Daily Archives: September 16, 2019

Keeping Passwords Simple

We know that at times this whole password thing sounds really complicated. Wouldn't it be great if there were a brain-dead-simple way to keep passwords simple and secure at the same time? Well, it's not nearly as hard as you think. Here are three tips for keeping passwords super simple while keeping your accounts super secure.

Five ways to manage authorization in the cloud

The public cloud is being rapidly incorporated by organizations, allowing them to store larger amounts of data and applications with higher uptime and reduced costs, while at the same time, introducing new security challenges. One of the more prominent challenges is identity management and authorization. Since the beginning of cloud computing, authorization techniques in the cloud have evolved into newer models, which acknowledge the many different services that now come together to form a company’s … More

The post Five ways to manage authorization in the cloud appeared first on Help Net Security.

Targeted threat intelligence and what your organization might be missing

In this Help Net Security podcast recorded at Black Hat USA 2019, Adam Darrah (Director of Intelligence), Mike Kirschner (Chief Operating Officer) and Christian Lees (Chief Technology Officer) from Vigilante talk about how their global threat hunting and dark web cyber intelligence research team extends the reach of a company’s security resources, and lives within the underground community to remain ahead of emerging threats. Where many other solutions rely on machine learning (ML) to access … More

The post Targeted threat intelligence and what your organization might be missing appeared first on Help Net Security.

Researchers uncover 125 vulnerabilities across 13 routers and NAS devices

In a cybersecurity study of network attached storage (NAS) systems and routers, Independent Security Evaluators (ISE) found 125 vulnerabilities in 13 IoT devices, reaffirming an industry-wide problem of a lack of basic security diligence. The vulnerabilities discovered in the SOHOpelessly Broken 2.0 research likely affect millions of IoT devices. “Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage,” says lead ISE researcher Rick Ramgattie. “These issues … More

The post Researchers uncover 125 vulnerabilities across 13 routers and NAS devices appeared first on Help Net Security.

BotSlayer tool can detect coordinated disinformation campaigns in real time

A new tool in the fight against online disinformation has been launched, called BotSlayer, developed by the Indiana University’s Observatory on Social Media. The software, which is free and open to the public, scans social media in real time to detect evidence of automated Twitter accounts – or bots – pushing messages in a coordinated manner, an increasingly common practice to manipulate public opinion by creating the false impression that many people are talking about … More

The post BotSlayer tool can detect coordinated disinformation campaigns in real time appeared first on Help Net Security.

Phishing attacks up, especially against SaaS and webmail services

Phishing attacks continued to rise into the summer of 2019 with cybercrime gangs’ focus on branded webmail and SaaS providers remaining very keen, according to the APWG report. The report also documents how criminals are increasingly perpetrating business email compromise (BEC) attacks by using gift card cash-out schemes. The number of phishing attacks observed in the second quarter of 2019 eclipsed the number seen in the three quarters before. The total number of phishing sites … More

The post Phishing attacks up, especially against SaaS and webmail services appeared first on Help Net Security.

Only 15% of organizations can recover from a severe data loss within an hour

There’s a global concern about the business impact and risk from rampant and unrestricted data growth, StorageCraft research reveals. It also shows that the IT infrastructures of many organizations are struggling, often failing, to deliver business continuity in the event of severe data outages. A total of 709 qualified individuals completed the research study. All participants had budget or technical decision-making responsibility for data management, data protection, and storage solutions at a company with 100-2,500 … More

The post Only 15% of organizations can recover from a severe data loss within an hour appeared first on Help Net Security.

How Will the CMMC Impact My Business and How Can We Prepare? Part 1 of 3

Part 1: Laying the Groundwork for Achieving Certification In June of this year, my colleague Tom Taylor wrote about the DoD’s announcement to instate the Cyber Security Maturity Model Certification (CMMC) and elaborated on the fact that, with the CMMC, the DoD appears to be addressing our customers’ core compliance pain points: Varying standards – […]… Read More

The post How Will the CMMC Impact My Business and How Can We Prepare? Part 1 of 3 appeared first on The State of Security.

Mini eBook: CCSP Practice Tests

The Certified Cloud Security Professional (CCSP) shows you have the advanced technical skills and knowledge to design, manage and secure data, applications and infrastructure in the cloud using best practices, policies and procedures. Download the Mini eBook for a sneak peek into the Official (ISC)² CCSP Practice Tests book. Inside you’ll find: 50 CCSP practice test items and answers to gauge your knowledge. Discount code to save on the full version which includes 1,000 items.

The post Mini eBook: CCSP Practice Tests appeared first on Help Net Security.

ImmuniWeb Discovery diminishes application security complexity and operational costs

ImmuniWeb, a global application security testing and security ratings company, is thrilled to announce the launch of ImmuniWeb Discovery that now offers:

  • continuous discovery of external digital web assets
  • actionable security ratings of asset hackability and attractiveness
  • continuous web security testing, best practices and compliance monitoring (PCI DSS, GDPR)
  • continuous monitoring of data leaks, source code exposure, phishing and domain squatting
  • monthly subscription starting at $99 per organization

ImmuniWeb Discovery substantially diminishes application security complexity … More

The post ImmuniWeb Discovery diminishes application security complexity and operational costs appeared first on Help Net Security.

Telia Carrier implements RPKI, reducing the risk of accidental route leaks

Telia Carrier has announced that it has implemented RPKI, a technology that validates and secures critical route updates (BGP announcements), on its #1 ranked global Internet backbone. BGP is the central nervous system of the Internet, and RPKI reduces the risk of accidental route leaks, or even hijacks, which can result in critical outages or fraudulent traffic manipulation. Internet connectivity has become an indispensable part of our everyday lives and the networks at … More

The post Telia Carrier implements RPKI, reducing the risk of accidental route leaks appeared first on Help Net Security.

Accenture supports Exxaro to digitally transform its business and unlock new revenue streams

Accenture has collaborated with Exxaro, one of South Africa’s leading coal producers, to help digitally transform its business and unlock new revenue streams by managing the migration of its SAP solutions, and other centrally-run applications used by Exxaro business units, to Microsoft Azure. This supports Exxaro’s ambition to establish a secure, agile, cost-effective and scalable platform that will improve business processes and continuity. Accenture created a cloud transformation strategy for Exxaro that defined the business … More

The post Accenture supports Exxaro to digitally transform its business and unlock new revenue streams appeared first on Help Net Security.

Understanding the PCI Software Security Framework: New Educational Resources

Ahead of the North America Community Meeting this week in Vancouver, PCI SSC has published new educational resources on the PCI Software Security Framework (SSF). The SSF At-a-Glance and Transitioning from PA-DSS to SSF Resource Guide provide key information to increase awareness and understanding of the SSF, its benefits and its impact on the Payment Application Data Security Standard (PA-DSS) and Program.

MobiHok RAT, a new Android malware based on old SpyNote RAT

A new Android malware, tracked as MobiHok RAT, has appeared in the threat landscape; it borrows its code from the old SpyNote RAT.

Experts from threat intelligence firm SenseCy spotted a new Android RAT, dubbed MobiHok RAT, that reuses code from the old SpyNote RAT.

At the beginning of July 2019, the experts spotted a threat actor dubbed mobeebom that was offering for sale an Android Remote Administration Tool (RAT) dubbed MobiHok v4 on a prominent English hacking forum.

The experts discovered that mobeebom is active on multiple Arabic-speaking hacking forums under different pseudonyms, which suggests that he is an Arabic speaker. Researchers also noticed that the posts published by the hacker were written in poor English.

mobeebom has been promoting the MobiHok RAT through multiple channels, including YouTube and a dedicated Facebook page, since January 2019.


MobiHok is written in Visual Basic .NET and Android Studio and allows an operator to fully control the infected device. Experts pointed out that the latest release of the RAT implements new features, including a bypass of the Facebook authentication mechanism.

The analysis conducted by the experts suggests that the threat actor obtained SpyNote’s source code and made some minor changes to its code before reselling it online.

“However, from research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016,” continues the report.

“The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.”

In July 2016, experts from Palo Alto Networks spotted a RAT offered for free called SpyNote, much like OmniRat and DroidJack; today the malware can be purchased from a website on the surface web, or downloaded for free from a forum.

MobiHok supports several features, including access to files, access to the camera, keylogging, control over SMS and contacts, the ability to bypass both Samsung security mechanisms and Google Play mechanisms, and to bind itself to another APK app.

“To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being resold by the threat actor under a different name,” concludes SenseCy.

Pierluigi Paganini

(SecurityAffairs – MobiHok RAT, malware)

The post MobiHok RAT, a new Android malware based on old SpyNote RAT appeared first on Security Affairs.

New Breach Exposes an Entire Nation: Living and the Dead

A misconfigured database has exposed the personal data of nearly every Ecuadorian citizen, including 6.7 million children.

The database was discovered by vpnMentor and was traced back to Ecuadorean company Novaestrat. It contained 20.8 million records, well over the country’s current population of 16 million. The data included official government ID numbers, phone numbers, family records, birthdates, death dates (where applicable), marriage dates, education histories, and work records.

“One of the most concerning parts about this data breach is that it includes detailed information about people’s family members,” stated a blog from vpnMentor announcing the discovery of the leak. “Most concerningly, the leaked data seems to include national identification numbers and unique taxpayer numbers. This puts people at risk of identity theft and financial fraud.”

The leaked data also included financial information for individuals and businesses including bank account status, account balance, credit type, job details, car models, and car license plates.

“The information in both indexes would be as valuable as gold in the hands of criminal gangs,” wrote ZDNet reporter Catalin Cimpanu. “Crooks would be able to target the country’s most wealthy citizens (based on their financial records) and steal expensive cars (having access to car owners’ home addresses and license plate numbers).” 

The exposed database was on a server running Elasticsearch, a software program that enables users to query large amounts of data. Elasticsearch has been involved in several high profile data leaks, mostly due to configuration mistakes. Other recent Elasticsearch leaks included a Canadian data mining firm’s records for 57 million US citizens, a medical database storing the data on 85 percent of Panamanian citizens, and a provincial Chinese government database that contained 90 million personal and business records. 

The post New Breach Exposes an Entire Nation: Living and the Dead appeared first on Adam Levin.

City Blocks Email Account of Alderman Who Refuses Cybersecurity Training


Officials in the Tennessee city of Germantown have restricted the email account of an alderman who refuses to undergo cybersecurity training. 

Insurance specialist and married father of one Dean Massey was elected to the position of alderman in 2016. His official DMassey@germantown-tn.gov email account was restricted earlier this month after Massey failed to complete a mandatory cybersecurity training course.

All Germantown officials and city employees were asked to complete the 45-minute course by a specific date and were warned that failure to comply would result in their email access being restricted. 

Massey, who holds a degree in criminal justice from the University of Mississippi, told the Commercial Appeal website that he refused to complete the cybersecurity training because the instruction to do so had come to him from the city’s unelected director of information technology. 

"I don't think it's appropriate for a city employee to tell aldermen what they have to do to access their email," said Massey.  

Massey responded to the imposed restriction by setting up a personal email account—dmassey.cityofgermantown@gmail.com—to handle his official city business. Conducting public business from a personal email address does not violate any Tennessee state laws or ethics guidelines but could complicate the process of fulfilling public records requests. 

Massey's refusal comes in the wake of a July 2019 ransomware attack on the neighboring city of Collierville, which compromised the town's internal servers. 

Commenting on Massey's argument that an elected official shouldn't have to comply with a directive from an unelected official, fellow Germantown alderman Rocky Janda told Infosecurity Magazine: "Mr. Massey came up with that reason for not taking the training. This was a city administrator/mayor decision to make it mandatory for all employees and elected officials due to recent local threats. Staff does not make these kinds of decisions on their own." 

Asked if Mr. Massey's actions had undermined the authority of Germantown's aldermen, Janda said: "Nothing Mr. Massey can do would undermine the authority of the aldermen. There is nothing special about him."

Janda, who himself became a victim of cyber-crime when hackers targeted his company with ransomware, believes mandatory cybersecurity training for elected officials is a good idea. Asked if he thought that Massey's ability to carry out his alderman duties had been affected by the restriction of his official email account, Janda said: "Yes, at least with staff." 

Stating how he would like to see the situation resolved, Janda said: "Mr. Massey just needs to take the training. It's 45 minutes . . ."

According to Commercial Appeal, Janda has asked the city administration to discuss a potential censure of Massey's actions to encourage a discussion around cybersecurity issues. Massey has also asked for cybersecurity to be added to the administration's agenda for the next meeting, which will take place on September 23.  

Massey did not respond to Infosecurity Magazine's request for comment.

Data of Virtually All Ecuadoreans Leaked Online


The personal data of almost every citizen of Ecuador has been leaked online in a catastrophic data breach. 

The names, phone numbers, and financial information of approximately 20 million Ecuadoreans were found on an unsecured cloud server by researchers working on a web-mapping project at security company vpnMentor.

The enormous 18GB cache of data included personal information relating to individuals who were deceased as well as to the country's living population of approximately 17 million. Personal information relating to 6.7 million Ecuadorean children was among the data leaked.

Exposed files revealed a large amount of sensitive personally identifiable information, such as family records, marriage dates, education histories, employment records, and official ten-digit government ID numbers called cédulas de identidad.

"This data breach is particularly serious simply because of how much information was revealed about each individual," wrote Noam Rotem and Ran Locar from vpnMentor. "Scammers could use this information to establish trust and trick individuals into exposing more information." 

Tax records and financial records revealing the account balances of customers of a large Ecuadorean bank were among the data breached. 

Rotem and Locar wrote, "Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank."

A simple search of the leaked data would enable anyone to put together a list of wealthy Ecuadoreans that would be the envy of kidnappers everywhere. Taken as a whole, the data revealed not just who had large amounts of money in the bank but also where they lived, if they were married, if they had children, what cars they drove, and the license plates of their vehicles. 

Within the leaked records researchers also found an entry and national identification number for WikiLeaks founder Julian Assange, who was granted political asylum by Ecuador in 2012. 

Rotem and Locar found the exposed data in a number of files saved on a server located in Miami, Florida, which was set up and maintained by Ecuadorian marketing and analytics company Novaestrat.

After discovering the data cache, vpnMentor contacted Novaestrat. The Ecuador Computer Emergency Security Team restricted access to the unsecured server on September 11, 2019. 

The breach follows a similar incident that took place recently in another South American country. Last month, a server was found that exposed the voter records of 80% of Chile's 14.3 million citizens.

Chicago Broker Fined $1.5m for Inadequate Cybersecurity


A US futures and securities clearing broker has been slapped with a $1.5m fine for failing to implement and enforce adequate cybersecurity measures. 

An investigation into Phillip Capital Incorporated (PCI) by the US Commodity Futures Trading Commission (CFTC) revealed a culture in which employees were not monitored to ensure that the cybersecurity of the business was protected and maintained.

Inadequate cybersecurity measures put in place within the Chicago-based company were found to be partially responsible for a data breach and the theft by cyber-criminals of $1m in PCI customer funds. 

The theft occurred when one of the company's IT engineers fell victim to a phishing email. The CFTC criticized PCI for taking too long to report the crime to customers after it happened in early 2018.  

On September 12, 2019, the CFTC issued an order that filed and simultaneously settled charges against PCI "for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds," and also for failing to disclose the breach to its customers "in a timely manner."

In a statement published on its website, the CFTC said that "the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements."

PCI was issued a civil monetary penalty of $500,000 and ordered to pay $1m in restitution. The broker was credited with the $1m restitution "based on its prompt reimbursement of the customer funds when the fraud was discovered."

The commission's investigation into PCI may be over, but the CFTC plans to keep an eye on the registered futures commission merchant's cybersecurity practices. The order filed by the CFTC requires PCI to provide reports to the commission on its remediation efforts. 

"Cybercrime is a real and growing threat in our markets," said CFTC director of enforcement James McDonald. "While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place—and follow those procedures—to protect their customers and their accounts from potential harm."

Data leak exposes sensitive data of all Ecuador citizens

Experts discovered a huge data leak affecting Ecuador, possibly the largest full-country leak to date, that exposed data belonging to 20 million Ecuadorian citizens.

Security experts at vpnMentor have discovered a huge data leak affecting Ecuador that exposed data belonging to 20 million Ecuadorian citizens.

The data were left unsecured online on a misconfigured Elasticsearch server; the exposed data include full PII, marital status and date of marriage, level of education, financial information, and more.

This may be the largest full-country leak to date: it affects the whole country, and the exposure of such data poses a severe threat to Ecuadorian citizens.

“vpnMentor’s research team has found a large data breach that may impact millions of individuals in Ecuador. The leaked database includes over 20 million individuals,” reads the post published by vpnMentor.

“Led by Noam Rotem and Ran Locar, our team discovered the data breach on an unsecured server located in Miami, Florida. The server appears to be owned by Ecuadorian company Novaestrat.”

Leaked data include citizens’ financial records and car registration information.

The personal records of most of Ecuador’s population, including children, have been left exposed online due to a misconfigured database, ZDNet has learned.

The server contained a total of 20.8 million user records (18 GB of data), more than the country’s total population (16.6 million), likely due to the presence of duplicate records and data of deceased citizens.


The analysis of the indexes revealed that the database is composed of data gathered from government sources (mostly the Ecuadorian government) and data gathered from private databases.

“Individuals in the database are identified by a ten-digit ID code. In some places in the database, that same ten-digit code is referred to as “cedula” and “cedula_ruc”.” continues the post.

“In Ecuador, the term “cédula” or “cédula de identidad” refers to a person’s ten-digit national identification number, similar to a social security number in the US.

The term “RUC” refers to Ecuador’s unique taxpayer registry. The value here may refer to a person’s taxpayer identification number.”

The experts found within the leaked records an entry for WikiLeaks founder Julian Assange that also includes the “cedula.”

Experts also found millions of entries for children under the age of 18 that contained names, cedulas, places of birth, gender, and home addresses.

The database was secured on September 11, 2019, after vpnMentor notified the Ecuador CERT (Computer Emergency Response Team) of its discovery.

Pierluigi Paganini

(SecurityAffairs – Ecuador, data leak)

The post Data leak exposes sensitive data of all Ecuador citizens appeared first on Security Affairs.

Smishing Explained: What It Is and How You Can Prevent It


Do you remember the last time you’ve interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently as of late?

It’s no accident. Whereas marketers and communications professionals can’t count on email opens or on users accepting push notifications from apps, they’re well aware that around 98% of SMS messages are read within seconds of being received.


As with any development in how we communicate, the rise in brand-related text messaging has attracted scammers looking to profit. Hence we arrive at a funny new word in the cybersecurity lexicon, “smishing.” Mathematical minds might understand it better represented by the following equation:

SMS + Phishing = Smishing

For the rest of us, smishing is the act of using text messages to trick individuals into divulging sensitive information, visiting a risky site, or downloading a malicious app onto a smartphone. These often benign-seeming messages might ask you to confirm banking details, verify account information, or subscribe to an email newsletter via a link delivered by SMS.

As with phishing emails, the end goal is to trick a user into an action that plays into the hands of cybercriminals. Shockingly, smishing campaigns often closely follow natural disasters as scammers try to prey on the charitable to divert funds into their own pockets.

Smishing vs Vishing vs Phishing

If you’re at all concerned with the latest techniques cybercriminals are using to defraud their victims, your vocabulary may be running over with terms for the newest tactics. Here’s a brief refresher to help keep them straight.

  • Smishing, as described above, uses text messages to extract the sought after information. Different smishing techniques are discussed below.
  • Vishing is when a fraudulent actor calls a victim pretending to be from a reputable organization and tries to extract personal information, such as banking or credit card information.
  • Phishing is any type of social engineering attack aimed at getting a victim to voluntarily turn over valuable information by pretending to be a legitimate source. Both smishing and vishing are variations of this tactic.

Examples of Smishing Techniques

Enterprising scammers have devised a number of methods for smishing smartphone users. Here are a few popular techniques to be aware of:

  • Sending a link that triggers the downloading of a malicious app. Clicks can trigger automatic downloads on smartphones the same way they can on desktop internet browsers. In smishing campaigns, these apps are often designed to track your keystrokes, steal your identity, cede control of your phone to hackers, or encrypt the files on your phone and hold them for ransom.
  • Linking to information-capturing forms. In the same way many email phishing campaigns aim to direct their victims to online forms where their information can be stolen, this technique uses text messages to do the same. Once a user has clicked on the link and been redirected, any information entered into the form can be read and misused by scammers.
  • Targeting users with personal information. In a variation of spear phishing, committed smishers may research a user’s social media activity in order to entice their target with highly personalized bait text messages. The end goal is the same as any phishing attack, but it’s important to know that these scammers do sometimes come armed with your personal information to give their ruse a real feel.
  • Referrals to tech support. Again, this technique is a variation on the classic tech support scam, or it could be thought of as the “vish via smish.” An SMS message will instruct the recipient to contact a customer support line via a number that’s provided. Once on the line, the scammer will try to pry information from the caller by pretending to be a legitimate customer service representative. 

How to Prevent Smishing

For all the conveniences technology has bestowed upon us, it’s also opened us up to more ways to be ripped off. But if a text message from an unknown number promising to rid you of mortgage debt (but only if you act fast) raises your suspicion, then you’re already on the right track to avoiding falling for smishing.

Here are a few other best practices for frustrating these attacks:

  • Look for all the same signs you would if you were concerned an email was a phishing attempt: 1) check for spelling errors and grammar mistakes, 2) visit the sender’s website itself rather than providing information in the message, and 3) verify the sender’s telephone number to make sure it matches that of the company it purports to belong to.
  • Never provide financial or payment information on anything other than the trusted website itself.
  • Don’t click on links from unknown senders or from senders you do not trust.
  • Be wary of “act fast,” “sign up now,” or other pushy and too-good-to-be-true offers.
  • Always type web addresses in a browser rather than clicking on the link.
  • Install a mobile-compatible antivirus on your smart devices.

The post Smishing Explained: What It Is and How You Can Prevent It appeared first on Webroot Blog.

How Cloud-Based Automation Can Keep Business Operations Secure

The massive data breach at Capital One – America's seventh-largest bank, according to revenue – has challenged many common assumptions about cloud computing for the first time. Ironically, the incident, which exposed some 106 million Capital One customers' accounts, has only reinforced the belief that the cloud remains the safest way to store sensitive data. "You have to compare [the cloud]

A flaw in LastPass password manager leaks credentials from previous site


An expert discovered a flaw in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.

Tavis Ormandy, the popular white-hat hacker at Google Project Zero, has discovered a vulnerability in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.


On September 12, 2019, LastPass released version 4.33.0 to address the vulnerability.

“Hello, I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource.” reads a security advisory published by Ormandy.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”

Ormandy published a step-by-step procedure to exploit the flaw and display the credentials provided to the previously visited website.

y = document.createElement("iframe");
y.height = 1024;
y.width = "100%";
y.src="chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html";
// or y.src="moz-extension://...";
// or y.src="ms-browser-extension://...";
document.body.appendChild(y);  

The expert explained that the bug is easy to exploit and requires no other user interaction: an attacker could trick victims into visiting a malicious page to extract the credentials entered on previously visited sites.

“Ah-ha, I just figured out how to do this google automatically, because compare_tlds(lp_gettld_url(a), lp_gettld_url(t)) succeeds for translate.google.com and accounts.google.com, but you can iframe untrusted sites with translate.google.com, so the top url is irrelevant.” continues the expert.

“I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.”

At the time of writing, there is no news about the exploitation of this bug in attacks in the wild.

LastPass implements an auto-update process for both its mobile apps and browser extensions; users who have disabled it for some reason have to update manually.

Pierluigi Paganini

(SecurityAffairs – LastPass, hacking)

The post A flaw in LastPass password manager leaks credentials from previous site appeared first on Security Affairs.

Another Side Channel in Intel Chips

Not that serious, but interesting:

In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard (and significantly longer) path through the server's main memory. By avoiding system memory, Intel's DDIO (short for Data-Direct I/O) increased input/output bandwidth and reduced latency and power consumption.

Now, researchers are warning that, in certain scenarios, attackers can abuse DDIO to obtain keystrokes and possibly other types of sensitive data that flow through the memory of vulnerable servers. The most serious form of attack can take place in data centers and cloud environments that have both DDIO and remote direct memory access enabled to allow servers to exchange data. A server leased by a malicious hacker could abuse the vulnerability to attack other customers. To prove their point, the researchers devised an attack that allows a server to steal keystrokes typed into the protected SSH (or secure shell session) established between another server and an application server.

Israeli Cops Arrest Cyber Surveillance Vendor’s Employees

Israeli police have arrested several employees of a domestic company that makes cyber-surveillance tools and raided its offices over the weekend, according to local reports.

Although a court order has prevented many details of the case from making it into the public domain, including the identity of the suspects, the arrests were apparently made under charges of fraud, smuggling and money-laundering.

The individuals are thought to be staff at Ability Computer & Software Industries and Ability Security Systems, subsidiaries of Ability, which markets itself as providing interception technology for mobile cellular and satellite communications.

Founded in 1994 by “military and communication experts,” Ability claims to count governments, military, law enforcement and border control agencies as its customers.

However, there are suspicions that the firm may have broken Israeli laws around the export of specific security-related technologies, according to Haaretz.

The Israeli defense ministry is said to have suspended Ability subsidiaries from its official list of registered defense export companies after it exported geolocation systems without a license.

The firm is also facing a backlash from US regulator the SEC over an anti-fraud investigation dating back to 2017 about its 2015 merger with shelf company Cambridge Capital Acquisition Corporation.

Ability also paid out $3m last year to settle out-of-court with investors who said they’d been misled about the state of the firm’s finances.

The police investigation is being undertaken by the International Crime Investigations unit alongside the Director of Security of the Defense Establishment, according to the report.

The news comes just weeks after the Israeli government made moves to ease the process for exporting cyber-weapons to certain countries, despite warnings from the UN and others that such tools are being used by despotic governments to crack down on dissent.

Spam Campaign Targeting German Users with Ordinypt Malware

A new spam campaign is attempting to infect German-speaking users with samples of the destructive Ordinypt malware family. According to Bleeping Computer, the campaign sent spam emails masquerading as a job application from someone named Eva Richter. These messages supported this claim by using the subject line “Bewerbung via Arbeitsagentur – Eva Richter,” which translates […]… Read More

The post Spam Campaign Targeting German Users with Ordinypt Malware appeared first on The State of Security.

France and Germany will block Facebook’s Libra cryptocurrency

Bad news for Facebook and its projects: France and Germany have agreed to block Facebook’s Libra cryptocurrency, the French finance ministry said.

The French and German governments announced that they will block Facebook’s Libra cryptocurrency, as reported by French Finance Minister Bruno Le Maire.

“We believe that no private entity can claim monetary power, which is inherent to the sovereignty of nations,” reads a joint statement issued by the two governments.

“I want to be absolutely clear: in these conditions, we cannot authorise the development of Libra on European soil.” he said at a conference in Paris on virtual currencies.

French Finance Minister Bruno Le Maire explained last week that Facebook should not be allowed to operate the Libra cryptocurrency in Europe because it threatens the monetary sovereignty and financial systems of the member states.

Facebook Libra cryptocurrency
Source: Coindesk.com

Facebook announced in June that it plans to launch Libra in 2020; to make it reliable, the social network giant wants to back Libra with traditional currency.

The non-profit Libra Association includes major firms such as PayPal, Visa, Stripe, Mastercard, eBay, and Uber.

“Unlike other cryptocurrencies, which are not controlled by a central authority, Libra will not be decentralised, but will be entrusted to a Swiss-based association of major technology and financial services companies. Besides Facebook, backers of Libra include the payment companies Visa, MasterCard and PayPal, and the ride-hailing apps Lyft and Uber.” reported The Guardian.

Authorities also fear possible abuses of the Libra cryptocurrency, including money laundering, and how Facebook would prevent them.

Pierluigi Paganini

(SecurityAffairs – Facebook, cryptocurrency)

The post France and Germany will block Facebook’s Libra cryptocurrency appeared first on Security Affairs.

Raytheon’s cloud-based test bed takes risk out of innovation

Risk, compliance and security are primary concerns for companies operating in the defense industry. But increased focus on these issues can complicate an organization’s agility when adopting or adapting to new technology. This is what Raytheon was up against when it embarked on an IT initiative to develop a secure, cloud-based virtual innovation environment to test and explore new technology.

New technology that hasn’t been screened or tested for potential security threats or vulnerabilities can pose a major risk to an organization that prioritizes security. In developing its innovation environment, Raytheon needed to create a solution that both supports the “rigorous and time-consuming processes” of testing for potential security threats and “expedites the risk reviews while still achieving speed, agility and compliance,” says Pierre Brennecke, manager of digital channels and events at the defense contractor.

US Slaps Sanctions on Three North Korean Cyber Groups

The US Treasury has finally announced sanctions on three notorious North Korean state hacking groups, which it accused of attacks designed to generate money for the country’s illegal weapons program.

The Office of Foreign Assets Control (OFAC) said on Friday that the sanctions would apply to Lazarus Group, Bluenoroff and Andariel. It effectively demanded that global banks block any transactions related to the groups.

All three entities have been pegged as under the control of the Reconnaissance General Bureau (RGB), Pyongyang’s primary intelligence agency.

Lazarus Group is the largest and best known, having been blamed for the destructive malware attack on Sony Pictures Entertainment and WannaCry. Along with Bluenoroff hackers it is also said to have launched the daring $80m cyber-heist on Bangladesh Bank.

While Lazarus Group targets range far and wide — including government, military, financial, manufacturing, publishing, media, entertainment, international shipping and critical infrastructure — Bluenoroff was apparently set up explicitly with the aim of making money to overcome global sanctions on North Korea.

Andariel, meanwhile, is apparently focused on hacking ATMs, stealing customer information to sell on the dark web, and stealing from online gambling sites, as well as hacking South Korean military systems to gather intelligence.

The groups’ efforts also focused on cryptocurrency exchanges in a bid to generate more funds for Pyongyang’s missile and nuclear weapons programs, the Treasury claimed.

This chimes with allegations from the UN, denied by North Korea, that the hermit nation had amassed a trove of $2bn from “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity” across 17 countries.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber-attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury under secretary for terrorism and financial intelligence. 

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

UK’s Environmental Agencies Lose Hundreds of Devices

The UK government is in hot water again after Freedom of Information (FOI) requests revealed its Environment Department has misplaced hundreds of laptops and mobile devices over recent years.

Security vendor Absolute Software sent requests for info to the Department for Environment, Food, and Rural Affairs (DEFRA) and non-departmental public body the Environment Agency, which it sponsors.

They revealed that the two organizations lost a combined 540 devices over the past three financial years: DEFRA accounting for 100 of these and the Environment Agency reporting a total of 440.

Mobile phone losses were most common, with the Environment Agency again losing the lion’s share (363) and DEFRA just 63.

The Environment Agency misplaced 59 laptops over the period, with just 35 going missing from DEFRA, while only 21 tablet computers were lost in total – three from DEFRA and 18 from the Environment Agency.

Yet despite the headline stats, it’s the Environment Agency which appears to be improving its device security processes. It recorded an overall decrease of 24% in lost IT kit over the three-year period, while DEFRA witnessed a 43% increase.

A spokesperson from the Environment Agency played down the findings, claiming they should be seen in the context of the public body’s 10,000+ nationwide staff.

“Due to the nature of our work, we have operational staff working in the field to protect the environment and support our incident response capabilities,” the statement noted.

“Because of this there is always a risk that exposure to threats concerning mobile technology will be increased. All staff are required to work in accordance with our IT and security policies so that we continue to work toward minimizing losses, and risk associated with losses.”

Absolute Software vice-president Andy Harcup was less forgiving, branding the losses “unbelievable.”

“Every single lost device is a potential goldmine of confidential information and should be properly secured so that if stolen it can be tracked, frozen and recovered,” he argued.

“It’s also critical that government agencies have capabilities in place so that when mobile devices are exposed to threats outside of their control, they are able to locate the devices whether they are on or off the network, and wipe the data on the devices in order to comply with critical regulations like GDPR.”

These are just the latest two government bodies to have had their device security policies scrutinized: the Ministry of Defence recorded a 300% increase in losses of both devices and sensitive data over the past two financial years, according to Absolute Software.

DOXing in 2019

During the early 2000s, in private chats or even in public IRC channels, self-styled “hackers” used to DOX people in order to prove their competence in the “dark arts” (cit. Proceedings of the 39th SIGCSE). I was always fascinated by those people who, with only a little information such as an email address or a nickname, were able to find out much of your life just by looking on the web. Today, several years later, a friend of mine asked me to run a DOX session against himself in order to evaluate what the Internet knows about him.

What is DOX?

“Doxing” is a neologism that has evolved over its brief history. It comes from a spelling alteration of the abbreviation “docs” (for “documents”) and refers to “compiling and releasing a dossier of personal information on someone”. Essentially, doxing is revealing and publicizing records of an individual, which were previously private or difficult to obtain.

The term dox derives from the slang “dropping dox” which, according to Wired writer Mat Honan, was “an old-school revenge tactic that emerged from hacker culture in the 1990s”. Hackers operating outside the law in that era used the breach of an opponent’s anonymity as a means to expose opponents to harassment or legal repercussions.

wikipedia: about DOXing

Nowadays the word DOX, or the act of DOXing someone, has a bad connotation, since it undermines the victim’s privacy by publicly exposing sensitive data that the DOXer (that is, whoever performs the DOXing) has collected and/or correlated. I will not expose any data, but I’ll take the chance to review techniques and tools in order to give my readers an updated view of DOXing tools in 2019.

DOXing methodology

When you start a DOXing session you might decide to play it by ear or to approach the problem with a methodology. Methodologies are not simple at this point, since you need to map a back-and-forth information flow. In other words, you need to forecast which information about the victim you might get from a victim’s peer or a victim’s relative, so you need to be able to move from one peer to another and to stop when you are moving too far from the original victim. The feeling that stops you from getting too far away from the original victim is quite hard to define; we might decide to use an information threshold such as: after [random number] iterations, or only on public social profiles, or, going deeper, everything that does not involve another entity. Any threshold we define could equally be overkill or too restrictive. So my best advice is to follow the path until you feel you are getting too far from your target; at that point, wrap up the information you have and start to focus on another path. The following image shows a simple flow that you might decide to take.

Simplified DOXing Flow

A simple yet useful piece of advice is to take note of every finding from both manual and automatic analysis. It might sound like a trivial suggestion, but I’m sure you will appreciate it once you get your hands dirty with the amount of data you might turn up! I’m used to Maltego, since it automates many search steps, but there are many great tools out there: find your best fit and keep notes on what you do!

Example from Maltego Blog

Used Tools

Fortunately there are a lot of OSINT/Personal-INT tools worth using. In the following list I have selected just some of them, the ones I personally think give the best results in 2019.

  • Doxing (by Hacking Live). It’s not very up to date, but hey… Doxing is an ancient practice! It works quite well and helps automate many searches.
  • DoxTracker (by Kuro-Code). It will definitely help automate your searches, since it includes many tracking websites.
  • Maltego (by Paterva). It is perhaps the king of public information gathering: depending on how many services you sign in to (services are information sources), it extracts tons of information on your target.
  • FOCA (by ElevenPaths). FOCA (on GitHub) is another great and well-known tool that allows you to automate many discovery tasks. Unfortunately it runs only on Windows, so if you are a Unix/FreeBSD user you need to emulate a Windows OS.
  • FamilyTree. A great tool to try. If you are lucky and your target is in their database, oh boy, you’ll get tons of information on his relatives.
  • TruePeopleSearch. Very useful for finding addresses and/or phone numbers. It mainly works for the US, though.
  • PeekYou. It works great, searching various sources including social networks and phone books. It works regardless of the target’s country.
  • Lullar. Another great social aggregation profiler. You can enter a first and last name, a nickname or the target’s email; it will check whether the target is on social networks and will give you a direct link to the target’s social profile.
  • CheckUserNames. Sometimes you want to check whether specific usernames exist on social networks. If this is what you need, CheckUserNames works great.
  • TinEye, Google Image Search. When you start to investigate pictures you may need to locate where a specific picture came from; to do that you can search for similar pictures and look at the comments/tags on them in order to locate the original picture.
  • Git-Fingerprint. Sometimes your target knows Git and might be using it.
  • PictaME. Useful if you need to analyze Instagram profiles and/or check Instagram pictures without an Instagram account.

It may be obvious, I know… but don’t forget Google searches. Automatic searches are great since they speed you up, but Google and Bing hold a lot of information on your target. My best findings come from manual Google searches, correlating social comments and images.

This activity produced an acclaimed newspaper article in Scienze, “La Repubblica” (the biggest Italian newspaper), on 12 September 2019.

Scienze, “La Repubblica”, 12 September 2019

The Top 10 Highest Paying Jobs in Information Security – Part 1

Given a surge in digital threats like ransomware, it is no surprise that the field of information security is booming. Cybersecurity Ventures estimates that there will be 3.5 million job openings across the industry by 2021. Around that same time, the digital economy research firm forecasted that global digital security spending would exceed one trillion […]… Read More

The post The Top 10 Highest Paying Jobs in Information Security – Part 1 appeared first on The State of Security.

Is your school GDPR compliant? Use our checklist to find out

At this year’s ASCL (Association of School and College Leaders) conference, a guest said to us: “The GDPR? Wasn’t that last year?”

Our heads fell into our hands. How was it possible for someone to be so misguided about such a well-publicised regulation? Granted, 2018 was very much ‘the year of the GDPR’ in some circles. It came into effect in May 2018, following much discussion and a last-minute surge from organisations that had put off compliance until the final moment.

But compliance isn’t a one-time thing. The GDPR continues to apply to any organisation that processes the personal data of, or monitors the behaviour of, EU residents.

A brief summary of the GDPR

The GDPR works like this: there are data subjects (that’s individuals like you and me), and we own our own personal data. The GDPR considers personal data to be anything that identifies, or can be used to identify, a living person, such as your name, National Insurance number or email address, whether it’s a personal or work account.

The GDPR outlines a list of steps organisations must take to protect that information. It also contains eight data subject rights that give individuals more control over the way organisations use their personal data.

These include:

  • The right to access the personal information organisations store on them;
  • The right to request that organisations rectify any information that’s inaccurate or incomplete;
  • The right to erase personal data when it’s no longer necessary or the data was unlawfully processed; and
  • The right to object to processing if the individual believes the organisation doesn’t have a legitimate reason to process information.

Organisations that fail to meet these requirements face fines of up to €20 million (about £18 million) or 4% of their annual global turnover, whichever is greater.

GDPR compliance in schools

Schools have a particularly hard time of it when it comes to the GDPR. They often work with tight budgets and lack the resources to retain a dedicated information security team.

Additionally, schools process large amounts of children’s data, which merits extra protection. In some cases, there are specific rules that apply to children, which means data processors must work out whether the data subject qualifies as a child (defined as under 13 in the UK) before proceeding.

If that’s the case, the data processor must account for requirements concerning:

Can you use consent?

Organisations cannot legally obtain consent from children. Instead, they must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.

This requirement doesn’t apply in the context of preventive or counselling services offered directly to a child.


Privacy notices

Organisations must ensure that privacy notices targeted at children are written in plain language that could reasonably be understood by data subjects.

This is similar to the general rules about privacy notices, but it’s important to remember that the language you use must be appropriate to the intended audience. What’s considered plain language to a 12-year-old will probably be a lot different from what is plain to, say, a 5-year-old.


Online services offered to children

In most cases, consent requests for children will relate to online services, or what the GDPR refers to more generally as information society services. These include things such as online shopping, live or on-demand streaming and social networks.

The GDPR states that consent must be closely regulated in these services because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details.

Schools aren’t GDPR-compliant

These are reasonable requirements, but many schools still fail to understand the importance of compliance or make the necessary changes. The ICO (Information Commissioner’s Office) reported that breaches in the education sector increased by 43% in the first three months that the GDPR was effective.

The number of security incidents increased from 355 in the second quarter of 2017–18 to 511 in the same period last year. Meanwhile, the number of incidents involving data breaches increased from 239 to 353.

The ICO found that common disclosure issues included:

  • The loss or theft of paper or digital files;
  • Emailing information to the wrong recipient; and
  • Accidental verbal disclosure.

There has also been a sharp increase in the number of cyber attacks targeting schools, with a 69% rise in malware, ransomware and phishing scams between 2017 and 2018.

Mark Orchison, managing director of cyber security firm 9ine, warned that “schools don’t have the internal expertise” to deal with cyber attacks, and they lack “the skills to understand the risks or what to do when [an attack] happens”.

“Schools are seen as an easy target,” he added. “Sending false invoices, for example, is easy money.”

The figures aren’t all bad news, though. Orchison suggested that the rise in data breach reports may well be a case of schools becoming more aware of what breaches are and when they need to be reported.

GDPR checklist for schools

Staying on top of your GDPR compliance requirements can seem daunting, which is why we encourage all organisations to create a plan of action.

Anyone looking for help on what that should include should take a look at our GDPR checklist for schools. It will help you record your school’s progress towards GDPR compliance and identify any areas where development may be required.


A version of this blog was originally published on 28 March 2019.

The post Is your school GDPR compliant? Use our checklist to find out appeared first on IT Governance Blog.

What Does GDPR Mean for Your Organization?

The GDPR, or the General Data Protection Regulation, is a new law that has been enforced by the European Union since May 25, 2018. The goal of this regulation is to update the Data Protection Directive of 1995, which was enacted before the widespread use of the internet, which has drastically changed the way data is collected, transmitted, and used.

Another key component of the GDPR is to update regulations about data protection for sensitive personal information. It places an emphasis on the need to protect any and all collected data.

At the core of this new regulation, it aims to simplify, update, and unify the protection of personal data.

Why Does GDPR Matter to You?

The main changes from the GDPR mean that companies can no longer be lax about personal data security. In the past, they could get away with simple tick-box exercises to achieve compliance. This is no longer the case.

Here are the top points to consider regarding the General Data Protection Regulation.

  1. A company does not have to be based in the EU to be covered by the GDPR. As long as they collect and use personal data from citizens of the EU, they must adhere to this regulation.
  2. The fines for violating the regulations set forth by the GDPR are huge. Serious infringements such as not having the right customer consent to process their data can net the violating company a fine of 4% of their annual global income, or 20 million Euros — whichever one is bigger.
  3. The definition of personal data has become wider and now includes items such as IP addresses and mobile device identifiers.
  4. Individuals now have more rights over the use of their personal data for security purposes. Companies can no longer use long-worded terms and conditions in order to obtain explicit consent from their customers to process their data.
  5. The GDPR has made technical and organizational measures for protecting personal data mandatory. Companies now need to hash and encrypt personal data in order to protect it.
  6. Registries relating to data processing are now mandatory as well. This means that organizations need to keep a written (electronic) record of all the activities they perform on personal data, capturing the lifecycle of data processing.
  7. Impact assessments for data protection, such as data profiling, will now be required.
  8. Reporting any and all data breaches is now mandatory. Organizations have a maximum of 72 hours to report a security breach that places personal data at risk. If it poses a high risk for individuals, then it should be reported immediately or without undue delay.
  9. If an organization processes a large amount of data, they will be required to have a Data Protection Officer, who is in charge of monitoring compliance with the regulation and reports directly to the highest management level of the company.
  10. The GDPR is mainly focused on data protection by design and by default.

There is no doubt that the legal and technical changes the GDPR requires in order to comply at an organizational level are big. Achieving compliance takes more than information security or legal teams alone. It takes the creation of a GDPR task force within the organization that understands the changes and their effects on its operations. Its members will work together to meet the compliance requirements set forth by the new regulation.

The post What Does GDPR Mean for Your Organization? appeared first on .