Daily Archives: October 13, 2019

5 things security executives need to know about insider threat

Insider threat is, unfortunately, an issue that has not yet received sufficient priority. According to the 2018 Deloitte-NASCIO Cybersecurity Study, CISOs’ top challenges remain “budget, talent and increasing cyber threats,” and to some, insider threat doesn’t even make the list of top-ten priorities. Considering what’s at stake – and our 21st-century ability to see signs of, and ultimately prevent, insider threat – this is a phenomenon security executives can no longer afford to ignore. Specifically, … More

The post 5 things security executives need to know about insider threat appeared first on Help Net Security.

New data analysis approach could strengthen the security of IoT devices

A multi-pronged data analysis approach that can strengthen the security of IoT devices, such as smart TVs, home video cameras and baby monitors, against current risks and threats has been created by a team of Penn State World Campus students.

Explosion of IoT devices

A new forecast from IDC estimates that there will be 41.6 billion connected IoT devices, or “things,” generating 79.4 zettabytes (ZB) of data in 2025. “These devices can leave people vulnerable … More

The post New data analysis approach could strengthen the security of IoT devices appeared first on Help Net Security.

Researchers may have found a way to trace serial IP hijackers

Hijacking IP addresses is an increasingly popular form of cyberattack. This is done for a range of reasons, from sending spam and malware to stealing Bitcoin. It’s estimated that in 2017 alone, routing incidents such as IP hijacks affected more than 10 percent of all the world’s routing domains.

Photo, left to right: senior research scientist David Clark, graduate student Cecilia Testart, and postdoc Philipp Richter. Photo by Jason Dorfman, MIT CSAIL.

There have been major … More

The post Researchers may have found a way to trace serial IP hijackers appeared first on Help Net Security.

Phone Call Attacks

More and more scams and attacks are happening over the phone. Whenever you get an urgent phone call pressuring you to do something (such as a caller pretending to be the tax department or Microsoft Tech Support), be very suspicious. It's most likely a scammer trying to trick you out of money or pressure you into making a mistake. Protect yourself: simply hang up the phone. You are not being rude; the person on the other end of the line is trying to take advantage of you.

70% of presidential campaigns fail to provide adequate online privacy and security protections

An alarming 70% of the campaign websites reviewed in the OTA 2020 U.S. Presidential Campaign Audit failed to meet OTA’s privacy and security standards – potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with … More

The post 70% of presidential campaigns fail to provide adequate online privacy and security protections appeared first on Help Net Security.

Consumers concerned about connected home privacy, still few implement safety practices

In order to understand what people are doing to protect themselves from the risk of compromised smart home devices, such as internet-connected TVs, smart thermostats, home assistants and more, ESET polled 4,000 consumers. Key findings include: Over a third of all respondents indicated they are concerned about unauthorized access of their home networks via connected home devices (smart TVs, smart thermostats etc.). 35% of Americans and 37% of Canadians indicated so in our survey. When … More

The post Consumers concerned about connected home privacy, still few implement safety practices appeared first on Help Net Security.

Webinar: Securing Web Layer Assets with Cloud WAF

Developers and operations teams are under constant pressure to release new features and capabilities that keep their organizations ahead of competitors. But when “Innovate!” is a constant rallying cry and velocity the measure of a development team’s worth, what happens to security at the application layer? There’s a solution: instrument and observe web requests using a Cloud Web Application Firewall (WAF) that provides detection and blocking to protect web layer assets without installing additional software. … More

The post Webinar: Securing Web Layer Assets with Cloud WAF appeared first on Help Net Security.

Climbing the Vulnerability Management Mountain: Reaching Maturity Level 1

The time at ML:0 can be eye-opening for many organizations. There are generally a lot of assets discovered that are new or had been forgotten about. Almost every organization discovers its own Methuselah: the system that has been around forever and performs some important tasks but has not been updated in years. The […]… Read More

The post Climbing the Vulnerability Management Mountain: Reaching Maturity Level 1 appeared first on The State of Security.

CounterFlow AI launches ThreatEye, an open, scalable AIOps platform

CounterFlow AI, the first security provider to deliver AIOps for network forensics, introduced its flagship solution – ThreatEye, an open, scalable AIOps platform that brings together machine learning, full packet capture, and visualization to identify network faults, anomalies and threats at wire speed. This new platform eases the burden of SOC analysts who are in need of high-fidelity analysis for investigations but are overwhelmed by unnecessary volumes of data flowing through the network. ThreatEye seamlessly … More

The post CounterFlow AI launches ThreatEye, an open, scalable AIOps platform appeared first on Help Net Security.

Top Tax Scams to Watch out For

Diligent taxpayers are being increasingly targeted by con artists who are well-versed in manipulating the revenue system. The crooks usually impersonate IRS (U.S. Internal Revenue Service) officials, sending fake emails or messages on social media in an attempt to defraud the targeted individuals of their money. Unfortunately, lots of people fall for these scams, and […]… Read More

The post Top Tax Scams to Watch out For appeared first on The State of Security.

GoSecure adds a new antivirus to its Managed Detection and Response portfolio

GoSecure, a leading provider of Managed Detection and Response (MDR) services and a Predictive Endpoint Detection and Response (EDR) platform, announced the addition of Next-Generation Antivirus to its industry-leading Managed Detection and Response portfolio. As traditional antivirus is shown to be increasingly ineffective at stopping advanced attacks, organizations are looking to next-generation antivirus (NGAV) to meet their needs. GoSecure’s NGAV offering provides several advanced endpoint security capabilities including behavioral detection, sandboxing, script and exploit … More

The post GoSecure adds a new antivirus to its Managed Detection and Response portfolio appeared first on Help Net Security.

AirTies unveils portfolio of Wi-Fi 6 devices powered by AirTies Smart Wi-Fi software

AirTies, the most widely deployed supplier of managed Wi-Fi solutions to service providers globally, unveiled its portfolio of Wi-Fi 6 (802.11ax) devices powered by AirTies Smart Wi-Fi software. The company also disclosed that it has signed deals with multiple Tier 1 service providers expected to bring them to market in the coming months. Specifically, AirTies introduced a new, dual-band Wi-Fi 6 Extender, a tri-band Wi-Fi 6 Extender, and a Wi-Fi 6 router. In addition to … More

The post AirTies unveils portfolio of Wi-Fi 6 devices powered by AirTies Smart Wi-Fi software appeared first on Help Net Security.

3 Ways to Secure WAF APIs

In a recent cloud WAF hacking, many customers were alarmed when private API keys, salted passwords, and SSL certificates were revealed to have been compromised.

It’s clear from this specific hacking incident that the appropriate steps were not taken to protect customers’ data. One proper security measure that was overlooked was API security.

API security is concerned with protecting the data that APIs transfer over the internet, which means broken, exposed, or compromised APIs can lead to breaches.

For a cloud WAF, APIs are essential for integrating the WAF service with the client’s servers. This blog post will delve deeper into what API security means for cloud WAFs and how you can secure your APIs for WAFs.

Encrypt your API keys.

Keys are central to API security. API keys are essentially long strings that uniquely identify an application and allow two applications to communicate over the internet. 

For WAF vendors and customers, securing these keys mitigates threats such as man-in-the-middle (MITM) attacks, in which an attacker intercepts and alters the API messages exchanged between two parties.

This traffic can be protected with SSL/TLS. By serving all of your web pages over SSL/TLS (which encrypts transmitted data), the data sent via your web APIs will also be encrypted.

This is crucial because API traffic sometimes carries sensitive information (e.g. email addresses, card details); with encryption in transit, you can thwart attackers who try to intercept your communications.

Authenticate users that utilize the API keys.

If an API key is not authenticated, there’s no guarantee that the user “calling” the API is the one to whom you intended to issue the WAF API key. By establishing the identity of the caller, authentication also helps reduce misuse of the system, for example by limiting the number of API requests a single user can make.

While basic authentication can be carried over SSL/TLS, there are more secure alternatives for authenticating users of WAF APIs.

These include OAuth 2 and OpenID Connect, two popular industry standards for authentication.

Some WAFs also offer API tokens that support two-factor authentication. For example, a one-time password can be generated to quickly identify your intended recipient. 

Consider using a secure API Gateway.

If properly secured, API gateways can add a further layer of protection. However, many API gateway products are designed for integration and not necessarily with security in mind.

These products simply provide access control, which is not enough to properly protect APIs from external threats.

API security is much more than access control. Because API gateways also handle traffic management, you should also be concerned about data leakage and data integrity.

Luckily, WAFs are commonly used to secure API platforms, as they are able to block common web exploits, misuse and abuse. A WAF can also help mitigate application-layer DDoS attacks.
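As an added example (not Cloudbric’s code or any WAF vendor’s API), the following Python module shows the server side of the three measures above for a cloud-WAF management API: reject calls that did not arrive over TLS, authenticate the presented key against a stored hash in constant time, and rate-limit each authenticated key holder. The key format `<id>.<secret>`, the `scheme` string taken from the request, and the per-minute limit are assumptions made for the example.

```python
"""Server-side checks for a cloud-WAF management API (added example, assumed design)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Tenant:
    name: str
    key_hash: bytes        # SHA-256 of the issued secret; the raw key is never stored
    limit_per_minute: int  # assumed per-tenant request budget
    window_start: float = 0.0
    count: int = 0


class WafApiAuthenticator:
    def __init__(self, now=time.time):
        self._tenants = {}  # key id -> Tenant
        self._now = now     # injectable clock so the limiter can be tested

    def issue_key(self, name, limit_per_minute=60):
        """Create an API key of the assumed form '<id>.<secret>'.

        The caller receives the raw key exactly once; only its hash is kept,
        so a leaked key store does not yield usable keys.
        """
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).digest()
        self._tenants[key_id] = Tenant(name, digest, limit_per_minute)
        return f"{key_id}.{secret}"

    def authorize(self, scheme, api_key):
        """Return (ok, reason-or-tenant-name) for one API request.

        'scheme' is the URL scheme of the request as seen by the API front end
        (in practice the TLS-terminating WAF or gateway supplies it).
        """
        # 1. Keys must never travel in the clear: refuse plain-HTTP requests.
        if scheme.lower() != "https":
            return False, "tls_required"

        # 2. Authenticate the key: hash the presented secret and compare it in
        #    constant time. An unknown id is compared against a dummy digest so
        #    the response time does not reveal which ids exist.
        key_id, sep, secret = api_key.partition(".")
        tenant = self._tenants.get(key_id)
        expected = tenant.key_hash if tenant is not None else bytes(32)
        presented = hashlib.sha256(secret.encode()).digest()
        match = hmac.compare_digest(expected, presented)
        if not (sep and tenant is not None and match):
            return False, "invalid_key"

        # 3. Rate-limit the authenticated tenant with a fixed one-minute window
        #    so one caller cannot flood the API.
        now = self._now()
        if now - tenant.window_start >= 60:
            tenant.window_start, tenant.count = now, 0
        tenant.count += 1
        if tenant.count > tenant.limit_per_minute:
            return False, "rate_limited"
        return True, tenant.name


if __name__ == "__main__":
    auth = WafApiAuthenticator()
    key = auth.issue_key("example-tenant", limit_per_minute=2)  # constructed sample
    for scheme, k in [("http", key), ("https", key + "x"), ("https", key),
                      ("https", key), ("https", key)]:
        print(scheme, auth.authorize(scheme, k))
```

Pair this with per-key audit logging of the `reason` values: a burst of `invalid_key` or `rate_limited` results for one tenant is the signal a SOC wants to see.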

Conclusion

Threats posed by vulnerable APIs, including those affecting WAFs, are ever-growing. In fact, 9 of the 10 categories in the latest OWASP Top 10 now mention APIs.

Yet, API security remains overlooked in information security today. This is because API vulnerabilities are not easy to detect without specialized technology.

WAFs are one way to make sure API platforms are secured, and for securing the actual WAF API keys, encryption and authentication will come in handy. 

As threats evolve and organizations become more aware of the threats that vulnerable APIs pose, it’s clear API security will gain more traction in not just the WAF arena but other cloud services as well.

The post 3 Ways to Secure WAF APIs appeared first on Cloudbric.

Skyworks’ advanced connectivity solutions powering Wi-Fi 6 devices

Skyworks Solutions, an innovator of high performance analog semiconductors connecting people, places and things, announced that its advanced connectivity solutions are powering next generation Wi-Fi 6 (802.11ax) devices from the world’s leading connected home and mesh network providers, including Arris, Asus, D-Link, Netgear, Ruckus and TP-Link. Specifically, Skyworks’ modules are being leveraged in all of the latest Wi-Fi 6 routers named in a recent CNET article. Wi-Fi 6 is the newest 802.11 wireless standard that … More

The post Skyworks’ advanced connectivity solutions powering Wi-Fi 6 devices appeared first on Help Net Security.

Arista Networks selected by SK Telecom for 5G data transmission service

Arista Networks announced that it is providing network platforms for SK Telecom’s 5G network. SK Telecom will be building a high capacity leaf-spine based data center network environment leveraging VXLAN/EVPN for virtualization, scalability and availability, providing customers with reliable high-speed network services. SK Telecom commercialized its 5G service in December of last year for the first time and intends to apply Mobile Edge Computing (MEC) for an efficient IT infrastructure expansion plan in line with … More

The post Arista Networks selected by SK Telecom for 5G data transmission service appeared first on Help Net Security.

Nutanix and ServiceNow team to deliver self-service for automating common IT workflows

Nutanix, a leader in enterprise cloud computing, announced that the Nutanix hyperconverged infrastructure (HCI) platform is integrated with the ServiceNow IT Operations Management solution to automate critical private cloud workflows. With this integration, ServiceNow customers can not only discover Nutanix HCI environments automatically, but also gain access to Nutanix-powered IT services and get direct notification of critical incidents related to Nutanix HCI in their private clouds. Automating the mundane tasks of IT is essential to … More

The post Nutanix and ServiceNow team to deliver self-service for automating common IT workflows appeared first on Help Net Security.

Airbus CyberSecurity and Thales support operators of vital importance against cyber attacks

Airbus CyberSecurity and Thales, two European leaders in cybersecurity, have signed a partnership agreement to offer a unique solution against cyber attacks. The solution will combine the file analysis system Orion Malware from Airbus CyberSecurity with Thales’s intrusion detection system Cybels Sensor, which obtained Security Visa from the French national cybersecurity agency (ANSSI) in April 2019. This cooperation will enable the two companies to offer the best detection solution on the market, increasing the overall … More

The post Airbus CyberSecurity and Thales support operators of vital importance against cyber attacks appeared first on Help Net Security.

Charming Kitten Campaign involved new impersonation methods

Iran-linked APT group Charming Kitten employed new spear-phishing methods in attacks carried out between August and September.

Security experts at ClearSky analyzed attacks recently uncovered by Microsoft that targeted a US presidential candidate, government officials, journalists, and prominent expatriate Iranians. Microsoft Threat Intelligence Center (MSTIC) observed the APT group making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.

ClearSky researchers pointed out that these attacks represent a shift in the group’s tactics, because this is the first time that the Charming Kitten group has attempted to interfere in the elections of a foreign country.

The experts said, with medium-high confidence, that the campaign uncovered by Microsoft is the same campaign they observed over the past several months.

“We evaluate in a medium-high level of confidence, that Microsoft’s discovery and our findings in our previous and existing reports is a congruent operation” reads the report published by ClearSky, “based on the following issues:

  • Same victim profiles
  • Time overlapping
  • Similar attack vectors”

The Iran-linked Charming Kitten group (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. 

As part of the recently observed campaign, the state-sponsored hackers used three different spear-phishing methods:

  • Sending an email message that leverages social engineering methods.
  • Impersonating social media websites, such as Facebook, Twitter and Instagram, and using these social media platforms to spread malicious links. Experts also observed a few social media accounts that were used to contact victims in order to trick them into visiting malicious websites.
  • Sending SMS messages to the victim’s mobile phone. The messages include a link and claim to inform the recipient of an attempt to compromise their email account; the link points to a malicious phishing website.

Experts have identified more than eight new and previously unknown domains, all of which use the ‘.site’ TLD, that were involved in the attacks.

Other technical information, along with indicators of compromise (IoCs), is included in the report.

Pierluigi Paganini

(SecurityAffairs – Charming Kitten, Iran)

The post Charming Kitten Campaign involved new impersonation methods appeared first on Security Affairs.

SHI International opens new Ridge Integration Facility

SHI International, one of North America’s top 10 largest IT solutions providers, will officially open its new 400,000-square foot Ridge Integration Facility in Piscataway, New Jersey at the end of October. The facility, staffed by a team of 120, will expand SHI’s ability to support advanced data center solutions, including integration services that combine components from multiple manufacturers into ready-to-deploy rack systems. With the Ridge Integration Facility joining SHI’s existing 300,000-square foot Integration Center, SHI … More

The post SHI International opens new Ridge Integration Facility appeared first on Help Net Security.

Highrise event series: Bringing together Canada’s digital leaders

In today’s world, we have more technology innovation being developed than any other time in history. In many cases the technology will improve our quality of life and in other cases will have a negative effect not realized until many years later. And, this is why discussions need to keep occurring across the collective community…

Week in review: Unmasking cybercriminals, improving incident response, macOS Catalina security

Here’s an overview of some of last week’s most interesting news and articles:

Winning the security fight: Tips for organizations and CISOs

If you ask Matthew Rosenquist, a former Cybersecurity Strategist for Intel (now independent), overcoming denial of risk, employing the right cybersecurity leader, and defining clear goals are the three most critical objectives for avoiding a negative outcome.

Imperva explains how their recent security incident happened

In late August, Imperva suffered a security incident, … More

The post Week in review: Unmasking cybercriminals, improving incident response, macOS Catalina security appeared first on Help Net Security.

Alabama Hospital chain paid ransom to resume operations after ransomware attack

An Alabama hospital chain announced that it has restored normal operations after paying the ransom demanded by the crooks who infected its systems with ransomware.

A hospital chain in west Alabama was recently hit by a ransomware attack that paralyzed its systems. The organization opted to pay the ransom and announced that it has restored normal operations.

The hospital chain hasn’t revealed the amount it paid to the crooks to decrypt the data; it seems that insurance covered the cost.

Recently I reported that several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure. At the time, a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, revealed that the infrastructures had limited access to their computing systems.

“The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.” reads the post published by the Associated Press.

The operations at the hospitals were severely impacted for 10 days during which the hospitals kept treating people, but new patients were sent to other hospitals in Birmingham or Mississippi.

“We had to gain access to our system quickly and gain the information it was blocking,” chief operating officer Paul Betz told a news conference. “As time goes by, and we determine the full impact of this, we will be very grateful we had cyber insurance in place.”

The systems at the hospitals were infected with a variant of the Ryuk ransomware; internal staff reverted to using paper files.

“A statement from the system said workers were still restoring some nonessential systems including email and were trying to get programs operating at full speed.” continues the post.

The three hospitals admitted more than 32,000 patients last year.

A few weeks ago, the Campbell County Memorial Hospital in Gillette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks; in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the city of Riviera Beach agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)

The post Alabama Hospital chain paid ransom to resume operations after ransomware attack appeared first on Security Affairs.

Security Affairs newsletter Round 235

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Hacker is auctioning a database containing details of 92 million Brazilians
Iran-linked Phosphorus group hit a 2020 presidential campaign
UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities
D-Link router models affected by remote code execution issue that will not be fixed
Data from Sephora and StreetEasy data breaches added to HIBP
PoS malware infections impacted four restaurant chains in the U.S.
US will help Baltic states to secure baltic energy grid
Developer hacked back Muhstik ransomware crew and released keys
Experts found a link between a Magecart group and Cobalt Group
Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild
MS October 2019 Patch Tuesday updates address 59 flaws
Users reported problems with patches for CVE-2019-1367 IE zero-day
Hackers compromised Volusion infrastructure to siphon card details from thousands of sites
Multiple APT groups are exploiting VPN vulnerabilities, NSA warns
Researchers discovered a code execution flaw in NSA GHIDRA
Twitter inadvertently used Phone Numbers collected for security for Ads
vBulletin addresses three new high-severity vulnerabilities
Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware
Attor malware was developed by one of the most sophisticated espionage groups
iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware
Ops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012
SAP October 2019 Security Patch Day fixes 2 critical flaws
Tor Project is going to remove End-Of-Life relays from the network
Hacker breached escort forums in Italy and the Netherlands and is selling user data
Researchers released a free decryptor for the Nemty Ransomware
Sophos fixed a critical vulnerability in Cyberoam firewalls
Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics
Top cybersecurity certifications to consider for your IT career
FIN7 Hackers group is back with a new loader and a new RAT
Leafly Cannabis information platform suffered a data leak
SIM cards used in 29 countries are vulnerable to Simjacker attack

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 235 appeared first on Security Affairs.

A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns

Confiant researchers have discovered a new Mac malware dubbed Tarmac distributed via malvertising campaigns in the US, Italy, and Japan.

Security experts at Confiant have discovered a new Mac malware dubbed Tarmac that is distributed via malvertising campaigns in the US, Italy, and Japan.

“Malicious ads redirect victims to sites showing popups peddling software updates, mainly Adobe Flash Player updates, that once executed will first install the OSX/Shlayer MacOS malware, which then executes the final payload, the OSX/Tarmac,” reads the analysis.

“Indeed, that’s not the official Adobe installer but a fake Flash Player installer that was signed using an Apple developer certificate 2L27TJZBZM issued probably to a fake identity named: Fajar Budiarto.”

Malware authors commonly sign malware with Apple developer certificates because it is quite easy to do and allows their code to bypass security protections like Gatekeeper and XProtect.


This malvertising campaign distributing the two malware Shlayer and Tarmac began in January, but at the time experts did not spot the Tarmac malicious code.

Tarmac acts as a second-stage payload for the Shlayer infection. Experts pointed out that at the time of the analysis the command and control servers had been shut down and the samples they analyzed were relatively old. Experts believe the campaign is still ongoing and that the threat actors have likely changed their infrastructure.

Tarmac gathers information about the infected hardware and sends it to the C2 servers, then it waits for commands.

At the time of the analysis, it was not possible to understand which commands the malware supports because the C&C servers were down.

Experts noticed that most of the key components’ strings are protected with custom encryption and compression in an attempt to thwart analysis.

ZDNet reported that the malvertising campaign that distributed the Shlayer and Tarmac combo was targeted at users located in the US, Italy, and Japan.

The analysis published by the experts also includes additional technical details along with indicators of compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – Tarmac, malvertising)

The post A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns appeared first on Security Affairs.