Monthly Archives: June 2020

How Entertaining Ourselves at Home Has Become a Risky Business

Online entertainment is certainly having a moment. While we all stayed home and socially distanced, many of us filled our time binge-watching movies and TV series  – and wasn’t it fabulous!! But did you know that researching your next binge-watching project could actually be putting you at risk?

Aussies Love TV

There is no doubt that us Aussies love our TV and the statistics confirm this. With over three-quarters of Aussies watching TV and over two-thirds browsing the internet to pass the time during lockdown, we are clearly a country of screen-time professionals. And with just under a million new Aussies gaining access to a streaming service in their household, it seems everyone is doing their bit to support the entertainment industry!

But streaming isn’t cheap and can add up fast (particularly when you have multiple accounts) prompting many of us to look for free alternatives. And our desire to save a buck or two when trying to find our next binge-watching project hasn’t escaped the attention of cybercriminals who have a knack for crafting convincing scam strategies that are in sync with consumer trends.

What’s the Most Targeted Show to Search For?

McAfee analysed over 100 of the top ‘talked about’ entertainment titles available across the leading streaming providers here in Australia and identified the 10 most targeted shows (both TV and film) to search for.

The series Unorthadox and movie Ace Ventura took the top place in their respective categories as having the highest ‘web search risk’ which means cybercriminals have put a lot of effort into developing scams around these titles. Scams could include websites offering free downloads of these titles – which require you to enter your personal information – or, pirated videos that contain malware which could access the private data on your device.

Here are the top 10 riskiest shows in both categories:

Series – Australian Top 10 Most Targeted

  1. Unorthadox
  2. You
  3. Family Guy
  4. Big Mouth
  5. Homeland
  6. The Vampire Diaries
  7. Dynasty
  8. Lost
  9. Brooklyn Nine-Nine
  10. Stranger Things

Movies – Australian Top 10 Most Targeted

  1. Ace Ventura
  2. Green Book
  3. John Wick
  4. Machinist
  5. Annihilation
  6. Ex Machina
  7. A Star Is Born
  8. Fyre
  9. Lady Macbeth
  10. Bird Box

Horror and Thriller Films seem to be the trend!

It appears as though our love for horror and thriller films may be putting us in danger, with five of the top ten films most targeted by cybercriminals falling into these genres. With social distancing restrictions in place, Aussies are clearly seeking to add some thrill back into their lives which has opened up new opportunities for cybercriminals. Consumers need to be careful when it comes to searching for stimulating content to escape reality to ensure it doesn’t translate to real-life malware horror.

How You Can Stay Safe While Binge-Watching At Home

Now, I want to make it very clear – this news doesn’t mean you need to give up nights on the couch. Not at all! Instead, just follow a few simple steps and you can continue binge-watching till your heart is content!

Here are my top tips for staying safe:

  1. Be Careful What You Click –if you are looking to catch up on the latest season of You or A Star is Born, please only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from sources like iTunes or Amazon, instead of downloading a “free” version from a website that could contain malware.
  2. Do NOT use Illegal Streaming Sites – this is not negotiable! Many illegal streaming sites are riddled with malware disguised as pirated video files. Malware could cause you a world of pain. Not only could it cause your device to freeze or crash, it could steal sensitive information and give cybercrims unauthorized access to system resources. So, do your device a favor and stream your favourite show from a reputable source.
  3. Protect your Online Life with a Cybersecurity Solution –why not send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

So, when you are looking for your next binge-watching project, please take a moment before you download. Ensure the site you are accessing content from is legit (have you heard of it before? is it offering something for free when every other streaming service has a fee?) and if you are even a little unsure that it doesn’t look professional then DON’T click! The last thing you want is a bonus virus to interrupt your night in on the couch!

Happy Watching!!

Alex xx

 

 

 

 

The post How Entertaining Ourselves at Home Has Become a Risky Business appeared first on McAfee Blogs.

How do I select a SIEM solution for my business?

A Security Information and Event Management (SIEM) solution collects and analyzes activity from numerous resources across your IT infrastructure. A SIEM can provide information of critical importance, but how do you find one that fits your organization? To select an appropriate SIEM solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals in order to get insight to help you get started. Jae Lee, Senior Director, … More

The post How do I select a SIEM solution for my business? appeared first on Help Net Security.

Scamming Your Through Social Media

You may be aware that cyber attacks will try to trick you over the phone or through email using phishing attacks, but do you realize they may try to attack you also over Social Media, such as through Snapchat, Twitter, Facebook or LinkedIn? Just like in email, if you get any Social Media messages that are highly urgent or too good to be true, it may be an attack.

Ransomware attacks are increasing, do you have an emergency plan in place?

39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before, Ontrack reveals. Cyberattacks and data breaches can have serious implications for organizations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to … More

The post Ransomware attacks are increasing, do you have an emergency plan in place? appeared first on Help Net Security.

Surge in unique clients reporting brute-force attack attempts

There’s a significant uptick in the number of unique clients who have reported brute-force attack attempts, ESET reveals. Trend of RDP attack attempts against unique clients (per day) detected by ESET The trend has been observed since the onset of the global pandemic. The COVID-19 crisis has radically changed the nature of everyday work, forcing employees to manage large parts of their jobs via remote access. Cybercriminals exploiting remote work Cybercriminals – especially ransomware operators … More

The post Surge in unique clients reporting brute-force attack attempts appeared first on Help Net Security.

Organizations need an agile response to unexpected risks

The average $5 billion company incurs delays of roughly 5 weeks per year in new product launches due to missed risks, with a $99 million opportunity cost, according to Gartner. Opportunity costs from missing risks A survey of more than 382 strategic initiative leaders quantified the cost of missing risks in strategic initiatives. For an average $5 billion revenue company it amounts to $99 million annually in opportunity cost from delayed new product launches alone. … More

The post Organizations need an agile response to unexpected risks appeared first on Help Net Security.

The CSA IoT Security Controls Framework

Building the Case for IoT Security Framework The Internet of Things (IoT) is growing in technical, social, and economic significance. ENISA defines the increasingly complex IoT systems as “cyber-physical ecosystem[s] of interconnected sensors and actuators, which enables intelligent decision making.” These technologies collect, exchange and process data in order to dynamically adapt to a specific […]… Read More

The post The CSA IoT Security Controls Framework appeared first on The State of Security.

Realizing cybersecurity risks does not mean sticking to the rules

72% of remote workers say they are more conscious of their organization’s cybersecurity policies since lockdown began, but many are breaking the rules anyway due to limited understanding or resource constraints, Trend Micro reveals. The study is distilled from interviews with 13,200 remote workers across 27 countries on their attitudes towards corporate cybersecurity and IT policies. It reveals that there has never been a better time for companies to take advantage of heightened employee security … More

The post Realizing cybersecurity risks does not mean sticking to the rules appeared first on Help Net Security.

D-Link’s PoE surveillance switch series is designed for surveillance in homes and small offices

D-Link announced its new PoE surveillance switch series, which includes the 9-Port PoE Unmanaged Surveillance Switch (DSS-100E-9P) and the 18-Port PoE Unmanaged Surveillance Switch (DSS-100E-18P). Supporting long range PoE delivery, DSS-100E switches are a cost-effective solution that provide a versatile and reliable surveillance network. Long-reach PoE connection that can reach 250 meters enables the switch to power devices in far-reaching or remote network deployments. Combined with the DPE-302GE PoE Extender, the connection can reach 650 … More

The post D-Link’s PoE surveillance switch series is designed for surveillance in homes and small offices appeared first on Help Net Security.

SafeGuard 7.6: Improved threat visibility, defense and protection across social platforms

SafeGuard Cyber announced the release of new capabilities within its flagship collaboration, chat, and social media security platform. SafeGuard 7.6 now performs threat analysis on managed social and digital accounts to detect and remediate malware, including zero day exploits and associated messaging, file attachments, and links that are shared on these channels. Rapid adoption of social collaboration channels, coupled with the quick migration to work-from-home during the COVID pandemic, has created a broad attack surface … More

The post SafeGuard 7.6: Improved threat visibility, defense and protection across social platforms appeared first on Help Net Security.

SevOne Data Insight 3.0: Ensuring continuous performance for hybrid networks

SevOne announced the launch of Data Insight 3.0, an integrated component of the SevOne Network Data Platform. This release of Data Insight 3.0 and availability of solutions for SD-WAN, Wi-Fi, and SDN completes the product transformation from a network monitoring appliance to an integrated network data platform to ensure continuous network performance. To advance their digital transformations, enterprises, CSPs and MSPs are moving from their old, static, hardware-centric architectures to dynamic networks. In these new, … More

The post SevOne Data Insight 3.0: Ensuring continuous performance for hybrid networks appeared first on Help Net Security.

Zyxel Nebula update enhances WiFi security and opens API for use by MSPs

Zyxel Networks announced the release of the latest update to its Nebula Cloud Networking Solution. The upgrade, which is available now as a free firmware release for Zyxel Nebula managed access points, switches and security gateways, incorporates key features that enhance WiFi security and enable vertical partners to incorporate the delivery of new value-add services. WiFi access management made easy and secure A new feature included in the Nebula update makes the management of Wifi … More

The post Zyxel Nebula update enhances WiFi security and opens API for use by MSPs appeared first on Help Net Security.

A Boxcryptor audit shows no critical weaknesses in the software

More and more companies, self-employed and private customers are using Boxcryptor to protect sensitive data – primarily in the cloud. Boxcryptor ensures that nobody but authorized persons have access to the data. Cloud providers and their staff, as well as potential hackers are reliably excluded. The audit verified whether this protection is guaranteed. During the audit, Kudelski was given access to the source code of Boxcryptor for Windows and to the internal documentation. “All these … More

The post A Boxcryptor audit shows no critical weaknesses in the software appeared first on Help Net Security.

Siemens adopts the Everbridge CEM Platform to safeguard people and operations

Everbridge announced that Siemens will adopt the Everbridge CEM Platform to help protect Siemens’ workforce and operations against critical events of all kinds, from the COVID-19 pandemic and political unrest to sudden economic changes and more. The two companies have also formed a technology alliance in which Siemens will share domain know-how, artificial intelligence (AI) and machine learning technology to enhance Everbridge capabilities. “We are very excited about our shared vision of combining Everbridge’s top-of-class … More

The post Siemens adopts the Everbridge CEM Platform to safeguard people and operations appeared first on Help Net Security.

Cloud Security Alliance and ISSA unite to build, support, and strengthen the cybersecurity community

The Cloud Security Alliance (CSA) and the International Systems Security Association (ISSA) announced that the two parties have signed a memorandum of understanding (MOU) to collaborate on a variety of initiatives with the goal of both supporting and strengthening the cybersecurity profession. “Our partnership with ISSA heralds an exciting opportunity for both organizations to collaborate and bring our strengths and unique sets of expertise to the table to benefit cloud and cybersecurity professionals across the … More

The post Cloud Security Alliance and ISSA unite to build, support, and strengthen the cybersecurity community appeared first on Help Net Security.

Upwork and Citrix team up to power flexible work

Upwork is teaming with Citrix Systems to power flexible work. Upwork announced the launch of the Upwork Talent Solution with Citrix Workspace, a unique offering designed to deliver a best-in-class secure remote infrastructure for companies to boost efficiency and productivity as the world increasingly adopts the benefits of remote, on-demand talent. Research shows businesses are increasingly moving to more remote and flexible workforces. According to Gartner, nearly a quarter of CFOs said they will move … More

The post Upwork and Citrix team up to power flexible work appeared first on Help Net Security.

Adriana Gil Miner joins Qumulo as chief marketing officer

Qumulo announced the appointment of Adriana Gil Miner as chief marketing officer (CMO). In this role, Gil Miner will be responsible for leading Qumulo’s global marketing and brand strategy as the company helps customers innovate faster and leverage the power of cloud data services. Gil Miner brings more than 20 years of experience as a results-driven marketing executive, elevating brands and introducing new products and services in high growth markets. Most recently, she was Senior … More

The post Adriana Gil Miner joins Qumulo as chief marketing officer appeared first on Help Net Security.

Why Should You Pay for a Security Solution?

Safe Online Dating

Do you ever go a single day without using a digital device? The answer is probably not. According to the Digital 2019 report by Hootsuite and We Are Social, users spend almost 7 hours a day online. And due to the recent stay-at-home orders, that number has only increased (internet hits recently surged between 50% to 70%). What’s more, U.S. households are now estimated to have an average of 11 connected devices – that’s almost 3 devices per person in my family!  

As the use of devices, apps, and online services increases daily, so do the number of online threats consumers face. That’s why it is important users consider what the best method is for securing their digital life 

My advice? Use a comprehensive security solution (and I’m not only saying this because I work for McAfee). Here’s why. 

The Limitations of Free Security Tools

Let’s be real – we all love free stuff (Costco samples anyone?). However, when it comes to my family’s security, am I willing to risk their safety due to the limitations of free solutions?  

Free tools simply don’t offer the level of advanced protection that modern technology users need. Today’s users require solutions that are as sophisticated as the threats they face, including everything from new strains of malware to hacking-based attacks. These solutions also quite literally limit consumers’ online activity too, as many impose limits on which browser or email program the user can leverage, which can be inconvenient as many already have a preferred browser or email platform (I know I do).  

Free security solutions also carry in-app advertising for premium products or, more importantly, may try to sell user data. Also, by advertising for premium products, the vendor indirectly admits that a free solution doesn’t provide enough security. These tools also offer little to no customer support, leaving users to handle any technical difficulties on their own. What’s more, most free security solutions are meant for use on only one device, whereas the average consumer owns over three connected devices. 

Security should provide a forcefield that covers users in every sense of the word – the devices they use, where they go online, how they manage and store information, and their personal data itself 

Connected Consumers Need Comprehensive Solutions

Today’s users need more than just free tools to live their desired digital life. To truly protect consumers from the evolving threat landscape, a security solution must be comprehensive. This means covering not only the user’s computers and devices, but also their connections and online behaviors. Because today’s users are so reliant on their devices and connections to bridge the gap between themselves and the outside world, security solutions must work seamlessly to shield their online activity – so seamlessly that they almost forget the solution is there. This provides the user with the protection they need without the added distractions of in-app advertising or the constant worry that their subpar solution might not secure them from common online threats.  

Why McAfee Matters

Free security products might provide the basics, but a comprehensive solution can protect the user from a host of other risks that could get in the way of living their life to the fullest. McAfee knows that users want to live their digital lives free from worry. That’s why we’ve created a line of products to help consumers do just that. With McAfee® Total Protection, users can enjoy robust security software with a comprehensive, yet holistic approach to protection.  

First, consumers are safeguarded from malware with cloud-based threat protection that uses behavioral algorithms to detect new threats – specifically protecting the device and web browsing. The software’s detection capabilities are constantly being updated and enhanced, without compromising the performance of users’ devices.  

McAfee also provides users with protection while surfing the web, where they can face a minefield of malicious ads or fraudulent websites. These pesky threats are designed to download malware and steal private information. That’s why McAfee® LiveSafe and McAfee® Total Protection include McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files. They also include McAfee® Identity Theft Protection, which helps users stay ahead of fraud with Dark Web monitoring and SSN Trace to see if personal information has been put at risk 

Finally, we can’t forget about the importance of mobile threat detection, given that consumers spend nearly half of their online time via their mobile devices. Hackers are fully aware that we live in a mobile world, and coincidentally they’ve stepped up mobile attacks. That’s why McAfee solutions provide multi-device protection so you can safely connect while on the go.  

With robust, comprehensive security in placeyour family’s devices will be consistently protected from the latest threats in the ever-evolving security landscape. With all these devices safeeveryone’s online life is free from worry.   

Stay Updated

To stay updated on all things  McAfee  and on top of the latest consumer and mobile security threats, follow @McAfee_Homeon Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Why Should You Pay for a Security Solution? appeared first on McAfee Blogs.

Ransomware Targets Mac Users

Malwarebytes Says Malware Hidden in Fake Installer for 'Little Snitch' App
A ransomware strain targeting Mac users is spreading via a fake installer for Little Snitch - a host-based application firewall for macOS - according to the security firm Malwarebytes, which says the malware is poorly designed.

IDEMIA appoints Pierre Barrial as President and CEO of the Group

The supervisory board of IDEMIA has appointed Pierre Barrial as the new President & CEO of the Group, replacing Yann Delabrière who resumes his previous role as Chairman of the Board. Matthew Cole, who has joined the Group, has taken on Pierre Barrial’s previous position as head of the Secure Enterprise Transactions (SET) division. Over the last 18 months, IDEMIA has restored its growth and cash generation performance after the creation and successful integration of … More

The post IDEMIA appoints Pierre Barrial as President and CEO of the Group appeared first on Help Net Security.

Introducing Cisco AMP for Endpoints – Premier

With the SecureX Threat Hunting feature, organizations can add an active, managed threat hunting practice to their environment 

As advanced threats continue to proliferate throughout an organizations’ IT infrastructure, threat hunting has become an important part of the overall security strategy.  Threat hunting has typically been saved for the most mature environments where skilled personnel leverage knowledge and tools to formulate and investigate hypotheses relating to their organization’s security across the threat landscape. Fortunately, with technology advancements and automation, threat hunting is now within the reach for every organization. 

There are five key challenges that organizations face when trying to implement a threat hunting practice on their own. 

  • Limited Resources – Organizations are struggling in sourcing talented threat hunters. They are also challenged with their limited capability, legacy infrastructure and architecture 
  • Alert Prioritization – There are floods of alerts daily and it is difficult to prioritize investigations, compounded by the fact that it is difficult to identify the source of the threat 
  • Effective Intel Usage – It is difficult to operationalize threat intelligence and many sources are often unreliable and out-of-date 
  • Internet-wide threat visibility – Organizations struggle with how to identify where attackers stage attacks and how domains, IPs, ASNs, and malware are connected 
  • Threat Hunting has a maturation journey – When organizations begin threat hunting practice, they typically start with only the lowlevel IOCs hunts and have to advance to higher levels, which takes time 

SecureX Threat Hunting, a feature of Cisco AMP for Endpoints, uniquely identifies threats, alerting organizations before they can cause further damage by: 

  • Uncovering hidden threats faster across the attack surface – Using MITRE ATT&CK™ and other industry best practices 
  • Improving security posture instantly – Adding an established threat hunting practice to significantly advance your security maturation 
  • Reducing alert fatigue – Through SecureX Threat Hunting your organization receives fewer, high confidence, and high impact actionable alerts 

Our new threat hunting feature combines our Orbital Advanced Search feature with expertise from elite threat hunters to proactively find more sophisticated threats. Once threats are detected, customers are notified within their AMP Console, so they can begin remediation. The AMP Console features a Threat Hunting report that shows the new findings with all of the relevant context and events mapped to MITRE ATT&CK™ TTP’s, together with recommendations for incident responders on what to do next to further investigate or remediate based on the findings. 

Threat Hunting is critical because legacy security tools fail to stop advanced threats, sophisticated attackers make detection extremely difficult, and even artificial intelligence and machine learning techniques may fall short in stopping all attacks. 

Cisco SecureX Threat Hunting is an analyst-centric process that uncovers hidden advanced threats, missed by automated and detective controls in our customers’ environments. Our threat hunting adds significant value to their organizations through: 

  • Reduction in dwell time (infection to detection) 
  • Reduction in breakout time (initial compromise to lateral movement) 
  • Increased exfiltration detection (data detected leaving your organization) 
  • Decreased time to containment (detect/ prevent spread or lateral movement) 

One of our beta SOC Manager customers was quoted after our threat hunting delivered a high-fidelity alert active in their environment as saying, “We were working on that computer that evening, when we got a notification from Cisco. I love this product (SecureX Threat Hunting), I love the remediation steps, the backend intelligence on correlation and what the campaign is, and how to handle it, and how to remediate. It is exactly a product we want, makes sense of all alerts, and tells us what to do exactly”. 

Click here to learn more about this offering as well as to see a package comparison of all the AMP for Endpoints offerings. You can also sign up for our virtual Threat Hunting Workshop, or request a free trial. 

The post Introducing Cisco AMP for Endpoints – Premier appeared first on Cisco Blogs.

APTs will exploit Palo Alto Networks’s PAN-OS flaw soon, US Cyber Command says

U.S. Cyber Command believes foreign APTs will likely attempt to exploit the recently addressed flaw in Palo Alto Networks’s PAN-OS firewall OS.

Recently Palo Alto Network addressed a critical vulnerability, tracked as CVE-2020-2021, affecting the PAN-OS operating system that powers its next-generation firewall. The flaw could allow unauthenticated network-based attackers to bypass authentication, it has has been rated as critical severity and received a CVSS 3.x base score of 10.

According to Palo Alto Networks the vulnerability impacts PAN_OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue doesn’t affect PAN-OS 7.1.

The company confirmed that the vulnerability cannot be exploited if SAML is not used for authentication and if the ‘Validate Identity Provider Certificate’ option is enabled (checked) in the SAML Identity Provider Server Profile.

“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources,” reads the security advisory published by the company. “The attacker must have network access to the vulnerable server to exploit this vulnerability.” “In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies,” 

In attacks against PAN-OS and Panorama web interfaces, this vulnerability could be exploited by an unauthenticated attacker with network access to log in as an administrator and perform administrative actions.

CERT/CC analyst Will Dormann noticed that some identity service providers suggest customers use configuration that could be exploited by attackers to trigger the issue.

The good news is that Palo Alto Networks is not aware of attacks in the wild exploiting this vulnerability.

Admins could determine if their installs are vulnerable following the instructions provided by the company in a knowledge base article.

The USCYBERCOM believes that nation-state actors will likely attempt to exploit the vulnerability in Palo Alto Networks’ firewall very soon.

“Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use,” US Cyber Command said in a tweet.

“Foreign APTs will likely attempt [to] exploit soon.”

Pierluigi Paganini

(SecurityAffairs – hacking, Palo Alto Networks)

The post APTs will exploit Palo Alto Networks’s PAN-OS flaw soon, US Cyber Command says appeared first on Security Affairs.

Brute-Force Attacks Targeting RDP on the Rise

ESET Researchers: Attacks Open the Door to Lauching Ransomware, Planting Cryptominers
Since the start of the COVID-19 pandemic, the number of brute-force attacks targeting RDP connections has steadily increased, spiking to 100,000 incidents per day in April and May, according to the security firm ESET. These attacks pave the way for launching ransomware attacks and planting cryptominers.

Faulty Drivers Fuel ATM Hacking Problem, Say Researchers

Faulty Drivers Fuel ATM Hacking Problem, Say Researchers

Faulty Windows drivers are to blame for many attacks against ATM and point-of-sale (POS) devices, according to research from Portland, Oregon–based hardware security research company Eclypsium. In a report released this week, it built on previous research highlighting how attackers can exploit poorly designed third-party drivers to gain control over the kernel of Microsoft's operating system and the underlying device firmware. It went on to explain how people can exploit these vulnerabilities to target highly regulated devices.

The researchers found a vulnerable Windows driver exposing a Diebold Nixdorf ATM to attack after acquiring the computer used in the ATM, which controls critical components, including the cash cassettes. The hardware driver provided arbitrary access to I/O ports on the system, enabling it to access devices connected via the PCI interface. The system also used the driver to update the device's BIOS firmware, which could enable it to install a boot kit, they warned. The ATM vendor has already worked with Eclypsium to fix the problem, the report said.

This is not an isolated problem, the researchers warned. "These capabilities in a vulnerable driver could have a devastating impact on ATM or POS devices. Given that many of the drivers in these devices have not been closely analyzed, they are likely to contain undiscovered vulnerabilities," the report said.

Eclypsium drilled down into the specific driver problems that create problems for the Windows kernel in previous research. It named several vendors that had released vulnerable drivers for their devices.

For a long time, there was no way for Windows to mitigate these problems. That changed with the introduction of hypervisor-enforced code integrity (HVCI), which protects Windows from malicious code using built-in virtualization features. The problem is that this feature requires newer processors and isn't yet supported by many third-party drivers, they warned.

ATM hardware doesn't get replaced all that often, meaning that many of them won't be equipped with HVCI. Regulations also slow down the driver patching process, the researchers added. If a device is certified to external security standards, then any change that a vendor makes to its software or firmware could result in delays as it goes through the certification process again, they said.

Other security companies have also highlighted problems with patching ATM software. In a 2019 white paper about ATM security challenges, Fortinet pointed out that manual processes for patching ATMs might fall outside the scope of corporate patch management systems that banks use for conventional IT equipment. That can make it difficult for IT administrators to patch thousands of ATMs across a distributed infrastructure, it warned.

Attacks on ATM hardware (as opposed to the use of add-on skimming devices) are a perennial problem for banks. In September 2019, malware from the Lazarus Group was discovered targeting ATMs in Indian banks. Cash-out crews have also reportedly been targeting US ATMs with 'jackpotting' attacks, in which malware forces devices to continually dispense cash, since 2018.

Unauthorized Data Sharing Puts Companies at Risk

Unauthorized Data Sharing Puts Companies at Risk

Inappropriate data sharing continues to be a problem for companies, according to a survey from data discovery and auditing software vendor Netwrix. Although most companies have designated secure storage areas for their data, many find it leaking into insecure areas, its research found.

A quarter of companies have discovered data stored outside designated secure locations in the past year, according to the vendor's "2020 Data Risk & Security" report. It took them considerable time to discover the stray data, with 23% reporting that it lay undiscovered for weeks.

This data seems to make its way into insecure storage because employees don't follow data sharing policies, if they exist at all. According to the survey, 30% of systems administrators granted direct access to sensitive data based only on user requests. The results show up in audits and can lead to financial penalties. Of companies that experienced unauthorized data-sharing incidents, 54% ended up with non-compliance findings from audits.

Many companies don't keep tabs on user data access privileges, the survey found. He reported that a little over half of all organizations don't review these access privileges regularly.

This lack of visibility into access rights makes it hard to track data sharing. According to the survey, only half of all organizations are confident that employees are sharing data without the IT department's knowledge. Of those, 29% cannot track employee data sharing at all, making their claims difficult to prove.

The survey examined all stages of the data life cycle from creation through to disposal. It found poor practices at the data-creation stage that have direct implications for other stages such as data sharing. Nearly two-thirds of the survey respondents said that they couldn't confirm they only collect the minimum amount of customer data required. Of those, 34% are subject to the GDPR, which limits the amount of data they are allowed to collect. Companies that collect more customer data than they need to and fail to manage it properly later on compound their security risk.

The survey covered 1,045 IT professionals around the world, with the largest proportion (48%) coming from North America, followed by 26% from the EMEA region. Half the companies had 1,000 employees or fewer.

The psychology of social engineering—the “soft” side of cybercrime

Forty-eight percent of people will exchange their password for a piece of chocolate,[1] 91 percent of cyberattacks begin with a simple phish,[2] and two out of three people have experienced a tech support scam in the past 12 months.[3] What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

People are by nature social. Our decision making is highly influenced by others. We are also overloaded with information and look to shortcuts to save time. This is why social engineering is so effective. In this blog, I’ll share the psychology behind Cialdini’s Six Principles of Persuasion to show how they help lure employees and customers into social engineering hacks. And I’ll provide some tips for using those principles to create a social engineering resistant culture.

Dr. Robert Cialdini is Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University and founder of Influence at Work. He has spent his entire career studying what makes people say “Yes” to requests. From that research he developed Six Principles of Persuasion: Reciprocity, Scarcity, Authority, Consistency, Liking, and Consensus. So let’s take a look at how each of these principles is used in social engineering campaigns and how you can turn them around for good.

Reciprocity

People are inclined to be fair. In fact, receiving a gift triggers a neurological response in the areas of the brain associated with decision-making. If my friend buys me lunch on Friday, I will feel obliged to buy her lunch the next time we go out. Social psychologists have shown that if people receive a holiday card from a stranger, 20 percent will send one back.[4] And providing a mint at the end of a meal can increase tipping by 18-21 percent.

How reciprocity is used in phishing: You can see evidence of the Principle of Reciprocity in phishing campaigns and other scams. For example, an attacker may send an email that includes a free coupon and then ask the user to sign up for an account.

Leveraging reciprocity to reduce phishing: According to Dr. Cialdini, the lesson of “the Principle of Reciprocity is to be the first to give...” Many organizations pay for lunch to get people to come to trainings, but you may also consider giving away gift certificates for coffee or a fun T-shirt. If the gift is personal and unexpected, it’s even more effective. After you give, ask people to commit to your security principles. Many will feel compelled to do so.

Scarcity

Why do so many travel websites tell you when there are only a few remaining flights or rooms? The Principle of Scarcity. It’s human nature to place a higher value on something that is in limited supply. In one experiment, college students judged cookies more appealing if there were fewer in the jar.[5] Even more appealing? When an abundant supply of cookies was later reduced to scarcity.

How scarcity is used in phishing: Attackers take advantage of our desire for things that seem scarce by putting time limits on offers in emails. Or, in another common tactic, they tell people that their account will deactivate in 24 hours if they don’t click on a link to get it resolved.

Leveraging scarcity to reduce phishing: You can leverage scarcity to engage people in security behaviors too. For example, consider giving a prize to the first 100 people who enable multi-factor authentication.

Authority

People tend to follow the lead of credible experts. Doctors (think Dr. Fauci), teachers, bosses, and political leaders, among others, have huge sway over people’s actions and behaviors. If you’ve heard of the Milgram study,[6] you may be familiar with this concept. In that study an experimenter convinced volunteers to deliver increasingly more severe shocks to a “learner” who didn’t answer questions correctly. Fortunately, the learner was an actor who pretended to feel pain, when in reality there were no shocks delivered. However, it does show you how powerful the Principle of Authority is.

How authority is used in phishing: Using authority figures to trick users is very common and quite effective. Bad actors spoof the Chief Executive Officer (CEO) to demand that the Chief Financial Officer (CFO) wire money quickly in some spear phishing campaigns. When combined with urgency, people are often afraid to say no to their boss.

Leveraging authority to reduce phishing: You can use people’s natural trust of authority figures in your security program. For example, have senior managers make a statement about how important security is.

Consistency

Most people value integrity. We admire honesty and reliability in others, and we try to practice it in our own lives. This is what drives the Principle of Consistency. People are motivated to remain consistent with prior statements or actions. If I tell you that I value the outdoors, I won’t want to be caught throwing litter in a park. One study found that if you ask people to commit to environmentally friendly behavior when they check into a hotel, they will be 25 percent more likely to reuse their towel.[7]

How consistency is used in phishing: Scammers take advantage of people’s desire to be consistent by asking for something small in an initial email and then asking for more later.

Leveraging consistency to reduce phishing: One way to employ the Principle of Consistency in your security program is to ask staff to commit to security. Even more powerful? Have them do it in writing.

Liking

It probably won’t surprise you to learn that people are more likely to say yes to someone they like. If a friend asks for help, I want to say yes, but it’s easier to say no to stranger. But even a stranger can be persuasive if they are perceived as nice. In the raffle experiment, people were more likely to buy raffle tickets if the person selling the tickets brought them a soda, and less likely if the person only bought themselves a soda.[8]

How liking is used in phishing: When bad actors spoof or hack an individual’s email account and then send a phishing email to that person’s contacts, they are using the Principle of Liking. They are hoping that one of the hacking victim’s friends won’t spend much time scrutinizing the email content and will just act because the like the “sender.”

Leveraging liking to reduce phishing: To be more persuasive with your staff, cultivate an “internal consulting” mindset. Be friendly and build relationships, so that people want to say yes when you ask them to change their behavior.

Consensus

When people are uncertain, they look to others to help them formulate an opinion. Even when they are confident of their beliefs, consensus opinions can be very persuasive. This can be seen in the light dot experiment. In this study, individuals were asked how much a (stationary) dot of light was moving. It appeared to move due to autokinetic effect. Days later, the subjects were divided into groups. Despite very different earlier estimates, responses “normalized” to the broader group. If brought back to provide an individual estimate, individuals continued to provide the group estimate.[9]

How consensus is used in phishing: Adversaries exploit cultural trends. For example, when there is a natural disaster, there are often several illegitimate organizations posing as a charity to elicit donations.

Leveraging consensus to reduce phishing: Highlight positive security behaviors among other employees or report favorable statistics that indicate most people are complying with a security policy.

The more complex life becomes, the more likely humans will rely on cognitive shortcuts to make decisions. Educate your employees on how the Cialdini’s Six Principles of Persuasion can be used to trick them. Try implementing the principles in your own communication and training programs to improve compliance. Over time, you can build a culture that is less likely to fall for social engineering campaigns.

Watch “The psychology of social engineering: the soft side of cybercrime” presentation at InfoSec World v2020.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

[1] Trick with treat – Reciprocity increases the willingness to communicate personal data, Happ, Melzer, Steffgen, https://dl.acm.org/citation.cfm?id=2950731
[2] 2016 Enterprise Phishing Susceptibility and Resiliency Report, https://phishme.com/enterprise-phishing-susceptibility-report
[3] Microsoft Global Survey on Tech Support Scams, https://mscorpmedia.azureedge.net/mscorpmedia/2016/10/Microsoft_Infographic_final.pdf
[4] Kunz, Phillip R; Woolcott, Michael (1976-09-01). “Season’s greetings: From my status to yours.” Social Science Research. 5 (3): 269–278
[5] Worchel, Stephen; Lee, Jerry; Adewole, Akanbi (1975). “Effects of supply and demand on ratings of object value.” Journal of Personality and Social Psychology. 32 (5): 906–914.
[6] Milgram, Stanley (1963). “Behavioral Study of Obedience.” Journal of Abnormal and Social Psychology. 67(4): 371–8.
[7] Commitment and Behavior Change: Evidence from the Field Katie Baca-Motes, Amber Brown, Ayelet Gneezy, Elizabeth A. Keenan, Leif D. Nelson Journal of Consumer Research, Volume 39, Issue 5, 1 February 2013, Pages 1070–1084
[8] Regan, Dennis T. (1971-11-01). “Effects of a favor and liking on compliance.” Journal of Experimental Social Psychology. 7 (6): 627–639.
[9] Sherif, M (1935). “A study of some social factors in perception.” Archives of Psychology. 27: 187.

The post The psychology of social engineering—the “soft” side of cybercrime appeared first on Microsoft Security.

US Government Warns of Palo Alto Vulnerability

US Government Warns of Palo Alto Vulnerability

The US government has warned of a critical flaw in Palo Alto Networks equipment that could enable attackers to take over its devices with minimal skill.

The warning, issued by US Cyber Command, urged people to patch all devices affected by the vulnerability immediately. It said that foreign advanced persistent threat actors will attempt to exploit it soon.

As a user of these products, US Cyber Command would have reason to worry about foreign nation-states targeting its networks and those of its partners. It is one of eleven unified commands at the US Department of Defense, and oversees the US military's cyberspace operations.

The vulnerability, CVE-2020-2021, concerns the authentication process in PAN-OS, which is the operating system driving Palo Alto firewalls. When authentication using the Security Assertion Markup Language (SAML) is enabled and the 'Validate Identity Provider Certificate' option is unchecked, the system doesn't verify signatures properly, enabling someone to gain unauthenticated access to protected resources over a network.

Although it has a severity of 10—the highest possible—this is not a remote code execution vulnerability. It would, however, allow an unauthenticated attacker with network access to web interfaces to log into its firewalls as administrator. The bug affects its PA and VM series next-generation firewalls, the company said in the vulnerability announcement.

This attack could be particularly damaging to customers now because they rely heavily on firewall and VPN access to serve employees working remotely during the COVID-19 pandemic.

The security hardware vendor said that it is not aware of any malicious attempts to exploit the vulnerability thus far.

Administrators can patch the vulnerability today by upgrading to new versions of the software. It has patched versions 8.0, 8.1, 9.0, and 9.1 with point releases to fix the problem. Alternatively, they can simply disable SAML authentication to eliminate the issue until they get the chance to fix it with a point upgrade, meaning that they would have to switch to another form of authentication.

This advisory comes almost exactly a year after Palo Alto announced a remote code execution flaw in its GlobalProtect Portal and Gateway interface products. That vulnerability, rated High with a CVSS score of 8.1, allowed attackers to execute arbitrary code without authentication. In April 2019, CMU-CERT also warned that the company's VPN software was storing cookies insecurely in log files.

System hardening in Android 11

In Android 11 we continue to increase the security of the Android platform. We have moved to safer default settings, migrated to a hardened memory allocator, and expanded the use of compiler mitigations that defend against classes of vulnerabilities and frustrate exploitation techniques.

Initializing memory

We’ve enabled forms of automatic memory initialization in both Android 11’s userspace and the Linux kernel. Uninitialized memory bugs occur in C/C++ when memory is used without having first been initialized to a known safe value. These types of bugs can be confusing, and even the term “uninitialized” is misleading. Uninitialized may seem to imply that a variable has a random value. In reality it isn’t random. It has whatever value was previously placed there. This value may be predictable or even attacker controlled. Unfortunately this behavior can result in a serious vulnerability such as information disclosure bugs like ASLR bypasses, or control flow hijacking via a stack or heap spray. Another possible side effect of using uninitialized values is advanced compiler optimizations may transform the code unpredictably, as this is considered undefined behavior by the relevant C standards.

In practice, uses of uninitialized memory are difficult to detect. Such errors may sit in the codebase unnoticed for years if the memory happens to be initialized with some "safe" value most of the time. When uninitialized memory results in a bug, it is often challenging to identify the source of the error, particularly if it is rarely triggered.

Eliminating an entire class of such bugs is a lot more effective than hunting them down individually. Automatic stack variable initialization relies on a feature in the Clang compiler which allows choosing initializing local variables with either zeros or a pattern.

Initializing to zero provides safer defaults for strings, pointers, indexes, and sizes. The downsides of zero init are less-safe defaults for return values, and exposing fewer bugs where the underlying code relies on zero initialization. Pattern initialization tends to expose more bugs and is generally safer for return values and less safe for strings, pointers, indexes, and sizes.

Initializing Userspace:

Automatic stack variable initialization is enabled throughout the entire Android userspace. During the development of Android 11, we initially selected pattern in order to uncover bugs relying on zero init and then moved to zero-init after a few months for increased safety. Platform OS developers can build with `AUTO_PATTERN_INITIALIZE=true m` if they want help uncovering bugs relying on zero init.

Initializing the Kernel:

Automatic stack and heap initialization were recently merged in the upstream Linux kernel. We have made these features available on earlier versions of Android’s kernel including 4.14, 4.19, and 5.4. These features enforce initialization of local variables and heap allocations with known values that cannot be controlled by attackers and are useless when leaked. Both features result in a performance overhead, but also prevent undefined behavior improving both stability and security.

For kernel stack initialization we adopted the CONFIG_INIT_STACK_ALL from upstream Linux. It currently relies on Clang pattern initialization for stack variables, although this is subject to change in the future.

Heap initialization is controlled by two boot-time flags, init_on_alloc and init_on_free, with the former wiping freshly allocated heap objects with zeroes (think s/kmalloc/kzalloc in the whole kernel) and the latter doing the same before the objects are freed (this helps to reduce the lifetime of security-sensitive data). init_on_alloc is a lot more cache-friendly and has smaller performance impact (within 2%), therefore it has been chosen to protect Android kernels.

Scudo is now Android's default native allocator

In Android 11, Scudo replaces jemalloc as the default native allocator for Android. Scudo is a hardened memory allocator designed to help detect and mitigate memory corruption bugs in the heap, such as:

Scudo does not fully prevent exploitation but it does add a number of sanity checks which are effective at strengthening the heap against some memory corruption bugs.

It also proactively organizes the heap in a way that makes exploitation of memory corruption more difficult, by reducing the predictability of the allocation patterns, and separating allocations by sizes.

In our internal testing, Scudo has already proven its worth by surfacing security and stability bugs that were previously undetected.

Finding Heap Memory Safety Bugs in the Wild (GWP-ASan)

Android 11 introduces GWP-ASan, an in-production heap memory safety bug detection tool that's integrated directly into the native allocator Scudo. GWP-ASan probabilistically detects and provides actionable reports for heap memory safety bugs when they occur, works on 32-bit and 64-bit processes, and is enabled by default for system processes and system apps.

GWP-ASan is also available for developer applications via a one line opt-in in an app's AndroidManifest.xml, with no complicated build support or recompilation of prebuilt libraries necessary.

Software Tag-Based KASAN

Continuing work on adopting the Arm Memory Tagging Extension (MTE) in Android, Android 11 includes support for kernel HWASAN, also known as Software Tag-Based KASAN. Userspace HWASAN is supported since Android 10.

KernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to find out-of-bound and use-after-free bugs in the Linux kernel. Its Software Tag-Based mode is a software implementation of the memory tagging concept for the kernel. Software Tag-Based KASAN is available in 4.14, 4.19 and 5.4 Android kernels, and can be enabled with the CONFIG_KASAN_SW_TAGS kernel configuration option. Currently Tag-Based KASAN only supports tagging of slab memory; support for other types of memory (such as stack and globals) will be added in the future.

Compared to Generic KASAN, Tag-Based KASAN has significantly lower memory requirements (see this kernel commit for details), which makes it usable on dog food testing devices. Another use case for Software Tag-Based KASAN is checking the existing kernel code for compatibility with memory tagging. As Tag-Based KASAN is based on similar concepts as the future in-kernel MTE support, making sure that kernel code works with Tag-Based KASAN will ease in-kernel MTE integration in the future.

Expanding existing compiler mitigations

We’ve continued to expand the compiler mitigations that have been rolled out in prior releases as well. This includes adding both integer and bounds sanitizers to some core libraries that were lacking them. For example, the libminikin fonts library and the libui rendering library are now bounds sanitized. We’ve hardened the NFC stack by implementing both integer overflow sanitizer and bounds sanitizer in those components.

In addition to the hard mitigations like sanitizers, we also continue to expand our use of CFI as an exploit mitigation. CFI has been enabled in Android’s networking daemon, DNS resolver, and more of our core javascript libraries like libv8 and the PacProcessor.

The effectiveness of our software codec sandbox

Prior to the Release of Android 10 we announced a new constrained sandbox for software codecs. We’re really pleased with the results. Thus far, Android 10 is the first Android release since the infamous stagefright vulnerabilities in Android 5.0 with zero critical-severity vulnerabilities in the media frameworks.

Thank you to Jeff Vander Stoep, Alexander Potapenko, Stephen Hines, Andrey Konovalov, Mitch Phillips, Ivan Lozano, Kostya Kortchinsky, Christopher Ferris, Cindy Zhou, Evgenii Stepanov, Kevin Deus, Peter Collingbourne, Elliott Hughes, Kees Cook and Ken Chen for their contributions to this post.

Connected Car Standards – Thank Goodness!

Intelligent transportation systems (ITS) require harmonization among manufacturers to have any chance of succeeding in the real world. No large-scale car manufacturer, multimodal shipper, or MaaS (Mobility as a Service) provider will risk investing in a single-vendor solution. Successful ITS require interoperable components, especially for managing cybersecurity issues. See https://www.trendmicro.com/vinfo/us/security/news/intelligent-transportation-systems for a set of reports on ITS cybersecurity.

The good news is we now have a standard for automotive cybersecurity, ISA/SAE 21434. This standard addresses all the major elements of connected car security including V2X, reaching from the internals of ECUs and communications busses including CAN to the broader issues of fleet management and public safety. See https://www.iso.org/standard/70918.html for the current draft version of this standard.

Intelligent transport systems rely on complex, contemporary infrastructure elements, including cloud (for data aggregation, traffic analysis, and system-wide recommendations) and 5G (for inter-component networking and real-time sensing). ITS also rely on aging industrial control systems and components, for vehicle detection, weather reporting, and traffic signaling, some dating back forty years or more. This profound heterogeneity makes the cybersecurity problem unwieldy. Automotive systems generally are the most complex public-facing applications of industrial IoT. Any information security problems with them will erode public trust in this important and ultimately critical infrastructure.

Robert Bosch GmbH began working on the first automotive bus architecture in 1986. Automobiles gained increasing electronic functions (smog controls, seat belt monitors, electric window controls, climate controls, and so on). With each new device, the manufacturers had to install additional point-to-point wiring to monitor and control them. This led to increasing complexity, the possibility for error, extended manufacturing time, more costly diagnosis and repair post-sales, and added weight. See Figure 1 for details. By replacing point-to-point wiring with a simple bus, manufacturers could introduce new features connected with one pair of wires for control. This simplified design, manufacturing, diagnosis, and improved quality and maintainability.

Figure 1: CAN Networks Significantly Reduce Wiring (from National Instruments https://www.ni.com/en-us/innovations/white-papers/06/controller-area-network–can–overview.html)

The bus was simple: all devices saw all traffic and responded to messages relevant to them. Each message has a standard format, with a header describing the message content and priority (the arbitration IDs), the body which contains the relevant data, and a cyclic redundancy check (CRC), which is a code to verify that the message contents are accurate. This CRC uses a mathematical formula to determine if any bits have flipped, and for small numbers of errors can correct the message, like a checksum. This is not as powerful as a digital signature. It has no cryptographic power. Every device on the bus can use the CRC algorithm to create a code for messages it sends and to verify the data integrity of messages it receives. Other than this, there is no data confidentiality, authentication, authorization, data integrity, or non-repudiation in CAN bus messages – or any other automotive bus messages. The devices used in cars are generally quite simple, lightweight, and inexpensive: 8-bit processors with little memory on board. Any device connected to the network is trusted. Figure 2 shows the layout of a CAN bus message.

Figure 2: The Standard CAN Frame Format, from National Instruments

Today’s automobiles have more sophisticated devices on board. The types of messages and the services the offer are becoming more complex. In-vehicle infotainment (IVI) systems provide maps, music, Bluetooth connectivity for smartphones and other devices, in addition to increasingly more elaborate driving assistance and monitoring systems all add more traffic to the bus. But given the diversity of manufacturers and suppliers, impeding security measures over the automotive network. No single vendor could today achieve what Robert Bosch did nearly forty years ago. Yet the need for stronger vehicle security is growing.

The ISO/SAE 21434 standard describes a model for securing the supply chain for automotive technology, for validating the integrity of the development process, detecting vulnerabilities and cybersecurity attacks in automotive systems, and managing the deployment of fixes as needed. It is comprehensive. ISO/SAE 21434 builds on decades of work in information security. By applying that body of knowledge to the automotive case, the standard will move the industry towards a safer and more trustworthy connected car world.

But the standard’s value doesn’t stop with cars and intelligent transport systems. Domains far beyond connected cars will benefit from having a model for securing communications among elements from diverse manufacturers sharing a common bus. The CAN bus and related technologies are used onboard ships, in aircraft, in railroad management, in maritime port systems, and even in controlling prosthetic limbs. The vulnerabilities are common, the complexity of the supply chain is equivalent, and the need for a comprehensive architectural solution is as great. So this standard is a superb achievement and will go far to improve the quality, reliability, and trustworthiness of critical systems globally.

What do you think? Let me know in the comments below or @WilliamMalikTM.

The post Connected Car Standards – Thank Goodness! appeared first on .

New Cybersecurity Standard for IoT Devices Established By ETSI

New Cybersecurity Standard for IoT Devices Established By ETSI

A new standard for cybersecurity in the Internet of Things (IoT) has been unveiled today by the ETSI Technical Committee on Cybersecurity. It establishes a security baseline for internet-connected consumer products and for future IoT certification schemes. It is hoped the standard, titled ETSI EN 303 645, will help prevent large-scale, prevalent attacks taking place against smart devices.

Developed in collaboration with industry, academics and government, the standard aims to restrict the ability of cyber-criminals to control devices across the globe and launch DDoS attacks, mine cryptocurrency and spy on users in their own homes. This has become a major concern for the cybersecurity industry due to the growing prevalence of smart devices in households, many of which have security weaknesses.  

Earlier this month, for example, an investigation by Which? found that 3.5 million wireless indoor security cameras across the world potentially have critical security flaws that make them vulnerable to hacking.

ETSI EN 303 645 outlines 13 provisions for the security of a wide range of IoT consumer devices and their associated services. These include children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances and smart home assistants.

Five specific data protection provisions for consumer IoT are also set out in the standard.

Mahmoud Ghaddar, CISO Standardization, commented: “Ensuring a better level of security in the IoT ecosystem can only be achieved if governments, industry and consumers collaborate on a common and reachable goal, and standardization bodies like ETSI have provided the right platform to achieve it for this standard.”

A number of manufacturers and IoT stakeholders have already developed products and certification schemes according to ETSI EN 303 645. Juhani Eronen, chief specialist at Traficom, added: “To date we have awarded the labels to several products including fitness watches, home automation devices and smart hubs. Being involved in the development of the ETSI standard from the start helped us a lot in building up our certification scheme. Feedback from companies and hackers has been very positive so far.”

Android Apps Stealing Facebook Credentials

Google has removed 25 Android apps from its store because they steal Facebook credentials:

Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times.

The malicious apps were developed by the same threat group and despite offering different features, under the hood, all the apps worked the same.

According to a report from French cyber-security firm Evina shared with ZDNet today, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight applications, file managers, and mobile games.

The apps offered a legitimate functionality, but they also contained malicious code. Evina researchers say the apps contained code that detected what app a user recently opened and had in the phone's foreground.


Microsoft launches global skills initiative to help 25 million people acquire digital skills

Microsoft this morning announced the launch of a global skills initiative aimed at delivering digital skills to 25 million people. Expanded access to digital skills, especially in the wake of COVID-19, is an important step in the economic recovery process, especially for the people and business hardest hit by job losses, Microsoft said in a…

COVID-19 ‘Breach Bubble’ Waiting to Pop?

The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change — and likely for the worse.

The economic laws of supply and demand hold just as true in the business world as they do in the cybercrime space. Global lockdowns from COVID-19 have resulted in far fewer fraudsters willing or able to visit retail stores to use their counterfeit cards, and the decreased demand has severely depressed prices in the underground for purloined card data.

An ad for a site selling stolen payment card data, circa March 2020.

That’s according to Gemini Advisory, a New York-based cyber intelligence firm that closely tracks the inventories of dark web stores trafficking in stolen payment card data.

Stas Alforov, Gemini’s director of research and development, said that since the beginning of 2020 the company has seen a steep drop in demand for compromised “card present” data — digits stolen from hacked brick-and-mortar merchants with the help of malicious software surreptitiously installed on point-of-sale (POS) devices.

Alforov said the median price for card-present data has dropped precipitously over the past few months.

“Gemini Advisory has seen over 50 percent decrease in demand for compromised card present data since the mandated COVID-19 quarantines in the United States as well as the majority of the world,” he told KrebsOnSecurity.

Meanwhile, the supply of card-present data has remained relatively steady. Gemini’s latest find — a 10-month-long card breach at dozens of Chicken Express locations throughout Texas and other southern states that the fast-food chain first publicly acknowledged today after being contacted by this author — saw an estimated 165,000 cards stolen from eatery locations recently go on sale at one of the dark web’s largest cybercrime bazaars.

“Card present data supply hasn’t wavered much during the COVID-19 period,” Alforov said. “This is likely due to the fact that most of the sold data is still coming from breaches that occurred in 2019 and early 2020.”

A lack of demand for and steady supply of stolen card-present data in the underground has severely depressed prices since the beginning of the COVID-19 pandemic. Image: Gemini Advisory

Naturally, crooks who ply their trade in credit card thievery also have been working from home more throughout the COVID-19 pandemic. That means demand for stolen “card-not-present” data — customer payment information extracted from hacked online merchants and typically used to defraud other e-commerce vendors — remains high. And so have prices for card-not-present data: Gemini found prices for this commodity actually increased slightly over the past few months.

Andrew Barratt is an investigator with Coalfire, the cyber forensics firm hired by Chicken Express to remediate the breach and help the company improve security going forward. Barratt said there’s another curious COVID-19 dynamic going on with e-commerce fraud recently that is making it more difficult for banks and card issuers to trace patterns in stolen card-not-present data back to hacked web merchants — particularly smaller e-commerce shops.

“One of the concerns that has been expressed to me is that we’re getting [fewer] overlapping hotspots,” Barratt said. “For a lot of the smaller, more frequently compromised merchants there has been a large drop off in transactions. Whilst big e-commerce has generally done okay during the COVID-19 pandemic, a number of more modest sized or specialty online retailers have not had the same access to their supply chain and so have had to close or drastically reduce the lines they’re selling.”

Banks routinely take groups of customer cards that have experienced fraudulent activity and try to see if some or all of them were used at the same merchant during a similar timeframe, a basic anti-fraud process known as “common point of purchase” or CPP analysis. But ironically, this analysis can become more challenging when there are fewer overall transactions going through a compromised merchant’s site, Barratt said.

“With a smaller transactional footprint means less Common Point of Purchase alerts and less data to work on to trigger a forensic investigation or fraud alert,” Barratt said. “It does also mean less fraud right now – which is a positive. But one of the big concerns that has been raised to us as investigators — literally asking if we have capacity for what’s coming — has been that merchants are getting compromised by ‘lie in wait’ type intruders.”

Barratt says there’s a suspicion that hackers may have established beachheads [breachheads?] in a number of these smaller online merchants and are simply biding their time. If and when transaction volumes for these merchants do pick up, the concern is then hackers may be in a better position to mix the sale of cards stolen from many hacked merchants and further confound CPP analysis efforts.

“These intruders may have a beachhead in a number of small and/or middle market e-commerce entities and they’re just waiting for the transaction volumes to go back up again and they’ve suddenly got the capability to have skimmers capturing lots of card data in the event of a sudden uptick in consumer spending,” he said. “They’d also have a diverse portfolio of compromise so could possibly even evade common point of purchase detection for a while too. Couple all of that with major shopping cart platforms going out of support (like Magento 1 this month) and furloughed IT and security staff, and there’s a potentially large COVID-19 breach bubble waiting to pop.”

With a majority of payment cards issued in the United States now equipped with a chip that makes the cards difficult and expensive for thieves to clone, cybercriminals have continued to focus on hacking smaller merchants that have not yet installed chip card readers and are still swiping the cards’ magnetic stripe at the register.

Barratt said his company has tied the source of the breach to malware known as “PwnPOS,” an ancient strain of point-of-sale malware that first surfaced more than seven years ago, if not earlier.

Chicken Express CEO Ricky Stuart told KrebsOnSecurity that apart from “a handful” of locations his family owns directly, most of his 250 stores are franchisees that decide on their own how to secure their payment operations. Nevertheless, the company is now forced to examine each store’s POS systems to remediate the breach.

Stuart blamed the major point-of-sale vendors for taking their time in supporting and validating chip-capable payment systems. But when asked how many of the company’s 250 stores had chip-capable readers installed, Stuart said he didn’t know. Ditto for the handful of stores he owns directly.

“I don’t know how many,” he said. “I would think it would be a majority. If not, I know they’re coming.”

Under the Hood of a Security Platform

When you walk into a car showroom to buy a new vehicle, you don’t expect to walk out holding a set of brakes, or a steering wheel. You want the whole car. Too often in the security industry, customers’ needs are met with a single component that solves a single problem. It’s like an industry of potential car owners all walking out of showrooms with bags full of disparate tools, trying to figure out how many auto mechanics they will have to hire to put all the components together.

The experience of using a security platform should be more like entering a car showroom than a repair shop. June marks the general availability of our platform, Cisco SecureX. As the industry learns to define what we should all expect from a platform, let’s consider what we think it is, and perhaps, just as importantly, what it’s not:

The following might be confused with a security platform:

  • An interface added as a new UI to one or two point products. Two products do not make a platform!
  • Something that needs to be manually integrated by customers over the span of several months.
  • Another product that adds cost and complexity to an already overburdened security organization.
  • A SIEM or a SOAR.

Conversely, a true security platform should:

  • Bring together an established, comprehensive set of security capabilities that are made better through integration.
  • Include strong, out-of-the-box integrations that require minimal or no effort on the part of customers.
  • Be free or low cost, and help to manage vendor sprawl instead of add to it.
  • Go well beyond the functionality of existing products like SIEM or SOAR, enabling security teams to gain unified visibility and also take coordinated action through the platform.

It may seem like a tall order, but Cisco SecureX does all of that – and more. Here’s how…

The industry’s broadest, most integrated security platform

We are by no means starting from scratch with Cisco SecureX. Our platform is the culmination of over a decade of work building some of the most comprehensive, effective security solutions on the market. Our broad set of technologies protects against all threat vectors across your network, users and endpoints, cloud, and applications. Cisco SecureX unites an already strong, robust set of capabilities – allowing them to work together to bring you better visibility, greater automation, and stronger defenses.

The front end of our platform – which we began working on several years ago with Cisco Threat Response – enables you to visualize your integrated solutions in one place and use them in concert to solve your biggest security challenges. And in addition to operational metrics, the platform delivers ROI metrics so you can evaluate how your security is performing along the way.

Other companies claim to be offering a security platform, but what they’re really offering you is a dashboard. On the other hand, Cisco is offering you the whole car – and all of the various parts that go into it to make your business run. There’s a reason why we protect 100% of the Fortune 100. So when you’re offered a platform, make sure you check under the hood to see what’s really in there.

Does the platform bring together the capabilities of next-generation firewalls, email security, secure access, and threat detection? What about endpoint detection and response? Malware protection, cloud and application security, and web security? Does it deliver in-depth security analytics from across your entire infrastructure? And is it underpinned by one of the world’s largest threat intelligence organizations? Unfortunately, there are so many different inroads to your environment these days, and so many varied tactics for getting in, that you have to make sure whoever is trying to sell you a security platform has them all covered.

Stronger integrations than any other vendor

While Cisco’s enterprise cybersecurity portfolio is the broadest in the industry, we realize that we can’t do everything, and that you will inevitably have to work with other vendors to get the job done. That’s why, in addition to extensive integrations across our own portfolio, we’ve built an open ecosystem of 170+ partners that allows you to seamlessly connect with third-party technologies. And we will continue to add more integrations as time goes on.

According to our 2020 CISO Benchmark Report, 81% of organizations find it challenging to manage a multi-vendor environment. With Cisco SecureX, you can gain a unified view of your various security technologies from both Cisco and other companies through a single, cloud-native platform. And you can use these technologies together to investigate and remediate threats, without having to manually swivel between various interfaces – or integrate them yourself.

“Of all the vendors we evaluated, Cisco had the most mature integrations to bring security visibility together,” said Alan Zaccario, vice president of IT and cybersecurity at New Castle Hotels and Resorts. “But it’s not just about the platform — it has to be manageable by a small shop like ours if we’re going to use it.”

To further reduce complexity, Cisco SecureX includes built-in playbooks, and the ability to create custom playbooks, so you can easily use multiple technologies together for a specific workflow – such as threat hunting, or combating a phishing attack, for example. This functionality helps streamline the often onerous process of detecting, identifying, and containing threats.

Cisco SecureX also draws from our worldwide leadership in networking to integrate with core network and infrastructure solutions. That way, the platform not only benefits the security team, but also the IT and networking teams as they all collaborate to safeguard assets and keep organizations up-and-running.

Cisco SecureX is not a product, and it costs no extra

Cisco SecureX is available at no extra cost to any Cisco customer that owns one of our security products. Because that’s how it should be. Organizations are already struggling to manage too many vendors and products, and budgets are strained. A security platform should not be adding to these costs and complexity.

Instead, Cisco SecureX builds off what you already have. It makes your existing security capabilities better by allowing them to share intelligence and take automated, coordinated actions to mitigate threats or update security policies. In our recent CISO Benchmark Report, we learned that 77% of respondents are planning to increase their security automation to speed up response times – and we are confident that SecureX can spearhead this mission.

In addition to making day-to-day tasks easier, a security platform should also be simple to set up. You shouldn’t have to spend days or even hours to get it to work. And you shouldn’t have to buy a bunch of other products to see value from it. Customers can realize value from Cisco SecureX in under 15 minutes. Less than the time it takes to go out and grab a cup of coffee!

So much more than a SOAR

SOARs (and their predecessors, SIEMs) are designed to bring together disparate security information from different systems to help streamline threat analysis and incident response. However, they are not equivalent to a security platform. While they can be useful for aggregating information, they are a separate product not typically designed to be integrated with anything else.

The information they provide is not necessarily presented in an actionable format, and the onus of making sense of the data and defining corresponding mitigation actions often falls on the security team itself. On the other hand, Cisco SecureX draws upon multiple security products to provide cohesive, actionable information and also enable automated remediation all from one place.

Unlike our platform, which can be up-and-running and used with ease within minutes, SOARs are often difficult to deploy, learn, and use. And, they typically only account for security operations, providing little to no value to the IT and networking teams.

So, bottom line, if you have a SOAR, don’t fret. Just know that it’s not the same as a platform. Rather, it’s a type of security product that can be integrated into a platform like Cisco SecureX.

Get started with Cisco SecureX

So there you have it. If you want a car, don’t settle for a bag of components. And check under the hood to make sure it’s more than a dashboard you’re getting.

As the biggest security company in the world, we’re uniquely positioned to help you evolve the way you protect your business now and into the future. “Since implementing all of our Cisco security tools, up until now, we haven’t had any serious incidents or compromises,” said Don Bryant, CISO at The University of North Carolina at Pembroke. “We feel very well protected.”

Get started with Cisco SecureX today, and discover all the capabilities that power our platform.

The post Under the Hood of a Security Platform appeared first on Cisco Blogs.

Foundational Cybersecurity Guidance for IoT Device Manufacturers: NISTIR 8259 Overview

On June 30, NIST will host a virtual-only event, Foundational Cybersecurity Guidance for IoT Device Manufacturers: NISTIR 8259 Overview. On May 29, NIST released final NISTIRs 8259 and 8259A, representing a major milestone in IoT cybersecurity. The publications present six foundational activities and a core baseline of IoT device cybersecurity capabilities for manufacturers as a starting point towards building more securable devices. NIST is now adapting NISTIRs 8259 and 8259A to formulate a federal profile that defines the cybersecurity device capabilities needed to enable federal agency

CISA: Nation-State Attackers Likely to Exploit Palo Alto Networks Bug

An authentication-bypass vulnerability allows attackers to access network assets without credentials when SAML is enabled on certain firewalls and enterprise VPNs.

How To Stop Ransomware?

You have been hacked! Pay ransom!

Have you ever come across these phrases? Well, if you are here, you must have, or you just want to protect yourself from the ransomware attack.

Either way, you are in the correct place! Ransomware attacks have become quite common these days, and no business is immune to these attacks. Ransomware is malicious software that locks your system to extort money from victims. These attacks encrypt your files and hold your precious data for ransom.  

It works by tempting users into downloading an attachment or opening a link. By downloading the file, you are installing malware on your device. Seems simple? But it is not!

When your system is under attack, it can be a challenging and frightening situation to manage. One it enters your system, it can lock you out of your own data.

So, it’s important to know everything about ransomware removal and ransomware protection and how to stop ransomware.

This post sheds light on all of these topics. Here you will learn about how you can prevent yourself from these threatening ransomware attacks. 


  1.   Never Open Untrusted Links Or Attachments

Ransomware gets into your computer through email attachments. So, make it a habit, not open email from unknown senders, and do not download anything from unverified links.

Before opening an email, confirm that the address is correct. Even if the attachment looks genuine, make sure to verify it first. Also, don’t open links or attachments that ask you to enable macros to access them.

Therefore, pay attention to website’s name you are about to enter or what links you are accessing.


  1.   Never Share Your Personal Data

Sharing your personal data gives access to malicious software. If you ever receive a call, text, or email from an unverified or untrusted source, do not share your personal information.  

Cybercriminals planning an attack may have access to your personal information and leverage it in phishing emails to target you specifically.


  1.   Always Use A VPN When Using Public Wi-Fi

Being careful with public Wi-Fi is also a great preventive measure against ransomware protection. It is a great and reasonable safeguard against ransomware removal. To stay protected, make sure to use a secure VPN whenever you are using public Wi-Fi.

This is because, when we use public Wi-Fi, our system and desktops are more vulnerable to attack. So, if you are using Wi-Fi for confidential transactions, it is always a great thing to use VPN.


  1.   Keep Your Security Software Up To Date

Yes, you must have the latest version of antivirus on your system. However, having security software installed on your system is not enough. Regular updating is essential.

Cyber ​​attacks are skilled and modified from time to time, so a security system or antivirus should also be at par. Regular updates help provide the highest level of protection, which is updated!

Each update is crucial because it maximizes your security software against ransomware attacks and makes your organization less vulnerable. Select the option to update your security software now automatically!


  1.   Backup Your Data

Having up-to-date and secure data backups of your critical business information is basic protection, especially against ransomware. In the event that the ransomware compromises particular devices, a recent backup suggests that you can reestablish and restore this data and be back fully operational rapidly.

Be that as it may, it is essential to grasp where this basic information is really kept. It isn’t a great idea to have a backup if you save the wrong and inappropriate things and save them so inconsistently that they are pointless.

You can never be a victim of ransomware attack if you back up automatically every night before sleeping.

Conclusion

One thing is for sure; ransomware is not going anywhere. We just need to keep ourselves protected from this malware. In this era of cybercrimes and data breaches, organizations need to stay vigilant.

Learn the appropriate steps to detect prevent and recover from ransomware attacks. With the proper knowledge and tips, you can minimize the impact of ransomware on your business. So, pay heed to the above tips to keep your company’s data safe and protected. 

Along with the preventive measures, make sure you have a functional cybersecurity team, which will help you build a strong defense and not let ransomware attacks do significant damage to your system.

The post How To Stop Ransomware? appeared first on Hacker Combat.

How Do You Get Ransomware?

You must have known enough that ransomware has emerged as the most prevalent malicious software that kidnaps your data, locks your file, and denies access to your computer. All this to extort money from you.

However, do you know the different ways and loopholes that allow ransomware to infect your computer?

No, right?

We knew it. Do not worry; we have your back.

You must have wondered why companies create a fuss over a ransomware attack. You will know about it once you get a flashing message on your screen that access is denied, and files have been encrypted.

These words are enough to give a panic attack.

We know we are harsh with our word, but so is the ransomware – HARSH. They demand an anonymous online cryptocurrency payment to recover your files and regain access.

You should know enough about the entryways of ransomware infection in case you want to fend off. These cybercriminals are very skilful and build very sophisticated ransomware.

Here, we will tell you what ransomware is and how it enters your computer because you need to be knowledgeable to avoid these attacks.
And this is the right time because even in these uncertain times of coronavirus, susceptibility has increased, and cyber thieves have planned to attack millions of users. Read on to avoid being one of them.

What Is Ransomware? – Simple

Ransom malware is malicious software that infects your computer system and denies admin access to the files by locking up the data and encrypting the files. To regain access to your own computer, they will squeeze a hefty amount of money from your pocket.

The cyber thieves are encouraged and highly motivated to stoop down to this measure as a hobby or even as a profession. Hence, they are professional cyber thieves.

This malicious software has been infecting PCs and troubling lives since the late 1980s. There is no stoppage since then, but just augmented cases.

How Do You Get Ransomware?

There are many resorts for ransomware to infect your computer. The most common is through phishing emails with malicious links and attachments.

Let us see how ransomware attacks your computer systems via different routes and tools.

Channel #1: Spam Emails

This is the most common route of entry for malware, and we believe you already knew it. However, just you thorough you up, the cyber attackers send or spam out emails that contain malicious attachment or link. These links have the potential to infect your computer with ransomware and make you a potential victim.

Mostly these messages or email will land up in the spam box, thanks to the various filters. However, there is a slight probability of these entering your inbox. All you need to do is avoid clicking on these links or opening theses suspicious mails, whether they come from a reliable or known source.

Channel #2: Exploit Kits

In contrast to vindictive messages, Exploit Kits needn’t require to click any email or any attachment to spread out ransomware infection.
This attacking toolkit can compromise a website, link, hardware, or browser by coding up malicious software. It can also infect any running software to spread the ransomware.

Channel #3: Pay per install

Pay per install is also a popular method used by cyber-attackers to infect your computers that are already an existing part of a botnet (a group of infected computers under the control of cyber criminals called bot-masters). This deepens and worsens the damage by further infecting the other connected or liable PCs with other malware. Bot herders are cyber thieves who wait and lookup for security vulnerabilities as paid to catch these opportunities.

Channel #4: Drive-by downloads

Drive-by downloads are a freeway for ransomware. The malicious software gets installed when a user clicks on a compromised or malicious websites’ link. Cyber researchers have found an increase in the use of drive-by downloads. In particular, users of some streaming video portals are most commonly hit.

Conclusion

Therefore, now you know the infecting routes and how do you get ransomware. To sum it all, Crypto ransomware is regularly spread through phishing emails that contain pernicious connections or through drive-by downloading. Drive-by downloading happens when a client unwittingly visits a tainted site, and after that, malware is downloaded and introduced without the user’s information. Furthermore, more current strategies of ransomware contamination have been watched.

If you do not pay heed to these ways, you make your company’s PC prone to these attacks. Do not invite these infections.

KEEP CALM
And
DO NOT CLICK!
This accurate information will guide you to avoid these attacks.

The post How Do You Get Ransomware? appeared first on Hacker Combat.

How Technology Affects Students Cheating?

In this modern age, technology and plagiarism go hand in hand. In fact, a survey shows that 95% of students admitted to cheating, 58% admitted to relying on plagiarism to create content, while 64% only cheated on tests.

Simply put, students are not afraid to cheat. They often rely on plagiarism or other methods to get the work done. Some don’t even bother to use a free checker to make sure they did a good job. As a result, professors usually rely on a plagiarism checker to spot all the bad assignments. Having the ability to check plagiarism online can be helpful when you want to be certain you are grading unique content.

The question is, why student cheating is such a predominant problem? Why is plagiarism considered cheating?

Let’s take a closer look at why keeping academic integrity has become a serious issue for most students in Canada and all around the world. Including, how students cheat and the ways schools and colleges can counter that.

What Technologies Do Students Use for Cheating?

According to experts, students are using very advanced ways to cheat, sometimes even resorting to virtual networks where they protect their own activities. But, some of the most popular ways are:

  •       Text messages
  •       Storing notes
  •       Apps & websites
  •       Social media

Here are some of the more interesting facts about cheating in school people should know about.

Text Messages

Text message cheating is the quickest and most convenient way to get answers. Students text other students or people outside the classroom to help them get good grades. This is basically the modern-day version of note passing.

Storing Notes

Instead of writing notes by hand, students store the information they need on their cellphones. There are plenty of guides online that will show them the ropes to proper, undetectable cheating.

Apps & Websites

There are countless apps, particularly math apps that can solve complex or simple algebra problems. The students just scan the test and wait for the app to solve it in a jiffy.

Social Media

Though it may seem unlikely, social media cheating is popular. A student takes a picture of the test and posts it online. This is mostly the case for students who are taking the exam before another group. They post the questions online so that the next group will know the answers ahead of the exam.

How Technologies Increase the Amount of Plagiarism in Academic Writings? 

To understand how plagiarism affects students, you first need to understand the impact technology has.

Technology and plagiarism work in sync. Ever since the latest technological software became widely available, it made cheating at school very easy. All the how-to-cheat videos and aids for cheating are just a click away.

With the internet, students no longer need to do hefty research or scour books for the content they need. They just open up the first related article and copy-paste the entire text. It’s easy, convenient, and a fast way to do homework.

Why It Is Important to Always Check Your Paper for Plagiarism Before Submitting?

Plagiarized assignments lack originality. They also indicate a different level of knowledge. For example, a ninth-grader can’t write a perfectly polished essay. If you submit that kind of work, it will be a pure giveaway.

Besides, every professor uses a plagiarism tool to check the quality of the assignment. If they spot any similarities with other websites, you will, without a doubt, fail your assignment. That’s why it’s super important to use a free plagiarism checker before you submit your paper.

What Technologies Exist to Counter Cheating and How Schools and Colleges Use Them?

The old-fashioned anti-cheating methods no longer work. Students don’t abide by honor codes and are prone to rely on cheating to pass an exam. Instead of encouraging students to not cheat or forbid them to use phones, some teachers are relying on technology to counter cheating.

According to U.S. News, the best method for grading original assignments is anti plagiarism software. It immediately spots paragraphs or sentences that are copy-pasted from other websites. This kind of approach has proven effective for spotting original assignments and discouraging those unprepared from submitting their poor work.

But, Chinese educational institutions have taken more drastic measures to cope with the problem. Some are using metal detectors, signal jammers, and drones to ensure students don’t cheat. While it may seem over the top, authorities in China believe it is the best approach and demotivates children from cheating.

Conclusion

With the latest technological advances, students get more and more creative with cheating at school. The best way to counter that is to use “fire with fire” or in this case, technology. Know their crafty methods and come up with the ideal counter-strategy. All the information we listed here can help you stay on track with the latest tech-cheating trends. 

The post How Technology Affects Students Cheating? appeared first on Hacker Combat.

Couchbase joins the cloud database party

Couchbase is going live with its new managed cloud database service based on a modern Kubernetes cloud-native architecture. While offering the cloud-neutral flexibility of K8s, the new Couchbase service needs refinements to make it accessible to a wider audience.

Risk Decisions in an Imperfect World

Risk decisions are the foundation of information security. Sadly, they are also one of the most often misunderstood parts of information security.

This is bad enough on its own but can sink any effort at education as an organization moves towards a DevOps philosophy.

To properly evaluate the risk of an event, two components are required:

  1. An assessment of the impact of the event
  2. The likelihood of the event

Unfortunately, teams—and humans in general—are reasonably good at the first part and unreasonably bad at the second.

This is a problem.

It’s a problem that is amplified when security starts to integration with teams in a DevOps environment. Originally presented as part of AllTheTalks.online, this talk examines the ins and outs of risk decisions and how we can start to work on improving how our teams handle them.

 

The post Risk Decisions in an Imperfect World appeared first on .

Personal data of thousands of users from the UK, Australia, South Africa, the US, Singapore exposed in bitcoin scam

Group-IB discovered thousands of personal records of users from multiple countries exposed in a targeted multi-stage bitcoin scam.

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has discovered thousands of personal records of users from the UK, Australia, South Africa, the US, Singapore, Spain, Malaysia and other countries exposed in a targeted multi-stage bitcoin scam. Victim’s phone numbers, which in most cases came with names and emails, were contained in personalized URLs used to redirect people to websites posing as local news outlets with fabricated comments of prominent local personalities about cryptocurrency investment platform that “helped them build a fortune”. The source of the leak has not been established yet. The information has been provided to relevant authorities in the affected countries.  

A joint investigation of Group-IB’s Threat Intelligence and Brand Protection teams revealed 248,926 sets of personally identifiable information exposed in what turned to be a complex three-stage fraud designed to drag people into a shady bitcoin investment scheme.

The analysis of the exposed phone country codes showed that most of the victims were from the UK (147,610), followed by Australia (82,263), South Africa (4,149), the US (4,147), Singapore (3,499), Malaysia (2,491), Spain (2,420), and other countries. 

The new scheme is similar to the “Bitcoin Evolution” scam, that Group-IB reported on in Feb. 2020, with one big difference – this time a massive amount of victim’s sensitive info was exposed. Group-IB’s team was able to identify all the stages of the fraud from its entry point to the last phase. 

First, a victim receives a text message. Group-IB specialists managed to retrieve 4 samples of SMS. Scammers sometimes send out phishing messages using the name of a recognized media outlet as the sender.

Every message contained a unique short link. Further analysis of the URLs revealed that a short link takes a victim to another URL which already demonstrates their personal data, such as the phone number, first or/and last name, and sometimes an email address, and used for redirects to fake websites masquerading as a local media outlet. Group-IB researchers have run the exposed info through data breach repositories and have analyzed several underground marketplaces for the presence of this data but have not found any traces of the exposed info. The experts believe that the personal information info could have been obtained by fraudsters through a separate fraudulent scheme or simply bought from a third party.  

The content a user would see often depends on their location. For example, users from the UK would be demonstrated a website disguised as the Sun or the Mirror, the Australians would likely see a fake ABC Australia website. However, all the websites feature similar made-up interviews and fabricated comments attributed to local celebrities whose names were hijacked by the scammers: Bryan Wong, Chris Brown, Andrew Forrest, Travers ‘Candyman’ Beynon, Gina Rinehart, and others. All these fake articles allege that famous people made a fortune thanks to the new cryptocurrency investment platform. All the fake pages discovered are almost identical in terms of design, but the URL and the page code are unique every time and contain users’ personal records. If a victim decides to click any link in the article, they are taken to a bitcoin investment platform website, where their data, contained in the URL, would already be pre-filled in the registration form without a user’s consent. Later a victim would be asked to add to their account balance in BTC. 

Group-IB researchers spotted 6 active domains featuring the same bitcoin investment platform that operates under different names: Crypto Cash, Bitcoin Rejoin, Bitcoin Supreme, and Banking on Blockchain. Group-IB has shared its findings with the relevant organizations in the affected countries for further investigation. 

“The bitcoin investment scams have been around for quite a while and we regularly detect new instances of crypto fraud, says Ilya Sachkov, CEO of Group‑IB. “This time however the scheme was significantly upgraded, and a tremendous amount of personal information was leaked. The bad guys got smarter in a bid to increase the success rate of their fraudulent operations. Using personal data allows them to carry out targeted attacks and make a victim’s journey easier and smoother, which levels up the overall effectiveness of the scheme. In general, many people tend to underestimate the risks of their names, phones or emails circulating online until bad things happen. In fact, such a huge amount of sensitive data in the wrong hands opens up a whole new world of opportunities for fraudsters. This data can be sold further, or they can push a new round of fraud.”

Group-IB urges online users to stay vigilant. A couple of simple rules: If you spot a long redirect chain, it’s a red flag. Always double-check the domain name, website registration date when entering personal information or payment data. The Singapore government has also launched the Do Not Call registry under the PDPA for consumers who do not wish to receive telemarketing messages via phone call, SMS or fax.

However, regular users are not the only ones who suffer here. Media brands and celebrities whose names were hijacked by fraudsters suffer reputational damage. According to market researchers, nearly 64% of users who have faced brand abuse online will never return to that brand — their trust in it has been undermined. For celebrities, these cases can cause significant loss in the audience’s trust which affects the sustainability of business relationships with their advertisers. Complete visibility of the scheme is the key to eradicate this type of fraud. Media and celebrity names are mentioned on separate stages of the scheme and blocking them will not have an effect. Just like with the Rabbit Hole fraud, the crooks can quickly rebuild the blocked parts and continue their fraudulent operations. Effective monitoring and blockage should involve the automated machine-learning powered brand protection system fueled by the regularly updated knowledge base about cybercriminals’ infrastructure, tactics, and tools.

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations.

Pierluigi Paganini

(SecurityAffairs – hacking, bitcoin scam)

The post Personal data of thousands of users from the UK, Australia, South Africa, the US, Singapore exposed in bitcoin scam appeared first on Security Affairs.

Fake “DNS Update” emails targeting site owners and admins

Attackers are trying to trick web administrators into sharing their admin account login credentials by urging them to activate DNSSEC for their domain. Scam emails lead to fake login pages The scam was spotted by Sophos researchers, when the admin(s) of their own security marketing blog received an email impersonating WordPress and urging them to click on a link to perform the activation (see screenshot above). The link took them to a “surprisingly believable” phishing … More

The post Fake “DNS Update” emails targeting site owners and admins appeared first on Help Net Security.

DoH Is Here to Stay: Why Businesses Should Embrace It

Reading Time: ~ 3 min.

While the proliferation of encrypted DNS is being driven by consumer privacy, businesses will want to take notice. Encrypted DNS – also known as DNS over HTTPS, or DoH – obscures internet traffic from bad actors. But it also has the potential to decrease visibility for IT admins whose responsibility it is to manage DNS requests for their organizations. So, what’s the solution? Strangely, DoH.

As previously mentioned, DoH is now the default for Mozilla Firefox. It’s also available in Google Chrome and other Chromium-based browsers. This is a win for consumers, who have newfound control over who can see where they’re going on the internet.

However, by surrendering control over DNS requests to the browser, IT administrators lose the ability to apply filtering to DNS requests. Encrypted DNS that skirts the operating system eliminates the visibility that IT admins need to ensure security for internet traffic on their networks. It also prevents the business from being able to run threat intelligence against DNS requests and identify dynamic malware that could circumvent consumer DoH implementations. This leads to gaps in security that businesses can’t afford.

Staying ahead of the curve

There is a way to ensure privacy over DNS requests while maintaining control and visibility into network activity. The solution is to apply DoH across the entire system, not just browser activity. By wresting control over DNS requests from the browser, the agent can instruct Firefox not to engage its DoH feature. The same holds true for Chrome users running DoH. These requests are passed back through the operating system, where the DNS solution can manage them directly. This helps support both filtering and visibility.

An advanced agent will manage DNS requests on the device securely through DoH so the requests go directly to the server with no other entity having visibility into them. At the same time, the agent can apply threat intelligence to ensure requests aren’t resolving to malicious destinations. Admins have visibility into all DNS requests, and the requests are encrypted.

When the agent detects a prohibited resource, it returns the IP address of a block page. So, if there’s a virus on the system and it’s trying to access a command and control server to deliver a malicious payload, it won’t be able to. It also prevents botnets from being able to connect since they also leverage DNS. For any process that requests something from the internet, if it doesn’t get the resource that it’s requesting, it’s not going to be able to act on it.

Privacy plus security

The novel coronavirus didn’t start the mobile workforce phenomenon, but it certainly has accelerated it. The traditional perimeter firewall with all systems and devices living behind it no longer exists. Modern networks extend to wherever users connect to the internet. This includes the router someone bought from a kid down the street, and the home network that was set up by a consulting company 10 years ago and hasn’t been patched or updated since.

When someone on their home network opens a browser and goes to their favorites, they’re not expecting to get phished. But if they’re resolving to an alternative IP address because DNS is not being managed, is broken or is being redirected, they may be exposed to phishing sites. Enter encrypted DNS as another layer of protection within your cyber resilience portfolio. It starts working against a higher percentage of threats when you stack it with other layers, reducing the likelihood of being infected. It also addresses a blind spot that allows exploits to go undetected.

Embracing DoH

Privacy is the main driver for DoH adoption by consumers, while business agendas are generally driven by security. As a business, controlling DNS requests allows you to protect both the business and the user. If you don’t have that control and visibility, the user is potentially more exposed. And, if you don’t apply threat intelligence and filtering to DNS requests, a user can more easily click on malware or land on a phishing site.

To learn more about encrypted DNS read the whitepaper.

The post DoH Is Here to Stay: Why Businesses Should Embrace It appeared first on Webroot Blog.

US Cyber Command Alert: Patch Palo Alto Networks Products

'Critical' Authentication Bypass Risk Posed by Easy-to-Exploit PAN-OS Software Flaw
Palo Alto Networks product alert: All users should immediately patch a "critical" flaw in Pan-OS that can be remotely exploited to bypass authentication and take full control of systems or gain access to networks, U.S. Cyber Command and the Cybersecurity Infrastructure and Security Agency warn.

Indian Government Bans TikTok and 50+ Chinese Apps

Indian Government Bans TikTok and 50+ Chinese Apps

The Indian government has banned over 50 Chinese-made smartphone apps including popular social title TikTok over concerns they may be stealing user data.

The 59 titles also include Twitter-like platform Weibo and WhatsApp clone WeChat, as well as a range of other browser, camera, news, entertainment and communications apps.

A government statement noted that the decision was taken due to fears that the apps were “prejudicial to sovereignty and integrity of India, defense of India, security of state and public order.”

These concerns were linked to fears over users’ data security and privacy.

“The Ministry of Information Technology has received many complaints from various sources including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India,” it said.

Although the concerns may be genuine, the timing appears to be deliberate, coinciding with a period of heightened tensions between the two Asian giants after recent border clashes left 20 Indian soldiers dead.

According to the BBC, India is TikTok’s biggest foreign market with an estimated 120 million users.

However, the app has come in for criticism not only in India. In the US, the Pentagon banned its use by soldiers early this year on security concerns related to its Beijing-based owner ByteDance.

The Committee on Foreign Investment in the United States (CFIUS) has launched an inquiry into whether the user data TikTok collects represents a national security risk. If this becomes a full-blown investigation it could even put the sale of the title, which was originally a US app called Musical.ly, in jeopardy.

Concerns also swirl over the extent to which TikTok is influenced by Beijing, after it appeared to censor content linked to pro-democracy protesters in Hong Kong.

ProPrivacy digital privacy expert, Ray Walsh, argued that although New Delhi’s decision was probably taken for geopolitical reasons, it doesn’t mean it has no basis in privacy best practice.

“The decision will drastically reduce the amount of data passing from Indian citizens to Chinese authorities, via seemingly innocuous and hugely popular apps such as TikTok. These apps are known to harvest huge amounts of data from their users, resulting in covert international surveillance for the Chinese government,” he argued.

“Although the ban is likely to be controversial among Indian citizens, it may well cause other world leaders to consider whether they could or should impose similar sanctions.”

It remains to be seen how easy it is to enforce such a ban in practice.

InFraud Cybercrime Gang Member Pleads Guilty to Charges

InFraud Cybercrime Gang Member Pleads Guilty to Charges

A leading figure in a notorious cybercrime organization has pleaded guilty before a Nevada court to racketeering charges.

Russian national Sergey Medvedev — aka “Stells,” “segmed” and “serjbear” — pleaded guilty to conspiracy charges under the Racketeer Influenced and Corrupt Organizations Act (RICO), according to the Department of Justice (DoJ).

According to the indictment, the InFraud group he was a member of was founded in 2010 by 34-year-old Ukrainian Svyatoslav Bondarenko to be an expert in “carding” — the online trafficking of stolen personal and financial information.

“Under the slogan, ‘In Fraud We Trust,’ the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware and other illicit goods,” the DoJ said. 

“It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information and other contraband were permitted to advertise to members.”

By March 2017 there were an estimated 10,900 registered members of InFraud. The DoJ claimed that during its seven-year history it made over $568m from its victims — financial institutions, merchants and individuals.

The group was finally taken down in early 2018 after police in Australia, the UK, France, Italy, Kosovo and Serbia swooped on 13 individuals thought to have key roles in InFraud. An indictment was subsequently released charging 36 suspected members.

Medvedev, 33, was extradited from Thailand after being arrested there during the 2018 international police crackdown.

The news comes just days after another Russian national, Aleksei Burkov, was sentenced to nine years behind bars for operating the Cardplanet website, which sold stolen card data.

Critical flaw opens Palo Alto Networks firewalls and VPN appliances to attack, patch ASAP!

Palo Alto Networks has patched a critical and easily exploitable vulnerability (CVE-2020-2021) affecting PAN-OS, the custom operating system running on its next generation firewalls and enterprise VPN appliances, and is urging users to update to a fixed version as soon as possible. The US Cyber Command has echoed the call for immediate action, saying that nation-state-backed attackers are likely to try to exploit it soon. Please patch all devices affected by CVE-2020-2021 immediately, especially if … More

The post Critical flaw opens Palo Alto Networks firewalls and VPN appliances to attack, patch ASAP! appeared first on Help Net Security.

US Suspends Sensitive Tech Exports to Hong Kong

US Suspends Sensitive Tech Exports to Hong Kong

The US government has said it will suspend export of sensitive defense technologies to Hong Kong after China passed a controversial national security law in the Special Administrative Region (SAR).

In a brief statement on Monday, commerce secretary Wilbur Ross argued that the new law meant that sensitive US tech may find its way into the hands of the People’s Liberation Army (PLA) or the fearsome Ministry of State Security (MSS), both of which are prolific sources of cyber-attacks on foreign targets.

“Commerce Department regulations affording preferential treatment to Hong Kong over China, including the availability of export license exceptions, are suspended,” he continued.

“Further actions to eliminate differential treatment are also being evaluated. We urge Beijing to immediately reverse course and fulfill the promises it has made to the people of Hong Kong and the world.”

The controversial law was passed unanimously today by China’s rubber-stamp parliament, the National People’s Congress.

It seeks to criminalize activities such as secession and collusion with foreign forces, but many see it as an attempt to muzzle political activists and protesters in the region. The law also flies in the face of the binding “one country, two systems” agreement between China and the UK which intended the SAR to retain its autonomy for 50 years after the handover in 1997.

Judging by Ross’s remarks, the ban on exports of sensitive technologies to Hong Kong is likely to presage a wider revocation of the SAR’s special status under US law, by which it is granted certain preferential economic and trading rights over China.

On Friday, the State Department also imposed visa restrictions on Chinese Communist Party officials accused of undermining Hong Kong’s autonomy.

Beijing’s opaque political system is such that no Hong Kongers have yet even been able to see and read for themselves exactly what the legislation entails.

However, reports suggest it will carry a maximum sentence of life.

New privacy-preserving SSO algorithm hides user info from third parties

Over the last few decades, as the information era has matured, it has shaped the world of cryptography and made it a varied landscape. Amongst the myriad of encoding methods and cryptosystems currently available for ensuring secure data transfers and user identification, some have become quite popular because of their safety or practicality. For example, if you have ever been given the option to log onto a website using your Facebook or Gmail ID and … More

The post New privacy-preserving SSO algorithm hides user info from third parties appeared first on Help Net Security.

#COVID19 HMRC Phishing Scams Persist, Begin Targeting Passport Details

#COVID19 HMRC Phishing Scams Persist, Begin Targeting Passport Details

Fraudsters are continuing to exploit self-employed people with advancements in already-established COVID-related HMRC phishing scams.

Uncovered by Griffin Law, the latest variation of this attack is now targeting the passport details of self-employed people, along with other information including personal and bank details.

According to Griffin Law, the scam begins with a text message purporting to be from HMRC informing the recipient they are due a tax refund which can be applied for online via an official looking site that uses HMRC branding and is entitled “Coronavirus (COVID-19) guidance and support.”

The bogus site then asks for several pieces of the user’s sensitive information before also requesting their passport number as ‘verification’ – a new aspect of the scam previously discovered by Griffin Law.

So far, Griffin Law has ascertained that around 80 self-employed London-based workers have reported receiving this scam to their respective accountant.

Stav Pischits, CEO of Cynance, said: “The COVID-19 crisis has triggered a sharp rise in phishing attacks targeting businesses and individuals with realistic scams promising financial support and purporting to be from HMRC.

“All it takes is a single employee to accidentally hand over confidential company information, such as bank account details, a username or password for a potentially catastrophic data breach to occur.”

It’s therefore vital that all companies invest in improving cybersecurity procedures, particularly with millions of employees working remotely for the foreseeable future, he added.

Chris Ross, SVP, Barracuda Networks, warned that cyber-criminals will continue to exploit any situation to harvest financial data from individuals and see the national emergency as the perfect opportunity to fool vulnerable victims into handing over personal information.

“Security awareness is key within the workforce, and it’s vital that all employees are trained about how these schemes operate as well as how SMS can be exploited as part of a wider phishing scheme.”

Businesses Lack a Workable Ransomware Recovery Strategy

Businesses Lack a Workable Ransomware Recovery Strategy

More than a third of businesses do not have a ransomware emergency plan in place, or are not aware if one exists within their company.

According to research from Ontrack of 484 organizations, 39% either did not have or were not unaware of a ransomware strategy, while 26% admitted they couldn’t access any working backups after an attack.

“The threat of ransomware has never been greater” said Philip Bridge, president of Ontrack. “The fact that only 39% of respondents to our survey have an emergency plan in place for a ransomware attack is shocking. They are gambling with their and their customers’ data.

“It is imperative, now as ever, to ensure your organization has processes and procedures in place to mitigate the impact of any cyber-attack and protect sensitive data,” added Bridge.

As the third anniversary of the NotPetya attacks were marked at the weekend, David Grout, CTO of EMEA at FireEye, said NotPetya highlighted the need for resiliency, backup and preparation, as well as the importance of being able to track and identify the perpetrators and understand their motives.

“In terms of what can be done to mitigate the effects of these attacks, primarily, it is essential that patches are made available quickly and that they are widely adopted. If a discovered vulnerability can be exploited, it is highly likely that threat groups will use it, and continue to do so until it is fixed, inflicting untold damage,” he said.

“The NotPetya attack could have been mitigated by ensuring updates to software were regularly conducted, as well as thorough assessments of a given organization’s security, especially through simulated cyber-breaches.”

Speaking to Infosecurity, BH Consulting CEO Brian Honan said, with ransomware becoming an increasing concern for many organizations, he is seeing more businesses take steps to tackle the threat.

“However, many of these steps focus very much on the preventive aspect of security controls and in particular on ensuring effective anti-virus software is in place. While this is an important element in protecting against ransomware, organizations do need to take a more holistic approach to protecting their businesses and ensuring they can continue to function and recover from an attack should it happen.”

Honan recommended having robust data backup and data recovery strategies in place. “The key is to ensure business resilience in the event of a ransomware attack,” he said. “To achieve this, organizations should incorporate their incident response processes, for all cyber-attacks and not just for ransomware attacks, with their business continuity plan so they can continue to operate, while looking to recover from secure backups.

“A good backup strategy that is regularly reviewed, secured and tested to ensure the data can be recovered is one of the most effective defenses against ransomware.”

Advanced StrongPity Hackers Target Syria and Turkey with Retooled Spyware

Cybersecurity researchers today uncovered new details of watering hole attacks against the Kurdish community in Syria and Turkey for surveillance and intelligence exfiltration purposes. The advanced persistent threat behind the operation, called StrongPity, has retooled with new tactics to control compromised machines, cybersecurity firm Bitdefender said in a report shared with The Hacker

UCSF paid a $1.14 Million ransom to decrypt files after Ransomware attack

The University of California San Francisco (UCSF) revealed that it paid roughly $1.14 million to cybercriminals to recover data after a ransomware attack.

Late last week, the University of California San Francisco (UCSF) admitted having paid roughly $1.14 million to cybercriminals to recover data encrypted during a ransomware attack that took place on June 1.

In response to the attack, the IT systems within the School of Medicine were quarantined.

UCSF said that it immediately contained the threat, but certain systems were affected. The USCF and the campus networks were not impacted, the organization pointed out that patient care delivery and COVID-19 operations were not impacted too. The University believes the attack was opportunistic and that did not target specific systems or data within the organization.

“While we stopped the attack as it was occurring, the actors launched malware that encrypted a limited number of servers within the School of Medicine, making them temporarily inaccessible,” reads a statement published by the UCSF.

“The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed,”

Threat actors accessed part of academic work and encrypted it, but due to the importance of the documents, the university decided to pay a portion of the ransom, approximately $1.14 million, to decrypt it.

UCSF has been working with a leading cyber-security consultant and other outside experts to investigate the incident and prevent similar attacks in the future. The university expects to fully restore the affected servers soon.

At the time of writing the organization has yet to provide details on the attack, but experts believe the systems were infected by the NetWalker ransomware operators.

“A form of ransomware known as NetWalker added two more colleges to its list of victims Wednesday by claiming to have stolen files from Columbia College in Chicago and the University of California, San Francisco, according to screenshots posted on a blog maintained by the hackers behind the attacks.” reported the website edscoop.com.

“This incident reflects the growing use of malware by cyber-criminals around the world seeking monetary gain, including several recent attacks on institutions of higher education. We continue to cooperate with law enforcement, and we appreciate everyone’s understanding that we are limited in what we can share while we continue with our investigation.” the statement concludes.

Pierluigi Paganini

(SecurityAffairs – hacking, UCSF)

The post UCSF paid a $1.14 Million ransom to decrypt files after Ransomware attack appeared first on Security Affairs.

Palo Alto Networks fixes a critical flaw in firewall PAN-OS

Palo Alto Networks addressed a critical flaw in the PAN-OS of its next-generation firewalls that could allow attackers to bypass authentication.

Palo Alto Networks addressed a critical vulnerability, tracked as CVE-2020-2021, in the operating system (PAN‑OS) that powers its next-generation firewalls that could allow unauthenticated network-based attackers to bypass authentication.

“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources,” reads the security advisory published by the company. “The attacker must have network access to the vulnerable server to exploit this vulnerability.”

The CVE-2020-2021 vulnerability has been rated as critical severity and received a CVSS 3.x base score of 10.

According to Palo Alto Networks the vulnerability impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue doesn’t affect PAN-OS 7.1.

The company confirmed that the vulnerability cannot be exploited if SAML is not used for authentication and if the ‘Validate Identity Provider Certificate’ option is enabled (checked) in the SAML Identity Provider Server Profile.

“In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies,” Palo Alto Networks explains.

“There is no impact on the integrity and availability of the gateway, portal, or VPN server. An attacker cannot inspect or tamper with sessions of regular users.”

In attacks against PAN-OS and Panorama web interfaces, this vulnerability could be exploited by an unauthenticated attacker with network access to log in as an administrator and perform administrative actions.

The good news is that Palo Alto Networks is not aware of attacks in the wild exploiting this vulnerability.

Admins could determine if their installs are vulnerable following the instructions provided by the company in a knowledge base article.

Customers could inspect the authentication logs, the User-ID logs, ACC Network Activity Source/Destination Regions (Leveraging the Global Filter feature), Custom Reports (Monitor > Report), and GlobalProtect Logs (PAN-OS 9.1.0 and above) to determine if their installs have been compromised.

The presence of unusual usernames or source IP addresses in the logs and reports are indicators of a compromise.

The vulnerability was reported to Palo Alto Networks by Salman Khan from the Cyber Risk and Resilience Team and Cameron Duck from the Identity Services Team at Monash University.

Pierluigi Paganini

(SecurityAffairs – hacking, PAN-OS)

The post Palo Alto Networks fixes a critical flaw in firewall PAN-OS appeared first on Security Affairs.

200% increase in invoice and payment fraud BEC attacks

There has been a 200 percent increase in BEC attacks focused on invoice or payment fraud from April to May 2020, according to Abnormal Security. This sharp rise continues the trend. Also, according to the report, invoice and payment fraud attacks increased more than 75 percent in the first three months of 2020. Larger dollar amounts are involved During invoice and payment fraud BEC attacks, attackers pose as vendors, suppliers or customers in order to … More

The post 200% increase in invoice and payment fraud BEC attacks appeared first on Help Net Security.

Data security matters more than ever in the new normal

Even before lockdowns, there was a steady migration toward more flexible workforce arrangements. Given the new normal of so many more people working from home—on top of a pile of evidence showing that productivity and quality of life typically go up with remote work—it is inevitable that many more companies will continue to offer those arrangements even as stay-at-home orders are lifted. Unfortunately, a boom in remote access goes hand-in-hand with an increased risk to … More

The post Data security matters more than ever in the new normal appeared first on Help Net Security.

Remote employees encounter 59 risky URLs per week

Working remotely from home has become a reality for millions of people around the world, putting pressure on IT and security teams to ensure that remote employees not only remain as productive as possible, but also that they keep themselves and corporate data as secure as possible. Achieving a balance between productivity and security is even harder, given that most organizations do not have adequate visibility or control over what their employees are doing on … More

The post Remote employees encounter 59 risky URLs per week appeared first on Help Net Security.

Cloud IT infrastructure spending grows, non-cloud investments plunge

Vendor revenue from sales of IT infrastructure products (server, enterprise storage, and Ethernet switch) for cloud environments, including public and private cloud, increased 2.2% in the first quarter of 2020 (1Q20) while investments in traditional, non-cloud, infrastructure plunged 16.3% year over year, according to IDC. Pandemic as the major factor driving infrastructure spending The broadening impact of the COVID-19 pandemic was the major factor driving infrastructure spending in the first quarter. Widespread lockdowns across the … More

The post Cloud IT infrastructure spending grows, non-cloud investments plunge appeared first on Help Net Security.

Researchers create tool for protecting children’s online privacy

A University of Texas at Dallas study of 100 mobile apps for kids found that 72 violated a federal law aimed at protecting children’s online privacy. Dr. Kanad Basu, assistant professor of electrical and computer engineering in the Erik Jonsson School of Engineering and Computer Science and lead author of the study, along with colleagues elsewhere, developed a tool that can determine whether an Android game or other mobile app complies with the federal Children’s … More

The post Researchers create tool for protecting children’s online privacy appeared first on Help Net Security.

McAfee MVISION Insights: Stopping threats before the attack

McAfee, the device-to-cloud cybersecurity company, announced general availability of McAfee MVISION Insights, the industry’s first proactive security solution that changes the cyber security paradigm by helping to stop threats before the attack. MVISION Insights provides actionable and preemptive threat intelligence by leveraging McAfee’s cutting-edge threat research, augmented with sophisticated Artificial intelligence (AI) applied to real-time threat telemetry streamed from over 1 billion sensors. The integration of MVISION Insights significantly enhances the capabilities of McAfee’s award … More

The post McAfee MVISION Insights: Stopping threats before the attack appeared first on Help Net Security.

D-Link announces new 5G solutions to elevate mobile internet connectivity

D-Link announced their new 5G solutions that create a world of wireless possibilities whether at home, at the office, or on the go. 5G networks elevate mobile internet connectivity and enhance IoT technology and devices to a level that has never been experienced before. Delivering supercharged performance and extreme reliability, 5G will redefine and transform industries and completely change the way people live. D-Link enables enhanced broadband capacity, extremely low latency, super high bandwidth, and … More

The post D-Link announces new 5G solutions to elevate mobile internet connectivity appeared first on Help Net Security.

Kyoto Semiconductor develops high-speed photodiode with 400Gbps transmission speed

Kyoto Semiconductor has developed a high-speed photodiode KP-H KPDEH12L-CC1C to support 400Gbps transmission systems that use PAM4 (Pulse Amplitude Modulation 4) inside and between data centers. With the introduction of this InGaAs photodiode, the company is continually supporting the increasing speeds and capacity requirements for transmission systems in 5G networks and beyond. Mass production will start in November, 2020. KP-H KPDEH12L-CC1C main features High-speed – The size of the carrier on which the PD is … More

The post Kyoto Semiconductor develops high-speed photodiode with 400Gbps transmission speed appeared first on Help Net Security.

Thought Machine Vault now runs on Google Cloud, AWS, Microsoft Azure and IBM Cloud

Thought Machine, the cloud native core banking technology firm, has announced that its core banking platform Vault now runs on every major cloud infrastructure provider including Google Cloud Platform, Amazon Web Services, Microsoft Azure and IBM Cloud. In addition, Vault can be deployed on either the bank’s choice of cloud provider, on premise, in a hybrid cloud using OpenShift from Red Hat, or as a SaaS product. Thought Machine’s expanded compatibility enables banks to migrate … More

The post Thought Machine Vault now runs on Google Cloud, AWS, Microsoft Azure and IBM Cloud appeared first on Help Net Security.

RingCentral Cloud PBX for Microsoft Teams: Enhanced user productivity across the platform

RingCentral announced RingCentral Cloud PBX for Microsoft Teams enabling Direct Routing integration. With RingCentral Cloud PBX for Microsoft Teams users will have access to more robust cloud PBX capabilities without ever having to leave the Teams interface on mobile, web, and desktop. RingCentral also provides broader integrations with Microsoft Teams that enhance user productivity across the platform. “Today’s modern workforce wants the flexibility to communicate using their preferred channels, both within and outside their organization,” … More

The post RingCentral Cloud PBX for Microsoft Teams: Enhanced user productivity across the platform appeared first on Help Net Security.

NETSCOUT and Oracle help customers gain real-time visibility into risks from apps and digital services

NETSCOUT SYSTEMS announced that it is collaborating with Oracle to help customers gain end-to-end visibility for service assurance and security of mission-critical applications and services across their hybrid cloud infrastructures. NETSCOUT is a Gold level member of the Oracle PartnerNetwork (OPN). NETSCOUT’s vSTREAM and virtual nGeniusONE are now available from the Oracle Cloud Marketplace, offering Oracle Cloud customers best-in-class application visibility and the ability to leverage authentic information contained in application and network traffic for … More

The post NETSCOUT and Oracle help customers gain real-time visibility into risks from apps and digital services appeared first on Help Net Security.

Codefresh raises $27M to invest into open source, continuous delivery, and more

Codefresh announced $27M in new funding led by Red Dot Capital Partners with participation from Shasta Ventures and existing investors. Total funding for Codefresh has now more than doubled to $42M. Codefresh CEO Raziel Tabib shared details of how this new round of funding will be used to make “big investments into open source, continuous delivery, and more”. Codefresh launched as the first continuous integration and delivery (CI/CD) platform for Kubernetes and has grown dramatically … More

The post Codefresh raises $27M to invest into open source, continuous delivery, and more appeared first on Help Net Security.

McAfee XDR: Taking Threat Detection and Response to a New Level

In the battle to protect digital data, the stakes have never been higher, and the outcome has never been more uncertain.

Enterprises face ever-changing threats to their digital assets both inside and outside the traditional network perimeter from sophisticated threat actors, who use a changing assortment of techniques to find ways to skirt traditional security controls.

It’s also increasingly difficult for SOC teams to stay ahead of the attackers. Too often, they rely on an assortment of disconnected security tools and data sets supplied by different vendors. This is a flawed approach that requires multiple tools and consoles, driving up cost and the resources to make sense of the sea of data, leaving organizations with less visibility and manageability.

Many organizations still rely on EDR systems to get information about attacks against their endpoints that may be undetected or unclassified by traditional EPP solutions. However, enterprises nowadays require an extended protective umbrella that can defend not just legacy endpoints, but also mobile, and cloud workloads – all without overburdening in-house staff or requiring even more resources. Detecting today’s advanced threats requires more than a collection of point solutions. SOCs need a platform that intelligently reveals advanced adversaries leading to better, faster security outcomes.

The Rise of XDR

Companies simply can’t afford not to have full visibility into who’s trying to attack them. Here is where the deployment of Extended Detection and Response (XDR) can have a powerful security impact. XDR isn’t a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform.

Gartner defines XDR as a SaaS-based, security threat detection and incident response tool that natively integrates different security products into a cohesive security operations system. That’s a mouthful, but in practice, XDR makes the job of defenders easier by delivering a full complement of security capacities – everything from asset discovery and threat detection to vulnerability assessment, investigation and response. We see how detection efficacy drops when multiple platforms and consoles are required to identify and remediate threats. But with XDR, defenders have a single pane view into their environment across different platforms, both on-prem as well as in the cloud.

It also changes the nature of threat-hunting. Consider an organization that’s using a SIEM. While the system collects information in batches – typically from non-endpoint data sources and security countermeasures –  that isn’t the same as delivering real-time results. Even if SOC teams try to get faster answers by stitching together custom tools to correlate data, they still lag behind the attackers.

By contrast, an XDR platform will offer access in real time to all necessary telemetry to conduct a hunt and retrieve results in seconds. That helps defenders streamline the process of triage and investigation and unlock insights that were previously unimaginable using previous security tools.

Making a Difference

XDR is not a bullet-point discussion. We’re talking about different needs, delivered in different ways, and for different customers and leveraging a unique set of multi-vendor sensors and countermeasures for each.

This is where a trusted partner with a broad portfolio makes all the difference in that customer journey. As cybercriminals and groups acting on behalf of nation-states step up their nefarious activities, the outcome of this struggle against bad actors turns on speed, reliability, and predictable security outcomes.

An innovator in this field, McAfee is particularly suited to help customers to meet that challenge with a sophisticated intelligence-driven security platform. As Gartner noted earlier this year in a wide-ranging report on XDR, McAfee’s approach leverages a deep technological understanding of the relationships in the underlying data to help speed rapid out-of-the box integration.

McAfee’s XDR also benefits from a rich security legacy and a deep product portfolio. We’re also uniquely equipped to provide actionable intelligence on security threats because we can access over one billion global sensors across devices, networks and in the cloud.

The mobilization of that full complement of security capabilities delivers more complete threat detection, investigation, and response than any other security provider. For instance, when enterprises implement the security products that comprise McAfee’s XDR solution, they also benefit from the following:

  • AI and Expert System Security Analytics
  • A single interface for detections at the endpoint, sandbox, network, Internet perimeter/edge/gateway, and cloud
  • Accurate threat prioritization that helps predict potential impact as well as any countermeasures to foil an attack – the only solution that does this in a concurrent manner
  • Combined threat and detection data from your environment for richer, more meaningful alerts as well as prescriptive configuration suggestions to improve protection efficiency
  • More context and intelligent correlation leading to faster detection and higher fidelity alerts

The upshot is that McAfee XDR dramatically reduces the time defenders need to detect, contain, and respond to threats. Our AI and Big Data analytics capabilities supplies SOCs with threat and campaign insights before an attack changes course, so they avoid wasting time chasing false positives. Defenders get fewer and more meaningful alerts, making it easier to prioritize their response based on the severity and potential impact of a threat.

In a nutshell: McAfee XDR delivers a complete platform that provides SOCs visibility into how threats are impacting your key business processes, prioritization of response and delivers a full-integrated platform of security technologies.

While it may still not be ready for prime time,  XDR is poised to become an important part of the unfolding security story this year and beyond as more enterprises move their information to the cloud. It’s also why having an experienced partner by your side to help unlock the full benefits of a cohesive, unified security incident detection and response platform has never been more important.

For more information visit: mcafee.com/XDR

The post McAfee XDR: Taking Threat Detection and Response to a New Level appeared first on McAfee Blogs.

UCSF Pays $1.14m Ransomware Fee

UCSF Pays $1.14m Ransomware Fee

The University Of California San Francisco finally confirmed that it had forked over $1.14m to ransomware thieves last week, less than a month after discovering that critical academic data related to its COVID-19 research had been encrypted.

The university said in a statement on Friday that it had detected a security incident affecting some of its School of Medicine servers on June 1. It had quarantined the affected IT systems at the time. The attackers managed to encrypt some of the university's systems with ransomware and demanded a payment. Although the university believed that no patient's medical records were affected, the data was important enough that it was forced to play ball with the criminals. It said:

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."

UCSF was one of three higher education establishments to be targeted in a single week at the start of June by the Netwalker ransomware gang.

The BBC received a tip that enabled it to drop in on a chat session between UCSF and the criminal gang on the dark web. According to the chat transcript, Netwalker originally asked for a $3m ransom, but UCSF countered, asking them to accept $780,000. The two parties kept haggling, until they agreed on a final sum of $1,140,895. That equated to 116.4 bitcoins, which the university transferred the following day.

Universities are difficult places to protect because the networks are vast and geared toward open information sharing. In September 2019, the UK's National Cybersecurity Center reported that UK universities were at particular risk from nation-state attacks, although most fail to pay much attention. In May last year, Moody's Investors Service warned that universities have numerous campuses and thousands of students along with budgetary constraints, making their cybersecurity effort especially difficult. Its research, sponsored by IBM Security, revealed 101 confirmed data disclosures at US universities in 2017, up from just 15 in 2014.

Researchers Find New Calendar-Based Phishing Campaign

Researchers Find New Calendar-Based Phishing Campaign

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks. The Cofense Phishing Defense Center found the attack in enterprise email environments protected by Proofpoint and Microsoft, it announced last week.

The phishing scam uses iCalendar, which is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks. iCalendar files are usually delivered with an .ics extension. The company found the attackers using this file with the subject "Fault Detection from Message Center," from a sender with the display name Walker. It came from a legitimate account belonging to a school district, indicating that the attackers were using a compromised email. That enabled them to bypass email filters relying on the DKIM and SPF technologies that authenticate sending domains.

When the victim opens the .ics file, it proposes a calendar entry displaying the URL, along with a message saying that it is from a security center. The web page behind the URL is hosted on Microsoft's SharePoint site, and displays another link to a phishing site hosted by Google that appears to show a Wells Fargo login page.

Victims gullible enough to cooperate must submit their login details, PIN and account numbers, along with their email credentials. Doing so hands the attackers the keys to the kingdom. The phishing site will then send them to the legitimate Wells Fargo website to quell any suspicion.

This may be a new campaign, but it is not a new technique. A similar attack cropped up last June, when Kaspersky found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

This attack shows that cyber-crooks are still using the same attack vectors to deliver their scam material. Cofense also points out that using legitimate domains designed to host user content is a common tactic, and a perennial problem for the likes of Microsoft and Google. It gives the attackers an air of legitimacy because they get to take advantage of these sites' built-in SSL certificates, which add the reassuring green padlock icon to the side of the URL in a browser's address bar.

Criminals Exploit Pandemic with Brute-Force RDP Attacks

Criminals Exploit Pandemic with Brute-Force RDP Attacks

ESET is the latest security company to notice a sharp spike in RDP-based hacks over the last few months. The anti-malware company spotted a rise in the number of brute-force attacks using the remote access protocol, and said that cyber-criminals have been using it to distribute ransomware.

The Remote Desktop Protocol is a proprietary Microsoft protocol that allows people to access Windows from outside the network. Companies often leave their RDP ports open without taking proper security measures, ESET warned. That can lead to malware infections.

The company has tied the spike in attacks to the COVID-19 pandemic. With lots of office workers forced to log in from home, RDP has become a common way for them to access machines back at the office, it explained. It distributed a graph showing daily attacks against unique clients rising from just under 30,000 in December to over 100,000 during May.

ESET created a new detection layer that spots repeated login attempts from external environments. It adds offending IP addresses to a blacklist that it uses to protect all of its clients. For that to work, though, companies must enable the Network Level Authentication (NLA) RDP option on their servers. This is something that Microsoft has already recommended in the past as a protection against the BlueKeep worm that emerged last year, which exploited a vulnerability in RDP.

Other things you can do to protect yourself against RDP include disabling it altogether if you don't need it, the company says, or at least creating access control lists that limit the number of users allowed to connect directly over the internet. Use strong, complex passwords for all accounts, along with multi-factor authentication, it advises. If possible, use a VPN gateway to broker all connections from outside your local network. We covered some protection techniques in April.

ESET isn't the only company to have noticed a rise in RDP-based attacks. In March, Shodan noticed an uptick in the number of devices exposing RDP to the internet. A month later, Kaspersky reported the same thing, warning that the number of Bruteforce.Generic.RDP attacks had "rocketed across almost the entire planet" since March.

Exposed RDP problems are so bad that the FBI even warned about it in 2018, and reportedly sent out another warning this month to K–12 schools in the US about an increase in RDP-based ransomware attacks during the pandemic.

At least 31 US Businesses targeted with WastedLocker Ransomware

Tens of organizations in the United States have been targeted with the recently discovered WastedLocker ransomware.

The malicious code was first documented by researchers from the NCC Group’s report and later Symantec published its own analysis.

Security experts from Symantec reported that at least 31 organizations in the United States have been targeted with the recently discovered WastedLocker ransomware.

According to the experts, the malware was developed by the Russian cybercrime crew known as Evil Corp, which was behind the Dridex Trojan, and multiple ransomware like Locky , Bart, Jaff, and BitPaymer.

WastedLocker ransomware was used in highly targeted attacks against selected targets, threat actors also used SocGholish fake update framework and a custom version of the Cobalt Strike loader to spread the malware.

“WastedLocker is a relatively new breed of targeted ransomware, documented just prior to our publication by NCC Group, while Symantec was performing outreach to affected networks. WastedLocker has been attributed to the notorious “Evil Corp” cyber crime outfit.” reads the analysis published by Symantec. “The attacks begin with a malicious JavaScript-based framework known as SocGholish, tracked to more than 150 compromised websites, which masquerades as a software update. “

Once compromised the target networks, the attackers were attempting to deploy the ransomware to demand a multimillion-dollar ransom.

The threat actors use SocGholish JavaScript-based framework for malware deployment, the experts were able to track it to over 150 compromised websites, where it was masqueraded as a software update.

Once the attackers gained access to the target’s network, they use the Cobalt Strike malware along with other living-off-the-land tools to steal credentials, escalate privileges, and make lateral movements to deploy the WastedLocker ransomware on the largest number as possible computers.

The attackers mainly targeted major corporations, including many household names. The list of victims includes large private organizations, along with 11 listed companies, eight of which are part of the Fortune 500.

Only one out of the 31 targeted organizations was not U.S. owned.

Most of the victims belong to the manufacturing industry, followed by IT and media and telecommunications sectors.

WastedLocker ransomware targets by industry sector

“Organizations in a diverse range of sectors were attacked. Manufacturing was the sector most affected, accounting for five targeted organizations. This was followed by Information Technology (four) and Media and Telecommunications (three).” concludes the report that also includes indicators of compromise (IoCs) for these attacks. “Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains.”

Pierluigi Paganini

(SecurityAffairs – hacking, WastedLocker ransomware)

The post At least 31 US Businesses targeted with WastedLocker Ransomware appeared first on Security Affairs.

Fxmsp Hackers Behind AV Source Code Heist: Still Operating?

Remote-Access Vendor Promised to Make Buyers 'Invisible God of Networks'
Is the Fxmsp hacking operation still in business? Experts say Fxmsp earned $1.5 million in illicit profits, thanks to a botnet-based business model that enabled the group to sell remote access to hacked networks. But then it advertised source code allegedly stolen from three anti-virus vendors.

Hacking Timeline: Fxmsp’s Rise and Apparent Fall

Group Refined Network Intrusions and Malware to Build a Better Botnet, Experts Say
How long does it take to become a reliable, trusted seller in the cybercrime-as-a-service ecosystem? For the Fxmsp hacking collective, experts say the answer is about a year. The group built a botnet that facilitated network intrusions and data exfiltration, but it was driven off cybercrime forums.

Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms

With the dawn of the COVID-19 pandemic, state and federal agencies around the globe were looking at ways to modernize data intake for social services recipients. The government of a country of about 40 million citizens reached out to Microsoft and asked us to assist in this endeavor. Going paperless eliminates waiting in line at an agency office, and lowers the chance of COVID-19 transmission. The ability to make requests or apply for federal or local assistance online makes the process safer and more efficient, as once data is collected citizens should start receiving funds more accurately and quickly.

Security is a major concern of not only major governments but of other entities using Microsoft Power App intake forms. Organizations and agencies needed to be certain that Microsoft Power App intake forms could not be used to collect data from large, sensitive databases containing personal information like names, addresses, Social Security or national security identification numbers, telephone numbers, or bank account information for direct deposit. If internet-facing forms collect personal information, and are not securely implemented, bad actors can use those forms to cleverly gain access to millions—if not billions—of personal records.

We authored this white paper specifically for those agencies and organizations who are transforming data intake to partially or 100-percent paperless. Microsoft wants to ensure that customers are implementing our technologies with the most secure approach possible, and adhering to compliance with all data privacy laws. Microsoft is also making recommendations in the white paper regarding the best way to implement the NIST Cybersecurity Framework in order to identify, protect, detect, respond, and recover from cybersecurity attacks.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms appeared first on Microsoft Security.

Meaningful Context for Your Endpoint Threat Investigations

Threat intelligence (TI) — the art of distilling down everything that is happening globally in the adversarial threatscape and TI Programs – reducing  to what is necessary context for your company and your security team to know and take mitigation action against — is hard. Yet, many companies continue to try and create a threat intelligence capability from the ground up and find that their TI programs are not what they really want it to be. No wonder, then, that while 64% of companies say they have threat-intelligence programs, only 36% believe they would catch a sophisticated attacker, according to an Ernst & Young report on cyber threat intelligence What is causing the disconnect in effectiveness of those TI programs? 

A significant portion of the problem with TI is that the human analysts must absorb the global TIprioritize it for their organization, and then locally-operationalize any intelligence relevant to their company – and that’s not easy! Having access to TI is only the first step on the road to adding context to events that your team is seeing inside the network. Turning external threat feeds or data from a Threat Intelligence Program (TIP) into useful context for security teams – and then connecting that context to individual actions and projects – takes time and resources to produce results. The process is often slow and resource-intensivefurther delaying detection. Less than 20% of breaches are stopped in a timely fashion (e.g. in a matter of hours), according to VerizonWorse than that, knowing about a threat before you encounter it (e.g. a Campaign) and then being breached while you’re still working on proactively tuning your countermeasures against that threat would be disastrousA lack of timely, actionable context from TI is therefore a main contributor to NOT being proactively prepared for an attackIs there any way to produce actionable context, appropriate for your organization, in a timely and resource-efficient manner? Is there any way to expand that context to threats NOT in your environment but are headed your way?  

Threat Intelligence Context: Leverage EDR or not? 

As companies continue to deploy endpoint detection and response (EDR) on users’ machines, security teams are recognizing that the technology can detect anomalous behavior on the endpoint. But determining the degree to which those activities constitute a real threat that matters to you requires more context. Without the context to interpret whether an activity on the system is malicious or benign, companies are limited in their ability to do Threat Hunting[Sidebar] Define Threat Hunting: Threat hunting is the practice of proactively searching for cyber threats that are hidden, undetected, in an organization’s environment. 

Without context sensitive threat intelligence integrated with EDR, SOC teams are reduced to endlessly searching for endpoint events for known IOCs associated with adversaries and then manually doing cross-correlation to external TI. They have no way to automatically cross-correlate these events with known adversarial activities or known adversarial TTPs (e.g. like knowing the C&C IP address), and they end up having a very low signal-to-noise (SN) ratio where they waste lots of time investigating things that turn out to be a nothing- because they miss all the TI correlationsHaving a way to incorporate TI in a contextual manner would really improve the signal-to-noise ratio and make the SOC team much more effective 

That’s where effective TI integration comes into play and separates effective TI programs from ineffective TI programs. With properly integrated TI, you should have easy access into things like crowdsourced attack data that identifies Tactics, Techniques and Procedures (TTPs.) Once new TTPs have been identified by the Cyber Intelligence Community, this gives threat hunters an easy, high-fidelity way to look for specific attack behaviors in the organization’s environment, knowing what attacks those TTPs are related toWith this kind of TI integration, the Security Operations Center (SOC) can more quickly identify threats and be able to dramatically improve the signal-to-noise ratio for accurately prioritized investigations. However, I would argue that this is just table stakes. What and how can we take TI integration to the next level?  

A truly superior TI Integration would additionally provide prioritization of known threats based on things like whether the threat is targeting your industry sector and geography and most-importantly, predict  the risk of your environment getting impacted by the threat. This actionable TI would offer countermeasures and prescribe what you need to do if the countermeasures are predicted to be ineffective. With this next level of TI integration, the Security Operations Center (SOC) can actually move to being more proactive, by automating the analysis of threats that haven’t even been encountered by the organization. The organization is now prepared for attacks that EDR hasn’t even seen yet!  

Reality check here, how many organizations have this level of context and integration on threats? Not many.  

The ones I am aware of today, are the current McAfee customers who participated in our Joint Development Program for MVISION Insights this past quarter.  

McAfee has created its MVISION Insights service to provide a superiorintegrated TI so that security teams can prioritize and predict threats by cross-correlating known campaigns using industry and geographical threat activity with one’s own  security posture derived from their security telemetry, and prescribe the mosteffective way of dealing with the threat. This kind of solution empowers the SOC to move beyond manual TI cross-correlation and move to much more easily prioritizing threats that matter and moving from being reactive to being a lot more proactive.  

MVISION Insights empowers McAfee MVISION EDR for the SOC analyst on many fronts by offering more actionable context to the SOC to be more proactive 

This kind of TI integration can reduce the unnecessary investigations that a SOC does and can also improve the speed and accuracy of the investigations that have resources assignedBy having the context of a threat (e.g. by having organized, curated TTPs for Campaigns, knowing the attack operation and objective, list of IOCs, etc.) the SOC analyst can leverage this context on a current investigation and really reduce the time and effort to complete the investigation. Additional context like this can both eliminate unnecessary investigations and accelerate the investigation to decisive resolution. 

TI Context is King But… 

We have seen that as EDR capabilities become adopted more widely, it is becoming increasingly clear that knowing what is happening on the endpoint and ‘looking for clues’ is not enough. Without meaningful and automated context from a properly integrated TI capability, companies are slower to identify malicious events, may not prioritize attack investigations for threats headed their way, and could take the wrong steps to remediate threatsThe problem is that time is critical: An attacker can use a couple of days to do really bad things in your network. Having effective automated signal-to-noise improvement through a properly integrated TI program can help you quickly detect and hunt down attackers and be proactive against threats headed your way but are not in your environment. 

Context is not just a brief writeup from a TIP or External Threat Intelligence FeedTypically, a human must read and interpret and analyze that feed, often leading to a significant delay in incorporating the information into the SOC response. In most cases, TI products do not offer enough remediation guidance, they just provide the threat profile.   

Properly integrated TI project can solve these problems and a superior TI integration can move the SOC to being proactiveMcAfee’s MVISION Insights delivers actionable intelligence and context in an automated way that can augment and speed investigations and make the SOC proactive with respect to threats that haven’t even been detected in the organization. By freeing up analysts from manual analysis of intelligence feeds, companies can catch more attacks more quickly and be proactive against threats targeting them. 

Moreover, the insight does not come from a few instances or open-source feeds, but from the entire McAfee customer base across the globe from over 1B sensors 

Many companies are delivering machine learning and artificial intelligence applications to security orchestration, automation and response. Very few possess the data and context from a customer base as large as ours.

Having right TI context from a well-respected source with statistical reach and a threat analysis that is actionable gives organizations confidence to address a sophisticated attacker before their attack, elevates this TI context to new heights while shifting cyber security to be more proactive.    

For more on McAfee Insights, check out our webinar.  

Get Ahead of the Adversary with Proactive Endpoint Security  

The post Meaningful Context for Your Endpoint Threat Investigations appeared first on McAfee Blogs.

PROMETHIUM extends global reach with StrongPity3 APT

The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains. We assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the creation date month and year.
Talos telemetry shows that PROMETHIUM is expanding its reach and attempts to infect new targets across several countries. The samples related to StrongPity3 targeted victims in Colombia, India, Canada and Vietnam. The group has at least four new trojanized setup files we observed: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).
Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. This leads us to believe that just like in the past, the initial vector may be either a watering hole attack or in-path request interception like mentioned in a CitizenLab report from 2018. This group mainly focuses on espionage, and these latest campaigns continue down the same path. The malware will exfiltrate any Microsoft Office file it encounters on the system. Previous research even linked PROMETHIUM to state-sponsored threats. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission.

Read more >>>

The post PROMETHIUM extends global reach with StrongPity3 APT appeared first on Cisco Blogs.

11 Weeks of Android: Privacy and Security

This blog post is part of a weekly series for #11WeeksOfAndroid. For each #11WeeksOfAndroid, we’re diving into a key area so you don’t miss anything. This week, we spotlighted Privacy and Security; here’s a look at what you should know.

mobile security illustration

Privacy and security is core to how we design Android, and with every new release we increase our investment in this space. Android 11 continues to make important strides in these areas, and this week we’ll be sharing a series of updates and resources about Android privacy and security. But first, let’s take a quick look at some of the most important changes we’ve made in Android 11 to protect user privacy and make the platform more secure.

As shared in the “All things privacy in Android 11” video, we’re giving users even more control over sensitive permissions. Throughout the development of this release, we have engaged deeply and frequently with our developer community to design these features in a balanced way - amplifying user privacy while minimizing developer impact. Let’s go over some of these features:

One-time permission: In Android 10, we introduced a granular location permission that allows users to limit access to location only when an app is in use (aka foreground only). When presented with the new runtime permissions options, users choose foreground only location more than 50% of the time. This demonstrated to us that users really wanted finer controls for permissions. So in Android 11, we’ve introduced one time permissions that let users give an app access to the device microphone, camera, or location, just that one time. As an app developer, there are no changes that you need to make to your app for it to work with one time permissions, and the app can request permissions again the next time the app is used. Learn more about building privacy-friendly apps with these new changes in this video.

Background location: In Android 10 we added a background location usage reminder so users can see how apps are using this sensitive data on a regular basis. Users who interacted with the reminder either downgraded or denied the location permission over 75% of the time. In addition, we have done extensive research and believe that there are very few legitimate use cases for apps to require access to location in the background.

In Android 11, background location will no longer be a permission that a user can grant via a run time prompt and it will require a more deliberate action. If your app needs background location, the system will ensure that the app first asks for foreground location. The app can then broaden its access to background location through a separate permission request, which will cause the system to take the user to Settings in order to complete the permission grant.

In February, we announced that Google Play developers will need to get approval to access background location in their app to prevent misuse. We're giving developers more time to make changes and won't be enforcing the policy for existing apps until 2021. Check out this helpful video to find possible background location usage in your code.

Permissions auto-reset: Most users tend to download and install over 60 apps on their device but interact with only a third of these apps on a regular basis. If users haven’t used an app that targets Android 11 for an extended period of time, the system will “auto-reset” all of the granted runtime permissions associated with the app and notify the user. The app can request the permissions again the next time the app is used. If you have an app that has a legitimate need to retain permissions, you can prompt users to turn this feature OFF for your app in Settings.

Data access auditing APIs: Android encourages developers to limit their access to sensitive data, even if they have been granted permission to do so. In Android 11, developers will have access to new APIs that will give them more transparency into their app’s usage of private and protected data. The APIs will enable apps to track when the system records the app’s access to private user data.

Scoped Storage: In Android 10, we introduced scoped storage which provides a filtered view into external storage, giving access to app-specific files and media collections. This change protects user privacy by limiting broad access to shared storage in many ways including changing the storage permission to only give read access to photos, videos and music and improving app storage attribution. Since Android 10, we’ve incorporated developer feedback and made many improvements to help developers adopt scoped storage, including: updated permission UI to enhance user experience, direct file path access to media to improve compatibility with existing libraries, updated APIs for modifying media, Manage External Storage permission to enable select use cases that need broad files access, and protected external app directories. In Android 11, scoped storage will be mandatory for all apps that target API level 30. Learn more in this video and check out the developer documentation for further details.

Google Play system updates: Google Play system updates were introduced with Android 10 as part of Project Mainline. Their main benefit is to increase the modularity and granularity of platform subsystems within Android so we can update core OS components without needing a full OTA update from your phone manufacturer. Earlier this year, thanks to Project Mainline, we were able to quickly fix a critical vulnerability in the media decoding subsystem. Android 11 adds new modules, and maintains the security properties of existing ones. For example, Conscrypt, which provides cryptographic primitives, maintained its FIPS validation in Android 11 as well.

BiometricPrompt API: Developers can now use the BiometricPrompt API to specify the biometric authenticator strength required by their app to unlock or access sensitive parts of the app. We are planning to add this to the Jetpack Biometric library to allow for backward compatibility and will share further updates on this work as it progresses.

Identity Credential API: This will unlock new use cases such as mobile drivers licences, National ID, and Digital ID. It’s being built by our security team to ensure this information is stored safely, using security hardware to secure and control access to the data, in a way that enhances user privacy as compared to traditional physical documents. We’re working with various government agencies and industry partners to make sure that Android 11 is ready for such digital-first identity experiences.

Thank you for your flexibility and feedback as we continue to build an increasingly more private and secure platform. You can learn about more features in the Android 11 Beta developer site. You can also learn about general best practices related to privacy and security.

Please follow Android Developers on Twitter and Youtube to catch helpful content and materials in this area all this week.

Resources

You can find the entire playlist of #11WeeksOfAndroid video content here, and learn more about each week here. We’ll continue to spotlight new areas each week, so keep an eye out and follow us on Twitter and YouTube. Thanks so much for letting us be a part of this experience with you!

Industry Experts Weigh in on McAfee’s Proactive Cybersecurity

Recently Forbes shared an accurate depiction of McAfee in its articleMcAfee Finally On The Right PathLet me extend their innovation story and share with you the leadership path McAfee continues to blaze in cybersecurity 

Imagine if organizations knew of high severity threats targeting their industry sector and geographies before they encountered such threats, with precise knowledge if their countermeasures could stop the threat?  Also imagine if the countermeasures could not stop the threats, and they knew what they should do to improve those countermeasures so that the threat would be stopped? Doing all these actions, before an attack impacts you, is referred to as “shifting left on the attack lifecycle.  Gartner and many other analyst firms have openly expressed that shifting left is something a lot of vendors are trying to achieve. I am excited to announce that McAfee has found a way to do it. 

So, how did we do it? Enter McAfee MVISION InsightsWe previewed this innovation at MPOWER in October 2019 – an unique solution helping organizations become more proactive MVISION Insights is a cloud-native solution that provides highly predictive security analytics  These analytics enable proactive management and remediation against advanced attacks.  

 News of MVISION Insights created quite a buzz among industry influencers when we briefed them. The resounding point of view was that McAfee MVISION Insights is in a class of its own. and “ahead of the market”.  

A highly reputed analyst cast MVISION Insights at the same level of high esteem as McAfee’s highly acclaimed unified management solution, ePolicy Orchestrator 

“In the same way ePO is the gold standard for management consoles, Insights can be the same for the threat/analytics platform” 

– Top Tier Analyst Firm  

Yet other analysts called out the lack of immediate competition.   

“The vendor has stolen a march on some of its competitors, at least in the short term, with this offering. A lot of vendors are aiming to get to an offering comprising threat intel + prioritization + recommendations + automation, but few if any have actually reached that point today.” 

Omdia research. 

‘You are forward leaning and a differentiator in this space.  And it is even more impressive you did this organically while your competitors are trying to piece together with partnerships’ 

– Top Tier Analyst Firm 

Many vendors are making big claims about all the data they have access to and their rich telemetry, but they don’t weave the pieces together with why it is relevant to an organization’s environment. MVISION Insights not only prioritizes the threats based on prevalence in the organization’s geography and industry sector but also  takes the prioritized threat analysis and assesses your local security posture to see how it will stack up against the threat.  This value of the local security posture assessment against the threat was also called out, “…a key value point here is the local security posture assessment with the vast threat intelligence and analytics.”.   

ESG recognized “With the exposure of any new security attack, CISOs, CEOs, and corporate boards immediately ask whether they are at risk.  MVISION Insights from McAfee can help automate answers to this question.  This gives organization the ability to think globally, act locally, and respond quickly to cyber-attacks.” 

It’s not just threat analysis paralysis but prioritized actionable insights. 

With MVISION Insightsorganizations can answer critical questions quickly: Are they at risk? What is their priorityWill their protections hold? What do they need to do to be protected?  Take a closer look at MVISION Insights coming soon. Soon I plan to share the customer feedback we are receiving with organizations accessing the early solution. You don’t want to miss it.  

The post Industry Experts Weigh in on McAfee’s Proactive Cybersecurity appeared first on McAfee Blogs.