Daily Archives: November 16, 2020

Why biometrics will not fix all your authentication woes

As the number of data breaches shows no signs of decreasing, the clamor to replace passwords with biometric authentication continues to grow. Biometrics are becoming widely incorporated to secure organizations from unauthorized access and the growing appeal of these security solutions is expected to create a market worth $41.8 billion by 2023, according to MarketsandMarkets. Password reuse is the fundamental reason why data breaches continue to happen. In recent years biometrics have increasingly been lauded … More

The post Why biometrics will not fix all your authentication woes appeared first on Help Net Security.

Christmas Shopping 2020

How To Stay Safe While Shopping Online This Holiday Season

I’m pleased to report that I’ve achieved a number of personal bests in 2020 but the one I’m most proud about is my achievement in the highly skilled arena of online shopping. I’ve shopped online like I’m competing in the Olympics: groceries, homewares, clothing – even car parts! And my story is not unique. Living with a pandemic has certainly meant we’ve had to adapt – but when it came to ramping up my online shopping so we could stay home and stay safe – I was super happy to adapt!

And research from McAfee shows that I am not alone. In fact, over 40% of Aussies are buying more online since the onset of COVID-19 according to the 2020 Holiday Season: State of Today’s Digital e-Shopper survey. But this where it gets really interesting as the survey also shows that nearly 1/3 of us (29%) are shopping online 3-5 days a week, and over one in ten consumers (11%) are even shopping online daily!! But with many online retailers offering such snappy delivery, it has just made perfect sense to stay safe and stay home!

Santa Isn’t Far Away…

With just over a month till Santa visits, it will come as no surprise that many of us are starting to prepare for the Holiday season by purchasing gifts already. Online shopping events such as Click Frenzy or the Black Friday/Cyber Monday events are often very compelling times to buy. But some Aussies have decided they want to get in early to secure gifts for their loved ones in response to warnings from some retailers warning that some items may sell out before Christmas due to COVID-19 related supply chain issues. In fact, McAfee’s research shows that 48% of Aussies will be hitting the digital links to give gifts and cheer this year, despite 49% feeling cyber scams become more prevalent during the holiday season.

But What About The Risks?

McAfee’s research shows very clearly that the bulk of us Aussies are absolutely aware of the risks and scams associated with online shopping but that we still plan to do more shopping online anyway. And with many of us still concerned about our health and staying well, it makes complete sense. However, if there was ever a time to take proactive steps to ensure you are minimizing risks online – it is now!

What Risks Have McAfee Found?

McAfee’s specialist online threat team (the Advanced Threat Research team) recently found evidence that online cybercrime is on increase this year, with McAfee Labs observing 419 threats per minute between April to June 2020 – an increase of almost 12% over the previous quarter.

And with many consumers gearing up to spend up big online in preparation for the Holiday season, many experts are worried that consumers are NOT taking these threats as seriously as they should. McAfee’s research showed that between April to June 2020, 41% of 18-24 year olds have fallen victim to an online scam and over 50% of the same age group are aware of the risks but have made no change to their online habits.

My Top Tips To Stay Safe While Shopping Online

At the risk of sounding dramatic, I want you to channel your James Bond when you shop online this holiday period. Do your homework, think with your head and NOT your heart and always have your wits about you. Here are my top tips that I urge you to follow to ensure you don’t have any unnecessary drama this Christmas:

  1. Think Before You Click

Click on random, unsafe links is the best way of falling victim to a phishing scam. Who wants their credit card details stolen? – no one! And Christmas is THE worst time for this to happen! If something looks too good to be true – it probably is. If you aren’t sure – check directly at the source – manually enter the online store address yourself to avoid those potentially nasty links!

  1. Turn On Multi-Factor Authentication Now

This is a no-brainer – where possible, turn this on as it adds another lay of protection to your personal data and accounts. Yes, it will add another 10 seconds to the log-in process but it’s absolutely worth it.

  1. Invest in a VPN

If you have a VPN (or Virtual Private Network) on your laptop, you can use Wi-Fi without any concern – perfect for online purchases on the go! A VPN creates an encrypted tunnel between your device and the router which means anything you share is protected and safe! Check out McAfee’s Safe Connect which includes bank-grade encryption and private browsing services.

  1. Protect Yourself – and Your Device!

Ensuring all your devices are kitted out with comprehensive security software which will protect against viruses, phishing attacks and malicious website is key. Think of it as having a guardian cyber angel on your shoulder. McAfee’s Total Protection software does all that plus it has a password manager, a shredder and encrypted storage – and the Family Pack includes the amazing Safe Family app – which is lifechanging if you have tweens and teens!

So, yes – please make your list and check it twice BUT before you dive in and start spending please take a moment to ask yourself whether you are doing all you can to minimise the risks when online shopping this year. And don’t forget to remind your kids too – they may very well have their eye on a large gift for you too!

Happy Christmas Everyone

Alex xx

 

 

The post Christmas Shopping 2020 appeared first on McAfee Blogs.

2021 predictions for the Everywhere Enterprise

As we near 2021, it seems that the changes to our working life that came about in 2020 are set to remain. Businesses are transforming as companies continue to embrace remote working practices to adhere to government guidelines. What does the next year hold for organizations as they continue to adapt in the age of the Everywhere Enterprise? We will see the rush to the cloud continue The pandemic saw more companies than ever move … More

The post 2021 predictions for the Everywhere Enterprise appeared first on Help Net Security.

Accept your IT security limits and call in the experts

For many employees, the COVID-19 pandemic brought about something they dreamed of for years: the possibility to eschew long commutes, business attire and (finally!) work from their home. Companies were forced to embrace the work-from-home switch and many are now starting to like the cost savings and the possibility to hire employees from a wider, non-localized pool of applicants. But for IT security teams, the switch meant even more work and struggling finding new ways … More

The post Accept your IT security limits and call in the experts appeared first on Help Net Security.

‘Sleigh’ Holiday Shopping by Protecting Your Online Security

Holiday Shopping Online

‘Sleigh’ Holiday Shopping by Protecting Your Online Security

And just like that, the holiday shopping season is among us! Like consumers everywhere, you may be trying to plan ahead when it comes to picking out gifts for your friends and family, scouring far and wide to cross items off your list. This year, however, will likely be different than past holiday shopping seasons.

While more than 124 million consumers shopped in-store during the 2019 holiday shopping weekend, findings from McAfee’s 2020 Holiday Season: State of Today’s Digital e-Shopper survey revealed that consumers plan to do more shopping online – and earlier – this holiday season. But how will this increase in online activity impact users’ digital lives?

Let’s explore what this online shopping trend means for consumer security this holiday shopping season.

Gearing Up For Shopping Season? So Are Holiday Hackers

The onset of the global health emergency caused users everywhere to live, work, play, and buy through their devices – maybe more than ever before. McAfee’s survey shows that general shopping activity has increased, with 49% of respondents stating they are buying online more since the onset of COVID-19. As one could predict, researchers expect these online shopping habits to bleed into the holiday shopping season. In fact, 36% of Americans note that they plan on using digital links to give gifts and spread cheer this year. However, this increase in online activity doesn’t exactly mean an increase in online safety.

Hackers love to take advantage of online trends, so it’s no surprise that they see an increase in online activity as more opportunities to spread threats.  In fact, McAfee Labs observed an almost 12% increase in online threats per minute in Q2 2020 compared to the previous quarter.

Increased online activity serves as the perfect opportunity for hackers to interrupt consumers’ merriment and spread malicious misdeeds.  And 36% of consumers noted that their online buying habits will increase this holiday season, even though they are aware of cyber risks.  This lack of concern is troublesome, especially as hackers get stealthier in how they scam consumers. Take Black Friday and Cyber Monday discounts, for example. Forty-three percent of survey respondents admitted to not checking the authenticity of these so-called deals when going through their emails and text messages. By not taking proper security precautions, users potentially open themselves up to a blizzard of cyberthreats.

Holiday Shopping Scams
The 2020 e-Shoppers Guide

Spread Holiday Cheer Without Fear

While these survey results confirm that cyber-grinches are using their tricks to interrupt the merriment, that doesn’t mean consumers can’t still have a holly, jolly shopping experience. By taking the necessary steps to protect themselves – and their loved ones – this holiday season, consumers can continue to live their digital lives with confidence. To help ensure hackers don’t put a damper on your festive celebrations, follow these security tips:

Employ multi-factor authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. This reduces the risk of successful impersonation by hackers.

Go directly to the source

Instead of clicking on a link in an email or text message, it’s always best to check directly with the source to verify a Black Friday or Cyber Monday offer or track a package’s shipment.

Browse with caution

Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Protect your identity

Hackers often use consumers’ personally identifiable information to make fraudulent purchases – a trick that would certainly interrupt a holiday shopping spree. A solution like McAfee Identity Theft Protection takes a proactive approach to help protect identities with personal and financial monitoring and recovery tools to help keep identities personal and secure.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post ‘Sleigh’ Holiday Shopping by Protecting Your Online Security appeared first on McAfee Blogs.

Cyber Monday is Coming – 10 Tips to Protect You From Online Shopping Scams

Cyber Monday

Cyber Monday is Coming – 10 Tips to Protect You and Your Family from Online Shopping Scams

You’re not the only one looking forward to the big holiday sales like Black Friday and Cyber Monday. Hackers are too. As people flock to retailers big and small in search of the best deals online, hackers have their shopping scams ready.

So while you already know how to spot a great deal, here are ways you and your family can steer clear of online scams so you can keep your finances safer this shopping season:

1.) Don’t open email attachments from retailers and shippers

A common scam hackers use is introducing malware via email attachments, and during the holiday sale season, they’ll often send malware under the guise of offer emails and shipping notifications. Know that retailers and shipping companies won’t send things like offers, promo codes, and tracking numbers in attachments. They’ll clearly call those things out in the body of an email instead.

 2) Carefully review links and email addresses

A classic scammer move is to “typosquat” phony email addresses and URLs that look awfully close to legitimate addresses of legitimate companies and retailers. They often appear in phishing emails and instead of leading you to a great deal, these can in fact link you to scam sites that can then lift your login credentials, payment info, or even funds should you try to place an order through them.

3) Watch out for copycat deals and sites

A related scammer trick that also uses typosquatting tactics is to set up sites that look like they could be run by a trusted retailer or brand but are not. These sits may tout a special offer, a great deal on a hot holiday item or whatnot, yet such sites are one more way cybercriminals harvest personal and financial information. A common way for these sites to spread is by social media, email, and other messaging platforms. Be skeptical of any links you see there—it’s best to go to the site directly and look for the deal there.

4) Use protection while you shop

Using a complete security software suite can offer layers of extra protection while you shop, such as web browser protection that will block malicious and suspicious links that could lead you down the road to malware or a financial scam.

5) Diversify and protect your passwords

Using the same narrow set of passwords only helps hackers. If they hack one account, they can then hack others—simply because that same password is in use over and over. Use a password manager that can create strong passwords and store them securely as well. That’ll save you some hassle and keep you safer in the process.

6) Use two-factor authentication on your accounts

Two-factor authentication is an extra layer of defense on top of your username and password. It adds in the use of a special one-time-use code to access your account, usually sent to you via email or to your phone by text or a phone call. In all, it combines something you know, like your password, with something you have, like your smartphone. Together, that makes it tougher for a crook to hack your account. If any of your accounts support two-factor authentication, put it into place.

7) Use a VPN if you’re shopping on public Wi-Fi

Public Wi-Fi in coffee shops and other public locations can expose your private surfing to prying eyes because those networks are open to all. Using a virtual private network (VPN) encrypts your browsing, shopping, and other internet traffic, thus making it secure from attempts at intercepting your data on public Wi-Fi and harvesting information like your passwords and credit card numbers.

8) Use a credit card instead of your debit card

Specific to the U.S., the Fair Credit Billing Act offers the public protection against fraudulent charges on credit cards, where citizens can dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Note that many credit card companies have their own policies that improve upon the Fair Credit Billing Act as well. However, debit cards aren’t afforded the same protection under the Act. Avoid using those while shopping online and use your credit card instead.

9) Consider getting a virtual credit card

Another alternative is to set up a virtual credit card, which is a proxy for your actual credit card. With each purchase you make, that proxy changes, which then makes it much more difficult for hackers to exploit. You’ll want to research virtual credit cards further, as there are some possible cons that go along with the pros, such as in the case of returns where a retailer will want to use the same proxy to reimburse a purchase.

10) Keep a close eye on your credit reports

With all the passwords and accounts we keep, this is important. Checking your credit will uncover any inconsistencies or outright instances of fraud. From there, you can then take steps to straighten out any errors or bad charges that you find. In the U.S., you can run a free credit report once a year with the major credit reporting agencies. Just drop by the Federal Trade Commission (FTC) website for details on your free credit report.

Shop happy! (Don’t give in to stress and scarcity.)

One aspect of cybercrime that deserves a fair share of attention is the human element. Crooks have always played on our feelings, fears, and misplaced senses of trust. It’s no different online, particularly during the holidays. We all know it can be a stressful time and that we sometimes give into the pressure of finding that hard-to-get gift that’s so hot this year. Crooks do too, and they’ll tailor their attacks around those.

So, while you’re shopping online this year, take a deep breath before you dive in. Double-check those deals that may look almost too good to be true. They may be a scam waiting to spring—and indeed be too good to be true after all.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cyber Monday is Coming – 10 Tips to Protect You From Online Shopping Scams appeared first on McAfee Blogs.

Explosion in digital commerce pushed fraud incentive levels sky-high

A rise in consumer digital traffic has corresponded with a rise in fraud attacks, Arkose Labs reveals. As the year progresses and more people than ever are online, historically ‘normal’ online behavioral patterns are no longer applicable and holiday levels of digital traffic continue to occur on a near daily basis. Fraudsters are exploiting old fraud modeling frameworks that fail to take today’s realities into account, attempting to blend in with trusted traffic and carry … More

The post Explosion in digital commerce pushed fraud incentive levels sky-high appeared first on Help Net Security.

Risk professionals expect a dynamic risk environment in 2021

A majority of audit and risk professionals believe the risk environment will continue to be dynamic and unpredictable in 2021, rather than returning to more stable pre-pandemic conditions, an AuditBoard survey finds. The top risk they cited for the coming year was of “economic conditions impacting growth,” followed closely by “cybersecurity threats.” The responses also illustrate the long-term changes audit and risk professionals will experience in their roles as a result of the pandemic, and … More

The post Risk professionals expect a dynamic risk environment in 2021 appeared first on Help Net Security.

LexisNexis Emailage: Reimagining fraud detection by using email intelligence as a core risk identifier

LexisNexis Risk Solutions announced the availability of LexisNexis Emailage, a powerful fraud risk scoring solution fueled by email intelligence to help companies balance a seamless user experience with robust fraud detection and prevention capabilities. This solution helps solve both of these challenges by allowing organizations to confidently assess risk, approve transactions faster and more effectively outsmart quickly changing fraud tactics within digital transactions. LexisNexis Emailage reimagines fraud detection by using email intelligence as a core … More

The post LexisNexis Emailage: Reimagining fraud detection by using email intelligence as a core risk identifier appeared first on Help Net Security.

VMware launches Modern Network framework to help businesses adapt to a new normal

VMware unveiled the Modern Network framework to enable businesses, and their IT and application development teams, to accelerate adapting to a new normal. To help customers realize a modern network of their own, VMware also announced further enhancements to its virtual networking products and services. For businesses today, the ability to rapidly and cost effectively respond to change is paramount. Application developers need to quickly deploy, test, and iterate applications. The infrastructure powering applications needs … More

The post VMware launches Modern Network framework to help businesses adapt to a new normal appeared first on Help Net Security.

Masergy boosts its SD-WAN Secure solution with SASE capabilities

Masergy announced that it is strengthening its SD-WAN Secure solution to offer Secure Access Service Edge (SASE) capabilities. Masergy is taking a best-of-breed approach to SASE, combining security technologies from leaders in their respective Gartner, Inc. Magic Quadrants to deliver a converged network and security solution. The need for corporations to deliver a secure and agile IT environment continues to grow each year, and yet those benefits can only be realized if the network and … More

The post Masergy boosts its SD-WAN Secure solution with SASE capabilities appeared first on Help Net Security.

TrilioVault for Kubernetes 2.0: Managing data protection and migration across clouds

Trilio announced TrilioVault for Kubernetes v2.0, including a new management console to discover, control and manage data protection for Kubernetes applications across hybrid- and multi-cloud environments. As part of the latest TrilioVault for Kubernetes release, Trilio also announced enhanced enterprise-grade Kubernetes backup and restore capabilities, including comprehensive application support, certification of new distributions and multi-cloud enablement use cases. New TrilioVault management console for multi-cloud data protection The TrilioVault Management Console allows users to easily discover … More

The post TrilioVault for Kubernetes 2.0: Managing data protection and migration across clouds appeared first on Help Net Security.

Zyxel adds enhancements and two new firewalls to its USG FLEX family of mid-range firewalls for SMBs

Zyxel Networks expanded and strengthened their comprehensive family of security solutions for businesses with the launch of two new USG FLEX mid-range firewalls and the release of firmware ZLD 4.60. Armed with key enhancements provided by the new firmware, Zyxel security firewalls provide businesses with the power and flexibility to protect themselves against more sophisticated cyberthreats and ensure business continuity in the rapidly-evolving business environment. USG FLEX series gains entry-level and high-end firewalls Zyxel has … More

The post Zyxel adds enhancements and two new firewalls to its USG FLEX family of mid-range firewalls for SMBs appeared first on Help Net Security.

Mastercard adds A2A payments functionality to Mastercard Track Business Payment Service

Mastercard continues to deliver on its multi-rail strategy with the addition of Account-to-Account (A2A) payments functionality to Mastercard Track Business Payment Service. This launch represents the next phase in Mastercard’s journey to modernize business payments by solving persistent pain points that Buyers and Suppliers experience today. Building on the success of card payments within Mastercard Track Business Payment Service, businesses can now have a similar experience for A2A payments – exchanging data with greater efficiency … More

The post Mastercard adds A2A payments functionality to Mastercard Track Business Payment Service appeared first on Help Net Security.

Avanan announces availability of its security application for Microsoft Teams

Avanan announced that their protection for Microsoft Teams is now available in full prevent mode. Following Microsoft’s announcement of the Teams API, Avanan is announcing general availability of its security application for Teams, enabling Avanan customers to apply additional remediation actions on malicious content and data leakage in the Teams environment. As business communication continues to expand from email to additional platforms, Avanan extends the security layers of anti-phishing, malware and DLP protection to Teams. … More

The post Avanan announces availability of its security application for Microsoft Teams appeared first on Help Net Security.

Codefresh GitOps 2.0: Helping companies confidently ship code faster

Codefresh launched a new initiative – GitOps 2.0 – which seeks to solve limitations that have existed in GitOps and promote best practices for the future. Codefresh’s support for the new standard includes several new tools aimed at improving the experience and speed of continuous integration and delivery (CI/CD) with GitOps, all to help companies confidently ship code faster. The goal of GitOps 2.0 is to provide patterns and standards that improve software delivery and … More

The post Codefresh GitOps 2.0: Helping companies confidently ship code faster appeared first on Help Net Security.

Tanium and IBM join forces to create a security and compliance monitoring solution for hybrid cloud

Tanium announced it is working with IBM to create a security and compliance monitoring solution for hybrid cloud, creating an easy path to verify and validate compliance for highly regulated industries such as healthcare, financial services and government. IBM Cloud customers can access Tanium-delivered compliance monitoring for continuous, real-time visibility across endpoints everywhere. This collaboration is designed to enable customers to manage and protect their mission-critical workloads in a distributed hybrid cloud environment. Agility is … More

The post Tanium and IBM join forces to create a security and compliance monitoring solution for hybrid cloud appeared first on Help Net Security.

Dating Site Bumble Leaves Swipes Unsecured for 100M Users

Bumble fumble: An API bug exposed personal information of users like political leanings, astrological signs, education, and even height and weight, and their distance away in miles.

Unprotected database exposed a scam targeting 100K+ Facebook accounts

Researchers discovered an ElasticSearch database exposed online that contained data for over 100000 compromised Facebook accounts.

Researchers at vpnMentor discovered an ElasticSearch database exposed online that contained an archive of over 100.000 compromised Facebook accounts. The archive was used by crooks as part of a global hacking campaign against users of the social network.

“We discovered the scam via an unsecured database used by the fraudsters to store private data belonging to 100,000s of their victims.” reads the analysis published vpnMentor.

“The people running the scam were tricking Facebook users into providing login credentials for their private accounts via a tool pretending to reveal who was visiting their profiles.”

Facebook scam

The fraudsters used the stolen login credentials to access Facebook accounts and share spam comments on posts. The comments all eventually led to a fake Bitcoin trading platform used to scam people out of ‘deposits’ of at least €250.

“By including links to fake news websites, the fraudsters hoped to bypass and confuse Facebook’s fraud and bot detection tools,” said researchers. “If the hacked accounts only posted the same links to a Bitcoin scam over and over, they’d quickly be blocked by the social network.”

Fraudsters were tricking Facebook users into providing their account login credentials by providing a tool that pretended to reveal who was visiting their profiles. Personally Identifiable Information (PII) data included in the archive also included emails, names, and phone numbers for the victims who’d registered at a fraudulent Bitcoin site also run by the fraudsters. Experts also discovered tens of domains employed by the fraudsters in this scam campaign.

The archive also included technical information about how the cybercriminals had automated their processes.

It is not clear if the exposed data was accessed or leaked by other third parties.

The size of the archive was over 5.5 GB and contained a total of 13,521,774, it remained open between June and September of this year. According to the experts at least 100,000 Facebook users were exposed in the Facebook scam.

vpnMentor pointed out Facebook accounts were not hacked, the exposed database belonged to a third party using it to process account login credentials obtained illegally via a group of scam websites targeting Facebook users

The researchers notified the social network of their discovery, they also confirmed that the database was live and real.

The day after the discovery of the unsecured database, it was likely targeted by a Meow attack, which wiped its data, them the database went offline. Since July, experts observed dozens of unsecured Elasticsearch and MongoDB instances exposed online that were inexplicably wiped by threat actors as part of a campaign tracked as Meow attack.

“If you’re a Facebook user and think you’ve been a victim of this fraud, change your login credentials immediately.” concludes the report.

“Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking. We recommend using a password generator to create unique, strong passwords for every private account you have, and changing them periodically.”

Below the investigation timeline:

  • Database discovered: 21st September, 2020
  • Date Facebook contacted: 21st September, 2020
  • Database server closed*: 22nd September, 2020

Pierluigi Paganini

(SecurityAffairs – hacking, scam)

The post Unprotected database exposed a scam targeting 100K+ Facebook accounts appeared first on Security Affairs.

Balancing Fraud Prevention, User Experience

Mike Slaugh of USAA Discusses Effective Strategies
COVID-19 has accelerated the shift to digital banking. Now financial organizations must balance robust fraud prevention with a frictionless user experience, says Mike Slaugh, executive director of financial crimes management at USAA, which offers insurance, banking and investment services.

Java Crypto Catchup

In 2017, we started a blog series talking about how to securely implement a crypto-system in java. How to Get Started Using Java Cryptography Securely touches upon the basics of Java crypto, followed by posts around various crypto primitives Cryptographically Secure Pseudo-Random Number Generator (CSPRNG), Encryption/Decryption, and Message Digests. We also released a Java Crypto Module for easier dockerization of injectable modules exposing Crypto services via an API.

The last time we spoke about this, we were in Java 8 world. In just 3.5 years we have 7 new Java versions released! Let's revive this series by first catching up on the latest and greatest happenings in the wider cryptographic community and how that maps to newer Java versions in this post. In the following posts, we will be talking about how to securely write some of the more commonly used cryptographic schemes.

Special thanks to my awesome coworkers Jess Garrett and Andrew Shelton for contributing important sections in this post.

TL;DR

Generic to entire Java Cryptography Architecture (JCA)

Looking at what we discussed in How to Get Started Using Java Cryptography Securely post, the central theme of Java Cryptography Architecture (JCA)[11]ツ?defining abstract engine classes for different cryptographic services and having independent implementations thru different providers hasn't changed.

Highlighting the most notable changes in JCA:

1. Probably the best enhancement for lazy people like me would be that we no longer need to include the Unlimited strength jurisdiction file. Unlimited strength in algorithms (for example using 256 key sizes for symmetric algorithms) comes out of the box. It is enabled by default in theツ?java.security file, with property crypto.policy=unlimited.
2. The security configuration file (java.security) will now be found under theツ?$JAVA_HOME/Contents/Home/conf/security/ folder.
3. Third party provider jar files are now treated as libraries rather than extensions. Thus, like any other library jar files, provider jar files will be placed on $CLASSPATH, and not as extensions under $JAVA_HOME/Contents/Home/jre/lib/ext folder.

Secure Random

As we discussed in theツ?CSPRNG post, Java already provides algorithms (*PRNG) to safely generate a CSPRNG. To add support for the NIST specified[13] algorithms, Java provides a new algorithm named DRBG.

Why Should You Use DRBG?

The primary reason to use DRBG is that it is government standardized. Also, the DRBG algorithm specification provides more granular configurations of how the underlying algorithm should work. It still sources entropy from the underlying operating system, in case you were wondering.

HowTo: Design and Code It

Some of the extra algorithm-specific configurations and our recommendations are:

  • DRBG mechanism: Underlying mechanism being used should be either Hash or HMAC. Defaults to Hash_SHA256, which is perfectly safe.
  • Security Strength: Default is 128 bits, can be increased.
  • Prediction Resistance: In an event, if the internal state of CSPRNG is compromised, future DRBG outputs won't be impacted. Enable this.
  • Reseeding: This will periodically reseedツ?to avoid too many outputs from a single seed. Enable this.
  • Personalization String: This is a recommended but not required hardcoded string, which plays a role while seeding but not while adding entropy.

All this can be configured using DrbgParameter.

The most secure way to configure a SecureRandom object using DRBGツ?the algorithm would be:

SecureRandom drbgSecureRandom = SecureRandom.getInstance("DRBG" , 
       DrbgParameters.instantiation(256,  // Required security strength
            PR_AND_RESEED,  // configure algorithm to provide prediction resistance and reseeding facilities
            "any_hardcoded_string".getBytes() // personalization string, used to derive seed not involved in providing entropy.
        )
    );

Refer: Complete code example of Secure Random using DRBG

Encryption/Decryption

There are some exciting advances in Java Cryptography since version 8, and also in the cryptographic community at large since we last spoke about this in Encryption/Decryption. With Java it is usually about adding support for newer and shinier algorithms (ChaCha20, Elliptic Curves) which is great, but rarely about deprecating insecure (DES, RC2, etc.) algorithms.

Symmetric Encryption

It's 2020 and most of our data is going to be online. To safeguard ourselves against any chosen cipher text attacks, we should only be focused on using Authenticated Encryption schemes. Java offers twoツ?authenticated encryption schemes: AES-GCM and ChaCha20-Poly1305. Let's see what's going on with each of these:

AES-GCM Cipher Scheme

We spoke in length about this in our encryption/decryption post. The only thing that changed since then is how we specify the padding scheme.

Internally, GCM mode is basically a stream cipher where padding is not relevant. Transformation string definition is made consistent with throwing an exception for any other padding except NoPadding[3]. Thus,

// This is the only transformation string that would work.
// AES/GCM/PKCS5Padding will throw an exception.
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

Refer: Complete working example of AES-GCM

ChaCha20-Poly1305 Cipher Scheme

Why another Authenticated Encryption Cipher Scheme?

While AES-GCM is the gold standard in authenticated symmetric encryption, imagine a world where, due to advances in cryptoanalysis, AES is broken. This would mean theツ?internet and several other protocols (Bluetooth, Wi-Fi, etc.) would be broken and the worst world won't even have a fully vetted backup plan. Luckily, the wider industry is preparing for such a standby cipher by adopting ChaCha20 stream cipher[14].

One other reason for ChaCha20-Poly1305 adoption would be its speed. To run faster AES needs dedicated hardware, which is not always possible in smaller, lower-cost hardware devices such as IoT or smartphones.

Google, Cloudflare, and major browsers such as Chrome and Firefox are already using this in their TLS protocols[17,18].

HowTo: Design and Code It?

It is nice to see Java providing Authenticated Encryption cipher construction out of the box in terms of theツ?ChaCha20-Poly1305 algorithm. With this scheme, we can encrypt data of up to 256 GB. This is sufficient enough for any online communication needs but may not work for file/disk encryptions.

HowTo: Chooseツ?the Right Algorithm and Authenticator?

AES is a block cipher, where the mode of operation and padding parameters are relevant. ChaCha20 is a stream symmetric cipher, where these parameters are not relevant. In AES, using GCM mode provides authentication. In ChaCha20 ciphers, Poly1305 provides authenticator services. Accordingly, the transformation string to be used is as under:

Cipher cipher = Cipher.getInstance("ChaCha20-Poly1305");

HowTo: Generate Keys?

Symmetric Keys are still generated with theツ?KeyGenerator class using theツ?ChaCha20ツ?algorithm. Keys should be 256 bits long. Thus,

KeyGenerator keyGenerator = KeyGenerator.getInstance("ChaCha20") ; // Key generator initialized to generate a Symmetric key for use with ChaCha20 algorithm
keyGenerator.init(256 , new SecureRandom); // Generate a 256 bit key
SecretKey chachaKey = keyGenerator.generateKey(); // Generate and store it in SecretKey

HowTo: Configure the Initialization Vector

Just like AES-GCM mode, we would need to get into transparent specifications using IvParameterSpec to configure the initialization vector. Chacha20 ciphers need an initialization vector of size 96 bits (12 bytes).

byte iv[] = new byte[12]; // 96 bits IV for ChaCha20, byte array needs size in terms of bytes.
SecureRandom secRandom = ecureRandom.getInstance("DRBG" , 
                    DrbgParameters.instantiation(256, PR_AND_RESEED, "any_hardcoded_string".getBytes()));
secRandom.nextBytes(iv); // DRBG SecureRandom initialized using self-seeding
IvParameterSpec chachaSpec = new IvParameterSpec(iv);

Refer: Complete working example of ChaCha20-Poly1305

Asymmetric Encryption

A big leap here is support for elliptic curve cryptography (ECC) for various asymmetric encryption applications. This comes with out-of-the-box, clean, and simplified API support served on a silver platter.

Why Is the Industry Even Moving Towards Embracing Elliptic Curves?

Well, RSA has for decades been the defacto algorithm used in asymmetric cryptographic applications,ツ?such as key agreement protocols and digital signing. However, despite its popularity, RSA is a bit fragile which makes its usage more nuanced than it might initially appear. Subtle complexities in generating prime numbers make it difficult to use RSA library implementations securely. Additionally, it has been subject to numerous well-documented padding oracle attacks over the years, many of which continue to impact modern systems[19].

ECC has been around the block for the past 25 years, providing promising cryptoanalysis and future-proofing our applications. Over the years, many curves have been proposed and implemented. Not all are secure. We will discuss which are secured and should be used and which to avoid.

If you are using RSA don't lose sleep over it, but perhaps validate your code against Encryption/Decryption post. For any new applications, we would strongly encourage using ECC-based APIs.

Let's briefly look at some of the most commonly used public key applications whose APIs are enhanced by later JDK versions:

Digital Signature

In addition to the already matured support for NIST approved elliptic curves, I am most excited about Edward curves support in Java 15 for Digital Signatures as well as Key Agreement engine classes. We will talk in detail about secure ways of using Digital Signatures in a dedicated upcoming post.

If you are too eager, you can refer to complete working examples of using Digital Signatures using Edward curves and NIST curves.

Key Agreement

Key Agreement engine class is equipped with ECC implementations of its classic counterparts protocols of Diffie Hellman and MQV. It comes with support for NIST curves in ECDH and ECMQV algorithms and Edward Curves in XDH, X25519, & X448 algorithms.

Encryption/Decryption

JDK does provide support for encrypting using elliptic curves thru support for ECIES (Integrated Encryption Scheme). This is sort of a hybrid algorithm between symmetric-asymmetric mechanisms. Elliptic Curves for encryption/decryption is rarely used due to its limitation around the amount of data it can safely handle at a time.

Hashing

In addition to what we discussed in ourツ?Message Digests, aka Hashing Functions post, the SHA3 Family of algorithms are now government approved hashing algorithms. These are not to be viewed as a replacement of SHA2 family algorithms despite the naming. There is nothing insecure about the SHA2 family.

Support for SHA3 algorithms is provided by MessageDigest engine class. You can refer to the complete code of using SHA3 algorithms for computing Message Digests.

At this point, we cobbled together notable enhancements in the last 3.5 years of Java releases. You can experiment with various secure Java Cryptography Libraries being discussed in this series. Going forward, we will just be focusing on the latest version. Next, we will start discussing different cryptographic applications using these building blocks. Keep watching this space!

TL;DR

  • No extra configurations or setup is required for using Unlimited Strength cryptographic algorithms.
  • Security Configuration file (java.security) would be located under theツ?$JAVA_HOME/Contents/Home/conf/security/ folder.
  • Third party provider jar files should be placed on $CLASSPATH.
  • Support for ChaCha20-Poly1305, promising backup plan for AES-GCM Authenticated Encryption.
  • Embrace Elliptic curves usage in public key cryptography applications. Support available across all application APIs.
  • Support for SHA3 Family of algorithms thru MessageDigest engine class.

References

Oracle/Java Documentation:

1. JEP 273: DRBG-Based SecureRandom Implementations
2. JEP-329: ChaCha20 and Poly1305 Cryptographic Algorithms
3. JDK-8180392: GCM mode supports only NoPadding
4. Java 15 Release Notes
5. Java 14 Release Notes
6. Java 13 Release Notes
7. Java 12 Release Notes
8. Java 11 Release Notes
9. Java 10 Release Notes
10. Java 9 Release Notes

Java Architectural Documentations:

11. Java Cryptographic Architecture
12. Java Security Standard Algorithm Names

Standards:

13. SP 800-90A DRBG Recommendations
14. ChaCha20-Poly1305 standard
15. Digital Signature Standard NIST 186-4
16. SP 800-57 Recommendation for Key Management

Blogs:

17. AES Is Great...But We Need A Fall-back: Meet ChaCha and Poly1305 - Prof Bill Buchanan
18. It takes two to ChaCha (Poly) - CloudFlare Blog Post.
19. Seriously Stop Using RSA

How display solutions can drive collaboration and virtual engagement

By Deidre Deacon The majority of businesses today are well entrenched in either a completely remote or hybrid workforce model. As these approaches continue to take shape, there is much more that can be done to improve the experience for increasingly mobile and geographically dispersed workers – starting with collaboration and content creation tools. With…

The post How display solutions can drive collaboration and virtual engagement first appeared on IT World Canada.

State of Software Security v11: How to Use the Findings

As a security professional reading through version 11 of our State of Software Security (SOSS) report, the first statistic that probably stands out to you is that 76 percent of applications have security flaws. It???s encouraging to see that only 24 percent of those security flaws are high-severity, but ultimately, having security flaws in more than three-fourths of applications means there is still work to be done.

How can you better secure your applications?

For this year???s SOSS report, we decided to look at the effects of ???nature?????? factors we can???t change like application size or age ??? versus ???nurture??? ??? factors we can change like scan frequency ??? to see how they impact application security. The findings, if put into practice, can significantly improve the security health of your applications.

Change in half-life

1. Use DAST with SAST.

SOSS research shows that when using dynamic application security testing (DAST) in conjunction with static application security testing (SAST), organizations are able to find and fix flaws almost 25 days faster. Why is this? Perhaps because dynamic scanning highlights to developers that a vulnerability does, in fact, have ???real-world??? risk.

2. Scan frequently and on a regular cadence.

SOSS v11 found that organizations that scan their applications infrequently (less than 12 times in a year) spent about 7 months to close half their open findings, while organization that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of flaws in 2 months. Likewise, organizations that scan their applications on a steady cadence reduced their time to remediation by 15.5 days. To improve scan frequency and cadence, consider automating application security (AppSec) scans into developers existing processes.

Scan frequency

3. Integrate security testing with the API.

Those scanning via API ??? and therefore in an integrated and automated way ??? address half their security findings 17.5 days faster than those not scanning via API.

4. Use SCA with SAST.

Just as we highlighted the benefits of using DAST with SAST, it???s important to use software composition analysis (SCA) with SAST. Why? First, this year???s SOSS report found that 97 percent of the typical Java application is made up of third-party libraries and that almost one-third of applications have more security findings in third-party libraries than native codebase. If you only employ SAST, your attack surface is a lot bigger than you think. In addition, this year???s research found that those scanning with both static analysis and software composition analysis improve time to remediation by an average of 6 days.

What flaw types should you keep an eye on?

As a security professional, you???re likely familiar with the OWASP Top 10 and SANS 25 vulnerability lists. But something you might be surprised to know is just how common these severe flaws are in applications. For example, the first flaw on the OWASP Top 10 list is injection flaws. Did you realize that 65 percent of applications have CRLF injection flaws and 28 percent have SQL injection flaws? Some of the other common flaws in applications include information leakage, cryptographic issues, and code quality. By knowing the most common flaws, as well as the most severe flaws, you can create a better plan of action for prioritizing and remediating flaws.

Top flaw types

For more detailed information on our SOSS v11 findings, including regional differences, download the full report.

Check, Please! Adding up the Costs of a Financial Data Breach

Guest article by Andrea Babbs, UK General Manager at VIPRE

Reliance on email as a fundamental function of business communication has been in place for some time. But as remote working has become a key factor for the majority of business during 2020, it’s arguably more important than ever as a communication tool. The fact that roughly 206.4 billion emails are sent and received each day means we’re all very familiar with that dreaded feeling of sending an email with typos, with the wrong attachment, or to the wrong contact. But this can be more than just an embarrassing mistake – the ramifications could, in fact, be catastrophic. 
Check Please! Within the financial services, layered cybersecurity strategy is essential to keep sensitive information secure
In particular, for the financial services industry that deals with highly sensitive information including monetary transactions and financial data, the consequences of this information falling into the wrong hands could mean the loss of significant sums of money. Emails of this nature are the Holy Grail for cybercriminals. So how can financial services organisations keep their confidential information secure to safeguard their data and reputation? 

How much?
According to research from Ponemon Institute in its Cost of a Data Breach Report 2020, organisations spend an average of $3.85 million recovering from security incidents, with the usual time to identify and contain a breach being 280 days. Accenture’s 2019 Ninth Annual Cost of Cybercrime found that financial services incurred the highest cybercrime costs of all industries. And while examples of external threats seem to make the headlines, such the Capital One cyber incident, unintentional or insider breaches don’t always garner as much attention. Yet they are both as dangerous as each other. In fact, human errors (including misdeliveries via email) are almost twice as likely to result in confirmed data disclosure.

Costs will be wide-ranging depending on the scale of each breach, but at a minimum, there will be financial penalties, costs for audits to understand why the incident happened and what additional protocols and solutions need to be implemented to prevent it from happening in the future. There could also be huge costs involved for reimbursing customers who may have been affected by the breach in turn.

Priceless damage
The fallout from data breaches goes far beyond that of financial penalties and costs. Financial services businesses have reputations to uphold in order to maintain a loyal customer base. Those that fail to protect their customers’ sensitive information will have to manage the negative press and mistrust from existing and potential customers that could seriously impede the organisation as a whole. Within such a highly competitive market, it doesn’t take much for customers to take their money elsewhere – customer service and reputation is everything.

Check, please!
Within the financial services sector, the stakes are high, so an effective, layered cybersecurity strategy is essential to mitigate risk and keep sensitive information secure. With this, there are three critical components that must be considered: 
  1. Authentication and encryption: Hackers may try to attack systems directly or intercept emails via an insecure transport link. Security protocols are designed to prevent most instances of unauthorised interception, content modification and email spoofing. Adding a dedicated email to email encryption service to your email security arsenal increases your protection in this area. Encryption and authentication, however, do not safeguard you against human errors and misdeliveries. 
  2. Policies and training: Security guidelines and rules regarding the circulation and storage of sensitive financial information are essential, as well as clear steps to follow when a security incident happens. Employees must undergo cybersecurity awareness training when they join the organisation and then be enrolled in an ongoing programme with quarterly or monthly short, informative sessions. This training should also incorporate ongoing phishing simulations, as well as simulated phishing attacks to demonstrate to users how these incidents can appear, and educate them on how to spot and flag them accordingly. Moreover, automated phishing simulations can also provide key metrics and reports on how users are improving in their training. This reinforcement of the secure messaging, working in tandem with simulated phishing attacks ensures that everyone is capable of spotting a phishing scam or knows how to handle sensitive information as they are aware and reminded regularly of the risks involved. 
  3. Data loss prevention (DLP): DLP solutions enable the firm to implement security measures for the detection, control and prevention of risky email sending behaviours. Fully technical solutions such as machine learning can go so far to prevent breaches, but it is only the human element that can truly decipher between what is safe to send, and what is not. In practice, machine learning will either stop everything from being sent – becoming more of a nuisance than support to users – or it will stop nothing. Rather than disabling time-saving features such as autocomplete to prevent employees from becoming complacent when it comes to selecting the right email recipient, DLP solutions do not impede the working practices of users but instead give them a critical second chance to double-check.
It is this double-check that can be the critical factor in an organisation’s cybersecurity efforts. Users can be prompted based on several parameters that can be specified. For example, colleagues in different departments exchanging confidential documents with each other and external suppliers means that the TO and CC fields are likely to have multiple recipients in them. A simple incorrect email address or a cleverly disguised spoofed email cropping up with emails going back and forth is likely to be missed without a tool in place to highlight this to the user, to give them a chance to double-check the accuracy of email recipients and the contents of attachments.

Conclusion
Email remains a risky, yet essential tool for every business. But with a layered security strategy in place consisting of training, authentication tools and DLP solutions, organisations can minimise the risks involved and take a proactive approach to their cyber defences.

Given the nature of the industry, financial services organisations are a prime target for cybercriminals. The temptation of personal information and financial transactions for hackers is never going to dwindle, so financial institutions must prioritise cybersecurity, regularly assessing risks, deploying innovative, human-led solutions and educating workforces to provide the best defence possible.

Healthcare Data Breaches to Triple in 2021

Healthcare Data Breaches to Triple in 2021

Data breaches in the healthcare industry are likely to triple in volume in the coming year, according to a new report by Black Book Market Research.

The "2020 State of the Healthcare Cybersecurity Industry" report is based on a survey of 2,464 security professionals from 705 provider organizations. Respondents were asked to identify gaps, vulnerabilities, and deficiencies in security that make hospitals and physicians susceptible to data breaches and cyber-attacks. 

The survey results suggest that 1,500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300% increase over 2020.

Nearly threequarters (75%) of health system, hospitals and physician organizations surveyed reported that their infrastructures are unprepared to respond to attacks. Almost all (96%) felt that data attackers are outpacing their medical enterprises, placing providers at a disadvantage.

A further Black Book survey of 291 healthcare industry human resources executives found that the talent shortage of cybersecurity professionals far exceeds the demand by health systems. Researchers found that cybersecurity roles in health systems take, on average, 70% longer to fill when compared to other IT jobs.

"The talent shortage for cybersecurity experts with healthcare expertise is nearing a very perilous position," said Brian Locastro, lead researcher on the "2020 State of the Healthcare Cybersecurity Industry" study.

Locastro added that the industry's response to ransomware attacks had spurred cyber-criminals on.

He said: "The willingness of hospitals and physician practices to pay high ransoms to regain their data quickly motivates hackers to focus on patient records."

The survey of security professionals found that 75% of the 66 CISOs at health systems who responded agreed that experienced cybersecurity pros were unlikely to pursue a career in the healthcare industry. 

The reason given for this was that CISOs in healthcare, more than in other industries, are held responsible for data breaches and their impact on an organization's finances and reputation while at the same time having extremely limited authority over decision-making, technology, or policy.

Furthermore, the study revealed that 90% of health system and hospital employees who are now working remotely due to the outbreak of COVID-19 were not given any updated security guidelines or training on accessing sensitive patient data.

SOTI launches SOTI Aerospace in collaboration with Ryerson University

Business mobility and IoT firm SOTI today announced a $20 million investment in Canada’s technology ecosystem to fund its new aerospace division, SOTI Aerospace, in the country.

The post SOTI launches SOTI Aerospace in collaboration with Ryerson University first appeared on IT World Canada.

Teen Wins Peace Prize for Fighting Cyber-Bullying

Teen Wins Peace Prize for Fighting Cyber-Bullying

A tech-minded teenager from Bangladesh has won an international peace prize for inventing an application that supports young victims of cybercrime.

Sadat Rahman's thoughtful Cyber Teens app helps young people report incidences of online crime, including cyber-bullying, in the western district of Narail. 

Judges at the KidsRights Foundation were so impressed with the 17-year-old's creation that they awarded him the 2020 International Children’s Peace Prize. 

Rahman's award was presented by Pakistani female education activist and Nobel Prize laureate Malala Yousafzai, who described the teen as "a true change maker." The award ceremony was held virtually and hosted by Netherlands-based KidsRights Foundation.

So far, Rahman's Cyber Teens app has been downloaded over 1,800 times and has supported 300 young victims of cyber-bullying. 

The app puts children in contact with a team of young volunteers that includes Rahman and lets them report crimes confidentially. The team then contacts local law enforcement officers and social workers to secure help for the victims. 

Helpful hints and tips about online safety, including a guide to spotting and avoiding sexual predators, can also be accessed via the app.

Rahman's team of volunteers has successfully resolved nearly 60 cybercrimes and resulted in eight arrests by local police. Some complaints involved children being sent inappropriate messages and pornographic content by adults. 

“Serious action needs to be taken right now," said Rahman. "Teenagers continue to remain vulnerable to online crime and cyberbullying, particularly in the times we live in."

Rahman was inspired to invent the app after learning about the tragic consequences of one particular case of cyber-bullying.

“The idea started after a 15-year-old girl committed suicide because of online bullying,” said Rahman. 

“I decided that teenagers needed help and that we should take action to try to avoid other children facing the same tragedy.”

In addition to the app, Rahman has created Cyber Clubs in every school in his local area to educate young people in digital literacy and safety.

Rahman's win came with $118,000 in prize money that he intends to use to roll out the app across Bangladesh and to other countries. 

#ISC2Congress: How 5G is Expanding the Attack Surface

#ISC2Congress: How 5G is Expanding the Attack Surface

Speaking at the virtual (ISC)2 Security Congress Kevin McNamee, director of threat intelligence at Nokia, explored the security implications surrounding the introduction of 5G mobile technology, outlining five key ways 5G is expanding the attack surface.

“5G is bringing a lot to the table in terms of new security features, but I also [want to] mention the downside – the attack surface,” he said.

The first way in which 5G is widening the attack surface is the huge growth of IoT devices, McNamee continued.

“IOT devices are [often] vulnerable, unprotected and unpatched, and with 5G, more are coming. If they are out there and they are vulnerable and visible to different parts of the network, they are going to be hacked and cause problems.”

The next 5G security issue that McNanee cited was what he coined “multi-access edge computing.”

With multi-access edge computing, “you’ve got millions of devices accessing data centers or spread over the city, and it can become quite a challenge in terms of management, monitoring and incident response.

“So whoever’s operating these multi-access edge clouds has to consider how they’re managed and monitor them to make sure they are functioning properly and not being abused,” McNamee added.

Then there is the abuse of 5G bandwidth via DDoS attacks, McNamee explained. “If you’re running a huge number of mobile devices, there’s the potential for attackers to expand their DDoS attack bandwidth.

“It raises the bar with regards to how we defend against DDoS attacks when there are so many devices out there.”

The fourth security issue that McNamee referred to is the potential visibility of the 5G IP address space.

“With 5G, if we switch to IPv6 default, there’s the potential to open up visibility. If a device is visible from the internet and the network, it makes the attack surface bigger. So visibility becomes a critical thing.”

The last way in which 5G is increasing the attack surface relates to the potential targeting of ‘slicing’ – a modern way of segregating/isolating user and application communities – in attacks. “Slicing does focus the attention on certain parts of the network,” and that can be exploited by cyber-attackers, McNamee concluded.

Crooks use software skimmer that pretends to be a security firm

Security experts from Sucuri analyzing a software skimmer that is abusing its brand name in order to evade detection.

Researchers at Sucuri analyzed a software skimmer that is using their brand name in order to evade detection. The e-skimmer is a base64-encoded JavaScript blob that attackers inject into target webpages.

During a routine investigation, the researchers found the web skimmer that pretends to be related to Sucuri, the malicious code was injected into the database of a Magento site.

The analysis of the software skimmer revealed that the first 109 lines in its code don’t contain any content, while line #110 contains a base64-encoded Javascript ( eval(atob(… ). With this trick, attackers likely attempted to avoid detection.

software skimmer magento

The skimmer is added to the onclick event of the checkout button and onunload event of the web page.

Upon execution, the code gathers any data from form fields, such as credit card and billing details, and exfiltrates it to a remote gateway using a GET request with plaintext parameters.

“The payment data exfiltration takes place via an <img> tag whose src parameter is changed to hxxps://terminal4.veeblehosting[.]com/~sucurrin/i/gate.php, with relevant GET parameters such as card number, CVV, and expiration date stored in plain text.” reads the analysis published by Sucuri.

terminal4.veeblehosting[.]com is neither a malicious site nor a hacked site. It’s a host name of some shared servers (108.170.55.202, 108.170.55.203) belonging to the Dutch hosting provider Veeble.”

This gateway is hosted on Dutch hosting provider Veeble and operated under the account name “sucurrin.”

The skimmer works on a site that belongs to the “sucurrin” Veeble account that resembles the name of Sucuri. Experts noticed that terminal4.veeblehosting[.]com/~sucurrin/ redirected to the legitimate Sucuri website (https://sucuri.net/) to avoid raising suspicion.

According to X-Force Threat Intelligence, the same software skimmer was injected into at least three website belonging to Harley-Davidson Military, Nappy Land National Childcare Supplier, and Soccer4All.

At the time it not clear if the skimmers are still active on this site.

“To filter out bad actors masquerading as known brand and mitigate the risk of malicious credit card skimmers, consider employing integrity control and security monitoring on your website to mitigate an attack. A good website firewall can help to minimize the risk of infection in the first place.” concluded Sucuri.

Pierluigi Paganini

(SecurityAffairs – hacking, software skimmer)

The post Crooks use software skimmer that pretends to be a security firm appeared first on Security Affairs.

Forrester TEI study: Azure Sentinel delivers 201 percent ROI over 3 years and a payback of less than 6 months

2020 has been a transitional year, ushering in broad changes in how, and where, we work. Security operations (SecOps) teams face more significant challenges than ever as they protect the organization in this rapidly changing environment. These teams need a flexible, cost-effective, and efficient solution to empower their employees, improve security, and optimize costs against rapidly-changing demands. As a unified, scalable, cloud-native, security information event management (SIEM), Forrester Consulting found that Azure Sentinel delivers on these needs. Providing alert detection, threat visibility, proactive hunting, and threat response across your enterprise, the commissioned study, The Total Economic Impact of Microsoft Azure Sentinel, conducted by Forrester Consulting shows that Azure Sentinel delivers:

  • A three-year 201 percent return on investment (ROI) with a payback period of less than six months.
  • A 48 percent reduction in costs compared to legacy SIEM solutions, saving on expenses like licensing, storage, and infrastructure costs.
  • A 79 percent reduction in false positives and 80 percent reduction in the amount of labor associated with investigation, reducing mean time to resolution (MTTR) over three years.
  • A 67 percent decrease in time to deployment compared to legacy on-premises SIEMs.

The Forrester study provides an accessible framework for organizations wanting to evaluate the financial impact of Azure Sentinel relative to an on-premises cybersecurity solution. Forrester concluded that Azure Sentinel reduces SIEM costs at scale, simplifies SIEM management, and improves the efficiency and effectiveness of the Security Operations Center (SOC).

Organizational benefits

Forester interviewed four organizations who, before switching to Azure Sentinel, were using an on-premises SIEM or an internal, custom-built solution with a managed service provider (MSP) to replicate SIEM infrastructure. These four organizations serve global markets in the industries of IT services, big data, financial services, and e-commerce. To give readers a clear comparison, Forrester aggregated the results for all four into a single composite organization. According to the aggregated data, Azure Sentinel demonstrated:

  • Increased SOC efficiency by cutting false positives up to 79 percent and reducing the amount of labor needed for advanced investigations by 80 percent—leading to $2 million in efficiency gains.
  • A 48 percent reduction in costs compared to the legacy SIEM solution, including savings on licensing, storage, and infrastructure totaling $4.9 million.
  • Reduced management efforts by 56 percent, saving $1.2 million. Automatic updates, an intuitive centralized platform, and reduced maintenance meant organizations could shift talent away from servicing infrastructure and concentrate on value-adding initiatives.
  • Accelerated deployment by 67 percent with out-of-the-box functionality, simple connections to data sources, and pre-built SIEM content saving $602K.

Cost savings

Most vendors offer annual or multi-year contracts with capped ingestion and storage limits. This forces organizations to choose between paying more for capacity or putting a cap on the amount of data ingested, limiting visibility into their network.

By moving to Azure Sentinel’s cloud-based SIEM, organizations could eliminate their legacy SIEM vendor, reducing licensing expenditures and eliminating costly on-premises infrastructure needed to store security log data. And with Azure Sentinel’s flexible, consumption-based pricing, they were no longer locked into long-term contracts or capacity limits.

Azure Sentinel users experienced cost savings of $4.9 million when moving from legacy SIEM—a 48 percent decrease. Forrester found that an organization experienced benefits of $8.7 million over three years versus costs of $2.9 million. As mentioned earlier, this adds up to an ROI of 201 percent with payback in less than 6 months. Management efficiencies saved $1.2 million, with Azure Sentinel’s reduced time to deploy saving an additional $602K.

“If you take costs for Azure Sentinel and compare it to the costs that we had to simply run our legacy solution, we are seeing a 15 percent savings with Azure Sentinel and we are getting more.”—Sr. Director of Security Technology and Operations, IT services

Efficiency gains

The organizations in Forrester’s study reported that, with legacy SIEM solutions, alerts were previously not well correlated; meaning, a single event could trigger multiple others with no easy way for the SOC analyst to resolve false positives.

With Azure Sentinel, SOC teams can view all security logs, alerts, and incidents through a single pane of glass. Azure Sentinel’s AI-powered correlation engine and user-behavior analytics give analysts a prioritized view of the alerts, elevating high-priority threats and reducing false positives—enabling the SOC team to respond more efficiently.

Azure Sentinel’s cloud-based SIEM reduces the size and complexity of on-premises infrastructure. This enabled organizations in the study to reallocate infrastructure professionals and legacy solution specialists, reducing management efforts by 56 percent while freeing staff to serve business interests with value-added tasks.

“Thanks to the management efficiencies with Azure Sentinel, I was able to reprogram the work effort of around four FTEs. They no longer had to be firefighters—and we got to cancel a managed operations and maintenance contract simply because we now have the resources to do it ourselves.”—Senior VP of Global Threat Management, financial services

Ease of deployment

All four organizations reported that deploying Azure Sentinel was faster and easier than deploying legacy SIEM. Because Azure Sentinel features a pre-built playbook, queries, and data connections—along with free ingestion for Office 365 audit logs, Azure activity logs, and alerts from Microsoft Threat Protection (MTP) solutions—most organizations can start for free and scale up.

Using Azure Sentinel, organizations were able to add more data connections and sources, allowing them to ingest more data faster, covering a larger percentage of their network compared to legacy solutions. Azure Sentinel supports open standards such as Common Event Format (CEF) and broad partner connections, including Check Point, Cisco, F5, Fortinet, Palo Alto Networks, and Symantec, as well as ecosystem partners such as ServiceNow.

 “Azure Sentinel today covers far more, 400 percent more of our network than our legacy solution ever did.”—CISO, e-commerce

Modernize your security operations today

Azure Sentinel helps defenders to combat rapidly evolving threats with increased efficiency. Its performance across all metrics deployed in the Forrester TEI study lets us know we’re executing on our vision to streamline and strengthen our customers’ security. Getting started with Azure Sentinel is easy. If you are not using Azure Sentinel, we welcome you to start a trial.

More recently, we shared our unique approach that empowers security professionals to get ahead of today’s complex threat landscape with integrated SIEM and Extended Detection and Response (XDR) solutions from a single vendor. With this combination, you get the best of both worlds—end-to-end threat visibility across all of your resources; correlated, prioritized alerts based on Microsoft’s deep understanding of specific resources with AI that stitches that signal together; and coordinated action across the organization.

To help you take advantage of this integrated security approach, Microsoft is currently running a new Azure Sentinel benefit for Microsoft 365 E5 customers.

From November 1, 2020, through May 1, 2021, Microsoft 365 E5 and Microsoft 365 E5 Security customers can get Azure credits for the cost of up to 100MB per user per month of included Microsoft 365 data ingestion into Azure Sentinel. Data sources included in this benefit include:

  • Azure Active Directory (Azure AD) sign-in and audit logs.
  • Microsoft Cloud App Security shadow IT discovery logs.
  • Microsoft Information Protection logs.
  • Microsoft 365 advanced hunting data (including Microsoft Defender for Endpoint logs).

With these credits, a standard 3,500 seat deployment can see estimated savings of up to $1,500 per month1. This offer is available to new and existing customers who have Enterprise (EA) or Enterprise Subscription (EAS) Agreements and Enrollments, and you can begin accruing credits in your first month of eligibility. You can learn more about the offer here.

Download the full Forrester Total Economic Impact of Microsoft Azure Sentinel study. Get started and learn more about Azure Sentinel.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1 Calculation based on pay-as-you-go prices for Azure Sentinel and Azure Monitor Log Analytics for US East region.

The post Forrester TEI study: Azure Sentinel delivers 201 percent ROI over 3 years and a payback of less than 6 months appeared first on Microsoft Security.

IT Leaders Reliant on Data for Threat Insight

IT Leaders Reliant on Data for Threat Insight

Almost three-quarters of IT leaders rely on data to make business decisions, while a third believe the value of data has permanently increased since the beginning of the COVID-19 pandemic.

According to a survey of IT leaders by Druva, as organizational reliance on data continues to rise, 73% of businesses rely on data while 33% believe there has been an impact due to COVID-19. The 2020 Value of Data Report also found that 73% of respondents were more concerned with protecting their organizational data from ransomware than they were before the pandemic.

Also, while 79% see data management and protection as a competitive business advantage, 41% say the data they collect is not readily available or accessible when needed for decision making.

In an email to Infosecurity, BH Consulting CEO Brian Honan said the impact of the COVID-19 pandemic has highlighted to organizations the value that timely and accurate data can provide.

“Organizations quickly adapted and adopted systems to facilitate the rapid sharing of data to enable them to survive through the initial waves of the pandemic,” he said. “However, it is important to remember, that for data to be effective information that a business can rely on, that data and information needs to be accurate and available. As a result, securing that data becomes even more critical to organizations.”

He went on to say that the type of data being shared and accessed needs to be managed in line with regulatory requirements. “In particular, any personal data belonging to EU residents needs to be protected in line with the requirements of the GDPR.”

Jaspreet Singh, founder and CEO, Druva, said: “The rapid move to remote work has permanently changed the way businesses operate, accelerated digital transformation and increased the value of data as a business asset.

“As companies realize that business resilience is data resilience, more and more are turning to Druva to protect and unlock its full value. Tomorrow as we bring together the industry’s most innovative leaders, our goal is for all organizations to realize the promise of the cloud era for their customers and communities.” 

Cyber-criminal Fined $300k for Pipeline Attacks

Cyber-criminal Fined $300k for Pipeline Attacks

A man from New Hampshire has been fined nearly $300,000 after admitting his role in cyber-attacks targeting the construction of a 1,172-mile-long pipeline spanning three American states. 

Joseph Earl Thomas Aubut of Conway confessed to being part of a hacking group that launched a series of Distributed Denial of Service (DDoS) attacks in 2016 in an attempt to prevent the Dakota Access Pipeline from being built. 

Construction of the $3.78bn pipeline that passes under Lake Oahe began in June 2016, and its first oil was delivered in May 2017. In 2016, protests over the pipeline's impact on the environment and on sacred indigenous sites resulted in the largest gathering of Native Americans in the past hundred years. 

According to records filed in the United States District Court in Concord, Aubut and other members of the hacker-collective Anonymous targeted an unnamed company based in Houston, Texas, with cyber-attacks. 

In 2016, Anonymous began Operation No Dakota Access Pipeline (OpNoDAPL), launching a series of DDoS attacks, posting personal details of people involved with the pipeline project, and threatening their families and employees if construction wasn't halted.

“We decided to stand with the Native Americans whose land you raped, whose sacred lands you destroyed,” said Anonymous in a 2016 video message to North Dakota's governor. “We know where you live. Everyone you know. And everything there is to know about you.”

Court documents state that Walmart clerk Aubut began recruiting members of Anonymous in the summer of 2016 to attack the unnamed company with DDoS attacks that used malware to overwhelm the victim's website with large volumes of traffic. 

Aubut reportedly made YouTube videos, posted under the pseudonym Sergeant Anonymous, to attract cyber-criminals to carry out the attacks. He also threatened to dox (publicly reveal the personal data) of at least one executive who worked at the victim company, the governor of North Dakota, and a law enforcement officer. 

Aubut pleaded guilty to federal charges, including one count of conspiracy to transmit information that damages a protected computer. He was ordered to pay $299,000 restitution to the victim company that hired consultants and invested in cyber-security in order to thwart the attacks.

Ticketmaster Fined $1.7 Million for Data Security Failures

Following Alerts of Potential Fraud, Ticketmaster Took 9 Weeks to Spot Big Breach
Ticketmaster UK has been fined $1.7 million by Britain's privacy watchdog for its "serious failure" to comply with the EU's General Data Protection Regulation. Its failure to properly secure chatbot software led to attackers stealing at least 9.4 million payment card details.

On Blockchain Voting

Blockchain voting is a spectacularly dumb idea for a whole bunch of reasons. I have generally quoted Matt Blaze:

Why is blockchain voting a dumb idea? Glad you asked.

For starters:

  • It doesn’t solve any problems civil elections actually have.
  • It’s basically incompatible with “software independence”, considered an essential property.
  • It can make ballot secrecy difficult or impossible.

I’ve also quoted this XKCD cartoon.

But now I have this excellent paper from MIT researchers:

“Going from Bad to Worse: From Internet Voting to Blockchain Voting”
Sunoo Park, Michael Specter, Neha Narula, and Ronald L. Rivest

Abstract: Voters are understandably concerned about election security. News reports of possible election interference by foreign powers, of unauthorized voting, of voter disenfranchisement, and of technological failures call into question the integrity of elections worldwide.This article examines the suggestions that “voting over the Internet” or “voting on the blockchain” would increase election security, and finds such claims to be wanting and misleading. While current election systems are far from perfect, Internet- and blockchain-based voting would greatly increase the risk of undetectable, nation-scale election failures.Online voting may seem appealing: voting from a computer or smart phone may seem convenient and accessible. However, studies have been inconclusive, showing that online voting may have little to no effect on turnout in practice, and it may even increase disenfranchisement. More importantly: given the current state of computer security, any turnout increase derived from with Internet- or blockchain-based voting would come at the cost of losing meaningful assurance that votes have been counted as they were cast, and not undetectably altered or discarded. This state of affairs will continue as long as standard tactics such as malware, zero days, and denial-of-service attacks continue to be effective.This article analyzes and systematizes prior research on the security risks of online and electronic voting, and show that not only do these risks persist in blockchain-based voting systems, but blockchains may introduce additional problems for voting systems. Finally, we suggest questions for critically assessing security risks of new voting system proposals.

You may have heard of Voatz, which uses blockchain for voting. It’s an insecure mess. And this is my general essay on blockchain. Short summary: it’s completely useless.

Lazarus malware delivered to South Korean users via supply chain attacks

North Korea-linked Lazarus APT group is behind new campaigns against South Korean supply chains that leverage stolen security certificates. 

Security experts from ESET reported that North-Korea-linked Lazarus APT (aka HIDDEN COBRA) is behind cyber campaigns targeting South Korean supply chains. According to the experts the nation-state actors leverage stolen security certificates from two separate, legitimate South Korean companies. 

The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

According to a report published by Kaspersky Lab in January 2020, in the two years the North Korea-linked APT group has continued to target cryptocurrency exchanges evolving its TTPs.

In August, F-Secure Labs experts observed a spear-phishing campaign targeting an organization in the cryptocurrency industry.

In campaigns spotted by ESET, Lazarus attackers attempted to deploy their malware via a supply-chain attack in South Korea.

“In order to deliver its malware, the attackers used an unusual supply-chain mechanism, abusing legitimate South Korean security software and digital certificates stolen from two different companies.” reads the analysis published by ESET.

The attackers are attempting to exploit the need to install additional security software when South Korean users visit government or financial services websites. 

The WIZVERA VeraPort integration installation program is used to manage additional security software (e.g., browser plug-ins, security software, identity verification software, etc.) that is requested to visit particular government and banking domains.

WIZVERA VeraPort is used to digitally sign and verify downloads.

Websites that support the WIZVERA VeraPort software contain a server-side component, specifically some JavaScripts and a WIZVERA configuration file. The configuration file is base64-encoded XML containing multiple parameters, including the website address, the list of software to install, and download URLs. Attackers can replace the software to be delivered to users via WIZVERA VeraPort from a legitimate, compromised website

“These configuration files are digitally signed by WIZVERA. Once downloaded, they are verified using a strong cryptographic algorithm (RSA), which is why attackers can’t easily modify the content of these configuration files or set up their own fake website.” continues the report. “However, the attackers can replace the software to be delivered to WIZVERA VeraPort users from a legitimate but compromised website. We believe this is the scenario the Lazarus attackers used.”

WIZVERA Lazarus

Lazarus threat actors were able to obtain code-signing certificates from two South Korean security companies in order to carry out supply chain attacks.

The experts pointed out that WIZVERA VeraPort only verifies the signature for the downloaded binaries, without checking to whom it belongs.

This behavior opens the door to attacks, for this reason, Lazarus APT leverages on valid, but stolen digital certificates to deliver their malware.

Experts detected two malware samples that were delivered with this technique as legitimate, South Korean software. The software appears to be legitimate, it uses similar names, icons, icons, and VERSIONINFO resources as legitimate South Korean software often delivered via WIZVERA VeraPort. 

When a victim visits a compromised website, the WIZVERA VeraPort will serve a dropper for the Lazarus malware, which extracts a downloader and configuration files. 

Then the malware connects to the attacker’s command-and-control (C2) server and the final payload, which is a Remote Access Trojan (RAT), is deployed on the victim’s machine.

“It’s the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allow attackers to perform this attack,” ESET concludes. “Owners of such websites could decrease the possibility of such attacks, even if their sites are compromised, by enabling specific options (e.g. by specifying hashes of binaries in the VeraPort configuration).”

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)

The post Lazarus malware delivered to South Korean users via supply chain attacks appeared first on Security Affairs.

Hashtag Trending – HP removes free tier from payment plan; Massive data breach in Texas; Chaos at Ubisoft Montreal

People are not happy about HP’s latest decision to remove its print-free-for-life plan, nearly 28 million licensed Texas drivers have been hit by data breach, and a claim of hostage-taking at  Ubisoft Montreal turns out to be a hoax.

The post Hashtag Trending - HP removes free tier from payment plan; Massive data breach in Texas; Chaos at Ubisoft Montreal first appeared on IT World Canada.

The best Alexa devices for your home office

Do you seriously need more automation in the office? Isn't it enough that Alexa turns on your lights for you? No. No it isn't. If there's something we can automate, if there's some form of laziness we can encourage, we're here for you. And by "we're here" we really mean "Alexa is there." Read on.

[Updated 2020] Hacked Email Account: What to Do If It Happens to You or Your Business

We invite you to do a little exercise:  open your email and take a look at everything that you keep on it, both sent and received conversations, on both personal and company accounts. Scan all of them, every attachment you ever sent or received, every personal and work conversation, every email draft. We keep it […]

The post [Updated 2020] Hacked Email Account: What to Do If It Happens to You or Your Business appeared first on Heimdal Security Blog.

Cybercrime Moves to the Cloud to Accelerate Attacks Amid Data Glut

A report on the underground economy finds that malicious actors are offering cloud-based troves of stolen data, accessible with handy tools to slice and dice what's on offer.

Cyber Security Today – Retailer North Face hacked, Facebook users tricked and a warning from BlackBerry

Today's podcast reports on a hack at outdoor retailer North Face, how Facebook users are being tricked and a warning from BlackBerry about a hacker-for-hire group

The post Cyber Security Today - Retailer North Face hacked, Facebook users tricked and a warning from BlackBerry first appeared on IT World Canada.

Lazarus Group Used Supply Chain Attack to Target South Korean Users with Malware

The Lazarus group leveraged a supply chain attack to target users located in South Korea with custom malware. On November 16, ESET disclosed that the Lazarus group conducted its supply chain attack by abusing WIZVERA VeraPort. This application helps users in South Korea manage the installation of additional computer security software when they visit a […]… Read More

The post Lazarus Group Used Supply Chain Attack to Target South Korean Users with Malware appeared first on The State of Security.

Lessons from Teaching Cybersecurity: Week 7

As I had mentioned previously, this year, I’m going back to school. Not to take classes, but to teach a course at my alma mater, Fanshawe College. I did this about a decade ago and thought it was interesting, so I was excited to give it another go. Additionally, after a friend mentioned that their […]… Read More

The post Lessons from Teaching Cybersecurity: Week 7 appeared first on The State of Security.

Crypto Firm Offers $200,000 Bug Bounty to Hacker Who Stole $2m

Crypto Firm Offers $200,000 Bug Bounty to Hacker Who Stole $2m

A cryptography borrowing and savings company has offered an attacker $200,000 as a bug bounty in return for the $2m in funds they stole late last week.

Gibraltar-based Akropolis was attacked on Thursday, when an individual exploited a bug in the deposit logic of its SavingsModule smart contract to make off with a little over two million in DAI virtual currency.

However, the firm’s security company PeckShield claimed to have located the attacker’s Ethereum account, where the funds were transferred to, and said it is monitoring it for any further movement.

This could make it more challenging for the attacker to launder those funds, which might be why Akropolis published an open letter to them over the weekend.

“We have not contacted any form of law enforcement to pursue a criminal investigation. We would like to propose that you return the funds of our community members within 48 hours and in return we will offer a $200,000 USD bug bounty. We will take measures to protect your identity as required,” it said.

“If you decide not to co-operate we will pursue criminal action and contact law enforcement. We hope that we can work together towards a resolution, thank you for your time.”

In the meantime, Akropolis said it has fixed the issue at a contract level, performed an internal investigation with auditors and an external one with investors and exchange partners.

An attack on another decentralized finance (DeFi) protocol firm, Harvest Finance, at the end of October led to the theft of $24m. On that occasion the firm offered a $100,000 reward for the first person to contact the attacker and help them return the funds.

Russian and North Korean Groups Still Targeting #COVID19 Vaccine Firms

Russian and North Korean Groups Still Targeting #COVID19 Vaccine Firms

Microsoft has urged governments to act after revealing that three state-sponsored threat groups have been targeting seven companies currently developing COVID-19 vaccines and treatments.

VP for customer security and trust, Tom Burt, pointed the finger at the Russian military Strontium group (aka APT28, Fancy Bear) and North Korea’s Zinc (aka Lazarus) and Cerium groups.

The pharma and vaccine companies being targeted were not named, but Microsoft said they hailed from Canada, France, India, South Korea and the US, and have vaccines and COVID-19 tests in clinical trials.

“Strontium continues to use password spray and brute force login attempts to steal login credentials. These are attacks that aim to break into people’s accounts using thousands or millions of rapid attempts,” Burt explained.

“Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using COVID-19 themes while masquerading as WHO representatives. The majority of these attacks were blocked by security protections built into our products. We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered help.”

Such companies have been targeted throughout the year. Back in May reports suggested state-backed APT attacks on the UK’s leading vaccine contender, being developed by AstraZeneca and Oxford University.

The same month, the US authorities blamed Chinese actors for trying to steal valuable virus research IP from domestic companies.

A couple of months later, Russia’s APT29 or Cozy Bear group were detected targeting vaccine developers in the UK, US and Canada in a campaign the National Cyber Security Centre (NCSC) branded “despicable.”

At the Paris Peace Forum on Friday, Microsoft’s Brad Smith urged governments to respond.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said Burt.

“We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”

Trojanized Security Software Hits South Korea Users in Supply-Chain Attack

Cybersecurity researchers took the wraps off a novel supply chain attack in South Korea that abuses legitimate security software and stolen digital certificates to distribute remote administration tools (RATs) on target systems. Attributing the operation to the Lazarus Group, also known as Hidden Cobra, Slovak internet security company ESET said the state-sponsored threat actor leveraged the

Scammers Expose Facebook Data Haul of 13 Million Records

Scammers Expose Facebook Data Haul of 13 Million Records

Security researchers have uncovered a major Facebook scam exploiting hundreds of thousands of users, after the scammers left an Elasticsearch server unsecured.

Among the 5.5GB haul discovered by vpnMentor on September 21, was 150,000-200,000 Facebook usernames and passwords, and personal info including emails, names and phone numbers for hundreds of thousands who had fallen victim to a Bitcoin scam.

The two datasets are part of the same operation: the first group were tricked into handing over their account log-ins by a fake app promising to reveal who had recently visited their profile. With these log-ins, the scammers hijacked the victims’ accounts and posted comments on their Facebook posts, with links directing individuals to a Bitcoin fraud scheme.

In total, the exposed database contained 13.5 million records, also including domains used in the scheme and text outlines related to the Facebook comments the fraudsters would post.

Although the data came from a relatively short window, June-September 2020, there are fears the scheme may have originally been much bigger. At the time it was registered by Shodan, the database contained 11GB of data relating to the scheme, rather than 5.5GB, meaning many more victims may have been affected.

The database was then wiped by the Meow attack the day after vpnMentor discovered it. New data immediately started to appear again before those in charge finally secured the server.

With access to users’ Facebook accounts, the cyber-criminals behind this campaign have a highly monetizable resource for posting malicious links to scams, launching follow-on phishing or identity fraud attempts, blackmail and credential stuffing of other accounts, vpnMentor warned.

“If you’re a Facebook user and think you’ve been a victim of this fraud, change your login credentials immediately. Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking,” the firm said.

“We recommend using a password generator to create unique, strong passwords for every private account you have, and changing them periodically. Never provide usernames and passwords for Facebook, email or financial accounts to external websites.”

What Is SCM (Security Configuration Management)?

The coronavirus 2019 (COVID-19) pandemic shifted the cybersecurity landscape. According to a PR Newswire release, the FBI tracked as many as 4,000 digital attack attempts a day during the pandemic. That’s 400% more than what it was prior to the pandemic. In response to these attacks, 70% of CISOs told McKinsey that they believed their […]… Read More

The post What Is SCM (Security Configuration Management)? appeared first on The State of Security.

New skimmer attack uses WebSockets to evade detection

Experts spotted a new skimmer attack that used an alternative technique to exfiltrate payment information from payment cards.

Researchers from Akamai discovered a new skimmer attack that is targeting several e-stores with a new technique to exfiltrate data.

Threat actors are using fake credit card forum and WebSockets to steal the financial and personal information of the users.

“Online stores are increasingly outsourcing their payment processes to third-party vendors,  which means that they don’t handle credit card data inside their store. To overcome this, the attacker creates a fake credit card form and injects it into the application’s checkout page. The exfiltration itself is done by WebSockets, which provide the attacker a more silent exfiltration path.” reads the post published by Akamai.

Hackers use a software skimmer to inject a loader into the page source as an inline script. Once executed, a malicious JavaScript file is requested from the a C2 server (at https[:]//tags-manager[.]com/gtags/script2).

Upon loading the script from the external server, the skimmer stores in the browser’s LocalStorage its generated session-id and the client IP address.

Attackers leverage Cloudflare’s API to obtain the user’s IP address, then use a WebSocket connection to exfiltrate sensitive information from pages involving the checkout, login, and new account registration pages.

The distinctive aspect of this attack is the use of WebSockets, instead of HTML tags or XHR requests, to extract the information from the compromised site that makes this technique more stealth. The use of WebSockets allows bypassing a lot of CSP policies.

web skimmer

Experts noticed that for those e-stores that handle the payment process through a third-party provider, the skimmer creates a fake credit card form in the page before it is redirected to the third-party vendor.

“Akamai sees new and subtly modified web application client-side attacks, such as this example, on nearly a weekly basis. Given the obfuscated nature and supply chain origination of in-browser attacks, traditional CSP-reliant approaches miss most of these types of attacks.” concludes the company.

“Our security portfolio has embraced and invested in bringing to market a web skimming protection product called Page Integrity Manager, which focuses on the script execution behavior with unprecedented visibility into the runtime environment. It collects information about the different scripts that run in the web page, each action they take, and their relation to other scripts in the page. Pairing this data with our multilayered detection approach — leveraging heuristics, risk scoring, AI, and other factors — allows Page Integrity Manager to detect different types of client-side attacks, with a high focus on data exfiltration and web skimming attacks.”

Pierluigi Paganini

(SecurityAffairs – hacking, web skimmer)

The post New skimmer attack uses WebSockets to evade detection appeared first on Security Affairs.

New Jupyter information stealer appeared in the threat landscape

Russian-speaking threat actors have been using a piece of malware, dubbed Jupyter malware, to steal information from their victims.

Researchers at Morphisec have spotted Russian-speaking threat actors that have been using a piece of .NET infostealer, tracked as Jupyter, to steal information from their victims.

The Jupyter malware is able to collect data from multiple applications, including major Browsers (Chromium-based browsers, Firefox, and Chrome) and is also able to establish a backdoor on the infected system.

“Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” reads the analysis published by Morphisec. “These include:

  • a C2 client
  • download and execute malware
  • execution of PowerShell scripts and commands
  • hollowing shellcode into legitimate windows configuration applications.”

The experts spotted the new threat during a routine incident response process in October, but according to forensic data earlier versions of the info-stealer have been developed since May.

The malware was continuously updated to evade detection and include new information-stealing capabilities, the most recent version was created in early November.

The attack chain starts with downloading a ZIP archive containing an installer (Inno Setup executable) masqueraded as legitimate software (i.e. Docx2Rtf). Experts pointed out that the installers have maintained a VirusTotal detection rate of 0 over the last 6 months.

The initial installers pose as Microsoft Word documents and use the following names:

  • The-Electoral-Process-Worksheet-Key.exe
  • Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe
  • Excel-Pay-Increase-Spreadsheet-Turotial-Bennett.exe
  • Sample-Letter-For-Emergency-Travel-Document

Upon executing the installer, a .NET C2 client (Jupyter Loader) is injected into the memory using a process hollowing technique. The injected process is a .NET loader that acts as the client for the command and control server.

“The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module. Both of the .Net components have similar code structures, obfuscation, and unique UID implementation.” continues Morphisec. “These commonalities indicate the development of an end to end framework for implementing the Jupyter Infostealer.”

The author of the malware replaced the process hollowing with a PowerShell command to run the payload in memory.

The latest versions the installer also rely on the PoshC2 framework to establish persistence on the machine by creating a shortcut LNK file and placing it in the startup folder. The experts collected multiple evidence that linked the malicious code to Russian threat actors.

Morphisec’s researchers discovered that many of the C2 Jupyter servers were located in Russia, some of them are currently inactive.

The experts also noticed that a typo that is consistent with the Jupyter name converted from Russian and found images of the Jupyter’s administration panel on a Russian-language forum.

Jupyter admin-panel

The experts believe that threat actors behind the Jupyter malware will implement new features to keeps it under the radar and to gather more information from the victims’ machines.

Morphisec provided more technical details about the Jupyter attack in a report that could be downloaded here.

Pierluigi Paganini

(SecurityAffairs – hacking, info-stealer)

The post New Jupyter information stealer appeared in the threat landscape appeared first on Security Affairs.