Daily Archives: October 9, 2019

Cybercrime is maturing, shifting its focus to larger and more profitable targets

Cybercrime is continuing to mature and becoming more and more bold, shifting its focus to larger and more profitable targets as well as new technologies. Data is the key element in cybercrime, both from a crime and an investigate perspective. These key threats demonstrate the complexity of countering cybercrime and highlight that criminals only innovate their criminal behavior when existing modi operandi have become unsuccessful or more profitable opportunities emerge. In essence, new threats do … More

The post Cybercrime is maturing, shifting its focus to larger and more profitable targets appeared first on Help Net Security.

Only 32% of organizations employ a security-first approach to cloud data storage

Although nearly half (48%) of corporate data is stored in the cloud, only a third (32%) of organizations admit they employ a security-first approach to data storage in the cloud, according to a global study from Thales, with research from the Ponemon Institute. Surveying over 3,000 IT and IT security practitioners in Australia, Brazil, France, Germany, India Japan, the United Kingdom and the United States, the research found that only one in three (31%) organizations … More

The post Only 32% of organizations employ a security-first approach to cloud data storage appeared first on Help Net Security.

Does poor password hygiene still hamper your ability to achieve high security standards?

While more businesses are investing in security measures like multifactor authentication (MFA), employees still have poor password habits that weaken companies’ overall security posture, according to LastPass. Given that stolen and reused credentials are linked to 80 percent of hacking-related breaches, businesses must take more action to improve password and access security to make a big impact on risk reduction. “Securing employee access has never been more important and unfortunately, we see businesses ignore password … More

The post Does poor password hygiene still hamper your ability to achieve high security standards? appeared first on Help Net Security.

Impact and prevalence of cyberattacks that use stolen hashed administrator credentials

There’s a significant prevalence and impact of cyberattacks that use stolen hashed administrator credentials, also referred to as Pass the Hash (PtH) attacks, within businesses today, according to a survey from One Identity. Among the survey’s most noteworthy findings is that 95% of respondents say that PtH attacks have a direct business impact on their organizations. Conducted by Dimensional Research, the survey of more than 1,000 IT professionals reinforces the crucial need for organizations to … More

The post Impact and prevalence of cyberattacks that use stolen hashed administrator credentials appeared first on Help Net Security.

Free eBook: Threat intelligence platforms

Today’s threat environment is complex and dynamic. The internet was built for connectivity, not security, and approaches such as intrusion detection systems, anti-virus programs, and traditional incident response methodologies by themselves are no longer sufficient in the face of the widening gap between offensive and defensive capabilities. Organizations today face Advanced Persistent Threats (APTs) and organized, criminally motivated attacks launched by adversaries with the tools, training, and resources to breach most conventional network defense systems. … More

The post Free eBook: Threat intelligence platforms appeared first on Help Net Security.

FireEye Digital Threat Monitoring: Visibility beyond your walls

FireEye announced the availability of FireEye Digital Threat Monitoring – a new way for customers to defend their digital footprint across otherwise inaccessible facets of the web. Traditional cyber defenses are designed to protect assets that exist within an organization’s network. However, assets extend far beyond the network perimeter, thereby increasing the risk of exposure or theft. FireEye Digital Threat Monitoring automatically collects and analyzes content on the dark and open web, alerting defenders whenever … More

The post FireEye Digital Threat Monitoring: Visibility beyond your walls appeared first on Help Net Security.

SolarWinds Identity Monitor helps orgs improve security posture and mitigate risk proactively

SolarWinds, a leading provider of powerful and affordable IT management software, announced the launch of SolarWinds Identity Monitor. The easy-to-use solution is designed to help IT and security professionals strengthen their security posture and combat instances of account fraud, loss of revenue, brand damage, and spam by automating account takeover (ATO) prevention. This launch further underscores SolarWinds’ commitment to making security solutions accessible for every organization that needs them, helping to fill a gap not … More

The post SolarWinds Identity Monitor helps orgs improve security posture and mitigate risk proactively appeared first on Help Net Security.

The Current State of CCPA – What You Need to Know

In the digital age, more often than not, you can be sure that some enterprise has hold of your personal information. This information could be your name, email, phone number, IP address, country and other details. This can come from submitting a form, subscribing to a newsletter, accepting cookies, accepting the privacy policy or terms […]… Read More

The post The Current State of CCPA – What You Need to Know appeared first on The State of Security.

Wind River unveils new VxWorks release to redefine embedded software development

Wind River, a global leader in delivering software to the intelligent edge, announced the latest release of its industry-leading real-time operating system (RTOS) VxWorks, which has been enabling the security, safety, and deterministic performance of embedded applications for more than 30 years. Over these three-plus decades, VxWorks has continually evolved to meet the changing needs of software developers. The latest release redefines embedded software development with new capabilities and industry firsts to drive greater business … More

The post Wind River unveils new VxWorks release to redefine embedded software development appeared first on Help Net Security.

Medcurity expands intuitive and comprehensive approach for HIPAA compliance

As part of their commitment to be “The HIPAA Compliance Platform for Healthcare Organizations,” Medcurity has released Customizable Security Policies and Procedures and Business Associate Management. These new tools expand Medcurity’s intuitive and comprehensive approach for HIPAA compliance. Much like Turbo Tax, Medcurity walks organizations through a questionnaire to populate key aspects of each policy. The final policies automatically reflect their specific workflows and environment, including branding. These tightly integrated Security policies can be accessed … More

The post Medcurity expands intuitive and comprehensive approach for HIPAA compliance appeared first on Help Net Security.

Intel unveils its latest lineup of Intel Xeon W and X-series processors

Intel unveiled its latest lineup of Intel Xeon W and X-series processors, which puts new classes of computing performance and AI acceleration into the hands of professional creators and PC enthusiasts. Custom-designed to address the diverse needs of these growing audiences, the new Xeon W-2200 and X-series processors are targeted to be available starting November, along with a new pricing structure that represents an easier step up for creators and enthusiasts from Intel Core S-series … More

The post Intel unveils its latest lineup of Intel Xeon W and X-series processors appeared first on Help Net Security.

Signal Sciences’ WAF and RASP solution interoperates effectively with Pivotal Container Service

Signal Sciences, the fastest growing web application security company in the world, announced its Pivotal Container Service (PKS) integration. The integration ensures that Signal Sciences’ next-gen WAF and RASP solution interoperates effectively with PKS, and customers can now easily deploy Signal Sciences to protect against web application attacks, such as the OWASP top 10, account takeovers, API misuse, and bad bots. PKS is a purpose-built container solution to operationalize Kubernetes for multi-cloud organizations. It enables … More

The post Signal Sciences’ WAF and RASP solution interoperates effectively with Pivotal Container Service appeared first on Help Net Security.

A Guide to PCI Compliance in the Cloud

In an age where hosting infrastructure in a cloud environment becomes more and more attractive – whether for maintenance, price, availability, or scalability – several service providers offer different PCI-DSS (Payment Card Industry – Data Security Standard) compliant solutions for their customers’ need to deal with payment cards.

Many companies believe that when choosing a business partner already certified in PCI-DSS, no further action is required since this environment has already been evaluated. However, while a PCI-DSS compliant provider brings more security and reliability, only its certification is not enough for the contractor’s environment to be certified as well.

All certified service providers must offer their customers an array of services and responsibilities, where they clearly define what each party needs to do to achieve PCI compliance in the environment. 

With this in mind, there are some important tips to take into account, mainly focusing on the first six PCI-DSS requirements, and also some important information for cloud service providers to take into account.

Requirement 1: Install and maintain a firewall configuration to protect the cardholder data

To protect cardholder data, you must implement and configure environmental targeting in accordance with PCI network requirements. It should be analyzed with tools the service provider offers to enable the contractor to achieve compliance. Some important services to consider:

  • Network Groups: A tool that will be used to perform the logical segmentation of the cloud-hosted environment. Traditionally, communications are blocked, and rules must be created to release access between instances.
  • Private Cloud: Should be used to isolate the provider’s networks in private networks, preventing the connection and access of other networks except those duly authorized by the targeting tool created in the same private cloud. This configuration facilitates the segmentation and logical management of accesses, reducing the exposure of the environment and card data.
  • Elastic Computing: It allows the creation of an instance that is scalable, that is, after it is identified that the processing reaches a parameter pre-defined by the user, creates another instance identical to the first. This process repeats itself as there is a need for more processing power. With the reduction of processing, the instances are then deactivated.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

In the case of SaaS (Software as a Service) cloud services, the need to apply secure configuration controls rests with the provider, assuming that the service provider identifies the service as part of its environment accordingly.

Using PaaS (Platform as a Service) or IaaS (Infrastructure as a Service), when the configuration of the instance is made by the contracted company, it is very important to create the procedure of hardening to be used and to ensure that it is properly applied in the instance before creating the rules that grant access to the other environments.

Requirement 3: Protect stored data from cardholder

Secure storage of card data is one of the priorities of the standard. Natively, cloud environments do not protect data, so the company acquiring the service must identify how it can make the data secure during the process, as well as assess whether the provider provides the necessary tools.

For card data encryption, key management is another crucial point, as important encryption of the data itself. The documentation and secure management of the data encryption keys (DEK) and key-encryption key (KEK) must be done by the contractor and can use the resources offered by the providers.

Requirement 4: Encrypt the cardholder data transmission on open public networks

The implementation of secure communication channels must be planned by the contractor, either through the acquisition of a secure communication service or even through the implementation of communication certificates. Always use robust PCI-DSS-based encryption protocols, such as TLS 1.2, IPSec, SFTP, etc.

Requirement 5: Use and regularly update anti-virus software or programs

Another common mistake is to consider that the implementation of antivirus is the responsibility of the service provider, or even believe that their systems are not susceptible to malicious software.

Cloud services do not include the provision of this type of software by default in all scenarios. This means that those seeking PCI-DSS certification need to identify how to implement and define the use of an antivirus solution, ensuring its installation, management, logging, and monitoring.

Requirement 6: Develop and maintain secure systems and applications

By confirming the certified service offered by the cloud provider (Saas) in the responsibility matrix, the contracting company does not need to take any additional actions related to the management of the structure that maintains that environment.

In the case of a certified service offered by the cloud provider, the contracting company confirming this in the contractor’s responsibilities matrix does not need to take any additional actions related to the management of the structure that maintains that environment.

However, when acquiring IaaS or PaaS services, it is important to enable vulnerability identification procedures, security updates, change management, and secure development.

Speaking specifically of public-facing web applications, PCI-DSS requires the manual or automated validation of all code developed for the application. A recommended alternative is the implementation of a Web Application Firewall, which can also be used as a service acquired from the marketplace of these companies or as an application to be contracted (e.g. AWS WAF, Azure WAF, Google Virtual Web Application Firewall).


Marty Puranik co-founded Atlantic.Net from his dorm room at the University of Florida in 1994. As CEO and President of Atlantic.Net, one of the first Internet Service Providers in America, Marty grew the company from a small ISP to a large regional player in the region, while observing America’s regulatory environment limit competition and increase prices on consumers. To keep pace with a changing industry, over the years he has led Atlantic.Net through the acquisition of 16 Internet companies, tripling the company’s revenues and establishing customer relationships in more than 100 countries. Providing cutting-edge cloud hosting before the mainstream did, Atlantic.Net has expanded to seven data centers in three countries, with a fourth pending.

The post A Guide to PCI Compliance in the Cloud appeared first on Cloudbric.

CFC acquires Solis Security to expand its in-house cyber incident response capabilities

CFC, a specialist insurance provider and pioneer in emerging risk, announced that it has expanded its in-house cyber incident response capabilities with the acquisition of Solis Security, a Texas-based incident response provider. CFC has one of the largest in-house cyber claims and incident response teams in the world and has handled nearly 1,500 cyber claims this year alone. With the addition of Solis Security, the company deepens its bench of highly skilled in-house technical experts … More

The post CFC acquires Solis Security to expand its in-house cyber incident response capabilities appeared first on Help Net Security.

Okta partners with Atlassian to accelerate organizations’ move to the cloud

Okta, the leading independent provider of identity for the enterprise, announced a strategic partnership with Atlassian, a leading provider of team collaboration and productivity software, to accelerate organizations’ move to the cloud. By integrating Okta’s authentication technology into Atlassian cloud products – spanning collaboration, productivity, and DevOps and IT – organizations can give their workforces secure access to the tools they need to be successful. In order to compete with today’s disruptors, organizations of every … More

The post Okta partners with Atlassian to accelerate organizations’ move to the cloud appeared first on Help Net Security.

SAP to Resell BigID data discovery and privacy products as solution extensions

BigID, a leader in data-centric personal data discovery and privacy, announced a global reseller agreement with SAP. Through this agreement, SAP can sell two BigID powered products under the names SAP Privacy Management application by BigID and SAP Data Mapping and Protection application by BigID. The agreement will enable businesses that use SAP solutions to more readily meet the challenges of data-centric data discovery and privacy by harnessing BigID’s advanced Machine Learning-based discovery and intelligence … More

The post SAP to Resell BigID data discovery and privacy products as solution extensions appeared first on Help Net Security.

Signifyd announces formation of its Customer Advisory Board

Signifyd announced the formation of its Customer Advisory Board, an array of forward-thinking retailers who will help chart the course of the company’s innovation as it continues its mission of providing fearless commerce around the world. Signifyd has built its success on customer compassion, bringing the voice of the customer into every decision, feature and product the company makes. The Customer Advisory Board is a significant way for Signifyd to understand its customers’ goals and … More

The post Signifyd announces formation of its Customer Advisory Board appeared first on Help Net Security.

AtScale appoints Dustin Webber as CSO

AtScale, provider of the adaptive analytics fabric, announced it has named Dustin Webber – a renowned cloud security visionary and entrepreneur – chief security officer. In this role, Webber will expand AtScale’s growing security and governance presence within the Fortune 2000, while enhancing its product offerings. Webber will report directly to AtScale Executive Chairman and CEO, Christopher Lynch. Webber’s latest security startup, Critical Stack, where he served as co-founder and CTO, was acquired by Capital … More

The post AtScale appoints Dustin Webber as CSO appeared first on Help Net Security.

Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil

Attackers often make their lives easier by relying on pre-existing operating system and third party applications in an enterprise environment. Leveraging these applications assists them with blending in with normal network activity and removes the need to develop or bring their own malware. This tactic is often referred to as Living Off The Land. But what about when that land is an Apple orchard?

In recent enterprise macOS investigations, FireEye Mandiant identified the Apple Remote Desktop application as a lateral movement vector and as a source for valuable forensic artifacts.

Apple Remote Desktop (ARD) was first released in 2002 and is Apple’s “desktop management system for software distribution, asset management, and remote assistance”. An ARD deployment consists of administrator and client machines. While the administrator app must be downloaded from the macOS App Store, the client application is included natively as part of macOS. Client systems must be added to the client list on an administrator system manually, or they can be discovered via Bonjour if they are in the same local subnet as the administrator system. In a typical enterprise environment deployment, managers would be the ARD administrators and have the ability to view, manage, and remotely control their managed personnel’s workstations via ARD.

Lateral Movement

Mandiant has observed attackers using the ARD screen sharing function to move laterally between systems. If remote desktop was not enabled on a target system, Mandiant observed attackers connecting to systems via SSH and executing a kickstart command to enable remote desktop management. This allowed remote desktop access to the target systems. The following is an example from the macOS Unified Log showing a kickstart command used by an attacker to enable remote desktop access for all users with all privileges:


Figure 1: Kickstart command example

During an investigation, you can use a few different artifacts to trace this activity. Execution of the kickstart command modifies the contents of the configuration file /Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd to contain the string “enabled”. SSH login activity can be found in the Apple System Logs or Audit Logs. Execution of the kickstart command can be found in the Unified Logs, as seen in Figure 1.

An ARD administrator has a substantial amount of power available to them, similar to compromising an administrator account in a Windows environment. By compromising an account that has access to ARD administrator system, an attacker can perform any of the following actions:

  • Remotely control VNC-enabled machines, including in “Curtain Mode” which hides the remote actions from the local workstation’s screen
  • Transfer files
  • Remotely shut down or restart multiple machines simultaneously
  • Schedule tasks
  • Execute AppleScript and UNIX shell scripts

Apple’s ARD web page and the ARD help page contain more details about ARD’s capabilities.

ARD Reporting as a Forensic Force Multiplier

Along with remote system control functionality, Apple Remote Desktop’s asset management capabilities include conducting remote Spotlight searches, file searching, generating software version information reports, and more importantly, generating application usage and user history reports. The reporting process generally follows these steps:

  1. Client systems compute reports and cache the data locally before transferring them to the administrator system (the default policy is to begin this at 12:00 AM local time, daily).
  2. Data received from clients is cached on the administrator system. Alternatively, a macOS system with the administrator version of ARD installed can be set up as a “Task Server” for a centralized collection option.
  3. Cached data is written to SQLite database on the administrator system

The cached data is stored in various subdirectories under the /private/var/db/RemoteManagement/ parent directory. The directory has the following structure:


Figure 2: /private/var/db/RemoteManagement/ directory structure

This directory structure is present on all systems, but which files exist in which directories depends on whether the system is an ARD client or administrator system.

Artifacts from ARD Client Systems

There is one directory that is the focus for investigations on client systems: /private/var/db/RemoteManagement/caches/. This directory contains the following files, which are the local client data cache that is periodically reported to the administrator system. Do note, however, that these files are routinely deleted by the system, so they may not be present. These files are typically deleted from the client system once they are transmitted to the administrator system. Once transmitted, the data is stored on the administrator system.

File

Description

AppUsage.plist

plist file containing application usage data

AppUsage.tmp

Binary plist file containing application usage data, often the same as or less thorough than AppUsage.plist

asp.cache

Binary plist of system information

filesystem.cache

Database containing an index of the entire file system, including users and groups

sysinfo.cache

Binary plist containing system information, some of which is also present in asp.cache

UserAcct.tmp

Binary plist containing user login activity

Table 1: ARD cache files

In our experience, the most useful information available from these files is application usage and user activity.

Application Usage

The RemoteManagement/caches/AppUsage.plist file contains one key per application, where each key is the full path of the application, such as file:///Applications/Calculator.app/.

Each application key contains a dictionary that includes a “runData” array and a “Name” string, which is the friendly name of the application, such as “Calculator”, as seen in Figure 3.


Figure 3: AppUsage.plist structure

Each “runData” array contains at least one dictionary consisting of the following keys and values:

Key

Value Format

Description

wasQuit

Boolean: true or false

Indicator of whether or not the application was quit prior to the last report time. This field may not exist if the value is not “true”.

Frontmost

Number of seconds

Total duration which the application was “frontmost” on the screen

Launched

macOS absolute timestamp

Time the application was launched

runLength

Number of seconds

Duration the application was run

username

String

User who launched the application

Table 2: AppUsage.plist runData keys and values

Of the two application usage cache artifacts, RemoteManagement/caches/AppUsage.plist usually contains the same or more content than RemoteManagement/caches/AppUsage.tmp.

User Activity

The RemoteManagement/caches/UserAcct.tmp file is a binary plist that contains user activity that can be correlated with other artifacts on a macOS systems, such as the Apple System Logs or Audit Logs. The file contains keys with the short name of each user logged on the system.

Each key contains a dictionary that includes a “uid” string with the user’s UID, and an array for each login type: console, tty, or SSH. Each login-type array contains at least one dictionary consisting of the following keys and values:

Key

Value Format

Description

inTime

macOS absolute timestamp

Time the user logged in

outTime

macOS absolute timestamp

Time the user logged out

host

String

Originating host for remote login. This field has been observed to not be consistently present.

Table 3: UserAcct.tmp keys and values

Artifacts From ARD Administrator Systems

The data outlined in Table 1 is reported to the administrator system daily. The files are then stored in the RemoteManagement/ClientCaches/ directory. Each file is renamed to the MAC address of the reporting system and placed into the appropriate subdirectory, as seen in Table 4. The subdirectories contain the following:

Subdirectory

Data Contained in Each File

ApplicationUsage/

AppUsage.plist files

SoftwareInfo/

Filesystem.cache files

SystemInfo/

Sysinfo.cache files

UserAccounting/

UserAcct.tmp files

Table 4: /private/var/db/RemoteManagement/ClientCaches/ subdirectories

Additionally, there is a plist file, RemoteManagement/ClientCaches/cacheAccess.plist that contains keys of MAC addresses with values of more MAC addresses. The purpose and context for this file has yet to be determined.

The Gold Mine

All the aforementioned data, with the exception of the filesystem.cache files, is added to the main SQLite database RemoteManagement/RMDB/rmdb.sqlite3 (“RMDB”). The RMDB exists on all ARD systems but is only populated on the administrator system. It houses a wealth of information about the systems in the ARD network over a significant timespan. Mandiant has observed data for application usage timestamps from over a year prior to when we acquired a database on a live system.

The RMDB file contains five tables: ApplicationName, ApplicationUsage, PropertyNameMap, SystemInformation, and UserUsage. The following sections detail each table within the database:

ApplicationName

This table is an index for the applications on each system, where each application is assigned an item sequence number (“ItemSeq”) per system. This data is used for correlation in the ApplicationUsage table.

Column

Value Format

Description

ComputerID

String

Client MAC address, no separators

AppName

String

Friendly application name

AppURL

String

Application URL path (i.e. file:///Applications/Calculator.app)

ItemSeq

Integer

ID number for each application, per ComputerID, used for the AppName table

LastUpdated

macOS absolute timestamp

Last report time of the client

Table 5: ApplicationName table columns

ApplicationUsage

The AppName table is unique in the fact the “Frontmost” and “LaunchTime” values in the table are swapped. The research at the time of this blog post was verified on MacOS 10.14 (Mojave).

Column

Value Format

Description

ComputerID

String

Client MAC address, no separators

FrontMost

macOS absolute timestamp

Application launch time

LaunchTime

Number of seconds to 6 decimal places

Total duration the application was “frontmost” on screen

RunLength

Number of seconds to 6 decimal places

Total duration the application was running

ItemSeq

Integer

ItemSeq number for the respective ComputerID, referenced in the ApplicationName table

LastUpdated

macOS absolute timestamp

Last report time of the client

UserName

String

User who launched the application

RunState

Integer

“1” for “running”, or “0” for “terminated” at the time of the last report

Table 6: ApplicationUsage table columns

PropertyNameMap

This table is used as a reference for the SystemInformation table.

Column

Value Format

Description

ObjectName

String

Various elements of a macOS system, such as Mac_HardDriveElement, Mac_USBDeviceElement, Mac_SystemInfoElement

PropertyName

String

Property names for each element, such as ProductName, ProductID, VendorID, VendorName for Mac_USBDeviceElement

PropertyMapID

Integer

ID number for each property, per element

Table 7: PropertyNameMap table columns

SystemInformation

There is a substantial amount of system information collected in this table. This table can be leveraged to extract USB device information, IP addresses, hostnames, and more, of all the reported client systems.

Column

Value Format

Description

ComputerID

String

Client MAC address, with colon separators

ObjectName

String

Elements of a macOS system outlined in the PropertyNameMap table

PropertyName

String

Properties per element outlined in the PropertyNameMap table

ItemSeq

Integer

ID number for each element, i.e. if there are 4 Mac_USBDeviceElement data sets, each one will have an ItemSeq number, 0-3, to group the properties together

Value

String

Data for the respective property

LastUpdated

yyyy-mm-ddThh:mm:ssZ

24 hour local time, last report time of the client. Example: 2019-08-07T02:11:34Z

Table 8: SystemInformation table columns

UserUsage

This table contains the user login activity for all the reported client systems.

Column

Description of Value

ComputerID

Client MAC address, no separators

LastUpdated

macOS absolute timestamp, last report time of the client

UserName

Short name of the user

LoginType

Console, tty, or ssh

inTime

macOS absolute timestamp, time the user logged in

outTime

macOS absolute timestamp, time the user logged out

Host

Originating host for remote login. This field has been observed to not be consistently present.

Table 9: UserUsage table columns

Filesystem Cache

The RemoteManagement/ClientCaches/filesystem.cache file is a database that indexes the files and directories found on a macOS computer’s file system. Rather than using SQLite like the RMDB, ARD uses a custom database implementation to track this information. Fortunately, the database file format is fairly simple, consisting of a file header, six tables, and entries that point to string values. By interpreting the information in the filesystem cache file, an investigator can recreate the directory structure of an ARD-enable system. Mandiant uses this technique to identify and demonstrate the existence of attacker-created files.

The database header, identified by the magic value “hdix”, contains metadata about the database, such as the total number of indexed folders, files, and symlinks. Pointers from this header lead to the six tables: “main”, “names” (file names), “kinds” (file extensions), “versions” (macOS app bundle version infos), “users”, and “groups”. Entries in the “main” table contain references to entries in the other tables; by walking these references, an investigator can recover full file system paths and metadata.

In practice, the filesystem.cache file may be tens of megabytes in size, tracking dozens or hundreds of thousands of file system entries. Figure 4 shows truncated content of a parsed file system cache file; these entries are for the artifacts discussed in this article!


Figure 4: Screenshot of filesystem.cache contents, listing ARD artifacts

On a macOS system, the program “build_hd_index” traverses the file system and indexes the files and directories into filesystem.cache. Figure 5 shows a portion of the documentation for this tool; as expected, the default output directory is [/private]/var/db/RemoteManagement/caches/.


Figure 5: documentation for build_hd_index

Ironically, internet message board posts going back to at least 2007 complain of the performance impact of this tool. A post by “Anonymous” indicates that “build_hd_index” was designed to support file indexing on OS X Panther (2003), which didn’t have Spotlight. Now, 16 years later, we can exploit these artifacts during an incident response.

Introducing: ARDvark

It was evident that if this artifact exists in a future investigation, leveraging its wealth of data will be critical to identifying attacker activities. In some scenarios, investigators may be able to generate reports directly from an ARD administrator system, but this may not always be the case. If not, then investigators would have to rely on manually acquiring and extracting information from the RMDB file on the ARD administrator system. ARDvark is a tool that extracts all user activity and application usage recorded in the RMDB and outputs the data in an analyst-friendly format.

ARDvark will also process the AppUsage.plist and UserAcct.tmp files found on ARD client systems under /private/var/db/RemoteManagement/caches/. Additionally, ARDvark has the capability to parse the filesystem.cache files to produce a file system listing, as well as all users and groups present on the respective system. Please see the FireEye Github for more information.

Detecting and Preventing ARD Abuse

To detect suspicious ARD usage, organizations can monitor for anomalous modification of the /Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd file to identify remote desktop access enablement where ARD is not used. Analyzing the Unified Logs for evidence of unexpected kickstart commands during threat hunting missions can uncover suspicious ARD usage as well.

Mitigating ARD abuse is reliant upon the principle of least privilege. Mandiant recommends allowing as few remote control privileges as possible, and only allowing administrator privileges to necessary accounts. Apple provides guidance on setting privileges, and authenticating without using local accounts with ARD in the help page and in the ARD user guide. ARD administrators can then routinely generate reports in the ARD application to ensure no changes are made to administration privilege settings.

A Bushel of Evidence

Application usage artifacts for macOS are few and far between. To date, some of the best artifacts for application usage include CoreAnalytics files and the Spotlight database, but none of these artifacts provide the exact time of execution of all applications. While ARD artifacts are not present across every macOS system, if ARD is deployed in an enterprise environment it may provide some of the most valuable data for investigators which you would not uncover otherwise.

User login activity typically exists in the Apple System Logs and Audit Logs, but short log retention is frequently an issue when the average attacker dwell time in 2018 was 78 days. The RMDB provides a potential source of application usage and user login information that is over a year old, long outliving typical log retention times.

The system information available in the RMDB includes IP addresses, USB device information, and more which may be useful to investigators. Also, the file system cache files that are collected contain an extensive file listing of multiple macOS systems, which allows investigators to identify files or users of interest on other systems without having to collect data from the suspect system directly.

ARD is an excellent example of how remote administration tools provide an attack surface for abuse while simultaneously providing a vast amount of data to help piece together malicious activity, all from a single system. If your organization utilizes ARD, consider reviewing the information available through the reporting functionality during threat hunting and future investigative purposes, as the artifact doesn’t fall far from the tree.

Multiple APT groups are exploiting VPN vulnerabilities, NSA warns

NSA is warning of multiple state-sponsored cyberespionage groups exploiting enterprise VPN Flaws

Last week, the UK’s National Cyber Security Centre (NCSC) reported that advanced persistent threat (APT) groups have been exploiting recently disclosed VPN vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure, to breach into the target networks.

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379,

The CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files. The CVE-2018-13379 flaw could be exploited to obtain administrator credentials in plain text.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

APT groups also exploit CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579, in Palo Alto Networks products.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE that found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents

Microsoft researchers recently reported that the APT5 cyberespionage group (aka MANGANESE) has been exploiting VPN vulnerabilities since July, some weeks before PoC exploits were publicly discosed.

Now NSA is warning of multiple state-sponsored cyberespionage groups exploiting enterprise VPN Flaws

“Multiple Nation State Advanced Persistent Threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices.” reads the security advisory published by the NSA.

“If a malicious actor previously exploited the vulnerability to collect legitimate credentials, these credentials would still be valid after patching. NSA recommends resetting credentials after a vulnerable VPN device is upgraded and before it is reconnected to the external network:

  • Immediately update VPN user, administrator, and service account credentials.
  • Immediately revoke and generate new VPN server keys and certificates. This may require redistributing VPN connection information to users.
  • If compromise is suspected, review accounts to ensure no new accounts were created by adversaries.”

Both NCSC or NSA intelligence agencies confirmed that APT groups targeted several sectors, including military, government, academic, business and healthcare. The security advisories published by the agencies did not name any APTs leveraging the above VPN vulnerabilities.

In August, BadPackets experts observed a mass scanning activity targeting Pulse Secure “Pulse Connect Secure” VPN endpoints vulnerable to CVE-2019-11510. At the time, over 14,000 vulnerable Pulse Secure endpoints were hosted by more than 2,500 organizations. The number of vulnerable endpoints dropped to roughky 6,000 by October 8, most of them in the United States, Japan and the UK.

Pierluigi Paganini

(SecurityAffairs – VPN vulnerabilities, hacking)

The post Multiple APT groups are exploiting VPN vulnerabilities, NSA warns appeared first on Security Affairs.

7-Year-Old Critical RCE Flaw Found in Popular iTerm2 macOS Terminal App

A 7-year-old critical remote code execution vulnerability has been discovered in iTerm2 macOS terminal emulator app—one of the most popular open source replacements for Mac's built-in terminal app. Tracked as CVE-2019-9535, the vulnerability in iTerm2 was discovered as part of an independent security audit funded by the Mozilla Open Source Support Program (MOSS) and conducted by cybersecurity

Survey Reveals Widespread Ignorance Over Attack That Affects Most Companies

Survey Reveals Widespread Ignorance Over Attack That Affects Most Companies

According to a new research survey, 68% of IT security stakeholders aren't sure whether they've experienced a Pass the Hash attack, and 4% don't even know what this globally prevalent form of attack is. 

These almost fantastical findings, released today by One Identity, came from a survey of more than a thousand IT professionals conducted by Dimensional Research.

One Identity field strategist Dan Conrad told Infosecurity Magazine: "While 4% seems like a small percentage, that means nearly one in every 20 IT security professionals does not even know about a significant cyber-attack method. 

"As attacks that have such a large impact on organizations, it’s imperative that the security industry continues to emphasize the importance of understanding PtH attacks and the proper methods to combat them." 

In a PtH attack, a threat actor obtains privileged credentials by compromising an end user’s machine. The attacker then simulates an IT problem, which prompts a privileged account holder to log into an administrative system. When they do, the attacker stores their login credentials as a hash that can be extracted and used to access additional IT resources across the organization. 

This attack technique has been doing the rounds since the 1990s and was first reported by Paul Ashton on Bugtraq in 1997. Back then it consisted of a modified Samba SMB client that accepted user password hashes instead of cleartext passwords.

Among the survey’s most noteworthy findings is that 95% of respondents say that PtH attacks have a direct business impact on their organizations, with 70% reporting a direct impact on operational costs.

A large majority (87%) of survey respondents say they are already taking steps to prevent PtH attacks, but only 55% have implemented privileged password management. 

Microsoft issued guidance back in 2017 for companies to implement Active Directory Red Forest Design, aka Enhanced Security Administrative Environment (ESAE), to help prevent PtH attacks. The survey found that just a paltry 16% of small organizations and 31% of larger companies have followed this advice. 

Perhaps most shockingly, among the respondents that have not taken any steps at all to prevent a PtH attack, 85% have no plans to do so. 

Dan Conrad told Infosecurity Magazine: "As attacks that typically begin with a phishing email and could lead to a ransomware attack or sensitive data being accessed and stolen, the impact of a PtH attack can be widespread and severe. 

"With data breaches creating a significant time and financial burden on any organization, it’s imperative that businesses take these attacks seriously and put privileged access management strategies and protocols in place to defend themselves."

Cheating at Professional Poker

Interesting story about someone who is almost certainly cheating at professional poker.

But then I start to see things that seem so obvious, but I wonder whether they aren't just paranoia after hours and hours of digging into the mystery. Like the fact that he starts wearing a hat that has a strange bulge around the brim -- one that vanishes after the game when he's doing an interview in the booth. Is it a bone-conducting headset, as some online have suggested, sending him messages directly to his inner ear by vibrating on his skull? Of course it is! How could it be anything else? It's so obvious! Or the fact that he keeps his keys in the same place on the table all the time. Could they contain a secret camera that reads electronic sensors on the cards? I can't see any other possibility! It is all starting to make sense.

In the end, though, none of this additional evidence is even necessary. The gaggle of online Jim Garrisons have simply picked up more momentum than is required and they can't stop themselves. The fact is, the mystery was solved a long time ago. It's just like De Niro's Ace Rothstein says in Casino when the yokel slot attendant gets hit for three jackpots in a row and tells his boss there was no way for him to know he was being scammed. "Yes there is," Ace replies. "An infallible way. They won." According to one poster on TwoPlusTwo, in 69 sessions on Stones Live, Postle has won in 62 of them, for a profit of over $250,000 in 277 hours of play. Given that he plays such a large number of hands, and plays such an erratic and, by his own admission, high-variance style, one would expect to see more, well, variance. His results just aren't possible even for the best players in the world, which, if he isn't cheating, he definitely is among. Add to this the fact that it has been alleged that Postle doesn't play in other nonstreamed live games at Stones, or anywhere else in the Sacramento area, and hasn't been known to play in any sizable no-limit games anywhere in a long time, and that he always picks up his chips and leaves as soon as the livestream ends. I don't really need any more evidence than that. If you know poker players, you know that this is the most damning evidence against him. Poker players like to play poker. If any of the poker players I know had the win rate that Mike Postle has, you'd have to pry them up from the table with a crowbar. The guy is making nearly a thousand dollars an hour! He should be wearing adult diapers so he doesn't have to take a bathroom break and cost himself $250.

This isn't the first time someone has been accused of cheating because they are simply playing significantly better than computer simulations predict that even the best player would play.

News article. BoingBoing post

RCMP charges two in Montreal over Bell customer data theft

RCMP arrested two Montrealers on charges of stealing Bell customer data. Nana Koranteng and Jesiah Russel-Francis were arrested by RCMP on Oct. 8th, 2019, on charges of unauthorized use of a computer, fraud over $5000, conspiracy to commit fraud, laundering proceeds of crime, identity theft, and identity fraud. In 2018, RCMP initiated an investigation after…

Breaches are now commonplace, but Reason Cybersecurity lets users guard their privacy

There has been no shortage of massive security breaches so far this year. Just last July, Capital One disclosed that it was hit by a breach that affected more than 100 million customers. Also recently, researchers came across an unsecured cloud server that contained the names, phone numbers, and financial information of virtually all citizens of Ecuador – around 20 million people. These are

US University Offers First Ever Healthcare-Specific Cybersecurity Certification

US University Offers First Ever Healthcare-Specific Cybersecurity Certification

The McCombs School of Business at the University of Texas at Austin has launched America's first professional cybersecurity certificate program specifically geared toward protecting healthcare providers from cyber-attacks. 

The Leadership in Healthcare Privacy and Security Risk Management program has been launched by the school in a bid to help close the 1.8 million person gap that the 2017 Global Information Security Workforce Study predicted will hit the global cybersecurity workforce in 2022.

This unique certification course sprang forth from a collaboration between the school and the cybersecurity industry, healthcare organizations, and governmental agencies. It is endorsed by the Texas Hospital Association, cyber risk management and compliance solution provider Clearwater, and CynergisTek, Inc., a cybersecurity consulting firm dedicated to serving the information assurance needs of the healthcare industry.

"This unique leadership program will rapidly equip individuals with the knowledge, leadership skills, and problem-solving competencies needed to manage risk in healthcare environments," said a statement from the McCombs School of Business. 

Cross-sector experts in healthcare privacy and security and experienced healthcare technology educators are being brought in to teach the course, which will run for eight weeks starting in July 2020. Students will learn via practical, case-based simulations and hands-on exposure to current and future healthcare cybersecurity technologies.

The course, which has been developed to meet the needs of healthcare organizations, vendors, and governmental agencies, will be built around multiple thematic modules. Modules confirmed so far include "Processes to Ensure Organizational Safety and Security" and "Policies and Governance in Healthcare Entities."

To ensure that the curriculum keeps up with the ever-evolving cybersecurity threat landscape, the program will be shaped by ongoing feedback from members of the privacy and cybersecurity industries, and in the future by program graduates as well. 

With nearly 500 US healthcare organizations having been targeted by ransomware attacks since the start of the year, the need for a training program geared toward their protection is unequivocal.

Founder and executive chairman of Clearwater, Bob Chaput, who described the new certification as a "much-needed program," said: "While there’s a massive shortage of traditional technical cybersecurity talent in all industries, healthcare has been specifically challenged as one of our nation’s last industries to undergo significant digital transformation."

Patching as a social responsibility

In the wake of the devastating (Not)Petya attack, Microsoft set out to understand why some customers weren’t applying cybersecurity hygiene, such as security patches, which would have helped mitigate this threat. We were particularly concerned with why patches hadn’t been applied, as they had been available for months and had already been used in the WannaCrypt worm—which clearly established a ”real and present danger.”

We learned a lot from this journey, including how important it is to build clearer industry guidance and standards on enterprise patch management. To help make it easier for organizations to plan, implement, and improve an enterprise patch management strategy, Microsoft is partnering with the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE).

NIST and Microsoft are extending an invitation for you to join this effort if you’re a:

  • Vendor—Any vendor who has technology offerings to help with patch management (scan, report, deploy, measure risk, etc.).
  • Organization or individual—All those who have tips and lessons learned from a successful enterprise management program (or lessons learned from failures, challenges, or any other situations).

If you have pertinent learnings that you can share, please reach out to cyberhygiene@nist.gov.

During this journey, we also worked closely with additional partners and learned from their experience in this space, including the:

  • Center for Internet Security (CIS)
  • U.S. Department of Homeland Security (DHS) Cybersecurity
  • Cybersecurity and Infrastructure Security Agency (CISA) (formerly US-CERT / DHS NCCIC)

A key part of this learning journey was to sit down and listen directly to our customer’s challenges. Microsoft visited a significant number of customers in person (several of which I personally joined) to share what we learned—which became part of the jointly endorsed mitigation roadmap—and to have some really frank and open discussions to learn why organizations really aren’t applying security patches.

While the discussions mostly went in expected directions, we were surprised at how many challenges organizations had on processes and standards, including:

  • “What sort of testing should we actually be doing for patch testing?”
  • “How fast should I be patching my systems?”

This articulated need for good reference processes was further validated by observing that a common practice for “testing” a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum.

This realization guided the discussions with our partners towards creating an initiative in the NIST NCCoE in collaboration with other industry vendors. This project—kicking off soon—will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit.

Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think.

In many ways, patching is a social responsibility because of how much society has come to depend on technology systems that businesses and other organizations provide. This situation is exacerbated today as almost all organizations undergo digital transformations, placing even more social responsibility on technology.

Ultimately, we want to make it easier for everyone to do the right thing and are issuing this call to action. If you’re a vendor that can help or if you have relevant learnings that may help other organizations, please reach out to cyberhygiene@nist.gov. Now!

The post Patching as a social responsibility appeared first on Microsoft Security.

Are Cybersecurity Robots Coming For Your Job?

“14 Jobs That Will Soon Be Obsolete.” “Can A Robot Do Your Job?” “These Seven Careers Will Fall Victim to Automation.” For each incremental advance in automation technology, it seems there’s an accompanying piece of alarmist clickbait, warning of a future in which robots will be able to do everything we can, only better, cheaper, and for longer. Proponents of AI and automation view this as the harbinger of a golden age, ushering in a future free from all the paper-pushing, the drudgery, the mundane and repetitive things we have to do in our lives. We will work shorter hours, focus on more meaningful work, and actually spend our leisure time on, well, leisure.

But while it’s one thing to enjoy having a robot zipping across the floor picking up your 3-year-old’s wayward Cheerios, it’s quite another to imagine automation coming to our workplace. For those of us in cybersecurity, however, it has become a foregone conclusion: Now that criminals have begun adopting automation and AI as part of their attack strategies, it’s become something of an arms race, with businesses and individuals racing to stay one step ahead of increasingly sophisticated bad actors that human analysts will no longer be able to fend off on their own.

Spurred by growth in both the number of companies deploying automation and the sophistication of threats, automated processes are closing in on and even surpassing human analysts in some tasks—which is making some cybersecurity professionals uneasy. “When robots are better threat hunters, will there still be a place for me? What if someday, they can do everything I can do, and more?”

According to the “2019 SANS Automation and Integration Survey,” however, human-powered SecOps aren’t going away anytime soon. “Automation doesn’t appear to negatively affect staffing,” the authors concluded, after surveying more than 200 cybersecurity professionals from companies of all sizes over a wide cross-section of industries. What they found, in fact, suggested the opposite: Companies with medium or greater levels of automation actually have higher staffing levels than companies with little automation. When asked directly about whether they anticipated job elimination due to automation, most of those surveyed said they felt there would be no change in staffing levels. “Respondents do not appear concerned about automation taking away jobs,” the paper concludes.

There are many reasons for this, but perhaps the most basic is that, in order to see any sort of loss in the number of cybersecurity jobs, we’d first need to get to parity—and we’re currently about 3 million short of that.

Phrased another way, automation could theoretically eliminate three million jobs before a single analyst had to contemplate a career change. That’s an oversimplification, to be sure, but it’s also one that presupposes AI and automation will live up to all of its promises—and as we’ve seen with a number of “revolutionary” cybersecurity technologies, many fall short of the hype, at least in the early days.

Automation currently faces some fundamental shortcomings. First, it cannot deploy itself: Experts are needed to tailor the solution to the business’ needs and ensure it is set up and functioning correctly. And once they’re in place, the systems cannot reliably cover all the security needs of an enterprise—due to a lack of human judgment, automated systems surface a great many false positives, and failing to put an analyst in charge of filtering and investigating these these would create a huge burden on the IT staff responsible for remediation.

There’s also the issue of false negatives. AI is great at spotting what it’s programmed to spot; it is vastly more unreliable at catching threats it hasn’t been specifically instructed to look for. Machine learning is beginning to overcome this hurdle, but the operative word here is still “machine”—when significant threats are surfaced, the AI has no way of knowing what this means for the business it’s working for, as it lacks both the context to fully realize what a threat means to its parent company, and the ability to take into consideration everything a person would. Humans will still be needed at the helm to analyze risks and potential breaches, and make intuition-driven, business-critical decisions.

As effective as these automated systems are, once they’ve been programmed, their education begins to become obsolete almost immediately as new types of attack are created and deployed. Automated systems cannot continue to learn and evolve effectively without the guiding hand of humans. Humans are also needed as a check on this learning, to test and attempt to penetrate the defenses the system has developed.

Then there are the things that can never be automated: hiring and training people; selecting vendors; any task that requires creativity or “thinking outside the box”; making presentations and eliciting buy-in from the board of directors and upper management—and, of course, compliance. No automated system, no matter how sophisticated, is going to know when new laws, company regulations, and rules are passed, and no system will be able to adjust to such changes without human intervention. Even if the work of compliance could be completely automated, the responsibility for compliance cannot be outsourced, and rare would be the individual who could sleep easy letting a machine handle such tasks singlehandedly.

But for the sake of argument, let’s assume for a moment we could fully automate the SOC. While the loss of jobs is certainly a serious matter, we’d soon find the stakes to be much higher than even that. Hackers have already demonstrated an ability to hack into automated systems. If they were able to retrain your AI to ignore critical threats, and there was no human present to realize what was happening and respond swiftly and appropriately, sensitive data could be compromised enterprise-wide—or worse.

In short, automation won’t eliminate the demand for human cybersecurity expertise, at least in the short- to medium-term. But it will certainly redefine roles. According to SANS, implementation of effective automation often requires an initial surge in staff to get the kinks worked out—but it is almost invariably accompanied by a redirection, not reduction, of the existing workforce. Once in place, the automated systems will have two functions. By allowing analysts to shift their focus to more critical cybersecurity functions, improving efficiency, reducing incident response time, and reducing fatigue, they function as a tool for cybersecurity professionals to increase their effectiveness.

But their most valuable role may be as a partner. Automation may be powerful, but automation closely directed and honed by humans is more powerful. Rather than taking the place of humans, robots will take their place alongside humans. Automation, then, should be thought of as a way not to replace SecOps teams, but rather to complement and complete them in a way that will allow them to handle both the monotonous and mundane (yet necessary) tasks in the SOC, and also attend to the true mission-critical tasks rapidly and without distraction.

For more on misconceptions surrounding automation, read the 2019 SANS Automation Survey

The post Are Cybersecurity Robots Coming For Your Job? appeared first on McAfee Blogs.

Number of Girls Applying for British Cybersecurity Courses Surges

Number of Girls Applying for British Cybersecurity Courses Surges

Britain's National Cyber Security Centre has reported a significant increase in the number of young women applying for cybersecurity courses.

According to new figures released yesterday, applications from girls for the NCSC's 2019 CyberFirst summer courses were up 47% compared to last year.  

Rather appropriately, the surge in female applicants for the free cybersecurity courses was announced on Ada Lovelace Day, an international celebration of women in science, technology, engineering, and math (STEM) held every year on the second Tuesday of October.

According to the figures, nearly 12,000 girls took part in the prestigious CyberFirst Girls Competition 2019. Also, the CyberFirst Defenders course, which introduces teenagers to how to build and protect small networks and personal devices, had 705 female participants. 

NCSC's cybersecurity courses, which are held at venues across the UK, have proved to be popular beyond just girls, with the center reporting a 29% rise in overall applications in 2019 compared to the year before. 

Working with training experts QA and education charity The Smallpeice Trust, the NCSC delivers a range of one-day and five-day courses for 11- to 17-year-olds each year. 

Participants are given the opportunity to encounter and explore everyday technology so they can build an understanding of how it works. They also attend lectures, learn through hands-on practical projects, and have the chance to hear presentations by guest speakers.  

Saskia, who attended the CyberFirst Futures course that took place in Cardiff, said: "I haven't had the opportunity to study computer science at school, but CyberFirst has encouraged me to consider the subject at University—I just wish the course was longer!"

As part of the NCSC's CyberFirst initiative, young people interested in studying cybersecurity at university can apply for an annual bursary of £4,000. They can also put themselves forward for three-year apprenticeships in the cybersecurity industry, which allow them to earn while they complete a recognized degree course. 

Chris Ensor, NCSC deputy director for growth, said: "We're delighted to see so many young people interested in finding out more about cybersecurity. The significant rise in female applications is especially pleasing, and something we want to see continue into the future.

"It's never been more important to increase and diversify the cybersecurity workforce and we're committed to nurturing the next generation of skilled experts and addressing the gender imbalance."

Microsoft introduces several new capabilities to Office 365 and Surface devices

In order to make work and play more intuitive and natural than before, Microsoft has brought about innovations in voice, digital ink, and touch across Office 365.  In addition to announcing several new devices at its Surface event, Oct. 2, 2019, aimed at making modern work more intuitive and natural for everyone, Microsoft also shared…

Webcast: In-Depth SILENTTRINITY Demo, Explanation & Walkthrough

Click on the timecodes to jump to that part of the video (on YouTube) Download slides: https://www.activecountermeasures.com/presentations 1:07 Quick review of SILENTTRINITY functions, an overview of Bring your own Interpreter (BYOI) capabilities, BYOI payload 7:08 BYOI/SILENTTRINITY in a nutshell, advantages vs. disadvantages 16:53 Overview of the almost 50 new modules that have been incorporated, live demo 38:12 […]

The post Webcast: In-Depth SILENTTRINITY Demo, Explanation & Walkthrough appeared first on Black Hills Information Security.

vBulletin addresses three new high-severity vulnerabilities

vBulletin has recently published a new security patch update that addresses three high-severity vulnerabilities in the popular forum software.

vBulletin has recently published a new security patch update that addresses three high-severity flaws in vBulletin 5.5.4 and prior versions.

The vulnerabilities could be exploited by remote attackers to take complete control over targeted web servers and steal sensitive user information.

The first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw reported by security researcher Egidio Romano.

The vulnerability resides in the way vBulletin forum handles user requests to update avatars for their profiles, a remote attacker could exploit it to inject and execute arbitrary PHP code on the target server through unsanitized parameters. The vulnerability could not be triggered in the default installation of the vBulletin forum.

“User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code.” reads the security advisory. “Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).”

Proof of code is available at the following URL:

http://karmainsecurity.com/pocs/CVE-2019-17132

The remaining critical vulnerabilities addressed by vBulletin are two SQL injection issues, both tracked as CVE-2019-17271.

“1) User input passed through keys of the “where” parameter to the “ajax/api/hook/getHookList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through in-band SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canadminproducts” or “canadminstyles” permission.” reads the security advisory.

2) User input passed through keys of the “where” parameter to the “ajax/api/widget/getWidgetList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through time-based SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canusesitebuilder” permission.

The two vulnerabilities could allow administrators with restricted privileges to read sensitive data from the database.

Romano reported all the flaws to the vBulletin maintainers on September 30 that released the following security patch updates.

Last month, vBulletin released a patch for a critical zero-day remote code execution vulnerability.

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)

The post vBulletin addresses three new high-severity vulnerabilities appeared first on Security Affairs.

NSA Is Latest Intelligence Agency to Sound VPN Patch Alarm

Not Just Patch or Perish, But Also Pay Attention, Security Experts Warn
The U.S. National Security Agency is the latest intelligence agency to warn that unpatched flaws in three vendors' VPN servers are being actively exploited by nation-state attackers. Security experts say such alerts, which are rare, are a clear sign that serious damage is being caused.

#DTXEurope: Hacking Not Always Malicious, Says ‘Samy’ MySpace Worm Creator

#DTXEurope: Hacking Not Always Malicious, Says ‘Samy’ MySpace Worm Creator

At Digital Transformation EXPO Europe Samy Kamkar, independent security researcher infamous for creating the ‘Samy’ Myspace computer worm that gained notoriety when it propagated across the social networking site in 2005, said that hacking exploits are not always malicious in nature, and are rather often imbedded in inquisitively and a determination to push boundaries.

“There is something super-intoxicating about being able to use some sort of tool and manipulate a system across the internet without knowing anything else about it,” he explained.

It is that capability that often inspires hackers and researchers to continually evolve and develop different attack methods, and explains why threats are not only constantly changing, but are also constantly harder to defend against, Kamkar argued. “Once there is no challenge, the fun is gone [for hackers].”

Kamkar likened hacking to “solving a puzzle” and “it’s always really fun to solve a puzzle – it feels good to get to the other side."

He said: “It’s as if somebody designed a maze; in a typical maze you can escape if you find the right path out. With computer hacking, it’s as if somebody designed a maze and then they blocked off all of the exits, but when you’re hacking, you’re still able to get to the other side.”

Tackling the BEC Epidemic in a New Partnership with INTERPOL

In just a few short years, Business Email Compromise (BEC) has gone from a peripheral threat to a major cyber risk for organizations. It’s making criminal gangs millions of dollars each month, hitting corporate profits and reputation in the process. Trend Micro has built a formidable array of resources over the past few years to help protect our global customers from BEC. We also recognize that to combat cybercrime effectively, we have a duty to share these resources with law enforcement agencies wherever possible.

That’s why we’ve teamed up with INTERPOL in a new awareness-raising campaign set to launch in 59 participating countries around the world this month.

 BEC on the rise

Reported BEC attacks cost global firms nearly $1.3 billion in 2018, almost half of total cybercrime losses recorded by the FBI. The problem is getting worse. We detected a 58% increase in BEC attempts on customers in the first half of 2019 compared to the last six months of 2018. Some firms have been conned out of tens of millions of dollars. Among the list effected include Facebook ($99m) and Google ($23m), to name but a few.

Reports suggest BEC gangs are employing increasingly professionalized tactics, for example using commercial lead generation services to amass databases of tens of thousands of corporate executives to target. Victims need not be large enterprises either: BEC could affect SMBs, schools, non-profits — any organization that makes regular wire transfers.

It’s perhaps no surprise that BEC made such gangs over $300m each month in 2018 from US victims alone, according to the Treasury.

 Fighting back

At Trend Micro, we have developed multiple layers of protection to help insulate our customers from the worst effects of BEC. These include our AI-powered Writing Style DNA feature that learns the writing characteristics of your executives and sounds the alarm if it spots any emails deviating from the norm. We also make it a priority to collaborate with global law enforcement agencies to raise BEC awareness among global organizations.

INTERPOL’s new campaign will launch during the Europol-Interpol Cybercrime Conference on October 9-11 and feature a series of infographics posted across Twitter, Facebook and Instagram over the succeeding weeks. Each post will tackle a new area, including:

  • Which employees are typically targeted inside organizations
  • The role of malware and social engineering in attacks
  • Key prevention tips

Trend Micro will support the campaign by reposting the infographics and adding links to its own resources to further educate and raise awareness among possible BEC targets.

Hand-in-hand

This is the latest in a long line of collaborative efforts between Trend Micro and INTERPOL.

Back in 2014, we signed an three year agreement to support the body with additional knowledge, resources and tactics, which has been extended through March 2021. Since then, we helped to disrupt a major $60m BEC network in a swoop that led to the arrest of its leader. In another joint operation, Trend Micro helped to identify nearly 270 websites infected with malware and 8,800 C&C servers across eight countries, which were responsible for spreading malware and spam, and launching DDoS attacks.

It’s great to see law enforcement making inroads into cybercrime gangs. Some 281 BEC suspects were recently arrested in a global crackdown. However, we know these efforts are just scratching the surface. That’s why we will continue to provide both industry leading threat protection for our customers, as well as collaborate on awareness raising and law enforcement operations. Public-private partnerships of this sort are necessary in a world in which the bad guys are often more agile and willing to team up to achieve common goals.

The post Tackling the BEC Epidemic in a New Partnership with INTERPOL appeared first on .

Password Mistakes You and Your Employees Are (Probably) Making

Your employees might already be aware of a few password security practices. But are they actually following the latest recommendations? In fact, are you aware of what makes up a strong password policy? Both you and your employees could be (unknowingly) making common password mistakes and applying antiquated password security guidelines. So, keep on reading to make sure you’re in alignment with the most recent password requirements.

In this article, I’m going to share with you pieces of advice on how you can prevent the most frequent password mistakes and how you can create a strong password policy for your organization.

Some of the points covered in this article may seem controversial at first glance and completely out of sync with the password security rules that we’ve all grown accustomed to by now. Nonetheless, they are supported by the latest password guidelines released by The National Institute of Standards and Technology (NIST) – NIST 800-63-3: Digital Identity Guidelines. For those unfamiliar with this institution, to give you a quick background, they are a non-regulatory federal agency within the US Department of Commerce, whose guidelines oftentimes have built the foundation of the security industry’s standards.

The NIST paper isn’t new. In fact, it was released more than two years ago. Yet, many organizations still seem to be ignoring it and this is why we’ve decided to bring it into the spotlight and present their instructions on password security.

What are the Best Practices for Creating a Strong Password Policy?

Older NIST password security guidelines required enforcing policies such as using highly complex passwords, changing them regularly, and forbidding password reuse. However, their newest guide is based upon a quite radically different approach.

Does this mean that your employees should be setting their passwords to “Password1234” and never change them?

Of course not. This new approach is focused on making password management easier and more user-friendly. It has been created based on studies showing that very strict password policies only lead to poorer password habits.

Below you will find password security recommendations that will make it slightly easier for your employees to comply with and for you to keep your business secured. So, here is what you should do to promote a healthy password security management among your employees based on NIST’s recommendations:

#1. Stop asking your users to change their passwords on a predefined schedule

First of all, your users will be thankful that they won’t have to create new passwords and remember the new ones every 90 days (or even more frequently). Most of them do not even change their passwords entirely anyway and only add an extra character at the end every time they are required to modify them. So how does this practice reinforce password security?

Periodic password resets have been created in order to reduce the period of time a system is exposed due to an account potentially being compromised. But why change passwords if there is no suspicious of a breach? Useless password resets burden users and create additional tasks for sysadmins if, for instance, your employees forget them and require password resets.

So, how often should your users change their passwords?

According to NIST, passwords should NOT be changed unless there is evidence of a data breach or any reason which shows a specific account has been compromised. In other words, only when there is a possible danger related to an account should password resets be mandatory, rather than making your users change their passwords on a predetermined schedule.

However, it’s really important for you to provide your specialists with the proper cybersecurity tools to monitor users’ activity and identify compromised accounts in real-time.

Microsoft has removed the password expiration policies from their Windows 10 security baseline. Here is what they wrote on their blog:

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

[…]

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines. 

Aaron Margosis, Microsoft Security Guidance blog

#2. Encourage your users to select long and easy to recall passphrases

It’s time to move beyond complicated passwords based upon highly complex construction rules. It will be much easier for people to remember phrases that actually make sense to them instead of memorizing strings of completely random characters. However, the passphrase should not be something too obvious and tightly related to something which defines them as individuals (and might also be at hand for malicious hackers on social media).

Traditional PasswordsNIST Passwords
Highly complex string of random characters

Example: *Ajh{df0s_SF(8aLsV9(fkj@<;sK+
Long and memorable passphrases

Example: “It’s so easy to create strong passwords with NIST’s guidelines!”
Example: “I’m really looking forward to this year’s holiday season.”

Of course, longer passwords composed of various types of characters are more difficult to decipher from a cryptographic standpoint. Nonetheless, traditional password construction rules make them harder to remember and seem to only be making users end up choosing insecure passwords. According to NIST, IT systems should allow a minimum of 8 characters and a maximum of 64 characters and include all kinds of characters including punctuation and spaces. The minimum required password length proposed by NIST is still 8 characters.

Sometimes, many password-related attacks are not affected by password length and complexity at all. Unfortunately, complicated passwords completely fail when it comes to social engineering attacks, credential stuffing, keyloggers, or phishing/spear phishing, but this is a whole different subject that I’m not going to dive into in this article.

#3. Implement multi-factor authentication

NIST’s guidelines also advise on the implementation of multi-factor authentication, which can considerably increase security without further burdening users with complex requirements. Multi-factor authentication encompasses a wide range of authentication technologies, such as biometrics, smartphone apps/codes received via text messages, or token devices which will provide an additional layer of security.

#4. Cross-check passwords with password dictionaries

A password validation dictionary that contains commonly used and insecure passwords is also necessary. This way, unsafe passwords will be automatically rejected by your system.

Let’s say a user creates a password of the minimum required length that also happens to be highly insecure. And let’s suppose that the password will not be prohibited by the restricted passwords list, yet the chosen password can be easily hacked.

Since NIST does not provide a list of “bad” passwords, organizations should create their own notorious passwords databases and constantly update them. According to the paper featured in the ISACA Journal, the open-source repository “SecLists” on GitHub or the password validation tool “NIST Bad Passwords” can be good starting points for you to create your own internal password dictionary.

Also, the same publication advises against forgetting about context-specific passwords. For instance, you should take into account the usage of a user’s own name, the company’s name or anything closely related to the organization they are part of.

In essence, a generic password dictionary will not be able to block anything related to an individual user, which brings us to the next point.

#5. Constantly revisit and update your password policy

Unfortunately, a one-size-fits-all approach when it comes to password policies is not advisable. Every organization must create a policy that covers custom password restrictions and revise them constantly. What’s more, if a data breach ever takes place, all compromised passwords must be included in the forbidden passwords list.

#6. Train your users

Last but not least, make sure that in your cybersecurity training sessions you teach your employees how to form passwords based on the most recent NIST guidelines. After they’ve been properly trained, they should be able to correctly identify which passwords are secure and which ones are not.

Key Takeaways

  • Recommended Password Length— 8-64 characters.
  • Character types — All available characters are allowed and encouraged.
  • Multi-factor Authentication — Highly encouraged.
  • Password Construction — Long passphrases instead of complex passwords are recommended. There must be no match between them and the password dictionary.
  • Password Reset Frequency — Only if the password is forgotten or at first signs of compromise.

Examples of Password Mistakes Made by Your Employees

I’ve already gone through password construction rules, but there are more best practices in regard to password security that your employees should follow. They may seem obvious for most people, however, be certain you still include them in your cybersecurity training sessions as a reminder.

#1. Reusing the same password

Your users may be using the same passwords for different business-related accounts – for instance, for their email login account and an online third-party service where they registered with their corporate email address. If that specific website gets hacked, chances are that cyber-attackers will use their passwords to try to log into their accounts. This tactic is called credential stuffing and is a practice highly employed by cybercriminals.

What’s more, another mistake can be reusing a password they’ve set up for a personal account on their business account, since the same type of attack could easily happen.

#2. Sharing passwords

Needless to say, your employees’ passwords must always remain confidential. They should never share them with other employees or members outside of your organization.

#3. Not using a password manager

We can all agree on the fact that remembering a different password for each account is a hassle, especially for third-party websites. However, when using password managers, your employees will only need to remember the one used to access their password manager, where all their passwords are stored.

#4. Skipping multi-factor authentication

Multi-factor authentication can dramatically reduce fraudulent login attempts, so make sure that you’ve set up this option on your organizations’ accounts and that your people do not have the possibility to skip it!

#5. Changing a single character of the password after you’re suspecting their account has been compromised

If cybercriminals have managed to guess their password, if the new one is just slightly different, chances are the password is going to be hacked once again. So, make sure your users understand and apply the password security guidelines presented in-depth above.

#6. Storing passwords in plain text on their devices

Your employees may be keeping their passwords in plain text and that is, of course, a terrible practice, since the passwords could be easily accessed by malicious actors. Thus, they should stay away from storing them on their phones, spreadsheets, text files, or emailing the passwords to their personal email addresses for whatever reasons.

#7. Writing them down in easily accessible places

No one should write down their passwords on post-it notes kept on their desks, hidden under the keyboard, written on their day planner, etc. The danger of insider threat might linger inside your organization.

#8. Logging into their business accounts on unsecured networks or devices.

If your employees want to connect remotely and use an open public Wi-Fi network or enter their login credentials on a personal device that is not properly secured, their connection could be left open to snooping. In this case, they should always use a VPN.

Conclusion

The guidelines proposed by NIST truly have the capacity to aid IT professionals to strengthen their defenses without unnecessarily burdening their users. Nonetheless, organizations that have adopted them or are considering implementing them, should completely understand the logic and approach behind. And most importantly, security professionals must first comprehend the cybersecurity risk profile of their company to create strong password policies.

What do you think about NIST’s password security guidelines? Have you already implemented them inside your organization?

The post Password Mistakes You and Your Employees Are (Probably) Making appeared first on Heimdal Security Blog.

Twitter Admit Personal Contact Details Used by Advertising Systems

Twitter Admit Personal Contact Details Used by Advertising Systems

Twitter has admitted that personal contact information of users may have “inadvertently been used for advertising purposes.”

According to a statement published earlier, it discovered that when users provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have been the recipient of Twitter’s Tailored Audiences and Partner Audiences advertising system.

“Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled)” it explained, while Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.

The statement read: “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”

It could not say “with certainty” how many people were impacted by this, but it clarified that no personal data was ever shared externally with partners, or any other third parties.

“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”

In an email to Infosecurity, Javvad Malik, security awareness advocate for KnowBe4, said that many companies have implemented two-step authentication for services via an SMS message to the users phone, as this protects accounts against attacks such as credential stuffing, where attackers can access accounts by having the password.

“However, with email address and phone numbers, advertisers are able to profile people more accurately across multiple services and target them with more accuracy,” he said. “It is unfortunate that Twitter allowed this to happen, as these details were only provided for security purposes.

“In light of this, and other similar revelations in the past, as well as the growing number of attacks such as SIM swap, which hijack users phone numbers, companies should make the strategic decision to move away from using a phone number as a primary means of authentication, and adopt more secure alternatives for multi-factor authentication.”

Stuart Sharp, VP of solution engineering at OneLogin, said that it would be up to the lawyers to decide whether or not Twitter's misuse of personal contact details broke the letter of the law, but “it certainly broke the spirit of GDPR.”

He said: “This type of activity will likely result in users removing their phone numbers from the site, which will ultimately affect the number of people using additional factors for authentication such as text verification, which is a massive step backwards for all those working hard to push MFA as a method of increasing security online. Ultimately, everyone will lose as Twitter accounts will be more vulnerable to malicious take-over.”

#DTXEurope: Former Chief of MI6 Reflects on Growth of Tech and Cyber-Threats

#DTXEurope: Former Chief of MI6 Reflects on Growth of Tech and Cyber-Threats

At Digital Transformation EXPO Europe Sir John Sawers, former chief, Secret Intelligence Service (MI6), explored the recent growth of cyber technology and its impact on cyber-threats and cyber-defense.

Reflecting upon his career at MI6, Sawers noted how cyber and technology became an integral part of the Secret Intelligence Service's work during his tenure.

“Even at MI6, a human-intelligence service, I had to increase our spend on technology from about a third of our budget to half of our budget during the five years that I was chief of the service,” he explained. “Technology was such a big driver of everything we did; the power of data analytics in terms of piecing together puzzles about terrorist plots and identifying who was posing a threat was an absolutely vital tool.”

Sawers saw a “lot of life move online,” including the significant rise of extremist websites and chatrooms, and “the role of cyber developed as both an attack tool, and as a crucial part of national defenses.”

This has led to hostile cyber-attacks, particularly nation state attacks, becoming ever more sophisticated, powerful and capable of reaching diverse, widespread targets. He added that, through cyber and tech evolutions, the “skills of offensive cyber are becoming readily available,” and whilst defenses are getting better and better at both a corporate and state level, the “attack tools available to hostile actors are getting more and more powerful.

“That battle, in the cyber-domain, is bound to continue.”

Hackers compromised Volusion infrastructure to siphon card details from thousands of sites

Hackers have compromised the infrastructure of Volusion and are distributing malicious software skimmers to steal payment card data provided by users.

Volusion is a privately-held technology company that provides ecommerce software and marketing and web design services for small and medium sized businesses. The company has over 250 employees and has served more than 180,000 customers since its founding in 1999.

Hackers have compromised the infrastructure of Volusion and are distributing malicious software skimmers to steal payment card data provided by users. Experts report more than 6,500 stores have been hacked, but they believe that tens of thousands of e-commerce platforms may have been compromised.

The discovery was made by Check Point security researcher Marcel Afrahim that shared his findings in a blog post on Medium.

The experts initially noticed that the Sesame Street Live online store was compromised, it is built with Volusion’s All-in-One E-commerce Website Builder and the name servers are maintained by the Volusion’s Name servers.

While analyzing the checkout page the expert noticed that all the resources are loading from sesamestreetlivestore.com or volusion.com affiliated websites, except for an odd javascript file being loaded from storage.googleapis.com having bucket name of volusionapi

This suggests that hackers gained access to Google Cloud infrastructure of Volusion, they were able to inject in JavaScript file the malicious code that siphons payment card details.

volusion hack

The compromised script was located at at https://storage.googleapis.com/volusionapi/resources.js and is loaded on Volusion-based online stores via the /a/j/vnav.js file.

“At its core, the additional code consists of two sections. The first section is reading the values entered at the Credit Card information fields and after a series of checks, it’s Base64 encoded along with serialization and simple shift operation, So that a simple Base64 deobfuscation would not reveal the data.” reads the post published by the researcher. “The second part of the script is responsible for reading that data stored and posting it to their primary server hxxps://volusion-cdn.com/analytics/beacon.”

Who is behind the attack?

The attackers’ TTPs suggest the involvement of one of the Magecart groups, that in the past already used public cloud storage to host their malicious scripts. 

A report recently published by RiskIQ, the experts estimated that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them are supply-chain attacks.

Pierluigi Paganini

(SecurityAffairs – Volusion, hacking)

The post Hackers compromised Volusion infrastructure to siphon card details from thousands of sites appeared first on Security Affairs.

Intel unveils Element device for modular PC builds

The new hardware, which comprises a processor, Thunderbolt and USB ports, and built-in network connectivity in a dual-slot PCIe card, is a more powerful version of the NUC Compute Element the chipmaker introduced earlier this year as a replacement for the Compute Card.

#DTXEurope: Huawei Dispute Symbolic of Wider Problems in Telecoms Industry

#DTXEurope: Huawei Dispute Symbolic of Wider Problems in Telecoms Industry

Speaking in the opening keynote session of Digital Transformation EXPO Europe Sir John Sawers, former chief, Secret Intelligence Service (MI6), said that the ongoing dispute between the US and Chinese telecommunications giant Huawei is symbolic of broader problems affecting the global telecoms industry.

“A big thing has been made about the intelligence and security threat posed by having Huawei equipment in the British national system," he said. “I actually tend to play that down a little bit. I think we have a rather good system here in the UK whereby all Chinese equipment that goes into the UK national infrastructure goes through a checking station run by GCHQ, and we’ve not, in the 20 years that we’ve had Huawei equipment in our system, experienced it being used by the Chinese state for espionage purposes.”

However, there is a wider problem in the telecoms industry because there are so few suppliers and manufacturers supplying goods, he explained, and you have no “big American player.”

This is what has led to the US making such an issue around Huawei technology in recent months, Sawers argued, pin-pointing three specific matters that have played a particular role in the dispute..

The first is that there is a potential espionage threat that needs to be managed, and we do all have to be mindful of that.

Secondly, and more importantly, “there’s the industrial policy argument, where the West needs its own telecoms national infrastructure manufacturers, so that we can rely on Western-made, Western-designed kit,” Sawers argued.

Thirdly, Huawei has become a “point of leverage in the wider US-China trade negotiations.”

So, the Huawei issue is “much more complicated than is sometimes presented (as a simple one about national security and intelligence threats) and it’s about a much wider issue of the control of technology,” Sawers pointed out.

“In essence, it’s a microcosm of the challenges the West is going to face during the 2020s. As we move into a world of competition between powers, competition over technology and a time when Western politics is not as healthy or as unified as it has been before, it creates a very complicated backdrop for those who are in the technology business,” he concluded.

Ransomware victim hacks attacker, turning the tables by stealing decryption keys

Normally it works like this. Someone gets infected by ransomware, and then they pay the ransom. The victim then licks their wounds and hopefully learns something from the experience. And that’s what happened to Tobias Frömel, a German developer and web designer who found himself paying a Bitcoin ransom of 670 Euros (US $735) after […]… Read More

The post Ransomware victim hacks attacker, turning the tables by stealing decryption keys appeared first on The State of Security.

October Patch Tuesday: Microsoft fixes critical remote desktop bug

Microsoft fixed 59 vulnerabilities in October's Patch Tuesday, including several critical remote code execution (RCE) flaws.

5 Key Benchmarks for Choosing Efficient Endpoint Security

Reading Time: ~ 3 min.

First and foremost, endpoint protection must be effective. Short of that, MSPs won’t succeed in protecting their clients and, more than likely, won’t remain in business for very long. But beyond the general ability to stop threats and protect users, which characteristics of an endpoint solution best set its administrators for success?

Get the 2019 PassMark Report: See how 9 endpoint protection products perform against 15 efficiency benchmarks.

Consider the world of the MSP: margins can be thin, competition tight, and time quite literally money. Any additional time spent managing endpoint security, beyond installing and overseeing it, is time not spent on other key business areas. Performance issues stemming from excess CPU or memory usage can invite added support tickets, which require more time and attention from MSPs. 

So, even when an endpoint solution is effective the majority of the time (a tall order in its own right), other factors can still raise the total cost of ownership for MSPs. Here are some metrics to consider when evaluating endpoint solutions, and how they can contribute to the overall health of a business. 

1. Installation Time

We’ve written recently about the trauma “rip and replace” can cause MSPs. It often means significant after-hours work uninstalling and reinstalling one endpoint solution in favor of another. While MSPs can’t do much about the uninstall time of the product they’ve chosen to abandon, shopping around for a replacement with a speedy install time will drastically reduce the time it takes to make the switch. 

Quick installs often also make a good impression on clients, too, who are likely having their first experience with the new software. Finally, it helps if the endpoint solution doesn’t conflict with other AVs.  

2. Installation Size

Few things are more annoying to users and admins than bulky, cumbersome endpoint protection, even when it’s effective. But cybersecurity is an arms race, and new threats often require new features and capabilities. 

So if an endpoint solution is still storing known-bad signatures on the device itself, this can quickly lead to bloated agent with an adverse effect on overall device performance. Cloud-based solutions, on the other hand, tend to be lighter on the device and less noticeable to users.

3. CPU Usage During a Scan

Many of us will remember the early days of antivirus scans when considering this stat. Pioneering AVs tended to render their host devices nearly useless when scanning for viruses and, unfortunately, some are still close to doing so today. 

Some endpoint solutions are able to scan for viruses silently in the background, while others commandeer almost 100 percent of a device’s CPU to hunt for viruses. This can lead to excruciatingly slow performance and even to devices overheating. With such high CPU demand, scans must often be scheduled for off-hours to limit the productivity hit they induce. 

4. Memory Usage During a Scheduled Scan 

Similar to CPU use during a scan, RAM use during a scheduled scan can have a significant effect on device performance, which in turn has a bearing on client satisfaction. Again older, so-called legacy antiviruses will hog significantly more RAM during a scheduled scan than their next-gen predecessors. 

While under 100 MB is generally a low amount of RAM for a scheduled scan, some solutions on the market today can require over 700 MB to perform the function. To keep memory use from quickly becoming an issue on the endpoints you manage, ensure your chosen AV falls on the low end of the RAM use spectrum. 

5. Browse Time

So many of today’s threats target your clients by way of their internet browsers. So it’s essential that endpoint security solutions are able to spot viruses and other malware before it’s downloaded from the web. This can lead to slower browsing and frustrate users into logging support tickets. It’s typically measured as an average of the time a web browser loads a given site, with variables like network connection speed controlled for. 

Effectiveness is essential, but it’s far from the only relevant metric when evaluating new endpoint security. Consider all the above factors to ensure you and your clients get the highest possible level of satisfaction from your chosen solution.

The post 5 Key Benchmarks for Choosing Efficient Endpoint Security appeared first on Webroot Blog.

Illegal Data Center Hidden in Former NATO Bunker

Interesting:

German investigators said Friday they have shut down a data processing center installed in a former NATO bunker that hosted sites dealing in drugs and other illegal activities. Seven people were arrested.

[...]

Thirteen people aged 20 to 59 are under investigation in all, including three German and seven Dutch citizens, Brauer said.

Authorities arrested seven of them, citing the danger of flight and collusion. They are suspected of membership in a criminal organization because of a tax offense, as well as being accessories to hundreds of thousands of offenses involving drugs, counterfeit money and forged documents, and accessories to the distribution of child pornography. Authorities didn't name any of the suspects.

The data center was set up as what investigators described as a "bulletproof hoster," meant to conceal illicit activities from authorities' eyes.

Investigators say the platforms it hosted included "Cannabis Road," a drug-dealing portal; the "Wall Street Market," which was one of the world's largest online criminal marketplaces for drugs, hacking tools and financial-theft wares until it was taken down earlier this year; and sites such as "Orange Chemicals" that dealt in synthetic drugs. A botnet attack on German telecommunications company Deutsche Telekom in late 2016 that knocked out about 1 million customers' routers also appears to have come from the data center in Traben-Trarbach, Brauer said.

EDITED TO ADD (10/9): This is a better article.

New Sextortion Scam Uses Alternative Cryptocurrencies to Evade Detection

A new sextortion scam variant is using a wallet for a cryptocurrency other than bitcoin in an attempt to evade detection. On October 8, Cofense revealed it had detected a modified sextortion scam that was using a wallet address for Litecoin instead of bitcoin. The variant thereby differentiated itself from earlier sextortion campaigns detected by […]… Read More

The post New Sextortion Scam Uses Alternative Cryptocurrencies to Evade Detection appeared first on The State of Security.

What is Ryuk Ransomware?

English

Throughout the summer and now into the fall, there have been many stories in the news about Ryuk, a targeted and powerful piece of ransomware that has been attacking countless organizations, including municipal governments, state courts, hospitals, enterprises, and large universities. Many of these organizations have paid hefty fees to recover their files following a Ryuk attack, only to find that countless files are still missing, or beyond repair.

How Does Ryuk Work?

What many people don’t understand about Ryuk is that Ryuk is not the beginning of the attack, but is instead the end product. Once Ryuk is triggered to encrypt and ransom files, the real damage has already been done.

 The attack begins as a phishing email or a drive-by download triggered by visiting a website or clicking on a popup. The threat actors use a dropper and a Trojan or bot to establish persistent access to the network. They use the tools of the typical Advanced Persistent Threat (APT) operators, from exploiting vulnerable machines to installing keyloggers and stealing credentials, to move around the infiltrated network. They look for information to steal, then gather and exfiltrate it, expanding their footprint as they go. They also install Ryuk on  each system they gain access.  Once they have accessed and exfiltrated everything they can, they trigger Ryuk to encrypt what’s left and ransom their victims.

 Victims of this Ryuk attack have paid hundreds of thousands of dollars to regain access to their information. Unfortunately, it is the the attack that comes before Ryuk is even deployed that wipes out most of their data.    

What to do After a Ryuk Attack

Unfortunately, as stated earlier, once you have been infected with Ryuk, there is very little to be done. However, it is still strongly recommended that you contact authorities.  For example, US companies can contact the FBI, either through their local office, or with an IC3 complaint form. With so many different strains of Ryuk out in the wild, it is vital that as much knowledge as possible be collected in order to find a way to put a stop to such attacks. Additionally, such agencies are often the most capable of widely disseminating information, putting other organizations on high alert. From there, the focus should be on rebuilding with stronger safeguards in place.

How to Prevent Ryuk Attacks

Many organizations, both public and private, already have the precursors of Ryuk in their network. It is the detection of this persistent access that can save an organization that already has an active attack underway. Early detection and remediation can minimize exfiltration and prevent Ryuk from being placed and deployed, thwarting the ransomware element completely. The answer to detecting this persistence is to know what to look for.

Core Security has been tracking this attack since early 2016. The presence of any of these threats is a good indicator that you are under an attack that will likely end up as a Ryuk ransom of your network. The good news is that Core Network Insight detects the Emotet dropper, the Trojan Trickbot, and other precursors of a Ryuk attack early in the infection so that you can get them clean up your IT environment, eliminating the persistent access to your network that gives the threat actors the opportunity to pillage your network and place Ryuk.

Core Network Insight is the only mature, purpose built, active threat detection solution on the market. It is agentless, as well as OS and platform agnostic. This means that it can detect Emotet, Trickbot, and other infections on such diverse network endpoints as workstations and servers, printers and multifunction devices, IP telephone and IP cameras, video conference units, HVAC and SCADA systems, point of sale terminals and ATMs, MRI, CT, and other DI systems and mobile medical devices, the Internet of Things, and even refrigerators with web panels and network connected coffee makers. If it has an IP address, is plugged into your network, and becomes infected, Core Network Insight will detect it fast and let you know early so you can get ahead of the attack before the damage occurs.

Network Insight
Attribute this content to a different author: 
Hank Carr, Sales Engineer, Technical Solutions
Big text: 
Article
Resource type: 
Articles
Is Your Environment Infected?

Download our guide on how to identify compromised devices with certainty and get ahead of threats before it's too late.

Microsoft October Update Patches Nine Critical Vulnerabiltiies

Microsoft October Update Patches Nine Critical Vulnerabiltiies

Microsoft patched 59 vulnerabilities yesterday, releasing one advisory for Windows 10 Servicing Stack.

Of the 59 vulnerabilities patched, nine are classified as “critical.” There were no vulnerabilities exploited in the wild this month, nor were any publicly disclosed prior to Patch Tuesday.

Jimmy Graham, senior director of product management at Qualys, said that alongside these patches, a Remote Code Execution vulnerability (CVE-2019-1372) exists in Azure App Service on Azure Stack which escapes the sandbox and can execute malicious code as System. “If you have the Azure App Service deployed to your Azure Stack, this patch should be prioritized,” he said.

Satnam Narang, senior research engineer at Tenable, said: “Two more vulnerabilities in Remote Desktop were patched this month. CVE-2019-1333 is a remote code execution vulnerability in Remote Desktop Client which requires an attacker to convince a user to connect to a malicious server using the Remote Desktop Protocol (RDP), or compromise an existing server and host malicious code on it, while waiting for vulnerable clients to connect.

“CVE-2019-1326 is a denial of service flaw in RDP that would allow an attacker to exploit it by connecting to the server and sending specially crafted requests, causing the RDP service on the vulnerable server to stop responding.

"There is also a pair of Win32k elevation of privilege vulnerabilities (CVE-2019-1362, CVE-2019-1364) caused by a failure in how the Windows kernel-mode driver handles objects in memory. These vulnerabilities require an attacker to have previously compromised a system before they can elevate privileges. Both vulnerabilities affect Windows Server 2008 and Windows 7, which will no longer receive security updates after January 14, 2020."

October 2019 Patch Tuesday: A small batch of updates from Microsoft, none from Adobe

As predicted by Ivanti’s Chris Goettl, October 2019 Patch Tuesday came with a relatively small number of Microsoft updates and, curiously enough, with no security updates from Adobe. There is no report of any of the Microsoft bugs being exploited, but there is public PoC code for and info about a local privilege escalation flaw in Windows Error Reporting (CVE-2019-1315). Microsoft’s patches Microsoft has addressed nearly 60 vulnerabilities, nine of which are critical. Seven of … More

The post October 2019 Patch Tuesday: A small batch of updates from Microsoft, none from Adobe appeared first on Help Net Security.

Twitter inadvertently used Phone Numbers collected for security for Ads

Twitter admitted having “inadvertently” used phone numbers and email addresses, collected for security purposes, for advertising.

Twitter apologized to have used phone numbers and email addresses, privided by the users for security purposes, for advertising. According to the social media company, data used for account authentication were also matched with advertisers’ database to improve the efficiency of ads.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.” reads a post published by Twitter.

At the time of writing it is unclear the number of impacted Twitter users.

The company attempted to downplay the severity of the privacy incident highlighting that none of the user data was shared with partners outside the company.

The Twitter Tailored Audiences product allows advertisers to target ads to customers based on the advertiser’s own marketing lists that includes info such as email addresses or phone numbers. Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.

Twitter admitted that when an advertiser uploaded their marketing list, its staff may have matched the information included in these lists with data provided by its users to protect their accounts.

The root cause of the problem was addressed in September 17, 2019.

“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.” added Twitter.

“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,”

Pierluigi Paganini

(SecurityAffairs – Twitter, privacy)

The post Twitter inadvertently used Phone Numbers collected for security for Ads appeared first on Security Affairs.

#ACS19: Make Your Friends and Plans Before the Breach

#ACS19: Make Your Friends and Plans Before the Breach

Preparing for data breach response should involve practising with third parties, and repeating the processes. 

Speaking at the ATM & Cybersecurity 2019 conference in London, Mark Whitehead, head of customer breach support at Deloitte said that “reputation is an ethereal thing” and hard to control.

He said that reputation is fundamentally based on two things: what you do; and what you say, also consider how you perform. “If you don’t do everything you can, you’re losing the ability to influence in the first place,” he said. “In terms of how you plan and how you prepare, your role and influence becomes incredibly important and brand and reputation means a lot more than you think it does.”

He recommended having in place the following steps, as “no matter how good you get it, you will never be famous for doing it well, but you will be infamous for doing it badly.” These were;

  • Communications – How do you get out ahead of social media, and don’t develop messages on the fly
  • Speed – This is of the essence, as if you don’t respond quickly, you will be behind the message and the press
  • Capacity and Capability – You have capability designed and sized to support ‘business as usual’ so consider how manage that and support those customers who are affected
  • Identity Protection and Repair – Your insurance will cover this, but only 10-20% of customers will take this opportunity up, so consider if it is an effective means of protecting customers?
  • Professional Expertise – Whether it is a law firm, crisis communications or a claim team, it is important to have professional entities of people who have been through the process before

Whitehead said breach response preparation was a classic case of “make friends before you need them” in the event of a crisis. Pointing at the Information Commissioner’s Office, he said that it is clear in the guidance from the EU to the supervisory authorities' 11 criteria to assess organizations with after a data breach, and whether a fine is relevant, and what the size of the fine should be.

One point states that “any action taken by a controller to mitigate the damage suffered by data subjects” should be considered, and of the 11 criteria, “this is the only one to talk duty of care to data subjects.” 

Whitehead said that, if you have exercised duty of care, you may or may not get a fine. “So worry about duty of care and your customers; not just because from a brand and reputation perspective, as if you don’t look after them they will go elsewhere,” he said. “But you should also worry about your duty of care as it is the tipping point for the supervisory authorities to decide on the size of the fine.”

Hashtag Trending – No Adobe for Venezuela; Apple buries iTunes; Instagram goes dark

Adobe deactivates all Adobe accounts in Venezuela, MacOS Catalina kills iTunes, Instagram gets a dark mode! That’s all the tech news that’s trending today. It’s Wednesday, Oct. 9th, and I’m your host, Tom Li. First, trending on Google, Adobe has deactivated all Adobe accounts in Venezuela. The company reached the decision following a U.S. sanction,…

You Gave Your Phone Number to Twitter for Security and Twitter Used it for Ads

After exposing private tweets, plaintext passwords, and personal information for hundreds of thousands of its users, here is a new security blunder social networking company Twitter admitted today. Twitter announced that the phone numbers and email addresses of some users provided for two-factor authentication (2FA) protection had been used for targeted advertising purposes—though the company

Researchers discovered a code execution flaw in NSA GHIDRA

Security researchers discovered a code-execution vulnerability that affects versions through 9.0.4 of the Ghidra software reverse engineering (SRE) framework.

GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).

The framework was first mentioned in the CIA Vault 7 dump that was leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that details CIA hacking techniques, tools, and capabilities. Digging in the huge trove of files, it is possible to find also information about the GHIDRA, a Java-based engineering tool.

NSA has released the suite Ghidra in March, it could be used to find vulnerabilities and security holes in applications.

Ghidra is Apache 2.0-licensed and requires a Java runtime, it is available
for download here. Of course, people fear the US Agency may have introduced a backdoor in the suite, but the NSA excluded it.

A couple of weeks ago, security researchers discovered a vulnerability in the Ghidra tool, tracked as CVE-2019-16941, that could be exploited by an attacker to execute arbitrary code within the context of the affected application. The researchers discovered that the flaw could be exploited only when the experimental mode is enabled.

The vulnerability resides in the Read XML Files feature of Bit Patterns Explorer, an attacker could exploit it by using modified XML documents.

“NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document.” reads the security advisory. “This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).”

The vulnerability has been rated as “critical severity” and received a CVSS score of 9.8.

The NSA attempted to downplay the severity of the flaw explaining that it is hard to exploit.

The good news is that the issue has been already fixed, a patch is available for those who build Ghidra themselves from the master branch.

The Ghidra 9.1 release, that is currently in beta testing, will also address the flaw.

Pierluigi Paganini

(SecurityAffairs – NSA, hacking)

The post Researchers discovered a code execution flaw in NSA GHIDRA appeared first on Security Affairs.

Patch Tuesday Lowdown, October 2019 Edition

On Tuesday Microsoft issued software updates to fix almost five dozen security problems in Windows and software designed to run on top of it. By most accounts, it’s a relatively light patch batch this month. Here’s a look at the highlights.

Happily, only about 15 percent of the bugs patched this week earned Microsoft’s most dire “critical” rating. Microsoft labels flaws critical when they could be exploited by miscreants or malware to seize control over a vulnerable system without any help from the user.

Also, Adobe has kindly granted us another month’s respite from patching security holes in its Flash Player browser plugin.

Included in this month’s roundup is something Microsoft actually first started shipping in the third week of September, when it released an emergency update to fix a critical Internet Explorer zero-day flaw (CVE-2019-1367) that was being exploited in the wild.

That out-of-band security update for IE caused printer errors for many Microsoft users whose computers applied the emergency update early on, according to Windows update expert Woody Leonhard. Apparently, the fix available through this month’s roundup addresses those issues.

Security firm Ivanti notes that the patch for the IE zero day flaw was released prior to today for Windows 10 through cumulative updates, but that an IE rollup for any pre-Windows 10 systems needs to be manually downloaded and installed.

Once again, Microsoft is fixing dangerous bugs in its Remote Desktop Client, the Windows feature that lets a user interact with a remote desktop as if they were sitting in front of the other PC. On the bright side, this critical bug can only be exploited by tricking a user into connecting to a malicious Remote Desktop server — not exactly the most likely attack scenario.

Other notable vulnerabilities addressed this month include a pair of critical security holes in Microsoft Excel versions 2010-2019 for Mac and Windows, as well as Office 365. These flaws would allow an attacker to install malware just by getting a user to open a booby-trapped Office file.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A reliable backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

As always, if you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.

Winning the security fight: Tips for organizations and CISOs

For large organizations looking to build a robust cybersecurity strategy, failure to get the fundamentals in place practically guarantees a disaster. If you ask Matthew Rosenquist, a former Cybersecurity Strategist for Intel (now independent), overcoming denial of risk, employing the right cybersecurity leader, and defining clear goals are the three most critical objectives for avoiding a negative outcome. Getting things right “Every organization, large and small, begins with a belief they are not at significant … More

The post Winning the security fight: Tips for organizations and CISOs appeared first on Help Net Security.