Daily Archives: September 3, 2019

‘Satori’ IoT Botnet Operator Pleads Guilty

A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.

Kenneth “Nexus-Zeta” Schuchman, in an undated photo.

Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors.

According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fiber-optic networking devices.

Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days).

Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems.

Schuchman and his accomplices gave new monikers to their IoT botnets with almost each new improvement, rechristening their creations with names including “Okiru,” and “Masuta,” and infecting up to 700,000 compromised systems.

The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard.

Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him.

Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.”

As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address nexuczeta1337@gmail.com. That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash.

People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity.

“Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains.

While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk.

Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

The investigation into Schuchman and his alleged co-conspirators is being run out of the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet.

It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000.

However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.”

Strong Customer Authentication: A Vehicle for PCI-DSS Compliance

Payment services that operate electronically should adopt technologies that guarantee the safe authentication of the user and reduce, to the maximum extent possible, the risk of fraud. In order to achieve this, the European Union in 2007 passed the Payment Services Directive (PSD). The aim of this legislation is to regulate payment services and payment […]

The post Strong Customer Authentication: A Vehicle for PCI-DSS Compliance appeared first on The State of Security.

5 Modern Skills for Modern CISOs

As the digital economy has grown and changed, cybersecurity has become an integral part of operating nearly any successful business. The Chief Information Security Officer (CISO) is at the forefront of the modern cybersecurity organization, and CISOs have to adapt to the changing times in front of them. It used to be that the path […]

The post 5 Modern Skills for Modern CISOs appeared first on The State of Security.

Spam In your Calendar? Here’s What to Do.

Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Here’s a brief primer on what you can do about it.

Image: Reddit

Over the past few weeks, a good number of readers have written in to say they feared their calendar app or email account was hacked after noticing a spammy event had been added to their calendars.

The truth is, all that a spammer needs to add an unwelcome appointment to your calendar is the email address tied to your calendar account. That’s because the calendar applications from Apple, Google and Microsoft are set by default to accept calendar invites from anyone.

Calendar invites from spammers run the gamut from ads for porn or pharmacy sites, to claims of an unexpected financial windfall or “free” items of value, to outright phishing attacks and malware lures. The important thing is that you don’t click on any links embedded in these appointments. And resist the temptation to respond to such invitations by selecting “yes,” “no,” or “maybe,” as doing so may only serve to guarantee you more calendar spam.

Fortunately, there are a few simple steps you can take that should help minimize this nuisance. To stop events from being automatically added to your Google calendar:

-Open the Calendar application, and click the gear icon to get to the Calendar Settings page.
-Under “Event Settings,” change the default setting to “No, only show invitations to which I have responded.”

To prevent events from automatically being added to your Microsoft Outlook calendar, click the gear icon in the upper right corner of Outlook to open the settings menu, and then scroll down and select “View all Outlook settings.” From there:

-Click “Calendar,” then “Events from email.”
-Change the default setting for each type of reservation settings to “Only show event summaries in email.”

For Apple calendar users, log in to your iCloud.com account, and select Calendar.

-Click the gear icon in the lower left corner of the Calendar application, and select “Preferences.”
-Click the “Advanced” tab at the top of the box that appears.
-Change the default setting to “Email to [your email here].”

Making these changes will mean that any events your email provider previously added to your calendar automatically by scanning your inbox for certain types of messages from common events — such as making hotel, dining, plane or train reservations, or paying recurring bills — may no longer be added for you. Spammy calendar invitations may still show up via email; in the event they do, make sure to mark the missives as spam.

Have you experienced a spike in calendar spam of late? Or maybe you have another suggestion for blocking it? If so, sound off in the comments below.

Cybercrime’s Most Wanted: Four Mobile Threats that Might Surprise You

It’s hard to imagine a world without cellphones. Whether it be a smartphone or a flip phone, these devices have truly shaped the late 20th century and will continue to do so for the foreseeable future. But while users have become accustomed to having almost everything they could ever want at their fingertips, cybercriminals were busy setting up shop. To trick unsuspecting users, cybercriminals have set up crafty mobile threats, some of which users may not even be fully aware of. These sneaky cyberthreats include SMSishing, fake networks, malicious apps, and grayware, which have all grown in sophistication over time. This means users need to be equipped with the know-how to navigate the choppy waters that come with these smartphone-related cyberthreats. Let’s get started.

Watch out for SMSishing Hooks

If you use email, then you are probably familiar with what phishing is. And while phishing is commonly executed through email and malicious links, there is a form of phishing that specifically targets mobile devices called SMSishing. This growing threat allows cybercriminals to utilize messaging apps to send unsuspecting users an SMSishing message. These messages serve one purpose – to obtain personal information, such as logins and financial information. With that information, cybercriminals could impersonate the user to access banking records or steal their identity.

While this threat was once a rarity, its rise in popularity is two-fold: users have been educated to distrust email messages, and mobile phone usage has grown throughout the world. Although this threat shows no sign of slowing down, there are ways to avoid a cybercriminal’s SMSishing hooks. Get started with these tips:

  1. Always double-check the message’s source. If you receive a text from your bank or credit card company, call the organization directly to ensure the message is legit.
  2. Delete potential SMSishing messages. Do not reply to or click on any links within a suspected malicious text, as that could lead to more SMSishing attempts bombarding your phone.
  3. Invest in comprehensive mobile security. Adding an extra level of security can not only help protect your device but can also notify you when a threat arises.

Public Wi-Fi Woes  

Public and free Wi-Fi is practically everywhere nowadays, with some destinations even having city-wide Wi-Fi set up. But the Wi-Fi networks users connect their mobile devices to may not be the most secure, given that cybercriminals can exploit weaknesses in these networks to intercept messages, login credentials, or other personal information. Beyond exploiting weaknesses, some cybercriminals take it a step further and create fake networks with generic names that trick unsuspecting users into connecting their devices. These networks are called “evil-twin” networks. To help spot these imposters, there are a few tricks the savvy user can deploy to prevent an evil twin network from wreaking havoc on their mobile device:

  1. Look for password-protected networks. As strange as it sounds, if you purposely enter the incorrect password but are still allowed access, the network is most likely a fraud.
  2. Pay attention to page load times. If the network you are using is very slow, it is more likely a cybercriminal is using an unreliable mobile hotspot to connect your mobile device to the web.
  3. Use a virtual private network or VPN. While you’re on-the-go and using public Wi-Fi, add an extra layer of security in the event you accidentally connect to a malicious network. VPNs can encrypt your online activity and keep it away from prying eyes. 

Malicious Apps: Fake It till They Make It

Fake apps have become a rampant problem for Android and iPhone users alike. This is largely due to malicious apps hiding in plain sight on legitimate sources, such as the Google Play Store and Apple’s App Store. After users download a fake app, cybercriminals deploy malware that operates in the background of the mobile device, which makes it difficult for users to realize anything is wrong. And while users think they’ve just downloaded another run-of-the-mill app, the malware is hard at work obtaining personal data.

In order to keep sensitive information out of the hands of cybercriminals, here are a few things users can look for when they need to determine whether an app is fact or fiction:

  1. Check for typos and poor grammar. Always check the app developer name, product title, and description for typos and grammatical errors. Often, malicious developers will spoof real developer IDs, even just by a single letter or number, to seem legitimate.
  2. Examine the download statistics. If you’re attempting to download a popular app, but it has a surprisingly low number of downloads, that is a good indicator that an app is most likely fake.
  3. Read the reviews. With malicious apps, user reviews are your friend. By reading a few, you can receive vital information that can help you determine whether the app is fake or not.

The Sly Operation of Grayware

With so many types of malware out in the world, it’s hard to keep track of them all. But there is one in particular that mobile device users need to be keenly aware of called grayware. As a coverall term for software or code that sits between normal and malicious, grayware comes in many forms, such as adware, spyware or madware. While adware and spyware can sometimes operate simultaneously on infected computers, madware — or adware on mobile devices — infiltrates smartphones by hiding within rogue apps. Once a mobile device is infected with madware from a malicious app, ads can infiltrate almost every aspect of a user’s phone. Madware isn’t just annoying; it is also a security and privacy risk, as some threats will try to obtain users’ data. To avoid the annoyance, as well as the cybersecurity risks of grayware, users can prepare their devices with these cautionary steps:

  1. Be sure to update your device. Grayware looks for vulnerabilities that can be exploited, so be sure to always keep your device’s software up-to-date.
  2. Beware of rogue apps. As mentioned in the previous section, fake apps are now a part of owning a smartphone. Use the tips in the above section to ensure you keep malicious apps off of your device that may contain grayware.
  3. Consider a comprehensive mobile security system. By adding an extra level of security, you can help protect your devices from threats, both old and new.

Can’t get enough mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post Cybercrime’s Most Wanted: Four Mobile Threats that Might Surprise You appeared first on McAfee Blogs.

This Week in Security News: Ransomware Campaigns Persist with WannaCry as Most Common

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how a total of 118 new ransomware families emerged in the first half of 2018, but only 47 new ones debuted in the first six months of this year, according to Trend Micro’s 2019 Mid-Year security report. Also, read on about how Trend Micro was once again named a Leader in Gartner’s 2019 Magic Quadrant.

Read on:

Trend Micro Named a Leader in 2019 Gartner Magic Quadrant for Endpoint Protection Platforms

Trend was named a Leader in Gartner, Inc.’s 2019 Magic Quadrant for Endpoint Protection Platforms in evaluation of its Apex One endpoint security solution. Trend has been named a Leader in every Gartner Magic Quadrant for this category since 2002.

Three Common Email Security Mistakes that MSPs Make

MSPs can generate recurring revenue by being proactive about educating customers about email threats and how to defeat them—if they avoid three common mistakes: failing to educate customers, placing too much faith on end-user training and leaving service revenue on the table.

WannaCry Remains No. 1 Ransomware Weapon

According to Trend Micro’s 2019 mid-year security report, WannaCry remains the most commonly detected ransomware by far: about 10 times as many machines were found targeted by WannaCry in the first half of this year than all other ransomware variants combined. Bill Malik, vice president of infrastructure strategies at Trend Micro, discusses the prevalence of this ransomware and how it works.

TA505 at it Again: Variety is the Spice of ServHelper and FlawedAmmyy

TA505 continues to show that they intend to wreak as much havoc as possible while maximizing potential profits. Just like in previous operations, this cybercriminal group continues to make small changes for each campaign, such as targeting other countries or entities, or changing the combination of techniques used for deployment.

‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information

Heatstroke demonstrates how far phishing techniques have evolved — from merely mimicking legitimate websites and using diversified social engineering tactics — with its use of more sophisticated techniques such as steganography. 

Hackers to Stress-Test Facebook Portal at Hacking Contest

Hackers will soon be able to stress-test the Facebook Portal at the annual Pwn2Own hacking contest, following the introduction of the social media giant’s debut hardware device last year. Introducing the Facebook Portal is part of a push by Trend Micro’s Zero Day Initiative, which runs the contest, to expand the range of home automation devices available to researchers in attendance.

Fortnite Players Targeted by Ransomware via Fake Cheat Tool

An open-source ransomware variant called “Syrk,” based on the source code of the Hidden-Cry ransomware, was found pretending to be a cheat tool that improves the accuracy of a player’s aim and provides visibility over other players’ location on the map. Upon infection, a ransom note will demand payment from victims in exchange for a decryption password.

Cybercriminal Group Silence Has Reportedly Stolen US$4.2 Million from Banks So Far

Contrary to their moniker, the Silence cybercriminal group has been reported to be actively targeting banks and financial institutions in more than 30 countries. Silence reportedly stole US$4.2 million from June 2016 to August 2019. 

US Cyberattack Damaged Iran’s Ability to Target Oil Tankers, Report Says

A database used by Iran’s paramilitary arm to devise attacks against oil tankers was wiped out by a US cyberattack in June, temporarily reducing Tehran’s means of targeting Persian Gulf shipping traffic.

Nemty Ransomware Possibly Spreads through Exposed Remote Desktop Connections

A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.

Abuse of WS-Discovery Protocol Can Lead to Large-Scale DDoS Attacks

Security researchers have discovered that attackers can abuse the Web Services Dynamic Discovery (WS-Discovery) protocol to launch massive distributed denial of service (DDoS) campaigns. These researchers have issued a warning after seeing cybercriminals abuse the WS-Discovery protocol in different DDoS campaigns over the past few months.

Phishing Attack Tricks Instagram Users via Fake 2-Factor Authentication

Although 2FA remains a valid and highly useful tool, Instagram users should not be complacent and rely on it alone, especially when fake 2FA notifications can be used for malicious purposes. In this blog, Trend Micro recommends some best practices users can combine with their existing security tools to help protect against phishing.

Q&A: In a Cloud-Connected World, Cybersecurity is Key

Cloud computing is becoming a critical tool for business, in terms of storing and assessing data. With the increased use of the cloud comes greater security risks. Mark Nunnikhoven, vice president of cloud research at Trend Micro, assesses the solutions.

Will you be following Trend’s best protection practices when playing Fortnite or using Instagram? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


How to Hack Hardware using UART

Raymond Felch // Preface: I began my exploration of reverse-engineering firmware a few weeks back (see “JTAG – Micro-Controller Debugging“), and although I made considerable progress finding and identifying the JTAG (Joint Test Action Group) pins on my target board (Samsung S3C4510 CPU) Linksys BEFSR41 router, there were complications. I ran into a number of […]

The post How to Hack Hardware using UART appeared first on Black Hills Information Security.

SharPersist: Windows Persistence Toolkit in C#


PowerShell has been used by the offensive community for several years now but recent advances in the defensive security industry are causing offensive toolkits to migrate from PowerShell to reflective C# to evade modern security products. Some of these advancements include Script Block Logging, Antimalware Scripting Interface (AMSI), and the development of signatures for malicious PowerShell activity by third-party security vendors. Several public C# toolkits such as Seatbelt, SharpUp and SharpView have been released to assist with tasks in various phases of the attack lifecycle. One phase of the attack lifecycle that has been missing a C# toolkit is persistence. This post will talk about a new Windows Persistence Toolkit created by FireEye Mandiant’s Red Team called SharPersist.

Windows Persistence

During a Red Team engagement, a lot of time and effort is spent gaining initial access to an organization, so it is vital that the access is maintained in a reliable manner. Therefore, persistence is a key component in the attack lifecycle, shown in Figure 1.

Figure 1: FireEye Attack Lifecycle Diagram

Once an attacker establishes persistence on a system, the attacker will have continual access to the system after any power loss, reboots, or network interference. This allows an attacker to lay dormant on a network for extended periods of time, whether it be weeks, months, or even years. There are two key components of establishing persistence: the persistence implant and the persistence trigger, shown in Figure 2. The persistence implant is the malicious payload, such as an executable (EXE), HTML Application (HTA), dynamic link library (DLL), or some other form of code execution. The persistence trigger is what will cause the payload to execute, such as a scheduled task or Windows service. There are several known persistence triggers that can be used on Windows, such as Windows services, scheduled tasks, registry, and startup folder, and there continues to be more discovered. For a more thorough list, see the MITRE ATT&CK persistence page.

Figure 2: Persistence equation

SharPersist Overview

SharPersist was created in order to assist with establishing persistence on Windows operating systems using a multitude of different techniques. It is a command line tool written in C# which can be reflectively loaded with Cobalt Strike’s “execute-assembly” functionality or any other framework that supports the reflective loading of .NET assemblies. SharPersist was designed to be modular to allow new persistence techniques to be added in the future. There are also several items related to tradecraft that have been built into the tool and its supported persistence techniques, such as file time stomping and running applications minimized or hidden.

SharPersist and all associated usage documentation can be found at the SharPersist FireEye GitHub page.

SharPersist Persistence Techniques

There are several persistence techniques that are supported in SharPersist at the time of this blog post. A full list of these techniques and their required privileges is shown in Figure 3.



Technique                  Description
KeePass                    Backdoor KeePass configuration file
New Scheduled Task         Creates new scheduled task
New Windows Service        Creates new Windows service
Registry                   Registry key/value creation/modification
Scheduled Task Backdoor    Backdoors existing scheduled task with additional action
Startup Folder             Creates LNK file in user startup folder
Tortoise SVN               Creates Tortoise SVN hook script

Figure 3: Table of supported persistence techniques (the full table also gives, for each technique, its switch name (-t), whether admin privileges are required, whether it touches the registry, and whether it adds or modifies files on disk)

SharPersist Examples

On the SharPersist GitHub, there is full documentation on usage and examples for each persistence technique. A few of the techniques will be highlighted below.

Registry Persistence

The first technique that will be highlighted is the registry persistence. A full listing of the supported registry keys in SharPersist is shown in Figure 4.

Figure 4: Supported registry keys table (columns: Registry Key Code (-k), Registry Key, Registry Value, Admin Privileges Required?, Supports Env Optional Add-On (-o env)?). Among the listed keys is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; for several of the entries the registry value is user supplied.

In the following example, we will be performing a validation of our arguments and then will add registry persistence. Performing a validation before adding the persistence is a best practice, as it will make sure that you have the correct arguments, and other safety checks before actually adding the respective persistence technique. The example shown in Figure 5 creates a registry value named “Test” with the value “cmd.exe /c calc.exe” in the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key.

Figure 5: Adding registry persistence

Once the persistence needs to be removed, it can be removed using the “-m remove” argument, as shown in Figure 6. We are removing the “Test” registry value that was created previously, and then we are listing all registry values in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” to validate that it was removed.

Figure 6: Removing registry persistence

Startup Folder Persistence

The second persistence technique that will be highlighted is the startup folder persistence technique. In this example, we are creating an LNK file called “Test.lnk” that will be placed in the current user’s startup folder and will execute “cmd.exe /c calc.exe”, shown in Figure 7.

Figure 7: Performing dry-run and adding startup folder persistence

The startup folder persistence can then be removed, again using the “-m remove” argument, as shown in Figure 8. This will remove the LNK file from the current user’s startup folder.

Figure 8: Removing startup folder persistence

Scheduled Task Backdoor Persistence

The last technique highlighted here is the scheduled task backdoor persistence. Scheduled tasks can be configured to execute multiple actions at a time, and this technique will backdoor an existing scheduled task by adding an additional action. The first thing we need to do is look for a scheduled task to backdoor. In this case, we will be looking for scheduled tasks that run at logon, as shown in Figure 9.

Figure 9: Listing scheduled tasks that run at logon

Once we have a scheduled task that we want to backdoor, we can perform a dry run to ensure the command will successfully work and then actually execute the command as shown in Figure 10.

Figure 10: Performing dry run and adding scheduled task backdoor persistence

As you can see in Figure 11, the scheduled task is now backdoored with our malicious action.

Figure 11: Listing backdoored scheduled task

A backdoored scheduled task action used for persistence can be removed as shown in Figure 12.

Figure 12: Removing backdoored scheduled task action
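The three techniques walked through above (a value in the HKCU Run key, an LNK in the user's startup folder, and an extra action bolted onto an existing scheduled task) are exactly the places a defender should be able to enumerate on demand. The following PowerShell audit is an added example written for this page; it is not part of SharPersist or the FireEye post. It assumes Windows PowerShell 5.1 or later with the ScheduledTasks module, and it only reads: it lists Run/RunOnce values, resolves startup-folder LNK targets, and flags any scheduled task that carries more than one action, which is the signature of the scheduled task backdoor technique.

```powershell
# Added example (not SharPersist code): read-only audit of the three
# persistence locations discussed above. Assumes Windows PowerShell 5.1+
# with the ScheduledTasks module available.

# Provider metadata that Get-ItemProperty attaches to every key; not real values.
$PSMetadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntries {
    # Every value under the per-user and machine-wide Run/RunOnce keys.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($PSMetadata -contains $prop.Name) { continue }
            [pscustomobject]@{
                Location = $key
                Name     = $prop.Name
                Command  = $prop.Value
            }
        }
    }
}

function Get-StartupFolderEntries {
    # Files in the per-user and all-users startup folders; LNK targets are
    # resolved so the report shows the command that will actually run.
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path -Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -Force) {
            $command = $null
            if ($file.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($file.FullName)
                $command = ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments).Trim()
            }
            [pscustomobject]@{
                Location = $folder
                Name     = $file.Name
                Command  = $command
                Created  = $file.CreationTime
                Modified = $file.LastWriteTime
            }
        }
    }
}

function Get-MultiActionTasks {
    # A task carrying more than one action is the tell-tale of the scheduled
    # task backdoor technique; each action is listed so reviewers see both.
    foreach ($task in Get-ScheduledTask) {
        if (@($task.Actions).Count -le 1) { continue }
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}

Get-RunKeyEntries        | Format-Table -AutoSize
Get-StartupFolderEntries | Format-Table -AutoSize
Get-MultiActionTasks     | Format-Table -AutoSize
```

Run it from an elevated session to see every task and HKLM value rather than only those the current user can read. The startup-folder report deliberately includes the Created and Modified times: because SharPersist supports file time stomping, those timestamps should be treated as one signal to cross-check against other evidence (event logs, backups, baselines) rather than as proof of when a LNK appeared.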


Using reflective C# to assist in various phases of the attack lifecycle is a necessity in the offensive community and persistence is no exception. Windows provides multiple techniques for persistence and there will continue to be more discovered and used by security professionals and adversaries alike.

This tool is intended to aid security professionals in the persistence phase of the attack lifecycle. By releasing SharPersist, we at FireEye Mandiant hope to bring awareness to the various persistence techniques that are available in Windows and the ability to use these persistence techniques with C# rather than PowerShell.

Deep learning rises: New methods for detecting malicious PowerShell

Scientific and technological advancements in deep learning, a category of algorithms within the larger framework of machine learning, provide new opportunities for development of state-of-the art protection technologies. Deep learning methods are impressively outperforming traditional methods on such tasks as image and text classification. With these developments, there’s great potential for building novel threat detection methods using deep learning.

Machine learning algorithms work with numbers, so objects like images, documents, or emails are converted into numerical form through a step called feature engineering, which, in traditional machine learning methods, requires a significant amount of human effort. With deep learning, algorithms can operate on relatively raw data and extract features without human intervention.

At Microsoft, we make significant investments in pioneering machine learning that inform our security solutions with actionable knowledge through data, helping deliver intelligent, accurate, and real-time protection against a wide range of threats. In this blog, we present an example of a deep learning technique that was initially developed for natural language processing (NLP) and now adopted and applied to expand our coverage of detecting malicious PowerShell scripts, which continue to be a critical attack vector. These deep learning-based detections add to the industry-leading endpoint detection and response capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

Word embedding in natural language processing

Keeping in mind that our goal is to classify PowerShell scripts, we briefly look at how text classification is approached in the domain of natural language processing. An important step is to convert words to vectors (tuples of numbers) that can be consumed by machine learning algorithms. A basic approach, known as one-hot encoding, first assigns a unique integer to each word in the vocabulary, then represents each word as a vector of 0s, with 1 at the integer index corresponding to that word. Although useful in many cases, the one-hot encoding has significant flaws. A major issue is that all words are equidistant from each other, and semantic relations between words are not reflected in geometric relations between the corresponding vectors.

Contextual embedding is a more recent approach that overcomes these limitations by learning compact representations of words from data under the assumption that words that frequently appear in similar context tend to bear similar meaning. The embedding is trained on large textual datasets like Wikipedia. The Word2vec algorithm, an implementation of this technique, is famous not only for translating semantic similarity of words to geometric similarity of vectors, but also for preserving polarity relations between words. For example, in Word2vec representation:

Madrid – Spain + Italy ≈ Rome

Embedding of PowerShell scripts

Since training a good embedding requires a significant amount of data, we used a large and diverse corpus of 386K distinct unlabeled PowerShell scripts. The Word2vec algorithm, which is typically used with human languages, provides similarly meaningful results when applied to the PowerShell language. To accomplish this, we split the PowerShell scripts into tokens, which then allowed us to use the Word2vec algorithm to assign a vectorial representation to each token.

Figure 1 shows a 2-dimensional visualization of the vector representations of 5,000 randomly selected tokens, with some tokens of interest highlighted. Note how semantically similar tokens are placed near each other. For example, the vectors representing -eq, -ne and -gt, which in PowerShell are aliases for “equal”, “not-equal” and “greater-than”, respectively, are clustered together. Similarly, the vectors representing the allSigned, remoteSigned, bypass, and unrestricted tokens, all of which are valid values for the execution policy setting in PowerShell, are clustered together.

Figure 1. 2D visualization of 5,000 tokens using Word2vec

Examining the vector representations of the tokens, we found a few additional interesting relationships.

Token similarity: Using the Word2vec representation of tokens, we can identify commands in PowerShell that have an alias. In many cases, the token closest to a given command is its alias. For example, the representations of the token Invoke-Expression and its alias IEX are closest to each other. Two additional examples of this phenomenon are the Invoke-WebRequest and its alias IWR, and the Get-ChildItem command and its alias GCI.

We also measured distances within sets of several tokens. Consider, for example, the four tokens $i, $j, $k and $true (see the right side of Figure 2). The first three are usually used to represent a numeric variable, and the last naturally represents a Boolean constant. As expected, the $true token stood apart from the others: it was the farthest (using the Euclidean distance) from the center of mass of the group.

More specific to the semantics of PowerShell in cybersecurity, we checked the representations of the tokens: bypass, normal, minimized, maximized, and hidden (see the left side of Figure 2). While the first token is a legal value for the ExecutionPolicy flag in PowerShell, the rest are legal values for the WindowStyle flag. As expected, the vector representation of bypass was the farthest from the center of mass of the vectors representing all other four tokens.

Figure 2. 3D visualization of selected tokens

Linear Relationships: Since Word2vec preserves linear relationships, computing linear combinations of the vectorial representations results in semantically meaningful results. Below are a few interesting relationships we found:

high – $false + $true ≈ low
-eq – $false + $true ≈ -neq
DownloadFile – $destfile + $str ≈ DownloadString
Export-CSV – $csv + $html ≈ ConvertTo-html
Get-Process – $processes + $services ≈ Get-Service

In each of the above expressions, the sign ≈ signifies that the vector on the right side is the closest (among all the vectors representing tokens in the vocabulary) to the vector that is the result of the computation on the left side.
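As an added example (not code from the post), the block below implements a small PowerShell tokenizer and a count-based co-occurrence embedding over a constructed corpus, then reproduces two of the checks described above: the nearest-token lookup and the farthest-from-centre-of-mass outlier test. The post's own vectors come from Word2vec trained on 386K scripts; a co-occurrence vector is a simpler stand-in for "tokens seen in similar contexts get similar vectors", and the analogy arithmetic (which needs a trained embedding) is not attempted here. The regex and corpus are assumptions of this example.

```python
import math
import re
from collections import Counter, defaultdict

# Assumed tokenizer (not the post's): one alternative per PowerShell token class.
TOKEN_RE = re.compile(r"""
    \$\w+                   # variables and automatic constants: $i, $true
  | -[A-Za-z]+              # operators and parameter names: -eq, -WindowStyle
  | [A-Za-z_][\w-]*         # cmdlets, aliases, keywords, values: Invoke-Expression, IEX, bypass
  | "[^"]*" | '[^']*'       # string literals kept whole
  | \d+                     # numbers
  | [{}()\[\];|=,.+]        # punctuation
""", re.VERBOSE)


def tokenize(script: str) -> list:
    # PowerShell is case-insensitive, so fold case before counting contexts
    return [t.lower() for t in TOKEN_RE.findall(script)]


def build_embedding(scripts, window=2) -> dict:
    """Count-based embedding: vec[tok][ctx] is how often ctx occurs within `window`
    positions of tok. Each script is its own sequence, so contexts never cross scripts."""
    vectors = defaultdict(Counter)
    for script in scripts:
        toks = tokenize(script)
        for i, tok in enumerate(toks):
            for j in range(max(0, i - window), min(len(toks), i + window + 1)):
                if j != i:
                    vectors[tok][toks[j]] += 1
    return dict(vectors)


def cosine(u: Counter, v: Counter) -> float:
    dot = sum(u[k] * v.get(k, 0) for k in u)
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def nearest(vectors: dict, token: str, k: int = 3) -> list:
    """The post's token-similarity check: the k tokens closest to `token` by cosine."""
    query = vectors[token]
    scored = [(cosine(query, vec), other) for other, vec in vectors.items() if other != token]
    scored.sort(key=lambda s: (-s[0], s[1]))        # best first, ties broken alphabetically
    return [(other, round(sim, 3)) for sim, other in scored[:k]]


def outlier(vectors: dict, tokens: list) -> str:
    """The post's centre-of-mass check: the member farthest (Euclidean distance)
    from the mean vector of the group."""
    keys = set().union(*(vectors[t] for t in tokens))
    centre = {k: sum(vectors[t].get(k, 0) for t in tokens) / len(tokens) for k in keys}

    def distance(t):
        return math.sqrt(sum((vectors[t].get(k, 0) - centre[k]) ** 2 for k in keys))

    return max(tokens, key=distance)


# Constructed corpus standing in for the post's 386K scripts: operators, aliases and
# execution-policy / window-style values appear in the slots they normally occupy.
CORPUS = [
    "if ($count -eq 5) { Write-Output $count }",
    "if ($count -ne 5) { Write-Output $count }",
    "if ($count -gt 5) { Write-Output $count }",
    "$i = 0",
    "$j = 0",
    "$k = 0",
    "$ready = $true",
    "Start-Process powershell -WindowStyle normal -File run.ps1",
    "Start-Process powershell -WindowStyle minimized -File run.ps1",
    "Start-Process powershell -WindowStyle maximized -File run.ps1",
    "Start-Process powershell -WindowStyle hidden -File run.ps1",
    "Start-Process powershell -ExecutionPolicy bypass -File run.ps1",
    "Start-Process powershell -ExecutionPolicy allSigned -File run.ps1",
    "Start-Process powershell -ExecutionPolicy remoteSigned -File run.ps1",
    "Start-Process powershell -ExecutionPolicy unrestricted -File run.ps1",
    "Invoke-Expression $cmd",
    "IEX $cmd",
]

EMBEDDING = build_embedding(CORPUS)

if __name__ == "__main__":
    print("closest to -eq:", nearest(EMBEDDING, "-eq", 2))
    print("closest to IEX:", nearest(EMBEDDING, "iex", 1))
    print("odd one out:", outlier(EMBEDDING, ["$i", "$j", "$k", "$true"]))
    print("odd one out:", outlier(EMBEDDING, ["bypass", "normal", "minimized", "maximized", "hidden"]))
```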

Detection of malicious PowerShell scripts with deep learning

We used the Word2vec embedding of the PowerShell language presented in the previous section to train deep learning models capable of detecting malicious PowerShell scripts. The classification model is trained and validated using a large dataset of PowerShell scripts that are labeled “clean” or “malicious,” while the embeddings are trained on unlabeled data. The flow is presented in Figure 3.

Figure 3. High-level overview of our model generation process

Using GPU computing in Microsoft Azure, we experimented with a variety of deep learning and traditional ML models. The best performing deep learning model increases the coverage (for a fixed low FP rate of 0.1%) by 22 percentage points compared to traditional ML models. This model, presented in Figure 4, combines several deep learning building blocks such as Convolutional Neural Networks (CNNs) and Long Short-Term Memory Recurrent Neural Networks (LSTM-RNN). Neural networks are ML algorithms inspired by biological neural systems like the human brain. In addition to the pretrained embedding described here, the model is provided with character-level embedding of the script.

Figure 4. Network architecture of the best performing model

Real-world application of deep learning to detecting malicious PowerShell

The best performing deep learning model is applied at scale using Microsoft ML.Net technology and ONNX format for deep neural networks to the PowerShell scripts observed by Microsoft Defender ATP through the AMSI interface. This model augments the suite of ML models and heuristics used by Microsoft Defender ATP to protect against malicious usage of scripting languages.

Since its first deployment, this deep learning model detected with high precision many cases of malicious and red team PowerShell activities, some undiscovered by other methods. The signal obtained through PowerShell is combined with a wide range of ML models and signals of Microsoft Defender ATP to detect cyberattacks.

The following are examples of malicious PowerShell scripts that deep learning can confidently detect but can be challenging for other detection methods:

Figure 5. Heavily obfuscated malicious script

Figure 6. Obfuscated script that downloads and runs payload

Figure 7. Script that decrypts and executes malicious code

Enhancing Microsoft Defender ATP with deep learning

Deep learning methods significantly improve detection of threats. In this blog, we discussed a concrete application of deep learning to a particularly evasive class of threats: malicious PowerShell scripts. We have and will continue to develop deep learning-based protections across multiple capabilities in Microsoft Defender ATP.

Development and productization of deep learning systems for cyber defense require large volumes of data, computations, resources, and engineering effort. Microsoft Defender ATP combines data collected from millions of endpoints with Microsoft computational resources and algorithms to provide industry-leading protection against attacks.

Stronger detection of malicious PowerShell scripts and other threats on endpoints using deep learning mean richer and better-informed security through Microsoft Threat Protection, which provides comprehensive security for identities, endpoints, email and data, apps, and infrastructure.


Shay Kels and Amir Rubin
Microsoft Defender ATP team


The post Deep learning rises: New methods for detecting malicious PowerShell appeared first on Microsoft Security.

Tips for Kicking Off Your Veracode Security Program Manager Relationship

If you’re a Veracode customer, there’s a good chance that you’ve heard of – or maybe even work with – a Veracode security program manager (SPM). For those of you who might not know, SPMs help you define the goals of your application security program, onboard your team, answer any questions about Veracode products, and work with your teams to ensure that your program stays on track and continues to mature.

If you’re just kicking off your relationship with your program manager, you might be wondering what to expect on your initial calls, and how you can make the most out of the time you spend interacting with each other. Here are a few things you should keep in mind:

How are you developing software?

To realize the value of your investment, we need to understand how your development process works. Right off the bat, your security program manager will want to talk about your existing tech stack (aka – the technology you’re currently using to make your software). There’s a good chance that your organization could be in a different place at the time of your kickoff call compared to where it was when your sales cycle closed. Yes, your account executive will tell your program manager all that he or she knows about your status at the time of closing, but in case anything does change, it’s better to hear everything straight from the horse’s mouth. Helping us understand the size of your software footprint is also key – are you licensed for 10 apps, but have a total of 300, or 3,000? How are they governed from a development and security standpoint? Having everyone on the same page on these basics is a good first step towards maturing your AppSec program.

Who are the key players?

You should also have a clear idea of what your organizational layout is, as well as who the key players are on the development and security sides. Your SPM will know who your key players are, but they likely won’t have met them and interacted with them as much as the account executive has. In addition, if your sales cycle has been particularly long, it’s possible the key players have changed. Be prepared to fill your security program manager in on everyone who has a stake in your AppSec program on the development AND security sides of your organization. Additionally, if there’s any turnover within your company down the line, knowing everyone who’s involved will ensure that SPMs have multiple stakeholders with program context who they can go to in order to keep momentum.

SPMs will also want to know the informal structure of your organization, or the “politics.” It can be helpful to know if your development and security teams are on the same page when it comes to the priority level of AppSec, or if they get along at all! The more insight your SPM has into your organization, the better prepared you can be – as a team – to work together moving forward.

Align your goals and expectations appropriately

Often, the goals that customers set up with Veracode and the goals within their own organizations tend to be two different things. Establish a list of realistic goals, and be prepared to take incremental steps to get there. Rome wasn’t built in a day, and neither is a fully mature application security program.

Once you have your manageable goals, establish who is responsible for each one, and how they’re going to be held accountable for meeting each goal. You’ll need to establish clear channels of communication and accountability internally – for example, when you’re coming up with a plan to remediate flaws, engage development and product management as soon as you have flaw scopes. Make sure that the amount of remediation you’re targeting is realistic for the desired deadline, and let development know about the remediation resources available in the Veracode platform and in the Services organization in case they get stuck. Your SPM can absolutely help you have that conversation!

When it comes to expectations, have an understanding of the driver behind why Veracode was purchased. In some cases, your buyer might not communicate the driving factor to the person running the program – maybe you! Regardless of which end you’re on, make sure that your internal plan is well-communicated with everyone who’s involved across the organization.

At the end of the day, we want you to be successful in your application security journey. By keeping these tips in mind, you’re already one step closer to success. You can find out more by talking to other Veracode customers about how they’ve found success with their application security programs in the Veracode Community.

Writing Your First Bootloader for Better Analyses

From time to time we come across malware that stores itself in the MBR and runs during the boot process. Attackers can use this neat technique to infect and mess up your disk, eventually asking for a ransom before restoring the original disk configuration (Petya was just one of the most infamous boot ransomware families). But this is only the already known scenario; a huge range of possibilities remains open to an attacker who has physical access to your disk and can write whatever he desires to it. For this reason I believe it is interesting to understand how the MBR works and how to write a boot loader program; this skill will help you during the analysis of your next boot loader malware.

How does the PC boot process work?

Actually the boot process is quite simple. When you press the power button you provide power to every chip that needs it. Once the BIOS receives power it starts by running its own stored code, and when it finishes its initialization routines it looks for bootable devices. A bootable device is a physically connected device that has 512 bytes of code at its beginning, with the boot magic number 0x55AA as the last 2 bytes. If the BIOS finds 510 bytes followed by 0x55AA, it copies those 510 bytes into RAM (at address 0x7c00) and assumes they are executable. This code is the so-called bootloader. Just a side note: the bootloader must be written as 16-bit code, since x86-compatible CPUs start in "real mode", with its limited instruction set.

Used tools

I am used to writing and reading assembly in Intel syntax (it's the one I learned during my studies), but today I'd like to use the GNU Assembler (assembler and linker), which implements AT&T syntax. It is quite different from the Intel one, but it works just fine for the simple code we are going to write. The first tool we are going to use is as, the GNU assembler, which takes an assembly file as input and returns its binary representation: as -o boot.o boot.asm is what we are looking for. After the assembler we need a linker (the GNU linker is called ld). We need to tell the linker that we want a plain binary file without linked libraries or linked symbols, and for that reason we use --oformat binary. We also need to tell the linker where the code starts (-e main). We add the parameter -Ttext 0x7c00 so that, regardless of how the code is laid out in the 16-bit address space, the linker maps the main function at that address, which we know is where the BIOS loads and runs bootloaders. Assuming our code is named boot.asm and our entry point is labelled 'main', we can use the following command: ld -o boot.bin --oformat binary -e main -Ttext 0x7c00 boot.o. To run the compiled code I've simply used qemu in the following way: qemu-system-x86_64 boot.bin

The Code

The following code runs at boot, showing three strings and a real-time clock progression. The code was developed as a demo, without caring about performance or optimization; I am sure it could be optimized and beautified, but that is not the point of this post.

Since the BIOS is in nearby memory, we can use the whole set of BIOS services, as described here. The interrupts used by the demo bootloader are the following:
1. Int_10,02 for setting up the screen size
2. int_10,07 for clearing the screen of BIOS output
3. int_12a,02 for setting cursor positions
4. int_1a,02 for reading the clock status
5. int_10,0e for writing a character to the screen

The boot source code is explained next.

Even if the code is self-describing, let's dig a little into its structure. The first two lines:
1] .code16
2] .global main
say that the code is written in 16-bit mode and that the exported (exposed) function is the one labelled 'main' (the linker needs it in order to set up the original entry point at the proper address).
The last two lines:
112] .fill 510-(.-init), 1, 0
113] .word 0xaa55
say that the code is bootable. Line 113 holds the magic number in little-endian byte order, while line 112 is the fill directive, interpreted by the assembler, which pads any remaining bytes with zeros up to 510 bytes (512 with the magic word) so that the MBR structure is preserved.

The entire code uses the %cx register to hold the current state. For example, %cx is 0x0000 if msg is being printed, 0x0001 if msg2 is being printed, 0x0002 if msg3 is being printed, and 0x0003 if we want to start the clock-printing loop. The handy lodsb instruction is used to iterate over the characters of a string (for more details here) in order to print them to the screen until the null byte (\0).
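To make the sector layout concrete, here is an added Python helper (not the post's code) that builds a boot-sector image the way the assembler directives do and inspects one pulled from a disk: it checks the 0x55AA magic at offset 510, strips the padding from the code region, decodes the partition table (standard MBR layout at offset 446, which the post does not cover) and diffs a sector against a trusted copy. The two-byte `jmp .` loop used as boot code is constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_SIZE = 510            # `.fill 510-(.-init), 1, 0` pads the code up to here
BOOT_MAGIC = 0xAA55        # `.word 0xaa55`, stored little-endian as bytes 55 AA
LOAD_ADDRESS = 0x7C00      # where the BIOS copies the sector and jumps (the -Ttext value)
PARTITION_TABLE = 446      # standard MBR partition-table offset (general MBR layout,
                           # not something the post covers)


def build_boot_sector(code: bytes) -> bytes:
    """Do what the two closing directives do: pad to 510 bytes, append the magic."""
    if len(code) > CODE_SIZE:
        raise ValueError(f"boot code is {len(code)} bytes, only {CODE_SIZE} fit")
    return code + b"\x00" * (CODE_SIZE - len(code)) + struct.pack("<H", BOOT_MAGIC)


def is_bootable(sector: bytes) -> bool:
    """The BIOS test: 512 bytes whose last two bytes are 55 AA (0xAA55 little-endian)."""
    return (len(sector) == SECTOR_SIZE
            and struct.unpack_from("<H", sector, CODE_SIZE)[0] == BOOT_MAGIC)


def bootstrap_code(sector: bytes) -> bytes:
    """Bytes the BIOS executes at 0x7C00, with the zero padding stripped."""
    return sector[:CODE_SIZE].rstrip(b"\x00")


def partition_entries(sector: bytes) -> list:
    """Decode the four 16-byte partition entries (status, type, LBA start, sector count)."""
    entries = []
    for n in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PARTITION_TABLE + 16 * n)
        if ptype:                     # type 0 means the slot is unused
            entries.append({"index": n, "active": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def changed_ranges(known_good: bytes, current: bytes) -> list:
    """Offsets where a current MBR differs from a trusted copy, as (start, end) pairs;
    boot-sector malware of the Petya kind overwrites the code region."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(known_good, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(current)))
    return ranges


def inspect(sector: bytes) -> dict:
    """Summary an analyst wants before disassembling the code region."""
    return {
        "bootable": is_bootable(sector),
        "entry_point": hex(LOAD_ADDRESS),
        "code_bytes": len(bootstrap_code(sector)),
        "sha256_of_code_region": hashlib.sha256(sector[:CODE_SIZE]).hexdigest(),
        "partitions": partition_entries(sector),
    }


# Constructed boot code: `jmp .` (EB FE), the smallest valid 16-bit boot program.
HANG_LOOP = b"\xeb\xfe"

if __name__ == "__main__":
    image = build_boot_sector(HANG_LOOP)
    print(inspect(image))
```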

Running the boot image


  1. David Jurgens: Help PC Reference Library
  2. AshakiranBhatter: Writing BootLoader

Best Mobile Antivirus Guide – What You Should Know About Mobile Security App?

Nowadays the mobile phone industry grows every year and uses ever more advanced technology, applications, and features. Even so, it remains prone to hacking, malware and even scams, which many people should be aware of. That is mainly because hackers and scammers target millions of mobile users as potential victims.

That is why it is highly recommended to look for the best mobile antivirus and install it on your mobile phone for security and protection. There are lots of software applications that could be perfect for your mobile phone and are applicable to tablets or laptops too. You can find free and paid antivirus apps for your mobile security. You can find out more if you continue reading.

Why should you install a mobile security app?

Since smartphones have Internet access, they are open to any kind of hacking, viruses, and malware if you are not fully aware of how to protect or secure them.

If not secured with a mobile protection app, your smartphones, tablets and even laptops could be accessible to hackers and scammers. The results could be an annoyance and a hassle for you: all your information could be deleted, your accounts hacked, your data breached, and worst of all you could be scammed. Of course, you do not want this to happen to you.

Thus, it is highly recommended to always keep your smartphones or tablets updated with the most recent software. This helps fix and repair the system of your mobile phone as well as upgrade the old system into a more advanced and secure one.

Always back up your important information such as videos, photos, files, etc. I have also given an example of the built-in security protection for Apple iOS and Google Android smartphones below.

Do you need mobile antivirus for your Android?

Yes, you will need one, either a free or a paid antivirus app, to keep your Android devices secure and protected from viruses and malware.

Even though Google Play Protect is the best feature for keeping your mobile phone virus-free, it is still highly recommended to have the best mobile protection app for your Android. Google Play Protect is a security center from which you can easily download legitimate and compatible applications for your smartphone.

It does not support apps that are not trusted or not compatible with its software. This is convenient because it works automatically without requiring users to switch it on or off. Although Google Play Protect was designed for protection on Android, some users have still experienced slow detection of malware and viruses on their smartphones.

Do you also need a mobile security app for your Apple iOS?

Apple iOS is more impenetrable compared to Android devices. That is because of the built-in security protection of iOS, which is implemented and administered by Apple. It offers a more locked-down environment compared to Android mobile phones. Also, all of its software applications come from Apple's App Store, where the apps have first been checked for the security of its users.

Using an iPhone protection app, free or paid, on Apple iOS is not highly recommended, but your iPhone should be updated with the latest software or app updates. Also, you need to be aware of some scams online, such as entering fake e-commerce or shopping websites that only use your information to scam your accounts.

Which mobile security brands are best for your mobile phones?

If you are looking for the best mobile security app brand, you should also consider checking out the big brands of PC antivirus software. They offer mobile security apps just like their PC security protection software. Examples of the big security software brands are Bitdefender, Avast, McAfee, Norton, Trend Micro and Kaspersky. There are also offers from less popular mobile security brands such as 360 Security, Lookout, and Webroot.

Usually, these brands offer paid or premium security software packages priced from £5 up to £50. You can also choose to try the free antivirus security they offer. Brands such as Webroot Security Free, Avira Antivirus Security 2018, Norton Security and Antivirus, Bitdefender Antivirus Free, and Sophos Mobile Security usually offer free mobile security packages.

But if you are looking for the best and extra protection for your mobile phone, go for the paid packages, because you will surely be protected by their specific features. You can always choose to try free mobile protection apps for your mobile phone. At least you will have a free installed antivirus that reminds you not to get involved with a website because malware has been found on it.

Do you need to choose the paid mobile security package?

The answer depends on you. If you think your Android or Apple mobile devices are too important or too valuable for you, then choosing the paid mobile protection app is surely your choice. Paid or premium packages offer more security features compared to free packages. Usually, they come with more useful and helpful features such as cloud-based or online backups of your important information and even features for dealing with stolen mobile devices.

Free mobile security apps from popular software brands such as Avast, BitDefender, McAfee, Lookout, and AVG offer great basic features that are useful to users. If you are just looking for protection against malware, these free antivirus apps perform great because they offer basic tools to detect malware sites. You only need to know that these free antivirus apps have limitations on time and features. Thus, in case you are not happy with their service, you can always check the paid or premium packages they offer.

You can always find different user reviews online for the best free and paid mobile software apps.

So, what are the different mobile antivirus features that premium apps offer?

Here are some examples of the best features that you will surely find useful for your mobile security and protection:

Anti-phishing – detects unreliable websites and prevents you from accessing them because they might harm your device or breach data.

App lock – provides a password lock that protects your mobile device from its different users.

Backup – backs up your files and other important information by saving them to cloud storage or to your mobile device. Usually this backup runs on a schedule, or when you perform a remote wipe. It can be restored only on a compatible device.

Call/SMS blocking – filters out and blocks voice and text messages if they come from suspicious numbers.

Parental controls – prevents access to content that requires parental guidance.

Privacy adviser – checks the different applications that you download to your device and scans them to determine which ones require more access.

Remote location – lets you find your mobile device's location on a map through GPS.

Remote lock – this feature prevents unauthorized access to your mobile device by locking it down remotely through SMS or a web interface. Other apps offer a more customized lock screen that can display the owner's contact information for a safe return.

Remote photo – this feature helps you identify unauthorized users of your mobile device by taking pictures and sending them to your email, or by taking a picture when the wrong password has been entered too many times.

Remote wipe – wipes all contacts, photos, calendars, the memory card and other important information on your mobile device in case it is lost, to preserve the privacy of your information.

SIM lock – locks down your mobile device when your SIM card is removed.

Uninstall protection – prevents hackers from bypassing your installed mobile security software and deleting all your data. It requires a password to delete the application.


Veracode Customers Improve Mean Time to Remediation by 90%

Bill Gates is well known for treating time as a scarce resource, and in 1994, John Seabrook published a piece in The New Yorker detailing an email exchange he carried on with the famous technologist. Seabrook notes that Gates’ reverence for time was evident in his correspondence – skipping salutations and pleasantries, leaving spelling mistakes and grammatical errors in-line, and never addressing the journalist by his name. In one of the emails, Gates wrote that, “the digital revolution is all about facilitation – creating tools to make things easy.”

Software is the heart of the global economy, and it has paved the way for increased productivity, simplified workflows, and has helped leaders build businesses beyond their wildest dreams. It has changed the way that security practitioners and developer teams view and manage time, through agile methodology and sprint planning facilitated by tools like JIRA.

Just as minutes, hours, and days can be the difference between meeting sprint deadlines and maintaining speed to market, time is also the difference between preventing a massive data breach and being the victim of one. However, although a cutting-corners approach may work well for email correspondence between colleagues, and perhaps journalists, using this timesaving approach when crafting code has the potential to be downright dangerous. Organizations today need to balance time to market and code quality, which includes code security.

How organizations reduced mean time to remediation and saw a 63% ROI with Veracode

We recently commissioned the Forrester Total Economic Impact™ of Veracode Application Security Platform to learn how our customers’ security and developer teams are strengthening the security posture of their applications by reducing mean time to remediation (MTTR) by implementing DevSecOps practices using our solutions. Based on interviews with Veracode customers in insurance, healthcare, finance, and information technology services, Forrester created a TEI framework, composite company, and an associated ROI analysis to illustrate financial impact.

The report found that prior to using Veracode, the composite organization experienced 60 flaws per MB of code, though they were using other application security testing solutions. After adopting the Veracode Platform and integrating tools into their CI/CD pipeline, the composite saw a reduction in security flaws of 50 percent to 90 percent over three years.

Additionally, by implementing DevSecOps practices, building stringent security controls, and integrating vulnerability testing into their CI/CD pipeline, our customers were able to reduce mean time to remediation by 90 percent. Resolutions that previously took 2.5 hours on average were reduced to 15 minutes, helping developers reduce their time spent remediating flaws by 47 percent. This stands to reason, given that our State of Software Security Volume 9 (SOSS Vol. 9) found that the most active DevSecOps teams fix flaws 11.5x faster than the typical organization.

By using Veracode Greenlight and Veracode Software Composition Analysis, developer teams were able to identify issues while they were coding, which reduced the likelihood that flaws would enter later stages of production. What’s more, our customers’ developer teams introduced fewer flaws to their code, and those flaws took less time to resolve because we offered them contextual information related to the data path and call stack information of their code.

It’s not enough to find security flaws quickly if you’re not remediating the right ones quickly

Most companies prioritize high-severity and critical vulnerabilities because they are less complicated to attack, offer greater opportunity for complete application compromise, and are more likely to be remotely exploitable. The trouble is that if a low-severity vulnerability is present in the execution path, it may put your application at greater risk than a high-severity vulnerability if your application is never calling upon that severe vulnerability in the first place. The exploitability of a vulnerability is a critical consideration many organizations overlook.

In our analysis of flaw persistence in SOSS Vol. 9, we found that organizations hit the three quarters-closed mark about 57 percent sooner for high and very high severity vulnerabilities than for their less severe counterparts. In fact, our scan data indicates that low-severity flaws were attended to at a significantly slower rate than the average speed of closure. It took organizations an average of 604 days to close three quarters of these weaknesses.

With many tools out there, developers will receive an extremely large list of vulnerabilities, including those open source libraries packaged in your application, and they will have to make a judgment call on what to fix first – and how much is worth fixing before pushing to production. The stark reality is that the time it takes developers to fix security flaws has a much larger impact on reducing risk than any other factor.

Veracode offers developers the opportunity to write secure code, limit the vulnerabilities introduced into production, and prioritize vulnerabilities with our vulnerable method approach, expert remediation coaching, and security program managers. To learn more about how the Veracode Platform enables security and development teams to work in stronger alignment, reduce mean time to remediation, and boost an organization’s bottom line, download the Forrester Total Economic Impact™ of Veracode Application Security Platform.

Participate in Our Survey and Get the Chance to Win A $50 Amazon Voucher!

If you’re a Heimdal Blog reader and/or our customer, you already know we advocate for continuous cybersecurity education.

This is why we decided to launch a survey to better understand what’s your level of cybersecurity awareness and what security measures you apply to stay safe on the Internet. Based on your responses, we will create a report to analyze and present the current state of consumers’ cybersecurity hygiene and awareness.

Stay tuned for the final results!

What’s in it for you?

We’ve also prepared some special prizes for you, meaning you can get the chance to win one of the 5 Amazon vouchers worth $50!

Here you can access the survey.

Read the Rules, Terms and Conditions, and Privacy Policy:

Survey/Sweepstakes Rules


Survey/Sweepstakes is open to anyone of legal age in their residing country as of the date of entry, including but not limited to Thor Home users. Employees of Heimdal Security (the Sponsor) and their affiliates, subsidiaries, advertising and promotion agencies, suppliers and their immediate family members and/or those living in the same household of each are not eligible to participate in the Sweepstakes. No purchases are necessary. A purchase will not increase chances of winning. All federal, state and local laws and regulations apply. Void where prohibited or restricted by law. Only the respondents who provide their email address at the final question of the survey (Question 39) will be eligible for winning the prize.


By participating, you agree to be fully unconditionally bound by these Rules, and you represent and warrant that you meet the eligibility requirements set forth herein. In addition, you agree to accept the decisions of Heimdal Security, as final and binding as it relates to the content. The Sweepstakes is subject to all applicable federal, state, and local laws.


The Survey/Sweepstakes entry period begins at 1:30 pm CET on September 3, 2019, and ends at 1:30 pm CET on October 3, 2019. Winners will be selected from entries properly submitted and timely received during the Survey/Sweepstakes Period.


During the Survey/Sweepstakes Period, submit your responses here. The entries must fulfill all sweepstakes requirements, as specified, to be eligible to win a prize. Winners will be granted the prize upon submitting their full name and valid email address at the final question of the survey (Question 39). Respondents who have not provided a valid email address will not be eligible for winning. You may enter only once and you must fill in the information requested. You may not enter more times than indicated by using multiple email addresses, identities or devices in an attempt to circumvent the rules. If you use fraudulent methods or otherwise attempt to circumvent the rules your submission may be removed from eligibility at the sole discretion of Heimdal Security.


There will be 5 winners drawn at random. Each of the 5 winners will receive a $50 Amazon gift card. No cash or other prize substitution permitted. The prize is non-transferable. Any and all prize-related expenses, including without limitation any and all federal, state, and/or local taxes shall be the sole responsibility of the winner. No substitution of prize or transfer/assignment of prize to others or request for the cash equivalent by winners is permitted. Acceptance of prize constitutes permission for Heimdal Security to use winner’s name, likeness, and entry for purposes of advertising and trade without further compensation unless prohibited by law. The odds of winning depend on the number of eligible entries received.


Five (5) winners will be selected by random drawing to be held on October 4, 2019. Winners will be chosen from survey responses received in the Survey/Sweepstake Period. The potential winners will be notified via email to the email address submitted at the final question of the Survey (Question 39) within one (1) week after the drawing. The drawing will be conducted by Heimdal Security. In the event that a potential winner is disqualified for any reason, Heimdal Security may award the applicable prize to an alternate winner selected randomly. Heimdal Security shall have no liability for a winner’s failure to receive notices due to winners’ spam, junk e-mail or other security settings or for winners’ provision of incorrect or otherwise non-functioning contact information. If the selected winner cannot be contacted, is ineligible, fails to claim the prize within 15 days from the time award notification was sent, or fails to timely return a completed and executed declaration and releases as required, prize may be forfeited, and an alternate winner selected.


Heimdal Security reserves the right to modify, terminate, suspend, or cancel the Survey/Sweepstakes at its sole discretion. Heimdal Security also reserves the right to disqualify your entry if found ineligible to participate. If a dispute arises regarding your identity, Heimdal Security reserves the right not to award the prize and draw another winner.

Heimdal Security has the right, in its sole discretion, to maintain the integrity of the Survey/Sweepstakes, to void votes for any reason, including, but not limited to multiple entries from the same user from different IP addresses, multiple entries from the same computer in excess of that allowed by sweepstakes rules, or the use of bots, macros or scripts or other technical means for entering.

Any attempt by an entrant to deliberately damage any web site or undermine the legitimate operation of the sweepstakes may be a violation of criminal and civil laws and should such an attempt be made, Heimdal Security reserves the right to seek damages from any such person to the fullest extent permitted by law.


Your identity will not be disclosed to any third parties and will only be accessed by Heimdal Security. The names and email addresses collected in the Survey/Sweepstakes period will be deleted within one (1) week after the winners are announced unless you explicitly signed up to receive future Newsletter communications. You can opt out of receiving this communication at any time by clicking the unsubscribe link in the newsletter and choose to be deleted from Heimdal Security’s database.

Your responses will be used to create a report around the current state of consumers’ cybersecurity awareness and practices. Responses will be kept anonymous.



The post Participate in Our Survey and Get the Chance to Win A $50 Amazon Voucher! appeared first on Heimdal Security Blog.

Protecting Your Engineering Business from Industrial Espionage and Cybercriminals

Industrial espionage is a much more common occurrence than many people realize. As a business grows and begins to compete at a higher level, the stakes grow and its corporate secrets become more valuable. It isn’t just other businesses that might want this information; hackers who think they can sell the information will also be sniffing about.

Even if you can’t eliminate the risk entirely, there are certain things you can do to reduce the risk of a security breach in your business.

Shred Documents

While hackers do much of their work from their computers, they also often rely on a number of offline methods to enhance their effectiveness. For example, social engineering is regularly used to coerce people into unwittingly undermining otherwise very secure systems. Countering social engineering is difficult, although educating your employees about it will go a long way to mitigating the risk.

If a hacker wants to access your systems but is struggling to breach your cybersecurity, they may well turn to other methods to get through your security, including rummaging through bins for any discarded documents. If that sounds desperate to you, you might not realize just how often it works.

Make sure that any documentation that contains information that would be of interest to a would-be hacker, or corporate competitor, is completely destroyed when it is no longer needed. Make sure that if you use a shredder to do this, it is one that shreds documents securely.

Don’t Print Sensitive Information if You Don’t Have to

Of course, better than having to securely destroy documents is not generating those documents in the first place. If you don’t have to print out sensitive information, don’t! If your sensitive documents are protected by a decent cybersecurity system, they will be about as safe as they can be. A physical document is much less secure.

Keep Your Schematics Under Wraps

Anyone who has access to the design schematics of your most important products will be able to reverse engineer them and probe them for weaknesses, even if they don’t have access to a physical device. Modern engineering businesses, like businesses in a number of other industries, make extensive use of printed circuit boards. If a competitor gets their hands on your PCB schematics, they can easily copy your proprietary technology.

Designing your own PCBs using Altium.com or a similar software package means that you can produce hardware that is unique to your engineering business. This should give you an added layer of security, as a potential hacker or criminal won’t know the internal layout and therefore won’t know what the potential entry points are. However, if they get their hands on your schematics, you instantly lose this benefit.

Keep it Need to Know

Your most sensitive corporate secrets shouldn’t be given to anyone who doesn’t need them. In any business, there will be coworkers who also become friends. Even if people only see each other when they’re at work, they will often develop friendly relationships with one another. It is important to maintain a distinction between business and pleasure: don’t feel bad about withholding sensitive information from someone you trust if there is no reason for them to have that information.

If you want to keep your engineering business secure, you need to make sure that workers at all levels understand their individual role in ensuring the security of the business as a whole. All it takes is one clueless person to undermine even the most secure cybersecurity system.

The post Protecting Your Engineering Business from Industrial Espionage and Cybercriminals appeared first on CyberDB.