Researchers at Google announced the discovery of a hacking campaign that used hacked websites to deliver malware to iPhones.
Project Zero, Google’s security research team, discovered fourteen previously unknown vulnerabilities, called zero-day exploits, that were capable of compromising iPhones. Further research revealed a small collection of hacked websites capable of delivering malware to iPhone users visiting those sites.
“There was no target discrimination; simply visiting the hacked site was enough for the exploited server to attack your device, and if it was successful, installing a monitoring implant. We estimate that these sites receive thousands of visitors per week,” wrote Project Zero member Ian Beer in a blog post announcing their findings.
The data accessible on the compromised phones included the user’s location, their passwords, chat histories, contact lists, and full access to their Gmail accounts.
“Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services… even after they lose access to the device,” said Beer.
The hacking campaign was active for at least two years before it was discovered by Project Zero. The research team informed Apple of their findings, and the targeted vulnerabilities were patched in an update in February 2019.
Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?
There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions.
The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.
According to one report, a U.S. school district becomes the victim of a cyberattack as often as every three days. The reason for this is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools, where social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft.
Top three cyberthreats
The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom.
Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.
In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless.
7 key questions to ask
Does the school have a system to educate staff, parents, and students about potential risks and safety protocols?
Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
Are data security and student privacy a fundamental part of onboarding new school employees?
Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
Does the school have any new technology initiatives planned? If so, how will it address student data protection?
The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.
Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same.
Many companies are now outsourcing their marketing efforts to cloud-based Customer Relationship Management (CRM) providers. But when accounts at those CRM providers get hacked or phished, the results can be damaging for both the client’s brand and their customers. Here’s a look at a recent CRM-based phishing campaign that targeted customers of Fortune 500 construction equipment vendor United Rentals.
Stamford, Ct.-based United Rentals [NYSE:URI] is the world’s largest equipment rental company, with some 18,000 employees and earnings of approximately $4 billion in 2018. On August 21, multiple United Rental customers reported receiving invoice emails with booby-trapped links that led to a malware download for anyone who clicked.
While phony invoices are a common malware lure, this particular campaign sent users to a page on United Rentals’ own Web site (unitedrentals.com).
A screen shot of the malicious email that spoofed United Rentals.
In a notice to customers, the company said the unauthorized messages were not sent by United Rentals. One source who had at least two employees fall for the scheme forwarded KrebsOnSecurity a response from UR’s privacy division, which blamed the incident on a third-party advertising partner.
“Based on current knowledge, we believe that an unauthorized party gained access to a vendor platform United Rentals uses in connection with designing and executing email campaigns,” the response read.
“The unauthorized party was able to send a phishing email that appears to be from United Rentals through this platform,” the reply continued. “The phishing email contained links to a purported invoice that, if clicked on, could deliver malware to the recipient’s system. While our investigation is continuing, we currently have no reason to believe that there was unauthorized access to the United Rentals systems used by customers, or to any internal United Rentals systems.”
United Rentals told KrebsOnSecurity that its investigation so far reveals no compromise of its internal systems.
“At this point, we believe this to be an email phishing incident in which an unauthorized third party used a third-party system to generate an email campaign to deliver what we believe to be a banking trojan,” said Dan Higgins, UR’s chief information officer.
United Rentals would not name the third-party marketing firm thought to be involved, but passive DNS lookups on the UR subdomain referenced in the phishing email (used by UR for marketing since 2014 and visible in the screenshot above as “wVw.unitedrentals.com”) point to Pardot, an email marketing division of cloud CRM giant Salesforce.
Companies that use cloud-based CRMs sometimes will dedicate a domain or subdomain they own specifically for use by their CRM provider, allowing the CRM to send emails that appear to come directly from the client’s own domains. However, in such setups the content that gets promoted through the client’s domain is actually hosted on the cloud CRM provider’s systems.
Salesforce told KrebsOnSecurity that this was not a compromise of Pardot, but of a Pardot customer account that was not using multi-factor authentication.
“UR uses a third party marketing agency that utilizes the Pardot platform,” said Salesforce spokesman Bradford Burns. “The third party marketing agency is who was compromised, not a Pardot employee.”
This attack comes on the heels of another targeted phishing campaign leveraging Pardot that was documented earlier this month by Netskope, a cloud security firm. Netskope’s Ashwin Vamshi said users of cloud CRM platforms have a high level of trust in the software because they view the data and associated links as internal, even though they are hosted in the cloud.
“A large number of enterprises provide their vendors and partners access to their CRM for uploading documents such as invoices, purchase orders, etc. (and often these happen as automated workflows),” Vamshi wrote. “The enterprise has no control over the vendor or partner device and, more importantly, over the files being uploaded from them. In many cases, vendor- or partner-uploaded files carry with them a high level of implicit trust.”
Cybercriminals increasingly are targeting cloud CRM providers because compromised accounts on these systems can be leveraged to conduct extremely targeted and convincing phishing attacks. According to the most recent stats (PDF) from the Anti-Phishing Working Group, software-as-a-service providers (including CRM and Webmail providers) were the most-targeted industry sector in the first quarter of 2019, accounting for 36 percent of all phishing attacks.
Update, 2:55 p.m. ET: Added comments and responses from Salesforce.
September 1, 2019 is International Women in Cyber Day. On the blog, we profile Emma Sutcliffe, Head of Standards for the PCI Security Standards Council and member of the PCI SSC senior leadership team.
The trend of PowerShell-based malware is increasing. The general trend observed shows that malware authors use new techniques for infection and propagation of malware along with open-source tools. PowerShell gets executed with high privileges, which is why it easily performs its activity and propagates through the network. Quick Heal Security Lab…
Cybercriminals use Botnets to Launch Attacks on Social Media
According to a new report, more than half of all login attempts on social media sites are fraudulent, and at least 1 in 4 new account creation attempts are also fraudulent. With the sheer number of potential victims these types of sites provide attackers, these strategies are proving to be more and more lucrative. Even more worrisome: at least 10% of all digital handshakes, from online purchases to new accounts being created, are being made by malicious actors.
xHelper Trojan Infects Thousands of Android Devices
A new Trojan has infected over 30,000 devices in a very short time. By disguising itself as a JAR archive, the dropper is able to move quickly through a system, rather than being installed within a bundle as a standard APK. At least two variants of the Trojan have been spotted, one running extremely silently on infected devices while the other does less to hide itself, creating an actual xHelper icon and pushing an increasing number of notifications to the device.
Malicious PDF Scanner App
Researchers recently notified Google of a Trojanized CamScanner app that has been downloaded over 100 million times. The app itself is used to download and launch a malicious payload, after making contact with the attacker’s servers. Fortunately, Google is quick to act when they receive these types of reports, and has already removed the app from the Play Store. This app follows in a long line of high-install malicious apps to hit the Google Play Store in the last couple months.
Following the FCC decision to push out a technology that would allow all telecom companies to implement detections for the excessive number of robo-calls their customers receive every year. Unfortunately, the FCC never made an official deadline, so the lobby groups for the cable companies have been pushing for further delays. Hopefully, more telecom companies will get behind this technology and start helping their customers avoid this kind of
Hosting Provider Data Breach
A data breach was recently revealed by Hostinger, a hosting provider, which could affect their entire 14-million-strong customer base. Within the last week, the company identified unauthorized access to one of their servers, which contained sensitive customer information. Fortunately, Hostinger resolved the vulnerability quickly and pushed out a mandatory password reset to all affected users.
Because I really don’t want to rile up all you wonderful Mac users, I’ve decided to do a follow-up on the whole hiding your folders in plain view dilemma.
If haven’t done so already, be sure to check out my article on how to hide your files, folders, and disk drives; it may not apply to Mojave or whatever else OS you’re running, but at least you’ll get an idea of what you’re up against. So, how do you hide folders on Mac?
Get yourself acquainted with the Terminal (Mac’s version of Windows’ command prompt) because, as it happens, it’s the only way to hide folders on Mac without resorting to third-party tools. Let’s dig in.
How to Hide Folders on Mac – Quick and Painless Version
If you really don’t want to trouble yourself with code, there’s a very easy and extremely fast way to hide your folders on Mac: by using FileVault.
Basically, it turns your hard drive into a Fort Knox-like vault which cannot be opened without the proper cipher, which in this case is the username and password associated with your admin account.
Yes, I know it’s like curing the disease by killing the patient, but I did say that it’s the easiest way to go about hiding your folders. Anyway, here’s what you’ll need to do, should you choose to use FileVault for masking your files, folders, and everything in between.
Step 1. Click on the Apple icon located in the upper-left corner of your screen.
Step 2. Click on System Preferences.
Step 3. Click on Security & Privacy.
Step 4. Head to the FileVault tab (it’s right next to the General tab).
Step 5. Click on the padlock icon to make changes.
Step 6. Click on the Turn On FileVault button.
Step 7. In the next dialog box, select the recovery method. You can choose between iCloud and generating a local recovery key. I, for one, would go with the latter since it’s more secure (no use compromising two accounts if your password gets stolen).
Here’s what’s going to happen if you use the local recovery key method: you will be taken to another dialog box where you will see a system-generated code.
It looks very much like a Windows or antivirus activation key. Save this code in a new document or somewhere else safe. That’s the recovery key you’ll be using in case you don’t remember the password.
Step 8. Click on Continue.
Step 9. Click again on the Continue button to finish the process.
That’s it! Now FileVault will begin encrypting all the data on your drive. Depending on your specs, this process can take anywhere from a couple of hours to a few days.
Don’t worry too much about ending up with a potato computer; you’ll still be able to surf the web, watch movies, or play games because everything happens in the background.
One more thing: don’t forget to hook up your Mac to the power outlet. You really wouldn’t want to run out of juice in the middle of a procedure involving the drive on which your entire data is stored.
There’s also a way to hide folders on Mac, but it involves using the Terminal. Don’t worry; it’s just a couple of command lines. Nothing too fancy or complicated. So, here’s how to hide files/folders using Terminal.
Step 1. Click on Finder.
Step 2. From the left panel, select Applications.
Step 3. Scroll down until you see Utilities. Double-click to enter the Utilities menu.
Step 4. Double-click on Terminal.
Step 5. Type in the following line:
Step 6. Create a new folder on your desktop. Fill it with stuff that you want to hide.
Step 7. Drag and drop the folder onto the Terminal window. If you look closely, you’ll see that the folder’s path has appeared.
Step 8. Press Return to hide the folder.
Great! Now that your folder’s out of sight, out of mind, let’s see how we go about accessing it. There are three ways to access hidden files and folders.
Method 1 – Using the Go to Folder function
From the Go menu, select Go to Folder. In the dialog box that appears on your screen, type in the path of your hidden folder. Don’t forget to include the “~” sign before the path.
It should look something like this: “~/Desktop/MyHiddenFiles”
Method 2 – Using the Open/Dialog function
Double-click on Finder and select Desktop from Favorites. Press the “Show items as icons, in a list, in columns, or in the library” button (the pictogram looks like a rectangle divided by two straight lines). You may need to perform this operation a couple of times before the folder becomes visible.
Method 3 – Show hidden files in Finder
It’s possible to see a hidden file in Finder, but you will need to tinker a bit with Terminal. So, fire up your Terminal, and type in the following line:
Press Return to continue. After that, please type in or paste the following line:
Again, press return, go to Finder, and there you are – what was once hidden, can now be seen. Enjoy!
How to hide folders on your Mac by using Terminal Aliases
Aliases are macros or shortcuts for various commands. Although an alias typed into the Terminal only lasts for that session, we can easily turn it into a more permanent solution by adding it to your profile file. Again, you will need to fiddle around with the Terminal. So, here’s what you’ll need to do:
Step 1. Open the Terminal.
Step 2. Type in or paste the following line:
sudo nano ~/.bash_profile
Step 3. When prompted, type in the username and password associated with your active admin account.
Step 4. Press Return to continue.
Step 5. Scroll down to the end of the open .bash_profile.
Step 6. Type in or paste the following line:
alias showFiles='defaults write com.apple.finder AppleShowAllFiles YES; killall Finder'
Step 7. On the next line, type in or paste the following:
alias hideFiles='defaults write com.apple.finder AppleShowAllFiles NO; killall Finder'
Step 8. Save the file.
Step 9. Exit Terminal.
That’s about it. The next time you open the Terminal, the showFiles and hideFiles aliases will be ready, and running hideFiles keeps all desired folders hidden in Finder.
Even more ways to hide files and folders on your Mac
As they say, there’s more than one way to skin something (please don’t say “cat”). So, if you found that the methods described are much too difficult, here are a couple of more ways to hide folders on Mac.
Using the “mv” command
The “mv” command in Terminal moves a file or folder from one place to another. How does this help you? Here’s the trick: the “mv” command moves the folder from its original name to a name that starts with a period (a “period folder”).
Now, by default, period folders are hidden because they usually contain system-critical information. Basically, it’s the same thing as moving files or folders to your System32 folder in Windows.
To make files invisible in this manner, open Terminal and type in mv filename .filename. Replace “filename” with the name of the file you want to hide; the “.filename” parameter is the new, period-prefixed name the file will be hidden under.
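As an added example (not the article’s own code), here is the “mv filename .filename” trick wrapped in a POSIX sh function, together with a check of what it does and does not buy you: the renamed item drops out of a plain ls (and out of Finder on a Mac), but ls -a still lists it and anyone with access to the directory can still read it. The file name and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: the "mv filename .filename"
# trick as a reusable function, plus checks showing that hiding is cosmetic.
# Plain POSIX sh: runs on macOS (where Finder also hides dot-names) and Linux.

# hide_by_dot PATH
#   Renames PATH to .BASENAME inside the same directory and prints the new
#   path. Refuses to re-hide an item that already starts with a dot and
#   refuses to overwrite an existing dot-name, so nothing is silently lost.
hide_by_dot() {
    hbd_dir=$(dirname "$1")
    hbd_base=$(basename "$1")
    case $hbd_base in
        .*) printf 'already hidden: %s\n' "$1" >&2; return 1 ;;
    esac
    hbd_target="$hbd_dir/.$hbd_base"
    if [ -e "$hbd_target" ]; then
        printf 'refusing to overwrite: %s\n' "$hbd_target" >&2
        return 1
    fi
    mv "$1" "$hbd_target" || return 1
    printf '%s\n' "$hbd_target"
}

# listed_by DIR NAME [LS_FLAGS]
#   Succeeds when NAME appears, as a whole line, in "ls LS_FLAGS DIR".
listed_by() {
    ls ${3:-} "$1" | grep -qxF "$2"
}

# hidden_but_readable DIR NAME EXPECTED_CONTENT
#   Succeeds only when NAME is absent from plain "ls", present in "ls -a",
#   and its content still equals EXPECTED_CONTENT: hidden, not protected.
hidden_but_readable() {
    if listed_by "$1" "$2"; then return 1; fi
    listed_by "$1" "$2" -a || return 1
    [ "$(cat "$1/$2")" = "$3" ]
}

# demo: hides a constructed file in a temp dir, reports, and cleans up.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'constructed secret contents' > "$demo_dir/notes.txt"
    demo_hidden=$(hide_by_dot "$demo_dir/notes.txt") || return 1
    if hidden_but_readable "$demo_dir" .notes.txt 'constructed secret contents'
    then
        echo "hidden from plain ls, still readable: $demo_hidden"
        demo_rc=0
    else
        echo "unexpected state in $demo_dir" >&2
        demo_rc=1
    fi
    rm -rf "$demo_dir"
    return $demo_rc
}

demo
```

The takeaway for anyone protecting real data: a dot-name keeps a file out of sight, but only FileVault (above) keeps it out of reach.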
Deploy Apple’s Developer Tools
If you’re in the mood to do a bit of tweaking, download and deploy Apple’s developer tools and enter the following command in Terminal: SetFile -a V <name of the file you want to hide>. The name of the file should follow the “V” parameter without the “<>”. This command sets the file’s invisible attribute.
Dump everything in the Library folder
When everything else fails, try the Library folder. It’s hidden by default, making it the ideal place to store top-secret stuff. Just fire up Finder, navigate to the Library folder, right-click, create a new folder, and drag all the files in there.
Use third-party file-hiding software
You can also use special software to keep your folders away from prying eyes. The best ones are Altomac and Hide Folders. However, there are also open-source alternatives such as AES Crypt, Axcrypt, or File Lock PE. Give them a try if you’re looking to beef up your account’s privacy.
That’s it on how to hide folders on Mac computer. Know any more methods? Hit the comments section and let me know.
If you liked this post, you will enjoy our newsletter.
Google has decided to expand the scope of one of its bug bounty programs as well as launch another security rewards initiative. On 29 August, Android Security & Privacy team members Adam Bacchus, Sebastian Porst, and Patrick Mutchler announced that the Google Play Security Reward Program (GPSRP) will now cover all Google Play apps with […]
It is true that businesses all over the globe are now facing security threats and their data is at high risk, with dangers having increased in terms of volume and sophistication. Security threats incurred a whopping £30bn cost to the UK economy. Even mobile security threats have contributed immensely to the emerging vulnerabilities. However, these threats have skyrocketed ever since quantum computing became a reality.
The impact of cyber-attacks on companies is enormous and undoes years of effort and security maneuvers. According to reports published in 2017, more than a dozen large enterprises experienced a cyber-attack or security threat. As per the same report, the companies handling the personal data of their customers are most vulnerable to security threats and data breaches. With the emergence of quantum computing, old-world security measures are becoming obsolete and ineffective.
In spite of the positive impact of quantum computing, security threats are rising. The earlier security protocols and methods are now proving to be insufficient in the face of quantum computing. Even the most sophisticated encryption methods are getting vulnerable to quantum computing threats.
There is strong speculation that within the span of the next five years or so, even the most advanced encryption methods will be vulnerable to the threats of quantum computing. This is why data security challenges should be thoroughly reconsidered.
The Key Advantages of Quantum Over Traditional Calculation
Quantum computing represents a complete shift of approach from that of traditional computing. Quantum computing in many ways boosts the pace of calculation. The principal way quantum computing can speed up calculation is through the superposition of states. Qubits, which are the equivalent of bits in traditional computing, are capable of existing in two states simultaneously. This capability, called superposition of states, ultimately enhances the calculation speed.
The days when quantum computing was merely a concept are gone. Now, it has entered the engineering realm, and soon thousands of qubits are going to endanger data encryption. At this moment, the largest quantum computing machine is Google’s 72-qubit machine built in 2018.
When Quantum Computing Can Become a Threat
For any security specialist, making this prediction is a challenging task. Most importantly, reaching a consensus among security experts has not been possible so far. But everyone unanimously agrees that quantum computing has already emerged as a massive security threat that can dismantle the existing security protocols and systems.
In the future, can we have universal quantum computers? Is there any express requirement of the same?
Presumably, we don’t need a quantum computer of such a big scale. Instead, we may require quantum accelerators for our computing tasks. From all the predictions and buzz surrounding us, it is quite understandable that we are actually not going to encounter a massive “Big Bang”-like phenomenon that transforms computing forever and beyond recognition. Instead, the changes will happen in small steps.
But when change seems imminent, how we prepare for the emerging security threats of quantum computing seems to be the most important question. We need to switch from the traditional data security to more advanced data security protocols and mechanisms that can effectively take on the threats posed by quantum computing.
According to the US National Institute of Standards and Technology (NIST), quantum attacks could become a real threat within the next decade or so. This is precisely why we need to guard against such attacks. Making our cryptographic security more resilient and robust will prove to be most important when facing quantum attacks.
How to make the cryptographic security more resilient and stronger to take guard against quantum attacks?
Well, the answer lies in the emerging quantum cryptography technology. A cryptography expert today knows that breaking the public-key cryptography that works in traditional computing is not a big challenge. Even the most sophisticated cryptography, such as RSA and Diffie-Hellman based cryptography, has been broken by quantum technology. Such attacks and their outcomes made us see the possibilities of security attacks in the quantum era.
After seeing the attacks on robust cryptographic foundations, the experts are working tirelessly on building new foundations that can be more resilient for quantum computing. By having an in-depth understanding of the earlier vulnerabilities that have been subjected to fatal attacks, the modern quantum computing security experts are building more resilient cryptography. Thus, we are entering a new era of quantum cryptography.
Don’t Forget the Positive Role of Quantum Technology for Security
Most security experts focused on quantum cryptography talk about the security threats posed by quantum computing. Yet, they often forget to mention the positive role of quantum computing on data security.
For example, a lot of quantum computing projects were not covered by the NIST report. One of these projects is quantum key distribution. This is a great technique to help distribute and share the secret keys for cryptographic protocols. Though it has been available for years, security experts are now shedding some more light on this subject.
Another quantum computing project with a positive role is quantum sensors, quantum devices that respond to a stimulus.
Creating A Security Roadmap Secure from Quantum Threats
Within the span of a few years, many global companies that are playing an instrumental role in establishing a security roadmap to deal with the emerging quantum threats have emerged. These organizations are working on making the cryptographic foundation more resilient and to ensure the quantum era is rather remembered as a bright milestone in the history of computing. From creating a methodology to deal with emerging quantum risks to establishing risk assessment frameworks, a lot of positive efforts are underway to deal with the impending quantum threats.
Cybersecurity in the quantum computing era will continue to loom large for businesses, government agencies, and institutions. How security experts can utilize quantum technology to mitigate the security risks will actually prove to be most important.
This is an article written by guest author Atman Rathod.
Atman Rathod is the Co-founder at CMARIX TechnoLabs Pvt. Ltd., a leading web and mobile app development company with 13+ years of experience. He loves to write about technology, startups, entrepreneurship, and business. His creative abilities, academic track record, and leadership skills made him one of the key industry influencers as well.
SniffAir – Wireless security framework for wireless pentesting
SniffAir is an open-source wireless security framework which provides the ability to easily parse passively collected wireless data as well as launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking ...
This article will give you insights into the common PayPal hoaxes circulating these days. Additionally, you will learn how to keep your payment experience safe when using the popular service in question. The undeliverable shipment stratagem Crooks may try to defraud someone of money by reporting a delivery failure to PayPal. This hoax starts with […]
PerCSoft, a Wisconsin-based company that manages a remote data backup service relied upon by hundreds of dental offices across the country, is struggling to restore access to client systems after falling victim to a ransomware attack.
West Allis, Wis.-based PerCSoft is a cloud management provider for Digital Dental Record (DDR), which operates an online data backup service called DDS Safe that archives medical records, charts, insurance documents and other personal information for various dental offices across the United States.
The ransomware attack hit PerCSoft on the morning of Monday, Aug. 26, and encrypted dental records for some — but not all — of the practices that rely on DDS Safe.
PerCSoft did not respond to requests for comment. But Brenna Sadler, director of communications for the Wisconsin Dental Association, said the ransomware encrypted files for approximately 400 dental practices, and that somewhere between 80-100 of those clients have now had their files restored.
Sadler said she did not know whether PerCSoft and/or DDR had paid the ransom demand, what ransomware strain was involved, or how much the attackers had demanded.
Update: Several sources are now reporting that PerCSoft did pay the ransom, although it is not clear how much was paid. One member of a private Facebook group dedicated to IT professionals serving the dental industry shared the following screenshot, which is purportedly from a conversation between PerCSoft and an affected dental office, indicating the cloud provider was planning to pay the ransom:
Another image shared by members of that Facebook group indicates the ransomware that attacked PerCSoft is an extremely advanced and fairly recent strain known variously as REvil and Sodinokibi.
However, some affected dental offices have reported that the decryptor did not work to unlock at least some of the files encrypted by the ransomware. Meanwhile, several affected dentistry practices said they feared they might be unable to process payroll payments this week as a result of the attack.
On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.
The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files. In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual.
It remains unclear whether PerCSoft or DDR — or perhaps their insurance provider — paid the ransom demand in this attack. But new reporting from independent news outlet ProPublica this week sheds light on another possible explanation why so many victims are simply coughing up the money: Their insurance providers will cover the cost — minus a deductible that is usually far less than the total ransom demanded by the attackers.
More to the point, ProPublica found, such attacks may be great for business if you’re in the insurance industry.
“More often than not, paying the ransom is a lot cheaper for insurers than the loss of revenue they have to cover otherwise,” said Minhee Cho, public relations director of ProPublica, in an email to KrebsOnSecurity. “But, by rewarding hackers, these companies have created a perverted cycle that encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.”
“In fact, it seems hackers are specifically extorting American companies that they know have cyber insurance,” Cho continued. “After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware.”
Read the full ProPublica piece here. And if you haven’t already done so, check out this outstanding related reporting by ProPublica from earlier this year on how security firms that help companies respond to ransomware attacks also may be enabling and emboldening attackers.
We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to Google Play Security Reward Program (GPSRP), as well as the launch of the new Developer Data Protection Reward Program (DDPRP).
Google Play Security Reward Program Scope Increases
We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.
Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed.
To date, GPSRP has paid out over $265,000 in bounties. Recent scope and reward increases have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program.
Introducing the Developer Data Protection Reward Program
Today, we are also launching the Developer Data Protection Reward Program. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.
The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, following a similar model to Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or the Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net a bounty as large as $50,000.
As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting!
When I was a kid, Gilligan’s Island reruns aired endlessly on TV. The character of the Professor was supposed to sound smart, so he’d use complex words to describe simple concepts. Instead of saying, “I’m nearsighted” he’d say, “My eyes are ametropic and completely refractable.” Sure, it was funny, but it didn’t help people understand his meaning.
Security vendors and professionals suffer from a pinch of “Professor-ism” and often use complex words and terminology to describe simple concepts. Here are a few guidelines to consider when naming or describing your products, services, and features:
Assess whether a new term or acronym is needed
Before trying to create a new term or acronym, assess whether an existing one will work. Consider the mobile device space where tools used to manage mobile devices were originally known as MDM for mobile device management. Pretty straightforward. But then the acronym flood started with MAM (mobile application management), MIM (mobile information management), and EMM (enterprise mobile management). It’s true, there are some technical differences between the four, but a quick Bing search shows a raft of articles explaining the differences because it’s not clear to the average customer. And, frankly, all of them are basically subsets of the MDM acronym.
Use acronyms with enthusiasm and clarity
When creating a new term or acronym there is no point in being memorable if the meaning gets lost in the noise. Instead of succumbing to the path of least resistance by forming an acronym, put a little oomph into your naming efforts.
A recent example is SOAR (Security Orchestration, Automation, and Response). Yes, it was a whole new category and one that is adjacent to SIEM (security information and event monitoring) but it adds clarity because it describes a new set of features and functions—like incident response activities and playbooks—which aren’t covered by traditional SIEMs.
Acronyms can save time, but when you get into splintered variants like the MDM example, clarity goes out the window. Since not all acronyms are created equal, go for acronym gold—and make sure there is a recognizable connection to your brand or (even better) the product itself.
This strategy can yield explosive results! Think TNT (Trinitrotoluene), or the more chill TCBY® (The Country’s Best Yogurt), or the zip in ZIP code (Zone Improvement Plan). Compare these zingers with an acronym for something like UDM (Unified Data Management). Sorry—is that the sound of you snoring? (Me, too!)
Put a little pep in your step (and your sales) by producing names that are sharply focused—like laser (Light Amplification by Stimulated Emission of Radiation)—which is an acronym that has become synonymous with what it does and has some well-placed vowels. Another winner in this category is GIF (graphics interchange format). While this acronym wasn’t recognizable out the door, it became synonymous with the product it created by adding a bit of pizzazz to the mix.
Use names that are clear and practical—but catch and hold the imagination
Resist the temptation to take a cool buzzword and tack it onto your marketing efforts to take advantage of the attention. I once saw a basic power strip advertised as “internet ready.” Come on now! Find words or phrases that catch and hold the imagination—while saying something about your product’s functionality.
Sometimes it’s as simple as helping customers understand what the product does: antimalware? Customers are going to get that this probably protects against malware. If the solution really is a new approach, make the name as clear as possible.
In addition, rather than inventing new terms, consider being very practical. Think of the use-cases and ask these questions: What does the solution do for the customer or business? What does the solution deliver? Or what kind of brand experience does your product provide?
Years ago, I ran afoul of a company that advertised itself as “S-OX in a Box” (that’s Sarbanes-Oxley, not a sports or footwear reference), because I wrote a piece on the complexity of the tech side of S-OX compliance. I explained why it wasn’t as simple as buying a “S-OX in a BOX” solution. I wasn’t trying to call out that specific company, but rather to show why it can be better to be clear and explicit about what a solution does. S-OX is too complex for a single solution to do it all. But a tool that can help automate S-OX compliance reporting? That, for many companies, is a big win.
Also, think about the non-cyber world—where companies describe the function to discover an evocative name. Examples of everyday products that accomplish this include bubble wrap, Chapstick®, Crock-Pot®, and Onesie®. Not all first tries will be winners. For example, the breathalyzer was originally known as the Drunk-O-Meter. Just experiment with it. Have some fun. Make it meaningful to your client or customer.
Promising customers that they will never have a breach again is a pretty lofty claim. And most likely impossible. Words like absolute, perfect, and unhackable may sound good in copy, but can you guarantee that a product or solution really delivers absolute security?
Savvy customers know that security is about risk management and tradeoffs and that no solution is completely immune to all attacks. Rather than overpromise, consider helping the customer understand what the solution does. Does the product protect against a breach by monitoring the database? Good, then say that.
Get creative and mix it up
Get creative by mixing initials and non-initial letters, as in “radar” (RAdio Detection And Ranging). Or try “initialism,” which requires you pronounce your abbreviation as a string of separate letters. Examples include OEM (original equipment manufacturing) and the BBC (British Broadcasting Corporation). You can also incorporate a shortcut into the name by combining numbers and letters like 3M (Minnesota Mining and Manufacturing Company).
If you’re really stuck, try a backronym
A backronym is created when you turn a word into an acronym by assigning each letter a word of its own—after a term is already in use. For example, the term “rap” (as in rap music) is a backronym for rhythm and poetry and SOAR is a backronym for Security Orchestration, Automation, and Response.
If you want something closer to the technology realm, check out what NASA (a well-known acronym for National Aeronautics and Space Administration) did. They named a space station treadmill in honor of comedian Stephen Colbert by coming up with the words to spell out his name: Combined Operational Load-Bearing External Resistance Treadmill (COLBERT).
Find your sweet spot
When it comes to using common words to describe uncommon things, combine the freshness and friendliness of Mary Ann with the profit mindset of Thurston Howell III to come up with names that intrigue people with their relatability and nail the sale because clients and customers get a clear idea of the product’s business value.
Reach out to me on LinkedIn or Twitter and let me know what you’d like to see us cover as we talk about new security products and capabilities.
Was a cybercrime committed on the International Space Station? What on earth were Ukrainian scientists thinking when they plugged a nuclear power station into the internet? And someone has cloned Canadian clinical psychologist Jordan Peterson’s voice…
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
Until recently, the manufacturing sector as a whole rarely took cyber threats seriously. This was primarily due to the sector’s view that it was a highly specialized industry and hence would not be on the radar of cyberattackers. That outlook started to change after devastating cyberattacks such as the spear-phishing attacks on Saudi Aramco, Stuxnet and LockerGoga started to surface.
Citing one of the latest cyberattacks, Airbus faced a threat this year when it reported that it had detected an attack on its information systems which resulted in a data breach. Though it did not affect their operations, Airbus did admit that employee-related details had been lost in the breach.
It took events like these for the industry to realize that it, too, is equally prone to cyber threats that can shut down entire production lines and have ramifications throughout the supply chain.
In fact, according to Seqrite’s Q2 Threat Report, cyberattacks are on the prowl in manufacturing, especially in the automobile sector.
We discuss the key channels attackers use to target this industry.
Manufacturers store a vast range of often specialized and classified data on their systems. This ranges from the projects they are working on, blueprints for future products that companies would like to be secretive about, confidential financial data and a lot more. Hackers are aware that this data is a potential goldmine putting manufacturers at risk of data breaches which can lead to disastrous consequences. Manufacturing companies must recognize that the risk of data breaches actually exists and work hard to plug the gap.
Internet of Things and connected manufacturing
The manufacturing industry is increasingly moving towards an era of smart manufacturing where the shop floor and the supply chain are progressively getting interconnected. This helps to speed-up production and time-to-market but also creates an ecosystem where there is a reduced division between different stages in the manufacturing lifecycle.
Although beneficial, this multiplies the risk of a cyberattack: a single cybersecurity breach can have a deep impact on a manufacturing plant.
Furthermore, with technologies like the Internet of Things (IoT) seeing enterprise adoption at lightning speed, manufacturers now have to deal with an added cyber threat channel.
Intellectual property is the manufacturing industry’s key asset and prized possession. Hence, it is obvious that if it falls into the wrong hands, this could cause immense reputational and financial damage to a manufacturing company. While most companies in this sector have strict rules for employees on the information they can disseminate to external sources, enterprise stakeholders do not consider that the risk of IP theft can also come from cyberattacks, whether through data breaches or insider threats.
Falling behind in the skills gap
Mostly, the manufacturing industry collectively understands the importance of specialized knowledge and hiring people with expert skills to solve the problems they face in day-to-day operations. However, considering the current dangerous scenario of enterprise cyberattacks, this needs to be extended to resolve their cybersecurity problems as well.
After all, cybersecurity is a specialized issue and it requires specific people with the correct training and knowledge to tackle it. The manufacturing industry must look beyond a conventional IT department to tackle cyberthreats.
Regulation and compliance
The manufacturing industry is mandated to comply with regulations at a national and an international level, and these regulations now encompass cybersecurity as well. Most manufacturing companies nowadays operate under some sort of regulatory control for their data. Often this information is stored in the cloud with very limited access and under strict regulations.
If the privacy of this data is violated, it can have serious consequences, and this is a factor to keep in mind when considering a cloud network security strategy.
Keeping the above in mind, it is important for the manufacturing sector to prioritize cybersecurity and invest in solutions like Seqrite Endpoint Security (EPS) and Unified Threat Management (UTM) to ensure they remain protected in this day and age of sophisticated and tailor-made cyberattacks towards the enterprise.
PACK (Password Analysis and Cracking Kit), by Peter Kacherginsky (iphelix), is a collection of utilities developed to aid in the analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password ...
As of July 2019, Microsoft has fixed around 43 bugs in the Jet Database Engine. McAfee has reported a couple of bugs and, so far, we have received 10 CVEs from Microsoft. In our previous post, we discussed the root cause of CVE-2018-8423. While analyzing this CVE and Microsoft’s patch for it, we found a way to bypass the patch which resulted in another crash. We reported it to Microsoft, which fixed it in the January 19 Patch Tuesday release. This issue was assigned CVE-2019-0576. We recommend that users install the proper patches, follow a proper patch management policy and keep their Windows installations up to date.
As mentioned in our previous post, CVE-2018-8423 can be triggered using a malicious Jet Database file and, as per the analysis, this issue was in the index number field. If the index number was too big the program would crash at the following location:
Here, ecx contains the malicious index number. On applying the Microsoft patch for CVE-2018-8423 we can see that, on opening this malicious file, we get the following error which denotes that the issue is fixed, and the crash does not occur anymore:
Analyzing the Patch
We decided to dig deeper and see exactly how this issue was patched. On analyzing the “msrd3x40!TblPage::CreateIndexes” function, we can see that there is a check to see if “IndexNumber” is greater than 0xFF, or 256, as can be seen below:
Here, ecx, which contains the index number, has the malicious value “00002300”, which is greater than 0xFF. If we look at the code, there is a jump instruction. If we follow this jump instruction, we reach the following location:
We can see that there is a call to the “msrd3x40!Err::SetError” function, meaning the malicious file will not be parsed if the index value is greater than 0xFF and the program will give the error message “Unrecognized database format” and terminate.
Finding Another Issue with the Patch
By looking at the patch, it was obvious that the program will terminate if the index value is greater than 0xFF, but we decided to try it with an index value of “00 00 00 20”, which is less than 0xFF, and we got another crash in the function “msrd3x40!Table::FindIndexFromName”, as can be seen below:
Finding the Root Cause of the New Issue
As we know, if we give any index value which is less than 0xFF, we get a crash in the function “msrd3x40!Table::FindIndexFromName”, so we decided to analyze it further to find out why that is happening.
The crash is at the following location:
It seems that the program is trying to access location “[ebx+eax*4+574h]” but it is not accessible, meaning it is an Out of Bound Read issue.
This crash looks familiar as it was also seen in CVE-2018-8423, except that it was an Out of Bound Write, while this seems to be an Out of Bound Read. If we look at eax it contains “0055b7a8” which, when multiplied by 4, becomes a very large value.
If we look at the file it looks like this:
As can be seen in the image below, if we parse this file, the value “00 00 00 20” (in little endian in the above image) denotes the number of an index whose name is “ParentIDName”:
Looking at the debugger at the point of the crash, it seems that ebx+574h points to a memory location and eax contains an index value which is getting multiplied by 4. Now we need to figure out the following:
What will be the value of eax that will cause the crash? We know that it should be less than 0xFF. But what would be the lowest value?
What is the root cause of this issue?
On setting a breakpoint on “msrd3x40!Table::FindIndexFromName” and changing the index number to “0000001f”, (which does not cause a crash but helps with the debugging and understanding the program flow) we can see that edx contains the pointer to an index name which, in this case, is “ParentIdName”:
Debugging further we can see that the eax value comes from [ebp] and the ebp value comes from [ebx+5F4h] as can be seen below:
When we look at “ebx+5F4” we can see the following:
We can see that “ebx+5F4” contains the index numbers for all the indexes in the file. In our case the file has two indexes and their numbers are “00 00 00 01” and “00 00 00 1f”. If we carefully review the memory we can figure out that the maximum number of indices which can be stored here is 0x20, or 32:
Start location: 00718d54
Each index number is 4 bytes long. So 0x20*4 + 00718d54 = 00718DD4
After this, if we look at ebx+574+4, we can see that it contains the pointer to index names:
So, the overall memory structure is like this:
There are only 0x80 or 128 bytes available to save index name pointers at location EBX+574. Each pointer gets saved at the location for its index number, i.e. for index number 1 it will be saved at EBX+574+1*4, the pointer for index number 2 will be saved at EBX+574+2*4 and so on (index numbers start from 0).
In this case, if we give an index number which is more than 31, the program will overwrite data past 0x80 bytes, which will be at the start of the EBX+5F4 location, which is the index number from the malicious file. So, in this case, if we give the value “00 00 00 20” instead of “00 00 00 1f”, it will overwrite the index number at the EBX+5F4 location, as can be seen below:
Now the program tries to execute this instruction in “msrd3x40!Table::FindIndexFromName”:
Mov ecx, dword ptr [ebx+eax*4+574h]
Here, eax contains the index number which should be “00 00 00 01” but, since it is overwritten by “0055b7a8” which is a memory address, on multiplying it with 4, it becomes a huge number and then 574h is getting added to it. So, if that memory area does not exist and the program tries to read from that memory, we get an access violation error.
So, to answer the questions we had:
Any value which is less than 0xFF and greater than 0x31 will cause a crash if the resulting memory location from [ebx+eax*4+574h] is not accessible.
The root cause is that an index number is getting overwritten by a memory location, causing invalid memory access in this case.
How is it Fixed by Microsoft in the Jan 19 Patch?
We again decided to analyze the patch to see how this issue was fixed. As is clear from the analysis, any value which is greater than or equal to 0x20 or 32 still causes a crash so, ideally, the patch should be checking this. Microsoft has added this check in the Jan 19 patch release, as can be seen below:
As can be seen in the above image, eax holds the index value here and it is compared with 0x20. If it is greater than or equal to 0x20 the program jumps to location 72fe1c00. If we go to that location, we can see the following:
As can be seen in the above image, it calls the destructor and then calls msrd3x40!Err::SetError function and returns. So, the program will display a message saying, “Unrecognized database format” and then terminate.
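To make the layout and the two checks concrete, here is an added C model of the object described above; it is a constructed illustration, not msrd3x40 code, and the struct name, field names, function names, the padding size and the 0x00550000 name pointer are assumptions. The 0x80-byte slot array, the adjacent index-number array, the 0xFF check from the 2018 patch and the 0x20 check from the Jan 19 patch are taken from the analysis.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INDEXES 0x20u   /* 32 slots of 4 bytes: the 0x80 bytes at EBX+574h */

/* Constructed model of the two adjacent arrays in the Jet table object.
 * name_ptr is 0x80 bytes and is immediately followed by index_numbers,
 * mirroring EBX+574h (0x574 + 0x80 == 0x5F4) and EBX+5F4h. 32-bit pointer
 * values are kept as uint32_t because msrd3x40 is a 32-bit module. */
typedef struct {
    uint32_t name_ptr[MAX_INDEXES];      /* EBX+574h: name pointer, indexed by index number */
    uint32_t index_numbers[MAX_INDEXES]; /* EBX+5F4h: index numbers read from the file */
    uint8_t  rest_of_object[0x400];      /* assumed padding so index numbers <= 0xFF stay in the model */
} jet_table_t;

enum { JET_OK = 0, JET_UNRECOGNIZED_FORMAT = -1, JET_ACCESS_VIOLATION = -2 };

/* Model of TblPage::CreateIndexes storing one index's name pointer.
 * jan19_patch == 0: only the CVE-2018-8423 check (index number > 0xFF rejected).
 * jan19_patch == 1: additionally the Jan 19 check (cmp eax, 20h; jae -> Err::SetError). */
int create_index(jet_table_t *t, size_t slot, uint32_t index_number,
                 uint32_t name_ptr, int jan19_patch)
{
    if (slot >= MAX_INDEXES)
        return JET_UNRECOGNIZED_FORMAT;          /* model limit, not a check in msrd3x40 */
    if (index_number > 0xFFu)
        return JET_UNRECOGNIZED_FORMAT;          /* CVE-2018-8423 patch */
    if (jan19_patch && index_number >= MAX_INDEXES)
        return JET_UNRECOGNIZED_FORMAT;          /* CVE-2019-0576 patch */

    t->index_numbers[slot] = index_number;
    /* The store the 2018 patch left unchecked: [EBX+574h + index_number*4] = name_ptr.
     * Done through a byte pointer so that an index number of 0x20 lands 0x80 bytes past
     * the slot array, i.e. on index_numbers[0], exactly as in the crash. */
    memcpy((uint8_t *)t + offsetof(jet_table_t, name_ptr) + (size_t)index_number * 4u,
           &name_ptr, sizeof name_ptr);
    return JET_OK;
}

/* Model of Table::FindIndexFromName's  mov ecx, dword ptr [ebx+eax*4+574h]  for each
 * index number in the table. Returns JET_ACCESS_VIOLATION when eax*4+574h falls
 * outside the object, which is the Out of Bound Read described above. */
int find_index_from_name(const jet_table_t *t, size_t nindexes, uint32_t *last_name_ptr)
{
    for (size_t i = 0; i < nindexes; i++) {
        uint32_t eax = t->index_numbers[i];
        uint32_t byte_off = eax * 4u;            /* 32-bit arithmetic, like the x86 code */
        if (byte_off > sizeof(*t) - sizeof(uint32_t))
            return JET_ACCESS_VIOLATION;
        memcpy(last_name_ptr, (const uint8_t *)t + offsetof(jet_table_t, name_ptr) + byte_off,
               sizeof *last_name_ptr);
    }
    return JET_OK;
}

/* Runs the scenario from the post: a file with two indexes numbered 1 and
 * second_index_number. 0x0055b7a8 is the pointer value seen in eax at the crash;
 * 0x00550000 is a constructed pointer for the first index. first_index_number_out
 * receives index_numbers[0] after both indexes were created, to show the overwrite. */
int open_two_index_file(uint32_t second_index_number, int jan19_patch,
                        uint32_t *first_index_number_out)
{
    jet_table_t t;
    uint32_t name_ptr = 0;
    memset(&t, 0, sizeof t);
    int rc = create_index(&t, 0, 0x01u, 0x00550000u, jan19_patch);
    if (rc == JET_OK)
        rc = create_index(&t, 1, second_index_number, 0x0055b7a8u, jan19_patch);
    *first_index_number_out = t.index_numbers[0];
    if (rc == JET_OK)
        rc = find_index_from_name(&t, 2, &name_ptr);
    return rc;
}

int main(void)
{
    uint32_t first;
    printf("index 0x1f, 2018 patch only: rc=%d, index_numbers[0]=%08x\n",
           open_two_index_file(0x1fu, 0, &first), first);   /* rc=0, 00000001 */
    printf("index 0x20, 2018 patch only: rc=%d, index_numbers[0]=%08x\n",
           open_two_index_file(0x20u, 0, &first), first);   /* rc=-2, 0055b7a8 */
    printf("index 0x20, Jan 19 patch:    rc=%d\n", open_two_index_file(0x20u, 1, &first));   /* rc=-1 */
    printf("index 0x2300, 2018 patch:    rc=%d\n", open_two_index_file(0x2300u, 0, &first)); /* rc=-1 */
    return 0;
}
```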
We reported this issue to Microsoft in October 2018 and it fixed the issue in the Jan 19 Patch Tuesday release. This issue was assigned CVE-2019-0576. We recommend that users keep their Windows installations up to date and install vendor patches on a regular basis.
McAfee Network Security Platform customers are protected from this vulnerability by Signature IDs 0x45251700 – HTTP: Microsoft JET Database Engine Remote Code Execution Vulnerability (CVE-2018-8423) and 0x4525890 – HTTP: Microsoft JET Database Engine Remote Code Execution Vulnerability (CVE-2019-0576).
McAfee AV detects the malicious file as BackDoor-DKI.dr.
The McAfee HIPS Generic Buffer Overflow Protection (GBOP) feature will often cover this, depending on the process used to exploit the vulnerability.
The rapid shift of brands towards online platforms and ecommerce portals, has opened the gates for cyber threats like Phishing, Cybersquatting and Typosquatting. In fact, every entity with an online presence today, feels burdened by the fear of compromising their brand reputation, in the face of these ubiquitous cyber threats….
Whether you’re a small business owner or a blogger, having an accessible website is a must. That’s why many users look to web hosting companies so they can store the files necessary for their websites to function properly. One such company is Hostinger. This popular web, cloud, and virtual private server hosting provider and domain registrar boasts over 29 million users. But according to TechCrunch, the company recently disclosed that it detected unauthorized access to a database containing information on 14 million customers.
Let’s dive into the details of this breach. Hostinger received an alert on Friday that a server had been accessed by an unauthorized third party. The server contained an authorization token allowing the alleged hacker to obtain further access and escalate privileges to the company’s systems, including an API (application programming interface) database. An API database defines the rules for interacting with a particular web server for a specific use. In this case, the API server that was breached was used to query the details about clients and their accounts. The database included non-financial information including customer usernames, email addresses, hashed passwords, first names, and IP addresses.
Since the breach, Hostinger stated that it has identified the origin of the unauthorized access and the vulnerable system has since been secured. As a precaution, the company reset all user passwords and is in contact with respective authorities to further investigate the situation.
Although no financial data was exposed in this breach, it’s possible that cybercriminals can use the data from the exposed server to carry out several other malicious schemes. To protect your data from these cyberattacks, check out the following tips:
Be vigilant about checking your accounts. If you suspect that your data has been compromised, frequently check your accounts for unusual activity. This will help you stop fraudulent activity in its tracks.
Reset your password. Even if your password wasn’t automatically reset by Hostinger, update your credentials as a precautionary measure.
Practice good password hygiene. A cybercriminal can crack hashed passwords, such as the ones exposed in this breach, and use the information to access other accounts using the same password. To avoid this, make sure to create a strong, unique password for each of your online accounts.
And, as always, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listening to our podcast Hackable?, and ‘Liking’ us on Facebook.
MSPs can generate recurring revenue by being proactive about educating customers about email threats and how to defeat them—if they avoid three common mistakes.
Businesses have come to rely on cloud email and file-sharing applications for communication and productivity. But, too often, they assume these platforms’ built-in security delivers enough protection against email-borne threats.
The reality is quite different.
While the built-in protection of platforms such as Microsoft Office 365 and Google Drive catches some threats, it is not designed to detect the myriad unknown dangers that amount to 95% of all cyber threats in the wild, according to Trend Micro research.
Businesses need an added layer of protection for email and file-sharing platforms. But most organizations don’t realize this need until it’s too late and their systems have already been breached.
That’s why MSPs and IT service providers should be proactive in educating customers about email threats–and how to defeat them. In so doing, providers position themselves to generate new recurring revenue. But they must avoid three common mistakes providers make regarding email security:
1. Failing to educate customers
Surprisingly, not all MSPs and IT service providers are aware of the need to add a layer of protection to cloud email platforms. Like their customers, many believe built-in controls get the job done.
This being the case, providers fail to educate customers on the dangers of email-borne threats, leaving them susceptible to malware infections through phishing and spam, fraud, spying and information theft. Providers must make clear that an attack caused by one user’s bad decision to click an infected URL or attachment can bring an organization to its knees and have long-term repercussions: Atlanta is still reeling from a 2018 ransomware attack that cost the city $2.7 million.
2. Placing too much faith in end-user training
There’s no question users need education on safe security practices to avoid infecting their own computers and their network. Phishing is effective because it preys on users’ trust and curiosity to deliver ransomware and other forms of malware: Consider that in 2018, credential phishing tactics accounted for 40 percent of all high-risk email threats. But you can’t stop phishing by merely telling users not to click a link or attachment; someone is always going to do it.
Because training alone cannot fully address security risks, providers should introduce solutions to customers that stop threats before they reach users. They should also teach users to spot threats before clicking infected links and attachments.
3. Leaving service revenue on the table
Providers can build various services around security, including assessments that show how many threats their cloud platforms miss, as well as simulations that determine how many end users fall for phishing scams.
Assessments can lead to other, ongoing services, including awareness and training programs to help users avoid and report email threats. These services create new revenue streams and stickiness with customers.
Trend Micro’s Approach
Increased customer reliance on cloud email makes these platforms a bigger target for hackers. MSPs can minimize the target with the right solutions and services to protect customers. Trend Micro’s email security solution is easy to set up; it has direct APIs for various cloud applications, and it employs advanced features such as machine learning and Writing Style DNA to identify and stop phishing and other threats. Secure your email–and your company’s future–today.
I was happy to help host our fourth annual DEF CON contest with the CMD+CTRL Cyber Range. As always the competition was fierce, but this year even more so! We had over 200 teams and players play over the weekend - many of them dedicating large chunks of their conference time to the contest. With so many talks, villages, and contests vying for attendees’ time it’s awesome to have so many people focused on our Cyber Range.
This year we unveiled two vulnerable applications. Our new LetSee website, which is a cool React.js site backed by a Ruby on Rails API that lets you buy and sell your handmade items, and Runstoppable, an Android fitness application that lets you track runs to show off to your friends!
Straight out of the gates the teams tore into the two applications. We recognized the top three repeat teams early on: Savage Submarine, 8BitBrandon, and BAH Humbug as they quickly established top spots.
Throughout the conference, these three teams vied for the top spots on the leaderboard, but some great highlights came from new players.
We had a father-son team attack the sites. They said it was their first time at DEF CON and their first time participating in a contest. I love that CMD+CTRL was accessible enough they felt like they could dive in, learn some attacks and score some points. As a father myself it was exciting to imagine bringing my sons to DEF CON in future years!
Security Innovation has a long history of supporting the security ecosystem through sponsorships of various organizations and groups. We are dedicated to helping more women and underrepresented minorities enter STEM and particularly AppSec careers. This year we sponsored 15 women to attend DEF CON. Quite a few of those women stopped by to play the CMD+CTRL Cyber Range. It was awesome to see them, some of whom were first-time attendees, quickly work their way up the leaderboards.
Overall this was a great year at DEF CON, not just for us but for the community as a whole.
Imperva, a leading provider of Internet firewall services that help Web sites block malicious cyberattacks, alerted customers on Tuesday that a recent data breach exposed email addresses, scrambled passwords, API keys and SSL certificates for a subset of its firewall users.
Redwood Shores, Calif.-based Imperva sells technology and services designed to detect and block various types of malicious Web traffic, from denial-of-service attacks to digital probes aimed at undermining the security of Web-based software applications.
Earlier today, Imperva told customers that it learned on Aug. 20 about a security incident that exposed sensitive information for some users of Incapsula, the company’s cloud-based Web Application Firewall (WAF) product.
“On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” wrote Heli Erickson, director of analyst relations at Imperva.
“We want to be very clear that this data exposure is limited to our Cloud WAF product,” Erickson’s message continued. “While the situation remains under investigation, what we know today is that elements of our Incapsula customer database from 2017, including email addresses and hashed and salted passwords, and, for a subset of the Incapsula customers from 2017, API keys and customer-provided SSL certificates, were exposed.”
Companies that use the Incapsula WAF route all of their Web site traffic through the service, which scrubs the communications for any suspicious activity or attacks and then forwards the benign traffic on to its intended destination.
Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, said Imperva is among the top three Web-based firewall providers in business today.
According to Mogull, an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites.
At a minimum, he said, an attacker in possession of these key assets could reduce the security of the WAF settings and exempt or “whitelist” from the WAF’s scrubbing technology any traffic coming from the attacker. A worst-case scenario could allow an attacker to intercept, view or modify traffic destined for an Incapsula client Web site, and even to divert all traffic for that site to or through a site owned by the attacker.
“Attackers could whitelist themselves and begin attacking the site without the WAF’s protection,” Mogull told KrebsOnSecurity. “They could modify any of the Incapsula security settings, and if they got [the target’s SSL] certificate, that can potentially expose traffic. For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare.”
Imperva urged all of its customers to take several steps that might mitigate the threat from the data exposure, such as changing passwords for user accounts at Incapsula, enabling multi-factor authentication, resetting API keys, and generating/uploading new SSL certificates.
Alissa Knight, a senior analyst at Aite Group, said the exposure of Incapsula users’ scrambled passwords and email addresses was almost incidental given that the intruders also made off with customer API keys and SSL certificates.
Knight said although we don’t yet know the cause of this incident, such breaches at cloud-based firms often come down to small but ultimately significant security failures on the part of the provider.
“The moral of the story here is that people need to be asking tough questions of software-as-a-service firms they rely upon, because those vendors are being trusted with the keys to the kingdom,” Knight said. “Even if the vendor in question is a cybersecurity company, it doesn’t necessarily mean they’re eating their own dog food.”
The challenge: increase endpoint security and simplify operations
Towne Properties is a leading commercial and residential property management company in the Midwest. Our customer, Bill Salyers, the IT Director at Towne Properties, recently migrated the company to Windows 10 to adopt its embedded security features, including Windows Defender Antivirus. Yet he remained concerned about advanced zero-day attacks that bypass antivirus solutions and cause damage to the firm and its clients.
When we met Bill, Towne Properties used a commercial third-party antivirus. The product protects against known attacks, but it didn’t prevent zero-day, evasive memory attacks, which are increasing at a rapid rate. Bill needed to address this gap in his endpoint protection but couldn’t deploy another security detection tool given the lean composition of his security team. They just didn’t have the resources and bandwidth to manage another tool. Bill required better endpoint protection and simplified operations.
“At Towne, our goal is to make our endpoints as secure as possible from advanced threats, while simplifying our environment and maintaining fixed budgets.”
—Bill Salyers, IT Director, Towne Properties
Windows Defender Antivirus provides built-in endpoint protection
When we learned that Towne Properties needed a lightweight solution that would improve endpoint protection, we reintroduced Bill to Windows Defender Antivirus. Built into Windows 10, Windows Defender Antivirus protects endpoints against known software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
Bill performed a thorough evaluation of Windows Defender Antivirus and was thrilled to find that it compared favorably in terms of efficacy and capabilities to their incumbent third-party antivirus. With no installation required or new interface to learn, his team was able to quickly eliminate a third-party tool and reduce their total cost of ownership (TCO).
“Windows Defender Antivirus met all our requirements at no incremental cost. We replaced our third-party antivirus without sacrifice.”
—Bill Salyers, IT Director, Towne Properties
Morphisec adds a new layer of prevention
The money Bill saved dropping the third-party antivirus gave him more flexibility to address zero-days and memory-based attacks. He invested in Morphisec, which is based on their highly innovative Moving Target Defense technology. Morphisec Moving Target Defense stops unknown attacks by morphing critical assets to make them inaccessible to the adversary and killing the attack pre-execution. Morphisec is integrated with Windows Defender Antivirus and extends Towne Properties’ endpoint protection to include zero-days, advanced memory-based threats, malicious documents, and browser-based attacks. It’s lightweight and easy to manage, which is important to Bill. The integration with Windows Defender Antivirus allowed Towne to achieve both better protection and simpler operational management with visibility through a single pane of glass.
Figure 1: As an application loads to the memory space, Morphisec morphs the process structures, making the memory constantly unpredictable to attackers (Source: Morphisec website).
Figure 2: Legitimate application code memory is dynamically updated to use the morphed resources; applications load and run as usual while a skeleton of the original structure is left as a trap. Attacks target the original structure, fail to execute, and are trapped.
“We chose Morphisec because Moving Target Defense’s highly innovative approach prevents the most dangerous unknown memory-based attacks.”
—Bill Salyers, IT Director, Towne Properties
The Morphisec and Microsoft partnership supports Towne Properties’ cybersecurity roadmap
One reason Bill and his management team were so enthusiastic about Morphisec and Windows Defender Antivirus is that the combination supports their overall security plan. Towne Properties is a Microsoft shop aligned with the Microsoft cybersecurity strategy. Morphisec also integrates with Microsoft Defender Advanced Threat Protection (ATP), which allows Towne Properties to seamlessly chart their Microsoft and Morphisec journey.
“It was also important to learn how Microsoft has partnered closely with Morphisec. Morphisec integrates with Microsoft Defender ATP, giving us high confidence to continue down the Microsoft and Morphisec journey.”
—Justin Hall, Security Specialist, Towne Properties
Windows Defender Antivirus and Morphisec Moving Target Defense are better together
Windows Defender Antivirus and Morphisec Moving Target Defense offer the following features:
Windows Defender Antivirus:
Delivers leading machine learning and behavior-based antimalware and threat protection.
Is built into Windows 10 at no additional cost.
Requires no installation—just turn on features in Windows 10.
Morphisec Moving Target Defense:
Delivers an entirely new layer of deterministic prevention against the most advanced and most damaging threats to the enterprise, including unknown attacks, zero-days, ransomware, evasive fileless attacks, and web-borne attacks.
Simple to manage and extremely lightweight with zero impact on operations.
Virtually patches vulnerabilities.
Integrates with Microsoft Defender ATP to visualize attacks prevented by Morphisec and incorporate threats identified by Morphisec in the Microsoft Defender ATP dashboard.
Morphisec + Microsoft:
Provides superior endpoint protection at an affordable cost.
Is simple to deploy, manage, and maintain.
“Morphisec with Windows Defender Antivirus offers a truly set it and forget it solution. Morphisec’s lightweight design coupled with Windows Defender Antivirus provides strong endpoint security, the best value, and a simpler operational environment.”
—Bill Salyers, IT Director, Towne Properties
Metrics — or perhaps more accurately, the right metrics — are crucial for understanding what’s really happening in your AppSec program. They serve a dual purpose: They demonstrate your organization’s current state, and also show what progress it’s making in achieving its objectives.
We typically recommend our customers measure their compliance against their own internal AppSec policy, plus scan activity, flaw prevalence, and time to resolve.
Flaw rate is another metric you might want to consider tracking. Although this would be a secondary metric, unlike the primary ones listed above, flaw rate, which allows you to do a before-and-after flaw comparison for an application, provides insight into how your rate of security findings is improving over time. Veracode analytics allows you to create the flaw rate metric by using a formula and adding it to your chart in order to visualize the rate alongside any other data you are reporting – such as flaw rate per application, first scan vs. most recent scan, or flaw rate per application per severity of the finding.
Keep in mind that this metric, as with flaws per MB, can vary significantly based on the size of the codebase. A monolithic, legacy application is going to have a much different flaw rate (and flaw density as measured by flaws per MB) than a small, new microservice. The value lies in comparing an application’s initial flaw rate to its current flaw rate, or comparing the flaw rate for a team across several applications (again, the initial flaw rate vs. the current). This allows users to get a handle on what is working – or not – for that team to help them close out security findings and reduce the number they are introducing in the first place. In this way, you could validate the impact of your AppSec eLearning or other trainings. I would caution against comparing flaw rate (again, much like flaws per MB) between teams or between business units, as this won’t directly provide much actionable insight beyond which one is doing better.
Note that this metric will not produce an accurate gauge of your program’s success. Since it is applicable only to static analysis, it doesn’t take all testing techniques into account. Policy compliance is ultimately the best metric for measuring and reporting on the overall progress of your program.
But you could use flaw rate as an additional data point, alongside the following metrics, when reporting on the effectiveness or progress of your AppSec program:
Policy compliance: Your application security policy should stem from an analysis of your entire application inventory. From there, you assign groups of applications different risk categories or ratings by asking questions such as:
Do these applications touch PII?
Are they Internet-facing?
What would be the impact of a compromise to this system (i.e., are they business critical)?
Based on those answers, you can determine which scan frequency and testing types are required, as well as which types or severities of flaws to disallow: an Internet-facing application that contains PII will have a different risk categorization from an internal chat service and thus should be held to a different standard for security.
Additionally, this risk rating will determine frequency of scanning requirements. Low-risk functionality that is rarely updated does not need to be scanned every week, but that Internet-facing/PII app may require a scan for every commit.
Average time to resolve: Many application testing solutions focus on scan activity rather than addressing results. While apps need to be scanned, fixing those security findings in a timely manner is a better mechanism for evaluating your application security program. Time to resolve provides visibility into how many days it takes for a finding to be closed after it is first discovered, helping security teams better understand where there may be bottlenecks in the development and security process.
Flaw prevalence: This metric spotlights how common a risk is within a particular industry or business. It helps an organization prioritize threats such as SQL injection, Cross-Site Scripting (XSS), cryptographic issues, and CRLF injection based on real-world impact.
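The metrics above, computed from constructed scan data, as an added example that is not Veracode's code: a risk rating derived from the three inventory questions drives scan cadence and disallowed severities, and flaw rate is compared first scan vs. latest for one application and for one team over time. The flaw-rate definition (findings per scan), the severity scale and the policy thresholds are assumptions; the page does not give Veracode's formula.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class App:
    name: str
    team: str
    touches_pii: bool
    internet_facing: bool
    business_critical: bool

@dataclass
class Scan:
    app: str
    scanned_on: date
    size_mb: float
    findings: int          # findings reported by this scan

@dataclass
class Finding:
    app: str
    severity: int          # assumed scale: 5 = very high ... 1 = very low
    opened: date
    closed: Optional[date] = None

# Assumed policy: higher risk means a tighter scan cadence and a lower
# severity that is disallowed while open.
POLICY = {
    "high":   {"max_scan_age_days": 1,  "disallow_at_or_above": 3},
    "medium": {"max_scan_age_days": 7,  "disallow_at_or_above": 4},
    "low":    {"max_scan_age_days": 30, "disallow_at_or_above": 5},
}

def risk_rating(app: App) -> str:
    """Internet-facing + PII, or business critical, is high; one factor is medium."""
    if (app.internet_facing and app.touches_pii) or app.business_critical:
        return "high"
    if app.internet_facing or app.touches_pii:
        return "medium"
    return "low"

def policy_violations(app, scans, findings, today):
    """Reasons the app is out of policy; an empty list means compliant."""
    rules = POLICY[risk_rating(app)]
    reasons = []
    app_scans = [s for s in scans if s.app == app.name]
    if not app_scans:
        reasons.append("never scanned")
    else:
        age = (today - max(s.scanned_on for s in app_scans)).days
        if age > rules["max_scan_age_days"]:
            reasons.append(f"last scan {age} days old, limit {rules['max_scan_age_days']}")
    bad = [f for f in findings if f.app == app.name and f.closed is None
           and f.severity >= rules["disallow_at_or_above"]]
    if bad:
        reasons.append(f"{len(bad)} open finding(s) at disallowed severity")
    return reasons

def flaw_rate_trend(app_name, scans):
    """Flaw rate (assumed: findings per scan) and flaw density (findings per MB)
    for the first and most recent scan of one application."""
    ordered = sorted((s for s in scans if s.app == app_name), key=lambda s: s.scanned_on)
    first, latest = ordered[0], ordered[-1]
    return {"first_rate": first.findings, "latest_rate": latest.findings,
            "first_per_mb": round(first.findings / first.size_mb, 2),
            "latest_per_mb": round(latest.findings / latest.size_mb, 2)}

def team_flaw_rate(team, apps, scans):
    """Initial vs. current flaw rate summed over one team's apps: the same team
    compared over time, not team against team."""
    names = [a.name for a in apps if a.team == team]
    first = sum(flaw_rate_trend(n, scans)["first_rate"] for n in names)
    latest = sum(flaw_rate_trend(n, scans)["latest_rate"] for n in names)
    return first, latest

def average_time_to_resolve(findings):
    """Mean days from discovery to closure, over closed findings only."""
    days = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return sum(days) / len(days) if days else None

# Constructed sample inventory, scans and findings.
TODAY = date(2019, 9, 16)
APPS = [App("storefront", "web", True, True, True),
        App("chat-internal", "web", False, False, False),
        App("reports-svc", "data", True, False, False)]
SCANS = [Scan("storefront", date(2019, 6, 3), 40.0, 48),
         Scan("storefront", date(2019, 9, 15), 42.0, 21),
         Scan("chat-internal", date(2019, 8, 1), 3.5, 4),
         Scan("chat-internal", date(2019, 9, 1), 3.5, 2),
         Scan("reports-svc", date(2019, 9, 1), 12.0, 9)]
FINDINGS = [Finding("storefront", 5, date(2019, 6, 3), date(2019, 6, 13)),
            Finding("storefront", 4, date(2019, 6, 3), date(2019, 7, 3)),
            Finding("storefront", 3, date(2019, 9, 15)),      # open medium
            Finding("reports-svc", 4, date(2019, 9, 1)),      # open high
            Finding("chat-internal", 2, date(2019, 8, 1), date(2019, 8, 21))]

if __name__ == "__main__":
    for app in APPS:
        print(app.name, risk_rating(app), policy_violations(app, SCANS, FINDINGS, TODAY))
    print(flaw_rate_trend("storefront", SCANS), team_flaw_rate("web", APPS, SCANS))
    print("avg days to resolve:", average_time_to_resolve(FINDINGS))
```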
Learn more about flaw rate
For detailed instructions on measuring flaw rate, please see this article in the Veracode Community.
Some businesses – usually those that have never experienced any kind of major IT incident – think of cybercrime as an inconvenience. They may believe that if their company is hacked it will cause some disruption and perhaps an embarrassing news story, but that ultimately the breach will have only a minor effect.
However, the truth is that cybercrime can have a huge range of unexpected consequences. Here we take a look at the real impact of a breach – cybercrime might affect you a lot more than you think.
It loses customer confidence
When you suffer a cyberattack it becomes common knowledge very quickly. Whether your site is taken offline or Google places a ‘hacked site’ warning against you, customers will learn fast that you have been compromised. And when a potential customer hears that you have been breached, they will immediately associate you with the attack, deeming your site to be unsafe to use.
Under the General Data Protection Regulation (GDPR) it is also a legal requirement for you to inform any customers whose data has been affected by the breach within 72 hours of becoming aware of the breach. This further erodes the confidence of those customers who have already used your services or bought from your site.
It costs you sales
No business wants to lose the confidence of its customers, most importantly because it will naturally have an effect on your sales. If – in the eyes of your customers – your site can’t be trusted, they will stop using it and move on to a competitor. This means that before you take anything else into account, you will be losing business simply due to the fact that you have been a victim of cybercrime.
Of course, if the cybercrime takes your website offline, you will also lose any potential transactions over that period – but the more crucial factor is the long-term effect of customers believing that you are no longer safe to buy from.
It costs a lot of money
Cyber attacks can be extremely costly for a variety of reasons. We have already talked about the kind of disruption to trading that will occur when any kind of cybercrime takes place, but it is actually a lot more complicated than that. Firstly, many forms of cybercrime will directly steal money from a business. This could come in the form of a phishing attack on a member of staff, or even a business email compromise attack.
However, there are also other costs to consider such as the financial ramifications of dealing with the hack and securing your business. And of course, any trust that is lost in your partners or suppliers can lead to you losing them.
It weakens your SEO efforts
You might not realise it, but cybercrime can have a serious impact on your search engine optimisation (SEO). There are many reasons for this – firstly, if Google believes your site is hacked, it can place a ‘hacked site’ warning in the listings. Additionally, many hacks will actually alter or steal content from your site, and website content is one of the most important ranking factors in the eyes of all search engines.
Another important factor is downtime. If Google sees that your website is down for a significant period of time, this is a negative ranking factor, and can see your site sliding. Any cybercrime will cause downtime, as you will need to take your site offline in order to fix the issues and return it to normal.
It causes problems with compliance
We have already mentioned the GDPR in this article, and how it can force you to disclose cyber breaches to any affected individuals. However, it is important to remember that compliance with the GDPR and other regulations can itself become an issue if you suffer a cyberattack.
Under the GDPR, businesses are required to take appropriate steps to protect themselves against attacks, in order to secure the private information that they hold on customers. Failing to do so can put you at risk of heavy fines from the ICO.
It loses your intellectual property
Another extremely common occurrence during a cyberattack is that intellectual property will be stolen. Given the incredible value of IP to some businesses, such as in technology or pharmaceutical firms, it can be easy to see how stolen IP could make a business unsustainable.
If your organisation relies upon the secrecy of its IP, then you need to make sure you are taking appropriate steps to defend that IP against cybercrime.
The PCI PIN Standard requires implementation of Key Blocks. In this blog, the third of the series, we cover basic questions about the 3 phases for implementing the Key Blocks requirements. In our first blog, Key Blocks 101, we covered basic questions about this security method and how it helps secure payment data. The second blog in the series, Key Blocks 102, addressed questions around Key Block applicability.
“Smashing Security” is a weekly podcast where I, Carole Theriault, and a special guest discuss some of the quirky stories from the last week’s cybersecurity news headlines, and anything else that takes our fancy.
The retail sector has always been at risk of cyberattacks. The industry has already seen high-profile data breaches, some of them in the recent past at large retail brands that are lucrative to cyberattackers, such as Target, TJX and Home Depot.
One of the major reasons for these attacks is the sheer number of attack vectors. The industry handles a large volume of card, cash, POS and online transactions on a regular basis, making retail a sought-after target for cyberattackers.
Nowadays especially, the retail sector is increasingly moving towards digital, and while this will bring a plethora of opportunities, the risk of cyberattacks also grows with it. Various surveys bear this out – a 2018 report found that 50% of retailers had been breached in the past year. The monetary consequences for retailers can also be major – according to a KPMG study, 19% of customers said they would completely stop shopping at a retailer over a hack, while 33% said they would not shop at the same retailer for more than three months.
These are increasingly troubling statistics and hence, it is important that retailers fix various cybersecurity issues such as:
POS Security Vulnerabilities
One of the reasons why POS systems carry such a high security risk is the soaring stakes involved. These systems collect data for hundreds of transactions every single day, making them a veritable gold mine for hackers. They are also more vulnerable to malware because of the very nature of what they are used for.
Because these systems are in near-constant use, network administrators rarely get a window to apply the correct updates and patches, leaving them vulnerable to new and advanced threats.
Of late, malware – especially ransomware – is readily available for download from the dark web. Even amateurs, armed only with criminal intent, can access vulnerable retail channels and launch an attack. This naturally raises the sheer number of possible attackers, and that increases the need for retailers to bolster sensitive points in their network. Network security along with endpoint security is extremely vital for retailers, and products such as Seqrite’s UTM are proven to safeguard retail enterprise networks.
An enormous amount of cyber risks arise from human factors. In the retail industry, these human factors may not always be controllable, as it employs a large number of low-skilled workforce with high attrition rates, along with a considerable amount of third party interfacing through the supply chain.
Increasing integration with Internet of Things
The Internet of Things (IoT), which essentially connects devices like refrigerators, TVs, other home appliances and even cars to the web, is seeing a heavy adoption. Its potential in the retail industry is immense with companies trying to integrate in-store cameras, sensors etc. with the shoppers’ smartphones.
With multiple devices connecting to an organization’s network, the risk of having unguarded entry points to the system increases. Some of the cyber experts refer to this phenomenon as the ‘Internet of Vulnerabilities’ and if appropriate measures to shield from attacks are not undertaken, the retail industry is nothing more than a fertile hunting ground for cyberattackers.
Security on mobile devices
Mobile phones are ubiquitous and are becoming one of the top tools for shopping. As per a Deloitte report, the younger generation especially 25-34-year-olds are heavily inclined to use mobile devices for browsing, shopping and purchasing.
As employees increasingly use their own mobile devices within the office, a company’s network is suddenly under a deluge of connections, some of which might be host to dangerous malware.
This in turn puts not only the network but also every connected device at risk.
The retail industry is in a vulnerable state and is a target for attacks by organized cybercriminals as well as opportunistic hackers. It is the retail industry’s onus to protect its own operations as well as the critical information of their customers.
It is essential that retailers make use of well-established security practices, frameworks, and solutions like Seqrite to safeguard their customers’ data and their business operations.
With winter almost gone, now is the perfect time to start planning your annual spring clean. When we think about our yearly sort out, most of us think about decluttering our chaotic linen cupboards or the wardrobes that we can’t close. But if you want to minimise the opportunities for a hacker to get their hands on your private online information then a clean-up of your digital house (aka your online life) is absolutely essential.
Not Glamourous but Necessary
I totally accept that cleaning up your online life isn’t exciting but let me assure you it is a must if you want to avoid becoming a victim of identity theft.
Think about how much digital clutter we have accumulated over the years. Many of us have multiple social media, messaging and email accounts. And don’t forget about all the online newsletters and ‘accounts’ we have signed up for with stores and online sites. Then there are the apps and programs we no longer use.
Well, all of this can be a liability. Holding onto accounts and files you don’t need exposes you to all sorts of risks. Your devices could be stolen or hacked or, a data breach could mean that your private details are exposed quite possibly on the Dark Web. In short, the less information that there is about you online, the better off you are.
Digital clutter can be distracting, exhausting to manage and most importantly, detrimental to your online safety. A thorough digital spring clean will help to protect your important, online personal information from cybercriminals.
What is Identity Theft?
Identity theft is a serious crime that can have devastating consequences for its victims. It occurs when a person’s personal information is stolen to be used primarily for financial gain. A detailed set of personal details is often all a hacker needs to access bank accounts, apply for loans or credit cards and basically destroy your credit rating and reputation.
How To Do a Digital Spring Clean
The good news is that digital spring cleaning doesn’t require nearly as much elbow grease as scrubbing down the microwave! Here are my top tips to add to your spring-cleaning list this year:
Weed Out Your Old Devices
Gather together every laptop, desktop computer, tablet and smartphone that lives in your house. Now, you need to be strong – work out which devices are past their use-by date and which need to be spring cleaned.
If it is finally time to part ways with your first iPad or the old family desktop, make sure any important documents or holiday photos are backed up in a few places (on another computer, an external hard drive AND in a cloud storage program such as Dropbox or iCloud) so you can erase all remaining data and recycle the device with peace of mind. Be careful not to get ‘deleting’ confused with ‘erasing,’ which means permanently clearing data from a device. Deleted files can often linger in a device’s recycling folder.
Ensure Your Machines Are Clean!
It is not uncommon for viruses or malware to find their way onto your devices through outdated software so ensure all your internet-connected devices have the latest software updates including operating systems and browsers. Ideally, you should ensure that you are running the latest version of apps too. Most software packages do auto-update but please take the time to ensure this is happening on all your devices.
Review and Consolidate Files, Applications and Services
Our devices play such a huge part in our day to day lives so it is inevitable that they become very cluttered. Your kids’ old school assignments, outdated apps and programs, online subscriptions and unused accounts are likely lingering on your devices.
The big problem with old accounts is that they get hacked! And they can often lead hackers to your current accounts so it’s a no-brainer to ensure the number of accounts you are using is kept to a minimum.
Once you have decided which apps and accounts you are keeping, take some time to review the latest privacy agreements and settings so you understand what data they are collecting and when they are collecting it. You might also discover that some of your apps are using far more of your data than you realised! Might be time to opt-out!
Update Passwords and Enable Two-Factor Authentication
As the average consumer manages a whopping 11 online accounts – social media, shopping, banking, entertainment, the list goes on – updating our passwords is an important ‘cyber hygiene’ practice that is often neglected. Why not use your digital spring cleaning as an excuse to update and strengthen your credentials?
Creating long and unique passwords using a variety of upper- and lowercase letters, numbers and symbols is an essential way of protecting yourself and your digital assets online. And if that all feels too complicated, why not consider a password management solution? Password managers help you create, manage and organise your passwords. Some security software solutions, such as McAfee Total Protection, include a password manager.
Finally, wherever possible, you should enable two-factor authentication for your accounts to add an extra layer of defense against cyber criminals. Two-factor authentication is where a user is verified by a one-time password or one-off code sent to a separate personal device like a smartphone.
Still not convinced? If you use social media, shop online, subscribe to specialist newsletters then your existence is scattered across the internet. By failing to clean up your ‘digital junk’ you are effectively giving a set of front door keys to hackers and risking having your identity stolen. Not a great scenario at all. So, make yourself a cuppa and get to work!
They may not be saying so, but your senior analysts are exhausted.
Each day, more and more devices connect to their enterprise networks, creating an ever-growing avenue for OS exploits and phishing attacks. Meanwhile, the number of threats—some of which are powerful enough to hobble entire cities—is rising even faster.
While most companies have a capable cadre of junior analysts, most of today’s EDR (Endpoint Detection and Response) systems leave them hamstrung. The startlingly complex nature of typical EDR software necessitates years of experience to successfully operate—meaning that no matter how willing the more “green” analysts are to help, they just don’t yet have the necessary skillset to effectively triage threats.
What’s worse, while these “solutions” require your top performers, they don’t always offer top performance in return. While your most experienced analysts should be addressing major threats, a lot of times they’re stuck wading through a panoply of false positives—issues that either aren’t threats, or aren’t worth investigating. And while they’re tied up with that, they must also confront the instances of false negatives: threats that slip through the cracks, potentially avoiding detection while those best suited to address them are busy attempting to work through the noise. This problem has gotten so bad that some IT departments are deploying MDR systems on top of their EDR packages—increasing the complexity of your company’s endpoint protection and further increasing employee stress levels.
Hoping both to measure the true impact of “analyst fatigue” on SOCs and to identify possible solutions, McAfee commissioned Forrester Consulting to conduct a study in March 2019 to see what effects current EDRs were having on businesses and to recognize the potential for solutions. Forrester surveyed security technology decision-makers, from the managers facing threats head-on to those in the C-suite viewing security solutions at the macro level in relation to their firm’s financial needs and level of risk tolerance. Respondents were from the US, UK, Germany or France, and worked in a variety of industries at companies ranging in size from 1,000 to over 50,000 employees.
When asked about their endpoint security goals, respondents’ top three answers—to improve security detection capabilities (87%), increase efficiency in the SOC (76%) and close the skills gap in the SecOps team (72%)—all pointed to limitations in many current EDRs. Further inquiry revealed that while 43% of security decision makers consider automated detection a critical requirement, only 30% feel their current solution(s) completely meet their needs in this area.
While the issues uncovered were myriad, the results also suggested that a single solution could ameliorate a variety of these problems. The introduction of EDR programs incorporating Guided Investigation could increase efficiency by allowing junior analysts to assist in threat identification, thereby freeing up more seasoned analysts to address detected threats and focus on only the most complex issues, leading to an increase in detection capabilities. Meanwhile, the hands-on experience that junior analysts would get addressing real-life EDR threats would increase both their personal efficiency and their skill level, helping to eliminate the skills gaps present in some departments.
To learn more about the problems and possibilities in the current EDR landscape, you can read the full “Empower Security Analysts Through Guided EDR Investigation” study by clicking here.
Australia! Sunshine, good coffee and back in the water on the tail end of "winter". I'm pretty late doing this week's video as the time has disappeared rather quickly and I'm making the most of it before the next round of events. Be that as it may, there's a bunch of new stuff this week not least of which is the unexpected limit I hit with the Azure API Management consumption tier. I explain the problem in this video along with a bunch of other infosec related bits. I'll do another one from Aus later this week (if I can stick to schedule) and will try and find another nice little spot. Until then, enjoy:
These days it seems that there is a scam for every season, and back-to-school is no different. From phony financial aid, to debt scams, and phishing emails designed to steal your identity information, there are a lot of threats to study up on.
Of course, many of these scams are just different twists on the threats we see year-round. For instance, debt collection, tax, and imposter scams, were named some of the top frauds of 2018 by the Federal Trade Commission, costing U.S. consumers over $1.48 billion. And many of the same techniques are being directed at students, graduates, and their parents.
Here’s what to watch out for:
Identity Theft—While you might think that identity theft would only be a risk to older students applying for aid, in fact over a million children were victims of identity theft in 2017, with two thirds of them under the age of eight. This is because children’s identities can be more valuable to cyber thieves: their Social Security numbers have never been used before, so they have clean credit reports that are rarely checked.
Some savvy scammers have even started to ask parents for their child’s identity information when applying for common back-to-school activities, such as joining a sports league or after school class.
Phony Tuition Fees—“Don’t lose your spot!” This is the call to action scammers are using to trick students and parents into paying a made-up tuition fee. You may receive an official-looking email, or receive a call directly from scammers, hoping to take advantage of the stress that many people feel around getting into the school of their choice. Some victims of this scam have already paid tuition, but are confused by last-minute requests for a fee to save their spot.
Financial Aid Fraud—Education has become incredibly expensive in recent years, and scammers know it. That’s why they put up ads for phony financial aid, and send phishing emails, hoping to lure applicants with the promise of guaranteed assistance, or time sensitive opportunities.
Many pose as financial aid services that charge an “advance fee” to help students apply for loans. When you fill out an application the fraudsters potentially get both your money (for the “service”) and your identity information. This can lead to identity theft, costing victims an enormous amount of time and money.
Student Loan Forgiveness—We’ve seen a proliferation of social media ads and emails offering to help student borrowers reduce, or even completely forgive, their loan debt. Some of these offers are from legitimate companies that lend advice on complicated financial matters, but others are scams, charging exorbitant fees with the promise of renegotiating your debt. Just remember, debt relief companies are not permitted to negotiate federal student loans.
Phony Student Taxes—Another common scam that targets students is phony messages and phone calls from the IRS, claiming that the victim needs to immediately pay a “federal student tax” or face arrest. Of course, this tax does not exist.
Shopping Scams—From books, clothes, and supplies, to dorm accessories, the start of the school year often means the start of an online shopping frenzy. That’s when students and parents are susceptible to phishing emails that offer “student discounts” on popular items, or claim that they “missed a delivery” and need to click on an attachment. Links in these emails often lead to phony websites that collect their payment information, or malware. The same is true for offers of cheap or “free” downloads on normally expensive textbooks.
Here are some tips to avoid these sneaky school-related scams:
Be suspicious of any school programs that ask for more information than they need, like your child’s Social Security number just to join a club.
Only shop on reputable e-commerce sites for back to school supplies. Buy textbooks from recommended providers, and avoid any “free” digital downloads. Consider installing a web advisor to steer you away from risky websites.
When seeking financial aid, ask a school adviser for a list of reputable sources. Avoid any offers that sound too good to be true, like “guaranteed” or zero interest loans. Remember that it does not cost money to simply apply for financial aid.
If you receive any threatening emails or phone calls about loans or fees, do not respond. Instead, contact your loan provider directly to check on the status of your account.
Avoid using unsecured public Wi-Fi on campus, since it’s easy for a hacker to intercept the information that you are sending over the network. Only connect to secure networks that require a password.
Install comprehensive security software on all of your computers and devices. Look for software that protects you from malware, phishing attempts, and risky websites, as well as providing identity protection.
Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.
Today was not an easy morning for Ellen DeGeneres. She woke to find that her Instagram account had been briefly hacked, according to the talk show host’s Twitter and Yahoo Entertainment. A series of giveaways offering free Tesla cars, MacBooks, and more were posted to the talk show host’s account last night. After seeing the posts, some of her followers became skeptical and warned her of the suspicious behavior. They were smart to flag the giveaways as untrustworthy, because DeGeneres confirmed that her Instagram was in fact affected by malicious activity.
While Ellen joked about “password” not being the most secure password, it’s always a best practice to use strong passwords that differ from each of your other accounts to avoid easy break-ins from cybercriminals.
One of the central reasons hackers target social media accounts is to retrieve stored personal information. Once cybercriminals log into an account, they have access to everything that has ever been shared with the platform, such as date of birth, email, hometown, and answers to security questions. They then could potentially use this information to try to log into other accounts or even steal the person’s identity, depending on the level of information they have access to.
Another motive for hijacking a user’s social media account is to spread phishing scams or malware amongst the user’s network. In DeGeneres’ case, her 76 million Instagram followers were prompted to click on links that were scams disguised as giveaways so hackers could steal their personal information. In other cases, hackers will use adware so they can profit off of clicks and gain access to even more valuable information from you and your contacts. Sometimes these cybercriminals will post publicly on your behalf to reach your entire network, and other times they will read through private messages and communicate with your close network directly.
It’s not just celebrities that are vulnerable to cybercriminals. In fact, over 22% of internet users reported that their online accounts have been hacked at least once, and more than 14% said that they were hacked more than once. If your account gets hacked, the first step is to change your password right away and notify your network, so they don’t click on any suspicious links.
The good news is that by taking proper precautions, you can significantly reduce risk to help keep your account safe. Here are five best practices for protecting your social media accounts from malicious activity:
Use your best judgment and don’t click on suspicious messages or links, even if they appear to be posted by a friend.
Flag any scam posts or messages you encounter on social media to the platform, so they can help stop the threat from spreading.
Use unique, complicated passwords for all your accounts.
Avoid posting any identifying information or personal details that might allow a hacker to guess your security questions.
According to a new report released by the National Center for Education Statistics (NCES), mean girls are out in force online. Data shows that girls report three times as much harassment online (21%) as boys (less than 7%). While the new data does not specify the gender of the aggressors, experts say most girls are bullied by other girls.
With school back in full swing, it’s a great time to talk with your kids — especially girls — about how to deal with cyberbullies. Doing so could mean the difference between a smooth school year and a tumultuous one.
The mean girl phenomenon, brought into the spotlight by the 2004 movie of the same name, isn’t new. Only today, mean girls use social media to dish the dirt, which can be devastating to those targeted. Mean girls are known to use cruel digital tactics such as exclusion, cliques, spreading rumors online, name-calling, physical threats, sharing explicit images of others, shaming, sharing secrets, and recruiting others to join the harassment effort.
How parents can help
Show empathy. If your daughter is the target of mean girls online, she needs your ears and your empathy. The simple, powerful phrase “I understand” can be an instant bridge builder. Parents may have trouble comprehending the devastating effects of cyberbullying because they, unlike their child, did not grow up under the threat of being electronically attacked or humiliated. This lack of understanding, or empathy gap, can be closed by a parent making every effort to empathize with a child’s pain.
Encourage confidence and assertiveness. Mean girls target people they consider weak or vulnerable. If they know they can exploit another person publicly and get away with it, it’s game on. Even if your daughter is timid, confidence and assertiveness can be practiced and learned. Find teachable moments at home and challenge your daughter to boldly express her opinions, thoughts, and feelings. Her ability to stand up for herself will grow over time, so get started role-playing and brainstorming various ways to respond to mean girls with confidence.
Ask for help. Kids often keep bullying a secret to keep a situation from getting worse. Unfortunately, this thinking can backfire. Encourage your daughter to reach out for help if a mean girl situation escalates. She can reach out to a teacher, a parent, or a trusted adult. She can also reach out to peers. There’s power in numbers, so asking friends to come alongside during a conflict can curb a cyberbully’s efforts.
Exercise self-control. When it comes to behavior, mean girls habitually go low, so encourage your daughter always to go high. Regardless of the cruelty dished out, it’s important to maintain a higher standard. Staying calm, using respectful, non-aggressive language, and speaking in a confident voice can discourage a mean girl’s actions faster than retribution.
Build a healthy perspective. Remind your daughter that even though bullying feels extremely personal, it’s not. A mean girl’s behavior reflects her own pain and character deficits, which have nothing to do with her target. As much as possible, help your daughter separate herself from the rumors or lies being falsely attached to her. Remind her of her strengths and the bigger picture that exists beyond the halls of middle school and high school.
Teach and prioritize self-care. In this context, self-care is about balance and intention. It includes spending more time doing what builds you up emotionally and physically — such as sleep and exercise — and less time doing things that deplete you (like mindlessly scrolling through Instagram).
Digitally walk away. When mean girls attack online, they are looking for a fight. However, if their audience disengages, a bully can quickly lose power and interest. Walk away digitally by not responding, unfollowing, blocking, flagging, or reporting an abusive account. Parents can also help by monitoring social activity with comprehensive software. Knowing where your child spends time online and with whom, is one way to spot the signs of cyberbullying.
Parenting doesn’t necessarily get easier as our kids get older and social media only adds another layer of complexity and concern. Even so, with consistent family conversation and connection, parents can equip kids to handle any situation that comes at them online.
If you’re a frequent moviegoer, there’s a chance you may have used or are still using movie ticket subscription service and mobile app MoviePass. The service is designed to let film fanatics attend a variety of movies for a convenient price, however, it has now made data convenient for cybercriminals to potentially get ahold of. According to TechCrunch, the exposed database contained 161 million records, with many of those records including sensitive user information.
So, what exactly do these records include? The exposed user data includes some 58,000 personal credit card and MoviePass customer card numbers. MoviePass customer cards are similar to normal debit cards: they are issued by Mastercard and store a cash balance that users draw on to pay for movies from the service’s catalog. Beyond the customer card and financial numbers, other exposed data includes billing addresses, names, and email addresses. TechCrunch reported that a combination of this data could very well be enough information to make fraudulent purchases.
The database also contained what researchers presumed to be hundreds of incorrectly typed passwords, stored alongside user email addresses. To test this, TechCrunch attempted to log into the database using a fake email and password combination. Not only did they immediately gain access to the MoviePass account, but they found that the fake login credentials were then added to the database.
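The exposure described above comes down to one design decision: a failed login attempt was recorded together with the password the user typed. As an added example (not code from the article, TechCrunch or MoviePass), the Python below puts the anti-pattern beside its hardened form. Failed logins are still recorded, because they are needed for lockout and abuse detection, but the attempt record has no password field at all, only the email, outcome and source address; password verification compares salted PBKDF2 hashes in constant time; and an unknown email never creates an account. All names (`User`, `LoginAttempt`, `record_attempt`, `demo`), the sample accounts and the IP addresses are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

PBKDF2_ITERATIONS = 200_000  # work factor for PBKDF2-HMAC-SHA256


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes  # only the salted hash is stored, never the password


@dataclass
class LoginAttempt:
    """Audit record for one login attempt. Deliberately has no password
    field, so a mistyped password cannot end up in the attempt log."""
    email: str
    success: bool
    source_ip: str


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(users: Dict[str, User], email: str, password: str) -> None:
    salt = os.urandom(16)
    users[email] = User(email=email, salt=salt, pw_hash=hash_password(password, salt))


def insecure_record_attempt(log: List[dict], email: str, password: str, success: bool, ip: str) -> None:
    """The anti-pattern behind the exposure above: the submitted password is
    written to the attempt table as-is (hypothetical reconstruction)."""
    log.append({"email": email, "password": password, "success": success, "ip": ip})


def record_attempt(log: List[LoginAttempt], email: str, success: bool, ip: str) -> None:
    """Hardened form: record who, from where and whether it worked, nothing else."""
    log.append(LoginAttempt(email=email, success=success, source_ip=ip))


def login(users: Dict[str, User], log: List[LoginAttempt], email: str, password: str, ip: str) -> bool:
    user = users.get(email)
    if user is None:
        # Unknown account: run the hash anyway so response timing does not
        # reveal which emails exist, log the failure, and never create an
        # account from the submitted credentials.
        hash_password(password, bytes(16))
        record_attempt(log, email, False, ip)
        return False
    ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    record_attempt(log, email, ok, ip)
    return ok


def recent_failures(log: List[LoginAttempt], email: str) -> int:
    """Count failed attempts for an account, e.g. to drive lockout or alerting."""
    return sum(1 for a in log if a.email == email and not a.success)


def log_leaks_secret(log, secret: str) -> bool:
    """Audit check: does any stored attempt record contain the secret verbatim?"""
    return any(secret in repr(entry) for entry in log)


def demo() -> dict:
    """Constructed sample data; returns its results so they can be checked."""
    users: Dict[str, User] = {}
    safe_log: List[LoginAttempt] = []
    unsafe_log: List[dict] = []
    create_user(users, "alice@example.com", "correct horse battery")
    typo = "Correct horse battery"  # a mistyped password, as in the exposure
    first = login(users, safe_log, "alice@example.com", typo, "198.51.100.7")
    insecure_record_attempt(unsafe_log, "alice@example.com", typo, first, "198.51.100.7")
    second = login(users, safe_log, "alice@example.com", "correct horse battery", "198.51.100.7")
    third = login(users, safe_log, "nobody@example.com", "hunter2", "203.0.113.9")
    return {
        "typo_rejected": not first,
        "correct_accepted": second,
        "unknown_rejected": third is False and "nobody@example.com" not in users,
        "alice_failures": recent_failures(safe_log, "alice@example.com"),
        "safe_log_leaks": log_leaks_secret(safe_log, typo),
        "unsafe_log_leaks": log_leaks_secret(unsafe_log, typo),
    }


if __name__ == "__main__":
    print(demo())
```

The `log_leaks_secret` check is the kind of assertion worth keeping in a test suite: it fails the moment someone adds a password field to the attempt record, which is cheaper than finding the field in an exposed database later.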
Since then, TechCrunch reached out to MoviePass and the company has since taken the database offline. However, with this personal and financial information publicly accessible for quite some time, users must do everything in their power to safeguard their data. Here are some tips to help keep your sensitive information secure:
Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.
And, as always, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
Another 85 photo and gaming apps have been removed from the Google Play store after they were discovered to have been distributing adware to the roughly 8 million users who had downloaded the fake apps. The adware itself is rather tricky: by sitting dormant on devices for at least 30 minutes to avoid detection, the apps are then able to display a steady stream of full-screen ads that make users wait through each in its entirety before allowing continued use of the app.
municipalities have fallen victim to a single ransomware campaign affecting at least 22 locations and asking a cumulative ransom of $2.5 million. The state of Texas has been under fire for the past few months, suffering a seemingly endless string of ransomware attacks on local governments. Fortunately, many of the targeted districts have been swift to remediate issues and are already on the path to full system recovery, managing to avoid paying heavy ransoms.
Steam Zero-Days Released After Valve Bans Submitter
A researcher recently found several zero-day vulnerabilities within the Steam API that could allow for local privilege escalation (LPE), which could then allow malware to use the client as a launching point. Unfortunately, Valve decided the bug was outside of its scope of responsibility, locked the report, and refused to investigate it any further, also banning the submitter from the bug bounty program. Eventually, after much negative media coverage, Valve pushed out a patch that was quickly subverted by another workaround. It is unusual for a company with so many active users to blatantly ignore one of Microsoft’s most commonly patched
Adult Site Database Exposed
Yet another adult site has fallen victim to poor information security practices after a database containing personally identifiable information belonging to nearly 1 million users was misconfigured and left publicly available. The leak was discovered by researchers who were able to verify a breach and swiftly report it to the site, which took only four days to secure the data. Site users were notified of the breach and are being advised to change login credentials, especially those using work devices or contact details.
Magecart Found in Poker Tracker
The infamous Magecart card-skimming script was recently found loaded into Poker Tracker’s main site, which allows online poker players to make statistics-based betting decisions. It was later revealed that the site was fully injected via an outdated version of Drupal that has since been updated. The attack left the attackers with a copy of every payment made through the site or the app.
Leadership. It’s a weighty term, although frequently it is used too lightly, and all too often it’s a self-declared position. We believe leaders can come and go, and leadership can be fleeting unless the factors behind long-term success are in place.
It is for all these reasons that we are proud not only to be in a Leader’s position in the 2019 Gartner® Magic Quadrant for Endpoint Protection Platforms (EPP), but to have been named a Leader by Gartner in this category since 2002.
We believe that true leadership is sustained leadership with a proven track record of consistent strength in vision and execution.
It has been a transformative period for the EPP market, with waves of innovation along the way. We believe the difference with Trend Micro as a Leader is that new techniques and capabilities are additive to our solution value; they are not the sum of it.
We’ve been able to build out our endpoint offering by continuously adding to the wide range of threat detection & response capabilities, along with investigative features as an innate part of a single-agent solution, simplifying deployment and enabling integrated workflows. This provides a balanced and comprehensive approach to endpoint security, which is imperative given the diversity in the threat landscape.
Job one is detecting and blocking as many endpoint threats as possible without manual intervention. The more threats you automatically prevent or stop, the fewer you need to investigate and respond to. That point can’t be overlooked or undervalued, although it often is.
When threats get through, you need actionable insight and an investigative toolset for hunting and sweeping activities, patient zero identification, and root cause analysis covering the use cases most needed and most leveraged.
The market continues to be excited about Endpoint Detection and Response (EDR), and we are strongly committed to delivering an effective solution in this regard; however, we believe effectiveness is not just about deepening the capabilities (although we are doing that), but by also delivering more than what EDR alone is designed to do.
That is why we are committed to going beyond the endpoint, with XDR.
For example, we recently introduced the capability to combine email and endpoints in the investigation of a detection, enabling you to trace a root cause analysis back into email (the #1 attack source) to understand who else received the email or has a malicious file in their Office 365 or Gmail inbox. Containing the threat and stopping the spread gets easier when you are looking beyond the endpoint — something you can’t do with EDR alone.
Our broader XDR strategy provides customers a means to further integrate and extend their detection and response capabilities across email, endpoints, servers, cloud workloads, and networks in a single platform and/or via a managed service. With XDR, you can clearly visualize the overall security posture and effectively hunt, detect, analyze and respond to threats across security layers. Leveraging our market-leading products like Apex One (endpoint), Deep Security (server/cloud workloads), Deep Discovery and TippingPoint (network) and Cloud App Security (messaging and collaboration), XDR offers expert security analytics for alert correlation, and consolidated visibility and investigation of events. The key value of XDR is that it can connect minor events from different security silos (like EDR) to detect more complex attacks that would have otherwise remained unnoticed. You can learn more about XDR here.
The truth is that for many companies, the capabilities of the detection and response tools often exceed their capacity to use them due to time and resource limitations. Thus, a managed service is a great option. Trend Micro’s Managed XDR service can take the burden off of constrained teams, and also offers customers an opportunity to use the service for one or a multitude of security vectors – endpoint, network, servers & cloud workloads, email – for a single source of detection and response. The more sources to correlate, the better the insight – that’s the XDR advantage.
We believe XDR is another proof point of our deep-seated commitment to our ongoing evolution and innovation. This is how we’ve stayed current, relevant and effective over the years.
At the end of the day, the endpoint is extremely important to a company’s defenses and thus demands a strong solution. That’s why having confidence you are making a reliable choice for endpoint protection, now and over the long term, is imperative. In a market that is changing, amid a vendor landscape that is noisy and confusing, that can be difficult. That’s why third-party evaluations like the Gartner Magic Quadrant are important, along with independent testing and POCs.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, “Magic Quadrant for Endpoint Protection Platforms,” Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, 20 August 2019.
Gartner, “Magic Quadrant for Endpoint Protection Platforms,” by Peter Firstbrook, Lawrence Pingree, Dionisio Zumerle, Prateek Bhajanka, Paul Webber, August 2019.
Under the names “Magic Quadrant for Endpoint Protection Platforms” and, previously, “Magic Quadrant for Enterprise Antivirus” (Enterprise Antivirus 2Q02 MQ: Room for Improvement; Magic Quadrant for Enterprise Antivirus, 1H03; Magic Quadrant for Enterprise Antivirus, 2006; “Magic Quadrant for Endpoint Protection Platforms” from 2007 onwards).
Our mission as a company is to empower every person on the planet to achieve more. We deliver on that mission through products that achieve the highest marks in the industry, which we believe is inclusive of Gartner’s Magic Quadrant. We have been on a journey for the last several years working hard to offer our customers leading endpoint protection so they can defend against increasingly sophisticated attacks across a variety of devices, which is why we are so proud to have placed in the Leaders quadrant for this year’s 2019 Gartner EPP Magic Quadrant and positioned highest in execution!
According to Gartner, “Leaders demonstrate balanced and consistent progress and effort in all execution and vision categories. They have broad capabilities in advanced malware protection, and proven management capabilities for large enterprise accounts.” Our latest product offerings prove that we’ve risen to the challenge that today’s threat landscape presents. This achievement represents our ability to provide best-in-class protection and deliver on innovations that learn and evolve just as attackers change their tactics.
According to Gartner, “An endpoint protection platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware, malicious scripts and memory-based threats. It is also deployed to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts”.
Over the last few years we have continuously evolved our endpoint security platform, Microsoft Defender Advanced Threat Protection (ATP), by further enhancing existing features and by adding new and innovative capabilities, including:
Multi-layered protection: Microsoft Defender ATP provides multi-layered protection (built into the endpoint and cloud-powered) from file-based malware, malicious scripts, memory-based attacks, and other advanced threats
Threat Analytics: Contextual threat reports provide SecOps with near real-time visibility on how threats impact their organizations
A new approach to Threat and Vulnerability Management: Real-time discovery, prioritization based on business context and the dynamic threat landscape, and a built-in remediation process speed up mitigation of vulnerabilities and misconfigurations
Built-in, cloud-powered protections: Real-time threat detection and protection with built-in advanced capabilities protect against broad-scale and targeted attacks like phishing and malware campaigns
Behavioral detections: Endpoint detection and response (EDR) sensor built into Windows 10 for deeper insights of kernel and memory, and leveraging broad reputation data for files, IPs, URLs, etc., derived from the rich portfolio of Microsoft security services
“Deployment” is as easy as it gets by being built directly into the operating system. There is no agent to deploy, no delays or compatibility issues, and no additional performance overhead or conflicts with other products. No deployment and no on-premises infrastructure directly leads to lower TCO.
Contain the threat: Dramatically reduces the risk by strengthening your defenses when potential threats are detected. Microsoft Defender ATP can automatically apply Conditional Access to restrict the endpoint from accessing corporate data until the threat has been remediated.
Automated security: From alerts to remediation in minutes – at scale. Microsoft Defender ATP leverages AI to automatically investigate alerts, determine if a threat is active, what course of action to take, and then remediate complex threats in minutes.
Secure Score: Watch your security score rise in the Microsoft Defender Security Center as you implement automated and recommended actions to protect both users and data. Microsoft Defender ATP not only tells you that you have a problem, but Microsoft Defender ATP also recommends how to solve it (and track the execution) with Secure Score. Vulnerability and configuration information provide weighted recommendations and actions to improve endpoint hardening and compare the current posture with the industry and global peers for benchmarking.
Microsoft Threat Experts: Microsoft has your back — with Microsoft’s managed detection and response (MDR) service (called Microsoft Threat Experts), Microsoft supports customers’ incident response and alert analysis. Our automated threat hunting service helps ensure that potential threats don’t go unnoticed.
Download this complimentary full report and read the analysis behind Microsoft’s positioning as a “Leader”. As we continue on this journey and add even more capabilities to protect, detect and respond to this evolving threat landscape, we welcome our customers’ feedback and partnership so we can continue to deliver best-in-class protection.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how most respondents to a Trend Micro survey shared their concern for the risks in implementing DevOps. Also, read on about how Trend Micro uncovered a MyKings variant that had been hiding for roughly two years before it was discovered.
There are many different threats targeting many different areas of a corporate network. I built an interactive graphic to help others understand the full ecosystem of how security works across your network, how to detect threats and ultimately what solutions can be utilized in the different areas of networks to protect themselves and their systems and data.
Greg Young, vice president of cybersecurity at Trend Micro, discusses how many enterprises don’t effectively manage their endpoints and how Trend Micro’s XDR solution is a more effective solution for endpoint management and dealing with evasive threats.
Google just made good on one of the promises it made at I/O 2019 — it’s removing the option to disable camera status LEDs. Nest customers have responded with almost universal anger to the change. They’ll be able to dim the lights on Nest Cam, Dropcam, and Hello devices, but you won’t be allowed to turn them off while they’re recording.
Rik Ferguson, vice president of security research at Trend Micro, discusses how the typical security operations center (SOC) of today is drowning in a volume of alerts. In the financial world, 60 percent of banks routinely deal with more than 100,000 alerts every day, with 17 percent of them reporting more than 300,000 security alerts, and this pattern is repeated across industry verticals.
Bill Malik, vice president of infrastructure strategies at Trend Micro, discusses how a recent series of IT acquisitions and IPOs highlight a simple economic fact: companies that fail to keep up with the fast-paced innovation of technology can easily become targets for acquisition.
Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. A massive, exposed database on one of the company’s many subdomains was found containing 161 million records at the time of writing and growing in real time.
The growing demand for faster and more efficient software development brings DevOps to the fore, but not without disrupting the inner workings of production and security teams. In a survey commissioned by Trend Micro, the majority of respondents shared their concern about the risks of implementing DevOps.
Early this month a new global Android malware campaign called Agent Smith was revealed to have compromised 25 million handsets across the globe including many in the U.S., serving as another reminder to users not to take mobile security for granted. Fortunately, users can make giant strides towards keeping the hackers at bay with a few easy steps.
Security researchers at Trend Micro have revealed that the Google Play Store hosted 85 apps ridden with adware. Worse still, these apps have netted more than 8 million downloads. The adware-ridden apps were posing as legitimate services focusing on gaming or photography.
The Office of the Victorian Information Commissioner (OVIC) determined that the Public Transport Victoria (PTV) breached the Information Privacy Principle (IPP) under the Privacy and Data Protection Act 2014. The decision came after the PTV released data in 2018 that exposed more than 15 million myki cards’ “touch on” and “touch off” travel history data, which could be used to identify specific users.
The CEO of the Invictus Group of Companies, Obinwanne Okeke, has reportedly been arrested by the U.S. Federal Bureau of Investigation (FBI) after he was accused of conspiracy to commit computer and wire fraud. The FBI investigation into Okeke was initiated after a victim of a business email compromise (BEC) scam informed the FBI that it had been defrauded of nearly US$11 million.
State officials confirmed this week that computer systems in 22 municipalities have been infiltrated by hackers demanding a ransom. A mayor of one of those cities said the attackers are asking for $2.5 million to unlock the files. The Federal Bureau of Investigation and state cybersecurity experts are examining the ongoing breach, and officials have not disclosed which specific places are affected.
MyKings alone has already infected over 500,000 machines and mined an equivalent of US$2.3 million as of early 2018. The timing of the attack we recently found could indicate that it may have been part of the campaign we previously found in 2017.
Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and its connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector, injecting code into Word and PDF files.
A smart device that turns your lights off when you leave or checks to see if you left any doors or windows unlocked may be convenient, but adding and connecting more smart items to your house can cause new and unexpected problems and let the bad guys in. Greg Young, Trend Micro’s vice president of cybersecurity, discusses various ways to protect smart homes from these kinds of cyber attacks.
Are you up to speed on how security works across your network, how to detect threats and what solutions can be utilized in different network areas to protect systems and data? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.
Hy-Vee, based in Des Moines, announced on Aug. 14 it was investigating a data breach involving payment processing systems that handle transactions at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants.
The restaurants affected include Hy-Vee Market Grilles, Market Grille Expresses and Wahlburgers locations that the company owns and operates. Hy-Vee said it was too early to tell when the breach initially began or for how long intruders were inside their payment systems.
But typically, such breaches occur when cybercriminals manage to remotely install malicious software on a retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals. This data can then be used to create counterfeit copies of the cards.
Hy-Vee said it believes the breach does not affect payment card terminals used at its grocery store checkout lanes, pharmacies or convenience stores, as these systems rely on a security technology designed to defeat card-skimming malware.
“These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions,” Hy-Vee said. “This encryption technology protects card data by making it unreadable. Based on our preliminary investigation, we believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved.”
According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name “Solar Energy,” at the infamous Joker’s Stash carding bazaar.
An ad at the Joker’s Stash carding site for “Solar Energy,” a batch of more than 5 million credit and debit cards sources say was stolen from customers of supermarket chain Hy-Vee.
Hy-Vee said the company’s investigation is continuing.
“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” Hy-Vee spokesperson Tina Pothoff said.
The card account records sold by Joker's Stash, known as "dumps," apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece. Buyers typically receive a text file that includes all of their dumps. Those individual dump records, when encoded onto a new magnetic stripe on virtually anything the size of a credit card, can be used to buy merchandise in big box stores on the victim's account.
As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).
It’s really not worth spending time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.
Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.
Nearly two dozen cities in Texas have been hit by a ransomware attack executed by a single threat actor. These attacks beg the question: Is it ever worth it to pay a cyber attacker’s ransom? In this episode of TECH(feed), Juliet discusses the pattern of ransomware attacks on local governments, how municipalities have responded and how to prevent a ransomware attack in the first place.
It takes only minutes from the first action of an attack with five or fewer steps for an asset to be compromised, according to the 2019 Verizon Data Breach Investigations Report (DBIR). However, it takes days—an average of 279 days—to identify and contain a breach (Ponemon Institute). And the longer it takes to discover the source, the more money the incident ends up costing the organization. Luckily, you can reduce your chance of falling victim to these attacks by proactively anticipating your greatest threats and taking measures to mitigate them.
This blog post breaks down two tools to help you determine just that: your most at-risk data, how this data can be accessed, and the attacker’s motives and abilities. Once you have an understanding of these, it will be much easier to implement countermeasures to protect your organization from those attacks.
I recommend first reading through the DBIR sections pertaining to your industry in order to further your understanding of patterns seen in the principal assets being targeted and the attacker’s motives. This will assist in understanding how to use the two tools: Method-Opportunity-Motive, by Shari and Charles Pfleeger and Attack Trees, as discussed by Bruce Schneier.
Methods are the skills, knowledge and tools available to the attacker, similar to the Tactics, Techniques, and Procedures (TTPs) used by the military and by MITRE. Jose Esteves et al. wrote, "Although it used to be common for hackers to work independently, few of today's hackers operate alone. They are often part of an organized hacking group, where they are members providing specialized illegal services…." An attacker's methods improve when they are part of a team that has a motive and looks for opportunities to attack principal assets.
Opportunities are the amount of time and ability required for an attacker to reach their objective. The 2019 DBIR authors note, "Defenders fail to stop short paths substantially more often than long paths." It's critical to apply the correct controls to assets and to monitor those controls in order to detect threats quickly.
The motive is the reason to attack; for instance, is the attacker trying to access financial information or intellectual property? The 2019 DBIR notes that most attacks are for financial gains or intellectual property (IP), varying by industry.
Using Attack Trees to Visually Detail Method-Opportunity-Motive:
Bruce Schneier (Schneier on Security) provides an analytics tool for systematically reviewing why and how an attack might occur. After defining what assets are most valuable to an attacker (motive), you can identify the attacker’s objective, referred to as the root node in an attack tree. From here, you can look at all the possible actions an attacker might use to compromise the primary assets (method). The most probable and timely method shows the most likely path (opportunity).
I like using divergent and convergent thinking described by Chris Grivas and Gerard Puccio to discover plausible motive, opportunity, and methods used by a potential threat actor. Divergent thinking is the generation of ideas, using techniques like brainstorming. Convergent thinking is the limiting of ideas based on certain criteria. Using this process, you and your security team can generate objectives and then decide which objectives pose the greatest threat. You can then use this process again to determine the possible methods, referred to as leaf nodes, that could be used to access the objective. Then, you can apply values, such as time, to visualize possible opportunities and attack paths.
To further your understanding of how to create an attack tree, let’s look at an example:
1. First, decide what primary assets your company has that an intruder is interested in accessing.
The 2019 DBIR provides some useful categories to determine attack patterns within specific industries. For this example, let’s look at a financial institution. One likely asset that a threat actor is attempting to access is the email server, so this is our root node, or objective. Again, using divergent and convergent thinking can help a team develop and clarify possible objectives.
2. After deciding on the objective, the second step in developing an attack tree is to define methods to access the objective.
The 2019 DBIR describes some likely methods threat actors might use, or you can use divergent and convergent thinking. In the example below, I’ve included some possible methods to access the email server.
3. As you analyze the threat, continue working through the tree and building out the methods to develop specific paths to the asset.
The diagram below shows some potential paths to access and harvest information from the email server, using OR nodes, which are alternative paths, and AND nodes, which require combined activities to achieve the objective (this is represented using ). Note that every method that isn’t an AND node is an OR node.
4. The fourth step is to apply binary values to decide what paths the attack is most likely to follow.
For example, I'm going to use likely (l) and unlikely (u), based on the methods my research has shown to be available to the attacking team. Then, use a dotted line to show all likely paths, which are those in which every method on the path is assigned a likely value.
5. The fifth step is to apply numeric values to the sub-nodes to decide on what path, specifically, the threat actor might attempt.
I’m going to use minutes in this scenario; however, other values such as associated costs or probability of success could also be used. These are subjective values and will vary amongst teams. Paths with supporting data would provide a more accurate model, but Attack Trees are still useful even without objective data.
In the above example, I have determined the path with the shortest amount of time to be phishing (credential harvesting), assuming the credentials are the same for the user accounts as they are for admin accounts. Since I have already determined that this path is likely and I now know it takes the shortest amount of time, I can determine that this is the most at-risk and likely path to accessing the email server. In this example, the least likely path is stolen credentials.
6. After examining the possible motives, opportunities, and methods, you can decide how you want to protect your assets.
For example, I determined that phishing is likely with the attack tree above, so I might decide to outsource monitoring, detection, and training to a Managed Security Service Provider (MSSP) that can provide this at a lower cost than an in-house staff. I might also consider purchasing software to detect, report, and prevent phishing emails, limiting the possibility of a phishing attempt. If social engineering is determined to be a concern, you could conduct end-user training, look for ways to secure the physical environment (guards, better door locks), or make the work environment more desirable (cafeteria, exercise room, recreation area, etc.)
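As an added worked example (this is not code from the original post), the six steps above carried out in Python: the email-server objective is the root, OR nodes are alternative methods and AND nodes are methods that must be combined, each leaf carries the binary likely/unlikely value from step 4 and a minute estimate from step 5, and every attack path is enumerated and ranked so the shortest likely path surfaces first. The leaf names, likelihood flags and minute values are constructed for illustration and are not taken from the post's diagrams.

```python
"""Attack tree with OR/AND nodes, likely/unlikely flags and minute estimates.

Constructed example: the tree below is an illustration of the procedure in the
text, not a model of any real institution.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import List


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" (any child suffices) or "AND" (all required)
    likely: bool = True           # step 4: binary likely/unlikely value (leaves only)
    minutes: int = 0              # step 5: estimated attacker time in minutes (leaves only)
    children: List["Node"] = field(default_factory=list)


@dataclass
class Path:
    leaves: List[str]             # the leaf methods that together reach the root
    likely: bool                  # a path is likely only if every leaf on it is likely
    minutes: int                  # total time across the path's leaves


def enumerate_paths(node: Node) -> List[Path]:
    """Every distinct way to reach `node`, expressed as a set of leaf methods."""
    if node.kind == "LEAF":
        return [Path([node.name], node.likely, node.minutes)]
    child_paths = [enumerate_paths(c) for c in node.children]
    if node.kind == "OR":
        return [p for paths in child_paths for p in paths]
    if node.kind == "AND":
        combined = []
        for combo in product(*child_paths):       # one path from each child, combined
            combined.append(Path(
                leaves=[leaf for p in combo for leaf in p.leaves],
                likely=all(p.likely for p in combo),
                minutes=sum(p.minutes for p in combo)))
        return combined
    raise ValueError(f"unknown node kind {node.kind!r}")


def rank_paths(root: Node) -> List[Path]:
    """Likely paths first, then shortest time: the 'opportunity' ordering from the text."""
    return sorted(enumerate_paths(root), key=lambda p: (not p.likely, p.minutes))


def build_email_server_tree() -> Node:
    # Root node = the objective. The AND branch models the text's assumption that
    # phished user credentials also work for the admin accounts.
    return Node("Harvest data from email server", "OR", children=[
        Node("Phish user, reuse shared admin password", "AND", children=[
            Node("Phishing (credential harvesting)", likely=True, minutes=30),
            Node("Log in with harvested credentials", likely=True, minutes=5),
        ]),
        Node("Exploit unpatched mail server", "AND", children=[
            Node("Scan for vulnerable version", likely=True, minutes=20),
            Node("Run public exploit", likely=True, minutes=90),
        ]),
        Node("Social engineer helpdesk password reset", likely=True, minutes=60),
        Node("Stolen credentials (purchased dump)", likely=False, minutes=15),
    ])


if __name__ == "__main__":
    for p in rank_paths(build_email_server_tree()):
        flag = "likely" if p.likely else "unlikely"
        print(f"{p.minutes:4d} min  {flag:8s}  " + " + ".join(p.leaves))
```

With these constructed values the ranking reproduces the conclusion in the text: the phishing branch (35 minutes, every leaf likely) ranks first and stolen credentials ranks last, because an unlikely path sorts after every likely one regardless of how quick it would be. Swapping the minutes for cost or probability-of-success estimates only changes the sort key.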
The models discussed work together to provide ways to determine, analyze, and proactively protect against the greatest threats to your valuable assets. Ultimately, thinking through scenarios using these tools will provide a more thoughtful and cost-effective approach to security.
Now well into its second decade of commercial availability, cloud computing has become near-ubiquitous, with roughly 95 percent of businesses reporting that they have a cloud strategy. While cloud providers are more secure than ever before, there are still risks to using any cloud service. Fortunately, they can be largely mitigated by following these cloud security best practices:
Protect Your Cloud Data
Determine which data is the most sensitive. While applying the highest level of protection across the board would naturally be overkill, failing to protect the data that is sensitive puts your enterprise at risk of intellectual property loss or regulatory penalties. Therefore, the first priority should be to gain an understanding of what to protect through data discovery and classification, which is typically performed by a data classification engine. Aim for a comprehensive solution that locates and protects sensitive content on your network, endpoints, databases and in the cloud, while giving you the appropriate level of flexibility for your organization.
How is this data being accessed and stored? While it's true that sensitive data can be stored safely in the cloud, it certainly isn't a foregone conclusion. According to the McAfee 2019 Cloud Adoption and Risk Report, 21 percent of all files in the cloud contain sensitive data, a sharp increase from the year before.1 While much of this data lives in well-established enterprise cloud services such as Box, Salesforce and Office365, it's important to realize that none of these services guarantees 100 percent safety. That's why it's important to examine the permissions and access context associated with data in your cloud environment and adjust appropriately. In some cases, you may need to remove or quarantine sensitive data already stored in the cloud.
Who should be able to share it, and how? Sharing of sensitive data in the cloud has increased by more than 50% year over year.1 Regardless of how powerful your threat mitigation strategy is, the risks are far too high to take a reactive approach: access control policies should be established and enforced before data ever enters the cloud. Just as the number of employees who need the ability to edit a document is much smaller than the number who may need to view it, it is very likely that not everyone who needs to be able to access certain data needs the ability to share it. Defining groups and setting up privileges so that sharing is only enabled for those who require it can drastically limit the amount of data being shared externally.
Don’t rely on cloud service encryption. Comprehensive encryption at the file level should be the basis of all your cloud security efforts. While the encryption offered within cloud services can safeguard your data from outside parties, it necessarily gives the cloud service provider access to your encryption keys. To fully control access, you’ll want to deploy stringent encryption solutions, using your own keys, before uploading data to the cloud.
Minimize Internal Cloud Security Threats
Bring employee cloud usage out of the shadows. Just because you have a corporate cloud security strategy in place doesn’t mean that your employees aren’t utilizing the cloud on their own terms. From cloud storage accounts like Dropbox to online file conversion services, most people don’t consult with IT before accessing the cloud. To measure the potential risk of employee cloud use, you should first check your web proxy, firewall and SIEM logs to get a complete picture of which cloud services are being utilized, and then conduct an assessment of their value to the employee/organization versus their risk when deployed wholly or partially in the cloud. Also, keep in mind that shadow usage doesn’t just refer to known endpoints accessing unknown or unauthorized services—you’ll also need a strategy to stop data from moving from trusted cloud services to unmanaged devices you’re unaware of. Because cloud services can provide access from any device connected to the internet, unmanaged endpoints such as personal mobile devices create a hole in your security strategy. You can restrict downloads to unauthorized devices by making device security verification a prerequisite to downloading files.
Create a “safe” list. While most of your employees are utilizing cloud services for above-the-board purposes, some of them will inadvertently find and use dubious cloud services. Of the 1,935 cloud services in use at the average organization, 173 of them rank as high-risk services.1 By knowing which services are being used at your company, you’ll be able to set policies 1.) Outlining what sorts of data are allowed in the cloud, 2.) Establishing a “safe” list of cloud applications that employees can utilize, and 3.) Explaining the cloud security best practices, precautions and tools required for secure utilization of these applications.
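The two recommendations above (mine the proxy logs for cloud services in use, then compare the result against a "safe" list) come together in the following added example, which is not code from the original article. It parses a handful of constructed proxy log lines in an assumed "timestamp client user METHOD url status bytes" layout, groups them by registered domain, and reports the unsanctioned services ordered by how much data was uploaded to them. The log format, hostnames, usernames and safe list are all assumptions for the illustration.

```python
"""Inventory cloud services from proxy logs and flag those outside the safe list.

Constructed example: the log layout and every hostname/user below are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed proxy log layout: "<timestamp> <client_ip> <user> <METHOD> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
HOST_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:]+)")

# Services IT has reviewed and approved; everything else counts as shadow usage.
SAFE_LIST = {"box.com", "salesforce.com", "office365.com", "sharepoint.com"}

# Constructed sample log. CONNECT lines are TLS tunnels, so only the host is visible.
SAMPLE_LOG = """\
2019-08-22T09:01:10Z 10.1.4.20 alice CONNECT app.box.com:443 200 18311
2019-08-22T09:02:44Z 10.1.4.21 bob POST https://api.dropboxapi.com/2/files/upload 200 5242880
2019-08-22T09:03:01Z 10.1.4.21 bob GET https://www.dropbox.com/home 200 4410
2019-08-22T09:05:13Z 10.1.4.33 carol CONNECT login.salesforce.com:443 200 9120
2019-08-22T09:06:59Z 10.1.4.40 dave POST https://online-pdf-converter.example/upload 200 1048576
2019-08-22T09:07:30Z 10.1.4.20 alice CONNECT teams.office365.com:443 200 77110
garbage line that does not match the expected layout
"""


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. Good enough for this inventory;
    a production tool should use the Public Suffix List so names like co.uk work."""
    labels = host.split(":")[0].lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed lines are skipped, not fatal
        rec = m.groupdict()
        h = HOST_RE.match(rec["url"])
        rec["domain"] = registered_domain(h.group("host")) if h else ""
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def inventory(records: List[dict]) -> Dict[str, dict]:
    """Per-service view: which users touched it and how much data went out (POST/PUT)."""
    out = defaultdict(lambda: {"users": set(), "upload_bytes": 0, "safe": False})
    for r in records:
        if not r["domain"]:
            continue
        svc = out[r["domain"]]
        svc["users"].add(r["user"])
        if r["method"] in ("POST", "PUT"):
            svc["upload_bytes"] += r["bytes"]
        svc["safe"] = r["domain"] in SAFE_LIST
    return dict(out)


def shadow_services(inv: Dict[str, dict]) -> List[Tuple[str, int]]:
    """Unsanctioned services, largest outbound volume first."""
    return sorted(((d, s["upload_bytes"]) for d, s in inv.items() if not s["safe"]),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    inv = inventory(parse_log(SAMPLE_LOG))
    for domain, up in shadow_services(inv):
        print(f"{domain:32s} users={sorted(inv[domain]['users'])} uploaded={up} bytes")
```

Upload volume is the useful sort key here: a service nobody has pushed data to is a policy question, while one that has received megabytes of POST bodies is where a data-loss review should start. Note that the API and web hostnames of one vendor can fall under different registered domains (dropboxapi.com versus dropbox.com in the sample), so the safe list should be maintained per vendor rather than per single domain.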
Endpoints play a role, too. Most users access the cloud through web browsers, so deploying strong client security tools and ensuring that browsers are up-to-date and protected from browser exploits is a crucial component of cloud security. To fully protect your end-user devices, utilize advanced endpoint security such as firewall solutions, particularly if using IaaS or PaaS models.
Look to the future. New cloud applications come online frequently, and the risk of cloud services evolves rapidly, making manual cloud security policies difficult to create and keep up to date. While you can’t predict every cloud service that will be accessed, you can automatically update web access policies with information about the risk profile of a cloud service in order to block access or present a warning message. Accomplish this through integration of closed-loop remediation (which enforces policies based on a service-wide risk rating or distinct cloud service attributes) with your secure web gateway or firewall. The system will automatically update and enforce policies without disrupting the existing environment.
Guard against careless and malicious users. With organizations experiencing an average of 14.8 insider threat incidents per month—and 94.3 percent experiencing an average of at least one a month—it isn’t a matter of if you will encounter this sort of threat; it’s a matter of when. Threats of this nature include both unintentional exposure—such as accidentally disseminating a document containing sensitive data—as well as true malicious behavior, such as a salesperson downloading their full contact list before leaving to join a competitor. Careless employees and third-party attackers can both exhibit behavior suggesting malicious use of cloud data. Solutions leveraging both machine learning and behavioral analytics can monitor for anomalies and mitigate both internal and external data loss.
Trust. But verify. Additional verification should be required for anyone using a new device to access sensitive data in the cloud. One suggestion is to automatically require two-factor authentication for any high-risk cloud access scenarios. Specialized cloud security solutions can introduce the requirement for users to authenticate with an additional identity factor in real time, leveraging existing identity providers and identity factors (such as a hard token, a mobile phone soft token, or text message) already familiar to end users.
Develop Strong Partnerships with Reputable Cloud Providers
Regulatory compliance is still key. Regardless of how many essential business functions are shifted to the cloud, an enterprise can never outsource responsibility for compliance. Whether you’re required to comply with the California Consumer Privacy Act, PCI DSS, GDPR, HIPAA or other regulatory policies, you’ll want to choose a cloud architecture platform that will allow you to meet any regulatory standards that apply to your industry. From there, you’ll need to understand which aspects of compliance your provider will take care of, and which will remain under your purview. While many cloud service providers are certified for myriad industry and governmental regulations, it’s still your responsibility to build compliant applications and services on the cloud, and to maintain that compliance going forward. It’s important to note that previous contractual obligations or legal barriers may prohibit the use of cloud services on the grounds that doing so constitutes relinquishing control of that data.
But brand compliance is important, too. Moving to the cloud doesn’t have to mean sacrificing your branding strategy. Develop a comprehensive plan to manage identities and authorizations with cloud services. Software services that comply with SAML, OpenID or other federation standards make it possible for you to extend your corporate identity management tools into the cloud.
Look for trustworthy providers. Cloud service providers committed to accountability, transparency and meeting established standards will generally display certifications such as SAS 70 Type II or ISO 27001. Cloud service providers should make readily accessible documentation and reports, such as audit results and certifications, complete with details relevant to the assessment process. Audits should be independently conducted and based on existing standards. It is the responsibility of the cloud provider to continuously maintain certifications and to notify clients of any changes in status, but it’s the customer’s responsibility to understand the scope of standards used—some widely used standards do not assess security controls, and some auditing firms and auditors are more reliable than others.
How are they protecting you? No cloud service provider offers 100 percent security. Over the past several years, many high profile CSPs have been targeted by hackers, including AWS, Azure, Google Drive, Apple iCloud, Dropbox, and others. It’s important to examine the provider’s data protection strategies and multitenant architecture, if relevant—if the provider’s own hardware or operating system are compromised, everything hosted within them is automatically at risk. For that reason, it’s important to use security tools and examine prior audits to find potential security gaps (and if the provider uses their own third-party providers, cloud security best practices suggest you examine their certifications and audits as well.) From there, you’ll be able to determine what security issues must be addressed on your end. For example, fewer than 1 in 10 providers encrypt data stored at rest, and even fewer support the ability for a customer to encrypt data using their own encryption keys.1 Finding providers that both offer comprehensive protection as well as the ability for users to bridge any gaps is crucial to maintaining a strong cloud security posture.
Investigate cloud provider contracts and SLAs carefully. The cloud services contract is your only guarantee of service, and your primary recourse should something go wrong, so it is essential to fully review and understand all terms and conditions of your agreement, including any annexes, schedules and appendices. For example, a contract can make the difference between a company that takes responsibility for your data and a company that takes ownership of your data. (Only 37.3% of providers specify that customer data is owned by the customer. The rest either don't legally specify who owns the data, creating a legal grey area, or, more egregiously, claim ownership of all uploaded data.1) Does the service offer visibility into security events and responses? Is it willing to provide monitoring tools or hooks into your corporate monitoring tools? Does it provide monthly reports on security events and responses? And what happens to your data if you terminate the service? (Keep in mind that only 13.3 percent of cloud providers delete user data immediately upon account termination. The rest keep data for up to a year, with some specifying they have a right to keep it indefinitely.) If you find parts of the contract objectionable, you can try to negotiate, but in the case where you're told that certain terms are non-negotiable, it is up to you to determine whether the risk presented by accepting the terms as-is is acceptable to your business. If not, you'll need to find alternate means of managing the risk, such as encryption or monitoring, or find another provider.
What happens if something goes wrong? Since no two cloud service providers offer the same set of security controls, and again, no cloud provider delivers 100 percent security, developing an Incident Response (IR) plan is critical. Make sure the provider includes you and considers you a partner in creating such plans. Establish communication paths, roles and responsibilities with regard to an incident, and run through the response and hand-offs ahead of time. SLAs should spell out the details of the data the cloud provider will provide in the case of an incident, how data will be handled during incidents to maintain availability, and guarantee the support necessary to effectively execute the enterprise IR plan at each stage. While continuous monitoring will offer the best chance at early detection, full-scale testing should be performed on at least an annual basis, with additional testing coinciding with major changes to the architecture.
Protect your IaaS environments. When using IaaS environments such as AWS or Azure, you retain responsibility for the security of operating systems, applications, and network traffic. Advanced anti-malware technology should be applied to the OS and virtual network to protect your infrastructure. Deploy application whitelisting and memory exploit prevention for single-purpose workloads and machine learning-based protection for file stores and general-purpose workloads.
Neutralize and remove malware from the cloud. Malware can infect cloud workloads through shared folders that sync automatically with cloud storage services, spreading from an infected user device to another user's device. Use a cloud security solution to scan the files you've stored in the cloud for malware, ransomware or data theft tooling. If malware is detected on a workload host or in a cloud application, it can be quarantined or removed, safeguarding sensitive data from compromise and preventing corruption of data by ransomware.
Audit your IaaS configurations regularly. The many critical settings in IaaS environments such as AWS or Azure can create exploitable weaknesses if misconfigured. Organizations have, on average, at least 14 misconfigured IaaS instances running at any given time, resulting in an average of nearly 2,300 misconfiguration incidents per month. Worse, greater than 1 in 20 AWS S3 buckets in use are misconfigured to be publicly readable.1 To avoid such potential for data loss, you’ll need to audit your configurations for identity and access management, network configuration, and encryption. McAfee offers a free Cloud Audit to help get you started.
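The S3 misconfiguration the paragraph above singles out (a bucket readable by anyone) is detectable from three pieces of configuration: the bucket ACL, the bucket policy, and the bucket's public access block settings. The added example below, which is not code from the article and is not McAfee's Cloud Audit, applies those checks to constructed bucket configurations shaped like what the AWS API returns, without calling AWS. Bucket names, the account ID 123456789012 and the policies are all made up for the illustration; the group URIs and public access block keys are the real AWS values.

```python
"""Flag publicly readable S3 buckets from ACL grants, bucket policy and public access block.

Constructed example: bucket names, account ID and policies are illustrative only.
"""
import json
from typing import Dict, List, Optional, Tuple

# Predefined S3 groups that make an ACL grant public (everyone / any AWS account).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Policy actions that hand out read access (compared lower-cased).
READ_ACTIONS = {"s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}


def _as_list(x):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]


def acl_findings(acl: dict) -> List[str]:
    """Grants to AllUsers / AuthenticatedUsers in a get_bucket_acl-shaped document."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append(f"ACL grants {g['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return out


def policy_findings(policy_json: Optional[str]) -> Tuple[List[str], List[str]]:
    """Return (unconditional public read statements, wildcard statements narrowed by a Condition)."""
    public, review = [], []
    if not policy_json:
        return public, review
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not wildcard or not (actions & READ_ACTIONS):
            continue
        sid = st.get("Sid", "<no Sid>")
        if st.get("Condition"):
            # e.g. aws:SourceVpce or a Referer check: not open to the world, but worth a look
            review.append(f"policy {sid}: wildcard principal narrowed by Condition")
        else:
            public.append(f"policy {sid}: unconditional public {sorted(actions)}")
    return public, review


def audit_bucket(name: str, acl: dict, policy_json: Optional[str],
                 public_access_block: Optional[dict]) -> Dict:
    """Public access block settings neutralise findings: IgnorePublicAcls makes S3 ignore
    public ACL grants and RestrictPublicBuckets limits a public policy to the account."""
    pab = public_access_block or {}
    exposed, mitigated = [], []
    public_policy, review = policy_findings(policy_json)
    (mitigated if pab.get("IgnorePublicAcls") else exposed).extend(acl_findings(acl))
    (mitigated if pab.get("RestrictPublicBuckets") else exposed).extend(public_policy)
    return {"bucket": name, "public": bool(exposed), "exposed": exposed,
            "mitigated": mitigated, "review": review}


# --- constructed sample configurations -------------------------------------------
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-exports/*"}]})
ACCOUNT_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::internal-docs", "arn:aws:s3:::internal-docs/*"]}]})
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

SAMPLE_BUCKETS = [
    ("marketing-assets", PUBLIC_ACL, None, None),                   # public via ACL
    ("finance-exports", PRIVATE_ACL, PUBLIC_READ_POLICY, None),      # public via policy
    ("logs-archive", PRIVATE_ACL, PUBLIC_READ_POLICY, LOCKED_DOWN),  # bad policy, but blocked
    ("internal-docs", PRIVATE_ACL, ACCOUNT_ONLY_POLICY, LOCKED_DOWN),
]


def audit_all(buckets=SAMPLE_BUCKETS) -> List[Dict]:
    return [audit_bucket(*b) for b in buckets]


if __name__ == "__main__":
    for r in audit_all():
        print(f"{r['bucket']:18s} public={r['public']!s:5s} {r['exposed'] or r['mitigated'] or 'clean'}")
```

To run this against a live account, feed audit_bucket from the S3 API calls the document shapes mirror (get_bucket_acl, get_bucket_policy, which raises NoSuchBucketPolicy when a bucket has none, and get_public_access_block), and also check the account-level public access block, which overrides the per-bucket settings. A "mitigated" result is still worth fixing: the public grant is only one settings change away from being live.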
There is a deepening awareness that cyberthreats can never be eliminated completely, and digital resilience is an absolute necessity – and this is true for both private and public sector organizations and agencies. With this understanding, the UK Government created its G-Cloud Framework, which has transformed the way that public sector organizations can purchase information and communications technology in order to better build secure digital foundations. The program allows public bodies to buy commodity-based, pay-as-you-go cloud services through government-approved, short-term contracts via the Digital Marketplace. This procurement process supports the UK Government's Cloud First policy, as well as its desire to achieve a “Cloud Native” digital architecture.
Strengthening the security posture of your applications is critical in strengthening the security posture of your organization, and the Veracode Platform was created as a cloud-based application security solution because of the multitude of advantages it offers our customers. Not only are you able to avoid the expenses associated with purchasing hardware, procuring software, managing deployment and maintaining systems, you are also able to implement immediately – which means seeing results and value on day one. We’ve now made it even simpler for organizations within the UK to secure their application security portfolio: The Veracode Platform and services are now available for purchase on the Gov.co.uk Digital Marketplace.
Revolution not Evolution: How the UK Government Created a Cloud First Initiative
In 2010, the UK Government began a revolution that has influenced the way in which nations around the world are conducting business and structuring cybersecurity programs within their own government bodies and organizations. The creation of the Government Digital Service (GDS), a consumer-facing portal and link for businesses that simplifies interacting with the government, led the way to the adoption of a Cloud First policy for all government technology purchases.
The GDS team was created to more fundamentally rethink how government works in the modern era, with the aim to establish a digital center for the UK government that would bring the talent in-house, rather than relying on vendor expertise to make changes to government web applications and properties. The ultimate goal was to fix and enhance the way that people interact with the government, embed skills and capability across the government so that it could work in a new way, and open up data and APIs so other people could build on government-developed services.
The re-architecting of the government website began with a whiteboard and a heavy focus on user needs. The small team worked together to build a hub that would evoke a response, understanding that leading with imagery was really powerful, and iterated, changed, and improved as they homed in on the users’ needs. At that time, no other government technology had run in an agile fashion.
The GDS team then took it one step further by making all of its GitHub repositories open: it considered the code to be the people’s code, wanted the people to help make it better, and knew recruitment would be simpler if potential candidates could easily see what was under the hood. This also allowed different agencies within the government to work together more openly, which helped reduce the risks associated with the open source code everyone was using.
The Cloud First Policy
This new approach to development also called for new processes and policies for acquiring software and working with technology vendors. In 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions. By operating in a Cloud Native framework, the government can adapt how it organizes its work to take advantage of what’s available in the market and of emerging technologies. The policy made it mandatory to consider cloud solutions before alternatives, and to demonstrate why a non-cloud technology would provide better value for money when opting for an on-premise solution.
Further, the policy states that the government must also consider public cloud first – to consider SaaS models, particularly for enterprise IT and back office functions – and Infrastructure as a Service and Platform as a Service. The GDS team understands that without adapting and adopting technologies and focusing on core outcomes and principles, it won’t be able to meet the expectations of its users, and it won’t be prepared for the changes likely to arise as they manage growing volumes of data, and a proliferation of devices and sensors.
To truly become cloud native, the GDS transformed how it monitors and manages distributed systems to include diverse applications. It continues to deepen the conversations with vendors about the standards that will help them manage these types of technology shifts. Most of all, it continues to ensure it always chooses cloud providers that fit the needs at hand, rather than basing choices on recommendations.
To learn more about Veracode’s offerings on the Digital Marketplace G-Cloud UK, including our application security platform and services, click here.
The nature of enterprise security is such that it continuously keeps evolving. Trends change, threats vary and morph into different entities, and approaches that seem relevant get outdated in six months or sometimes even less. For enterprises looking to stay ahead of the curve when it comes to cybersecurity, staying stagnant is not an option. The need of the hour is to keep abreast of the latest trends and technologies to stay safe.
Thanks to the speed of transformation, enterprise security has seen multifold changes in the last two years, some due to need and some due to necessity. These changes can be summed up through the following pointers:
A move towards a zero-trust network
More and more organizations are moving towards a zero-trust model where no one and nothing is trusted. Introduced by the American market research giant Forrester Research, the zero-trust network model eliminates the concept of a perimeter and calls for enterprises to inspect all network traffic without any classification of ‘internal’ and ‘external.’ Basically, no user or traffic is considered ‘authorized’ and all access to a specific network is governed by the same set of rules.
The evolution from 4G to 5G
In 2017, enterprise security needed to understand 4G – now, network technology has evolved to such an extent that the world is embracing 5G. It is a trend which enterprises must also embrace but at the same time, be aware of the security tradeoffs. As with the advent of any new technology, cybercriminals will also join the bandwagon to ensure they create chaos and profit. 5G will likely have different types of phones, different networks and a completely different kind of technology which will open up new vulnerabilities – early adopters should be extremely careful.
The rise of cryptojacking
An important trend which has caught the industry’s attention is the dangerous threat of cryptojacking. This is a threat which will only become more widespread as the usage of cryptocurrency increases. It works by attackers sending targeted emails containing malicious code to unsuspecting users, or by embedding this code into sketchy websites. The attack succeeds if the malicious code is run by an unsuspecting user: it then works in the background, silently mining cryptocurrency. This takes up a lot of computer resources and can often lead to slow system performance.
While phishing is a tactic that continues to be used, it has an upgraded, even more dangerous avatar, popularly known as spear phishing. In spear phishing, users get meticulously personalized emails that appear to come from a trusted source, or from a company they’re familiar with and interact with quite often. This could be as convincing as an email from a friend, colleague or your boss asking you for access to classified information. Attackers are now closely examining their targets and gathering as much information about them as possible to ensure their email is as believable as it can be. This is done by employing Advanced Persistent Threats (APTs) against entire systems, gathering huge amounts of data about enterprise and customer habits, and then using this data to launch a spear-phishing campaign.
Certainly, enterprise security has seen a lot of changes in the last two years which is a natural state of affairs in this sector. It is important for enterprises to invest in solutions which continue to evolve and stay attuned to the latest cybersecurity trends to ensure they are not lagging behind. Seqrite’s range of enterprise security solutions is continuously updated to enable enterprises to remain safe from the ever-evolving threats in today’s digital age.
Brave is a free and open-source web browser based on the Chromium web browser. Brave supports Windows, macOS, Linux, Android, and iOS. Brave allows users to support the sites they visit with BAT. Users may earn BAT by watching ads or by funding their BAT wallet.
In its 2019 CEO Imperative Study, Ernst & Young surveyed 200 global CEOs from the Forbes Global 2000 and Forbes Largest Private Companies across the Americas, Europe, the Middle East, Africa, and the Asia-Pacific region. Also interviewed were 100 senior investors from global firms that manage at least $100 billion in assets.
However, regardless of their location, CEOs, board directors and institutional investors cited national and corporate gaps in cybersecurity as the biggest threats to business growth and the global economy. Income inequality and job losses stemming from technological change came second and third in the list of threats, while ethics in artificial intelligence and climate change respectively rounded out the top five.
Are you facing customers telling you that their data must be stored in a particular location?
Be reassured: as a processor of data, we often encounter discussions about where data is resident, and we often meet people who are certain that their data must be stored in a given country. But the truth is, most people don’t have the right answer to this legal question.
To understand the obligations and requirements surrounding data storage, you first need to understand the difference in concepts between “data residency” and “data localization.”
What Are Data Residency and Data Localization?
Data residency is when an organization specifies that their data must be stored in a geographical location of their choice, usually for regulatory, tax or policy reasons. By contrast, data localization is when a law requires that data created within a certain territory stays within that territory.
People arguing that data must be stored in a certain location are usually pursuing at least one of the following three objectives:
To allow data protection authorities to exert more control over data retention and thereby have greater control over compliance.
In the EU, it is seen as a means to encourage data controllers to store and process data within the EU or within those countries deemed to have the same level of data protection as the EU, as opposed to moving data to those territories considered to have less than “adequate” data protection regimes. The EU has issued only 13 adequacy decisions: for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, US (Privacy Shield only) and Uruguay.
Finally, it is seen by some as a tool to strengthen the market position of local data center providers by forcing data to be stored in-country.
However, it is important to note that accessing personal data is considered a “transfer” under data protection law—so even if data is stored in Germany (for example), if a company has engineers in India access the data for customer service or support purposes, it has now “moved” out of Germany. Therefore, you can’t claim “residency” in Germany if there is access by a support function outside the country. Additionally, payment processing functions also sometimes occur in other countries, so make sure to consider them as well. This is an important point that is often missed or misunderstood.
Having understood the concept of data residency and data localization, the next question is, are there data residency or localization requirements under GDPR?
In short: No. GDPR does not introduce and does not include any data residency or localization obligations. There were also no data residency or localization obligations under the GDPR’s predecessor, the Data Protection Directive (95/46/EC). In fact, both the Directive and the GDPR establish methods for transferring data outside the EU.
Having said that, it is important to note that local law may impose certain requirements on the location of the data storage (e.g., Russia’s data localization law, German localization law for health and telecom data, etc.).
So, if there is no data residency or localization requirement under GDPR, can we transfer the data to other locations?
The GDPR substantially repeats the requirements of the Data Protection Directive, which states that you need to have legal transfer means if you move data outside of the EU into a jurisdiction with inappropriate safeguards (see map here). The legal transfer means are:
Adequacy—a decision by the EU Commission that a country has an adequate level of protection;
Binding Corporate Rules—binding internal rules of a company, to be approved by data protection authorities;
Standard Contractual Clauses / Model Clauses—individually negotiated contracts between controller and processor;
Privacy Shield—for US companies only; this is the self-certification program that replaced Safe Harbor.
I have heard that Privacy Shield and the Standard Contractual Clauses are under serious scrutiny. What is this all about?
Following the European Court of Justice decision that the EU-US Safe Harbor arrangement does not provide adequate protection for the personal data of EU data subjects, the EU and US entered into a new arrangement to enable the transfer of data (the Privacy Shield). However, a number of non-governmental organizations and privacy advocates have started legal action to seek decisions that the Privacy Shield and the EU Standard Contractual Clauses do not provide sufficient protection of data subjects’ personal data.
It remains to be seen how the European Court of Justice will decide in these cases. They are expected to rule on these matters by the end of 2019.
I have heard that the Standard Contractual Clauses/Model Clauses might be updated. What is that all about?
In order to protect data being transferred outside of the European Union, the Union issued three Standard Contractual Clause templates (for controller to controller transfers and for controller to processor transfers). These have not been updated since they were first introduced in 2001, 2004 and 2010, respectively. However, the European Union’s consumer commissioner, under whom privacy falls, has indicated that the EU is working on an updated version of the Standard Contractual Clauses. It remains to be seen how the Clauses will be modernized and whether the shortcomings, concerns and gripes of existing Standard Contractual Clauses will be addressed to the satisfaction of all parties.
One thing is for certain, however—the data protection space will only get more attention from here on out, and those of us working in this space will have to become more accustomed to complexities such as those surrounding Data Residency.
This blog is for information purposes only and does not constitute legal advice, contractual commitment or advice on how to meet the requirements of any applicable law or achieve operational privacy and security. It is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of applicable privacy laws, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with privacy laws or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.
The incident occurred when the London-based estate agency transferred personal data from its server to a partner organisation but failed to implement access controls.
This meant that tenants’ and landlords’ bank statements, salary details, passport information, dates of birth and addresses were publicly available online between March 2015 and February 2017, when Life at Parliament View learned of the breach.
During its investigation, the ICO discovered many security practices that contravened the DPA (Data Protection Act) 1998. Had the incident occurred after the GDPR (General Data Protection Regulation) took effect on 25 May 2018, Life at Parliament View would have faced a much higher penalty.
Unfortunately, many organisations are vulnerable to the same mistakes. So how can you be sure that your systems and processes are secure?
The breach at Life at Parliament View can largely be attributed to the company’s failure to turn off ‘Anonymous Authentication’ after completing its file transfer. This caused two major security issues.
First, the information was no longer subject to any kind of access control, meaning anyone who found the database was free to view or copy the information it contained.
That’s bad enough, but it also meant that those who accessed the database did so anonymously. Life at Parliament View had no way of knowing whether the people opening or amending the database were employees doing their job or whether the information had been compromised by an unauthorised person – be it another employee or a criminal hacker.
There were other security mistakes that exacerbated the issue, like a lack of encryption and poor staff awareness training to identify security lapses, but the root cause was the lack of access controls to ensure only authorised employees could access the sensitive information in question.
What are access controls?
Put simply, access controls are measures that restrict who can view data. They consist of two elements:
Authentication: a technique used to verify the identity of a user.
Authorisation: determines whether a user should be given access to data.
To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers to the Cloud, external offices and beyond.
Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they’re processing. They have several options:
Discretionary access control: employees control the programs and files they use, and determine the permissions other users have relating to that information. It is commonly referred to as a ‘need-to-know’ access model.
Mandatory access control: the administrator defines the usage and access policy, which cannot be modified by users.
Role-based access control: provides access based on a user’s role, and applies principles such as ‘least privilege’ and ‘separation of privilege’. This means the user can access only the information that is required for their role.
Attribute-based access control: based on different attribute types: user attributes, attributes associated with the application, and current conditions. This provides dynamic, fine-grained access control but is also the most complex to operate.
Whichever model you adopt, it’s important to keep access to your data to a minimum, as this limits the opportunities for a criminal hacker to access your information.
Access controls and Cyber Essentials
Organisations that want to understand how to implement access controls should look at Cyber Essentials, a UK government assurance scheme based on “10 Steps to Cyber Security” and administered by the NCSC (National Cyber Security Centre).
Cyber Essentials has two objectives:
To set out five basic cyber security controls that can protect organisations from common cyber attacks.
To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.
Of course, the much-touted “Cybersecurity Skills Shortage” isn’t news to anyone, or it shouldn’t be. For seven or more years, journalists, industry analysts and practitioners have been opining about it one way or another. Analyses and opinions vary on how we have reached this impasse, my own being that this is a largely self-inflicted crisis caused by proscriptive hiring practices and unreasonable job requirements, but the outcome remains the same. We have too few people doing too much work, with too many tools and too few meaningful resources.
The typical SOC of today is drowning in a volume of alerts. In the financial world for example 60% of banks routinely deal with 100,000+ alerts every day, with 17% of them reporting 300,000+ security alerts, according to research carried out by Ovum, and this pattern is repeated across industry verticals.
There is no way that the typical Security Operations Center is staffed to the levels required to be able to triage these alerts, meaning that a large proportion of them are simply never actioned (read ignored). Of those that do eventually see a pair of eyes, it hardly seems worth the effort. An EMA report all the way back in 2017 found that analysts were spending around half an hour investigating each incident with much of the time being spent either downgrading alerts marked as critical (46%) or otherwise reprioritizing (52%) and identifying false positives (31%).
This deluge of information, coupled with a focus on small, repetitive and often manual tasks are critical components contributing to fatigue, boredom, and a feeling of powerlessness in the workplace. A recent survey carried out by Trend Micro revealed that IT teams are under significant pressure, with some of the challenges cited including prioritizing emerging threats (47%) and keeping track of a fractured security environment (43%). The survey showed that they are feeling the weight of this responsibility, with many (34%) stating that the burden they are under has led their job satisfaction to decrease over the past 12 months. It’s not just the SOC analysts either. In that same survey one third of IT executives told us that they felt completely isolated in their role.
Workplace pressure at these levels is simply not sustainable: fatigue leads to neglect, neglect to mistakes, and mistakes lead to burnout, further reducing the available talent pool and dissuading others from ever entering the industry. It’s a vicious circle.
This security event flood is exacerbated by the fact that the majority of organizations rely on large numbers of specialized and disconnected tools. Many of the alerts that analysts are dealing with are often different views of the same object, or duplicate notifications from discrete security tools. The Ovum report I mentioned above notes that almost half their respondents (47%) told them that only one in five events is actually related to a unique security event.
In fact, Security Operations Centers are drowning in threat data, all the while thirsting for meaningful threat intelligence.
A recent blog post by my friend and colleague Greg Young laid out his reasoning on “Why XDR is a big deal and is different from SIEM and Platforms.” And a truly mature XDR technology, with feature rich APIs, collecting, correlating, triaging, reporting and perhaps even remediating (to a certain level) must represent the direction of travel for the SOC of the near future.
We are not going to solve the skills shortage within a decade; arguably, we are not going to solve it at all, particularly if we continue to focus on filling the gap with human brains. The problem is not in the potential recruitment pipeline, it is in the actual data pipeline, and that is where technology must play the lead role. What is needed is an AI-driven Tier I SOC platform able to scale with the continually increasing volume of data, automating and accelerating initial analysis, the creation of incident context, and the chasing down of patient zero through automated root cause analysis. Such a system would present the human Escalation Analysts with aggregated data in a logical attack-centric progression, automating the Monitor, Prevent, Detect and Investigate roles and providing the SOC analyst with actionable threat intelligence for real Response and Remediation.
As new mobile malware sweeps the globe, here’s how to keep your device secure.
We’re spending more and more of our lives online and for most of us the door to this digital world is our smartphone. It’s the first thing we look at when we wake up and the last thing we check at night. It’s where we do our banking and shopping, where we hang out with friends, play games to pass the time, post status updates and share photos. It’s where we watch TV, hail cabs and even consult our local doctor.
There’s just one problem: the bad guys know this and they’ve become highly skilled at making money off the back of our reliance on mobile devices. Early this month a new global Android malware campaign called Agent Smith was revealed to have compromised 25 million handsets across the globe including many in the US.
It should be another reminder to users not to take mobile security for granted. Fortunately, with a few easy steps you can make giant strides towards keeping the hackers at bay.
What is Agent Smith?
Remember the malignant agent/virus antagonist to Neo in The Matrix? Well, Agent Smith is the latest in a long line of malware campaigns designed to infect consumers’ mobile devices. It begins life embedded inside legitimate-looking applications like photo apps, gaming titles and/or adult-themed software. These are found more on popular third-party marketplaces such as 9Apps, rather than the official Google Play store, though it showed up there too.
Once a user installs one of these booby-trapped apps, the malware will get to work, exploiting vulnerabilities in the Android operating system. It extracts a list of all the legit apps that the user has installed on their phone and then sets about replacing them with identical-looking but malicious versions.
How does it affect me?
If you’re unlucky enough to have your device infected with Agent Smith, it will then go on to hijack your apps to show unwanted ads – thereby generating the hackers money. Although this doesn’t sound too catastrophic for the victim, there is the potential for the attack to get much worse. Researchers have claimed that the same malware could be used to steal sensitive information like online banking credentials from an infected device.
As of early July, Agent Smith had already infected over 302,000 mobile devices in the US. The number may be even higher today. It’s one of the biggest threats seen so far this year, but it’s by no means the only one. Attackers are always looking for ways to get malware onto consumers’ devices, and in so doing:
Steal log-ins for key accounts like online banking
Secretly mine for crypto-currency using your device, which can cause it to slow down
Flood your screen with pop-up adverts, making it unusable
Lock your device with ransomware until a fee is paid
Sign your device up to premium rate services which can incur heavy charges
How do I stay safe?
Google is getting better at preventing apps loaded with hidden malware from being published on its official Play Store, but there are still occasions when some sneak through. The hackers behind Agent Smith were found to have hidden malware elements on 11 apps listed on Google Play. Two of them had already reached 10 million downloads by the time Google was notified and they were withdrawn.
App downloads are also only one of several avenues where your mobile device could be at risk of attack. Others include via malicious text or IM messages, public Wi-Fi networks that you might be sharing with hackers, and even lost or stolen devices.
Here’s a quick rundown of some key steps to stay safe:
Stick to legitimate stores (Google Play and Apple’s App Store) – you are 23 times more likely to install a potentially harmful application (PHA) outside Play, according to Google.
Read the permissions requested by applications when you install them. If they seem excessive (e.g., a gaming app that wants to access your address book and microphone) then avoid the app. It’s better to be safe than sorry.
Always ensure you’re on the latest version of Android.
Don’t log in to public Wi-Fi, or if you must, don’t use any sensitive accounts (email, banking etc.) until you get back onto a private and secure network. Otherwise, use a Wi-Fi VPN, like Trend Micro WiFi Protection.
Ensure your device has a remote lock and wipe feature switched on, to sign out of accounts and wipe the device if it is lost or stolen.
Don’t root/jailbreak the device, as this can expose it to security risks.
Be cautious – you may be more likely to click on phishing links in emails, texts, and via social channels when on the move as you could be distracted and/or in a rush.
Run anti-malware on your mobile device from a reputable company, like Trend Micro.
How can Trend Micro help?
The last recommendation is non-trivial. Trend Micro offers customers comprehensive anti-malware capabilities via Trend Micro Mobile Security (TMMS), which provides protection from malicious apps via the Mobile App Reputation Service (MARS).
With Agent Smith, there are two malicious parts: the Agent Smith malware itself and the doppelganger apps that it creates on victim devices to replace the legitimate ones. MARS/TMMS detects both. On Google Play, the MARS/TMMS pre-install scan will detect Agent Smith before it installs. (This same function will prevent you from downloading other malicious apps to your device.) Otherwise, both Agent Smith (installed from a 3rd-party store) or the doppelganger apps it creates will trigger the real-time scan in MARS/TMMS and warn you the apps are not safe, so you can delete them from your device.
Among its other features, Trend Micro Mobile Security also:
Blocks dangerous websites
Checks if public WiFi connections are safe
Guards financial and commercial apps
Optimizes your device’s performance
Protects your kids’ devices with parental controls
In the latest of its kind phishing attacks, phishers have been found to use custom 404 Not Found error pages to run phishing campaign. This unusual phishing campaign is basically aimed at tricking unsuspecting victims into sharing their Microsoft login credentials. A 404 Not Found page is typically an indication…
When making secure connections, Chrome trusts certificates that have been locally installed on a user's computer or mobile device. This allows users to run tools to inspect and debug connections during website development, or for corporate environments to intercept and monitor internal traffic. It is not appropriate for this mechanism to be used to intercept traffic on the public internet.
In response to recent actions by the Kazakhstan government, Chrome, along with other browsers, has taken steps to protect users from the interception or modification of TLS connections made to websites.
Chrome will be blocking the certificate the Kazakhstan government required users to install:
The certificate has been added to CRLSet. No action is needed by users to be protected. In addition, the certificate has been added to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course.
Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered a weakness in the Bluetooth wireless standard that could allow attackers to intercept device keystrokes, contact lists, and other sensitive data sent from billions of devices.
The Key Negotiation of Bluetooth attack, or “KNOB” for short, exploits this weakness by forcing two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection, allowing attackers within radio range to quickly crack the key and access users’ data. From there, hackers can use the cracked key to decrypt data passed between devices, including keystrokes from messages, address books uploaded from a smartphone to a car dashboard, and photos.
What makes KNOB so stealthy? For starters, the attack doesn’t require a hacker to have any previously shared secret material or to observe the pairing process of the targeted devices. Additionally, because the key-size negotiation is handled in the Bluetooth controller firmware, below the host operating system, neither the OS nor the apps using Bluetooth can see that the key was shortened, which makes the attack very difficult to spot.
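The following is an added, simplified model of the downgrade described above; it is not code from the original article or from the KNOB researchers, and it deliberately substitutes SHA-256 in counter mode for the real E0 cipher, byte truncation for the spec’s polynomial entropy reduction, and a plain function call for the LMP messages. The 7-byte minimum used for the "patched" responder is an assumption of this example. What it shows is the part that matters: once an in-range attacker rewrites the negotiated key size to 1, a known-plaintext crib is enough to brute-force the session key in at most 256 tries, while a responder that refuses small key sizes simply never completes the connection.

```python
"""Toy model of the KNOB key-size downgrade (constructed illustration, not real Bluetooth code)."""
import hashlib
from itertools import count

FULL_KEY_SIZE = 16     # largest BR/EDR encryption key size in bytes
PATCHED_MIN_SIZE = 7   # minimum a hardened responder insists on (assumed value for this example)


def negotiate_key_size(initiator_max, responder_max, responder_min=1, attacker=None):
    """Stand-in for the LMP key-size negotiation. `attacker`, if given, rewrites each
    proposal while it is in transit, as a MITM in radio range can. Returns the agreed
    size, or None when the responder refuses the downgrade."""
    proposal = initiator_max
    if attacker:
        proposal = attacker(proposal)      # lower the initiator's request on the way out
    agreed = min(proposal, responder_max)
    if attacker:
        agreed = attacker(agreed)          # and the acceptance on the way back
    if agreed < responder_min:
        return None                        # hardened responder aborts the connection
    return agreed


def reduce_entropy(link_key, key_size):
    """Stand-in for the spec's entropy reduction: keep only key_size bytes of key material."""
    return link_key[:key_size]


def keystream(session_key, length):
    """Stand-in for the E0 stream cipher: SHA-256 in counter mode over the session key."""
    out = b""
    for ctr in count():
        out += hashlib.sha256(session_key + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return out[:length]


def xor_crypt(session_key, data):
    # XOR with the keystream; the same call encrypts and decrypts
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))


def crack(ciphertext, known_prefix, key_size, budget=2 ** 16):
    """Brute-force the session key with a known-plaintext crib (e.g. a fixed protocol header).
    Returns (key, tries); key is None when the search space exceeds the work budget."""
    space = 256 ** key_size
    if space > budget:
        return None, 0
    for candidate in range(space):
        key = candidate.to_bytes(key_size, "big")
        if xor_crypt(key, ciphertext[: len(known_prefix)]) == known_prefix:
            return key, candidate + 1
    return None, space


def demo(attacker_present, responder_min=1):
    """Run one session and report what an eavesdropper in radio range recovers."""
    # constructed 16-byte link key, fixed so the run is repeatable
    link_key = hashlib.sha256(b"constructed pairing secret").digest()[:FULL_KEY_SIZE]
    size = negotiate_key_size(FULL_KEY_SIZE, FULL_KEY_SIZE, responder_min,
                              attacker=(lambda n: 1) if attacker_present else None)
    if size is None:
        return {"key_size": None, "cracked": False, "tries": 0}
    session_key = reduce_entropy(link_key, size)
    # constructed traffic: a fixed 8-byte header (the crib) followed by sensitive payload
    ciphertext = xor_crypt(session_key, b"HEADER01" + b"keystrokes: hunter2")
    recovered, tries = crack(ciphertext, b"HEADER01", size)
    return {"key_size": size, "cracked": recovered == session_key, "tries": tries}


if __name__ == "__main__":
    print("no attacker:   ", demo(attacker_present=False))
    print("KNOB downgrade:", demo(attacker_present=True))
    print("hardened min 7:", demo(attacker_present=True, responder_min=PATCHED_MIN_SIZE))
```

The crib is the only thing the attacker needs besides the captured ciphertext; a real link has plenty of predictable bytes (protocol headers, HID report framing), which is why the paper’s authors could recover keystrokes rather than just random noise.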
While the Bluetooth Special Interest Group (the body that oversees the wireless standard) has not yet provided a fix, there are still several ways users can protect themselves from this threat. Follow these tips to help keep your Bluetooth-compatible devices secure:
Adjust your Bluetooth settings. To avoid this attack altogether, turn off Bluetooth in your device settings.
Beware of what you share. Make it a habit to not share sensitive, personal information over Bluetooth.
Turn on automatic updates. A handful of companies, including Microsoft, Apple, and Google, have released patches to mitigate this vulnerability. To ensure that you have the latest security patches for vulnerabilities such as this, turn on automatic updates in your device settings.
And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
We recently launched a host of new features and improvements in our CMD+CTRL Cyber Range - new metrics, new player report cards, new hints - all with the aim of providing an experience that you’ll remember. Over the next few weeks, we’ll dive into these new features to give you an idea of what to expect. This week we’re detailing seamless event switching and tracking your performance over multiple events.
CRN, a brand of The Channel Company, recently recognized McAfee CEO Chris Young and Head of Channel Sales Operations for the Americas Ken McCray in its list of Top 100 Executives of 2019. This annual list honors technology executives who lead, influence, innovate and disrupt the IT channel.
Over the past year, Young led McAfee into the EDR space, directed the introduction of McAfee’s cloud and unified data protection offerings, and forged a partnership with Samsung to safeguard the Galaxy S10 mobile device. According to CRN, these accomplishments earned Young the number-three spot in CRN’s list of 25 Most Innovative Executives—a subset of the Top 100 list that recognizes executives “who are always two steps ahead of the competition.” Young is no stranger to the Top 100 Executives list: He also earned a place on last year’s list, when his post-spinout acquisitions led to him being named one of the Top 25 Disruptors of 2018.
Based on his work overseeing the launch of McAfee’s alternative route to market channel initiative, Ken McCray was also recognized as one of this year’s Top 100 Executives. The initiative, which has driven incremental bookings as Managed Security Partners and cloud service providers bring new customers on board, earned McCray a spot on the Top 25 IT Channel Sales Leaders of 2019. This has been an accolade-filled year for McCray: In February, he was named one of the 50 Most Influential Channel Chiefs for 2019, based on his division’s double-digit growth and the relationships he built with key cloud service providers.
The Top 100 Executives being recognized drive cultural transformation, revenue growth, and technological innovation across the IT channel. In doing so, they help solution providers and technology suppliers survive—and thrive—in today’s always-on, always-connected global marketplace.
“The IT channel is rapidly growing, and navigating this fast-paced market often challenges solution providers and technology suppliers alike,” said Bob Skelley, CEO of The Channel Company. “The technology executives on CRN’s 2019 Top 100 Executives list understand the IT channel’s potential. They provide strategic and visionary leadership and unparalleled guidance to keep the IT channel moving in the right direction—regardless of the challenges that come their way.”
We at McAfee are proud of the recognition Young and McCray have received, and look forward to seeing our company continue to thrive under their leadership.
The Top 100 Executives list is featured in the August 2019 issue of CRN Magazine and online at www.CRN.com/Top100.
Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents often assume that cybersecurity has risen as a priority for school administrators. But with many institutions struggling to modernize legacy systems, that assumption puts our children’s security at risk. Here are the top threats to cybersecurity in schools and how to protect against them, so you can send your kids out the door knowing they’re safe and secure.
Many school WiFi networks are as vulnerable as any public network at a coffee shop or airport. In an attempt to secure WiFi networks in K-12 environments, many schools use pre-shared key (PSK) authentication, which means sharing a single WiFi password with every network user in order to grant access. Because every user holds the same key, anyone who has it can not only join the network but, on a WPA2-PSK network, also decrypt other users’ traffic after capturing their connection handshake. This password often makes its way onto unauthorized devices, granting potentially malicious users access to the school’s network, and to your child’s digital footprint.
Weak Cybersecurity Practices
A school’s cybersecurity defense plan is only as strong as its weakest link, and that weak link is often the plan’s users and overseers. According to Verizon’s 2019 Data Breach Investigation Report, a startling 35% of all education sector data breaches were caused by human error. Mistakes as simple as using discontinued or out-of-date software can leave entire school systems vulnerable—even at prestigious institutions like Stanford University. Because Stanford was using discontinued software called NolijWeb, a white hat hacker was able to exploit an insecure direct object reference: simply changing a numeric ID in a URL returned another student’s sensitive records, with no check that the requester was entitled to them. While the scope of the vulnerability was being explored, 81 students’ private data was exposed, including information like Social Security numbers, citizenship status, criminal status, standardized test scores, ethnicity, and home addresses.
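The pattern behind the Stanford incident is worth seeing in code. The block below is an added example, not NolijWeb’s code or anything from the original report: a constructed record store keyed by the numeric ID that would appear in the URL, one handler that only checks that the caller is logged in (the vulnerable shape), and one that also checks that the caller owns the record or holds a staff role. The `enumerate_ids` helper does what a curious user does with a numeric ID and counts how many records each handler gives back.

```python
"""Insecure direct object reference (IDOR): vulnerable handler beside the hardened one.
Constructed data; not the code of any real student-records system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StudentRecord:
    record_id: int
    owner: str        # username of the student the record belongs to
    ssn_last4: str    # stands in for the sensitive fields a real record carries


# constructed data store, keyed by the numeric ID that appears in the URL
RECORDS = {
    1001: StudentRecord(1001, "alice", "1234"),
    1002: StudentRecord(1002, "bob", "5678"),
}

STAFF = {"registrar"}   # roles allowed to read any record (assumed for this example)


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def fetch_record_vulnerable(session_user, record_id):
    """Authenticated but not authorized: session_user is never consulted, so any
    logged-in user can walk the ID space and read everyone's records."""
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id)


def fetch_record_hardened(session_user, record_id):
    """Authorization check against the record's owner (or a staff role) before returning it."""
    record = RECORDS.get(record_id)
    # same error for missing and foreign records, so the response does not reveal which IDs exist
    if record is None or (record.owner != session_user and session_user not in STAFF):
        raise Forbidden(record_id)
    return record


def enumerate_ids(fetch, session_user, start, stop):
    """Iterate over a range of IDs the way a curious user would; return the IDs that came back."""
    leaked = []
    for rid in range(start, stop):
        try:
            leaked.append(fetch(session_user, rid).record_id)
        except (Forbidden, NotFound):
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable, as alice:", enumerate_ids(fetch_record_vulnerable, "alice", 1000, 1010))
    print("hardened, as alice:  ", enumerate_ids(fetch_record_hardened, "alice", 1000, 1010))
    print("hardened, as staff:  ", enumerate_ids(fetch_record_hardened, "registrar", 1000, 1010))
```

The ownership check is the whole fix; the uniform error is a secondary hardening so that an attacker cannot even learn which IDs are valid. An alternative is to stop exposing sequential IDs at all and hand out per-user opaque references, but that does not remove the need for the check on the server side.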
Targeted Cybersecurity Attacks
Due to the highly sensitive data stored within their systems, education IT infrastructure is consistently a top target for cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and 2018 alone. The threat has become a large enough issue that the FBI has released a public service announcement warning that the education sector was one of those most frequently targeted by social engineering schemes and
Beyond traditional cyber threats, schools often face a unique adversary—the students themselves. The Joint Information Systems Committee (JISC) recently conducted a survey that examined more than 850 cyberattacks against schools and concluded that a majority of those incidents had been perpetrated by students or school staff. Although an attack launched by a student who wants to get out of a test may not be as costly as one that targets student data, it can still grind a school system to a halt.
How to Protect Your Student’s Cybersecurity
How can you protect your child’s cybersecurity while they are at school? Get involved. Ask the school’s administrators about their cybersecurity policy. Ask about the strength of their firewalls, their email security measures, and the amount of encryption applied to the data storage systems. If you’re not satisfied with their measures, be your child’s
you may have limited control over any school-provided devices, you can secure your child’s personal devices behind a trusted VPN (though they must know how to use it first). A VPN encrypts your child’s traffic between the device and the VPN provider, so nobody on the school or coffee-shop network can read or tamper with it; it does not protect against malware already on the device or against the VPN provider itself, so choose one you trust. In some cases, VPNs can prevent access to testing and curriculum sites on school networks, so students should know how to connect to and disconnect from their VPN at
Most importantly, teach your child to be aware of the risks of cybercrime and how to combat them. Help them understand how a VPN and other measures can keep them safe, how to recognize phishing attacks, and why they should always be vigilant. Just as your child knows to wear a seatbelt when riding in someone else’s car, they should also know how to stay safe online, whether at home, school, or a friend’s house.
The key to truly protecting your children from potential cybersecurity threats is education, both for yourself and for your family. Follow us on Facebook and Twitter to stay up to date on the latest risk reports and security tips.
I ruined Easter Sunday 2017 for McAfee employees the world over. That was the day our company’s page on a prominent social media platform was defaced—less than two weeks after McAfee had spun out of Intel to create one of the world’s largest pure-play cybersecurity companies. The hack would have been embarrassing for any company; it was humiliating for a cybersecurity company. And, while I could point the finger of blame in any number of directions, the sobering reality is that the hack happened on my watch, since, as the CMO of McAfee, it was my team’s responsibility to do everything in our power to safeguard the image of our company on that social media platform. We had failed to do so.
Personal accountability is an uncomfortable thing. Defensive behavior comes much more naturally to many of us, including me. But, without accountability, change is hindered. And, when you find yourself in the crosshairs of a hacker, change—and change quickly—you must.
I didn’t intend to ruin that Easter Sunday for my colleagues. There was nothing I wanted less than to call my CEO and peers and spoil their holiday with the news. And, I didn’t relish having to notify all our employees of the same the following Monday. It wasn’t that I was legally obligated to let anyone know of the hack; after all, McAfee’s systems were never in jeopardy. But our brand reputation took a hit that day, and our employees deserved to know that their CMO had let her guard down just long enough for an opportunistic hacker to strike.
I tell you this story not out of self-flagellation or so that you can feel, “Hey, better her than me!” I share this story because it’s a microcosm of why I wrote a book, The Cybersecurity Playbook: How Every Leader and Employee Can Contribute to a Culture of Security.
I’m not alone in having experienced an unfortunate hack that may have been prevented had my team and I been more diligent in practicing habits to minimize it. Every day, organizations are attacked the world over. And, behind every hack, there’s a story. There’s hindsight of what might have been done to avoid it. While the attack on that Easter Sunday was humbling, the way in which my McAfee teammates responded, and the lessons we learned, were inspirational.
I realized in the aftermath that there’s a real need for a playbook that gives every employee—from the frontline worker to the board director—a prescription for strong cybersecurity hygiene. I realized that everyone can play an indispensable role in protecting her organization from attack. And, I grasped that common sense is not always common practice.
There’s no shortage of cybersecurity books available for your consumption from reputable, talented authors with a variety of experiences. You’ll find some from journalists, who have dissected some of the most legendary breaches in history. You’ll find others from luminaries, who speak with authority as being venerable forefathers of the industry. And you’ll find more still from technical experts, who decipher the intricate elements of cybersecurity in significant detail.
But, you won’t find many from marketers. So why trust this marketer with a topic of such gravity? Because this marketer not only works for a company that has its origins in cybersecurity but found herself on her heels that fateful Easter Sunday. I know what it’s like to have to respond—and respond fast—when time is not on your side and your reputation is in the hands of a hacker. And, while McAfee certainly had a playbook to act accordingly, I realized that every company should have the same.
So, whether you’re in marketing, human resources, product development, IT or finance—or a board member, CEO, manager or individual contributor—this book gives you a playbook to incorporate cybersecurity habits in your routine. I’m not so naïve as to believe that cybersecurity will become everyone’s primary job. But, I know that cybersecurity is now too important to be left exclusively in the hands of IT. And, I am idealistic enough to envision a workplace where sound cybersecurity practice becomes so routine that all employees regularly do their part to collectively improve the defenses of their organization. I hope this book empowers action; your organization needs you in this fight.
Allison Cerra’s book, The Cybersecurity Playbook: How Every Leader and Employee Can Contribute to a Culture of Security, is scheduled to be released September 12, 2019 and can be preordered at amazon.com.
There are over 300 million fraudulent sign-in attempts to our cloud services every day. Cyberattacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology. All it takes is one compromised credential or one legacy application to cause a data breach. This underscores how critical it is to ensure password security and strong authentication. Read on to learn about common vulnerabilities and the single action you can take to protect your accounts from attacks.
In a recent paper from the SANS Software Security Institute, the most common vulnerabilities include:
Business email compromise, where an attacker gains access to a corporate email account, such as through phishing or spoofing, and uses it to exploit the system and steal money. Accounts that are protected with only a password are easy targets.
Legacy protocols create a major vulnerability because applications that use basic authentication over protocols such as SMTP, IMAP and POP3 send only a username and password and have no way to complete a Multi-Factor Authentication (MFA) challenge. So even if you require MFA for most use cases, attackers will look for an outdated browser or email client that lets them fall back to these less secure protocols.
Password reuse, where password spray and credential stuffing attacks come into play. Common passwords and credentials compromised by attackers in public breaches are used against corporate accounts to try to gain access. Considering that up to 73 percent of passwords are duplicates, this has been a successful strategy for many attackers and it’s easy to do.
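Both of the patterns just described leave a recognizable trace in sign-in logs. The block below is an added detection example, not Microsoft’s code and not a real Azure AD or Microsoft 365 export: the log format, the field names and the `LEGACY_CLIENT_APPS` list are constructed for the example, and the ten sample lines are made up. It flags sign-ins over protocols that cannot be challenged for MFA, and it identifies password spray by the breadth of distinct usernames a single source fails against inside a short window, which is the signal that per-user lockout thresholds miss.

```python
"""Detection of legacy-protocol sign-ins and password spray over constructed sign-in logs."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that carry only a username/password and cannot prompt for MFA (constructed list)
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync"}

# Constructed sample log; one spraying source (192.0.2.50) tries many accounts with one password
SAMPLE_LOG = """timestamp,user,client_app,source_ip,status
2019-09-03T08:00:01Z,alice@example.com,Browser,203.0.113.10,Success
2019-09-03T08:00:05Z,bob@example.com,Browser,203.0.113.11,Failure
2019-09-03T08:01:00Z,bob@example.com,IMAP4,198.51.100.7,Success
2019-09-03T08:02:00Z,alice@example.com,Browser,192.0.2.50,Failure
2019-09-03T08:02:03Z,bob@example.com,Browser,192.0.2.50,Failure
2019-09-03T08:02:07Z,carol@example.com,Browser,192.0.2.50,Failure
2019-09-03T08:02:11Z,dave@example.com,Browser,192.0.2.50,Failure
2019-09-03T08:02:15Z,erin@example.com,Browser,192.0.2.50,Failure
2019-09-03T08:02:20Z,frank@example.com,Browser,192.0.2.50,Success
2019-09-03T09:30:00Z,grace@example.com,Browser,192.0.2.50,Failure
"""


def parse(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def legacy_auth_events(rows):
    """Every sign-in over a protocol that cannot be challenged for MFA, successful or not."""
    return [r for r in rows if r["client_app"] in LEGACY_CLIENT_APPS]


def password_spray_sources(rows, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs that failed against >= min_accounts distinct users inside `window`.
    Spray is one or two passwords tried across many accounts, so the signal is the
    number of usernames per source, not failures per user."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["status"] == "Failure":
            by_ip[r["source_ip"]].append(r)
    hits = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["timestamp"])
        start = 0
        for end in range(len(events)):          # sliding window over this IP's failures
            while events[end]["timestamp"] - events[start]["timestamp"] > window:
                start += 1
            users = {r["user"] for r in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip] = max(len(users), hits.get(ip, 0))
    return hits


def compromised_after_spray(rows, spray_ips):
    """Accounts that signed in successfully from a spraying source: reset these first."""
    return sorted({r["user"] for r in rows
                   if r["source_ip"] in spray_ips and r["status"] == "Success"})


def analyze(text=SAMPLE_LOG):
    rows = parse(text)
    spray = password_spray_sources(rows)
    return {
        "legacy_users": [r["user"] for r in legacy_auth_events(rows)],
        "spray": spray,
        "reset_first": compromised_after_spray(rows, spray),
    }


if __name__ == "__main__":
    print(analyze())
```

The thresholds (five accounts in ten minutes) are deliberately low so the sample trips them; in production they are tuned against the organisation’s own baseline, and a source that trips the spray rule should also be checked against the legacy-protocol list, since a sprayed password is most useful to the attacker where MFA cannot intervene.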
What you can do to protect your company
You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing. However, one of the best things you can do is to just turn on MFA. By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access. To learn more, read Your Pa$$word doesn’t matter.
MFA is easier than you think
According to the SANS Software Security Institute there are two primary obstacles to adopting MFA implementations today:
Misconception that MFA requires external hardware devices.
Concern about potential user disruption or concern over what may break.
Matt Bromiley, SANS Digital Forensics and Incident Response instructor, says, “It doesn’t have to be an all-or-nothing approach. There are different approaches your organization could use to limit the disruption while moving to a more advanced state of authentication.” These include a role-based or by application approach—starting with a small group and expanding from there. Bret Arsenault shares his advice on transitioning to a passwordless model in Preparing your enterprise to eliminate passwords.
Take a leap and go passwordless
Industry protocols such as WebAuthn and CTAP2, ratified in 2018, have made it possible to remove passwords from the equation altogether. These standards, collectively known as the FIDO2 standard, ensure that user credentials are protected end-to-end and strengthen the entire security chain. The use of biometrics has become more mainstream, popularized on mobile devices and laptops, so it’s a familiar technology for many users and one that is often preferred to passwords anyway. Passwordless authentication technologies are not only more convenient for people but are extremely difficult and costly for hackers to compromise. Learn more about Microsoft passwordless authentication solutions in a variety of form factors to meet user needs.
Convince your boss
Download the SANS white paper Bye Bye Passwords: New Ways to Authenticate to read more on guidance for companies ready to take the next step to better protect their environments from password risk. Remember, talk is easy, action gets results!
Posted by Matt McDonald, Software Engineer, and Sebastian Harl, Software Engineer
Intro
This is the second post in a series of four, in which we set out to revisit various BeyondCorp topics and share lessons that were learnt along the internal implementation path at Google.
The first post in this series focused on providing necessary context for how Google adopted BeyondCorp. This post will focus on managing devices - how we decide whether or not a device should be trusted and why that distinction is necessary. Device management provides both the data and guarantees required for making access decisions by securing the endpoints and providing additional context about it.
How do we manage devices?
At Google, we use the following principles to run our device fleet securely and at scale:
Secure default settings at depth with central enforcement
Ensure a scalable process
Invest in fleet testing, monitoring, and phased rollouts
Ensure high quality data
Secure default settings
Defense in depth requires us to layer our security defenses such that an attacker would need to pass multiple controls in an attack. To uphold this defensive position at scale, we centrally manage and measure various qualities of our devices, covering all layers of the platform:
Operating system and software
User settings and modifications
We use automated configuration management systems to continuously enforce our security and compliance policies. Independently, we observe the state of our hardware and software. This allows us to determine divergence from the expected state and verify whether it is an anomaly.
Where possible, our platforms use native OS capabilities to protect against malicious software, and we extend those capabilities across our platforms with custom and commercial tooling.
Scalable process
Google manages a fleet of several hundred thousand client devices (workstations, laptops, mobile devices) for employees who are spread across the world. We scale the engineering teams who manage these devices by relying on reviewable, repeatable, and automated backend processes and minimizing GUI-based configuration tools. By using and developing open-source software and integrating it with internal solutions, we reach a level of flexibility that allows us to manage fleets at scale without sacrificing customizability for our users. The focus is on operating system agnostic server and client solutions, where possible, to avoid duplication of effort.
Software for all platforms is provided by repositories which verify the integrity of software packages before making them available to users. The same system is used for distributing configuration settings and management tools, which enforce policies on client systems using the open-source configuration management system Puppet, running in standalone mode. In combination, this allows us to easily scale infrastructure and management horizontally as described in more detail and with examples in one of our BeyondCorp whitepapers, Fleet Management at Scale.
All device management policies are stored in centralized systems which allow settings to be applied both at the fleet and the individual device level. This way policy owners and device owners can manage sensible defaults or per-device overrides in the same system, allowing audits of settings and exceptions. Depending on the type of exception, they may either be managed self-service by the user, require approval from appropriate parties, or affect the trust level of the affected device. This way, we aim to guarantee user satisfaction and security simultaneously.
Fleet testing, monitoring, and phased rollouts
Applying changes at scale to a large heterogeneous fleet can be challenging. At Google, we have automated test labs which allow us to test changes before we deploy them to the fleet. Rollouts to the client fleet usually follow multiple stages and random canarying, similar to common practices with service management. Furthermore, we monitor various status attributes of our fleet which allows us to detect issues before they spread widely.
High quality data
Device management depends on the quality of device data. Both configuration and trust decisions are keyed off of inventory information. At Google, we track all devices in centralized asset management systems. This allows us to not only observe the current (runtime) state of a device, but also whether it’s a legitimate Google device. These systems store hardware attributes as well as the assignment and status of devices, which lets us match and compare prescribed values to those which are observed.
Prior to implementing BeyondCorp, we performed a fleet-wide audit to ensure the quality of inventory data, and we perform smaller audits regularly across the fleet. Automation is key to achieving this, both for entering data initially and for detecting divergence at later points. For example, instead of having a human enter data into the system manually, we use digital manifests and barcode scanners as much as possible.
How do we figure out whether devices are trustworthy?
After appropriate management systems have been put in place, and data quality goals have been met, the pertinent security information related to a device can be used to establish a "trust" decision as to whether a given action should be allowed to be performed from the device.
High level architecture for BeyondCorp
This decision can be most effectively made when an abundance of information about the device is readily available. At Google, we use an aggregated data pipeline to gather information from various sources, which each contain a limited subset of knowledge about a device and its history, and make this data available at the point when a trust decision is being made.
Various systems and repositories are employed within Google to perform collection and storage of device data that is relevant to security. These include tools like asset management repositories, device management solutions, vulnerability scanners, and internal directory services, which contain information and state about the multitude of physical device types (e.g., desktops, laptops, phones, tablets), as well as virtual desktops, used by employees at the company.
Having data from these various types of information systems available when making a trust decision for a given device can certainly be advantageous. However, challenges can present themselves when attempting to correlate records from a diverse set of systems which may not have a clear, consistent way to reference the identity of a given device. The challenge of implementation has been offset by the gains in security policy flexibility and improvements in securing our data.
What lessons did we learn?
As we rolled out BeyondCorp, we iteratively improved our fleet management and inventory processes as outlined above. These improvements are based on various lessons we learned around data quality challenges.
Audit your data ahead of implementing BeyondCorp
Data quality issues and inaccuracies are almost certain to be present in an asset management system of any substantial size, and these issues must be corrected before the data can be utilized in a manner which will have a significant impact on user experience. Having the means to compare values that have been manually entered into such systems against similar data that has been collected from devices via automation can allow for the correction of discrepancies, which may interrupt the intended behavior of the system.
Prepare to encounter unforeseen data quality challenges
Numerous data incorrectness scenarios and challenging issues are likely to present themselves as the reliance on accurate data increases. For example, be prepared to encounter issues with data ingestion processes that rely on transcribing device identifier information, which is physically labeled on devices or their packaging, and may incorrectly differ from identifier data that is digitally imprinted on the device.
In addition, over reliance on the assumed uniqueness of certain device identifiers can sometimes be problematic in the rare cases where conventionally unique attributes, like serial numbers, can appear more than once in the device fleet (this can be especially exacerbated in the case of virtual desktops, where such identifiers may be chosen by a user without regard for such concerns).
Lastly, routine maintenance and hardware replacements performed on employee devices can result in ambiguous situations with regards to the "identity" of a device. When internal device components, like network adapters or mainboards, are found to be defective and replaced, the device's identity can be changed into a state which no longer matches the known inventory data if care is not taken to correctly reflect such changes.
Implement controls to maintain high quality asset inventory
After inventory data has been brought to an acceptable correctness level, mechanisms should be put into place to limit the ability for new inaccuracies to be introduced. For example, at Google, data correctness checks have been integrated into the provisioning process for new devices so that inventory records must be correct before a device can be successfully imaged with an operating system, ensuring that the device will meet required data accuracy standards before being delivered to an employee.
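To make the correlation and trust-decision step concrete, here is an added example; it is not Google’s code, and the three record sources, their field names, the minimum OS version and the tiering rule are all constructed for illustration rather than taken from the post. It joins an asset inventory (what is prescribed), management-agent reports (what is observed) and vulnerability-scan counts on the serial number, records every inconsistency the join turns up, and only assigns a trust tier to devices whose identity is unambiguous. The sample deliberately contains the three data-quality problems the post warns about: a serial number that appears twice in inventory, a device the agent reports but inventory has never seen, and a device inventory says is retired.

```python
"""Device-data correlation and trust decision over constructed inventory, MDM and scan records."""
from collections import Counter

MIN_OS = "10.14.6"   # assumed fleet minimum for this example

# What the asset system prescribes, keyed by asset tag (constructed)
ASSET_INVENTORY = [
    {"asset_tag": "GOOG-0001", "serial": "C02ABC123", "owner": "alice", "status": "assigned"},
    {"asset_tag": "GOOG-0002", "serial": "C02XYZ999", "owner": "bob",   "status": "assigned"},
    {"asset_tag": "GOOG-0003", "serial": "VMWARE-42", "owner": "carol", "status": "assigned"},
    {"asset_tag": "GOOG-0004", "serial": "VMWARE-42", "owner": "dave",  "status": "assigned"},  # duplicate serial
    {"asset_tag": "GOOG-0005", "serial": "C02OLD001", "owner": "erin",  "status": "retired"},
]
# What the management agent observes, keyed by serial (constructed)
MDM_OBSERVED = [
    {"serial": "C02ABC123", "os_version": "10.14.6", "disk_encrypted": True,  "puppet_ok": True},
    {"serial": "C02XYZ999", "os_version": "10.13.6", "disk_encrypted": True,  "puppet_ok": False},
    {"serial": "VMWARE-42", "os_version": "10.14.6", "disk_encrypted": True,  "puppet_ok": True},
    {"serial": "C02OLD001", "os_version": "10.14.6", "disk_encrypted": False, "puppet_ok": True},
    {"serial": "C02NEW777", "os_version": "10.14.6", "disk_encrypted": True,  "puppet_ok": True},  # unknown to inventory
]
# Count of critical findings per serial from the vulnerability scanner (constructed)
VULN_SCAN = {"C02XYZ999": 2}

TIER_RANK = {"untrusted": 0, "reduced": 1, "full": 2}


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def correlate():
    """Join the sources on serial number and record every inconsistency found on the way."""
    serial_counts = Counter(a["serial"] for a in ASSET_INVENTORY)
    inventory = {a["serial"]: a for a in ASSET_INVENTORY}
    observed = {m["serial"]: m for m in MDM_OBSERVED}
    devices = {}
    for serial in set(inventory) | set(observed):
        inv, obs, issues = inventory.get(serial), observed.get(serial), []
        if inv is None:
            issues.append("not in inventory")               # not a known legitimate device
        elif inv["status"] != "assigned":
            issues.append(f"inventory status {inv['status']}")
        if serial_counts[serial] > 1:
            issues.append("serial not unique in inventory")  # identity is ambiguous
        if obs is None:
            issues.append("no management agent report")      # nothing observed to check against
        devices[serial] = {"inventory": inv, "observed": obs, "issues": issues}
    return devices


def trust_tier(dev):
    """No tier at all until identity is clean; then prescribed vs observed state decides."""
    if dev["issues"]:
        return "untrusted"
    obs = dev["observed"]
    weak = (not obs["disk_encrypted"]
            or not obs["puppet_ok"]                                    # config management diverged
            or version_tuple(obs["os_version"]) < version_tuple(MIN_OS)
            or VULN_SCAN.get(dev["inventory"]["serial"], 0) > 0)
    return "reduced" if weak else "full"


def access_allowed(serial, required_tier, devices=None):
    """The access decision: does this device's tier meet what the resource requires?"""
    devices = devices or correlate()
    dev = devices.get(serial)
    tier = trust_tier(dev) if dev else "untrusted"
    return TIER_RANK[tier] >= TIER_RANK[required_tier]


def report():
    return {serial: trust_tier(dev) for serial, dev in correlate().items()}


if __name__ == "__main__":
    for serial, dev in sorted(correlate().items()):
        print(serial, trust_tier(dev), dev["issues"])
```

Note that a device with issues gets no trust rather than reduced trust: if the inventory cannot say which of two machines a serial refers to, nothing observed about "it" can be attributed safely, which is exactly why the post puts the inventory audit ahead of the rollout.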
Next time
In the next post in this series, we will discuss a tiered access approach, how to create rule-based trust and the lessons we’ve learned through that process.
The workshop is for developers to share their experiences with Speech Activity Detection (SAD), Automated Speech Recognition(ASR), and Keyword Search (KWS) algorithms or systems when applied to the data
In stark contrast to the strict office hours of years past, today’s businesses give employees flexibility over working hours, remote work, and the devices they work from.
It is in this context that many leading enterprises worldwide have adopted a Bring Your Own Device (BYOD) policy: employees use their own devices (phones, tablets, laptops, etc.) to connect to enterprise networks and work on their deliverables.
And, employees love BYOD because –
Own device familiarity
Ability to work in a preferred location
From the employer’s perspective, the cost of procuring a new device for each employee is avoided, which adds up to substantial savings for an enterprise.
The flipside to this otherwise brilliant arrangement is the security lapse that may occur if the BYOD policy is not formulated properly. A weak BYOD policy opens enterprise networks to significant cybersecurity risk, because the traditional enterprise security controls applied to company-owned devices no longer apply. This can snowball into a disaster!
Below are some of the common risks when enterprise mobility is not properly secured.
The Risk of Data Loss
The risk of data loss rises sharply when employees use their own devices to access and work in business networks. Enterprises typically are not able to deploy the same level of data controls on personal devices as they can on enterprise devices, which leaves personal devices susceptible to data loss through malware, ransomware and various other threats.
Personal devices are also more likely to be used in insecure ways if unauthorized users gain access to them, something that is far harder to do to an enterprise device in a conventional business security ecosystem. Personal devices that connect to risky public Wi-Fi networks (airports, restaurants, etc.) or are shared with other people pose a serious risk to business-critical data.
Personal & professional data on the same devices
An increasingly grey area in the context of BYOD: because personal devices hold both personal and professional data and serve both purposes, important business information is put at risk. Humans make mistakes, for instance sending professional information to the wrong recipient.
Increased risk of sabotage
All enterprises face the risk of sabotage by disgruntled employees; it is a serious risk that enterprises address through various means. For companies permitting BYOD, the risk of sabotage by angry or dissatisfied employees is higher. A former employee may still have access to company data on his/her device, and leaking it to competitors or any other party could create havoc for the company.
Business-issued mobile devices operating on the corporate network can be safeguarded from a plethora of threats by applying policies such as frequent backups, encryption, etc. The same may not always be true for personal devices, which makes it a big risk when an employee reports the theft of a personal device.
All enterprises have content policies which regulate the kind of content their employees can access. While this can still be easier to regulate and moderate on work devices, it may not be possible on personal devices allowing employees to access and view all kinds of content. This opens up wider enterprise threats in the form of malware, ransomware, etc. which is notoriously hidden in unrestricted content.
The key to managing BYOD is deploying an Enterprise Mobility Management solution which understands and addresses the aforementioned risks. Enterprises can consider Seqrite mSuite which increases the productivity of enterprises by mobilizing the workforce while ensuring that critical data remains absolutely secure.
For episode seven, we have returning guest, Andrew Lancashire, joined by Chief Healthcare Technical Strategist, Sumit Sehgal, where they discuss protecting intellectual property with an emphasis on the healthcare industry.
Open source technology empowers developers to make software better, faster, and more efficiently as they push the envelope and delight users with desired features and functionality. This is a trend that is unlikely to fade – at least not in the foreseeable future – and has further fueled our passion for securing the world’s software. This is also why Veracode acquired SourceClear – we had a vision for the impact that integrating our software composition analysis (SCA) technologies would have on our customers’ ability to develop bold, revolutionary software using open source code – without risking their security posture.
Today, our customers have access to an industry-leading, scalable SCA solution that provides unparalleled support for SCA in DevSecOps environments through the cloud-based Veracode Application Security Platform. Veracode SCA offers a unique vulnerable method detection technology that increases the actionability of SCA scan results, as well as the ability to receive continuous alerts on new or updated vulnerabilities without rescanning an application.
Further, our solution relies on a proprietary library and vulnerability database, built using true machine learning and data mining, which has the ability to identify vulnerabilities not available in the National Vulnerability Database (NVD). In addition to CVEs, the database now also includes Reserved CVEs and No-CVEs detected with our data mining and machine learning models. These results are verified by our expert data research team for all supported languages.
Software Composition Analysis for DevSecOps Environments
Veracode SCA offers remediation guidance, SaaS-based scalability, and integration with Continuous Integration tools to provide users with visibility into all direct and indirect open source libraries in use, known and unknown vulnerabilities in those libraries, and how they impact applications, without slowing down development velocity.
Additionally, it is the only solution on the market that offers two ways to start an SCA scan, each giving insight into open source vulnerabilities, library versions, and licenses:
Scan via Application Binary Upload
Through the traditional application upload process, you’re able to upload your applications or binaries to the Veracode Application Security Platform so that you can run scans via the UI or an API.
SCA scans continue to run alongside Veracode Static Analysis. During the pre-scan evaluation for static scanning, Veracode executes the SCA scan to review the application’s composition, and the results are delivered while the static scan continues. Bill of materials, scores, policy definition, and open source license detection remain available for those application upload scans.
Agent-based scanning, integrated within the Veracode Application Security Platform, enables you to scan your source code repositories directly, either manually from the command line or in a Continuous Integration pipeline. The agent-based scanning process has been enhanced to detect more open source license types in open source libraries. The library and vulnerability database has been expanded with newly detected vulnerabilities, and project scans can now be linked with application profiles for policy compliance, reporting, and PDF reports. Customers using Veracode SCA agent-based scanning can conduct:
Vulnerable Method Detection: Pinpoints the line of code at which the application calls the vulnerable part of the open source library, so developers can determine whether their code is actually affected.
Auto Pull Requests: Veracode SCA identifies vulnerabilities and makes recommendations for using a safer version of the library. This feature automatically generates pull requests ready to be merged with your code in GitHub, GitHub Enterprise, or GitLab. It provides the fix for you.
Container Scanning: Scan Docker containers and container images for open source vulnerabilities in Linux distributions and base libraries.
Users have the flexibility to use both scanning types for the same application. Agent-based scanning can be used during development, and a traditional binary upload scan can be conducted before the application is put into production. Scan results continue to be assessed against the chosen policy and prompt users to take action based on the results. These actions can be automated with integration to Jenkins (or another Continuous Integration tool) to either break the build because of a failed policy scan, or to simply report the failed policy.
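To make the scanning and policy steps above concrete, here is an added example that is not Veracode's code and does not use the Veracode API: a minimal SCA check in Python that matches pinned library versions against a vulnerability database, looks for calls to each advisory's vulnerable method in the application's source (the "vulnerable method detection" idea), and then decides whether the build should break. The lockfile, the advisory records (with placeholder ids, not real CVEs), the source file, and the severity policy are all constructed for the example.

```python
import re

# Constructed sample inputs (not real data): a pip-style lockfile, a small
# vulnerability database in the shape an SCA tool might hold, and one source
# file from the application being scanned.
LOCKFILE = """\
requests==2.19.1
pyyaml==5.3.1
urllib3==1.24.1
"""

# Placeholder advisory ids, not real CVE numbers. "fixed_in" is the first safe
# version; "vulnerable_method" is the call a vulnerable-method detector looks
# for, or None when the advisory does not isolate a specific entry point.
VULN_DB = [
    {"library": "pyyaml", "fixed_in": "5.4", "id": "ADVISORY-EXAMPLE-1",
     "severity": "high", "vulnerable_method": "yaml.load"},
    {"library": "urllib3", "fixed_in": "1.24.2", "id": "ADVISORY-EXAMPLE-2",
     "severity": "medium", "vulnerable_method": None},
    {"library": "requests", "fixed_in": "2.20.0", "id": "ADVISORY-EXAMPLE-3",
     "severity": "medium", "vulnerable_method": "requests.Session.send"},
]

SOURCE = """\
import yaml
import requests

def load_config(path):
    with open(path) as fh:
        return yaml.load(fh)

def fetch(url):
    return requests.get(url, timeout=5)
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text: str) -> tuple:
    """Turn '1.24.1' into (1, 24, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_lockfile(text: str) -> dict:
    """Map library name to pinned version from 'name==version' lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "==" in line:
            name, version = line.split("==", 1)
            deps[name.lower()] = version
    return deps


def find_vulnerable_libraries(deps: dict, db: list) -> list:
    """Return every advisory whose affected range covers a pinned version."""
    findings = []
    for advisory in db:
        version = deps.get(advisory["library"])
        if version and parse_version(version) < parse_version(advisory["fixed_in"]):
            findings.append({**advisory, "version": version})
    return findings


def find_vulnerable_calls(source: str, method: str) -> list:
    """Return (line_number, line) for each call of the dotted method name."""
    pattern = re.compile(r"\b" + re.escape(method) + r"\s*\(")
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if pattern.search(line)]


def evaluate_policy(deps: dict, source: str, db: list, fail_at: str = "high") -> dict:
    """Break the build if a reachable finding is at or above the fail_at severity.

    A finding is reachable when its vulnerable method is called in the source,
    or when the advisory names no method (the whole library is assumed affected).
    """
    report = []
    build_passes = True
    for finding in find_vulnerable_libraries(deps, db):
        method = finding["vulnerable_method"]
        calls = find_vulnerable_calls(source, method) if method else []
        reachable = method is None or bool(calls)
        report.append({"library": finding["library"], "version": finding["version"],
                       "advisory": finding["id"], "severity": finding["severity"],
                       "reachable": reachable, "calls": calls})
        if reachable and SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[fail_at]:
            build_passes = False
    return {"pass": build_passes, "findings": report}


if __name__ == "__main__":
    result = evaluate_policy(parse_lockfile(LOCKFILE), SOURCE, VULN_DB)
    for item in result["findings"]:
        print(item)
    print("BUILD PASSED" if result["pass"] else "BUILD FAILED: policy violation")
```

Running the file reports the requests finding but marks it unreachable because nothing calls the named method, treats urllib3 as reachable because the advisory isolates no method, and fails the build on the reachable high-severity `yaml.load` call at line 6; raising `fail_at` to `critical` lets the build pass, which is the "report only" mode the text describes.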
It’s no exaggeration to say that every company is becoming a software company, and the adoption of open source is on the rise. Having clear visibility into the open source components within your application portfolio reduces the risk of breach through vulnerabilities. The new Veracode Software Composition Analysis solution helps our customers confidently use open source components without introducing unnecessary risk.
In the complicated, tangled web of managing user rights, permissions and accounts, keeping track of who has access to different resources can seem nearly impossible. Organizations today are facing increasing demands, mandates, and compliance regulations as they manage access and support countless devices and systems that contain data critical to the organization. Identity Governance and Administration (IGA) solutions have provided the capability to create and manage user accounts, roles, and access rights for individual users in an organization. This means companies can more easily oversee user provisioning, password management, policy management, access governance, and identity repositories.
According to the latest Cybersecurity Insiders Identity and Access Management (IAM) Report, which examines key trends, challenges, gaps, and solution preferences for IAM and IGA programs, 86 percent of organizations surveyed reported that Identity and Access Management is extremely important. However, just over half of all organizations rate themselves as effective in managing user access. So what explains this gap and what can organizations do to improve the efficiency and effectiveness of their identity programs? In this blog, we will explore how leveraging an effective Identity Governance and Administration program enables you to mitigate risk, improve compliance, and increase efficiencies across your entire organization.
Improving Security and Mitigating Risk
When it comes to managing access within the organization, the Cybersecurity Insiders report found that 70 percent of users have more access privileges than required for their job. This typically results from bulk approvals for access requests, frequent changes in roles or departments, and not periodically reviewing user access. Additionally, the lack of staff and suitable processes and solutions also contributes to excessive privileges across the organization. Too much access privilege and overprovisioning can open an organization up to insider threats and magnify risk throughout the business.
Making sure that users have the appropriate access goes a long way towards bolstering an organization’s risk management and its security posture. In previous years, a good outer perimeter with security was the most effective way to provide security and risk mitigation for the organization. But today, companies are also faced with insider threats. Phishing and other social engineering activities, which can provide threat actors with user credentials, underscore the importance of ensuring that users are operating within well-defined roles and are not overprovisioned.
Another effective way to leverage IGA to decrease risk is by embracing role-based access controls (RBAC). This means having solid, well-defined roles in place and knowing specifically which access privileges each role needs. As organizations grow and evolve, the right IGA solution can allow for more efficient changes and decrease risk by focusing on role definitions and role assignments rather than on individual accounts. IGA solutions can then be leveraged to find exceptions. The strategy of RBAC works well to decrease the timeline in executing bulk additions where a lot of change is happening at once, like during mergers, acquisitions, seasonal staffing requirements, and corporate reorganizations. This strategy also works well to improve the efficiency of staffing assignments in high turnover areas of a business.
Using an industry-leading role design tool with cluster analysis and a ‘visual-first’ approach to group like access privileges together, you can better understand the access that individuals have in common and what outliers might be present, rather than trying to use a spreadsheet to make sense of the data. In fact, the recently published 2019 Insider Threat Report from Cybersecurity Insiders showed that 50 percent of organizations indicate that Identity and Access Management programs are the most effective security tool to protect against insider threats, particularly when they are easy to use, easy to understand, and leverage a visual approach. Similarly, 75 percent of organizations surveyed in the IAM Report that use Identity and Access Management solutions had seen a reduction in unauthorized access incidents. Clearly, an effective IAM program has a positive impact on reducing risk.
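As an added illustration of the role-based exception finding and peer-group outlier view described above (example code, not from the author or any IGA product), the Python below compares each account's actual entitlements against the union of its roles, flags entitlements that fewer than half of a user's department peers hold, and combines the two views into a review queue. The role model, accounts and entitlement names are constructed; the 50 percent peer threshold is an assumption.

```python
from collections import Counter

# Constructed sample data (not from any real organization): role definitions
# and the entitlements each account actually holds in the target systems.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp.invoice.read", "erp.invoice.approve", "mail.user"},
    "help_desk": {"ad.password.reset", "ticketing.agent", "mail.user"},
    "developer": {"git.push", "ci.run", "mail.user"},
}

USERS = {
    "alice": {"roles": {"accounts_payable"}, "dept": "finance",
              "entitlements": {"erp.invoice.read", "erp.invoice.approve", "mail.user"}},
    "bob":   {"roles": {"accounts_payable"}, "dept": "finance",
              "entitlements": {"erp.invoice.read", "erp.invoice.approve", "mail.user",
                               "ad.domain.admin"}},
    "frank": {"roles": {"accounts_payable"}, "dept": "finance",
              "entitlements": {"erp.invoice.read", "erp.invoice.approve", "mail.user"}},
    "carol": {"roles": {"help_desk"}, "dept": "it",
              "entitlements": {"ad.password.reset", "ticketing.agent", "mail.user"}},
    "dave":  {"roles": {"help_desk", "developer"}, "dept": "it",
              "entitlements": {"ad.password.reset", "ticketing.agent", "mail.user",
                               "git.push", "ci.run"}},
    "erin":  {"roles": {"developer"}, "dept": "it",
              "entitlements": {"git.push", "mail.user"}},
}


def expected_entitlements(roles, role_model=ROLE_ENTITLEMENTS):
    """Union of everything the user's assigned roles grant."""
    granted = set()
    for role in roles:
        granted |= role_model.get(role, set())
    return granted


def find_exceptions(users=USERS, role_model=ROLE_ENTITLEMENTS):
    """Per user: entitlements held outside any role (over-provisioned) and
    role entitlements the account is missing (drift in the other direction)."""
    report = {}
    for name, user in users.items():
        expected = expected_entitlements(user["roles"], role_model)
        report[name] = {
            "excess": sorted(user["entitlements"] - expected),
            "missing": sorted(expected - user["entitlements"]),
        }
    return report


def find_peer_outliers(users=USERS, min_peer_share=0.5):
    """Flag entitlements that fewer than min_peer_share of a user's department
    peers hold: a crude, role-agnostic version of the cluster-based outlier view."""
    by_dept = {}
    for name, user in users.items():
        by_dept.setdefault(user["dept"], []).append(name)
    outliers = {}
    for members in by_dept.values():
        if len(members) < 2:
            continue  # nobody to compare against
        counts = Counter(e for m in members for e in users[m]["entitlements"])
        for m in members:
            rare = sorted(e for e in users[m]["entitlements"]
                          if counts[e] / len(members) < min_peer_share)
            if rare:
                outliers[m] = rare
    return outliers


def review_queue(users=USERS, role_model=ROLE_ENTITLEMENTS):
    """Highest-priority items: entitlements that no assigned role explains AND
    that the user's peers do not hold."""
    exceptions = find_exceptions(users, role_model)
    outliers = find_peer_outliers(users)
    queue = []
    for name, rare in outliers.items():
        unexplained = set(exceptions[name]["excess"]) & set(rare)
        queue.extend((name, e) for e in sorted(unexplained))
    return queue


if __name__ == "__main__":
    print("role exceptions:", find_exceptions())
    print("peer outliers:", find_peer_outliers())
    print("review first:", review_queue())
```

Note that the peer view alone flags dave's `ci.run`, which his developer role explains, while bob's `ad.domain.admin` is both unexplained by any role and unusual among his peers, so only it lands in the review queue: the outlier view surfaces candidates, and the role model tells you which ones matter.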
Enhancing Compliance, Review, and Certification Processes
Companies today not only have to manage customer, vendor, and board member demands, they also must make sure they are compliant with any number of governing boards and regulations—from GDPR, HIPAA, and SOX to the Payment Card Industry Data Security Standard (PCI-DSS) and countless others. Organizations are also trying to implement security frameworks, such as NIST SP 800-53, COBIT or the ISO 27000 series. Each of these creates unique challenges for organizations. The increasing number of federal regulations and industry mandates that organizations face today means there is also more auditing, compliance reviews, and reporting to be completed by each organization. While this can be a very manual and time-consuming process, more savvy organizations use solutions that automate data collection, reporting, and the review process, particularly in highly regulated industries like financial services and healthcare.
Those organizations that view regulatory compliance through the lens of an IGA program recognize this means more continuous monitoring and limiting access to only those individuals that need it, enabling companies to stay more compliant. IGA solutions not only ensure access to information like patient records or financial data is strictly controlled, but also enable companies to prove they are taking actions to meet compliance requirements.
Because organizations can receive audit requests at any time, IGA solutions make the review process easier and more effective with built-in reporting capabilities to meet relevant government and industry regulations. Remember, a good compliance program allows for frequent and multiple access reviews to take place at any given time to meet ever-increasing auditor demands without engaging numerous resources from the organization. Leading-edge IGA solutions also do this with a highly visual approach, enabling users to see privileges and certifications in a user-friendly, graphical display. This minimizes the risk of errors and reduces the chance of access not being fully understood.
Increasing Efficiencies Across the Business
According to the Identity and Access Management Report by Cybersecurity Insiders, 49 percent of organizations surveyed viewed operational efficiency as an IAM program driver, second only to security. An effective IGA solution enables organizations to do more with less. Many security teams today are understaffed and are being asked to increase their responsibilities. Yet they just don’t have the time or budget to do more, nor can they afford to hire people to do things manually.
Leveraging IGA solutions for automated user lifecycle provisioning, implementation of role-based access controls, and periodic user access reviews and certification saves time and streamlines the entire process. Perhaps most interesting is that increasing operational efficiency goes hand-in-hand with organizations that want to increase their security posture.
One key takeaway, however, is that while some security teams may view IGA as a one-time project, it should be viewed rather as an ongoing initiative, with focused, achievable goals along the way. This enables your business to become more secure, do more with less, and prepare for growth and change—no matter what form it takes.
Ready for IGA Solutions That Move You Forward?
The primary reason for implementing an IGA solution is to ensure that users only have access to the resources they need. Making sure you provide appropriate access goes a long way in mitigating risk and improving the overall security posture of your organization. But many companies today may not view this as a strategic priority. Don’t wait until you are reacting to a security incident. See how our IGA Solutions are the foundation for a solid Identity and Access Management program in your organization.
Quick Heal Security Lab spotted 27 malicious dropper apps on the official Google Play Store. These apps were removed from the Play Store after Quick Heal Security Lab reported them to Google last week. The apps continuously show an installation prompt for a fake “Google Play Store”. If any user falls…
In recent years, IoT has been on the rise, with billions of new devices getting connected each year. The increase in connectivity is happening across markets and business sectors, providing new functionality and opportunities. As devices get connected, they also become exposed to the threat of cyberattacks as never before. While the IoT security industry is still taking shape, the solution is not yet clear. In this article, we review the latest must-knows about IoT visibility and security and dive into new approaches to secure the IoT revolution.
IoT visibility & security in 2019:
1. IoT endpoint security vs network security
Securing IoT devices is a real challenge. IoT devices are highly diversified, with a wide variety of operating systems (real-time operating systems, Linux-based or bare-metal), communication protocols and architectures. On top of this diversity come the issues of limited resources and a lack of industry standards and regulations. Most security solutions today focus on securing the network (discovering network anomalies and gaining visibility into the IoT devices active on the network), while the understanding that the devices themselves must be protected is only now taking hold. The fact that IoT devices can be easily exploited makes them an attractive target for attackers, who aim to use a weak IoT device as an entry point to the entire enterprise network without being caught. Besides that, it is important to remember that network solutions are irrelevant for distributed IoT devices (e.g., home medical devices) that have no network to protect them.
Manufacturers of IoT devices are therefore key to a secure IoT environment, and more and more organizations are willing to pay more for security built into their smart devices.
2. “Cryptography is typically bypassed, not penetrated”: Shamir’s law
In recent years we have seen a lot of focus on IoT data integrity, which essentially means encryption and authentication. Though very important in itself, encryption does not mean full security. When focusing mainly on encryption and authentication, companies forget that the devices are still exposed to vulnerabilities that can be used to penetrate the device and gain access to the decrypted information, thus bypassing the authentication and encryption entirely. In other words, what has been known for years in the traditional cyber industry as Shamir’s law should now make its way into the IoT security industry: “Cryptography is typically bypassed, not penetrated.” Companies must therefore invest in securing their devices from cyber attacks and not just handle data integrity. To read more about this, please see the Sternum IoT Security two-part blog post.
3. Third-party IoT vulnerabilities
One of the main issues in IoT security is the heavy reliance of IoT devices on third-party components for communication capabilities, cryptographic capabilities, the operating system itself, and so on. In fact, this reliance is so strong that it is now unlikely to find an IoT device without third-party components in it. The fact that third-party libraries are commonly used across devices, combined with the difficulty of securing them, makes them an attractive place for attackers to look for IoT vulnerabilities, since a single third-party component can expose many IoT devices.
A vulnerability in a third-party component is very dangerous. In many IoT devices there is no separation or segmentation between processes and/or tasks, which means that even one vulnerability in a third-party library compromises the entire device. This can have lethal results: attackers can leverage the third-party vulnerability to take control of the device and cause damage, steal information, or perform a ransomware attack on the manufacturer.
It is not only that third-party components are dangerous; they are also extremely difficult to secure. Many third-party components are delivered in binary form, with no source code available. Even when the source code is available, it is often hard to dive into it and assess its security level or the vulnerabilities inside it. Either way, most developers use open-source components as black boxes. On top of that, static analysis tools and compiler security flags lack the ability to analyze and secure third-party components, and most IoT security solutions cannot offer real-time protection of binary code.
A recent example of such a third-party vulnerability affecting millions of devices is the set of security bugs found in the VxWorks embedded operating system. These vulnerabilities exposed every manufacturer that used the VxWorks operating system, even where security measures like penetration testing, static analysis, PKI and firmware analysis had been taken.
To summarize, in order to provide strong and holistic IoT protection, you must handle and secure all parts of the device, including the third-party components. Sternum IoT security solutions focus on holistically securing IoT devices from within and therefore offer a unique capability of embedding security protection and visibility into the device end to end. Sternum’s solution also operates during real-time execution of the device and prevents all attack attempts at the exact point of exploitation, while immediately alerting about the attack and its origins, including from within third-party libraries.
4. Regulation is kicking in
In the past two years we have seen a cross-industry effort to create regulations and standards for IoT security. We expect more of these efforts to take shape as real regulations that will oblige manufacturers to comply.
A good and important example is the FDA premarket cybersecurity guidance that was published last year and is expected to become formal guidance in 2020. The guidance covers different aspects of cybersecurity in medical devices (which in many cases are essentially IoT devices), such as data integrity, over-the-air updates, real-time protection, execution integrity, third-party liabilities and real-time monitoring of the devices.
Another example is the California Internet of Things cybersecurity law, which states that starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features designed to prevent unauthorized access, modification, or information disclosure.
We expect to see more states and countries forming regulations around IoT security, since these devices’ lack of security may have a dramatic effect on industry, cities, and people’s lives. The top two regulations about to be released are the new EU Cybersecurity Act (based on ENISA and ETSI standards) and the NIST IoT and Cybersecurity framework.
From today’s smart home applications to autonomous vehicles of the future, the efficiency of automated decision-making is becoming widely embraced. Sci-fi concepts such as “machine learning” and “artificial intelligence” have been realized; however, it is important to understand that these terms are not interchangeable but evolve in complexity and knowledge to drive better decisions.
Distinguishing Between Machine Learning, Deep Learning and Artificial Intelligence
Put simply, analytics is the scientific process of transforming data into insight for making better decisions. Within the world of cybersecurity, this definition can be expanded to mean the collection and interpretation of security event data from multiple sources, and in different formats for identifying threat characteristics.
Simple explanations for each are as follows:
Machine Learning: Automated analytics that learn over time, recognizing patterns in data. Key for cybersecurity because of the volume and velocity of Big Data.
Deep Learning: Uses many layers of input and output nodes (similar to brain neurons), with the ability to learn. Typically makes use of the automation of Machine Learning.
Artificial Intelligence: The most complex and intelligent analytical technology, as a self-learning system applying complex algorithms which mimic human-brain processes such as anticipation, decision making, reasoning, and problem solving.
Benefits of Analytics within Cybersecurity
Big Data, the term coined in October 1997, is ubiquitous in cybersecurity as the volume, velocity and veracity of threats continue to explode. Security teams are overwhelmed by the immense volume of intelligence they must sift through to protect their environments from cyber threats. Analytics expand the capabilities of humans by sifting through enormous quantities of data and presenting it as actionable intelligence.
While the technologies must be used strategically and can be applied differently depending upon the problem at hand, here are some scenarios where human-machine teaming of analysts and analytic technologies can make all the difference:
Identify hidden malware with Machine Learning: Machine Learning algorithms recognize patterns far more quickly than your average human. This pattern recognition can detect behaviors that cause security breaches, whether known or unknown, periodically “learning” to become smarter. Machine Learning can be descriptive, diagnostic, predictive, or prescriptive in its analytic assessments, but typically is diagnostic and/or predictive in nature.
Defend against new threats with Deep Learning: Complex and multi-dimensional, Deep Learning reflects similar multi-faceted security behaviors in its actual algorithms; if the situation is complex, the algorithm is likely to be complex. It can detect, protect, and correct old or new threats by learning what is reasonable within any environment and identifying outliers and unique relationships. Deep Learning can be descriptive, diagnostic, predictive, and prescriptive as well.
Anticipate threats with Artificial Intelligence: Artificial Intelligence uses reason and logic to understand its ecosystem. Like a human brain, AI considers value judgements and outcomes in determining good or bad, right or wrong. It utilizes a number of complex analytics, including Deep Learning and Natural Language Processing (NLP). While Machine Learning and Deep Learning can span descriptive to prescriptive analytics, AI is extremely good at the more mature analytics of predictive and prescriptive.
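As an added example of the machine learning scenario in the list above (not code from the author or from any McAfee product), the following Python trains a logistic regression classifier from scratch on constructed file features (Shannon entropy of the file and a count of suspicious API imports; the numbers are made up for the example, not real malware telemetry) and then scores unseen samples. The feature choice, the learning rate and the epoch count are assumptions.

```python
import math

# Constructed training data (not real malware telemetry): each sample is
# (shannon_entropy_of_file, count_of_suspicious_api_imports, label)
# where label 1 = malicious, 0 = benign. Packed or encrypted malware tends to
# have high entropy and to import process-injection style APIs.
TRAINING = [
    (5.1, 0, 0), (5.6, 1, 0), (6.0, 1, 0), (5.3, 2, 0), (6.2, 0, 0), (4.8, 1, 0),
    (7.6, 6, 1), (7.9, 8, 1), (7.3, 5, 1), (7.8, 7, 1), (7.5, 9, 1), (7.1, 6, 1),
]

# Constructed held-out samples, including a high-entropy file with no
# suspicious imports (a packed-but-benign installer) to show the model
# weighs both features rather than thresholding on one.
HOLDOUT = [(5.4, 1, 0), (7.7, 7, 1), (7.0, 0, 0), (6.6, 8, 1)]


def standardize_params(rows):
    """Per-feature mean and std so gradient descent sees comparable scales."""
    n = len(rows)
    dim = len(rows[0]) - 1
    means = [sum(r[i] for r in rows) / n for i in range(dim)]
    stds = [math.sqrt(sum((r[i] - means[i]) ** 2 for r in rows) / n) or 1.0
            for i in range(dim)]
    return means, stds


def scale(features, means, stds):
    return [(x - m) / s for x, m, s in zip(features, means, stds)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class LogisticClassifier:
    """Minimal logistic regression trained by batch gradient descent."""

    def __init__(self, rows, lr=0.5, epochs=500):
        self.means, self.stds = standardize_params(rows)
        dim = len(rows[0]) - 1
        self.w = [0.0] * dim
        self.b = 0.0
        data = [(scale(r[:-1], self.means, self.stds), r[-1]) for r in rows]
        for _ in range(epochs):
            grad_w = [0.0] * dim
            grad_b = 0.0
            for x, y in data:
                # gradient of the log-loss: (prediction - label) * feature
                err = sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b) - y
                for i in range(dim):
                    grad_w[i] += err * x[i]
                grad_b += err
            n = len(data)
            self.w = [wi - lr * g / n for wi, g in zip(self.w, grad_w)]
            self.b -= lr * grad_b / n

    def score(self, features):
        """Probability that the sample is malicious."""
        x = scale(features, self.means, self.stds)
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)

    def predict(self, features, threshold=0.5):
        return int(self.score(features) >= threshold)


def evaluate(model, rows):
    """Accuracy on labelled samples."""
    correct = sum(model.predict(r[:-1]) == r[-1] for r in rows)
    return correct / len(rows)


if __name__ == "__main__":
    model = LogisticClassifier(TRAINING)
    print("training accuracy:", evaluate(model, TRAINING))
    print("held-out accuracy:", evaluate(model, HOLDOUT))
    for sample in HOLDOUT:
        print(sample[:-1], "malicious probability = %.3f" % model.score(sample[:-1]))
```

The held-out set deliberately includes a high-entropy file with no suspicious imports, the kind of packed-but-benign installer that a rule on entropy alone would flag; the trained model weighs both features, which is what the text means by recognizing patterns rather than matching a single indicator.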
With any security solution, therefore, it is important to identify the use case and ask “what problem are you trying to solve” to select Machine Learning, Deep Learning, or Artificial Intelligence analytics. In fact, sometimes a combination of these approaches is required, like many McAfee products including McAfee Investigator. Human-machine teaming as well as a layered approach to security can further help to detect, protect, and correct the most simple or complex of breaches, providing a complete solution for customers’ needs.
Simply by downloading the right combination of apps, parents can now track their child’s location 24/7, monitor their social conversations, and inject their thoughts into their lives in a split second. To a parent, that’s called safety. To kids, it’s considered maddening.
Kids are making it clear that parents armed with apps are overstepping their roles in many ways. And, parents, concerned about the risks online are making it clear they aren’t about to let their kids run wild.
I recently watched the relationship of a mother and her 16-year-old daughter fall apart over the course of a year. When the daughter got her driver’s license (along with her first boyfriend), the mother started tracking her daughter’s location with the Life360 app to ease her mind. However, the more she tracked, the more the confrontations escalated. Eventually, the daughter, feeling penned in, waged a full-blown rebellion that is still going strong.
There’s no perfect way to parent, especially in the digital space. There are, however, a few ways that might help us drive our digital lanes more efficiently and keep the peace. But first, we may need to curb (or ‘chill out on’ as my kids put it) some annoying behaviors we may have picked up along the way.
Here are just a few ways to keep the peace and avoid colliding with your kids online:
Interact with care on their social media. It’s not personal. It’s human nature. Kids (tweens and teens) don’t want to hang out with their parents in public — that especially applies online. They also usually aren’t too crazy about you connecting with their friends online. And tagging your tween or teen in photos? Yeah, that’s taboo. Tip: If you need to comment on a photo (be it positive or negative) do it in person or with a direct message, not under the floodlights of social media. This is simply respecting your child’s social boundaries.
Ask before you share pictures. Most parents think posting pictures of their kids online is a simple expression of love or pride, but to kids, it can be extremely embarrassing, and even an invasion of privacy. Tip: Be discerning about how much you post about your kids online and what you post. Junior may not think a baby picture of him potty training is so cute. Go the extra step and ask your child’s permission before posting a photo of them.
Keep tracking and monitoring in check. Just because you have the means to monitor your kids 24/7 doesn’t mean you should. It’s wise to know where your child goes online (and off) but when that action slips into a preoccupation, it can wreck a relationship (it’s also exhausting). The fact that some kids make poor digital choices doesn’t mean your child will. If your fears about the online world and assumptions about your child’s behavior have led you to obsessively track their location, monitor their conversations, and hover online, it may be time to re-engineer your approach. Tip: Put the relationship with your child first. Invest as much time into talking to your kids and spending one-on-one time with them as you do tracking them. Put conversation before control so that you can parent from confidence, rather than fear.
Avoid interfering in conflicts. Kids will be bullied, meet people who don’t like them and go through tough situations. Keeping kids safe online can be done with wise, respectful monitoring. However, that monitoring can slip into lawnmower parenting (mowing over any obstacle that gets in a child’s path) as described in this viral essay. Tip: Don’t block your child’s path to becoming a capable adult. Unless there’s a serious issue to your child’s health and safety, try to stay out of his or her online conflicts. Keep it on your radar but let it play out. Allow your child to deal with peers, feel pain, and find solutions.
As parents, we’re all trying to find the balance between allowing kids to have their space online and still keeping them safe. Too much tracking can cause serious family strife, while too little can be inattentive in light of the risks. Parenting today is a difficult road that’s always a work in progress, so give yourself permission to keep learning and improving your process along the way.
With job growth projected to surge 24% over the next seven years, software engineering is one of the most demanded professional fields in the U.S. Exceptionally competitive pay and the chance to pursue careers across many industries are just a few benefits of being a software engineer.
We explore how software engineers working in cybersecurity face unique challenges and opportunities in our sit down with Fred Yip, Manager of Software Development in Webroot’s San
Besides this sunny San Diego weather, what gets you out of bed and into the office?
surrounded every day by smart people who want to do their best to solve customer problems. There is a lot to do, but the work is very engaging and rewarding. My favorite part of the job is working closely with my team to deliver products to our customers. We work in a startup-like environment. Everyone wears many hats: as software developer, as tester, DevOps engineer, and customer support.
There are many industries that demand your talent; what drew you to cybersecurity?
Cyberattacks are a rising trend. I used to work for an enterprise serving Fortune 500 companies. Knowing that cyberattacks affect everybody, I saw an opportunity to bring my skillset to Webroot. We extend our product to small and mid-sized businesses as well as consumers, which gives me the satisfaction of building a top-notch technology for anyone who needs it, whether it be a doctor’s office, coffee shop, or someone walking down the
What does a week of life at Webroot look like for you?
A typical week for a manager is not much different than that of a team member. We do software development, testing, and deployment of product features as a team. I help design and implement the cloud infrastructure that supports our software components as microservices. In addition, I look out for the well-being of each team member in terms of technical, personal, and career development.
What skills and traits do you look for when hiring software engineers?
As an engineer, you have to be a team player, not self-focused. I look for a lot of integrity and honesty about what they are doing and what they know and don’t know. An eager attitude toward learning is important because it allows them to solve problems and contribute to the team. When they bring their best character and performance, they help to build a strong team. As long as someone has some relevant experience, they can always learn the technical skills. And an ability to learn new things quickly is another thing I always look for in a potential team member.
Are there any outside activities that you and your team are involved in?
We attended a coding challenge at UC San Diego earlier this year, where we host students for a friendly competition. It was very high energy and there was a lot of participation. It was a fun challenge beyond just writing code. You could actually see the code working against others and the top winner was recognized after we gave out prizes. I always tell candidates to participate in the event, it’s a way to motivate them to join our team!
Exclusive: Hannah Fry says ethical pledge needed in tech fields that will shape future
Mathematicians, computer engineers and scientists in related fields should take a Hippocratic oath to protect the public from powerful new technologies under development in laboratories and tech firms, a leading researcher has said.
The ethical pledge would commit scientists to think deeply about the possible applications of their work and compel them to pursue only those that, at the least, do no harm to society.
Despite being invisible, maths has a dramatic impact on our lives
The phrase “false positive” has become so ubiquitous in Information Security that we often don’t stop to consider what it means or how it is used. Many use the term to describe every alert generated by a tool that does not lead to the discovery of a true infection when investigated. If every alert activated for trivial information is considered a false positive, this may overstate the intention and function of the tool and may even give the user a false sense that the tool has more features than it actually does. It is worth establishing a distinction, calling this type of notification a “trivial alert,” and reserving the phrase “false positive” for correlated, contextualized, and evidence-supported positive identifications of active infections which prove to be false. Taking the time to establish clear definitions may lead to a better understanding of what security tools can do and ultimately improve information security.
What do we call a false positive?
Users of security tools often expect those tools to provide the one alert that will lead them to a true infection in their network. However, these tools are often placed in a location which prevents them from being able to definitively confirm infections. Instead, they alert on everything that might be a marker of infection to avoid missing the one indicator that does lead to an infection. This results in security analysts being flooded with hundreds of thousands or even millions of alerts per day, none of which provide enough information on their own.
What’s the harm in not having a clear definition of a false positive?
Users of such security tools often refer to these trivial alerts as false positives. In order to use the common vernacular, vendors of those security tools may also refer to those alerts as false positives. Unfortunately, implying a product has false positives suggests that the product can verify an infection, which is outside the scope of most of these solutions. Providing a more accurate definition and understanding of what constitutes a false positive will give users of security tools a clearer method for evaluating the suitability of those tools for their environment.
What is a false positive?
The phrase “false positive” suggests that there was a positive that was proven false. However, these individual pieces of evidence, without context or correlation, are never actionable on their own. As noted above, alerts for such items are perhaps better termed trivial alerts. A true positive alert must be so serious that it gets the analyst out of their chair. A false positive must have gotten them out of their chair to investigate, only to find that nothing is actually wrong, proving that alert false. A security solution of this nature should not only get the analyst out of their chair, it must also have a false positive rate low enough to maintain the trust of the user.
How do we get to that true positive alert?
In order to get an alert that can definitively prove an infection, a security solution must gather and analyze individual pieces of evidence, contextualizing them and gathering the requisite supporting evidence. From there, it must build an evidence-based case for an infection and provide a complete case, including all the evidence, to the user.
Does a security solution like that exist?
Core Network Insight is installed inside the perimeter, inside inner ring policy enforcement so that it can see the whole picture. It gathers the individual pieces of evidence that other tools alert on, weighs and analyzes them, building a case against each infected endpoint. This case includes evidence from twelve detection engines correlated, contextualized, and positively attributed to a specific endpoint. Network Insight also provides the name of the last user to log in to the infected endpoint, a full list of users who have logged into the infected endpoint, and a list of other endpoints each user has logged into.
Network Insight also calculates a business risk for each infection on each infected endpoint based on the infection related network activity, the value and risk posed by the endpoint, and the intent of the threat actor and activity of the malware. In other words, Network Insight connects the dots of all the various security events, creating a clear picture of a breach. These contextualized, correlated, and evidence supported alerts combined with a low false positive rate ensure that analysts don’t just get out of their chairs, they leap out of them.
Until users and vendors begin differentiating between trivial alerts and false positives, it’s important to remember that not all false positives are created equal.
Geo-locating and other sensitive data has been leaked from the hookup app 3fun, exposing the information of more than 1.5 million users. While some dating apps use trilateration to find nearby users, 3fun showed location data capable of tracing a user to a specific building or floor. Though users had the option to disable coordinate tracking, that data was nevertheless stored and available through the app’s API. 3fun has since resolved the leak and has hopefully implemented stronger security measures considering the private nature of their
Ransomware Attacks on DSLR Cameras
Malware authors continue to find new victims, as a ransomware variant has been found to be remotely attacking Canon DSLR cameras and demanding a ransom to regain access to the device. Researchers have found multiple vulnerabilities that could allow attackers to perform any number of critical functions on the cameras, including displaying a ransom note and remotely taking pictures with the camera. Fortunately, Canon has already begun issuing patches for some of its affected devices, though it’s taking longer to fully secure others.
Google Drive Exploit Allows Phishing Campaign to Flourish
A newly discovered phishing campaign uses a Google Drive account to deliver an email that impersonates the CEO, asking the victim to open a Google Docs file and navigate to the phishing site’s landing page. Luckily for victims, the campaign has a few tells: the phony CEO email address uses a non-conforming naming convention, and the email itself appears to be a hastily compiled template.
British Airways Data Leak
British Airways has again come under scrutiny, this time after it was discovered that its e-ticketing system was leaking sensitive passenger data. The leak stems from flight check-in links that were sent out to customers containing both their surname and booking confirmation number completely unencrypted within the URL. Even more worrisome, this type of vulnerability has been well known since last February, when several other airlines were found to have the same issue by the same security firm.
Android Trojan Adds New Functionality
Following in the footsteps of Anubis, an Android banking Trojan for which source code was recently revealed, Cerberus has quickly filled the void without actually borrowing much of that code. One major change is that Cerberus implemented a new method of checking whether the device is physically moving or not, in hopes of avoiding detection by both the victim and any researchers who may be analyzing it. Additionally, this variant uses phishing overlays from several popular sites to further collect any login credentials or payment card data.
I made it out of Vegas! That was a rather intense 8 days and if I'm honest, returning to the relative tranquillity of Oslo has been lovely (not to mention the massive uptick in coffee quality). But just as the US to Europe jet lag passes, it's time to head back to Aus for a bit and go through the whole cycle again. And just on that, I've found that diet makes a hell of a difference in coping with this sort of thing:
The number one most effective way I’ve found for coping with jet lag, stress, crazy work loads and general health is to focus on diet. It’s hard to control a lot of other environmental factors, but food is definitely one I can easily take charge on. pic.twitter.com/sUdXDbzbbw
This week it's almost all about commercial CAs and their increasingly bizarre behaviour. It's disappointing to see disinformation and privacy violations from any organisations, but when it's from the ones literally controlling trust on the web it's especially concerning. Maybe once they're no longer able to promote EV in the way they have been that will change, but I have a feeling we've got a bunch more crap to endure yet. See what you think about all that in this week's update:
The PCI SSC Latin America Forum took place this week in São Paulo, Brazil, gathering more than 350 payment security practitioners from Brazil and Latin America to discuss the latest in payment security and standards. Here we talk with Carlos Caetano, PCI SSC Associate Regional Director for Brazil about payment security trends, highlights from the Latin America Forum, and industry involvement opportunities for the region.
With enterprises being the centre of attention of an ever-evolving threat landscape, foolproof security of business assets has become the need of the hour. To counter the menace of cyberattacks, today we have businesses that specialize in the development and deployment of advanced and futuristic solutions that have the capability to defend businesses from the most dangerous of malware.
However, this vigilance may falter if enterprise stakeholders are not cautious about the basics of cybersecurity. Every critical aspect such as email, user access, software updates et al. needs to be optimized so that even a worst-case scenario pertaining to cyberattacks turns in the business’ favour.
Seqrite intends to educate its esteemed customers about very simple but effective steps that organizations need to integrate into their status quo to bolster cybersecurity.
Regular data backups
Data backups are essential because ransomware is notorious for locking enterprise data and demanding payment in exchange for its release. There is other malware, too, that can cause a business to lose 100% of its critical data.
Back up your important data regularly and keep a recent backup copy offline
Encrypt your backup
Always use a combination of online and offline backup
If your computer gets infected with ransomware, your files can be restored from the offline backup, once the malware has been removed
Do not keep offline backups connected to your system as this data could be encrypted when ransomware strikes
Administrators should exercise extreme caution when granting rights to the business workforce. Access rights must be assigned to employees with pin-point accuracy, and admins should have absolute clarity about which parts of the business should be accessible to which users.
Regularly audit local/domain users and remove or disable unwanted accounts
Set strong passwords for every business account
A strong password includes a combination of –
Letters in upper case
Letters in lower case
Numbers & special characters
Passwords should be at least 8-10 characters long
Mandating a password change on a periodic basis
A bad example would be common passwords like P@ssw0rd, Admin@123#, etc.
Set password expiration & account lockout policies (in case the wrong password is entered)
Don’t assign Administrator privileges to users
If possible, enable multi-factor authentication to ensure all logins are legitimate
Don’t stay logged in as an administrator, unless it is strictly necessary.
Avoid browsing, opening documents or other regular work activities while logged in as an administrator
Software updates deliver the latest bug fixes and security patches for every piece of software present in your business.
Keep your Operating System and other software updated. Software updates frequently include patches for newly discovered security vulnerabilities which could be exploited by attackers. Apply patches and updates for software like Microsoft Office, Java, Adobe Reader, Flash, and Internet Browsers like Internet Explorer, Chrome, Firefox, Opera, etc., including Browser Plugins
Always keep your security software (antivirus, firewall, etc.) up-to-date to protect your computer from new variants of malware
Do not download cracked/pirated software, as it risks giving malware a backdoor into your computer
Avoid downloading software from untrusted P2P or torrent sites. In most cases, they harbour malicious software
Securing network and shared folders
Typically, network and shared folders are home to the most confidential business data. Attackers are always on the prowl to break into these folders and gain access to highly sensitive information.
Keep strong and unique passwords for login accounts and network shares
Disable unnecessary administrative shares (i.e. admin$). Grant access permissions to shared data only as required
Audit RDP access and disable it if not required, or set appropriate rules to allow only specific, intended systems
Change RDP port to a non-standard port
Configure the firewall in the following way –
  Deny all access to important ports (in this case RDP port 3389)
  Allow access only from IP addresses that are under your control
Use a VPN to access the network, instead of exposing RDP to the Internet
Possibly implement Two Factor Authentication (2FA)
Set lockout policy which hinders guessing of credentials
Create a separate network folder for each user when managing access to shared network folders
Don’t keep shared software in executable form
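The RDP firewall scoping, lockout policy, admin-share and RDP-audit steps from the list above (and the lockout item in the password list), applied on a single Windows host as an added example that is not Seqrite’s own code. It assumes Windows 8 / Server 2012 or newer (NetSecurity module), an elevated session, and a placeholder address list that you replace with the management hosts or VPN subnet you actually control; domain-joined machines should get the equivalent settings through Group Policy instead.

```powershell
#Requires -RunAsAdministrator
# Added example (not Seqrite's code): per-host RDP hardening following the list above.

# ASSUMPTION: constructed sample address list, replace with the sources you control.
$AllowedRdpSources = @('10.0.50.0/24', '10.0.51.10')

# Read the port RDP actually listens on (3389 unless it was changed to a
# non-standard port, as the list suggests) so the firewall rule matches it.
$RdpRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPort    = (Get-ItemProperty -Path $RdpRegPath -Name PortNumber).PortNumber

function Set-RdpFirewallScope {
    param([int]$Port, [string[]]$AllowedSources)

    # "Deny access to all": make the default inbound action Block on every profile.
    # A dedicated Block rule for the port is deliberately NOT used: in Windows Firewall
    # block rules always win over allow rules, so it would also cut off the allowed IPs.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # Disable the built-in "Remote Desktop" allow rules, which accept RDP from any address.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # Replace any earlier copy of our scoped rule, then allow RDP only from the
    # addresses under our control ("Allow access only from IPs under your control").
    $RuleName = 'Hardening - RDP from managed sources only'
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
}

function Set-LocalLockoutPolicy {
    # "Set lockout policy which hinders guessing of credentials" (local accounts only;
    # domain accounts take these values from the Default Domain Policy).
    # 5 bad attempts within 15 minutes lock the account for 15 minutes;
    # passwords expire after 90 days and must be at least 10 characters.
    net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 `
                 /maxpwage:90 /minpwlen:10 | Out-Null
}

function Disable-AdminShares {
    # "Disable unnecessary admin share, i.e. admin$": stop the Server service from
    # recreating ADMIN$ and C$ at boot. Some management tooling (remote software
    # deployment, for example) relies on these shares, so check before applying broadly.
    $LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $LanmanParams -Name AutoShareServer -Value 0 -Type DWord  # servers
    Set-ItemProperty -Path $LanmanParams -Name AutoShareWks    -Value 0 -Type DWord  # workstations
    Restart-Service -Name LanmanServer -Force
}

function Get-RecentRdpLogons {
    # "Audit RDP access": successful logons over RDP from the last $Days days.
    # Security event 4624 with LogonType 10 (RemoteInteractive) identifies RDP sessions.
    param([int]$Days = 7)
    $Filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value
                Source = $_.Properties[18].Value   # client IP; anything outside the allowed list deserves a look
            }
        }
}

Set-RdpFirewallScope -Port $RdpPort -AllowedSources $AllowedRdpSources
Set-LocalLockoutPolicy
Disable-AdminShares
Get-RecentRdpLogons -Days 7 | Format-Table -AutoSize
```

The audit output is the check for the firewall change: after the scoped rule is in place, every Source address listed should fall inside the allowed list.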
No business can function without email, and history shows that email is one of the most common channels attackers use to launch cyberattacks.
Enable Multi-Factor authentication to ensure all logins are legitimate
Set password expiration & account lockout policies (in case the wrong password is entered)
Don’t open attachments and links in an email sent by an unknown, unexpected or unwanted source. Delete suspicious-looking emails you receive from unknown sources, especially if they contain links or attachments
Cybercriminals use ‘Social Engineering’ techniques to trick users into opening attachments or clicking on links that lead to infected websites
Always turn on email protection of your antivirus software
Disable macros for Microsoft Office
Fairly self-explanatory: macros should be disabled because a great deal of malware gets in only because a user enabled macros.
Do not enable ‘macros’ or ‘editing mode’ by default upon execution of the document, especially for attachments received via emails. A lot of malware infections rely on your action to turn on macros
Consider installing Microsoft Office Viewers. These viewer applications let you see what documents look like without even opening them in Word or Excel. More importantly, the viewer software doesn’t support macros at all, so this reduces the risk of enabling macros unintentionally
Web browsers are the most sought-after channel for malware attacks, as everybody knows.
Always update your browser
Try to avoid downloading pirated/cracked media or software from sites like torrents
Block the ad pop-ups in the browser.
Always verify whether you are accessing the genuine site by checking the address bar of the browser. Phishing sites may show contents like a genuine one
Bookmark important sites to avoid being a victim of phishing
Do not share your personal details like name, contact number, email id, social networking site credentials for any unknown website
Do not install browser extensions that you are not fully aware of. Look out for impersonating web pages, and do not accept any prompt on an unknown web page you are visiting. Avoid websites offering cracked software downloads
Policies should be clearly communicated for employees opting for BYOD (Bring Your Own Devices) facilities
Policies for using official applications on platforms other than office infrastructure should be established
Lastly, for pen drives, disable the autorun feature if not needed, and regularly educate employees on cybersecurity best practices.
Seqrite is Quick Heal Technologies’ flagship enterprise product – the company is a stalwart and an industry major that has spearheaded the movement about the importance of cybersecurity. We hope this educational document helps.
Please get in touch with us for any specific questions.
Security departments are juggling a multitude of security initiatives, and each is competing for a slice of one budget. How do you make the case that AppSec deserves a slice of that budget pie, or a bigger slice, or even to make the pie bigger? Here are a few key ways:
Find a compelling event
The most obvious compelling event, of course, is a breach, but there are other events that will compel executives to budget for application security. For instance, regulations could be a compelling event – if you have to comply with a security regulation (PCI, NY DFS cybersecurity regulations, etc.) or pay a fine, that’s an easy budget win. In addition, customers asking about the security of software could be a compelling event. IT buyers are increasingly asking about the security of software before purchasing. We recently conducted a survey of IT buyers with IDG, and 96 percent of respondents reported that they are more likely to consider doing business with a vendor or partner whose software has been independently verified as “secure.” Sales losing a deal because they couldn’t respond to a security audit would certainly be considered a compelling event.
Look to the future
A clear road map and plan for your AppSec program not only gives you more credibility, but also helps to “warm up” your investors to what you’re planning on doing in future years. Show the efficiencies and risk reduction your program will make in the future to highlight how upfront investment will lead to future results. For instance, an investment in developer training will make developers more self-sufficient and lessen the burden on security teams.
It can be powerful to illustrate where your organization’s security program sits relative to other organizations and your peers. If you're lagging, it’s a clear indication that further investment is needed. If you're leading, you can use that fact to prove your progress and make the case for more ambitious projects.
Veracode’s State of Software Security is a good benchmarking resource, as is the OpenSAMM framework. The State of Software Security report includes comparisons by industry, so you can point to the application security progress made by others within your own industry. In addition, OWASP’s Application Security Verification Standard (ASVS) can help organizations classify applications into three levels, from low to high assurance. This helps firms allocate security resources based on the software’s business importance or breach risk.
Know your audience
Speak the language of executives when making the case for more budget. For instance, telling the CFO, “we've reduced the number of SQL injections” won’t resonate. Rather than the number of SQL injections, talk about how the program will reduce the number of breaches by X percent, or how it will reduce the cost to fix vulnerabilities by X percent. Be mindful of your audience and frame your budgeting conversation accordingly.
Be visible and credible
The more credible you are, the better your chances of getting the budget you’re asking for. Clearly understand what you're going to do with the money, and how you're going to justify that spend. Prove that you understand how your organization works and that you will use the money effectively. Finally, tie application security to business priorities and initiatives, and be able to show a clear roadmap for your program.
In addition, be visible. It's important to promote success of your program. Present on the progress you’re making, run awareness sessions, or have visible dashboards.
Break down your budget (must, should, could)
You’ll have a range of priorities and things that you could be spending money on in your AppSec program. Give your budget stakeholder options. Start with what you must do – for instance, what you need to achieve for regulatory compliance. And then give them some wiggle room in the middle on projects that they should or could do. If you go in with a number in mind and don't get it, be ready to slice and dice your budget request.
A new banking trojan has emerged and is going after users’ Android devices. Dubbed Cerberus, this remote access trojan allows a distant attacker to take over an infected Android device, giving the attacker the ability to conduct overlay attacks, gain SMS control, and harvest the victim’s contact list. What’s more, the author of the Cerberus malware has decided to rent out the banking trojan to other cybercriminals as a means to spread these attacks.
According to The Hacker News, the author claims that this malware was completely written from scratch and doesn’t reuse code from other existing banking trojans. Researchers who analyzed a sample of the Cerberus trojan found that it has a pretty common list of features including the ability to take screenshots, hijacking SMS messages, stealing contact lists, stealing account credentials, and more.
When an Android device becomes infected with the Cerberus trojan, the malware hides its icon from the application drawer. Then, it disguises itself as Flash Player Service to gain accessibility permission. If permission is granted, Cerberus will automatically register the compromised device to its command-and-control server, allowing the attacker to control the device remotely. To steal a victim’s credit card number or banking information, Cerberus launches remote screen overlay attacks. This type of attack displays an overlay on top of legitimate mobile banking apps and tricks users into entering their credentials onto a fake login screen. What’s more, Cerberus has already developed overlay attacks for a total of 30 unique targets and banking apps.
So, what can Android users do to secure their devices from the Cerberus banking trojan? Check out the following tips to help keep your financial data safe:
Be careful what you download. Cerberus malware relies on social engineering tactics to make its way onto a victim’s device. Therefore, think twice about what you download or even plug into your device.
Click with caution. Only click on links from trusted sources. If you receive an email or text message from an unknown sender asking you to click on a suspicious link, stay cautious and avoid interacting with the message altogether.
Use comprehensive security. Whether you’re using a mobile banking app on your phone or browsing the internet on your desktop, it’s important to safeguard all of your devices with an extra layer of security. Use robust security software like McAfee Total Protection so you can connect with confidence.
And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
Cybersecurity has become the hot industry – tips and tricks on how to get the most out of your cybersecurity internship (and land a job after graduation).
Students today are faced with grueling course loads, pressure to get real-world experience and a looming competitive job market. The need for hands-on knowledge and a developed resume is crucial, making internships a necessity. However, once you nail your interview and land your position, how do you prepare and make the most out of the opportunity?
The goal of an internship is to prepare you for your future career. While earning a college degree in computer science is quite an accomplishment, in the cybersecurity field, a theoretical knowledge and your required coding and science classes just aren’t enough. It’s critical to supplement those courses with real experience tackling a variety of threats in the cyber landscape, not only to gain new skills, but also understand what it’s really like to work in cybersecurity to decide if that career path is right for you.
According to a recent Wall Street Journal article, companies and government organizations are beginning to lock in contracts with cybersecurity job candidates younger than ever before, during junior, sometimes even sophomore, year. Often, these early recruits are individuals who interned for the company in the past and proved themselves an invaluable member of the team; securing a good position and acing your internship have never been more crucial to future career success. There’s no better feeling than having job security heading back to college for your senior year, or being able to focus your electives on skills that will immediately translate to what you’ll need for your upcoming role.
Be Eager and Ready to Learn
While pursuing a major in cybersecurity provides the background necessary for your internship, you won’t know it all. You should walk into your internship everyday ready to learn the ins and outs of the field and be eager to take on new experiences. Say “yes” to everything.
According to William W. Dyer, director of the Corporate Affiliates Program for the Jacobs School of Engineering at the University of California San Diego, “Students study theories, case studies and learn both fundamental and advanced coding, but are not able to work on threats and breaches in real-time. They have structured work with a finite ending (quarters are 10 weeks long), whereas hacks and threats can happen at any time and require immediate response and solutions.”
A simple way to learn (and network) is to reach out to a few professionals who are working on a project you’re interested in or skilled in an area you’d like to further develop. Grabbing a quick coffee with someone who has been working in the cybersecurity field will allow you to gain valuable insights and real-world anecdotes. Not only will these people be able to mentor you, but they could even be a reference when the time comes for you to apply for jobs after graduation.
Be Up-To-Date on All Things Cybersecurity
Before your first day, it’s important to be well versed in the latest cybersecurity news, trends and data breaches. Taking the initiative to keep up on the latest in the industry and to provide an educated opinion on these issues will not only set you apart from other interns, but it will impress your managers and allow you to have a deeper understanding of your tasks and assignments. Every security incident is an opportunity to learn and ask questions that will serve you well later.
When pressed for what cybersecurity students should do to prepare for a future career in the space, Fred Yip, manager of software development at Webroot said, “Follow cybersecurity news and podcasts to understand what problems the industry is facing.”
Listening to a security podcast on your morning commute or setting up simple Google alerts for topics such as, ‘data breach,’ or ‘cybersecurity,’ will keep you up to date on the conversations happening in the space. Lots of great discussions happen on professional LinkedIn forums and Twitter too.
Continue to Grow in Cybersecurity, Even After Your Internship Ends
Once your internship has concluded, it is important to keep growing and honing your arsenal, especially that crucial developer knowledge. According to Dyer, “We encourage our students to participate in any and all extracurricular activities that enhance their skills.” Taking online tutorial courses or participating in hackathons or coding challenges are a great way to put your new skills to the test.
Also continue following industry news and engaging with professionals through social channels. The network you create during your college years with classmates, professors and folks you meet during your internships will be instrumental in securing future opportunities. Check in with your internship managers, what’s their take on the latest data breach, acquisition or trend?
In today’s competitive job market, setting yourself apart through quality work is important and can be the key to a future at that company. While the classroom provides you with the concepts necessary to succeed, real-world experience will not only help you decide if a career in cybersecurity is something you want to continue to pursue, but you will gain invaluable knowledge and begin to grow your professional network that will be so crucial upon graduation. It is important to connect with colleagues and other interns, keep up with cybersecurity news, engage with professionals and accept as many opportunities as possible to learn about your chosen career path, allowing you to get the most out of your internship.
The PCI PIN Standard requires implementation of Key Blocks. This blog is the second in a series on the Key Block requirement, covering basic questions about the applicability of that requirement. In our first blog post in the series, Key Blocks 101, we covered basic questions about this security method and how it helps secure payment data.
Anti-malware technology is one of the most basic cyber security mechanisms that organisations should have in place, but according to IT Governance’s 2019 Cyber Resilience Report, 27% of respondents haven’t implemented such measures.
This finding is even more surprising given that our customer base is naturally more knowledgeable about information security than the average organisation. Our results represent the most optimistic assessment of organisations’ cyber resilience, so the chances are things are even worse in the wider world.
Anti-malware technology isn’t the only area where organisations are neglecting essential cyber security measures. The report also found that:
43% of organisations don’t have a formal information security management programme.
An information security management plan provides a comprehensive assessment of the way an organisation addresses data protection risks. It ensures that preventative measures are appropriate to the scale of the risk and that every necessary precaution is being taken.
Organisations that lack a formal plan will be tackling security measures piecemeal, if at all.
33% of organisations don’t have documents that state how they plan to protect their physical and information assets.
Without documented plans, it’s impossible to track whether they work and what adjustments are necessary. More to the point, it’s possible that the organisation has no plans in place at all, exposing them to myriad threats.
30% haven’t implemented identity and access controls.
Sensitive information should only be available to those who need it to perform their job, otherwise you run the risk of someone in the organisation using it for malicious purposes.
In some cases, an unauthorised person simply viewing the information is a serious privacy breach. You wouldn’t want everyone at an organisation being able to look at your medical information or political affiliations, for example. That’s why it’s essential to implement controls that ensure that only approved employees can access certain information.
Where do these figures come from?
The report has its origins in our Cyber Resilience Framework, which we developed last year to help organisations improve their ability to prevent security incidents and respond when disaster strikes.
Alan Calder, the founder and executive chairman of IT Governance, said: “Attackers use cheap, freely available tools that are developed as soon as a new vulnerability is identified, producing ever more complex threats, so it is evident that, in the current landscape, total cyber security is unachievable.
“An effective cyber resilience strategy is therefore the answer, helping organisations prevent, prepare for and respond to cyber attacks, and ensure they are not only managing their risks but also minimising the business impact.”
As part of the framework, we offered a self-assessment questionnaire, which helped organisations see how their existing measures compared to the framework and how much work was necessary to achieve cyber resilience.
We collated the results of the self-assessment to create this report, which provides a broader insight into how organisations are addressing cyber security risks and which threats are most commonly overlooked.
How does your organisation compare?
Download the report for free from our website to see the survey results in full and guidance on where organisations are going right and wrong.
5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions being asked and uncertainties being raised around accessibility, as well as cybersecurity. The introduction of this next-generation network could bring more avenues for potential cyberthreats, potentially increasing the likelihood of distributed denial-of-service (DDoS) attacks due to the sheer number of connected devices. However, as valid as these concerns may be, we may be getting a bit ahead of ourselves here. While 5G has gone from an idea to a reality in a short amount of time for a handful of cities, these advancements haven’t happened without a series of setbacks and speed bumps.
In April 2019, Verizon was the first to launch a next-generation network, with other cellular carriers following closely behind. While a technological milestone in and of itself, some 5G networks are only available in select cities, even limited to just specific parts of the city. Beyond the not-so-widespread availability of 5G, the network’s internet speeds have varied widely depending on the cellular carrier. Even if users are located in a 5G-enabled area, if they are without a 5G-enabled phone they will not be able to access all the benefits the network provides. These three factors – user location, network limitation of certain wireless carriers, and availability of 5G-enabled smartphones – must align for users to take full advantage of this exciting innovation.
While there is still a lot of uncertainty surrounding the future of 5G, as well as what cyberthreats may emerge as a result of its rollout, there are a few things users can do to prepare for the transition. To get your cybersecurity priorities in order, take a look at our 5G preparedness toolkit to ensure you’re prepared when the nationwide roll-out happens:
Follow the news. Since the announcement of a 5G enabled network, stories surrounding the network’s development and updates have been at the forefront of the technology conversation. Be sure to read up on all the latest to ensure you are well-informed to make decisions about whether 5G is something you want to be a part of now or in the future.
Do your research. With new 5G-enabled smartphones about to hit the market, ensure you pick the right one for you, as well as one that aligns with your cybersecurity priorities. The right decision for you might be to keep your 4G-enabled phone while the kinks and vulnerabilities of 5G get worked out. Just be sure that you are fully informed before making the switch and that all of your devices are protected.
Be sure to update your IoT devices’ factory settings. 5G will enable more and more IoT products to come online, and most of these connected products aren’t necessarily designed to be “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you can instantly upgrade your device’s security and ensure your home network is secure.
Add an extra layer of security. As mentioned, with 5G creating more avenues for potential cyberthreats, it is a good idea to invest in comprehensive mobile security to apply to all of your devices to stay secure while on-the-go or at home.
Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.
Posted by Jennifer Pullman, Kurt Thomas, and Elie Bursztein, Spam and Abuse research
Back in February, we announced the Password Checkup extension for Chrome to help keep all your online accounts safe from hijacking. The extension displays a warning whenever you sign in to a site using one of over 4 billion usernames and passwords that Google knows to be unsafe due to a third-party data breach. Since our launch, over 650,000 people have participated in our early experiment. In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe, or 1.5% of sign-ins scanned by the extension.
Today, we are sharing our most recent lessons from the launch and announcing an updated set of features for the Password Checkup extension. Our full research study, available here, will be presented this week as part of the USENIX Security Symposium.
Which accounts are most at risk?
Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach. If you use strong, unique passwords for all your accounts, this risk disappears. Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites.
In fact, outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking.
Anonymous telemetry reported by Password Checkup extension shows that users most often reuse vulnerable passwords on shopping, news, and entertainment sites.
Helping users re-secure their unsafe passwords
Our research shows that users opt to reset 26% of the unsafe passwords flagged by the Password Checkup extension. Even better, 60% of new passwords are secure against guessing attacks, meaning it would take an attacker over a hundred million guesses before identifying the new password.
Improving the Password Checkup extension
Today, we are also releasing two new features for the Password Checkup extension. The first is a direct feedback mechanism where users can inform us about any issues that they are facing via a quick comment box. The second gives users even more control over their data. It allows users to opt out of the anonymous telemetry that the extension reports, including the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage. By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information.
We're continuing to improve the Password Checkup extension and exploring ways to implement its technology into Google products. For help keeping all your online accounts safe from hijacking, you can install the Password Checkup extension here today.
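To make the "Google never learns your username or password" property concrete, here is an added illustration of the underlying idea: the client hashes the credential and reveals only a short hash prefix, the server returns every breached hash in that bucket, and the client finishes the comparison locally. This is example code written for this page, not Google's code; the published Password Checkup protocol additionally blinds the hashes, which is omitted here. The hash construction, the 16-bit prefix width and the breach list are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Set, Tuple

PREFIX_BITS = 16  # constructed choice: wider prefix = smaller bucket but less anonymity


def credential_hash(username: str, password: str) -> bytes:
    """Hash the (username, password) pair. Hypothetical construction: a
    domain-separated SHA-256 over the lower-cased username and the password."""
    data = b"pwcheck-v0\x00" + username.lower().encode() + b"\x00" + password.encode()
    return hashlib.sha256(data).digest()


def bucket_key(h: bytes) -> int:
    """The only value the client sends: the top PREFIX_BITS bits of the hash."""
    return int.from_bytes(h, "big") >> (8 * len(h) - PREFIX_BITS)


class BreachServer:
    """Constructed stand-in for the breach database: bucket -> set of full hashes.
    It also records what it learns from each query, so we can check that the
    server only ever sees bucket numbers."""

    def __init__(self, breached: List[Tuple[str, str]]):
        self.buckets: Dict[int, Set[bytes]] = {}
        for user, pw in breached:
            h = credential_hash(user, pw)
            self.buckets.setdefault(bucket_key(h), set()).add(h)
        self.queries_seen: List[int] = []

    def lookup(self, prefix: int) -> Set[bytes]:
        self.queries_seen.append(prefix)
        # Return the whole bucket; the server cannot tell which entry, if any,
        # the client was interested in.
        return set(self.buckets.get(prefix, ()))


def is_breached(server: BreachServer, username: str, password: str) -> bool:
    """Client side: hash locally, fetch the bucket, compare locally."""
    h = credential_hash(username, password)
    candidates = server.lookup(bucket_key(h))
    return h in candidates


# Constructed breach list; these are not real leaked credentials.
SAMPLE_BREACH = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "Password123"),
    ("carol@example.com", "letmein"),
]


def demo() -> Tuple[bool, bool, int]:
    """Returns (reused-credential flagged, fresh credential not flagged, max value the server saw)."""
    server = BreachServer(SAMPLE_BREACH)
    hit = is_breached(server, "Alice@Example.com", "hunter2")
    miss = is_breached(server, "alice@example.com", "correct horse battery staple")
    return hit, miss, max(server.queries_seen)


if __name__ == "__main__":
    print(demo())
```

The privacy/efficiency trade-off is in `PREFIX_BITS`: with 4 billion entries and a 16-bit prefix each bucket holds tens of thousands of hashes, so the server cannot narrow the query below that set, at the cost of transferring the whole bucket per lookup.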
Researchers able to identify MP Anthony Carbines’s travel history using tweets and Public Transport Victoria dataset
The three-year travel history of a Victorian politician could be identified after the state government released the supposedly “de-identified” data of more than 15m myki public transport users in a breach of privacy laws.
In July 2018, Public Transport Victoria (now the Department of Transport) released a dataset containing 1.8bn travel records for 15.1m myki public transport users for the period between June 2015 and June 2018.
See you about 05.24AM tomorrow at Rosanna to catch the first train to town. Well done all. Thanks for hanging in there. Massive construction effort. Single track gone. Two level crossings gone. The trains! The trains! The trains are coming! pic.twitter.com/kk2Cj3ey9T
Cyberattacks are on the rise, and companies are noticing. Everyone is in a scramble to avoid being the next corporation sweeping news headlines with the words “data breach” following. As a result, the demand for cybersecurity experts is skyrocketing, but there are a couple of problems. Not only are there not enough cybersecurity experts to fill those roles, but for the cybersecurity experts that are out there, they’re demanding a premium for their talents.
A recent Bloomberg article stated that in 2012, an enticing rate for a chief information security officer at a large company was $650,000. Fast forward to 2019, and the same role at the same company is going for $2.5 million. On top of that, the article points to data that shows there were more than 300,000 unfilled cybersecurity jobs over a 12-month period in the United States in 2017-2018. When looking to the future, Cybersecurity Ventures predicts that the amount of unfilled positions will grow to about 3.5 million jobs.
So, the problem itself is double-pronged. Companies are recognizing that they need to address cybersecurity in some way, shape, or form, and are looking to bring in experts to help them out – but those experts come at a very high cost.
Alternatives to the salary game
Hiring additional security professionals does not have to be the starting point for your company to take the leap into more secure software. One practical way to embed security into your organization, and get more from your existing security team, is to look for – and create – security champions on your development teams. Step one is finding a security-minded individual on your development team, and then giving them extra training, responsibilities, and perks to incentivize them to be that security liaison. Developers will be much more inclined to take security advice from someone who’s already familiar with their lingo and processes.
Ultimately, with a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.
As organizations struggle to find the right people to step in and oversee their programs, another effective way to ensure you have your bases covered is by bringing in an outside partner. Having a solution that offers hands-on support, coaching for developers, and AppSec expertise can make a world of difference. We aren’t suggesting you replace your internal team with outside consultants; rather, that you free your team to focus on managing risk by taking these tasks off of their plates:
Addressing the blocking and tackling of onboarding
Application security program management
Reporting
Identifying and addressing barriers to success
Working with development teams to ensure they’re finding and remediating vulnerabilities
Learn more about the benefits of bringing in an outside partner in this blog.
While you try to find the balance between keeping your headcount low, yet covering all of your bases from a security standpoint, a fantastic way to tie your approach together lies within utilizing automated security solutions. You can remove the need for human intervention as much as possible, continue to enable your developers to test for flaws early and often, and integrate a solution that works in tandem with your current environment. Having the security champions, automated solutions that are easy to work with, and a partner who can help your developers out when they run into roadblocks are all effective ways to reduce your risk – and without breaking the bank.
Want to find out how Veracode can help you check off all of these boxes and more? Request a personalized demo of our platform today.
GRA Quantum launches a comprehensive scalable security services offering to provide small to midsize firms a custom solution that scales as their business needs change.
NEW YORK, August 14, 2019 (Newswire.com) – Global cybersecurity firm GRA Quantum announces the launch of its comprehensive offering, Scalable Security Suite, providing solutions based on a combination of Managed Security Services and professional services, tailored to the specific needs of each client. Scalable Security Suite was created to give small to mid-sized organizations a running start when it comes to security, providing the same standard of security controls as large enterprises.
According to GRA Quantum’s President Tom Boyden, “Small and medium-sized firms are prime targets for cybercrime, but many don’t have the necessary resources or guidance to properly strengthen their security stance. Our Scalable Security Suite is designed to help these organizations prioritize their greatest vulnerabilities and provide them a security solution that aligns with their business needs and evolves as these needs and the threat landscapes change.”
Managed Security Services (MSS), launched in December 2018, is the foundation of Scalable Security Suite. Through comprehensive security assessments, GRA Quantum experts identify vulnerabilities and provide recommendations for a custom combination of professional service offerings to best address these vulnerabilities. Professional services can be added to Managed Security Services to overcome vulnerabilities and build a more comprehensive, proactive security program.
Jen Greulich, GRA Quantum’s Director of Managed Security Services, has seen the need arise among current MSS clients for these supplemental services. “Oftentimes, it becomes clear in a scoping call that clients’ needs extend beyond what we offer through MSS. Our new flexible offering allows us to work with the clients to develop a custom security solution for them that complements MSS — whether they need incident response or penetration testing services.”
Aligned with GRA Quantum’s mission, Scalable Security Suite goes beyond the ordinary cyber assessment to understand and remediate acute physical and human-centric vulnerabilities as well.
Apache Solr is an open source enterprise search platform, written in Java, from the Apache Lucene project. Its major features include full-text search, hit highlighting, faceted search, dynamic clustering, and document parsing. You treat it like a database: you run the server, create a collection, and send different types of data to it (such as text, XML documents, PDF documents, etc.). Solr automatically indexes this data and provides a fast but rich REST API interface to search it. The only protocol to talk to the server is HTTP, and yes, it's accessible without authentication by default, which makes it a perfect victim for keen hackers.
In a new research paper, Veracode Security Researcher Michael Stepankin sheds light on this new type of vulnerability for web applications – Solr parameter injection – and explains how cyberattackers can achieve remote code execution through it. Whether the Solr instance is Internet-facing, behind a reverse proxy, or used only by internal web applications, the ability to modify Solr search parameters is a significant security risk. Further, in cases where only a web application that uses Solr is accessible, by exploiting ‘Solr (local) Parameters Injection,’ it is possible to at least modify or view all the data within the Solr cluster, or even exploit known vulnerabilities to achieve remote code execution.
Read the in-depth, technical whitepaper, “Apache Solr Injection,” on GitHub.
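The application-side root cause described above is that user input ends up controlling Solr parameters rather than only the query text. As an added example (not from the whitepaper or from Solr itself), here is a hypothetical web application's request builder in its unsafe form beside a hardened form that keeps parameter names under the application's control and escapes Solr query syntax in the user's text. The Solr host, collection name and sample inputs are constructed for illustration.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

# Hypothetical internal Solr endpoint for a "products" collection.
SOLR_SELECT = "http://solr.internal:8983/solr/products/select"

# Characters with syntactic meaning in Solr/Lucene query syntax. A leading
# "{!" also opens a local-parameters block, so "{" and "!" are included.
SOLR_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')


def escape_solr_term(text: str) -> str:
    """Backslash-escape query syntax characters so the input is matched literally."""
    return "".join("\\" + c if c in SOLR_SPECIAL else c for c in text)


def build_url_unsafe(user_input: str) -> str:
    """'Before' form: the raw string is pasted into the URL. A '&' in the input
    adds parameters the application never intended to expose, and a leading
    '{!...}' block is interpreted by Solr as local parameters."""
    return f"{SOLR_SELECT}?q={user_input}&rows=10"


def build_url_safe(user_input: str) -> str:
    """Hardened form: the application owns every parameter name and value; the
    user's text is escaped, then URL-encoded, so it can only be the value of q."""
    return SOLR_SELECT + "?" + urlencode(
        {"q": escape_solr_term(user_input), "rows": 10, "defType": "edismax"}
    )


def parameters_solr_would_see(url: str) -> dict:
    """Parse the query string the way the HTTP layer would, returning the first
    value of each parameter name, to show what actually reaches Solr."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    sample = "laptop&rows=1000"  # constructed input containing a parameter separator
    print(parameters_solr_would_see(build_url_unsafe(sample)))
    print(parameters_solr_would_see(build_url_safe(sample)))
    print(parameters_solr_would_see(build_url_safe("{!dismax qf=title}laptop")))
```

Escaping alone is not a substitute for the parameter discipline in `build_url_safe`: the point is that the application, not the caller, decides which parameters exist. Combined with the authentication the page notes Solr lacks by default, this keeps the search input from ever being parsed as Solr configuration.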
Fingerprints, facial recognition and other personal information from Biostar 2 discovered on publicly accessible database
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.
Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.
As a mum of 4 sons, my biggest concern about the era of social media is the impact of the ‘like culture’ on our children’s mental health. The need to generate likes online has become a biological compulsion for many teens and let’s be honest – adults too! The rush of dopamine that surges through one’s body when a new like has been received can make this like culture understandably addictive.
Research Shows Likes Can Make You Feel As Good As Chocolate!
The reason why our offspring (and even us) just can’t give up social media is because it can make us feel just so damn good! In fact, the dopamine surges we get from the likes we collect can give us a true psychological high and create a reward loop that is almost impossible to break. Research published in Psychological Science, a journal of the Association for Psychological Science, shows the brain circuits that are activated by eating chocolate and winning money are also activated when teens see large numbers of ‘likes’ on their own photos or photos of peers in a social network.
Likes and Self Worth
Approval and validation by our peers has, unfortunately, always had an impact on our sense of self-worth. Before the era of social media, teens may have measured this approval by the number of invitations they received to parties or the number of cards they received on their birthday. But in the digital world of the 21st century, this is measured very publicly through the number of followers we have or the number of likes we receive on our posts.
But this is dangerous territory. Living our lives purely for the approval of others is a perilous game. If our self-worth is reliant on the amount of likes we receive then we are living very fragile existences.
Instagram’s Big Move
In recognition of the competition social media has become for many, Instagram has decided to trial hiding the likes tally on posts. Instagram believes this move, which is also being trialled in six other countries including Canada and New Zealand, will improve the well-being of users and allow them to focus more on ‘telling their story’ and less on their likes tally.
But the move has been met with criticism. Some believe Instagram is ‘mollycoddling’ the more fragile members of our community whilst others believe it is threatening the livelihood of ‘Insta influencers’ whose income is reliant on public displays of likes.
Does Instagram’s Move Really Address Our Likes Culture?
While I applaud Instagram for taking a step to address the wellbeing and mental health of users, I believe that it won’t be long before users simply find another method of social validation to replace our likes stats. Whether it’s follower numbers or the amount of comments or shares, many of us have been wired to view social media platforms like Instagram as a digital popularity contest so will adjust accordingly. Preparing our kids for the harshness of this competitive digital environment needs to be a priority for all parents.
What Can Parents Do?
Before your child joins social media, it is imperative that you do your prep work with your child. There are several things that need to be discussed:
Your Kids Are So Much More Than Their Likes Tally
It is not uncommon for tweens and teens to judge their worth by the number of followers or likes they receive on their social media posts. Clearly, this is crazy but a common trend. So, please discuss the irrationality of the likes culture and online popularity contest that has become a feature of almost all social media platforms. Make sure they understand that social media platforms play on the ‘reward loop’ that keeps us coming back for more. Likes on our posts and validating comments from our followers provide hits of dopamine that mean we find it hard to step away. While many tweens and teens view likes as a measure of social acceptance, it is essential that you continue to tell them that this is not a true measure of a person.
Encourage Off-Line Activities
Help your kids develop skills and relationships that are not dependent on screens. Fill their time with activities that build face-to-face friendships and develop their individual talents. Whether it’s sport, music, drama, volunteering or even a part time job – ensuring your child has a life away from screens is essential to creating balance.
Education is Key
Teaching your kids to be cyber safe and good digital citizens will minimise the chances of them experiencing any issues online. Reminding them about the perils of oversharing online, the importance of proactively managing their digital reputation and the harsh reality of online predators will prepare them for the inevitable challenges they will have to navigate.
Keep the Communication Channels Open – Always!
Ensuring your kids really understand that they can speak to you about ANYTHING that is worrying them online is one of the best digital parenting insurance policies available. If they do come to you with an issue, it is essential that you remain calm and do not threaten to disconnect them from their online life. Whether it’s cyberbullying, inappropriate texting or a leak of their personal information, working with them to troubleshoot and solve problems and challenges they face is a must for all digital parents.
Like many parents, I wish I could wave a magic wand and get rid of the competition the likes culture has created online for many of our teens. But that is not possible. So, instead let’s work with our kids to educate them about its futility and help them develop a genuine sense of self-worth that will buffer them from the harshness this likes culture has created.
As one of the most popular hosting platforms alongside cPanel, Plesk provides a variety of security extensions for its users. Each Plesk security extension boasts its own unique features, meant to fully protect your website, server, email, and network from potential threats.
Some extensions on Plesk require advanced system administration, so it’s important that you choose the right security tools based on your knowledge and experience — as not all security extensions are created equal.
While Plesk offers a range of security tools such as malware scanners or ransomware protection software, this blog post will focus on security extensions that are available on Plesk that provide protection against web application attacks and DoS and DDoS attacks.
These types of web threats directly affect web applications and can result in your websites going offline. In this case, customers and visitors are denied access to your information and commercial services, which will negatively impact your business’s bottom line.
Take a look below at some of the most popular security extensions available on Plesk and how they can help prevent web attacks as well as their potential shortcomings.
BitNinja specializes in server security; their Plesk security extension is designed to effectively eliminate threats from your Linux servers. The security extension is also meant to save you from having to perform any configurations and spend long hours of troubleshooting.
Because BitNinja’s security extension is equipped with DoS mitigation and a WAF (web application firewall), it protects against web application and DDoS attacks. Its DDoS mitigation works on TCP-based protocols, but instead of permanently blocking the source IP it “greylists” the attacker IP.
On the WAF side, BitNinja analyzes incoming traffic to your server based on different factors and stops attacks against the applications running on your server. It utilizes the same WAF model used by Cloudflare and Incapsula. More specifically, for the reverse proxy engine it uses Nginx, the WAF engine is ModSecurity, and the ruleset comes from OWASP. One downside to BitNinja is that it is unable to constantly update and fine-tune the WAF ruleset or implement other rulesets in real time.
The Variti DDoS security extension focuses on protection against DoS and DDoS attacks. They do this by allowing incoming web traffic to pass through a distributed network of filtering nodes. Then, traffic is analyzed in real time and classified as either legitimate or illegitimate. Upon detection of a threat, their Active Bot Protection (ABP) technology immediately blocks this malicious traffic with a response time of less than 50 ms.
Because of this bot protection technology, Variti is able to distinguish traffic between real users and bots, including those coming from the same IP address. Thus, they can also protect against both network and application layer DDoS attacks. Though it doesn’t offer a WAF, Variti is one of the few DDoS protection tools that are available on Plesk.
ModSecurity is arguably one of the most well-known WAFs. It supports web servers such as Apache on Linux or IIS on Windows, to protect web applications from malicious attacks. ModSecurity works by checking incoming HTTP requests and, based on the set of rules applied, either allows the HTTP request to reach the website or blocks it.
The ModSecurity security extension on Plesk offers both free and paid sets of rules. It includes regular expressions that are used for filtering HTTP requests, but you can also apply custom rulesets. This may require extensive knowledge of WAF rules on the part of the system administrator. For example, you may need to manually switch off certain security rules, so maintenance of the rulesets can be a setback for those who are looking for a more hands-off WAF.
Furthermore, there have also been cases where customers experience ModSecurity blocking legitimate requests when too many rules are applied.
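To show what "regular expressions used for filtering HTTP requests" and "blocking legitimate requests when too many rules are applied" look like in practice, here is an added example of a minimal rule-based request filter in the style the text describes. It is illustration code written for this page, not ModSecurity's engine or any vendor's ruleset: each rule inspects one part of a request, matches accumulate into a score, and the request is blocked at a threshold. The rule IDs, patterns, scores, threshold and sample requests are all constructed.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str
    query: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: int          # constructed IDs, not CRS rule numbers
    target: str           # "path", "query" or a lower-cased header name
    pattern: re.Pattern
    score: int
    message: str
    enabled: bool = True


def _inspect(req: Request, target: str) -> str:
    """Return the decoded view of the requested part; a WAF must match on the
    decoded form, otherwise percent-encoding trivially sidesteps a pattern."""
    if target == "path":
        return unquote_plus(req.path)
    if target == "query":
        return unquote_plus(req.query)
    return req.headers.get(target, "")   # absent header is treated as empty


RULES: List[Rule] = [
    Rule(910001, "path", re.compile(r"\.\./"), 5, "path traversal sequence"),
    Rule(920001, "query", re.compile(r"<script\b", re.I), 5, "script tag in parameter"),
    Rule(920002, "query", re.compile(r"\bunion\b.+\bselect\b", re.I), 5, "SQL union select"),
    Rule(920003, "query", re.compile(r"\b(select|insert|update|delete)\b", re.I), 3, "bare SQL keyword"),
    Rule(930001, "user-agent", re.compile(r"^$"), 2, "empty User-Agent"),
]
BLOCK_THRESHOLD = 5


def evaluate(req: Request, rules: List[Rule] = RULES, threshold: int = BLOCK_THRESHOLD) -> dict:
    """Anomaly-scoring evaluation: sum the scores of matching enabled rules."""
    score, matched = 0, []
    for rule in rules:
        if rule.enabled and rule.pattern.search(_inspect(req, rule.target)):
            score += rule.score
            matched.append((rule.rule_id, rule.message))
    return {"blocked": score >= threshold, "score": score, "matched": matched}


def disable_rule(rules: List[Rule], rule_id: int) -> List[Rule]:
    """The tuning step the text mentions: switch one rule off without editing the rest."""
    return [replace(r, enabled=False) if r.rule_id == rule_id else r for r in rules]


# Constructed sample traffic.
TRAVERSAL = Request("GET", "/static/..%2F..%2Fetc/passwd", "", {"user-agent": "curl/7.0"})
SCRIPT_TAG = Request("GET", "/index.php", "q=%3Cscript%3E", {"user-agent": "Mozilla/5.0"})
# A legitimate search on a mail-help site from a client that sends no User-Agent:
LEGIT_SEARCH = Request("GET", "/search", "q=delete+old+emails", {"user-agent": ""})


def false_positive_demo() -> Tuple[bool, bool]:
    """Returns (blocked with the full ruleset, blocked after disabling 920003)."""
    before = evaluate(LEGIT_SEARCH)["blocked"]
    after = evaluate(LEGIT_SEARCH, disable_rule(RULES, 920003))["blocked"]
    return before, after


if __name__ == "__main__":
    for r in (TRAVERSAL, SCRIPT_TAG, LEGIT_SEARCH):
        print(r.path, r.query, evaluate(r))
    print(false_positive_demo())
```

The legitimate search trips a low-scoring keyword rule and a low-scoring header rule, and the two together cross the threshold: that is the mechanism behind the false positives the text describes, and the reason rule maintenance ends up being a manual, per-site task.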
The Cloudflare Servershield security extension is intended to protect and secure your servers, applications and APIs against DoS/DDoS and other web attacks. While the security extension is primarily used to speed up websites, Cloudflare Servershield also offers WAF and DDoS protection.
Cloudflare’s WAF option and its rulesets can only be enabled on their paid plans – more specifically the Cloudflare Servershield Advanced extension on Plesk. Cloudflare’s WAF uses the OWASP Modsecurity Core Rule Set to inspect web traffic and block illegitimate requests. These OWASP rules are supplemented by Cloudflare’s built-in rules that you can apply with the click of a button.
As part of their free plan, Cloudflare provides unlimited and unmetered mitigation of DDoS attacks, regardless of the size of an attack.
Imunify360 takes a multi-layered approach when it comes to server security. This security extension combines an advanced firewall, WAF, IDS/IPS, and more. Their advanced firewall is also powered by a machine learning engine. They take a proactive defense to preemptively stop all malware and identify potential attacks on your server.
Their WAF protects web servers from multiple threats, such as DoS attacks, port scans, and distributed brute force attacks. Their WAF also relies on ModSecurity and is automatically installed on certain versions of Imunify360. Because other third-party ModSecurity vendors’ rulesets may be installed (for example, OWASP or Comodo), these rulesets can generate a large number of false positives and may duplicate Imunify360’s rulesets.
You will need to manually disable other third-party ModSecurity vendors on different hosting panels.
To simplify the management of website security, Cloudbric’s cloud-based WAF is integrated with the Plesk platform. The Cloudbric WAF extension also includes DDoS protection and SSL certificate renewal automation at no extra cost.
Instead of painfully blocking the customer’s IP addresses individually to keep DDoS attacks under control, Cloudbric blocks these huge amounts of traffic before they reach the site. Cloudbric’s advanced DDoS protection ensures your website stays up and running.
The Cloudbric WAF is designed to install and work with as little human interaction as possible. We handle the security so that customers don’t have to. Unlike ModSecurity which maintains a library of malicious patterns, known as signatures, Cloudbric takes it up a notch by also implementing signature-less detection techniques into the WAF engine.
Additionally, unlike the rules of ModSecurity that are updated once per month, Cloudbric’s WAF does not require signature updates.
This signature-less detection technology can also identify and block modified and new web application attacks. Cloudbric’s WAF engine includes 27 unique pre-set rules and AI capabilities to create an advanced threat detection engine to accurately detect and block attacks.
If your company is dependent on online traffic for business, then protection against DDoS and web application attacks is a must.
For Plesk users, there are a variety of security extensions to choose from to make the management of security extremely easy for web managers, designers, system administrators, and other web professionals – it all depends on your security needs and whether you are looking for fully managed services or customization.
It’s time to unpack the suitcases and pack up those backpacks! With the summer season quickly coming to an end, it’s time to get those college cybersecurity priorities in order so you can have the best school year yet. As students across the country get ready to embark on—or return to—their college adventure, many are not proactively protecting their data accordingly. A recent survey from McAfee found that only 19% of students take extra steps to protect their academic records, which is surprising considering 80% of students have either been a victim of a cyberattack or know someone who has been impacted. In fact, in the first few months of 2019, publicly disclosed cyberattacks targeting the education sector increased by 50%, including financial aid schemes and identity theft.
From data breaches to phishing and ransomware attacks, hitting the books is stressful enough without the added pressure of ensuring your devices and data are secure too. But you’re in luck! Avoid being the cybersecurity class clown and head back to school in style with our A+ worthy Back-to-School RT2Win sweepstakes!
Three lucky winners of the sweepstakes drawing will receive a McAfee Back-to-School Essentials Backpack complete with vital tech and cybersecurity supplies like Beats Headphones, UE BOOM Waterproof Bluetooth Speaker, Fujifilm Instax Mini 9 Instant Camera, DLINK router with McAfee Secure Home Platform, Anker PowerCore Portable Charger and so much more! ($750 value, full details below in Section 6. PRIZES). The best part? Entering is a breeze! Follow the instructions below to enter and good luck!
The sweepstakes tweet will be released on Tuesday, August 13, 2019, at 12:00pm PT. This tweet will include the hashtags: #ProtectWhatMatters, #RT2Win AND #Sweepstakes.
Retweet the sweepstakes tweet released on the above date, from your own handle. The #ProtectWhatMatters, #RT2Win AND #Sweepstakes hashtags must be included to be entered.
Sweepstakes will end on Monday, August 26, 2019 at 11:59pm PT. All entries must be made before that date and time.
Winners will be notified on Wednesday, August 28, 2019, via Twitter direct message.
Limit one entry per person.
1. How to Win:
Retweet one of our contest tweets on @McAfee_Home that include “#ProtectWhatMatters, #RT2Win AND #Sweepstakes” for a chance to win a McAfee Back-to-School Essential Backpack (for full prize details please see “Prizes” section below). Three total winners will be selected and announced on August 28, 2019. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.
#RT2Win Sweepstakes Terms and Conditions
2. How to Enter:
No purchase necessary. A purchase will not increase your chances of winning. McAfee Back-to-School #RT2Win Sweepstakes will be conducted from August 13, 2019 through August 27, 2019. All entries for each day of the McAfee Back-to-School #RT2Win Sweepstakes must be received during the time allotted for the McAfee Back-to-School #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee Back-to-School #RT2Win Sweepstakes, duration is as follows:
Begins Tuesday, August 13 at 12:00pm PST
Ends: Monday, August 26, 2019 at 11:59pm PST
Three winners will be announced: Wednesday, August 28, 2019
For the McAfee Back-to-School #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee Back-to-School Sweepstakes:
Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #ProtectWhatMatters, #RT2Win and #Sweepstakes
Retweet the sweepstakes tweet of the day and make sure it includes the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags.
Note: Tweets that do not contain the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags will not be considered for entry.
Limit one entry per person.
Three  winners will be chosen for the McAfee Back-to-School #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included #ProtectWhatMatters, #RT2Win and #Sweepstakes. McAfee and the McAfee social team will choose winners from all the viable entries. The winners will be announced and privately messaged on Wednesday, August 28, 2019 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes.
McAfee Back-to-School #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the McAfee Back-to-School #RT2Win Sweepstakes begins and who live in a jurisdiction where this prize and the McAfee Back-to-School #RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.
4. Winner Selection:
Winners will be selected at random from all eligible retweets received during the McAfee Back-to-School #RT2Win Sweepstakes drawing entry period. Sponsor will select the names of three potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official McAfee Back-to-School #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.
5. Winner Notification:
Each winner will be notified via direct message (“DM”) on Twitter.com by August 28, 2019. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited, and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty-four (24) hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.
McAFEE BACK-TO-SCHOOL ESSENTIAL BACKPACK (3)
Approximate ARV for Prize: $750
McAfee Water Bottle
D-Link Ethernet Wireless Router with McAfee Secure Home
McAfee Total Protection, 5 devices, 1-year subscription
Beats EP On-Ear Headphones
Ultimate Ears BOOM Portable Waterproof Bluetooth Speaker
Fujifilm Instax Mini 9 Instant Camera with Mini Film Twin Pack
Tile Mate – Anything Finder
Anker PowerCore 10000, Portable Charger
Limit one (1) prize per person/household. Prizes are non-transferable, and no cash equivalent or substitution of prize is offered.
The prize for the McAfee Back-To-School #RT2Win Sweepstakes is a ONE (1) Back-to-School Essential Backpack, complete with the above supplies, for each of the three (3) entrants. Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Back-to-School #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Back-to-School #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.
7. General Conditions:
By entering, entrants agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee Back-to-School #RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the McAfee Back-to-School #RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee Back-to-School #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee Back-to-School #RT2Win Sweepstakes-related activity, or participation in the McAfee Back-to-School #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).
8. Limitations of Liability; Releases:
By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.
To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.
To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.
9. Prize Forfeiture:
If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with the prize McAfee Back-to-School #RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each McAfee Back-to-School #RT2Win Sweepstakes.
10. Dispute Resolution:
Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Back-to-School #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Back-to-School #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.
11. Governing Law & Disputes:
Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of New York.
Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after August 13, 2019 and before August 27, 2019 to the address listed below, Attn: #RT2Win at CES Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Sarah Grayson. VT residents may omit return postage.
Despite the amazing and futuristic progression of technologies in cybersecurity, it’s still incredibly hard to answer the most basic of questions like: how many assets do I have, and do they adhere to my security policy? Somewhere along the line, asset management became very mundane compared to the other initiatives we’re responsible for in cybersecurity. Yet everything in cybersecurity lies on a foundation of understanding our devices, cloud instances, users, and the solutions that cover them.
So why is asset management—a problem that has persisted for decades—still an issue in 2019? Today, we look at why asset management remains a challenge, the Axonius approach to cybersecurity asset management, and how integrations with several Microsoft technologies are key to solving the problem and delivering value to organizations around the world.
The cybersecurity solution paradox
The more devices you have, the more solutions you implement to manage and secure them. Although one might think that the more security and management solutions at an organization the better, that’s not always the case. We call this the cybersecurity solution paradox: the idea that the more solutions you have, the harder it actually becomes to get answers to very basic questions. All of the information exists in separate silos, making it more difficult to aggregate the data, correlate it, and derive context and meaning.
Watch this short video outlining today’s asset management challenge.
The Axonius approach
If we were to outline an approach to asset management, we’d want a product to:
Understand which assets are unmanaged—Those devices and cloud instances not being managed or secured by the tools outlined in our security policies.
Understand which managed assets are missing agents—For example, which Windows 10 devices are missing an endpoint agent?
Discover new devices—Any time a new device hits the network, we’d want to know whether it adheres to our security policies.
Give context—If our security operations team gets an alert about a device, we would want to understand what the device is, what’s installed, its patch level, known vulnerabilities, which users have signed in, etc.
To get this information, a product would need to be very simple, agentless, and it would:
Connect to every security and management solution that knows about assets.
Collect and normalize all relevant asset and user information.
Correlate the information to know that every asset is unique.
Understand the relationship between users, devices, cloud instances, and the solutions that manage and secure them.
Give customers a credible, comprehensive asset inventory—We include every desktop, laptop, mobile device, virtual machine, server, cloud instance, and IoT device that is managed and unmanaged, cloud or on-premises.
Uncover security solution coverage gaps—Using pre-built and custom queries, customers can understand how every asset stacks up against their policies.
Automatically validate and enforce security policies—Customers can create automated enforcement sets to take action whenever assets do not adhere to their security policies.
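The connect, normalize, correlate, query approach outlined above, as an added example in Python. This is not Axonius code: the four "sources", their field names and the records are constructed for the demo (a real adapter would pull them from each product's API), and the join rule (serial number, then hostname, then MAC) is an assumption. It answers two of the questions from the list: which devices are on the network but unmanaged, and which Windows devices are missing the endpoint agent.

```python
# Added example (not Axonius code): correlate asset records exported from
# several management and security tools, then query for coverage gaps.
# Source names, field names and records are constructed for the demo.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Ident = Tuple[str, str]   # ("serial" | "host" | "mac", value)


@dataclass
class Asset:
    key: Ident
    ids: Set[Ident] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)   # which tools know about this device
    os: Optional[str] = None

    def absorb(self, other: "Asset") -> None:
        """Merge a previously separate asset that a new record proved to be the same device."""
        self.ids |= other.ids
        self.sources |= other.sources
        self.os = self.os or other.os

    def hostnames(self) -> List[str]:
        return sorted(v for kind, v in self.ids if kind == "host")


# Constructed exports (not real data); a real adapter would call each product's API.
SOURCES: Dict[str, List[dict]] = {
    "intune": [
        {"deviceName": "LT-1001", "serialNumber": "SN1001", "os": "Windows 10"},
        {"deviceName": "LT-1002", "serialNumber": "SN1002", "os": "Windows 10"},
        {"deviceName": "PHONE-07", "serialNumber": "SN7007", "os": "iOS"},
    ],
    "azure_ad": [
        {"displayName": "lt-1001", "os": "Windows 10"},
        {"displayName": "lt-1003", "os": "Windows 10"},   # AAD-joined, never enrolled in Intune
    ],
    "edr": [
        {"hostname": "LT-1001", "serial": "SN1001"},
    ],
    "network": [   # ARP/DHCP from the switches: sees everything that got an IP
        {"mac": "aa:bb:cc:00:10:01", "hostname": "lt-1001"},
        {"mac": "aa:bb:cc:00:10:03", "hostname": "lt-1003"},
        {"mac": "aa:bb:cc:00:99:99", "hostname": "raspberrypi"},   # nobody manages this
    ],
}

# One adapter per source maps vendor-specific fields onto a common record.
ADAPTERS = {
    "intune": lambda r: {"host": r["deviceName"], "serial": r["serialNumber"], "os": r["os"]},
    "azure_ad": lambda r: {"host": r["displayName"], "os": r.get("os")},
    "edr": lambda r: {"host": r["hostname"], "serial": r.get("serial")},
    "network": lambda r: {"host": r.get("hostname"), "mac": r["mac"]},
}


def identifiers(rec: dict) -> List[Ident]:
    """Join keys in order of trust: serial number, then hostname, then MAC."""
    ids: List[Ident] = []
    if rec.get("serial"):
        ids.append(("serial", rec["serial"].upper()))
    if rec.get("host"):
        ids.append(("host", rec["host"].lower()))
    if rec.get("mac"):
        ids.append(("mac", rec["mac"].lower()))
    return ids


def correlate(sources: Dict[str, List[dict]] = SOURCES) -> List[Asset]:
    """Collapse every record from every source into one Asset per physical device."""
    assets: Dict[Ident, Asset] = {}
    index: Dict[Ident, Ident] = {}        # any identifier -> canonical asset key
    for name, records in sources.items():
        for raw in records:
            rec = ADAPTERS[name](raw)
            ids = identifiers(rec)
            if not ids:
                continue
            matched = {index[i] for i in ids if i in index}
            if matched:
                key = min(matched)
                asset = assets[key]
                for other in matched - {key}:      # this record links two partial views
                    asset.absorb(assets.pop(other))
            else:
                key = ids[0]
                asset = assets[key] = Asset(key=key)
            asset.ids.update(ids)
            asset.sources.add(name)
            asset.os = asset.os or rec.get("os")
            for i in asset.ids:
                index[i] = key
    return list(assets.values())


def coverage_gap(assets: List[Asset], applies, required_source: str) -> List[Asset]:
    """Assets the policy applies to that the required tool has never seen."""
    return [a for a in assets if applies(a) and required_source not in a.sources]


def unmanaged(assets: List[Asset], managers=("intune", "azure_ad")) -> List[Asset]:
    """Seen on the network by the switches, but by no management tool."""
    return [a for a in assets if "network" in a.sources and not (a.sources & set(managers))]


def windows_missing_edr(assets: List[Asset]) -> List[Asset]:
    """The query from the text: every Windows device without the endpoint agent."""
    return coverage_gap(assets, lambda a: (a.os or "").startswith("Windows"), "edr")


if __name__ == "__main__":
    inventory = correlate()
    print(len(inventory), "unique assets")
    for a in unmanaged(inventory):
        print("unmanaged:", a.hostnames())
    for a in windows_missing_edr(inventory):
        print("Windows without EDR:", a.hostnames())
```

The merge step matters more than it looks: the EDR export carries a serial number and a hostname, Azure AD only a hostname, the switches a hostname and a MAC, so a single record can prove that two partial views are one device, and `absorb` folds them together rather than double-counting.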
Axonius is integrated with Microsoft Intune and Azure Active Directory (Azure AD), core products in the Microsoft Intelligent Security Association (MISA). To help customers better understand exactly what assets they have and whether their assets and users adhere to their security policies, Axonius builds upon Intune by connecting to networking gear itself to learn about assets that aren’t being managed. If your policy states that every mobile device needs to have another security or management solution, Axonius can easily identify those devices that aren’t being protected.
Let’s look at two specific examples that show how Axonius customers use integrations with Microsoft to solve their asset management challenges.
How Appsflyer uses Axonius for better asset management
When Guy Flechter joined mobile attribution and analytics leader AppsFlyer in January 2018 as chief information security officer, he began implementing a wide-ranging cybersecurity program to protect a heterogeneous environment. After implementing the best security tools for every device type, the AppsFlyer team realized that they needed an automated way to ensure that every device had the required solutions installed, and that users had the correct permissions to adhere to the overall security policy.
“We needed an easy and automated way to have clear visibility into which agents were missing from each device, and a way to know when users had rights that conflicted with our security policies. For example, I want to immediately see all Windows devices missing an endpoint agent and unmanaged devices in various VLANs. These are really foundational elements of any cybersecurity program, and there were no good ways to get the answers,” said Flechter.
Using simple queries in Axonius, Flechter was able to get this level of visibility in minutes.
Moving from configuration manager to Intune: No device left behind
As part of their initiative to be nimble and cloud first, AppsFlyer wanted to move from on-premises Microsoft System Center Configuration Manager (ConfigMgr) to Intune, yet the team needed a way to make sure that no devices were left behind. Using queries from Axonius, Flechter was able to easily monitor the switch to Intune and could prioritize which assets should be moved and in what order. Watch this video to learn more.
Understanding user permissions
In addition to devices, Axonius customers are able to understand how each user compares to the overall security policy. Using information from Active Directory, Azure AD, and other IAM providers, customers are able to understand whenever a user account deviates from what is expected.
Example query showing users with bad configurations.
To learn more about how the Axonius cybersecurity asset management platform and its many integrations with Microsoft and other leading security and management providers can help your organization, visit Axonius.com. Also, visit the MISA website to learn more about how top security companies are partnering with Microsoft to defend against increasingly sophisticated cyberthreats.
Axonius is the cybersecurity asset management platform that gives organizations a comprehensive asset inventory, uncovers security solution coverage gaps, and automatically validates and enforces security policies. By seamlessly integrating with more than 130 security and management solutions, Axonius is deployed in minutes, improving cyber hygiene immediately. Covering millions of devices at customers like the New York Times, Schneider Electric, and AppsFlyer, Axonius was named the Most Innovative Startup of 2019 at the prestigious RSAC Innovation Sandbox and was named Rookie Security Company of the Year by SC Magazine. For more visit Axonius.com.
In this series of three blogs (part 1 here, part 2 here), we have so far covered how files can be promoted to “Evil Twins”, created and kept in the system as different entities once case sensitivity is enabled, and some of the issues raised by naive assumptions about case sensitivity during development.
In this third post we focus on the “confusion” technique. Although the technique itself is already known (Medium / Tyranidslair), its ramifications have not all been analyzed yet.
Going back to normalization: some Win32 APIs remove trailing whitespace (and other special characters) from the path name.
As mentioned in the previous post, this normalization can, in some cases, return the wrong result.
A common scenario, usable both as “bait” for the user to click and to hide what is really there, is to create a directory with the same name as an existing one but ending in a whitespace character.
A very trivial example “That’s not my notepad…..”:
Open Task Manager, right-click the “notepad” entry that shows the PuTTY icon -> Properties. The properties were read from the binary in the folder without the trailing space.
Open Explorer on “C:\Windows ” (with the trailing space); it will generate the illusion that the original files (from the folder without the trailing space) are there. This happens for any folder or file that is not present in the whitespace version.
Screenshots opening a McAfee Agent Folder:
Both folders opened; note that the whitespace version does not have any .dll or additional .exe but Explorer renders the missing files from the “normalized – non-whitespace directory”.
Trying to open the dll…
Getting properties from Task Manager fetches them from the normalized folder path, which means you can be tricked into thinking it is a trusted app.
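To make the normalization behaviour concrete, here is an added example in Python (not McAfee’s code). It creates a “notepad” folder and a “notepad ” twin in a scratch location (C:\Temp\evil-twin-demo is an assumption, chosen so that no admin rights are needed; the screenshots above use C:\Windows), shows that every normally opened path to the twin resolves to the original, and includes a listing scan that flags such twins. The creation part needs Windows; the scan runs anywhere.

```python
# Added example (not McAfee's code): build a trailing-space "evil twin" folder
# on Windows, show that normalized path operations land on the original, and
# scan a directory listing for such twins. Base folder and names are assumptions.
import os
import sys
from typing import Dict, List

RAW = "\\\\?\\"   # the \\?\ prefix tells Win32 to skip path normalization


def find_twins(names: List[str]) -> List[Dict[str, object]]:
    r"""Flag listing entries whose name differs from its normalized form.

    Win32 normalization strips trailing spaces and dots, so an entry such as
    'notepad ' can only have been created through a \\?\ path, and any normal
    open of 'C:\dir\notepad ' silently resolves to 'C:\dir\notepad'.
    """
    present = set(names)
    hits = []
    for name in names:
        normalized = name.rstrip(" .")
        if normalized != name:
            hits.append({
                "entry": name,
                "normalized": normalized,
                "shadows_existing": normalized in present,   # the classic confusion setup
            })
    return hits


def demo(base: str = r"C:\Temp\evil-twin-demo") -> Dict[str, object]:
    """Windows-only: create 'notepad' and 'notepad ' side by side and compare them."""
    if sys.platform != "win32":
        raise RuntimeError("this demo needs the Win32 path rules")
    normal = os.path.join(base, "notepad")
    twin = normal + " "                      # same name plus one trailing space
    os.makedirs(normal, exist_ok=True)
    try:
        os.mkdir(RAW + twin)                 # without RAW this would just re-create 'notepad'
    except FileExistsError:
        pass
    result = {
        # Both entries really exist on disk: FindFirstFile returns stored names verbatim.
        "twins_in_listing": find_twins(os.listdir(base)),
        # GetFullPathName drops the trailing space: the twin's path normalizes to the original.
        "normalized_twin_path": os.path.abspath(twin),
        # Opening the twin by its normal path resolves to the original directory ...
        "twin_is_original_via_normal_path": os.path.samefile(twin, normal),
        # ... while the raw path reaches the real, separate directory.
        "twin_is_original_via_raw_path": os.path.samefile(RAW + twin, normal),
    }
    os.rmdir(RAW + twin)                     # the twin can only be removed through a raw path too
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On Windows, `twin_is_original_via_normal_path` is True and `twin_is_original_via_raw_path` is False: the same spelling of the path reaches two different directories depending on whether the caller normalized it, which is exactly the gap Task Manager and Explorer fall into above. `find_twins` over a listing taken with a raw path is a cheap check to run on sensitive directories.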
Watch the video recorded by our expert Cedric Cochin illustrating this technique:
With summer coming to a close, it’s almost time for back to school! Back to school season is an exciting time for students, especially college students, as they take their first steps towards independence and embark on journeys that will shape the rest of their lives. As students across the country prepare to start or return to college, we here at McAfee have revealed new findings indicating that many are not proactively protecting their academic data. Here are the key takeaways from our survey of 1,000 Americans, ages 18-25, who attend or have attended college:
Education Needs to Go Beyond the Normal Curriculum
While many students are focused on classes like biology and business management, very few get the proper exposure to cybersecurity knowledge. 80% of students have been affected by a cyberattack or know a friend or family member who has been affected. However, 43% claim that they don’t think they will ever be a victim of a cybercrime in the future.
Educational institutions are very careful to promote physical safety, but what about cyber safety? It turns out only 36% of American students claim that they have learned how to keep personal information safe through school resources. According to 42% of our respondents, they learn the most about cybersecurity from the news. To help improve cybersecurity education in colleges and universities, these institutions should take a certain level of responsibility when it comes to training students on how they can help keep their precious academic data safe from cybercriminals.
Take Notes on Device Security
Believe it or not, many students fail to secure all of their devices, opening them up to even more vulnerabilities. While half of students have security software installed on their personal computers, this isn’t the case for their tablets or smartphones. Only 37% of students surveyed have smartphone protection, and only 13% have tablet protection. What’s more, about one in five (21%) students don’t use any cybersecurity products at all.
Class Dismissed: Cyberattacks Targeting Education Are on the Rise
According to data from McAfee Labs, cyberattacks targeting education in Q1 2019 have increased by 50% from Q4 2018. The combination of many students being uneducated in proper cybersecurity hygiene and the vast array of shared networks that these students are simultaneously logged onto gives cybercriminals plenty of opportunities to exploit when it comes to targeting universities. Some of the attacks utilized include account hijacking and malware, which made up more than 70% of attacks on these institutions from January to May of 2019. And even though these attacks are on the rise, 90% of American students still use public Wi-Fi and only 18% use a VPN to protect their devices.
Become a Cybersecurity Scholar
In order to go into this school year with confidence, students should remember these security tips:
Never reuse passwords. Use a unique password for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. You can also use a password manager so you don’t have to worry about remembering various logins.
Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public. Protect your identity by turning your profiles to private so you can control who can follow you. You should also take the time to understand the various security and privacy settings to see which work best for your lifestyle.
Use the cloud with caution. If you plan on storing your documents in the cloud, be sure to set up an additional layer of access security. One way of doing this is through two-factor authentication.
Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to keep your connection secure.
Discuss cyber safety often. It’s just as important for families to discuss cyber safety as it is for them to discuss privacy on social media. Talk to your family about ways to identify phishing scams, what to do if you may have been involved in a data breach, and invest in security software that scans for malware and untrusted sites.
And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
Businesses increasingly face a wide array of ever-changing cyber risks as they adapt to the technologies and trends of today’s work environment. The world is in the throes of a digital revolution that has brought a wide array of changes that enterprises must manage, from the Internet of Things to mobility management and many more. To ensure that enterprise security does not get breached, the importance of Enterprise Security Management (ESM) cannot be overstated.
Defining Enterprise Security Management
Enterprise Security Management refers to the entire set of end-to-end processes through which an enterprise creates a security management framework for the organization. A comprehensive ESM process covers the full range of security controls an enterprise follows, including endpoint security, network security management, intrusion prevention and detection systems, encryption, backup, patch management, Mobile Device Management (MDM), incident response plans and so on.
Enterprise Security Management is the key function that ties the entire organization to cyber security. It is, in many ways, the one interrelated process that connects the enterprise’s cyber security outlook and shapes its attitude towards threat prevention. A well-designed Enterprise Security Management process ensures that all the different parts of the process work in sync with each other to protect the enterprise from outside cyber threats. A disconnected process, on the other hand, results in one hand not knowing what the other is doing, causing confusion and incoherence across the enterprise. The consequences can be severe: cyber criminals look for exactly such enterprises, and a cyber attack can lead to both financial and reputational damage.
To go about creating a strong ESM process, it is important to first do a proper assessment of the following factors:
Critical Data – Not all data is the same, and this holds for every enterprise. Some data is absolutely critical to the company and must not be breached, some is confidential, and some is neither. An assessment of this categorization needs to be made, as it drives the different layers of data security.
Policies in place – Are the policies in place helping drive employees and the company’s outlook towards cyber security? Information security and cyber security are linked and it is a good idea to do a thorough review of the Information Security Policy of a company before finalizing on an enterprise security management approach.
Likely threats – A threat assessment report is very important for an enterprise to identify the types of threats it is most vulnerable to. This helps in creating strategies and contingency plans to deal with them. Threats can also be rated by the vulnerability they expose: 1. Extreme, 2. Medium, 3. Low.
Patch management – What is the current state of infrastructure, especially patch management? Is the enterprise using outdated software and hardware, poorly patched and hence making itself vulnerable to cyber attacks?
MDM readiness – With business shifting to mobile devices and the lines between the personal and the professional blurring, enterprises must evaluate their readiness when it comes to Mobile Device Management (MDM) and come to an agreement about the kind of security controls they would like to impose.
The above points make the importance of Enterprise Security Management (ESM) quite evident. For support in this regard, organizations can consider Seqrite, a leader in cyber security, for a secure platform that lets businesses keep their data safe online. Its multi-layered solution offers a range of powerful tools that allow enterprises to block malware, vulnerabilities and unauthorized access, helping create a low-risk enterprise.
Almost one year ago now, I declared extended validation certificates dead. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren't displaying it on mobile clients). The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.
The writing might have been on the wall a year ago, but the death warrant is now well and truly inked with both Chrome and Firefox killing it stone cold dead. Here's the Google announcement:
On HTTPS websites using EV certificates, Chrome currently displays an EV badge to the left of the URL bar. Starting in Version 77, Chrome will move this UI to Page Info, which is accessed by clicking the lock icon.
In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information).
Chrome 77 is currently scheduled to ship on September 10 and Firefox 70 on October 22. With both browsers auto-updating for most people, we're about 10 weeks out from no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with! Oh sure, you can still drill down into the certificate and see the entity name, but who's really going to do that? You and I, perhaps, but we're not exactly in the meat of the browser demographics.
I will admit to some amusement in watching all this play out, partly because the ludicrous claims about EV efficacy really come crashing down when it's no longer visible to the end user. But also partly because of comments along the lines of "Google is pushing the EV changes into the spec". Google wasn't pushing anything into a spec, no more so than Apple was last year and Mozilla is now, they were all simply adapting their own UIs to better service their customers and they've all arrived at the same conclusion: remove the EV entity name. But it's the reasons why they're doing this that I find particularly interesting, for example in the Chrome announcement:
Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.
That absolutely nails it - users aren't going to change their behaviour when they see a DV padlock rather than an EV entity name. This is precisely what Mozilla called out in their announcement:
The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been pitting EV against domains for phishing.
In fact, Mozilla went even further and referenced the great work that Ian Carroll did when he registered a colliding entity name and got an EV cert for it:
More recently, it has been shown that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.
All Ian had to do was spend $100 registering "Stripe Inc" in a different US state to the payment processor you'd normally associate the name with, then another $77 on the EV cert, and less than an hour later he had this newsworthy result:
I'm assuming the bit about brand refers to the entity name in EV as it doesn't appear against OV or DV on that page. Oh - and just for reference, DigiCert refused to issue Ian a certificate for Stripe due to "risk factors". What risk factors? Well...
There were risk factors for the EV business model.
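The collision Mozilla refers to, shown on two test certificates as an added illustration that is not part of the original post. The certificates are self-signed and built here with Python's `cryptography` package; the organisation name, jurisdictions, registration numbers and domains are made up (not Stripe's or anyone else's real details). The point is which subject fields the old EV badge surfaced and which ones it did not.

```python
# Added example (not from the original post): two self-signed, EV-style test
# certificates whose Organization names collide while the fields that actually
# identify a legal entity (jurisdiction, registration number) differ.
# All names, jurisdictions and numbers below are made up for the demo.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def ev_style_cert(org: str, jurisdiction_state: str, registration_number: str,
                  domain: str) -> x509.Certificate:
    """Self-signed certificate carrying the subject fields the EV Guidelines require."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, jurisdiction_state),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, domain),
        # EV-specific subject fields: what kind of entity, where it is registered, and its
        # registration number in that jurisdiction. These never appeared in the address bar.
        x509.NameAttribute(NameOID.BUSINESS_CATEGORY, "Private Organization"),
        x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, jurisdiction_state),
        x509.NameAttribute(NameOID.SERIAL_NUMBER, registration_number),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)                       # self-signed: demo only, no CA involved
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(domain)]), critical=False)
        .sign(key, hashes.SHA256())
    )


def _attr(cert: x509.Certificate, oid) -> str:
    attrs = cert.subject.get_attributes_for_oid(oid)
    return attrs[0].value if attrs else ""


def ev_badge_text(cert: x509.Certificate) -> str:
    """What the old EV UI put next to the URL: organisation name and country only."""
    return f"{_attr(cert, NameOID.ORGANIZATION_NAME)} [{_attr(cert, NameOID.COUNTRY_NAME)}]"


def ev_legal_identity(cert: x509.Certificate) -> tuple:
    """What actually distinguishes one registered company from another."""
    return (
        _attr(cert, NameOID.ORGANIZATION_NAME),
        _attr(cert, NameOID.JURISDICTION_COUNTRY_NAME),
        _attr(cert, NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME),
        _attr(cert, NameOID.SERIAL_NUMBER),
    )


def build_colliding_pair():
    """The established company and a look-alike registered under the same name elsewhere."""
    real = ev_style_cert("Example Payments, Inc.", "Delaware", "4893920", "example-payments.com")
    lookalike = ev_style_cert("Example Payments, Inc.", "Kentucky", "1083477", "example-payments.net")
    return real, lookalike


if __name__ == "__main__":
    real, lookalike = build_colliding_pair()
    print("badge:", ev_badge_text(real), "|", ev_badge_text(lookalike))
    print("identity:", ev_legal_identity(real), "|", ev_legal_identity(lookalike))
```

Both certificates would have produced the identical green badge; only someone who opens the certificate and reads the jurisdiction and registration-number fields can tell them apart, which is the "who's really going to do that?" problem in one screenful.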
It's time for re-sellers to clean up their act too, for example The SSL Store:
I chose to leave the entire browser window in this screen grab to highlight the irony of "The SSL Store" having an EV cert issued to "Rapid Web Services". Remember one of Apple's complaints - "Org name is not tied to users intended destination" - yeah...
Actually, The SSL Store provides many great opportunities for reflection on the EV craziness that was (it's pretty safe to use the past tense now). Their piece on how EV provides "tremendous value" is clearly now on the nose and is full of great zingers such as how important it is to be able to differentiate PayPal.com from FakePayPal.com. Why a great zinger? Because PayPal themselves decided that didn't matter back in September last year. And since that entire piece was in response to me writing about just how useless EV was even back then, let's pick it apart even further, for example:
The value of an EV certificate is clear. It is the ability to know more than your browser can assert through connecting to a hostname, parsing a certificate file, and verifying an encryption key.
Ouch - that didn't age well!
EV is now really, really dead. The claims that were made about it have been thoroughly debunked and the entire premise on which it was sold is about to disappear. So what does it mean for people who paid good money for EV certs that now won't look any different to DV? I know precisely what I'd do if I was sold something that didn't perform as advertised and became indistinguishable from free alternatives...
Posted by Dongjing He, Software Engineer and Christiaan Brand, Product Manager
Passwords, combined with Google's automated protections, help secure billions of users around the world. But new security technologies are surpassing passwords in terms of both strength and convenience. With this in mind, we are happy to announce that you can verify your identity by using your fingerprint or screen lock instead of a password when visiting certain Google services. The feature is available today on Pixel devices and coming to all Android 7+ devices over the next few days.
Simpler authentication experience when viewing your saved password for a website on passwords.google.com
These enhancements are built using the FIDO2 standards, W3C WebAuthn and FIDO CTAP, and are designed to provide simpler and more secure authentication experiences. They are a result of years of collaboration between Google and many other organizations in the FIDO Alliance and the W3C.
An important benefit of using FIDO2 versus interacting with the native fingerprint APIs on Android is that these biometric capabilities are now, for the first time, available on the web, allowing the same credentials to be used by both native apps and web services. This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both the native application and the web service.
Note that your fingerprint is never sent to Google’s servers - it is securely stored on your device, and only a cryptographic proof that you’ve correctly scanned it is sent to Google’s servers. This is a fundamental part of the FIDO2 design.
Here is how it works
Google is using the FIDO2 capability on Android to register a platform-bound FIDO credential. We remember the credential for that specific Android device. Now, when the user visits a compatible service, such as passwords.google.com, we issue a WebAuthn “Get” call, passing in the credentialId that we got when creating the credential. The result is a valid FIDO2 signature.
High-level architecture of using fingerprint or screen lock on Android devices to verify a user’s identity without a password
Please follow the instructions below if you’d like to try it out.
Prerequisites
Phone is running Android 7.0 (Nougat) or later
Your personal Google Account is added to your Android device
Valid screen lock is set up on your Android device
For additional security
Remember, Google's automated defenses securely block the overwhelming majority of sign-in attempts even if an attacker has your username or password. Further, you can protect your accounts with two-step verification (2SV), including Titan Security Keys and Android phone’s built-in security key.
Both security keys and local user verification based on biometrics use the FIDO2 standards. However, these two protections address different use cases. Security keys are used for bootstrapping a new device as a second factor as part of 2SV in order to make sure it’s the right owner of the account accessing it. Local user verification based on biometrics comes after bootstrapping a device and can be used for re-authentication during step-up flows to verify the identity of the already signed-in user.
This new capability marks another step on our journey to making authentication safer and easier for everyone to use. As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services. Check out this presentation to get an early glimpse of the use cases that we are working to enable next.
Following on from the McAfee Protects against suspicious email attachments blog, this blog describes how the AMSI (Antimalware Scan Interface) is used within the various McAfee Endpoint products. The AMSI scanner within McAfee ENS 10.6 has already detected over 650,000 pieces of malware since the start of 2019. This blog will help show you how to enable it, and explain why it should be enabled, by highlighting some of the malware we are able to detect with it.
ENS 10.6 and Above
The AMSI scanner will scan scripts once they have been executed. This enables the scanner to de-obfuscate the script and scan it using DAT content. This is useful as the original scripts can be heavily obfuscated and are difficult to generically detect, as shown in the image below:
Figure 1 – Obfuscated VBS script being de-obfuscated with AMSI
Enable the Scanner
By default, the AMSI scanner is set to observe mode. This means that the scanner is running but it will not block any detected scripts; instead the detection will appear in the ENS log and event viewer as shown below:
Figure 2 – Would Block in the Event log
To actively block the detected threats, you need to de-select the following option in the ENS settings:
Figure 3 – How to enable Blocking
Once this has been done, the event log will show that the malicious script has now been blocked:
Figure 4 – Action Blocked in Event Log
In the Wild
Since January 2019, we have observed over 650,000 detections and this is shown in the IP Geo Map below:
Figure 5 – Geo Map of all AMSI detection since January 2019
We are now able to block some of the most prevalent threats with AMSI. These include PowerMiner, Fileless MimiKatz and JS downloader families such as JS/Nemucod.
The section below describes how these families operate, and their infection spread across the globe.
The PowerMiner malware is a cryptocurrency malware whose purpose is to infect as many machines as possible to mine Monero currency. The initial infection vector is via phishing emails which contain a batch file. Once executed, this batch file will download a malicious PowerShell script which will then begin the infection process.
The infection flow is shown in the graph below:
Figure 6 – Infection flow of PowerMiner
With the AMSI scanner, we can detect the malicious PowerShell script and stop the infection from occurring. The Geo IP Map below shows how this malware has spread across the globe:
Figure 7 – Geo Map of PS/PowerMiner!ams detection since January 2019
McAfee Detects PowerMiner as PS/PowerMiner!ams.a.
Mimikatz is a tool which enables the extraction of passwords from the Windows LSASS. Mimikatz was previously used as a standalone tool, however malicious scripts have been created which download Mimikatz into memory and then execute it without it ever being downloaded to the local disk. An example of a fileless Mimikatz script is shown below (note: this can be heavily obfuscated):
Figure 8 – Fileless Mimikatz PowerShell script
The Geo IP Map below shows how fileless Mimikatz has spread across the globe:
Figure 9 – Geo IP Map of PS/Mimikatz detection since January 2019
McAfee can detect this malicious script as PS/Mimikatz.a, PS/Mimikatz.b, PS/Mimikatz.c.
Figure 10 – Infection flow of Js/Downloader
Figure 11 – Example phishing email distributing JS/Downloader
Below is the IP Geo Map of AMSI JS/Downloader detections since January 2019:
Figure 12 – Geo Map of AMSI-FAJ detection since January 2019
The AMSI scanner detects this threat as AMSI-FAJ.
MVISION Endpoint and ENS 10.7
MVISION Endpoint and ENS 10.7 (Not currently released) will use Real Protect Machine Learning to detect PowerShell AMSI generated content.
This is done by extracting features from the AMSI buffers and running these against the ML classifier to decide if the script is malicious or not. An example of this is shown below:
Thanks to this detection technique, MVISION EndPoint can detect Zero-Day PowerShell threats.
We hope that this blog has helped highlight why enabling AMSI is important and how it will help keep your environments safe.
We recommend our customers who are using ENS 10.6 on a Windows 10 environment enable AMSI in ‘Block’ mode so that when a malicious script is detected it will be terminated. This will protect Endpoints from the threats mentioned in this blog, as well as countless others.
Customers using MVISION EndPoint are protected by default and do not need to enable ‘Block’ mode.
All testing was performed with the V3 DAT package 3637.0 which contains the latest AMSI Signatures. Signatures are being added to the V3 DAT package daily, so we recommend our customers always use the latest ones.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. A widely used Transport Layer Protocol, SSH is used to secure connections between clients and servers. SSH was basically designed as a replacement for conventional Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh, and rexec protocols. These protocols send critical information, such as passwords, in plain text format, and are susceptible to interception and disclosure using methods like packet analysis or deep packet inspection. The encryption used by SSH provides confidentiality and integrity of data over an unsecured network, such as the Internet.
How Does SSH Work?
The SSH protocol employs a client-server model for authentication and encryption of data transferred between them.
Negotiating Encryption for the Session
Version Exchange: When a TCP connection is made by a client, the server responds with the protocol versions it supports. If the client can match one of the acceptable protocol versions, the connection continues.
Key Exchange Initialization: To kick off the key exchange, both sides send an SSH_MSG_KEXINIT message to each other, listing the cryptographic primitives they support in order of preference. These primitives are the basic building blocks used to perform key exchange and bulk data encryption. The following table (Tab.1) shows some examples of cryptographic primitives.
Diffie-Hellman Initialization: The client begins the key exchange by generating an ephemeral key pair (a private key and its associated public key) and sending its public key to the server in an SSH_MSG_KEX_ECDH_INIT message (Fig. 2). The server checks the authorized_keys file of the account that the client is attempting to log into for the key ID. If strict key checking is enabled and the key is not found to be correct, the server rejects the connection, thereby safeguarding the server from connecting with unknown clients. The key pair is used only during this key exchange and is discarded afterwards, so an attacker who passively records the encrypted traffic has no long-lived private key to steal later. This property is called forward secrecy.
Diffie-Hellman Reply: On receiving the SSH_MSG_KEX_ECDH_INIT message, the server generates its own ephemeral key pair. The server derives the shared secret K from its own ephemeral private key and the client’s public key. After the shared secret has been generated, an exchange hash H is computed (Fig. 3). The server signs the exchange hash to produce its signature HS (Fig. 4).
The exchange hash and its signature serve several purposes:
• Verifying the signature on the exchange hash lets the client confirm that the server holds the host private key. If the signature verifies, the client is connected to the correct server.
• Signing the exchange hash rather than all of its inputs keeps the handshake fast.
The exchange hash is generated by taking the hash (SHA-256, SHA-384 or SHA-512, as dictated by the key exchange algorithm) of the following fields:
• Magics M
• Server host public key (or certificate) HPub
• Client public key A
• Server public key B
• Shared secret K
Magics consists of the client version, the server version, the client’s SSH_MSG_KEXINIT message and the server’s SSH_MSG_KEXINIT message. With this information in hand, the server can construct the SSH_MSG_KEX_ECDH_REPLY message from the following:
• ephemeral public key of the server B,
• the host public key of the server HPub,
• and the signature on the exchange hash HS.
After SSH_MSG_KEX_ECDH_REPLY is received by client, the client can calculate the secret K and the exchange hash H.
The client extracts the host public key (or certificate) from SSH_MSG_KEX_ECDH_REPLY and verifies the signature of exchange hash HS, hence proving the ownership of the host private key.
In order to prevent Man-in-the-Middle (MITM) attacks, after the signature is validated, the host public key (or certificate) retrieved is checked against a local database of the trusted hosts; if this key (or certificate) is not trusted the connection is terminated.
If you have ever seen a message like below (Fig. 5), it means that the key presented is not in your local database of known hosts.
Authenticating the User’s Access to the Server
The next stage involves authenticating the user and deciding access. There are various mechanisms for authentication but which mechanism to use depends upon what purpose the server is configured for.
The simplest is password authentication, but it is strongly discouraged because of its weaknesses and the prevalence of automated password-guessing scripts.
The most popular and recommended alternative is the use of SSH key pairs. SSH key pairs are asymmetric keys. The public key is used to encrypt data that can only be decrypted with the private key. The public key can be freely shared, because, although it can encrypt for the private key, there is no method of deriving the private key from the public key.
SSH provides a secured encrypted channel for configuration of remote servers, established by agreed cryptographic primitives, and user authentication by asymmetric key pairs.
The following diagram shows various stages of SSH handshake in establishing a secured channel that uses a password authentication mechanism.
Web security firm Cloudflare’s decision to terminate 8chan as a customer is welcome, but risks setting a dangerous precedent
Last Saturday morning, a gunman armed with an assault rifle walked into a Walmart store in El Paso, Texas, and shot 22 people dead and injured 24 more. Shortly before he did so, a post by him appeared on the /pol/ [politically incorrect] message board of the far-right website 8chan. Attached to it was a four-page “manifesto”. The 8chan thread was quickly deleted by a site moderator (it was news to me that 8chan had moderators), but archived copies of it rapidly circulated on the internet.
“There is nothing new in this killer’s ramblings,” wrote one analyst who had read it. “He expresses fears of the same ‘replacement’ of white people that motivated the Christchurch shooter and notes that he was deeply motivated by that shooter’s manifesto.”
Well that's Vegas done. 8 days of absolutely non-stop events that's now pretty much robbed me of my voice but hey, I got a flying cow! Scott and I both spent BSides, Black Hat and DEF CON doing "hallway con" or in other words, wandering around just meeting people. The personal engagement you get from these ad hoc meetups really can't be beat and I appreciate everyone who took the time to come over and say hi. Just a sample of our week is below:
Editor’s note: This is Part II of helping kids manage digital risks this new school year. Read Part I.
The first few weeks back to school can be some of the most exciting yet turbulent times of the year for middle and high schoolers. So as brains and smartphones shift into overdrive, a parent’s ability to coach kids through digital drama is more critical than ever.
Paying attention to these risks is the first step in equipping your kids to respond well to any challenges ahead. Kids face a troubling list of social realities their parents never had to deal with such as cyberbullying, sexting scandals, shaming, ghosting, reputation harm, social anxiety, digital addiction, and online conflict.
As reported by internet safety expert and author Sue Scheff in Psychology Today, recent studies also reveal that young people are posting under the influence and increasingly sharing risky photos. Another study cites that 20 percent of teens and 33 percent of young adults have posted risky photos and about 8 percent had their private content forwarded without their consent.
No doubt, the seriousness of these digital issues is tough to read about but imagine living with the potential of a digital misstep each day? Consider:
How would you respond to a hateful or embarrassing comment on one of your social posts?
What would you do if your friends misconstrued a comment you shared in a group text and collectively started shunning you?
What would you do if you discovered a terrible rumor circulating about you online?
Where would you turn? Where would you find support and guidance?
If any of these questions made you anxious, you understand why parental attention and intention today is more important than ever. Here are just a few of the more serious sit-downs to have with your kids as the new school year gets underway.
Let’s Talk About It
Define digital abuse. For kids, the digital conversation never ends, which makes it easier for unacceptable behaviors to become acceptable over time. Daily stepping into a cultural melting pot of values and behaviors can blur the lines for a teenage brain that is still developing. For this reason, it’s critical to define inappropriate behavior such as cyberbullying, hate speech, shaming, crude jokes, sharing racy photos, and posting anything intended to cause hurt to another person.
If it’s public, it’s permanent. Countless reputations, academic pursuits, and careers have been shattered because someone posted reckless digital content. Everything — even pictures shared between best friends in a “private” chat or text — is considered public. Absolutely nothing is private or retractable. That includes impulsive tweets or contributing to an argument online.
Steer clear of drama magnets. If you’ve ever witnessed your child weather an online conflict, you know how brutal kids can be. While conflict is part of life, digital conflict is a new level of destruction that should be avoided whenever possible. Innocent comments can quickly escalate out of control. Texting compromises intent and distorts understanding. Immaturity can magnify miscommunication. Encourage your child to steer clear of group texts, gossip-prone people, and topics that can lead to conflict.
Mix monitoring and mentoring. Kids inevitably will overshare personal details, say foolish things, and make mistakes online. Expect a few messes. To guide them forward, develop your own balance of monitoring and mentoring. To monitor, know what apps your kids use and routinely review their social conversations (without commenting on their feeds). Also, consider a security solution to help track online activity. As a mentor, listening is your superpower. Keep the dialogue open, honest, and non-judgmental and let your child know that you are there to help no matter what.
Middle and high school years can be some of the most friendship-rich and perspective-shaping times in a person’s life. While drama will always be part of the teenage equation, digital drama and its sometimes harsh fallout doesn’t have to be. So take the time to coach your kids through the rough patches of online life so that, together, you can protect and enjoy these precious years.
Management. Control. It seems that you can’t stick five people in a room together without one of them trying to order the others around. This tendency towards centralized authority is not without reason, however – it is often more efficient to have one person, or thing, calling the shots. For an example of the latter, one need look no further than Delta’s enteliBUS Manager, or eBMGR. Put simply, this device aims to centralize control for various pieces of hardware often found in corporate or industrial settings, whether it be temperature and humidity controls for a server room, a boiler and its corresponding alarms and sensors in a factory, or access control and lighting in a business. The advantages seem obvious, too – it can be configured to adjust fan speeds according to thermostat readings or sound an alarm if pressure crosses a certain threshold, all with little human interaction.
The disadvantages, while less obvious, become clear when one considers tech-savvy malicious actors. Suddenly, your potentially critical system now has a single point of failure, and one that is attached to a network, to make matters worse.
Consider for a moment a positive pressure room in a hospital, the kind typically used to keep out contaminants during surgeries. Managing rooms such as these is a typical application for the eBMGR and it does not take an overactive imagination to envision what kind of damage a bad actor could cause if they disrupted such a sensitive environment.
Management. Control. That’s what’s at stake if a device such as this is not properly secured. It’s also what made this device such a high priority for McAfee’s Advanced Threat Research team. The decision to make network-connected critical systems such as these demands an extremely high standard of software security – finding where it might fall short is precisely our job.
With these stakes in mind, our team went to work. We began by hooking up an eBMGR unit to a network with several other devices to simulate an environment somewhat true to life. Using a technique known as “fuzzing”, we then blasted the device with all kinds of deliberately malformed network traffic, looking for a chink in the armor. That is one advantage often afforded to the bad guys in software security; they can make many mistakes; manufacturers need only make one.
Perhaps unsurprisingly, persistence and creativity led us to discover one such mistake: a mismatch in the memory sizes used to handle incoming network data created what is often referred to as a buffer overflow vulnerability. This seemingly innocuous mistake rendered the eBMGR vulnerable to our carefully crafted network attack, which allows a hacker on the same network to gain complete control of the device’s operating system. Worse still, the attack uses what is known as broadcast traffic, meaning they can launch the attack without knowing the location of the targets on the network. The result is a twisted version of Marco Polo – the hacker needs only shout “Marco!” into the darkness and wait for the unsuspecting targets to shout “Polo!” in response.
In this field, complete control of the operating system is typically the finish line. But we weren’t content with just that. After all, controlling the eBMGR on its own is not all that interesting; we wanted to see if we could use it to control all the devices it was connected to. Unfortunately, we did not have the source code for the device’s software, so this new goal proved non-trivial.
We went back to the drawing board and acquired some additional hardware that the Delta device might realistically be charged with managing and had a certified technician program the device just as he would for a real-world client – in our case, as an HVAC controller. Our strategy quickly became what is often referred to as a replay attack. As an example, if we wanted to determine how to tell the device to flip a switch, we would first observe the device flipping the switch in the “normal” way and try to track down what code had to run for that to happen. Next, we would try to recreate those conditions by running that code manually, thus replaying the previously observed event. This strategy proved effective in granting us control over every category of device the eBMGR supports. Moreover, this method remains agnostic to the specific hardware attached to the building manager. Hypothetically, this sort of attack would work without any prior knowledge of the device’s configuration.
The result was an attack that would compromise any enteliBUS Manager on the same network and attach a custom piece of malware we developed to the software running on it. This malware would then create a backdoor which would allow the attacker to remotely issue commands to the manager and control any hardware connected to it, whether it be something as benign as a light switch or as dangerous as a boiler.
To make matters worse, if the attacker knows the IP address of the device ahead of time, this exploit can be performed over the Internet, increasing its impact exponentially. At the time of this writing, a Shodan scan revealed that over 1600 such devices are internet connected, meaning the danger is far from hypothetical.
For those craving the nitty-gritty technical details of how we went about accomplishing this, we also published what is arguably a novella here that delves into the vulnerability discovery and exploitation process from start to finish.
In keeping with our responsible disclosure program, we reached out to Delta Controls as soon as we confirmed that the initial vulnerability we discovered was exploitable. Shortly thereafter, they provided us with a beta version of a patch meant to fix the vulnerability and we confirmed that it did just that – our attack no longer worked. Furthermore, by using our understanding of how the attack is performed at a network level, we were able to add mitigation for this vulnerability to McAfee’s Network Security Platform (NSP) via NSP signature 0x45d43f00, helping our customers remain secure. This is our idea of a success story – researchers and vendors coming together to improve security for end users and ultimately reduce the attack surface for the adversary. If there’s any doubt they are interested in targets like these, a quick search will illuminate the myriad attempts to exploit industrial control systems as a top target of interest.
Before we leave you with “all’s well that ends well”, we want to stress that there is a lesson to be learned here: it doesn’t take much to make a critical system vulnerable. Thus, it is important that companies extend proper security practices to all network-connected devices – not just PCs. Such practices might include placing all internet-connected devices behind a firewall, monitoring traffic to these devices, segregating them from the rest of the network using VLANs, and staying on top of security updates. For critical systems that cannot afford significant downtime, updates are often pulled instead of pushed, putting the onus on end users to keep these devices up to date. Whatever the precise implementation may be, a good security policy often begins by adopting the principle of least privilege, or the idea that all access should be restricted by default unless there is a compelling reason for it. For example, before approaching the challenge of keeping a device like the eBMGR secure on the internet, it’s important to first ask if having it connected to internet is necessary in the first place.
While companies and consumers should certainly take the proper steps to keep their networks secure, manufacturers must also take a proactive approach towards addressing vulnerabilities that impact their end users. Delta Controls’ willingness to collaborate and timely response to our disclosure certainly seems like a step in the right direction. Please refer to the following statement from Delta Controls which provides insight into the collaboration with McAfee and the power of responsible disclosure.
The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated an industrial control system (ICS) produced by Delta Controls. The product, called “enteliBUS Manager”, is used for several applications, including building management. Our research into the Delta controller led to the discovery of an unreported buffer overflow in the “main.so” library. This flaw, identified by CVE-2019-9569, ultimately allows for remote code execution, which could be used by a malicious attacker to manipulate access control, pressure rooms, HVAC and more. We reported this research to Delta Controls on December 7th, 2018. Within just a few weeks, Delta responded, and we began an ongoing dialog while a security fix was built, tested and rolled out in late June of 2019. We commend Delta for their efforts and partnership throughout the entire process.
The vulnerable firmware version tested by McAfee’s Advanced Threat Research team is 3.40.571848. It is likely earlier versions of the firmware are also vulnerable, however ATR has not specifically tested these. We have confirmed the patched firmware version 3.40.612850 effectively remediates the vulnerability.
This blog is intended to provide a deep and thorough technical analysis of the vulnerability and its potential impact. For a high-level, non-technical walk through of this vulnerability, please refer to our summary blog post here.
Exploring the Attack Surface
The first task when researching a new device is to understand how it works from both a software and hardware perspective. Like many devices in the ICS realm, this device has three main software components; the bootloader, system applications, and user-defined programming. While looking at software for an attack vector is important, we do not focus on any surface which is defined by the users since this will potentially change for every install. Therefore, we want to focus on the bootloader and the system applications. With the operating system, it is common for manufacturers to implement custom code to operate the device regardless of an individual user’s programming. This custom code is often where most vulnerabilities exist and extends across the entire product install base. Yet, how do we access this code? As this is a critical system, the firmware and software are not publicly available and there is limited documentation. Thus, we are limited to external reconnaissance of the underlying system software. Since the most critical vulnerabilities are remote, it made sense to start with a simple network scan of the device. A TCP scan showed no ports open and a UDP scan only showed ports 47808 and 47809 to be open. Referring to the documentation, we determined this is most likely used for a protocol called Building Automation Control Network (BACnet). Using a BACnet-specific network enumeration script, we determined slightly more information:
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 11:03 EDT
Nmap scan report for 192.168.7.15
Host is up (0.00032s latency).

PORT      STATE SERVICE
47808/udp open  bacnet
| bacnet-info:
|   Vendor ID: Delta Controls (8)
|   Vendor Name: Delta Controls
|   Object-identifier: 29000
|   Firmware: 571848
|   Application Software: V3.40
|   Model Name: eBMGR-TCH
The next question is, what can we learn from the hardware? To answer this question, the device was first carefully disassembled, as shown in Figure 1.
The controller has one board to manage the display and a main baseboard which holds a System on a Module (SOM) chip containing both the processor and flash modules. With a closer look at the baseboard, we made a few key observations. First, the processor is an ARM926EJ core processor, the flash module is a ball grid array (BGA) chip, and there are several unpopulated headers on the board.
To examine the software more effectively, we needed to determine a method of extracting the firmware. The BGA chip used by the system for flash memory will most likely hold the firmware; however, this poses another challenge. Unlike other chips, BGA chips do not provide pins externally which can be attached to. This means that to access the chip directly, we would need to desolder it from the board. This is not ideal since we risk damaging the system.
We also noticed several unpopulated headers on the board. This was promising, as we might find an alternative method of extracting the firmware using one of these headers. Soldering pins to each of the unpopulated headers and using a logic analyzer, we determined that the 4-pin header in the center of the board is a universal asynchronous receiver-transmitter (UART) header running at a baud rate of 115200.
Using the Exodus XI Breakout board (shout out to @Logan_Brown and the Exodus team) to connect to the UART headers, we were met with an unprotected root prompt on the system. Now with full access to the system, we could start to gain a deeper understanding of how the system works and extract the firmware.
Firmware Extraction and System Analysis
With the UART interface, we could now explore the system in real-time, but how could we extract the firmware for offline analysis? The device has two USB ports which we were able to use to mount a USB drive. This allowed us to copy what is running in memory using dd onto a flash drive, effectively extracting the firmware. The next question was, what do we copy?
Using “/proc/mtd” to gain information about how memory is partitioned, we could see file systems located on mtd4 and mtd5. We used dd to copy off both the mtd4 and mtd5 partitions. We later discovered that one of the images is a backup used as a system fallback if a persistent issue is detected. This copied filesystem became increasingly useful as the project continued.
With the active UART connection, it was now possible to investigate more about how the system is running. Since we were able to previously determine the device is only listening on ports 47808 and 47809, whichever application is listening on these ports would be the only point of an attack for a remote exploit. This was quickly confirmed using “netstat -nap” from the UART console.
We noticed that port 47808 was being used by an application called “dactetra”. With minimal further investigation, it was determined that this is a Delta-controller-specific binary responsible for the main functions of the device.
Finding a Vulnerability
With a device-specific binary listening on the network via an open port, we had an ideal place to start looking for a vulnerability. We used the common approach of network fuzzing to start our investigation. To implement network fuzzing for BACnet, we turned to a tool produced by Synopsys called Defensics, which has a module designed for BACnet servers. Although this device is not a BACnet server and functions more as a router, this test suite provided several universal test cases which gave us a great place to start. BACnet utilizes several types of broadcast packets to communicate. Two such broadcast packets, “Who-Is” and “I-Am” packets, are universal to all BACnet devices and Defensics provides modules to work with them. Using the Defensics fuzzer to create mutations of these packets, we were able to observe the device encountering a failure point, producing a core dump and immediately rebooting, shown in Figure 5.
The test case which caused the crash was then isolated and run several more times to confirm the crash was repeatable. We discovered during this process that it takes an additional 96 packets sent after the original malformed packet to cause the crash. The malformed packet in the series was an “I-Am” packet, as seen below. The full packet is not shown due to its size.
Examining further, we could quickly see that the fuzzer created a packet with a BACnet layer size of 8216 bytes, using “0x22”. We could also see the fuzzer recognized the max acceptable size for the BACnet application layer as only 1476 bytes. Additional testing showed that sending only this packet did not produce the same results; only when all 97 packets were sent did the crash occur.
Analyzing the Crash
Since the system provides a core dump upon crashing, it was logical to analyze it for further information. From the core dump (reproduced in Figure 7), we could see the device encountered a segmentation fault. We also saw that register R0 contained what looked like data copied from our malformed packet, along with the backtrace being potentially corrupted.
The core dump also provided us the precise location of the crash. Using the memory map from the device, it was possible to determine that address 0x4026e580 is located in memcpy. Since the device does not deploy Address Space Layout Randomization (ASLR), the memory address did not change throughout our testing. As we had successfully extracted the firmware, we used IDA Pro to attempt to learn more about why this crash was occurring. The developers did not strip the binaries during compiling time, which helped simplify the reversing process in IDA.
The disassembly told us that memcpy was attempting to write what was in R3 to the “address” stored in R0. In this case, however, we had corrupted that address, causing the segmentation fault. The contents of several other registers also provided additional information. The value 0x81 in R3 was potentially the first byte of a BACnet packet from the BACnet Virtual Link Control (BVLC) layer, identifying the packet as BACnet. By looking at R3 and the values at the address in R5 together, we confirmed with more certainty that this was in fact the BVLC layer. This implied the data being copied was from the last packet sent and the destination for the copied data was taken from the first malformed packet. Registers R8 and R10 held the source and destination port numbers, respectively, which in this case were both 0xBAC0 (accounting for endianness), or 47808, the standard BACnet port. R4 held a memory address which, when examined, showed a section of memory that looks to have been overwritten. Here we saw data from our malformed packet (0x22); in some areas, memory was partially overwritten with our packet data. The value for the destination of the memcpy appeared to be coming from this region of memory. With no ASLR enabled, we could again count on this always landing in the same location.
At this point, with the information provided by the core dump, packets, and IDA, we were fairly certain that the crash found was a buffer overflow. However, memcpy is a very common function, so we needed to determine where exactly this crash was coming from. If the destination address for the memcpy was getting corrupted, then the crash in memcpy was simply collateral damage from the buffer overflow – so what code was causing the buffer overflow to occur? A good place to start this analysis would be the backtrace; however, as seen above, the backtrace was corrupted by our input. Since this device uses an ARM processor, we could look at the LR register for clues on what code called this memcpy. Here, LR was pointing to 0x401e68a8 which, when referencing the memory map of the process, falls in “main.so”. After calculating the offset to use for static analysis, we arrived at the code in Figure 10.
The LR register was pointing to the instruction which is called after memcpy returns. In this case, we were interested in the instruction right before the address LR is pointing to, at offset 0x15C8A4. At first glance, we were surprised not to see the expected memcpy call; however, digging a little deeper into the scNetMove function we found that scNetMove is simply a wrapper for memcpy.
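Resolving a faulting address or return address against the process memory map, as done above, is a mechanical crash-triage step worth automating. The following is an added illustration, not the researchers' tooling: the maps excerpt is constructed, with main.so placed at a base of 0x4008A000 so that LR minus 4 (0x401e68a4) resolves to the 0x15C8A4 offset quoted in the text; the other module ranges and paths are placeholders.

```c
#include <stdio.h>
#include <string.h>

/* One line of a /proc/<pid>/maps listing: start-end perms offset dev inode [path]. */
typedef struct {
    unsigned long start, end, file_off;
    char path[64];
} map_entry_t;

/* Parse maps-style text into entries; returns how many were parsed. */
static int parse_maps(const char *text, map_entry_t *out, int max)
{
    int n = 0;
    const char *line = text;
    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        map_entry_t e;
        memset(&e, 0, sizeof e);
        /* perms, dev and inode are skipped; an anonymous mapping has no path. */
        int got = sscanf(buf, "%lx-%lx %*4s %lx %*s %*s %63s",
                         &e.start, &e.end, &e.file_off, e.path);
        if (got >= 3) {
            if (got < 4) strcpy(e.path, "[anon]");
            out[n++] = e;
        }
        line = nl ? nl + 1 : line + len;
    }
    return n;
}

/* Map an absolute address to (module path, file offset). Returns 1 on a hit. */
static int resolve_addr(const map_entry_t *maps, int n, unsigned long addr,
                        const char **path, unsigned long *off)
{
    for (int i = 0; i < n; i++) {
        if (addr >= maps[i].start && addr < maps[i].end) {
            *path = maps[i].path;
            *off = maps[i].file_off + (addr - maps[i].start);
            return 1;
        }
    }
    return 0;
}

/* Constructed maps excerpt (not captured from the device). main.so is placed
 * at 0x4008A000 so that LR-4 = 0x401e68a4 yields the 0x15C8A4 offset quoted
 * in the text; the other ranges and paths are illustrative placeholders. */
static const char *SAMPLE_MAPS =
    "40000000-40021000 r-xp 00000000 1f:05 101 /lib/ld-uClibc-0.9.30.so\n"
    "4008a000-40230000 r-xp 00000000 1f:05 202 /delta/main.so\n"
    "40231000-402a0000 r-xp 00000000 1f:05 303 /lib/libuClibc-0.9.30.so\n"
    "bef00000-bef21000 rw-p 00000000 00:00 0\n";

/* Offset of addr within its module, or 0 if addr is unmapped. */
static unsigned long addr_to_offset(unsigned long addr)
{
    map_entry_t maps[16];
    int n = parse_maps(SAMPLE_MAPS, maps, 16);
    const char *path = NULL;
    unsigned long off = 0;
    return resolve_addr(maps, n, addr, &path, &off) ? off : 0;
}

/* 1 if addr lies inside the module with the given path. */
static int addr_in_module(unsigned long addr, const char *module)
{
    map_entry_t maps[16];
    int n = parse_maps(SAMPLE_MAPS, maps, 16);
    const char *path = NULL;
    unsigned long off = 0;
    return resolve_addr(maps, n, addr, &path, &off) && strcmp(path, module) == 0;
}

/* Crash triage as in the text: LR holds a return address, so the call site
 * is the instruction before it; that file offset is what to open in IDA. */
static unsigned long lr_to_callsite_offset(unsigned long lr)
{
    return addr_to_offset(lr - 4);
}

int main(void)
{
    printf("PC 0x4026e580 in libuClibc: %d\n",
           addr_in_module(0x4026e580UL, "/lib/libuClibc-0.9.30.so"));
    printf("LR 0x401e68a8 -> main.so+0x%lX\n", lr_to_callsite_offset(0x401e68a8UL));
    return 0;
}
```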
So, how did the wrong destination address get passed to memcpy? To answer this, we needed a better understanding of how the system processes incoming packets along with what code is responsible for setting up the buffers sent to memcpy. We can use ps to evaluate the system as it is running to see that the main process spawns 19 threads:
The function wherein we found the “scNetMove” was called “scBIPRxTask” and was only referenced in one other location outside of the main binary; the initialization function for the application’s networking, shown in Figure 12.
In scBIPRxTask’s disassembly, we saw a new thread or “task” being created for both BACnet IP interfaces on ports 47808 and 47809. These spawned threads would handle all the incoming packets on their respective ports. When a packet is received by the system, the thread responsible for scBIPRxTask triggers for each packet. Using the IDA Pro decompiler, we could see what occurs for each packet. First, the function uses memset to zero out an allocated buffer on the stack and reads from the network socket into this buffer. This buffer becomes the source for the following memcpy call. The new buffer is created with a static size of 1732 bytes, and only 1732 bytes are appropriately read from the socket.
After reading data from the socket, the function sets up a place to store the packet it has just received. Here it uses a function called “pk_alloc,” which takes the size of the packet to create as its only argument. We noticed that the size was another static value and not the size received from the socket read function. This time the static value passed is 1476 bytes. This allocated buffer is what will become the destination for the memcpy.
With both a source and destination buffer allocated, “scNetMove” is called and subsequently memcpy is called, passing both buffers along with the size parameter taken from the socket read return value.
This code path explains why and how the vulnerability occurs. For each packet sent, it is copied off the stack into memory; however, if the packet is longer than 1476 bytes, for each byte over 1476 and less than or equal to 1732, that many bytes in memory past the end of the destination buffer are overwritten. Within the memory which is overwritten, there is an address to the destination of a later memcpy call. This means there is a buffer overflow vulnerability that leads to an arbitrary write condition. The first malformed packet overwrites a section of memory with attacker-defined data – in this case, the address where the attacker wishes to write to. After an additional 95 packets are read by the system, the address controlled by the attacker will be put into memcpy as the destination buffer. The data in the last packet, which does not need to be malformed, is what will be written to the location set in the earlier malformed packet. Assuming the last packet is also controlled by the attacker, this is now a write-what-where condition.
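The ingress path described above copies first and validates later, using the socket read length against a fixed 1476-byte destination. The following added example (not the vendor's code) shows that pattern beside a hardened version that checks the BVLC header and the received length against the destination capacity before any copy happens; the frames are constructed, and the 1732/1476 sizes, the 0x81 BVLC type byte and the 0x22 filler are taken from the text.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BIP_RX_BUF_LEN  1732u   /* stack receive buffer size from the text */
#define PK_ALLOC_LEN    1476u   /* pk_alloc() destination size from the text */
#define BVLC_TYPE_BIP   0x81u   /* BVLC type byte identifying BACnet/IP */
#define BVLC_HDR_LEN    4u      /* type, function, 16-bit length */

/* The pattern described in the text: the copy length is whatever the socket
 * read returned (up to 1732) while the destination is a fixed 1476 bytes, so
 * any length in (1476, 1732] writes past the end of dst. Kept for contrast;
 * nothing below calls it with an oversize frame. */
static void bip_rx_copy_unchecked(uint8_t *dst, const uint8_t *rx, size_t n)
{
    memcpy(dst, rx, n);
}

typedef enum {
    BIP_OK = 0,
    BIP_ERR_SHORT,      /* fewer bytes than a BVLC header */
    BIP_ERR_TYPE,       /* first byte is not 0x81 */
    BIP_ERR_LENGTH,     /* BVLC length field disagrees with bytes received */
    BIP_ERR_TOO_LARGE   /* would not fit the destination packet buffer */
} bip_status_t;

/* Validate header and length BEFORE anything is copied. This is the ordering
 * the device gets wrong: it copies first and checks the packet type later. */
static bip_status_t bip_validate(const uint8_t *rx, size_t n, size_t dst_cap)
{
    if (n < BVLC_HDR_LEN) return BIP_ERR_SHORT;
    if (rx[0] != BVLC_TYPE_BIP) return BIP_ERR_TYPE;
    size_t declared = ((size_t)rx[2] << 8) | rx[3];    /* big-endian BVLC length */
    if (declared != n) return BIP_ERR_LENGTH;
    if (n > dst_cap) return BIP_ERR_TOO_LARGE;
    return BIP_OK;
}

/* Hardened copy: returns bytes copied, or -1 with dst left untouched. */
static int bip_rx_copy_checked(uint8_t *dst, size_t dst_cap,
                               const uint8_t *rx, size_t n)
{
    if (bip_validate(rx, n, dst_cap) != BIP_OK) return -1;
    memcpy(dst, rx, n);
    return (int)n;
}

/* Build a constructed BACnet/IP frame: BVLC header plus 0x22 filler (the
 * byte the fuzzer used), with a caller-chosen declared length for testing. */
static void make_frame(uint8_t *buf, size_t n, size_t declared)
{
    memset(buf, 0x22, n);
    buf[0] = BVLC_TYPE_BIP;
    buf[1] = 0x0b;                       /* Original-Broadcast-NPDU */
    buf[2] = (uint8_t)(declared >> 8);
    buf[3] = (uint8_t)(declared & 0xff);
}

/* Run a frame of n received bytes carrying the given BVLC length field
 * through the hardened path with the device's 1476-byte destination. */
static bip_status_t check_frame(size_t n, size_t declared)
{
    uint8_t rx[BIP_RX_BUF_LEN];
    uint8_t dst[PK_ALLOC_LEN];
    if (n > sizeof rx) n = sizeof rx;    /* the socket read never returns more */
    make_frame(rx, n, declared);
    bip_status_t st = bip_validate(rx, n, sizeof dst);
    int copied = bip_rx_copy_checked(dst, sizeof dst, rx, n);
    return (copied < 0) ? st : BIP_OK;
}

/* A frame whose first byte is not 0x81 must be rejected before any copy. */
static bip_status_t check_non_bacnet_frame(void)
{
    uint8_t rx[16];
    uint8_t dst[PK_ALLOC_LEN];
    memset(rx, 0x22, sizeof rx);
    return bip_rx_copy_checked(dst, sizeof dst, rx, sizeof rx) < 0
           ? bip_validate(rx, sizeof rx, sizeof dst) : BIP_OK;
}

int main(void)
{
    uint8_t rx[BIP_RX_BUF_LEN], dst[PK_ALLOC_LEN];
    make_frame(rx, PK_ALLOC_LEN, PK_ALLOC_LEN);
    bip_rx_copy_unchecked(dst, rx, PK_ALLOC_LEN);   /* in bounds only because n == 1476 */
    printf("1476-byte frame: %d\n", check_frame(1476, 1476));           /* BIP_OK */
    printf("1732-byte frame: %d\n", check_frame(1732, 1732));           /* BIP_ERR_TOO_LARGE */
    printf("1732 bytes, declared 8216: %d\n", check_frame(1732, 8216)); /* BIP_ERR_LENGTH */
    return 0;
}
```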
Kicking the Dog
With a firm grasp on the discovered vulnerability, the next logical step was to attempt to create a working exploit. When developing an exploit, the ability to dynamically debug the target is extremely valuable. To this end, the team first had to cross-compile debugging tools such as gdbserver for the device’s specific kernel and architecture. Since the device runs an old version of the Linux kernel, we used an old version of Buildroot to build gdbserver and later other applications.
Using a USB drive to transfer gdbserver onto the device, an initial attempt to debug the running application was made. A few seconds after connecting the debugger to the application, the device initiated a reboot, as shown in Figure 16.
An error message gave us a clue on why the crash occurred, indicating a watchdog timer failure. Watchdog timers are common in critical embedded devices: if the system hangs for a predetermined amount of time, the watchdog takes action to try to correct the problem. In this case, the action chosen by the developers is to reboot the system. Searching the system binaries for this error message revealed the section of code shown in Figure 17. The actual error messages have been redacted at the request of the vendor.
The function is decrementing three counters. If any of the counters ever get to zero, then an error is thrown and later the system is rebooted. Examining the code further shows that multiple processes call this function to check the counters very frequently. This means we are not going to be able to dynamically debug the system without figuring out how to disable this software watchdog.
One common approach to this problem is to patch the binaries. It is important when looking at patching a binary to ensure the patch you employ does not introduce any unintended side effects. This generally means you want to make the smallest change possible. In this case, the smallest meaningful change the team came up with was to modify the “subtract by 5” to a “subtract by 0.” This would not change how the overall program functioned; however, every time the function was called to decrement the counter, the counter would simply never get smaller. The patched code is provided in Figure 18. Notice the IDA decompiler has completely removed the subtraction statement from the code since it is no longer meaningful.
With the software watchdog patched, the team attempted to again dynamically debug the application. Initially the test was thought to be successful, since it was possible to connect to gdbserver and start debugging the application. However, after three minutes the system rebooted again. Figure 19 shows the message the team caught on reboot after several repeated experiments with the same results.
This indicates that in the boot phase of startup, a hardware watchdog is set to 180 seconds (or three minutes). The system has two watchdog timers, one hardware and one software; we had only disabled one of the timers. The same method of patching the binary which was used to disable the software watchdog timer would not work for the hardware watchdog timer; the application would also need to kick the watchdog to prevent a reboot. Armed with this knowledge, we turned to the Delta binaries on the device for code that could help us “kick” the hardware watchdog. With the debugging symbols left in, it was relatively easy to find a function which was responsible for managing the hardware watchdog.
There are several approaches which could be used to attempt to disable the hardware watchdog. In this scenario, we decided to take advantage of the fact that the code which dealt with the hardware watchdog was in a shared library and exported. This allowed for the creation of a new program using the existing watchdog-kicking code. By creating a second program that will kick the hardware watchdog, we could debug the Delta application without the system resetting.
This program was put in the init script of the system, so it would run on boot and continually “kick the dog”, effectively disabling the hardware watchdog. Note: no actual dogs were harmed in the research or creation of this exploit. If anything, they were given extra treats and contributed to the coding of the watchdog patch. Here are some very recent photos of this researcher’s dogs for proof.
With both the hardware and software watchdog timers pacified, we could continue to determine if our previously discovered vulnerability was exploitable.
Writing the Exploit
Before attempting exploitation, we wanted to first investigate if the system had any exploit mitigations or limitations we needed to be aware of. We began by running an open source script called “checksec.sh”. This script, when run on a binary, will report if any of the common exploit mitigations are in place. Figure 21 shows the script’s output when run on the primary Delta binary, named “dactetra”.
The check came back with only NX enabled. This also held true for each of the shared libraries where the vulnerable code is located.
As discussed above, the vulnerability allows for a write-what-where condition, which leads us to the most important question: what do we want to write where? Ultimately, we want to write shellcode somewhere in memory and then jump to that shellcode. Since the attacker controls the last packet sent, it is plausible that the attacker could have their shellcode on the stack. If we put shellcode on the stack, we would then have to bypass the No eXecute (NX) protection discovered using the checksec tool. Although this is possible, we wondered if there was a simpler method.
Reexamining the crash dump at the memory location which has been overwritten by the large malformed packet, we found a small contiguous section of heap memory, totaling 32 bytes, which the attacker could control. We came to this conclusion because of the presence of 0x22 bytes – the contents of the malformed packet’s payload. At the time the overflow occurs, more of this region is filled with 0x22’s, but by the time our write-what-where condition is triggered, many of these bytes get clobbered, leaving us with the 32-byte section shown in Figure 22.
Being heap memory, this region was also executable, a detail that will become important shortly. Replacing the 0x22’s in the malformed packet with a non-repeating pattern both revealed where in the payload to place our shell code and confirmed that the bytes in this region were all unique.
With a potential place to put our shellcode, the next major component to address was controlling execution. The write-what-where condition allowed us to write anywhere in memory; however, it did not give us control of execution. One technique to tackle this problem is to leverage the Global Offset Table (GOT). In Linux, the GOT redirects a function pointer to an absolute location and is located in the .got section of an ELF executable or shared object. Since the .got section is written to at execution time, it is generally still writable later during execution. Relocation Read Only (RELRO) is an exploit mitigation which marks the loaded .got section read-only once it is mapped; however, as seen above, this protection was conveniently not enabled. This meant it was possible to use the write-what-where condition to write the address of our shellcode in memory to the GOT, replacing a function pointer of a future function call. Once the replaced function pointer is called, our shellcode would be executed.
But which function pointer should we replace? To ensure the highest probability of success, we decided it would be best to replace the pointer to a function that is called as close to the overwrite as possible. This is because we wanted to minimize changes to the memory layout during program execution. Examining the code again from the return of the “scNetMove” function, we see within just a few instructions “scDecodeBACnetUDP” is called. This therefore becomes the ideal choice of pointer to overwrite in the GOT.
Knowing what to write where, we next considered any conditions which needed to be met for the correct code path to be taken to trigger the vulnerability. Taking another look at the code in memcpy that allows the buffer overflow to occur, we noticed that the overwrite does indeed have a condition, as shown in Figure 24.
The code producing the overwrite in memory is only taken if the value in R0, when bitwise ANDed with the immediate value 3, is not equal to 0. From our crash dump, we knew that the value in R0 is the address of the destination we want to copy to. This potentially posed a problem. If the address we wanted to write to was 4-byte aligned, which was highly likely, the code path for our vulnerability would not be taken. We could ensure that our code path was taken by subtracting one from the address we wish to write to in the GOT and then repairing the last byte of the previous entry. This ensures that the correct code path is taken and that we do not unintentionally damage a second function pointer.
While we discovered a place to put our shellcode, we only discovered a very small amount of space, specifically 32 bytes, in which to write the payload, shown in Figure 24. What can we accomplish in such a small amount of space? One method that does not require extensive shellcode is to use a “return to libc” attack to execute the system command. For our exploit to work out of the box, whatever command or program we run with system must be present on the device by default. Additionally, the command string itself needs to be quite short to accommodate the limited number of bytes we have to work with.
An ideal scenario would be executing code that would allow remote shell access to the device. Fortunately, Netcat is present on the device and this version of Netcat supports both the “-ll” flag, for persistent listening on a port for a connection, and the “-e” flag, for executing a command on connection. Thus, we could use system to execute Netcat to listen on some port and execute a shell when a connection is made. Before writing shell code to execute system with this command, we first tested various Netcat commands on the device directly to determine the shortest Netcat command that would still give us a shell. After a few iterations, we were able to shorten the Netcat command to 13 bytes:
nc -llp9 -esh
Since the instructions must be 4-byte-aligned and we have 32 bytes to work with, we are only concerned with the length of the string rounded up to the nearest multiple of 4, so in this case 16 bytes. Subtracting this from our total 32 bytes, we have 16 bytes left, or 4 instructions total, to set up the argument for system and jump to it. A common method to fit more instructions into a small space in memory on ARM is to switch to Thumb mode. This is because ARM’s Thumb mode utilizes 16-bit (2-byte) instructions, instead of the regular 32-bit (4-byte) ARM instructions. Unfortunately, the processor on this device did not support Thumb mode and therefore this was not an option.
The challenge to accomplishing our task in only 4 ARM instructions is the limit ARM places on immediate values. To jump to system, we needed to use an immediate value as the address to jump to, but memory addresses are not generally small values. Immediate values in ARM are limited to 12 bits; eight of these bits are for the value itself and the other 4 are used for bit shifting. This means that an immediate value can only be one byte long (two hex digits), but that byte can be zero padded in any fashion you like. Therefore, loading a full memory address of 4 bytes using immediate values would take all 4 instructions, whether using MOV or ADD. While we do have 4 instructions to play with, we also need at least one instruction to load the address of our command string into R0, the register used as the first parameter for system, and at least one instruction to branch to the address, requiring a total of 6 instructions.
One way to reduce the number of instructions needed is to start by copying a register already containing a value close to the address we want at the time the shellcode executes. Whether this is feasible depends on the value of the address we want to jump to compared to the addresses we have available in the registers right before our shell code is executed.
Starting with the address we need to call, we discovered three addresses we could jump to that would call system.
0x4006425C – the address of a BL system (branch to system) instruction in boot.so.
0x40054510 – the address of the system entry in “boot.so”’s GOT.
0x402874A4 – the direct address of system in libuClibc-0.9.30.so.
Next, we compared these options to the values in the registers at the time the shellcode is about to execute using GDB, shown in Figure 25.
Of the registers we have access to at the time our shell code executes, the one that gives us the smallest delta between its contents and one of these three addresses we can use to call system is R4. R4 contains 0x40235CB4, giving a delta of 0x517F0 when compared to the address for a direct call to system. The last nibble being 0 is ideal since that means we don’t have to account for the last bit, thanks to the rotation mechanism inherent to ARM immediate values. This means that we only need two immediate values to convert the contents of R4 into our desired address: one for 0x51000, the other for 0x7F0. Since we can apply an immediate offset when MOV’ing one register into another, we should be able to load a register with the address of system in only two instructions. With one instruction for performing the branch and 16 bytes for the command string, this means we can get all our shell code in 32 bytes, assuming we can load R0 with the address of our string in one instruction.
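The instruction-count argument above rests on how A32 immediates are encoded: an 8-bit value rotated right by an even amount. This added C helper, not part of the original write-up, checks whether a value is encodable and greedily splits a delta into encodable chunks, reproducing the two-chunk split of 0x517F0 (0x7F0 and 0x51000) and the four chunks a full 32-bit address needs; the R4 and system addresses are the ones quoted in the text.

```c
#include <stdint.h>
#include <stdio.h>

/* A32 data-processing immediates encode an 8-bit value rotated right by an
 * even amount 0..30 (4 rotation bits + 8 value bits = the 12 bits the text
 * mentions). Returns 1 if v fits a single such immediate. */
static int arm_imm_encodable(uint32_t v)
{
    for (unsigned rot = 0; rot < 32; rot += 2) {
        /* Undo a ROR by rot (rotate left) and see whether only 8 bits remain. */
        uint32_t u = rot ? ((v << rot) | (v >> (32 - rot))) : v;
        if ((u & ~0xFFu) == 0) return 1;
    }
    return 0;
}

/* Greedily split v into encodable chunks that sum to v. Each chunk costs one
 * ADD/ORR immediate; 32 bits never need more than four. Returns chunk count.
 * Greedy is sufficient for the values discussed here, though it is not
 * guaranteed minimal for every input. */
static int arm_imm_split(uint32_t v, uint32_t out[4])
{
    int n = 0;
    while (v && n < 4) {
        unsigned low = 0;
        while (!((v >> low) & 1u)) low++;
        low &= ~1u;                         /* window must start at an even bit */
        /* 8-bit window starting at 'low', wrapping around the top like ROR does. */
        uint32_t mask = (0xFFu << low) | (low ? (0xFFu >> (32 - low)) : 0);
        out[n++] = v & mask;
        v &= ~mask;
    }
    return n;
}

/* Number of greedy chunks for v. */
static int split_count(uint32_t v)
{
    uint32_t c[4];
    return arm_imm_split(v, c);
}

/* The i-th greedy chunk of v, or 0 if there is none. */
static uint32_t split_chunk(uint32_t v, int i)
{
    uint32_t c[4] = {0, 0, 0, 0};
    int n = arm_imm_split(v, c);
    return (i < n) ? c[i] : 0;
}

/* Register-relative load as in the text: how many ADD immediates turn the
 * value held in a register (R4 here) into the target address (system)? */
static int adds_needed(uint32_t have, uint32_t want)
{
    return split_count(want - have);
}

int main(void)
{
    uint32_t delta = 0x402874A4u - 0x40235CB4u;          /* 0x517F0 */
    int n = split_count(delta);
    printf("R4 -> system needs %d immediates:", n);
    for (int i = 0; i < n; i++) printf(" 0x%X", split_chunk(delta, i));
    printf("\nfull address 0x402874A4 needs %d\n", split_count(0x402874A4u));
    return 0;
}
```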
By starting our ASCII string for the command directly after the fourth and last instruction, we can copy PC into R0 with the appropriate offset to make it point to the string. An added benefit of this approach is that it makes the string’s address independent of where the shell code is placed into memory, since it’s relative to PC. Figure 26 shows what the shellcode looks like with consideration for all restrictions.
It is important to note that the “.asciz” assembler directive is used to place a null-terminated ASCII string literal into memory. R12 was chosen as the register to hold the address to branch to, since R12 is the intra-procedure-call (IP) scratch register on the ARM architecture. This means R12 is often used as a general-purpose register within subroutines, indicating it is almost certainly safe to clobber for our purposes without experiencing unexpected adverse effects.
Piecing Everything Together
With a firm understanding of the vulnerability, exploit, and the shellcode needed we could now attempt exploitation. Looking at the sequence of packets used to cause this attack, it is not a single packet attack, but a multiple packet attack. The initial buffer overflow is contained in the large malformed packet, so what data do we build into it? This packet is overwriting memory but not providing control over execution; therefore, this can be considered the “setup” or “staging” packet. This is where memcpy will look for the address of the destination buffer for our last packet. The address we want to overwrite goes in this packet followed by our shellcode. As explained above, the address we are looking to overwrite is the address of the scDecodeBACnetUDP function pointer in the GOT minus one, to ensure the address isn’t 4-byte aligned. By repairing the last byte of the previous function pointer and overwriting this address, we can gain execution control.
The large malformed packet contains “where” we want to “write” to and puts our shellcode into memory yet does not contain “what” we want to write. The “what”, in this case, is the address of our shellcode, so our last packet needs to contain this address. The final challenge is deciding where in the last packet the address belongs.
Recall from the core dump shown previously that the crash happens on memcpy attempting to write the value 0x81 to the bad address. 0x81 is the first byte of the BVLC layer, indicating this is where our address needs to go within the last packet to ensure that only the address we want is overwritten. We also need to ensure there are not any bytes after our address; otherwise we will continue to overwrite the GOT past our target address. Since this application is a multi-threaded application, this could cause the application to crash before our shellcode has a chance to execute. Since the BVLC layer is typically how a packet is identified as a BACnet packet, a potential problem with altering this layer is that the last packet will no longer look like a BACnet packet. If this is the case, will the application still ingest the packet? The team tested this and discovered that the application will ingest any broadcast packet regardless of type, since the vulnerable code is executed before the code that validates the packet type.
Taking everything into account and sending the series of 97 packets, we were able to successfully exploit the building manager by creating a bind shell. Below is a video demonstrating this attack:
A Real-world Scenario
Although providing a root shell to an attacker proves the vulnerability is exploitable, what can an attacker do with it? A shell by itself does not prove useful unless an attacker can control the normal operation of the system or steal valuable data. In this case, there is not a lot of useful data stored on the device. Someone could download information about how the system is configured or what it’s controlling, which may have some value, but this will not hold significant impact on its own. It is also plausible to delete essential system files via a denial-of-service attack that could easily put the target in an unusable state, but pure destruction is also of low value for various reasons. First, as mentioned previously, the device has a backup image that it will fall back to if a failure occurs during the boot process. Without physical access to the device, an attacker wouldn’t have a clear idea of how the backup image differs from the original or even if it is exploitable. If the backup image uses a different version of the firmware, the exploit may no longer work. Perhaps more importantly, a denial-of-service attack suffers from its inherent lack of subtlety. If the attack immediately causes alarms to go off when executed, the attacker can expect that their persistence in the system will be short-lived.
What if the system could be controlled by an attacker while being undetected? This scenario becomes more concerning considering the type of environments controlled by this device.
Controlling the standard functions of the device from just a root shell requires a much deeper understanding of how the device works in a normal setting. Typically, the Delta eBMGR is programmed by an installer to perform a specific set of tasks. These tasks can range from managing access control, to building lighting, to HVAC, and more. Once programmed, the controller is connected to several external input/output (I/O) modules. These modules are utilized for both controlling the state of an attached device and relaying information back to the manager. To replicate these “normal conditions”, we had a professional installer program our device with a sample program and attach the appropriate modules.
Figure 27 shows how each component is connected in our sample programming. For our initial testing, we did not actually have the large items such as the pump, boiler and heating valve. The state of these items can be tracked through either LEDs on the modules or the touchscreen interface, hence it was unnecessary for us to acquire them for testing purposes. Despite this, it is still important to note which type of input or output each “device”, virtual or otherwise, is connected to on the modules.
The programming to control these devices is surprisingly simple. Essentially, based on the inputs, an output is rendered. Figure 28 shows the programming logic present on the device during our testing.
There are three user-defined software variables: “Heating System”, “Room Temp Spt”, and “Heating System Enable Spt”. Here, “spt” indicates a set point. These can be defined by an operator at run time and help determine when an output should be turned on or off. The “Heating System” binary variable simply controls the on/off state of the system.
Controlling the Device
Like when we first started looking for vulnerabilities, we want to ensure our method of controlling the device is not dependent on code which could vary from controller to controller. Therefore, we want to find a method that allows us to control all the I/O devices attached to a Delta eBMGR, ensuring we are not dependent on this device’s specific programming.
As on any Linux-based system, the installer-defined programming at its lowest level utilizes system calls, or functions, to control the attached hardware. By finding a way to manipulate these functions, we would therefore have a universal method of controlling the modules regardless of the installer programming. A very common way of gaining this type of control when you have root access to a system is through the use of function hooking. The first challenge for this approach is simply determining which function to hook. In our case, this required an extensive amount of reverse engineering and debugging of the system while it was running normally. To help reduce the scope of functions we needed to investigate, we began by focusing our attention on controlling binary output (BO). Our first challenge was how to find the code that handles changing the state of a binary output.
A couple of key factors helped point us in the right direction. First, the documentation for the controller indicates the devices talk to the I/O modules over a Controller Area Network Bus (CAN bus), which is common for PLC devices. As previously seen, the Delta binaries all have symbols included. Thus, we can use the function names provided in the binaries to help reduce the code surface we need to look at – IDA tells us there are only 28 functions with “canio” as the first part of their name. Second, we can assume that since changing the state of a BO requires a call to physical hardware, a Linux system call is needed to make that change. Since the device is making a change to an IO device, it is highly likely that the Linux system call used is “ioctl”. When cross-referencing the functions that start with “canio” and that call “ioctl”, our prior search space of 28 drops to 14. One function name stood out above the rest: “canioWriteOutput”. The decompiled version of the function has been reproduced in Figure 29.
Using this hypothesis, we set a break point on the call to “ioctl” inside canioWriteOutput and use the touchscreen to change the state of one of the binary outputs from “off” to “on”. Our breakpoint was hit! Single stepping over the breakpoint, we were able to see the correct LED light up, indicating the output was now on.
Now knowing the function we needed to hook, the question quickly became: How do we hook it? There are several methods to accomplish this task, but one of the simplest and most stable is to write a library that the main binary will load into memory during its startup process, using an environment variable called LD_PRELOAD. If a path or multiple paths to shared objects or libraries are set in LD_PRELOAD before executing a program, that program will load those libraries into its memory space before any other shared libraries. This is significant, because when Linux resolves a function call, it looks for function names in the order in which the libraries are loaded into memory. Therefore, if a function in the main Delta binary shares a name and signature with one defined in an attacker-generated library that is loaded first, the attacker-defined function will be executed in its place. As the attacker has a root shell on the device, it is possible for them to modify the init scripts to populate the LD_PRELOAD variable with a path to an attacker-generated library before starting the Delta software upon boot, essentially installing malware that executes upon reboot.
Using the cross-compile toolchain created in the early stages of the project, it was simple to test this theory with the “library” shown in Figure 30.
The code in Figure 30 doesn’t do anything meaningful, but it does confirm whether hooking this function works as expected. We first defined a function pointer using the same function prototype we saw in IDA for canioWriteOutput. When canioWriteOutput is called, our function is called first, creating an output file in the “opt” directory and giving us a place to write text, proving that our hook is working. Then, we look up the original canioWriteOutput in the symbol table and call it with the same parameters passed into our hook, essentially creating a passthrough function. The success of this test confirmed this method would work.
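The persistence mechanism described above (an LD_PRELOAD entry added to a start script so that a hook library is loaded on every boot) leaves artifacts a defender can look for. The following script is an added example written for this page, not code from the McAfee ATR research or from Delta Controls; it checks three places where a preload shows up: shell init scripts, /etc/ld.so.preload, and the environment block of a running process as exposed by /proc/<pid>/environ. All sample inputs and paths (such as /opt/libhook.so and /etc/init.d/manager) are constructed.

```python
"""Detect LD_PRELOAD-based persistence in init scripts, /etc/ld.so.preload
and the environment of running processes.

Added example for this page, not code from the McAfee ATR research or from
Delta Controls. Every sample input below is constructed."""
import re
from typing import Dict, List

# Libraries preloaded from these directories are treated as expected;
# anything else (e.g. /opt, /tmp, a home directory) is reported.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Matches `LD_PRELOAD=/x.so`, `export LD_PRELOAD="/x.so"` and a prefix such as
# `LD_PRELOAD=/x.so /usr/bin/prog` on a command line.
_ASSIGN_RE = re.compile(r'(?:^|\s|;)(?:export\s+)?LD_PRELOAD=(["\']?)([^"\'\s;]+)\1')


def _untrusted(path: str) -> bool:
    return not path.startswith(TRUSTED_LIB_DIRS)


def scan_init_script(text: str, source: str = "init-script") -> List[Dict[str, str]]:
    """Report LD_PRELOAD assignments in a shell script whose library lives
    outside the trusted system library directories. Commented-out lines are
    skipped because they are never executed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for match in _ASSIGN_RE.finditer(line):
            # The loader accepts several libraries separated by colons.
            for lib in match.group(2).split(":"):
                if lib and _untrusted(lib):
                    findings.append({"source": f"{source}:{lineno}", "library": lib})
    return findings


def scan_ld_so_preload(text: str) -> List[Dict[str, str]]:
    """Report every entry of /etc/ld.so.preload. The file is normally empty,
    so each entry deserves review; entries outside trusted directories most."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        findings.append({"source": f"/etc/ld.so.preload:{lineno}", "library": entry,
                         "untrusted_dir": str(_untrusted(entry))})
    return findings


def scan_environ(environ_blob: bytes, pid: int) -> List[Dict[str, str]]:
    """Report LD_PRELOAD in a NUL-separated /proc/<pid>/environ block. This
    catches a preload that is already active even after the start script
    that set it has been cleaned or replaced."""
    findings = []
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            for lib in value.split(":"):
                if lib and _untrusted(lib):
                    findings.append({"source": f"/proc/{pid}/environ", "library": lib})
    return findings


# Constructed samples (hypothetical paths, not taken from the Delta firmware).
SAMPLE_INIT = """#!/bin/sh
# constructed sample: hypothetical vendor start script
export PATH=/usr/bin:/bin
# LD_PRELOAD=/opt/old.so   (commented out: must not be reported)
export LD_PRELOAD=/opt/libhook.so
/opt/vendor/bin/manager &
"""
SAMPLE_LD_SO_PRELOAD = "/usr/lib/libaudit-helper.so\n/tmp/.x/libhook.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0"


def run_sample_scan() -> List[Dict[str, str]]:
    """Run all three checks over the constructed samples."""
    return (scan_init_script(SAMPLE_INIT, "/etc/init.d/manager")
            + scan_ld_so_preload(SAMPLE_LD_SO_PRELOAD)
            + scan_environ(SAMPLE_ENVIRON, 4242))


if __name__ == "__main__":
    for finding in run_sample_scan():
        print(finding)
```

On a live host, feed scan_init_script the contents of each file under the init directory, scan_ld_so_preload the contents of /etc/ld.so.preload, and scan_environ the bytes of /proc/<pid>/environ for the vendor process; the process check matters because it still fires when the on-disk script has already been restored.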
For our function hook to do more than just act as a passthrough, we needed to understand what parameters were being passed to the function and how they affect execution. By using GDB, we could examine the data passed in during both the “on” and “off” states. For canioWriteOutput, it was discovered that the state of the binary output was encoded into the second parameter passed to the function. From there, we could theoretically control the state of the binary output by simply passing the desired state as the second parameter to the real function, leaving the other parameters as-is. In practice, however, the state change produced using this method persisted only for a split second before the device reset the output back to its proper state.
Why was the device returning the output to the correct state? Is there some type of protection in place? Investigating strings in the main Delta binary and the filesystem on the device led us to discover that the device software maintains databases on the filesystem, likely to preserve device and state information across reboots. At least one of these databases is used to store the state of binary outputs along with, presumably, other kinds of I/O devices. With further investigation using GDB, we discovered that the device is continuously polling this database for the state of any binary outputs and then calling canioWriteOutput to publish the state obtained from the database, clobbering whatever state was there before. Similarly, changes to this state made by a user via the touchscreen are stored in this same database. At first, it may appear that the simplest solution would be to change the database value since we have root access to the device. However, the database is not in a known standard format, meaning we would need to take the time to reverse this format and understand how the data is stored. As we already have a way to hook the functions, controlling the outputs at the time canioWriteOutput is called is simpler.
To accomplish this, we updated our malware to keep track of whether the attacker has made a modification to the output or not. If they have, the hook function replaces the correct state, stored in canioWriteOutput’s second parameter, with the state asserted by the attacker before calling the real canioWriteOutput function. Otherwise, the hook function acts as a simple passthrough for the real deal. A positive side effect of this, from the attacker’s perspective, is the touchscreen will show the output as the state the user last requested even after the malware has modified it. Implementing this simple state-tracking resolved our prior issue of the attacker-asserted state not persisting.
With control of the binary output, we moved on to looking at each of the other types of inputs and outputs that can be connected to the modules. We used a similar approach in identifying the methods used to read or write data from the modules and then hooking them. Unfortunately, not every function was as simple as canioWriteOutput. For example, when reversing the functions used to control analog outputs, we noticed that they utilized custom data structures to hold various information about the analog device, including its state. As a result, we had to first reverse the layout of these data structures to understand how the analog information was being sent to the outputs before we could modify their state. By using a combination of static and dynamic analysis, we were able to create a comprehensive malicious library to control the state of any device connected to the manager.
Taking our Malware to the Next Level
Although making changes from a root shell certainly proves that an attacker can control the device once it has been exploited, it is more practical and realistic for the attacker to have complete remote control not contingent on an active shell. Since we were already loading a library on startup to manipulate the I/O modules, we decided it would also be feasible to use that same library to create a command-and-control type infrastructure. This would allow an attacker to just send commands remotely to the “malware” without having to maintain a constant connection or shell access.
To bring this concept to life, we needed to create a backdoor and an initialization function was probably the best place to put one. After some digging, we found “canioInit”, a function responsible for initializing the CAN bus. Since the CAN bus is required to make any modifications to the operation of the device, it made sense to wait for this function to be called before starting our backdoor. Unlike some of the previous hooks mentioned, we don’t make any changes to this call or its return data; we only use it as a method to ensure our backdoor is started at the proper time.
When canioInit is called, we first spawn a new thread and then execute the real canioInit function. Our new thread opens a socket on UDP port 1337 and listens for very specific commands, such as “bo0 on” to indicate to “turn on binary output 0” or “reset” to put the device back in the user’s control. Based on the commands provided, the “set_io_state” method called by this thread activates the necessary hooking methods to control the I/O as described in the previous section.
With a fully functioning backdoor in the memory space of the Delta software, we had full control of the device with a realistic attack chain. Figure 33 outlines the entire attack.
The entire process above, from sending out the malicious packets to gaining remote control, takes under three minutes, with the longest task being the reboot. Once the attacker has established control, they can operate the device without impacting what information the user is provided, allowing the attacker to stay undetected and granting them ample opportunity to cause serious damage, depending on what kind of hardware the Delta controller manages.
Real World Impact
What is the impact of an attack like this? These controllers are installed in multiple industries around the world. Via Shodan, we have observed nearly 600 internet-accessible controllers running vulnerable versions of the firmware. We tracked eBMGR devices from February 2019 to April 2019 and found that there were a significant number of new devices available with public IP addresses.
As of early April 2019, 492 eBMGR devices remained reachable via internet-wide scans using Shodan. Of those found, a portion are almost certainly honeypots based on user-applied tags found in the Shodan data, leaving 404 potentially vulnerable victims. If we include other Delta Controls devices using the same firmware and assume a high likelihood they are vulnerable to the same exploit, the total number of potential targets balloons to over 1600. We tracked 119 new internet-connected eBMGR devices since February 2019; however, these were outpaced by the 216 devices that have subsequently gone offline. We believe this is a combination of standard practice for ICS systems administrators to connect these devices to the Internet, coupled with a strategy by the vendor (Delta Controls) of proactively reaching out to customers to reduce the internet-connected footprint of the vulnerable devices. Most controllers appear to be in North America, with the US accounting for 53% of online devices and Canada accounting for 35%. It is worth noting that in some cases the IP address, and hence the geographic location reported by Shodan, traces back to an ISP (Internet Service Provider), which could skew the location findings.
Some industries seem more at risk than others given the accessibility of devices. We were only able to map a small portion of these devices to specific industries, but the top three categories we found were Education, Telecommunications, and Real Estate. Education included everything from elementary schools to universities. In academic settings, the devices were sometimes deployed district-wide, in numerous facilities across multiple campuses. One example is a public-school system in Canada where each school building in the district had an accessible device. Telecommunications consisted entirely of ISPs and/or phone companies; many of these could be due to the ISPs being listed as the service provider. The real estate category generally included office and apartment buildings. From available metadata in the search results, we also managed to find instances of education, healthcare, government, food, hospitality, real estate, child care and financial institutions using the vulnerable product.
With a bit more digging, we were easily able to find other targets through publicly available information. While it is not common practice to post sensitive documents online, we’ve found many documents available that indicate that these devices are used as part of the company’s building automation plans. This was particularly true for government buildings where solicitations for proposals are issued to build the required infrastructure. All-in-all we have collected around 20 documents that include detailed proposals, requirements, pricing, engineering diagrams, and other information useful for reconnaissance. One particular government building had a 48-page manual that included internal network settings of the devices, control diagrams, and even device locations.
Redacted network diagram found on the Internet specifying ICS buildout
What does it matter if an attacker can turn someone’s AC or heat on and off? Consider some of the industries we found that could be impacted. Industries such as hospitals, government, and telecommunications may face severe consequences when these systems malfunction. For example, the eBMGR is used to maintain positive/negative pressure rooms in medical facilities or hospitals, where the slightest change in pressurization could have a life-threatening impact due to the spread of airborne diseases. Suppose instead a datacenter was targeted. Datacenters need to be kept at a cool temperature to ensure they do not overheat. If an attacker were to gain access to the vulnerable controller and use it to raise the temperature to critical levels and disable alarms, the result could be physical damage to server hardware en masse, as well as downtime costs, not to mention potential permanent loss of critical data. According to the Ponemon Institute (https://www.ponemon.org/library/2016-cost-of-data-center-outages), the average cost of a datacenter outage was as high as $740,357 in 2016 and climbing. Microsoft was a prime example of this; in 2018, the company suffered a massive datacenter outage (https://devblogs.microsoft.com/devopsservice/?p=17485) due to a cooling failure, which impacted services for around 22 hours.
To show the impact beyond LED lights flashing, McAfee’s ATR contracted a local Delta installer to build a small datacenter simulation with a working Delta system. This includes both heating and cooling elements to show the impact of an attack in a true HVAC system. In this demonstration we show both normal functionality of the target system, as well as the full attack chain, end-to-end, by raising the temperature to dangerous levels, disabling critical alarms and even faking the controller into thinking it is operating normally. The video below shows how this simple unpatched vulnerability could have devastating impact on real systems.
We also leverage this demo system, now located in our Hillsboro research lab, to highlight how an effective patch, in this case provided by Delta Controls, is used to immediately mitigate the vulnerability, which is ultimately our end goal of this research project.
Discoveries such as CVE-2019-9569 underline the importance of secure coding practices on all devices. ICS devices such as this Delta building manager control critical systems which have the potential to cause harm to businesses and people if not properly secured.
There are some best practices and recommendations related to the security of products falling into nonstandard environments such as industrial controls. Given the nature of the devices, they may not have the same visibility and process control as standard infrastructure such as web servers, endpoints and networking equipment. As a result, industrial control hardware like the eBMGR PLC may be overlooked from various angles, including network or Internet exposure, vulnerability assessment and patch management, asset inventory, and even access controls or configuration reviews. For example, a least-privilege policy may be appropriate, and network isolation or a protected network segment may help provide boundaries of access against adversaries. An awareness of security research and an appropriate patching strategy can minimize exposure time for known vulnerabilities. We recommend a thorough review and validation of each of these important security tenets to bring these critical assets under the same scrutiny as other infrastructure.
One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. As per McAfee’s vulnerability public disclosure policy, McAfee’s ATR informed and worked directly with the Delta Controls team. This partnership resulted in the vendor releasing a firmware update which effectively mitigates the vulnerability detailed in this blog, ultimately providing Delta Controls’ consumers with a way to protect themselves from this attack. We strongly recommend any businesses using the vulnerable firmware version (571848 or prior) update as soon as possible in line with your patch policy and testing strategy. Of special importance are those systems which are Internet-facing. McAfee customers are protected via the following signature, released on August 6th: McAfee Network Security Platform 0x45d43f00 BACNET: Delta enteliBUS Manager (eBMGR) Remote Code Execution Vulnerability.
We’d like to take a minute to recognize the outstanding efforts from the Delta Controls team, which should serve as a poster-child for vendor/researcher relationships and the ability to navigate the unique challenges of responsible disclosure. We are thrilled to be collaborating with Delta, who have embraced the power of security research and public disclosure for both their products as well as the common good of the industry. Please refer to the following statement from Delta Controls which provides insight into the collaboration with McAfee and the power of responsible disclosure.
When Reuters’ investigative reporter Joseph Menn confirmed that presidential candidate Beto O’Rourke was an early member of The Cult of the Dead Cow (cDc), it seemed as though folks had two viewpoints on it. They either had more respect for him because they understood what cDc was trying to accomplish, or they were relatively horrified because “hackers are bad.” It’s easy to fear what we don’t understand, and what is often shed in a bad light.
In InfoSec, we know and understand that hackers are not inherently bad. Many of them are hacktivists looking to make positive change in the world. During the Black Hat panel discussion, “Making Big Things Better the Dead Cow Way,” Menn talked about how O’Rourke was 14 or 15 years old when he joined the cDc and left before the organization grew in notoriety, and that he interviewed a neo-Nazi in Texas and proceeded to let him hang himself with his own words. Even at that young age, he was all about diversity and engagement, especially within the cDc.
Mudge Zatko, a prominent member of L0pht and the cDc, who went on to be a program manager at DARPA, shared what he thought stood out most about O’Rourke, saying, “You can form groups online, but when you get together and meet the person, are they who you thought? You met [Beto] and he was a very friendly guy.”
This story matters because in order to make change, you have to understand where your power and influence lie to have the best results. For O’Rourke, that looks like running for president. For the cDc, it was acknowledging that hackers have power and influence. With the understanding that computers and encryption could be leveraged to help human rights efforts, the group made a more public move toward hacktivism.
“What can you do to make the world a better place? How do we leverage this power? Use that to go through the media, and hopefully through some sort of technology, but especially through our connections to the media and use the influence of our long history,” said Mudge.
While Veracode co-founder Christien Rioux, or Dildog, opted to work with the private sector to tackle issues of security at wide scale by creating the technology that would become static binary analysis and Veracode, there are many who opt to take more of a hacktivist approach. As with anything else, there are varying views on what hacktivism is and what it isn’t, which parallels the debates about what human rights truly encompass.
“What is your definition of human rights? Just governmental interaction because of civil liberties, or is it applicable to private organizations?” asks Luke Benfey (aka Deth Veggie). “Some believe it is and some believe it isn't. There are philosophical disagreements about what is ethically valid. Some believe that DDOS or web defacement is not applicable as legitimate means of protest, and others believe it is a legitimate means of protest. These are things that are still going on, and I don't necessarily think that the kinds of hacktivism have changed radically, so much as scale has changed; the Internet and access to it has spread much more widely around the world.”
With broader access comes broader awareness and even broader responsibility: once something is seen it can’t be unseen. While we certainly see malicious cyberattacks making headlines, a lot of good is being done by the hacktivist community as well. Just look to discussions around coordinated disclosure and the ways in which security researchers are working with private and public organizations to make them – and all of us – safer.
If you’re looking for something to do, and want real proof of the cDc’s hacktivist ethos, we were told that if you search the former Yugoslavia website for cDc in the case files pertaining to former Yugoslav president Slobodan Milosevic’s trial for war crimes, you’ll see that they pop up a lot for their work helping prosecutors.
Or you could just watch this video Q&A where Veracode Co-Founder Chris Wysopal (@WeldPond) interviews Menn, Rioux, and Deth Veggie about the cDc and Menn’s book, “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World” at this year’s Black Hat.
According to a study by LogicMonitor, the number of applications hosted on-premises will decrease by 10%, to 27%, by 2020. In comparison, the number of cloud-native, more specifically serverless hosted applications, like AWS Lambda, Google Cloud and Microsoft Azure, will increase to 41%.
The trend toward cloud, specifically serverless, and away from on-prem is not new and comes as no surprise, as serverless-hosted applications give developers a faster speed to market and allow them to release new functionality more frequently. In addition, it can save organizations bundles in infrastructure costs. It has, however, left DevSecOps and security teams in a quandary. While they don’t want to impede development efforts, they are left with no choice but to place the security of serverless applications in someone else’s hands.
To alleviate this issue, there are several serverless security best practices that must be put in place in order to properly secure serverless apps launched by the developer.
Serverless Security Best Practices
Don’t rely solely on WAF protection: Application layer firewalls are only capable of inspecting HTTP(S) traffic. This means that a WAF will only protect functions that are triggered through an API Gateway. It will not provide protection against any other event trigger types. A WAF will not help if your functions are triggered from different event sources, such as:
Having a WAF in place is still important, but it is not and should not be the only line of defense in securing serverless applications. Relying solely on a WAF leaves many gaping security holes.
Customize Function Permissions: 90% of permissions in serverless applications are found to be over-permissioned. While setting up permissions feels like a daunting task when thinking at the function level in serverless, a one-size-fits-all approach is not a solution. Setting policies that are broader and more permissive than the function needs is a common serverless security mistake, and failing to minimize individual function roles and permissions makes your attack surface larger than necessary. Creating proper function-level permissions requires DevSecOps teams to sit down with the developers who wrote the functions and review what each function does. Only after determining what each function actually needs to do can a unique role for each function and a suitable permission policy be created. Luckily there are tools available to help automate this process for heightened AWS Lambda security, as well as other cloud-native platforms.
Conduct a Code Audit: Black Duck Software conducted an audit of 1,000 commonly-used applications in enterprises and found that 96% utilized open-source software. Furthermore, their researchers found that 60% of that software contained security vulnerabilities, and some of the bugs were more than four years old. This makes code ownership and authenticity a critical security risk, as can you really trust what isn’t yours?
Referred to as “Poisoning the Well,” attackers aim to gain more long-term persistence in your application by means of an upstream attack. Cloud-native applications tend to comprise many modules and libraries. The modules often include many other modules, so it’s not uncommon for a single serverless function to include tens of thousands of lines of code from various external sources, even when your developers wrote fewer than 100 lines of it. Attackers look to include their malicious code in common projects. After poisoning the well, they patiently wait as the new version makes its way into your cloud applications. To enhance AWS serverless security, as well as Microsoft Azure, Google Cloud Functions, etc., it is important to conduct a security audit of the code or look for tooling that can automate the process, scanning for vulnerabilities as a serverless security best practice.
Retain Control Over Your Functions: This may sound like a utopian dream, but code vulnerability can be mitigated through careful CI/CD. Malicious functions can slip in through a variety of means, such as being deployed by a rogue employee. Additionally, developer workstations could be a target for attackers, rather than the deployed apps themselves, which would enable attackers to deploy malicious functions through legitimate channels. Such functions could sneak in and wreak havoc, undetected. To offset this chance, create a policy and strategy for conducting code analysis during the build, before it goes into runtime, and make sure every function goes through CI/CD.
Look at All Attack Indicators: Visibility gets harder with serverless. The shift to serverless significantly increases the total amount of information and the number of resources, which hinders DevSecOps and security teams’ ability to make sense of all the data. As the quantity of functions increases, it becomes even more difficult to determine if everything is behaving the way it’s supposed to. Case in point: only a few hundred functions can generate billions of events in your logs every day, and it becomes difficult to know which are important. Even if you are familiar with the attack patterns that are unique to serverless apps, visually scanning them all simply can’t be done, so leverage AI tools for added serverless security visibility and efficiency.
Time Out Your Functions: Functions should have a tight runtime profile. Admittedly, crafting appropriate serverless function timeouts is often not intuitive. The maximum duration of a function can be quite specific to that function. DevSecOps teams must consider the configured timeout versus the actual timeout. Many developers set the timeout to the maximum allowed since the unused time doesn’t create an additional expense. However, this approach creates an enormous security risk, because if an attacker succeeds with a code injection, they have more time available to do more damage. Shorter timeouts require them to attack more often, which we refer to as a “Groundhog Day” attack, but that makes the attack more visible. As a serverless security best practice, shrink not just what a function can do, but how long it can run.
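Two of the best practices above, function-level permissions and tight timeouts, can be checked mechanically against a function’s configuration. The script below is an added example written for this page, not a tool from the original post: it flags Allow statements that use wildcard or service-wide actions or a wildcard resource, and it compares the configured timeout with the longest run observed in monitoring. The function records, policy documents, bucket name and “observed maximum” figures are constructed; the 900-second figure is AWS Lambda’s real hard timeout limit.

```python
"""Review serverless function settings for over-permissive IAM policies and
overly long timeouts.

Added example for this page, not a tool from the original post. The function
records and policies below are constructed; only the AWS Lambda hard timeout
limit (900 seconds) is a real platform value."""
from typing import Any, Dict, List

LAMBDA_MAX_TIMEOUT_SECONDS = 900  # Lambda's hard upper limit, 15 minutes


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Describe each Allow statement that grants a wildcard action, a whole
    service ("s3:*") or a wildcard resource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append("action '*' allows every API call")
            elif action.endswith(":*"):
                findings.append(f"action '{action}' allows the whole service")
            elif "*" in action:
                findings.append(f"action '{action}' uses a wildcard")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("resource '*' applies to every resource in the account")
    return findings


def timeout_findings(timeout_seconds: int, observed_max_seconds: float) -> List[str]:
    """Compare the configured timeout with the longest run seen in monitoring;
    a timeout far above what the function ever needs gives injected code more
    time to run before the platform stops it."""
    findings = []
    if timeout_seconds >= LAMBDA_MAX_TIMEOUT_SECONDS:
        findings.append("timeout is set to the platform maximum")
    if observed_max_seconds > 0 and timeout_seconds > 10 * observed_max_seconds:
        findings.append(f"timeout {timeout_seconds}s is more than 10x the observed "
                        f"maximum of {observed_max_seconds:.1f}s")
    return findings


def review_function(fn: Dict[str, Any]) -> Dict[str, List[str]]:
    """Combine both checks for one function record."""
    return {"policy": policy_findings(fn["policy"]),
            "timeout": timeout_findings(fn["timeout"], fn["observed_max_seconds"])}


# Constructed records: the same hypothetical thumbnail function before and
# after its role and timeout were tightened. Names and bucket are made up.
OVER_PERMISSIVE = {
    "name": "order-thumbnailer",
    "timeout": 900,
    "observed_max_seconds": 2.4,
    "policy": {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
}
LEAST_PRIVILEGE = {
    "name": "order-thumbnailer",
    "timeout": 20,
    "observed_max_seconds": 2.4,
    "policy": {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow",
                              "Action": ["s3:GetObject", "s3:PutObject"],
                              "Resource": "arn:aws:s3:::example-thumbnails/*"}]},
}

if __name__ == "__main__":
    for record in (OVER_PERMISSIVE, LEAST_PRIVILEGE):
        print(record["name"], review_function(record))
```

The 10x ratio between configured timeout and observed maximum is an arbitrary threshold chosen for the example; the point is to compare the setting against real measurements rather than leaving it at the platform default.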
In conclusion, despite new security challenges arising, serverless deployments are great for organizations of all sizes, providing developers with speed to launch and improving operational costs and efficiencies. Serverless also creates an opportunity to adopt an even stronger security posture, since everything is at the function level, making it even more difficult for attackers. To embrace this new opportunity, it is important for teams to change their approach to application security in serverless deployments. Securing serverless apps requires a variety of tools and tactics, including collaboration between the people involved in the application and in its security.
The alert, issued in partnership with the Retail & Hospitality ISAC (information sharing and analysis centre https://rhisac.org/ ), highlights a recent increase in malware attacks targeting e-commerce websites to gain payment card data.
There’s a good chance that organisations and individuals have been compromised and aren’t yet aware, because the attacks are designed to draw as little attention to themselves as possible.
How does online skimming work?
Online skimming is a variation of a criminal tactic used to gain access to payment card information. Until recently, it was more commonly associated with physical fraud, in which criminals use a device (‘skimmer’) that interacts with a victim’s payment card.
One of the most common skimming methods is to place a duplicate card reader on top of an ATM’s payment card slot. Criminals can then siphon off card details as the card enters the machine.
This reader will typically be paired with a pinhole camera or duplicate keypad placed over the machine so that the fraudsters can log the customer’s PIN.
Online skimming works in much the same way, except the ATM is replaced by an online payment form and the physical skimming device is replaced by malicious code.
Magecart is the umbrella term for criminal groups that exploit vulnerabilities in online stores, mostly those based on the Magento platform or other content management systems. A number of recent data breaches, such as those at Ticketmaster and British Airways, were believed to be part of such credit card skimming operations.
Skimming malware such as JS Sniffer and Magecart targets web hosting companies and third-party development firms that develop code for e-commerce firms. Once inside that code, attackers can manipulate it to infect any other websites within the same environment, affecting those sites and their users.
This malware is known to extract credit card details from shopping baskets and forms. When customers enter their payment card details, the malware ‘skims’ the information. The transaction continues as normal, and neither the organisation nor the customer notices anything is amiss.
The only way to tell is if the organisation performs a thorough assessment of its security practices or the customer notices fraudulent payments coming out of their account. And by then, it is too late.
How are organisations infected?
There are many ways that an organisation’s website can be infected. The PCI SSC and the Retail & Hospitality ISAC highlight the threat of:
Phishing scams and other social engineering techniques; and
Attacks targeting third-party applications, such as advertising scripts, live chat functions and customer rating features.
Any organisation that takes online payments is at risk, and those that are infected are often targeted again within days. They should therefore take extra care to clean affected systems and address any underlying vulnerabilities to prevent reinfection.
Reviewing code in order to identify vulnerabilities;
Using vulnerability security assessment tools to test web applications and vulnerabilities;
Audit logging and reviewing logs and security events for all system components to identify suspicious activity;
Running file-integrity monitoring or change-detection software;
Performing internal and external network vulnerability scans; and
Performing penetration tests to identify security weaknesses.
Organisations should also take this opportunity to review which third-party services they use.
It’s not good enough to say you weren’t to blame for a breach because the vulnerability occurred at a service provider. Organisations are responsible for who they work with, so they must only use services from providers they trust.
Protect yourself from online skimming
As a CREST-accredited provider of security testing, and a certified PCI QSA (Qualified Security Assessor) company, IT Governance can help with all your PCI DSS compliance needs.
Scammers are literally on their toes all year round, but for all the wrong reasons, devising ways and means to trick innocent people. In their latest attempt at fraud, cyber criminals are using fake SMS pretending to be from Income Tax Department to trick innocent victims into sharing bank account…
Posted by Felix Groebert, Information Security Engineering
Today, we’re excited to announce a yearly Google Cloud Platform (GCP) VRP Prize to promote security research of GCP. A prize of $100,000.00 will be paid to the reporter of the best vulnerability affecting GCP reported through our Vulnerability Reward Program (g.co/vulnz) and having a public write-up (nominations will be received here).
We’ve received vulnerability reports for various application security flaws in GCP over the years, but we felt research of our Cloud platform has been under-represented in our Vulnerability Reward Program. So, with the GCP VRP Prize, we hope to encourage even more researchers to focus on GCP products and help us identify even more security vulnerabilities.
Note that we will continue to pay hundreds of thousands of dollars to our top bug hunters through our Vulnerability Research Grants Program even when no bugs are found, and to reward up to tens of thousands of dollars per bug to the most impactful findings. This prize is meant to create an additional incentive for more people to focus on public, open security research on GCP who would otherwise not participate in the reward program.
This competition draws on our previous contests, such as Pwnium and the Project Zero Prize, and rather than focusing bug hunters on collecting vulnerabilities for complex bug chains, we are attempting a slightly different twist and selecting a single winner out of all vulnerabilities we receive. That said, this approach comes with its own challenges, such as: defining the right incentives for bug hunters (both in terms of research as well as their communications with our team when reporting vulnerabilities); or ensuring there are no conflicting incentives, either when our own team is looking for similar vulnerabilities (since we aren't eligible for collecting the prize).
For the rest of the year, we will be seeking feedback from our top bug hunters and the security community to help define what vulnerabilities are the most significant, and we hope we can work together to find the best way to incentivize, recognize, and reward open security research. To further incentivize research in 2019, we will be issuing GCP VRP grants summing up to $100,000 to our top 2018 researchers.
Head over here for the full details on the contest. Note that if you have budget constraints for access to testing environments, you can use the free tier of GCP.
We look forward to our Vulnerability Rewards Programs resulting in even more GCP customer protection in the following years thanks to the hard work of the security research community. Follow us on @GoogleVRP.
Avaya is the second largest VOIP solution provider (source) with an install base covering 90% of the Fortune 100 companies (source), with products targeting a wide spectrum of customers, from small business and midmarket, to large corporations. As part of the ongoing McAfee Advanced Threat Research effort into researching critical vulnerabilities in widely deployed software and hardware, we decided to have a look at the Avaya 9600 series IP Deskphone. We were able to find the presence of a Remote Code Execution (RCE) vulnerability in a piece of open source software that Avaya likely copied and modified 10 years ago, and then failed to apply subsequent security patches to. The bug affecting the open source software was reported in 2009, yet its presence in the phone’s firmware remained unnoticed until now. Only the H.323 software stack is affected (as opposed to the SIP stack that can also be used with these phones), and the Avaya Security Advisory (ASA) can be found here ASA-2019-128.
The video below demonstrates how an attacker can leverage this bug to take over the normal operation of the phone, exfiltrate audio from its speaker phone, and potentially “bug” the phone. The current attack is conducted with the phone directly connected to an attacker’s laptop but would also work via a connection to the same network as a vulnerable phone. The full technical details can be found here, while the rest of this article will give a high-level overview on how this bug was found and some consideration regarding its resolution. The firmware image Avaya published on June 25th resolves the issue and can be found here. As a user, you can verify if your Deskphone is vulnerable: first determine if you have one of the affected models (9600 Series, J100 Series or B189), then find which firmware version your phone is using in the “About Avaya IP Deskphone” screen under the Home menu. Version 6.8.1 and earlier are vulnerable when using an H.323 firmware (SIP versions are not affected).
What are Researchers Looking for?
When studying the security of embedded and IoT devices, researchers generally have a couple of goals in mind to help kickstart their research. In most cases, two of the main targets are recovering the files on the system so as to study how the device functions, and then finding a way to interact directly with the system in a privileged fashion (beyond what a normal user should be able to do). The two can be intertwined, for instance getting a privileged access to the system can enable a researcher to recover the files stored on it, while recovering the files first can show how to enable a privileged access.
In this case, recovering the files was straightforward, but gaining a privileged access required a little more patience.
Recovering the Files From the Phone
When we say recovering the files from the phone, we mean looking for the operating system and the various pieces of software running on it. User files, e.g. contacts, settings and call logs, are usually not of interest to a security researcher and will not be covered here. To recover the files, the easiest approach is to look for firmware updates for the device. If we are lucky, they will be freely available and not encrypted. In most cases, an encrypted firmware does not increase the security of the system but rather raises the barrier of entry for security researchers and attackers alike. In this case we are in luck: Avaya’s website serves firmware updates for its various phone product lines and anyone can download them. The download contains multiple tar files (a type of archive file format). We can then run a tool called binwalk on the extracted files. Binwalk is a large dictionary of patterns that represents known file formats; given an unknown firmware file, it will look for any known pattern and, upon finding potential matches, will attempt to process them accordingly. For instance, if it finds what looks like a .zip file inside the firmware, it will try to unzip it. Running this tool is always a good first step when facing an unknown firmware file as, in most cases, it will identify useful items for you.
When processing the phone’s firmware, extracting the files and running binwalk on them gave us the program the phone runs at startup (the bootloader), the Linux kernel used by the phone, and a JFFS filesystem that contains all the phone’s binaries and configuration files. This is a great start, as from there we can start understanding the inner workings of the device and look for bugs. At this stage however, we are limited to performing a static analysis: we can look at the files and peek at the assembly instructions of various binaries, but we cannot execute them. To make life easier, there are usually two options. The first one is to emulate the whole phone, or at least some region of interest, while the other is to get a privileged access to the system, to inspect what is running on it as well as run debugging tools. Best results come when you mix and match all these options appropriately. For the sake of simplicity, we will only cover the latter, but both were used in various ways to help us in our research.
Getting the Privileged Access
In most cases, when talking about gaining privileged access to an IoT/embedded device, security researchers are on the lookout for an administrative interface called a root shell that lets them execute any code they want with the highest level of privilege. Sometimes, one is readily available for maintenance purposes; other times more effort is required to gain access to it, assuming one is present in the first place. This is when hardware hacking comes into play; security researchers love to rip open devices and void warranties, looking for potential debug ports, gatekeepers of the sought-after privileged access.
Close up of the phone’s circuit board. UART ports in Red and the EEPROM in blue
In the picture above, we can see two debug ports labeled UART0 and UART1. This type of test point, where the copper is directly exposed, is commonly used during the manufacturing process to program the device or verify everything is working properly. UART stands for Universal Asynchronous Receiver-Transmitter and is meant for two-way communication. This is the most likely place where we can find the administrative access we are looking for. By buying a $15 cable that converts UART to USB and soldering wires onto the test pads, we can see debug information being printed on screen when the phone boots up, but soon the flow of debug information dries up. This is a curious behavior—why stop the debug messages?—so we need to investigate more. By using a disassembler to convert raw bytes into computer instructions, we can peek into the code of the bootloader recovered earlier and find out that during the boot process the phone fetches settings from external memory to decide whether the full set of debug features should be enabled on the serial console. The external memory is called an EEPROM and is easily identifiable on the board, first by its shape and then by the label printed on it. Labels on electronic components are used to identify them and to retrieve their associated datasheet, the technical documentation describing how to use the chip from an electrical engineering standpoint. Soldering wires directly to the chip under a microscope, and connecting it to a programmer (a $30 gizmo called a buspirate), allows us to change the configuration stored on it and enable the debug capabilities of the phone.
EEPROM ready to be re-programmed
Rebooting the phone gives us much more debug information and, eventually, we are greeted with the root shell we were after.
Confirmation we have a root shell. Unrelated debug messages are being printed while we are invoking the “whoami” command
The approach described above is fairly lengthy and is only interesting to security researchers in a similar situation. A more generic technique would be to directly modify the filesystem by altering the flash storage (a NAND Flash on the back of the circuit board) as we did for previous research, and then automatically start an SSH server or a remote shell. Another common technique is to tamper with the NAND flash while the filesystem is loading in memory, to get the bootloader in an exception state that will then allow the researcher to modify the boot arguments of the Linux kernel. Otherwise, to get remote shell access, using an older firmware with known RCE vulnerabilities is probably the easiest method to consider; it can be a good starting point for security researchers and is not threatening to regular users as they should already have the most up-to-date software. All things considered, these methods are not a risk to end-users and are more of a stepping stone for security researchers to conduct their research.
In Search of Vulnerabilities
After gaining access to a root shell and the ability to reverse engineer the files on the phone, we are faced with the open-ended task of looking for potentially vulnerable software. As the phone runs Linux, the usual command line utilities people use for administering Linux systems are readily available to us. It is natural to look at the list of running processes, find the ones with network connections and so forth. While poking around, it becomes clear that one of the utilities, dhclient, is of great interest. It is already running on the system and handles network configuration (the so-called DHCP requests to configure the phone’s IP address). If we invoke it in the command line, the following is printed:
Showing a detailed help screen describing its expected arguments is normal behavior, but a 2004-2007 copyright is a big red flag. A quick search confirms that the 4.0.0 version is more than 10 years old and, even worse, an exploit targeting it is publicly available. Dhclient code is open source, so finding the differences between two successive versions is straightforward. Studying the exploit code and how the bug was patched helps us to narrow down which part of the code could be vulnerable. By once again using a disassembler, we confirm the phone’s version of dhclient is indeed vulnerable to the bug reported in 2009. Converting the original exploit to make it work on the phone requires a day or two of work, while building the proof of concept demonstrated in the above video is a matter of mere hours. Indeed, all the tools to stream audio from the phone to a separate machine are already present on the system, which greatly reduces the effort to create this demo. We did not push the exploitation further than the Proof of Concept shown in the above video, but we can assume that at this point, building a weaponized version able to threaten private networks is more of a software engineering task and a skilled attacker might only need a few weeks, if not days, to put one together.
Upon finding the flaw, we immediately notified Avaya with detailed instructions on how to reproduce the bug and suggested fixes. They were able to fix, test and release a patched firmware image in approximately two months. At the time of publication, the fix will have been out for more than 30 days, leaving IT administrators ample time to deploy the new image. In a large enterprise setting, it is pretty common to first have a testing phase where a new image is being deployed to selected devices to ensure no conflict arises from the deployment. This explains why the timeline from the patch release to deployment to the whole fleet may take longer than what is typical in consumer grade software.
IoT and embedded devices tend to blend into our environment, in some cases not warranting a second thought about the security and privacy risks they pose. In this case, with a minimal hardware investment and free software, we were able to uncover a critical bug that remained out-of-sight for more than a decade. Avaya was prompt to fix the problem and the threat this bug poses is now mitigated, but it is important to realize this is not an isolated case and many devices across multiple industries still run legacy code more than a decade old. From a system administration perspective, it is important to consider all these networked devices as tiny black-box computers running unmanaged code which should be isolated and monitored accordingly. The McAfee Network Security Platform (NSP) detects this attack as “DHCP: Subnet Mask Option Length Overflow” (signature ID: 0x42601100), ensuring our customers remain protected. Finally, for the technology enthusiasts reading this, the barrier of entry to hardware hacking has never been this low, with plenty of online resources and cheap hardware to get started. Looking for this type of vulnerability is a great entry point to information security and will help make the embedded world a safer place.
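The network-side check behind a signature like “DHCP: Subnet Mask Option Length Overflow”, as an added example that is neither McAfee’s nor Avaya’s code: parse the options field of a DHCP reply and alert when the subnet-mask option declares anything other than the four bytes an IPv4 netmask can hold. The packets are constructed for the demonstration; the frame builder and sample addresses are assumptions for that purpose only.

```python
"""Detect DHCP replies carrying an over-long subnet-mask option.

Added example (not McAfee's or Avaya's code): a small parser for the DHCP
options field that flags what the article calls "DHCP: Subnet Mask Option
Length Overflow". A client that copies option 1 into a fixed four-byte
field without checking the declared length is the class of bug described
above, so any other length on the wire is a protocol violation worth an
alert. All packet bytes below are constructed.
"""
import struct
from typing import List, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"     # magic cookie that ends the BOOTP header
OPT_PAD, OPT_SUBNET_MASK, OPT_END = 0, 1, 255
FIXED_HEADER_LEN = 236               # op .. file fields of a BOOTP frame
SUBNET_MASK_EXPECTED_LEN = 4         # an IPv4 netmask is exactly four bytes


def parse_dhcp_options(payload: bytes) -> List[Tuple[int, bytes]]:
    """Return (code, value) pairs from a raw DHCP/BOOTP UDP payload.

    Raises ValueError on a truncated or non-DHCP payload so the caller can
    treat malformed traffic as suspicious rather than silently ignoring it.
    """
    if len(payload) < FIXED_HEADER_LEN + len(DHCP_MAGIC):
        raise ValueError("payload too short for a DHCP message")
    if payload[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = []
    i = FIXED_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte option, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("option header truncated")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated (declared {length})")
        options.append((code, value))
        i += 2 + length
    return options


def subnet_mask_overflow(payload: bytes) -> bool:
    """True when a subnet-mask option (code 1) does not carry exactly 4 bytes.

    Malformed DHCP is reported as an alert as well: a reply that cannot be
    parsed should never be treated as benign by a detection.
    """
    try:
        options = parse_dhcp_options(payload)
    except ValueError:
        return True
    return any(code == OPT_SUBNET_MASK and len(value) != SUBNET_MASK_EXPECTED_LEN
               for code, value in options)


def build_dhcp_offer(options: bytes) -> bytes:
    """Construct a minimal DHCPOFFER frame around the given option bytes (assumed values)."""
    header = bytearray(FIXED_HEADER_LEN)
    header[0] = 2                                      # op = BOOTREPLY
    header[1], header[2] = 1, 6                        # htype Ethernet, hlen 6
    struct.pack_into("!I", header, 4, 0x3903F326)      # xid, constructed
    struct.pack_into("!4s", header, 16, bytes([192, 168, 1, 50]))  # yiaddr
    return bytes(header) + DHCP_MAGIC + options + bytes([OPT_END])


# Constructed samples: a well-formed offer and one with a 16-byte "netmask".
BENIGN_OFFER = build_dhcp_offer(
    bytes([53, 1, 2])                       # message type = DHCPOFFER
    + bytes([1, 4, 255, 255, 255, 0])       # subnet mask, length 4
    + bytes([3, 4, 192, 168, 1, 1])         # router
)
OVERLONG_OFFER = build_dhcp_offer(
    bytes([53, 1, 2])
    + bytes([1, 16]) + b"\xff" * 16         # subnet mask declaring 16 bytes
)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_OFFER), ("overlong", OVERLONG_OFFER)):
        print(f"{name}: alert={subnet_mask_overflow(pkt)}")
```

Feeding this the UDP payload of every server-to-client DHCP message (destination port 68) on a VoIP VLAN gives the monitoring the article recommends for unmanaged black-box devices.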
During her briefing with Kelly Shortridge, vice president of product strategy at Capsule8, Dr. Nicole Forsgren, research and strategy at Google, did a beautiful job of adding imagery to the story she told of the attendee reactions during the now-famous talk Paul Hammond and John Allspaw gave at Velocity in 2009. If you're not familiar, the title of said talk was, "10 Deploys Per Day: Dev & Ops Cooperation at Flickr."
Forsgren recalled that, "The room was split. At the end of this process, large pieces of code would be deployed and, basically, lit everyone on fire. Half the room was amazed and it was changing the world. Half of the room said they were monsters and how dare they light people on fire 10 times per day." Forsgren concluded that "DevOps has crossed the chasm - the business benefits are too striking. We see most of the industry doing this. There is no turning the ship around."
Indeed, DevOps has long moved beyond the conceptual and has become a widely adopted practice in software development and delivery. It gave birth to the InfoSec equivalent of DevSecOps and the concept of "shifting security left." From where I sit within Veracode, I see the ways that many security solutions providers are doing their best to provide developers with the tools they need to embed security into their workflow, yet it’s clear that there is still more to be done to get InfoSec professionals on board.
"James Wickett has said the ratio of engineers in development, operations, and InfoSec in a typical technology organization is 100:10:1. If we integrate [InfoSec professionals] earlier to have input, the shift left can build a more collaborative culture, contribute to amazing outcomes - like stability, reliability, and resiliency," Forsgren said. "We need to build secure systems, and we will find ways to do this. We know this is super important, and security is the next frontier. Security can contribute to this and join DevOps. Or you can stand aside as DevOps figures this out and carves its own path. I would love to see InfoSec contributing the expertise we just don't have."
Forsgren was clearly echoing the sentiment Dino Dai Zovi expressed in his conference keynote. Certainly, the concept of being lit on fire 10 times per day would create a fight-or-flight response, and it is much easier to go to no than to go to yes. Yet, when Forsgren spoke about the benefits of this type of work, she explained that what InfoSec pros would face would be mini-fires with a smaller blast radius. She argues that it is time for InfoSec to say, "no, and…"
The Security of Chaos
It appeared that Shortridge couldn't have agreed more.
"The real DevOps will be held accountable for security fixes," said Shortridge. "So what should goals and outcomes become? Why should InfoSec and DevOps goals diverge? InfoSec should support innovation in the face of change - not add friction. InfoSec has arguably failed, so 'this is how we've always done it' is invalid. The greatest advances in security are rarely spawned by the security industry."
In other words, it's time to start jumping out of the proverbial planes in order to face our fears and start doing things differently in security. Shortridge reminded us that it is inevitable that things will fail and things will be pwned, which is why she is a proponent of adopting chaos engineering. Chaos engineering is the discipline of experimenting on a software system in production to provide your organization with a level of confidence in the system's capability to withstand turbulent and unexpected conditions, while still creating adequate quality of service (resiliency) during difficult times.
The concept of chaos engineering was created while Greg Orzell was overseeing Netflix's migration to the cloud in 2011. He wanted to address the lack of adequate resilience by creating a tool that would cause breakdowns in their production environment - the one used by Netflix customers. In doing this, the team could move from a development model that assumed no breakdowns to one where they were considered inevitable. This encouraged developers to build resilience into their software from the start. By regularly "killing" random instances of software service, they could test redundant architecture to make sure that a server failure wouldn't noticeably impact the customer experience.
"Expect your security controls will fail and prepare accordingly. System architectures must be designed assuming the controls and users will fail," she said. "Users very rarely follow the ideal behaviors. Don’t try to avoid incidents. Embrace your ability to respond to them. Ensure that your systems are resilient enough to handle incidents gracefully. Pivot toward realistic resilience."
If your team can plan for nothing but the chaos factor, then you should understand that there are true benefits to applying chaos resilience, including lower remediation costs, decreased stress levels during real incidents, and less burnout.
"Incidents are a problem with known processes, rather than fear and uncertainty. It creates feedback loops to foster understanding of systemic risk. Chaos engineering does this to help us continuously refine security strategy - essentially all the time red teaming. You have the ability to automate the toil, or the manual, repetitive, tactical work that doesn't provide enduring value," she said.
How to Marry DevOps and Security
At the end of the talk, Forsgren offered these tenets for a scalable love between DevOps and Security:
Sit in on early design decisions and demos – but say “No, and…” vs. “No.”
Provide input on tests so every testing suite has InfoSec’s stamp on it.
By the last “no” gate in the delivery process, nearly all issues will be fixed.
InfoSec should focus on outcomes that are aligned with business goals.
Time To Remediate (TTR) should become the preliminary anchor of your security metrics.
Security- and performance-related gamedays can’t be separate species.
Cultivate buy-in together for resilience and chaos engineering.
Visibility/observability: collecting system information is essential.
Your DevOps colleagues are likely already collecting the data you need - work with them to collect it.
Changing culture: change what people do, not what they think.
Forsgren and Shortridge made the case that security cannot force itself into DevOps, it must marry it - and have an equal partnership. Chaos/resilience are natural homes for InfoSec and represent its future, and InfoSec will need to evolve to unify responsibility and accountability.
"If not, InfoSec will sit at the kids’ table until it is uninvited from the business," Shortridge said. "Giving up control isn’t a harbinger of doom. Resilience is a beacon of hope."
Posted by Elie Bursztein, Security & Anti-abuse Research Lead, Daniela Oliveira, Professor at the University of Florida
Phishing attacks continue to be one of the common forms of account compromise threats. Every day, Gmail blocks more than 100 million phishing emails and Google Safe Browsing helps protect more than 4 billion devices against dangerous sites.
As part of our ongoing efforts to further protect users from phishing, we’re partnering with Daniela Oliveira from the University of Florida during a talk at Black Hat 2019 to explore the reasons why social engineering attacks remain effective phishing tactics, even though they have been around for decades.
Overall, the research finds there are a few key factors that make phishing an effective attack vector:
Phishing is constantly evolving: 68% of the phishing emails blocked by Gmail today are new variations that were never seen before. This fast-paced adversarial evolution requires humans and machines to adapt very quickly to prevent them.
Phishing is targeted: Many of the campaigns targeting Gmail end-users and enterprise consumers only target a few dozen individuals. Enterprise users are 4.8x more likely to be targeted than end-users.
Phishers are persuasion experts: As highlighted by Daniela’s research with Natalie Ebner et al. at the University of Florida, phishers have mastered the use of persuasion techniques, emotional salience and gain or loss framing to trick users into reacting to phishing emails.
45% of users don’t understand what phishing is: After surveying Internet users, we found that 45% of them do not understand what phishing is or the risk associated with it. This lack of awareness increases the risk of being phished and potentially hinders the adoption of 2-step verification.
Protecting users against phishing requires a layered defense approach that includes:
Educating users about phishing so they understand what it is, how to detect it and how to protect themselves.
Leveraging the recent advances in AI to build robust phishing detections that can keep pace with fast evolving phishing campaigns.
Displaying actionable phishing warnings that are easy to understand by users so they know how to react when they see them.
Using strong two factor authentication makes it more difficult for phishers to compromise accounts. Two-factor technologies, as visible in the graph above, can be effective against the various forms of phishing, which highlights the importance of driving awareness and adoption among users.
While technologies to help mitigate phishing exist, such as FIDO standard security keys, there is still work to be done to help users increase awareness and understand how to protect themselves against phishing.
You’ve probably heard of CafePress, a custom T-shirt and merchandise company allowing users to create their own unique apparel and gifts. With a plethora of users looking to make their own creative swag, it’s no surprise that the company was recently targeted in a cybercriminal ploy. According to Forbes, CafePress experienced a data breach back in February that exposed over 23 million records including unique email addresses, names, physical addresses, phone numbers, and passwords.
How exactly did this breach occur? While this information is still a bit unclear, security researcher Jim Scott stated that approximately half of the breached passwords had been exposed through gaps in an encryption method called base64 SHA1. As a result, the breach database service HaveIBeenPwned sent out an email notification to those affected letting them know that their information had been compromised. According to Engadget, about 77% of the email addresses in the breach have shown up in previous breach alerts on HaveIBeenPwned.
Scott stated that those who used CafePress through third-party applications like Facebook or Amazon did not have their passwords compromised. And even though third-party platform users are safe from this breach, this isn’t always the case. With data breaches becoming more common, it’s important for users to protect their information as best as they can. Check out the following tips to help users defend their data:
Check to see if you’ve been affected. If you know you’ve made purchases through CafePress recently, use this tool to check if you could have been potentially affected.
Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.
And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
When your organization is young and growing, you may find yourself overwhelmed with a never-ending to-do list. It can be easy to overlook security when you’re hiring new employees, finding infrastructure, and adopting policies. Without a proper cybersecurity strategy, however, the business that you’ve put your heart and soul into, or the brilliant idea that you’ve spent years bringing to life, is on the line. Every year, businesses face significant financial, brand, and reputational damage resulting from a data breach, and many small businesses don’t ever recover.
Not only that, but as you grow you may be looking to gain investors or strategic partners. Many of these firms are not willing to give organizations that don’t take security seriously a chance. A strong security stance can be your differentiator among your customers and within the Venture Capital landscape.
One thing’s for sure: you’ve spent a great deal of time creating a business of your own, so why throw it all away by neglecting your security? You can begin building your own cybersecurity strategy by following these steps:
1. Start by identifying your greatest business needs.
This understanding is critical when determining how your vulnerabilities could affect your organization. Possible business needs could include manufacturing, developing software, or gaining new customers. Make a list of your most important business priorities.
2. Conduct a third-party security assessment to identify and remediate the greatest vulnerabilities to your business needs.
The assessment should evaluate your organization’s overall security posture, as well as the security of your partners and contractors.
Once you understand the greatest risks to your business needs, you can prioritize your efforts and budget based on ways to remediate these.
3. Engage a Network Specialist to set up a secure network or review your existing network.
A properly designed and configured network can help prevent unwanted users from getting into your environment and is a bare necessity when protecting your sensitive data.
Don’t have a set office space? If you and your team are working from home or communal office spaces, be sure to never conduct sensitive business on a shared network.
4. Implement onboarding (and offboarding) policies to combat insider threat, including a third-party vendor risk management assessment.
Your team is your first line of defense, but as you grow, managing the risk of bringing on more employees can be challenging. Whether attempting to maliciously steal data or clicking a bad link unknowingly, employees pose great threats to organizations.
As part of your onboarding policy, be sure to conduct thorough background checks and monitor users’ access privileges. This goes for your employees, as well as any third parties and contractors you bring on.
5. Implement a security awareness training program and take steps to make security awareness part of your company culture.
Make sure your training program includes topics such as password best practices, phishing identification and secure travel training. Keep in mind, though, that company-wide security awareness should be more than once-a-year training. Instead, focus on fostering a culture of cybersecurity awareness.
6. Set up multi-factor authentication and anti-phishing measures.
Technology should simplify your security initiatives, not complicate them. Reduce the number of administrative notifications to only what is necessary and consider improvements that don’t necessarily require memorizing more passwords, such as password managers and multi-factor authentication for access to business-critical data.
7. Monitor your data and endpoints continuously with a Managed Security Services Provider.
As you grow, so does the number of endpoints you have to manage and the amount of data you have to protect. One of the best ways to truly ensure this data is protected is to have analysts monitoring your data at all hours. A managed security services provider will monitor your data through a 24/7 security operations center, keeping eyes out for any suspicious activity such as phishing emails, malicious sites, and any unusual network activity.
You’re not done yet: revisit your security strategy as you evolve.
It’s important to remember that effective cybersecurity strategies vary among organizations. As you grow, you’ll want to consider performing regular penetration testing and implementing an Incident Response Plan.
And, as your business changes, you must continually reassess your security strategy and threat landscape.
Cybersecurity firm FireEye says ‘aggressive’ APT41 group working for Beijing is also hacking video games to make money
A group of state-sponsored hackers in China ran activities for personal gain at the same time as undertaking spying operations for the Chinese government in 14 different countries, the cybersecurity firm FireEye has said.
In a report released on Thursday, the company said the hacking group APT41 was different to other China-based groups tracked by security firms in that it used non-public malware typically reserved for espionage to make money through attacks on video game companies.
"Did you know that your 20th Black Hat is when you get to give the keynote at Black Hat?" Dino Dai Zovi, head of security for Cash App at Square, joked to the packed ballroom. While it may have been Dai Zovi's 20th conference, the topic of his keynote has never been more fitting for where we are in security and the ways in which it mirrors what we experience in our day-to-day life.
He gave us an overview of his history: in high school he realized that hacking and security was a lot more like magic than he previously thought, because it was about figuring out how things work, putting a lot of thought into writing and making something respond in the way you want it to. In college, he spent his nights, weekends, and spring breaks learning how to find and exploit vulnerabilities in code. And about that time (in 2007) he used his skills to simultaneously prove that Apple's OS X operating system could, indeed, be hacked and win a laptop for his friend in the Pwn2Own competition.
No big deal.
Dai Zovi took his work as a security researcher into more corporate organizations, where he learned about the importance of automation, understanding what is really being asked for in order to solve the right problem, and ensuring that there is collaboration between security and development to achieve more quality outcomes. Here are the four key lessons that Dai Zovi learned as he transitioned from offense to defense.
Work backwards from the job: Dai Zovi talked about how McDonald's was working to understand how they should evolve their milkshake. What they noticed was that people were ordering them in the morning, and they wanted to see why this was happening. In discussions with a customer, the customer indicated that they needed to have breakfast on their morning commute. They had tried a banana, but it wasn't filling enough; a bagel was too dry, and spreading cream cheese while driving was too challenging; in giving doughnuts a shot, they found they were eating too many; but the McDonald's milkshake - unlike other milkshakes - was thick enough to last the full 40 minute drive to work and left them feeling full. As it turns out, the customer was not ordering a milkshake to satisfy hunger, but to cure boredom. Really try to understand your customer, who they are and where they struggle, and what you need to do to provide the best product or solution for them.
Seek and apply leverage: For this story, Dai Zovi took us back to his time with @stake, where he was essentially fuzzing by hand when he first started. He wanted to show off his skills, but he realized that his colleague was completing his work - and finding more vulnerabilities - faster than him (and subsequently honing his foosball game) by using an automated technique. So Dai Zovi followed his lead and found that he was able to find more and do it more effectively. By using feedback loops, software, and automation you can really scale your impact.
Culture is more powerful than strategy which is more powerful than tactics: In one of the organizations he worked in, Dai Zovi was in a conversation with a developer who had been working on a feature but noticed it was coming out…a bit "sketchy." So the developer and security team white boarded out the feature and worked together to ensure that it was secure by design (shift left, anyone?). As security leaders, it's important that we focus on the security culture of our organizations. If we can create security culture change in every team, we can scale a lot more powerfully than we can if security is only security's responsibility.
Start with yes: We need to engage the world starting with yes. It keeps the conversation going, it keeps the conversation collaborative, and it keeps the conversation constructive. It says, "I want to work to solve the other problems you have, and I want to make you safe.” That's how we create real change and have a real impact.
"Why don't all security teams start with yes?" Dai Zovi asked the audience. "Fear. There are lots of reasons to be afraid. But fear misguides us because it's irrational. Fear causes paralysis and creates more insecurity because it often leads to doing nothing."
For me, this was the most powerful takeaway. Dai Zovi talked about how he overcame his fear of flying by learning how to skydive. He felt the fear center in his brain activate and assured it that he would be fine: he had the right equipment and knowledge and knew that he would land safely. The more he jumped, the more he proved to his brain that he was safe and the fear dissipated.
Here is a truth about the human brain: we fear being rejected (or not belonging) and change above all else. There was a time when being outcast from the community meant certain death, and because change cannot be predicted, it cannot be planned for. As evolved as we have become, our brains have not kept up and we are all walking around with outdated technology that thinks that it should respond to change in the same way that it does being chased by a lion.
Ultimately, if we want to strengthen communication we need to first understand that we're all human and assume good intent. Everyone wants to feel safe and they want to belong, and these two desires can stop progress in its tracks. Yet being agile and objective, communicative and collaborative, are essential in today's changing threat landscape. The reality is, we need more innovation and teamwork in development and security - not less. Change is both an inevitable part of life and keeping software safe - we must be agile in our thinking and in our actions.
The kick-off keynote for the 23rd Black Hat USA Conference in Las Vegas set the stage for the conversations that will undoubtedly be discussed in great detail over the next two days - and likely the next two years - if Black Hat founder Jeff Moss’ opening remarks are indicative of a trend. Moss pointed out that security had been asking for the spotlight, both in legislative and more corporate settings, and the industry has had it for the last two years. However, it isn't enough to have the spotlight if you don't know how to harness it. In this case, what Moss was talking about is that how we communicate determines the outcomes we receive. He quipped that if you communicate well, then you may find yourself with more budget - and if you communicate poorly, you could find yourself fired.
Yet defining what cyber or security is remains an ongoing challenge, and Moss notes that oftentimes the language that we use causes us to think of a problem in a certain way, taking us in a direction we don't really want to be heading. He notes that while cyber, or information, is considered the Fifth Domain, it doesn't mean that it is equal to land, sea, air, and space. It's different and requires a different language and level of thinking. You can't use the language and laws of the sea to govern the laws of the Internet or how we engage there, because it is vastly different in nature. It's also vastly different depending on where you're engaging, assuming the Internet isn't simply … everywhere.
Moss told a story about how he was speaking with a colleague who told him about how in China, the money is in DDoS protection because attackers are using the "Great Firewall of China" to blackmail other Chinese companies. They're not worried about identity theft because they don't really have it: Chinese farmers sell their identity for 3,000 yen. Meaning that "all of the identities are legit, they're just not the person you think they are."
"You might think the Internet works one way, and in one conversation it can flip upside down," Moss told the audience.
Simply put: we all have our perceptions, either individually or collectively, about what is needed when it comes to cybersecurity - and we're not communicating effectively about them. In order to fix this problem, we need to reorder the way that we think about things so that we can have more open and effective dialogue. As Moss said, "communication is a soft skill that leads to better technical outcomes."
Veracode’s RESTful APIs use Hash-based Message Authentication Code (HMAC) for authentication, which provides a significant security advantage over basic authentication methods that pass the username and password with every request. Passing credentials in the clear is not a recommended practice from a security perspective; encryption is definitely preferred for obvious reasons, but HMAC goes a step further and passes just a unique signature.
Developers familiar with Amazon Web Services (AWS) may already have experience with this method of authentication, as it is the primary method used by AWS. In fact, Veracode began providing users the ability to use HMAC authentication when utilizing our suite of integration products and Java/C# SDKs in early 2016.
What Is HMAC Authentication?
With Hash-based Message Authentication Code (HMAC), the server and the client share a public ID and a private Secret Key (for more information on obtaining an ID and Secret Key with Veracode, please see our help center). Unlike a password with basic authentication, the Secret Key is known by the server and client, but is never transmitted. Rather than sending the Secret Key in the request, it is instead used in combination with a hash function to generate a unique HMAC signature, which is then combined with the public ID, a nonce, and additional information. The server ultimately receives the request and generates its own HMAC and compares the two – if equal, the request is executed (this process is referred to as the “secret handshake”). Thus, the Secret Key is used in confirming authenticity and integrity of a request, but never transmitted in that request. For more information about HMAC, please visit this link.
How Does HMAC Authentication Affect Me?
HMAC provides significant security improvements when making API calls to Veracode. While more secure than basic authentication, additional steps are required to perform API calls using HMAC. Veracode does minimize and streamline the HMAC calculation to make this process simple and easy for users. In fact, there are several examples of HMAC authentication code or sample libraries available for your reference in the Veracode Help Center and on our Github page:
The McAfee mobile research team has found a new type of Android malware for the MoqHao phishing campaign (a.k.a. XLoader and Roaming Mantis) targeting Korean and Japanese users. A series of attack campaigns is still active, mainly targeting Japanese users. The new spyware has very different payloads from the existing MoqHao samples. However, we found evidence of a connection between the distribution method used for the existing campaign and this new spyware. All the spyware we found this time pretends to be security applications targeting users in Japan and Korea. We discovered a phishing page related to a DNS hijacking attack, designed to trick the user into installing the new spyware, which was distributed on the Google Play store.
Fake Japanese Security Apps Distributed on Google Play
We found two fake Japanese security applications. The package names are com.jshop.test and com.jptest.tools2019. These packages were distributed on the Google Play store. The number of downloads of these applications was very low. Fortunately, the spyware apps had been immediately removed from the Google Play store, and we acquired the malicious samples thanks to the Google Android Security team.