Daily Archives: July 18, 2019

New infosec products of the week: July 19, 2019

Perimeter 81 ensures zero trust access to web applications without an agent Zero Trust Application Access is designed to meet the demands of today’s ever-expanding modern network and ensure fully secured, isolated and agentless access to an organization’s critical web applications, SSH, RDP, VNC and Telnet in an emulated, streamlined and seamless way, regardless of where employees connect. Privitar extends data-protection and safe data-analysis capabilities of its Publisher product With Privitar Publisher 3.0, companies can … More

The post New infosec products of the week: July 19, 2019 appeared first on Help Net Security.

36TB Data Breach: The Culprit, Lenovo’s Obsolete Iomega NAS

The probability that Lenovo has earned the infamous record of becoming the subject of the world’s biggest data breach in history is shaping up fast. The culprit? A still-online legacy Iomega storage system harboring a security flaw, which was still being used as an internal NAS drive, was left within Lenovo’s infrastructure for many months, and was tapped by an external party. Iomega was a well-known external storage company incorporated in 1980, a trailblazer of early high-capacity devices such as the Zip and Jaz disks of the late ‘90s. It merged with Lenovo, creating a subsidiary, a shadow of its former self, now known as LenovoEMC.

Vertical Structure, a penetration testing service firm, disclosed the information in a blog article titled “Best Practices in Identifying and Remediating Vulnerabilities”. An estimated 13,000 LenovoEMC spreadsheet files, reaching a total size of 36TB, were indexed in the data breach and leaked by unknown parties. Yes, you read it right, 36 Terabytes worth of spreadsheets, with a “T”, apparently containing sensitive personal information, including financially sensitive data.

Lenovo confirmed the data breach in an official press release posted on its support page. The bug in the legacy Iomega storage NAS is documented as CVE-2019-6160. “A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API. Update to the firmware level (or later) described for your system in the Product Impact section. If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks,” explained LenovoEMC.

The irony of Lenovo’s own press statement is that the company itself is the primary victim of its own hardware’s security flaw. During the period of the leak incident, around 5,114 of these legacy vulnerable NAS devices were still in full operation within Lenovo’s network. Using these end-of-life devices in the company’s daily operations is regarded as irresponsible use of equipment from the standpoint of IT security professionals: although the devices were operational inside Lenovo’s own network, they are not supported in any way by its subsidiary LenovoEMC, so they were left running without any bug-fixing process. The primary difference between a supported product and a discontinued one is that the latter’s firmware is no longer patched to fix security flaws.

“Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it,” emphasized Vertical Structure.

The most conflicting advice Lenovo gave its users on how to handle the CVE was to update the firmware. Such advice does not apply to Iomega NAS drives that have already reached the end of their life cycle. It is not yet clear whether Lenovo has already shut down the NAS devices involved in the data breach incident.


NSS Labs test exposes weaknesses in NGFW products

Firewalls are the most widely deployed network security devices. Enterprises expect next generation firewalls (NGFWs) to prevent exploits and malware from infecting critical systems. NSS Labs 2019 NGFW Group Test NSS Labs announced the results of its 2019 NGFW Group Test. Twelve of the industry’s NGFW products were tested to compare NGFW product capabilities across multiple use cases. Products were assessed for security effectiveness, total cost of ownership (TCO), and performance. This is the ninth … More

The post NSS Labs test exposes weaknesses in NGFW products appeared first on Help Net Security.

New open source solution reduces the risks associated with cloud deployments

An open source user computer environment (UCE) for the Amazon Cloud, called Galahad, has been launched by the University of Texas at San Antonio (UTSA). The technology will fight to protect people using desktop applications running on digital platforms such as Amazon Web Services (AWS). Galahad will leverage nested virtualization, layered sensing and logging to mitigate cloud threats. These layers will allow individual users to host their applications seamlessly and securely within the cloud avoiding … More

The post New open source solution reduces the risks associated with cloud deployments appeared first on Help Net Security.

Business owners prioritise investment in technology over upskilling

Business owners say their strategy is to prioritize investing in technology (52%) over upskilling (24%) their workforce, according to Adecco. The research titled, People, Technology and the Future of Upskilling, which surveyed 500 managers, directors, and business owners at SMEs, found that this focus on investing in technology over upskilling is not necessarily shared across all roles in the business. Just 28% of middle managers and 33% of directors prioritize investment in technology over upskilling. … More

The post Business owners prioritise investment in technology over upskilling appeared first on Help Net Security.

Mobile ID schemes take the lead over digital identity cards

The number of people using government-issued digital identity credentials will grow by over 150% from an expected 1.7 billion in 2019 to over 5 billion in 2024, according to Juniper Research. Emerging economies in Asia and Africa are some of the biggest markets, as countries leapfrog analogue identities to benefit from the efficiencies digital registration and management bring. Emerging economies follow Estonia The report, Digital Identity: Technology Evolution, Regulatory Analysis & Forecasts 2019-2024, shows that … More

The post Mobile ID schemes take the lead over digital identity cards appeared first on Help Net Security.

CyberArk enhances its portfolio of SaaS offerings for privileged access security

CyberArk announced groundbreaking new services and enhancements to the industry’s most complete portfolio of Software-as-a-Service (SaaS) offerings for privileged access security. As the industry leader, only CyberArk has the technology expertise and experience to deliver innovative solutions that make it simple and easy for cloud-first organizations and those embracing digital transformation to consume, use and manage privileged access security solutions, especially in hybrid cloud environments. “Privileged access security is foundational to effective cybersecurity programs. As … More

The post CyberArk enhances its portfolio of SaaS offerings for privileged access security appeared first on Help Net Security.

Bitdefender 2020 gives consumers privacy amid a rising criminal tide

Bitdefender, the innovative cybersecurity solutions provider protecting 500 million machines worldwide, is proud to unveil Bitdefender 2020, its new cybersecurity line designed to give consumers complete privacy in an era of intrusion and total security amid a rising criminal tide. The Bitdefender 2020 series of products is designed to overcome the most sophisticated attacks, including rampant invasion of privacy from criminal hackers, nosy companies and invasive websites, as well as history’s most sophisticated malware meant … More

The post Bitdefender 2020 gives consumers privacy amid a rising criminal tide appeared first on Help Net Security.

BehavioSec updates the BehavioSec Behavioral Biometrics Platform with new capabilities

BehavioSec, the pioneering vendor behind behavioral biometrics, announced new capabilities strengthening the BehavioSec Behavioral Biometrics Platform’s market leadership helping financial services, fintech, retail, and other customers defeat relentless attacks utilizing stolen passwords and other weaponized online credentials. As the September 14, 2019 deadline for compliance with the European Union’s PSD2 payment security mandate approaches, BehavioSec’s pioneering behavioral biometrics inventions and performance across industries give businesses and mobile app developers a proven way to rapidly increase … More

The post BehavioSec updates the BehavioSec Behavioral Biometrics Platform with new capabilities appeared first on Help Net Security.

Fugue’s SaaS product now supports the Microsoft Azure cloud computing service

Fugue, the company delivering autonomous cloud infrastructure security and compliance, announced that its Software as a Service (SaaS) product now supports the Microsoft Azure cloud computing service. Fugue provides enterprises with continuous visibility into the security posture of their Microsoft Azure and Amazon Web Services (AWS) cloud environments and protects critical resources with self-healing infrastructure. Fugue enables development teams to “Shift Left” on cloud security and compliance by integrating policy checks into CI/CD pipelines. “Fugue’s … More

The post Fugue’s SaaS product now supports the Microsoft Azure cloud computing service appeared first on Help Net Security.

Insight Connected Suite helps clients accelerate the use of smart solutions

Insight Enterprises, a Fortune 500 global solution integrator for organizations of all sizes, announced the launch of Insight Connected Suite, a fully managed Internet of Things (IoT) solution that is industry-agnostic and helps clients accelerate the use of smart solutions. “Communities and businesses understand the transformative potential of IoT and smart solutions as they look to modernize their infrastructure. However, the time and resources needed to develop complex, one-off solutions have remained a roadblock to … More

The post Insight Connected Suite helps clients accelerate the use of smart solutions appeared first on Help Net Security.

SnapLogic Quick Start solution to help orgs quickly build and deploy cloud data lakes on AWS

SnapLogic, the #1 Intelligent Integration Platform provider, introduced a new Quick Start solution to help enterprises build and deploy cloud data lakes on Amazon Web Services (AWS) with speed and confidence. Enterprises can now fast-track their cloud data lake projects by deploying SnapLogic components, AWS services such as Amazon Simple Storage Service (Amazon S3) and Amazon Redshift, and best practices from Agilisium Consulting. To generate business value from their data, organizations are implementing cloud data … More

The post SnapLogic Quick Start solution to help orgs quickly build and deploy cloud data lakes on AWS appeared first on Help Net Security.

Claroty unveils several enhancements to its Continuous Threat Detection solution

Claroty, the global leader in industrial cybersecurity, introduced several enhancements to Continuous Threat Detection (CTD), its award-winning operational technology (OT) security solution. The latest release of CTD now enables enterprises to discover and monitor their Internet of Things (IoT) devices, provides customers with greater network visibility, reduces deployment time, and eliminates the “noise” of non-critical alerts. The company also announced it has joined the Industrial Internet Consortium (IIC), the world’s leading organization transforming business and … More

The post Claroty unveils several enhancements to its Continuous Threat Detection solution appeared first on Help Net Security.

ViON unveils new hybrid, multi-cloud solution portfolio that offers single interface management

ViON, a cloud service provider and market leader in the design, delivery and maintenance of mission-critical IT infrastructure solutions, announced the launch of the ViON Enterprise Cloud (VEC), a hybrid, multi-cloud solution portfolio that offers single interface management. Organizations leveraging the VEC will be able to bring a public cloud experience to their private cloud environment, while still managing existing infrastructure and taking advantage of ViON’s Multi-Cloud Orchestrator, Cloud Services Platform and Professional and Managed … More

The post ViON unveils new hybrid, multi-cloud solution portfolio that offers single interface management appeared first on Help Net Security.

Enzoic for Active Directory offers real-time blocking and monitoring of unsafe passwords

Enzoic, a leading provider of compromised credential screening solutions, released the latest version of Enzoic for Active Directory. The product is the only Active Directory plugin to meet NIST 800-63b requirements for real-time blocking of unsafe passwords at set-up and provide continuous monitoring of those same passwords to ensure they don’t become vulnerable later. The service gives organizations new ammunition in the ongoing fight against the use of compromised passwords. Across industries, organizations of all … More

The post Enzoic for Active Directory offers real-time blocking and monitoring of unsafe passwords appeared first on Help Net Security.

Cyber Power Smart App Online UPS systems offer more power and functionality in less space

Cyber Power Systems, a leader in power protection and management products, released two new models of professional-grade Smart App Online UPS systems. The Smart App Online High-Density UPS systems provide high capacity output with a power factor rating of 1 within a space-saving design. The systems use double-conversion topology, providing sine wave output to deliver clean AC power for mission-critical applications and high-end system components that require seamless power correction. The products are the latest … More

The post Cyber Power Smart App Online UPS systems offer more power and functionality in less space appeared first on Help Net Security.

SyncDog and Nine23 to enable mobile workforces a secure cloud-based collaboration tools access

SyncDog, the leading Independent Software Vendor (ISV) for next generation mobile security and data loss prevention, announced a partnership with Nine23, a highly-focused UK mobile security solutions company serving the public and private sector. This partnership will enable mobile workforces to access cloud-based collaboration tools from their own devices with an increased level of security and greater cost savings. SyncDog provides a secure application workspace for employees accessing enterprise mobile productivity apps on BYOD (Bring … More

The post SyncDog and Nine23 to enable mobile workforces a secure cloud-based collaboration tools access appeared first on Help Net Security.

TMD Security integrates SALTO’s key-less locks in TMD Access Management

TMD Security announced that SALTO Systems, a worldwide leading manufacturer of state-of-the-art access door locks, will be the hardware partner for TMD’s Access Management solution for a wide variety of access points including ATM rooms, branches and datacentres. TMD Security has integrated SALTO’s key-less locks in TMD Access Management, a single access scheduling and provision solution for ATMs and for a wide variety of access points that uses encrypted one-time-codes and mobile app instead of … More

The post TMD Security integrates SALTO’s key-less locks in TMD Access Management appeared first on Help Net Security.

Druva acquires CloudLanes to expand cloud to the edge

Druva, the leader in Cloud Data Protection and Management, announced the acquisition of CloudLanes, an innovator in hybrid cloud data protection and migration that enables seamless and secure movement of data from on-premises to cloud. With the new addition, Druva is set to expand cloud to the edge, bringing enterprises the ability to keep data readily available on-site, while leveraging SaaS-based business continuity, short recovery windows and greater workload mobility to reduce costs by up … More

The post Druva acquires CloudLanes to expand cloud to the edge appeared first on Help Net Security.

Cirrus Insight appoints Phil Sims as CTO

Cirrus Insight is pleased to announce the appointment of Phil Sims as Chief Technology Officer. Cirrus Insight sales enablement platform for Gmail and Outlook offers an all-in-one sales productivity platform with world-class Salesforce integration. Cirrus Insight is committed to delivering high-quality value in the sales enablement space. The appointment of an award-winning CTO represents a spearhead investment in agile engineering, product, and support that benefits Cirrus Insight customers immediately. Phil Sims joins Cirrus Insight bringing … More

The post Cirrus Insight appoints Phil Sims as CTO appeared first on Help Net Security.

Abacode appoints Michael Brooks to lead its Governance, Risk and Compliance Practice

Abacode, one of the fastest growing Cybersecurity and Compliance firms in the United States, announced that Michael Brooks, a retired Air Force senior officer and PwC alum, has been chosen to lead its high demand Governance, Risk and Compliance (GRC) Practice. In this new role, Brooks will be responsible for leading a talented team of risk and compliance experts who provide a suite of premium GRC services designed to strengthen the cyber security posture for … More

The post Abacode appoints Michael Brooks to lead its Governance, Risk and Compliance Practice appeared first on Help Net Security.

The Problem With the Small Business Cybersecurity Assistance Act

The Small Business Cybersecurity Assistance Act may provide business owners with access to government-level tools to secure small business against attacks.

Perhaps the best approach to rampant malware, ransomware and cybercrime is stronger cooperation between the public and private sectors.

The American Congress took a stab at that kind of ecumenical solution to the looming $6 trillion problem of cybersecurity in the form of the Small Business Cybersecurity Assistance Act (SBCAA). It’s as bipartisan a bill as the U.S. can hope for at present and an encouraging sign that the problem is on the government’s radar.

Regrettably, the Small Business Cybersecurity Assistance Act has already gathered criticism and detractors, with some saying it falls short of the mark. Let’s look at why this might be the case and what the Act actually contains that might, or might not, be of value to worried business owners.

What Does the SBCAA Seek to Accomplish?

The two main co-sponsors of the Act — Senators Gary Peters and Marco Rubio — frame the SBCAA’s mission as primarily an educational effort to bring small business owners up to speed on cybercrime-related issues such as:

  • The variety of cyber threats in the world today
  • The potential risk that small business owners face
  • The tools available to help them protect themselves

The small business community must understand that they represent a larger — not a smaller — portion of the threat surface where cybercrime is concerned. Small business owners are less likely to have taken adequate measures to protect their digital systems and are consequently at an even higher risk of sustaining a data breach or a ransomware attack than a major corporation.

Under the Small Business Cybersecurity Assistance Act, business owners could visit U.S. Small Business Development Center (SBDC) locations to secure educational materials, enroll in programs, and work with representatives from the Department of Homeland Security to better understand and confront cyber threats and risks. Clearly, the intentions and the desired outcome are heading in the right direction.

The question is: What on earth is a Small Business Development Center?

A Good Idea With Limited Infrastructure Behind It

Like many public services in the United States, Small Business Development Centers are wonderful in theory but consistently go underfunded — despite their value — and remain mostly unknown to the communities most in need of their assistance. Among other things, SBDCs provide services like business counseling and information on local, state and federal government compliance and assistance programs.

But because this service goes underfunded and unheralded, the U.S. has only 63 such centers — barely one for every U.S. state and territory. In contrast, the U.S. had almost 140,000 Starbucks locations in 2018, despite the company employing under 200,000 people that year.

The SBDC’s 63 locations, meanwhile, are meant to support the entire American small business community. In 2016, companies with fewer than 100 employees made up 33.4% of the U.S. workforce, and companies with 500 or fewer made up nearly half.

Many of the criticisms leveled against the SBCAA have latched onto this lack of infrastructure and public awareness. Earmarking additional funding could possibly help raise the SBDC’s public profile and make more people aware of their existence. But this isn’t certain, and it doesn’t look like the SBCAA has addressed the existing funding shortfall.

The Act reportedly permits Small Business Development Centers to use their current funding to make cybersecurity resources available after they’re prepared by other government agencies. But the key phrase is “current funding.” SBDCs, like the one at Wharton School, already face shuttering their doors because of a lack of funding. Adding to the demands placed on their staff without a commensurate rise in funding could be fruitless.

The other problem, apart from a lack of funding and awareness, is that significant numbers of small business owners do business in the cloud. As a result, they outsource most of their IT and digital systems architecture work, including data hosting services, to third parties.

It could be fairly useful to educate small business owners on the security best practices these third parties should follow in their operations — either by law or according to common sense. What’s not useful is doing all of this without backing it up with appropriately harsh fines for the larger companies which mishandle or misplace client data, either by mistake or because they have nefarious intent.

The European Union is off to a slow start levying fines for abusing data privacy and security, but the now-year-old General Data Protection Regulation gives the government the power to do so. Until the U.S. implements a similar measure, U.S. states are left on their own to fine companies which don’t take cybersecurity or client privacy seriously. Any measure undertaken to educate the small business community about cybersecurity won’t do much good if the U.S. government doesn’t stand ready to have their backs.

Another potentially fruitful avenue to explore is providing grants or subsidies to help small business owners purchase cyber liability insurance. Not all small business owners know such products exist, but these services can go a long way toward keeping small businesses in operation after they fall victim to a cybercrime.

Safety on the Internet Isn’t a Luxury

Some seem content to let cybersecurity remain a competitive advantage or a luxury commodity. Others believe the buy-in should be the same for both small entrepreneurships and major corporations when it comes to keeping digital properties safe. Everybody has a right to stay safe online — it shouldn’t be something that only moneyed interests get to enjoy.

The SBCAA is a well-intentioned measure styled after the American tradition of empowering people to pull themselves up by their own bootstraps and know-how.

But without a more robust support system in place, it risks confirming what many people already believe — that the government throws money at problems instead of solving them. It’s best to think of the SBCAA as a first step toward something better.

A better, second draft would back up its proposals for DHS-SBDC collaboration with additional funding as well as adequate punitive measures for data handlers that get cybersecurity wrong.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(Security Affairs – Small Business Cybersecurity Assistance Act)

The post The Problem With the Small Business Cybersecurity Assistance Act appeared first on Security Affairs.

Black Hat 2019: Q&A with McAfee

Now in its 22nd year, Black Hat is an information security event showcasing the latest research, newest technology, scariest threats, and biggest trends. Around 19,000 security professionals will be taking over Las Vegas’s Mandalay Bay during the six-day event.

Before the security world convenes the first week in August, we spoke with McAfee leadership and threat researchers about the major themes we should expect to see at Black Hat and DEF CON this year.

Q: What should attendees watch out for at this year’s Black Hat?

Steve Povolny, Head of Advanced Threat Research: This year will piggyback on some of the themes we’ve seen developing in recent Black Hat briefings, including a growing focus on emerging technologies such as autonomous and connected vehicles, blockchain, and 5G, among many others. Some of the key industries under extra scrutiny include industrial control systems, aviation and aerospace, and supply chain. Finally, there is a continued and now-standard focus on crypto, mobile, and cloud/virtualization security.

Douglas McKee, Senior Security Researcher: Once again, Black Hat will have a great variety of talks for both the offensive- and defensive-minded individual. One of the newest topics we are starting to see will be on deepfakes. As social engineering continues to have a large impact on every security discipline, the concept of deepfakes becomes something to watch out for.

Q: What topic(s) do you think will play an important role at this year’s Black Hat and DEF CON?

Povolny: I foresee vehicle security continuing to generate heavy interest, as well as cloud and virtualization attacks. The more popular mobile device sessions are typically well attended, and we’ve had a spate of recent high-profile vulnerabilities that may drive even heavier traffic this year. Industrial controls are receiving renewed focus, though I’m surprised to see little to nothing in the area of medical devices given the security research community’s focus on this topic for the last 12-18 months.

McKee: Topics focused around our critical infrastructure and transportation will continue to play an important role, as these topics are growing fast with a security focus. As major companies continue to strive towards greater automation, how we protect this automation will play a key role in our everyday lives.

Philippe Laulheret, Senior Security Researcher: Although it’s not new, hackers and security researchers are looking into the security of secondary targets and then pivoting towards their main goal, which is usually hardened and more difficult to reach. Of particular interest are two talks centering on communication modules, and a few others concerning equipment. Targeting VoIP phones, printers, faxes, etc., is really interesting: These devices sit on the network, are hard to monitor, and if compromised, can be used as a stepping stone to attack other machines. At the same time, they’re also valuable targets for eavesdropping or stealing confidential information.

Q: What is one of the biggest cyber concerns in 2019, and how can consumers or enterprises stay protected?

Povolny: The BlueKeep vulnerability (CVE-2019-0708) is a prime example of what should be top of mind for both enterprises and consumers. As WannaCry quickly taught the world, eliminating legacy operating systems and defunct protocols should be a foremost priority. These systems tend to be the most valuable targets, as attackers can reach millions of targets quickly through self-propagating code. I anticipate we will likely still see BlueKeep exploited publicly, perhaps (and maybe likely) turned into a worm in 2019. This is a rare opportunity for consumers and enterprise to address a likely breach before it happens, and to invest extra attention into removing or securing similar systems.

McKee: In 2019 it is almost impossible to buy a device that doesn’t have an IP address; everything is network connected. As both consumers and enterprises, we need to stay vigilant about what devices and information we are allowing to connect to the internet. Both our homes and offices are only as strong as our weakest device. The industry needs to continue to invest in developing secure products from the beginning while consumers direct extra attention to what they are buying.

Q: What are you hoping to get out of Black Hat or DEF CON this year and what do you want your attendees to take away from your session?

Povolny: I’m always interested in which topics tend to generate the most interest and why. So, I will be curious to see if my assessments of the most interesting topics are on point and will be spending additional time networking with researchers and attendees to find out what is driving them towards the topic. I’ll be speaking on IoT security, which encompasses threats across many of the industries, devices, protocols and technologies being presented at this year’s Black Hat. I’m hoping to give attendees a better understanding of the breadth and depth of the problem space and what the impacts are to them by showing them first-hand research from McAfee’s Advanced Threat Research team on a few IoT targets.

McKee: As a security researcher, I am always most interested in what new techniques the industry has uncovered to continue to find new vulnerabilities. It’s a constant game between evolving protections and new bypasses. In my session at DEFCON, I hope to convey some of the new methods we have used over the last year. More importantly I hope to highlight how, when researchers work together with vendors, very critical vulnerabilities can be swiftly mitigated.

Laulheret: My presentation, “Intro to Embedded Hacking—How You, Too, Can Find A Decade-old Bug In Widely Deployed Devices,” is part of the DC 101 track and has the same aspiration of sharing one’s passion. The goal of this track is to get people up to speed on topics they are not familiar with yet. Hardware hacking can be intimidating if you are coming from a software background or if you never had any electronic/electricity classes. What I really want for this session is to show people that hardware hacking is neither hard nor scary, and by learning the basics, they will be able to investigate devices from their day-to-day life, potentially finding previously unknown critical flaws. There’s something extremely empowering in gaining the ability to dissect devices that used to be magic black boxes sitting on your network.

Best ways to catch McAfee at Black Hat & DEF CON:

Speaking Sessions:

Black Hat: Internet of Threats – The Current State of IoT Device Security

Steve Povolny, Head of Advanced Threat Research

Wednesday, August 7 | 12:40pm PT | Business Hall Theater B


DEF CON: Intro to Embedded Hacking—How You, Too, Can Find A Decade-old Bug In Widely Deployed Devices

Philippe Laulheret, McAfee Security Researcher

Thursday, August 8 | 1:00pm PT | Paris Theater


DEF CON: HVACking: Understand the Difference Between Security and Reality

Douglas McKee, McAfee Senior Security Researcher

Mark Bereza, McAfee Security Researcher

Friday, August 9 | 1:00pm PT | Track 2


Booth Presence:

Visit us at Booth #914 and test your hacking skills with our Capture the Flag contest.


Be sure to follow @McAfee for real-time updates from the show throughout the week.

The post Black Hat 2019: Q&A with McAfee appeared first on McAfee Blogs.

Downloaded FaceApp? Here’s How Your Privacy is Now Affected

If you’ve been on social media recently, you’ve probably seen some people in your feed posting images of themselves looking elderly. That’s because FaceApp, an AI face editor that went viral in 2017, is making a major comeback with the so-called FaceApp Challenge — where celebrities and others use the app’s old age filter to add decades onto their photos. While many folks have participated in the fun, there are some concerns about the way that the app operates when it comes to users’ personal privacy.

According to Forbes, over 100,000 million people have reportedly downloaded FaceApp from the Google Play Store and the app is the number one downloaded app on the Apple App Store in 121 different countries. But what many of these users are unaware of is that when they download the app, they are granting FaceApp full access to the photos they have uploaded. The company can then use these photos for their benefit, such as training their AI facial recognition algorithm. And while there is currently nothing to indicate that the app is taking photos for malicious intent, it is important for users to be aware that their personal photos may be used for other purposes beyond the original intent.

So, how can users enjoy the entertainment of apps like FaceApp without sacrificing their privacy? Follow these tips to help keep your personal information secure:

  • Think before you upload. It’s always best to err on the side of caution with any personal data and think carefully about what you are uploading or sharing. A good security practice is to only share personal data, including personal photos, when it’s truly necessary.
  • Update your settings. If you’re concerned about FaceApp having permission to access your photos, it’s time to assess the tools on your smartphone. Check which apps have access to information like your photos and location data. Change permissions by either deleting the app or changing your settings on your device.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Downloaded FaceApp? Here’s How Your Privacy is Now Affected appeared first on McAfee Blogs.

APT Targets Diplomats in Europe, Latin America


Evidence suggests that new versions of malware families are linked to the elusive Ke3chang group, along with a previously unreported backdoor, according to researchers at ESET.

The researchers have long been tracking the advanced persistent threat (APT) group and suspect that it operates out of China, according to today’s press release.

Named Okrum by ESET, the malware was first detected in late 2016 when it was used to target diplomatic missions and governmental institutions in Belgium, Slovakia, Brazil, Chile and Guatemala. However, researchers have seen multiple variations of the malware families and attributed the activity to the Ke3chang group.

“In research going back to 2015, ESET identified new suspicious activities in European countries. The group behind the attacks seemed to have particular interest in Slovakia, but Croatia, the Czech Republic and other countries were also affected. Analyzing the malware used in these attacks, ESET researchers found that it was linked to known malware families attributed to the Ke3chang group, and dubbed these new versions Ketrican,” the release stated.

“We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors,” said Zuzana Hromcova, the ESET researcher who made the discoveries. 

The group has remained active in 2019. As recently as March, researchers “detected a new Ketrican sample that has evolved from the 2018 Ketrican backdoor. It affected the same targets as the backdoor from 2018,” according to the research.

“Okrum can impersonate a logged on user’s security context using a call to the ImpersonateLoggedOnUser API in order to gain administrator privileges.” It then automatically collects information about the infected computer, including computer name, user name, host IP address, primary DNS suffix value, OS version, build number, architecture, user agent string and locale info (language name, country name), the report added.

How to Spot Phishing Lures

Phishing attacks, in which scammers try to trick you out of your private information or money, are one of the most prevalent threats we see today. Part of the problem is that the cybercriminals have numerous ways in which to hook you, either online, over the phone, or even in person.

In today’s busy world we are often bombarded with information and it can be hard to tell who to trust, and when to be wary. But given that new phishing web pages grew by 900,000 in the third-quarter of 2018 alone, costing consumers and businesses potentially billions of dollars, it’s worth learning more about common phishing lures and how to avoid them. After all, most malware is delivered by phishing attacks, and malware grew by a stunning 53% in the third quarter of last year.

The first thing you should know about phishing is that it almost always involves a form of “social engineering”, in which the scammer tries to manipulate you into trusting them for fraudulent purposes, often by pretending to be a legitimate person or business.

You can get a better idea of how this works by learning about some of the most popular threats circulating today, the first of which are a growing number of business-related scams:

  • The CEO/Executive Scam—This scam appears as an email from a leader in your organization, asking for highly sensitive information like company accounts, employee salaries and Social Security numbers, or even sensitive client information. The hackers “spoof”, or fake, the executive’s email address so it looks like a legitimate internal company email. That’s what makes this, and the other business scams, so convincing—the lure is that you want to do your job well and please your coworkers.
  • The Business Entity Scam—This one targets corporations with the clever trick of filing phony Statements of Information with the Secretary of State using the government’s website. The fraudsters then use these doctored statements to apply for hard money loans, using them to prove they have assets. This scam works because the states don’t double check corporate statements for accuracy.
  • File Sharing & DocuSign—Phony requests to access files in Dropbox accounts are on the rise, tricking workers into clicking on dangerous links that download malware. There has also been a rash of threats masquerading as requests to electronically sign documents, pretending to be legitimate services like DocuSign, which is often used for real estate and other important transactions.
  • The Urgent Email Attachment—Phishing emails that try to trick you into downloading a dangerous attachment that can potentially infect your computer and steal your private information have been around for a long time. This is because they work. You’ve probably received emails asking you to download attachments confirming a package delivery, trip itinerary, or prize. They might urge you to “respond immediately!” The lure here is offering you something you want, and invoking a sense of urgency to get you to click.
  • The “Lucky” Phone Call—How fortunate! You’ve won a free gift, an exclusive service, or a great deal on a trip to Las Vegas. Just remember, whatever “limited time offer” you’re being sold, it’s probably a phishing scam designed to get you to give up your credit card number or identity information. The lure here is something free or exciting at what appears to be little or no cost to you.
  • The Romance Scam—This one can happen completely online, over the phone, or in person once contact is established. But the romance scam always starts with someone supposedly looking for love. The scammer often puts a phony ad online, or poses as a friend-of-a-friend on social media and contacts you directly. But what starts as the promise of love or partnership, often leads to requests for money or pricey gifts. The lure here is simple—love and acceptance.
  • The Mobile Phish—Our heavy use of mobile devices has given scammers yet another avenue of attack. They may distribute fake mobile apps that secretly gather your personal information in the background, or they could send phony text messages inviting you to click on a dangerous link. Either way, you may be misled by a false sense of trust in who has access to your mobile device. In this case, you may be lured by the convenience of an app, or the expediency of a message.

Here are some more smart ways not to get hooked:

  • Be wary of anyone who asks for more information than they need, even if you are talking to a company or bank you do business with.
  • When responding to a message, first check to see if you recognize the sender’s name and email address.
  • Before clicking on a link, hover over it to see if the URL address looks legitimate.
  • Before logging into an online account, make sure the web address is correct. Phishers often forge legitimate websites, like online storage accounts, hoping to trick you into entering your login details.
  • Avoid “free” offers, or deals that sound too good to be true. They probably are.
  • Review your bank statements and business filings on a regular basis to check for suspicious activities.
  • Always use comprehensive security software to protect your devices and information from malware and other threats that might result from a phishing scam.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.


The post How to Spot Phishing Lures appeared first on McAfee Blogs.

Bigger Rewards for Security Bugs

Chrome has always been built with security at its core, by a passionate worldwide community as part of the Chromium open source project. We're proud that community includes world class security researchers who help defend Chrome, and other Chromium based browsers.

Back in 2010 we created the Chrome Vulnerability Rewards Program which provides cash rewards to researchers for finding and reporting security bugs that help keep our users safe. Since its inception the program has received over 8,500 reports and paid out over five million dollars! A big thank you to every one of the researchers - it's an honor working with you.

Over the years we've expanded the program, including rewarding full chain exploits on Chrome OS, and the Chrome Fuzzer Program, where we run researchers' fuzzers on thousands of Google cores and automatically submit bugs they find for reward.

Today, we're delighted to announce an across-the-board increase in our reward amounts! Full details can be found on our program rules page, but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000.

We've also clarified what we consider a high quality report, to help reporters get the highest possible reward, and we've updated the bug categories to better reflect the types of bugs that are reported and that we are most interested in.

But that's not all! On Chrome OS we're increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bugs in firmware and lock screen bypasses also get their own reward categories.

These new reward amounts will apply to bugs submitted after today on the Chromium bug tracker using the Security template. As always, see the Chrome Vulnerability Reward Program Rules for full details about the program.

In other news, our friends over at the Google Play Security Reward Program have increased their rewards for remote code execution bugs from $5,000 to $20,000, theft of insecure private data from $1,000 to $3,000, and access to protected app components from $1,000 to $3,000. The Google Play Security Reward Program also pays bonus rewards for responsibly disclosing vulnerabilities to participating app developers. Check out the program to learn more and see which apps are in scope.

Happy bug hunting!

Security Experts Warn Against Use of FaceApp


Security experts are warning the public not to partake in the FaceApp craze, which is being exacerbated by the #FaceAppChallenge that is going viral on social media, according to multiple reports. 

While security experts and privacy advocates are warning users to avoid the app, Senator Chuck Schumer has requested that the Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC) investigate whether there are adequate safeguards in place to protect the privacy of the app’s users. 

"FaceApp's location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including foreign governments," wrote Schumer.

Created in 2017 by developers at Wireless Lab in St. Petersburg, Russia, FaceApp now has access to the face and images of over 150 million people, Forbes reported. Users’ photos are being uploaded to the cloud, yet the terms and conditions grant FaceApp the ability to do additional processing locally on their device.

“To make FaceApp actually work, you have to give it permissions to access your photos – ALL of them. But it also gains access to Siri and Search....Oh, and it has access to refreshing in the background – so even when you are not using it, it is using you,” tweeted technology author Rob La Gesse, who warned users who have installed the app to delete it. 

“FaceApp serves as an important reminder that free isn't free when it comes to apps. The user and his/her [photo are] the commodity, whether sold for purposes like marketing or more nefarious things like identity theft and creation of deep fakes. Don't use apps that need access to all your data and be sure to read the EULAs to ensure the app gives users some sort of control and protection based on where the data is stored and processed," said Rick McElroy, head of security strategy at Carbon Black.

What Is The True Score of AI VS Malware?

We admit that here at hackercombat.com we are one of the cybersecurity news organizations that somewhat hyped Artificial Intelligence (AI) when it comes to cybersecurity. We wrote numerous articles heralding the “hero” that will save us from the seemingly endless cat-and-mouse race between the discovery of a vulnerability that is currently being exploited and the time the vendor issues the patch addressing it. We are no different from other tech sites that positioned AI as a possible solution to the labor-intensive human process of quashing software bugs, let alone the security flaws they enable.

IBM Security exposed the world’s dependence on the “hero”: AI is mistakenly identified by many cybersecurity organizations as a silver bullet for our current cybersecurity problems. Big Blue considers such a premise biased, and IBM is correct. Seemingly the industry is so used to the labor-intensive procedure of fixing a discovered security flaw. It takes humans to discover a bug and report it to the vendor, and then another unknown period passes until the vendor issues the patch that will quash the bug. That is, of course, the ideal situation; many flaws are discovered and weaponized by cybercriminals without the vendor knowing of their existence for weeks, months or even years. It takes a “good samaritan” to finally report the bug with enough detail to the developers, who are the only ones who can issue a fix.

“One is the algorithm itself. Is it biased in the way it’s approached, and the outcome it’s trying to solve? If you’re trying to solve the wrong outcome, and the outcome is biased, then your algorithm is biased. It’s not like the bad guys are waiting for us to learn how to do this. So, the faster we get there, the better off (we are),” hinted Aarti Borkar, IBM Security’s Vice President.

Antivirus products and endpoint services have for decades employed heuristic scanning, which in itself is a crude type of artificial intelligence. Heuristic scanning claims to detect threats that signature-based scanning cannot, since the latter requires the actual virus signature to be present in its scanning engine to detect the particular malware. Instead of the number of malware samples plummeting, cybercriminals took up the challenge, employing a combination of virus development and social engineering in their campaigns.

Heuristic scanning technologies predate all of the current crop of malware we are encountering, such as ransomware, cryptocurrency mining malware and stealthy banking trojans. From a practical standpoint, current heuristics have been unable to prevent infection by those threats. We continue to hear news of local government operations disabled due to ransomware infections, and all of them paid the steep ransom demanded by cybercriminals.

Artificial intelligence technologies will continue to improve; maybe a year or two from now we will post a follow-up article expressing our happiness as AI becomes truly effective against the campaigns launched by malware authors. Until then, we will continue reporting stories about malware infections, even if that means we indirectly point to the ineffectiveness of today’s antimalware software products.

Also Read,

Artificial Intelligence’s Deep Learning, A New Cybersecurity Tool?

A New Malware Called Silex Targets IoT Devices

BabyShark Malware Targeting Nuclear and Cryptocurrency Industries

The post What Is The True Score of AI VS Malware? appeared first on .

Data Privacy and Security Risks in Healthcare

Healthcare is a business much like all verticals I work with; however, it has a whole different set of concerns beyond those of traditional businesses. The compounding threats of malware, data thieves, supply chain issues, and the limited understanding of security within healthcare introduces astronomical risk. Walking through a hospital a few weeks ago, I was quickly reminded of how many different devices are used in healthcare—CT scanners, traditional laptops, desktops, and various other devices that could be classified as IoT.

Sitting in the hospital, I witnessed people reporting for treatment being required to sign and date various forms electronically. Then, on a fixed-function device, patients were asked to provide a palm scan for additional biometric confirmation. Credit card information, patient history, and all sorts of other data was also exchanged. In my opinion, patients should be asking, “Once the sign-in process is complete, where is the patient data stored, and who has access to it? Is it locked away, encrypted, or sent to the “cloud” where it’s stored and retrieved as necessary? If it’s stored on the cloud, who has access to that?” I do recall seeing a form asking that I consent to releasing records electronically, but that brings up a whole new line of questions. I could go on and on …

Are these challenges unique to healthcare? I would contend that at some level, no, they’re not. Every vertical I work with has compounding pressures based on the ever-increasing attack surface area. More devices mean more potential vulnerabilities and risk. Think about your home: You no doubt have internet access through a device you don’t control, a router, and many other devices attached to that network. Each device generally has a unique operating system with its own set of capabilities and with its own set of complexities. Heck, my refrigerator has an IP address associated with it these days! In healthcare, the risks are the same, but on a bigger scale. There are lives at stake, and the various staff members—from doctors, to nurses, to administrators—are there to hopefully focus on the patient and the experience. They don’t have the time or necessarily the education to understand the threat landscape—they simply need the devices and systems in the hospital network to “just work.”

Many times, I see doctors in hospital networks and clinics get fed up with having to enter and change passwords. As a result, they’ll bring in their personal laptops to bypass what IT security has put in place. Rogue devices have always been an issue, and since those devices are accessing patient records without tight security controls, they are a conduit for data loss. Furthermore, that data is being accessed from outside the network using cloud services. Teleradiology is a great example of how many different access points there are for patient data—from the referring doctor, to the radiologist, to the hospital, and more.

Figure 1:  Remote Teleradiology Architecture

With healthcare, as in most industries, the exposure risk is potentially great. The solution, as always, will come from identifying the most important thing that needs to be protected, and figuring out the best way to safeguard it. In this case, it is patient data, but that data is not just sitting locked up in a file cabinet in the back of the office anymore. The data is everywhere—it’s on laptops, mobile devices, servers, and now more than ever in cloud services such as IaaS, PaaS and SaaS. Fragmented data drives great uncertainty as to where the data is and who has access to it.

The security industry as a whole needs to step up. There is a need for a unified approach to healthcare data. No matter where it sits, there needs to be some level of technical control over it based on who needs access to it. Furthermore, as that data is traversing between traditional data centers and the cloud, we need to be able to track where it is and whether or not it has the right permissions assigned to it.

The market has sped up, and new trends in technology are challenging organizations every day. In order to help you keep up, McAfee for Healthcare (and other verticals) is focusing on the following areas:

  • Device – OS platforms—including mobile devices, Chromebooks and IoT—are increasingly locked down, but the steadily increasing number of devices provides other avenues for attack and data loss.
  • Network – Networks are becoming more opaque. Plain HTTP has largely given way to HTTPS, so a CASB safety net is essential in order to see the data stored with services such as Box or OneDrive.
  • Cloud – With workloads increasingly moving to the cloud, the traditional datacenter has been largely replaced by IaaS and PaaS environments. Lines of business are moving to the cloud with little oversight from the security teams.
  • Talent – Security expertise is extremely difficult to find. The talent shortage is real, particularly when it comes to cloud and cloud security. There is also a major shortage in quality security professionals capable of threat hunting and incident response.

McAfee has a three-pronged approach to addressing and mitigating these concerns:

  • Platform Approach – Unified management and orchestration with a consistent user experience and differentiated insights, delivered in the cloud.
    • To enhance the platform, there is a large focus on Platform Driven Managed Services—focused on selling outcomes, not just technology.
  • Minimized Device Footprint – Powerful yet minimally invasive protection, detection and response spanning full-stack tech, native engine management and ‘as a service’ browser isolation. This is becoming increasingly important as the typical healthcare environment has an increasing variety of endpoints but continues to be limited in resources such as RAM and CPU.
  • Unified Cloud Security – Spanning data centers, integrated web gateway/SaaS, DLP and CASB. The unification of these technologies provides a safety net for data moving to the cloud, as well as the ability to enforce controls as data moves from on-prem to cloud services. Furthermore, the unification of DLP and CASB offers a “1 Policy” for both models, making administration simpler and more consistent. Consistent policy definition and enforcement is ideal for healthcare, where patient data privacy is essential.

In summary, security in healthcare is a complex undertaking. A vast attack surface area, the transformation to cloud services, the need for data privacy and the talent shortage compound the overall problem of security in healthcare. At McAfee, we plan to address these issues through innovative technologies that offer a consistent way to define policy by leveraging a superior platform. We’re also utilizing sophisticated machine learning to simplify the detection of and response to bad actors and malware. These technologies are ideal for healthcare and will offer any healthcare organization long-term stability across the spectrum of security requirements.

The post Data Privacy and Security Risks in Healthcare appeared first on McAfee Blogs.

Experts detailed new StrongPity cyberespionage campaigns

Experts at AT&T’s Alien Labs recently discovered an ongoing campaign conducted by StrongPity threat actor that abuses malicious WinBox installers to infect victims.

AT&T’s Alien Labs experts recently discovered an ongoing campaign conducted by StrongPity APT group that abuses malicious WinBox installers to infect victims.

The activity of the group was initially uncovered in 2016 when experts at Kaspersky observed the cyberespionage group targeting users in Europe, in the Middle East, and in Northern Africa. The group set up malicious sites mimicking legitimate ones to carry out watering holes to deliver tainted installers and malware.

The new campaign started in the second half of 2018; attackers once again used tainted versions of popular software such as WinRAR to compromise victims’ systems.

“Alien Labs has identified an unreported and ongoing malware campaign, which we attribute with high confidence to the adversary publicly reported as “StrongPity”. Based on compilation times, infrastructure, and public distribution of samples – we assess the campaign operated from the second half of 2018 into today (July 2019).” reads the analysis published by the researchers. “We have also identified StrongPity deploying malicious versions of the WinBox router management software, WinRAR, and other trusted software to compromise targets.”

The new malware samples analyzed in July 2019 appear to have been rebuilt by the group in response to public reporting on its activities. The analysis of compilation times, infrastructure build and use, and public distribution of samples allowed the experts to attribute the activity to the StrongPity group.

One of the samples employed by the hackers in the recent campaign is a malicious installer for WinBox, the management console for MikroTik’s RouterOS software.

The installer implements all of the features of the legitimate software, but it installs the StrongPity malware on the target’s machine.


The malware operates similarly to previously reported variants: it implements spyware capabilities and allows the attacker to gain remote access to the compromised machine. The malicious code communicates with the command and control (C&C) infrastructure over SSL.

“The malicious WinBox installer drops the StrongPity sample into the Windows Temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. Similar to previous reports of StrongPity, the malware communicates with the C2 server over SSL.” Alien Labs notes.
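The drop path quoted above is the one file-system indicator the report gives. As an added example (not code from Alien Labs or Security Affairs), the check below matches constructed Sysmon-style process-creation events against that path, expanding %temp% per user and normalising case and slash style as Windows does; the secondary "installer spawned an executable from %temp%" signal, the event field names and all sample paths are this example's own assumptions.

```python
"""Match process-creation events against the StrongPity drop path quoted above.

Added example; the event records and user profiles below are constructed,
not taken from the Alien Labs report.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# The only file-system indicator the report gives: the dropped backdoor path.
STRONGPITY_DROP_PATH = r"%temp%\DDF5-CC44CDB42E5\wintcsr.exe"


def expand_temp(path: str, user_profile: str) -> str:
    """Expand %temp% to the per-user temp directory (case-insensitive, as Windows does)."""
    temp_dir = ntpath.join(user_profile, "AppData", "Local", "Temp")
    # A callable replacement avoids backslash-escape handling in the substitution.
    return re.sub(r"%temp%", lambda _m: temp_dir, path, flags=re.IGNORECASE)


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept both slash styles; canonicalise first."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def matches_drop_path(image: str, user_profile: str) -> bool:
    """True when the executed image is exactly the published drop path for this user."""
    expected = normalize(expand_temp(STRONGPITY_DROP_PATH, user_profile))
    return normalize(image) == expected


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a detection label for one event, or None when nothing matches.

    Event fields (assumed for this example): 'user_profile', 'parent', 'image'.
    """
    if matches_drop_path(event["image"], event["user_profile"]):
        return "strongpity_drop_path"  # exact hit on the published indicator

    # Weaker triage signal, this example's own heuristic: an executable run out of
    # %temp% by something in the Downloads folder. Legitimate installers do this
    # too, so treat it as a lead for analysts, not an alert on its own.
    temp_dir = normalize(expand_temp("%temp%", event["user_profile"]))
    downloads = normalize(ntpath.join(event["user_profile"], "Downloads"))
    if (normalize(event["image"]).startswith(temp_dir + "\\")
            and normalize(event["parent"]).startswith(downloads + "\\")):
        return "installer_spawned_exe_from_temp"
    return None


# Constructed Sysmon-style events; paths and file names are made up for the example.
CONSTRUCTED_EVENTS = [
    {"user_profile": r"C:\Users\alice",
     "parent": r"C:\Users\alice\Downloads\winbox-installer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\DDF5-CC44CDB42E5\wintcsr.exe"},
    {"user_profile": r"C:\Users\alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"user_profile": r"C:\Users\bob",  # same indicator, different casing and slashes
     "parent": r"C:\Users\bob\Downloads\setup.exe",
     "image": "c:/users/bob/appdata/local/temp/ddf5-cc44cdb42e5/WINTCSR.EXE"},
    {"user_profile": r"C:\Users\bob",  # only the weak heuristic fires here
     "parent": r"C:\Users\bob\Downloads\some-setup.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\is-XYZ.tmp\helper.exe"},
]


def flag_events(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (index, label) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for idx, label in flag_events(CONSTRUCTED_EVENTS):
        print(f"event {idx}: {label} -> {CONSTRUCTED_EVENTS[idx]['image']}")
```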

“Reviewing the compilation timestamps of the identified malware, various clusters of individual campaign start times can be noticed, stretching back into the previous reports of early 2018,”

The APT group also used newer versions of tainted WinRAR software, as well as a tool called Internet Download Manager (IDM).

Experts were unable to determine exactly the delivery mechanism of the tainted installers; however, it is likely that methods used in past campaigns, such as regional download redirection by ISPs, are still in use.

The choice of installers for software like WinRAR, WinBox and IDM suggests that StrongPity is continuing to target technically oriented victims.

“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated.” concludes the report. “This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years.”

Pierluigi Paganini

(SecurityAffairs – StrongPity, APT)

The post Experts detailed new StrongPity cyberespionage campaigns appeared first on Security Affairs.

How Will Companies Deploy Industrial IoT Security Solutions?

Industrial IoT (IIoT) devices will comprise the majority of the billions of IoT devices deployed over the next decade. How will the information security market meet this onslaught of technology?

The consumer market is not a useful guide for this analysis. Consumers buy in small quantities and choose to deploy information security tools piecemeal. Few consumers buy smartphone security products, and those who do usually do so after experiencing an incident. The industrial market is more sensitive to risk.

Industrial-scale IoT devices must have low price points. Once an enterprise decides to deploy a fleet of IIoT technology, they seek out the lowest price product that will meet their needs. This puts pressure on manufacturers to keep costs low. IIoT device manufacturers will not spend extra resources designing, installing, testing, and configuring effective security measures voluntarily. Government regulation will change this reluctance, but until forced to do so buyers will have to secure their devices after installation.

What will the IIoT security market look like? Given the low purchase price and vast scale of deployments, there will be a negligible aftermarket for individual IIoT device security software or hardware. The market will focus on aggregation points, concentrators, gateways, and network access devices.

Consider a solar panel farm. The largest solar farm now under construction, the Egyptian Benban solar park near Aswan, will cost about $4 billion, and should come on-line in 2020. Ten times larger than New York City’s Central Park, it will generate 1.8 gigawatts using 5 million panels. Each panel has an inverter and a sensor, and each group of 16 panels has a PLC (programmable logic controller). This farm will have 10 million edge IIoT devices and 312,500 PLCs.

How would you secure over 10 million IIoT devices? Assume the control systems are centralized. By protecting the external gateway only, you spend the least, but if any problem gets in, the plant could be disabled or destroyed. Segmentation costs more, but reduces the attack surface and impedes the spread of malware.

What is the optimum number of cells? There is no hard and fast rule. The cost of a device increases with its capacity, so having a few large cells would require powerful security appliances. More cells will reduce the impact of a breach and lessen the load per appliance, allowing a lower price point. With one appliance for every thousand PLCs (covering 16,000 panels, meaning 32,000 IIoT devices) the configuration would need over three hundred appliances, with monitoring and control through an appropriately configured automation and management hub. The appliance cost would be minuscule compared with the total cost of the overall configuration.

The full security configuration would include the engineering and architecture skill to design and site the appliances, the architecture and deployment of the management hubs (dual for high availability), and the training for ongoing operations and maintenance. IIoT security vendors will work through channel partners with expertise in the specific vertical industries they serve.

Project managers for large industrial IoT deployments should work with their IT channel and OT engineering teams to identify the most cost-effective sourcing and deployment options for comprehensive, effective IT/OT security.

What do you think? Let me know, either in the comments below or @WilliamMalikTM.

The post How Will Companies Deploy Industrial IoT Security Solutions? appeared first on .

California State Auditors Say Government IT is Flawed


Weaknesses in the information security of some California state offices were brought to light after the state auditor called for additional oversight and regular assessments, according to the report Gaps in Oversight Contribute to Weaknesses in the State’s Information Security.

In the midst of ongoing conversations around the security of customer data and less than six months before the California Consumer Privacy Act (CCPA) is scheduled to go into effect, the report comes at a time when governments are grappling with the ever-growing threat of cyber-attacks. 

According to the report from state auditor Elaine Howle, the personal information of California residents may not be protected because of flaws in the government’s IT systems. “We surveyed 33 non-reporting entities from around the State and reviewed 10 of them in detail. Twenty-nine of the 33 obtained an information security assessment to evaluate their compliance with the specific security standards they selected, 24 learned that they were only partially compliant, and 21 identified high-risk deficiencies,” the report said.

Howle called for state agencies to do more in order to effectively safeguard the information that state government agencies collect, maintain and store. Additionally, Howle noted that “the non-reporting entities we surveyed may be unaware of additional information security weaknesses because many of them relied upon information security assessments that were limited in scope.”

Because California has usually been considered a trailblazer when it comes to information security and data privacy practices, Ben Sadeghipour, head of hacker operations at HackerOne, said the auditor’s report comes as a surprise. “When you are a large government agency like the State of California dealing with the data of almost 40 million residents, it is absolutely critical to have consistency across information security policies, especially among the numerous government entities who are tasked with handling, storing and safeguarding personal data,” said Sadeghipour.

“Cyber-criminals are constantly searching for ways to exploit vulnerabilities, especially in the government sector due to the notion that they are easy targets with a goldmine of data. Every government agency, regardless of budget, should at minimum implement a vulnerability disclosure policy (VDP) so that security researchers or ethical hackers can find those vulnerabilities before the bad guys do.”

Identity Theft on the Job Market

Identity theft is getting more subtle: "My job application was withdrawn by someone pretending to be me":

When Mr Fearn applied for a job at the company he didn't hear back.

He said the recruitment team said they'd get back to him by Friday, but they never did.

At first, he assumed he was unsuccessful, but after emailing his contact there, it turned out someone had created a Gmail account in his name and asked the company to withdraw his application.

Mr Fearn said the talent assistant told him they were confused because he had apparently emailed them to withdraw his application on Wednesday.

"They forwarded the email, which was sent from an account using my name."

He said he felt "really shocked and violated" to find out that someone had created an email account in his name just to tarnish his chances of getting a role.

This is about as low-tech as it gets. It's trivial for me to open a new Gmail account using a random first and last name. But because people innately trust email, it works.

Thousands of NHS computers are still running Windows XP from beyond the grave

Two years after the WannaCry ransomware outbreak shone a light on the computer security of the UK’s National Health Service, and five years after Microsoft said it would no longer release patches for Windows XP, the NHS still has 2300 PCs running the outdated operating system.

Read more in my article on the Tripwire State of Security blog.

Malicious Python packages found on PyPI

Researchers have uncovered another batch of malicious Python libraries hosted on the Python Package Index (PyPI). PyPI is the official third-party software repository for Python and a great source of open source libraries and modules for implementing common functionality. Unfortunately, if a malicious component ends up on it, chances are many developers will download and use it before it is discovered and removed from the repository. This happened with libpeshnx, libpesh and libari, … More

The post Malicious Python packages found on PyPI appeared first on Help Net Security.

IDG Contributor Network: Brand reputation at risk

The world is going digital at an unprecedented pace. Established business models are reaching the end of their life cycle. New market entrants are disruptively entering the arena with asset-light balance sheets, built upon platforms and apps, which turn the dynamics of competition upside-down. Technology, media and entertainment, and telco (TMT) companies are at the forefront of this wave.

Although many TMT companies are leaders in digital transformation, they are arguably more vulnerable to cyber-attacks than other industries, with the consequences of a breach more serious, as highlighted in EY’s GISS 2018-19. Unlike the global panel, this excerpt focuses on consolidated findings from TMT companies.

To read this article in full, please click here

Microsoft Observed Nation-State Attacks Targeting 10,000 of Its Customers

Microsoft has notified approximately 10,000 of its customers that they were the targets of nation-state attacks over the past year. On 17 July, Microsoft’s Corporate Vice President of Customer Security & Trust Tom Burt revealed that 84 percent of those attacks had targeted the tech giant’s enterprise customers. The remaining 16 percent of campaigns went […]… Read More

The post Microsoft Observed Nation-State Attacks Targeting 10,000 of Its Customers appeared first on The State of Security.

Security is Biggest Digital Transformation Concern


Cybersecurity is viewed as the biggest single risk to digital transformation projects, but most organizations aren’t involving CISOs early enough in projects, according to new research from Nominet.

The .uk registry and DNS security organization polled 274 CISOs, CIOs, CTOs and others with responsibility for security in US and UK organizations.

It found that the vast majority (93%) were implementing digital transformation projects, although of the small number who weren’t, more than a quarter (27%) said it is because of security concerns.

Cybersecurity was also far and away the biggest worry for those currently undertaking such projects, with 53% citing it as a top-three threat. Some 95% expressed some concern, with over two-fifths (41%) either “very” or “extremely” concerned.

Topping these concerns were exposure of customer data (60%), cyber-criminal sophistication (56%), an increased threat surface (53%), visibility blind spots (44%), and IoT devices (39%).

Although a third (34%) of respondents claimed security was considered during the development of the digital transformation strategy, many left it to the pre-implementation (28%) and implementation (28%) stages, or even post-implementation (9%). Some 2% said security wasn’t considered at all.

IT leaders may be over-confident in their ability to mitigate cyber-risk in digital transformation. Some 82% of respondents claimed it was considered early enough in their projects and 85% scored it near top marks for effectiveness, despite 86% having suffered a breach in the past 12 months.

What's more, a majority of partners (59%), customers (55%) and industry/regulatory bodies (54%) had queried the robustness of their approach.

“For any IT project it is absolutely fundamental that security is considered from the word go. Otherwise, you end up trying to retrospectively fit security to a system and that results in gaps and vulnerabilities in the security architecture,” argued Nominet CISO, Cath Goulding.

“With digital transformation you have to be sure that when you’re bringing in new applications, security is considered from the outset. More than this though, in a digital transformation project, the real trick is to manage the security considerations of legacy and new applications simultaneously.”

On the plus side, 31% of respondents reported that 11-25% of their digital transformation budget is allocated to cybersecurity, with over a fifth (23%) claiming that 26-50% is set aside.

Authentication and the Have I Been Pwned API


The very first feature I added to Have I Been Pwned after I launched it back in December 2013 was the public API. My thinking at the time was that it would make the data more easily accessible to more people to go and do awesome things; build mobile clients, integrate into security tools and surface more information to more people to enable them to do positive and constructive things with the data. I highlighted 3 really important attributes at the time of launch:

There is no authentication.

There is no rate limiting.

There is no cost.

One of those changed nearly 3 years ago now - I had to add a rate limit. The other 2 are changing today and I want to clearly explain why.

Identifying Abusive API Usage

Let me start with a graph:


This is executions of the V2 API that enables you to search an individual email address. There are 1.06M requests in that 24-hour period, 491k of them in the last 4 hours. Even with the rate limit of 1 request every 1,500ms per IP address enforced, that graph shows a very clear influx of requests peaking at 14k per minute. How? Well, let's pull the logs from Cloudflare and see:


This is the output of a little log analyser I wrote that breaks requests down by ASN (and other metrics) over the past hour. There were 15,573 requests from AS23969 across 82 unique IP addresses. Have a look at where those IP addresses came from:


There is no conceivable way that this is legitimate, organic usage of the API from Thailand. The ASN is owned by TOT Public Company Limited, a local Thai telco that has somehow ended up with a truckload of IP addresses hitting HIBP at just the right rate to not trigger the rate limit. The next top ASN is Biznet Networks in Indonesia. Then Claro in Brazil. After that there's Digital Ocean and then another Indonesian telco, Telkomnet. It makes for a geographical spread that's entirely inconsistent with legitimate usage by genuine consumers (no, HIBP isn't actually big in Iran!):
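The breakdown above is the kind of thing a short log-analysis script produces. As an added example (my code, not the analyser from the post), the following Node.js script groups Cloudflare-style request logs by ASN and flags an ASN whose many distinct IPs are all pacing their requests just over the per-IP limit, which is exactly the pattern described above: a per-IP rule is satisfied by every single address, yet the ASN as a whole is clearly one operator. It assumes Logpush-style JSON lines carrying the ClientASN, ClientCountry, ClientIP, ClientRequestPath, ClientRequestUserAgent and EdgeStartTimestamp fields; the log lines, the 203.0.113.0/24 and 198.51.100.7 addresses and the ASNs 64500 and 64501 are constructed for the example.

```javascript
// Added example, not the analyser from the post: bucket Cloudflare-style request
// logs by ASN and flag a fleet of IPs that each pace just over a per-IP rate limit.
// Field names follow Cloudflare Logpush (ClientASN, ClientIP, ClientCountry,
// ClientRequestPath, ClientRequestUserAgent, EdgeStartTimestamp); the sample
// data below is constructed for the example.

const PER_IP_LIMIT_MS = 1500; // the post's V2 limit: one request per 1,500 ms per IP

// Constructed sample: ten IPs in ASN 64500 (a private-use ASN) each sending 30
// requests 1,600 ms apart, plus one ordinary client making three requests, plus
// one corrupt line to show that malformed input is skipped rather than fatal.
function buildSampleLog() {
  const lines = [];
  const t0 = 1563400000000; // arbitrary epoch milliseconds
  for (let host = 1; host <= 10; host++) {
    for (let n = 0; n < 30; n++) {
      lines.push(JSON.stringify({
        EdgeStartTimestamp: t0 + n * 1600 + host * 37,
        ClientIP: `203.0.113.${host}`,
        ClientASN: 64500,
        ClientCountry: "th",
        ClientRequestPath: "/api/v2/breachedaccount/someone@example.com",
        ClientRequestUserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
      }));
    }
  }
  for (let n = 0; n < 3; n++) {
    lines.push(JSON.stringify({
      EdgeStartTimestamp: t0 + n * 20000,
      ClientIP: "198.51.100.7",
      ClientASN: 64501,
      ClientCountry: "au",
      ClientRequestPath: "/api/v2/breachedaccount/someone@example.com",
      ClientRequestUserAgent: "example-breach-checker/1.0",
    }));
  }
  lines.push("not json at all");
  return lines;
}

// Group requests by ASN. For each IP compute the median gap between consecutive
// requests and count IPs whose median sits in [limit, 1.5 * limit): that is an
// address deliberately paced to stay under a per-IP rule, not a person or a plain tool.
function analyseByAsn(lines, perIpLimitMs = PER_IP_LIMIT_MS) {
  const byAsn = new Map();
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!byAsn.has(rec.ClientASN)) {
      byAsn.set(rec.ClientASN, { asn: rec.ClientASN, requests: 0, countries: new Set(), ips: new Map() });
    }
    const a = byAsn.get(rec.ClientASN);
    a.requests += 1;
    a.countries.add(rec.ClientCountry);
    if (!a.ips.has(rec.ClientIP)) a.ips.set(rec.ClientIP, []);
    a.ips.get(rec.ClientIP).push(rec.EdgeStartTimestamp);
  }
  const rows = [];
  for (const a of byAsn.values()) {
    let pacedIps = 0;
    for (const stamps of a.ips.values()) {
      if (stamps.length < 5) continue; // too few requests to judge pacing
      stamps.sort((x, y) => x - y);
      const gaps = stamps.slice(1).map((t, i) => t - stamps[i]).sort((x, y) => x - y);
      const median = gaps[Math.floor(gaps.length / 2)];
      if (median >= perIpLimitMs && median < perIpLimitMs * 1.5) pacedIps += 1;
    }
    rows.push({ asn: a.asn, requests: a.requests, uniqueIps: a.ips.size, pacedIps, countries: [...a.countries] });
  }
  return rows.sort((x, y) => y.requests - x.requests);
}

// An ASN is suspicious when it contributes many distinct IPs and most of them are paced.
// The returned list is what you would feed into an ASN-based firewall rule.
function suspiciousAsns(rows, minIps = 5, minPacedFraction = 0.8) {
  return rows
    .filter((r) => r.uniqueIps >= minIps && r.pacedIps / r.uniqueIps >= minPacedFraction)
    .map((r) => r.asn);
}

// Stand-alone run over the constructed sample.
const report = analyseByAsn(buildSampleLog());
console.table(report);
console.log("suspicious ASNs:", suspiciousAsns(report));
```

Run it with `node` and pipe real Logpush output into `analyseByAsn` instead of the constructed sample. The thresholds (five IPs, 80% paced) are the example's own starting point; tune them against a day of your own traffic before you let the output drive a blocking rule, because, as the next sections show, a blanket ASN block also catches legitimate users on the same network.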


Late last year after seeing a similar pattern with a well-known hosting provider, I reached out to them to try and better understand what was going on. I provided a bunch of IP addresses which they promptly investigated and reported back to me on:

1- All those servers were compromised. They were either running standalone VPSs or cpanel installations.

2- Most of them were running WordPress or Drupal (I think only 2 were not running any of the two).

3- They all had a malicious cron.php running

This helped me understand the source of the problem, but it didn't get me any closer to actually blocking the abusive behaviour. For the sake of transparency, let me talk about how I tried to tackle this because that will help everyone understand why I've arrived at a very different model to what I started with.

Combating Abuse with Firewall Rules

Firewall rules on Cloudflare are amazingly awesome. It takes just a few seconds to have a rule like this in place:


Make more than 40 requests in a minute and you're in the naughty corner for a day. Only thing is, that's IP-based and per the earlier section on abusive patterns, actors with large numbers of IP addresses can largely circumvent this approach. It's still a fantastic turn-key solution that seriously raises the bar for anyone wanting to get around it, but someone determined enough will find a way.

No problem, I'll just take abusive ASNs like the Thai one above and give them the boot. I scripted a lot of them based on patterns in the log files and created a firewall rule like this:


That works pretty quickly and is very effective, except for the fact that there's an awful lot of ASNs out there being abused. Plus, it has side-effects I'll come back to shortly too.

So how about looking at user agent strings instead? I mean, I could always just block the ones bad actors are using, except that was never going to work particularly well for obvious reasons (you can always define whatever one you like). That said, there were a heap of browser UAs which clearly were (almost) never legitimate for a client making API calls. So I blocked these as well:


That shouldn't have come as a surprise to anyone as the API docs were actually quite clear about this:

The user agent should accurately describe the nature of the API consumer such that it can be clearly identified in the request. Not doing so may result in the request being blocked.

Problem is, people don't read docs and I ended up with a heap of default user agents (such as curl's) which were summarily blocked. And, of course, the user agent requirement was easily circumvented as I expected it would be and I simply started seeing randomised strings in the UA.

Another approach I toyed with (very transiently) was blocking entire countries from accessing the API. I was always really hesitant to do this, but when 90% of the API traffic was suddenly coming from a country in West Africa, for example, that was a pretty quick win.

I'm only writing about this here now because as the new model comes into place, all of this will be redundant. Plus, I wanted to shed some light on the API behaviour some people may have previously seen which they couldn't quite work out, and that brings me to the next section.

The Impact on Legitimate Usage

The attempts described above to block abuse of the API also blocked a lot of good requests. I feel bad about that because it made something I'd always intended to be easily accessible difficult for some people to use. I hope that by explaining the background here, people will understand why the approaches above were taken and indeed, why the changes I'm going to talk about soon were necessary.

I got way too many emails from people about API requests being blocked to respond to. Often this was due to simply not meeting the API requirements, for example providing a descriptive UA string. Other times it was because they were on the same network as abusive users. There were also those who simply smashed through the rate limit too quickly and got themselves banned for a day. Other times, there were genuine API users in that West African country who found themselves unable to use the service. I was constantly balancing the desire to make the API easily accessible whilst simultaneously trying to ensure it wasn't taken advantage of. In the end, the path forward was clear - the API would need to be authenticated.

The New Model: Authenticated Requests

I held back on this for a long time because adding auth to the API adds a barrier to entry. It also adds coding effort on my end as well as management overhead. However, by earlier this year it became clear that this was the only way forward: requests would have to be auth'd. Doing this solves a heap of problems in one fell swoop:

  1. The rate limit could be applied to an API key thus solving the problem of abusive actors with multiple IP addresses
  2. Abuse associated with an IP, ASN, user agent string or country no longer has to impact other requests matching the same pattern
  3. The rate limit can be just that - a limit rather than also dishing out punishment via the 24 hour block

Making an authenticated call is a piece of cake, you just add an hibp-api-key header as follows:

GET https://haveibeenpwned.com/api/v3/breachedaccount/test@example.com
hibp-api-key: [your key]

However, this wasn't going to completely solve the problem, rather it moved the challenge to the way in which API keys were provisioned. It's no good putting controls around the key itself if a bad actor could just come along and register a heap of them. Anti-automation on the form where a key can be requested is one thing, stopping someone from manually registering, say, 20 of them with different email addresses and massively amplifying their request rate is quite another. I had to raise the bar just high enough to dissuade people from doing this, which brings me to the financial side of things.

There's a US$3.50 per Month Fee to Use the API

Clearly not everyone will be happy with this so let me spend a bit of time here explaining the rationale. This fee is first and foremost to stop abuse of the API. The actors I've seen taking advantage of it are highly unlikely to front up with a credit card and provide what amounts to personally identifiable data (i.e. make a credit card payment) in order to mass enumerate the API.

In choosing the $3.50 figure, I wanted to ensure it was a number that was inconsequential to a legitimate user of the service. That's about what a latte costs at my local coffee shop so spending a few bucks a month to search through billions of records seems like a pretty damn good deal, especially when that rate limit enables 57.6k requests per day.

One thing I want to be crystal clear about here is that the $3.50 fee is in no way an attempt to monetise something I always wanted to provide for free. I hope the explanation above helps people understand that, and also the fact the API has run the last 5 and a half years without any auth whatsoever clearly demonstrates that financial gain has never been the intention. Plus, the service I'm using to implement auth and rate limits comes with a direct cost to me:


This is from the Azure API Management pricing page which is the service I'm using to provision keys and control rate limits (I'll write a more detailed post on this later on - it's kinda awesome). I chose the $3.50 figure because it represents someone making one million calls. Some people will make much less, some much more - that rate limit represents a possible 1.785 million calls per month. Plus, there's still the costs of function executions, storage queries and egress bandwidth to consider, not to mention the slice of the $3.50 that Stripe takes for processing the payment (all charges are routed through them). The point is that the $3.50 number is pretty much bang on the mark for the cost of providing the service.

What this change does is simultaneously give me a much higher degree of confidence that the API will be used in an ethical fashion whilst also ensuring that those who use it have a much more predictable experience without me dipping deeper and deeper into my own pocket.

The API is Revving to Version 3 (and Has Some Breaking Changes)

With this change, I'm revising the API up to version 3. All documentation on the API page now reflects that and also reflects a few breaking changes, the first of which is obviously the requirement for auth. When using V3, any unauthenticated requests will result in an HTTP 401.

The second breaking change relates to how the versioning is done. Back in 2014, I wrote about how your API versioning is wrong and headlined it with this graphic:


I outlined 3 different possible ways of expressing the desired version in API calls, each with their own technical and philosophical pros and cons:

  1. Via the URL
  2. Via a custom request header
  3. Via the accept header

After 4 and a bit years, by far and away the most popular method with an uptake of more than 90% is versioning via the URL. So that's all V3 supports. I don't care about the philosophical arguments to the contrary, I care about working software and in this case, the people have well and truly spoken. I don't want to have to maintain code and provide support for something people barely use when there's a perfectly viable alternative.

Next, I'm inverting the condition expressed in the "truncateResponse" query string. Previously, a call such as this would return all meta data for a breach:

GET https://haveibeenpwned.com/api/v2/breachedaccount/test@example.com

You'd end up with not just the name of the breach, but also how many records were in it, all the impacted data classes, a big long description and a whole bunch of other largely redundant information. I say "redundant" because if you're hitting the API over and over again, you're pulling back the same info for each account that appears in the same breach. Using the "truncateResponse" parameter reduced the response size by 98% but because it wasn't the default, it wasn't used that much. I want to drive the adoption of small responses because not only are they faster for the consumer, they also reduce my bandwidth bill which is one of the most expensive components of HIBP. You can still pull back all the data for each breach if you'd like, you just need to pass "truncateResponse=false" as true is now the default. (Just a note on that: you're far better off making a single call to get all breached sites in the system then referencing that collection by breach name after querying an individual email address.)

I'm also inverting the "includeUnverified" parameter. The original logic for this was that when I launched the concept of unverified breaches, I didn't want existing consumers of the API to suddenly start getting results for breaches which may not be real. However, with the passage of time I've come across a couple of issues with this and the first is that a heap of people consumed the API with the default params (which wouldn't include unverified breaches) and then contacted me asking "why does the API return different results to the front page of HIBP?" The other issue is that I simply haven't flagged very many breaches as unverified and I've also added other classes of breach which deviate from the classic model of loading a single incident clearly attributable to a single site such as the original Adobe breach. There are now spam lists, for example, as well as credential stuffing lists and returning all data by default is much more consistent with the ethos of considering all breached data to be in scope.

The other major thing related to breaking stuff is this:

Versions 1 and 2 of the API for searching breaches and pastes by email address will be disabled in 4 weeks from today on August 18.

I have to do this on an aggressive time frame. Whilst I don't, all the problems mentioned above with abuse of the API continue. When we hit that August due date, the APIs will begin returning HTTP 400 "Bad Request" and that will be the end of them.

One important distinction: this doesn't apply to the APIs that don't pull back information about an email address; the API listing all breaches in the system, for example, is not impacted by any of the changes outlined here. It can be requested with version 3 in the path, but also with previous versions of the API. Because it returns generic, non-personal data it doesn't need to be protected in the same fashion (plus it's really aggressively cached at Cloudflare). Same too for Pwned Passwords - there's absolutely zero impact on that service.

During the next 4 weeks I'll also be getting more aggressive with locking down firewall rules on the previous versions at the first sign of misuse until they're discontinued entirely. It's an easy fix if you're blocked on V2 - get an API key and roll over to V3. Now, about that key...

Protecting the API Key (and How My Problem Becomes Your Problem)

Now that API keys are a thing, let me touch briefly on some of the implications of this as it relates to those of you who've built apps on top of HIBP. And just for context, have a look at the API consumers page to get a sense of the breadth we're talking about; I'll draw some examples out of there.

For code bases such as Brad Dial's Pwny Corral, it's just a matter of adding the hibp-api-key header and a configuration for the key. Users of the script will need to go through the enrolment process to get their own key then they're good to go.

In a case like What's My IP Address' Data Breach Check, we're talking about a website with a search feature that hits their endpoint and then they call HIBP on the server side. The HIBP API key will sit privately on their end and the only thing they'll really need to do is stop people from hammering their service so it doesn't exceed the HIBP rate limit for that key. This is where it becomes their (your) problem rather than mine and that's particularly apparent in the next scenario...

Rich client apps designed for consumer usage such as Outer Corner's Secrets app will need to proxy API hits through their own service. You don't want to push the HIBP API key out with the installer plus you also need to be able to control the rate limit of all your customers so that it doesn't make the service unavailable for others (i.e. one user of Secrets smashes through the rate limit thus making the service unavailable for others).

One last thing on the rate limit: because it's no longer locking you out for a day if exceeded, making too many requests results in a very temporary lack of service (usually single digit seconds). If you're consuming the new auth'd API, handle HTTP 429 responses from HIBP gracefully and ask the user to try again momentarily. Now, with that said, let me give you the code to make it dead easy to both proxy those requests and control the rate at which your subscribers hit the service; here's how to do it with Cloudflare workers and rate limits:

Proxying With a Cloudflare Worker (and Setting Rate Limits)

The fastest way to get up and running with proxying requests to V3 of the HIBP API is with a Cloudflare Worker. This is "serverless code on the edge" or in other words, script that runs on Cloudflare's 180 edge nodes around the world such that when someone makes a request for a particular route, the script kicks in and executes. It's easiest just to have a read of the code below:

Stand up a domain on Cloudflare's free tier (if you're not on there already) then it's $5 per month to send 10M queries through your worker which is obviously way more than you can send to the HIBP API anyway. And while you're there, go and use the firewall rules to lock down a rate limit so your own API isn't hammered too much (keeping in mind some of the challenges I faced when doing this).

The point is that if you need to protect the API key and proxy requests, it's dead simple to do.
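The worker code embedded in the original post is not reproduced on this page, so here is an added example of the same idea (my code, not Troy's): a Cloudflare Worker that keeps the hibp-api-key on the server side, sheds excess client traffic before it burns the one key shared by all your users, and passes HIBP's HTTP 429 back-off on to the client as the previous section asks consumers to do. It assumes the key is stored as a Worker secret bound as HIBP_API_KEY, that clients call GET /api/breaches?account=<email>, and that the route, the header values and the function names are this example's own; the handler takes an injectable fetch and limiter so it can be exercised offline.

```javascript
// Added example, not the worker from the post: a Cloudflare Worker that proxies
// HIBP v3 breached-account lookups so the hibp-api-key never leaves the server
// side and one noisy client cannot exhaust the single key shared by all users.
// Assumptions: the key is bound as the secret env.HIBP_API_KEY; clients call
// GET /api/breaches?account=<email>; route and names are this example's own.

const HIBP_BASE = "https://haveibeenpwned.com/api/v3/breachedaccount/";
const MIN_INTERVAL_MS = 1500; // the per-key limit described in the post

// Allow one upstream call per interval. State lives in a single worker isolate,
// so this only smooths one edge node; a Cloudflare rate-limit rule on the route
// (as the post describes) remains the authoritative cap across all nodes.
function makeLimiter(intervalMs, now = () => Date.now()) {
  let last = -Infinity;
  return () => {
    const t = now();
    if (t - last < intervalMs) return false;
    last = t;
    return true;
  };
}

const defaultLimiter = makeLimiter(MIN_INTERVAL_MS);

function jsonResponse(body, status, extraHeaders = {}) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json", ...extraHeaders },
  });
}

// Handle one client request. upstreamFetch and limiter are injectable for tests.
async function handleRequest(request, env, upstreamFetch = fetch, limiter = defaultLimiter) {
  const url = new URL(request.url);
  if (request.method !== "GET" || url.pathname !== "/api/breaches") {
    return jsonResponse({ error: "not found" }, 404);
  }
  const account = url.searchParams.get("account") || "";
  // Cheap plausibility check so junk never reaches HIBP under your key
  if (!/^[^\s@/]+@[^\s@/]+\.[^\s@/]+$/.test(account)) {
    return jsonResponse({ error: "account must be an email address" }, 400);
  }
  if (!limiter()) {
    // Shed load here rather than spending the shared key on a call HIBP would 429
    return jsonResponse({ error: "try again shortly" }, 429, { "retry-after": "2" });
  }
  const upstream = await upstreamFetch(HIBP_BASE + encodeURIComponent(account), {
    headers: {
      "hibp-api-key": env.HIBP_API_KEY,          // read from the secret, never echoed
      "user-agent": "example-breach-proxy/1.0",  // HIBP requires a descriptive UA
    },
  });
  if (upstream.status === 404) return jsonResponse([], 200); // HIBP: not found means not pwned
  if (upstream.status === 429) {
    // Propagate HIBP's back-off so the client retries after a moment, as the post asks
    const retryAfter = upstream.headers.get("retry-after") || "2";
    return jsonResponse({ error: "try again shortly" }, 429, { "retry-after": retryAfter });
  }
  if (!upstream.ok) return jsonResponse({ error: "upstream error" }, 502);
  // v3 truncates by default, so each breach object carries only Name; forward the
  // names and let clients resolve metadata from the unauthenticated breaches list.
  const breaches = await upstream.json();
  return jsonResponse(breaches.map((b) => b.Name), 200);
}

// Module-worker entry point. In a real deployment this object is `export default`ed.
const worker = {
  fetch(request, env) {
    return handleRequest(request, env);
  },
};
```

Deploy it as a module worker with `export default worker`, put the key in with `wrangler secret put HIBP_API_KEY` rather than in the script, and add a Cloudflare rate-limit rule on `/api/breaches` in front of it; the in-isolate limiter is there to stop an obvious burst, not to be the control you rely on.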

"But what if you just..."

I'll get a gazillion suggestions of how I could do this differently. Every single time I talk about the mechanics of how I've built something I always do! The model described in this blog post is the best balance of a whole bunch of different factors; the sustainability of the service, the desire to limit abuse, leveraging the areas my skills lie in, the limited availability of my time and so on and so forth. There are many other factors that also aren't obvious so as much as suggestions for improvements are very welcomed, please keep in mind that they may not work in the broader sense of what's required to run this project.


There are a couple of these and they're largely due to me trying to make sure I get this feature out as early as possible and continue to run things on a shoestring cost wise. Firstly, there's no guarantee of support. We do the same thing with entry-level Report URI pricing and it's simply because it's enormously hard to do with the time constraints of a single person running this. That said, if anything is buggy or broken I definitely want to know about it. Secondly, there's no way to retrieve or rotate the API key. If you extend the one-off subscription you'll get the same key back or if you cancel an existing subscription and take a new one you'll also get the same key. I'll build out better functionality around this in the future.

I'm sure there'll be others that pop up and I'll expand on the items above if I've missed any here.


The changes I've outlined here strike a balance between making the API available for good purposes, making it harder to use for bad purposes, ensuring stability for all those in the former category and crucially, making it sustainable for me to operate. That last point in particular is critical for me both in terms of reducing abuse and reducing the overhead on me trying to achieve that objective and supporting those who ran into the previously mentioned blocks.

I expect there'll be many requests to change or evolve this model; other payment types, no payment at all for certain individuals or organisations, higher rate limits and so on and so forth. At this stage, my focus is on keeping the service sustainable as Project Svalbard marches forward and once that comes to fruition, I'll be in a much better position to revisit suggestions (also, there's a UserVoice for that). For now, I hope that this change leads to a much more sustainable service for everyone.

CVE-2019-6342 flaw allows hackers to fully compromise Drupal 8.7.4 websites

Drupal developers urge users to update their installs to version 8.7.5, which addresses the CVE-2019-6342 flaw that allows hackers to take control of Drupal 8 sites.

Drupal developers informed users that version 8.7.4 is affected by a critical flaw, tracked as CVE-2019-6342, that could be exploited by attackers to take control of Drupal 8 websites. Users have to update to version 8.7.5 to address the vulnerability.

The issue is an access bypass vulnerability in Drupal 8.7.4 that can be triggered when the experimental Workspaces module is enabled.

“In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.” reads the security advisory.

The vulnerability can be mitigated by disabling the Workspaces module.

“For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.” continues the advisory.

The development team pointed out that the flaw only affects the Drupal 8.7.4 release; earlier versions are not affected.

The flaw was reported by Dave Botsch, and the good news is that there is no evidence of cyber attacks exploiting it in the wild. Nevertheless, security experts believe that threat actors could start exploiting the flaw very soon, because it affects default configurations, is easy to exploit and requires minimal user interaction to be triggered.

The U.S. Department of Homeland Security (DHS) has also published a security update for the CVE-2019-6342 flaw.

Drupal websites are privileged targets for hackers; in the past, several campaigns leveraged other flaws in the popular CMS. In February, just three days after the CVE-2019-6340 flaw was addressed, threat actors in the wild started exploiting the issue to deliver cryptocurrency miners and other payloads.

In 2018, threat actors compromised many Drupal sites by exploiting two other flaws, dubbed Drupalgeddon2 and Drupalgeddon3.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-6342, hacking)

The post CVE-2019-6342 flaw allows hackers to fully compromise Drupal 8.7.4 websites appeared first on Security Affairs.

BEC Scams Cost US Firms $300m Each Month

Business Email Compromise (BEC) scams have rocketed in volume and value over the past two years, making cyber-criminals over $300m each month in 2018 from US victims alone, according to new data.

The findings were revealed by the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury.

They note that the number of BEC reports has climbed rapidly, from around 500 per month in 2016 to more than 1100 last year. The total value of related BEC thefts has also soared over the same period, from around $110m per month to an average of $301m.

Manufacturing and construction was the most targeted sector in 2017 and 2018, accounting for around a fifth and a quarter of reports in those years respectively.

In 2018, this sector was followed by “commercial services” – which includes shopping centers, entertainment facilities, and lodging – and then real estate.

The former saw reported BEC attacks increase more than any other vertical, tripling from 6% in 2017 to 18% last year.

Interestingly, the vast majority (73%) of BEC attacks seen over the period involved scammers receiving funds into US accounts, rather than ones overseas, taking advantage of money mule networks nationwide, FinCEN claimed.

“Industries that are common in a particular state likely represent the most targeted companies in that state,” it added. “For example, financial firms are the most frequently targeted firms in New York, while manufacturing and construction firms are the most frequently targeted in Texas.”

In terms of attack methodology, CEO impersonation ranked pretty high in 2017, accounting for a third (33%) of scams, but declined to 12% in 2018. On the other hand, use of a fraudulent vendor or client invoices grew from 30% to 39% over the period. Impersonation of an outside entity was 20% in 2018 but not documented in 2017.

The FBI warned earlier this year that BEC losses hit $1.3bn in 2018, almost half of all losses associated with cybercrime in the year. These were linked to just 20,000 victims, highlighting the potential high ROI for the scammers.

The figure works out much lower than the cost of BEC calculated by FinCEN, but this could be down to under-reporting.

FaceApp privacy panic: Be careful which apps you use

The privacy panic over FaceApp, the selfie-editing mobile app that makes photo subjects younger, older or turns them into members of the opposite sex, has been overblown. The (overblown) issue FaceApp is an iOS and Android app developed by Russian company Wireless Lab and is not without past controversy (e.g., lightening skin color to make users “hot”). In this latest bout of massive popularity, the app makers were “accused” of siphoning pictures from users’ mobile … More

The post FaceApp privacy panic: Be careful which apps you use appeared first on Help Net Security.

Dutch Police Nab Macro Malware Suspect

Dutch police have arrested a man suspected of developing and selling toolkits designed to build malicious Office documents for use in attacks.

In a statement on Wednesday, the country’s high-tech crime team (THTC) revealed it had apprehended a 20-year-old Utrecht man after monitoring his participation in hacking forums, with help from McAfee.

He’s suspected of selling specialized off-the-shelf toolkits such as Rubella Macro Builder, which effectively weaponize Office docs by enabling them to use obfuscated macro code to deliver a malicious payload, bypassing traditional security filters in the process.

However, in one of the man’s suspected posts to a hacking forum, investigators spotted use of a Dutch version of Microsoft Word. Given the relatively small global population that speaks the language, McAfee researchers went on the hunt for more clues.

“During our research we were able to link different nicknames used by the actor on several forums across a time span of many years,” the vendor said in a blog post. “Piecing it all together, Rubella showed a classic growth pattern of an aspiring cyber-criminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.”

On arrest, the suspect was found with data on dozens of credit cards and manuals on carding, as well as access credentials for thousands of websites.

“The suspect has collected an amount of approx. €20,000 in cryptocurrency such as Bitcoins. These have been seized. The investigation into further amounts the young man may have (unlawfully) earned will continue. In due course, a confiscation order will be issued,” a police statement noted.

“The public prosecutor has meanwhile decided that the suspect will have to face trial. No court date has yet been set.”

Scraping the TOR for rare contents

Cyber security expert Marco Ramilli explains the difficulties of scraping the ‘TOR networks’ and how to enumerate hidden services with scrapers.

Scraping the “TOR hidden world” is a quite complex topic. First of all, you need exceptional computational power (RAM mostly) to let multiple runners grab web pages, extract new links and re-run the scraping code against the links just extracted. You also need a queue manager to resolve conflicts between scrapers and a database to store the scraped data, and both need to stay consistent. Second, you need great starting points, in other words the .onion addresses your scrapers start from. You might decide to begin from common and well-known onion links such as the TOR hidden wiki, or from great reddit threads such as this one, but seldom do those approaches bring you to what I refer to as “interesting links”. For this post, “interesting links” means specific links that are rare or not very widespread and mostly focused on cyber-attacks and/or cyber-espionage. Another approach is needed in order to reach better results. One of the most profitable ways to search for “interesting links” is to look for .onion addresses in temporal and up-to-date spots such as pasties, IRC chats, Slack or Telegram groups, and so on and so forth. There you might find links that bring you to rarer content and less widespread information.
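The seed-harvesting step described above, as an added example in Python that is not part of Ramilli's post or his cluster: it pulls .onion hostnames out of constructed paste and IRC text, validates v3 addresses by recomputing the checksum embedded in the Tor rend-spec-v3 address format (so mangled copies are discarded before a runner wastes time on them), and feeds survivors into a deduplicating frontier queue of the kind the runners would share. The ed25519 public key, the derived addresses and all sample text are constructed for the example.

```python
import base64
import hashlib
import re
from collections import deque

# Candidate hostnames: v2 labels are 16 base32 chars, v3 labels are 56 base32 chars.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)
CHECKSUM_PREFIX = b".onion checksum"   # constant from the Tor rend-spec-v3 address format
V3_VERSION = b"\x03"


def onion_v3_address(pubkey: bytes) -> str:
    """Build a v3 hostname: base32(pubkey || checksum[:2] || version) + '.onion'."""
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]
    label = base64.b32encode(pubkey + checksum + V3_VERSION).decode("ascii").lower()
    return label + ".onion"


def is_valid_onion(host: str) -> bool:
    """v2: only the base32 alphabet can be checked; v3: recompute and compare the checksum."""
    label = host.lower().removesuffix(".onion")
    if len(label) == 16:
        return True
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except Exception:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        return False
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return checksum == expected


def extract_onions(text: str) -> list[str]:
    """Unique, validated onion hostnames in order of first appearance."""
    found: list[str] = []
    for match in ONION_RE.finditer(text):
        host = match.group(0).lower()
        if host not in found and is_valid_onion(host):
            found.append(host)
    return found


class Frontier:
    """Deduplicating work queue shared by the runners: each host is handed out once."""

    def __init__(self) -> None:
        self._queue: deque[str] = deque()
        self._known: set[str] = set()

    def add(self, hosts) -> int:
        added = 0
        for host in hosts:
            if host not in self._known:
                self._known.add(host)
                self._queue.append(host)
                added += 1
        return added

    def next_host(self):
        return self._queue.popleft() if self._queue else None


# Constructed inputs: a fake ed25519 public key, the v3 address derived from it,
# a copy with its last character mangled, and a v2-style label.
GOOD_V3 = onion_v3_address(bytes(range(32)))
BAD_V3 = GOOD_V3[:-7] + "a.onion"          # one character off -> checksum/version mismatch
SAMPLE_TEXT = f"""[paste 2019-07-18] mirror moved: http://{GOOD_V3}/index.php
<irc-user> old one was abcdefghij234567.onion, dead since Q1
<irc-user> mangled copy going around: http://{BAD_V3}/ (do not trust)
<irc-user> again: {GOOD_V3}
"""

if __name__ == "__main__":
    frontier = Frontier()
    print("seeds queued:", frontier.add(extract_onions(SAMPLE_TEXT)))
    while (host := frontier.next_host()) is not None:
        print("next:", host)
```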

Today I want to start from here by showing some simple stats about scraped .onion links in my domestic scraping cluster. From the following graph you can appreciate some statistics on active and inactive scraped hidden services. The represented week is actually a good stereotype of what I've got over the whole last quarter. What is interesting, at least from my personal point of view, is the percentage of offline (green) onion services versus the percentage of online (yellow) onion services.

Tor crawlers

This scenario changed dramatically in the past few months. While during Q1 2019 most of the scraped websites were absolutely up and running, in Q2 2019 I see most of the scraped hidden services dismissed and/or closed, even though they persist in the communication channels (IRC chats, pasties, Telegram, etc.).

I think there are two factors that so much affected the last quarter in spotting active hidden services. (1) Old content revamping: for example, bots pushing “interesting links” back online even after months of inactivity. This activity is not new at all, but during the past quarter it has been abused many more times than in previous quarters. (2) Hidden services are changing address much faster than a few months ago. In order to make them hard to spot, malicious actors might decide to keep their hidden services up and running only for a few hours and then change address/location. Is this way of enumerating hidden services passing away, or is it simply a weird time-frame? We will see during the next “Scraping” months, stay tuned!

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Ministry of Homeland Security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I've ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans.

This analysis and many other studies and tools are available on Marco Ramilli’s blog:


Pierluigi Paganini

(SecurityAffairs – Tor network, DarkWeb)

The post Scraping the TOR for rare contents appeared first on Security Affairs.

Experts spotted a rare Linux Desktop spyware dubbed EvilGnome

Experts at Intezer discovered a new backdoor, dubbed EvilGnome, that is targeting Linux systems for cyber espionage purposes.

Intezer spotted a new piece of Linux malware dubbed EvilGnome because it disguises itself as a Gnome extension. The researchers attribute the spyware to the Russia-linked Gamaredon Group. The modules used by EvilGnome are reminiscent of the Windows tools used by the Gamaredon Group; other analogies include the use of SFX, persistence with the task scheduler and the deployment of information stealers.

“Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system market share,” reads the analysis published by Intezer. “This explains our surprise when in the beginning of July, we discovered a new, fully undetected Linux backdoor implant, containing rarely seen functionalities with regards to Linux malware, targeting desktop users.”

The experts confirmed that the spy agent used by the threat actors was never seen before.


The Gamaredon APT was first spotted in 2013; last year researchers at LookingGlass shared the details of a cyber espionage campaign, tracked as Operation Armageddon, targeting Ukrainian entities.

The Security Service of Ukraine (SBU) blamed Russia’s Federal Security Service (FSB) for the cyber attacks.

The sample analyzed by Intezer was uploaded to VirusTotal by mistake; metadata that the attackers had not removed revealed that the malicious code was created on July 4. The analysis showed that the malicious code includes an unfinished keylogger, some comments, symbol names and compilation metadata, a circumstance that suggests the authors are still working on it.

EvilGnome allows attackers to take screenshots, steal files, capture audio recordings from the microphone, and download and execute other payloads.

The attack starts with spear-phishing emails containing weaponized attachments; the malware is distributed via Russian hosting providers.

The hosting provider used by the attackers behind EvilGnome has been used by the Gamaredon Group for years, and SSH was exposed on port 3436, the same port Gamaredon uses to expose SSH.

The Linux implant is delivered in the form of a self-extracting archive shell script created with makeself, a small shell script that generates a self-extracting compressed tar archive from a directory. The generated files appear as a shell script, many with a .run suffix, that can be launched as is.

The setup script installs the malicious code to ~/.cache/gnome-software/gnome-shell-extensions/, and attackers gain persistence by registering gnome-shell-ext.sh to run every minute in crontab.

In the last step of the installation process, the script executes gnome-shell-ext.sh, which in turn launches the main executable gnome-shell-ext.

“The Spy Agent was built in C++, using classes with an object oriented structure. The binary was not stripped, which allowed us to read symbols and understand the developer’s intentions.” continues the analysis.

“At launch, the agent forks to run in a new process. The agent then reads the rtp.dat configuration file and loads it directly into memory.”
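A host-side check built from the indicators quoted above (the install directory, the gnome-shell-ext.sh launcher and its every-minute crontab entry), written here as an added example rather than Intezer's or any vendor's tooling: it parses a constructed user crontab, flags jobs that match those indicators or that run every minute out of a hidden directory, and lists anything present under the install path for a given home directory. The crontab content is constructed; the only real values are the path and script name taken from the analysis.

```python
import re
from pathlib import Path

# Indicators taken from the Intezer analysis quoted above: install directory under $HOME
# and the launcher script registered in crontab to run every minute.
EVILGNOME_INSTALL_DIR = ".cache/gnome-software/gnome-shell-extensions"
EVILGNOME_SCRIPT = "gnome-shell-ext.sh"

CRON_JOB = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
HIDDEN_DIR = re.compile(r"(^|/)\.[^/\s]+/")   # a path component starting with '.'


def parse_crontab(text: str):
    """Yield (schedule, command) for each job line; skip blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
            continue
        if stripped.startswith("@"):                      # @reboot, @daily, ...
            schedule, _, command = stripped.partition(" ")
            yield schedule, command.strip()
            continue
        match = CRON_JOB.match(stripped)
        if match:
            yield " ".join(match.groups()[:5]), match.group(6)


def suspicious_cron_jobs(text: str) -> list[dict]:
    """Flag jobs matching the EvilGnome indicators or running every minute out of a hidden dir."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if EVILGNOME_SCRIPT in command or EVILGNOME_INSTALL_DIR in command:
            reasons.append("known EvilGnome indicator")
        if schedule == "* * * * *" and HIDDEN_DIR.search(command):
            reasons.append("every-minute job launched from a hidden directory")
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


def installed_artifacts(home: str) -> list[str]:
    """Paths present under the EvilGnome install directory for this home (empty on a clean host)."""
    base = Path(home) / EVILGNOME_INSTALL_DIR
    return sorted(str(p) for p in base.iterdir()) if base.is_dir() else []


# Constructed user crontab: three benign jobs and one matching the EvilGnome pattern.
SAMPLE_CRONTAB = """\
# backups and personal tooling
SHELL=/bin/bash
MAILTO=""
0 3 * * 1 /usr/bin/backup --quiet
@reboot /home/user/bin/sync-notes.sh
* * * * * /home/user/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
*/5 * * * * /home/user/.local/bin/fetch-mail
"""

if __name__ == "__main__":
    for hit in suspicious_cron_jobs(SAMPLE_CRONTAB):
        print(hit["schedule"], hit["command"], "->", "; ".join(hit["reasons"]))
    print("artifacts:", installed_artifacts(Path.home()))
```

On a live host, feed it the output of `crontab -l` for each user instead of the constructed sample.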

The spy agent is composed of five modules that run in separate threads:

  • ShooterSound – captures audio from the user’s microphone and uploads to C2;
  • ShooterImage – captures screenshots and uploads to C2;
  • ShooterFile – scans the file system for newly created files and uploads them to C2;
  • ShooterPing – receives new commands from C2;
  • ShooterKey – unimplemented and unused, most likely an unfinished keylogging module;

The modules access shared resources that are protected by mutexes, and they use RC5 with the key “sdg62_AS.sa$die3” to encrypt and decrypt data exchanged with the C&C.

The malware supports several commands, it can download and execute files, set new filters for scanning, download and set new runtime configurations, exfiltrate stored output to the C&C, or stop the modules from running.

“EvilGnome is a rare type of malware due to its appetite for Linux desktop users. Throughout this post, we have presented detailed infrastructure-related evidence to connect EvilGnome to the actors behind the Gamaredon Group,” concludes Intezer. “We believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations.”

Pierluigi Paganini

(SecurityAffairs – EvilGnome, Linux malware)

The post Experts spotted a rare Linux Desktop spyware dubbed EvilGnome appeared first on Security Affairs.

Multi-Cloud Security Best Practices Guide

A multi-cloud network is a cloud network that consists of more than one cloud services provider. A straightforward type of multi-cloud network involves multiple infrastructure as a service (IaaS) vendors. Can you use AWS and Azure together? For example, you could have some of your cloud network’s servers and physical network provided by Amazon Web […]… Read More

The post Multi-Cloud Security Best Practices Guide appeared first on The State of Security.

Anatomy of a spear phishing attack – with example scam

With cyber crime quickly becoming a top priority for organisations, IT admins have felt the pressure to invest in network defences and ensure their systems aren’t breached.

But those measures aren’t much help when criminals use phishing scams to bypass organisations’ defences and hit them where they’re most vulnerable: their employees.

Fraudsters have countless tricks up their sleeve when targeting people for attacks, but perhaps the most dangerous is spear phishing. Let’s take a look at how it works, along with an example to help you spot the clues of an attack.

What is spear phishing?

Spear phishing is a form of email attack in which fraudsters tailor their message to a specific person.

They can gather the information they need to seem plausible by researching the target online – perhaps using Facebook, LinkedIn or the website of the target’s employer – and imitating a familiar email address.

Spear phishing is harder to detect than regular phishing scams, because although messages contain the same clues as any phishing attack, the fact that they are addressed specifically to the target assuages suspicions that they are bogus.

However, other than creating a false sense of security, the attack works in the same way as any other type of phishing scam. The message will either contain an attachment infected with malware or direct the recipient to a malicious website, which might inject malware into the browser or request user credentials through spoofing.

Proofpoint’s 2019 State of the Phish Report found that 83% of respondents were hit by at least one spear phishing attack in the last year. This shows just how hard it is to identify and properly respond to targeted email threats.

An example of a spear phishing email

Here’s an example of a real spear phishing email. You can see the whole message below, followed by a breakdown of the text showing how you can tell that the message is bogus.

Subject: Domain Notification for [website] : This is your Final Notice of Domain

Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: [website]

ATT: [name redacted]
[website redacted]
Response Requested By
5 – Nov. – 2018


Attn: [name]

As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine registration includes domain name search engine submission. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!

Select Package:
[website link redacted]

Payment by Credit/Debit Card

Select the term using the link above by 5 – Nov. – 2018

Spotting the signs of spear phishing

Did you see the clues that the email was fake? And what about the tricks the scammer used to make the message look genuine? Let’s take a closer look at the message, beginning with the subject line:

“This is your Final Notice”

Right from the start, the criticality of this email is established in my mind. I’m also concerned as it looks like I’ve missed a previous notice.

“Attention: Important Notice”

The importance of this email has been set.

“Domain Name: [website]”

It’s the correct domain, indicating this email is indeed relevant to me.

“ATT: [name]”

Correct name also; must be legit and specific to me personally.

“As a courtesy”

They’re doing me the service. Sounds decent and generous.

“This letter is to inform you that it’s time to send in your registration.”

Sounding official now and the time pressure is being ramped up. It’s also trying to soften me up to part with personal information.

“Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.”

If I don’t comply quickly (time pressure again), there’s going to be an adverse impact on me and I’ll lose customers. This could potentially hit me in the pocket!

“Search engine registration includes domain name search engine submission.”

They’re going to perform some sort of important-sounding service for me.

“Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.”

Really mixed messages here. An instruction not to “discard” this important “notice” but no pressure, as this isn’t a request for money (“not an invoice”) but just a generous and selfless “courtesy” and “reminder” that will benefit me.

“This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!”

Time pressure cranked up to maximum. No need to think; just act now before it’s too late.

All the above are typical examples of emotional manipulation. This is classic spear phishing.

I didn’t click the link and hand over my payment card details, because it raised all manner of red flags. Instead, I googled the link, which confirmed my suspicions.

Sadly, some would have fallen for it simply through a lack of training and awareness.

Teach your staff to spot phishing emails

You can help educate employees on the threat of phishing and what they can do to mitigate the risk by enrolling them on our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the one above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.

You might also benefit from a comprehensive review of your approach to cyber security. Our Security Awareness Programme does just that, helping you generate tangible and lasting improvements to your organisation’s security awareness.

It combines a learning needs assessment to identify the areas that your organisation should focus on, with a series of tools and services to address problems as they arise, including hands-on support from a specialist consultant, pocket guides and e-learning courses.

Find out more about our Security Awareness Programme >>

The post Anatomy of a spear phishing attack – with example scam appeared first on IT Governance Blog.

True passwordless authentication is still quite a while away

The password has been one of the great inventions in the history of computing: a solution that allowed simple and effective identity and access management when the need arose for it. Unfortunately, as time passed, the downsides of using (just) passwords became apparent: they can be forgotten, guessed, cracked, stolen and, finally, misused. While we wait for the password to die… During the last decade or so, many IT and IT security professionals have foretold … More

The post True passwordless authentication is still quite a while away appeared first on Help Net Security.