Daily Archives: May 20, 2020

The missing link in your SOC: Secure the mainframe

How confident are you that your security visibility covers every critical corner of your infrastructure? A good SIEM solution will pull data across firewalls, servers, routers, and endpoint devices. But what if there is even one gap—one piece of equipment that can’t be monitored but contains business critical data? That sounds like a glaring hole in the vision of your SOC, doesn’t it? Especially if it can be exploited by hackers, malicious insiders, or simply … More

The post The missing link in your SOC: Secure the mainframe appeared first on Help Net Security.

What do IGA solutions have in common with listening to music anywhere?

Fifteen years ago, there was a revolution in personal music players. The market had slowly evolved from the Walkman to the Discman, when a bolt of innovation brought the MP3 player. Finally, the problem of having all of one’s music anywhere was solved with a single device, rather than a device plus a bag full of whatever physical media was popular at the time. History clearly shows that the iPod and a few of its competitors … More

The post What do IGA solutions have in common with listening to music anywhere? appeared first on Help Net Security.

Virtual Private Networks

A virtual private network (VPN) creates an encrypted tunnel between your device and the VPN provider’s server, so anyone on the local network (a hotel or coffee-shop Wi-Fi, for example) sees only encrypted traffic to that server. That makes a VPN a good way to protect your privacy and data when traveling or connecting to untrusted or unknown networks. Use one whenever possible, for both work and personal use. Keep in mind what it does not do: traffic is decrypted again at the provider’s end, so you are trusting the VPN operator with everything you send, and a VPN does not protect you from malicious websites or phishing.

How secure are open source libraries?

Seven in 10 applications have a security flaw in an open source library, highlighting how use of open source can introduce flaws, increase risk, and add to security debt, Veracode research reveals. Nearly all modern applications, including those sold commercially, are built using some open source components. A single flaw in one library can cascade to all applications that leverage that code. According to Chris Eng, Chief Research Officer at Veracode, “Open source software … More

The post How secure are open source libraries? appeared first on Help Net Security.

Understanding How Bitcoin Mining Poses Security Risks

The value of Bitcoin has had its ups and downs over the past several years, but continues to attract interest in the midst of a chaotic market. The rapid growth of this alternate currency has dominated headlines and ignited a cryptocurrency boom that left consumers everywhere wondering how to get a slice of the Bitcoin pie. For those that want to join the craze without trading traditional currencies like U.S. dollars, a process called “Bitcoin mining” appears to be a great way to get involved. However, Bitcoin mining introduces a number of security risks.

What is Bitcoin mining?

Mining for Bitcoin is like mining for gold: you put in the work and you get your reward. But instead of back-breaking labor, you earn the currency with your time and computer processing power. “Miners”, as they are called, maintain and help secure Bitcoin’s decentralized accounting system.

Each time there’s a transaction, it’s recorded in a digital ledger called the “blockchain.” Miners help update the ledger by running software that verifies new transactions and collects them into a candidate block. To add that block to the chain they must solve a computational puzzle (a “proof of work”): repeatedly hash the block header with a changing nonce until the hash falls below a target set by the network’s current difficulty. The miner who finds a valid hash first earns newly created bitcoin (the block reward) plus the fees of the transactions in the block.
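The “puzzle” above is a proof of work, and it is easier to understand by running one. The following is an added example written for this page, not code from the original post or from McAfee: it mines a toy block header by searching for a nonce whose double-SHA-256 hash has a required number of leading zero bits, and shows how the expected number of attempts doubles with every extra bit of difficulty. The header bytes are constructed, and two details are simplified (real Bitcoin headers are 80-byte structures, and Bitcoin compares the hash as a little-endian integer against a target encoded in the header’s “bits” field; here the digest is read big-endian).

```python
import hashlib
import struct


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce, the hash Bitcoin miners grind on.

    Simplification (assumption for this example): 'header' is an arbitrary byte
    string rather than the real 80-byte Bitcoin header layout.
    """
    data = header + struct.pack("<I", nonce & 0xFFFFFFFF)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_bits(difficulty_bits: int) -> int:
    """A hash counts as a solution when, read as a 256-bit integer, it is below
    2**(256 - difficulty_bits), i.e. it starts with difficulty_bits zero bits."""
    return 1 << (256 - difficulty_bits)


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    # Big-endian comparison is a simplification; Bitcoin uses little-endian.
    return int.from_bytes(digest, "big") < target_for_bits(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces from 0 upward until one hashes below the target.

    Returns (nonce, hash_hex, attempts), or None if max_nonce is exhausted
    without a solution (a real miner would then change the header, e.g. the
    timestamp or the set of transactions, and start over).
    """
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs a single hash, however hard it was to find."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    # Constructed header for the demo; nothing here is real chain data.
    header = b"constructed-header:prev=00..00;merkle=ab..cd;time=1590000000"
    for bits in (8, 12, 16):
        nonce, digest, attempts = mine(header, bits)
        # Each extra bit of difficulty halves the chance per attempt, so the
        # expected work is about 2**bits hashes.
        print(f"{bits:2d} zero bits: nonce={nonce:<7d} attempts={attempts:<7d} "
              f"(expected ~{2 ** bits:<6d}) hash={digest[:20]}...")
```

Run it and compare the attempt counts with the `expected` column: they scatter around 2**bits, which is why a target that demands 70-plus leading zero bits (roughly where Bitcoin was in 2020) is out of reach for a laptop but trivial for a warehouse of purpose-built hashing chips. Verification stays one hash regardless, which is what lets every node check a block cheaply.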

What are the security risks?

As the digital currency has matured, Bitcoin mining has become more challenging. Early on, a user could mine on a home computer and earn a meaningful amount of the currency. The network, however, adjusts its difficulty so that blocks keep arriving roughly every ten minutes no matter how much hashing power joins, and so much has joined that competitive mining now requires expensive, specialized hardware and a great deal of electricity.

This is where the risks come in. Since mining needs ever more computing power, some miners have turned to stealing it: compromising public Wi-Fi networks in order to reach users’ devices and mine on them. One such incident occurred at a coffee shop in Buenos Aires, where malware on the café’s Wi-Fi introduced a 10-second delay when users logged in to the network; the malware authors used that window to load mining code onto the users’ laptops.

Beyond public Wi-Fi, millions of websites have been compromised to run mining code in visitors’ browsers. The problem has become so widespread that web-based mining has reportedly slowed down over a billion devices. And slowing your device down is not the worst outcome: a “cryptojacked” device may have all of its processing capacity consumed by mining, which drains batteries, shortens hardware life, and in extreme cases causes overheating.

Now that you know a little about Bitcoin mining and the risks associated with it, here are some tips to keep your devices safe as you monitor the cryptocurrency market:

  • Avoid public Wi-Fi networks—These networks often aren’t secured, opening your device and information up to a number of threats.
  • Use a VPN— If you’re away from your secure home or work network, consider using a virtual private network (VPN). This software encrypts your connection as far as the VPN provider, so that others on the same network cannot intercept or read your traffic. A product like McAfee Safe Connect can help safeguard your online privacy no matter where you go.
  • Secure Your Devices—New threats like Bitcoin malware are emerging all of the time. Protect your devices and information with comprehensive security software, and keep informed on the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Understanding How Bitcoin Mining Poses Security Risks appeared first on McAfee Blogs.

Only 36% of critical infrastructures have a high level of cyber resilience

Greenbone Networks revealed the findings of research assessing critical infrastructure providers’ ability to operate during or in the wake of a cyberattack. The cyber resilience of critical infrastructures The research investigated the cyber resilience of organizations operating in the energy, finance, health, telecommunications, transport and water industries, located in the world’s five largest economies: UK, US, Germany, France and Japan. Of the 370 companies surveyed, only 36 percent had achieved a high level of … More

The post Only 36% of critical infrastructures have a high level of cyber resilience appeared first on Help Net Security.

COVID-19 is driving diverging perspectives as enterprises decide which technologies to focus on

Technology executives, C-suite leaders and senior executives in areas such as IoT, DevOps, security, and embedded development, from both the U.S. and China, are realigning their focus during the COVID-19 pandemic, Wind River reveals. Seismic events can disrupt our focus and thinking and force reassessment of drivers of future business success. The current pandemic is one of those major events producing a worldwide impact, especially given its reverberations on the two largest global economies, the U.S. … More

The post COVID-19 is driving diverging perspectives as enterprises decide which technologies to focus on appeared first on Help Net Security.

ExtraHop Reveal(x) 360: Improving security posture without compromising availability

ExtraHop, the leader in cloud-native network detection and response, announced the general availability of Reveal(x) 360, the first SaaS-based network detection and response (NDR) solution providing on-demand, unified visibility across multicloud and hybrid workloads, as well as distributed workforces and operations. With ExtraHop Reveal(x) 360, security operations teams can harness the power of the cloud to improve security posture without compromising availability or core business objectives. Organizations around the world have experienced massive disruption as … More

The post ExtraHop Reveal(x) 360: Improving security posture without compromising availability appeared first on Help Net Security.

Strategies for successfully reopening after COVID-19

The thoughtful CIO will give priority to planning for fully reopening the organization after the COVID-19 pandemic has subsided. The new normal in the new world will not be the old normal. The changes will go well beyond customer and staff expectations for personal safety in places of business. Successful organizations in the post COVID-19…

COVID-19 accelerates telehealth adoption

The meteoric growth in telehealth adoption during the COVID-19 pandemic is a case study in how a crisis can trigger overcoming barriers to the adoption of technology and process improvements. The issues and solutions are applicable to most information technology implementation projects. Telehealth is the use of information and communications technology to deliver health care…

RedisAI and RedisGears address challenges customers have as they move AI into production

Redis Labs, the home of Redis and provider of Redis Enterprise, announced the general availability of RedisAI and RedisGears. Together, RedisAI and RedisGears transform Redis Enterprise into a low-latency, real-time data platform for infinite processing capabilities across any data model, while simultaneously inferencing artificial intelligence (AI) requests all within Redis. According to Gartner, “Through 2024, the shift from pilot to production artificial intelligence (AI) will drive a 5x increase in streaming data analytics infrastructure.” The … More

The post RedisAI and RedisGears address challenges customers have as they move AI into production appeared first on Help Net Security.

AppNeta c50: Expanding cloud visibility with container-based monitoring

AppNeta, the leader in actionable, 4-Dimensional network performance monitoring, announces the introduction of their latest monitoring point, the c50, which is entirely built upon container technology to enable enterprises to gain seamless, comprehensive visibility into their critical cloud and container-based environments. With more businesses turning to the cloud and leveraging containers to drive success as they undergo rapid digital transformation, performance insight into these connections is now an essential component of any enterprise-grade network monitoring … More

The post AppNeta c50: Expanding cloud visibility with container-based monitoring appeared first on Help Net Security.

Radisys introduces open and disaggregated PON solution to bring innovation to fiber rollouts

Radisys, a global leader of open telecom solutions, introduced Connect Open Broadband, a carrier-grade, Tier 1 network-hardened, scalable and secure software-defined Passive Optical Network (PON) distribution based on open standards and web-scale architecture to drive rapid innovation and economies of scale. The disaggregated PON solution gives Communications Service Providers (CSPs) deployment flexibility, scalable network growth, and increased service agility with optimized CapEx and OpEx. The demand for high-speed broadband services such as internet, video calling … More

The post Radisys introduces open and disaggregated PON solution to bring innovation to fiber rollouts appeared first on Help Net Security.

FireEye enables orgs to respond to security incidents faster with flexible and customizable modules

FireEye, the intelligence-led security company, introduced a new Innovation Architecture behind FireEye Endpoint Security, including the availability of several new modules for protection, investigation and response. Through this approach, FireEye is enabling organizations with an efficient way to deploy advanced features. “The rate at which new threats emerge is outpacing response. And traditionally, the time that the industry took to respond with the creation, testing and deployment of new features has been too long,” said … More

The post FireEye enables orgs to respond to security incidents faster with flexible and customizable modules appeared first on Help Net Security.

KIOSK KNECT IoT provides enhanced dashboard features, scalability, and IoT alert campaign automation

KIOSK Information Systems is announcing KNECT IoT, an enhanced remote monitoring application for real-time visibility of an unattended kiosk deployment. Since 2016, KIOSK’s Managed Services Team has offered cloud-based remote monitoring capabilities, providing instantaneous machine dialogue tied to system connectivity, software application status, and component level visibility. KIOSK president Kim Kenney notes, “The new features within KNECT IoT raise the standards on what customers can expect from their Remote Management System (RMS) when they deploy … More

The post KIOSK KNECT IoT provides enhanced dashboard features, scalability, and IoT alert campaign automation appeared first on Help Net Security.

ProcessUnity incorporates industry risk intelligence into third-party risk processes

ProcessUnity, a leading provider of cloud-based applications for risk and compliance management, extended its Vendor Risk Management automation platform with new capabilities to incorporate industry risk intelligence into third-party risk processes. The ProcessUnity Vendor Intelligence Suite uses program automation to seamlessly integrate cyber ratings, financial health data, watchlist ratings and more into ProcessUnity Vendor Risk Management to provide organizations with a comprehensive view into the health of their vendor ecosystem. “The ProcessUnity Vendor Intelligence Suite … More

The post ProcessUnity incorporates industry risk intelligence into third-party risk processes appeared first on Help Net Security.

PCI Geomatics announces Geomatica Cloud on the cloudeo marketplace

PCI Geomatics, a world leading developer of remote sensing and photogrammetric software and systems, announced the availability of Geomatica Cloud on the cloudeo marketplace. “PCI Geomatics offers leading edge technology to extract information from UAV, aerial, satellite optical and SAR imagery. Improving access to this technology is a key focus of our business transformation. “The cloudeo marketplace represents exciting opportunities to expose our technology to more customers and partners who conduct their day to day … More

The post PCI Geomatics announces Geomatica Cloud on the cloudeo marketplace appeared first on Help Net Security.

Ericom Connect 9.3: Secure access for remote and work-from-home users

Ericom Software, a leader in secure web and application access solutions, announced the release of Ericom Connect 9.3, the latest version of its browser-based secure remote application and desktop access solution. With the new release, IT admins can enable enterprise users to securely access corporate resources and in-office desktops, without having to install software directly on either in-office desktops or user’s remote devices. The ability to implement work-from-home initiatives without IT admins having physical access … More

The post Ericom Connect 9.3: Secure access for remote and work-from-home users appeared first on Help Net Security.

Verint integrates recording and compliance with Microsoft Teams calling and meeting experience

Verint Systems, The Customer Engagement Company, announced the availability of its new Microsoft Teams recording integration which helps businesses across industries centrally capture, retain, analyze, and retrieve all communications from Microsoft Teams calling and meeting scenarios – including voice calling, chat, online meetings, screen sharing and more. Verint’s native integration with Microsoft Teams helps businesses leverage the latest digital collaboration channels while remaining compliant with evolving regulations. Verint will showcase the Microsoft Teams integration in … More

The post Verint integrates recording and compliance with Microsoft Teams calling and meeting experience appeared first on Help Net Security.

SS8 announces EPC integration on AWS for CSPs and Law Enforcement Agencies

SS8 Networks, a leader in Lawful Intercept and Monitoring Center platforms, announces the first Evolved Packet Core (EPC) integration of their Lawful Intelligence platform on Amazon Web Services (AWS) for Communication Service Providers (CSPs) and Law Enforcement Agencies. This SS8 Lawful Intelligence solution supported on AWS provides carrier-grade network integration with EPCs that can support millions of mobile subscribers while meeting high availability and scalability requirements. Almost anywhere on the globe, CSPs have a new … More

The post SS8 announces EPC integration on AWS for CSPs and Law Enforcement Agencies appeared first on Help Net Security.

Aqua Security raises $30M to boost the expansion of its cloud native security platform

Aqua Security, the market leader in protecting container-based, serverless and cloud native applications, announced that it has closed a Series D round of $30M led by Greenspring Associates, with participation by Aqua’s existing investors – Insight Partners, Lightspeed Venture Partners, and TLV Partners. This investment brings Aqua’s total venture funding raised to more than $130M. “Aqua has made impressive strides building its customer base and establishing itself as a market leader in securing cloud native … More

The post Aqua Security raises $30M to boost the expansion of its cloud native security platform appeared first on Help Net Security.

Gagan Singh joins NortonLifeLock as chief product officer

NortonLifeLock, a global leader in consumer Cyber Safety, announced the appointment of Gagan Singh to chief product officer. In this newly created role, Singh will drive NortonLifeLock’s Cyber Safety product strategy and oversee the company’s overall customer experience, product management and product design. Singh will report to NortonLifeLock President Samir Kapuria. “Our mission is to be everyone’s trusted partner who protects and enables consumers’ digital lives with our industry leading portfolio of Cyber Safety solutions,” … More

The post Gagan Singh joins NortonLifeLock as chief product officer appeared first on Help Net Security.

Octo hires Rob Albritton as Senior Director of its AI Center of Excellence

Octo has announced the hiring of award-winning artificial intelligence (AI) and machine learning (ML) authority Rob Albritton as Senior Director of its AI Center of Excellence. Albritton will guide and shape Octo’s AI capability and offerings, set long-term AI strategy and vision, and develop the company’s AI Center of Excellence through its research and development center, oLabs. “Octo is serious about AI,” said Chief Executive Officer Mehul Sanghani. “It is transforming the way our customers … More

The post Octo hires Rob Albritton as Senior Director of its AI Center of Excellence appeared first on Help Net Security.

VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director

VMware has patched a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, in its Cloud Director product.

The vulnerability is a code injection issue: an authenticated attacker can send crafted requests to Cloud Director that lead to arbitrary code execution on the appliance. The attacker needs a valid session, but the advisory does not state that administrative privileges are required.

“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.” reads the security advisory published by VMware.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.”

In other words, every interface that accepts input from logged-in users reaches the flaw, so disabling a single UI is not a workaround on its own.

The vulnerability impacts VMware Cloud Director 10.0.x, 9.7.x and 9.5.x on Linux and Photon OS appliances, and version 9.1.x on Linux. Versions 8.x, 9.0.x and 10.1.0 are not affected.

VMware vCloud Director 9.1.0.4, 9.5.0.6, 9.7.0.5 and 10.0.0.2 address the issue. VMware has also published a workaround for deployments that cannot patch immediately.
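The affected and fixed builds above map onto a small inventory check. The following is an added example written for this page, not code from the original post, from VMware or from Citadelo: it parses a Cloud Director version string, decides which branch it belongs to, and reports it as vulnerable, fixed, unaffected, or unknown according to the advisory text quoted above. The host names and versions in the sample inventory are constructed; the check says nothing about exploitability, only whether a build predates the fix.

```python
import re

# First fixed build on each affected branch, per the advisory as quoted above.
FIXED_IN = {
    (9, 1): (9, 1, 0, 4),
    (9, 5): (9, 5, 0, 6),
    (9, 7): (9, 7, 0, 5),
    (10, 0): (10, 0, 0, 2),
}
# Platforms on which each affected branch is listed as affected:
# 9.1.x only on Linux; the others on Linux and Photon OS appliances.
AFFECTED_PLATFORMS = {
    (9, 1): {"linux"},
    (9, 5): {"linux", "photon"},
    (9, 7): {"linux", "photon"},
    (10, 0): {"linux", "photon"},
}
# Branches the advisory lists as not affected.
UNAFFECTED_BRANCHES = {(9, 0), (10, 1)}


def parse_version(text: str) -> tuple:
    """'10.0.0.2' -> (10, 0, 0, 2); shorter strings are padded with zeros."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){0,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def assess(version: str, platform: str = "linux") -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown' for one install."""
    v = parse_version(version)
    branch = v[:2]
    plat = platform.strip().lower()
    if v[0] == 8 or branch in UNAFFECTED_BRANCHES:
        return "unaffected"
    if branch not in FIXED_IN:
        return "unknown"            # branch not covered by the advisory text
    if plat not in AFFECTED_PLATFORMS[branch]:
        return "unaffected"         # e.g. 9.1.x is listed for Linux only
    return "fixed" if v >= FIXED_IN[branch] else "vulnerable"


def triage(inventory) -> dict:
    """inventory: iterable of (host, version, platform). Returns {status: [hosts]}."""
    report = {}
    for host, version, platform in inventory:
        report.setdefault(assess(version, platform), []).append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("vcd-prod-01", "10.0.0.1", "photon"),
        ("vcd-prod-02", "10.0.0.2", "photon"),
        ("vcd-lab-01", "9.7.0.4", "linux"),
        ("vcd-old-01", "9.1.0.3", "linux"),
        ("vcd-new-01", "10.1.0", "photon"),
        ("vcd-legacy", "8.20.0", "linux"),
    ]
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:<11s} {', '.join(hosts)}")
```

Anything that comes back `unknown` is a branch the advisory text does not mention and should be checked against the vendor’s own matrix rather than assumed safe; a build that reports `fixed` still needs its patch confirmed on the appliance, since the version banner and the installed patch level can disagree after a failed upgrade.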

The vulnerability was discovered by Tomáš Melicher and Lukáš Václavík of Citadelo.

A couple of weeks ago, VMware addressed vulnerabilities impacting the vRealize Operations Manager (vROps) product, including two recently disclosed Salt issues.

Earlier this month, VMware addressed a critical information disclosure flaw, tracked as CVE-2020-3952, that could be exploited by attackers to compromise vCenter Server or other services that use the Directory Service (vmdir) for authentication.

CVE-2020-3952 received a CVSSv3 score of 10 and resides in vCenter Server version 6.7 on Windows and virtual appliances.

Pierluigi Paganini

(SecurityAffairs – CVE-2020-3956, hacking)

The post VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director appeared first on Security Affairs.

Adam Levin Discusses Covid-19 Scams on CNBC

Adam Levin was featured on CNBC where he discussed how the Covid-19 pandemic has created an ideal environment for scammers.

“We are working with our children and home schooling. We’re sharing devices with our children. We’re trying to juggle work and family. But to a hacker, we are their day job,” said Levin.

The post Adam Levin Discusses Covid-19 Scams on CNBC appeared first on Adam Levin.

Michigan Launches Cybercrime Hotline


Michigan victims of cybercrime now have a dedicated phone line to call for free round-the-clock support and advice. 

The Cybercrime Victim Support Initiative is available free of charge to residents in 13 northern Michigan counties, including Antrim, Benzie, Grand Traverse, Kalkaska, and Leelanau. 

Residents who have been targeted by cyber-criminals can call or text 211 from any phone to report the crime and receive tips on how to recover their personal information and funds. 

Calls will be handled by a center in Grand Rapids staffed by trained advisors from United Way, an organization that brings donors, volunteers, and community organizations together to solve critical problems.

In addition to offering practical guidance on what to do after a crime has taken place, the advisors will offer tips on how to avoid being caught in the cyber-criminal's net.

Data collected by the advisors will be stored in a central database and used to warn Michigan residents of all the latest scams doing the rounds. 

Seth Johnson, president of the United Way of Northwest Michigan, said that while most people are aware of old scams like the advance-fee email that appears to be sent by a Nigerian prince, some of the newer nefarious schemes, including ruses to con Americans out of their COVID-19 stimulus checks, are not common knowledge. 

"More and more of us are online and so more and more of us are vulnerable," Johnson said. 

As cybercrime grows ever more sophisticated, the hotline has been established as a place to which residents can turn for clear and reliable guidance. 

Johnson said: "This is meant to be a 24/7 resource where they can get the information they need." 

The initiative was launched by the Cybercrime Support Network and Heart of West Michigan United Way in partnership with the Heart of Florida United Way. Funding for the hotline was provided via a Department of Justice Office for Victims of Crime Vision 21 Grant. 

Leelanau County Sheriff Mike Borkovich said the hotline is a valuable resource for victims of cybercrime. 

Borkovich, who has seen an increase in the number of reported cybercrime incidents since the outbreak of COVID-19, said: "People have no scruples when it comes to things like that. They'll take advantage of senior citizens and try to rip them off."

Bart Gellman on Snowden

Bart Gellman's long-awaited (at least by me) book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic.

It's an interesting read, mostly about the government surveillance of him and other journalists. He speaks about an NSA program called FIRSTFRUITS that specifically spies on US journalists. (This isn't news; we learned about this in 2006. But there are lots of new details.)

One paragraph in the excerpt struck me:

Years later Richard Ledgett, who oversaw the NSA's media-leaks task force and went on to become the agency's deputy director, told me matter-of-factly to assume that my defenses had been breached. "My take is, whatever you guys had was pretty immediately in the hands of any foreign intelligence service that wanted it," he said, "whether it was Russians, Chinese, French, the Israelis, the Brits. Between you, Poitras, and Greenwald, pretty sure you guys can't stand up to a full-fledged nation-state attempt to exploit your IT. To include not just remote stuff, but hands-on, sneak-into-your-house-at-night kind of stuff. That's my guess."

I remember thinking the same thing. It was the summer of 2013, and I was visiting Glenn Greenwald in Rio de Janeiro. This was just after Greenwald's partner was detained in the UK trying to ferry some documents from Laura Poitras in Berlin back to Greenwald. It was an opsec disaster; they would have been much more secure if they'd emailed the encrypted files. In fact, I told them to do that, every single day. I wanted them to send encrypted random junk back and forth constantly, to hide when they were actually sharing real data.

As soon as I saw their house I realized exactly what Ledgett said. I remember standing outside the house, looking into the dense forest for TEMPEST receivers. I didn't see any, which only told me they were well hidden. I assumed black-bag teams from various countries had been all over the house when they were out for dinner, and wondered what would have happened if teams from different countries bumped into each other. I assumed that all the countries Ledgett listed above -- plus the US and a few more -- had a full take of what Snowden gave the journalists. These journalists against those governments just wasn't a fair fight.

I'm looking forward to reading Gellman's book. I'm kind of surprised no one sent me an advance copy.

Boston Cybersecurity Firm to Create 65 Jobs in Belfast


Boston cybersecurity firm Cygilant has announced plans to create 65 jobs at its new European security operations center (SOC) in Northern Ireland's capital city, Belfast. 

Cygilant, which employs 80 people globally, established the SOC in February 2020 with the support of Invest NI, the economic development agency for Northern Ireland. 

Already, 25 employees have been recruited to work at the new center, which is based in the Centrepoint Building next to the BBC on Ormeau Avenue. Now the company has pledged to create a further 40 jobs at the center over the next couple of years, with wages averaging around £43,000.

While lockdown measures introduced to slow the spread of COVID-19 in Northern Ireland remain in place, the SOC is being operated on a remote basis. 

But despite the difficulties created by the outbreak of the novel coronavirus, Cygilant's chief executive Rob Scott said that around ten new staff had been recruited for the center since lockdown measures were imposed. 

Invest NI has offered Cygilant a generous £455,000 in funding toward the creation of new jobs in Northern Ireland. 

Former Formula 1 race-car driver Scott said the investment played a key part in the company's decision to site their European operations in the Emerald Isle. 

The Mancunian and lifelong Manchester United Football Club fan explained: “Opening this SOC is our first foray into the European market and thanks to the support of Invest NI, we made the decision to invest here in Belfast.”

Scott also cited Belfast's local talent as a determining factor. He said: “There are between 18 and 20 cybersecurity companies, so it’s becoming a major hub for that technology. It’s because there’s already a pool of people and on top of that, there are the universities, which have great cyber-security programs.”

Economy Minister Diane Dodds said that the 65 jobs created by the US company will eventually contribute £2.8m in annual salaries.

“In these challenging times it is welcome news to be able to announce new cybersecurity jobs for Northern Ireland," Dodds told The Irish News.

“This is an important endorsement of Northern Ireland’s growing reputation for excellence in cybersecurity.”

Success in security: reining in entropy

Your network is unique. It’s a living, breathing system evolving over time. Data is created. Data is processed. Data is accessed. Data is manipulated. Data can be forgotten. The applications and users performing these actions are all unique parts of the system, adding degrees of disorder and entropy to your operating environment. No two networks on the planet are exactly the same, even if they operate within the same industry, utilize the exact same applications, and even hire workers from one another. In fact, the only attribute your network may share with another network is simply how unique they are from one another.

If we follow the analogy of an organization or network as a living being, it’s logical to drill down deeper, into the individual computers, applications, and users that function as cells within our organism. Each cell is unique in how it’s configured, how it operates, the knowledge or data it brings to the network, and even the vulnerabilities it carries with it. It’s important to note that cancer begins at the cellular level and can ultimately bring down the entire system. For incident response and recovery, the greater the level of entropy and chaos across a system, the more difficult it becomes to locate potentially harmful entities. Incident response is about locating the source of the cancer in a system in order to remove it and make the system healthy once more.

Let’s take the human body for example. A body that remains at rest 8-10 hours a day, working from a chair in front of a computer, and with very little physical activity, will start to develop health issues. The longer the body remains in this state, the further it drifts from an ideal state, and small problems begin to manifest. Perhaps it’s diabetes. Maybe it’s high blood pressure. Or it could be weight gain creating fatigue within the joints and muscles of the body. Your network is similar to the body. The longer we leave the network unattended, the more it will drift from an ideal state to a state where small problems begin to manifest, putting the entire system at risk.

Why is this important? Let’s consider an incident response process where a network has been compromised. As a responder and investigator, we want to discover what has happened, what the cause was, what the damage is, and determine how best we can fix the issue and get back on the road to a healthy state. This entails looking for clues or anomalies; things that stand out from the normal background noise of an operating network. In essence, let’s identify what’s truly unique in the system, and drill down on those items. Are we able to identify cancerous cells because they look and act so differently from the vast majority of the other healthy cells?

Consider a medium-size organization with 5,000 computer systems. Last week, the organization was notified by a law enforcement agency that customer data was discovered on the dark web, dated from two weeks ago. We start our investigation on the date we know the data likely left the network. What computer systems hold that data? What users have access to those systems? What windows of time are normal for those users to interact with the system? What processes or services are running on those systems? Forensically we want to know what system was impacted, who was logging in to the system around the timeframe in question, what actions were performed, where those logins came from, and whether there are any unique indicators. Unique indicators are items that stand out from the normal operating environment: unusual users, system interaction times, protocols, binary files, data files, services, registry keys, and configurations (such as rogue autostart entries).

Our investigation reveals a unique service running on a member server that hosts SQL Server. Analysis shows the service has an autostart entry in the registry and, on every reboot, launches from a file in the c:\windows\perflogs directory, an unusual location for an autostart binary. We haven’t seen this service before, so we sweep all systems on the network for other instances of the registry startup key or the binary files we’ve identified. Out of 5,000 systems, we locate these pieces of evidence on only three, one of which is a Domain Controller.
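The stacking step described above, written out as an added example (this is not code from the Microsoft post): it inventories autostart service entries across a constructed fleet, keeps the entries present on only a few hosts, and ranks those launched from directories where an autostart binary has no business (the PerfLogs directory from the text, plus Windows\Temp, Users\Public and per-user Temp, an assumed heuristic). The host names, registry keys and image paths are all constructed for the illustration.

```python
"""Least-frequency-of-occurrence ("stacking") of autostart entries across a fleet.

Added example; the inventory below is constructed, not real telemetry.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SERVICES = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"


def build_sample_inventory():
    """Constructed fleet: every host runs Defender, the SQL member server has
    its SQL service, and three hosts carry an unknown service launched from
    C:\\Windows\\PerfLogs. Rows are (host, registry key, image path)."""
    hosts = ["SRV-SQL01", "DC01"] + [f"WS-{n:04d}" for n in range(1, 501)]
    rows = [(h, SERVICES + "WinDefend",
             r"C:\Program Files\Windows Defender\MsMpEng.exe") for h in hosts]
    rows.append(("SRV-SQL01", SERVICES + "MSSQLSERVER",
                 r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"))
    for h in ("SRV-SQL01", "DC01", "WS-0412"):
        rows.append((h, SERVICES + "PerfSvc", r"C:\Windows\PerfLogs\perfsvc.exe"))
    return rows


# Directory sequences an autostart binary should not normally live under (assumed heuristic).
SUSPICIOUS_DIRS = [
    ("windows", "perflogs"),
    ("windows", "temp"),
    ("users", "public"),
    ("appdata", "local", "temp"),
]


def stack_autoruns(records):
    """Map each (registry key, image path) pair to the set of hosts carrying it."""
    hosts_by_entry = defaultdict(set)
    for host, key, image in records:
        hosts_by_entry[(key.lower(), image.lower())].add(host)
    return hosts_by_entry


def unusual_location(image):
    """True if the image path passes through one of the SUSPICIOUS_DIRS sequences."""
    parts = tuple(p.lower().rstrip("\\") for p in PureWindowsPath(image).parts)
    for pattern in SUSPICIOUS_DIRS:
        n = len(pattern)
        if any(parts[i:i + n] == pattern for i in range(len(parts) - n + 1)):
            return True
    return False


def triage(records, max_hosts=3):
    """Return entries seen on at most `max_hosts` hosts, most suspicious first:
    rare AND in an unusual directory outranks rare alone, then fewer hosts first."""
    stacked = stack_autoruns(records)
    findings = []
    for (key, image), hosts in stacked.items():
        if len(hosts) <= max_hosts:
            findings.append({
                "key": key,
                "image": image,
                "hosts": sorted(hosts),
                "unusual_location": unusual_location(image),
            })
    findings.sort(key=lambda f: (not f["unusual_location"], len(f["hosts"])))
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_inventory()):
        flag = "UNUSUAL PATH" if f["unusual_location"] else "rare only"
        print(f"{flag:12} {len(f['hosts'])} host(s) {f['image']} -> {f['hosts']}")
```

A rare entry in a normal location (the SQL service that exists only on the SQL server) still surfaces, which is the point: rarity alone gives candidates, while the location and the host list (a Domain Controller among the three) decide what to open first. Widen `max_hosts` when the fleet is large or the attacker has already spread, and stack on the binary hash as well as the path when you have it, since a renamed file defeats path matching.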

This process of identifying what is unique allows our investigative team to highlight the systems, users, and data at risk during a compromise. It also helps us potentially identify the source of attacks, what data may have been pilfered, and foreign Internet computers calling the shots and allowing access to the environment. Additionally, any recovery efforts will require this information to be successful.

This all sounds like common sense, so why cover it here? Remember we discussed how unique your network is, and how there are no other systems exactly like it elsewhere in the world? That means every investigative process into a network compromise is also unique, even if the same attack vector is being used to attack multiple organizational entities. We want to provide the best foundation for a secure environment and the investigative process, now, while we’re not in the middle of an active investigation.

The unique nature of a system isn’t inherently a bad thing. Your network can be unique from other networks. In many cases, it may even provide a strategic advantage over your competitors. Where we run afoul of security best practice is when we allow too much entropy to build up on the network, losing the ability to differentiate “normal” from “abnormal.” In short, will we be able to easily locate the evidence of a compromise because it stands out from the rest of the network, or are we hunting for the proverbial needle in a haystack? Clues related to a system compromise don’t stand out if everything we look at appears abnormal. This can exacerbate an already tense response situation, extending the timeframe for investigation and dramatically increasing the costs required to return to a trusted operating state.

To tie this back to our human body analogy, when a breathing problem appears, we need to be able to understand whether this is new, or whether it’s something we already know about, such as asthma. It’s much more difficult to correctly identify and recover from a problem if it blends in with the background noise, such as difficulty breathing because of air quality, lack of exercise, smoking, or allergies. You can’t know what’s unique if you don’t already know what’s normal or healthy.

To counter this problem, we pre-emptively bring the background noise on the network to a manageable level. All systems move towards entropy unless acted upon. We must put energy into the security process to counter the growth of entropy, which would otherwise exponentially complicate our security problem set. Standardization and control are the keys here. If we limit what users can install on their systems, we quickly notice when an untrusted application is being installed. If it’s against policy for a Domain Administrator to log in to Tier 2 workstations, then any attempts to do this will stand out. If it’s unusual for Domain Controllers to create outgoing web traffic, then it stands out when this occurs or is attempted.
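The three policy statements in the paragraph above translate almost line for line into detections, which is the practical payoff of standardizing first. The following is an added example, not part of the original post: the tiering model, the two tier-0 admin accounts, the internal address ranges and the handful of JSON-normalised logon and flow events are all constructed for the illustration.

```python
"""Detections that fall out of a written standard: the policy says what must
not happen, so each rule is a direct transcription of one policy line.

Added example; asset tiers, accounts and event lines are constructed."""
import ipaddress
import json

# Assumed tiering model (tier 0 = domain controllers, 1 = member servers, 2 = workstations).
TIER = {"DC01": 0, "DC02": 0, "SRV-SQL01": 1, "WS-0412": 2, "WS-0099": 2}
TIER0_ADMINS = {"CORP\\da-jsmith", "CORP\\da-backup"}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}          # console, RDP, cached interactive
WEB_PORTS = {80, 443, 8080}
# Assumed internal ranges; anything outside them counts as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, normalised events (one JSON object per line) as a SIEM might emit them.
SAMPLE_EVENTS = [
    r'{"type":"logon","host":"WS-0412","user":"CORP\\da-jsmith","logon_type":10}',
    r'{"type":"logon","host":"DC01","user":"CORP\\da-jsmith","logon_type":10}',
    r'{"type":"logon","host":"SRV-SQL01","user":"CORP\\da-backup","logon_type":3}',
    r'{"type":"logon","host":"WS-0099","user":"CORP\\jdoe","logon_type":2}',
    r'{"type":"netflow","src":"DC01","dst":"203.0.113.7","dport":443,"direction":"out"}',
    r'{"type":"netflow","src":"DC01","dst":"10.0.0.5","dport":389,"direction":"in"}',
    r'{"type":"netflow","src":"DC02","dst":"10.0.20.4","dport":443,"direction":"out"}',
    r'{"type":"netflow","src":"WS-0099","dst":"203.0.113.9","dport":443,"direction":"out"}',
]


def parse_events(lines):
    return [json.loads(line) for line in lines if line.strip()]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def tier_violations(events):
    """Policy: tier-0 accounts never log on interactively below tier 0.
    Network logons (type 3) are deliberately ignored; they do not leave
    reusable credentials on the lower-tier host."""
    alerts = []
    for e in events:
        if e.get("type") != "logon" or e["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        host_tier = TIER.get(e["host"], 2)      # unknown host: treat as a workstation
        if e["user"] in TIER0_ADMINS and host_tier > 0:
            alerts.append(f"TIER: {e['user']} interactive logon (type {e['logon_type']}) "
                          f"on tier-{host_tier} host {e['host']}")
    return alerts


def dc_egress(events):
    """Policy: domain controllers do not initiate web traffic to non-internal addresses.
    Internal web destinations (an update server, for instance) are left alone."""
    alerts = []
    for e in events:
        if e.get("type") != "netflow" or e.get("direction") != "out":
            continue
        if TIER.get(e["src"]) == 0 and e["dport"] in WEB_PORTS and not is_internal(e["dst"]):
            alerts.append(f"EGRESS: DC {e['src']} -> {e['dst']}:{e['dport']}")
    return alerts


def run_detections(lines):
    events = parse_events(lines)
    return tier_violations(events) + dc_egress(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Two of the eight events fire: the domain admin’s RDP session to a workstation and the domain controller’s outbound HTTPS to an external address. Everything else is noise the policy already permits, which is exactly the signal-to-noise ratio the text is arguing for. The rules are only as good as the asset and account inventories behind `TIER` and `TIER0_ADMINS`; keeping those current is part of the standardization work, not an afterthought.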

Centralize the security process. Enable that process. Standardize security configuration, monitoring, and expectations across the organization. Enforce those standards. Enforce the tenet of least privilege across all user levels. Understand your ingress and egress network traffic patterns, and when those are allowed or blocked.

In the end, your success in investigating and responding to inevitable security incidents depends on what your organization does on the network today, not during an active investigation. By reducing entropy on your network and defining what “normal” looks like, you’ll be better prepared to quickly identify questionable activity on your network and respond appropriately. Bear in mind that security is a continuous process and should not stop. The longer we ignore the security problem, the further the state of the network will drift from “standardized and controlled” back into disorder and entropy. And the further we sit from that state of normal, the more difficult and time consuming it will be to bring our network back to a trusted operating environment in the event of an incident or compromise.

The post Success in security: reining in entropy appeared first on Microsoft Security.

Stanford University Tops List of US Cybersecurity Degree Providers


The cybersecurity degree offered by Stanford University has been ranked the best in the United States by independent educational organization Cyber Degrees Edu.

Private California university Stanford topped a list of America's 55 best cybersecurity degree providers published by Cyber Degrees Edu on May 18. In second and third place respectively were Carnegie Mellon University in Pennsylvania and the University of California, Davis.

Of the three top degree providers, Stanford has the lowest student-to-faculty ratio with 5 students to every 1 faculty member. At Carnegie Mellon, the ratio doubles to 10 to 1, while at the University of California, Davis, the ratio is an even higher 20 to 1. 

A proprietary ratings system was used to rank the various colleges and universities offering cybersecurity bachelor’s and master’s degree programs. 

The criteria used to determine the rankings included the school’s rates of acceptance and graduation. Researchers also compared educational establishments by their retention rate, which is the number of first-time students who return to the university the following year.

Stanford boasts the highest graduation rate with 94% of students leaving the university with a degree. At Carnegie Mellon, the rate is slightly lower at 89%, while at University of California, Davis, 86% of students graduate. 

Researchers also looked at the costs of studying, the grants and scholarships available, and which colleges specialized in cybersecurity with a variety of degree programs.

"All schools on the list are either high quality or very affordable and are located across the country," said a spokesperson for Cyber Degrees Edu. "While the list provides some of the best schools for cybersecurity, Cyber Degrees EDU also recognizes that it is important for students to find the best school for their particular needs and so these rankings aim to provide the information needed for students to make the best possible choice for them."

When weighing up which degree provider was best, researchers looked beyond the school's overall reputation to its alumni.

Cyber Degrees Edu said: "What matters most is the reputation of the individual cybersecurity program. That is why knowing which schools were attended by the best cybersecurity professionals is so vital."

AMD 400 series motherboards to support ‘Zen 3’ processors

After receiving waves of backlash from its users, AMD announced support for its upcoming processors based on the Zen 3 microarchitecture for the X470 and B450 series motherboards, retracting an earlier decision to omit these platforms for these future products.

In a Reddit thread, AMD said that it’s working with motherboard partners to develop basic input-output systems (BIOS) versions that would enable support for Zen 3 processors on X470 and B450 motherboards.

Once flashed onto the motherboard, the new BIOS would disable support for older generation Ryzen processors to free up space for new BIOS codes. The upgrade is one-way, meaning that users cannot revert back to an older BIOS version once the upgrade is complete. To avoid a “no-boot” situation, users would need to provide proof that they’ve purchased a Zen 3 desktop processor and a 400 series motherboard before they can download the BIOS.

Earlier this month, AMD published a blog post announcing that the fourth generation Ryzen processors would not be compatible with 400 series motherboards despite using the same AM4 socket. The company had previously promised to support the AM4 socket “until 2020”, but never specified an exact date for its retirement.

In the initial blog post, AMD cited BIOS size constraints to be the limiting factor. The blogpost explained that at a maximum of 16MB, the read-only memory (ROM) used to store the BIOS is too small to hold the code necessary to support the new processors.

The hardware community immediately criticized the move. Users who had hoped to upgrade in the future were especially vocal. Because AMD delayed its affordable mainstream B550 motherboard chipset, many new entrants to AMD had to purchase 400 series motherboards as the most affordable entry point to the platform. In addition, many blamed AMD for failing to communicate that support for the new processors would be limited to 500 series motherboards, saying it would have affected their purchasing decision.

Furthermore, many dismissed AMD’s reasoning and argued that motherboard manufacturers could simply add more ROM. Others called for the company to trim support for older processors to make room for the new code.

AMD noted that the availability of the new BIOS will vary and may not coincide with the Zen 3 processor launch.

Adobe fixed several memory corruption issues in some of its products

Adobe addressed multiple memory corruption vulnerabilities, including one that allows arbitrary code execution, in several of its products.


The issues affect Character Animator, Premiere Rush, Premiere Pro, and Audition; all were reported to Adobe by researcher Mat Powell of Trend Micro’s Zero Day Initiative (ZDI).

Bulletin    Title                                                      Posted       Updated
APSB20-29   Security update available for Adobe Premiere Rush          05/19/2020   05/19/2020
APSB20-28   Security update available for Adobe Audition               05/19/2020   05/19/2020
APSB20-27   Security update available for Adobe Premiere Pro           05/19/2020   05/19/2020
APSB20-25   Security update available for Adobe Character Animator     05/19/2020   05/19/2020

The most serious flaw, tracked as CVE-2020-9586, is a critical stack-based buffer overflow affecting the Windows and macOS versions of Adobe Character Animator.

The vulnerability could be exploited by a remote attacker to execute arbitrary code.

“Adobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves a stack-based buffer overflow vulnerability that could lead to remote code execution.” reads the advisory published by Adobe.

Adobe has also addressed an out-of-bounds read vulnerability in Adobe Premiere Rush for Windows and macOS that could lead to information disclosure.

The company also released security updates for Adobe Premiere Pro for Windows and macOS that address an out-of-bounds read vulnerability that could lead to information disclosure.

The fourth bulletin, APSB20-28, covers Adobe Audition for Windows and macOS.

The good news is that Adobe is not aware of in-the-wild attacks exploiting these vulnerabilities, and it assigned all four updates a priority rating of 3, its lowest, which it uses for products that historically have not been targets for attackers. That rating reflects exploitation history, not exploitability: the Character Animator overflow still allows remote code execution via a crafted file, so the update belongs in the normal patch cycle rather than being deferred indefinitely.

At the beginning of this month Adobe released security updates to address 36 vulnerabilities in Adobe Acrobat, Reader, and Adobe DNG Software Development Kit.

Pierluigi Paganini

(SecurityAffairs – memory corruption flaws, hacking)

The post Adobe fixed several memory corruption issues in some of its products appeared first on Security Affairs.

Are you working at home or sleeping at work?

Are you starting to feel more tired than usual at work from home? Are you afraid that your anxiety and fatigue might get discovered? You are not alone. We can all use boundaries, routines, and rituals as a wake-up call in finding joy and peace of mind while working from home.

How CISOs Can Achieve Better Network Visibility

Cybersecurity Adviser Ed Moyle on the Need to Keep Up With Security Architecture Changes
To achieve better network visibility, security practitioners must improve their knowledge of tools that support web services, containers and the evolution of development practices, says Ed Moyle, co-founder of the cybersecurity advisory firm Security Curve.

LinkedIn’s Workforce Confidence Index shows company size plays a big role in remote work satisfaction – LinkedIn

Remote work is here for the long haul. Even one of the world’s most paper-dominated industries is getting cozy with going digital. The Supreme Court of Canada held its annual meeting recently and confirmed it was going to hold its upcoming four cases in June virtually. But how do Canadian workers really feel about remote…

Cybersecurity best practices to implement highly secured devices

Almost three years ago, we published The Seven Properties of Highly Secured Devices, which introduced a new standard for IoT security and argued, based on an analysis of best-in-class devices, that seven properties must be present on every standalone device that connects to the internet in order to be considered secured. Azure Sphere, now generally available, is Microsoft’s entry into the market: a seven-properties-compliant, end-to-end product offering for building and deploying highly secured IoT devices.

Every connected device should be highly secured, even devices that seem simplistic, like a cactus watering sensor. The seven properties are always required. These details are captured in a new paper titled, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere. It focuses on why the seven properties are always required and describes best practices used to implement Azure Sphere. The paper provides detailed information about the architecture and implementation of Azure Sphere and discusses design decisions and trade-offs. We hope that the new paper can assist organizations and individuals in evaluating the measures used within Azure Sphere to improve the security of IoT devices. Companies may also want to use this paper as a reference, when assessing Azure Sphere or other IoT offerings.  In this blog post, we discuss one issue covered in the paper: why are the 7 properties always required?

Why are the seven properties applicable to every device that connects to the internet?

If an internet-connected device performs a non-critical function, why does it require all seven properties? Put differently, are the seven properties required only when a device might cause harm if it is hacked? Why would you still want to require an advanced CPU, a security subsystem, a hardware root of trust, and a set of services to secure a simple, innocuous device like a cactus water sensor?

Because any device can be the target of a hacker, and any hacked device can be weaponized.

Consider the Mirai botnet, a real-world example of IoT gone wrong. The Mirai botnet involved approximately 150,000 internet-enabled security cameras. The cameras were hacked and turned into a botnet that launched a distributed denial of service (DDoS) attack that took down internet access for a large portion of the eastern United States. For security experts analyzing this hack, the Mirai botnet was distressingly unsophisticated. It was also a relatively small-scale attack, considering that many IoT devices will sell more than 150,000 units.

Adding internet connectivity to a class of device means a single, remote attack can scale to hundreds of thousands or millions of devices. The ability to scale a single exploit to this degree is cause for reflection on the upheaval IoT brings to the marketplace. Once the decision is made to connect a device to the internet, that device has the potential to transform from a single-purpose device to a general-purpose computer capable of launching a DDoS attack against any target in the world. The Mirai botnet is also a demonstration that a manufacturer does not need to sell many devices to create the potential for a “weaponized” device.

IoT security is not only about “safety-critical” deployments. Any deployment of a connected device at scale requires the seven properties. In other words, the function, purpose, and cost of a device should not be the only considerations when deciding whether security is important.

The seven properties do not guarantee that a device will not be hacked. However, they greatly minimize certain classes of threats and make it possible to detect and respond when a hacker gains a toehold in a device ecosystem. If a device doesn’t have all seven, human practices must be implemented to compensate for the missing features. For example, without renewable security, a security incident will require disconnecting devices from the internet and then recalling those devices or dispatching people to manually patch every device that was attacked.

Implementation challenges

Some of the seven properties, such as a hardware-based root of trust and compartmentalization, require certain silicon features. Others, such as defense in depth, require a certain software architecture as well as silicon features like the hardware-based root of trust. Finally, other properties, including renewable security, certificate-based authentication, and failure reporting, require not only silicon features and certain software architecture choices within the operating system, but also deep integration with cloud services. Piecing these critical pieces of infrastructure together is difficult and prone to errors. Ensuring that a device incorporates these properties could therefore increase its cost.

These challenges led us to believe the seven properties also created an opportunity for security-minded organizations to implement these properties as a platform, which would free device manufacturers to focus on product features, rather than security. Azure Sphere represents such a platform: the seven properties are designed and built into the product from the silicon up.

Best practices for implementing the seven properties

Based on our decades of experience researching and implementing secured products, we identified 19 best practices that were put into place as part of the Azure Sphere product. These best practices provide insight into why Azure Sphere sets such a high standard for security. Read the full paper, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere, for the in-depth discussion of each of these best practices and how they—along with the seven properties themselves—guided our design decisions.

We hope that the discussion of these best practices sheds some additional light on the large number of features the Azure Sphere team implemented to protect IoT devices. We also hope that this provides a new set of questions to consider in evaluating your own IoT solution. Azure Sphere will continue to innovate and build upon this foundation with more features that raise the bar in IoT security.

To read previous blogs on IoT security, visit our blog series: https://www.microsoft.com/security/blog/iot-security/ Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Cybersecurity best practices to implement highly secured devices appeared first on Microsoft Security.

Go Agentless – Increase flexibility and prevent compromise from mobile devices in real time with ISE and Frontline.Cloud

This post was authored by Sanjay Raja from Frontline.Cloud 

When determining risk, IT security often has a gaping hole around the assessment of mobile devices. It is challenging to include them in regular vulnerability management (VM) programs for a few reasons, including the fact that they frequently connect and disconnect with networks.

However, it is critical that these devices be included in any security assessment. Threat actors continue to develop new malware designed to exploit even the smallest flaws in mobile devices. In addition, most legacy vulnerability assessment solutions, unfortunately, are not able to assess vulnerability and threat risk before these devices can connect to the network.

Leveraging Network Access Control (NAC) together with a solution that provides a real-time understanding of risk also allows policies to restrict access for assets that are high-risk or under attack. Sharing richer contextual information, risk posture, and endpoint detections across security and network management platforms gives IT security and network administrators better control over access to sensitive resources.

Effectively Assessing Risk for Mobile Devices Without Agents

One of the most significant challenges to securing mobile devices is installing agents on the device. Too many agents claim to be “lightweight” but end up with a significant negative impact on device performance. Many vulnerability management providers talk about how their agent is stripped down or customized to work on mobile devices. However, they do not have comprehensive coverage and are still intrusive. This also does not change the fact that you are managing yet another agent. Effective scanning of these devices for vulnerabilities and threats requires an agentless design that tracks devices even as they continually connect and disconnect from the network.

Digital Defense offers agentless vulnerability and threat management via the Frontline.Cloud platform. Through an integration with Cisco Identity Services Engine (ISE) and leveraging the Cisco Platform Exchange Grid (pxGrid) framework, Frontline.Cloud can perform automated risk and threat posture assessment across multiple platforms, including dynamic assets and mobile devices, to limit the impact of high-risk or infected systems on the network.

How it Works

Frontline.Cloud consumes mobile device information from Cisco ISE and combines it with vulnerability information already in the platform. Cisco ISE works with major MDM vendors and queries customer MDM servers for the necessary device attributes to create ACLs that provide network access control. In doing so, Cisco can make decisions on whether to deny or allow mobile devices access to the network based on authorized access policy. Cisco ISE can even classify mobile devices with limited access to certain network resources.

Cisco ISE can also obtain needed information from automatic scanning when a device connects to the network for the first time. Cisco ISE validates the information against existing device profiles and applies the appropriate security policies.

Proactive Device Scanning

The Cisco ISE/Frontline.Cloud integration offers a policy that allows Cisco ISE to request an immediate vulnerability scan when a new mobile device comes onto the network. That same policy can restrict access for the given device until Cisco ISE has received the data from Frontline.Cloud. It then falls to other policies to determine what actions to take based on the findings. With Cisco ISE and Frontline.Cloud, real-time scanning intelligence adds a level of granularity that allows the system to restrict access for a mobile device that may introduce risk into the network.

To learn more about Cisco ISE/Frontline.Cloud and how it can help you with identifying and managing mobile device security risks click here.

 


Sanjay Raja runs field marketing and strategic technical partnerships for Digital Defense, Inc, a provider of next generation SaaS vulnerability management and threat assessment solutions. Prior to Digital Defense, Sanjay was Chief Marketing Officer for Lumeta Corporation, where he led the company to a successful acquisition in two years. Sanjay brings over 20 years of marketing, product management, partnerships, and engineering experience in cybersecurity, networking, performance management and cloud technologies. Sanjay has also held leadership roles in product marketing, product management, strategic alliances and engineering at RSA Netwitness, Cisco, HP Enterprise Security, Crossbeam Systems (acquired by Bluecoat Systems), Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.E.E and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP and Certified Product Manager via Pragmatic Marketing.

The post Go Agentless – Increase flexibility and prevent compromise from mobile devices in real time with ISE and Frontline.Cloud appeared first on Cisco Blogs.

Israel is suspected to be behind the cyberattack on Iranian port

Israel is likely behind the recent cyberattack which disrupted some operations at Iran’s Shahid Rajaei Port, located near the Strait of Hormuz.

A couple of weeks ago, Iranian officials announced that hackers damaged a small number of systems at the port of Shahid Rajaei in the city of Bandar Abbas.

Bandar Abbas is the capital of Hormozgān Province on the southern coast of Iran, on the Persian Gulf. The city occupies a strategic position on the narrow Strait of Hormuz, and it is the location of the main base of the Iranian Navy. Bandar Abbas is also the capital and largest city of Bandar Abbas County.

Iranian officials did not reveal details of the cyber attack that took place on May 9, two days before Iranian officials disclosed the incident.

Local authorities, including the Ports and Maritime Organization (PMO) in the state of Hormozgan, confirmed that operations at the port were impacted by the cyber attack.

Initially, officials denied the cyber-attack, but under media pressure they later admitted the intrusion.

The authorities did not attribute the attack to a specific threat actor; Iran’s Deputy Minister of Roads and Urban Development stated that he did not have any information about its origin.

“Currently, the distribution of cargo in northern ports is good; although the performance of all southern ports is negative.” Mohammad Rastad.

Rastad told Fars News Agency that the attack was carried out by a foreign government.

A foreign government security official has since said the attack was “highly accurate” and that the damage to Iranian infrastructure was greater than described in official Iranian accounts.

The news was reported by The Washington Post, which blamed Israel for the cyber attack that was launched in retaliation for an earlier cyberattack on rural water distribution systems in Israel.

In April, the Israeli government issued an alert to organizations in the water sector following a series of cyberattacks that targeted water facilities.

Earlier in May, Israel’s security cabinet discussed an alleged Iranian cyberattack on Israeli water and sewage facilities that fortunately did not cause serious damage. The attack demonstrated an escalation by the Iranians, because it targeted civilian infrastructure.

“This was a very unordinary cyberattack against civilian water facilities which is against every ethic and every code even in times of war,” a senior Israeli official told Channel 13. “We didn’t expect this even from the Iranians. It is just not done.”

Iran reported three cyberattacks within one week back in December. At least one of the attacks was allegedly “state-sponsored.”

Israel’s National Cyber Directorate announced to have received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.

The recent attack could be a response by Israel’s cyber forces to the wave of attacks that targeted the Israeli water sector.

“Israel appears to be behind a cyberattack earlier this month on computers at Iran’s Shahid Rajaee port that caused massive backups on waterways and roads leading to the facility, the Washington Post reported on Monday.” reads the report published by Reuters.

“Citing unnamed U.S. and foreign government officials, the Post said the May 9 disruption of Iranian computers was presumably in retaliation for an earlier attempted cyberattack on rural water distribution systems in Israel.”

Reuters contacted the Israeli Embassy in Washington for comment, but it had yet to respond.

In December 2019, Iran foiled two massive cyber-attacks in less than a week, the country’s telecommunications minister Mohammad Javad Azari-Jahromi revealed.

The news was reported by both the ISNA and Mehr news agencies; the Iranian minister described the attacks as “really massive” and attributed them to a nation-state actor.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Israel is suspected to be behind the cyberattack on Iranian port appeared first on Security Affairs.

[Guide] Finding Best Security Outsourcing Alternative for Your Organization

As cyberattacks continue to proliferate in volume and increase in sophistication, many organizations acknowledge that some part of their breach protection must be outsourced, introducing a million-dollar question of what type of service to choose from. Today, Cynet releases the Security Outsourcing Guide (download here), providing IT Security executives with clear and actionable guidance on

Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check

Google has released version 83 of its popular Chrome web browser, which includes new security and privacy features and fixes for security issues. Chrome 83: New and improved security and privacy features The enhanced Safe Browsing mode will allow users to get more personalized protection against malicious sites. “Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained. “Turning on Enhanced Safe Browsing will … More

The post Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check appeared first on Help Net Security.

SecureKey’s authentication network service Concierge processing 800 transactions per second during pandemic

Launched in partnership with Canada’s major financial institutions in 2019, Verified.Me’s digital identity authentication and verification service last week celebrated one full year of operations. SecureKey, creator of the network, built it with the goal of simplifying consumer access to online services and applications in a secure way. Verified.Me uses blockchain technology to securely and…

NHS Contact Tracing App Security Issues Detailed


New security issues have been discovered in the UK Government’s NHS contact tracing app, as well as a potential data breach.

The app is currently being trialed on the Isle of Wight and privacy issues have been raised, which the National Cyber Security Centre (NCSC) told BBC News it was already aware of and is in the process of addressing. Raised by researchers Dr Chris Culnane and Vanessa Teague, the main issues include:

  • In the presence of an untrusted TLS server, the registration process does not properly guarantee either the integrity of the authority public key or the privacy of the shared secrets established at registration. The result completely undermines core security goals of the protocol, including its privacy and its resistance to spoofing and manipulation
  • In the presence of an untrusted TLS server, the storing and transmitting of unencrypted interaction logs facilitates the recovery of InstallationIDs without requiring access to the Authority Private Key
  • Long lived BroadcastValues undermine BLE specified privacy protections and could reveal additional lifestyle attributes about a user who submits their data
  • The monitoring of interactions at eight second intervals could create unique interaction signatures that could be used to pairwise match device interactions, and when combined with unencrypted submission, allow the recovery of InstallationID from BroadcastValue without access to the Authority Private Key
  • The use of a deterministic counter to trigger KeepAlive updates risks creating an identifier that could be used to link BroadcastValues over multiple days

The researchers praised the “cryptographic protocol of the UK’s app [that] includes a much better effort at mitigation of most external attacks” and said there are admirable aspects of the implementation and the open availability of the source code.

“However, the messaging around the app, and in particular suggestions of broadening the data collected, combined with insufficient legislative protections, a lack of siloing of the data and no sunsetting of the data retention or usage, risk undermining the trust that has been earned,” they added.

The risks varied in severity, Culnane told BBC News, explaining that, in terms of the registration issues, “it's fairly low risk because it would require an attack against a well protected server, which we don't think is particularly likely.” However, he did warn that the risk surrounding the unencrypted data is higher, “because if someone was to get access to your phone, then they might be able to learn some additional information because of what is stored on that.”

David Grout, CTO for EMEA at FireEye, said: “The mounting security concerns and doubts attached to the trialed NHS app are stemming from registration issues and the use of unencrypted data within the app which can be exploited by cyber-criminals. One of the biggest concerns is attached to the fact it’s based on a ‘centralized’ model.

“Just yesterday, France defended its own centralized model where contact-matching happens via a computer service, as opposed to the decentralized model which uses the people’s phone to make the match. The UK Government will need to address these safeguarding issues ahead of the full nation roll-out, so citizens are fully confident that their data is not compromised but stored securely.”

The research came as Serco apologized after an employee accidentally shared the email addresses of almost 300 contact tracers when they were cc’d (rather than bcc’d) in an email to inform new trainees about training details.

Also, a group of civil society organizations, privacy advocates and academic researchers have written an open letter to Health Secretary Matt Hancock, asking questions about the contact tracing data store.

Signed by the likes of the Open Rights Group, Big Brother Watch, Privacy International and Liberty, they urged Hancock to “provide the public with more information and take appropriate measures to reduce the risk of data sharing and keep the aggregated data under democratic control.”

Vulnerability in Qmail mail transport agent allows RCE

Qualys researchers have found a way to exploit a previously known (and very old) vulnerability in Qmail, a secure mail transport agent, to achieve both remote code execution (RCE) and local code execution. The Qmail RCE flaw and other vulnerabilities In 2005, security researcher Georgi Guninski unearthed three vulnerabilities in Qmail, which – due to its simplicity, mutually untrusting modules and other specific development choices made by its creator Daniel J. Bernstein – is still … More

The post Vulnerability in Qmail mail transport agent allows RCE appeared first on Help Net Security.

Announcing Cisco Tetration SaaS Offering Available in Europe

No one could have imagined that our fast-paced lives would change so significantly.  With half of the planet on lockdown, these are some unprecedented times and we need to do whatever it takes to protect what is important to us in our personal as well as business lives. This also means as we shift ‘where’ we work from, security risks and threats are also shifting and unfortunately increasing.

18 months ago, we launched Cisco Tetration SaaS and ever since, we have only accelerated the journey to secure our customers application workloads. More than half of our customers now use SaaS for their workload security needs. The ease of deployment, no operational overhead and the ability to expand to rapidly support the growth and needs of your business, are some of the reasons why our customers prefer SaaS.  That flexibility combined with Tetration’s comprehensive visibility, automated policy discovery and enforcement, and advanced security analytics is a winning combination for your business.

Expansion in this new region will enable opportunities to drive security solutions, closer to customers.

While Cisco Tetration SaaS is available globally, our customers' data resided in the United States. Data stored in region is critical for European customers with data residency requirements and regulations, such as those operating in healthcare, financial services and government. In order to support those needs, and to meet the growing demands, we decided to expand our reach. With our expansion into Europe, customers will be able to store their data locally with the assurance that it will not move unless they choose to move it.

Here is how our customers and partners will benefit from Cisco Tetration SaaS in region:

“Securing our customers' data is a top priority. We are doing our part to ensure our applications, and access to them, are secure and compliant,” said Steve Erzberger, CTO Frankfurter Bankgesellschaft (Switzerland) AG. “Cisco Tetration SaaS offering available in region will enable us to secure our application workloads and help us with our segmentation project, meeting GDPR requirements.”

“As more and more organizations embrace digital transformation, SaaS offerings are essential to meet the demands of customers,” said Alain Kistler, Chief Managed Services Officer, Netcloud. “Partnering with Cisco Tetration opens up new market opportunities to provide workload security for multi-cloud environments for the commercial markets locally.”

Organizations from Europe, whether enterprise, public sector or startups, now have a SaaS-based workload security solution in their region and do not have to worry about data crossing borders. It enables organizations of all forms and sizes to take advantage of the security, scalability, ease of use and reliability of the Cisco Tetration SaaS platform, so that they can innovate and iterate faster, and securely.

Cisco Tetration SaaS customers in Europe will now have an option to host data in Germany, with disaster recovery and data backup in Amsterdam, Netherlands. Both POPs are in completely different fault domains and availability zones, so whether the event is as minor as a link outage or as big as a natural calamity, we have our customers' workload security needs covered 24x7.

This is uncharted territory, and despite that, the Tetration team worked round the clock to operate and expand its SaaS footprint in order to support customers who need their applications running securely. As some of our customers in healthcare, financial services, manufacturing and other industries work day and night to meet the new demands of today, securing their applications is one less thing they need to worry about, with Cisco Tetration.

The new region in Europe is live with active customers and is ready to secure your workloads, no matter where they are.

The post Announcing Cisco Tetration SaaS Offering Available in Europe appeared first on Cisco Blogs.

Verizon DBIR 2020: Cloud Apps, Stolen Credentials, and Errors

It’s DBIR season! Put down your pens, stop watching “The Last Dance” and get to reading the key findings of the 13th edition of the annual Verizon Data Breach Investigations Report! If “experience is merely the name men gave to their mistakes,” as Oscar Wilde puts it in The Picture of Dorian Gray, then the […]… Read More

The post Verizon DBIR 2020: Cloud Apps, Stolen Credentials, and Errors appeared first on The State of Security.

Researchers disclose five Microsoft Windows zero-days

Security experts have disclosed five unpatched vulnerabilities in Microsoft Windows, four of which are rated high severity.

Security experts from Trend Micro’s Zero Day Initiative (ZDI) have published information on five unpatched vulnerabilities in Microsoft Windows.

Four vulnerabilities are classified as high severity; three of them are zero-day vulnerabilities tracked as CVE-2020-0916, CVE-2020-0986, and CVE-2020-0915. The flaws could allow an attacker to escalate privileges on the affected system, and they received a CVSS score of 7.0.

The vulnerabilities reside in the user-mode printer driver host process splwow64.exe and are caused by the lack of validation of user-supplied input before it is dereferenced as a pointer.

The fourth issue affecting the user-mode printer driver host process splwow64.exe, tracked as CVE-2020-0915, is a low severity information disclosure vulnerability.

The issue is caused by the lack of validation of a user-supplied value before being dereferenced as a pointer.

ZDI reported the issues to Microsoft in December 2019, but the tech giant did not address them in the May 2020 Patch Tuesday.

The last zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative (ZDI) is a privilege escalation vulnerability in the handling of WLAN connection profiles.

“This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the advisory published by Trend Micro.

“The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.”

Pierluigi Paganini

(SecurityAffairs – Microsoft Windows, hacking)

The post Researchers disclose five Microsoft Windows zero-days appeared first on Security Affairs.

FBI finally unlock shooter’s iPhones, Apple berated for not helping

The FBI's Apple problem.

Criminals and the Normalization of Masks

I was wondering about this:

Masks that have made criminals stand apart long before bandanna-wearing robbers knocked over stagecoaches in the Old West and ski-masked bandits held up banks now allow them to blend in like concerned accountants, nurses and store clerks trying to avoid a deadly virus.

"Criminals, they're smart and this is a perfect opportunity for them to conceal themselves and blend right in," said Richard Bell, police chief in the tiny Pennsylvania community of Frackville. He said he knows of seven recent armed robberies in the region where every suspect wore a mask.

[...]

Just how many criminals are taking advantage of the pandemic to commit crimes is impossible to estimate, but law enforcement officials have no doubt the numbers are climbing. Reports are starting to pop up across the United States and in other parts of the world of crimes pulled off in no small part because so many of us are now wearing masks.

In March, two men walked into Aqueduct Racetrack in New York wearing the same kind of surgical masks as many racing fans there and, at gunpoint, robbed three workers of a quarter-million dollars they were moving from gaming machines to a safe. Other robberies involving suspects wearing surgical masks have occurred in North Carolina, and Washington, D.C, and elsewhere in recent weeks.

The article is all anecdote and no real data. But this is probably a trend.

New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks

Israeli cybersecurity researchers have disclosed details about a new flaw impacting the DNS protocol that can be exploited to launch amplified, large-scale distributed denial-of-service (DDoS) attacks to take down targeted websites. Called NXNSAttack, the flaw hinges on the DNS delegation mechanism to force DNS resolvers to generate more DNS queries to authoritative servers of the attacker's choice,

Ukrainian Police Arrest Hacker Who Tried Selling Billions of Stolen Records

The Ukrainian police have arrested a hacker who made headlines in January last year by posting a massive database containing some 773 million stolen email addresses and 21 million unique plaintext passwords for sale on various underground hacking forums. In an official statement released on Tuesday, the Security Service of Ukraine (SBU) said it identified the hacker behind the pseudonym "Sanix

Online Retailers Brace for #COVID19 Fraud Surge

Most UK retailers are expecting a surge in online fraud due to the current COVID-19 pandemic, with many customers having already experienced account takeover (ATO) attacks, according to Riskified.

The fraud-screening firm polled 1000 consumers and over 120 e-commerce professionals to better understand their challenges during the current crisis.

It found that a fifth (20%) of customers have suffered an account takeover attack over the past year. This is often done via phishing or credential stuffing, where reused logins are tried over numerous accounts and sites simultaneously by fraudsters.

Once inside, they could steal personal information and card details stored in the account, use it to fraudulently pay for goods, or sell access to the account on the dark web.

Despite the significant numbers of customers already affected, and the fact that 52% of retailers think fraud will increase during the pandemic, over a quarter (26%) admitted to having no measures in place to tackle ATO.

This is a concern, not just because of the extra fraud losses it could incur but also in terms of the long-term customer relationships. More than half (51%) of respondents said they’d stop shopping with a retailer if they suffered ATO and a similar number claimed they’d delete their account. Over a third (37%) would go to a competitor.

Part of the problem is that detecting ATO is difficult because the attacker effectively looks like a legitimate customer. This might account for the fact that just 4% of consumers that suffered ATO learned their accounts were compromised from the retailer.

Riskified warned that mandating two-factor authentication or long-and-strong passwords for improved account security would cause extra friction that may put shoppers off.

Instead, retailers need systems that can check for things like device and network details, proxy usage and previous logins as well as subsequent purchasing behavior, it said.

UK e-commerce fraud losses on cards are said to have topped £359 million last year, but fraud often rises during recessions.

African Fraud Gang Files for Millions in #COVID19 Payments

A notorious West African BEC gang may have made millions defrauding the US government out of COVID-19 business compensation payments, according to Agari.

The security company said it had been tracking the Scattered Canary group for over a year and has now briefed the Secret Service of its findings.

The group — which has been involved in BEC, social security fraud and student aid fraud schemes in the past — has targeted at least eight states so far: Hawaii, Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming.

In Washington state, it has filed at least 174 fraudulent claims for unemployment benefit since April 29. Agari calculated that these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks. Plus, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week up to July 31.

This amounts to a potential windfall for the cybercrime gang of $4.9 million in this one state alone, assuming all claims are approved.

Between April 15 and April 29, Scattered Canary filed at least 82 fraudulent claims for CARES Act Economic Impact Payments, 30 of which were accepted by the IRS, explained Agari founder Patrick Peterson.

The scammers are using a tactic first revealed by Agari last year to scale their operations. Namely, they take advantage of a little-known feature in Gmail which means that a single user controls all “dotted versions” of their email address.

Thus, they can register multiple addresses for separate claims payments which are effectively the same address with dots in different places. They will then all redirect to a single inbox.

“As a result of our analysis, we have identified 259 different variations of a single email address used by Scattered Canary to create accounts on state and federal websites to carry out these fraudulent activities,” explained Peterson.
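The dotted-address trick described above is cheap to neutralise on the receiving side, which is the defender's lever: collapse every address to its canonical mailbox before treating registrations as distinct, and count how many registrations share one mailbox. The block below is an added example written for this page, not code from Agari or from any of the agencies mentioned; the registration list is constructed, the threshold is illustrative, and the only facts it relies on are that Gmail ignores dots and `+tag` suffixes in the local part and treats `googlemail.com` as the same service.

```python
"""Canonicalise Gmail addresses so that 'dotted' variants collapse to one identity."""
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}   # Google delivers both to the same mailboxes


def canonical_email(address: str) -> str:
    """Return a canonical form of an email address.

    For Gmail-hosted mailboxes, dots in the local part are ignored and a
    '+tag' suffix is dropped, because every such variant reaches one inbox.
    For other domains only case is normalised: the receiving host decides
    how its local parts are interpreted, so nothing more can be assumed.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty Gmail local part: {address!r}")
    return f"{local}@{domain}"


def dot_variant_count(address: str) -> int:
    """Number of distinct dotted spellings of a Gmail local part.

    A dot may or may not sit in each of the len-1 gaps between characters,
    so 2**(len-1) spellings all deliver to the same inbox.
    """
    local = canonical_email(address).split("@")[0]
    return 2 ** (len(local) - 1)


def cluster_registrations(addresses):
    """Group registration addresses by the mailbox that actually receives them."""
    clusters = defaultdict(list)
    for addr in addresses:
        clusters[canonical_email(addr)].append(addr)
    return dict(clusters)


def suspicious_clusters(addresses, threshold=2):
    """Return mailboxes backing more than `threshold` registrations (threshold is illustrative)."""
    return {mailbox: variants
            for mailbox, variants in cluster_registrations(addresses).items()
            if len(variants) > threshold}


# Constructed sample: registration addresses as a fraud team might export them (not real data)
SAMPLE_REGISTRATIONS = [
    "john.doe@gmail.com",
    "j.o.h.n.doe@gmail.com",
    "johndoe+claim3@gmail.com",
    "Jo.HnDoe@googlemail.com",
    "jane.smith@example.org",
    "janesmith@example.org",      # a genuinely different mailbox on a non-Gmail host
]

if __name__ == "__main__":
    for mailbox, variants in suspicious_clusters(SAMPLE_REGISTRATIONS).items():
        print(f"{mailbox}: {len(variants)} registrations -> {variants}")
```

Run on the constructed list, the four Gmail spellings collapse to `johndoe@gmail.com` while the two `example.org` addresses stay separate, which is the point: canonicalisation must be provider-aware, because stripping dots from an address on a host that honours them would merge two real customers. The counting function is there to show why one mailbox can present hundreds of "different" addresses to a registration form that compares raw strings.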

The group is also taking advantage of Green Dot prepaid cards to cash out its fraudulently obtained government payments. These cards are able to receive direct payments and government benefits up to four days before they’re due to be officially paid, meaning they have obvious benefits for fraudsters.

“It shouldn’t be a surprise that scammers are trying to get a piece of the billions of dollars that has flooded the system to try and provide relief to millions of people who have been impacted by the pandemic,” concluded Peterson.

“Based on what we’ve seen from Scattered Canary’s 10-year history of scamming, they will continue to expand their portfolio of cybercrime to try and find new ways to con individuals, businesses, and governments out of as much money as they can.”

EasyJet data breach: 9 million customers affected

British low-cost airline group EasyJet has revealed on Tuesday that it “has been the target of an attack from a highly sophisticated source” and that it has suffered a data breach. The result? Email address and travel details of approximately 9 million customers and credit card details (including CVV numbers) of 2,208 customers were accessed. How did the attackers manage to breach EasyJet? EasyJet did not share in their official notice about the incident when … More

The post EasyJet data breach: 9 million customers affected appeared first on Help Net Security.

Three flaws in Nitro Pro PDF reader expose businesses to hack

Two vulnerabilities in the Nitro Pro PDF editor could be exploited by threat actors to execute code remotely on vulnerable hosts.

Security experts from Cisco Talos have discovered three vulnerabilities in the Nitro Pro PDF editor, two of which, rated critical (CVSS score of 8.8), could be exploited by attackers for remote code execution.

Nitro Pro is a PDF application designed for creating, reading, editing, signing, converting, and protecting PDFs. The software is part of Nitro Software’s suite of enterprise tools, used by tens of thousands of organizations.

The first issue, tracked as CVE-2020-6074, is a nested pages remote code execution vulnerability that resides in the PDF parser of Nitro Pro. An attacker could exploit the vulnerability by tricking the victims into opening a specially crafted PDF to trigger a use-after-free condition.

“An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. A specially crafted PDF document can cause a use-after-free which can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.” reads the advisory published by the company.

The second vulnerability, tracked as CVE-2020-6092, is an object code execution vulnerability that resides in the way Nitro Pro 13.9.1.155 parses Pattern objects. An attacker could exploit the flaw by tricking the victims into opening a specially crafted PDF and trigger an integer overflow and then achieve remote code execution.

“An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. A victim must open a malicious file to trigger this vulnerability” continues the advisory.

The third flaw, tracked as CVE-2020-6093 and carrying a CVSS score of 6.5, is a JavaScript XML error handling information disclosure vulnerability.

It exists in the way version 13.9.1.155 handles XML errors; an attacker could exploit it by tricking the victims into opening a specially crafted PDF document that causes an uninitialized memory access and consequent information disclosure.

In early May, the software vendor released a security update that addresses the above vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – PDF, hacking)

The post Three flaws in Nitro Pro PDF reader expose businesses to hack appeared first on Security Affairs.

Ukrainian Police Arrest Suspected Combo List Mastermind

Ukrainian intelligence officers have arrested a man they believe to be Sanix, a notorious cyber-criminal responsible for selling billions of log-ins online.

In concert with cyber police, agents from the Secret Service of Ukraine (SBU) swooped on the individual, who lived in the Ivano-Frankivsk region.

They seized 2TB of stolen user information, mobile phones “with evidence of illegal activities” and cash from illegal transactions amounting to around 190,000 hryvnias ($7100) and more than $3000.

Officers also took from the arrested man’s apartment PINs for bank cards, cryptocurrency wallets, PayPal account details, and “information about computers hacked for further use in botnets and for organizing DDoS attacks.”

Sanix is widely believed to have been responsible for selling the “Collection” combo lists of email usernames and passwords that first emerged in January 2019.

The first data dump, dubbed “Collection #1,” contained 772 million unique email addresses, the largest single trove to be fed into the HaveIBeenPwned breach notification site, and more than 21 million unique passwords.

It subsequently emerged that this collection contained data that was two or three years old, gathered from multiple sources. However, the person trying to sell them, dubbed “Sanixer” on Telegram, told Brian Krebs at the time that the other packages up for sale were more current.

Together, he claimed they amounted to around 4TB of data, or many billions of records.

Such lists are typically bought and used in credential stuffing attacks, where they’re fed into an automated program and tried simultaneously on multiple sites and accounts in a bid to crack them open.

The reason cyber-criminals have success with this tactic is that computer users continue to reuse their passwords across multiple services.

The SBU said it found evidence of Collection #1 on Sanix’s machine along with “at least seven similar databases” of stolen and cracked/decrypted passwords.
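Two of the items above describe the same defensive problem from opposite ends: the Riskified piece says ATO is hard to spot because the attacker looks like a customer and recommends checking device, network and previous-login details, and the combo-list description says stolen credentials are replayed by an automated program across many accounts at once. The block below is an added example for this page, not code from Riskified, the SBU or any vendor named here. It runs two checks over a constructed login log in a made-up format (documentation IPs, invented device ids): a per-source velocity check for the replay pattern, and a per-account new-device/new-country check for a successful login worth stepping up. All thresholds are illustrative.

```python
"""Two login-log checks: a credential-stuffing source (one IP replaying many
accounts) and an account-takeover candidate (a success from a device and
country the account has never used)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # unix seconds
    account: str
    src_ip: str
    device_id: str
    country: str
    success: bool


def parse_login_log(lines):
    """Parse lines in the constructed format
    '<ts> <account> <src_ip> <device_id> <country> <OK|FAIL>' into events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, ip, device, country, result = line.split()
        events.append(LoginEvent(int(ts), account, ip, device, country, result == "OK"))
    return events


def stuffing_sources(events, window=300, min_accounts=5, max_success_ratio=0.2):
    """Return source IPs that, within any `window` seconds, tried at least
    `min_accounts` distinct accounts with a success ratio of at most
    `max_success_ratio`. One legitimate user never produces that shape;
    a replayed combo list does. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's attempts
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e.account for e in span}
            successes = sum(e.success for e in span)
            if len(accounts) >= min_accounts and successes / len(span) <= max_success_ratio:
                flagged[ip] = {"accounts": len(accounts),
                               "attempts": len(span), "successes": successes}
                break
    return flagged


def takeover_candidates(events, history):
    """Return successful logins whose (device_id, country) pair is absent from
    `history` (account -> set of pairs seen before). A hit is a step-up
    signal, not proof of compromise."""
    return [e for e in events
            if e.success and (e.device_id, e.country) not in history.get(e.account, set())]


# Constructed sample log and login history (not real data; RFC 5737 documentation IPs)
SAMPLE_LOG = """
# ts   account src_ip       device  country result
1000   alice   198.51.100.4 dev-a1  GB      OK
1010   bob     203.0.113.7  dev-x9  NL      FAIL
1012   carol   203.0.113.7  dev-x9  NL      OK
1015   dave    203.0.113.7  dev-x9  NL      FAIL
1018   erin    203.0.113.7  dev-x9  NL      FAIL
1021   frank   203.0.113.7  dev-x9  NL      FAIL
1024   grace   203.0.113.7  dev-x9  NL      FAIL
1100   bob     198.51.100.9 dev-b1  GB      OK
""".splitlines()

SAMPLE_HISTORY = {
    "alice": {("dev-a1", "GB")},
    "bob": {("dev-b1", "GB")},
    "carol": {("dev-c1", "GB")},
}

if __name__ == "__main__":
    evs = parse_login_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("takeover candidates:", [e.account for e in takeover_candidates(evs, SAMPLE_HISTORY)])
```

On the sample, 203.0.113.7 is flagged as a stuffing source (six accounts in fourteen seconds, one success), and the one success it scored, carol's, is also the only takeover candidate because carol's history holds a different device and country. The two checks are deliberately separate: the velocity check catches the source even when no login succeeds, and the device/country check catches a success that arrives from a slow, distributed campaign the velocity check would never see. Neither check needs the password itself, which is why the Riskified advice prefers these signals over forcing longer passwords on every shopper.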

Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials

The Ukrainian Secret Service (SSU) has arrested a hacker known as Sanix, who was selling billions of stolen credentials on hacking forums and Telegram channels.

The popular hacker Sanix has been arrested by the Ukrainian Secret Service (SSU). The man is known in the cybercrime underground for selling billions of stolen credentials. The officials did not disclose the identity of the man; they only said that he was arrested in Ivano-Frankivsk, Ukraine.

“The Security Service of Ukraine has identified and detained a hacker known as Sanix. Early last year, it caught the attention of global cybersecurity experts by posting on one of the forums the sale of a database with 773 million e-mail addresses and 21 million unique passwords.” reads a press release published by the SSU.

“SBU cyber specialists recorded the sale of databases with logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, information about computers hacked for further use in botnets and for organizing DDoS attacks”

The man was known for aggregating data, including users’ credentials, in lists that were offered for sale via Telegram (where he used the nickname Sanixer) or in hacking forums.

Sanix was identified by the investigator Brian Krebs as the source of Collection 1 in January 2019. Some of the most popular collections sold in the past by the same hacker are known as Collection #1, #2, #3, #4, #5, Antipublic, and others.

Sanix has been active in the cybercrime underground at least since 2018; he focuses on the sale of stolen data from organizations.

It has been estimated that the man amassed billions of unique username-password combinations.

Stolen credentials were bought by fraudsters, hackers, and scammers to carry out a broad range of malicious activities, such as launching malspam campaigns or taking over users’ accounts.

During searches at his residence, SSU officers seized computer equipment containing two terabytes of stolen information, phones with evidence of illegal activities and cash from illegal transactions in the amount of almost 190,000 Ukrainian hryvnias (roughly $7,000) and more than $3000.

Pierluigi Paganini

(SecurityAffairs – Sanix, hacking)

The post Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials appeared first on Security Affairs.

The MITRE ATT&CK Framework: Collection

The Collection tactic outlines techniques an attacker will undertake in order to find and gather the data they need to meet their actions on objectives. I see most of these techniques as being useful for describing what a piece of malware or threat actor is up to rather than looking to them for guidance on […]… Read More

The post The MITRE ATT&CK Framework: Collection appeared first on The State of Security.