Daily Archives: October 16, 2019

Key challenges impacting IT audit pros navigating an evolving risk landscape

Protiviti and ISACA surveyed 2,252 chief audit executives (CAEs), internal audit professionals and IT audit vice presidents and directors worldwide. Asked to identify their biggest technology challenges, IT audit leaders and professionals noted the following as their top five: IT security and privacy/cybersecurity Data management and governance Emerging technology and infrastructure changes – transformation/innovation/disruption Staffing and skills challenges Third-party/vendor management “As much as organizations are focusing on cybersecurity and protecting their data, they’re still behind … More

The post Key challenges impacting IT audit pros navigating an evolving risk landscape appeared first on Help Net Security.

MSPs face increased risks and opportunities to rethink cybersecurity

Managed service providers (MSPs) and their small-and medium-sized business (SMB) customers lack the tools and resources needed to sufficiently defend against rising cyberattacks and threats, according to Continuum. Security shortcomings The report found significant shortcomings in how MSPs offer cybersecurity, emphasizing the need for both MSPs and their SMB customers to reevaluate their cybersecurity strategies and identify effective solutions to bridge the widening IT skills gap. Conducted by Vanson Bourne, the study surveyed 200 MSPs … More

The post MSPs face increased risks and opportunities to rethink cybersecurity appeared first on Help Net Security.

1 in 5 SMBs have fallen victim to a ransomware attack

Ransomware remains the most common cyber threat to SMBs, according to a Datto survey of more than 1,400 MSP decision makers that manage the IT systems for small-to-medium-sized businesses. SMBs are a prime target While it is used against businesses of all sizes, SMBs have become a prime target for attackers. The report uncovered a number of ransomware trends specifically impacting the SMB market: Ransomware attacks are pervasive. The number of ransomware attacks against SMBs … More

The post 1 in 5 SMBs have fallen victim to a ransomware attack appeared first on Help Net Security.

Executives are not actively engaged in ensuring the effectiveness of cybersecurity strategy

There’s a clear lack of accountability, especially on the board and among C-suite executives, and a lack of confidence in determining the efficacy of security technologies. AttackIQ and Ponemon Institute surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organizations’ IT security strategy, tactics, and technology investments. “Enterprise culture is formed at the top. If enterprise leaders are not actively engaged in ensuring a strong cybersecurity posture, it … More

The post Executives are not actively engaged in ensuring the effectiveness of cybersecurity strategy appeared first on Help Net Security.

Do digital architects have the tools to make the most of transformative technologies?

Digital architects are struggling to satisfy their organizations’ digital transformation ambitions, research from Couchbase has found. In a survey of 450 heads of digital transformation responsible for managing data architecture at enterprises across the U.S., U.K., France and Germany, 85 percent of respondents were under pressure to deliver digital projects – with 41 percent experiencing “high” or “extremely high” pressure. This is not helped by the apparent scale of the challenge facing architects. Sixty eight … More

The post Do digital architects have the tools to make the most of transformative technologies? appeared first on Help Net Security.

When Card Shops Play Dirty, Consumers Win

Cybercrime forums have been abuzz this week over news that BriansClub — one of the underground’s largest shops for stolen credit and debit cards — has been hacked, and its inventory of 26 million cards shared with security contacts in the banking industry. Now it appears this brazen heist may have been the result of one of BriansClub’s longtime competitors trying to knock out a rival.

And advertisement for BriansClub that for years has used my name and likeness to peddle stolen cards.

Last month, KrebsOnSecurity was contacted by an anonymous source who said he had the full database of 26M cards stolen from BriansClub, a carding site that has long used this author’s name and likeness in its advertising. The stolen database included cards added to the site between mid-2015 and August 2019.

This was a major event in the underground, as experts estimate the total number of stolen cards leaked from BriansClub represent almost 30 percent of the cards on the black market today.

The purloined database revealed BriansClub sold roughly 9.1 million stolen credit cards, earning the site and its resellers a cool $126 million in sales over four years.

In response to questions from KrebsOnSecurity, the administrator of BriansClub acknowledged that the data center serving his site had been hacked earlier in the year (BriansClub claims this happened in February), but insisted that all of the cards stolen by the hacker had been removed from BriansClub store inventories.

However, as I noted in Tuesday’s story, multiple sources confirmed they were able to find plenty of card data included in the leaked database that was still being offered for sale at BriansClub.

Perhaps inevitably, the admin of BriansClub took to the cybercrime forums this week to defend his business and reputation, re-stating his claim that all cards included in the leaked dump had been cleared from store shelves.

The administrator of BriansClub, who’s appropriated the name and likeness of Yours Truly for his advertising, fights to keep his business alive.

Meanwhile, some of BriansClub’s competitors gloated about the break-in. According to the administrator of Verified, one of the longest running Russian language cybercrime forums, the hack of BriansClub was perpetrated by a fairly established ne’er-do-well who uses the nickname “MrGreen” and runs a competing card shop by the same name.

The Verified site admin said MrGreen had been banned from the forum, and added that “sending anything to Krebs is the lowest of all lows” among accomplished and self-respecting cybercriminals. I’ll take that as a compliment.

This would hardly be the first time some cybercriminal has used me to take down one of his rivals. In most cases, I’m less interested in the drama and more keen on validating the data and getting it into the proper hands to do some good.

That said, if the remainder of BriansClub’s competitors want to use me to take down the rest of the carding market, I’m totally fine with that.

The BriansClub admin, defending the honor of his stolen cards shop after a major breach.

The Evolution of Phishing: The Spear Is Aimed at You

You can’t go a week without seeing a story about a data breach or ransomware hitting organizations. These breaches can be very costly, but they still continue to show up. Are the good guys not winning the cybersecurity war? Organizations invest millions of dollars in security products and services, but they keep getting breached. We […]… Read More

The post The Evolution of Phishing: The Spear Is Aimed at You appeared first on The State of Security.

ManageEngine launches PAM360, a complete privileged access security solution for enterprise IT

ManageEngine, the IT management division of Zoho Corporation, announced the launch of PAM360, a complete privileged access security solution for IT security teams. Available immediately, PAM360 offers enterprise-grade capabilities in privileged access governance, including just-in-time controls and privileged user behavior analytics (PUBA), to provide CISOs and cybersecurity executives holistic visibility of their privileged access security. Monitoring and regulating access to privileged accounts are critical to enterprise security. In fact, Forrester estimates that compromised privileged credentials … More

The post ManageEngine launches PAM360, a complete privileged access security solution for enterprise IT appeared first on Help Net Security.

Revisiting The Concepts of Disaster Recovery and Risk as Organizations Move Their Infrastructure To The Cloud

The calculus for disaster recovery and risk management is changing. Most small businesses within the past decade would often keep many of their critical technology assets locally, perhaps in a server closet, or a centralized data center for multiple offices. They built their own “vault” of applications, databases, email, files, etc., often on a few […]… Read More

The post Revisiting The Concepts of Disaster Recovery and Risk as Organizations Move Their Infrastructure To The Cloud appeared first on The State of Security.

Symantec Endpoint Security delivers protection, detection and response in a single solution

Symantec, the world’s leading cyber security company, announced a major revamp to its endpoint portfolio with Symantec Endpoint Security (SES), which now delivers protection, detection and response in a single solution, as well as new attack surface reduction, threat hunting, and breach assessment and prevention capabilities. To safeguard their organizations from modern and sophisticated attacks, security teams need simple, comprehensive and flexible solutions. They also need automated assistance with security management to quickly evaluate risks … More

The post Symantec Endpoint Security delivers protection, detection and response in a single solution appeared first on Help Net Security.

Elastic blends SIEM and endpoint security into a single solution for real-time threat response

Elastic, the company behind Elasticsearch and the Elastic Stack, announced the introduction of Elastic Endpoint Security, based on Elastic’s acquisition of Endgame, a pioneer and industry-recognized leader in endpoint threat prevention, detection, and response based on the MITRE ATT&CK matrix. Elastic is combining SIEM and endpoint security into a single solution to enable organizations to automatically and flexibly respond to threats in real time, whether in the cloud, on-premises, or in hybrid environments. Elastic is … More

The post Elastic blends SIEM and endpoint security into a single solution for real-time threat response appeared first on Help Net Security.

Kanguru releases UltraLock USB-C M.2 NVMe SSD with SuperSpeed+ Connectivity

Kanguru has launched its newest and fastest external Solid State Drive with SuperSpeed+ Connectivity. The new Kanguru UltraLock USB-C M.2 NVMe SSD is super fast for high-speed data transfers, and packs lots of great convenient features into such a small device. “The new Kanguru UltraLock USB-C M.2 NVMe Solid State Drive combines cutting edge interface technology with high-quality SSDs to create one of the fastest USB storage devices currently available on the market,” says Ken … More

The post Kanguru releases UltraLock USB-C M.2 NVMe SSD with SuperSpeed+ Connectivity appeared first on Help Net Security.

Databricks unveils Model Registry, a new capability within MLflow

Databricks, the leader in unified data analytics, announced Model Registry, a new capability within MLflow, an open-source platform for the machine learning (ML) lifecycle created by Databricks. The new component enables a comprehensive model management process by providing data scientists and engineers a central repository to track, share, and collaborate on machine learning models. The Model Registry manages the full lifecycle of models and their stage transitions from experimentation to staging and deployment. Since introducing … More

The post Databricks unveils Model Registry, a new capability within MLflow appeared first on Help Net Security.

Shared Assessments and 57 cross industry firms drive uniform cybersecurity alert definitions

The Shared Assessments Program, the member-driven leader in third party risk assurance, announced that the organization’s Continuous Monitoring Taxonomy subgroup has released “Creating a Unified Continuous Monitoring Cybersecurity Taxonomy: Gaining Ground by Saying What’s What.” An unprecedented community of Continuous Monitoring (CM) service providers and third party risk experts have been brought together by the Shared Assessments Program for this endeavor. It is understood to be the first such effort to establish standardized commonalities and … More

The post Shared Assessments and 57 cross industry firms drive uniform cybersecurity alert definitions appeared first on Help Net Security.

Gigamon ThreatINSIGHT’s new features reduce investigation and response time

Gigamon, the leader in network visibility and analytics for digital innovators, announced the latest version of Gigamon ThreatINSIGHT, the cloud-native Network Detection and Response (NDR) solution. ThreatINSIGHT uses Machine Learning (ML) and Gigamon Applied Threat Research (ATR) techniques to dramatically reduce investigation and response time. New features include: ML-based automated behavior profiling curated by ATR provides best-in-class detection capabilities Ability to identify and curate clusters of network events allowing incident responders to quickly identify impending … More

The post Gigamon ThreatINSIGHT’s new features reduce investigation and response time appeared first on Help Net Security.

Smashing Security #150: Liverpool WAGs, Facebook politics, and a selfie stalker

Footballers’ wives go to war over Instagram leaks, it turns out fake news is fine on Facebook (just so long as it’s in a political ad), and things take a horrific turn in Japan, as a stalker uses a scary technique to find out where his pop idol lives.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dave Bittner.

BriansClub Hacked Over 26 Million Credit and Debit Cards Leaked

Infamous Website BriansClub Hacked Over 26 Million Credit and Debit Cards Leaked 26 Million Credit Debit Cards Leaked! 26 Million Credit Debit Cards Leaked: BriansClub an infamous underground website that sells stolen credit and debit cards has been hacked and over 26 million credit and debit card dumps have been leaked. Over a period of ... Read moreBriansClub Hacked Over 26 Million Credit and Debit Cards Leaked

The post BriansClub Hacked Over 26 Million Credit and Debit Cards Leaked appeared first on HackingVision.

ThreatConnect named winner of the SOAR Platform of the Year award

ThreatConnect, provider of the industry’s only intelligence-driven security operations platform, announced that it has been named the winner of the “Overall Security Orchestration, Automation and Response (SOAR) Platform of the Year” award from CyberSecurity Breakthrough, a leading independent market intelligence organization that recognizes the top companies, technologies, and products in the global information security market today. CyberSecurity Breakthrough Awards recognizes the innovation, hard work, and success in a range of information security categories, including Cloud … More

The post ThreatConnect named winner of the SOAR Platform of the Year award appeared first on Help Net Security.

Vermont Schools Spy on What Students Do Online

Vermont Schools Spy on What Students Do Online

Schools in Vermont are hiring companies to monitor what their students post and search for online.

According to a report by investigative journalism platform VTDigger, five schools in the Green Mountain State hired Burlington-based firm Social Sentinel to track the online activities of their students. 

Social Sentinel uses keyword-based algorithms and machine learning to scan social media posts within a set geographic area for words that could indicate that a student is at risk or poses a threat to others. 

When a particular word is discovered, a red flag is raised, causing an alert to be sent to school officials. For an additional fee, Social Sentinel can also scan the contents of students' emails. The aim is to alleviate problems like cyber-bullying, self-harm, and teen suicide and to prevent mass shootings or other violence.

A further eight schools told VTDigger that they had contracts with vendors to monitor activity on district services and school-sponsored email for browsing habits and keywords that could mean a student is a threat or in danger. Companies hired to carry out the monitoring included SecurlyBark, and Lightspeed Systems.

Middle schools in the Burlington school district reported using a product called Admin, which is made by GoGuardian. Admin is a multi-layered filtering solution powered by advanced machine learning, which allows school officials to keep tabs on what students search for, watch, and read while using district devices. 

The information was uncovered when VTDigger sent a public records request to all 52 superintendents in Vermont, asking if any social media monitoring contracts had been signed. 

Contacted for comment by VTDigger, Social Sentinel founder Gary Margolis said: "We built a technology that actually helps prevent bad things from happening by giving information that can give context to what’s going on, in a way that respects privacy, and all I do is get questioned by you and folks in the media about privacy issues. It’s mind-bogglingly frustrating."

Brian Schaffer, principal at Lamoille Union High school, which contracted with Social Sentinel for a year in 2015, said the technology "wasn’t as functional as I had hoped it would be."

According to Schafffer, most of the daily alerts flagged irrelevant posts, some of which were written by Quebec tourists bragging about buying Heady Topper beer while on vacation in Vermont.

task force created by Gov. Phil Scott earlier this year to help prevent school shootings recommended that Vermont invest in monitoring software to scan social media posts statewide. The task force was formed after a plot by Fair Haven Union High School student Jack Sawyer to carry out a mass shooting at his school was discovered in February 2018.

The Ultimate Missing Link in Cyber: Continuous Compromise Assessment

According to Ricardo Villadiego, Lumu Technologies' Founder and CEO, organizations are "sitting on a gold mine: their own data". Under the single premise that organizations should assume they are compromised and prove otherwise, Lumu seeks to empower enterprises to answer the most basic question: Is your organization talking with adversary infrastructure?

‘Graboid’ Cryptojacking Worm Spreads Through Containers

Using Docker Containers to Spread Worm Is a New, Untested Technique, Researchers Say
Attackers are using Docker containers to spread a cryptojacking worm in a campaign dubbed "Graboid," according to researchers at Palo Alto Network's Unit 42 threat research unit. Although the researchers describe the campaign as "relatively inept," they says it has the potential to become much more dangerous.

Ransomware Attacks: STOP, Dharma, Phobos Dominate

GlobeImposter 2.0 and Sodinokibi Strikes Also Common, Researchers Find
Ransomware is once again the most common illicit profit-making tool in online attackers' arsenal, police warn. Security firm Emsisoft says the most-seen strains in recent months include STOP, Dharma .cezar, Phobos, GlobeImposter 2.0 and Sodinokibi. Less widely seen Ryuk also continues to generate big profits.

WAV files spotted delivering malicious code

Attackers have embedded crypto-mining and Metasploit code into WAV audio files to stymie threat detection solutions. “All WAV files discovered adhere to the format of a legitimate WAV file (i.e., they are all playable by a standard audio player),” Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told Help Net Security. “One WAV file contained music with no indication of distortion or corruption and the others contained white noise. One of the WAV … More

The post WAV files spotted delivering malicious code appeared first on Help Net Security.

Over 550 Fake US Election Web Domains Discovered

Over 550 Fake US Election Web Domains Discovered

External threat intelligence experts have detected hundreds of fake election web domains designed to target American voters.

New research by Digital Shadows uncovered over 550 fake domains ranging from false funding pages to counterfeit candidate sites set up against 19 Democrat and four Republican presidential candidates.

Most of the sites—68%—simply redirect the user to another domain, often to that of a rival candidate. Worryingly, 8% of domain squats discovered redirect users to file converter or secure browsing Google Chrome extensions that can be used to infringe on voter privacy and host potentially dangerous malware if downloaded. 

One false funding page exploited the possibility of a typo to encourage voters to switch their allegiance. Financial donors who accidentally type WinRde.com when searching for Republican fundraising page WinRed.com are taken to ActBlue.com, a fundraising site for the rival Democratic party. 

Harrison Van Riper, strategy and research analyst at Digital Shadows, told Infosecurity Magazine: "We detected a few redirecting domains (donaldtrump[.]cloud, for example), which sent the browser to doyoulikebread.weebly[.]com and would pose the straightforward question of "Do You Like Bread?" with Yes or No options. 

"Yes would lead the user to a video for “You’re the one that I want” from the musical Grease, and No would lead to a video of Oprah Winfrey exclaiming how much she likes bread. The internet can be a weird place, sometimes!"

In total, 66 of the 550+ domains were being hosted on the same IP address, registered under the privacy protection service WhoisGuard, Inc. and potentially operated by the same individual. Digital Shadows was unable to attribute any of the fake domains to a specific person or group. 

"We really can't say who is responsible for these redirects, but hackers with a sense of humor is certainly a possibility. It could also be individuals who want to see their favorite candidate succeed," Van Riper told Infosecurity Magazine.

Van Riper said that the enactment of the GDPR regulation has made it harder to tell who or what organization stands behind a specific domain. Under the new rules, domain registration details have been removed from official records.

Instead of changing the law to prevent fake sites, Van Riper suggests registrars could do more to combat the problem. He said: "I don't see this as a legal issue; rather, I think that registrars could do more to verify that people registering these domains are doing so for legitimate purposes. This is a huge task, but ultimately, it's within the registrar's control to help combat the issue of people setting up fake domains for legitimate websites."

Top 6 email security best practices to protect against phishing attacks and business email compromise

Most cyberattacks start over email—a user is tricked into opening a malicious attachment, or into clicking a malicious link and divulging credentials, or into responding with confidential data. Attackers dupe victims by using carefully crafted emails to build a false sense of trust and/or urgency. And they use a variety of techniques to do this—spoofing trusted domains or brands, impersonating known users, using previously compromised contacts to launch campaigns and/or using compelling but malicious content in the email. In the context of an organization or business, every user is a target and, if compromised, a conduit for a potential breach that could prove very costly.

Whether it’s sophisticated nation-state attacks, targeted phishing schemes, business email compromise or a ransomware attacks, such attacks are on the rise at an alarming rate and are also increasing in their sophistication. It is therefore imperative that every organization’s security strategy include a robust email security solution.

So, what should IT and security teams be looking for in a solution to protect all their users, from frontline workers to the C-suite? Here are 6 tips to ensure your organization has a strong email security posture:

You need a rich, adaptive protection solution.

As security solutions evolve, bad actors quickly adapt their methodologies to go undetected. Polymorphic attacks designed to evade common protection solutions are becoming increasingly common. Organizations therefore need solutions that focus on zero-day and targeted attacks in addition to known vectors. Purely standards based or known signature and reputation-based checks will not cut it.

Solutions that include rich detonation capabilities for files and URLs are necessary to catch payload-based attacks. Advanced machine learning models that look at the content and headers of emails as well as sending patterns and communication graphs are important to thwart a wide range of attack vectors including payload-less vectors such as business email compromise. Machine learning capabilities are greatly enhanced when the signal source feeding it is broad and rich; so, solutions that boast of a massive security signal base should be preferred. This also allows the solution to learn and adapt to changing attack strategies quickly which is especially important for a rapidly changing threat landscape.

Complexity breeds challenges. An easy-to-configure-and-maintain system reduces the chances of a breach.

Complicated email flows can introduce moving parts that are difficult to sustain. As an example, complex mail-routing flows to enable protections for internal email configurations can cause compliance and security challenges. Products that require unnecessary configuration bypasses to work can also cause security gaps. As an example, configurations that are put in place to guarantee delivery of certain type of emails (eg: simulation emails), are often poorly crafted and exploited by attackers.

Solutions that protect emails (external and internal emails) and offer value without needing complicated configurations or emails flows are a great benefit to organizations. In addition, look for solutions that offer easy ways to bridge the gap between the security teams and the messaging teams. Messaging teams, motivated by the desire to guarantee mail delivery, might create overly permissive bypass rules that impact security. The sooner these issues are caught the better for overall security. Solutions that offer insights to the security teams when this happens can greatly reduce the time taken to rectify such flaws thereby reducing the chances of a costly breach

A breach isn’t an “If”, it’s a “When.” Make sure you have post-delivery detection and remediation.

No solution is 100% effective on the prevention vector because attackers are always changing their techniques. Be skeptical of any claims that suggest otherwise. Taking an ‘assume breach’ mentality will ensure that the focus is not only on prevention, but on efficient detection and response as well. When an attack does go through the defenses it is important for security teams to quickly detect the breach, comprehensively identify any potential impact and effectively remediate the threat.

Solutions that offer playbooks to automatically investigate alerts, analyze the threat, assess the impact, and take (or recommend) actions for remediations are critical for effective and efficient response. In addition, security teams need a rich investigation and hunting experience to easily search the email corpus for specific indicators of compromise or other entities. Ensure that the solution allows security teams to hunt for threats and remove them easily.
Another critical component of effective response is ensuring that security teams have a good strong signal source into what end users are seeing coming through to their inbox. Having an effortless way for end users to report issues that automatically trigger security playbooks is key.

Your users are the target. You need a continuous model for improving user awareness and readiness.

An informed and aware workforce can dramatically reduce the number of occurrences of compromise from email-based attacks. Any protection strategy is incomplete without a focus on improving the level of awareness of end users.

A core component of this strategy is raising user awareness through Phish simulations, training them on things to look out for in suspicious emails to ensure they don’t fall prey to actual attacks. Another, often overlooked, but equally critical, component of this strategy, is ensuring that the everyday applications that end-users use are helping raise their awareness. Capabilities that offer users relevant cues, effortless ways to verify the validity of URLs and making it easy to report suspicious emails within the application — all without compromising productivity — are very important.

Solutions that offer Phish simulation capabilities are key. Look for deep email-client-application integrations that allow users to view the original URL behind any link regardless of any protection being applied. This helps users make informed decisions. In addition, having the ability to offer hints or tips to raise specific user awareness on a given email or site is also important. And, effortless ways to report suspicious emails that in turn trigger automated response workflows are critical as well.

Attackers meet users where they are. So must your security.

While email is the dominant attack vector, attackers and phishing attacks will go where users collaborate and communicate and keep their sensitive information. As forms of sharing, collaboration and communication other than email, have become popular, attacks that target these vectors are increasing as well. For this reason, it is important to ensure that an organization’s anti-Phish strategy not just focus on email.

Ensure that the solution offers targeted protection capabilities for collaboration services that your organization uses. Capabilities like detonation that scan suspicious documents and links when shared are critical to protect users from targeted attacks. The ability in client applications to verify links at time-of-click offers additional protection regardless of how the content is shared with them. Look for solutions that support this capability.

Attackers don’t think in silos. Neither can the defenses.

Attackers target the weakest link in an organization’s defenses. They look for an initial compromise to get in, and once inside will look for a variety of ways increase the scope and impact of the breach. They typically achieve this by trying to compromise other users, moving laterally within the organization, elevating privileges when possible, and the finally reaching a system or data repository of critical value. As they proliferate through the organization, they will touch different endpoints, identities, mailboxes and services.

Reducing the impact of such attacks requires quick detection and response. And that can only be achieved when the defenses across these systems do not act in silos. This is why it is critical to have an integrated view into security solutions. Look for an email security solution that integrates well across other security solutions such as endpoint protection, CASB, identity protection, etc. Look for richness in integration that goes beyond signal integration, but also in terms of detection and response flows.

 

 

The post Top 6 email security best practices to protect against phishing attacks and business email compromise appeared first on Microsoft Security.

UK Abandons Planned Online Pornography Age Verification System

UK Abandons Planned Online Pornography Age Verification System

The British government has dropped plans to introduce a national online pornography age verification system because implementing it would be too difficult.

A nationwide system to ensure X-rated online content cannot be viewed by children was first proposed in 2015 by the then culture secretary Sajid Javid. However, it took the proposal two years to become law.

Under the proposal, pornography websites would be required to verify that users were age 18 or older. Suggested ways of doing this included running verification checks on credit cards and making porn passes available to purchase from newsagents on the presentation of photo ID. 

Websites that refused to go along with the age checks could have been blocked by UK internet service providers or had their access to payment services revoked. 

The system was going to be funded and run by private companies and overseen by the British Board of Film Classification.

The system was initially due to come into force on July 15 this year but was then delayed for six months because the government had neglected to announce the plan to the European Union. 

Today, culture secretary Nicky Morgan told parliament that the age verification system would be dropped altogether. Morgan said that the government would focus instead on implementing broader child protection measures as laid out in the online harms white paper published in April 2019. 

The white paper proposes establishing in law a new duty of care toward internet users, which will be overseen by an independent regulator. Companies will be held to account for tackling a more comprehensive set of online harms, ranging from illegal activity and content to behaviors that are harmful but not necessarily illegal.

"The government’s commitment to protecting children online is unwavering. Adult content is too easily accessed online and more needs to be done to protect children from harm," said Morgan. 

"This course of action will give the regulator discretion on the most effective means for companies to meet their duty of care."

While privacy campaigners who raised data security concerns over the proposed system may be celebrating its abandonment, British businesses that had invested time and money in developing verification products are sure to be disappointed.

Guarding against supply chain attacks—Part 1: The big picture

Every day, somewhere in the world, governments, businesses, educational organizations, and individuals are hacked. Precious data is stolen or held for ransom, and the wheels of “business-as-usual” grind to a halt. These criminal acts are expected to cost more than $2 trillion in 2019, a four-fold increase in just four years. The seeds that bloom into these business disasters are often planted in both hardware and software systems created in various steps of your supply chain, propagated by bad actors and out-of-date business practices.

These compromises in the safety and integrity of your supply chain can threaten the success of your business, no matter the size of your operation. But typically, the longer your supply chain, the higher the risk for attack, because of all the supply sources in play.

In this blog series, “Guarding against supply chain attacks,” we examine various components of the supply chain, the vulnerabilities they present, and how to protect yourself from them.

Defining the problem

Supply chain attacks are not new. The National Institute of Standards and Technology (NIST) has been focused on driving awareness in this space since 2008. And this problem is not going away. In 2017 and 2018, according to Symantec, supply chain attacks rose 78 percent. Mitigating this type of third-party risk has become a major board issue as executives now understand that partner and supplier relationships pose fundamental challenges to businesses of all sizes and verticals.

Moreover, for compliance reasons, third-party risk also continues to be a focus. In New York State, Nebraska, and elsewhere in the U.S., third-party risk has emerged as a significant compliance issue.

Throughout the supply chain, hackers look for weaknesses that they can exploit. Hardware, software, people, processes, vendors—all of it is fair game. At its core, attackers are looking to break trust mechanisms, including the trust that businesses naturally have for their suppliers. Hackers hide their bad intentions behind the shield of trust a supplier has built with their customers over time and look for the weakest, most vulnerable place to gain entry, so they can do their worst.

According to NIST, cyber supply chain risks include:

  • Insertion of counterfeits.
  • Unauthorized production of components.
  • Tampering with production parts and processes.
  • Theft of components.
  • Insertion of malicious hardware and software.
  • Poor manufacturing and development practices that compromise quality.

Cyber Supply Chain Risk Management (C-SCRM) identifies what the risks are and where they come from, assesses past damage and ongoing and future risk, and mitigates these risks across the entire lifetime of every system.

This process examines:

  • Product design and development.
  • How parts of the supply chain are distributed and deployed.
  • Where and how they are acquired.
  • How they are maintained.
  • How, at end-of-life, they are destroyed.

The NIST approach to C-SCRM considers how foundational practices and risk are managed across the whole organization.

Examples of past supply chain attacks

The following are examples of sources of recent supply chain attacks:

Hardware component attacks—When you think about it, OEMs are among the most logical places in a supply chain which an adversary will likely try to insert vulnerabilities. For example, in 2018, an unidentified major telecommunications company in the U.S. uncovered hardware manufactured by a subcontractor in China for Super Micro Computer Inc., a California-based company. These parts which were manufactured in China and assumed to have been tampered with by the Chinese intelligence service.

Software component attacks—Again in 2016, Chinese hackers purportedly attacked TeamViewer software, which was a potential virtual invitation to view and access information on the computers of millions of people all over the world who use this program.

People perpetrated attacks—People are a common connector between the various steps and entities in any supply chain and are subject to the influence of corrupting forces. Nation-states or other “cause-related” organizations prey on people susceptible to bribery and blackmail. In 2016, the Indian tech giant, Wipro, had three employees arrested in a suspected security breach of customer records for the U.K. company TalkTalk.

Business processes—Business practices (including services), both upstream and downstream, are also examples of vulnerable sources of infiltration. For example, Monster.com experienced an exposed database when one of its customers did not adequately protect a web server storing resumes, which contain emails and physical addresses, along with other personal information, including immigration records. This and other issues can be avoided if typical business practices such as risk profiling and assessment services are in place and are regularly reviewed to make sure they comply with changing security and privacy requirements. This includes policies for “bring your own” IoT devices, which are another fast-growing vulnerability.

Big picture practical advice

Here’s some practical advice to take into consideration:

Watch out for copycat attacks—If a data heist worked with one corporate victim, it’s likely to work with another. This means once a new weapon is introduced into the supply chain, it is likely to be re-used—in some cases, for years.

To prove the point, here are some of the many examples of cybercrimes that reuse code stolen from legal hackers and deployed by criminals.

  • The Conficker botnet MS10-067 is over a decade old and is still found on millions of PCs every month.
  • The criminal group known as the Shadow Brokers used the Eternal Blue code designed by the U.S. National Security Agency as part of their cybersecurity toolkit. When the code was leaked illegally and sold to North Korea, they used it to execute WannaCry in 2017, which spread to 150 countries and infected over 200,000 computers.
  • Turla, a purportedly Russian group, has been active since 2008, infecting computers in the U.S. and Europe with spyware that establishes a hidden foothold in infected networks that searches for and steals data.

Crafting a successful cyberattack from scratch is not a simple undertaking. It requires technical know-how, resources to create or acquire new working exploits, and the technique to then deliver the exploit, to ensure that it operates as intended, and then to successfully remove information or data from a target.

It’s much easier to take a successful exploit and simply recycle it—saving development and testing costs, as well as the costs that come from targeting known soft targets (e.g., avoiding known defenses that may detect it). We advise you to stay in the know about past attacks, as any one of them may come your way. Just ask yourself: Would your company survive a similar attack? If the answer is no—or even maybe—then fix your vulnerabilities or at the very least make sure you have mitigation in place.

Know your supply chain—Like many information and operational technology businesses, you probably depend on a global system of suppliers. But do you know where the various technology components of your business come from? Who makes the hardware you use—and where do the parts to make that hardware come from? Your software? Have you examined how your business practices and those of your suppliers keep you safe from bad actors with a financial interest in undermining the most basic components of your business? Take some time to look at these questions and see how you’d score yourself and your suppliers.

Looking ahead

Hopefully, the above information will encourage (if not convince) you to take a big picture look at who and what your supply chain consists of and make sure that you have defenses in place that will protect you from all the known attacks that play out in cyberspace each day.

In the remainder of the “Guarding against supply chain attacks” series, we’ll drill down into supply chain components to help make you aware of potential vulnerabilities and supply advice to help you protect your company from attack.

Stay tuned for these upcoming posts:

  • Part 2—Explores the risks of hardware attacks.
  • Part 3—Examines ways in which software can become compromised.
  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

The post Guarding against supply chain attacks—Part 1: The big picture appeared first on Microsoft Security.

Investing in our Future Cybersecurity Workforce Through JROTC

digital risks

We all know that filling the pipeline for IT jobs is one of our nation’s biggest challenges. The Department of Labor projects there will be 3.5 million computing-related jobs available by 2026, but our current education pipeline will only fill 19% of those openings, threatening our security and global leadership.

Congress recently proposed a plan to grow the talent pipeline and diversify the computer science and cybersecurity workforce in the federal government. The Junior Reserve Officers’ Training Corps (JROTC) Cyber Training Act (H.R.3266/S.2154), which was sponsored by Representatives Lizzie Fletcher (D-TX), Rob Bishop (R-UT), Jackie Speier (D-CA), Conor Lamb (D-PA) and Michael Waltz (R-FL) in the House, and Senators Jackie Rosen (D-NV), Marsha Blackburn (R-TN), Gary Peters (D-MI) and John Cornyn (R-TX) in the Senate, would direct the Secretary of Defense to develop a program to prepare JROTC high school students for military and civilian careers in computer science and cybersecurity

If enacted, the bill would create targeted internships, cooperative research opportunities and funding for training with an emphasis on computer science and cybersecurity education. This important legislation has the potential to bring evidence-based computer science and cybersecurity education to 500,000 students at 3,400 JROTC high schools across the United States, greatly improving the number of professionals ready to take on the cyber challenges of tomorrow.

The Department of Defense reports that 30% of JROTC cadets join the military after high school or college. The remaining 70% of cadets represent a large pool of talent that could enter into civilian roles in the defense and cybersecurity sectors if given the proper training while in the JROTC program. The JROTC Cyber Training Act is an important opportunity to fill those job openings with innovative thinkers from the JROTC program, while simultaneously growing and diversifying the future workforce.

Cybersecurity is one of the greatest technical challenges of our time, and we need to be creative to meet it. McAfee is proud to support initiatives to establish programs, such as the JROTC Cyber Training Act, that provide skills to help build the STEM pipeline, fill related job openings, and close gender and diversity gaps.

The post Investing in our Future Cybersecurity Workforce Through JROTC appeared first on McAfee Blogs.

Checking for Malware on Your iPad

If you own a jailbreak-free iPad, you have the assurance that your device is virus-free. Moreover, you’re safe from any vital issues caused by malware because it doesn’t target iPads exclusively. On the other hand, you must still be watchful of some concerns that you’ll find out here.

Although a virus can’t wreak havoc to your iPad, some threats like malware exist. For one, phishing scams can fool you to provide your password on a fraudulent recovery page you received. Cybercriminals can send you messages, like the ones you receive on your computer, to your iPad.

Various methodologies can verify if it’s a phishing scam or adware, and you don’t need to buy them. Moreover, you can protect your device from these issues and avoid malware if you’ve jailbroken your iPad. We invite you to continue reading to understand how you can protect your table from malware and fraudulent advertisements. Also, we’ll tell you how to keep your electronic device safe.

Checking for Malware and Other Problems on Your iPad

You can find out if your iPad is a victim of a phishing scam or adware by examining the URL of the site you’re visiting on your web browser. If there are wrong spelling or many letters and numbers, you’re most probably visiting a scam page, so you must exit it immediately.

If you continue to receive messages that you have a virus or malware on your device, either through a page or in a pop-up ad, you must free the cache of your iPad. However, you must understand that you’re also clearing your saved passwords. This scenario is truly annoying, but you have no choice but to enter them again. You may avail of a password manager before you clear your cache, so you won’t encounter problems about re-saving them. You can return to your routine iPad use immediately.

After securing your passwords, you can now proceed to Settings and tap Safari. Then, you can rap on “Clear History and Website Data,” which you can find at the lower portion of the page, before finally tapping “Clear.” You won’t be receiving the virus or malware warning.

If you receive a weird email notification, you can verify the email address. Just like what we did with the webpage, the email address mustn’t contain any misspellings. Also, it must be the official email address of your subscription or account. You can report unauthorized email as a scam before deleting it from your inbox.

If you’ve jailbroken your iPad, you need to think about your recent downloads and answer these questions:

  • Did you download any apps outside of the app store?
  • Did you download an app from a company that you can’t verify?
  • Are you having issues with a specific app that acts oddly?

Most probably, your problem is with the app, so you must check the company’s social media pages for any announcements. Moreover, you must ensure that you have the latest version of the app. If you have an updated app and you can’t find any reported issue on social media, you can uninstall it. Then, you must verify if you’re still experiencing problems on your device. If your iPad works find, you’ve found your malefactor.

You may search for an alternative software for that function. If you’re still experiencing issues, you can check the other downloaded apps or files. You may try uninstalling each app to see if it fixes your problem. If you’re getting unreliable information from your iPad, you can check the tips we shared here. You can protect it, so you won’t have to face the same issue over and over again.

Protecting Your iPad

We discussed verifying email addresses and URLs in the previous section. You must do so before you provide information or click links. Aside from doing these things, you must ensure that you update your apps and iOS as needed. Apple and software developers offer updates from time to time to add security features or as direct responses to malicious codes and hacks. If you want to secure your iPad from phishing scams, malware, and adware, you must ensure that you keep abreast of software updates.

Moreover, you mustn’t jailbreak your device to make it repairable and safe. Many Apple Genius bars won’t help you if you’ve jailbroken your device. However, if you still decide to jailbreak your iPad, you must follow these safety precautions. First, you must avail of a VPN, so outsiders can’t target your device as you browse online. 

Furthermore, if you want to download apps, you must ensure that you do so from reputable developers. You can install anti-virus software to ensure that your iPad is more secure against any malicious attempts from hackers. This app can provide security like device wipe features, additional web protection, and remote locks. Often, restarting your device can reset your device if malicious apps have infiltrated it. Doing so also kicks out hackers who have accessed your iPad remotely. Also, periodic clearing of cache can flush out adware before it can trick you, or it becomes an annoyance.

Finally, you can protect your iPad through regular backups. You may back up so to your computer or cloud storage. This way, if a malware enters your system, you can merely restore your iPad to factory settings. Clean backups can prevent malicious malware infection, and you can have your device functioning sooner than expected.

iPads are safe from viruses and malware, but they can be vulnerable to a few attacks. If you know some essential information, you can keep your device safe. Moreover, you can protect it in advance by following the tips we provided.

Protecting Your iPhone from Viruses

Malware, viruses, and adware can be lurking in every corner of the Internet. Many users believe that their iPhone is safe from the influx of viruses because this information was public knowledge some years ago. However, this info isn’t accurate anymore; therefore, you must shield your iPad and iPhone from these malicious infections.

The post Checking for Malware on Your iPad appeared first on .

Scammers Using Hacked Servers, Bogus Links to Target LinkedIn Users

Digital fraudsters are using compromised servers and bogus links in an ongoing effort to target LinkedIn members with scams. The scam began when a Sophos employee received what it appeared to be an unexceptional email from someone they know in real life and with whom they keep in touch on LinkedIn. The body of the […]… Read More

The post Scammers Using Hacked Servers, Bogus Links to Target LinkedIn Users appeared first on The State of Security.

Signature update for Symantec Endpoint protection crashed many device

Symantec rolled out an intrusion prevention signature update for its Endpoint Protection product that has caused many devices to crash and display a so-called blue screen of death (BSOD).

An intrusion prevention signature update for the Endpoint Protection product had a bad impact on the devices, in many cases it caused the devices to crash and display the blue screen of death (BSOD).

Several users reported problems through the company’s support forums and other sites online.

Customers complained about problems with Windows 7, 8 and 10.

Symantec Endpoint Protection

Symantec has acknowledged the problem with the update to its Endpoint Protection Client explaining that it causes a Windows kernel exception.

The company released the version 2019/10/14 r62 to address the issue caused by the 2019/10/14 r61 update.

“After running LiveUpdate on Symantec Endpoint Protection (SEP), the computer crashes indicating IDSvix86.sys/IDSvia64.sys as the cause of the exception.” reads the security advisory published by the researchers.

Symantec recommends to download the new signature version for the Endpoint Protection or roll back to an earlier stable version.

“Please run LiveUpdate to download latest Intrusion Prevention signature 2019/10/14 r62, or rollback to an earlier known good content revision to prevent the BSOD situation. Please check How to Backdate Virus Definitions in Endpoint Protection Manager for more details on how to roll back definitions.” continues Symantec.

Customers who cannot run LiveUpdate to apply the signatures on their systems can use the following workaround:

  1. Boot in Safe Mode and perform the following for x64 or x86 installations of SEP,
  2. Run sc config idsvia64 start= disabled or sc config idsviax86 start=disabled from cmd,
  3. Reboot in normal mode,
  4. Update the IPSdefs,
  5. Run sc config idsvia64 start= system or sc config idsviax86 start=system from cmd
  6. Reboot.

Pierluigi Paganini

(SecurityAffairs – Symantec, BSOD)

The post Signature update for Symantec Endpoint protection crashed many device appeared first on Security Affairs.

Phorpiex Botnet Sending Out Millions of Sextortion Emails Using Hacked Computers

A decade-old botnet malware that currently controls over 450,000 computers worldwide has recently shifted its operations from infecting machines with ransomware or crypto miners to abusing them for sending out sextortion emails to millions of innocent people. Extortion by email is growing significantly, with a large number of users recently complaining about receiving sextortion emails that

Pradeo Secure Private Store facilitates and expands safe BYOD usage

In 2019, 67% of employees access their company’s information system through their personal smartphone. So far, IT security teams were facing a dilemma: manage BYOD devices to control their integrity or let them run unmanaged and risk fraudulent connections to corporate data and services. Pradeo launched a unique Secure Private Store solution that allows organizations to distribute mobile services to their collaborators (public and private apps, documents), that they can freely use under the condition … More

The post Pradeo Secure Private Store facilitates and expands safe BYOD usage appeared first on Help Net Security.

Approaching the Reverse Engineering of a RFID/NFC Vending Machine

Security expert Pasquale Fiorillo demonstrates how to hack n RFID/NFC Vending Machine.

The affected vendor did not answer to my responsible disclosure request, so I’m here to disclose this “hack” without revealing the name of the vendor itself.

The target vending machine uses an insecure NFC Card, MIFARE Classic 1k, that has been affected by multiple vulnerabilities so should not be used in important application.
Furthermore, the user’s credit was stored on the card enabling different attack scenarios, from double spending to potential data tamper storing an arbitrary credit.

Useful notes from MIFARE Classic 1K datasheet:

EEPROM: 1 kB is organized in 16 sectors of 4 blocks. One block contains 16 bytes.
The last block of each sector is called “trailer”, which contains two secret keys and programmable access conditions for each block in this sector.

  • Manufacturer block: This is the first data block (block 0) of the first sector (sector 0). It contains the IC manufacturer data. This block is read-only.
  • Data blocks: All sectors contain 3 blocks of 16 bytes for storing data (Sector 0 contains only two data blocks and the read-only manufacturer block).
    The data blocks can be configured by the access conditions bits as:
    • Read/Write blocks: fully arbitrary data, in arbitrary format
    • Value blocks: fixed data format which permits native error detection and correction and a backup management.
      A value block can only be generated through a write operation in value block format:
      • Value: Signifies a signed 4-byte value. The lowest significant byte of a value is stored in the lowest address byte. Negative values are stored in standard 2´s complement format. For reasons of data integrity and security, a value is stored three times, twice non-inverted and once inverted.
      • Adr: Signifies a 1-byte address, which can be used to save the storage address of a block, when implementing a powerful backup management. The address byte is stored four times, twice inverted and non-inverted.
Value block example for value 0x0012D687

Let’s start hacking:

In this post I did not show you how to crack the MIFARE Classic Keys needed to read/write the card, ’cause someone else has already disclosed it some time ago, so google is your friend.
At last, please, use this post to skill yourself about the fascinating world of reverse engineering, and not for stealing stuffs.

In order to start the analysis I need some dump to compare.
The requirements of this task are nfc-mfclassic tool included in libnfc, a NFC hardware interface like ACR122U, and a binary compare (aka binarydiff) tool like dhex.

Dumps:

  • Dump 0: Virgin card (not included in the screenshot below ’cause all data bytes were 0x00, except for the sector 0 that has UID and manufacturer information. These sector is read only, so these bytes are the same across dumps)
  • Dump 1: Card charged with single 0.10€ coin (Note that vending machine displays the balance with 3 decimals, 0.100€)
  • Dump 2: 0.00€ after spending the entire balance with 4 transactions of 0.025€ each
  • Dump 3: 0.10€ recharged with one single coin
Dump 1 compared to Dump 2, yellow bytes differ
Dump 2 compared Dump 3, yellow bytes differ

Blurred bytes are the MIFARE keys A and B, except for the 32 bytes at 0xE0 offset of which I don’t know their purpose.
The 4 bytes between the keys are Access Condition and denotes which key must be used for read and write operation (A or B key) and the block type (“read/write block” or “value block”).

The tool mfdread is useful to decode the Access Condition bytes rapidly, and, in general, to display MIFARE Classic data divided by sectors and blocks:

Dump 1 with mfdread parser

Early analysis:

Note: from now on I will refer to the offsets with a [square parenthesis] and a value with no parenthesis.

  • Blocks 8, 9, 10, 12 and 13 can be used also as “value block”
  • Except for bytes between offsets [0x80] and [0x9F], only few bytes differ between dumps
  • Some data are redundant, for example [0x60 … 0x63] has the same values of [0xA0 … 0xA3]
  • Values at [0xC0], [0xD0], [0xC8], [0xD8] differ by 4 between 1st and 2nd dump (eg: 0xFE – 0xFA = 0x4) and differ by 1 between 2nd dump and 3rd dump (eg: 0xFA – 0xF9 = 0x1)
  • Values at [0xC4], [0xD4] differ by 4 between 1st and 2nd dump (eg: 0x05 – 0x01 = 0x4) and differ by 1 between 2nd and 3rd dump (eg: 0x06 – 0x05 = 0x1)
    • 4 is the number of spent transaction made the first time, and 1 is the number of recharge transaction made the second time
  • Sum between yellow squared and red squared offsets has 0xFF value. In other words red squared is inverse (XOR with 0xFF) of yellow squared. For example:
    • 0xFE ⊕ 0xFF = 0x01
    • 0xFF ⊕ 0xFF = 0x00
    • 0x7F ⊕ 0xFF = 0x80
  • Values at [0x60 … 0x63] are a UNIX TIMESTAMP in little endian notation:
    • Dump 1: 0x4F9E2C27 -> 0x272C9E4F = 657235535 = 10/29/1990 @ 9:25pm
    • Dump 2: 0x71B62C27 -> 0x272CB671 = 657241713 = 10/29/1990 @ 11:08pm
    • Dump 3: 0x18592D27 -> 0x272D5918 = 657283352 = 10/30/1990 @ 10:42am
      • Ok, we are not in the 90ies, but the time difference between transactions is correct, maybe the vending machine doesn’t have an UPS 🙂

Early findings:

  • Timestamp of the last transaction was stored as 32 bit integer at MIFARE block 6 and redundant at at MIFARE block 10
  • Only MIFARE blocks 12 and 13 has “Value block” format, and they are used to store the counter of remain transaction in 32 bit format.
    This counter starts from 0x7FFFFFFF (2.147.483.647) and is decreased at each transaction
  • Blocks 1, 4, and 14 contains some data that are fixed between dumps
  • Blocks 8 and 9 changes entirely at each transaction

The credit:

If there is credit stored on the card, it was encoded at blocks 8 and 9, and the number of bytes involved between small credit difference (for example between 0.00€ and 0.10€) could indicate that some cryptographic function is involved.

At this time, a double spending attack could confirm if the credit is really stored on the card.
So, after spending all the credit, I have rewritten a previous dump on the card and I went to test it at the vending machine. The card was fully functional with the previous credit stored in that dump. Now, I’m certain that the credit is encoded (and probably encrypted) in the blocks 8 and 9.

Conclusion:

Even if the encoding format of the credit is still unknown, a double spending attack was possible.

This means that the vendor’s effort to obfuscate the credit is nullified 🙁

Adding some unique token on the card that are invalidated into back-end after each transaction, means that this token needs to be shared between all the vending machines of the vendor, but, if we add internet connection to the vending machine, there is no longer reason to store the credit on the card.

So, after all, the only remediation action that makes sense is: DO NOT STORE THE CREDIT ON THE CARD! And, more generally: DO NOT TRUST THE CLIENT!

Road to arbitrary credit:

Spending 1€ infinite times isn’t the scope of that hack. The only real scope is FUN!
To continue this analysis I need to collect a large number of dumps to advance some hypothesis so, when I have other material I will make another post.

An example of easier card:

Some vendor has more easier approach by using the MIFARE “Value block” to store the credit without obfuscation or encryption.

Credit stored on the MIFARE Value Block

The above screenshot made with “MIFARE Classic Tool” on Android smartphone, represents a Value Block used to store the credit:

0x00000CE4 = 3300 is the value in Euro thousandths (3.30€).

This particular vendor do not use key A and the Key B is a default key 0xFFFFFFFFFFFFFFFF, so the attacker doesn’t need to crack anything.

Reverse engineering and cracking of a Vending Machine is always funny.

The original post was published here

About the author: Pasquale Fiorillo

I’m a Security Auditor of ISGroup and an independent Security Researcher. As Security Auditor, my job is to perform security activities like Penetration Test and Vulnerability Assessment on networks and web applications in order to identify security issues that may be exploited by an attacker to perform malicious actions on your assets.

When I was a teenager I have co-founded an underground e-zine called Italian Hard Phreaking with some friends on IRC, writing lots of papers related to hack and reverse engineering stuffs in the telecommunication world. Later, I’ve started a new adventure as a Security Researcher, discovering vulnerabilities in a commonly used software, web applications, and web sites, in collaboration with other fabulous people of U.S.H.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post Approaching the Reverse Engineering of a RFID/NFC Vending Machine appeared first on Security Affairs.

‘Silent Librarian’ Revamps Phishing Campaign: Proofpoint

Iranian-Backed Hacking Group Targeting Research Universities
"Silent Librarian," a hacking group with apparent ties to the Iranian government, is continuing to revamp and refine its phishing techniques as it targets research universities in the U.S. and Europe in an attempt to steal intellectual property, according to the security firm Proofpoint.

Industry Calls for Standardization of CISO Role

Industry Calls for Standardization of CISO Role

Professionals from the cybersecurity industry have called for clarity regarding the role of Chief Information Security Officers (CISOs).

Research from Cyber Security Connect UK (CSCUK), a forum for cybersecurity professionals, has stated that CISOs are being pulled into job requirements outside their jurisdiction and that there is a lack of transparency about the responsibilities of cybersecurity teams within UK businesses of all sizes.

The research also pointed to a lack of skilled, fully qualified professionals coming into the profession.

Mark Walmsley, the chair of the CSCUK steering committee and CISO at Freshfields Bruckhaus Deringer, said: “It is no longer a case of if a cyber-attack will occur but more appropriately, when. In addition, these attacks are increasingly becoming more complex and intelligent. With this in mind, a company’s best defense against such events is a dedicated person to lead the fight against cyber-attacks."

Not only does this person need to be qualified, Walmsley added, they must also be dedicated to the cause, have access to information and budgets that allow them to carry out their job and be able to constantly and consistently upskill to keep up with the fast-paced, ever-changing nature of the cybersecurity landscape.

“While it is true that the varying size, financial situation and purpose of a business may affect the role of the CISO or even the requirement for such a person at all, where they are in operation, clear parameters need to be set. Only with standardization and guidance can the role be fully effective. As further digitization of processes occurs and cyber-attacks become more sophisticated, this need will become only greater,” Walmsley argued.

According to CSCUK, in order for standardization to be possible, professionals believe a benchmarking process must be carried out to fully understand the scale of variations within the role.

“In order to support CISOs so that they can carry out their roles effectively, a better understanding of their current situation is required,” Walmsley explained. “This includes comparing the role within different organizations in terms of qualifications, access to the boardroom and budgets, reporting lines and salaries.”

Over 100 Million IoT Attacks Detected in 1H 2019

Over 100 Million IoT Attacks Detected in 1H 2019

A security vendor has detected over 100 million attacks on IoT endpoints in the first half of 2019 alone, highlighting the continued threat to unsecured connected devices.

Russian AV vendor Kaspersky said its honeypots had spotted 105 million attacks coming from 276,000 unique IP addresses in the first six months of the year. The number of attacks is nearly nine times more than the figure for 1H 2018 when only 12 million were detected, originating from 69,000 IP addresses, the firm added.

The figures can be seen in the context of a smart home boom, with consumers buying in increasing numbers connected devices which often have poor in-built security and/or are not properly secured by their owners.

Mirai-like attacks which take advantage of weak factory-default log-ins for such devices are increasingly common, conscripting IoT endpoints into botnets which can then be used to launch DDoS and other attacks, Kaspersky explained. Some attacks also exploit old unpatched vulnerabilities to hijack devices, it added.

The most common malware types are Mirai (39%) and Nyadrop (38.6%), which itself often serves as a Mirai downloader. Some way behind them is Gafgyt (2%), which uses brute-forcing techniques to gain persistence.

“Judging by the enlarged number of attacks and criminals’ persistence, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations,” said Kaspersky security researcher, Dan Demeter.

“This is much easier than most people think: the most common combinations by far are usually ‘support/support,’ followed by ‘admin/admin,’ ‘default/default.’ It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices.”

Devices in China were most affected by attacks, accounting for 30% of infections in the first half of the year, followed by Brazil (19%) and Egypt (12%).

How to build a battle-ready cybersecurity team?

Estimated reading time: 3 minutes

Organizations and the people who run them are slowly perceiving cybersecurity to be a slightly different ball game than information security.

As global organizations grapple with cyber threats and aim to keep their enterprises safe from malware, hackers and other forms of threats, their understanding of this domain is getting richer every day.

Cybersecurity management cannot happen in isolation – appointing one security officer to handle everything in cybersecurity is not going to make an organization efficient or secure.

There needs to be a specialized team whose sole task should be to manage the entire paradigm of cybersecurity for a business.

If you are a CEO or a senior leader of an enterprise, reading this and agreeing to this, the next question you should ask is how to create a solid, efficient & battle-ready security team?

The following tips may help:

  1. Look for specialized resources and hire them

A Frost & Sullivan report observed that the global cybersecurity workforce will have more than 1.5 million unfulfilled positions by 2020. This indicates that there will be a substantial hiring gap when it comes to dealing with cybersecurity and enterprises must be aware of that. To build a good team, there cannot be any gaps. If you’re a CISO or even a CEO, go hunting for specialized specific cybersecurity skills in the market and don’t leave any stones unturned till you find them. Make it clear to the organization that this is a hiring gap that needs to be filled at any cost whatsoever. Once the skills are identified, swoop in quickly and hire the personnel as soon as possible, before someone else gets to them.

  1. Assign responsibilities

There are different facets to cybersecurity and if the hiring has been correct, then an enterprise has hired people suited to those facets. But roles need to be assigned properly as well keeping in mind your employee capabilities – ensure that there are enough people looking after essential cybersecurity behaviours like patch updates, firewall protection, endpoint security, insider threats and regular audits. Once people are aware of their roles, it is easier to form a plan and act accordingly.

  1. Conducting regular Red Team Assessments

Think of cybersecurity personnel as virtual firefighters or disaster management specialists – most of their training takes place as simulations in the hope that when that one incident happens in reality, the personnel will be perfectly trained to take the appropriate measures. The same is true for your cybersecurity team. Regular assessments and Red Team Assessments (which are basically mock trials of cyberattacks) must happen regularly to inculcate absolute readiness into your team. This will help make them battle-ready when an inevitable attack takes place.

  1. Keep upskilling

You have assembled a great cybersecurity team with perfect readiness to tackle the next cyberattack. Work is done, right? Not quite. A team tackling cyber threats is only as good as today. Tomorrow’s cyber threats are continuously evolving as criminals constantly innovate in their desperation to hit targets hard. Cybersecurity is that critical function which needs continuous upskilling in the form of training, self-education or anything else. The learning never stops in cybersecurity.

  1. Empower cybersecurity personnel

Security personnel cannot be lame ducks in an enterprise. In such a situation, all their skills and endurance will be wasted giving way to a high-risk factor to the enterprise. These personnel must be empowered by their managers to act and take decisions in a field as dynamic as cyber attack prevention.

To complement a battle-ready security team, Seqrite offers a range of security solutions providing complete enterprise security. The company’s Endpoint Protection was recently awarded as the best in the world by AV-Test and comes preloaded with Data Loss Prevention (DLP) for advanced endpoint and data protection.

The post How to build a battle-ready cybersecurity team? appeared first on Seqrite Blog.

Revealed: State-Sponsored Campaign that Helped China Build an Aircraft

Revealed: State-Sponsored Campaign that Helped China Build an Aircraft

The Chinese government orchestrated a sophisticated multi-year cyber-espionage campaign to gain parity with western aerospace firms and help it build the C919 commercial airliner, a new report has alleged.

The story is an exemplar of the lengths Beijing is prepared to go to steal IP and force tech transfers from foreign companies and nations in order to gain self-sufficiency.

“What is known from CrowdStrike Intelligence reporting and corroborating US government reporting is that Beijing uses a multi-faceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs,” the CrowdStrike report claimed.

“Specifically, state-owned enterprises (SOEs) are believed to help identify major intelligence gaps in key projects of significance that China’s intelligence services then are likely tasked with collecting.”

In this case, that job was taken by the Jiangsu Bureau of the Ministry of State Security (JSSD), tracked by CrowdStrike as Turbine Panda.

Dating back to 2010, the operatives undertook a broad cyber-espionage and human intelligence campaign to target multiple aerospace providers including Honeywell, Safran, Capstone Turbine and others.

Interestingly, many of the operatives were sourced from the local cybercrime community, with PlugX and Winnti hacking tools favored, as well as unique malware linked to a group dubbed “Sakula.”

As part of the campaign, they recruited an insider at General Electric (Zheng Xiaoqing), joint manufacturer of the key LEAP-X turbofan, and a Chinese-born army reservist (Ji Chaoqun) who entered the US on an F-1 student visa to study electrical engineering.

Then the US fightback began: Sakula developer Yu Pingan was arrested whilst attending a US security conference, and insiders Zheng and Ji Chaoqun were also picked up. Other China-based operatives and insiders were also indicted. However, the biggest coup was the arrest of their handler, MSS officer Xu Yanjun: alleged deputy division director of the Sixth Bureau of the JSSD in charge of insider threats.

The report claimed that JSSD operatives were also responsible for the breach of the Office of Personnel Management (OPM) and health insurance firm Anthem.

Depressingly, it seems that even these arrests will do little to halt intrusive Chinese cyber-activity.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” the report concluded. “China still seeks to decrease its dependency on this [Airbus-Boeing] duopoly and eventually compete on an even footing with them.”

Major Carding Forum BriansClub Suffers Data Breach

Major Carding Forum BriansClub Suffers Data Breach

One of the web’s largest marketplaces for stolen card data has been hacked, leading to the theft the second time over of more than 26 million cards.

A source shared the news with security researcher Brian Krebs, whose name and likeness have been used for years by the administrators of the online BriansClub store.

It is claimed that the trove includes credit and debit card details stolen from bricks-and-mortar retailers from the past four years, including eight million uploaded so far in 2019.

The binary data could allow hackers to create fake magstripe cards with which to fraudulently purchase goods in stores. Although the roll-out of EMV is intended to put an end to this practice, there are still enough merchants and cardholders using the legacy cards to make such forums a going concern.

In fact, Krebs calculated that with cardholder losses estimated at $500 per card, BriansClub could have generated as much as $4 billion in losses from the roughly nine million cards it has sold to fraudsters since 2015.

Tim Mackey, principal security strategist at Synopsys, argued that whether you’re running a global enterprise, a small business or an underground carding forum, there are several shared cybersecurity truths.

“First, the attackers define the rules of the attack and the best you can do is defend against their actions. Second, the only data ever taken is data available for the taking. When designing your data collection and storage procedures, it’s critical to look at all data operations through the lens of what would happen if there was absolutely nothing preventing your biggest competitor or worst enemy from downloading that data,” he explained.

“Is all the data appropriately encrypted? Are all access attempts audited? Is modification controlled? For these questions, and many more, the next question becomes one of “how,” and it’s how you approach these questions and their answers which distinguishes a successful cybersecurity initiative from one likely to make the news for the wrong reasons."

Adobe splats bucketful of bugs in Acrobat and Reader

If you thought that Adobe skipped this month’s Patch Tuesday because there were no immediate vulnerabilities to fix, you were wrong: a week later the company dropped security updates for several of its products, including Acrobat and Reader and the Download Manager. All in all, 82 security holes – most of which are critical – have been plugged. The good news is that none are under active exploitation. The updates The update for Adobe Acrobat … More

The post Adobe splats bucketful of bugs in Acrobat and Reader appeared first on Help Net Security.

#ISWUK: Ransomware Remains Top Threat For Present and Future

#ISWUK: Ransomware Remains Top Threat For Present and Future

Ransomware remains the dominant threat for business now, and will continue to be in the future.

Speaking at the NTT Security Information Security World 2019 conference in London, Nicole van der Meulen, head of strategy and development at Europol’s European Cybercrime Centre (EC3) reflected upon the top cyber-threats impacting the security of data today.

van der Meulen Highlighted the five top current threats as:

  • Ransomware
  • Compromised data
  • DDoS attacks
  • Card not present fraud
  • The Dark Web

Van der Meulen said that whilst ransomware was not new and efforts are often determined to be “amateur,” there is a move to more sophisticated attacks “and it is the most dominant threat when it comes to what is reported.”

She added that ransomware reports from law enforcement and the private sector are not different from last year, there has been a “decline in volume” of attacks. However, the next step is to target more profitable targets who are willing to pay, and this is a more efficient approach.

She also said that DDoS attacks are becoming more professional with a financial focus. Meanwhile, card not present fraud continues to rise “and is the most stable” as compromised data is readily available. “The cost of doing business has been accepted, and it is a facilitator for other crimes.”

While there are changes in terms of threats and threat actors, Van der Meulen pointed out that there is a terminology problem, as “we call it cybersecurity, but talk about information security, and confidentiality, integrity and availability” and everything still begins with unauthorized access and the next stage is down to the motive of the attacker.

She also said that there is a lot of focus on the future threats and technology, and while there is a need to predict the emphasis on attackers using AI, it is still cheap to get and use ransomware: “We haven’t solved today’s problems, so why focus on tomorrow? Don’t get too far ahead when threats are the same, but just wearing new clothes.”

7 steps to a successful ISO 27001 risk assessment

Risk assessments are at the core of any organisation’s ISO 27001 compliance project.

They are essential for ensuring that your ISMS (information security management system) – which is the end-result of implementing the Standard – is relevant to your organisation’s needs.

What is an information security risk assessment?

An information security risk assessment is the process of identifying, resolving and preventing security problems.

Your organisation’s risk assessor will identify the risks that your organisation faces and conduct a risk assessment.

The risk assessment will often be asset based, whereby risks are assessed relative to your information assets. It will be conducted across the whole organisation.

ISO 27001 is explicit in requiring that a risk management process be used to review and confirm security controls in light of regulatory, legal and contractual obligations.

So, how should you get started?

How to conduct an ISO 27001 risk assessment

Conducting a risk assessment can be daunting, but we have simplified the process into seven steps:

1. Define your risk assessment methodology

ISO 27001 does not prescribe a specific risk assessment methodology. Choosing the correct methodology for your organisation is essential in order to define the rules by which you will perform the risk assessment. The methodology needs to address four issues: baseline security criteria, risk scale, risk appetite, and a scenario-based or asset-based risk assessment.

2. Compile a list of your information assets

If opting for an asset-based risk assessment, you should work from an existing list of information assets, which includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.

3. Identify threats and vulnerabilities

Identify threats and vulnerabilities that apply to each asset. For example, the threat could be ‘theft of mobile device’.

4. Qualify the extent of the risk

Assign impact and likelihood values of the risk occurring.

5. Mitigate the risks to reduce them to an agreed and acceptable level

ISO 27001 suggest four ways to treat risks: ‘Terminate’ the risk by eliminating it entirely, ‘treat’ the risk by applying security controls, ‘transfer’ the risk to a third party, or ‘tolerate’ the risk.

6. Compile risk reports

ISO 27001 requires your organisation to produce a set of reports for audit and certification purposes, the most important being the SoA (Statement of Applicability) and the RTP (risk treatment plan).

7. Review, monitor and audit

ISO 27001 requires your organisation to continually review, update and improve the ISMS to make sure it is working optimally and adjusts to the constantly changing threat environment.

Learn more about risk assessments

We provide a more detailed breakdown of these steps in our free green paper: Risk Assessment and ISO 27001. It also explains:

  • The relationship between ISO 27001 and ISO 31000, the international standard that describes best practices for risk management;
  • Things to avoid when performing a risk assessment;
  • The importance of risk assessments to the ISO 27001 Statement of Applicability; and
  • How to make your risk assessments as cost-effective as possible.

Those looking for hands-on help conducting a risk assessment should take a look at our risk assessment software, vsRisk™. It provides a simple and fast way to identify relevant threats, and delivers repeatable, consistent assessments year after year.

Its integrated risk, vulnerability and threat database eliminates the need to compile a list of potential risks, and the built-in control helps you comply with multiple frameworks.


A version of this blog was originally published on 19 September 2017.

The post 7 steps to a successful ISO 27001 risk assessment appeared first on IT Governance Blog.

Chinese-speaking cybercrime gang Rocke changes tactics

Chinese-speaking cybercrime gang Rocke that carried out several large-scale cryptomining campaigns, has now using news tactics to evade detection.

Chinese-speaking cybercrime gang Rocke, that carried out several large-scale cryptomining campaigns in past, has now using news tactics to evade detection. The group has been observed using new tactics, techniques, and procedures (TTPs), it is also using updated malware to evade detection.

The cybercrime organization was first spotted in April 2018 by researchers at Cisco Talos, earlier 2019 researchers from Palo Alto Networks Unit42 found new malware samples used by the Rocke group for cryptojacking that uninstalls from Linux servers cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud.

In March, the group was using a dropper dubbed LSD that was controlled via Pastebin, but since this summer the threat actors have changed Command and Control (C2) infrastructure using a self-hosted solution.

The malicious code is used by the hackers to deliver a Moner (XMR) crypto miner that is not detected by almost any antivirus solution.

The Rocke group was also observed exploiting the CVE-2019-3396 flaw in Confluence servers to get remote code execution and deliver the miners.

“Rocke, a China-based cryptomining threat actor, has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019.” reads the analysis published by the security firm Anomaly. “the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPs (DoH) if the DNS query fails. In addition to the C2 change, functionality was also added to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088.”

The use of self-hosted and DNS records makes it hard to detect the group’s operations and takedowns. The new LSD sample was first spotted on September 17 as reported in the following graph.

The group also improved its LSD dropper by adding the malicious code to exploit CVE-2016-3088 in ActiveMQ servers.

In order to ensure that only its miner is running on the infected machine, the group attempt to kill any other processes with high CPU usage. The LSD malware analyzed the MD5 hash of the files to avoid killing its instance running on the system.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity,” concludes Anomali Labs.

“It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future.”

Technical details, including Indicators of Compromise, are reported in the analysis published by Anomali.

Pierluigi Paganini

(SecurityAffairs – Rocke cybercrime gang, miner)

The post Chinese-speaking cybercrime gang Rocke changes tactics appeared first on Security Affairs.

Code dependency mapping’s role in securing enterprise software

Enterprise software is only as good as its security. Today, a data breach costs $3.92 million on average. Organizations are expected to spend $124 billion on security in 2019 and will probably invest even more given the alarming rate at which cyberattacks are growing. Despite these investments, newer and more sophisticated threats are emerging every day, making the security of an enterprise’s software environment challenging – even for the most well-prepared. Fortunately, new innovations have … More

The post Code dependency mapping’s role in securing enterprise software appeared first on Help Net Security.

Microsegmentation for refining safety systems

When the TRITON (aka TRISIS) attack struck three refining sites in the Middle East in November of 2017, it was the first known cyber incident to target safety instrumented systems (SIS), specifically Schneider Electric’s Triconex gear. The consequences of these attacks were plant-wide shutdowns. While such shutdowns are costly, the consequences could have been far worse. Refineries rely on correctly functioning SIS equipment to prevent worker casualties and environmental disasters in the face of both … More

The post Microsegmentation for refining safety systems appeared first on Help Net Security.