Daily Archives: May 26, 2020

Creating an emergency ready cybersecurity program

A large part of the world’s workforce has transitioned to working remotely, but as plans are being drawn up to reopen economies, the security industry is being challenged to develop stronger screening practices, emergency operations planning, and to deploy tools to detect and minimize the impact that future pandemics, natural disasters and cyberattacks can have on a company. Things like global security operation centers (SOCs), managed security services, thermal imaging and temperature screening for on-site …

The post Creating an emergency ready cybersecurity program appeared first on Help Net Security.

Maintaining the SOC in the age of limited resources

With COVID-19, a variety of new cyber risks have made their way into organizations as a result of remote working and increasingly sophisticated, opportunistic threats. As such, efficiency in the security operations center (SOC) is more critical than ever, as organizations have to deal with limited SOC resources.

Limited SOC resources

The SOC is a centralized team of analysts, engineers, and incident managers who are responsible for detecting, analyzing, and responding to incidents and keeping …

The post Maintaining the SOC in the age of limited resources appeared first on Help Net Security.

23% of leading banks had an exposed database with potential data leakage

Reposify unveiled research findings of critical asset exposures and vulnerabilities in attack surfaces of the world’s leading multinational banks. Researchers measured the prevalence of exposed sensitive assets including exposed databases, remote login services, development tools and additional assets for 25 multinational banks and their 350+ subsidiaries.

Banks deal with exposed database threat

23% of banks had at least one misconfigured database exposed to the internet, resulting in potential data leakage issues; 54% of the banks …

The post 23% of leading banks had an exposed database with potential data leakage appeared first on Help Net Security.

Working from Home in 2020: How Cloud Use Changed

2020 has been a tumultuous year, with health and economic stability shattered for most of the world in just months. For those in a fortunate position to do so, working from home has become the new norm, and will likely be for the foreseeable future. Major companies in the tech sector have cemented the practice, with Google for example announcing that its global workforce can remain home until the end of the year. Twitter was the first to announce that employees can work from home forever, if that is their preference.

It is a sign of our times and technological development that this is possible. The pace of development for cloud services met this moment near-perfectly. Over the past few years, we’ve reached a critical mass of businesses and employees who are ramped up and comfortable using collaboration services like Zoom, Webex, Slack, and Microsoft Teams. Storage apps like Box and collaboration suites like Microsoft (Office) 365 have largely replaced the software, thumb drives, and network storage we used to manage files.

All of these services made our shift to working from home possible, and seamless for many. Companies that hadn’t ramped up yet on cloud-based collaboration and productivity apps are now on their way.

As a global provider of cloud security technology, we have a unique view into the use of cloud services and the threats companies face in the cloud. Using anonymized and aggregated metadata, we can derive trends across our vast base of 30 million enterprise cloud users. The shift to working from home was a catalyst for us to dive into this data and uncover trends in how the world changed.

All of these findings are in our new report, the Cloud Adoption and Risk Report: Work from Home Edition. Grab the full copy below if you want to skip the preview here and go straight to the full set of findings.


First, use of all cloud services from every industry grew 50% overall from the start of 2020. However, some industries had to undergo more changes than others to enable working from home:

Manufacturing and education increased their cloud use by 144% and 114% respectively. Every parent of school-aged children has felt the shift in education practices over the past few months, with much of the burden falling to them to set up virtual classrooms or even teach their kids themselves. Manufacturing may be playing catch-up, with fewer in-person meetings requiring immediate replacement by cloud-based tools.

Of all categories, collaboration services saw the largest increase in usage, up several hundred percent across the board. We all watched as the world restructured their social lives around Zoom, while enterprises increased their use of Webex even further, and ramped up on Slack and Teams to keep collaboration alive from a distance.

This increase in cloud use, particularly in collaboration services, directly correlates to more data being stored in the cloud. We monitored not only these increases in service use, but also a new wave of threats targeting the wave of data entering the cloud.

We’ll dive into our threat research in part 2 of this series. To see our threat analysis before that blog is released, download the full report now.


The post Working from Home in 2020: How Cloud Use Changed appeared first on McAfee Blogs.

GDPR enforcement over the past two years

Two years after the GDPR went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to create adequate GDPR enforcement. Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press, Access Now reveals. The GDPR’s first two years have been marked by …

The post GDPR enforcement over the past two years appeared first on Help Net Security.

Patented algorithms predict, identify, diagnose and prevent abnormalities in complex systems

The COVID-19 pandemic has forced public health, supply chain, transportation, government, economic and many other entities to interact in real time. One of the challenges in large systems interacting in this way is that even tiny errors in one system can cause devastating effects across the entire system chain. Now, Purdue University innovators have come up with a possible solution: a set of patented algorithms that predict, identify, diagnose and prevent abnormalities in large and …

The post Patented algorithms predict, identify, diagnose and prevent abnormalities in complex systems appeared first on Help Net Security.

Protecting Fleet Data from Security Threats

Big data is revolutionizing fleet management — specifically in the form of telematics. From engine diagnostics that track fuel efficiency and mileage to sensors that detect aggressive driving behavior and interior vehicle activity, this information is so valuable that we’re quickly approaching the point where connected technology will come standard in every vehicle. Telematics is […]

The post Protecting Fleet Data from Security Threats appeared first on The State of Security.

Akamai launches a new in-browser threat detection solution that uncovers compromised scripts

Akamai, the intelligent edge platform for securing and delivering digital experiences, announced the launch of Page Integrity Manager, an in-browser threat detection solution designed to uncover compromised scripts that could be used to steal user data or impact the user experience. Initially popularized by Magecart groups, and now being leveraged by other threat actors, the attack vector of malicious web page scripts is growing and has become a frequent source of data breaches. A typical …

The post Akamai launches a new in-browser threat detection solution that uncovers compromised scripts appeared first on Help Net Security.

Zyxel unveils 5G Fixed Wireless Access portfolio to help service providers leverage 5G NR technology

Zyxel Communications announced its 5G Fixed Wireless Access (FWA) product portfolio is available for service providers and mass production will begin as soon as Q2 2020. Today’s subscribers expect robust bandwidth and low latency. Some households, however, are limited in terms of reliable broadband connections. The Zyxel FWA portfolio helps service providers leverage 5G NR technology to deliver high-capacity, premium broadband services, high-speed connectivity, enhanced network security, and deployment flexibility. With outdoor, indoor, and portable …

The post Zyxel unveils 5G Fixed Wireless Access portfolio to help service providers leverage 5G NR technology appeared first on Help Net Security.

IAR Systems’ build tools now support Linux

IAR Systems, the future-proof supplier of software tools and services for embedded development, announces that its extensive product portfolio of embedded development tools is now extended with build tools supporting implementation in Linux-based frameworks for automated application build and test processes. Through the C/C++ compiler and debugger toolchain IAR Embedded Workbench, IAR Systems provides its customers with the market’s most diverse microcontroller support as well as adapted licensing options to fit different organizations’ needs. This …

The post IAR Systems’ build tools now support Linux appeared first on Help Net Security.

Kingston Digital announces 7.68TB capacity additions to 3 data center SSDs

Kingston Digital, the Flash memory affiliate of Kingston Technology Company, a world leader in memory products and technology solutions, began shipping the 7.68TB model of the Data Center 500R (DC500R) and 450R (DC450R) SATA SSDs. The DC1000M 7.68TB U.2 NVMe ships in June. The SSDs provide additional storage and implement strict QoS ensuring predictable IO and low latency for data centers using both NVMe and/or SATA. DC500R VMware Ready SSD engineered for read-intensive applications such …

The post Kingston Digital announces 7.68TB capacity additions to 3 data center SSDs appeared first on Help Net Security.

Sixgill Integrity 2.0: Making blockchain data integrity easy and practical for orgs

Sixgill, a leader in data automation and authenticity products and services, announced the release of Integrity 2.0, a powerful data authenticity solution that combines a practical permissioned blockchain with a public blockchain auditor in an industry-first “hybrid-hybrid” implementation that achieves absolute data integrity and veracity. Integrity 2.0 makes blockchain data integrity easy and practical so organizations can quickly solve the rising need for end-to-end, real-time data authenticity assurance. Organizations will be able to monitor and …

The post Sixgill Integrity 2.0: Making blockchain data integrity easy and practical for orgs appeared first on Help Net Security.

Appdome joins Microsoft Intelligent Security Association to better defend against increasing threats

Appdome, a no-code mobile integration and solutions platform, announced that it has joined the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors that have integrated their solutions to better defend against a world of increasing threats. Appdome’s mission has always been to make integrating security and enhanced functionality into mobile apps fast and efficient with its no-code platform. Joining MISA is a natural extension of that mission. Appdome makes it easy to …

The post Appdome joins Microsoft Intelligent Security Association to better defend against increasing threats appeared first on Help Net Security.

Breached Mathway App Credentials Offered on Dark Web

Over 25 million user logins and passwords from a popular math app are being offered for sale on the dark web following a data breach.

Mathway, a popular app for iOS and Android devices, recently uncovered evidence of the breach after a hacking group announced it was selling Mathway user data on the dark web for roughly $4,000 in Bitcoin.

ShinyGroup, a hacking group notorious for selling compromised data, announced that it had breached Mathway in January 2020. It is currently unknown whether the salted password hashes can be cracked, but if they can, the value of the data to hackers would increase significantly.

“We recently discovered that certain Mathway customer account data–emails and hashed and salted passwords–was acquired by an unauthorized party. Upon learning of this, we retained a leading data security firm to investigate, address any vulnerabilities and remediate the incident,” Mathway announced after discovering the breach.

Mathway users are urged to update their account passwords and monitor their accounts for suspicious activity.

The post Breached Mathway App Credentials Offered on Dark Web appeared first on Adam Levin.

Adam Levin Discusses Online Extortion Scams on AZ Family

Adam Levin was featured on AZ Family / Phoenix CBS 5 where he discussed a recent extortion scam circulating on the internet.

“These are sextortion scams where they say to you, ‘we know you’ve been going to inappropriate sites, and bad news for you, we have malware on one of those sites. We took over your camera,'” Levin said.

See the news segment here.

The post Adam Levin Discusses Online Extortion Scams on AZ Family appeared first on Adam Levin.

Patriot One’s Xtract AI to work with Public Works and Government Services Canada

Patriot One Technologies wholly-owned subsidiary Xtract Technologies (Xtract AI) is pleased to announce it has secured a $157,000 contract with Canada’s Department of National Defence through the Public Works and Government Services Canada Division, as part of the Innovative Solutions Canada Program (ISC). The contract is for a project looking to provide better situational awareness for Canadian firefighters. The outcome will be a solution that will provide innovative devices, applications, personal protective equipment and technology …

The post Patriot One’s Xtract AI to work with Public Works and Government Services Canada appeared first on Help Net Security.

Cool and Helpful McAfee Tech to Help Secure Your Online Life

These days, we’re all actively engaging online. Whether it’s my kids scrolling through social media, my wife video chatting with her friends and online shopping, or me checking my emails, we’re all leveraging the devices in front of us to keep our lives moving forward.

What many people don’t realize is that there are technologies that we can implement into our daily online routines that will not only help us achieve our digital tasks more effectively but safeguard our privacy as well. If there’s a way I can browse the internet more quickly and securely than before, I’m here for it!  

Tools Anyone Can Use

There are a lot of free and easy-to-use technologies out there that can benefit you – you just need to learn what they are first! With that, let’s explore cool technologies that not too many people may know about, which can positively impact your online life.  

Safe Browsing Solutions

The internet is a vast sea of content, both good and bad. And we’re all navigating that sea to learn, work, and socialize online. But when you’re trying to browse as efficiently as possible, it can be tricky to tell the safe websites from the suspicious ones. That’s where a security solution like McAfee® WebAdvisor comes into play.

McAfee® WebAdvisor can help keep you safe from online threats like malware and phishing attempts while you surf the web. For example, the tool places a checkmark next to all the safe links, making security decisions much easier for the everyday internet user, like my wife when she’s on a mission to shop online. And it is free too! 

Virtual Private Network (VPN)

Even the average internet surfer like you and me should consider using a Virtual Private Network (VPN), as it essentially allows you to send and receive data across a public network as if it were a private network. A VPN encrypts, or scrambles, your information so others can’t read it, helping to safeguard your data. VPNs are especially handy when you are working remotely, when you want full access to the internet while you’re traveling, or when you simply want to protect your privacy. McAfee® Safe Connect is a great and affordable option (with a limited free version available too) for users who are looking for a solution that is not only easy to implement, but one that also provides bank-grade encryption and private browsing to protect all online activities.

Password Managers

Speaking of pesky passwords, another way to easily secure your online accounts is with a password manager. A password manager can help you create strong passwords, remove the hassle of remembering numerous passwords, and log you on to websites automatically. Who says staying secure has to be complicated? 

While many password managers are free, it’s important that users do their research and adopt password managers from companies they trust. Another option? Some password managers also come included in a comprehensive security solution, like McAfee® Total Protection.

Robocall Blocking Apps

At one time or another, you’ve probably experienced a mysterious phone call from an “Unknown Caller.” If you’ve ever actually bothered to pick up one of these calls, you’ve likely heard a strange, robotic voice on the other end claiming to be from a certain organization or asking you to take action. Whether the call itself is just annoying or is coming from a criminal looking to scam consumers out of cash or information, one thing is certain – robocalls are a huge headache.  

Unfortunately, these pesky phone calls have shown no signs of slowing down. In fact, it was recently reported that robocall scams surged to 85 million globally, up 325% from 2017. Luckily there are multiple robocall blocking apps and tools users can adopt to avoid phone spam. Additionally, you can register on the FCC’s National Do Not Call list for added protection. 

Multi-Factor Authentication

If you read my previous blog, you know that many of the common password habits that we use can lead to multiple security concerns. That said, passwords are just the first line of defense when it comes to securing online accounts – so what happens if a hacker makes it through that security barrier? Enter two-factor or multi-factor authentication.  

These days, most people have heard of two-factor authentication. To put it simply, the tech utilizes two checkpoints to verify the user’s identity. These could be answers to security questions, a one-time password texted to your smartphone, a fingerprint scan, or facial recognition. While two-factor authentication is a great starting point, there’s also multi-factor authentication – which, as it sounds, means a user must address multiple types of proof points before gaining access to an account or device. In fact, multi-factor authentication is becoming more and more intuitive thanks to artificial intelligence, as it can select a combination of authentication factors based on a user’s risk profile and habits.  

This technology is easy to integrate into your life, as it’s often a simple add-on to a lot of the things we already own. For example, you can activate face-ID on your iOS phone or fingerprint on your Android phone and boom, you’ve got two-factor authentication! 

Tools for Current McAfee Subscribers

Are you currently subscribed to McAfee® Total Protection or McAfee® LiveSafe? If so, there might be some cool tools within these solutions that you aren’t taking full advantage of that can help boost your security and improve your online experience. The more you know, right? 

For example, if you are a current McAfee® LiveSafe subscriber, you automatically have access to McAfee’s secure VPN and McAfee File Lock. If you are currently subscribed to McAfee® Total Protection, you have access to a whole host of security tools including a password manager and VPN. Additionally, McAfee® Total Protection gives you access to McAfee® Identity Theft Protection, which is a great tool for monitoring fraud. Finally, if you’re looking to delete some sensitive files, you can use McAfee® Shredder™ to ensure that no traces are left behind. By employing the full range of these tools, current McAfee subscribers can take their security to the next level and surf the internet without missing a beat.

Cool Tech, Stronger Security

By taking advantage of these free, existing, and easily accessible tools, you can both improve every facet of your online life – whether that means social interactions, online shopping, or sending emails – and keep your information secure. You can have fun online and easily integrate security into your day-to-day which, in my opinion, is a win-win.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Cool and Helpful McAfee Tech to Help Secure Your Online Life appeared first on McAfee Blogs.

Deepwatch appoints Corey Bodzin as Chief Technology Officer

deepwatch, a leading provider of intelligence-driven managed security services, announced that Corey Bodzin has joined its senior leadership team as Chief Technology Officer. deepwatch delivers managed security services by extending customers’ cybersecurity teams and proactively advancing their SecOps maturity. Powered by its unique, data-driven cloud SecOps platform, deepwatch is trusted by leading global organizations to provide 24/7/365 managed security services. “Our innovation is a cornerstone of our rapid growth over the last five years,” …

The post Deepwatch appoints Corey Bodzin as Chief Technology Officer appeared first on Help Net Security.

The GDPR, Year II

With children, reaching the age of two is usually the change from a beautiful newborn to a moving creature that has reached the terrible twos.

It may be that the same is happening to the General Data Protection Regulation (GDPR) as it approaches the mark of its second year of enforcement: Data Protection Authorities (DPAs) seem to be paralyzed by limited budgets and a lack of resources, and most DPAs consider that the GDPR is not fully enforced. The Brave report, issued by the Brave Community, a forum where people who care about the internet and their browsing experience come to discuss with each other, shows that only five of Europe’s 28 national GDPR enforcers have more than 10 tech specialists. Half of EU GDPR enforcers have limited budgets (under €5 million), leading some advocates to believe that European governments have failed to properly equip their national regulators to enforce the GDPR. Recently, Brave even called on the European Commission to launch an infringement procedure against EU Member State governments for failing to implement Article 52(4) of the GDPR, which provides that “Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers […]”.

Beyond enforcement challenges, the GDPR has gone through some major crises: first with Brexit and then with the outbreak of the COVID-19.

Though terrifying for many people, Brexit was handled relatively easily through a transition period, which runs until 31 December 2020, during which UK organisations are bound by two laws: the EU GDPR and the UK DPA (Data Protection Act 2018).

The EU GDPR will no longer apply directly in the UK at the end of the transition period. However, in reality, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amend the DPA 2018 and merge it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit, with insignificant differences between the EU GDPR and the proposed UK GDPR. In short, organisations that process personal data should continue to comply with the requirements of the EU GDPR, and doing so will meet their obligations in the UK as well. The only thing left to consider is to what extent the EU Commission will issue an adequacy decision in favour of the UK.

The second major crisis is the COVID-19 pandemic, which presented new challenges, among them new tracing apps, the explosion in remote working at controllers, processors and sub-processors, and questions about how employers ensure the health and safety of their workforce without compromising data subjects’ privacy rights. Additionally, hacker activity has been unprecedented, and the sudden “mass exodus” home has created (personal) data protection risks. “It’s like we’ve kicked over a hornet’s nest,” says Raj Samani, chief scientist at McAfee.

Data breaches are not limited to those caused by hackers; a simple data loss, such as a lost corporate USB stick, is a breach too. Remote working weakens IT security for unprepared companies; vendors in some jurisdictions and in some roles did not have infrastructure in place to properly continue offering their services after stay-at-home orders. The resulting risks include:

  • using inadequately secured private or mobile devices (lack of antivirus software, out-of-date operating system software, no encryption solutions, etc.) or using an unsecured Wi-Fi network;
  • using popular free messaging and meeting applications;
  • using social media platforms for business purposes;
  • not using a VPN and other corporate solutions;
  • having no back-up plan;
  • lack of video surveillance;
  • the proliferation of other people, Siri, Alexa and other listening/sensing devices.

With respect to physically securing data:

  • risk of loss during transfer of documents;
  • not adapting space at home for remote work purposes, making it possible to damage equipment or have sensitive documents stolen.

With respect to the organization:

  • having no fundamental business continuity measures in place and having no back-up equipment;
  • low awareness among employees, for whom threats related to personal data protection were previously framed around the risks present in normal office work.

The threats are numerous, but mitigating the risk is not impossible and can still be done:

  • Draft (or update) a remote work policy and make sure there are processes around remote working. This might be a part of an existing Acceptable Use Policy or it might be a standalone document.
  • Inform your employees of the minimal security requirements for the devices and networks they use, and have technical measures in place to ensure that your workforce is adhering to these requirements.
  • Limit your employees to sanctioned messaging and meeting software and train your employees about how many popular applications may not provide for an adequate level of data protection and are usually not intended for business purposes.
  • Train your employees about why privacy and security are important generally.
  • Make sure the devices use the latest antivirus software and that employees have a VPN solution available when required by policy or their activities.

COVID-19 has marked the end of the world as we knew it. Our lives may be impacted forever by new work styles, unprecedented cybersecurity issues, innovative policies, new hygiene rules and so on. The fight against COVID-19 is not just for the organisation, its employees or its customers, but a joint effort from everyone. Obviously, organizations will need to rethink their cyber risk management in the post-COVID-19 era, and should not forget along the road the rules and the framework set by the GDPR whilst rebuilding the World After.

The GDPR has proved to be a robust tool to guide companies, officials and public health authorities in the response to the COVID-19 crisis. Allocating increased financial and human resources to the DPAs across the EU will allow them to address the large number of complaints, whilst it is up to the European Commission to ensure that no human rights are violated.


The post The GDPR, Year II appeared first on McAfee Blogs.

Tim Adams joins BitSight as CFO, Jay Roxe as CMO

BitSight, the Standard in Security Ratings, announced it has appointed Tim Adams to Chief Financial Officer (CFO) and Jay Roxe to Chief Marketing Officer (CMO). Adams joins BitSight from biotechnology company ObsEva where he held the same role, while Roxe most recently served as Vice President of Product Marketing, Adoption and Operations at healthcare IT firm athenahealth. “Tim and Jay both bring a wealth of experience, leadership and proven track records of results in their …

The post Tim Adams joins BitSight as CFO, Jay Roxe as CMO appeared first on Help Net Security.

Report: ATM Skimmer Gang Had Protection from Mexican Attorney General’s Office

A group of Romanians operating an ATM company in Mexico and suspected of bribing technicians to install sophisticated Bluetooth-based skimmers in cash machines throughout several top Mexican tourist destinations have enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office, according to a new complaint filed with the government’s internal affairs division.

As detailed this week by the Mexican daily Reforma, several Mexican federal, state and municipal officers filed a complaint saying the attorney general office responsible for combating corruption had initiated formal proceedings against them for investigating Romanians living in Mexico who are thought to be part of the ATM skimming operation.

Florian Tudor (right) and his business associates at a press conference earlier this year. Image: Reforma.

Reforma said the complaint centers on Camilo Constantino Rivera, who heads the unit in the Mexican Special Prosecutor’s office responsible for fighting corruption. It alleges Rivera has an inherent conflict of interest because his brother has served as a security escort and lawyer for Florian Tudor, the reputed boss of a Romanian crime syndicate recently targeted by the FBI for running an ATM skimming and human trafficking network that operates throughout Mexico and the United States.

Tudor, a.k.a. “Rechinu” or “The Shark,” and his ATM company Intacash, were the subject of a three-part investigation by KrebsOnSecurity published in September 2015. That series tracked the activities of a crime gang which was rumored to be bribing and otherwise coercing ATM technicians into installing Bluetooth-based skimming devices inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.

In 2018, 44-year-old Romanian national Sorinel Constantin Marcu was found shot dead in his car in Mexico. Marcu’s older brother told KrebsOnSecurity shortly after the murder that his brother was Tudor’s personal bodyguard but at some point had a falling out with Tudor and his associates over money. Marcu the elder said his brother was actually killed in front of a new apartment complex being built and paid for by Mr. Tudor, and that the dead man’s body was moved to make it look like he was slain in his car instead.

On March 31, 2019, police in Cancun, Mexico arrested 42-year-old Tudor and 37-year-old Adrian Nicholae Cosmin for the possession of an illegal firearm and cash totaling nearly 500,000 pesos (~USD $26,000) in both American and Mexican denominations. Two months later, a judge authorized the search of several of Tudor’s properties.

The Reforma report says Rivera’s office subsequently initiated proceedings against and removed several agents who investigated the crime ring, alleging those agents abused their authority and conducted illegal searches. The complaint against Rivera charges that the criminal protection racket also included the former chief of police in Cancun.

In September 2019, prosecutors with the Southern District of New York unsealed indictments and announced arrests against 18 people accused of running an ATM skimming and money laundering operation that netted $20 million. The defendants in that case — nearly all of whom are Romanians living in the United States and Mexico — included Florian Claudio Martin, described by Romanian newspapers as “the brother of Rechinu,” a.k.a. Tudor.

The news comes on the heels of a public relations campaign launched by Mr. Tudor, who recently denounced harassment from the news media and law enforcement by taking out a full two-page ad in Novedades, the oldest daily newspaper in the Mexican state of Quintana Roo (where Cancun is located). In a news conference with members of the local press, Tudor also reportedly accused this author of having been hired by his enemies to slander him and ruin his legitimate business.

A two-page ad taken out earlier this year in a local newspaper by Florian Tudor, accusing the head of the state police department of spying on businessmen in order to extort and harass them.

Obviously, there is no truth to Tudor’s accusations, and this would hardly be the first time the reputed head of a transnational crime syndicate has insinuated that I was paid by his enemies to disrupt his operations.

Next week, KrebsOnSecurity will publish highlights from an upcoming lengthy investigation into Tudor and his company by the Organized Crime and Corruption Reporting Project (OCCRP), a consortium of investigative journalists operating in Eastern Europe, Central Asia and Central America.

Here’s a small teaser: Earlier this year, I was interviewed on camera by reporters with the OCCRP, who at one point in the discussion handed me a transcript of some text messages shared by law enforcement officials that allegedly occurred between Tudor and his associates directly after the publication of my 2015 investigation into Intacash.

The text messages suggested my story had blown the cover off their entire operation, and that they intended to shut it all down after the series was picked up in the Mexican newspapers. One text exchange seems to indicate the group even briefly contemplated taking out a hit on this author in retribution.

The Mexican attorney general’s office could not be immediately reached for comment. The “contact us” email link on the office’s homepage leads to a blank email address, and a message sent to the one email address listed there as the main contact for the Mexican government portal (gobmx@funcionpublica.gob.mx) bounced back as an attempt to deliver to a non-existent domain name.

Further reading:

Alleged Chief of Romanian ATM Skimming Gang Arrested in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico, Part II

Who’s Behind Bluetooth Skimming in Mexico?

Cyberthreats During the Pandemic Are on the Rise

With the sudden shift to digital that many businesses are facing in response to the pandemic, preventing cyberattacks is more important than ever. According to the FBI, attacks related to COVID-19 have increased 400 percent in recent months. And with data from Gartner showing that 74 percent of companies expect to maintain some level of remote workforce indefinitely, organizations can’t risk faltering when it comes to the health of their application security, both for their own business continuity and for the safety of their customer data.

The World Health Organization (WHO), which saw a staggering fivefold increase in attempts to target its own staff in April, warns that businesses and the general public alike are at an increased risk for email phishing attacks, which we know can lead to spoofing attacks. But it doesn’t stop there; malicious actors continue to exploit every angle possible, from brute force threats to manipulating services meant to help the general public. Businesses must be vigilant about how they’re handling security in this new normal, especially when issues with remote work arise.

The remote access conundrum

Chris Wysopal, Veracode’s co-founder and CTO, believes there may be even more risk on the horizon as organizations continue remote work through the course of the pandemic.

“I think we could definitely see more social engineering attacks with people pretending to be employees having problems with remote access. Also, new phishing attacks that take advantage of so many remote access procedures changing. Organizations hastily deploying remote access might not be securing it,” Chris explains. “There are a lot of companies that don’t make remote access a normal part of their business and may now need to do this.”

The rates we’re already seeing are staggering. Data from Atlas VPN shows a 350 percent increase in phishing sites detected by Google since January. And it’s no surprise that attackers are using a global event for financial gain; Verizon’s 2020 Data Breach Investigations Report highlights that 86 percent of surveyed breaches were financially motivated, with over 80 percent of hacking breaches involving brute force attacks or the use of stolen credentials through phishing.

Pandemic-related cyberattacks

The Verizon report also found that financially motivated social engineering attacks are steadily increasing year over year, which means the global pandemic offers even more of an opportunity for threat actors. As everything has shifted to digital during the pandemic, these established trends present a virtual goldmine for malicious behavior. Here are some of the attacks we’ve seen that exploit this new normal:

Microsoft Teams: With increased remote work, organizations of all sizes are relying on communication tools like Microsoft Teams. Researchers from Abnormal Security discovered in April that attackers had been sending fake emails resembling Microsoft Teams notifications, phishing for employee credentials. The platform suffered two separate attacks, the first of which used URL redirects to send unsuspecting users to a domain hosting the attack. The second directed users to multiple YouTube pages before ultimately sending them to the phishing site where they may have exposed their credentials.

DocuSign: Researchers at Abnormal Security also discovered that a phishing email targeted 50,000 to 60,000 DocuSign users through Microsoft Office 365. The email, urging recipients to review a document about COVID-19, used a concealed malicious URL within the text, which brought users to a website phishing for credentials. Abnormal Security notes that this attack was particularly successful as DocuSign is an essential tool for signing online documents, especially at a time with dispersed workforces.

Instacart: As more people began using food delivery services to avoid grocery stores, they became a clear target for threat actors. A research firm recently alerted Instacart of a bug that would allow attackers to send malicious links to shoppers via text message. Attackers have also been sending malicious bots after browser extensions meant to help users grab coveted grocery delivery timeslots for services like Instacart.

10x Genomics: Healthcare organizations are at increased risk, too. In March, biotech research firm 10x Genomics was hit by an attack that resulted in stolen company data. The firm, which is compiling information related to COVID-19 to aid possible treatments, was able to isolate the attack quickly despite losing some sensitive information. Attackers reportedly leveraged REvil ransomware, which is also being used to exploit VPN and gateway vulnerabilities within healthcare organizations that are experiencing higher than usual strain due to the pandemic.

Protecting your business continuity

Malicious actors work hard to manipulate weak security protocols and unfixed vulnerabilities wherever possible, especially during times of widespread change and uncertainty. But there’s good news from Veracode: our Static Analysis scan numbers hit a record high in March and then hit another record high in April. Our customers are remaining vigilant about their security so they can continue to protect their data and the data of their own customers.

If you’re concerned about the state of your AppSec program or need guidance, we’re here to help ensure that you can maintain business continuity during the pandemic. Stay one step ahead of attackers by:

  • Shifting security left to the beginning of the software development lifecycle (SDLC) so that developers can write more secure code sooner rather than later.
  • Scanning earlier in the development process to catch flaws and scanning more often to reduce the risk that comes from security debt.
  • Utilizing penetration testing to locate information that may be used in social engineering or phishing attacks within your organization.
  • Using tools like Veracode Security Labs for hands-on training, and IDE Scan for real-time feedback that helps developers learn as they code.

Learn more about thwarting cyberattacks by future-proofing your application security.

StrandHogg 2.0 Android flaw affects over 1 Billion devices

Researchers disclosed a new critical vulnerability (CVE-2020-0096, aka StrandHogg 2.0) affecting the Android operating system that could allow attackers to carry out a sophisticated version of Strandhogg attack.

A group of Norwegian researchers disclosed a critical flaw, tracked as CVE-2020-0096, affecting Android OS that could allow attackers to carry out a sophisticated version of the Strandhogg attack.

In December, security experts at Promon disclosed a vulnerability, dubbed StrandHogg, that has been exploited by dozens of malicious Android apps.

The name StrandHogg comes from an old Norse term that refers to a tactic adopted by the Vikings that consists of raiding coastal areas to plunder and hold people for ransom.

The vulnerability resides in Android’s multitasking system and could be exploited by a rogue application installed on the device to pose as a legitimate application in an attempt to harvest elevated permissions from the victim.


A rogue Android app could use the StrandHogg tactic to trick the user into granting it the permissions needed to control the device.

The permissions granted to the app could allow spying on the user by accessing the camera and microphone, obtaining the device’s location, reading the SMSs, capturing login credentials (including 2FA codes via SMS), accessing private photos and videos, accessing contacts and call logs, and also making calls and recording the victim’s conversations.

The same team of Norwegian researchers that discovered StrandHogg has now reported the CVE-2020-0096 flaw, which they call StrandHogg 2.0. The vulnerability affects all Android devices except those running Android Q/10, which means that 80%-85% of Android devices are exposed.

The StrandHogg 2.0 flaw is an elevation of privilege vulnerability that allows attackers to gain access to almost all apps installed on the device.

StrandHogg 1.0 could be used to attack apps one at a time; StrandHogg 2.0 allows attackers to “dynamically attack nearly any app on a given device simultaneously at the touch of a button,” all without requiring pre-configuration for each targeted app.

“If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps,” Promon says.

“Utilizing StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.”

Targeted users cannot spot the StrandHogg attack, which can be exploited without root access and works on all versions of Android.

The new flaw can be used for various types of phishing attack, such as displaying a fake login screen, gathering different types of sensitive information, denial of service, and/or collecting permissions under the guise of the target app (such as SMS, GPS positioning and more).

The experts reported the flaw to Google in December; the tech giant released a security patch to device manufacturers in April 2020, and the manufacturers are going to release security updates for their devices.

Below is the PoC video released by the experts:

Pierluigi Paganini

(SecurityAffairs – StrandHogg 2.0 , hacking)

The post StrandHogg 2.0 Android flaw affects over 1 Billion devices appeared first on Security Affairs.

Durham College to participate in siberXchange Live summit

Durham College, a partner and sponsor of SiberX, is participating in the siberXchange Live Summit this week to showcase new opportunities in autonomous vehicle and cybersecurity research. 

Securing the Connected World with Support for The Shadowserver Foundation

If the first few months of 2020 have taught us anything, it’s the importance of collaboration and partnership to tackle a common enemy. This is true of efforts to fight the current pandemic, and it’s also true of the fight against cybercrime. That’s why Trend Micro has, over the years, struck partnerships with various organizations that share a common goal of securing our connected world.

So when we heard that one of these partners, the non-profit Shadowserver Foundation, was in urgent need of financial help, we didn’t hesitate to step in. Our new $600,000 commitment will support, for the next three years, the vital work it does collecting and sharing global threat data.

What is Shadowserver?

Founded in 2004, The Shadowserver Foundation is now one of the world’s leading resources for reporting vulnerabilities, threats and malicious activity. Their work has helped to pioneer a more collaborative approach among the international cybersecurity community, from vendors and academia to governments and law enforcement.

Today, its volunteers, 16 full-time staff and global infrastructure of sinkholes, honeypots and honeyclients help run 45 scans across 4 billion IPv4 addresses every single day. It also performs daily sandbox scans on 713,000 unique malware samples, adding to the 12 petabytes of malware and threat intelligence already stored on its servers. Thousands of network owners, including 109 CSIRTs in 138 countries worldwide, rely on the resulting daily reports, which are available free of charge to help make the digital world a safer place.

A Global Effort

Trend Micro is a long-time partner of The Shadowserver Foundation. We automatically share new malware samples via its malware exchange program, with the end goal of improving protection for both Trend Micro customers and Shadowserver subscribers around the world. Not only that, but we regularly collaborate on global law enforcement-led investigations. Our vision and mission statements of working towards a more secure, connected world couldn’t be more closely aligned.

As COVID-19 has brutally illustrated, protecting one’s own backyard is not enough to tackle a global challenge. Instead, we need to reach out and build alliances to take on the threats and those behind them, wherever they are. These are even more pronounced at a time when remote working has dramatically expanded the corporate attack surface, and offered new opportunities for the black hats to prosper by taking advantage of distracted employees and stretched security teams.

The money Trend Micro is donating over the next three years will help the Shadowserver Foundation migrate to the new data center it urgently needs and support operational costs that, combined, will exceed $2 million in 2020. We wish the team well with their plans for this year.

It’s no exaggeration to say that our shared digital world is a safer place today because of their efforts, and we hope to continue to collaborate long into the future.


Verizon Data Breach Investigations Report Finds an Increase in Web Application Breaches

Verizon recently published its 2020 Data Breach Investigations Report (DBIR), which analyzed 32,002 security incidents in 16 different industries and four different world regions. Similar to last year’s findings, the majority of breaches (86 percent) are financially motivated, and most (70 percent) are caused by outsiders. Credential theft, social attacks (i.e., phishing and business email compromise), and errors are still causing the majority of breaches. As stated in the DBIR, “These tactics prove effective for attackers, so they return to them time and again.”

Just as there are many similarities from last year’s DBIR, there are also many differences. An important change worth noting is that web applications were part of more than 43 percent of breaches, more than double the amount from last year. Stolen credentials were used in more than 80 percent of these incidents.

The DBIR found that the cause of the increase in web application breaches was a result of more people moving their workflows to the cloud. In light of the current pandemic, with more and more businesses undergoing digital transformations, the number of web application breaches will likely increase.

“As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount,” said Tami Erwin, CEO, Verizon Business.

Web application threats were found to be prevalent in all 16 industries, but especially in retail. The retail industry is seeing a major threat to their e-commerce applications, a trend that has carried over since 2019. It’s vital that retailers invest in a comprehensive application security (AppSec) program and scan their applications frequently.

Our recent State of Software Security (SOSS) report found that in the retail industry, 40 percent of applications are only scanned once a year. By increasing the number of scans, the retail industry could find and remediate more flaws and address security debt. Our analysis also found that there are two OWASP Top 10 vulnerabilities that should be on the retail industry’s radar: Code Injection and Credentials Management. Retail has a higher percentage of risks that fall into these categories. This is likely due to the fact that retailers need to authenticate users and handle input. Once again, more frequent scanning should help address these flaws.

To learn more about protecting web applications, check out our AppSec products and services.

Zero Trust Deployment Guide for devices

The modern enterprise has an incredible diversity of endpoints accessing their data. This creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.

Whether a device is a personally owned BYOD device or a corporate-owned and fully managed device, we want to have visibility into the endpoints accessing our network, and ensure we’re only allowing healthy and compliant devices to access corporate resources. Likewise, we are concerned about the health and trustworthiness of mobile and desktop apps that run on those endpoints. We want to ensure those apps are also healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.

Get visibility into device health and compliance

Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attacks, while mobile devices often go unmonitored and without protections. To help limit risk exposure, we need to monitor every endpoint to ensure it has a trusted identity, has security policies applied, and the risk level for things like malware or data exfiltration has been measured, remediated, or deemed acceptable. For example, if a personal device is jailbroken, we can block access to ensure that enterprise applications are not exposed to known vulnerabilities.

  1. To ensure you have a trusted identity for an endpoint, register your devices with Azure Active Directory (Azure AD). Devices registered in Azure AD can be managed using tools like Microsoft Endpoint Manager, Microsoft Intune, System Center Configuration Manager, Group Policy (hybrid Azure AD join), or other supported third-party tools (using the Intune Compliance API + Intune license). Once you’ve configured your policy, share the following guidance to help users get their devices registered—new Windows 10 devices, existing Windows 10 devices, and personal devices.
  2. Once we have identities for all the devices accessing corporate resources, we want to ensure that they meet the minimum security requirements set by your organization before access is granted. With Microsoft Intune, we can set compliance rules for devices before granting access to corporate resources. We also recommend setting remediation actions for noncompliant devices, such as blocking a noncompliant device or offering the user a grace period to get compliant.

Restricting access from vulnerable and compromised devices

Once we know the health and compliance status of an endpoint through Intune enrollment, we can use Azure AD Conditional Access to enforce more granular, risk-based access policies. For example, we can ensure that no vulnerable devices (like devices with malware) are allowed access until remediated, or ensure logins from unmanaged devices only receive limited access to corporate resources, and so on.

  1. To get started, we recommend only allowing access to your cloud apps from Intune-managed, domain-joined, and/or compliant devices. These are baseline security requirements that every device will have to meet before access is granted.
  2. Next, we can configure device-based Conditional Access policies in Intune to enforce restrictions based on device health and compliance. This will allow us to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite. For example, we might want to exclude certain device platforms from accessing specific apps.
  3. Finally, we want to ensure that your endpoints and apps are protected from malicious threats. This will help ensure your data is better-protected and users are at less risk of getting denied access due to device health and/or compliance issues. We can integrate data from Microsoft Defender Advanced Threat Protection (ATP), or other Mobile Threat Defense (MTD) vendors, as an information source for device compliance policies and device Conditional Access rules. Options below:
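The baseline in step 1 and the tightening in step 2 can be expressed as a single Azure AD Conditional Access policy. The following is an added example, not Microsoft's own code or the guide's: it builds the policy body in the shape of the Microsoft Graph conditionalAccessPolicy resource, prepares (without sending) the POST that would create it, and includes a small local model of how the "OR"/"AND" grant-control operator decides access for a few constructed device states. The break-glass group id is a placeholder, the device states are made up, and the local evaluator only models the two device controls used here.

```python
"""
Baseline device Conditional Access policy: every user, every cloud app,
access granted only from an Intune-compliant OR hybrid Azure AD joined device.
Added illustration, not Microsoft's code. Group id below is a placeholder.
"""
import json
import urllib.request
from typing import Any, Dict

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder object id of the emergency-access ("break glass") group, kept
# excluded so a mistaken device policy cannot lock every administrator out.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def baseline_device_policy(report_only: bool = True) -> Dict[str, Any]:
    """Return the policy body. Starts in report-only mode so the sign-in logs
    show who would have been blocked before enforcement is switched on."""
    return {
        "displayName": "Baseline: require compliant or hybrid-joined device",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [BREAK_GLASS_GROUP_ID],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            # "OR": either control satisfies the grant; "AND": both required.
            "operator": "OR",
            "builtInControls": ["compliantDevice", "domainJoinedDevice"],
        },
    }


# Local model of the two device grant controls used above (mfa, block and
# app-based controls are not modelled).
_CONTROL_CHECKS = {
    "compliantDevice": lambda d: bool(d.get("intune_compliant", False)),
    "domainJoinedDevice": lambda d: bool(d.get("hybrid_joined", False)),
}


def grant_allows(policy: Dict[str, Any], device: Dict[str, Any]) -> bool:
    """True if the device state satisfies the policy's grant controls."""
    grant = policy["grantControls"]
    results = [_CONTROL_CHECKS[c](device) for c in grant["builtInControls"]]
    return any(results) if grant["operator"] == "OR" else all(results)


def evaluate_fleet(policy: Dict[str, Any], devices: Dict[str, Dict[str, Any]]) -> Dict[str, bool]:
    """Apply the policy to every sample device; returns name -> allowed."""
    return {name: grant_allows(policy, state) for name, state in devices.items()}


def create_policy_request(token: str, policy: Dict[str, Any]) -> urllib.request.Request:
    """Prepare, but do not send, the Graph POST that creates the policy.
    The token needs the Policy.ReadWrite.ConditionalAccess permission."""
    return urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


# Constructed sample device states (not real telemetry).
SAMPLE_DEVICES = {
    "corp-laptop":  {"hybrid_joined": True,  "intune_compliant": True},
    "byod-phone":   {"hybrid_joined": False, "intune_compliant": True},
    "hybrid-stale": {"hybrid_joined": True,  "intune_compliant": False},
    "unmanaged-pc": {"hybrid_joined": False, "intune_compliant": False},
}

if __name__ == "__main__":
    policy = baseline_device_policy()
    print(json.dumps(policy, indent=2))
    for name, allowed in evaluate_fleet(policy, SAMPLE_DEVICES).items():
        print(f"{name:13s} -> {'allow' if allowed else 'deny'}")
```

Note the "hybrid-stale" case: a hybrid-joined machine that has fallen out of Intune compliance still passes under "OR", which is exactly the gap the stricter device-health policies of step 2 close; changing the operator to "AND" (or keeping only "compliantDevice") makes that device deny. Run with the policy in report-only state first and review the Conditional Access insights in the sign-in logs before switching the state to "enabled".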

Enforcing security policies on mobile devices and apps

We have two options for enforcing security policies on mobile devices: Intune Mobile Device Management (MDM) and Intune Mobile Application Management (MAM). In both cases, once data access is granted, we want to control what the user does with the data. For example, if a user accesses a document with a corporate identity, we want to prevent that document from being saved in an unprotected consumer storage location or from being shared with a consumer communication or chat app. With Intune MAM policies in place, they can only transfer or copy data within trusted apps such as Office 365 or Adobe Acrobat Reader, and only save it to trusted locations such as OneDrive or SharePoint.

Intune ensures that the device configuration aspects of the endpoint are centrally managed and controlled. Device management through Intune enables endpoint provisioning, configuration, automatic updates, device wipe, or other remote actions. Device management requires the endpoint to be enrolled with an organizational account and allows for greater control over things like disk encryption, camera usage, network connectivity, certificate deployment, and so on.

Mobile Device Management (MDM)

  1. First, using Intune, let’s apply Microsoft’s recommended security settings to Windows 10 devices to protect corporate data (Windows 10 1809 or later required).
  2. Ensure your devices are patched and up to date using Intune—check out our guidance for Windows 10 and iOS.
  3. Finally, we recommend ensuring your devices are encrypted to protect data at rest. Intune can manage a device’s built-in disk encryption across both macOS and Windows 10.

Meanwhile, Intune MAM is concerned with management of the mobile and desktop apps that run on endpoints. Where user privacy is a higher priority, or the device is not owned by the company, app management makes it possible to apply security controls (such as Intune app protection policies) at the app level on non-enrolled devices. The organization can ensure that only apps that comply with their security controls, and running on approved devices, can be used to access emails or files or browse the web.

With Intune, MAM is possible for both managed and unmanaged devices. For example, a user’s personal phone (which is not MDM-enrolled) may have apps that receive Intune app protection policies to contain and protect corporate data after it has been accessed. Those same app protection policies can be applied to apps on a corporate-owned and enrolled tablet. In that case, the app-level protections complement the device-level protections. If the device is also managed and enrolled with Intune MDM, you can choose not to require a separate app-level PIN if a device-level PIN is set, as part of the Intune MAM policy configuration.

Mobile Application Management (MAM)

  1. To protect your corporate data at the application level, configure Intune MAM policies for corporate apps. MAM policies offer several ways to control access to your organizational data from within apps:
    • Configure data relocation policies like save-as restrictions for saving organization data or restrict actions like cut, copy, and paste outside of organizational apps.
    • Configure access policy settings like requiring simple PIN for access or blocking managed apps from running on jailbroken or rooted devices.
    • Configure automatic selective wipe of corporate data for noncompliant devices using MAM conditional launch actions.
    • If needed, create exceptions to the MAM data transfer policy to and from approved third-party apps.
  2. Next, we want to set up app-based Conditional Access policies to ensure only approved corporate apps access corporate data.
  3. Finally, using app configuration (appconfig) policies, Intune can help eliminate app setup complexity or issues, make it easier for end users to get going, and ensure better consistency in your security policies. Check out our guidance on assigning configuration settings.


We hope the above helps you deploy and successfully incorporate devices into your Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog. For more information on Microsoft Security Solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust Deployment Guide for devices appeared first on Microsoft Security.

Deputy Sheriff Admits Cyberstalking Massachusetts Tween

A former deputy sheriff has pleaded guilty to cyberstalking and sexually exploiting a teenage girl whom he met through playing Minecraft online. 

When 26-year-old Texan Pasquale T. Salas first encountered his victim in 2014, she was just 12 years old. 

Salas engineered a relationship with the child by sending her messages in private chat rooms. The former deputy sheriff with the Matagorda County Sheriff’s Office then systematically used Skype, Snapchat, and text messages to groom the little girl.

Authorities said that during their digital exchanges, Salas put repeated pressure on his tweenage victim to capture sexually explicit images of herself and send them to him. 

At his coercion, the victim sent hundreds of lewd videos and images of herself to Salas over a two-year period. Some of the images were sent as they communicated via Minecraft. 

In a sick attempt to make the exploitation appear like a genuine relationship, Salas sent his victim jewelry, Edible Arrangements, and iTunes gift cards and granted her access to his Amazon Prime account.

The exploited girl, who is from Worcester County, tried to break off contact with Salas in 2016. The self-confessed sexual predator responded by repeatedly threatening to send lewd images of the victim to her family and friends unless she kept communicating with him.

Salas used technology to control his victim. He manipulated her into granting him access to her Snapchat, then used a tracking option on the app to keep tabs on the girl's whereabouts. 

The girl was ordered to obey a list of rules written by Salas that dictated what she could wear and whom she could speak with. 

According to authorities, Salas threatened to harm the girl's sister if she disobeyed him. He also meted out punishments to his victim when she went against his wishes.

Salas told the girl, “You belong to me. You’re my property so I can treat you however I want, whenever I want.”

Authorities said a second female victim had been sexually exploited by Salas for four years. Victim number 2 was also aged 12 when she met Salas via Minecraft. 

Salas, who is in custody at the Donald W. Wyatt Detention Facility in Rhode Island, will be sentenced on September 3.

Britain Re-Evaluating Huawei’s Role in 5G Rollout

US Sanctions Against Chinese Technology Giant May Have Forced Britain's Hand
Britain is reconsidering whether Huawei's technology will be used in its national 5G rollout as a result of increased White House sanctions against the Chinese telecommunications giant, which could result in Huawei having to source semiconductors from less reliable sources.

International Plea for Governments to Protect Healthcare from Cyber-Attacks

A plea from the Cyber Peace Institute for healthcare providers to be protected against cyber-threats has attracted international support.

Major players in cybersecurity, academics, and numerous political movers and shakers have backed the call for governments to work together "with civil society and the private sector" to defend hospital, healthcare, and medical research facilities from digital assaults. 

In a strongly worded plea published May 26, the Cyber Peace Institute asked governments to assert in unequivocal terms that the targeting of healthcare facilities by cyber-criminals is both "unlawful and unacceptable."

"We call on the world’s governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations," wrote the CPI. "To this end, governments should work together, including at the United Nations, to reaffirm and recommit to international rules that prohibit such actions."

The CPI highlighted recent cyber-assaults against healthcare providers around the world, cynically timed to coincide with the outbreak of COVID-19 in nearly every corner of the planet. 

"Over the past weeks, we have witnessed attacks that have targeted medical facilities and organizations on the frontlines of the response to the COVID-19 pandemic," wrote CPI. 

"These actions have endangered human lives by impairing the ability of these critical institutions to function, slowing down the distribution of essential supplies and information, and disrupting the delivery of care to patients." 

While the rate of deaths caused by the novel coronavirus continues to fall in some countries, bringing hope that the pandemic is ebbing, the CPI's plea warns against complacency.

"With hundreds of thousands of people already perished and millions infected around the world, medical care is more important than ever," wrote the CPI. "This will not be the last health crisis."

Political bigwigs who have signed the Institute's rallying call include former presidents of the Soviet Union, Uruguay, Brazil, Liberia, Chile, the Swiss Confederation, Mexico, Colombia, Denmark, Poland, and Slovenia, as well as former US secretary of state Madeleine Albright.

Signatories from the cybersecurity industry include Kaspersky CEO Eugene Kaspersky, Microsoft president Brad Smith, and Trend Micro CEO Eva Chen.

National Guard Helps Maryland with Cybersecurity

The National Guard has been working to keep Maryland safe from cyber-attacks.

Maryland governor Larry Hogan called in the National Guard by executive order on March 12 to bolster the state's COVID-19 pandemic response. In addition to assisting the Old Line State with its coronavirus testing and screening program, the Guard has been helping out with cybersecurity assessments.

Baltimore, Maryland's largest city, was rocked by a catastrophic ransomware attack last year that prevented government officials from performing even basic tasks like sending an email. 

In an interview with Federal Computer Week, Colonel Reid Novotny, Maryland National Guard's joint staff (J6) lead for IT and cyber, said that surviving a major attack did not make Baltimore invulnerable to cyber-criminals. 

"During this crisis, we are in daily contact with them [in] an elevated status," said Novotny. "There have been ransomware attacks that have affected hospitals that are treating COVID patients."

Novotny wouldn't specify which hospitals had been targeted but said that attacks had been observed in Baltimore and Baltimore County.

"Yes, that stuff has actually happened, and the department of IT has responded back, and the Guard has supported that response," he said.

"Patients and the residents of that county that went to that hospital were assured that everyone was up and working."

The state's chief information security officer, Chip Stewart, said that malicious activity against Maryland had increased since the outbreak of COVID-19. 

"Maryland has noticed an increased frequency of attempted cyber-attacks as have many other states throughout the country, ranging from phishing emails to sophisticated attempts to bypass security measures," said Stewart.

To counter the threats, Maryland has established a security operations center to monitor attacks on its digital infrastructure.

According to Stewart, the National Guard is supporting the state's efforts to thwart cyber-attackers by performing "routine external assessments of the state's websites and networks to identify issues proactively."

As of May 15, the Maryland National Guard has supplied over 3,000 hours of support to four different state agencies across four of Maryland's counties. Novotny said the commercial value of the Guard's cyber-support was roughly $1m.

Zero Trust and its role in securing the new normal

As the global crisis around COVID-19 continues, security teams have been forced to adapt to a rapidly evolving security landscape. Schools, businesses, and healthcare organizations are all getting work done from home on a variety of devices and locations, extending the potential security attack surface.

While we continue to help our customers enable secure access to apps in this “new normal,” we’re also thinking about the road ahead and how there are still many organizations who will need to adapt their security model to support work life. This is especially important given that bad actors are using network access solutions like VPN as a trojan horse to deploy ransomware and the number of COVID-19 themed attacks have increased and evolved.

Microsoft and Zscaler have partnered to provide a glimpse into how security will change in a post-COVID-19 world.

Accelerating to Zero Trust

“We’ve seen two years’ worth of digital transformation in two months.”
—Satya Nadella, CEO, Microsoft

With the bulk of end users now working remotely, organizations were forced to consider alternate ways of achieving modern security controls. Legacy network architectures that route all remote traffic through a central corporate datacenter are suddenly under enormous strain due to massive demand for remote work and rigid appliance capacity limitations. This creates latency for users, impacting productivity, and requires additional appliances that can take 30, 60, or even 90 days just to be shipped out.

To avoid these challenges, many organizations were able to enable work from home by transitioning their existing network infrastructure and capabilities to a Zero Trust security framework instead.

The Zero Trust framework empowers organizations to limit access to specific apps and resources only to the authorized users who are allowed to access them. The integrations between Microsoft Azure Active Directory (Azure AD) and Zscaler Private Access embody this framework.

For the companies who already had proof of concept underway for their Zero Trust journey, COVID-19 served as an accelerator, moving up the timelines for adoption. The ability to separate application access from network access, and secure application access based on identity and user context, such as date/time, geolocation, and device posture, was critical for IT’s ability to enable remote work. Cloud delivered technologies such as Azure AD and Zscaler Private Access (ZPA) have helped ensure fast deployment, scalability, and seamless experiences for remote users.

Both Microsoft and Zscaler anticipate that organizations not already moving toward a Zero Trust model will begin adopting one, and that those already on the way will accelerate the transition.

Securing flexible work going forward

While some organizations have had to support remote workers in the past, many are now forced to make the shift from a technical and cultural standpoint. As social distancing restrictions start to loosen, instead of remote everything we’ll begin to see organizations adopt more flexible work arrangements for their employees. Regardless of where employees are, they’ll need to be able to securely access any application, including the mission-critical “crown jewel” apps that may still use legacy authentication protocols like HTTP or LDAP and run on-premises. To simplify the management of protecting access to apps from a now flexible working style, there should be a single policy per user that can be used to provide access to an application, whether they are remote or at the headquarters.

Zscaler Private Access and Azure AD help organizations enable single sign-on and enforce Conditional Access policies to ensure authorized users can securely access only the apps they need. This includes their mission-critical applications that run on-premises and may have SOC 2 and ISO 27001 compliance needs.

Today, the combination of ZPA and Azure AD is already helping organizations adopt flexible work arrangements while ensuring seamless and secure access to their applications.

Secure access with Zscaler and Microsoft

Remote onboarding or offboarding for a distributed workforce

With remote and flexible work arrangements becoming a norm, organizations will need to consider how to best onboard or offboard a distributed workforce and ensure the right access can be granted when employees join, change or leave roles. To minimize disruption, organizations will need to enable and secure Bring Your Own Devices (BYOD) or leverage solutions like Windows Autopilot that can help users set up new devices without any IT involvement.

To ensure employees can access applications on day one, automating the provisioning of user accounts to applications will be critical for productivity. The SCIM 2.0 standard, adopted by both Microsoft and Zscaler, can help automate simple actions, such as creating or updating users, adding users to groups, or deprovisioning users from applications. Azure AD user provisioning can help manage the end-to-end identity lifecycle and automate policy-based provisioning and deprovisioning of user accounts for applications. The ZPA + Azure AD SCIM 2.0 configuration guide shows how this works.

Powering security going forward

Security and IT teams are already under strain with this new environment, and adding an impending economic downturn into the equation means they’ll need to do more with less. The responsibility of selecting the right technology falls to the security leaders. Together, Microsoft and Zscaler can help deliver secure access to applications and data on all the devices accessing your network, while empowering employees with simpler, more productive experiences. This is the power of the cloud and some of the industry’s deepest integrations. We look forward to working with you on what your security might look like after COVID-19.

Stay safe.

For more information on Microsoft Zero Trust, visit our website: Zero Trust security framework. Learn more about our guidance related to COVID-19 here and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust and its role in securing the new normal appeared first on Microsoft Security.

Is Cloud Computing Any Safer From Malicious Hackers?

Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. And certainly, moving resources to the cloud just has to be safer, right? The cloud provider is going to keep our data and applications safe for sure. Hackers won’t stand a chance. Wrong. I hear this delusion from customers far more often than anyone should. The truth of the matter is, without proper configuration, the right skillsets administering the cloud presence, and common-sense security practices, cloud services are just as (if not more) vulnerable.

The Shared Responsibility Model

Before going any further, we need to discuss the shared responsibility model of the cloud service provider and user.

When planning your migration to the cloud, you need to be aware of which responsibilities belong to which entity. As the chart above shows, the cloud service provider is responsible for the security of the cloud infrastructure and its physical security. By contrast, the customer is responsible for their own data, the security of their workloads (all the way down to the OS layer), and the internal network within the company's VPCs.

One more very important aspect that remains in the hands of the customer is access control. Who has access to what resources? This is really no different than it has been in the past, the exception being that the physical security of the data center is handled by the CSP rather than on-premises staff, but the company (specifically IT and IT security) is responsible for locking down those resources effectively.

Many times, this shared responsibility model is overlooked, and poor assumptions are made about the security of a company’s resources. Chaos ensues, and probably a firing or two.

So now that we have established the shared responsibility model and that the customer is responsible for their own resource and data security, let’s take a look at some of the more common security issues that can affect the cloud.

Amazon S3 

Amazon S3 is a truly great service from Amazon Web Services. Storing data, hosting static sites and providing storage for applications are all common use cases for this service. S3 buckets are also a prime target for malicious actors, since they often end up misconfigured.

One such instance occurred in 2017 when Booz Allen Hamilton, a defense contractor for the United States, was pillaged of battlefield imagery as well as administrator credentials to sensitive systems.

Yet another instance occurred in 2017, when an insecure Amazon S3 bucket exposed the records of 198 million American voters. If you’re reading this, chances are that breach included you.

A more recent breach of an Amazon S3 bucket (and I use the word “breach” loosely, since most of these instances were the result of poor configuration and public exposure, not a hacker breaking in using sophisticated techniques) involved the cloud storage provider “Data Deposit Box.” It used Amazon S3 buckets for storage, and a configuration issue leaked more than 270,000 personal files as well as personally identifiable information (PII) of its users.

One last point on the subject of cloud file storage concerns the many organizations that use Amazon S3 to stage data uploaded by customers before other parts of the application process it. The problem is: how do we know whether what is being uploaded is malicious? This question comes up more and more as I speak with customers and peers in the IT world.


APIs are great. They allow you to interact with programs and services in a programmatic and automated way. When it comes to the cloud, APIs allow administrators to interact with services, and in fact they are the cornerstone of all cloud services, since they are how the different services communicate. As with anything in this world, this also opens up a world of danger.

Let’s start with the API gateway, a common construct in the cloud for routing traffic to backend applications. The gateway itself is a target, because manipulating it can let unwanted traffic through. API gateways were designed to be integrated into applications; they were not designed for security. This means untrusted connections can reach the gateway and perhaps retrieve data the caller should not see. Likewise, API requests to the gateway can carry malicious payloads.

Another attack that can affect your API gateway, and likewise the application behind it, is a DDoS attack. The common answer is a Web Application Firewall (WAF). The problem is that WAFs struggle with low-and-slow DDoS attacks, because the steady stream of requests looks like normal traffic. A more effective way to deter DDoS attacks at the API gateway is to limit the number of requests allowed for each method.

Much of API attack prevention lies in the configuration. Denying anonymous access is huge. Likewise, rotating tokens, passwords and keys limits the window in which leaked credentials remain usable. Disabling every form of clear-text authentication, enforcing SSL/TLS encryption and implementing multifactor authentication are further strong deterrents.
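A per-method token-bucket limiter of the kind the last two paragraphs recommend, as an added example (not code from the original post): unauthenticated requests are refused outright, and a steady one-request-per-second POST flood that a WAF would treat as normal traffic runs out of tokens. Client ids, method limits and the traffic below are constructed sample values.

```python
"""Per-method request limiting in front of an API gateway.

Added illustrative example, not code from the original post. A WAF tends to
pass a low-and-slow flood because each request looks ordinary; a token bucket
per (client, method) pair caps the sustained rate instead, and requests with
no credential are refused before they can consume a token. Client ids,
method names and limits are constructed sample values.
"""

from collections import Counter


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at
    `refill_per_sec`; each request costs one token."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def try_consume(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class MethodRateLimiter:
    """Limits are keyed by method so a write path such as POST can be
    throttled far harder than a cheap read path."""

    def __init__(self, limits):
        # method -> (burst capacity, sustained requests per second)
        self.limits = limits
        self.buckets = {}

    def check(self, client_id, method, now):
        if not client_id:
            return "deny:anonymous"          # no credential, no token
        if method not in self.limits:
            return "deny:unknown_method"     # default-deny unlisted methods
        key = (client_id, method)
        bucket = self.buckets.get(key)
        if bucket is None:
            capacity, rate = self.limits[method]
            bucket = self.buckets[key] = TokenBucket(capacity, rate, now)
        return "allow" if bucket.try_consume(now) else "deny:rate_limited"


def replay(limiter, requests):
    """Feed (timestamp, client_id, method) tuples through the limiter in
    time order and count decisions per client."""
    outcome = Counter()
    for ts, client, method in sorted(requests, key=lambda r: r[0]):
        outcome[(client, limiter.check(client, method, ts))] += 1
    return outcome


# Constructed sample traffic: a well-behaved web app reading every 5 s, one
# client sending a POST every second (ordinary-looking to a WAF), and one
# request with no credential at all.
SAMPLE_LIMITS = {"GET": (10, 2.0), "POST": (5, 0.5)}
SAMPLE_REQUESTS = (
    [(float(t), "web-app", "GET") for t in range(0, 30, 5)]
    + [(float(t), "bot-7", "POST") for t in range(30)]
    + [(3.0, None, "GET")]
)


def demo():
    """Replay the sample traffic; the POST sender gets 19 of 30 through."""
    return replay(MethodRateLimiter(SAMPLE_LIMITS), SAMPLE_REQUESTS)


if __name__ == "__main__":
    for (client, decision), n in sorted(demo().items(), key=str):
        print(f"{str(client):8} {decision:18} {n}")
```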


No cloud service would be complete without compute resources. This is where an organization builds out virtual machines to host applications and services. It also introduces yet another attack surface, and once again, this is not protected by the cloud service provider. It is purely the customer's responsibility.

Many times, in discussing my customers’ migration from an on-premises datacenter to the cloud, one of the common methods is the “lift-and-shift” approach: customers take the virtual machines they have running in their datacenter and simply migrate those machines to the cloud. Now, the question is, what kind of security assessment was done on those virtual machines prior to migrating? Were those machines patched? Were discovered security flaws fixed? In my personal experience the answer is no. Therefore, these organizations are simply taking their problems from one location to the next. The security holes still exist and could potentially be exploited, especially if the server is public facing or network policies are improperly applied. For this type of process, I think a better way to look at this is “correct-and-lift-and-shift”.

Once organizations have established their cloud presence, they will eventually need to deploy new resources, and this can mean developing or building upon a machine image. The most important thing to remember here is that these are computers. They are still vulnerable to malware, so regardless of whether they are in the cloud or not, the same security controls are required, including anti-malware, host IPS, integrity monitoring and application control, just to name a few.


Cloud services make it incredibly easy to deploy networks and divide them into subnets and even allow cross network communication. They also give you the ability to lock down the types of traffic that are allowed to traverse those networks to reach resources. This is where security groups come in. These security groups are configured by people, so there’s always that chance that a port is open that shouldn’t be, opening a potential vulnerability. It’s incredibly important from this perspective to really have a grasp on what a compute resource is talking to and why, so the proper security measures can be applied.
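An audit of security-group ingress rules for the kind of accidental exposure described above, added here as an example rather than taken from the original post. The rule layout is modelled on the IpPermissions entries returned by the AWS describe_security_groups API; the sample groups, the sensitive-port list and the CIDR width threshold are constructed assumptions.

```python
"""Audit security-group ingress rules for internet-exposed ports.

Added illustrative example, not code from the original post. Each group is
shaped like the IpPermissions entries returned by the AWS
describe_security_groups API; the sample groups, the sensitive-port list and
the CIDR width threshold are constructed assumptions to adjust per organisation.
"""

import ipaddress

# Services that should never be reachable from arbitrary internet sources.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
    5432: "postgres", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}
# A public source block at least this wide is treated as "the world".
MAX_PUBLIC_PREFIX = 16
# A port span longer than this is reported even if no listed port is in it.
WIDE_RANGE = 100

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_world_open(cidr):
    """True if `cidr` is effectively the whole internet: 0.0.0.0/0, ::/0,
    or a public block at least as wide as MAX_PUBLIC_PREFIX."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS):
        return False                     # internal ranges are not "the world"
    return net.prefixlen <= MAX_PUBLIC_PREFIX


def audit_group(group):
    """Return (group_id, severity, description) findings for one group."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = ", ".join(c for c in sources if is_world_open(c))
        if not world:
            continue                     # only reachable from specific ranges
        proto = perm["IpProtocol"]
        if proto == "-1":                # AWS shorthand for all protocols
            findings.append((gid, "critical", f"all traffic open to {world}"))
            continue
        if proto not in ("tcp", "udp"):
            continue                     # ICMP etc. carry no port to audit
        lo, hi = perm["FromPort"], perm["ToPort"]
        for port in sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi):
            findings.append((gid, "high",
                             f"{SENSITIVE_PORTS[port]} ({proto}/{port}) open to {world}"))
        if hi - lo + 1 > WIDE_RANGE:
            findings.append((gid, "medium",
                             f"{proto}/{lo}-{hi} ({hi - lo + 1} ports) open to {world}"))
    return findings


def audit(groups):
    """Audit every group; findings are returned most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    found = [f for g in groups for f in audit_group(g)]
    return sorted(found, key=lambda f: order[f[1]])


# Constructed sample groups (203.0.113.0/24 is a documentation range).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                 # intended
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},            # bastion only
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                 # the mistake
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                # VPC-internal
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 10000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for gid, severity, what in audit(SAMPLE_GROUPS):
        print(f"{severity:8} {gid:10} {what}")
```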

So is the cloud really safe from hackers? It is no safer than anything else unless organizations take security into their own hands and understand where their responsibility begins and the cloud service provider’s ends. The arms race between hackers and security professionals is the same as it ever was; only the battleground has changed.

Why Endpoint Security Matters in Protecting Remote Workers – Part 1

As customers secure their remote workers, they tell us they are getting better visibility, better efficacy and getting time back!

Enabling your workforce to work securely on any endpoint, anywhere, at any time is more important now than ever before. As such, Cisco has recently offered a new Cisco Secure Remote Worker solution that unifies user and endpoint protection at scale, making it easy to verify, enable secure access and defend remote workers at any time from anywhere. Cisco AMP for Endpoints is a key component of this new solution and plays a critical role in it.

To best describe this critical role, we recently conducted an endpoint survey to get our customers’ thoughts on the value that AMP for Endpoints brings to their business, and therefore to the Secure Remote Worker solution. This first blog of a 4-blog series summarizes the top 3 business values our customers highlighted. In the next 3 blogs we will take an in-depth look at each of these values and demonstrate why they are so effective.

Now let’s look at these top 3 business values from the endpoint survey; each described in challenges, why it’s important to customers, the customer comments and how AMP for Endpoints helps.

Business Value #1: Better visibility into endpoints

Customer challenge:  My endpoints are under constant attack through phishing attempts, advanced persistent threats (APTs) and exploits. I want to arm my team with actionable insights.

Why it’s important: If you can’t see what’s on your endpoints, you really don’t know what malware exists or what type it is. Without that visibility, your team will spend an inordinate amount of time attempting to eradicate threats and will be exposed to lateral movement.

How Cisco helps: AMP for Endpoints, as part of the Cisco SecureX platform, provides seamless integration with other security technologies, backed by Talos threat intelligence, to help you block, detect, investigate, and respond to threats across your entire environment – not just at your endpoints.

Business Value #2: Better efficacy

Customer challenge:  I want tools refined enough and accurate enough so I can understand what malware may be on my endpoints so my team can take the appropriate action.

Why it’s important: I don’t want my team wasting time on false positives and I want to see accurate clear threat intelligence so my team can determine what the priority level is and what steps to take and feel confident about it. And clearly the process needs to be in sync with best practices such as the MITRE ATT&CK framework.

How Cisco helps: Block known threats automatically using machine learning, exploit prevention, file reputation, antivirus, and a wide array of other attack prevention techniques that will stop both fileless and file-based attacks in their tracks. As proof of this, Cisco AMP for Endpoints earned high marks in malware protection tests, while achieving the lowest false positives in the first AV-Comparatives Business Main Test Series for 2020. You can count on AMP for Endpoints delivering consistent security efficacy, enabling you to get superior protection from advanced threats.

Business Value #3: Get time back

Customer challenge: I want my team to spend less time on each incident in their everyday workflows so they can do more with less effort.

Why it’s important: Better tools that complement my security infrastructure and actively leverage automation enable my team to maximize our security investments and respond faster to threats on my endpoints, instead of spending time on manual, error-prone tasks.

How Cisco helps: AMP for Endpoints, and the underlying platform, enable you to increase the efficiency and precision of your existing resources via automation. You can multiply your threat hunting capabilities by connecting your security infrastructure to get more value from your existing investments. This provides you with the best ability to orchestrate and automate your threat response capability in a timelier manner, and thus gives you time back to focus on more strategic efforts.

For the next entry in this series

In the next blog entry of this series we will provide a deep dive into the first of the 3 business values described above and demonstrate how our customers are getting the results they need.

In the meantime, please visit the TechValidate Survey to see examples of what our customers’ challenges were and, in their own words, how they were able to achieve their business goals with Cisco AMP for Endpoints as part of the Cisco SecureX platform.

The post Why Endpoint Security Matters in Protecting Remote Workers – Part 1 appeared first on Cisco Blogs.

New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps

Remember Strandhogg? A security vulnerability affecting Android that malicious apps can exploit to masquerade as any other app installed on a targeted device to display fake interfaces to the users, tricking them into giving away sensitive information. Late last year, at the time of its public disclosure, researchers also confirmed that some attackers were already exploiting the flaw in the

New Version of Turla Malware Poses Threat to Governments

Details of a new version of the ComRAT backdoor, one of the oldest malware families run by the notorious cyber-espionage group Turla, have been outlined by ESET. The findings will be of particular concern for government bodies such as militaries and diplomatic services, since this updated backdoor is able to use the Gmail web UI to receive commands and exfiltrate data in an attempt to steal confidential documents.

The Turla group, also referred to as ‘Snake,’ has been operating for at least 10 years, primarily targeting governments across Europe, Central Asia and the Middle East. It has breached a number of major organizations including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

One method it uses to steal important information is the malicious backdoor ComRAT, which is believed to have been first released in 2007. “Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” noted Matthieu Faou, malware researcher at ESET.

ESET has found evidence that the fourth version of the malware, which has attacked at least three government institutions since 2017, was still active in January 2020. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data.

The new version uses a completely new code base and is far more complex than earlier incarnations. It can perform a number of new actions on compromised computers, such as executing additional programs and exfiltrating files, whilst having unique abilities to evade security software.

“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explained Faou. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.”

Webcast: Kerberos & Attacks 101

Join the BHIS Discord discussion server: https://discord.gg/aHHh3u5 We’re really excited to have a close member of our BHIS extended family, Tim Medin from Red Siege InfoSec, here for a webcast on Kerberos & Attacks 101. Tim is the creator of Kerberoasting. Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? […]

The post Webcast: Kerberos & Attacks 101 appeared first on Black Hills Information Security.

New Turla ComRAT backdoor uses Gmail for Command and Control

Researchers uncovered a new advanced variant of Turla’s ComRAT backdoor that leverages Gmail’s web interface as C2 infrastructure.

Cybersecurity researchers discovered a new version of the ComRAT backdoor, also known as Agent.BTZ, which is a malware that was employed in past campaigns attributed to the Turla APT group.

Earlier versions of Agent.BTZ were used to compromise US military networks in the Middle East in 2008.

The new variant leverages Gmail’s web interface to covertly receive commands and exfiltrate sensitive data.

ComRAT v4 appeared in the threat landscape in 2017 and is still used by threat actors, recently a new variant was used in attacks against two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region.

This new version was developed from scratch and is far more complex than its predecessors. 

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

ComRAT is a sophisticated backdoor developed in C++. It can perform many malicious actions on infected systems, such as executing additional payloads or exfiltrating files.

The backdoor uses a virtual file system formatted in FAT16 and is deployed using existing access methods, including the PowerStallion PowerShell backdoor.

ComRAT leverages the following C2 channels:

  • HTTP: It uses exactly the same protocol as ComRAT v3
  • Email: It uses the Gmail web interface to receive commands and exfiltrate data

The main components of ComRAT v4 are:

  • an orchestrator, which is injected into the explorer.exe process and is used to control most of ComRAT's functions.
  • a communication module (a DLL), which is injected into the default browser by the orchestrator. It communicates with the orchestrator using a named pipe.
  • a Virtual FAT16 File System, containing the configuration and the logs files.

“The main use of ComRAT is discovering, stealing and exfiltrating confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents.” reads the report published by the experts.

To evade detection, ComRAT files, with the exception of the orchestrator DLL and the scheduled task used for persistence, are stored in a virtual file system (VFS). The default VFS container file is hardcoded in the orchestrator component, which drops it the first time it is executed.

The C&C “mail” mode is specific to the Gmail email provider.

The orchestrator reads the email address from /etc/transport/mail/mailboxes/0/command_addr and the cookies used to authenticate to Gmail from /etc/transport/mail/mailboxes/0/cookie, then parses the inbox HTML page (using the Gumbo HTML parser). The cookies have a limited lifetime, so they are updated from each interaction.

The Gmail parser retrieves the list of emails whose subject lines match those in a “subject.str” file in the VFS.

The ComRAT backdoor downloads the attachments (e.g. “document.docx,” “documents.xlsx”) from each email that meets the above criteria, then deletes the emails to avoid processing them twice.

Despite their extensions, the attachments are not Office documents, but rather encrypted blobs of data that include a specific command to be executed.

The backdoor creates an attachment containing the result of the commands; its name consists of 20 random digits followed by the so-called double extension .jpg.bfe.

The analysis of the time of day that commands were sent in a one-month period reveals that the operators are working in the UTC+3 or UTC+4 time zone.

“Version four of ComRAT is a totally revamped malware family released in 2017,” ESET concludes. “Its most interesting features are the Virtual File System in FAT16 format and the ability to use the Gmail web UI to receive commands and exfiltrate data. Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain.”
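Two mail-side heuristics derived from the ComRAT behaviour described above, as an added example that is neither ESET's nor the article's code: outbound attachments named like the backdoor's result files (20 digits plus the .jpg.bfe double extension) and inbound attachments with an Office extension whose leading bytes are not an Office container. The mail records are constructed samples, not real captures.

```python
"""Heuristics for the ComRAT v4 Gmail channel (added illustrative example).

Two indicators are checked on mail-gateway records:
  * outbound attachment names of exactly 20 digits plus ".jpg.bfe", the
    pattern the backdoor uses for command results;
  * inbound attachments whose name claims an Office format but whose first
    bytes are not an Office container (ComRAT's "document.docx" style
    attachments are encrypted blobs, not documents).
All records below are constructed sample data, not real captures."""

import re

# Result-file pattern: 20 random digits and the .jpg.bfe double extension
RESULT_NAME = re.compile(r"^\d{20}\.jpg\.bfe$")

# Leading bytes of genuine Office files: OOXML is a ZIP archive,
# the legacy binary formats are OLE2 compound documents.
OFFICE_MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
}


def office_extension(filename):
    """Return the Office extension of `filename`, or None if it has none."""
    lower = filename.lower()
    for ext in OFFICE_MAGIC:
        if lower.endswith(ext):
            return ext
    return None


def classify_attachment(direction, filename, head):
    """Return an indicator name for one attachment, or None if it looks benign.

    direction is "in" for mail received by the monitored mailbox and "out"
    for mail it sends; head is the first few bytes of the attachment."""
    if direction == "out" and RESULT_NAME.match(filename):
        return "comrat_result_upload"
    ext = office_extension(filename)
    if direction == "in" and ext and not head.startswith(OFFICE_MAGIC[ext]):
        return "office_name_non_office_content"
    return None


def scan(records):
    """Run both heuristics over mail records and return (id, indicator) hits
    in the order the records were seen."""
    hits = []
    for rec in records:
        verdict = classify_attachment(rec["direction"], rec["filename"], rec["head"])
        if verdict is not None:
            hits.append((rec["id"], verdict))
    return hits


# Constructed sample records; the digit strings are made up, not indicators.
SAMPLE_RECORDS = [
    {"id": "m1", "direction": "in", "filename": "document.docx",
     "head": b"PK\x03\x04\x14\x00\x06\x00"},            # real OOXML
    {"id": "m2", "direction": "in", "filename": "documents.xlsx",
     "head": b"\x8f\x1a\xc2\x77\x0b\x9e\x44\x21"},      # opaque blob
    {"id": "m3", "direction": "out", "filename": "12345678901234567890.jpg.bfe",
     "head": b"\x5c\x02\xe1\x9d"},                      # result upload
    {"id": "m4", "direction": "out", "filename": "holiday.jpg",
     "head": b"\xff\xd8\xff\xe0"},                      # ordinary JPEG
    {"id": "m5", "direction": "in", "filename": "report.doc",
     "head": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"},      # real OLE2
    {"id": "m6", "direction": "out", "filename": "1234567890123456789.jpg.bfe",
     "head": b"\x00"},                                  # 19 digits: no match
]

if __name__ == "__main__":
    for msg_id, indicator in scan(SAMPLE_RECORDS):
        print(msg_id, indicator)
```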

Pierluigi Paganini

The post New Turla ComRAT backdoor uses Gmail for Command and Control appeared first on Security Affairs.

How the Cybercriminal Underground Has Changed in 5 Years

Cybercriminal Underground

The cybercrime economy is one of the runaway success stories of the 21st century — at least, for those who participate in it. Estimates claim it could be worth over $1 trillion annually, more than the GDP of many countries. Part of that success is due to its ability to evolve and shift as the threat landscape changes. Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, we’ve seen a major shift to new platforms, communications channels, products and services, as trust on the dark web erodes and new market demands emerge.

We also expect the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.

Shifts in the underground

Our latest report, Shifts in the Cybercriminal Underground Markets, charts the fascinating progress of cybercrime over the past five years, through detailed analysis of forums, marketplaces and dark web sites around the world. It notes that in many product areas, the cost of items has dropped as they have become commoditised: where in 2015 you expected to pay $1,000 per month for crypting services, today they may cost as little as $20.

In other areas, such as IoT botnets, cyber-propaganda and stolen gaming account credentials, prices are high as new products spark surging demand. Fortnite logins can sell for around $1,000 on average, for example.

The good news is that law enforcement action appears to be working. Trend Micro has long partnered with Interpol, Europol, national crime agencies and local police to provide assistance in investigations. So it’s good to see that these efforts are having an impact. Many dark web forums and marketplaces have been infiltrated and taken down over the past five years, and our researchers note that current users complain of DDoS-ing and log-in issues.

Cybercriminals have been forced to take extreme measures as trust erodes among the community, for example, by using gaming communications service Discord to arrange trades, and e-commerce platform Shoppy.gg to sell items. A new site called DarkNet Trust was even created to tackle this specific challenge: it aims to verify cybercrime vendors’ reputations by analysing their usernames and PGP fingerprints.

What does the future hold?

However, things rarely stay still on the cybercrime underground. Going forward, we expect to see a range of new tools and techniques flood dark web stores and forums. AI will be at the centre of these efforts. Just as it’s being used by Trend Micro and other companies to root out fraud, sophisticated malware and phishing, it could be deployed in bots designed to predict roll patterns on gambling sites. It could also be used in deepfake services developed to help buyers bypass photo ID systems, or launch sextortion campaigns against individuals.

Some emerging trends are less hi-tech but no less damaging. Log-ins for wearable devices could be stolen and used to request replacements under warranty, defrauding the customer and costing the manufacturers dear. In fact, access to devices, systems and accounts is so common today that we’re already seeing it spun out in “as-a-service” cybercrime offerings. Prices for access to Fortune 500 companies can hit as much as $10,000.

Post-pandemic threats

Then there’s COVID-19. We’re already seeing fraudsters targeting government stimulus money with fake applications, sometimes using phished information from legitimate businesses. And healthcare organisations are being targeted with ransomware as they battle to save lives.

Even as the pandemic recedes, remote working practices are likely to stay in many organisations. What does this mean for cybercrime? It means more targeting of VPN vulnerabilities with malware and DDoS services. And it means more opportunities to compromise corporate networks via connected home devices. Think of it like a kind of Reverse BYOD scenario – instead of bringing devices into work to connect, the corporate network is now merged with home networks.

Tackling such challenges will demand a multi-layered strategy predicated around that familiar trio: people, process and technology. It will require more training, better security for home workers, improved patch management and password security, and much more besides. But most of all it will demand continued insight into global cybercriminals and the platforms they inhabit, to anticipate where the next threats are coming from.

Fortunately, this is where Trend Micro’s expert team of researchers come in. We won’t let them out of our sight.

The post How the Cybercriminal Underground Has Changed in 5 Years appeared first on .

Why Your Cyber Resilience Plan Doesn’t Include Windows 7


Our 2020 Threat Report shows increasing risks for businesses and consumers still running Windows 7, which ceased updates, support and patches earlier this year. This creates security gaps that hackers are all too eager to exploit. In fact, according to the report, malware targeting Windows 7 increased by 125%. And 10% of consumers and 25% of business PCs are still using it.

Webroot Security Analyst Tyler Moffitt points out that a violation due to a data breach could cost a business $50 per customer per record. “For one Excel spreadsheet with 100 lines of records, that would be $50,000.” Compare that with the cost of a new workstation that comes pre-installed with Windows 10 at around $500, and you quickly realize the cost savings that come with offloading your historic OS.

Windows 10 also has the added advantage of running automatic updates, which reduces the likelihood of neglecting software patches and security updates. Continuing to run Windows 7 effectively more than doubles the risk of getting malware because hackers scan for old environments to find vulnerable targets. Making matters worse, malware will often move laterally like a worm until it finds a Windows 7 machine to easily infect. And in a time when scams are on the rise, this simple OS switch will ensure you’re not the weakest link.

While businesses are most vulnerable to Windows 7 exploits, consumers can hardly breathe easy. Of all the infections tracked in the 2020 Threat Report, the majority (62%) were on consumer devices. This does, however, create an additional risk for businesses that allow workers to connect personal devices to the corporate network. While employees work from home in greater numbers due to COVID-19, this particular security risk will remain even higher than pre-pandemic levels.

Layers are key

As Moffitt points out, no solution is 100% safe, so layering solutions helps to ensure your cyber resilience is strong. But there is one precaution that is particularly helpful in closing security gaps. And that’s security awareness training. “Ninety-five percent of all infections are the result of user error,” Moffitt says. “That means users clicking on something they shouldn’t, thus infecting their computer or worse, an entire network.” Consistent training – 11 or more courses or phishing simulations over a four- to six-month period – can significantly reduce the rate at which users click on phishing simulations.

Also, by running simulations, “you get to find out how good your employees are at spotting scams,” Moffitt says. “If you keep doing them, users will get better and they will increase their efficacy as time goes on.”

Fight cyber-risks with cyber resilience

The best way to close any gaps in protection you may have is to deploy a multi-layered cyber resilience strategy, also known as defense-in-depth. The first layer is perimeter security that leverages cloud-based threat intelligence to identify advanced, polymorphic attacks. But since cyber resilience is also about getting systems restored after an attack, it’s also important to have backups that enable you to roll back the clock on a malware infection.

With so many people working from home amid the global coronavirus pandemic, it’s increasingly critical to ensure cyber resilient home environments in addition to business systems. Find out what major threats should be on your radar by reading our complete 2020 Threat Report.

The post Why Your Cyber Resilience Plan Doesn’t Include Windows 7 appeared first on Webroot Blog.

Bluetooth Vulnerability: BIAS

This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device:

Abstract: Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities that enable impersonation attacks during secure connection establishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure. We refer to our attacks as Bluetooth Impersonation AttackS (BIAS).

Our attacks are standard compliant, and are therefore effective against any standard compliant Bluetooth device regardless of the Bluetooth version, the security mode (e.g., Secure Connections), the device manufacturer, and the implementation details. Our attacks are stealthy because the Bluetooth standard does not require notifying end users about the outcome of an authentication procedure, or the lack of mutual authentication. To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

News articles.

Life and work in the next normal: WFH redefined

Work from home - aka WFH - should give employees their autonomy, not extend the company's authority into their private space. It should also give the company the opportunity to discontinue the use of the word "remote". Let's re-brand WFH to "Working From Here".

Updated AnarchyGrabber Steals Passwords, Spreads to Discord Friends

Researchers found an updated version of AnarchyGrabber that steals victims’ plaintext passwords and infects victims’ friends on Discord. Detected as AnarchyGrabber3, the new trojan variant modified the Discord client’s %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file upon successful installation. This process gave the malware the ability to load JavaScript files. The AnarchyGrabber version flexed this new capability when its […]… Read More
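The technique described above is a modification of a single bootstrap file inside the Discord client. A defender's counterpart is a file integrity check: record the hash of that file on a clean install and re-check it, while also flagging content that pulls in additional scripts. The following is an added example, not code from the article or from Discord; the path pattern is the one the article names (with `[version]` treated as a wildcard), the baseline hash is assumed to have been recorded by an administrator from a known-good install, and the loader patterns are constructed heuristics.

```python
"""Integrity check for the Discord client file that the article reports
AnarchyGrabber3 modifies. Added example; the baseline hash must be
recorded from a clean install (assumption), the regexes are constructed."""
import glob
import hashlib
import os
import re

# Path pattern quoted in the article, with "[version]" as a wildcard.
INDEX_JS_PATTERN = os.path.join(
    "Discord", "*", "modules", "discord_desktop_core", "index.js"
)

# Constructed heuristics: the file is a tiny bootstrap, so any extra
# script being loaded from it is worth a look even without a baseline.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"require\(\s*['\"][^'\"]*\.js['\"]\s*\)"),  # extra .js pulled in
    re.compile(rb"fs\.readFileSync\(.*\.js"),                 # script read from disk
    re.compile(rb"https?://[^\s'\"]+\.js"),                   # remote script URL
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def locate_index_js(appdata_dir: str) -> list:
    """Resolve the wildcard path for every Discord build folder present."""
    return sorted(glob.glob(os.path.join(appdata_dir, INDEX_JS_PATTERN)))


def verify_module_file(content: bytes, baseline_sha256: str) -> dict:
    """Compare file content with the known-good hash and scan for loaders."""
    digest = sha256_hex(content)
    hits = [p.pattern.decode() for p in SUSPICIOUS_PATTERNS if p.search(content)]
    return {
        "sha256": digest,
        "matches_baseline": digest == baseline_sha256,
        "suspicious_patterns": hits,
        "tampered": digest != baseline_sha256 or bool(hits),
    }


def check_install(appdata_dir: str, baseline_sha256: str) -> list:
    """One result dict per index.js found under the given AppData directory."""
    results = []
    for path in locate_index_js(appdata_dir):
        with open(path, "rb") as fh:
            result = verify_module_file(fh.read(), baseline_sha256)
        result["path"] = path
        results.append(result)
    return results


if __name__ == "__main__":
    # On Windows, APPDATA is set by the OS; the baseline is a placeholder here.
    appdata = os.environ.get("APPDATA", ".")
    for r in check_install(appdata, "<known-good sha256 recorded by admin>"):
        print(r["path"], "TAMPERED" if r["tampered"] else "ok", r["suspicious_patterns"])
```

The hash comparison catches any change; the pattern scan is there so that a run against a freshly updated client (where the baseline is stale) still surfaces an injected loader rather than a bare "hash mismatch".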

The post Updated AnarchyGrabber Steals Passwords, Spreads to Discord Friends appeared first on The State of Security.

Customized Android Builds Drive Global Security Inequality


Security experts have warned that default regional settings and pre-loaded applications may be exposing Android devices in some countries to a greater risk of cyber-attack.

F-Secure claimed today that large numbers of pre-bundled apps can expand the attack surface of a device.

The impact is potentially worse when country-specific rules block access to Google Play, meaning that users have to rely on third-party stores curated by the phone manufacturers themselves.

F-Secure claimed it found multiple vulnerabilities in the Huawei AppGallery which could be used to “create a beachhead” to launch additional attacks, such as one targeting the Huawei iReader which could allow hackers to execute code and steal data from devices.

Meanwhile, a simple phishing email/message could be enough to compromise the default configuration on the Xiaomi Mi 9 for China, India, Russia and maybe other countries, the security vendor claimed.

In another case, the research team compromised a Samsung Galaxy S9 by exploiting the fact that the device changes its behavior according to which country issued the SIM inside it.

“To perform this attack, an adversary must manipulate an affected Galaxy S9 user into connecting to a Wi-Fi network under their control (such as by masquerading as free public Wi-Fi),” F-Secure explained.

“If the phone detects a Chinese SIM, the affected component accepts unencrypted updates, allowing an adversary to compromise the device with a man-in-the-middle attack. If successful, the attacker will have full control of the phone.”

F-Secure warned that as the number of customized Android builds grows, the white hat community needs to double down on research.

“It’s important for vendors to consider the security implications when they’re customizing Android for different regions,” added senior security consultant, Toby Drew.

“People in one region aren’t more or less entitled to security than another, and if you have the same device configured to provide a less secure experience to users in one region compared to another, it’s creating a type of inequality by increasing their exposure to attacks.”

Malware opens RDP backdoor into Windows systems

A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor. Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”. Sarwent’s new capabilities Sarwent … More

The post Malware opens RDP backdoor into Windows systems appeared first on Help Net Security.

Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

Hangzhou, one of the major tech hubs in China, is planning to permanently use the tracking system developed to fight the COVID-19 outbreak.

The city’s health commission declared that the permanent version of the contact tracing system would be a “‘firewall’ to enhance people’s health and immunity” after the COVID-19 pandemic.

The contact tracing app was developed by Tencent and Alibaba and is mandatory; it implements a “triage” system based on the citizen’s travel history.

The app assigns users green, yellow, or red status. Residents who visited COVID-19 hot spots or were in contact with infected individuals are given a red code and asked to quarantine for 14 days. Residents in good health who had no contact with infected individuals are given a green code and can move around the city without restriction.

COVID-19 contact tracing system

The app is already used by one billion people and the codes it generates have been scanned more than nine billion times.

“According to Qiu Yuepeng, vice president of Tencent and President of Tencent Cloud, since the official version of the health code was launched on February 9, Tencent’s health code has covered more than 20 provinces and more than 400 cities and counties in the country, covering more than 1 billion people.” reads the post published by Tencent. “The total number of visits exceeded 26 billion, and the cumulative number of code visits exceeded 9 billion.”

Hangzhou’s Health Commission aims to permanently use the system, which would assign users a health score ranging from 0 to 100 based on different factors, such as their medical records, physical examinations, and habits (e.g. the steps they walk, the hours they sleep, or how much they exercise daily).

Clearly privacy advocates fear that the contact tracing system could improve the dragnet surveillance implemented by the Chinese government to monitor its citizens.

Facial recognition technology is widely adopted in China, where the government already uses the social credit system to monitor citizens’ online behaviour and assign a “citizen score.”

Pierluigi Paganini

(SecurityAffairs – COVID-19, contact tracing system)

The post Hangzhou could permanently adopt COVID-19 contact-tracing app appeared first on Security Affairs.

New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data

Cybersecurity researchers today uncovered a new advanced version of ComRAT backdoor, one of the earliest known backdoors used by the Turla APT group, that leverages Gmail's web interface to covertly receive commands and exfiltrate sensitive data. "ComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020," cybersecurity firm ESET said in a report shared with

Data on 29 Million Indian Jobseekers Leaked


The personal details of over 29 million Indian jobseekers have been posted to a dark web site, free for anyone to access.

Cybersecurity firm Cyble, which discovered the trove on an unnamed hacking forum, has in turn added the compromised information to its breach notification site AmIBreached.

It claimed to have found the posting during a regular sweep of the dark and deep web. The 2.3GB file includes email, phone, home address, qualification, work experience, current salary, employer and other details on job-hunters from all over India.

“Cyber-criminals are always on the lookout for such personal information to conduct various nefarious activities such as identity thefts, scams and corporate espionage,” said Cyble.

The vendor claimed that the leak had originated from a CV aggregation service which collected the data from legitimate job portal sites. An update over the weekend clarified that the data may have been initially exposed by an unprotected Elasticsearch instance, subsequently made inaccessible.

It continues to investigate these claims.

In the meantime, it spotted another threat actor posting nearly 2000 Aadhaar identity cards for free onto a hacking forum. They appear to originate from Madhya Pradesh state.

Also over the weekend, Cyble claimed that three hacking forums have themselves been breached, exposing user details and private chats.

The firm said it had been able to obtain databases related to Sinful Site, SUXX.TO and Nulled.

“All these hacking forums are based on general discussion and sharing of related resources. It is a place where users can find lots of great data leaks, hacking and cracking tools, software, tutorials, and much more. Along with that, over here the users can also take part in active discussions and make new friends,” it explained.

Specifically, the firm now has detailed info on users of SUXX.TO and Nulled, which were dumped on May 20, and private messages from Sinful Site, which were leaked on May 15.

Lawyers Aim £18bn Class Action Suit at easyJet


A specialist in group litigation has filed a potential £18bn class action claim against easyJet in London’s High Court, following the firm’s major data breach disclosure last week.

International law firm PGMBM said it had been contacted by “numerous affected people” and is urging more to come forward to join the case, which would pay out £2000 per impacted customer.

It clarified that Article 82 of EU General Data Protection Regulation (GDPR) grants customers the right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.

The Luton-headquartered airline revealed last week that a “highly sophisticated” attack on its IT infrastructure had compromised email addresses and travel details of nine million passengers, as well as the credit card details of just over 2200.

Despite claiming that it had no evidence that any of the stolen info had been misused, the airline warned those affected about follow-on phishing attacks.

Although it notified UK regulator the Information Commissioner’s Office (ICO) back in January, at around the time of the incident, it took several months for the firm to come clean to customers.

PGMBM has also claimed that the exposure of customers’ travel plans could pose security risks to those individuals, as well as being a gross invasion of privacy.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers,” argued managing partner, Tom Goodhead.

“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around the world.”

The case highlights the potentially serious financial repercussions of a major data breach, on top of the large fines GDPR regulators can theoretically impose.

The ICO has come in for some criticism recently after reports emerged that it may be considering a significantly lower fine than the £183.4m figure posted in a notice of intent last summer, in response to a major breach at British Airways.

Samsung’s new security chip is a standalone turnkey security solution

Samsung Electronics introduced a standalone turnkey security solution comprised of a Secure Element (SE) chip (S3FV9RR) and enhanced security software that offers protection for tasks such as booting, isolated storage, mobile payment and other applications. The latest security chip is Common Criteria Evaluation Assurance Level (CC EAL) 6+ certified, the highest level acquired by a mobile component. “In this era of mobility and contact-less interactions, we expect our connected devices, such as smart phones or … More

The post Samsung’s new security chip is a standalone turnkey security solution appeared first on Help Net Security.

Bugs in open-source libraries impact 70% of modern software

70 percent of the mobile and desktop applications in use today are affected by at least one security flaw that is present in an open-source library.

According to the Veracode’s annual State of Software Security report, 70 percent of mobile and desktop applications being used today have at least one security flaw that is the result of the use of an open-source library.

Experts pointed out that every library could be affected by one or more issues, which are inherited by all the applications that use it.

According to Veracode’s annual State of Software Security report, almost any modern application includes open source libraries that implement functionality that would be extremely tedious to write from scratch.

The experts analyzed over 85,000 applications and related imported libraries, accounting for over 351,000 unique external libraries.

“The number of external libraries found in any given application varies quite a bit depending on the language in which the application is being developed.” reads the report.

The use of open-source libraries is quite common, for example most JavaScript applications contain hundreds of libraries.

“Our research found that most JavaScript applications contain hundreds of open source libraries – some have over 1,000 different libraries. In addition, most languages feature the same set of core libraries.” reads the post published by Veracode. “JavaScript and PHP in particular have several core libraries that are in just about every application.”

Most of the vulnerabilities affecting the applications analyzed by the researchers were present in the Swift, .NET, Go, and PHP open-source libraries.

“But not all flaws are equal. Some security issues are relatively exotic or difficult to exploit while others may be much more significant to their application. It’s this sorting of the zebras from the horses to which we now turn.” continues the report.

Swift, which is widely used in the Apple ecosystem, has the highest density of vulnerabilities, but an overall low percentage of flawed libraries.

.NET has the lowest percentage of flawed libraries on a population that is more than 17 times larger than Swift.

Go has a high percentage of libraries with flaws; the good news is that it has an overall low number of flaws per individual library. Compared with Go, PHP has a higher rate of flawed libraries and more than double the density of flaws in a given library.

[Figure: open-source libraries flaws]

Cross-site scripting (XSS) is the most common vulnerability affecting open-source libraries; it is present in 30 percent of them. Other major issues are insecure deserialization (23.5 percent) and broken access control (20.3 percent). Insecure deserialization was a rare flaw among in-house applications.

“The report found that 70 percent of applications have a security flaw in an open source library on initial scan. Cross-Site Scripting is the most common vulnerability category found in open source libraries – present in 30 percent of libraries – followed by insecure deserialization (23.5 percent) and broken access control (20.3 percent).” continues the post.

Experts pointed out that addressing security vulnerabilities in open-source libraries is often not as difficult as one might expect.

“In the good news department, addressing the security flaws in these libraries is most often not a significant job. Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update. Major library upgrades are not usually required!” concludes the report.

“This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.”
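The report's point is that most library flaws are fixed by a minor or patch release, so the work is discovery and tracking rather than refactoring. The following added example (not Veracode's code or data) shows what that triage looks like in practice: a constructed dependency inventory is matched against a constructed advisory list, and each affected library is classified by how large the fixing upgrade is under semantic versioning, which the report's "minor version update" wording implies. Library names and versions are invented for the example.

```python
"""Classify library flaws by the size of the upgrade that fixes them.
Added example; inventory, advisories and library names are constructed."""
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; missing components count as 0."""
    parts = v.split(".")
    while len(parts) < 3:
        parts.append("0")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def classify_upgrade(current: str, fixed_versions: List[str]) -> Optional[Tuple[str, str]]:
    """Smallest fixed version newer than the pinned one, and the kind of jump."""
    cur = parse_version(current)
    candidates = sorted(
        (parse_version(f), f) for f in fixed_versions if parse_version(f) > cur
    )
    if not candidates:
        return None  # flaw known, but no newer fixed release exists yet
    (maj, mnr, _), label = candidates[0]
    if maj != cur[0]:
        kind = "major"
    elif mnr != cur[1]:
        kind = "minor"
    else:
        kind = "patch"
    return label, kind


# Constructed sample inventory: library -> pinned version
INVENTORY: Dict[str, str] = {
    "example-xml-parser": "2.3.1",
    "example-serializer": "1.9.0",
    "example-auth-lib": "0.8.2",
    "example-json": "4.1.0",
}

# Constructed sample advisories: library -> releases that contain the fix
ADVISORIES: Dict[str, List[str]] = {
    "example-xml-parser": ["2.3.4", "2.4.0"],   # a patch release is enough
    "example-serializer": ["1.10.0", "2.0.0"],  # a minor release is enough
    "example-auth-lib": ["1.0.0"],              # only a major bump carries the fix
    "example-json": [],                         # no fixed release published
}


def triage(inventory: Dict[str, str], advisories: Dict[str, List[str]]) -> Dict[str, dict]:
    """For each affected library: current version, target version, upgrade kind."""
    report = {}
    for lib, current in inventory.items():
        if lib not in advisories:
            continue  # no known flaw for this library
        result = classify_upgrade(current, advisories[lib])
        if result is None:
            report[lib] = {"current": current, "target": None, "kind": "no fix"}
        else:
            report[lib] = {"current": current, "target": result[0], "kind": result[1]}
    return report


def summary(report: Dict[str, dict]) -> Dict[str, int]:
    """Count affected libraries per upgrade kind: the report's 'how big a job' view."""
    counts: Dict[str, int] = {}
    for entry in report.values():
        counts[entry["kind"]] = counts.get(entry["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    rep = triage(INVENTORY, ADVISORIES)
    for lib, entry in rep.items():
        print(f"{lib}: {entry['current']} -> {entry['target']} ({entry['kind']})")
    print(summary(rep))
```

The "no fix" bucket is the one that needs engineering attention (a mitigation or a replacement library); the patch and minor buckets are the tracking problem the report describes.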

Pierluigi Paganini

(SecurityAffairs – open-source libraries flaws, hacking)

The post Bugs in open-source libraries impact 70% of modern software appeared first on Security Affairs.

Everything You Wanted to Know About IP Address Hacking

A lot of people think that they can do whatever they want on the Internet and remain anonymous. However, we all leave a trail on the web thanks to our Internet Protocol (IP) addresses. Basically, your IP is the physical address of your computer. Every single computer in the world has its own unique IP address. It allows computers to receive and send information within a particular network.

Needless to say, your internet protocol can say a lot of things about you. If you are curious to learn more about your IP address and user privacy, just keep reading:

Your IP address can get stolen

Government institutions, companies, and even your nerdy neighbor can spy on your IP address. You might say that it is not a big deal if random people learn where your computer is located, especially if you don’t do anything wrong.

The truth is that you don’t have to be an IT god to sniff out someone’s Internet Protocol without the owner’s permission. Let’s be honest, you don’t want some weirdos to know where you live and work.

It gets even better.

Companies are more than interested in capturing their customers’ IP addresses since it allows them to send personalized ads. Also, you can be blocked from accessing specific types of content. You have probably already seen a message: “This content is not available in your country.”

With your IP address, law enforcement can also get your exact home address and even hack into your emails. So, if you are planning on doing something illegal, you’d better be smart!

So, how exactly can your IP address get stolen?

  1. By opening a spam email.

Some junk emails include images that hide a little HTML bug (a piece of code) that can steal your IP address. That’s why it is better to use a spam filter and delete junk emails altogether from time to time.

  2. By lending your device to a friend.

If you give someone the password to your computer, they can easily find your IP address by typing into Google: What is my IP address? It will pop up right away. Don’t give your personal computer to people you don’t trust.

  3. By joining a forum.

Joining a forum to share some ideas and ask a few questions is not dangerous, is it? The thing is that the forums’ administrator can easily identify your Internet Protocol address once you register and accept the website’s terms and conditions.

Most sites try to protect their users’ data. However, better safe than sorry – don’t post sensitive information about yourself on the Internet. You might change your name on the forum, but it will not help you to prevent data leaks.

  4. Through social media.

Who doesn’t use Facebook, Instagram, and Twitter these days?

Although most social media sites will not reveal your IP address to other users, they can still collect it for their own benefits.
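The "HTML bug" in the spam-email item above is a remote image: when the mail client renders the message it fetches the image URL, and the server on the other end records the reader's IP address (and, via a per-recipient token in the URL, who opened it). Mail clients that ask before loading remote images are doing exactly the check below. This is an added example, not code from the article; the e-mail body is constructed.

```python
"""Find remote-image web bugs in an HTML e-mail body before rendering it.
Added example; the sample message is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose source is fetched over the network."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            return  # cid: (inline attachment) or data: images cause no network fetch
        style = (a.get("style") or "").replace(" ", "").lower()
        width, height = a.get("width") or "", a.get("height") or ""
        # A 1x1 or hidden remote image has no purpose except to trigger the fetch.
        hidden_or_tiny = (
            "display:none" in style or width in ("0", "1") or height in ("0", "1")
        )
        self.findings.append({
            "url": src,
            "host": parsed.hostname,
            "has_query": bool(parsed.query),  # per-recipient token identifies the reader
            "hidden_or_tiny": hidden_or_tiny,
        })


def find_web_bugs(html_body: str) -> list:
    """Return one dict per remote image, in document order."""
    parser = RemoteImageFinder()
    parser.feed(html_body)
    parser.close()
    return parser.findings


# Constructed sample: a tracking pixel, a legitimate-looking logo, an inline image.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs attention, click here!</p>
<img src="https://tracker.example.net/open?u=recipient-12345" width="1" height="1" style="display:none">
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="cid:inline-signature" alt="signature">
</body></html>"""


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL):
        flag = "TRACKING PIXEL" if bug["hidden_or_tiny"] else "remote image"
        print(f"{flag}: {bug['host']} (token in URL: {bug['has_query']})")
```

Any remote image reveals the reader's IP address when loaded, so a cautious client blocks them all; the `hidden_or_tiny` and `has_query` flags only rank which ones exist solely to track.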

How to protect yourself from IP address hacking?

The good news is that it is possible to protect your privacy while browsing the web. The first and most important step is to create a unique, strong password on your device. That’s how you can be sure that your IP address won’t be decoded while you take a break and leave your computer for a while.

It is recommended to use a password that is a mix of characters and numbers. Try to avoid common substitutions and memorable keyboard paths.

Secondly, start using a virtual private network (VPN) on a daily basis. You will be able to change your IP address to one in another country and protect yourself from data leaks.

Another thing that you can do to protect yourself is to restrict all your apps. PC and mobile phone applications are considered a major source of hacking. When installing the apps, make sure to choose the private mode.

Other than that, be careful with opening unknown emails, especially the attachments to them.

Last but not least, consider adding an extra protective layer by getting the latest version of antivirus software.

The antivirus software can detect danger when you are browsing the Internet and intercept viruses before they do any harm to your files.

You should understand that good behavior on the web (not downloading pirated software or visiting porn sites) will not protect you from hacking. That’s why having decent antivirus software is a must.

The bottom line

IP address hacking is nothing pleasant. These days, people lose their personal data all the time. If you don’t want to become a victim of a random IT guy, make sure to take the necessary measures to protect yourself from IP address hacking.

The post Everything You Wanted to Know About IP Address Hacking appeared first on .