Monthly Archives: January 2020

How to Deal With Orphaned Accounts in Your Business


According to the 2019 Verizon Data Breach Investigations Report, 62 percent of all data breaches last year involved the use of stolen credentials, brute force, or phishing. Nearly half of these types of breaches were directly attributed to stolen credentials. Stolen credentials are not only a risk through active user accounts, but can be a significant risk through orphaned accounts. One notable example of this type of credential theft occurred last fall when Avast and NordVPN reported a data breach tied to “forgotten or unknown user accounts,” or the predominance of orphaned accounts lacking proper oversight and governance.

Orphaned accounts within an organization are accounts that are no longer associated with a valid business owner. They represent ideal places for bad actors to gain access into your company because no one is actively looking into them. According to KrebsonSecurity, “forgotten user accounts that provide remote access to internal systems…have been a persistent source of data breaches for years,” as was the case with Avast and NordVPN. But to better understand orphaned accounts and what you can do about them, let’s take a look at where they originate from and then identify several key strategies you can use to combat them in your business.

Where Do Orphaned Accounts Come From?

Orphaned accounts typically arise when someone leaves your company or changes positions within the organization. In the case of separation, this means access to certain applications, data, or systems is not terminated. In the case of a position change, access is not reduced to an appropriate level, which may include complete removal of access. This frequently happens in industries with fairly high turnover, like healthcare or retail, because as people exit the company or transition roles, there may be no formal process for cleaning up these accounts in either internal or external system access. While prominent in these specific industries, orphaned accounts pose a real problem across every industry and across businesses of all sizes.

The problem only magnifies with contingent workers, temporary employees, non-employees, contractors, and consultants. This category of user is often a target for bad actors because turnover is high for these roles and orphaned accounts can stack up if there is an undefined process for cleaning up these accounts. And because these types of users are often not contained in a central repository, like an HRIS, it is difficult to identify a change in status quickly, like a closed contract, so the access can be removed in a timely manner. That’s why it’s essential not to overlook these types of workers or make them a lower priority in managing access. Even though they may not be highly privileged, if their access falls into the wrong hands, real damage can be inflicted by bad actors.

Does your organization have high turnover for certain positions or do you have seasonal employees? What about interns? Orphaned accounts are a natural part of the dynamic nature of business. And with so many users in your system, without automated processes and controls, you will not have visibility into who has access to what. Leaving these accounts open increases your threat surface and the likelihood that you will be breached. This risk becomes even greater if excess privileges are unused, because nefarious access can go undetected. Combined, these factors make it very difficult to manage risk within the business.

How Can You Combat the Risk of Orphaned Accounts?

So how can you put an end to orphaned accounts? First, you have to arm yourself with intelligence to quickly identify and evaluate access risks posed by internal threats across your business-critical systems. This means you have access to a continuous, comprehensive view and analysis of the relationships between identities, access rights, policies, and resources across your environments.

Automated Provisioning and Deprovisioning

With a manual system that relies on paper forms or their web version counterparts—basic lists of who has access to what and the types of applications that can be selected—or even worse, a field to type in a model user, you have little context for what access in your organization really should be. Rather, you need to automate provisioning actions based on the user lifecycle within your organization. One of the most important moments for this is when an employee leaves the organization, either voluntarily or through termination. Accounts should be quickly and automatically disabled, preventing any opportunity for employees to retain access to data upon their departure from the organization, and removing any opportunity for orphaned accounts.

Beyond when an employee leaves, the right process to manage the risk of orphaned accounts actually starts with proper onboarding. This is when a new employee, or a non-employee like a contractor or vendor, receives initial accounts and access to appropriate systems and applications. This means you can track the access that is approved and granted initially so that you know specifically who has what access and when it is time to remove it—with no guesswork.

Role-Based Approach

Combating orphaned accounts also means you should adopt a role-based approach. Roles are really just a collection of access privileges typically defined around a job title or job function. Using roles, organizations have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs and what access to remove—reducing the chances for orphaned accounts. Embracing a role-based approach simplifies identity governance, and aids organizations as they grow and change—whether through individual changes across the user lifecycle, seasonal additions to the workforce, or more institutional changes, like mergers and acquisitions.


You also need to take advantage of micro-certifications to ensure you have a set of controls that can quickly identify anomalous access, especially when that access violates an important policy, such as segregation of duties or privileged access. This means that when an access event is triggered where an employee may have new or different access and entitlements than what is expected, or gains access through an outside process, commonly referred to as ‘out of band,’ a manager or business application owner will be alerted and can immediately perform an access review tied to the risk event. Provisioning outside the process is a common way that users get access that can be missed when it is time to remove it, whether as a result of a transfer or a separation.
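The reconciliation the three sections above describe (deprovisioning on separation, role-based expected access, and out-of-band entitlements queued for a micro-certification review) as an added example; this is not code from the original article or from any product, and the HRIS roster, contractor roster, role definitions, account export and dates are all constructed sample data.

```python
"""Reconcile an account export against HR and contractor rosters.

Added example (not from the original article): every roster, account,
role and date below is constructed sample data.
"""
from datetime import date

# Constructed HRIS roster: employee id -> status, current role, and the
# effective date of the last separation or transfer.
HRIS = {
    "e1001": {"status": "active", "role": "nurse", "effective": None},
    "e1002": {"status": "terminated", "role": "cashier", "effective": date(2020, 1, 3)},
    "e1003": {"status": "active", "role": "pharmacist", "effective": date(2020, 1, 10)},  # transferred from nurse
}

# Constructed contractor roster, kept outside the HRIS as is common for non-employees.
CONTRACTORS = {
    "c2001": {"role": "contractor_it", "contract_end": date(2020, 3, 31)},
    "c2002": {"role": "contractor_it", "contract_end": date(2019, 12, 15)},
}

# Constructed role definitions: the preapproved entitlements for each job function.
ROLES = {
    "nurse": {"ehr_read", "ehr_write"},
    "pharmacist": {"ehr_read", "pharmacy_dispense"},
    "cashier": {"pos_sales"},
    "contractor_it": {"vpn", "ticketing"},
}

# Constructed directory export: account name, business owner, state, entitlements, last logon.
ACCOUNTS = [
    {"account": "jdoe", "owner": "e1001", "enabled": True, "entitlements": {"ehr_read", "ehr_write"}, "last_logon": date(2020, 1, 28)},
    {"account": "rsmith", "owner": "e1002", "enabled": True, "entitlements": {"pos_sales"}, "last_logon": date(2020, 1, 2)},
    {"account": "akim", "owner": "e1003", "enabled": True, "entitlements": {"ehr_read", "ehr_write", "pharmacy_dispense"}, "last_logon": date(2020, 1, 29)},
    {"account": "svc_backup", "owner": None, "enabled": True, "entitlements": {"domain_admin"}, "last_logon": date(2019, 6, 1)},
    {"account": "vendor01", "owner": "c2002", "enabled": True, "entitlements": {"vpn", "ticketing"}, "last_logon": date(2020, 1, 20)},
    {"account": "vendor02", "owner": "c2001", "enabled": True, "entitlements": {"vpn", "ticketing", "ehr_read"}, "last_logon": date(2020, 1, 27)},
]


def review_accounts(accounts, hris, contractors, roles, today, stale_days=90):
    """Return (account, finding) pairs that belong in a micro-certification queue."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned; nothing to certify
        name, owner = acct["account"], acct["owner"]
        expected = None  # entitlements the owner's role preapproves, if the owner is valid
        if owner in hris:
            person = hris[owner]
            if person["status"] == "active":
                expected = roles[person["role"]]
            else:
                findings.append((name, "orphaned: owner separated on %s" % person["effective"]))
        elif owner in contractors:
            person = contractors[owner]
            if person["contract_end"] >= today:
                expected = roles[person["role"]]
            else:
                findings.append((name, "orphaned: contract ended on %s" % person["contract_end"]))
        else:
            findings.append((name, "orphaned: no valid business owner"))
        if expected is not None:
            # Anything beyond the role is out-of-band access (e.g. leftovers from a transfer).
            extra = acct["entitlements"] - expected
            if extra:
                findings.append((name, "out-of-band entitlements: %s" % ", ".join(sorted(extra))))
        idle = (today - acct["last_logon"]).days
        if idle > stale_days:
            findings.append((name, "stale: no logon for %d days" % idle))
    return findings


def run_review(today=date(2020, 1, 31)):
    """Group findings by account for the constructed sample; the default date is a fixed sample date."""
    grouped = {}
    for name, finding in review_accounts(ACCOUNTS, HRIS, CONTRACTORS, ROLES, today):
        grouped.setdefault(name, []).append(finding)
    return grouped


if __name__ == "__main__":
    for name, findings in sorted(run_review().items()):
        print(name, "->", "; ".join(findings))
```

In the sample, the transferred pharmacist keeps a leftover nurse entitlement, the ex-contractor's VPN account is still enabled, and the ownerless service account is both orphaned and idle.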

Start Revealing Your Hidden Access Risks

Orphaned accounts pose a critical risk within your business. But you can’t act upon what you don’t see. Waiting for an internal audit to uncover orphaned accounts may be too late. You must take an active role in trying to prevent them through intelligent identity governance solutions. One way to start is by conducting a quick scan of your environment through the Core Access Risk Quick Scan. This consulting offering leverages our award-winning Core Access Insight solution to diagnose hidden risks within your organization. Remember, you can only manage what you can see. So don’t ignore the importance of dealing with orphaned accounts in your business today.




Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

The courthouse in Dallas County, Iowa. Image: Wikipedia.

Gary DeMercurio, 43 of Seattle, and Justin Wynn, 29 of Naples, Fla., are both professional penetration testers employed by Coalfire Labs, a security firm based in Westminster, Colo. Iowa’s State Court Administration had hired the company to test the security of its judicial buildings.

Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, “tailgate” employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo’s early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county’s sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they’d obtained entry to the premises via an unlocked door.

“They said they found a courthouse door unlocked, so they closed it from the outside and let it lock,” Dan Goodin of Ars Technica wrote of the ordeal in November. “Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed.”

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they’d been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren’t thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

“The pentesters had already said they used a tool to open the front door,” Goodin recounted. “Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard’s mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.”

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

What initially seemed to Coalfire as a momentary lapse of judgment by Iowa authorities quickly morphed into the surreal when state lawmakers held hearings questioning why and how someone in the state’s employ could have so recklessly endangered the safety and security of its citizens.

DeMercurio and Wynn, minus the orange jumpsuits.

Judicial Branch officials in Dallas County said in response to this grilling that they didn’t expect Coalfire’s physical penetration testing to be conducted outside of business hours. State Sen. Amy Sinclair was quoted as telling her colleagues that “the hiring of an outside company to break into the courthouses in September created ‘significant danger, not only to the contractors, but to local law enforcement, and members of the public.'”

“Essentially a branch of government has contracted with a company to commit crimes, and that’s very troubling,” lamented Iowa state Sen. Zach Whiting. “I want to find out who needs to be held accountable for this and how we can do that.”

Those strong words clashed with a joint statement released Thursday by Coalfire and Dallas County Attorney Charles Sinnard:

“Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges,” the statement reads. “Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing.

Matthew Linholm, an attorney representing DeMercurio and Wynn in the case, said the justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas.

“Such a practice endangers the effective administration of justice and our confidence in the criminal justice system,” Linholm told The Des Moines Register, which broke the news of the dropped charges.

While the case against Coalfire’s employees has rallied many in the cybersecurity community around the accused, not everyone sees this dispute in black-and-white. Chris Nickerson, a digital intrusion specialist and founder of LARES Consulting, said in a Twitter post Thursday that “when a company puts us in harm’s way due to their poor planning, failed sales education, inadequate project management and deplorable contract management…We shouldn’t celebrate them. We should hold them accountable.”

Asked to elaborate, Nickerson referred to a recent podcast which touched on the arrests.

“The things that concern me about this situation are more of the pieces of safety that exist across how the industry instruments doing these types of engagements,” Nickerson said. “They seem very, very reasonable and obvious once they become obvious but until then they’re completely foreign to people.”

“It’s really on the owners of the organization to educate the customer of those potential pitfalls,” Nickerson continued. “Because there isn’t a good standard. We haven’t all gotten together and institutionalized the knowledge that we have in our heads and dump it down to paper so that someone who is new to the field being tasked with this can go through and say, ‘Hey, did you ask them if the city versus the state versus the building owner and the real estate people…are all of these people in lock step?'”

Coalfire CEO Tom McAndrew seemed to address this point in our interview Thursday, saying there were two unique aspects of this particular engagement. First, although the client in this case said they did not want Coalfire to make local law enforcement aware of the ongoing engagement prior to testing the physical security of the site, it was clear after the fact that state officials never did that on their own.

More importantly, McAndrew said, there was ambiguity around who actually owned the buildings that they were hired to test.

“If you’re doing a test for the state and you walk into the building and it’s the courthouse and you’re doing a test for the court system, you’d think that they would have jurisdiction or own it, and that turned out not to be the case in this scenario because there’s some things the state owns and some things the county owns, and that was something we weren’t aware of as we did some of this work,” he said. “We didn’t understand the nuances.”

Asked what Coalfire has learned from this ordeal, McAndrew said his company is likely to insist that local, state and even federal law enforcement be informed in advance of any penetration tests, at least as far as those engagements relate to public entities.

“When we look at the contracts and we look at who’s authorized to do what…typically, if a [chief security officer] says test these IP addresses, we would say okay that’s enough,” he said. “But we’re questioning from a legal perspective at what point does that need to have legal counsel review.”

McAndrew said it’s probably time for experts from various corners of the pen testing community to collaborate in documenting best practices that might help others avoid a repeat of the scenario in Dallas County.

“There’s no standard in the industry,” he said. “When it comes to these sorts of issues in red teaming — the legal challenges and the contracts — there’s really nothing out there. There are some things that can’t be undone. There’s the mugshots that are out there forever, but even as we get the charges dropped, these are permanently going to be in the federal database. This is a permanent thing that will reside with them and there’s no legal way we’re aware of to get these charges removed from the federal database.”

McAndrew said while he remains frustrated that it took so long to resolve this dispute, he doesn’t believe anyone involved acted with malicious intent.

“I don’t think there were any bad people,” he said. “Everyone was trying to do the right things — from law enforcement to the sheriff to the judges to the county — they all had the right intentions. But they didn’t necessarily all have the right information, and possibly people made decisions at levels they weren’t really authorized to do. Normally that’s not really our call, but I think people need to be thinking about that.”

Threat Roundup for January 24 to January 31

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 24 and Jan 31. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Read More


TRU01312020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for January 24 to January 31 appeared first on Cisco Blogs.

Cyber News Rundown: Magecart Hackers Arrested

Indonesian Magecart Hackers Arrested

At least three individuals were arrested in connection with the infamous Magecart information-stealing malware. Thanks to the combined efforts of several international law enforcement agencies, numerous servers issuing commands to awaiting Magecart scripts have been taken down in both Indonesia and Singapore. While these are not the only individuals who have profited from the Magecart code, they are the first to be identified and brought to justice.

German City Suffers Cyberattack

The City of Potsdam, Germany, is recovering from a cyberattack that took down parts of its administration systems. Fortunately, the systems were being actively monitored and were quickly taken offline to prevent data from being removed. It seems, after further investigation, that the servers were not fully patched with the latest updates. This could have allowed the attackers to move and execute malware freely.

Job Listings Used to Commit Fraud

A new wave of data theft has hit the job hunting crowd, making life harder for people looking to be hired. Cybercriminals have been creating phony sites with job listings for the purpose of absconding with the information one would normally provide an employer after accepting an offer. Though these types of scams have been executed in the past, they tend to reappear occasionally due to their continued success.

UK Court Freezes Bitcoin Wallet

After falling victim to a ransomware attack that shut down more than 1,000 computers, a Canadian insurance company took advantage of their cybersecurity policy to pay out a nearly $1 million ransom. By working with a cyber analysis firm, the company was able to track their ransom payment through the blockchain to a final wallet, which was then frozen by the currency exchange to stop further transactions and to identify the owners of the wallet. Though this may sound positive for the victims, they may be the target of additional negative repercussions like having their stolen data published or being attacked again.

South Carolina Water Company Shutdown

The Greenville Water service in South Carolina was hit with a cyberattack that took down all of its systems for about a week. As it continues to restore systems to proper function, officials have stated that no customer data was accessed, nor is any payment card data actually stored there. Fortunately, Greenville Water was able to return to normal functions within a week and informed customers that late fees would not be issued for payments made during the outage.

The post Cyber News Rundown: Magecart Hackers Arrested appeared first on Webroot Blog.

NSA Security Awareness Posters

From a FOIA request, over a hundred old NSA security awareness posters. Here are the BBC's favorites. Here are Motherboard's favorites.

I have a related personal story. Back in 1993, during the first Crypto Wars, I and a handful of other academic cryptographers visited the NSA for some meeting or another. These sorts of security awareness posters were everywhere, but there was one I especially liked -- and I asked for a copy. I have no idea who, but someone at the NSA mailed it to me. It's currently framed and on my wall.

I'll bet that the NSA didn't get permission from Jay Ward Productions.

Tell me your favorite in the comments.

Hackers penetrated NEC defense business division in 2016

Japanese electronics and IT giant NEC confirmed a security breach suffered by its defense business division in December 2016.

The IT giant NEC confirmed that the company defense business division has suffered a security breach back in December 2016.

The Japanese firm confirmed the unauthorized access to its internal network after Japanese newspapers disclosed the security incident citing sources informed of the event.

NEC is a contractor for Japan’s defense industry and was involved in various defense projects.

Roughly 28,000 files were found by the company on one of the compromised servers, some of them containing info about defense equipment.

“In July 2018, we succeeded in decrypting encrypted communication with an infected server and an external server that was performing unauthorized communication, and stored it on our internal server for information sharing with other departments used by our defense business division. 27,445 files were found to have been accessed illegally.

As a result of investigations conducted by the Company and external specialized organizations, no damage such as information leakage has been confirmed so far.” reads the statement from the company.

“These files do not contain confidential information or personal information. In addition, since July 2018, the situation has been individually explained to customers related to files that have been accessed illegally.”

The situation is different according to the Nikkei newspaper that reported that the Japanese Ministry of Defense said that the exposed files contained “information on contracts with NEC, not defense secrets, and there is no impact on Japan’s defense system.”

NEC was informed of the intrusion in July 2017 by a security company contracted by the electronics company to investigate alleged unauthorized accesses to the internal network.

In July 2018, the company was able to decrypt unauthorized communications between an internal server and an external machine and discovered further compromise.

NEC announced it has taken steps to improve the security of its infrastructure and prevent future intrusions.

Recently, another Japanese multinational electronics giant disclosed a data breach: last week Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

The attackers have exploited a directory traversal and arbitrary file upload vulnerability, tracked as CVE-2019-18187, in the Trend Micro OfficeScan antivirus.

Trend Micro has now addressed the vulnerability, but we cannot exclude that the hackers have exploited the same issue in attacks against other targets. After the security firm patched the CVE-2019-18187 flaw in October, it warned customers that the issue was being actively exploited by hackers in the wild.

Pierluigi Paganini

(SecurityAffairs – NEC, hacking)

The post Hackers penetrated NEC defense business division in 2016 appeared first on Security Affairs.

6 Suspects Arrested in Maltese Bank Hacking Heist

Malware-Wielding Gang Moved $14 Million to US, UK, Hong Kong and Czech Accounts
Police in the United Kingdom have arrested six suspects as part of a money laundering investigation tied to the February 2019 theft of $14 million from one of Malta's largest banks. Officials say malware-wielding attackers moved money to accounts in the U.S., U.K., Czech Republic and Hong Kong.

Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D

DLL Abuse Techniques Overview

Dynamic-link library (DLL) side-loading occurs when Windows Side-by-Side (WinSxS) manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman’s terms, DLL side-loading can allow an attacker to trick a program into loading a malicious DLL. If you are interested in learning more about how DLL side-loading works and how we see attackers using this technique, read through our whitepaper.

DLL hijacking occurs when an attacker is able to take advantage of the Windows search and load order, allowing the execution of a malicious DLL, rather than the legitimate DLL.

DLL side-loading and hijacking have been around for years; in fact, FireEye Mandiant was one of the first to discover the DLL side-loading technique along with DLL search order hijacking back in 2010. So why are we still writing a blog about it? Because it’s still a method that works and is used in real world intrusions! FireEye Mandiant still identifies and observes threat groups using DLL abuse techniques during incident response (IR) engagements. There are still plenty of signed executables vulnerable to this, and our red team has weaponized DLL abuse techniques to be part of our methodology. For detection and preventative measures on DLL abuse techniques, see the “Detection and Preventative Measures” section in this blog post.

Even though DLL abuse techniques are not new or cutting edge, this blog post will showcase how the FireEye Mandiant red team uses FireEye Intelligence to expedite the research phase of identifying vulnerable executables, at scale! We will also walk you through how to discover new executables susceptible to DLL abuse and how the FireEye Mandiant red team has weaponized these DLL abuse techniques in its DueDLLigence tool. The DueDLLigence tool was initially released to be a framework for application whitelisting bypasses, but given the nature of unmanaged exports it can be used for DLL abuse techniques as well.

Collecting and Weaponizing FireEye Intelligence

A benefit of being part of the red team at FireEye Mandiant is having access to a tremendous amount of threat intelligence: our organization’s incident response and intelligence consultants have observed, documented, and analysed the actions of attackers across almost every major breach over the past decade. For this project, the FireEye Mandiant red team asked the FireEye Technical Operations and Reverse Engineering Advanced Practices (TORE AP) team to leverage FireEye Intelligence and provide us with all DLL abuse techniques used by attackers that matched the following criteria:

  1. A standalone PE file (.exe file) was used to call a malicious DLL
  2. The .exe must be signed and the certificate not expire within a year
  3. The intelligence about the technique must include the name of the malicious DLL that was called

Once the results were provided to the red team, we started weaponizing the intelligence by taking the approach outlined in the rest of the post, which includes:

  1. Identifying executables susceptible to DLL search order hijacking
  2. Identifying library dependencies for the executable
  3. Satisfying APIs exported in the library

DLL Search Order Hijacking

In many cases it is possible to execute code within the context of a legitimate Portable Executable (PE) by taking advantage of insecure library references. If a developer allows LoadLibrary to resolve the path of a library dynamically, then that PE will also look in the current directory for the library DLL. This behavior can be used for malicious purposes by copying a legitimate PE to a directory where the attacker has write access. If the attacker creates a custom payload DLL, then the application will load that DLL and execute the attacker’s code. This can be beneficial for a red team: the PE may be signed and have the appearance of trust to the endpoint security solution (AV/EDR), it may bypass application whitelisting (AWL), and it can confuse or delay an investigation process.

In this section we will look at one example where we identify the conditions for hijacking a PE and implement the requirements in our payload DLL. For this test case we will use a signed binary PotPlayerMini (MD5: f16903b2ff82689404f7d0820f461e5d). This PE was chosen since it has been used by attackers dating back to 2016.

Identifying Library Dependencies

It is possible to determine which libraries and exports a PE requires through static analysis with tools such as IDA or Ghidra. The screenshot shown in Figure 1, for example, shows that PotPlayerMini tries to load a DLL called “PotPlayer.dll”.

Figure 1: Static Analysis of DLLs loaded by PotPlayerMini

Where static analysis is not feasible or desirable it may be possible to use a hooking framework such as API Monitor or Frida to profile the LoadLibrary / GetProcAddress behavior of the application.

In Figure 2 we used API Monitor to see this same DLL loading behavior. As you can see, PotPlayerMini is looking for the PotPlayer.dll file in its current directory. At this point, we have validated that PotPlayerMini is susceptible to DLL search order hijacking.

Figure 2: Dynamic Analysis of DLLs loaded by PotPlayerMini

Satisfying Exports

After identifying potentially vulnerable library modules we need to apply a similar methodology to identify which exports are required from the module PE. Figure 3 shows a decompiled view from PotPlayerMini highlighting which exports it is looking for within the GetProcAddress functions using static analysis. Figure 4 shows performing this same analysis of exports in the PotPlayerMini application, but using dynamic analysis instead.

Figure 3: Static Analysis of exports in PotPlayerMini DLL

Figure 4: Dynamic Analysis of exports in PotPlayerMini DLL

In our case the payload is a .NET DLL which uses UnmanagedExports so we have to satisfy all export requirements from the binary as shown in Figure 5. This is because the .NET UnmanagedExports library does not support DllMain, since that is an entry point and is not exported. All export requirements need to be satisfied to ensure the DLL has all the functions exported which the program accesses via GetProcAddress or import address table (IAT). These export methods will match those that were observed in the static and dynamic analysis. This may require some trial and error depending on the validation that is present in the binary.

Figure 5: Adding export requirements in .NET DLL

Once we execute the binary, we can see that it successfully executes our function as shown in Figure 6.

Figure 6: Executing binary susceptible to DLL abuse

DLL Hijacking Without Satisfying All Exports

When writing a payload DLL in C/C++ it is possible to hijack control flow in DllMain. When doing this it is not necessary to enumerate and satisfy all needed exports as previously described. There also may be cases where the DLL does not have any exports and can only be hijacked via the DllMain entry point.

An example of this can be shown with the Windows Media Player Folder Sharing executable called wmpshare.exe. You can copy the executable to a directory outside its original location (C:\Program Files (x86)\Windows Media Player) and perform dynamic analysis using API Monitor. In Figure 7, you can see that the wmpshare.exe program uses the LoadLibraryW method to load the wmp.dll file, but does not specify an explicit path to the DLL. When this happens, the LoadLibraryW method will first search the directory in which the process was created (present working directory). Full details on the search order used can be found in the LoadLibraryW documentation and the CreateProcess documentation.

Figure 7: Viewing LoadLibrary calls in wmpshare.exe

Since it does not specify an explicit path, you can test whether it is susceptible to DLL hijacking by creating a blank file named “wmp.dll” and copying it to the same directory as the wmpshare.exe file. Now when running the wmpshare executable in API Monitor, you can see it first checks its current directory for the wmp.dll file, as shown in Figure 8. Therefore, it is possible to use this binary for DLL hijacking.

Figure 8: Viewing LoadLibrary calls in wmpshare.exe with dummy dll present

Figure 9 shows using the wmpshare executable in a weaponized manner to take advantage of the DllMain entry point with a DLL created in C++.

Figure 9: Using the DllMain entry point

Discovering New Executables Susceptible to DLL Abuse

In addition to weaponizing the FireEye intelligence of the executables used for DLL abuse by attackers, the FireEye Mandiant red team performed research to discover new executables susceptible to abuse by targeting Windows system utilities and third-party applications.

Windows System Utilities

The FireEye Mandiant red team used the methodology previously described in the Collecting and Weaponizing FireEye Intelligence section to look at Windows system utilities present in the C:\Windows\System32 directory that were susceptible to DLL abuse techniques. One of the system utilities found was the deployment image servicing and management (DISM) utility (Dism.exe). When performing dynamic analysis of this system utility, it was observed that it was attempting to load the DismCore.dll file in the current directory as shown in Figure 10.

Figure 10: Performing dynamic analysis of Dism utility

Next, we loaded the DISM system utility into API Monitor from its normal path (C:\Windows\System32) in order to see the required exports as shown in Figure 11.

Figure 11: Required exports for DismCore.dll

The code shown in Figure 12 was added to DueDLLigence to validate that the DLL was vulnerable and could be run successfully using the DISM system utility.

Figure 12: Dism export method added to DueDLLigence

Third-Party Applications

The FireEye Mandiant red team also targeted executable files associated with common third-party applications that could be susceptible to DLL abuse. One of the executable files discovered was a Tortoise SVN utility (SubWCRev.exe). When performing dynamic analysis of this Tortoise SVN utility, it was observed that it was attempting to load crshhndl.dll in the current directory. The export methods are shown in Figure 13.

Figure 13: Performing dynamic analysis of SubWCRev.exe

The code shown in Figure 14 was added to DueDLLigence to validate that the DLL was vulnerable and could be run successfully using the Tortoise SVN utility.

Figure 14: SubWCRev.exe export methods added to DueDLLigence

Applying It to the Red Team

Having a standalone trusted executable allows the red team to simply copy the trusted executable and malicious DLL to a victim machine and bypass various host-based security controls, including application whitelisting. Once the trusted executable (vulnerable to DLL abuse) and malicious DLL are both in the same present working directory, the executable will call the corresponding DLL within the same directory. This method can be used in multiple phases of the attack lifecycle as payload implants, including phases such as establishing persistence and performing lateral movement.


In this example, we will be using the Windows system utility Dism.exe discovered in the Windows System Utilities section as our executable, along with a DLL generated by DueDLLigence in conjunction with SharPersist to establish persistence on a target system. First, the DISM system utility and malicious DLL are uploaded to the target system as shown in Figure 15.

Figure 15: Uploading payload files

Then we use SharPersist to add startup folder persistence, which uses our DISM system utility and associated DLL as shown in Figure 16.

Figure 16: Adding startup folder persistence with SharPersist

After the target machine has been rebooted and the targeted user has logged on, Figure 17 shows our Cobalt Strike C2 server receiving a beacon callback from our startup folder persistence where we are living in the Dism.exe process.

Figure 17: Successful persistence callback

Lateral Movement

We will continue using the same DISM system utility and DLL file for lateral movement. The HOGWARTS\adumbledore user has administrative access to the remote host in this example. We transfer the DISM system utility and the associated DLL file via the SMB protocol to the remote host as shown in Figure 18.

Figure 18: Transferring payload files to remote host via SMB

Then we set up a SOCKS proxy in our initial beacon, and use Impacket’s to execute our payload via the Windows Management Instrumentation (WMI) protocol, as shown in Figure 19 and Figure 20.

proxychains python -nooutput DOMAIN/user:password:@x.x.x.x C:\\Temp\\Dism.exe

Figure 19: Executing payload via WMI with Impacket’s

Figure 20: Output of executing command shown in Figure 19

We receive a beacon from the remote host, shown in Figure 21, after executing the DISM system utility via WMI.

Figure 21: Obtaining beacon on remote host

Detection and Preventative Measures

Detailed prevention and detection methods for DLL side-loading are well documented in the whitepaper and mentioned in the DLL Abuse Techniques Overview. The whitepaper breaks it down into preventative measures at the software development level and goes into recommendations for the endpoint user level. A few detection methods that are not mentioned in the whitepaper include:

  • Checking for processes that have unusual network connectivity
    • If you have created a baseline of normal process network activity, and the network activity for a given process differs from that baseline, it is possible that process has been compromised.
  • DLL whitelisting
    • Track the hashes of DLLs used on systems to identify discrepancies.

These detection methods are difficult to implement at scale, but possible to utilize. That is exactly why this old technique is still valid and used by modern red teams and threat groups. The real problem that allows this vulnerability to continue to exist has to do with software publishers. Software publishers need to be aware of DLL abuse techniques and know how to prevent such vulnerabilities from being developed into products (e.g. by implementing the mitigations discussed in our whitepaper). Applying these recommendations will reduce the DLL abuse opportunities attackers use to bypass several modern-day detection techniques.

Microsoft has provided some great resources on DLL security and triaging a DLL hijacking vulnerability.


Threat intelligence provides immense value to red teamers who are looking to perform offensive research and development and emulate real-life attackers. By looking at what real attackers are doing, a red teamer can glean inspiration for future tooling or TTPs.

DLL abuse techniques can be helpful from an evasion standpoint in multiple phases of the attack lifecycle, such as persistence and lateral movement. There will continue to be more executables discovered that are susceptible to DLL abuse and used by security professionals and adversaries alike.

REvil Ransomware Crew Sponsors Underworld Hacking Competition


A notorious Russian threat group famed for its devastating ransomware attacks has funded a hacking competition being run on a dark web forum. 

Sodinokibi—the creators of the REvil ransomware—stumped up $15,000 in prize money for the illegal hacking contest, which requires competitors to write original articles containing proof-of-concept videos or original code. 

Articles can be submitted on five different topics, including APT attacks, developing exploits for searching for 0day and 1day vulnerabilities, and how to hack other people's crypto algorithms.

Along with the prize money, Sodinokibi offered the competition's overall winner an opportunity to "work with" the threat actors under "mutually beneficial conditions." 

The competition was announced via the XSS forum, which counts several Sodinokibi representatives among its members.

News of the competition and its nefarious sponsors was published today in a report by researchers at Digital Shadows. While black hat hacking competitions on dark web forums like Exploit and XSS are nothing new, the researchers noted a significant increase in the number of high-stakes prizes on offer recently.

“Since its relaunch as XSS [in 2018], the former Damagelabs has organized three articles competitions, all with four- or five-figure prize funds,” the researchers noted.

By contrast, a 2010 competition that challenged participants to design a graphic that best represented the Russian-language segment of the internet (the "Runet") had as its prize a single iPad.

Digital Shadows’ research indicates that groups like Sodinokibi have taken an interest in these competitions to foster technical skills among forum members, increase awareness of the availability of ransomware on the forum in a savvy sales move, and gain valuable intelligence for future malware development.

For the forums, such high-prize competitions are a way to grow or sustain their membership. 

Researchers wrote: "Cybercriminal forums need to attract and retain members in order to survive and being able to present a site as a valuable repository of articles discussing pertinent cybercriminal issues is a real draw."

Currently, the prize money up for grabs in legal white hat competitions outstrips what can be won on the dark web, but based on Digital Shadows' research, that situation could one day change.

Windows 7 End of Support: What Does It Mean for Your Organizations?

As you may already know, Windows 7 has officially hit its end of support. Starting January 14, Microsoft will no longer be providing updates, security patches or new features to what was once the most popular operating system in history, which was outpaced by Windows 10 only in early 2019.

For organizations that are still running Windows 7, this is a serious matter of concern, since generally, legacy software and systems quickly become highly attractive targets for cybercriminals. Thus, in this case, it would be reasonable to suppose that Windows 7 machines are going to be attacked by malicious actors in the near future.

According to a Spiceworks report released in June 2019, 79% of organizations still ran at least one instance of Windows 7, and many of these businesses responded they would procrastinate in their migration efforts. In fact, the data showed that 67% of businesses running Windows 7 were planning to migrate all their machines off of Windows 7 prior to the end of service date, but 25% planned to migrate after the deadline.

A brief history of Windows 7

Windows 7, the successor to Windows Vista, was released in October 2009 in conjunction with Windows Server 2008 R2, its server counterpart. It was based on Windows Vista’s underlying code and technology, with various enhancements added to its speed, user interface, and the addition of Internet Explorer 8, to name a few.

Windows 7 met the needs of both consumers and enterprises, bringing Home Basic, Home Premium, Professional, and Ultimate to individual users, and Windows 7 Enterprise Edition to businesses. It soon became the fastest-selling operating system in history, with 240 million licenses being sold in the first year alone. We witnessed its adoption peak back in 2013, when Windows 7 accounted for over 60% of all Windows operating systems.

However, since Windows 7 did have its faults, Windows 8 was released shortly after (in 2012) and was followed by Windows 10 a few years later. Aiming to increase the adoption of Windows 10, Microsoft even pushed it as a free upgrade to Windows 7 users. However, according to ZDNet, you can still get a free Windows 10 upgrade, so check out their guide if you’d be interested.

This exercise to increase the adoption of Windows 10 proved to be successful, and by early 2018, it had taken its place as the dominant desktop operating system.

Windows 7 has reached its end of support

A Windows 7 out of support notification

The Windows 7 end of life has not been received well by everyone. Some voices behind the free software movement are demanding Windows 7 to be released as free software and given to the community “to study, modify, and share”. The request has been made in exchange for proof that Microsoft values “users and user freedom, and aren’t just using those concepts as marketing when convenient.”

Windows 7 end of support – How does this affect your organization?

What does Windows 7 end of support mean for your business? Basically, after January 2020, your machines that are running Windows 7 will no longer receive security updates. At the same time, Microsoft’s customer service will not be available to provide technical support anymore. Also, certain software and apps compatible with Windows 7 will gradually be discontinued.

Below you can read a section of Microsoft’s statement:

Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. This 10-year period has now ended, and Microsoft has discontinued Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end of support day for Windows 7 was January 14, 2020. Technical assistance and software updates from Windows Update that help protect your PC are no longer available for the product. Microsoft strongly recommends that you move to Windows 10 to avoid a situation where you need service or support that is no longer available.

Is Windows 7 still available?

Yes, Windows 7 still works. However, it is strongly recommended that you do not keep using it due to security flaws that may be discovered and exploited by cybercriminals.

Windows 7 support has ended – What are the next steps for your business?

Now that Windows 7 is no longer being given support, it’s time for you to take a look at your options. This operating system is more than ten years old, and you definitely need a plan to move your workloads to something more modern.

It would not really make sense to consider migrating to Windows 8.1 since you’ll only get just a few more years of support anyway. So, your safest bet would be to switch to Windows 10 (or Windows as a Service, the SaaS approach introduced by Microsoft with Windows 10 to deploy and update the OS). You should follow this approach especially if you’re a company that has invested heavily in Microsoft’s stack and switching to a different system, like macOS or Linux, would end up being too expensive.

So, below are a few steps to consider and aspects to keep in mind when migrating to Windows 10.

#1. Start a plan to migrate as soon as possible to Windows 10

It’s best that you prioritize your migration to Windows 10 to avoid the security risks involved. Studies have shown that unpatched systems account for the majority of data breaches. Remember the WannaCry ransomware attack, that devastated the UK’s National Health Service? Experts were arguing that this disastrous ransomware infection could have been prevented, had security patches been applied to protect the Windows 7 systems, that were common throughout the NHS.

Here at Heimdal, we can’t stop focusing on the importance of patching. If you are interested to learn more about the common practices and vulnerabilities related to software patching, feel free to check out the insightful guide published by one of my colleagues.

#2. Do a fresh installation of your software and apps on your new Windows 10 PCs

After you’ve completely switched to Windows 10, it’s time to deploy the tools your business needs. A solution like X-Ploit Resilience helps you easily install and manage your software and even automate the updating process, by scheduling software and system updates whenever you want.

Should your employees need to install certain software on their own, you can now free your system administrators from the burden of manual software installation. Be sure to check out a Privileged Access Management (PAM) tool like Thor AdminPrivilege. And the best part is you don’t need to worry about malware infections that abuse admin rights – our product automatically de-escalates elevated privileges if a machine shows any signs of infection.

#3. Be careful to whom you grant admin rights

Since I’ve mentioned the PAM concept, make sure you are up to date with the latest best practices in regards to what defines a good Privileged Access Management strategy. I also encourage you to take a look at the guides my colleagues and I have published around this topic:

#4. Train your users

If your users have grown accustomed to using Windows 7 only, you may need to do a training session, just to get everyone on the same page. Even though there are many similarities between Windows 10 and Windows 7, your employees may experience difficulties when it comes to the control panel setting locations, wireless networks, or quickly using the Start menu.

Microsoft has provided a lot of helpful information on their website, offering you guidance on how to communicate about your migration, and also guides on how to connect printers, how to use the desktop, and more.

#5. Beware of tech support scams

Unfortunately, Microsoft tech support scams are a never-ending story. Since the Windows 7 end of support date has already passed, new opportunities for Windows tech support scammers will now unfold.

According to BBB Scam Tracker reports, malicious actors are trying to trick Windows users into paying to upgrade their current Windows 7 operating system to Windows 10, by informing them their license has expired. Scammers might try to convince targets to pay some fake annual fees or request remote access to their computers to “solve” their issues. This does not only result in financial loss, but also in the risk of sensitive information theft.

Quick Note: If you absolutely must keep using Windows 7 for a prolonged period of time now that its support has ended, you do have another alternative. Microsoft will still offer security updates through January 2023 (obviously, in exchange for a fee). Here you can find answers to any questions on Extended Security Updates for Windows 7 you may have.


Migrating to Windows 10 is no small matter. However, the good news is that Windows 10 has been released for a while now, many of its flaws have been fixed, and it has become more stable. Switching from Windows 7 to Windows 10 may feel like a chore, but in the long run, it will prove to be the best decision.

Are you still using Windows 7 in your organization? If you are, when are you planning to migrate to a supported operating system?

The post Windows 7 End of Support: What Does It Mean for Your Organizations? appeared first on Heimdal Security Blog.

What is Transport Layer Security (TLS)? Strengths and Vulnerabilities Explained

Every online ‘novitiate’ begins with an exercise in security. By now, you must have stumbled upon alien-like concepts such as “SSL”, “TLS”, “handshake protocol”, “AES”, or “MD5-SHA-1”. To call them perplexing would be a major understatement – unless you’ve majored in computer science or cryptography, of course. Seeing how many sysadmins or even ordinary users get bogged down by the intricacies of security protocols, in today’s article we will be tackling one of the gold standards of secure communication: Transport Layer Security, or TLS.

1.0. What is Transport Layer Security?

According to RFC 5246, published on the IETF’s (Internet Engineering Task Force) website, TLS is a cryptographic protocol designed to safeguard the communication between a client and a server. Virtually everything we know about the Internet revolves around the concept of secure communications, regardless of whether it’s web surfing, sending an instant message over a dedicated platform (i.e. WhatsApp), emailing your manager, or communicating over a VoIP application.

TLS gets its name from the rather peculiar way it differentiates itself from the single-layer model ascribed to the OSI (Open Systems Interconnection)[1] and TCP/IP models. Given the fact that TLS is a security protocol and not a transport protocol, it’s designed to run on top of some type of transport protocol; TCP is as good an example as any. However, in practice, there are some types of applications that ‘override’ TLS’ security functions, employing it as a transport medium.

The Transport Layer Security protocol has a long-winded history, but everyone agrees (to disagree!) that it was a ‘necessary evil’, in the sense that its creators wanted to find a way to overcome the shortcomings of SSL (Secure Sockets Layer), TLS’s predecessor. To fully understand why the adoption of TLS was imperative, let’s take a closer look at the chronology.

1.1. SSL to TLS Shift – Highlights

Here are the events that led to the adoption of TLS and the deprecation of SSL.

1986 – Project Secure Data Network System (SDNS) is set in motion. Several governmental and non-governmental agencies participate. Among them are the NSA, the National Bureau of Standards, and the Defense Communication Agency. The purpose of Project SDNS was to revamp the existing approach to securing computer communications over the network.

1987 – Project SDNS’ highlights and innovations are presented during the 10th National Computer Science Security Conference. Both TLS and SSL are being pushed as standards for secure network communication.

1993 – Research into the transport layer security variant begins. The SNP (Secure Network Programming) API is created. Scientists believe that APIs could facilitate the effort to secure existing network applications.

1994 – Taher Elgamal, Netscape’s chief scientist, comes up with version 1.0 of the Secure Socket Layer protocol. The first version would go unpublicized, due to various security flaws.

1995 – SSL version 2.0 is released. Poised to die in harness, as early results indicated that SSL 2.0 is as flawed as its predecessor.

1996 – SSL version 3.0 is released. It undergoes complete retrofitting. The same year, SSL 3.0 is anointed the next cryptologic gold standard. It will eventually be published on IETF’s website, under the name of RFC 6176.

1999 – Dierks and Allen of Consensus Development publish their joint paper on TLS version 1 (RFC 2246).

2006 – TLS version 1.0 receives its first update. TLS 1.1 gets its own document (RFC 4346).

2008 – Overhaul of TLS 1.1. Version 1.2 is published by the IETF as RFC 5246.

2011 – SSL 2.0 is deprecated.

2015 – SSL 3.0 is deprecated.

2018 – TLS 1.3 is released.

2020 – Major software market players, including Mozilla, Microsoft, Apple, and Google, announced that TLS 1.0 and TLS 1.1 will be deprecated by the end of the year.

1.2. SSL to TLS timeline at a glance

Since TLS is a security and cryptographic protocol, its primary function remains to safeguard data integrity and privacy. To ensure that both conditions are met, any TLS exchange has to meet several essential criteria. First and foremost, there’s the privacy concern – data being transmitted between the server and the client must be secured.

This is achieved through a method called symmetric encryption[2]. But even this method calls for cryptographic keys, which are generated at the beginning of each connection. Symmetric encryption key generation is done via the so-called shared secret[3]. This form of negotiation starts at the beginning of each secure communication session. The entire negotiation process between the client and the server also bears the name of the TLS handshake. I will provide you with more insight on the TLS handshake in the section dedicated to TLS in network security.

Following this phase, the identity of both parties is established. Although some cryptologists argue that this step is more of a formality and should, therefore, be optional, practice dictates that at least one party’s identity (client or server, usually the latter) should be disclosed via a public-key exchange.

Finally, connection reliability remains to be established. To verify that messages arrive intact, both parties exchange a message authentication code (MAC).

The TLS protocol can be further broken down into two sub-protocols: the TLS handshake and the TLS record. Let’s take a closer look at both of them.

1.2.1 How the TLS Handshake works

As I’ve explained, the TLS handshake (as the name suggests) is how the client and server ‘talk turkey’. During this step – which happens in the blink of an eye – several things occur: the two entities kick it off by swapping messages. I’ll get to that later. This step is necessary to confirm that both parties are who they say they are.

Next comes the verification stage, followed closely by a little ‘chat’ about what type of encryption algorithms this type of secure communication will be using. The chat is concluded when both parties agree on session keys. This would be the TLS handshake at a glance. However, there are far more things happening behind the scenes. Let’s take a peek and see what we can learn.

a) ‘Hello, server!’

The client (i.e. the user’s web browser) initiates the TLS handshake via a very friendly “hello” sent to the server. Type of info transmitted during the client “hello”: the TLS version supported by the client, a list of ciphers the client supports, and the so-called “client random”[4].

b) “Hello, client!”

The server relays a similar “hello” message to the user in order to establish its identity. Type of info transmitted during “server hello”: SSL certificate, the “server’s random” (similar to the “client random”), and its own list of supported ciphers.

c) Authentication

During this phase, after having received the SSL certificate from the server, the client cross-references with the official list issued by the certificate authority, in a bid to establish its authenticity.

d) Transmitting the premaster secret

To further strengthen privacy, the client sends a “premaster secret”. In cryptography, a premaster secret refers to a unique and random string of bytes transmitted to the server for decryption. This string is encrypted with a public key obtained from the SSL certificate which was previously transmitted by the server (see the “hello, client!” phase).

e) Private key decryption

Once the client transmits the premaster secret, the server will begin decrypting it.

f) Establishing session-specific keys

During this phase, another privacy layer is added. This is achieved by creating session-specific keys. Bear in mind that these keys are generated by both the client and the server. The process involves a ‘mix’ of cryptographical elements: server + client random and, of course, the premaster secret. As for the method of transmission, the session-specific keys are sent and received at the same time (client-server, server-client).

g) “Thank you, server!”

Once all of the above-mentioned conditions are met, the client pipes through a “finished/thank you” message to the server. The message itself is encrypted by a session key.

h) “Thank you, client!”

In a mirror darkly, as the saying goes – the server sends a “finished/thank you” message to the client, which is also encrypted by a session key.

i) Secure communication is established.

After completing the TLS handshake, the client and server can now proceed with communicating over a secure channel.

Note: the model I’ve described is using the asymmetric encryption model, supported by the RSA key exchange algorithm.

Unfortunately, further research has discovered that comms encrypted by the RSA algorithm are highly vulnerable to Man-in-the-Middle attacks.

This is the very reason why the asymmetric encryption method is far more widely used than the symmetric ones. In asymmetrically-encrypted TLS communications, RSA is augmented by something called an ephemeral Diffie-Hellman key exchange.

Here’s what the TLS handshake looks like within the boundaries of the D-H model.

a) “Hello, server!”

The client ‘waves’ to the server. In this phase, the client sends the supported ciphers list, the client random, and, of course, protocol version.

b) “Hello, client!”

In addition to its own random, supported ciphers list, and SSL certificate, the server will also send its digital signature. What that means is that the server signs its key-exchange data with a unique digital signature. This will tell the client that the server holds the private key that matches the public key ‘stamped’ on the SSL certificate.

c) Establishing the server’s identity

Upon receiving the digital signature from the server, the client verifies it to validate the server’s identity. In return, the client will transmit its D-H parameters to the server.

d) Computing the premaster secret

Instead of generating the premaster secret based on the SSL certificate, in DH, the client and server calculate the premaster secret on their own, in a bid to find a common denominator.

e) Generating session keys

After the client and server agree on a premaster secret, they generate and exchange session keys.

Note: the steps that follow are identical to those described by the RSA model.
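The "Establishing session-specific keys" step of the RSA flow and the D-H steps above both end in the same place: a premaster secret mixed with the client random and server random. The following is an added example, not code from the article, that runs both sides of an ephemeral Diffie-Hellman agreement and then derives the master secret and session keys with the TLS 1.2 PRF from RFC 5246 (which the article cites). The group parameters (p = 23, g = 5) are a deliberately tiny toy so the arithmetic can be followed by hand; real TLS uses 2048-bit or larger groups.

```python
"""TLS 1.2 (RFC 5246) key derivation after an ephemeral Diffie-Hellman exchange.

Added example for this page, not from the article. The premaster secret is computed on
both sides and never transmitted; the PRF then mixes it with both randoms.
"""
import hashlib
import hmac
import secrets

TOY_P, TOY_G = 23, 5  # toy group for illustration only; never use parameters this small


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion from RFC 5246 section 5: HMAC chain until `length` bytes exist."""
    out, a = b"", seed                                        # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 suites."""
    return p_sha256(secret, label + seed, length)


def dh_public(priv: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """Public value g^priv mod p; this is what each side sends in its KeyExchange message."""
    return pow(g, priv, p)


def dh_premaster(peer_pub: int, priv: int, p: int = TOY_P) -> bytes:
    """Z = peer_pub^priv mod p, big-endian with leading zero bytes stripped (RFC 5246 8.1.2)."""
    z = pow(peer_pub, priv, p)
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Split the key block for an AES-128-CBC / SHA-256 suite (section 6.3).

    Note the randoms are concatenated server-first here, the reverse of master_secret().
    """
    block = prf(master, b"key expansion", server_random + client_random, 2 * (32 + 16 + 16))
    layout = [("client_write_MAC_key", 32), ("server_write_MAC_key", 32),
              ("client_write_key", 16), ("server_write_key", 16),
              ("client_write_IV", 16), ("server_write_IV", 16)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def simulate_handshake(client_priv: int, server_priv: int, client_random: bytes,
                       server_random: bytes, p: int = TOY_P, g: int = TOY_G) -> dict:
    """Run both sides of the DHE agreement and derive each side's session keys independently."""
    client_pub = dh_public(client_priv, p, g)   # goes out in ClientKeyExchange
    server_pub = dh_public(server_priv, p, g)   # goes out in ServerKeyExchange, signed by the server
    client_pms = dh_premaster(server_pub, client_priv, p)
    server_pms = dh_premaster(client_pub, server_priv, p)
    client_keys = key_block(master_secret(client_pms, client_random, server_random),
                            client_random, server_random)
    server_keys = key_block(master_secret(server_pms, client_random, server_random),
                            client_random, server_random)
    return {"client_premaster": client_pms, "server_premaster": server_pms,
            "client_keys": client_keys, "server_keys": server_keys}


if __name__ == "__main__":
    result = simulate_handshake(6, 15, secrets.token_bytes(32), secrets.token_bytes(32))
    print("shared premaster:", result["client_premaster"].hex())
    print("both sides derived identical keys:", result["client_keys"] == result["server_keys"])
```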

1.2.2. What is the TLS Record?

TLS’s second sub-protocol, which is called the TLS Record, is one gigantic (and very virtual) piece of carbon paper. Basically, every byte, every operation, connection attempt, approval, rejection, message, and key exchange is recorded by this sub-protocol.

Like the TLS protocol itself (handshake and record), this second sub-protocol can also be broken down into several sub-sections, each governing a very specific area of the secure communication process.

I won’t go into too many details since I don’t want to drift too far from the main topic, but I will say this much – the TLS Record encloses hexadecimal info pertaining to cipher changes, alerts, handshake types, applications, MAC exchange and padding, type of messages displayed during the handshake, warning, errors, and the length of the application data.
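To make the record layer concrete, here is an added example (not code from the original article) that builds a constructed ClientHello record, appends a fatal alert record to the same stream, and parses both the way a record layer would: header first, then the typed payload, refusing truncated or oversized records. The sample bytes, the cipher-suite list and all helper names are constructed for the example.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
MAX_RECORD = 2**14 + 2048   # TLSCiphertext limit (RFC 5246 s6.2.3); plaintext is capped at 2^14


def parse_record(buf):
    """Split one record off the front of buf: 5-byte header, then exactly `length` payload bytes."""
    if len(buf) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_RECORD:
        raise ValueError("record length exceeds protocol maximum")  # a peer answers with record_overflow
    if len(buf) < 5 + length:
        raise ValueError("truncated record: wait for more bytes")
    record = {"type": CONTENT_TYPES[ctype], "version": (major, minor), "payload": buf[5:5 + length]}
    return record, buf[5 + length:]


def parse_alert(payload):
    if len(payload) != 2:
        raise ValueError("an alert body is exactly level + description")
    return {"level": ALERT_LEVELS.get(payload[0], payload[0]), "description": payload[1]}


def parse_client_hello(payload):
    """Handshake header (type, 3-byte length), then the ClientHello fields; extensions stay opaque."""
    htype, hlen = payload[0], int.from_bytes(payload[1:4], "big")
    if htype != 1:
        raise ValueError("not a ClientHello")
    msg = payload[4:4 + hlen]
    version = (msg[0], msg[1])
    client_random = msg[2:34]                         # the 32-byte client random
    pos = 34
    sid_len = msg[pos]; pos += 1
    session_id = msg[pos:pos + sid_len]; pos += sid_len
    cs_len = int.from_bytes(msg[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(msg[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = msg[pos]; pos += 1
    compression = list(msg[pos:pos + comp_len]); pos += comp_len
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression, "extensions": msg[pos:]}


def build_client_hello(client_random, cipher_suites):
    """Constructed ClientHello (no extensions) wrapped in a handshake record."""
    body = (b"\x03\x03" + client_random + b"\x00"
            + (2 * len(cipher_suites)).to_bytes(2, "big")
            + b"".join(s.to_bytes(2, "big") for s in cipher_suites)
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record version 3.1 for compat


# Constructed stream: a ClientHello offering TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
# and TLS_AES_128_GCM_SHA256 (0x1301), followed by a fatal handshake_failure alert (level 2, code 40).
SAMPLE_STREAM = build_client_hello(bytes(range(32)), [0xC02F, 0x1301]) + b"\x15\x03\x03\x00\x02\x02\x28"


def parse_stream(buf):
    records = []
    while buf:
        rec, buf = parse_record(buf)
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_stream(SAMPLE_STREAM):
        print(rec["type"], rec["version"], len(rec["payload"]), "bytes")
```

Feeding the parser a prefix of the stream raises the truncation error rather than returning a half record, which is the behaviour a real implementation needs, since TCP delivers a byte stream with no record boundaries.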


TLS in Network Security. Strengths and Vulnerabilities.

The Transport Layer Security protocol has a wide range of applications: from any software that requires data encryption in transit, all the way to web browsers, with the emphasis being on the latter. As I’ve pointed out earlier in the article, TLS usually ‘piggybacks’ on TCP (Transmission Control Protocol).

TLS itself assumes a reliable, ordered transport, so for datagram transports such as UDP (User Datagram Protocol) and DCCP (Datagram Congestion Control Protocol) there is a sister protocol, DTLS, which adds the sequence numbers and retransmission that TLS lacks. Above the transport layer, TLS is routinely used to secure the most common application protocols: HTTP (as HTTPS), FTP (FTPS), NNTP, XMPP, and SMTP/IMAP via STARTTLS.

As far as adoption is concerned, although TLS version 1.3 is, by far, the most secure version of the protocol, website support lags far behind.

According to SSL Pulse’s assessment, as of January 2020, only 22% of surveyed websites (around 30,000) support TLS 1.3.

On the other end of the spectrum, TLS 1.2 has been implemented across 96.6% of websites (around 135,000). One possible explanation is that 1.3 is relatively new compared to 1.2 and 1.1, and somewhat more difficult to integrate into existing network architecture. The browser vendors’ decision to deprecate TLS 1.0 and 1.1 in 2020, however, leaves 1.2 and 1.3 as the only acceptable versions.

From a sysadmin standpoint, it stands to reason that all your communications should be secured by a strong encryption protocol.

In practice, the usual recommendations are AES-256 (or AES-128) in GCM mode, or ChaCha20-Poly1305, for the symmetric part; ECDHE (X25519 or P-256) for key exchange; and RSA keys of 2048 bits or more (4096 if you want margin) or ECDSA P-256 for the certificate. Other algorithms exist, but rather than implementing any of them yourself, pick a vetted library and its recommended cipher-suite list.

Why should you use TLS for your secure communications? Here’s a short, yet fairly comprehensive list of advantages and disadvantages of employing TLS.

TLS advantages:

  • Prevents tampering and eavesdropping. TLS prevents an attacker positioned between the browser and the server from reading or silently altering the traffic.
  • Data integrity. Every record carries a MAC (or an AEAD tag), so any modification in transit is detected and the connection is torn down. Note that TLS detects tampering; guaranteeing delivery without loss is TCP’s job, not TLS’s.
  • Brand awareness and improving customers’ trust. Sites secured by TLS will instill a feeling of trust in your customers. A client is far more likely to conduct transactions over your website if the connection’s secured.
  • Message authentication. TLS 1.0 to 1.2 use HMAC (Hash-based Message Authentication Code, RFC 2104) and TLS 1.3 uses AEAD ciphers, whereas SSL 3.0 relied on an earlier, non-standard MAC construction; either way, a malicious actor cannot tamper with a TLS record in transit without detection.
  • Granular control over what goes on during the session. TLS’s alert sub-protocol is more precise and reactive than SSL’s. If something goes wrong during the session, the peer immediately receives an alert record that says why (warning or fatal) and can react accordingly.

TLS disadvantages:

  • Higher latency than plaintext. A StackPath study measured about 5 ms of extra latency on TLS-encrypted connections compared to unencrypted ones, and the machines on which the ‘stress tests’ were run showed a 2% CPU increase when processing TLS-encrypted traffic. (TLS 1.3 helps here by shortening the handshake to one round trip.)
  • Older TLS versions and configurations are still vulnerable. TLS 1.0 and 1.1, and TLS 1.2 deployments that keep legacy cipher suites enabled, have been hit by attacks such as POODLE (CBC padding, originally against SSL 3.0 and some TLS implementations), DROWN (a cross-protocol attack via servers that still offer SSLv2 with the same RSA key) and SLOTH (collisions in weak hashes such as MD5 used in signatures), several of which rely on downgrading the connection or on a Man-in-the-Middle position. Disable SSLv2/v3 and TLS 1.0/1.1, and drop CBC, MD5, RC4 and export suites.
  • Older platforms lack TLS 1.3. The final RFC 8446 version is supported by Chrome 70+, Firefox 63+, and Safari 12.1+ (macOS 10.14.4, iOS 12.2); Microsoft’s Schannel stack had not shipped TLS 1.3 support at the time of writing, so Internet Explorer and the legacy Edge could not negotiate it.

Closing thoughts on network security

As always, the sysadmin is the one who has the final say in what goes on in the area of cybersecurity. Before we part ways, I would very much like to leave you with a couple of tips that may (or may not) help you devise an effective cyber-defense strategy or, at the very least, convince your CEO that sometimes the best defense is a devastating offense.

#1. Find a suitable tool to automate the certificate deployment process

A Cisco study pointed out that although all companies are striving to implement a better and more secure protocol, a whopping 80% of them still rely on manual input. Automating certificate deployment (and renewal) can save a lot of resources, freeing up the department for other tasks. It would be best to start deploying TLS everywhere as soon as possible, since DNS over HTTPS (DoH), which itself rides on TLS, has started to gain even more ground in the area of privacy.

#2. Make sure to account for all attack vectors

By moving to TLS version 1.3 quickly, you significantly reduce the risk associated with eavesdropping attacks. However, TLS says nothing about where the traffic is going, so a DNS filtering solution is also warranted to cover the remaining attack vectors. Thor Foresight Enterprise, Heimdal Security’s award-winning traffic-filtering solution, actively scans the entire network for any signs of malware communicating with malicious infrastructure.


TLS is by far one of the most secure ways to encrypt communications. Version 1.3 brings many security improvements but has been slower to reach deployments than earlier versions. We look forward to seeing more websites and sysadmins deploying it.


[1] Overview of the OSI layer hierarchy. OSI features two types of layers: media (physical, data link, network) and host (transport, session, presentation, and application).

[2] Practice of using the same key both to encrypt the plaintext and to decrypt the ciphertext.

[3] A secret value known only to the two parties, established during the handshake and used to derive the master secret and session keys.

[4] A 32-byte random value sent in the “client hello”; it is a nonce that guarantees the derived keys are fresh for each session (it does not, by itself, establish the client’s identity).

The post What is Transport Layer Security (TLS)? Strengths and Vulnerabilities Explained appeared first on Heimdal Security Blog.

US County’s Computers Still Down Nine Days After Ransomware Attack


A county in the Pacific Northwestern state of Oregon is yet to fully recover from a ransomware attack that happened over a week ago.

Cyber-criminals hit Tillamook County in a targeted attack last Wednesday, January 22. As a result, all internal computer systems under the county government, which 250 county employees rely on, went down.

The Tillamook County website, which hosts numerous departments, was also taken out in the incident. Other network connections were disabled to contain the spread of the malware.

The Emergency Communications District’s dispatch and 911 services were not affected; however, the County Sheriff's Office has experienced some issues with its phone system and email.

County Commissioner Mary Faith Bell said that the attack was initially thought to be a storage system technical issue. It was later identified as a ransomware attack despite no initial ransom demands being made by the attackers. 

The day after the incident occurred, county officials contracted a forensic computer firm, Arete Incident Response, to investigate the attack. 

Though the potential cost of the ransom is yet to be revealed, the actions of the county earlier this week hint that the attackers may have finally issued a demand. 

On Monday, January 27, Tillamook County commissioners voted unanimously to negotiate with the cyber-attackers for an encryption key in a bid to regain control of the government's computer systems. 

Addressing the board, Information Technology Director Damian Laviolette said: "At this time, we are looking to Arete to potentially begin the process of negotiation for an encryption key for the remainder of the systems we have been unable to protect or retain the integrity of."

Bell acknowledged that paying a ransom could not guarantee the security or safe return of the data. She said: “I think the lesson is to backup absolutely everything because I think this kind of thing will become more common. There are places in the world where people are just doing this for a living.”

To keep functioning, the county has had to revert to non-digital workarounds. 

“A lot of the things like the library, we are checking books out by paper the old-fashioned way,” said Tillamook County Emergency Manager Gordon McCraw.

County phone lines were restored earlier in the week; however, no timeline has been given for when Tillamook's computers will be back up and running.

Best Practices and Practical Steps to Guide Your AppSec Journey

Imagine that you are tasked with planning a vacation for you and your family. For your ideal trip, you would jet off to a five-star resort on a private island for a month of pampering and fine dining. But, since you have two children, a limited budget, and only one week of paid time off, you settle for a three-star, theme park resort with a spa and outdoor pool. Your family has a great time on the vacation and, using your new-found trip planning skills, you start preparing and saving for your dream getaway.

Spearheading an application security (AppSec) program can sometimes feel a little like that type of vacation planning: you can see an ideal state, but it can feel unattainable. Just like planning a vacation, creating an AppSec program is also dependent on time and money, as well as an organization’s staff expertise, culture, and executive support.

Below, we look at both the best practices, and some practical first steps you can take that will prepare your AppSec program for improvements in the future. In other words, keep your eye on the private island AppSec, while moving forward with the theme park AppSec.

Best Practice #1: Use More Than One Application Security Testing Type

When you visit the doctor with an ailment, you undergo several tests to determine the diagnosis. There is no magic test that detects all illnesses. The same goes for AppSec tests: there is no one test that detects every vulnerability. So, to make sure that your application is fully secure, the best practice is to use as many testing types as possible.

Practical Advice: Start with What Makes the Most Sense, Then Add More Later

Develop an AppSec strategy to determine where you need AppSec solutions the most. Start by implementing the tests that will have the most impact, in the shortest amount of time, for the least amount of money. From there, you can start adding on more tests.

There are several factors that will help determine which tests will have the most impact. For example, if you have multiple applications, rank the applications based on the criticality of their risks, and test the applications with the most critical risks first. Another thing to consider is programming languages. If you leverage less-mainstream programming languages, there are limitations regarding the AppSec tests you can use. So start with tests that are not specific to language, like dynamic or penetration testing.

Best Practice #2: Shift Security Left

In today’s fast-paced world, enterprises are moving from yearly product releases to monthly, weekly, or daily releases. To keep up with this change, security testing needs to be woven into the development cycle instead of after the development cycle. That way, when it is time to release the product, security testing will not stand in the way.

Practical Advice: Shift Security Culture Left

Moving security testing into the development cycle means that developers will play a bigger security role. Since most development and security teams have never worked together, “shifting security left” can be a significant cultural change.

Before making this change, a good first step is to help security understand how development works and to build a relationship. Understanding how development works involves learning their tools and process, as well as how they build software, so that security testing can be integrated organically. When security is organically weaved into the development process, developers are more likely to be receptive of security, making it easier to forge trusting relationships.

You should also look for ways to automate security testing into the CI/CD pipeline. By integrating automated security tools into the CI/CD pipeline, you can incorporate testing without handing off code to another team, making it easier for developers to fix issues immediately.

Best Practice #3: Fix Everything Fast

Finding vulnerabilities is only half of the battle. You need to have a solid plan in place to fix them once they are discovered. Automating security testing in CI/CD pipelines allows organizations to not only find flaws faster, but it also speeds up the remediation process.

Practical Advice: Prioritize Fixes While Creating Fewer Vulnerabilities

As much as we would love to fix all flaws instantaneously, it is not possible. A practical first step in remediation is prioritizing. When prioritizing your flaws, do not just concentrate on defect severity, also consider the criticality of the application and how easy it would be to exploit the flaw.
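As an added example (not from the original post or from Veracode), here is one way to turn the prioritization rule above, together with the automated CI/CD gate from the “Shift Security Left” section, into code: a small Python policy gate that weights each finding’s severity by the application’s criticality and by how easy it is to exploit, fails the pipeline stage on policy violations, and reports the single policy-compliance metric. The application inventory, the findings, the thresholds and the multipliers are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed application inventory: business criticality from 1 (low) to 3 (high).
APP_CRITICALITY = {"payments-api": 3, "intranet-wiki": 1}

# Constructed multipliers for how easily a flaw class is exploited in practice.
EXPLOITABILITY = {"easy": 1.0, "moderate": 0.6, "hard": 0.3}

# Constructed policy: block critical-severity findings outright, and anything whose
# weighted risk score reaches MAX_RISK, regardless of the severity the tool reported.
BLOCK_SEVERITY = 5
MAX_RISK = 9.0


@dataclass(frozen=True)
class Finding:
    tool: str            # which test type reported it: "sast", "sca", "dast", "pentest"
    rule: str            # scanner rule or weakness class
    severity: int        # 1 (info) .. 5 (critical), as reported by the tool
    exploitability: str  # key into EXPLOITABILITY
    app: str             # key into APP_CRITICALITY
    location: str


def risk_score(f: Finding) -> float:
    """Severity alone is not the priority: weight it by app criticality and by exploitability."""
    return f.severity * APP_CRITICALITY.get(f.app, 2) * EXPLOITABILITY[f.exploitability]


def violates_policy(f: Finding) -> bool:
    return f.severity >= BLOCK_SEVERITY or risk_score(f) >= MAX_RISK


def prioritize(findings):
    """Highest weighted risk first; this is the order the fix queue should follow."""
    return sorted(findings, key=risk_score, reverse=True)


def policy_gate(findings):
    """CI/CD gate: returns (passed, violations). A failing gate blocks the pipeline stage."""
    violations = prioritize([f for f in findings if violates_policy(f)])
    return len(violations) == 0, violations


def policy_compliance(findings) -> float:
    """The one metric to report upward first: the share of findings that are within policy."""
    if not findings:
        return 1.0
    return sum(1 for f in findings if not violates_policy(f)) / len(findings)


# Constructed sample scanner output for two applications.
SAMPLE_FINDINGS = [
    Finding("sast", "SQL injection", 4, "easy", "payments-api", "orders.py:88"),
    Finding("sca", "known RCE in a dependency", 5, "moderate", "intranet-wiki", "requirements.txt"),
    Finding("dast", "missing HSTS header", 2, "hard", "payments-api", "/"),
    Finding("sast", "reflected XSS", 3, "easy", "intranet-wiki", "search.py:12"),
]

if __name__ == "__main__":
    passed, violations = policy_gate(SAMPLE_FINDINGS)
    print(f"policy compliance: {policy_compliance(SAMPLE_FINDINGS):.0%}")
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.app:14} {f.rule:28} {f.location}")
    raise SystemExit(0 if passed else 1)   # a non-zero exit fails the pipeline step
```

Note how the severity-4 SQL injection in the payments API outranks the severity-5 dependency flaw in the low-value wiki: the weighted score, not the tool’s label, drives the queue, while the severity floor still catches the critical one.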

Best Practice #4: Embed Security Champions into Development Teams

Most developers do not have a security background. This makes it very challenging when you try to implement security tests in the development lifecycle. A way to help fill this knowledge gap is to select interested volunteers from the development teams to become security champions. Security champions learn about security testing and can reiterate important security messages back to their teams.

Practical Advice: Build Up Your Security Champions Capabilities

Building a team of security champions takes time. Start by making sure your organization’s security, development, and leadership teams are all on board with the security champions concept. Once everyone agrees with the idea, help the security and development teams build a relationship. If developers and security personnel are on good terms, you have a much better chance of developers agreeing to become security champions.

Next, identify your champions. Security champions should be selected based on a demonstrated or perceived interest in learning more about security. If you select developers who do not have an interest in security, there is a high probability that they will not be successful in the role. Lastly, nurture your identified champions by giving them the appropriate tools and support, like additional training in security concepts and code reviews, needed for success.

Best Practice #5: Measure Your AppSec Results

It’s critical to be able to measure and report on the success of an AppSec program in metrics. Identify which metrics are most important to your organization’s key decision-makers, then display the metrics in an easy-to-understand, actionable manner.

Practical Advice: Focus on Your Policy Metric

Bringing too many metrics to your executives early on can be overwhelming and, quite frankly, unnecessary. Start by presenting one metric: how your AppSec program is complying with your internal AppSec policy. From here, you can start sharing other valuable metrics.

Remember, just like saving for your dream getaway, creating the perfect AppSec program takes time. But taking practical steps and looking toward the big picture will help you get closer to perfect sooner.

Learn more about the steps you can take to achieve AppSec maturity in our recent guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start.

Breach at Indian Airline Affects 1.2 Million Passengers


A data breach at Indian airline SpiceJet has exposed the personal information of over a million passengers.

Access to the airline's computer system was gained last month by a security researcher, who went on to report the breach to TechCrunch.

Using a brute-force attack, the researcher got into an unencrypted database backup file containing the private information of more than 1.2 million passengers who flew with SpiceJet last month. According to the ethical hacker, the password protecting the data was easily guessable.

Data exposed in the breach included passengers' names, phone numbers, email addresses, and dates of birth. Among the passengers whose data was exposed were several state officials.  

According to the researcher, the database file was easily accessible for anyone who knew where to look, leaving the budget airline vulnerable to cyber-attackers. 

After successfully gaining unauthorized access to SpiceJet's passenger data, the researcher contacted the airline to warn them that a breach had occurred. The researcher said that their efforts to reach out to the airline elicited no meaningful response from SpiceJet. 

The researcher went on to notify India's computer emergency response team (CERT-In) of the breach. The government-run agency confirmed that the breach had occurred and went on to issue an alert to SpiceJet.

While SpiceJet has now taken steps to secure the exposed database, the airline has declined to confirm CERT-In's findings.

A spokesperson for the airline said in a statement: “At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”

SpiceJet is one of the country's largest privately-owned airlines, commanding an approximate 13% market share in India. The airline, which is headquartered in Gurgaon, flies over a million passengers a month and puts more than 600 planes in the air every day. 

The security researcher who detected the security lapse has chosen to remain anonymous.

US continues to press EU members to ban Huawei and Chinese 5G technologies

The United States welcomed the European Union’s new rules on 5G networks, but pressed member states to ban China’s Huawei technology.

The EU’s executive Commission this week presented a set of rules and technical measures aimed at reducing cybersecurity risks from the adoption of 5G networks. The Commission’s recommendations include blocking high-risk equipment suppliers from “critical and sensitive” components of 5G infrastructures, such as the core.

“As many critical services will depend on 5G, ensuring the security of our networks is of high strategic importance for the entire European Union,” the EU’s executive vice president overseeing digital strategy, Margrethe Vestager, said at a press briefing in Brussels.

The EU’s executive Commission did not explicitly name companies, but the reference to the Chinese firm Huawei is clear.

On Tuesday, the British Government agreed to assign a limited role for Huawei in the country’s 5G network, but highlighted that “high risk vendors” would be excluded from the building of “sensitive” core infrastructure.

The decision not to ban Huawei completely does not satisfy the US Government, which believes it will give a significant advantage to the Chinese Government.

“We call on our European allies and partners to implement the EU recommendations by adopting strong, risk-based security measures that exclude high-risk suppliers from all parts of their 5G networks,” reads a statement from the Secretary of State Mike Pompeo.

Pompeo confirmed the intention of the US Government to ban the Chinese firms Huawei and ZTE because both are “subject to the direction of the Chinese Communist Party.”

“It is misguided to think that the risks associated with installing equipment from suppliers subject to control by authoritarian regimes with a track record of malign cyber behavior can be mitigated,” Pompeo added.

In any case, we cannot ignore that Huawei is a leading technology company with deep knowledge of 5G networks and, thanks to its commercial strategy, is widely deployed in many EU member states.

Pierluigi Paganini

(SecurityAffairs – 5G, hacking)

The post US continues to press UE members to ban Huawei and Chinese 5G technologies appeared first on Security Affairs.

What Is the Country with Highest Digital Quality of Life?

The Digital Quality of Life, or DQL, study examines the gaps between citizens’ online experiences on a society-to-society basis. In almost every aspect of life, the digital world impacts everyone. From day-to-day commutes to workplace computing, smartphones and computers are everywhere.

Some countries stand out from the norm, however, in terms of Internet security, speed and ease-of-access. While it’s wise to use a reliable VPN service when traveling, you’ll probably be safer when visiting some countries over others. Still, not all nations perform well where the digital space is considered.

The Highest Digital Quality of Life: Australia

Despite being a ‘third-world’ broadband country, Australia has an incredibly prosperous digital environment. Not only does it have affordable mobile Internet—but it’s also overcome a relatively slow network delivery time by assuring quality e-government services.

What Defines DQL?

When it comes to Digital Quality of Life, it can be difficult to identify what, exactly, makes a country’s Internet valuable. After years of data analytics, many researchers have covered the digital experiences of over 5.5 billion people.

These studies were conducted with open-source databases provided by the World Bank, United Nations, International Telecommunication Union and Freedom House—and, in most cases, every bit of information provided by any of these sources was compared to collected data at large.

Where DQL is considered, researchers tend to rate a country’s digital ‘quality’ based upon the most important features of Internet use in today’s digital landscape. These include, but expand upon, the following:

  • Connection speed
  • Affordability
  • Cybersecurity
  • E-government service quality

Each of these qualities is expandable, of course. Cybersecurity, for example, covers the availability of data protection law as well as public WiFi safety. In Australia’s case, affordability, specifically of mobile data, has propelled it to the top of the DQL list.

Mobile Data Affordability in Australia

Researchers have found that, while Australia’s broadband Internet is slow, its mobile Internet is quite fast. It’s so fast, in fact, that it’s quicker than the country’s broadband! Australia might not have the speediest online experience around, but its mobile Internet landscape, alone, has allowed it to pass 65 other countries in the 2019 DQL index.

It’s important to note Australia’s slow broadband, of course. Broadband in Australia has similar speeds to societies ranking at the bottom of the DQL list—landing at the 42nd spot, just behind Uruguay. Not only is Australia’s Internet slow, but it’s also quite expensive.

This is because residents of countries with lower DQL scores benefit from the cheaper broadband Internet—as the high-DQL Internet is considered to be more ‘valuable.’ In Australia, citizens need to work for approximately an hour and 21 minutes to maintain the country’s cheapest of broadband Internet services.

The NBN Network and 5G Data

Several of Australia’s Internet experts have weighed in on the broadband issue—particularly how it’s influenced the country’s quality of mobile data usage. The National Broadband Network, recently, has created an increasingly problematic digital divide between those with poor Internet connections and those benefiting from fast Internet access.

The NBN itself is a mixed-technology network, costing about $51 billion in taxpayer dollars. About five million businesses and homes currently use the NBN across seven different service plans—each of which tends to be inconsistent.

It’s suggested that the NBN’s unreliability has made it somewhat of a “lottery,” causing issues for everything from high-end video consumption to medical diagnoses. Australia’s placement as a third-world broadband country is symptomatic of this, yet the recent 5G mobile data network has picked up the weight.

Australia’s usage of 5G is highly optimized. While 5G isn’t a replacement for the NBN, it’s certainly capable of being one of Australia’s hearts of Internet access. From societal and economic perspectives, 5G’s technical capabilities are highly effective for infrastructure management—existing as a sort of “soft” wireless Internet foundation.

High-Quality E-Government Services

Mobile data affordability and speed aren’t the only areas Australia excels in. It also ranks seventh out of 65 countries in the DQL index in terms of e-government service quality. Above Australia were South Korea, the United Kingdom, France, the United States and Singapore. Denmark won the first-place spot.

Digital quality of life measured by government e-service quality covered service accessibility online; specifically, accessibility capable of saving citizens time and money was analyzed. The DQL’s e-government service quality ranks gauged the scope of each government service individually, utilizing the United Nations’ Online Service Index, or OSI.

OSI Measurement in Australia

The OSI gauges the quality of a government’s digital services, stating that high OSI ratings indicate Internet provisions that maintain high degrees of safety without sacrificing feasibility or cost. The United Nations’ Online Service Index is frequently updated to maintain high-quality examinations of Internet usage, making it one of the most reliable services around.

In the DQL, a country’s OSI is multiplied by a 0.16 weight factor—procuring a final e-government service index number augmented for relation to other digital quality measurements. E-government services have a large multiplier, in comparison to other DQL aspects, as it’s considered to have one of the biggest impacts on day-to-day Internet use comfort and safety.

Integrated E-Government Services

E-government service quality has increased steadily over the years, with a particularly strong growth spurt following the 2016 DDoS attacks on Australia’s online Census and on Centrelink’s debt recovery system. Deloitte Access Economics estimates that Australia’s federal government conducts about 811 million digital citizen transactions every year, yet Australia achieves only moderate performance compared to other countries when it comes to money management online.

As a result, data’s importance as new business fuel in Australia has become a forefront factor to consider. According to the OECD, Australia’s adoption of data-driven decision-making processes in recent years can result in a five to six-percent output increase in digital productivity.

A High Degree of Tech Knowledge Transfer

Australia’s data utilization and management shifts have enabled skills and knowledge transfer on a broad economy scale, benefiting the country from technology take-up productivity changes. A higher degree of digital technology adoption across Australia’s economy can add as much as $66 billion to the country’s GDP within a five-year time-span, further increasing e-government service potential.

Less Time with Direct Government Engagement

Integrated e-government services also benefit the country’s citizens with shorter government engagement times. As digital signatures make transactions simpler, government services across the digital world are becoming streamlined.

Submitting applications and signing contracts can be done in moments, and day-to-day hassles when navigating jurisdictions—such as with license transfers—may become a problem of the past. Currently, Australia already has a number of user-friendly Internet portal resources available—and it’s planning on incorporating more citizen-centric services in the future to positively impact business engagement.

More Secure Digital Identities, Key to a Digital Quality of Life

Australia’s Trusted Digital Identity Framework is also in good shape. Outlining a persistent, consistent approach to online identity security, the Digital Identity Framework is expected to become a vital component of integrated online services in the near future.

From 2018 to 2019, it received $92 million in funding, resulting in strong growth and underpinning GovPass, an eID. This eID duplicates Australia Post’s Digital iD, offering several positive changes to benefit the public.

Australia’s Open Data Movement

The City of Sydney has contributed to the country’s open data movement, which makes the diversity of data formats much easier to handle. Sydney has made several ever-growing datasets accessible to the public, covering transport, environmental sustainability, facilities, arts, culture and more.

Opened data facilitates the management, and even creation, of open services for the community and private sectors alike—stimulating the economy and increasing transparency. It also decreases the number of information requests, directly reducing workloads across administrations.

Decentralized Approaches to Data Security

Another inspiring quality of Australia’s data management structure is the country’s decentralized approach to data sharing, management and security. Promoting the use of secure data exchanges doesn’t necessarily require the use of a single database—or superdatabase—which handles data from numerous databases.

In fact, such single-database usage poses some serious security risks. Decentralized database usage, meanwhile, empowers IT solutions across Australia’s three government tiers. Such an adoption has given each tier the ability to communicate with each other with a high degree of security, solving several database integration issues.

This movement is underpinned by the pre-identification of both data senders and recipients. Data is encrypted, so as to ensure it’s unreadable in the event of interception. All data transactions are timestamped, and legal electronic logging and archiving audits are performed often.

Addressed Privacy Concerns

Privacy risks are persistent in any country, but Australia’s approach to mitigating cybersecurity risks also makes it a top-contending digital provider. Here, the country puts citizens in the driver’s seat, allowing them to help conduct the e-government model.

Every time a government agency accesses a citizen’s personal data, for example, the user can examine the access via extensive logs. They’re able to contest the usage if they deem it improper, and those wanting to stay away from digital identity services entirely can opt to use a physical service center.

Australia is also planning to create an opt-in approach to digital identity management, yet the framework is still being developed so as to assure the integrity of its usage across private-sector organizations.

Australia as a Leading Digital Provider

The country’s overall usage of data highlights it as one of the safest and most accessible Internet providers of today. While its broadband connections may be slow, they’re incredibly secure.

Meanwhile, Australia’s mobile networks are only growing in popularity for their ease-of-accessibility and speed. In the digital world, Australia’s high digital quality of life is prevalent over other countries. So much so, in fact, it’s expected to become a leading example of digital implementations in the future.

Author Bio: This post was written by Cristopher Nichols.

The post What Is the Country with Highest Digital Quality of Life? appeared first on Heimdal Security Blog.

This Week in Security News: Over 2,000 WordPress Accounts Compromised and Facebook to Pay $550M to Settle Class Action Case Over Facial Recognition

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, over two thousand WordPress sites were compromised using a malicious script that redirects visitors to scam websites. Also, read about how Facebook has agreed to pay $550 million to Illinois users to settle a class action lawsuit filed over the use of its face-tagging technology.

Read on:

Security Analysis of Devices that Support SCPI and VISA Protocols

The Standard Commands for Programmable Instruments (SCPI) protocol, now 30 years old, was initially designed for sensors communicating over serial lines to make adoption via different languages and hardware interfaces easier. Today, these devices are being exposed to the internet as more networks get connected, but they have never been designed for it and network administrators might not be aware that this is happening.

The Rich Are Different, but their Smartphones Aren’t

After Jeff Bezos’ phone was hacked, it raised the question of how high-profile people protect their cybersecurity. In this article, Mark Nunnikhoven, vice president of cloud research at Trend Micro, explains that the rich and famous can’t buy phones that are more secure than the average.

Malicious Script Plagues Over 2,000 WordPress Accounts, Redirects Visitors to Scam Sites

Besides leading visitors to scam websites, the malicious script can also gain unauthorized admin access to affected WordPress sites, allowing attackers to inject malware and apply modifications. Sucuri reported that the attackers gained access to the affected sites by exploiting plugins such as the vulnerable versions of the “CP Contact Form with PayPal” and the “Simple Fields” plugins.

Avast Winds Down Jumpshot, Cites User Data Sale Privacy Concerns

Avast is winding down its subsidiary Jumpshot following an explosive investigation into the sale of user data to third parties that may pose a risk to consumer privacy. The antivirus vendor said the unit will no longer have access to user information harvested from users of Avast products and services, and will eventually be fully terminated.

Unsecured AWS S3 Bucket Found Leaking Data of Over 30K Cannabis Dispensary Customers

An unsecured Amazon S3 bucket owned by cannabis retailer THSuite was found leaking the data of more than 30,000 individuals. Discovered by a vpnMentor research team during a large-scale web mapping project, the unsecured bucket exposed 85,000 files that included records with sensitive personally identifiable information (PII).

Facebook to Pay $550M to Settle Class Action Case Over Facial Recognition

Facebook has agreed to pay $550 million to Illinois users to settle a class action lawsuit filed over the use of its face-tagging technology to collect facial-recognition data on its social media platform. The suit stems from a class-action proceeding from Facebook users in Illinois over a feature called Tag Suggestions, which identifies Facebook users in photos based on biometric identification technology.

Google, Mozilla Crack Down on Malicious Extensions and Add-ons

The Google security team has temporarily disallowed the publishing or updating of paid extensions that use the Chrome Web Store payments due to an influx of fraudulent transactions performed via the extensions. Mozilla banned 197 suspicious Firefox add-ons that executed malicious code, ran codes from a remote server, stole user data, collected user search terms and obfuscated source code.

Microsoft Azure Flaws Could Have Let Hackers Take Over Cloud Servers

Cybersecurity researchers at Check Point disclosed details of two recently patched vulnerabilities in Microsoft Azure services that are potentially dangerous and, if exploited, could have allowed hackers to target several businesses that run their web and mobile apps on Azure.

3 Indonesian Hackers Arrested for Global Magecart Attacks, Other Members Still at Large

The International Criminal Police Organization (Interpol), together with the Indonesian National Police, recently publicized the arrest of three Indonesian men suspected of being behind intercontinental Magecart attacks. Known targets of this attack include online shops, hotel chains, advertising companies and even schools.

Inside the World’s Highest-Stakes Industrial Hacking Contest

Pwn2Own Miami, held at the S4 industrial control system security conference, has focused its participants’ skills for the first time exclusively on industrial control software (ICS). Every target is an application that touches physical machinery. The compromises could have catastrophic effects, from blackouts to life-threatening industrial accidents. In this article, read more about the inaugural Pwn2Own Miami competition.

Over 30 Million Stolen Credit Card Records Being Sold on the Dark Web

Cybercriminals were found selling more than 30 million credit card records on the dark web, purportedly from a data breach suffered by a U.S.-based gas station and convenience store chain last year. The breach was caused by a PoS malware attack and affected 860 convenience stores, of which 600 were also gas stations.

What are your thoughts on the class action lawsuit over Facebook’s facial recognition technology? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Over 2,000 WordPress Accounts Compromised and Facebook to Pay $550M to Settle Class Action Case Over Facial Recognition appeared first on .

Did Jony Ive jump or was he pushed?

Jony Ive is a brilliant designer. He helped bring Apple back from a near death experience with the original iMac and iBooks and, later, MacBooks. But he also accounted for a number of costly flops, that, while Apple would never admit it, would have sunk even more accomplished executives.

UK High Court Approves Freezing Injunction on $1M Ransomware Payment

The UK High Court of Justice approved a freezing injunction on over $1 million paid by an English insurance company to ransomware actors. The Honorable Mr. Justice Bryan announced his approved judgement in a decision released for publication by the High Court of Justice on January 17, 2020. As relayed in the judgement, a Canadian […]

The post UK High Court Approves Freezing Injunction on $1M Ransomware Payment appeared first on The State of Security.

Ottawa should follow allies in public-private collaboration, says cyber industry group

Fed up with what it believes is a federal government that doesn’t work closely enough with the private sector on cybersecurity-related acquisitions, an industry association has called on Ottawa to look at other countries for models of public-private co-operation.

In a report issued this week, the Canadian Association of Defence and Security Industries (CADSI) says the United States, the U.K. and Australia offer strategies the government here should pick up on to improve this country’s cyber defence.

The association believes the pace of federal decision-making on software and hardware procurement would pick up with better collaboration. Unlike the public sector, the report says pointedly, cyber firms are “the engine driving the relentless pace of cyber innovation” and “are not burdened by years-long or decades-long acquisition and deployment processes. Instead, they can field a new, fully-functioning technology solution in months or weeks.”

The report is a follow-up to one released last year by the association with a similar complaint. But the latest report suggests best practices from other countries Ottawa could use as models to kick decision-making here to a higher gear.

For example, it cites the U.K.’s Industry 100 program, which enables industry experts to work directly with the National Cyber Security Center (NCSC) in short-term placements. This gives them an opportunity to understand and challenge the way the government thinks, and to test innovative ideas inside the government environment.

“Overall, Industry 100 promotes greater mutual understanding of cybersecurity, better cyber policy, improves the delivery of programs, helps both government and industry identify systemic vulnerabilities, and reduces the future impact of cyberattacks,” says the report.

By comparison, Canadian national security agencies “seem exceptionally reticent” to have private-sector contractors work on sensitive government networks, the report says.

The report does praise the new Cyber Security Co-operation Program launched last fall by Public Safety Canada, which funds cyber research projects, as signalling the government’s intent to experiment with new arrangements. But ultimately it wants the government to place responsibility for the development and delivery of cyber solutions in the hands of the private sector, supported by the government with controls to ensure appropriate implementation.

“Collaboration between government and domestic industry on cyber has become second nature to our allies,” CADSI CEO Christyn Cianfarani said in a release accompanying the report. “But our own government is not leveraging the industry to its full potential. It’s estimated that 98 per cent of Canadian cyber infrastructure is owned and operated by private firms, so we need to be at the table.”

The report recommends a series of steps that the Canadian government can take within the next one to three years, including:

    • Establishing an Economic Strategy Table dedicated to cyber. The government has already created ESTs in other areas, pairing industry execs with senior bureaucrats to jointly tackle pressing problems.
    • Opening the door to public/private sector talent exchanges, like the U.K. Industry 100 program.
    • Setting up a classified operational network for threat information sharing with the private sector and testing solutions. The government said in its last budget it plans to do this.

The report intentionally avoids suggesting what it calls complex, machinery-of-government overhauls, Cianfarani said.

“Deep institutional change is hard, and we acknowledge that. But most of these solutions have already been road-tested by our allies and can be implemented in relatively short timelines.”

CADSI represents some 900 companies that sell defence and cybersecurity solutions, ranging from IT technologies to aircraft.

Make your own security key with Google’s OpenSK

Google has open-sourced OpenSK, firmware that, combined with an affordable chip dongle, allows you to make your own security key to use for authentication purposes. About OpenSK OpenSK is an open-source implementation for security keys that supports both FIDO U2F and FIDO2 standards. “Under the hood, OpenSK is written in Rust and runs on TockOS to provide better isolation and cleaner OS abstractions in support of security,” Elie Bursztein, Google’s Security & Anti-abuse Research Lead, and …

The post Make your own security key with Google’s OpenSK appeared first on Help Net Security.

Avast Stops Using Security Software to Track Browsing Data

Czech Anti-Virus Giant Faced Outcry Over Privacy Risks Posed by Data Tracking
Anti-virus giant Avast is shuttering Jumpshot, its data-collecting side business that has been funneling detailed internet browsing activity from the company's security products and browser extensions to marketers, after a probe by PCMag and Motherboard found the company was failing to fully anonymize data.

U.S. Department of Interior Grounding All Drones

The Department of Interior is grounding all non-emergency drones due to security concerns:

The order comes amid a spate of warnings and bans at multiple government agencies, including the Department of Defense, about possible vulnerabilities in Chinese-made drone systems that could be allowing Beijing to conduct espionage. The Army banned the use of Chinese-made DJI drones three years ago following warnings from the Navy about "highly vulnerable" drone systems.

One memo drafted by the Navy & Marine Corps Small Tactical Unmanned Aircraft Systems Program Manager has warned "images, video and flight records could be uploaded to unsecured servers in other countries via live streaming." The Navy has also warned adversaries may view video and metadata from drone systems even though the air vehicle is encrypted. The Department of Homeland Security previously warned the private sector their data may be pilfered off if they use commercial drone systems made in China.

I'm actually not that worried about this risk. Data moving across the Internet is obvious -- it's too easy for a country that tries this to get caught. I am much more worried about remote kill switches in the equipment.

British Council Blocked Over 10 Million Malicious Emails in 2019

The British Council, which promotes wider knowledge of the UK and English language in over 100 countries worldwide, was hit by over 10 million malicious email attacks in 2019, according to official figures.

The data was obtained by Nimbus Hosting under the Freedom of Information Act and showed that the British Council blocked a total of 10,336,631 emails last year. Of those, 190,155 emails were intercepted or blocked because of suspected malware such as worms, Trojan horses and ransomware.

Furthermore, the organization also blocked 14,317 suspected phishing emails, whilst a further 10,132,159 emails were intercepted and logged as spam, many of which would have had the potential to contain viruses.

Tim Dunton, MD, Nimbus Hosting, said: “These figures are another reminder that cyber-criminals will continually bombard organizations with scam emails, hoping to trick employees into handing over private data, to breach the organization’s security systems or steal personal information. All it takes is for one hoax email to fall through an email system’s imperfect filtration system before an organization must face the consequences of a severe breach of customer information.”

Moving forward, he added, it’s vital that all organizations like the British Council have the necessary anti-virus systems in place, as well as robust security procedures to keep hackers at bay.

Financial tech firms disagree on ban of customer data screen-scraping

They use it to offer things like budgeting apps. It puts passwords and privacy at risk, but some say they can't afford to build APIs instead.

NIST Tests Forensic Methods for Getting Data From Damaged Mobile Phones

Crooks sometimes damage their mobile devices to destroy evidence; NIST tests forensic methods for getting data from damaged mobile phones.

Criminals sometimes damage their mobile phones in an attempt to destroy evidence. They might smash, shoot, submerge or cook their phones, but forensics experts can often retrieve the evidence anyway. Now, researchers at the National Institute of Standards and Technology (NIST) have tested how well these forensic methods work.

A damaged phone might not power on, and the data port might not work, so experts use hardware and software tools to directly access the phone’s memory chips. These include hacking tools, albeit ones that may be lawfully used as part of a criminal investigation. Because these methods produce data that might be presented as evidence in court, it’s important to know if they can be trusted.

“Our goal was to test the validity of these methods,” said Rick Ayers, the NIST digital forensics expert who led the study. “Do they reliably produce accurate results?”

The results of the NIST study will also help labs choose the right tools for the job. Some methods work better than others, depending on the type of phone, the type of data and the extent of the damage. 

The study addresses methods that work with Android phones. Also, the study covered only methods for accessing data, not decrypting it. However, they can still be useful with encrypted phones because investigators often manage to get the passcode during their investigation.

To conduct the study, NIST researchers loaded data onto 10 popular models of phones. They then extracted the data or had outside experts extract the data for them. The question was: Would the extracted data exactly match the original data, without any changes?

For the study to be accurate, the researchers couldn’t just zap a bunch of data onto the phones. They had to add the data the way a person normally would. They took photos, sent messages and used Facebook, LinkedIn and other social media apps. They entered contacts with multiple middle names and oddly formatted addresses to see if any parts would be chopped off or lost when the data was retrieved. They added GPS data by driving around town with all the phones on the dashboard.   

After the researchers had loaded data onto the phones, they used two methods to extract it. The first method takes advantage of the fact that many circuit boards have small metal taps that provide access to data on the chips. Manufacturers use those taps to test their circuit boards, but by soldering wires onto them, forensic investigators can extract data from the chips. This is called the JTAG method, for the Joint Task Action Group, the manufacturing industry association that codified this testing feature.

Chips connect to the circuit board via tiny metal pins, and the second method, called “chip-off,” involves connecting to those pins directly. Experts used to do this by gently plucking the chips off the board and seating them into chip readers, but the pins are delicate. If you damage them, getting the data can be difficult or impossible. A few years ago, experts found that instead of pulling the chips off the circuit board, they could grind down the opposite side of the board on a lathe until the pins were exposed. This is like stripping insulation off a wire, and it allows access to the pins. 

“It seems so obvious,” said Ayers. “But it’s one of those things where everyone just did it one way until someone came up with an easier way.”

The chip-off extractions were conducted by the Fort Worth Police Department Digital Forensics Lab and a private forensics company in Colorado called VTO Labs, who sent the extracted data back to NIST. NIST computer scientist Jenise Reyes-Rodriguez did the JTAG extractions.

After the data extractions were complete, Ayers and Reyes-Rodriguez used eight different forensic software tools to interpret the raw data, generating contacts, locations, texts, photos, social media data, and so on. They then compared those to the data originally loaded onto each phone.

The comparison showed that both JTAG and chip-off extracted the data without altering it, but that some of the software tools were better at interpreting the data than others, especially for data from social media apps. Those apps are constantly changing, making it difficult for the toolmakers to keep up.
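The two-stage validation described above (a bit-for-bit check of the raw extraction, then a record-by-record check of what each parsing tool reproduced) can be written down as a small comparison harness. The following is an added example, not NIST's or CFTT's code: the reference records, the "tool output" and the raw image bytes are constructed inline, and the category names and record ids are hypothetical. It deliberately includes the kinds of values the study loaded (multiple middle names, an oddly formatted address) so that truncation, alteration, missing and spurious records are each detected and classified separately.

```python
import hashlib
from typing import Any, Dict, List, Tuple

# Constructed reference dataset: the records loaded onto a phone before the
# extraction, including awkward values (multiple middle names, odd addresses).
REFERENCE: Dict[str, List[Dict[str, Any]]] = {
    "contacts": [
        {"id": "c1", "name": "Maria Elena Josefina Garcia-Lopez",
         "address": "Apt 4B, 12 1/2 Elm St.\nSpringfield"},
        {"id": "c2", "name": "Li Wei", "address": "Room 7, Building C"},
    ],
    "messages": [
        {"id": "m1", "text": "Meet at 5?", "ts": "2020-01-15T17:02:00Z"},
        {"id": "m2", "text": "Running late, see you at 5:30",
         "ts": "2020-01-15T17:10:00Z"},
    ],
}

# Constructed output of a hypothetical parsing tool run over the raw dump:
# one name is chopped, one address lost its line break, one message is absent
# and one record appears that was never loaded.
TOOL_OUTPUT: Dict[str, List[Dict[str, Any]]] = {
    "contacts": [
        {"id": "c1", "name": "Maria Elena Josefina Garcia",
         "address": "Apt 4B, 12 1/2 Elm St. Springfield"},
        {"id": "c2", "name": "Li Wei", "address": "Room 7, Building C"},
    ],
    "messages": [
        {"id": "m1", "text": "Meet at 5?", "ts": "2020-01-15T17:02:00Z"},
        {"id": "m9", "text": "(recovered fragment)", "ts": ""},
    ],
}

Finding = Tuple[str, str, str, str]  # (category, record id, field, kind)


def raw_image_unchanged(reference_image: bytes, extracted_image: bytes) -> bool:
    """Stage 1: did the JTAG or chip-off extraction copy the memory bit-for-bit?"""
    return (hashlib.sha256(reference_image).hexdigest()
            == hashlib.sha256(extracted_image).hexdigest())


def compare_records(reference: Dict[str, List[Dict[str, Any]]],
                    extracted: Dict[str, List[Dict[str, Any]]]) -> List[Finding]:
    """Stage 2: did the parsing tool reproduce every loaded record exactly?"""
    findings: List[Finding] = []
    for category, ref_records in reference.items():
        got = {r["id"]: r for r in extracted.get(category, [])}
        for ref in ref_records:
            rec = got.get(ref["id"])
            if rec is None:
                findings.append((category, ref["id"], "*", "missing"))
                continue
            for field, expected in ref.items():
                actual = rec.get(field)
                if actual == expected:
                    continue
                if actual is None:
                    kind = "field_missing"
                elif (isinstance(expected, str) and isinstance(actual, str)
                      and expected.startswith(actual)):
                    kind = "truncated"      # a prefix survived, the tail was lost
                else:
                    kind = "altered"        # content changed in some other way
                findings.append((category, ref["id"], field, kind))
        # Records the tool produced that were never loaded are flagged too.
        for rid in sorted(set(got) - {r["id"] for r in ref_records}):
            findings.append((category, rid, "*", "unexpected"))
    return findings


def field_accuracy(reference: Dict[str, List[Dict[str, Any]]],
                   findings: List[Finding]) -> float:
    """Share of reference fields reproduced exactly; a missing record loses all its fields."""
    sizes = {(cat, r["id"]): len(r) for cat, recs in reference.items() for r in recs}
    total = sum(sizes.values())
    bad = 0
    for cat, rid, field, kind in findings:
        if kind == "unexpected":
            continue
        bad += sizes[(cat, rid)] if field == "*" else 1
    return (total - bad) / total


if __name__ == "__main__":
    dump = b"constructed-raw-memory-dump"   # stands in for a real flash image
    print("raw image unchanged:", raw_image_unchanged(dump, dump))
    found = compare_records(REFERENCE, TOOL_OUTPUT)
    for f in found:
        print(f)
    print(f"field accuracy: {field_accuracy(REFERENCE, found):.2%}")
```

Keeping the two stages separate matters for the conclusion the study draws: if the raw image hashes match but the record comparison shows truncation, the defect is in the parsing tool, not the extraction, which is exactly the distinction the reports make between JTAG/chip-off and the eight software tools.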

The results are published in a series of freely available online reports. This study, and the resulting reports, are part of NIST’s Computer Forensics Tool Testing project. Called CFTT, this project has subjected a wide array of digital forensics tools to rigorous and systematic evaluation. Forensics labs around the country use CFTT reports to ensure the quality of their work.

“Many labs have an overwhelming workload, and some of these tools are very expensive,” Ayers said. “To be able to look at a report and say, this tool will work better than that one for a particular case — that can be a big advantage.”

This research was funded by NIST and the Department of Homeland Security’s Cyber Forensics Project. Background information is available on the CFTT website, and the JTAG and chip-off reports are available on the DHS website.

Pierluigi Paganini

(SecurityAffairs – NIST, hacking)

The post NIST Tests Forensic Methods for Getting Data From Damaged Mobile Phones appeared first on Security Affairs.

Jeff Bezos met FBI investigators in 2019 over alleged Saudi hack

Amazon founder interviewed as FBI conducts inquiry into Israeli firm linked to malware

Jeff Bezos met federal investigators in April 2019 after they received information about the alleged hack of the billionaire’s mobile phone by Saudi Arabia, the Guardian has been told.

Bezos was interviewed by investigators at a time when the FBI was conducting an investigation into the Israeli technology company NSO Group, according to a person who was present at the meeting.

US Defense Contractor Hit by Ryuk Ransomware

A US government technology contractor has become the latest major target taken down by a ransomware attack.

Electronic Warfare Associates (EWA) counts the Department of Defense, Department of Justice and Department of Homeland Security among its clients. It describes itself as a veteran-owned business with a track record dating back over four decades.

The firm currently claims to be working on cutting-edge projects in areas such as blockchain, anti-drone capabilities, location tracking and quantum technology. However, its own tech credentials appear to have taken a knock with this latest ransomware attack.

At the time of writing, its websites for subsidiaries EWA Government Systems and electronic deadbolt producer Simplicikey are down, but there’s no word on how widespread the attack was and how it has impacted the organization.

Its government customers will want to know if the ransomware hackers have also stolen sensitive corporate information, as is increasingly the case in such attacks.

Late last year new malware with data theft capabilities dubbed “Ryuk Stealer” was discovered. Keywords found in the code including “military,” “engineering,” “defense,” “government” and “restricted” raised suspicions that the authors may be gearing up to target the stealer at organizations like EWA and its clients.

Alexander García-Tobar, CEO and co-founder of Valimail, claimed that a phishing email was the likely attack vector.

“Phishing is implicated in more than 90% of all cyber-attacks, and it is the preferred vector used by the Ryuk ransomware that hit EWA servers,” he added. “Therefore, it’s likely that email played a role in delivering this attack. Additionally, impersonation-based techniques are leveraged in the majority of phishing attempts, so as to convince the target the fraudulent message is from a trusted source.”

Ransomware attacks targeting municipalities caused a trail of chaos across the US last year, but this is the first major raid against a federal government contractor.

Microsoft invites gamers and researchers to new Xbox bug bounty program

Gamers, security researchers, and technologists have been invited to identify security vulnerabilities in Xbox network and services and report them to Microsoft. Bounty rewards will range from $500 to $20,000 USD. Why? Microsoft runs a number of bug bounty programs and has now decided that their Xbox offerings need extra attention from security researchers. “The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct …

The post Microsoft invites gamers and researchers to new Xbox bug bounty program appeared first on Help Net Security.

AlphaBay Moderator Faces 20 Years Jail Time

A Colorado man who worked as a moderator on the infamous AlphaBay marketplace is facing two decades behind bars after pleading guilty to racketeering charges this week.

Bryan Connor Herrell, 25, worked on the now-shuttered dark web site settling disputes between buyers and sellers of illicit goods, according to a Department of Justice (DoJ) notice.

Known by the online pseudonyms “Penissmith” and “Botah,” he’s said to have settled over 20,000 such disputes on the site whilst also monitoring transactions for signs of fraud.

It appears Herrell’s identity may have become known to police after FBI, DEA and Royal Thai Police officers raided the home of AlphaBay founder Alexandre Cazes in 2017. At the time they seized an open laptop which contained “the passwords/passkeys for the AlphaBay website, the AlphaBay servers, and other online identities associated with AlphaBay.”

While Cazes subsequently died in prison, of suspected suicide, investigations into his former colleagues continue.

AlphaBay is thought to have been the world’s largest dark web marketplace of its kind when it stepped up to fill the gap left by Silk Road.

However, it suffered the same fate as its predecessor after police managed to infiltrate and shut it down. Announced alongside the takedown of Hansa in July 2017, the site is said to have reached over 200,000 users and 40,000 vendors.

According to Europol, the site hosted over 250,000 listings for illegal drugs and over 100,000 for stolen and fake ID documents, malware, hacking tools, counterfeit goods and more.

The policing organization estimated that at least $1bn flowed through the marketplace since it was launched in 2014.

Herrell was paid in Bitcoin for his efforts, and likely received a handsome remuneration. However, after he pleaded guilty to conspiring to engage in a “racketeer-influenced corrupt organization,” he faces a maximum of 20 years in prison.

Weekly Update 176

Well that's the audio issues fixed - mostly. The Zoom H6 is an awesome recorder, I just can't quite work out the right adaptors for the mic. I've got a couple of Saramonic SR-XLM1 lav mics and the guy at the DJ store I bought the Zoom from was convinced we'd be fine with just 3.5mm to 6.35mm jack converters, which appears to be incorrect. Someone else then said we'd need a TRRS to TRS adaptor so we grabbed a couple of Rode SC3s which also didn't solve the problem. So, keeping in mind we have no idea what we're doing (and missing), can someone explain the gap here and what's required to fill it?

In other news, we're at the tail end of NDC London where we've wrapped up our individual and joint talks. Scott's talking a lot about the history of crypto and where we now are with SSL Labs changing ratings when older TLS versions are found and browsers deprecating support for them. Oh - and incidentally, Cloudflare does enable you to no longer support older versions of TLS and I've had my things set at a minimum of 1.2 for quite some time now. I'm back on the plane to Aus in just a few hours' time so the next update will be from somewhere sunny - with good audio!



  1. SSL Labs is changing the grade for websites still supporting TLS 1.0 or 1.1 (this'll cap a bunch of sites rating well today at "B" once it hits)
  2. The DHS cyber chief uses Have I Been Pwned to monitor his breach exposure (it's always cool to see use cases like this 😎)
  3. Legacy TLS is being deprecated in the browsers (that's Scott's latest blog post, interesting reading if you're not supporting new versions of TLS)
  4. Scott played "hand model" whilst the BBC filmed his implant (clip there from when he got it fitted)
  5. Sponsored by: SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?
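The "minimum of 1.2" setting mentioned in the update is a one-line change in most TLS stacks; the following added example (not Troy Hunt's or Scott Helme's code, and not an SSL Labs tool) shows it for Python's `ssl` module, together with a check that a context really refuses legacy versions and a constructed scan-result grader that applies the cap described in item 1 (any TLS 1.0/1.1 support caps an A-range grade at "B"). The grading rule is an assumption modelled on the post, not SSL Labs' actual rating algorithm.

```python
import ssl
from typing import Iterable, List

# Version names as they might appear in a scanner's output (constructed input,
# not a real scanner's format). Everything below TLS 1.2 is treated as legacy.
LEGACY_NAMES = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that keeps certificate verification on and refuses < TLS 1.2."""
    ctx = ssl.create_default_context()          # verifies hostname + chain by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Server context with the same floor; caller still loads its own cert chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ctx.load_cert_chain("server.pem", "server.key")  # paths are the caller's
    return ctx


def allows_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate SSLv3 or TLS 1.0/1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def legacy_versions_offered(offered: Iterable[str]) -> List[str]:
    """From a list of protocol names a server offers, return the legacy ones."""
    return sorted(v for v in offered if v in LEGACY_NAMES)


def capped_grade(grade: str, offered: Iterable[str]) -> str:
    """Assumed cap mirroring the post: legacy support drags any A-range grade to B."""
    if legacy_versions_offered(offered) and grade.startswith("A"):
        return "B"
    return grade


if __name__ == "__main__":
    client = hardened_client_context()
    print("client allows legacy TLS:", allows_legacy_tls(client))
    scan = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]   # constructed scan result
    print("legacy offered:", legacy_versions_offered(scan))
    print("grade A+ becomes:", capped_grade("A+", scan))
```

`minimum_version` is the supported way to set the floor on Python 3.7 and later; the older `OP_NO_TLSv1` option flags are deprecated. Note that a client-side floor protects only your own connections, while the SSL Labs cap is about what the server still offers to anyone.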

UK Cyber Sector Tops £8bn as Brexit Looms

New figures cited by the UK government claim the country’s cybersecurity sector has achieved double-digit growth over the past two years, but Brexit threatens to undo much of the good work by making cross-border recruitment and sales harder.

Based on research from Queen’s University Belfast, the sector is now worth £8.3bn, with revenues from UK firms having increased 46% from 2017-19. The number of cybersecurity firms located in the UK also grew significantly over the period, by 44% from 846 in 2017 to over 1200 at year-end 2019.

In addition, investment into the industry was a record £348m last year, and topped £1.1bn over the past four years, the paper claimed.

The university argued that government-backed initiatives like HutZero, Cyber101 and the London Office for Rapid Cyber Security Investment (LORCA) have played a key role in helping start-ups and SMEs develop new products and services.

Andy Harcup, VP EMEA at Absolute Software, welcomed the news, arguing that it’s a reflection of the growing market demand for products designed to mitigate cyber-risk.

“However, whilst it’s great to see that cybersecurity has grown in priority on the corporate agenda as companies are spending more than ever on security, it must be mentioned that the threat landscape is developing even faster,” he added.

“Therefore, we must witness continued dedicated commitment from all organizations to tackle this problem head on. This involves the use or introduction of security tools that not only mitigate risk, but help the organization to respond, recover and actually fix the things that are breaking.”

The news comes as the UK officially leaves the European Union at midnight tonight. Experts and IT security professionals have warned that Brexit could have a “chilling” effect on the country’s nascent cybersecurity industry, by making cross-border intelligence sharing harder, and impacting jobs.

The world is already experiencing a cybersecurity skills shortage in excess of four million positions, with shortfalls in Europe having soared by over 100% from 2018-19.

It is predicted that Brexit will discourage many skilled job-seekers from coming to the UK, while the pipeline from UK universities remains weak.

Over 90% of UK IT professionals told RedSeal last year they believe Brexit will make chronic industry skills shortages even worse.

There are also question marks over UK sales to the continent. Boris Johnson’s government has refused to consider remaining in the single market, meaning likely trade restrictions that will hinder firms’ growth prospects.

Number of Web Certs Up, More Public Education Needed

The number of deployed Extended Validation (EV) SSL certificates has increased, with new measures by browsers to promote “secure” websites.

Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that EV certificates are still important, but acknowledged that there is a need for more education around them.

One idea he discussed was to create a whitelist of sources that use an EV certificate, and allow all certificate authorities (CAs) to access the whitelist to improve validation. Another was to establish a minimum amount of time it could take to allow an EV certificate to be issued, but Coclin acknowledged that this was not popular as it may affect new companies who want an EV cert for their domain.

Another idea was to add “validated trademarks” into the certificate as they are recognizable and distinguishable, “and if we put these into the certificates, people would have an extra way of validating that the certificate is authentic.” These will have been validated by the CA, using a standard set of validations and rules.

The last option is to add a requirement that the CA checks the record to see what sort of certificate should be issued for a domain. “If you say you don’t want an EV certificate to be issued for a domain, and someone in a different location tries to issue a certificate, the CA could look at the record and see that they cannot issue one for that domain.”
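The "check the record" idea above already has a deployed form: the DNS CAA record (RFC 8659), which lets a domain owner state which CAs may issue for it, and which CAs are required to consult before issuing. The following added example (not DigiCert's code and not something the talk presented) implements that check over a constructed, hypothetical zone: walking from the requested name up toward the root to find the governing record set, honouring the "issuer critical" flag for properties the CA does not understand, and distinguishing wildcard from non-wildcard requests. The domain names and CA identifiers in the zone are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CAARecord:
    """One CAA resource record (RFC 8659): flags byte, property tag, value."""
    flags: int   # bit 7 (0x80) marks the property as "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", or a future tag
    value: str   # for issue/issuewild: "<ca-domain>[; params]" or ";" (no CA)


# Constructed zone data standing in for live DNS (hypothetical names and CAs).
# An empty list means the name exists but carries no CAA records.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issuewild", ";"),                 # nobody may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [CAARecord(0, "issue", "letsencrypt.org")],
    "locked.example.com.": [CAARecord(0, "issue", ";")],          # no certs at all
    "strict.example.com.": [CAARecord(0x80, "futuretag", "x")],  # critical, unknown
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(fqdn: str) -> List[CAARecord]:
    """Climb from the FQDN toward the root; the first non-empty RRset governs.

    A parent's records apply to a child only when no closer name has any CAA
    records, so shop.example.com's own set replaces example.com's entirely.
    """
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'digicert.com; account=123' -> 'digicert.com'; ';' -> '' (no CA at all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca_domain: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether CA `ca_domain` may issue for `fqdn` (or for *.fqdn)."""
    rrset = lookup_caa(fqdn)
    if not rrset:
        return True, "no CAA records in the tree; issuance unrestricted"
    # A critical property the CA does not understand must block issuance.
    for rr in rrset:
        if rr.flags & 0x80 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{rr.tag}'"
    # Wildcard requests consult issuewild when present, else fall back to issue.
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    relevant = [rr for rr in rrset if rr.tag.lower() == tag]
    if not relevant:
        return True, f"no '{tag}' property present; issuance unrestricted"
    allowed = {issuer_domain(rr.value) for rr in relevant} - {""}
    if ca_domain.lower() in allowed:
        return True, f"'{tag}' permits {ca_domain}"
    return False, f"'{tag}' permits only {sorted(allowed) or 'no CA'}"


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "digicert.com", False),
                           ("www.example.com", "letsencrypt.org", False),
                           ("example.com", "digicert.com", True),
                           ("shop.example.com", "letsencrypt.org", False),
                           ("locked.example.com", "digicert.com", False),
                           ("strict.example.com", "digicert.com", False)]:
        ok, why = may_issue(host, ca, wild)
        label = ("*." if wild else "") + host
        print(f"{label:24} {ca:16} {'ALLOW' if ok else 'DENY '} {why}")
```

Two points from the talk map directly onto this: the "different location" case is the second line of the demo (a CA not named in the record is refused even though the domain exists), and the cost Coclin raised for new companies does not apply here, because a name with no CAA records anywhere in its tree stays unrestricted. A real CA would, in addition, resolve the records with DNSSEC validation where available and log the outcome, since the decision is an auditable part of issuance.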

Looking at the number of TLS certificates issued, Coclin said that around 78 million trusted web certificates are on websites globally, an increase of almost two million since last month, and that DigiCert has issued 13 million since the beginning of the year.

For the individual certificates, Coclin said DigiCert had issued 27.4% of the domain validation (DV) certificates (the most was by Let’s Encrypt with 49.7%), while DigiCert had issued 59.7% of the EV certificates and 96% of the organization validation (OV) certificates.

Pointing out that the number of TLS certificates had increased in recent years, Coclin said that this was about the move by browsers to highlight those websites not using HTTPS. “No website wants their domain to be seen as not secure, so certificates have increased,” he said.

The next step will be a red line through the address bar to show that a site is not secure, after that there will be an intermediate page saying that the page is not secure with a question of “do you really want to go to it?” The next step will be the same intermediate page saying “the following web page is not secure.”

He added: “Now who wants a website that you cannot get to? That should take us to 100% encryption on the web.”

Looking forward, Coclin predicted that the number of TLS certificates will increase, as well as Verified Mark Certificates in email as DMARC is further deployed. “EV is not going away, it has moved, but I think it is going to change again – maybe for the better or worse – but there are discussions going on and improvements being made, and we’ll see where that goes,” he concluded.

“We used to tell people ‘look for the lock’ but you cannot just do that anymore, as hackers know that is what we were told as they are getting free EV certificates and putting them on their sites and getting verified for 24-48 hours.”

Need for “Big Data Biology” as Users Create More Data

Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that “identity data is created on us all of the time,” but asked how protected it is.

He said that as we browse we create more and more data every day, and this data is about us and we should be sure it is “kept secure and in the right format.” Now with more devices available, cloud computing and IoT, we have ended up with the situation where we have big data, but not the “big data biology” on how it should be managed.

He said: “It is my data, not your data, and what is generated should be known by me and not some other company.” Citing the introduction of the GDPR in Europe in 2018 and the California Consumer Privacy Act (CCPA) this month in the USA, Coclin also referred to other legislation that had not passed, including the New York Privacy Act, which he said was “stronger than CCPA and gave private right of action.” However, he added that this failed in a legislative session, and he suspected that other proposed privacy laws would not pass in the current political climate.

Focusing on anonymity on the web, he said that there is a push to be more anonymous on the web, and particularly in the case of electronic voting “as you don’t want people to know who you voted for.”

Elsewhere, he said it was the same with email and IoT, that with the former you want to know that who has emailed you is actually that person, and with IoT, you want to know which devices are trusted and authorized to join your network.

On the other side, there are those “who do not want to be identified and cases where identity is important” and that is where Tor is important.

“Ideally for consumers, a strong privacy law is something that they need,” he argued. “For companies trying to comply, an over-arching privacy law, whether at state, federal or country level or global level would be even better, would be fantastic.”

Quantum Computing is Here, Look to a Post Quantum Future

Data is the new oil, but advances in quantum computing could be breaking encryption faster in the future.

Speaking at the DigiCert Security Summit in San Diego, Dr Michio Kaku, futurist and theoretical physicist, talked of the rise of quantum computing and its deployment in modern society.

After the world wide web, television, radio, radar and microwaves “and everything you see in a doctor’s office”, he said, the next step will be quantum. “If the first wave was about steam power, the second on electricity, the third on high tech, what will the fourth and fifth be about? The fourth wave, which we are now entering, is physics at the molecular level, such as AI, nano and bio technology; then we will see the fifth wave of technology, which will be dominated by physics at the atomic level.”

Kaku predicted the end of silicon, saying it “cannot compute at a quantum level” and now millions are being spent on this computing. However, while this technology is in its infancy, the threat is there. 

In a press conference, Kaku said that we are heading into a post-silicon era and that atom-based computation could be used to break any encryption, so governments are getting ahead of the game “as there is much at stake, so now the race is on for the post quantum era where we want to find defenses against methods used by quantum computers to break codes.”

He added that today’s mainframes will be replaced by quantum computers, but mobile phones will not be replaced due to the need for a cooling infrastructure for the atoms. 

Referring to Google’s announcement about its creation of a quantum computer, Kaku noted it was “premature” as while the computer was workable, it did not have any practical application for the consumer and it was compared with a modern super computer. “IBM said that because of that and not using such a fast super computer, their announcement was not such a big deal.”

However, he praised Google’s efforts, as he said that the tide has shifted, as people are no longer saying that this is a possibility for the future.

He also said that as the industrial age was powered by oil, the fourth and fifth wave will be powered by data. “Data will be the energy source of the future,” he claimed, “but data has to be processed. Oil has to go to refineries, in the same way data has to be raw, then processed. In the future, every aspect of human behavior, every aspect of human endeavor and every aspect of human enterprise will be reduced to data.”

However, this data can be hacked, and needs to be protected by encryption – and this can be broken with advanced quantum computing.

Kaku concluded by saying that all human activity will be digitized as data is wealth, and companies will want that information “and this means that data is vulnerable, and new ways to do encryption have to be devised.”

He also said that the arrival of quantum computing is not an immediate threat, but one for the coming years and decades so it is time to prepare and consider converting now. “Don’t do anything yet, but think about it and study the question” as it may take years for the conversion to take place.

He recommended four things you can do now:

  1. Increase the length of your keys, and you can make it more difficult for a quantum computer to crack things
  2. Consider symmetric, rather than asymmetric encryption, as symmetric gives you an extra layer of encryption
  3. Use increasingly complex trapdoor functions, such as lattice and elliptic curve technologies
  4. Use quantum cryptography, use quantum to fight quantum

Change Is Inevitable: Tripwire File Analyzer

One of the only things that is constant in life is change. It’s the same with cybersecurity. There are different types of changes to consider: changes that we accept, changes that are good, changes that are bad. A lot of changes in our everyday life are out of our control. It can be hard to […]… Read More

The post Change Is Inevitable: Tripwire File Analyzer appeared first on The State of Security.

2019’s biggest month-wise cyberattacks

Estimated reading time: 3 minutes

Enterprise cybersecurity vendor Seqrite has been taking stock of the year just gone with its Annual Threat Report 2020, which covers malware statistics for 2019 in detail. The year saw an array of malicious attacks affecting large businesses and entire countries. Here are some of the most significant cyberattacks of each month in 2019 –

German politicians’ details leaked in mass attack – January

German politicians, including Chancellor Angela Merkel, found themselves at the receiving end of a major cyberattack where private details like contacts and private chats were leaked.

Toyota Australia cyberattack – February

Automotive giant Toyota’s Australian office was driven offline by a cyber attack in February. The website went offline for a period of time before Toyota responded with a statement which confirmed an attack but stated that no private employee or customer data was accessed.

LockerGoga – March

The LockerGoga ransomware was first detected in January when it was used in an attack on Altran Technologies in France. It came into the limelight in March when it was used in an attack on Norwegian aluminium manufacturer Norsk Hydro, forcing some plants to switch to manual operations. Seqrite has done a detailed article on LockerGoga and how the ransomware operates.

Facebook faces another crisis – April

The biggest social media platform by the number of users, Facebook continued to be in the limelight in 2019. In April, it was reported that a total of 540 million records of Facebook users were exposed to the internet in a data breach, reminiscent of the Cambridge Analytica situation.

Canva security breach – May

Popular online graphic design platform Canva had a torrid time in May when data for nearly 139 million users was compromised in a breach by a hacker known as GnosticPlayers. The data included details such as usernames, real names, email addresses and city and country information.

Images of travellers compromised in an attack on US Customs and Border Protection – June

Concerns about government surveillance and the dangers it can cause gained a new dimension in June when a sub-contractor of the US Customs and Border Protection (CBP) agency was hit by a malicious attack in which images of travellers were stolen. The New York Times reported that close to 100,000 people had their information compromised.

Hacker accesses 100 million Capital One credit card applications – July

While the intrusion itself happened in March, American bank Capital One determined on July 10th 2019 that a hacker had gained access to data from approximately 100 million US citizens and 6 million Canadian citizens.

Cybercrime in space – August

Cybercrime crossed the final frontier in August 2019 when NASA astronaut Anne McClain was accused of committing the first cybercrime from space after she accessed the bank account of her estranged partner from the International Space Station.

Facebook…again – September

Facebook just couldn’t stay out of the headlines: the social media giant confirmed that close to 419 million phone numbers were exposed in an open online database that was not password protected.

A cyberattack on an Indian nuclear plant – October

This was a major incident which captured all the headlines in Indian media in October 2019 and Seqrite dedicated a section to it in its Annual Threat Report 2020. The incident raised huge questions on the preparedness of critical security infrastructure against cyberattacks of this extent.

Disney+ credential stuffing attack – November

Disney’s much-hyped new streaming platform Disney+ didn’t get off to the greatest of starts when, just hours after the launch, it was hit by a credential stuffing attack and customers started complaining that they were being locked out of their accounts.

City of New Orleans cyberattack – December

The City of New Orleans in the US suffered a cyberattack that was so serious that the city’s mayor had to declare an emergency. Recently in January 2020, the mayor announced that the attack on its network cost more than seven million dollars and that it would take months to recover.

The post 2019’s biggest month-wise cyberattacks appeared first on Seqrite Blog.

Report: Threat of Emotet and Ryuk

Experts at cyber security firm Cipher conducted a study of Portuguese domains during 2019 and concluded that Emotet and Ryuk were the most active threats.

Emotet, the most widespread malware worldwide and Ryuk, a ransomware type, are growing threats and real concerns for businesses and internet users in 2020. This is the conclusion of a study by Cipher Portugal, which studied Portuguese domains during 2019.

The study also concludes that a total of 377 Portuguese domains were used to spread different types of malware in the same period.

Analyzing the general distribution of the compromised domains, grouped by category, it is possible to verify that the most affected were as follows: professional/companies (20.2%), personal (13.5%), retail (12.7%) and industry (11.9%).

Social media/communication organizations, health care and non-profit organizations were less impacted. The study also found that Emotet was the most widespread malware worldwide and that it has been enhanced with new capabilities, including delivery of the Ryuk ransomware. This enhancement appeared in the middle of September 2019.

Ryuk encrypts all local and shared files on an infected computer, denying the user access until the ransom is paid. The ransomware is difficult to stop and has no known implementation flaws at present.

“We live in an era where we increasingly hear about malware and the impact it has on companies and people. The term malware has been gaining prominence as a result of the wave of malware and phishing campaigns that anyone is subject to”, says Cipher. “Portugal still lacks information about compromised Portuguese domains (.pt) and the kind of malware used to perform these attacks. This report aims to show how the .pt domains were used in malware campaigns, through the analysis of the first to the third quarter of 2019,” it concludes.

Malware is malicious software intended to wreak havoc and damage on target networks and systems, having the ability to spread on these systems while remaining undetectable, avoiding antivirus detection, causing changes and critical damage to the infected systems or networks.


For additional technical studies, visit Cipher Labs.

Pierluigi Paganini

(SecurityAffairs – malware, hacking)

The post Report: Threat of Emotet and Ryuk appeared first on Security Affairs.

Iran-linked APT34 group is targeting US federal workers

Iran-linked APT34 group has targeted a U.S.-based research company that provides services to businesses and government organizations.

Security experts from Intezer observed targeted attacks on a US-based research company that provides services to businesses and government organizations.

“Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered phishing documents, we believe this Iranian actor is targeting Westat employees, or United States organizations hiring Westat services.” reads the analysis published by Intezer.

The experts believe that the attack was launched by the cyber-espionage group APT34 (aka OilRig or Helix Kitten). APT34 is an Iran-linked APT group that has been active since at least 2014; it has mainly targeted organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The recent campaign appears similar to the one observed by FireEye in July 2019, when the hackers posed as a researcher from Cambridge to infect victims with three new malware families.

According to Intezer, the attackers used a phishing document masquerading as an employee satisfaction survey for employees at the US government contractor Westat.

The survey was distributed via email as an Excel spreadsheet. Once the macros inside it were enabled, the malicious code downloaded and installed the TONEDEAF backdoor and the VALUEVAULT password stealer.

“The embedded VBA code unpacks a zip file into a temporary folder, extracts a “Client update.exe” executable file and installs it to “C:\Users\<User>\vals\Client update.exe”.” continues the analysis.

“‘Client update.exe’ is actually a highly modified version of the TONEDEAF malware, which we named TONEDEAF 2.0. Finally, the crtt function creates a scheduled task ‘CheckUpdate’ that runs the unpacked executable five minutes after being infected by it, as well as on future log-ons.”
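The drop path and scheduled-task name quoted above are the kind of artefacts a defender can sweep a fleet for. The following added example, written for this page and not code from Intezer, scores rows of a `schtasks /query /v /fo CSV` export for traits the analysis describes: a task named CheckUpdate, a binary executing from under C:\Users, an unquoted executable path containing spaces, and a logon trigger created by the same account the task runs as. The CSV rows, host and user names are constructed and trimmed to five columns; the allowlist of profile subdirectories is an assumption about what this fleet normally runs.

```python
"""Hunt a scheduled-task export for persistence resembling the TONEDEAF 2.0 task."""
from __future__ import annotations

import csv
import io
import re

# Constructed sample, trimmed to five of the columns that `schtasks /query /v /fo CSV` emits.
# Row 2 mirrors the behaviour described above (task "CheckUpdate", binary under the profile).
SAMPLE_EXPORT = '''"TaskName","Task To Run","Run As User","Schedule Type","Author"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Weekly","Microsoft Corporation"
"\\CheckUpdate","C:\\Users\\jdoe\\vals\\Client update.exe","DESKTOP-1\\jdoe","At logon time","DESKTOP-1\\jdoe"
"\\GoogleUpdateTaskMachineUA","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM","Hourly","Google"
"\\OneDrive Standalone Update Task","C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","DESKTOP-1\\jdoe","Daily","Microsoft"
'''

PROFILE_ROOT = re.compile(r"^([a-z]:\\users\\[^\\]+\\)", re.IGNORECASE)
KNOWN_TASK_NAMES = {"checkupdate"}   # task name reported in the Intezer analysis
# Legitimate updaters also run from the profile; allowlist the subdirectories this
# (constructed) fleet expects, relative to the profile root.
ALLOWED_PROFILE_SUBDIRS = ("appdata\\local\\microsoft\\onedrive\\",)


def executable_path(command: str) -> str:
    """Extract the executable from a 'Task To Run' value: a quoted path is taken whole,
    an unquoted one ends at the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command


def score_task(row: dict) -> tuple[int, list[str]]:
    """Return a count of suspicious traits and the reasons behind them."""
    reasons = []
    name = row["TaskName"].strip("\\").lower()
    raw = row["Task To Run"].strip()
    path = executable_path(raw)
    low = path.lower()
    if name in KNOWN_TASK_NAMES:
        reasons.append("task name matches reported indicator")
    root = PROFILE_ROOT.match(low)
    if root and not any(low.startswith(root.group(1) + sub) for sub in ALLOWED_PROFILE_SUBDIRS):
        reasons.append("binary runs from a user profile directory")
    if " " in path and not raw.startswith('"'):
        reasons.append("unquoted executable path containing spaces")
    if row["Schedule Type"].lower().startswith("at logon") and row["Run As User"] == row["Author"]:
        reasons.append("logon-triggered task authored by the account it runs as")
    return len(reasons), reasons


def hunt(export_text: str, threshold: int = 2) -> list[dict]:
    """Parse the CSV export and return tasks scoring at or above `threshold`."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        score, reasons = score_task(row)
        if score >= threshold:
            findings.append({"task": row["TaskName"], "path": executable_path(row["Task To Run"]),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EXPORT):
        print(f"{f['task']} ({f['score']}): {f['path']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run against a real export, a threshold of 2 keeps a single weak signal (a vendor updater with an unquoted path, for example) out of the results while still surfacing a task that matches on name or that combines a profile-directory binary with a logon trigger; the name check alone would miss a renamed task.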

Both malware families used in this campaign (tracked as TONEDEAF 2.0 and VALUEVAULT 2.0) were also employed in the campaign observed in July 2019, but both include major updates developed for this specific attack.

The C2 domain (manygoodnews[.]com) is still active and was created 4 months ago, experts added that a certificate was issued for the website just a month ago, a circumstance that suggests the campaign is still ongoing.

The TONEDEAF backdoor communicates with its C&C via HTTP, but version 2.0 uses a revamped communication protocol. The new variant of the malware only implements shell execution capabilities.

TONEDEAF 2.0 was improved to evade detection and implements dynamic importing, string decoding, and a new technique to deceive its victims into believing it is a legitimate, broken app.

For that HTTP traffic, the experts noticed that TONEDEAF 2.0 uses custom encoding and handshake mechanisms.

The experts believe that attackers also employed VALUEVAULT implant in this campaign, they noticed that a user from Lebanon uploaded to VirusTotal versions of the bait document leading to VALUEVAULT and TONEDEAF 2.0.

“This VALUEVAULT takes a more minimalistic approach than its predecessor. Many functionalities and strings were stripped from the new binary in order to lower its noise. Only Chrome password dumping is now supported, although interestingly the use of the file “fsociety.dat” as a password data store under the “AppData\Roaming” directory stayed the same.” state the experts.

Another piece of evidence collected by the researchers is that the document author’s version of Microsoft Excel has Arabic set as the preferred language.

“The technical analysis of the new malware variants shows the group has been investing substantial effort in upgrading their tools in an attempt to stay undetected after being exposed, and it seems that effort is generally off,” concludes Intezer.

Pierluigi Paganini

(SecurityAffairs – APT34, hacking)

The post Iran-linked APT34 group is targeting US federal workers appeared first on Security Affairs.

New infosec products of the week: January 31, 2020

Swimlane 10.0: Reducing mean time to detect and respond to security incidents The newest release has yielded up to 35X performance improvement in alarm ingestion rates and up to a 60X improvement in search query response and display rates. Both achievements set new benchmarks for SOAR platforms, significantly reducing mean time to detect and respond to security incidents. RiskSense Ransomware Dashboard automatically reveals exposure to specific attacks RiskSense announced a Ransomware Dashboard that automatically reveals … More

The post New infosec products of the week: January 31, 2020 appeared first on Help Net Security.

80% of successful breaches are from zero-day exploits

Organizations are not making progress in reducing their endpoint security risk, especially against new and unknown threats, a Ponemon Institute study reveals. 68% of IT security professionals say their company experienced one or more endpoint attacks that compromised data assets or IT infrastructure in 2019, an increase from 54% of respondents in 2017. Zero-day attacks continue to increase in frequency Of those incidents that were successful, 80% were new or unknown, zero-day attacks. These attacks either … More

The post 80% of successful breaches are from zero-day exploits appeared first on Help Net Security.

Secure 5G networks: EU toolbox of risk mitigating measures

EU Member States have identified risks and vulnerabilities at national level and published a joint EU risk assessment. Through the toolbox, the Member States are committing to move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures. Toolbox measures and supporting actions “Europe has everything it takes to lead the technology race. Be it developing or deploying 5G technology – our industry is already well off the … More

The post Secure 5G networks: EU toolbox of risk mitigating measures appeared first on Help Net Security.

93% of attempted mobile transactions in 2019 were fraudulent

93 percent of total mobile transactions in 20 countries were blocked as fraudulent in 2019 according to a report on the state of malware and mobile ad fraud released by Upstream. The number of malicious apps discovered in 2019 rose to 98,000, up from 63K in 2018. These 98,000 malicious apps had infected 43 million Android devices. Android is the most vulnerable OS With Android devices now accounting for an estimated 75-85% of all smartphone … More

The post 93% of attempted mobile transactions in 2019 were fraudulent appeared first on Help Net Security.

Researchers develop new optical stealth encryption technology

The first all optical stealth encryption technology that will be significantly more secure and private for highly sensitive cloud-computing and data center network transmission, has been introduced by BGN Technologies. Time is running out on security and privacy “Today, information is still encrypted using digital techniques, although most data is transmitted over distance using light spectrum on fiber optic networks,” says Prof. Dan Sadot, Director of the Optical Communications Research Laboratory, who heads the team … More

The post Researchers develop new optical stealth encryption technology appeared first on Help Net Security.

Kanguru Remote Management Console: Managing and monitoring encrypted USB devices

Managing sensitive data in today’s environment can be a daunting task for IT Security Administrators and organizations. Kanguru Remote Management Console (KRMC) offers a robust solution for IT Security Admins looking to meet high-end security demands by allowing administrators to easily manage and monitor their encrypted USB devices containing sensitive data around the world. Organizations from diverse industries have trusted Kanguru’s secure solutions for over 25 years. KRMC is ideal for protecting data, enabling administrators … More

The post Kanguru Remote Management Console: Managing and monitoring encrypted USB devices appeared first on Help Net Security.

Slice Labs’ new services help insurers protect carriers, businesses, and consumers from risk

Slice Labs, the first on-demand insurance platform, announced four new AI-powered Slice Mind services enabling insurers to more proactively and intelligently protect carriers, businesses, and consumers from risk. Industry prediction It represents the first commercialized approach in the insurance industry using data driven technology to enable insurers to classify client business activity that serves as the foundation for evaluating potential risk. The business context service provides classification based on a website, keywords, or a single … More

The post Slice Labs’ new services help insurers protect carriers, businesses, and consumers from risk appeared first on Help Net Security.

myDevices’ new panic button technology eliminates the dead zone problem

In 2018, the American Hotel & Lodging Association (AHLA) announced a new workplace safety initiative designed to provide emergency communications and location-based services for employees in the hospitality industry. Backed by major hotels – including Marriott International, InterContinental, Hilton, and Hyatt – the 5-Star Promise has committed to providing panic buttons to hospitality workers across the United States. Unfortunately, while 4G LTE signals from all carriers freely propagate in open areas, inside buildings, it’s severely … More

The post myDevices’ new panic button technology eliminates the dead zone problem appeared first on Help Net Security.

Semtech releases LoRa-based Asset Tracking Reference Kit

Semtech, a leading supplier of high performance analog and mixed-signal semiconductors and advanced algorithms, announced the release of its Asset Tracking Reference Kit to accelerate the adoption of asset tracking solutions based on LoRa devices and the LoRaWAN protocol, and facilitate the confirmation of the business value of such solutions. According to IHS Markit LPWAN market report 2019, worldwide connections in asset management have grown from 15 million in 2017 to more than 50 million … More

The post Semtech releases LoRa-based Asset Tracking Reference Kit appeared first on Help Net Security.

Concentric launches with a deep learning approach to fixing broken file permissions

Concentric announced the availability of a new approach to the most significant security challenge facing the enterprise today – business-critical unstructured data, stored on-premises or in the cloud, that is impossible to identify and protect manually. Enterprise customers using Concentric have already found millions of unprotected or inappropriately shared documents accessible by thousands of employees, which could have led to data breaches and costly fines. To combat this significant threat, Concentric is the first company … More

The post Concentric launches with a deep learning approach to fixing broken file permissions appeared first on Help Net Security.

Univa Navops Launch 2.0 helps enterprises easily extend HPC workloads to the cloud

Univa, a leading innovator of enterprise-grade workload management and optimization solutions, announced the general availability of Navops Launch 2.0, its flagship cloud-automation platform, designed to help enterprises simplify the migration of HPC and AI workloads to their choice of cloud. The GA release helps enterprises easily extend HPC workloads to the cloud, boosting efficiency and productivity, and dramatically improving cloud ROI while reducing cloud-related spending by 30-40 percent. Navops Launch 2.0 achieves these substantial efficiency … More

The post Univa Navops Launch 2.0 helps enterprises easily extend HPC workloads to the cloud appeared first on Help Net Security.

Fusion Risk Management unveils Fusion Connector for Everbridge Risk Intelligence

Fusion Risk Management, a leading provider of business continuity and risk management software and services, announced the launch of its Fusion Connector for Everbridge Risk Intelligence – powered by NC4, further extending its long-time partnership with Everbridge, the global leader in critical event management. The Connector provides a managed integration between Fusion’s risk management, business resilience, and crisis management SaaS solution and Everbridge’s Risk Intelligence Monitoring Center (RIMC), formerly NC4. The result for enterprise crisis … More

The post Fusion Risk Management unveils Fusion Connector for Everbridge Risk Intelligence appeared first on Help Net Security.

ThreatStack partners with Tevora to streamline cloud security and compliance initiatives

Threat Stack, the leader in cloud security and compliance for infrastructure and applications, announced a partnership with Tevora, a specialized management consultancy focused on cybersecurity, risk, and compliance services. Together Threat Stack and Tevora will help customers seamlessly migrate and scale in the cloud without increasing risk or sacrificing compliance. Tevora works closely with Chief Information Security Officers (CISOs) across industries to help them secure their organizations’ digital assets and equip them with the information, … More

The post ThreatStack partners with Tevora to streamline cloud security and compliance initiatives appeared first on Help Net Security.

ServiceNow acquires Passage AI to advance deep learning AI capabilities

ServiceNow, the company making work, work better for people, announced it has signed an agreement to acquire Passage AI, a Mountain View, Calif.-based conversational AI platform company. The transaction will advance ServiceNow’s deep learning AI capabilities and will accelerate its vision of supporting all major languages across the company’s Now Platform and products, including ServiceNow Virtual Agent, Service Portal, Workspaces and emerging interfaces. “Work flows more smoothly when people can get things done in their … More

The post ServiceNow acquires Passage AI to advance deep learning AI capabilities appeared first on Help Net Security.

Omnitracs to further support the work of Truckers Against Trafficking

Omnitracs, the global pioneer of fleet management solutions to transportation and logistics companies, announced an event dedicated to supporting the mission of Truckers Against Trafficking (TAT), a non-profit organization that educates, equips and empowers truck drivers to recognize and report instances of human trafficking. Created by Advocates for Women in Technology (AWT), the Omnitracs women’s employee resource community, and in partnership with TAT, the goal of Human Trafficking Awareness Day is to raise awareness in … More

The post Omnitracs to further support the work of Truckers Against Trafficking appeared first on Help Net Security.

Arceo appoints Mike Convertino as CSO

Mike Convertino, the former CISO of Twitter, Crowdstrike and F5 Networks as well as CTO of the Security Product Group at F5, has joined Arceo as Chief Security Officer and he is on a mission. Mike, and a growing tribe of CISOs from major enterprises, have begun a self-styled “CISO Revolution” not only to change how CISOs themselves are treated, but also fundamentally to alter the way companies perceive and support cyber security. Collectively, the … More

The post Arceo appoints Mike Convertino as CSO appeared first on Help Net Security.

O’Reilly and Formulatedby announce new conference about smart cities and mobility industries

O’Reilly, the premier source for insight-driven learning on technology and business, and Formulatedby announced a new conference focused on how machine learning is transforming the future of urban communities and mobility industries around the world. Rapid technological advancements are challenging cities and the mobility industry with new business models, methodologies in development and manufacturing, unprecedented levels of automation, and the need for new infrastructure. From predictive analytics to policy, the Smart Cities & Mobility Ecosystems … More

The post O’Reilly and Formulatedby announce new conference about smart cities and mobility industries appeared first on Help Net Security.

Daniel Kollberg joins SentinelOne as VP of EMEA

SentinelOne, the autonomous endpoint protection company, announced the appointment of Daniel Kollberg as Vice President EMEA. The appointment supports SentinelOne’s record growth across the globe on the journey of becoming the next great cybersecurity company, through helping organizations use AI to defend against every attack at every stage. Over the last six months, SentinelOne has more than tripled its EMEA business fueled by enterprise wins in Southern Europe, the United Kingdom, and the Middle East. … More

The post Daniel Kollberg joins SentinelOne as VP of EMEA appeared first on Help Net Security.

Interior Dept. Grounds Drones Over Cybersecurity Concerns

Department Says Several Concerns Must Be Addressed
The U.S. Department of the Interior this week announced that it has temporarily grounded all drone operations, except for emergencies, citing concerns over national security and cybersecurity. The agency is joining the U.S. Army and Navy in raising concerns about unmanned aircraft made in China.

Solving common enterprise data challenges takes a collaborative approach

According to IDC, we’re only using about 8% of the data that we generate today. So if we’re not going to use our data to help us make better, faster decisions and give us a competitive advantage, why do we have it? That was the key question discussed at a recent CIO Roundtable hosted by…

Check Point detailed two flaws in Microsoft Azure that could have allowed taking over cloud servers

Check Point detailed two recently patched vulnerabilities in Microsoft Azure services that could have allowed hackers to take over cloud services.

Azure App Service allows users to build and host multi-platform web apps, mobile back ends, and RESTful APIs in the programming language of their choice, without managing infrastructure. It enables automated deployments from GitHub, Azure DevOps, or any Git repo.

The first flaw, tracked as CVE-2019-1234, is a request spoofing issue that affects the Microsoft Azure Stack cloud computing software solution.

“A spoofing vulnerability exists when Azure Stack fails to validate certain requests. An attacker who successfully exploited the vulnerability could make requests to internal Azure Stack resources.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by sending a specially crafted request to the Azure Stack user portal.”

A remote attacker could exploit the flaw to access screenshots and sensitive information of any virtual machine running on Azure infrastructure, even on isolated virtual machines.

Experts explained that the Service Fabric Explorer is a web tool pre-installed in the machine that takes the role of the RP and Infrastructure Control Layer (AzS-XRP01). It allows viewing the internal services which are built as Service Fabric Applications (located in the RP Layer). Trying to access the URLs of the services from the Service Fabric Explorer, experts discovered that some of them don’t require authentication.

The vulnerability is exploitable through Microsoft Azure Stack Portal.

The experts demonstrated that using the API they were able to get the virtual machine name and ID, hardware information, and other info, and then use them with another unauthenticated HTTP request to grab screenshots.

“The GetStringAsync function sends an HTTP GET request to the templateUri and returns the data as JSON. There is no validation on whether the host is internal or external (and it supports IPv6). Therefore, this method is a perfect candidate for SSRF. Although this allows only GET requests, as we’ve seen above, it’s sufficient for accessing the DataService.” reads the advisory published by CheckPoint.

“So let’s use an example. We want to get a screenshot from a machine whose ID is f6789665-5e37-45b8-96d9-7d7d55b59be6  with the 800×600 dimensions:”

Azure Cloud Infrastructure flaw 1
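The SSRF described above comes down to a fetcher that follows whatever host the caller names in the template URI. The following is an added example written for this page, not Check Point’s or Microsoft’s code, of the target check such a fetcher needs before issuing the GET: it restricts the scheme, extracts the host (including the userinfo@ and bracketed-IPv6 forms), and refuses loopback, RFC 1918, link-local (where cloud metadata services live), CGNAT, IPv6 ULA/link-local and IPv4-mapped IPv6 literals. The URI layout and the function names are assumptions. It deliberately does not resolve hostnames; a real guard must also do that, reject internal answers, and pin the resolved address for the actual connection so a rebinding DNS record cannot change the target between check and use.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Added example (hypothetical helper names); not the Azure Stack code. */

static int has_prefix_ci(const char *s, const char *pfx)
{
    for (; *pfx; s++, pfx++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pfx)) return 0;
    return 1;
}

static int ipv4_is_internal(const unsigned char b[4])
{
    return b[0] == 0                                 /* 0.0.0.0/8 */
        || b[0] == 10                                /* 10.0.0.0/8 */
        || b[0] == 127                               /* loopback */
        || (b[0] == 100 && (b[1] & 0xc0) == 64)      /* 100.64.0.0/10 (CGNAT) */
        || (b[0] == 169 && b[1] == 254)              /* link-local, incl. 169.254.169.254 */
        || (b[0] == 172 && (b[1] & 0xf0) == 16)      /* 172.16.0.0/12 */
        || (b[0] == 192 && b[1] == 168);             /* 192.168.0.0/16 */
}

/* 1 = internal IP literal, 0 = public IP literal, -1 = not an IP literal. */
int ip_literal_is_internal(const char *host)
{
    unsigned char v4[4], v6[16];
    static const unsigned char v4mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    static const unsigned char zero[15] = {0};

    if (inet_pton(AF_INET, host, v4) == 1) return ipv4_is_internal(v4);
    if (inet_pton(AF_INET6, host, v6) != 1) return -1;
    if (memcmp(v6, v4mapped, 12) == 0) return ipv4_is_internal(v6 + 12); /* ::ffff:a.b.c.d */
    if (memcmp(v6, zero, 15) == 0 && v6[15] <= 1) return 1;             /* :: and ::1 */
    if (v6[0] == 0xfe && (v6[1] & 0xc0) == 0x80) return 1;              /* fe80::/10 */
    if ((v6[0] & 0xfe) == 0xfc) return 1;                               /* fc00::/7 ULA */
    return 0;
}

/* Copy the host out of scheme://[userinfo@]host[:port]/... ; 0 on malformed input. */
int extract_host(const char *uri, char *out, size_t outlen)
{
    const char *p = strstr(uri, "://");
    if (!p) return 0;
    const char *auth = p + 3;
    size_t alen = strcspn(auth, "/?#");
    const char *at = memchr(auth, '@', alen);      /* http://trusted.com@10.0.0.5/ */
    if (at) { alen -= (size_t)(at + 1 - auth); auth = at + 1; }
    const char *h = auth;
    size_t hlen;
    if (alen > 0 && auth[0] == '[') {              /* [v6-literal]:port */
        const char *close = memchr(auth, ']', alen);
        if (!close) return 0;
        h = auth + 1;
        hlen = (size_t)(close - h);
    } else {
        const char *colon = memchr(auth, ':', alen);
        hlen = colon ? (size_t)(colon - auth) : alen;
    }
    if (hlen == 0 || hlen >= outlen) return 0;
    memcpy(out, h, hlen);
    out[hlen] = '\0';
    return 1;
}

/* Hardened replacement for "GET whatever templateUri says".
 * 1 = may be fetched after the caller resolves and re-checks the host, 0 = refuse. */
int uri_target_allowed(const char *uri)
{
    char host[256];
    if (!has_prefix_ci(uri, "http://") && !has_prefix_ci(uri, "https://"))
        return 0;                                  /* no file:, gopher:, ... */
    if (!extract_host(uri, host, sizeof host))
        return 0;
    int lit = ip_literal_is_internal(host);
    if (lit == 1) return 0;
    if (lit == -1 && has_prefix_ci(host, "localhost") && strlen(host) == 9) return 0;
    return 1;                                      /* still resolve + pin before connecting */
}
```

The userinfo and bracket handling matter as much as the address ranges: a filter that only looks at the text before the first ':' or '/' will read `trusted.com` out of `http://trusted.com@10.0.0.5/` and wave the request through.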

The second vulnerability, tracked as CVE-2019-1372, is a remote code execution flaw that affected the Azure App Service on Azure Stack. The vulnerability could be exploited to take complete control over the entire Azure server and consequently take control over an enterprises’ business code.

“A remote code execution vulnerability exists when Azure Stack fails to check the length of a buffer prior to copying memory to it.” reads the advisory published by Microsoft.

“An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.”

The flaw resides in DWASSVC, the service responsible for managing and running tenants’ apps and IIS worker processes.

The experts found that Azure Stack did not check the length of a buffer before copying memory into it, so an attacker could have exploited the issue by sending a specially crafted message to the DWASSVC service whose copy exceeded the allocated buffer. This would have allowed the attacker to execute malicious code on the server with the highest privilege, NT AUTHORITY\SYSTEM.

“The workerItemSize is calculated to 108 and the workerItem->dataLength is 0. In this case, the allocation with the size 0 succeeds and then a memcpy is performed on the allocated area with the size of 108, resulting in a heap based overflow with controlled content and size!” reads the analysis published by Check Point.

“So how can an attacker send a message to DWASSVC (DWASInterop.dll)? By design, when running the C# Azure function, it runs in the context of the worker (w3wp.exe). This gives an attacker the possibility to enumerate the currently opened handles. That way, he can find the already opened named pipe handle and send a specially crafted message.” continues the analysis.
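To make the bug shape concrete, here is an added example, not the DWASSVC code (the write-up does not reproduce the real message format or the real size computation, so the header struct and worker_item_size below are stand-ins), showing the vulnerable pattern next to the check that closes it. The allocation is sized from the message’s dataLength while the copy is sized from a separately computed workerItemSize, so a dataLength of 0 yields a malloc(0) that succeeds, followed by a 108-byte memcpy into it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; hypothetical layout, not the DWASSVC named-pipe format. */
struct worker_item_hdr {
    uint32_t dataLength;   /* sender-controlled: bytes the sender claims follow the header */
    uint32_t flags;        /* stand-in for the other fields a real item carries */
};

#define WORKER_ITEM_FIXED 108u   /* the 108 bytes from the write-up */

/* Stand-in for the service's own size computation, which yielded 108 in the
 * write-up; the point is that it is NOT derived from dataLength. */
size_t worker_item_size(const struct worker_item_hdr *h)
{
    (void)h;
    return WORKER_ITEM_FIXED;
}

/* Build a header plus payloadlen filler bytes; returns 0 if buf is too small. */
size_t build_message(uint8_t *buf, size_t buflen, uint32_t dataLength, size_t payloadlen)
{
    struct worker_item_hdr h = { dataLength, 0 };
    if (buflen < sizeof h + payloadlen) return 0;
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 'A', payloadlen);
    return sizeof h + payloadlen;
}

/* Vulnerable shape: allocate dataLength bytes, copy workerItemSize bytes. */
void *parse_worker_item_vulnerable(const uint8_t *msg, size_t msglen)
{
    struct worker_item_hdr h;
    if (msglen < sizeof h) return NULL;
    memcpy(&h, msg, sizeof h);
    size_t workerItemSize = worker_item_size(&h);
    uint8_t *item = malloc(h.dataLength);          /* dataLength == 0: malloc(0) still succeeds on glibc */
    if (item == NULL) return NULL;
    memcpy(item, msg + sizeof h, workerItemSize);  /* 108 bytes into a 0-byte chunk: heap overflow */
    return item;
}

/* Hardened: the copy must fit both the allocation and the bytes actually received. */
void *parse_worker_item_checked(const uint8_t *msg, size_t msglen, size_t *outlen)
{
    struct worker_item_hdr h;
    if (msglen < sizeof h) return NULL;
    memcpy(&h, msg, sizeof h);
    size_t workerItemSize = worker_item_size(&h);
    if (workerItemSize > h.dataLength) return NULL;        /* the missing check */
    if (h.dataLength > msglen - sizeof h) return NULL;     /* claimed length beyond the message */
    uint8_t *item = malloc(h.dataLength);
    if (item == NULL) return NULL;
    memcpy(item, msg + sizeof h, workerItemSize);
    *outlen = workerItemSize;
    return item;
}

/* Scenario helper: 1 if the checked parser accepts a message with these sizes. */
int checked_parser_accepts(uint32_t dataLength, size_t payloadlen)
{
    uint8_t buf[512];
    size_t n = build_message(buf, sizeof buf, dataLength, payloadlen);
    size_t outlen = 0;
    void *item = n ? parse_worker_item_checked(buf, n, &outlen) : NULL;
    int ok = item != NULL && outlen == WORKER_ITEM_FIXED;
    free(item);
    return ok;
}

int main(void)
{
    printf("dataLength=0,   108 payload bytes: accepted=%d\n", checked_parser_accepts(0, 108));
    printf("dataLength=108, 108 payload bytes: accepted=%d\n", checked_parser_accepts(108, 108));
    printf("dataLength=200, 108 payload bytes: accepted=%d\n", checked_parser_accepts(200, 108));
    return 0;
}
```

The vulnerable routine is kept only for comparison; do not feed it the dataLength-0 message, as that is the overflow. Note that the second check matters too: trusting dataLength for the allocation without comparing it to the bytes actually received turns the bug into an out-of-bounds read.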

In practice, an attacker could create a free user account on Azure and run malicious functions on it (for CVE-2019-1372), or send unauthenticated HTTP requests to the Azure Stack user portal (for CVE-2019-1234).

Both flaws were reported by the Check Point researcher Ronen Shustin last year, and Microsoft awarded the expert with 40,000 USD under its Azure bug bounty program.

Pierluigi Paganini

(SecurityAffairs – Azure, hacking)

The post Check Point detailed two flaws in Microsoft Azure that could have allowed taking over cloud servers appeared first on Security Affairs.

Bezos, WhatsApp Cyberattacks Show Growing Mobile Sophistication

The recently disclosed Jeff Bezos phone hack and other incidents show that mobile devices are being increasingly targeted by sophisticated nation-state attackers.

Cisco Patches Two High-Severity Bugs in its Small Business Switch Lineup

Vulnerabilities allow unauthenticated remote attackers to access sensitive device information and launch denial of service attacks.

Avast Announces Termination of Data Collection Subsidiary

Avast will phase out Jumpshot, a subsidiary that sells user browsing data gleaned from its antivirus and security products. 

“I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect,” Avast CEO Ondrej Vlcek announced in a blog, going on to say “that the data collection business is not in line with our privacy priorities in a company in 2020 and beyond.”

Avast’s sudden about-face regarding the sale of user data came just days after a joint exposé published by Motherboard and PCMag that revealed the depth and scope of its user data tracking. The article resulted in a torrent of negative publicity for the company, especially for its promise to deliver data on “every search. Every click. Every buy. On every site.” to companies such as Pepsi, Google, Microsoft, Yelp, Condé Nast, and Home Depot.

The controversy surrounding Avast’s business practices drew the ire of U.S. Senators Bernie Sanders, Mark Warner, and Ron Wyden.

“No reasonable person would expect antivirus software to be selling off their private browsing data to the highest bidder,” said a spokesperson for Sanders. 

The post Avast Announces Termination of Data Collection Subsidiary appeared first on Adam Levin.

Changing the Monolith—Part 3: What’s your process?

In my 25-year journey, I have led security and privacy programs for corporations and provided professional advisory services for organizations of all types. Often, I encounter teams frantically running around in their own silos, trying to connect the dots and yet unsure if those are the right dots. Connecting the dots becomes exponentially difficult in an environment where everyone is trying to achieve a different goal.

Here are a few tips to create teams unified around a common mission:

1. Define the mission and implement it like any other business plan

First, you must know what you are trying to achieve. Are you protecting trade secrets? Limiting reputation damage? Reducing the chance of unauthorized access to sensitive data? Complying with all local, regional, and national data protection laws? Trying to keep employees safe? Keep patients, passengers, customers, and business partners safe? Is the answer “All the above?” Define an order of risk magnitude.

Focus on what success looks like, identify quick wins, and get the opinions of executive leadership. What do they view as success? Don’t settle for unrealistic answers such as “We want 100 percent security.” Explain what is realistic and offer your approach as a business plan.

2. Define success—be able to articulate what it is and how it can be measured

When you start any endeavor, how do you determine when it is finished? While information security has a lifecycle that never ends, certain foundations must be established to foster a culture of security and privacy. Success could look like reducing risk to trade secrets, reducing the impact of third-party risk, or protecting an organization’s reputation.

However success is defined for your mission, it needs to be measurable. If you can’t summarize success during an elevator pitch, a monthly CEO report, or a board presentation, you haven’t defined it appropriately.

3. Leverage a methodology and make it part of the game plan

Think of the methodology as a game plan. There aren’t enough people, not enough time, and a finite amount of money. Attempting to do everything all at once is a fool’s errand. The moment you know what you’re trying to achieve, it allows you to create a plan of attack. The plan should follow a proven set of steps that move in the right direction.

A popular methodology right now is the Zero Trust model, which has been waiting in the wings for its big debut for over a decade. Zero Trust has made it to the spotlight largely because the conventional perimeter has been deemed a myth. So, what is your approach to achieving security, compliance, and privacy once you have chosen a methodology?

4. Market the plan

One of the main hurdles I constantly witness is that the larger the organization, the more isolated the business units—especially in IT. In many cases, cybersecurity leadership does not engage in regular communication within factions of IT. To name a few, there are application development, user support, database teams, infrastructure, and cloud teams. And almost always outside their purview resides HR, Legal, Finance, Procurement, Corporate Communications, and Physical Security departments.

In a previous role, I found success by borrowing employees from some of these other departments. Not only to help build political capital for the cybersecurity team, but to land the security awareness message with the populace and connect with the aforementioned units within IT and business leadership. To do the same, start by building a plan and define your message. Repeat the message often enough so it’s recognized, and people are energized to help drive the mission forward.

5. Teamwork in the form of governance

Once “inter-IT” and business relationships are established, governance can commence—that ultimately means creating process and policy. Involve as many stakeholders as possible and document everything you can. Make everyone aware of their role in the mission and hold them accountable.

Take for example a mobile device policy. Whose input should be solicited? At a minimum, you should involve HR, Legal, Finance, the CIO, and the user community. What do they want and need? When everyone agrees and all requirements are negotiated, it’s amazing how quickly a policy is ratified and becomes official.

Cybersecurity, privacy, compliance, and risk management should be managed like any other business; and any business values process. Without process, product doesn’t get manufactured or shipped, patients don’t heal, and the supply chain grinds to a halt. Without process, there can be no consensus on how to protect the organization.

Stay tuned

Stay tuned for the next installment of my series, Changing the Monolith: People, Process, and Technology. In the meantime, check out the first two posts in the series, on people:

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the Monolith—Part 3: What’s your process? appeared first on Microsoft Security.

Say hello to OpenSK: a fully open-source security key implementation

Today, FIDO security keys are reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is trusted by a growing number of websites, including Google, social networks, cloud providers, and many others. To help advance and improve access to FIDO authenticator implementations, we are excited, following other open-source projects like Solo and Somu, to announce the release of OpenSK, an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

Photo of OpenSK developer edition: a Nordic Dongle running the OpenSK firmware on DIY case

By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.

With this early release of OpenSK, you can make your own developer key by flashing the OpenSK firmware on a Nordic chip dongle. In addition to being affordable, we chose Nordic as initial reference hardware because it supports all major transport protocols mentioned by FIDO2 (NFC, Bluetooth Low Energy, and USB) and has a dedicated hardware crypto core. To protect and carry your key, we are also providing a custom, 3D-printable case that works on a variety of printers.

“We’re excited to collaborate with Google and the open source community on the new OpenSK research platform,” said Kjetil Holstad, Director of Product Management at Nordic Semiconductor. “We hope that our industry leading nRF52840’s native support for secure cryptographic acceleration combined with new features and testing in OpenSK will help the industry gain mainstream adoption of security keys.”

While you can make your own fully functional FIDO authenticator today, as showcased in the video above, this release should be considered as an experimental research project to be used for testing and research purposes.

Under the hood, OpenSK is written in Rust and runs on TockOS to provide better isolation and cleaner OS abstractions in support of security. Rust’s strong memory safety and zero-cost abstractions make the code less vulnerable to memory-corruption attacks. TockOS, with its sandboxed architecture, offers the isolation between the security key applet, the drivers, and the kernel that is needed to build defense in depth. Our TockOS contributions, including our flash-friendly storage system and patches, have all been upstreamed to the TockOS repository. We’ve done this to encourage everyone to build upon the work.

How to get involved and contribute to OpenSK 

To learn more about OpenSK and how to experiment with making your own security key, you can check out our GitHub repository today. With the help of the research and developer communities, we hope OpenSK over time will bring innovative features, stronger embedded crypto, and encourage widespread adoption of trusted phishing-resistant tokens and a passwordless web.


We also want to thank our OpenSK collaborators: Adam Langley, Alexei Czeskis, Arnar Birgisson, Borbala Benko, Christiaan Brand, Dirk Balfanz, Dominic Rizzo, Fabian Kaczmarczyck, Guillaume Endignoux, Jeff Hodges, Julien Cretin, Mark Risher, Oxana Comanescu, Tadek Pietraszek

Fake Exec Tricks New York City Medical Center into Sharing Patient Info

An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility's executives. 

The data was shared by an individual at community-based non-profit the VillageCare Rehabilitation and Nursing Center (VCRN) who had received what they believed to be a genuine email from a senior member of staff. 

VCRN was notified on or about Monday, December 30, that the deception had taken place.

In a Notice of Data Privacy Incident statement published on VCRN's website, the company stated: "The unauthorized actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information."

Information obtained by the threat actor included first and last names, dates of birth, and medical insurance information, including provider name and ID number for 674 patients. 

VCRN said: "Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event."

The medical center said that they weren't aware of any personal patient information having been misused as a result of this event.

Becoming a victim of a phishing scam has led VCRN to review its cybersecurity practices.

The center said: "We take this incident and security of personal information in our care seriously. We moved quickly to investigate and respond to this incident, assess the security of relevant VCRN systems, and notify potentially affected individuals. This response included reviewing and enhancing our existing policies and procedures."

VCRN has taken steps to notify all the patients who have potentially been impacted by the cyber-attack. A toll-free dedicated assistance phone line has been established for patients who wish to discuss any concerns they may have as a result of the incident. 

The data breach has been reported to law enforcement and to the relevant regulatory authorities. 

VCRN advised patients "to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution."  

What Our Data Reveals About Security Debt

It’s a habit we learn from an early age: keeping track of loans and credit card bills reduces overall debt and makes it easier to pay it down quickly, avoiding those pesky spikes in interest. That very same practice applies to software security testing. Software is tested, vulnerabilities are revealed, and unaddressed vulnerabilities build up over time; the interest takes the form of extra work, which compounds into security debt that is increasingly difficult to reduce the longer you wait.

Often, the solution is reprioritizing flaws and improving fix rates to reduce liability over time. In our 10th annual State of Software Security (SOSS X) report, we discuss how some of our findings from over 85,000 application scans correlate with mounting security debt, and why you should pay attention.

Debt dwindles with frequent scanning

Just as making consistent payments on your credit card reduces debt over time, a frequent scanning cadence can lower the amount of debt your organization carries. When surveying the findings in our SOSS X report, we saw that frequent scanners (300+ scans) have 5x less debt than infrequent scanners, and they see a 3x reduction in median time to remediation (MedianTTR), the time it takes to fix flaws.

Scanning Cadence

Misaligned remediation priorities add to interest

In SOSS X, we talk about how some developers operate on LIFO (Last In, First Out) or FIFO (First In, First Out) methods for fixing flaws. Standard remediation procedures are not one size fits all; what works for your organization may not work for another. But the data we studied shows the likelihood of a flaw being fixed in the first month is only about 22 percent. That number drops to 10 percent for the second month and to 3 to 5 percent as time goes on.

Remediation Time

It’s clear from this data that developers are prioritizing the most recently found flaws above all else. The problem with this process is that it doesn’t take into account what is actually increasing risk: an older Cross-Site Scripting vulnerability is just as dangerous as a more recently discovered one. The chart also sheds light on the relationship between scanning cadence and security debt. If teams pay the most attention to recently discovered flaws, frequent scanning keeps supplying newer flaws to address while the older ones sit unfixed. Boosting your scanning cadence and sitting down as a team to decide how you prioritize flaws can help set you on the right path.

Some industries are more prone to debt than others

Security debt doesn???t discriminate. It shows up in every industry, though some are more likely to accrue debt than others depending on how they prioritize fixes over time, as previously discussed. Data from SOSS X shows us that the Manufacturing and Government/Education industries carry more debt on average than other prominent industries.

Security Debt by Industry

What’s most important to note, though, are the trends over time. For example, we can see that around month four, organizations in Government and Education have an uptick in average fix rates. Retail carries little debt overall, and retail companies tend to remediate the bulk of their flaws by month six or seven, which keeps their debt down.

Security needs vary (capturing quick payment information versus storing robust patient histories and treatment plans, for example), but data from your specific industry will help you keep a pulse on average fix rates for security debt. You and your team can then review this data on a consistent basis when creating long-term plans for eliminating flaws.

PHP and C++ build up debt the fastest

Your plans for fixing flaws and reducing debt should factor in the languages you’re using. Why? The average security debt for PHP and C++ is huge and tends to grow over time, especially when compared to .NET, Android, Java, and JavaScript.

Language Flaw Debt

Issues with these two languages are the result of simplicity and age: PHP is approachable for beginners and thus prone to insecure coding, while C++ requires hands-on management of memory and the stack, so memory-safety vulnerabilities are easier to introduce in C++ than in memory-safe languages.

It’s difficult for most teams to change the language they’re using at work, but it’s important to keep in mind which languages easily add to security debt. Carrying this awareness and understanding changes in language trends will help you prepare efficient security processes throughout your career.

Cross-Site Scripting carries the heaviest liability for debt

When we look at the layers of flaw percentage by application age, it’s apparent that Cross-Site Scripting (A7-XSS) carries the largest amount of debt across applications. There’s also a slight rise in percentage as we inch closer to the 7-month mark, which tells us that XSS (among others) is a notable contributor to security debt.

Cross-site Scripting

XSS attacks occur when attacker-supplied script is injected into a web page and runs in the victim’s browser with that page’s privileges, opening the door to unwanted activity such as hijacking an authenticated session or stealing sensitive information. This prominent flaw is not picky when it comes to language, either, with notable findings in .NET, iOS, Java, JavaScript, PHP, and Python. Spanning languages with both prevalence and risk, XSS is one to keep an eye on as you work towards reducing your security debt.

Read the full SOSS X report

Want more info? Check out our SOSS X page for the full report and additional data to absorb as we head into 2020. You can also listen to our podcast series with IDG, in which three of the episodes dig into security debt to drill down on different industries, why security debt grows deeper, and what's behind the buildup of unfixed flaws. 


Will UK’s Huawei Decision Become a 5G Rollout Blueprint?

Chinese Tech Giant Pushes Other Countries for Non-Core Network Access
Will Britain's Huawei decision serve as a blueprint for other nations' 5G infrastructure rollouts? High-risk vendors, including Huawei, won't be allowed anywhere near that nation's most sensitive networks, British officials say. But the risks go beyond the threat of espionage.

Wawa Breach: Hackers Put 30 Million Stolen Payment Card Details for Sale

Remember the recent payment card breach at Wawa convenience stores? If you're among those millions of customers who shopped at any of 850 Wawa stores last year but haven't yet hotlisted your cards, it's high time to take immediate action. That's because hackers have finally put up payment card details of more than 30 million Wawa breach victims on sale at Joker's Stash, one of the largest

Cybersecurity Firm to Create 164 New Jobs in Virginia

Cybersecurity firm Expel Inc. has announced a $1.4m investment to expand its operations in Fairfax County, Virginia. 

The huge injection of cash will be used to increase the size of the company's Herndon headquarters and to create 164 new jobs in the company's engineering, customer experience, IT, marketing, and sales departments over the next three years.

News of the planned expansion was announced by the governor of Virginia, Ralph Northam, on Tuesday. 

“Virginia has emerged as a national leader in cybersecurity and continues to be at the forefront of workforce development in this rapidly-evolving industry, thanks to companies like Expel, Inc.,” said Northam. 

“We are thrilled to support this homegrown Northern Virginia business as they grow and expand and look forward to their ongoing success in Herndon.”

Victor Hoskins, president and CEO of the Fairfax County Economic Development Authority (FCEDA), voiced his support for the scheme.

“The security-focused industry cluster and the talent pool around it make Fairfax County and Northern Virginia a great location for Expel, and I am delighted that my office has had the opportunity to help the company expand its footprint in the Town of Herndon. 

“We appreciate the company's vote of confidence in Herndon and Fairfax County and look forward to its continued growth here.”

The FCEDA and the Town of Herndon worked with the Virginia Economic Development Partnership to secure the project for Virginia and will support the company’s job creation through the Virginia Jobs Investment Program (VJIP). 

Expel's co-founder and CEO Dave Merkel described Fairfax County as a prime location in which to grow the business.

“There's a fantastic pool of tech talent located in Northern Virginia, and we have close proximity to strong education institutions and major tech companies,” said Merkel.

Expel offers round-the-clock cybersecurity monitoring, providing transparent managed security both on-premises and in the cloud. The company was founded by Dave Merkel, Yanek Korff, and Justin Bajko in a barn in Virginia in 2015.

The company currently has 171 employees and 14 strategic partners, including Amazon Web Services, Microsoft Azure, Cisco, CrowdStrike, Palo Alto Networks, and Carbon Black.

Cisco Small Business Switches affected by DoS and information disclosure flaws

Cisco addressed high-severity flaws in Small Business Switches that can be exploited to access sensitive device data and to trigger a DoS condition.

Both issues could be exploited by remote, unauthenticated attackers; they were reported by Ken Pyle of DFDR Consulting.

The first vulnerability, tracked as CVE-2019-15993, is an information disclosure issue that is caused by the lack of proper authentication controls. The vulnerability can be exploited by attackers by sending specially crafted HTTP requests to the user interface of vulnerable Cisco Small business Switches.

“A vulnerability in the web UI of Cisco Small Business Switches could allow an unauthenticated, remote attacker to access sensitive device information.” reads the security advisory published by Cisco. “The vulnerability exists because the software lacks proper authentication controls to information accessible from the web UI. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web UI of an affected device. A successful exploit could allow the attacker to access sensitive device information, which includes configuration files.”

The second vulnerability is a DoS issue tracked as CVE-2020-3147 that is caused by improper validation of requests sent to the web interface. An attacker could exploit the issue by sending to the vulnerable devices specially crafted requests that will force the switches to reload and enter a DoS condition.

“A vulnerability in the web UI of Cisco Small Business Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.” reads the advisory published by Cisco.

“The vulnerability is due to improper validation of requests sent to the web interface. An attacker could exploit this vulnerability by sending a malicious request to the web interface of an affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition.”

Cisco is not aware of any attacks exploiting the vulnerabilities in the wild.

This week Cisco has also addressed a high-severity flaw in the Cisco Webex video conferencing platform (CVE-2020-3142) that could be exploited by a remote, unauthenticated attacker to enter a password-protected video conference meeting.

In order to exploit the CVE-2020-3142 flaw, the attacker only needs to know the meeting ID; entering it in the Webex mobile application for either iOS or Android allows the attacker to join the meeting without supplying the meeting password.

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business Switches, hacking)

The post Cisco Small Business Switches affected by DoS and information disclosure flaws appeared first on Security Affairs.

Cost of Insider Threats Rises 31%

New research released yesterday by the Ponemon Institute reveals a dramatic increase in both the frequency of insider threats and their financial cost to businesses since 2018.  

The report, "2020 Cost of Insider Threats: Global," shows that the average global cost of insider threats rose by 31% in two years to $11.45m, and the frequency of incidents spiked by 47% in the same time period.

To gather data for the study, researchers talked to 964 IT and security practitioners at 204 organizations in North America, Europe, the Middle East, Africa, and Asia-Pacific. All the individuals who contributed worked at a company with a global headcount of 1,000 or more. 

Researchers learned that across all organizations in the past 12 months a total of 4,716 incidents had occurred that had been caused by an insider threat. 

For a more detailed analysis, researchers split the incidents into three different categories of threat: those caused unintentionally by negligent employees or contractors, those perpetrated by credential thieves bent on using insiders' login information to gain unauthorized access to applications and systems, and those instigated by criminal and malicious insiders out to damage an organization from within. 

Of the three profiles, credential thieves caused the most damage per incident, costing organizations an average of $871,000 per incident—three times more per incident than a negligent insider. However, the frequency of credential theft was 25% of all incidents, which limited the average annual cost to $2.79m per year.

Negligent employees or contractors, who were found to have caused 62% of insider threats, created the highest financial burden of the profiles, costing an average of $4.58m per year. 

Malicious criminal insider threats were found to have occurred with the least frequency, making up just 14% of incidents. The financial ramifications of this rarer threat type were still significant, with researchers recording a per-incident cost of $756K and annual losses of $4.08m.

Proving the old adage "a stitch in time saves nine," researchers found that the longer an insider threat lingers the costlier it is to rectify. Incidents that took more than 90 days to contain cost organizations $13.71m on an annualized basis, while incidents that lasted less than 30 days cost roughly half, at $7.12m.

The study was sponsored by ObserveIT, a Proofpoint company, and IBM.

Collating Hacked Data Sets

Two Harvard undergraduates completed a project where they went out on the Dark Web and found a bunch of stolen datasets. Then they correlated all the information, and then combined it with additional, publicly available information. No surprise: the result was much more detailed and personal.

"What we were able to do is alarming because we can now find vulnerabilities in people's online presence very quickly," Metropolitansky said. "For instance, if I can aggregate all the leaked credentials associated with you in one place, then I can see the passwords and usernames that you use over and over again."

Of the 96,000 passwords contained in the dataset the students used, only 26,000 were unique.

"We also showed that a cyber criminal doesn't have to have a specific victim in mind. They can now search for victims who meet a certain set of criteria," Metropolitansky said.

For example, in less than 10 seconds she produced a dataset with more than 1,000 people who have high net worth, are married, have children, and also have a username or password on a cheating website. Another query pulled up a list of senior-level politicians, revealing the credit scores, phone numbers, and addresses of three U.S. senators, three U.S. representatives, the mayor of Washington, D.C., and a Cabinet member.

"Hopefully, this serves as a wake-up call that leaks are much more dangerous than we think they are," Metropolitansky said. "We're two college students. If someone really wanted to do some damage, I'm sure they could use these same techniques to do something horrible."

That's about right.

And you can be sure that the world's major intelligence organizations have already done all of this.

Over 200K WordPress sites potentially exposed to hack due to Code Snippets flaw

Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in the Code Snippets plugin.

The bug, tracked as CVE-2020-8417, could be exploited by attackers to take over WordPress sites running vulnerable versions of the Code Snippets plugin.

The plugin allows users to execute code without adding custom snippets to their theme’s functions.php file.

Code Snippets also implements a graphical interface, similar to the Plugins menu, for managing snippets. Snippets can be activated and deactivated, just like plugins.

This CSRF vulnerability could be exploited by attackers to forge a request on behalf of an administrator and inject code into a vulnerable site, potentially allowing remote execution of arbitrary code on WordPress installs running a vulnerable version of Code Snippets.

“On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site.” reads the advisory published by Wordfence. “This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. We privately disclosed the full details to the plugin’s developer on January 24th, who was quick to respond and released a patch one day later.”

The Code Snippets plugin currently has more than 200,000 active installs. On January 25, the development team released version 2.14.0, which addresses the flaw.

Wordfence researchers explained that the developers had protected nearly all endpoints of this plugin with WordPress “nonces”; only the plugin’s import function lacked that CSRF protection. An attacker could craft a malicious request that tricks an administrator into compromising their own site, for example by creating a new administrative account, exfiltrating sensitive information, or infecting site users.

“This request would execute an action, send a request to the site, and the attacker’s malicious code could be injected and executed on the site. With remote code execution vulnerabilities, exploit possibilities are endless.” continues the advisory. “An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.”
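To make the nonce point concrete, here is an added illustration (not the Code Snippets plugin’s code, and not taken from the Wordfence advisory) of a WordPress admin “import” action written two ways: first without any request token, then with the capability check and nonce that WordPress provides for exactly this purpose. Every name prefixed `example_` is hypothetical; `check_admin_referer()`, `wp_nonce_field()`, `current_user_can()` and the `admin_post_{action}` hook are real WordPress APIs.

```php
<?php
/*
 * Added example, not the Code Snippets plugin's own code. All example_ names are
 * hypothetical. Requires a WordPress install; load it as a small plugin to try.
 */

// --- Weak pattern: the handler trusts any request that reaches it. ---
// admin_post_* hooks only require that a user is logged in. Nothing ties the
// request to a token the attacker cannot know, so a form on a third-party page
// can submit it with the administrator's own cookies (this is the CSRF).
add_action( 'admin_post_example_import_weak', 'example_import_weak' );
function example_import_weak() {
    $payload = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    example_store_snippet( $payload ); // the plugin later runs stored snippets as PHP
    wp_safe_redirect( admin_url( 'admin.php?page=example-snippets&imported=1' ) );
    exit;
}

// --- Hardened pattern: capability check plus a nonce bound to this action. ---
add_action( 'admin_post_example_import', 'example_import_hardened' );
function example_import_hardened() {
    // 1. Only users allowed to change site configuration may reach this at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. The nonce must have been issued for *this* action, to *this* user,
    //    within the nonce lifetime. check_admin_referer() calls wp_die() on
    //    failure and also checks that the Referer points back into wp-admin.
    check_admin_referer( 'example_import_snippets', 'example_import_nonce' );

    $payload = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    example_store_snippet( $payload );
    wp_safe_redirect( admin_url( 'admin.php?page=example-snippets&imported=1' ) );
    exit;
}

// The legitimate form. wp_nonce_field() emits a hidden input carrying the token;
// a forged form on another origin cannot include a valid value for it.
function example_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_import">
        <?php wp_nonce_field( 'example_import_snippets', 'example_import_nonce' ); ?>
        <textarea name="snippet_code" rows="8" cols="80"></textarea>
        <?php submit_button( 'Import snippet' ); ?>
    </form>
    <?php
}

// Placeholder persistence for the example; a real plugin would use its own table.
function example_store_snippet( $code ) {
    update_option( 'example_last_imported_snippet', $code, false );
}
```

The two handlers differ by three lines, which is the whole lesson of this advisory: a single admin endpoint that skips the nonce check undoes the protection applied everywhere else. When auditing a plugin, grep every `admin_post_*`, `wp_ajax_*` and form handler for a matching `check_admin_referer()` / `check_ajax_referer()` / `wp_verify_nonce()` call and a `current_user_can()` check; the nonce alone is not an authorization check, and the capability check alone does not stop CSRF.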

Experts published a video proof of concept of the attack.

Experts will publish a proof-of-concept (PoC) exploit on February 12; for this reason, it is essential to update the plugin as soon as possible.

At the time of writing, more than 50K users have downloaded and installed the latest version of the plugin, but roughly 150K sites are still exposed to attacks.

Pierluigi Paganini

(SecurityAffairs – Code Snippets plugin, hacking)

The post Over 200K WordPress sites potentially exposed to hack due to Code Snippets flaw appeared first on Security Affairs.

UN hacked: Attackers got in via SharePoint vulnerability

In summer 2019, hackers broke into over 40 (and possibly more) UN servers in offices in Geneva and Vienna and downloaded “sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the UN,” The New Humanitarian reported on Wednesday. The UN, unfortunately, did not share that discovery with the authorities, the public, or even the potentially affected staff, and we now know about it only because TNH … More

The post UN hacked: Attackers got in via SharePoint vulnerability appeared first on Help Net Security.

The NHS has suffered only six ransomware attacks since the WannaCry worm, investigation reveals

An investigation claims that the UK’s National Health Service, which was hit hard by the notorious WannaCry worm in 2017, has seen a marked fall in ransomware attacks since. A report published by Comparitech, based upon Freedom of Information requests, reveals the somewhat surprising news that since WannaCry there have only been six recorded ransomware […]… Read More

The post The NHS has suffered only six ransomware attacks since the WannaCry worm, investigation reveals appeared first on The State of Security.