for two reasons: Lack of experience in running an application security program, and the inability to hire enough qualified staff to run application security tools at scale. Very few application security managers have run large programs before and have the experience to predict ramp up and adoption. The global shortage of security professionals also makes it difficult to hire enough people to coordinate between development and security teams. The 2018 Cyberthreat Defense Report found that a rising shortage of skilled personnel is the number one inhibitor organizations face when trying to establish a security program.

Yet, we’ve also helped thousands of customers grow and mature their AppSec programs over the past 12 years, and we know there are a few keys to effectively scaling an application security program. These keys include:

The right partner

Considering the skills shortage, engaging outside AppSec expertise goes a long way, both to establish your program’s goals and roadmap and keep it on track, and to guide you through fixing the flaws you find. We aren’t suggesting you replace your security team with consultants, but rather that you complement it with specialized AppSec expertise and free your team to focus on managing risk by taking these tasks of their plates:

Addressing the blocking and tackling of onboarding

  • Application security program management
  • Reporting
  • Identifying and addressing barriers to success
  • Work with development teams to ensure they are finding and remediating vulnerabilities

We’ve seen the difference this support makes: Veracode customers who work with our security program managers grow their application coverage by 25 percent each year, decrease their time to deployment, and demonstrate better vulnerability detection and remediation metrics.

In fact, data collected for our State of Software Security report found that developers who get remediation coaching from our security experts fix 88 percent more flaws.

Security champions

Another way to scale your AppSec program is to develop and nurture security champions within your development teams. While these developers aren’t (and don’t have to be) security pros, they can act as the security conscience of the team by keeping their eyes and ears open for potential issues. The team can then fix the issues in development or call in your organization’s security experts for guidance. An embedded security champion can effectively help an organization make up for a lack of security coverage or skills by acting as a force multiplier who can pass on security best practices, answer questions, and raise security awareness. Because your security champion speaks the lingo of developers and is intimately involved in your organization’s development projects, he or she can communicate security issues in a way that development teams will understand and embrace.

How can you start developing security champions?

  • Get leadership buy-in. Make sure management, the security team, and the Scrum leaders are willing to invest the time, money, and resources it will take to make security champions effective.
  • Set the standard. Create expectations for what security champions should do and incorporate it into their pre-existing peer review work to minimize disruptions.
  • Track success. Make security a KPI so your organization can evaluate the ROI of the program
  • Provide training. Volunteers can bring passion, but it’s up to your security experts to provide the knowledge your security champions will need to review code for flaws and pass best practices on to the development team.
  • Build community. Make sure security champions have ample opportunity to meet with each other and the security team to discuss specific issues and overall trends.

Cloud-based solution

In addition, a cloud-based application security solution can help you scale your program without a lot of extra cost or hassle compared to an on-premises solution. When an on-premises application security program needs to be scaled, enterprises frequently need to track down more of hard-to-find security specialists, in addition to installing more servers.

Things that usually cost extra in an on-premises solution — features such as integrations, onboarding, upgrades, and maintenance — are all included with a cloud-based solution. This allows your security team to focus on scaling your AppSec efforts without worrying about going over budget.

Learn more

Application security is about more than scanning; the ability to scale your program is a critical factor that can make or break your program. Learn more about AppSec best practices in our new eBook, Application Security: Beyond Scanning.

Fallout from a Fallout

It is often that a data breach reveals other issues that a business is experiencing, but it isn’t every day I see the opposite. When I heard about what was happening at Bethesda Softworks and their online game, I was interested immediately. The background on this is simple enough. Bethesda is a well-known video game […]

The post Fallout from a Fallout appeared first on Privacy Ref Blog.

Why You Should Pick a Leader for Your Enterprise Email Security

Email is a mature technology, but threats targeting email are evolving and getting more sophisticated. 97%1 of ransomware attacks come from email. That’s why there are so many email security vendors and solutions in the market offering different types of technologies and coverages. Picking the best email security solution for an organization can be overwhelming.

Maybe it doesn’t have to be. Forrester Research, a well-known independent research firm, released “The Forrester Wave™: Enterprise Email Security, Q2 2019” report on May 16, 2019. Using its 32-criterion evaluation of enterprise email content security providers, Forrester identified the 12 most significant vendors and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk professionals select the right one for their needs.

Trend Micro has been named a Leader in the Forrester report. What’s special is that we also received the highest score in the Strategy category among all 12 vendors. Furthermore, we got the highest score possible for the “Technology leadership” criterion, which is a sub-criterion of the Product Strategy criterion. Trend Micro also received the highest score possible in the “Deployment options” and “Cloud integration” criteria.

Highest score possible for “Technology leadership” criterion in Strategy category – our takeaways

Building on 20+ years in email security, Trend Micro continues to make strong investment and technology innovation in this market. Email threats are evolving, so do Trend Micro’s email security solutions.  To cite just a couple of examples, new technologies developed by Trend Micro to combat latest email threats include:

  • The unique, patent-pending Writing Style DNA technology compares the writing style of suspected fraud emails to the known AI model of the executive being impersonated. This technology adds another layer of filtering for Business Email compromise (BEC) attacks on top of the machine learning-based email header and content analysis. To-date, Trend Micro has built AI writing style models for almost 7,000 high-profile users, and found 5,400 additional attacks at 160 organizations. This is the final detection layer after Microsoft Office 365 and/or email gateway filtering and other Trend Micro anti-phishing filters.
  • Computer vision detection of popular fake login sites for account takeover protection. This patent-pending technology blends computer vision image analysis technology with artificial intelligence to “see” fake websites. It protects customers from credential phishing attacks.

With a long and innovative history with email security, Trend Micro remains at the forefront of the industry with a strong strategy that continues to position its customers well over the long term.

Highest score possible in “Deployment options” and “Cloud integration” criteria – our takeaways

Trend Micro is the only vendor to offer dual layer email protection via a cloud-based API plus SMTP solution for advanced threat protection. This unique approach provides “best of both worlds”, offering the benefits of both deployment types. Email gateway (SMTP solution) is perfect for inbound filtering and outbound DLP or email encryption. Trend Micro’s API solution is quick and easy to deploy, and can protect internal phishing emails for your Office 365 or Gmail, as well as cloud file sharing services (e.g. OneDrive or Google Drive).

Trend Micro email security is proven to be effective in protecting customers. In 2018, Trend Micro Cloud App Security, the API solution, stopped 8.9 million high-risk threats that weren’t caught by Office 365 security.

By choosing Trend Micro, you are investing in a solution which will continuously evolve to combat tomorrow’s email security challenges.

Check out the report and see for yourself why Trend Micro is a leader in Enterprise Email Security.

1 TrendLabs 2017 Security Roundup, March 2018

The post Why You Should Pick a Leader for Your Enterprise Email Security appeared first on .

Another Intel Chip Flaw

Remember the Spectre and Meltdown attacks from last year? They were a new class of attacks against complex CPUs, finding subliminal channels in optimization techniques that allow hackers to steal information. Since their discovery, researchers have found additional similar vulnerabilities.

A whole bunch more have just been discovered.

I don't think we're finished yet. A year and a half ago I wrote: "But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride." I think more are still coming.

Best 5 Nintendo 3DS Emulator for Android, iOS & PC

The Nintendo 3D was introduced on February 26, 2011, in Japan and around the world. Later in less than six months, Nintendo has declared a significant price drop. Initially, Nintendo started experimenting with a stereoscopic 3D video game from the 1980s.

Nintendo didn’t taste great success initially, but gradually it continued to innovate, and in 2010 it announced its first Nintendo console managed in official 3D in the Nintendo Ds family that has achieved a great success.

Today we’ll talk about the few best 3Ds emulators for Android and PC that will help you play Nintendo games on your phone or PC, and you will not have to change any settings. If you want the new Nintendo Switch emulator, it is also available.

Best 3DS Nintendo Emulators for PC, Mac, and Linux.

1. nds4droid 

nds4droid is a free Nintendo DS emulator. It is still in its infancy, but supports many features you’d expect like save states and sound. It also supports the OUYA game console.

One of the best things about Nds4droid is that the application is open source, so any user can download it without paying anything and even change its code. Loading ROMs are exactly the same as it would be with any other emulator.

Nds4droid supports some video games, but it has its limitation. Some work perfectly, while others have problems with the emulator. Final Fantasy IV, for example, works well, but with a frame rate that is less than desirable.

Nds4droid is a powerful emulator for the Nintendo DS. It does not yet support the full catalog of Nintendo DS games, but you can still play excellent titles.

2. Drastic 3ds Emulator for Android

It is one of the fastest android emulators that play Nintendo games at full speed. The emulator works on enhancing the 3D graphics by 2 times, it gives you a smooth game experience and makes you win the games.  It can perform most popular games with ease. With this emulator, you can even enjoy high-end graphics on your smartphone. It has a lot of features. Screen layout customization, Google Drive support, fast forwarding, controller customization, software and hardware controller support are some of them to name.

3. Citra 3Ds Emulator For Windows

Citra is a work-in-progress 3DS emulator. Citra can currently emulate, with varying degrees of success, a wide variety of different homebrew programs and commercial software. It is compatible with multiple platforms such as Windows, Mac OS X, and Linux, the developers constantly work with the stability issues for the tool and it offers maximum features when compared to other emulators in the market.

4. NeonDS (for Windows)

NeonDS (for Windows) is a NintendoDS emulator that allows you to play old commercial games for Windows computers. This mouse mimics the stick on the Nintendo DS portable computer. The Nintendo DS is the first portable console that offers two screens; one of them is a touch screen. NeonDS allows you to emulate the Nintendo DS, and let you play DS games on your computer.

5. 3DS emulator app for iOS

The 3DS Emulator can be installed with iOs 11, iOS 11.12 or iOS 11.2 without jailbreaking, the apps give access to paid Nintendo games for free. The Nintendo 3DS emulator for the Apple operating system is a very useful framework that allows users to simulate and create an environment similar to the 3DS console, on their iOS-based mobile phone or computer. The simulation environment is fully functional as if you are using a 3DS console, without obstacles or bugs. Users can experience the same on it looks on the 3DS console.

Source: https://gbhackers.com/working-nintendo-3ds-emulator-2019/

Related Resource: 

Gamers Be Warned, Never Download ‘Free AAA’ Games In Peer-To-Peer Networks

4 Things Gamers Should Never Forget Even If It Is The Holiday Season

The post Best 5 Nintendo 3DS Emulator for Android, iOS & PC appeared first on .

A joint operation by international police dismantled GozNym gang

A joint effort by international law enforcement agencies from 6 different countries has dismantled the crime gang behind the GozNym banking malware.

GozNym banking malware is considered one of the most dangerous threats to the banking industry, experts estimated it allowed to steal nearly $100 million from over 41,000 victims across the globe for years.

“An unprecedented, international law enforcement operation has dismantled a complex, globally operating and organised cybercrime network.” reads the press release published by the Europol. “The criminal network used GozNym malware in an attempt to steal an estimated $100 million from more than 41 000 victims, primarily businesses and their financial institutions.”


The GozNym banking malware was first spotted in April 2015 by researchers from the  IBM X-Force Research, it combines the best features of Gozi ISFB and Nymaim malware.

The GozNym has been seen targeting banking institutions, credit unions, and retail banks. Among the victims of the GozNym Trojan there are 24 financial institutions in North America and organizations in Europe, including a Polish webmail service providers, investment banking and consumer accounts at 17 banks in Poland and one bank in Portugal.

Now the Europol announced the unprecedented, international law enforcement operation that allowed to dismantled the complex, globally operating and organised cybercrime network.

Europol with the help of law enforcement agencies from Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States identified and 0 individuals alleged members of the GozNym network.

5 defendants were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine, the remaining ones are Russians citizens and are still on the run, including the expert who developed the banking malware.

The cybercrime organization has been described by the Europol as a highly specialised and international criminal network.

One of the members that encrypted GozNym malware to avoid detection by security solutions, was arrested and is being prosecuted in the Republic of Moldova.

Operators behind the GozNym malware used the Avalanche network to spread the malware.

“Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the “Avalanche” network.  The Avalanche network provided services to more than 200 cybercriminals, and hosted more than twenty different malware campaigns, including GozNym.” continues the press release published by Europol. Through the coordinated efforts being announced today, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.  The prosecution will be conducted by the Prosecutor General’s Office of Ukraine and the National Police of Ukraine.

The members of the gang used banking malware to infect victims’ computers and steal their online banking credentials.

“A criminal Indictment returned by a federal grand jury in Pittsburgh, USA charges ten members of the GozNym criminal network with conspiracy to commit the following:

  • infecting victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
  • using the captured login credentials to fraudulently gain unauthorised access to victims’ online bank accounts;
  • stealing money from victims’ bank accounts and laundering those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.

The defendants are well known on Russian underground, they advertised their specialized technical skills and services in Russian-speaking online criminal forums. Through these forums the leader of the GozNym network recruited them.

“The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.” continues the Europol.

Below the advisory published by the FBI:


Pierluigi Paganini

(SecurityAffairs – GozNym, malware)

The post A joint operation by international police dismantled GozNym gang appeared first on Security Affairs.

Cisco Service Provider, WebEx Bugs Offer Up Remote Code Execution

The vendor also issued a patch schedule for the still-unpatched bug in its Secure Boot trusted hardware environment, which affects most of its enterprise and SMB portfolio, amounting to millions of vulnerable devices.

Forbes subscribers warned of Magecart threat skimming credit card details

The notorious Magecart malware, that blights online stores by stealing payment card details from unsuspecting shoppers at checkout, has claimed another high profile victim. Security researcher Troy Mursch raised the alarm on Twitter that the Forbes magazine subscription website had been compromised with malicious code that was siphoning off sensitive credit card information as users […]… Read More

The post Forbes subscribers warned of Magecart threat skimming credit card details appeared first on The State of Security.

Microsoft renewed its Attack Surface Analyzer, version 2.0 is online

Microsoft has renewed its Attack Surface Analyzer tool to take advantage of modern, cross-platform technologies.

The first version of the Attack Surface Analyzer 1.0 was released back in 2012, it aims at detecting and changes that occur in the Windows operating systems during the installation of third-party applications. 

The Analyzer has been released on GitHub, it has been developed using .NET Core and Electron. The choice to use these two cross-platform technologies allows running on macOS and Linux, and of course Windows.

“Attack Surface Analyzer is a Microsoft-developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.” reads the README file published by Microsoft.

“Attack Surface Analyzer 2.0 replaces the original Attack Surface Analzyer tool, released publicly in 2012.”

Attack Surface Analyzer

Users of Attack Surface Analyzer could determine changes to the system attack surface introduced when a software is installed and evaluate risk presented when third-party software is installed.

The tool is able to detect any changes to OS components, including file system (static snapshot and live monitoring available), user accounts, services, network ports, certificates, registry (Windows only).

“The core feature of Attack Surface Analyzer is the ability to “diff” an operating system’s security configuration, before and after a software component is installed.” continues Microsoft. “This is important because most installation processes require elevated privileges, and once granted, can lead to unintended system configuration changes.”

The tool reports on potential vulnerabilities introduced during app installation. 

“This tool can play an important role in ensuring that the software you develop or deploy doesn’t adversely affect the operating system security configuration by allowing you to scan for specific types of changes,” reads a blog post published by Microsoft. 

Microsoft pointed out that the tool includes both Electron and command line interface options. The results for the command line use option are written to a local HTML or JSON file, an implementation choice that makes it easy to include the tool in the user automated toolchain.

Pierluigi Paganini

(SecurityAffairs – fingerprints, Genesis Store)

The post Microsoft renewed its Attack Surface Analyzer, version 2.0 is online appeared first on Security Affairs.

Epsiode 494 – Why Forcing Password Resets Makes You Less Secure

This epsiode is a continuation on the death of the password. I talk about how forcing resets actually can make you less secure and what the future may bring for authenticaiton for everyone. Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t forget to […]

The post Epsiode 494 – Why Forcing Password Resets Makes You Less Secure appeared first on Security In Five.

A flaw in Google Titan Security Keys expose users to Bluetooth Attacks

Titan Security Keys are affected by a severe vulnerability, for this reason, Google announced it is offering a free replacement for vulnerable devices.

Google announced it is offering a free replacement for Titan Security keys affected by a serious vulnerability that could be exploited by to carry out Bluetooth attacks.

Titan Security Keys

The Titan Security Keys were introduced by Google in July 2018 to provide an additional layer of security to its users and protect them from Phishing and MiTM attacks.

The Titan Security Key is based on the Fast IDentity Online (FIDO) Alliance, U2F (universal 2nd factor) protocol and was entirely designed by Google.

The Titan Security Keys are available in both USB and Bluetooth versions, 

The vulnerability affects the Bluetooth Low Energy (BLE) version of T1 and T2 Titan Security Keys, both USB and NFC security keys are not impacted.

Google users can refer a page set up by the company to discover if their devices are affected by the flaw and receive instructions to replace them.

The vulnerability is a misconfiguration issue in the Titan’s Bluetooth pairing protocols that was discovered by Microsoft. Google explained that the attack is hard to exploit, an attacker physically close to the victim could trigger the flaw only in under specific conditions.

The attacker has to connect their device to the victim’s security key before the legitimate device connects, moreover he has to launch the attack exactly when the victim presses the button on their dongle.

“Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b)communicate with the device to which your key is paired.” reads the advisory published by Google.

Below the conditions that the attacker would match to carry out the attack:

  • When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
  • Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

The attacker can also use its own device to connect to the victim’s device when the button is pressed on the key. Once connected, the hacker can set the device to a Bluetooth mouse or keyboard and perform actions on the victim’s device.

Even if the keys are vulnerable to Bluetooth attacks, they remain the strongest protection against phishing attacks.

“Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),” continues Google.

Mobile users have been advised to use their Titan Security Keys only when cannot be in physical proximity of a potential attacker.

Pierluigi Paganini

(SecurityAffairs – Titan Security Keys, hacking)

The post A flaw in Google Titan Security Keys expose users to Bluetooth Attacks appeared first on Security Affairs.

Intel MDS attack mitigation: An overview

Intel has revealed on Tuesday that some of its CPUs are vulnerable to a number of new speculative execution attacks that may allow attackers to stealing sensitive data and keys/passwords. ZombieLoad, RIDL and Fallout attacks have been extensively written about by the various groups of researchers that came up with them, but many customers and enterprise users are still unclear on whether these could affect them and what they can do to protect themselves. A … More

The post Intel MDS attack mitigation: An overview appeared first on Help Net Security.

The stealthy email stealer in the TA505 hacker group’s arsenal

Experts at Yoroi-Cybaze Z-Lab observed a spike in attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group


During the last month, our Threat Intelligence surveillance team spotted increasing evidence of an operation intensification against the Banking sector. In fact, many independent researchers pointed to a particular email attack wave probably related to the known TA505 hacking group, active since 2014 and focusing on Retail and Banking companies. The group is also known for some evasive techniques they put in place over time to avoid the security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legit programs regularly used by victim, or also the abuse of valid cryptographically signed payloads.

Figure 1. Attack campaign spotted in the wild.

Investigating and tracking their operations during April and May we detected an interesting tool was delivered through the victim machine. Just after the opening of malicious documents and the installation of FlawedAmmy RAT implants, the group used to deploy a particular credential stealing software, part of their arsenal, revealing details of their recent operation.

Figure 2. Attack campaign spotted in the wild.

Technical Analysis

The piece of malware under analysis were downloaded from “bullettruth[.com/out[.exe”, it was executed into the victim machines after the establishment of the infection.

ThreatCustom Email Stealer
Brief DescriptionExecutable of the email stealer
Figure 3: Malware Signature by SLON LTD

Firstly, we noticed this secondary component was well protected against antivirus detection, in fact, the PE file was signed by Sectigo in the first half of May, one of the major Russian Certification Authority. Analyzing the trust chain we found the attackers were relying on cryptographic keys released to a UK company named  SLON LTD. At this time, we have no evidence to hypothesize it could be a victim of previous hacks or not.

Anyway, a static inspection of the binary revealed that the malware has a quite high entropy level, suggesting it may be packed.

Figure 4: Malware suspicious entropy level

Dynamically executing the malware, more information about its behaviour is revealed. The malicious executable is substantially an email stealer, in fact, the only purpose is to retrieve all the emails and passwords accounts present inside the victim machine. After executing the information gathering routine, the malware sends to its C2 all the retrieved emails and passwords:

Figure 5: HTTP POST communication

The interesting thing about the communication with the C2 is the fact that there is no encryption: the data harvested are sent to the C2 in JSON format. Investigating the attacker infrastructure we noticed interesting information such as the information of the stolen emails through our Digital Surveillance systems.

In order to retrieve more details about this Email Stealer, the analysis has moved into debugging and disassembling. As previously mentioned, the malware sample is heavily obfuscated and packed. However, by letting the malware execute itself within a debugger, we were able to extract the unpacked payload of the malware.

Figure 6: Static information about the packed sample (on the left) and the unpacked one (on the right)

As shown by the above figure, we notice a peculiarity of these two components: while the packed sample is compiled in Microsoft Visual C++ version 6.0, the unpacked one is compiled in Microsoft Visual C++ version 8. At this point, we deepen the analysis on the extracted payload. However, we are not able to execute it, because it always references many memory addresses of the original one. So, we carry on static analysis on the extracted sample.

As previously described, the malware’s principal purpose is to iterate through the filesystem looking for email accounts.. The first step is to check whether the “outlook.exe” process is running and, in this case it kills the process.The malware iterate through user processes with Process32FirstW API and then kill it with TerminateProcess:

Figure 7: Outlook process search routine

The extracted payload does not present any type of code obfuscation of other types. In fact the C2 server and the path is not encoded:

Figure 8: C2 connection routine

The last routine being analyzed is the credential harvesting inside the entire filesystem.

Apart from the routine that searches for the email account registered in Outlook and Thunderbird clients (as shown in Figure 7), there is another one which scans the filesystem looking for hardcoded extensions, then, if one of them is found, a reference to the found file is conserved inside the %TEMP% directory. At this point, all the gathered email accounts are sent to the server and then erasing  all traces of itself from the infected machine, in fact, the malware creates a simple batch script which delete itself and all the tracks of infection.

Figure 9: Autodeletion batch script

Analysis of Exposed Emails

In this paragraph are shown some statistics about the harvested emails in the attack campaign, recovered during surveillance and hunting operations. So we decided to create a graph in which sort the most frequent TLD occurrences of all the stolen data.

Figure 10: Distribution of TLD

As seen in the graph above, the most frequent TLD is .com with 193.194 occurrences, following .kr with 102.025 occurrences, .cn with 26.160 occurrences, it with 6.317 occurrences and so on. To better visualize the macro-locations involved in this exposure we built a heatmap showing the geographical distribution of the TOP 100 countries referenced in the TLDs.

Figure 11: Geolocation of emails TLD exposure

The heatmap shows the less-affected countries with a greenish color, on the contrary, the most-affected ones tend to an orange or red-tinged color. The first thing that emerges from these 2 distributions is that this specific threat seems not to be targeted, in fact, the diffusion is almost global with some red or orange zones in UK, Italy, Republic of Korea, China, Germany, Hungary, Taiwan, Japan, India and Mexico. All these countries exceeded the thousand occurrences.


Nowadays, the email accounts are an effective source of revenue for the cyber criminals. In fact all these information can be used to spread other malware through phishing campaigns, to perform BEC attacks (Business Email Compromise) and also to try credential stuffing attacks.

Evan a simple Info-Stealer malware like this one could be a dangerous threat, especially if used by organized groups in conjunction with other malware implants. In fact, as reported by the independent researcher Germán Fernández Bacian too, this Email Stealer has been recently used by the infamous TA505 hacking group. This link means, with good confidence, the exposed data, full email accounts in some cases and email contacts in general, are now available to a cyber-criminal group who launched targeted attacks against Banks and Retail industries in the near past.

Technical details, including IoCs and Yara Rules, are available in the analysis published on the Yoroi blog.


[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – TS505, malware)

The post The stealthy email stealer in the TA505 hacker group’s arsenal appeared first on Security Affairs.

Smashing Security #128: Shackled ankles, photo scrapes, and SIM card swaps

A bad software update causes big headaches for Dutch police, but brings temporary freedom to criminals. SIM swaps are in the news again as fraudsters steal millions. And does your cloud photo storage service have a dirty little secret?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Rip Off Britain’s David McClelland.

UK Fraud Complaints Surge Over 40%

UK Fraud Complaints Surge Over 40%

UK consumers’ complaints over banking fraud have surged by over 40% to hit an all-time high in the 2018-19 financial year, driven by online scams, according to official figures.

The Financial Ombudsman Service (FOS), which settles disputes between customers and their banks, said it received 12,195 complaints over the period, a 43% increase on the 6952 in the previous 12 months.

“One of the fastest-growing types of fraud is authorized push payment (APP) fraud — where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves,” the FOS said.

“We’ve been taking a close look at the APP complaints we’ve received. And we’ve reminded banks of their existing obligations to ensure that victims of fraud are treated fairly, as we’ve found that they haven’t always got this right.”

A new voluntary code of practice will come into force at the end of May designed to help victims of APP fraud get their money back more easily. Up until now, banks have been reluctant to pay out in such cases and often blame the individual.

Some £354m was lost to APP fraud in the UK last year, up 50% from 2017. Although some lenders, like TSB, have sought to differentiate by promising to refund victims, the industry in general has been slow to react to the threat.

“Bank transfer fraud is spiraling out of control, with people losing life-changing sums every day and then facing a grueling battle to get their money back from the very banks that should be preventing them from falling victim in the first place,” argued Gareth Shaw, head of money at consumer rights group Which.

“Banks have just two weeks to sign up to the new industry code [of practice], which will only be deemed a success if they finally halt this worsening crime by offering better protection to their customers, while swiftly and fairly reimbursing all those who lose money through no fault of their own.’

Another new proposal comes from the Payment Systems Regulator (PSR) and will introduce “confirmation of payee checks” to warn users when the name they enter into online bank transfers doesn’t match the sort code and account number on record.

However, a July 1, 2019 deadline is now set to be pushed back to 2020.

WhatsApp attacked by spyware | TECH(feed)

WhatsApp’s recent spyware hack took advantage of a security vulnerability and allowed attackers to access private, digital communication. In this episode of TECH(feed), Juliet walks through the hack, who was affected and how you can secure your devices ASAP.

The Six Most Effective Email Spam Blocker Tips

Email, as we know, is always susceptible to spam. Anyone using email would have to face spam almost on a regular basis. Email clients today are equipped with anti-spam filters that filter and move spam to separate folders. But since such filters are not 100 percent effective, it’s always best for email users to know how to deal with spam in an effective manner. Here’s a look at some of the most effective of email spam blocker tips that could help combat spam in the best of manners

Begin by training your spam filter

As we’ve already stated, the email spam filter that your email client is equipped with by default is not 100 percent perfect in filtering emails and detecting spam. Thus, it becomes important for you to keep training your spam filter to be more perfect. This can be done in two ways. Firstly, whenever you come across spam that has sneaked past the spam filter and landed up in your inbox, you shouldn’t limit yourself to just deleting it. You should select it and tell your email client that it is spam by clicking on the button that’s given to report spam. Secondly, when mail that is not spam lands up in your spam folder, you should select it and tell the client that it made a mistake. You should click on the ‘Not Spam’ (or similar) button. This way, you can train your spam filter to perform better.

Secondly, train yourself not to respond to spam

Well, we’d say this is of utmost importance among all email spam blocker tips. Security always starts from the individual users. You must train yourself, in the very first place, to refrain from responding to spam. You’ll be coming across, almost on a daily basis, spam emails landing up in your inbox. Many of these might even look genuine. You need to train yourself to identify spam and also to refrain from responding to them. Even if an email seems a bit suspicious don’t click on the accompanying link or open the accompanying attachment. Confirm the genuineness of the email and then only open the link or the attachment. Similarly, whenever you realize that you’ve got spam that has been sent from a known email address, contact that person and pass on information regarding the same. That person might not be aware of this. This helps in effective prevention of the spreading of spam emails.

Learn to protect and, if needed, hide your email address

You must learn to protect your email address from spam. There are some very important things that you need to do for this. It’s best to have one or more alternative email addresses, which you could use for things like hotel booking, online shopping etc. This way, your primary email address would be saved from those unwanted spam emails that come following your online purchases or reservations or any such web activities that might enlist you to a spam despatch list.

Another thing that you could do to protect your email address is to hide it as much as possible. Never publish your primary email address on the web unless you absolutely have to do it. At places where you have to publish your email address, publish a secondary one if that’s OK. Publish your primary email address only when you have to do it.

Use third-party antispam filters

It’s always best to use third-party antispam filters or extensions that could help nab those spam emails that sneak past your default email spam filter. Such third-party filters work by identifying spam as messages travel between an email server and an email client. There are different options- free as well as paid- depending on the kind of device you are using and also depending on the extent of your filtering requirements.

Learn to unsubscribe things that you don’t need

There are certain things that come seeking you on a periodic level, like newsletters, which you might not actually need. It would be advisable if you can unsubscribe to such services if you don’t need them at all. Yes, make it a point to unsubscribe things that you don’t need in your inbox. There would be links that would allow you to unsubscribe to such services or to stop receiving emails from that source. This step could help curb spam emails, which might accompany such emails and newsletters, to a great extent.

Change email address, if needed

You must be ready to change your primary email address if needed. When you have accidentally responded to spam and your email address is infected beyond repair, when your email address has been revealed at too many places and stand chances of being suspected to spam attacks, and when your email address has loads of spam in it despite existing security measures being taken (because of security flaws or other such issues) it’s best to change your primary email address, at the earliest. This, we agree, is a drastic step, but if such a drastic step has to be taken, just go for it. Security, after all, is of utmost importance.

Source: https://www.pcworld.com/article/3072435/5-ways-to-stop-spam-from-invading-your-email.html

Related Resources: 

Best Anti-Spam Email Filters for Thunderbird

How To Avoid Being A Phishing Scams Victim

Is It Possible To Have Email Security Without OpenPGP/S-MIME?

Phishing Emails Are Here To Stay, Says Security Firm

The post The Six Most Effective Email Spam Blocker Tips appeared first on .

Magecart hackers inject card Skimmer in Forbes Subscription Site

The Magecart gang made the headlines again, the hackers this time compromised the Forbes magazine subscription website.

The Magecart group is back, the hackers this time compromised injected a skimmers script into the Forbes magazine subscription website.

The malicious traffic was spotted by the security expert Troy Mursch
Chief Research Officer of Bad Packets, on Wednesday.

Magecart forbes magazine

Magecart hackers have installed malicious JavaScript skimmer on forbesmagazine.com to siphon payment card data entered into the site by subscribers. Crooks injected an obfuscated JavaScript in the HTML code of the payment section, the script decoded is here.

The expert immediately attempted to report his discovery to Forbes via email, but without success.

The payment page was taken down at around 1400 UTC and it is still offline at the time of writing.

A Forbes spokesperson told El Reg that is investigating the incident and that at this stage, it is not aware of the theft of any customers’ credit card information. Recent subscribers should remain vigilant and check their credit card statements for signs of fraudulent activities.

Forbes was likely a victim of a supply chain attack, Magecart hackers have compromised a company that provides services to the media outlet.

During the weekend, the forensic expert Willem de Groot discovered that the records of customers of Picreel, a web marketing software supplier, had been leaked online.

Forbes is one of the customers of Picreel, and Magecart hackers used the leaked data to access Forbes infrastructure and install the skimmer script.

“Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.” reads the analysis published RiskIQ.

Thousands of other companies that are customers at Picreel are at risk, potentially affected domains are listed here.

Security firms have monitored the activities of a dozen Magecart groups at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British AirwaysNeweggTicketmaster, and Feedify​​

Recently the Magecart group stole payment card details from the e-commerce system used by colleges and universities in Canada and the US.

Pierluigi Paganini

(SecurityAffairs – Magecart, Forbes)

The post Magecart hackers inject card Skimmer in Forbes Subscription Site appeared first on Security Affairs.

Rights Group Win Allows Courts to Scrutinize Spy Agencies

Rights Group Win Allows Courts to Scrutinize Spy Agencies

Privacy campaigners are hailing a major legal victory after the Supreme Court ruled that the intelligence services should not be exempt from oversight by ordinary UK courts.

Privacy International (PI) has fought a five-year case with the government, following the Edward Snowden disclosures that UK spies used bulk hacking techniques which may have impacted millions.

The case was initially heard in the secret Investigatory Powers Tribunal (IPT) — which rules specifically on cases involving the intelligence services. It agreed in principle with the government that it would be acceptable to use a single, broad warrant to hack every mobile phone in a UK city.

PI tried to fight that decision in the High Court, with the government arguing that IPT rulings couldn’t be subject to regular judicial review. Both the High Court and then the Court of Appeal agreed with the government, but the rights group was in 2017 allowed to take its case all the way to the Supreme Court.

Its decision yesterday effectively means that IPT decisions can be subject to judicial review in the High Court, which means mistakes made by the tribunal can now be corrected by the courts.

PI general counsel, Caroline Wilson Palow, argued the ruling was a “historic victory for the rule of law.”

“Countries around the world are currently grappling with serious questions regarding what power should reside in each branch of government. Today's ruling is a welcome precedent for all of those countries, striking a reasonable balance between executive, legislative and judicial power,” she added.

“Today's ruling paves the way for Privacy International's challenge to the UK government's use of bulk computer hacking warrants. Our challenge has been delayed for years by the government's persistent attempt to protect the IPT’s decisions from scrutiny. We are heartened that our case will now go forward."

Trump Declares National Emergency to Contain China Threat

Trump Declares National Emergency to Contain China Threat

The Trump administration has turned up the heat on China after declaring a national emergency designed ostensibly to protect US networks from “foreign adversaries.”

Although China and Huawei are not named in the declaration, it is widely seen as a move designed to target the latter. It will effectively extend the federal ban on Huawei equipment to all US firms.

Separately, and perhaps even more importantly, the Shenzhen giant and 70 affiliates have been placed on an “entity list.”

This means that it will not be able to source key components from US providers without Commerce Department approval.

Depending on whether this approval is granted or not, this could put the firm in a serious position similar to ZTE's when US firms were prohibited from selling to it after the Chinese telecoms firms broke Iran sanctions. At that time, only an intervention from Trump saved the company.

US officials told Reuters the decision would make it nearly impossible for Huawei to sell some of its products as they rely on US-made kit.

A White House statement revealed that the Executive Order invoked the International Emergency Economic Powers Act, which allows a President to interfere with commerce in order to protect national security. The Commerce Department now has 150 days to draw up an enforcement plan.

“The President has made it clear that this administration will do what it takes to keep America safe and prosperous, and to protect America from foreign adversaries who are actively and increasingly creating and exploiting vulnerabilities in information and communications technology infrastructure and services in the United States,” noted a message from the White House press secretary.

“This Executive Order declares a national emergency with respect to the threats against information and communications technology and services in the United States and delegates authority to the Secretary of Commerce to prohibit transactions posing an unacceptable risk to the national security of the United States or the security and safety of United States persons.”

Unsurprisingly, Huawei and China have hit back, claiming the order will not make the US safer but only result in delayed 5G roll-outs which will harm consumers.

Washington has so far failed to produce any hard evidence to suggest that Huawei is a national security risk, although Chinese law demands that any Middle Kingdom firm co-operate with the authorities if required.

However, UK intelligence services have raised serious concerns around the quality of the telecoms kit maker’s “security and engineering processes.”

Still, Prime Minister Theresa May recently overruled several Cabinet members in approving the firm to supply non-core 5G kit.

Steve Patton, director and cybersecurity Specialist at Telesoft Technologies, argued that a “measured approach” is needed to combat telecoms cyber risk.

“Even with a network built from other, non-Chinese vendors, there should be additional protection and — more importantly — monitoring of critical infrastructure to scan for threats,” he said.

“After all, given we live in a truly technological age, where cyber-threats are increasingly advanced, it's impossible to guarantee that any one vendor is fully immune from attacks.”

Why ISO 27005 risk management is the key to achieving ISO 27001 certification

If you’re familiar with ISO 27001, you’ll know that it’s the international standard for information security and contains the certification requirements that are expanded upon throughout the ISO 27000 series.

There are 46 standards in total in the series (although only a few apply to every organisation), of which ISO 27005, the risk management standard, is arguably the most important and easiest to get wrong.

What is risk management?

Risk management is the process of analysing how an organisation will be affected by a disruptive incident and what the consequences might be. This includes any scenario in which the confidentiality, integrity and availability of data is compromised.

Assessing these risks helps inform your decision about the best way to reduce risk to an acceptable level.

Getting this process right is essential, because your entire ISMS (information security management system) is shaped around your response to risks. You need an accurate estimation of how risks will play out in order to prioritise the biggest threats and adopt the appropriate controls.

What does ISO 27005 say?

As with every standard in the ISO 27000 series, ISO 27005 doesn’t prescribe a specific approach to risk management. This is because organisations have their own challenges and must tackle them in a way that suits them.

This is markedly different from other popular risk management standards such as OCTAVE and NIST SP 800-30, which adopt a one-size-fits-all approach and are perceived to restrict business efficiency and productivity.

That’s not to say organisations have to figure everything out themselves. ISO 27005 provides a detailed but flexible structure to meet its requirements, comprising five stages.

1. Identification

  • Identify assets: First, you need to locate every piece of information you hold and determine whether it is a ‘primary’ or ‘supporting’ asset. Primary assets are information or business processes, and supporting assets are related IT systems, infrastructure and people resources. Organisations are required to identify primary assets, and supporting assets that could have an impact on the primary asset, typically giving details about asset ownership, location and function.
  • Identify threats: Threats are many and varied, and should be continuously monitored to take into account new and emerging threats.
  • Identify vulnerabilities: Your organisation will have weaknesses in its technology, people (human error, malicious action, social engineering, etc.) and processes, all of which need to be identified.
  • Identify existing controls: Unlike other risk assessment methodologies, an ISO 27005 risk assessment requires an organisation to identify all of its existing controls and to take into account the protection provided by these controls before applying any new ones.

2. Assessment

ISO 27005 encourages organisations to focus their response efforts on the biggest threats, so you should use the information you’ve gathered about your assets, vulnerabilities and threats to prioritise the biggest risks.

There are many ways to do this, but the most common approach involves the following equation:

Risk = (the probability of a threat exploiting a vulnerability) x (total impact of the vulnerability being exploited)

Find out more about risk assessment >>

3. Treatment

Now that you know the level of risk that each threat poses, you need to decide how you’ll treat them. There are four options:

  • Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
  • Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them off-site. This option will make things less convenient for your employees but will drastically improve your security posture.
  • Share the risk  with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
  • Retain the risk. This means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.

The method you choose depends on your circumstances. Avoiding the risk is the most effective way of preventing a security incident, but doing so will probably be expensive if not impossible. For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.

You’ll therefore be required to modify most risks. This involves selecting the relevant information security controls, which are outlined in Annex A of ISO 27001 and explained further in ISO 27002.

4. Communication

You need to keep a record of how you are tackling the risk and inform anyone who might be affected.

For example, if you’ve modified the risk of certain sensitive documents being misappropriated by applying access controls to them, you should tell your employees. This ensures that, should a staff member be denied access when they have a legitimate need to view the information, they know what the issue is and what action to take.

Likewise, if you’re avoiding a risk by no longer doing whatever it is that caused the problem, you also need to pass on the message to your staff.

5. Review

Risk management (and ISO 27001 compliance generally) is an ongoing process, so you need to regularly monitor your management plan. This serves two purposes. First, it enables you to check whether the treatment options you selected are working as intended. You might find that a control you implemented isn’t addressing the risk as well as you’d hoped or that it’s simply not appropriate. Likewise, you might have chosen to avoid certain risks but found that they are still present.

Second, it enables you to assess the changing threat landscape. New risks will have emerged and existing ones might have transformed, forcing you to reassess your priorities and your approach to risk management.

Learn how to deliver effective ISO 27005 risk management

Our ISO 27005 Certified ISMS Risk Management training course is the ideal starting point for anyone who wants to know more about how to deal with information security threats.

This three-day course develops your understanding of the key areas of information risk management, and is based on recognised best practice and real-world examples.

Find out more >>

A version of this blog was originally published on 8 May 2017.

The post Why ISO 27005 risk management is the key to achieving ISO 27001 certification appeared first on IT Governance Blog.

BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor

The BlackTech cyber-espionage group exploited the ASUS update process for WebStorage application to deliver the Plead backdoor.

The cyber espionage group tracked as BlackTech compromised the ASUS update process for WebStorage application to deliver the Plead backdoor.

The BlackTech group was first observed by ESET on July 2018, when it was abusing code-signing certificates stolen from D-Link for the distribution of the Plead backdoor that has been in the wild since at least 2012.

According to the experts, the cyber espionage group is highly skilled and most of its victims are in the East Asia region, particularly Taiwan.

At the end of April 2019, experts from ESET observed observed multiple attempts to deploy the Plead backdoor. In the attacks observed by the researhcers, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe that is associated with the Windows client for a cloud storage service called ASUS WebStorage. The executable file used in the attack is digitally signed by ASUS Cloud Corporation.

Experts noticed that all observed samples of the Plead backdoor had the file name ‘Asus Webstorage Upate.exe.’ Experts discovered that
during the software update process, the AsusWSPanel.exe module of ASUS WebStorage can create files with such filenames.

Threat actors might have had access to the update mechanism a circumstance that suggest two attack scenarios:

  • Hackers hack compromise the supply chain for the ASUS WebStorage cloud service;
  • Hackers were in the position to carry out a MITM attack, given that WebStorage binaries are delivered via HTTP during the update process. 

Experts believe that the second scenario is more plausible updates for the
ASUS WebStorage software are not provided through a secure connection and the process lack of validation for the binaries downloaded.

“The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM).” reads the advisory published by ESET. “Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”

Experts from ESET noticed that most of the affected organizations have routers made by the same vendor and their admin panels are exposed online. It is likely that attackers compromised the routers to carry out a MitM attack.

Plead backdoor

During the update mechanism for ASUS WebStorage, the client sent a request to the server to request the update, in turn the server responds in XML format, with a guid and a link included in the response. The software then checks if the installed version is older, based on the information in the guid element, and requests the update binary via the provided link. 

“Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. attackers inserted a new URL, which points to a malicious file at a compromised gov.tw domain,” says ESET. 

The attackers serve a Plead sample that acts as a first-stage downloader that fetches a fav.ico file from a server, whose name mimics the official ASUS WebStorage server. The downloaded file contains a PNG image and data used by the malware, which is located right after PNG data

The second-stage loader writes itself to the Start Menu startup folder to gains persistence. The loader executes shellcode in memory to load the third-stage DLL, the TSCookie.

“We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe.” ESET concludes.  “This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks,”

Pierluigi Paganini

(SecurityAffairs – Plead Backdoor, Zero-day, BlackTech group)

The post BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor appeared first on Security Affairs.

Identity theft victims could lead us to accept more security-improving friction

Far too many individuals who have never been victims of identity theft and financial crimes don’t understand how devastating those are to victims. “There are many victim services organizations that assist violent crime victims and the understanding of the trauma and the victim experience is not questioned (which is very appropriate and as it should be),” Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), told Help Net Security. After all, we … More

The post Identity theft victims could lead us to accept more security-improving friction appeared first on Help Net Security.