Daily Archives: May 20, 2019

MuddyWater BlackWater campaign used new anti-detection techniques

A recent MuddyWater campaign tracked as BlackWater shows that the APT group added new anti-detection techniques to its arsenal.

Security experts at Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group (aka SeedWorm and TEMP.Zagros). 

The researchers also pointed out that the cyber espionage group has been updating its tactics, techniques, and procedures (TTPs), adding three distinct steps to its operations to avoid detection.

The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts named the campaign ‘MuddyWater’ because of the confusion in attributing a wave of attacks that took place between February and October 2017 against entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

In June 2018, Trend Micro researchers discovered a new attack relying on weaponized Word documents and PowerShell scripts that appeared related to the MuddyWater APT. The final payload delivered in the campaign was the PRB-Backdoor RAT, controlled by a command and control (C&C) server at outl00k[.]net.

This campaign aims at installing a PowerShell-based backdoor onto the victim’s machine for espionage purposes.

MuddyWater document

As part of the recent BlackWater campaign, the MuddyWater APT group leveraged an obfuscated Visual Basic for Applications (VBA) macro script to add a Run registry key and gain persistence.

The attackers then used a PowerShell stager script masquerading as a red-teaming tool, which downloaded a PowerShell-based Trojan from a C2 server.

The stager downloaded from the C2 a component of the FruityC2 agent script, an open-source framework on GitHub, which it used to enumerate the host machine.

“This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity.” reads the analysis published by Talos group. “Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field. This would make host-based detection more difficult, as an easily identifiable “errors.txt” file would not be generated.”

The cyberspies also replaced some variable strings in the more recent samples to evade signature-based detection by YARA rules.

Attackers used a document that, once opened, prompted the user to enable a macro titled “BlackWater.bas”. They protected the macro with a password to prevent users from viewing it in Visual Basic. The “Blackwater.bas” macro was obfuscated using a substitution cipher whereby each character is replaced by its corresponding integer.

“This series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300 seconds. An example of this beacon is “hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater”.” continues the analysis. “Notably, the trojanized document’s macro was also called “BlackWater,” and the value “BlackWater” was hard coded into the PowerShell script. Next, the script would enumerate the victim’s machine”

Experts conclude that even if the changes implemented by the threat actor were minimal, they were significant enough to avoid detection and to allow the group to continue to perform operations.
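The beacon described in the Talos quote above (a fixed URL with the campaign name hard-coded as a query value, repeated every 300 seconds) can be caught from the proxy side. The following is an added example, not code from Talos or from this post; the log line format and the sample lines are constructed, while the URL shape and the 300-second interval come from the article.

```python
"""Detect a BlackWater-style beacon in web proxy logs (added example).

Assumptions: a constructed log format "<ISO timestamp> <client> <method> <url>";
the beacon URL shape and the 300-second period are taken from the Talos analysis.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample proxy log lines. Host 10.0.0.5 shows the beacon pattern;
# 10.0.0.9 is ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
2019-05-20T10:00:00 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:00:07 10.0.0.5 GET http://example.org/index.html
2019-05-20T10:05:00 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:10:01 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:15:00 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:02:13 10.0.0.9 GET http://example.org/news
2019-05-20T10:03:44 10.0.0.9 GET http://cdn.example.net/a.js
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url}


def has_hardcoded_marker(url, marker="BlackWater"):
    """Indicator 1: the campaign name appears as a query-string value."""
    qs = parse_qs(urlparse(url).query)
    return any(marker in v for values in qs.values() for v in values)


def periodic_clients(records, period=300, tolerance=5, min_hits=3):
    """Indicator 2: the same client hits the same host+path at a near-fixed
    interval. Returns {(client, host, path): request_count} for regular keys."""
    by_key = defaultdict(list)
    for r in records:
        u = urlparse(r["url"])
        by_key[(r["client"], u.netloc, u.path)].append(r["ts"])
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) + 1 >= min_hits:
            hits[key] = len(regular) + 1
    return hits


def detect_beacons(log_text):
    """Run both indicators over the log text; marker hits are independent of
    timing, so a single request still fires, while periodicity needs a run."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    marker_hits = sorted({(r["client"], r["url"]) for r in records
                          if has_hardcoded_marker(r["url"])})
    return {"marker": marker_hits, "periodic": periodic_clients(records)}


if __name__ == "__main__":
    result = detect_beacons(SAMPLE_LOG)
    for client, url in result["marker"]:
        print(f"marker hit: {client} -> {url}")
    for (client, host, path), n in result["periodic"].items():
        print(f"periodic: {client} -> {host}{path} ({n} requests ~300s apart)")
```

The string marker is the brittle half (the article notes the actor already swaps variable strings to defeat YARA), so the periodicity check is the one worth keeping in a SIEM rule.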

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – MuddyWater, APT)

The post MuddyWater BlackWater campaign used new anti-detection techniques appeared first on Security Affairs.

Five ways automating IAM saves you money

Identity is the foundation of security, so a robust automated identity and access management (IAM) system is by far the best way to keep your company’s information safe. It’s also a great way to increase efficiency and save money. It’s no wonder so many businesses are adopting IAM systems. The global market value of identity and access management systems has grown from $4.5 billion in 2012 to $7.1 billion in 2018. By 2021, it is … More

The post Five ways automating IAM saves you money appeared first on Help Net Security.

US Commerce Department delays Huawei ban for 90 Days

The US Commerce Department will delay the announced Huawei ban by 90 days to avoid a major disruption of operations.

Over the weekend, the Reuters agency revealed in an exclusive report that Alphabet Inc’s Google had suspended some business with Huawei after Trump’s ban on the telco giant.

On Thursday, President Trump added Huawei Technologies to a trade blacklist, but on Friday, the U.S. Commerce Department said it was considering scaling back the decision on the company to “prevent the interruption of existing network operations and equipment”.

Now a Commerce Department filing has confirmed that the delay does not change Trump’s ban, but grants a 90-day temporary license that allows Huawei to continue doing business with American companies.

The Temporary General License aims at preventing disruption to the operations of the company that could have a dramatic impact on mobile users and broadband network operators.

“The Temporary General License grants operators time to make other arrangements and (gives) the Department space to determine the appropriate long term measures for Americans and foreign telecommunications providers that currently rely on Huawei equipment for critical services,” said Secretary of Commerce Wilbur Ross.

“In short, this license will allow operations to continue for existing Huawei mobile phone users and rural broadband networks.”

Huawei ban

While the tech giant is at the centre of a heated debate, Five Eyes intelligence agencies believe Huawei equipment for 5G infrastructure poses a “significant network security risk”; for this reason, they have asked mobile companies to avoid using the Chinese company’s equipment.

The Chinese company was founded by a former People’s Liberation Army official in 1987. The US was the first country to warn of the security risks associated with using products manufactured by the Chinese telecommunications giant.

US intelligence believes Huawei equipment is tainted with backdoors that could allow Chinese intelligence to spy on the communications networks of rival countries.

In November, The Wall Street Journal reported that the US Government is urging its allies to exclude Huawei from critical infrastructure and 5G architectures.

The United States highlighted the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy and Japan. Many countries are about to build 5G infrastructure, but their governments’ approaches differ completely.

Now the US Commerce Department has delayed the ban for 90 days. Experts believe that Huawei is only one of the Chinese companies that will face similar measures, because they could threaten the economic and technological leadership of the United States.


Pierluigi Paganini

(SecurityAffairs – Huawei ban, China)

The post US Commerce Department delays Huawei ban for 90 Days appeared first on Security Affairs.

Traditional approach to data security hindering digital transformation initiatives

Security professionals who adopted a more traditional or reactive approach to their data protection and security program did not believe they would reach their digital transformation goals, according to a TITUS report. The report, “The Vital Role of Security in Digital Transformation,” is based on a survey conducted by Market Strategies International of more than 600 IT decision makers at leading brands across a diverse set of industries in the United States, Canada and the … More

The post Traditional approach to data security hindering digital transformation initiatives appeared first on Help Net Security.

Instagram Influencer’s Account Information Exposed

The lives of Instagram influencers are public, and an exposed database seems to have added to the information available about them.

According to a TechCrunch report, account details of 49 million Instagram users, including influencers and brand accounts, have been published online. The database contains public data that appears to have been scraped from Instagram user profiles, as well as personal data such as telephone numbers and e-mail addresses.

According to the report, the database belongs to Chtrbox, an Indian marketing company that connects influencers with brands that want to promote their products. Chtrbox has not yet responded on the matter.

“We’re looking into the issue to understand if the data described — including email and phone numbers — was from Instagram or from other sources,” an Instagram spokeswoman said in a statement. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”

Instagram prohibits deleting accounts in its terms of service. Chtrbox’s website claims more than 184,000 Instagram influencers as customers, far fewer than the millions of records reportedly found in the database.

This is not the first time that high-profile Instagram users’ information has been exposed. In 2017, hackers used a software bug in the photo-sharing app to find the phone numbers and contact information of celebrities.

According to TechCrunch, independent cybersecurity researcher Anurag Sen found the data; the database is no longer publicly accessible. Under-protected cloud databases are a wider problem, one that grows as more and more companies place sensitive data on cloud servers without the necessary data security expertise. Researchers around the world look for exposed databases and try to get the owning companies to secure them. One example is a cache of demographic data on 80 million American households that was taken offline in April.

“Celebrity Instagram users might be at risk if hackers got their hands on their private email addresses,” said Mark Risher, head of account security at Google. He recommended Gmail users check their security settings through the Google Security Checkup and also set up extra login protections, including prompts and the Advanced Protection Program.

“Given the high-profile nature of some of these accounts, attackers may try to break into the email accounts as a means to impersonate the legitimate account holder,” Risher said.


The post Instagram Influencer’s Account Information Exposed appeared first on .

SD-WAN adoption growing as enterprises embrace app-centric architecture transition

The connected era and cloud-based environment have created a need to redesign network operations, according to ResearchAndMarkets. In addition, businesses find it operationally draining to utilize resources on ensuring a connected ecosystem rather than focusing on critical business issues. Software-defined Wide Area Network (SD-WAN) helps enterprises build an agile and automated environment, which is streamlined to support new-age cloud environments and traditional Multiprotocol Label Switching (MPLS) systems in a cost-efficient manner. To understand enterprise perceptions … More

The post SD-WAN adoption growing as enterprises embrace app-centric architecture transition appeared first on Help Net Security.

Engineering teams are struggling because they’re missing the right automation

Driven by the trend of microservices creating complexity in code delivery and every company becoming a technology company, the software development community is under enormous pressure to deliver high-quality, leading-edge, and scalable code to an insatiable market. Data from a new survey by Codefresh exposes the relentless pressure, with 32 percent reporting they were not using any CI/CD tools at all, and about 60 percent agreeing that their organizations are “not using the right amount … More

The post Engineering teams are struggling because they’re missing the right automation appeared first on Help Net Security.

Women and Nonbinary People in Information Security: Yaz

Last time, I spoke with technology marketing communicator Stacey Holleran. Our work is similar but different. Plus, she warned me about what I might expect from the tech industry in a few years when I turn 40! For my last interview until fall/autumn, I had the pleasure of speaking with Yaz. She went from the […]… Read More

The post Women and Nonbinary People in Information Security: Yaz appeared first on The State of Security.

Letting Go While Holding On: Managing Cyber Risk in Cloud Environments

As recently as 2017, security and compliance professionals at many of Tripwire’s large enterprise and government customers were talking about migration to the cloud as a possibility to be considered and cautiously explored in the coming years. Within a year, the tone had changed. What used to be “we’re thinking about it” became “the CIO […]… Read More

The post Letting Go While Holding On: Managing Cyber Risk in Cloud Environments appeared first on The State of Security.

ThreatQ adds support for mobile and PRE-ATT&CK in response to rapid customer adoption

ThreatQuotient, a leading security operations platform innovator, announced that the ThreatQ integration with MITRE ATT&CK now includes support for PRE-ATT&CK and Mobile. Together with Enterprise ATT&CK, the three-pronged framework creates an end-to-end attack chain that examines and assesses an adversaries’ actions. Since first integrating with MITRE ATT&CK in early 2018, ThreatQuotient has helped customers integrate the framework in their workflows to achieve a holistic view of their organization’s specific attack vectors and what needs to … More

The post ThreatQ adds support for mobile and PRE-ATT&CK in response to rapid customer adoption appeared first on Help Net Security.

Exabeam enhances security management approach and boosts cybersecurity degree program

Exabeam, the Smarter SIEM company, announced a partnership with Deakin University in Australia to strengthen its security management approach and bolster its already distinguished cybersecurity degree program, delivered through the School of IT. The university not only deployed Exabeam Advanced Analytics to help process the large amounts of generated data and spot anomalies on its network; it also turned to the security management leader’s industry expertise to build out its curriculum and initiate a real-life … More

The post Exabeam enhances security management approach and boosts cybersecurity degree program appeared first on Help Net Security.

Catchpoint’s new monitoring platform offers continuous visibility into all network dependencies

Catchpoint, the digital experience monitoring (DEM) leader, introduced Internet Intelligence, a new monitoring capability providing organizations with deeper visibility into the health and pathways of the external and internal networks upon which their applications or digital services depend. Internet Intelligence shows a network’s impact on the end user experience by continuously monitoring network health and network paths to private, public or hybrid clouds, CDNs, and other distributed IT architecture. This far-reaching visibility isolates degradations across … More

The post Catchpoint’s new monitoring platform offers continuous visibility into all network dependencies appeared first on Help Net Security.

Tata Communications and Cisco to enable enterprises a multi-cloud native hybrid network transformation

The leading global digital infrastructure provider Tata Communications and Cisco have extended their partnership to enable enterprises to transform their legacy network to a customised and secure multi-cloud native hybrid network. The combination of Tata Communications’ IZO cloud enablement platform and Cisco SD-WAN is a fully-managed, global solution that gives businesses greater control over their digital infrastructure, the ability to securely connect any user to any application location, and provide the assurance of application performance … More

The post Tata Communications and Cisco to enable enterprises a multi-cloud native hybrid network transformation appeared first on Help Net Security.

BC in the Cloud rebrands as Infinite Blue and expands its enterprise application business

BC in the Cloud announced its new name, Infinite Blue, and its acquisition of Rollbase, a low-code development platform that helps customers to deliver agile, adaptable business applications quickly, increasing speed to market. Infinite Blue’s new offering — Infinite Blue Platform — will combine a low-code development platform with a flexible deployment architecture to make it easier than ever to build, deploy and manage business applications. The company will use Infinite Blue Platform to power … More

The post BC in the Cloud rebrands as Infinite Blue and expands its enterprise application business appeared first on Help Net Security.

Mellanox launches Ethernet Cloud Fabric technology based on Spectrum-2

Mellanox Technologies, a leading supplier of high-performance, end-to-end smart interconnect solutions for data center servers and storage systems, introduced breakthrough Ethernet Cloud Fabric (ECF) technology based on Spectrum-2, the world’s most advanced 100/200/400 Gb/s Ethernet switches. ECF technology provides the ideal platform to quickly build and simply deploy state of the art public and private cloud data centers with improved efficiency and manageability. ECF combines three critical capabilities: Industry-leading packet forwarding data plane Agile, flexible … More

The post Mellanox launches Ethernet Cloud Fabric technology based on Spectrum-2 appeared first on Help Net Security.

Syncsort launches Syncsort Invent initiative to help orgs anticipate and embrace Next Wave technologies

Syncsort, the global leader in Big Iron to Big Data software, announced the launch of Syncsort Invent, an initiative focused on helping enterprises anticipate and embrace the Next Wave – an era that defines the new technologies and applications that are making existing data more useful. Syncsort Invent advances data by helping enterprises connect decades of data infrastructure investment with Next Wave technologies such as cloud and blockchain. “We believe that data makes the difference. … More

The post Syncsort launches Syncsort Invent initiative to help orgs anticipate and embrace Next Wave technologies appeared first on Help Net Security.

Syncurity IR-Flow SOAR platform now in the Oracle Cloud Marketplace

Syncurity, a market leader in Security Orchestration, Automation and Response (SOAR), and a Silver level member of Oracle PartnerNetwork (OPN), announced that its award-winning and patent-pending IR-Flow SOAR platform has achieved Powered by Oracle Cloud status and is now available in the Oracle Cloud Marketplace, offering added value to Oracle Cloud customers. The IR-Flow SOAR platform, Syncurity IR-Flow, enables a “process-first” approach to streamlining the entire incident management process — from proactive threat hunting and … More

The post Syncurity IR-Flow SOAR platform now in the Oracle Cloud Marketplace appeared first on Help Net Security.

Data belonging to Instagram influencers and celebrities exposed online

A new data leak has made the headlines: a database containing the contact information of millions of Instagram influencers, celebrities and brand accounts was found online.

The news was first reported by TechCrunch: the database was left unprotected on an AWS bucket, and anyone could access it without authentication.


The unprotected database was discovered by security researcher Anurag Sen, who immediately reported his discovery to TechCrunch in an effort to find the owner.

“A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.” states TechCrunch.

“At the time of writing, the database had over 49 million records — but was growing by the hour.”

The database contained public data scraped from influencers’ Instagram accounts, including their bio, profile picture, the number of followers they have, whether they’re verified and their location by city and country, together with private contact information: the email address and phone number of the Instagram account owner.

Each record in the database also contained a field that calculated the worth of each account.

The list of influencers in the archive includes prominent food bloggers, celebrities and other social media influencers.

According to TechCrunch, the database belongs to India-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts.

Strangely, two people contacted by TechCrunch who confirmed the authenticity of the data in the archive denied any involvement with Chtrbox.

“We contacted several people at random whose information was found in the database and provided them their phone numbers. Two of the people responded and confirmed their email address and phone number found in the database was used to set up their Instagram accounts.” continues the website. “Neither had any involvement with Chtrbox, they said.”

TechCrunch contacted Chtrbox, which secured the database, but it is not clear how the company obtained the data.

Facebook, which owns Instagram, announced that it is investigating the incident.

“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” reads a statement from Facebook. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available.”

In 2017, a vulnerability in the Instagram application allowed hackers to access information on high-profile users, including the phone numbers and email addresses of 6 million celebrities.


Pierluigi Paganini

(SecurityAffairs – Instagram, data leak)

The post Data belonging to Instagram influencers and celebrities exposed online appeared first on Security Affairs.

Lattice Semiconductor enhances its Lattice sensAI solutions stack

Lattice Semiconductor Corporation, the low power programmable leader, announced major performance and design flow enhancements for its award-winning Lattice sensAI solutions stack. The Lattice sensAI stack provides a comprehensive hardware and software solution for implementing low power (1mW-1W), always-on artificial intelligence (AI) functionality in smart devices operating at the Edge. IHS forecasts 40 billion devices will be operating at the network Edge by 2025. For reasons including latency, network bandwidth limitations, and data privacy, OEMs … More

The post Lattice Semiconductor enhances its Lattice sensAI solutions stack appeared first on Help Net Security.

Privacy Intelligence News & Insights: New Jersey and Washington Amend State Data Breach Notification Laws

On May 10, New Jersey Bill S-52 was signed into law, which amends the state’s data breach notification law to expand the definition of personal information. Under the amended law, effective September 1, 2019, “personal information” that requires a company to notify individuals if breached now includes a “user name, email address, or any other account holder identifying information, in combination with any password or security questions and answer.” In Washington, the state legislature passed an amendment to the existing data breach notification law that expands the list of data elements that require notification to individuals if breached in combination with an … Continue reading Privacy Intelligence News & Insights: New Jersey and Washington Amend State Data Breach Notification Laws

The post Privacy Intelligence News & Insights: New Jersey and Washington Amend State Data Breach Notification Laws appeared first on TrustArc Blog.

The Concept of "Return on Data"

This law review article by Noam Kolt, titled "Return on Data," proposes an interesting new way of thinking about privacy law.

Abstract: Consumers routinely supply personal data to technology companies in exchange for services. Yet, the relationship between the utility (U) consumers gain and the data (D) they supply -- "return on data" (ROD) -- remains largely unexplored. Expressed as a ratio, ROD = U / D. While lawmakers strongly advocate protecting consumer privacy, they tend to overlook ROD. Are the benefits of the services enjoyed by consumers, such as social networking and predictive search, commensurate with the value of the data extracted from them? How can consumers compare competing data-for-services deals? Currently, the legal frameworks regulating these transactions, including privacy law, aim primarily to protect personal data. They treat data protection as a standalone issue, distinct from the benefits which consumers receive. This article suggests that privacy concerns should not be viewed in isolation, but as part of ROD. Just as companies can quantify return on investment (ROI) to optimize investment decisions, consumers should be able to assess ROD in order to better spend and invest personal data. Making data-for-services transactions more transparent will enable consumers to evaluate the merits of these deals, negotiate their terms and make more informed decisions. Pivoting from the privacy paradigm to ROD will both incentivize data-driven service providers to offer consumers higher ROD, as well as create opportunities for new market entrants.

Linux kernel privilege escalation flaw CVE-2019-11815 affects RDS

Experts discovered a privilege escalation vulnerability in the Linux Kernel, tracked as CVE-2019-11815, that affects the implementation of RDS over TCP.

Experts discovered a memory corruption vulnerability in the Linux kernel that resides in the implementation of Reliable Datagram Sockets (RDS) over TCP.

The vulnerability, tracked as CVE-2019-11815, could lead to privilege escalation and received a CVSS base score of 8.1. It only affects Linux kernels prior to 5.0.8 that use the Reliable Datagram Sockets (RDS) over TCP module.

“An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.” reads the security advisory published by the NIST.

NIST classified the flaw as a race condition affecting the kernel’s rds_tcp_kill_sock in net/rds/tcp.c.

According to the NIST scoring, the vulnerability could be exploited by a remote attacker with no privileges over the network, and the issue doesn’t require user interaction.

An attacker could exploit the vulnerability to access restricted information or trigger a denial of service condition. 

“A system that has the rds_tcp kernel module loaded (either through autoload via local process running listen(), or manual loading) could possibly cause a use after free (UAF) in which an attacker who is able to manipulate socket state while a network namespace is being torn down,” reads the advisory published by Red Hat.

According to a note included in the security advisory published by Canonical, there is no evidence that the bug is remotely exploitable. 

“I haven’t yet seen evidence to support allegations that this is remotely exploitable. Blacklisting rds.ko module is probably sufficient to prevent the vulnerable code from loading.” said Seth Arnold from Ubuntu’s security team. “The default configuration of the kmod package has included RDS in /etc/modprobe.d/blacklist-rare-network.conf since 14.04 LTS. I’m dropping priority as a result.”

Both SUSE and Debian also published security advisories for the CVE-2019-11815 vulnerability.
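The mitigation Seth Arnold describes (keep rds.ko from loading) and the exposure condition in the Red Hat quote (the module is already loaded) can be checked on a host in a few lines. This is an added example, not code from any of the advisories; inputs are passed in as strings so it runs offline, and the uname, lsmod and modprobe.d samples are constructed.

```python
"""Host check for CVE-2019-11815 exposure (added example, not from the advisories).

Assumptions: the caller supplies `uname -r`, `lsmod` output and the concatenated
text of /etc/modprobe.d/*.conf as strings; the samples below are constructed.
"""
import re

FIXED_IN = (5, 0, 8)  # upstream fix per the NIST advisory


def parse_kernel_version(uname_r):
    """'4.15.0-50-generic' -> (4, 15, 0); '5.0.8' -> (5, 0, 8)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def kernel_before_fix(uname_r):
    """True if the version predates 5.0.8. Not proof of vulnerability on its
    own: distributions backport fixes without bumping the upstream version."""
    return parse_kernel_version(uname_r) < FIXED_IN


def rds_modules_loaded(lsmod_text):
    """Names of loaded rds* modules, read from the first column of `lsmod`."""
    names = []
    for line in lsmod_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if fields and fields[0].startswith("rds"):
            names.append(fields[0])
    return sorted(names)


def rds_blocked(modprobe_conf_text):
    """True if modprobe.d config keeps rds from loading.

    'blacklist rds' stops alias-based autoload (the listen() path in the Red
    Hat advisory); 'install rds /bin/false' (or /bin/true) also defeats an
    explicit modprobe, which a plain blacklist does not."""
    for raw in modprobe_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if re.fullmatch(r"blacklist\s+rds", line):
            return True
        if re.fullmatch(r"install\s+rds\s+/bin/(false|true)", line):
            return True
    return False


def assess(uname_r, lsmod_text, modprobe_conf_text):
    """Combine the three signals into one verdict string."""
    loaded = rds_modules_loaded(lsmod_text)
    if loaded:
        return "exposed: RDS modules loaded (%s)" % ", ".join(loaded)
    if not kernel_before_fix(uname_r):
        return "ok: kernel version at or after the upstream fix"
    if rds_blocked(modprobe_conf_text):
        return "mitigated: rds blacklisted, vulnerable code cannot autoload"
    return "at risk: pre-5.0.8 kernel and rds not blacklisted"


# Constructed sample inputs.
SAMPLE_LSMOD_CLEAN = """Module                  Size  Used by
xt_conntrack           16384  1
bridge                155648  0
"""
SAMPLE_LSMOD_RDS = SAMPLE_LSMOD_CLEAN + (
    "rds_tcp                24576  0\n"
    "rds                   118784  1 rds_tcp\n")
SAMPLE_BLACKLIST = """# constructed excerpt in the style of blacklist-rare-network.conf
blacklist rds
blacklist tipc
"""

if __name__ == "__main__":
    print(assess("4.15.0-50-generic", SAMPLE_LSMOD_CLEAN, SAMPLE_BLACKLIST))
    print(assess("4.15.0-50-generic", SAMPLE_LSMOD_RDS, SAMPLE_BLACKLIST))
    print(assess("4.15.0-50-generic", SAMPLE_LSMOD_CLEAN, "# nothing blocked\n"))
    print(assess("5.1.0", SAMPLE_LSMOD_CLEAN, ""))
```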


Pierluigi Paganini

(SecurityAffairs – Linux, CVE-2019-11815)

The post Linux kernel privilege escalation flaw CVE-2019-11815 affects RDS appeared first on Security Affairs.

Criminals Hack Forum Used for Trading Stolen Credentials

This is really interesting: a popular online forum that hackers have been using to trade stolen credentials has itself been hacked!

Reports confirm that OGusers, a popular online forum used by hackers to trade stolen account credentials, has been hacked and that this has exposed the sensitive personal data of many of its users.

Brian Krebs writes, in his website KrebsOnSecurity, “Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.”

It all started on May 12, when an administrator of OGusers explained to forum members that an outage had caused a hard drive failure, erasing several months’ worth of private messages, forum posts and prestige points. He also stated that he had restored a backup from January 2019. What the OGusers administrators didn’t realize was that, coinciding with the outage, the forum’s user database had been stolen and its hard drives wiped. Four days later, on May 16, the administrator of the rival hacking community RaidForums uploaded the entire OGusers database for anyone to download for free.

The KrebsOnSecurity report quotes the message that RaidForums administrator Omnipotent has posted. It reads, “On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

Brian Krebs further says, “The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).”

Experts point out that although the exposed passwords are hashed, the fact that the hashing algorithm was MD5, an old and fast algorithm that is easily cracked, puts all of the passwords at risk of exposure.

Since OGusers is already known as a forum that attracts people who hijack phone numbers to take over victims’ social media, financial accounts, email, etc., and sell such access for thousands of dollars, the exposure has caused shock among many in the community. Anxious members responded promptly and, as per Brian Krebs, some of them even complained of being targeted by phishing emails. It’s also reported that some members expressed anger at the main administrator of OGusers. Members even seemed to claim that the main administrator, who uses the nickname ‘Ace’, altered the functionality of the forum following the hack so as to prevent users from removing their accounts.

On the other hand, reports say that an OGusers administrator commented, after the hack was disclosed, that though members’ frustration is understandable, it’s to be noted that even Twitter, Facebook and other Forums that people have used have been breached more than once.

Brian Krebs concludes his report with a very relevant remark. He says, “It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”


The post Criminals Hack Forum Used for Trading Stolen Credentials appeared first on .

Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim’s machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater’s latest TTPs.


The post Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques appeared first on Cisco Blog.

Episode 496 – The Most Dangerous Email Attachment Types

Email is still the number one communication method used today. People also use it primarily to send files back and forth. Even though you may know and trust a source, you should still be cautious about the file types being sent and have security controls in place to ensure those files do not inadvertently cause problems. […]

The post Episode 496 – The Most Dangerous Email Attachment Types appeared first on Security In Five.

How to Get the Best Layered and Integrated Endpoint Protection

Security teams have historically been challenged by the choice of separate next-gen endpoint security technologies or a more integrated solution with a unified management console that can automate key capabilities.

At this point it’s not really a choice at all – the threat landscape requires you to have both. The best layered and integrated defenses now include a broad portfolio of advanced prevention technologies, endpoint security controls, and advanced detection/response tools – all within an integrated system that goes beyond alerts and into insights that even a junior analyst can act on.

More Endpoints = More Vulnerabilities

Endpoints are long beyond on-premises servers, PCs, and traditional operating systems. Internet of things devices such as printers, scanners, point-of-sale handhelds, and even wearables are vulnerable and can provide entry points for organized attacks seeking access to corporate networks. Mobile devices—both BYOD and corporate issued—are among the easiest targets for app-based attacks. Per the 2019 McAfee Mobile Threat Report, the number one threat category was hidden apps, which accounted for almost one-third of all mobile attacks.

Many enterprises are unaware of their target-rich endpoint environments, resulting in security teams struggling to maintain complete vigilance. A 2018 SANS Survey on Endpoint Protection and Response revealed some sobering statistics:

  • 42% of respondents report having had their endpoints exploited
  • 84% of endpoint breaches include more than one endpoint
  • 20% didn’t know whether they’d been breached

Endpoint attacks are designed to exploit the hapless user, including web drive-by, social engineering/phishing, and ransomware. Because these attacks rely on human actions, there’s a need for increased monitoring and containment, along with user education.

The latest attacks have the ability to move laterally across your entire environment, challenging every endpoint until a vulnerability is found. Once inside your walls, all endpoints become vulnerable. Modern endpoint security must extend protection across the entire digital terrain with visibility to spot all potential risks.

Less Consoles = Better Efficiency

A 2018 MSA Research report on security management commissioned by McAfee revealed that 55% of organizations struggle to rationalize data when three or more consoles are present. Too many security products, devices, and separate consoles call for a large budget and additional employees who might struggle to maintain a secure environment.

In contrast, a single management console can efficiently coordinate the defenses built into modern devices while extending their overall posture with advanced capabilities—leaving nothing exposed. With ever-changing industry requirements, an integrated endpoint security approach ensures that basic standards and processes are included and up to date.

Why McAfee Endpoint Security

McAfee offers a broad portfolio of security solutions that combine established capabilities (firewall, reputation, and heuristics) with cutting-edge machine learning and containment, along with endpoint detection and response (EDR) into a single-agent all-inclusive management console.

Is it time you took a fresh look at your strategy? Learn more in this white paper: Five ways to rethink your endpoint protection strategy.

The post How to Get the Best Layered and Integrated Endpoint Protection appeared first on McAfee Blogs.

Ecuador Shares Assange’s Legal Docs with US


Complying with a request by US authorities, Ecuadorian officials are preparing to hand over documents that are reportedly the entire legal defense against Julian Assange, compiled during the time he has been living in the Ecuadorian embassy in London, according to WikiLeaks.

"On Monday Ecuador will perform a puppet show at the embassy of Ecuador in London for their masters in Washington, just in time to expand their extradition case before the UK deadline on 14 June," WikiLeaks editor-in-chief Kristinn Hrafnsson said. "The Trump administration is inducing its allies to behave like it's the Wild West."

Assange’s lawyers are reportedly not permitted to be present during what is being called the “illegal seizure of his property.”

“The material includes two of his manuscripts, as well as his legal papers, medical records and electronic equipment. The seizure of his belongings violates laws that protect medical and legal confidentiality and press protections,” WikiLeaks said.

Ecuadorian officials also refused a request by the UN special rapporteur on privacy, who asked for permission to monitor Ecuador's seizure of Assange's property.

The US had previously asked Ecuador to share audiovisual material and additional documents, which had reportedly been collected during an internal spying operation against Assange, WikiLeaks said.

"It is extremely worrying that Ecuador has proceeded with the search and seizure of property, documents, information and other material belonging to the defense of Julian Assange, which Ecuador arbitrarily confiscated, so that these can be handed over to the agent of political persecution against him, the United States. It is an unprecedented attack on the rights of the defence, freedom of expression and access to information exposing massive human rights abuses and corruption. We call on international protection institutions to intervene to put a stop to this persecution," said Baltasar Garzón, international legal coordinator for the defense of Assange and WikiLeaks.

Though Ecuador is obviously not a part of the EU, "if arguing that because Assange is an EU resident and therefore subject to the protections of GDPR, Article 23 makes a pretty strong case that those protections become restricted if revealing that data was a matter of national defense or if some other form of legal matter, either criminal or civil, is involved,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.

“While I’m not a lawyer, it seems likely that all nations involved would have a good chance of demonstrating some sort of legal action involved here and thus, make this action a non-event under the provisions of GDPR. Morally, there’s a whole other argument here that could (and should, in my opinion) be had. However, I’m not sure there’s much that can or will be done under GDPR in this case.”

Publishers and Privacy: How Ad-Supported Websites Can Manage Privacy and Minimize Risk

Content publishers, media and other advertising-supported websites have already had to grapple with the privacy requirements put forth in the EU General Data Protection Regulation (GDPR). Similar regulations are also in force in a number of other countries in the Americas, Europe and Asia. In addition, at the start of 2020, publishers will have to comply with the California Consumer Privacy Act (CCPA). Still more privacy regulations are being advanced and debated in other U.S. states, and around the world. In fact, more than ten different U.S. states, including Massachusetts and Texas, are in the process of considering privacy laws …

The post Publishers and Privacy: How Ad-Supported Websites Can Manage Privacy and Minimize Risk appeared first on TrustArc Blog.

Why AI Innovation Must Reflect Our Values in Its Infancy

In my last blog, I explained that while AI possesses the mechanics of humanness, we need to train the technology to make the leap from mimicking humanness with logic, rationality and analytics to emulating humanness with common sense. If we evolve AI to make this leap the impact will be monumental, but it will require our global community to take a more disciplined approach to pervasive AI proliferation. Historically, our enthusiasm for and consumption of new technology has outpaced society’s ability to evolve legal, political, social, and ethical norms.

I spend most of my time thinking about AI in the context of how it will change the way we live. How it will change the way we interact, impact our social systems, and influence our morality.  These technologies will permeate society and the ubiquity of their usage in the future will have far reaching implications. We are already seeing evidence of how it changes how we live and interact with the world around us.

Think Google. It excites our curiosity and puts information at our fingertips. What is tripe – should I order it off the menu? Why do some frogs squirt blood from their eyes? What does exculpatory mean?

AI is weaving the digital world into the fabric of our lives and making information instantaneously available with our fingertips.

AI-enabled technology is also capable of anticipating our needs. Think Alexa. As a security professional I am a holdout on this technology, but the allure of it is indisputable. It makes the digital world accessible with a voice command. It understands more than we may want it to – Did someone tell Alexa to order coffee pods and toilet tissue, and if not, how did Alexa know to order toilet tissue? Maybe some things I just don’t want to know.

I also find it a bit creepy when my phone assumes (and gets it right) that I am going straight home from the grocery store letting me know, unsolicited, that it will take 28 minutes with traffic. How does it know I am going home? I could be going to the gym. It’s annoying that it knows I have no intention of working out. A human would at least have the decency to give me the travel time to both, allowing me to maintain the illusion that the gym was an equal possibility.

On a more serious note, AI-enabled technology will also impact our social, political and legal systems. As we incorporate it into more products and systems, issues related to privacy, morality and ethics will need to be addressed.

These questions are being asked now, but in anticipation of AI becoming embedded in everything we interact with it is critical that we begin to evolve our societal structures to address both the opportunities and the threats that will come with it.

The opportunities associated with AI are exciting.  AI shows incredible promise in the medical world. It is already being used in some areas. There are already tools in use that leverage machine learning to help doctors identify disease related patterns in imaging. Research is under way using AI to help deal with cancer.

For example, in May 2018, The Guardian reported that skin cancer research using a convolutional neural network (CNN – based on AI) detected skin cancer 95% of the time compared to human dermatologists who detected it 86.6% of the time. Additionally, facial recognition in concert with AI may someday be commonplace in diagnosing rare genetic disorders, that today, may take months or years to diagnose.

But what happens when the diagnosis made by a machine is wrong? Who is liable legally? Do AI-based medical devices also need malpractice insurance?

The same types of questions arise with autonomous vehicles. Today it is always assumed a human is behind the wheel in control of the vehicle. Our laws are predicated on this assumption.

How must laws change to account for vehicles that do not have a human driver? Who is liable? How does our road system and infrastructure need to change?

The recent Uber accident case in Arizona determined that Uber was not liable for the death of a pedestrian killed by one of its autonomous vehicles. However, the safety driver who was watching TV rather than the road, may be charged with manslaughter. How does this change when the car’s occupants are no longer safety drivers but simply passengers in fully autonomous vehicles. How will laws need to evolve at that point for cars and other types of AI-based “active and unaided” technology?

There are also risks to be considered in adopting pervasive AI. Legal and political safeguards need to be considered, either in the form of global guidelines or laws. Machines do not have a moral compass. Given that the definition of morality may differ depending on where you live, it will be extremely difficult to train morality into AI models.

Today most AI models lack the ability to determine right from wrong, ill intent from good intent, morally acceptable outcomes from morally reprehensible outcomes. AI does not understand if the person asking the questions, providing it data or giving it direction has malicious intent.

We may find ourselves on a moral precipice with AI. The safeguards or laws I mention above need to be considered before AI becomes more ubiquitous than it already is. AI will enable humankind to move forward in ways previously unimagined. It will also provide a powerful conduit through which humankind’s greatest shortcomings may be amplified.

The implications of technology that can profile entire segments of a population with little effort are disconcerting in a world where genocide has been a tragic reality, where civil obedience is coerced using social media, and where trust is undermined by those who use misinformation to sow political and societal discontent.

There is no doubt that AI will make this a better world. It gives us hope on so many fronts where technological impasses have impeded progress. Science may advance more rapidly, medical research may progress beyond current roadblocks, and daunting societal challenges around transportation and energy conservation may be solved. It is another tool in our technological arsenal, and the odds are overwhelmingly in favor of it improving the global human condition.

But realizing its advantages while mitigating its risks will require commitment and hard work from many conscientious minds from different quarters of our society. We as the technology community have an obligation to engage key stakeholders across the legal, political, social and scientific community to ensure that as a society we define the moral guardrails for AI before it becomes capable of defining them, for or in spite of, us.

Like all technology before it, AI’s social impacts must be anticipated and balanced against the values we hold dear.  Like parents raising a child, we need to establish and insist that the technology reflect our values now while its growth is still in its infancy.

The post Why AI Innovation Must Reflect Our Values in Its Infancy appeared first on McAfee Blogs.

New South Wales Announces New Cybersecurity Position


In an attempt to centralize all of the state’s cyber efforts and strategies, New South Wales (NSW) has announced a new Cyber Security NSW office, to be led by Tony Chapman, chief cybersecurity officer, according to a May 20 press release.

Chapman assumed the position today, which falls under the department of customer service, and wrote via LinkedIn, “The changes reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government.

I am performing the functions previously undertaken by the NSW Government Chief Information Security Officer (GCISO), established in March 2017, with a renewed focus on securing digital transformation and the continual improvement of customer service outcomes.”

To enable digital transformation, a part of the overall vision of the new customer service cluster, the office will focus on improving cybersecurity capabilities and standards to include a coordinated cyber-incident response plan and develop strategic cyber-policy positions through a revitalized cybersecurity senior officers’ group (CSSOG), according to Chapman.

To see the vision of the new customer service cluster to its fruition, Chapman said he will work to strengthen ties across NSW's government, other states' governments and the federal government to establish cybersecurity best practices that will yield better results for citizens.

“A key component of the role will be driving a culture of risk management and awareness to support greater resilience to cyber security threats. Tony and his team will build on the digital transformation work occurring across the NSW government, ensuring our digital spaces are safeguarded against cyber threats,” said the state government's chief information and digital officer, Greg Wells, in the press release.

“Cybersecurity NSW will continue its critical work enhancing whole-of-government cyber security capabilities and standards on behalf of NSW. It will also work more closely with the information and privacy commission on security, privacy and the availability of systems and services during the State’s digital transformation.”

Don’t have your account hijacked. Secure your online accounts with more than a password, says Google

Research published at the end of last week argues that the typical user can significantly harden the security of their online accounts by linking a recovery phone number that can send an alert if there is suspicious activity on the account.

Read more in my article on the Hot for Security blog.

Online Account Hijacker Forum OGUsers Hacked


An online forum used by those involved in online account hijacking has been breached, according to KrebsonSecurity.

An attack on OGUsers.com leaked the personal information of nearly 113,000 people. Krebs reportedly received a copy of the database, which included usernames, email addresses, hashed passwords, private messages and IP addresses.

The RaidForums administrator Omnipotent announced to forum members that he had made the OGUsers forum database available for download, writing:

Hello RaidForums Community,

Today I have uploaded the OGUsers Forum Database for you to download for free, thanks for reading and enjoy!

On the 12th of May 2019 the forum ogusers.com was breached; 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I'm the first to tell you the truth, view his statement here or if you don't want to visit their website view it here. According to his statement he didn't have any recent backups so I guess I will provide one on this thread lmfao.

Compromised data: Website activity, Usernames, Emails, IP Addresses, Passwords (Salted MD5), Source code, Website data, User private messages.

While users on the OGUsers.com forum expressed concern about their identities being revealed as a result of the hack, Krebs said, “It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”

Defiant Tech firm who operated LeakedSource pleads guilty

The Royal Canadian Mounted Police (RCMP) announced that Defiant Tech Inc., the company behind LeakedSource, has pleaded guilty in Canada.

Defiant Tech Inc., the company behind the LeakedSource.com website, pleaded guilty in Canada.

The LeakedSource website was launched in late 2015; in January 2017 the popular data breach notification website was raided by federal authorities.

It reported some of the largest data breaches, including the ones that affected Last.fm, Rambler.ru, FriendFinder Networks, LinkedIn, and MySpace.

In December 2017, Canadian man Jordan Evan Bloom (27) was charged in connection with the leak of 3 billion hacked accounts; he was running a website that collected personal data and login credentials from the victims.

The man was charged as part of an investigation dubbed “Project Adoration,” covering trafficking in personal data, unauthorized use of computers, and possession of illicitly obtained property.

The RCMP alleges that Bloom was the administrator of the LeakedSource.com website, which operated through his company Defiant Tech.

LeakedSource offered for sale access to data gathered from the victims of security breaches, sometimes buying it from hackers.

For $2 a day, a LeakedSource subscriber could obtain the details on an individual by entering their email address or username. LeakedSource also cracked the associated passwords when it was possible. The website was very popular among users of HackForums.net.

“A guilty plea was entered in court today by Defiant Tech Inc., to the charges of Trafficking In Identity Information and Possession of Property Obtained By Crime a year and a half after charges were laid into the RCMP’s cybercrime investigation dubbed Project “Adoration”,” reads the press release published by the RCMP.

“LeakedSource.com had a database of approximately three billion personal identity records and associated passwords that could be purchased for a small fee. Defiant Tech Inc. was operating the LeakedSource.com website and the company earned approximately $247,000 from trafficking identity information.”

The arrest of Bloom is the result of a joint effort of Canadian authorities, FBI and Dutch National Police.

According to the Royal Canadian Mounted Police, Defiant Tech made around CAN$247,000 (US$183,000) from its illegal activities.

“We are pleased with this latest development,” said Superintendent Mike Maclean, Officer in Charge Criminal Operations of the RCMP National Division. “I am immensely proud of this outcome as combatting cybercrime is an operational priority for us.”

According to the experts, Bloom didn’t operate the website alone; at least one other US citizen was involved, but no one else was charged.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – cybercrime, LeakedSource)

The post Defiant Tech firm who operated LeakedSource pleads guilty appeared first on Security Affairs.

How to write a business continuity plan: the easy way

Earthquake. Flood. Cyber attack. The threat of disruption looms over organisations more ominously than ever, thanks to the increasing infiltration of technology in business processes, consumer expectations and the rapid rise in cyber crime.

You’ll rarely get advance warning about disruptions, so you need to prepare for whatever might come your way with a BCP (business continuity plan).

In this blog, we explain how a BCP works, what it covers and how to create one.

What is a business continuity plan?

A BCP outlines the processes and procedures that an organisation must follow to continue operating in the event of a disruption. The steps outlined in a BCP are typically a set of temporary measures or quick fixes to ensure that the most important business operations remain functional, even if at the cost of overall productivity.

Organisations’ top priorities tend to be their technologies, and for good reason. Network connections, online systems, phone lines, network drives, servers and business applications are all vulnerable to a range of disruptions and can cause huge headaches if they are compromised.

But business continuity planning isn’t about recovering IT. It’s primarily concerned with critical activities that, if disrupted, could immediately jeopardise your productivity or the availability of your services. In that regard, it simply considers IT a critical resource for preserving those activities – in other words, a dependency.

However, recovering your IT may take some time, so you should have a plan on how to manage in the meantime. Such temporary solutions may well be lo-fi; even so, organisations must outline them in a BCP to ensure employees know what’s expected of them.

Business continuity vs disaster recovery

BCPs shouldn’t be confused with DRPs (disaster recovery plans), even though they both tackle the immediate aftermath of a disruption.

Business continuity focuses primarily on ensuring that you maintain functionality – even if at reduced capacity – in the event of an incident while attending to the disruption. Disaster recovery is a purely corrective measure that looks to recover to full IT functionality as quickly as possible.

These concepts might sound similar, but business continuity’s focus on reviving the most critical business functions first is a crucial difference, and one that makes it a good idea to keep it separate from disaster recovery. Disaster recovery is usually used only in an IT context: semi-functioning technology often isn’t good enough for operations, but achieving full recovery may take some time.

Business continuity recognises that time is of the essence, and often involves temporary fixes that ensure vital operations continue. Recovery is also time-sensitive; temporary solutions don’t tend to offer the same level of productivity, so you don’t want to rely on them for long.

Whether taking a disaster recovery or business continuity approach, your objective should be to create a plan that buys you enough time to recover within an acceptable timeframe as defined by your RTO (recovery time objective). Just remember that business continuity has to consider two timeframes: when to be up and running again, and when to be back to full functionality.

Common threats to business continuity

Most disruptions that you will experience fall into one of these categories:

  • Natural disasters

Earthquakes, hurricanes and wildfires might spring to mind when you think of natural disasters, and although they often disrupt business, you only need to worry about them if you live in a part of the world where they are known to occur.

However, natural disasters also include snowstorms, heavy wind and floods, which are less dependent on geography but can still disrupt business, and which you should therefore plan for.

  • Man-made disasters

Your main concern in this category should be events that damage or disrupt transport routes, like car accidents and train crashes. If a major road or rail network is shut down, you might be unable to receive deliveries, and employees and customers might not be able to reach you.

Other man-made disasters include oil spills, terrorist acts, industrial accidents and acts of war.

  • Utility failures

Electrical fires and burst pipes can cause huge problems for organisations and are liable to occur at any time.

A fire or flood could damage expensive equipment or require a room to be vacated. If a sewage line is broken, the sanitary risk (not to mention the smell) could force the organisation to send its employees home.

  • Technological failures

Sometimes technology can simply stop working. Systems crash, files are lost and documents go missing. The whys of technological failures are so manifold and unpredictable that it’s impossible to anticipate how or when they will occur – just consider them an ever-present risk that will materialise at some point, so be ready for when they occur.

  • Human error

An organisation’s staff is often its biggest security weakness. Employees will lose or accidentally expose data from time to time, and although staff awareness training will reduce the risk, it won’t eradicate the threat. Humans inevitably make mistakes, and you need to be aware of that when planning for disruptions.

  • Sabotage

Employees might also breach data deliberately. This typically happens if they are disgruntled at work (maybe they were turned down for a promotion) or have left the organisation acrimoniously and their login credentials are still active.

There’s also the possibility that staff will simply be lured by the financial gain from stealing sensitive information and selling it on the dark web.

  • Cyber attacks

The most frequent examples of cyber attacks include phishing emails (which are designed to steal information), brute-force attacks (in which crooks use automated software to crack an employee’s password) and ransomware (which locks down an organisation’s system until a fee is paid).

These are far from the only threats you need to plan for, though. Organisations’ networks and the applications used will contain dozens of vulnerabilities that crooks are always looking to exploit.

Why business continuity planning is so important

The most obvious reason to implement a BCP is to ensure that your organisation remains productive in the event of a disruption. Customers must still be able to use your services, employees must be able to continue doing their job and you can’t allow yourself to face a huge backlog of work as the delay continues.

But business continuity isn’t only about short-term goals. The cyber security landscape has become increasingly volatile in recent years, with cyber crime continuing to spiral and organisations’ reliance on technology leading to vast numbers of accidental and deliberate data breaches. As a result, organisations need to prove to customers and stakeholders that they are prepared for anything.

Business continuity is especially important for OES (operators of essential services) and DSPs (digital service providers), as a disruption could cause major problems for a large section of the population. To ensure that such organisations are sufficiently prepared for risks, the EU adopted the NIS Directive, which was transposed into UK law as the NIS (Network and Information Systems) Regulations 2018.

DSPs within the Regulations’ scope are explicitly required to put business continuity measures in place. Although the same isn’t true of OES, they should still consider implementing a BCP as a means of providing a more reliable service.

Benefits of business continuity planning

Beyond the obvious reasons to implement a BCP (to remain functional in the event of a disruption), you should also consider its ability to:

  • Protect your organisation’s reputation: If you demonstrate a fast and efficient response to disruption, the public will almost certainly be impressed by the way you operate. This will mitigate the negative sentiment that accompanies any loss of productivity, and it might even improve your reputation.
  • Boost employees’ morale: No one wants to work in a chaotic environment, so your staff will be pleased to know that management has a plan in case things go wrong. If the plan is well written (which we’ll show you how to do shortly), everyone in the organisation will be accounted for, which will prove to employees that management has considered their needs.
  • Build your relationship with third parties and subsidiaries: An effective BCP demonstrates that the organisation is being run well from top to bottom, which will encourage anyone that you work with. It shows that you are a reliable partner that has taken into account its responsibilities to customers, employees and partners.

Writing your business continuity plan: 8 simple steps

  1. Purpose and scope of the BCP

Your first task is to define the purpose and scope of the plan. This is especially relevant if your organisation comprises several subsidiaries or is based in different locations, as each one will have its own requirements.

If this is the case, it’s up to you to decide whether to create one plan that covers each subsidiary/location separately or to focus on just one part of your business.

  2. Responsibilities

The next step is to decide which employee(s) will be responsible for enacting the plan. You might opt to put one person in charge of the plan or delegate responsibility to people across your organisation.

Small organisations might be able to get away with a single leader, as there’s a good chance that a senior member of staff will have oversight of every department and its needs. However, if that’s not the case, a group of employees will need to share responsibility.

You also need to identify who has the authority to grant financial costs outside of the normal department budget. This could be the same person (or people) responsible for enacting the plan, or it could be a specific duty assigned to someone else.

  3. Invoking the BCP

This step defines when and how the plan will take effect. After all, it’s not always clear that a serious (and possibly planned-for) disruption has occurred; it’ll often begin with, say, the office lights going out and employees looking across the room at each other asking: ‘What’s going on?’

It’s only when someone takes charge that you can determine what caused the problem and how to respond. You don’t need to get into specifics here (that’s covered in step four), but you do need to document who will get the process started, how response teams will be mobilised and where those responsible for enacting the plan should meet.

  4. Specific BCP content

This is the meat of your plan, containing the actions you will take to recover from various incidents. It will be the result of two other processes – the risk assessment and the BIA (business impact analysis) – in which you identify the threats you face and the way your organisation will be affected by them.

Once you’ve collected this information, you should take each business disruption and outline:

  • Steps that must be taken to protect individuals (staff, customers and third parties) during the business disruption;
  • Actions that should be taken to contain the disruption and prevent further loss, disturbance or unavailability of prioritised activities;
  • Guidelines on record-keeping requirements during and after the incident (such as what needs to be recorded and where);
  • Prioritised recovery objectives and the actions and resources that are needed to achieve them; and
  • Internal and external (inter)dependencies and interactions, and how these might impact one another during a disruptive incident.

  5. Communications

This stage focuses on internal and external communications. Internal communication refers to the way you will keep employees informed about the state of the business, something that’s particularly important if your usual modes of communication are disabled due to the disruption.

In the event of serious disruptions, you should also consider contacting employees’ next of kin to update them on their wellbeing. This is both thoughtful and prevents your organisation’s phone lines being jammed by concerned family members.

External communication refers to the way you will deal with the media regarding the incident. If the disruption is severe enough, you should release a statement explaining the nature of the incident, what has been affected and how you are responding. In extreme cases, you might also be obliged to give interviews, in which case you should decide who will represent your organisation and what your strategy will be.

  6. Stakeholders

You will be required to contact stakeholders as soon as possible following a disruption, so your BCP should contain their contact details for easy reference.

  7. Appoint a business continuity manager

The business continuity manager is responsible for documenting the plan and keeping it safe. They are also responsible for reviewing the plan to make sure the information is accurate. For example, if someone with BCP responsibilities leaves the organisation, the business continuity manager should flag this, so the team can appoint a successor.

  8. Change management

Once the plan is finalised, it should be published in hard copy and as a digital file, and be made accessible to all members of staff.

Every time changes are made to the BCP, you must ensure that the digital and hard-copy forms are updated.

Don’t forget to test your plan

The only way to be sure that your plan works is by testing (or ‘validating’) it. How often you test the plan is up to you, but we recommend doing it at least twice a year or whenever there are substantial changes to your organisation.

There are three types of test that you can conduct:

a. Table-top exercise

A table-top exercise is essentially a read-through of the plan. Senior employees and those with BCP responsibilities should go through the plan together, looking for gaps and ensuring that all business units are represented.

b. Structured walkthrough

A structured walkthrough is like a rehearsal, with each team member role-playing their responsibilities according to specified disruptions. The objective is to familiarise employees with their responsibilities and to make sure the plan works as intended.

You might choose to simulate the process across the entire organisation, but it can obviously be difficult to make everyone available at the same time, particularly given that the walkthrough will probably have to occur outside of office hours. As such, you might choose to split the walkthrough across the week, with one or two departments playing out a disaster at a time.

c. Disaster simulation testing

A disaster simulation test is essentially a dress rehearsal. You create a test environment that simulates an actual disaster across the entire organisation and then put the plan into action.

Unlike other types of test, you aren’t looking for gaps as you go. Instead, you should see the plan through to its conclusion, so you know exactly what the consequences of your actions (or lack thereof) are. Only after you’ve seen the plan through to the end should you review your actions and look for ways to improve.

Business continuity planning made simple

Anyone looking for help on how to develop and document their BCP should take a look at our free BCP template.

It expands on the eight steps we’ve listed in this article, showing you exactly how to structure your plan.


The post How to write a business continuity plan: the easy way appeared first on IT Governance Blog.

Six Best Password Managers for Online Protection in 2019

We at HackerCombat have always emphasized the importance of passwords and password management in cybersecurity. At a time when even individual users have to manage many login IDs and passwords, it is a herculean task for organizations to manage the large number of passwords at their disposal. (Remember: from a security point of view, it is never advisable to reuse the same password across different accounts or services.) The best thing an organization can do about password handling is to use a decent password manager.

Here is our list of the six best password managers for online protection in 2019:

Keeper, from Keeper Security Inc.

Keeper, from Keeper Security Inc., runs on Windows, Linux and Mac. It is aimed at business enterprises and other organizations but can also be used by individuals or family groups. Keeper combines two-factor authentication with secure file storage. Other notable features include version history (the ability to restore previous versions of a user’s records), emergency access that lets up to five designated contacts reach a subscriber’s passwords, and custom fields for keeping personal records (driving licence numbers, passport data and so on) in the app. Storage options are flexible.

LastPass Password Manager

LastPass, available for Windows, Linux, Mac and Chrome, offers two-factor authentication, free credit monitoring, an auto-fill feature that streamlines shopping, multiple identities and more. Once the user sets a master password, LastPass can import all saved login credentials from Chrome, Firefox, Edge, Opera and Safari; from then on the user only needs to remember the master password. Because LastPass stores the encrypted vault on its cloud servers, users can reach their passwords from machines other than their own PC, and they can share entries with members of their family group or organization. A built-in password generator creates unique passwords for each site. The premium version adds further authentication options, syncing with mobile devices and priority tech support. LastPass is a good choice for its interface and feature set.

Sticky Password, from the AVG Antivirus team

Sticky Password, created by the team behind the AVG antivirus, runs on Windows, macOS, iOS and Android. It supports a wide range of browsers, especially on the desktop, offers encrypted cloud syncing between devices and, in addition to conventional sign-in, supports Face ID and fingerprint sign-in. It is simple to use, comes in a free version and a premium version with extra cloud features, uses AES-256 encryption and includes a strong password generator.


1Password, from AgileBits Inc.

1Password, developed by AgileBits Inc., runs on Windows, macOS, Android, iOS and Chrome OS and also works as a browser extension for Chrome, Safari, Firefox, Edge and Opera. Notable features include reliable username and password storage with secure sharing, a strong password generator, a digital wallet (for logins, card data, network passwords and so on) and an intuitive interface. Its highlight is the built-in Watchtower service, which alerts users when a site they hold an account with is breached. Data can be synced locally or between computers via iCloud, Dropbox and similar services. There is no free version of 1Password.

LogMeOnce Password Manager

LogMeOnce is one of the better password managers for Mac OS X and also syncs passwords across Windows, iOS and Android. Notable features include two-factor authentication, AES-256 encryption of stored passwords and the Mugshot feature, which takes a photograph of an intruder when a break-in is detected and tracks the device’s location in case it is stolen.

Dashlane Password Manager

Dashlane, available for Windows, iOS, Mac and Android, supports two-factor authentication and lets users change the passwords for multiple websites with a few clicks. Passwords are encrypted with AES-256 and can be stored locally or synced automatically across devices. Dashlane’s automatic password changer updates account passwords without the user visiting each site. There is a free version for individual users, but businesses need the paid edition, which carries an annual fee.


The post Six Best Password Managers for Online Protection in 2019 appeared first on HackerCombat.

Sajid Javid announces overhaul of espionage and treason laws

New bill needed to tackle hostile activity by Russia and others, says home secretary

Hostile state actors – spies, assassins or hackers directed by the government of another country – are to be targeted by refreshed espionage and treason laws, the home secretary has announced.

In a speech to security officials in central London, Sajid Javid revealed plans to publish a new espionage bill to tackle increased hostile state activity from countries including but not limited to Russia.


Chronicle experts spotted a Linux variant of the Winnti backdoor

Security researchers from Chronicle, Alphabet’s cyber-security division, have spotted a Linux variant of the Winnti backdoor.

Security experts at Chronicle, Alphabet’s cyber-security division, have discovered a Linux variant of the Winnti backdoor. It is the first time that researchers have found a Linux version of the backdoor used by the China-linked APT groups tracked as Winnti.


The experts believe that several APT groups operate under the Winnti umbrella, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda and ShadowPad. The groups show similar tactics, techniques and procedures (TTPs) and in some cases shared portions of the same hacking infrastructure.

Chronicle researchers made the discovery while investigating the cyber attack that hit the pharmaceutical company Bayer in April.

Searching for samples of Winnti malware on its VirusTotal platform, the experts discovered a Linux variant of Winnti dating back to 2015. At the time, the malware was used in the hack of a Vietnamese gaming company.

“In April 2019, reports emerged of an intrusion involving Winnti malware at a German pharmaceutical company,” reads the analysis published by Chronicle. “Analysis of these larger convoluted clusters is ongoing. While reviewing a 2015 report of a Winnti intrusion at a Vietnamese gaming company, we identified a small cluster of Winnti samples designed specifically for Linux.”

Technical analysis of the Linux version of the Winnti backdoor revealed two files: the main backdoor (libxselinux) and a library (libxselinux.so) used to evade detection on the infected host.

The Winnti backdoor has a modular structure and implements distinct functionalities through plugins. During the analysis the researchers were unable to recover any active plugins, but they believe the attackers use additional Linux modules for remote command execution, file exfiltration and SOCKS5 proxying on the infected host.

Further analysis revealed many code similarities between the Linux version of the Winnti variant and the Winnti 2.0 Windows version.

“The decoded configuration is similar in structure to the version Kaspersky classifies as Winnti 2.0, as well as samples in the 2015 Novetta report,” continues the report. “Embedded in this sample’s configuration are three command-and-control server addresses and two additional strings we believe to be campaign designators. In Winnti ver. 1, these values were designated as ‘tag’ and ‘group’.”

Like Windows variants of the Winnti backdoor, the Linux version also handles outbound communications using multiple protocols including ICMP, HTTP, as well as custom TCP and UDP protocols.

The Linux version also implements another feature that allows threat actors to initiate connections to infected hosts without requiring a connection to a control server.

The feature could allow attackers to directly access infected systems when access to the hard-coded control servers is disrupted.

“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted. Additionally, the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts.” continues the report. “This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts.”

In 2016, the Winnti hackers also hit German heavy industry giant ThyssenKrupp to steal company secrets.

The Thyssenkrupp CERT has also published technical information about this passive-listening feature, along with an Nmap script that can identify Winnti infections through network scanning.

“An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant,” concludes the report, which includes IoCs and YARA rules for identifying the threat.
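As an added illustration of the host-side checks a responder could run for the indicators named above (this is example code written for this page, not Chronicle’s or the Thyssenkrupp CERT’s tooling), the script below parses /proc/<pid>/maps and ss -tlnp style output, looking for the two file names from the report and for listening sockets outside an expected baseline. The sample maps and socket lines are constructed, the listening port and the baseline are assumptions, and the watchlist contains only the two names the report gives:

```python
"""Host-side triage for the Linux Winnti indicators named in the Chronicle
report: a process binary called 'libxselinux' and a hiding library
'libxselinux.so'. Everything else here (sample data, port, baseline) is
constructed for the example and is not taken from the report."""
import re
from typing import Dict, Iterable, List, Tuple

# Only these two basenames come from the report; any name you add is your own assumption.
SUSPICIOUS_BASENAMES = {"libxselinux", "libxselinux.so"}

# Constructed /proc/<pid>/maps excerpts (not real captures).
SAMPLE_MAPS: Dict[int, str] = {
    1234: """55d0c2a00000-55d0c2a21000 r--p 00000000 08:01 131090 /usr/bin/sshd
7f3a1c000000-7f3a1c1d6000 r--p 00000000 08:01 262403 /usr/lib/x86_64-linux-gnu/libc.so.6
""",
    4321: """5643e4a00000-5643e4a40000 r-xp 00000000 08:01 919191 /usr/sbin/libxselinux
7f8b20000000-7f8b20010000 r-xp 00000000 08:01 919192 /usr/lib/libxselinux.so
7f8b20200000-7f8b203d6000 r--p 00000000 08:01 262403 /usr/lib/x86_64-linux-gnu/libc.so.6
""",
}

# Constructed `ss -tlnp`-style listener lines (not real output; the port is invented).
SAMPLE_LISTENERS = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=2222,fd=6))
LISTEN 0 50 0.0.0.0:45678 0.0.0.0:* users:(("libxselinux",pid=4321,fd=5))
"""

# Assumed baseline of (port, process) pairs that are expected on this host.
EXPECTED_LISTENERS = {(22, "sshd"), (443, "nginx")}

MAPS_PATH_RE = re.compile(r"\s(/\S+)$")
SS_LINE_RE = re.compile(
    r'LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def suspicious_mappings(maps_by_pid: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (pid, path) for every mapped file whose basename is on the watchlist."""
    hits = []
    for pid, maps_text in maps_by_pid.items():
        for line in maps_text.splitlines():
            m = MAPS_PATH_RE.search(line)
            if m and m.group(1).rsplit("/", 1)[-1] in SUSPICIOUS_BASENAMES:
                hits.append((pid, m.group(1)))
    return hits


def unexpected_listeners(ss_output: str, expected: Iterable[Tuple[int, str]]) -> List[Tuple[int, str, int]]:
    """Return (port, process, pid) for listening sockets not in the baseline.

    A passive implant waits for inbound connections instead of beaconing out,
    so it shows up among listeners rather than in outbound traffic logs."""
    expected = set(expected)
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE_RE.search(line)
        if not m:
            continue
        port, proc, pid = int(m.group(1)), m.group(2), int(m.group(3))
        if (port, proc) not in expected:
            found.append((port, proc, pid))
    return found


def triage(maps_by_pid: Dict[int, str], ss_output: str, expected) -> List[int]:
    """Pids flagged by both checks: the strongest signal this script can give."""
    mapping_pids = {pid for pid, _ in suspicious_mappings(maps_by_pid)}
    listener_pids = {pid for _, _, pid in unexpected_listeners(ss_output, expected)}
    return sorted(mapping_pids & listener_pids)


if __name__ == "__main__":
    for pid, path in suspicious_mappings(SAMPLE_MAPS):
        print(f"pid {pid} maps watchlisted file {path}")
    for port, proc, pid in unexpected_listeners(SAMPLE_LISTENERS, EXPECTED_LISTENERS):
        print(f"unexpected listener :{port} ({proc}, pid {pid})")
    print("pids flagged by both checks:", triage(SAMPLE_MAPS, SAMPLE_LISTENERS, EXPECTED_LISTENERS))
```

Because libxselinux.so exists to hide the backdoor, /proc on a live host may not show it at all; run the mapping check against a disk image or from a trusted boot medium, and treat the listener check as a complement to a network-side scan such as the Thyssenkrupp CERT Nmap script rather than a replacement for it.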


Pierluigi Paganini

(SecurityAffairs – Winnti, Linux malware)

The post Chronicle experts spotted a Linux variant of the Winnti backdoor appeared first on Security Affairs.

Company Behind LeakedSource Pleads Guilty after RCMP Investigation

A company responsible for helping to operate LeakedSource.com has submitted a guilty plea following an investigation by the Royal Canadian Mounted Police (RCMP). On 17 May, Defiant Tech Inc. pleaded guilty to the charge of “trafficking in identity information and possession of property obtained by crime” in association with an investigation surrounding LeakedSource. RCMP initiated […]

The post Company Behind LeakedSource Pleads Guilty after RCMP Investigation appeared first on The State of Security.

LeakedSource Company Pleads Guilty


The operators of an infamous breached credentials site have pleaded guilty to trading in stolen information, according to Canadian police.

Defiant Tech, which owns the LeakedSource website, entered the plea on Friday at a court in Ottawa, a brief notice from the Royal Canadian Mounted Police (RCMP) stated.

The charges of “trafficking in identity information and possession of property obtained by crime” came after an investigation was launched by the police in 2016, when the RCMP found that servers hosting LeakedSource were located in Quebec.

Project “Adoration,” as it was known, saw the RCMP’s newly formed National Division Cybercrime Investigative Team receive assistance from the Dutch National Police and the FBI.

In December 2017, Jordan Evan Bloom, 27, from Thornhill, Ontario, was arrested on suspicion of making an estimated C$247,000 ($200,000) from the business.

The now-defunct site had a database of around three billion passwords and identity records, which users could access via simple search functionality for a fee. This information is said to have been purchased from hackers and lifted from the public domain. Data was taken from big-name companies like LinkedIn and MySpace.

"We are pleased with this latest development,” said superintendent Mike Maclean, officer in charge of criminal operations for RCMP National Division.

“This is all thanks to the relentless efforts put in by our men and women working in the National Division Cybercrime Investigative Team. I am immensely proud of this outcome as combating cybercrime is an operational priority for us."

A second man is suspected to have conspired with Bloom, but charges have so far not been brought.

Ex-CIA Man Gets 20 Years for Handing China Secrets


A former CIA intelligence officer has been sentenced to two decades behind bars after being found guilty last year of passing defense secrets to China.

Kevin Patrick Mallory, 62, of Leesburg, was found guilty by a federal jury in June 2018 of conspiracy to deliver, attempted delivery, delivery of national defense information to aid a foreign government, and making material false statements.

He is said to have been paid $25,000 for handing classified documents to 'Michael Yang,' a Chinese intelligence officer he met in Shanghai in March and April 2017.

These documents included information on CIA informants, according to the Department of Justice.

Fluent Mandarin-speaker Mallory is said to have scanned the Top Secret documents onto an SD card at his local FedEx store. Yet although he shredded the originals, the FBI found the storage device carefully hidden, during a search of his home.

The disgraced former spy worked for various government agencies and defense contractors, including roles as a covert case officer for the CIA and an intelligence officer for the Defense Intelligence Agency (DIA). His Top Secret clearance is said to have been terminated in 2012 when he left government service.

“Former US intelligence officer Kevin Patrick Mallory will spend the next 20 years of his life in prison for conspiring to pass national defense information to a Chinese intelligence officer,” said assistant attorney general for national security, John Demers.

“This case is one in an alarming trend of former US intelligence officers being targeted by China and betraying their country and colleagues. This sentence, together with the recent guilty pleas of Ron Hansen in Utah and Jerry Lee in Virginia, deliver the stern message that our former intelligence officers have no business partnering with the Chinese, or any other adversarial foreign intelligence service.”

Lee is thought to have provided the information needed to take down a major CIA network in China between 2010 and 2012. The US is believed to be at a distinct intelligence disadvantage now with regards to China.

Google will block Huawei from using Android and its services

Reuters has reported exclusively that Alphabet Inc’s Google has suspended some business with Huawei after Trump’s ban on the telco giant.

The news is a bombshell: Google has suspended some business with Huawei after Trump’s ban on the Chinese telco giant.

In November, The Wall Street Journal reported that the US Government is urging its allies to exclude Huawei from critical infrastructure and 5G architectures.

The United States is highlighting the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.


The decision is a blow to Huawei and has a significant impact on its strategy.

Just on Thursday, President Trump added Huawei Technologies to a trade blacklist, but on Friday the U.S. Commerce Department said it was considering scaling back the restrictions on the company to “prevent the interruption of existing network operations and equipment”.

“Alphabet Inc’s Google has suspended business with Huawei that requires the transfer of hardware, software and technical services except those publicly available via open source licensing,” reported Reuters.

Google explained that there will be no impact on current owners of Huawei devices running Google software because they will continue to receive updates provided by the US firm.

“We are complying with the order and reviewing the implications,” said a Google spokesperson.

“For users of our services, Google Play and the security protections from Google Play Protect will continue to function on existing Huawei devices,”

The decision will disrupt the Chinese firm’s commercial activity outside China: anyone who buys a new Huawei device will have no access to Google’s Android updates or to Google services, including the Google Play Store and the Gmail and YouTube apps.

Google confirmed that Huawei will only be able to use the public version of Android (Android Open Source Project (AOSP)), but the users of the Chinese giant will not be able to get access to proprietary apps and services from Google.

The Google decision could make it impossible for the Chinese company to sell its devices abroad and other companies could interrupt any trade with the company fearing repercussions.

Intel Corp, Qualcomm Inc, Xilinx Inc, and Broadcom Inc have already announced that they will not supply critical software and components to Huawei until further notice.

Is the Chinese giant ready to face this earthquake?

According to the company, it is already working to develop its own technology fearing a total block from US companies.

“Huawei has said it has spent the last few years preparing a contingency plan by developing its own technology in case it is blocked from using Android. Some of this technology is already being used in products sold in China, the company has said.” reported the Reuters.

“No matter what happens, the Android Community does not have any legal right to block any company from accessing its open-source license,” Eric Xu, rotating chairman of Huawei, told Reuters in March.


Pierluigi Paganini

(SecurityAffairs – Android, Google)

The post Google will block Huawei from using Android and its services appeared first on Security Affairs.

Chipmakers Cut Huawei Shipments


European and US chipmakers have stopped supplying Huawei with products while Google will cease providing technical Android support from the next OS iteration, as Donald Trump’s executive order starts to bite.

Google said in a tweet yesterday: “while we are complying with all US gov't requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device.”

However, it’s believed the same will not be true of new Huawei handsets. Google is also set to cut key support for the operating system from its next version, which could leave users without apps like YouTube and Google Maps, according to reports.

Huawei could still use the open source version of Android, although it has been developing an in-house OS which it could also switch across to in the event that Trump’s executive order is not reversed.

The firm is also being hit as global chipmakers cut supplies in compliance with the order. Qualcomm (smartphones), Intel (servers and laptops), Xilinx and Broadcom (networking kit) and many other US producers, as well as German chipmaker Infineon, have reportedly taken immediate action.

Huawei produces some processors and modems for its smartphones in-house, so Qualcomm’s decision is perhaps the least likely to affect it. The firm is said to have stockpiled other types of chips for several months while it waits to see whether the US action is a bargaining play or is set for the long-term.

Trump signed an executive order last week banning “foreign adversaries” from providing telecoms equipment in the US. However, Huawei and 70 subsidiaries were also placed on an “Entity List” meaning US firms are not able to supply it with their products unless Huawei is granted a special license from the Commerce Department.

Although the tech firms have already taken action, the department is still drawing up the enforcement plan, and has 150 days to do so.

3 Ways to Improve Your Online Store’s Cyber Security

If you don’t do your utmost to ensure that your online store is safe to use, you could end up putting your customers in real danger. From their money being stolen to their personal data being exposed, any kind of harm could befall your site’s users if you do not take cyber security seriously. Make sure, then, that you do.

When it comes to improving your online store’s cybersecurity measures, the following advice makes for essential reading.

Make your mobile payments safer

One of the fastest-growing e-commerce trends is mobile payment. As Oberlo’s article on mobile shopping trends notes, this is because the process prioritises convenience and makes buying a whole lot simpler. You would be foolish not to let your customers pay for things on your store from their mobile devices.

Allowing this kind of payment does come with its share of drawbacks, the biggest being that it isn’t always the safest form of transaction. That doesn’t mean you can’t strengthen your mobile payment process, though. Measures that you can and should put in place include:

  • Only ever using a trusted payment platform, so that card data is handled by the provider rather than stored on your own systems
  • Ensuring that any payment terminals you use are NFC-enabled
  • Encrypting traffic on your network with TLS so that sensitive information cannot be read in transit

Switch to HTTPS

In this day and age, if you continue to stick with the HTTP protocol, your online store will be a sitting duck for cyber criminality. If you’re serious about safety, you must switch to HTTPS.

Created initially to safeguard the most sensitive parts of e-commerce sites, such as the payment process, HTTPS is now used to protect whole websites. Serving every page over HTTPS means that your visitors’ data is encrypted and authenticated in transit between their browser and your server, so it cannot be read or tampered with on the way. It protects data in transit only; it does nothing for data at rest or for vulnerabilities in the store’s own code, which still need to be addressed separately.
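The function below is an added example, not from the original post, of how to check that the switch has actually been made end to end: it takes the responses for the http:// and https:// versions of a page and reports a missing redirect, a missing or short Strict-Transport-Security header, and cookies set without the Secure attribute. The responses, the host name shop.example and the six-month max-age threshold are constructed assumptions:

```python
"""Audit of the HTTP-to-HTTPS switch, run against constructed responses rather
than a live site. The checks, thresholds and sample data are assumptions made
for this example, not something from the original post."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

SIX_MONTHS = 15552000  # seconds; an assumed minimum for Strict-Transport-Security max-age


@dataclass
class Response:
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    set_cookies: List[str] = field(default_factory=list)

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; returns '' when absent."""
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=31536000; includeSubDomains' into {directive: value}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def audit(http_resp: Response, https_resp: Response) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    host = urlsplit(http_resp.url).hostname

    # 1. Plain-HTTP requests must be permanently redirected to HTTPS on the same host.
    if http_resp.status not in (301, 308):
        findings.append(f"http://{host} answered {http_resp.status}, expected a permanent redirect")
    else:
        location = http_resp.header("Location")
        target = urlsplit(location)
        if target.scheme != "https" or target.hostname != host:
            findings.append(f"redirect target {location!r} is not https://{host}")

    # 2. HSTS so browsers stop sending plain HTTP at all after the first visit.
    hsts = parse_hsts(https_resp.header("Strict-Transport-Security"))
    if "max-age" not in hsts:
        findings.append("Strict-Transport-Security header missing")
    elif not hsts["max-age"].isdigit():
        findings.append(f"HSTS max-age {hsts['max-age']!r} is not a number")
    else:
        if int(hsts["max-age"]) < SIX_MONTHS:
            findings.append(f"HSTS max-age {hsts['max-age']} is shorter than six months")
        if "includesubdomains" not in hsts:
            findings.append("HSTS does not cover subdomains")

    # 3. Cookies set over HTTPS must never be sent back over plain HTTP.
    for cookie in https_resp.set_cookies:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=')[0]} lacks the Secure attribute")
    return findings


# Constructed responses (not captured from any real site): a store that has not
# finished the switch, and the same store after fixing each finding.
WEAK = (
    Response("http://shop.example", 200, {"Content-Type": "text/html"}),
    Response("https://shop.example", 200, {"Strict-Transport-Security": "max-age=300"},
             ["session=abc123; Path=/; HttpOnly"]),
)
FIXED = (
    Response("http://shop.example", 301, {"Location": "https://shop.example/"}),
    Response("https://shop.example", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
             ["session=abc123; Path=/; HttpOnly; Secure"]),
)

if __name__ == "__main__":
    for label, pair in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(*pair) or "no findings")
```

In practice the two Response objects would be built from real requests to the http:// and https:// URLs; the checks stay the same.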

Protect your Admin Panel

Your admin panel is the part of your store that attackers find easiest to go after. All it takes is a weak password, and hackers can have a field day with all of the data stored in the backend of your site.

To protect your Admin Panel, you need to:

If they were to encounter trouble with a cybercriminal while using your online store, you can be sure that your customers will not give you a second chance. They will lose trust in you instantly, and more than likely never return to you again — and they’ll tell everybody that they know to avoid your website in the future, too, for good measure. If you don’t take cybersecurity seriously, you could also even find yourself in hot water with the authorities. The impact cyber criminality could have on your online store is something you should want to avoid at all costs, which is why you must put all of the above advice into practice as soon as possible.

The post 3 Ways to Improve Your Online Store’s Cyber Security appeared first on CyberDB.

Amnesty International filed a lawsuit against Israeli surveillance firm NSO

Amnesty International filed a lawsuit against Israeli surveillance firm NSO and fears its staff may be targeted by the company with its Pegasus spyware.

The name NSO Group made the headlines last week after the disclosure of the WhatsApp flaw exploited by the company to remotely install its surveillance software.

The Israeli firm is now facing a lawsuit backed by Amnesty International, but the non-governmental organization fears its staff may be under surveillance spyware delivered leveraging the WhatsApp issue.

The lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization calls on the Israeli ministry of defence to ban the export of the Pegasus surveillance software developed by NSO Group.

“An affidavit from Amnesty is at the heart of the case, and concludes that “staff of Amnesty International have an ongoing and well-founded fear they may continue to be targeted and ultimately surveilled” after a hacking attempt last year.” reads the post published by The Guardian.

“The Israeli government’s Defence Export Controls Agency has failed to exercise proper oversight “despite serious allegations of abuse”, the affidavit claimed, adding: “Because of DECA’s inaction, NSO Group can continue to sell its software to governments known to target human rights defenders.””

Officially, the sale of the surveillance software is limited to authorized governments, to support agencies’ investigations into criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

In July, Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi Arabia, where the Israeli surveillance software is becoming very popular.

In August, an Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, the trade in surveillance software is getting out of control.

In August, the human rights group published a report that provides details on the attack against an employee at Amnesty International. The hackers attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.


The organization added that such attacks are becoming even more frequent, with a growing amount of Israeli surveillance software being used to spy on human rights workers and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

The Guardian reported that NSO Group already faced many other lawsuits, such as the one backed by Omar Abdulaziz, a Saudi dissident based in Montreal. In December Abdulaziz filed a lawsuit in Israel in which he claimed that his phone was infected with the NSO spyware when he was in regular contact with the journalist Jamal Khashoggi.

In November, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

Khashoggi is believed to have been killed by Saudi Arabia’s agents, and the country licensed NSO software in 2017, paying $55m for the technology.

NSO said it wants to demonstrate that it is not involved in any abuse of its technology, and it prepared a 26-page report to reply to the accusations made by Amnesty and Citizen Lab.

It is worth noting that in early 2019 a majority stake in NSO was acquired by the London-based firm Novalpina Capital, founded by the banker and philanthropist Stephen Peel.

The Guardian reported an excerpt of the reply to Amnesty, signed by Peel, which states that in “almost all” of the cases where complaints of human rights abuse were raised, the alleged victim of hacking had not been a target or the government in question had acted with “due lawful authority”.

“We believe that the reality is different. We’ve seen them target human rights organisations and no evidence they’ve been able to effectively control governments when complaints have been raised.” replied Danna Ingleton, the deputy director of Amnesty’s technology division.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – NSO Group, Amnesty International)

The post Amnesty International filed a lawsuit against Israeli surveillance firm NSO appeared first on Security Affairs.

On the path to Zero Trust security: Time to get started

No need to belabour the point. We all know that trying to defend the network perimeter is a bit futile in today’s mobile and cloud first world. So, the obvious question – what’s next? Vendors are quick to come to your aid with their latest, next generation, virtualized, machine learning and AI based security platform. Industry analysts on the other hand are proposing various security frameworks and approaches for reducing risk. Whether it’s Gartner with … More

The post On the path to Zero Trust security: Time to get started appeared first on Help Net Security.