Daily Archives: November 17, 2020

How do I select a security assessment solution for my business?

Recent research shows high-risk vulnerabilities at 84% of companies across finance, manufacturing, IT, retail, government, telecoms and advertising. One or more hosts with a high-risk vulnerability having a publicly available exploit are present at 58% of companies. Publicly available exploits exist for 10% of the vulnerabilities found, which means attackers can exploit them even if they don’t have professional programming skills or experience in reverse engineering. To select a suitable security assessment solution for … More

The post How do I select a security assessment solution for my business? appeared first on Help Net Security.

CISOs say a distributed workforce has critically increased security concerns

73% of security and IT executives are concerned about new vulnerabilities and risks introduced by the distributed workforce, Skybox Security reveals. The report also uncovered an alarming disconnect between confidence in security posture and increased cyberattacks during the global pandemic. Digital transformation creating the perfect storm: to protect employees from COVID-19, enterprises rapidly shifted to make work from home possible and maintain business productivity. Forced to accelerate digital transformation initiatives, this created the perfect storm. … More

The post CISOs say a distributed workforce has critically increased security concerns appeared first on Help Net Security.

Multi-cloud environments leaving businesses at risk

Businesses around the globe are facing challenges as they try to protect data stored in complex hybrid multi-cloud environments from the growing threat of ransomware, according to a Veritas Technologies survey. Only 36% of respondents said their security has kept pace with their IT complexity, underscoring the need for greater use of data protection solutions that can protect against ransomware across the entirety of increasingly heterogeneous environments. Need to pay ransoms: typically, if businesses fall … More

The post Multi-cloud environments leaving businesses at risk appeared first on Help Net Security.


Privacy is more than just settings in your Social Media account or using the Tor Browser. Your data and actions are collected in a variety of ways. The more aware you are of just how much of your data is collected, the better you can protect it.

Network traffic and consumption trends in 2020

As COVID-19 lockdown measures were implemented in March-April 2020, consumer and business behavioral changes transformed the internet’s shape and how people use it virtually overnight. Many networks experienced a year’s worth of traffic growth (30-50%) in just a few weeks, Nokia reveals. By September, traffic had stabilized at 20-30% above pre-pandemic levels, with further seasonal growth to come. From February to September, there was a 30% increase in video subscribers, a 23% increase in VPN … More

The post Network traffic and consumption trends in 2020 appeared first on Help Net Security.

CEOs Will Be Personally Liable for Cyber-Physical Security Incidents by 2024

Digital attack attempts in industrial environments are on the rise. In February 2020, IBM X-Force reported that it had observed a 2,000% increase in the attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) assets between 2018 and 2010. This surge eclipsed the total number of attacks against organizations’ industrial […]… Read More

The post CEOs Will Be Personally Liable for Cyber-Physical Security Incidents by 2024 appeared first on The State of Security.

Ransomware still the most common cyber threat to SMBs

Ransomware still remains the most common cyber threat to SMBs, with 60% of MSPs reporting that their SMB clients have been hit as of Q3 2020, Datto reveals. More than 1,000 MSPs weighed in on the impact COVID-19 has had on the security posture of SMBs, along with other notable trends driving ransomware breaches. The impact of such attacks keeps growing: the average cost of downtime is now 94% greater than in 2019, and nearly … More

The post Ransomware still the most common cyber threat to SMBs appeared first on Help Net Security.

3 Ways to Prepare Your Enterprise’s Data Security for a Future of Advanced Attacks

One significant negative implication of technology’s continual evolution is proportional advancement in nefarious internet activities, particularly cyber attacks. The past few years have seen a rising sophistication in cyber attacks at levels never experienced before. The worst fact is that attacks will likely only continue to get more advanced. To fight them, enterprises need to […]… Read More

The post 3 Ways to Prepare Your Enterprise’s Data Security for a Future of Advanced Attacks appeared first on The State of Security.

Sysdig launches zero trust network security for Kubernetes to cut microsegmentation time

Sysdig announced the launch of zero trust network security for Kubernetes. This launch expands Sysdig’s runtime security to add network visibility and segmentation. With total network visibility and automated rule creation, Sysdig reduces the time to implement network security from weeks to hours. Sysdig also announced the expansion of IBM Cloud Monitoring with Sysdig to include Sysdig Secure. The best strategy for network security is to use native controls, such as Kubernetes network policies, to … More

The post Sysdig launches zero trust network security for Kubernetes to cut microsegmentation time appeared first on Help Net Security.

D-Link unveils four Wi-Fi 6 access points across its network management solutions

D-Link unveiled four new Wi-Fi 6 access points across its Nuclias Connect and Nuclias Cloud network management solutions. These access points incorporate the latest Wi-Fi 6 standard and are designed to solve connectivity issues better than ever before for key business sectors such as education, hospitality, and retail/SMBs that are experiencing a growing number of users and devices. D-Link’s new AX3600 Wi-Fi 6 access points (DAP-X2850 and DBA-X2830P) and AX1800 Wi-Fi 6 access points (DAP-X2810 … More

The post D-Link unveils four Wi-Fi 6 access points across its network management solutions appeared first on Help Net Security.

Magnite supports Unified ID 2.0 to create a common transaction fabric for digital advertising

Magnite announces its support of the open-source, interoperable identity solution, Unified ID 2.0, in collaboration with The Trade Desk and other companies across the digital advertising industry. Magnite will adopt Unified ID 2.0, an open source framework for hashing and encrypting email addresses, in order to create a common transaction fabric for digital advertising. Magnite’s endorsement will also further promote publisher adoption of the solution. “Magnite and The Trade Desk share the common belief that … More

The post Magnite supports Unified ID 2.0 to create a common transaction fabric for digital advertising appeared first on Help Net Security.

Farsight DNSDB and Cortex XSOAR help gain context for all connected DNS-related digital artifacts

Farsight Security announced that Farsight DNSDB, a DNS intelligence database, is now integrated with Palo Alto Networks Cortex XSOAR, an extended security orchestration, automation and response platform that empowers security teams by simplifying and harmonizing security operations across their enterprise. Through this integration, Farsight DNSDB and Cortex XSOAR enable security analysts to uncover and gain context for all connected DNS-related digital artifacts, from domain names and IP addresses to nameservers and MX records, in seconds. … More

The post Farsight DNSDB and Cortex XSOAR help gain context for all connected DNS-related digital artifacts appeared first on Help Net Security.

Qualys CloudView app to power Armor Anywhere cloud security posture management capabilities

Qualys announced that Armor is integrating the Qualys CloudView app, which includes Cloud Inventory and Cloud Security Assessment, into Armor Anywhere, a cloud security platform. Armor Anywhere with Cloud Security Posture Management (CSPM) lets clients continuously inventory and assess the security and compliance of their public cloud services as per industry standard benchmarks and regulatory mandates (e.g. NIST, FEDRAMP, CIS). The Qualys CloudView app extends Qualys’ relationship with Armor. Qualys Cloud Agents are already embedded … More

The post Qualys CloudView app to power Armor Anywhere cloud security posture management capabilities appeared first on Help Net Security.

Trump fires CISA boss Chris Krebs

Rumors that President Trump was planning to fire CISA's top official started circulating last week after the White House discovered that CISA officials have been debunking "election fraud" rumors often started by the President.

Netskope expands the Netskope NewEdge network with a new data center in Seoul, South Korea

Netskope announced the expansion of the Netskope NewEdge network with a new data center in Seoul, South Korea. Serving millions of enterprise users around the world, Netskope NewEdge is a carrier-grade, security private cloud network that is reserved exclusively for Netskope customers. With South Korea representing a ‘top five’ economy in Asia and ‘top 15’ globally, the addition of the Seoul data center enhances the NewEdge infrastructure and demonstrates an increased investment in the region. … More

The post Netskope expands the Netskope NewEdge network with a new data center in Seoul, South Korea appeared first on Help Net Security.

PingCAP raises $270M to develop core technologies and advance global expansion of its offerings

PingCAP announced the closing of $270 million in Series D funding. The funding was jointly led by GGV Capital, Access Technology Ventures, Anatole Investment, Jeneration Capital, and 5Y Capital (formerly known as Morningside Venture Capital). Coatue, Bertelsmann Asia Investment Fund (BAI), FutureX Capital, Kunlun Capital, Trustbridge Partners, and existing investors Matrix Partners China and Yunqi Partners also participated in this round. “We are committed to building the database of the future—a one-stop solution that will … More

The post PingCAP raises $270M to develop core technologies and advance global expansion of its offerings appeared first on Help Net Security.

Artmotion invests in Citadelo to help enterprises secure their technology infrastructure

Artmotion announced that it’s entering the ethical hacking space by acquiring 58% of the shares in Citadelo and becoming a board member. The European cybersecurity firm currently operates offices in Slovakia and the Czech Republic. From now on, Citadelo will actively grow its footprint in Switzerland and across Europe to help enterprises secure their technology infrastructure in the current threat landscape. Why did Artmotion choose Citadelo? Artmotion was looking to boost its cloud security offering by adding … More

The post Artmotion invests in Citadelo to help enterprises secure their technology infrastructure appeared first on Help Net Security.

Happy birthday, Security Affairs celebrates its ninth Anniversary today

Happy Birthday Security Affairs! Nine years together! I launched Security Affairs for passion in November 2011 and since then the blog has been read by millions of readers. Thank you!

Nine years ago I launched Security Affairs, a blog that over the years has obtained important successes in the cyber security community, but the greatest gift is your immense affection and support.

I started with a single post per day; nine years later I’m still the only contributor and I do my best to cover the most important news in the cyber security landscape.

The interest in cyber security has surged in the last years; cyber security plays a crucial role in modern society. The Security Affairs blog is today an important place of aggregation for enthusiasts, cyber security experts, and executives.

I’m very happy and proud to be here with you for the ninth year.

Let me thank you for the support and interest in the subject. Nine years have passed.

I started by jokingly saying that “Security is everyone’s responsibility”; this is my idea of cybersecurity, and it is becoming the focus of government organizations worldwide.

Security Affairs happy birthday

I’ll continue to spread awareness. Information sharing is a pillar of any cyber security strategy: by spreading and sharing information on cyber threats it is possible to mitigate the risk of exposure.

I have many ideas to improve our experience, but the time seems to be not enough 😉

I really appreciate your suggestions, you can get in touch with me at pierluigi.paganini@securityaffairs.co.

I wish all the best for you and your families.

Sincerely, Thank you!


Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post Happy birthday, Security Affairs celebrates its ninth Anniversary today appeared first on Security Affairs.

Defining Security Policies to Manage Remote Insider Threats

This is the time to define the new normal; having well-defined policies in place will help businesses maintain their security posture while bolstering the security of the ever-increasing work-from-home population.

ThreatList: Pharma Mobile Phishing Attacks Turn to Malware

After the breakout of the COVID-19 pandemic, mobile phishing attacks targeting pharmaceutical companies have shifted their focus from credential theft to malware delivery.

Expert publicly discloses PoC code for critical RCE issues in Cisco Security Manager

Cisco released multiple advisories related to security issues in Cisco Security Manager (CSM) that affect the recently released 4.22 version.

Cisco published multiple security advisories related to critical vulnerabilities affecting the Cisco Security Manager (CSM), including the recently released version 4.22.

Cisco Security Manager provides a comprehensive management solution for Cisco devices, including intrusion prevention systems and firewalls.

On December 16th, the researcher Florian Hauser (aka @frycos) from security firm Code White publicly released the proof-of-concept (PoC) exploit code for 12 security flaws in the web interface of CSM.

According to a tweet published by the researcher, he reported the flaws to the vendor 120 days ago, on July 13.

The vulnerabilities in the web interface of the Cisco Security Manager could be exploited by an unauthenticated attacker to achieve remote code execution (RCE).

Hauser decided to publicly disclose the vulnerability because Cisco PSIRT did not address the flaw with the recent release 4.22.

“Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn’t state anything about the vulnerabilities, security advisories were not published. All payloads are processed in the context of NT AUTHORITY\SYSTEM,” explained the expert.

The vulnerabilities could be triggered to upload and download arbitrary files in the context of the highest-privilege user account “NT AUTHORITY\SYSTEM,” giving the attacker access to all files in a specific directory.

Cisco published a security advisory for Java Deserialization Vulnerabilities in Cisco Security Manager that could have allowed an unauthenticated, remote attacker with system privileges to execute arbitrary commands on an affected device.

“Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device,” reads the advisory published by Cisco.

“These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host.”

These flaws affect CSM releases 4.22 and earlier; the IT giant has not yet released software updates to address them.

Cisco plans to fix the flaws with the release of Cisco Security Manager Release 4.23.

The Product Security Incident Response Team (PSIRT) is aware of public announcements about these flaws, but it is not aware of attacks in the wild that exploited them.

A Cisco spokesman told TheHackerNews website that Cisco has released free software updates to address the flaws in the CSM path traversal vulnerability advisory and the CSM static credential vulnerability advisory.

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco Security Manager)

The post Expert publicly discloses PoC code for critical RCE issues in Cisco Security Manager appeared first on Security Affairs.

More Ransomware-as-a-Service Operations Seek Affiliates

Lure of Massive Profits, RaaS Newcomers Join Long List of Operators
Over the past five years, ransomware-as-a-service offerings have largely evolved from putting automated toolkits into the hands of subscribers to recruiting affiliates and sharing profits. To maximize revenue, some larger operators are also seeking affiliates with more advanced IT and hacking skills.

Privacy Group Files Complaint Over iOS Tracking

Max Schrems' NOYB Organization Says Default on iPhone Breaks EU Privacy Laws
NOYB, a privacy group run by Austrian Max Schrems, has filed complaints against Apple with Spanish and German data protection regulators alleging the company's Identifier for Advertisers breaks EU privacy laws by allowing Apple and all apps on the iPhone to track a user without consent.

Verizon Releases First Cyber-Espionage Report


American telecommunications company Verizon today released its first ever data-driven report on cyber-espionage attacks. 

The 2020 "Cyber Espionage Report" (CER) draws from seven years of Verizon "Data Breach Investigations Report" (DBIR) content and more than 14 years of the company's Threat Research Advisory Center (VTRAC) Cyber-Espionage data breach response expertise. 

Verizon said that it published the CER to serve as a guide for cybersecurity professionals searching for ways to improve their organization’s cyber-defense posture and incident response (IR) capabilities.

Key findings of the report are that for cyber-espionage breaches, 85% of actors were state affiliated, 8% were nation-state affiliated, and just 4% were linked with organized crime. Former employees made up 2% of actors. 

The industries most impacted by cyber-espionage breaches in the previous seven years were the public sector, manufacturing, professional, information, mining and utilities, education, and the financial industry.

Of the three most-targeted industries, the public sector bore the brunt of the breaches (31%), while manufacturing and professional were hit by 22% and 11%, respectively. 

The top compromised asset varieties in cyber-espionage breaches were desktop or laptop (88%), cell phone (14%), and web application (10%). For all breaches, the top asset varieties were web application (43%), desktop or laptop (31%), and email (21%).

Of the attributes most commonly compromised in cyber-espionage breaches, 91% involved software installation and 73% were secrets. The top compromised data varieties were credentials (56%), secrets (49%), internal (12%), and classified (7%).

The report found that while an organization can be compromised in seconds, discovering the breach can take years. Time to compromise was seconds to days (91%), time to exfiltration was minutes to weeks (88%), time to discovery was months to years (69%), and time to containment was days to months (79%). 

The most common types of breaches were web application (27%), miscellaneous errors (14%), and "everything else" (14%), with cyber-espionage making up 10% of breaches. 

Researchers noted: "Because cyber-espionage is a difficult incident pattern to detect, the numbers may be much higher. The kinds of data stolen in Cyber-Espionage breaches (e.g., secrets, internal or classified) may not fall under the data types that trigger reporting requirements under many laws or regulatory requirements."

Nibiru ransomware variant decryptor

Nikhil Hegde developed this tool.

Weak encryption

The Nibiru ransomware is a .NET-based malware family. It traverses directories in the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string “Nibiru” to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant.


Cybercrime to Drain $44bn from Russian Economy in 2020


A state-owned Russian banking and financial services company has estimated that the Russian economy will lose $44bn to cybercrime in 2020. 

Reuters reports that the estimate was published on Tuesday by Sberbank, which has held the title of Russia's largest bank since 2014. 

From its headquarters in Moscow, Sberbank said that the shift away from store-based cash transactions to digital payments triggered by the outbreak of COVID-19 had exacerbated security concerns. 

With the novel coronavirus still raging around the world and lockdowns being reimposed, the bank's predictions for 2021 are glum. Sberbank, which has nearly 100 million active clients, predicted that the economic fallout from cybercrime could double in the year ahead. 

“On average, we have to deal with 26 billion cybersecurity events every day,” said Stanislav Kuznetsov, deputy chairman of Sberbank’s executive board.

Speaking to Russia's parliament, the Duma, in March of this year, President Vladimir Putin called for a crackdown on internet-enabled crime. 

Interior ministry data released in October revealed that the number of crimes linked to bank cards in Russia had increased by 500% in 2020.

"I'm asking for a system, a set of measures to reduce the number of such crimes," said Putin.

Later that month, Russia's Federal Security Service, the FSB, announced that as part of a joint operation with the Ministry of Internal Affairs, it had detained over 30 individuals across 11 regions of the country and charged 25 of them with selling stolen credit and debit card data online. 

Authorities said that the individuals had created more than 90 online stores through which they sold stolen data. 

In 2019, Russia’s minister of internal affairs, Alexander Kolokoltsev, said that cybercrimes in Russia had increased dramatically while other types of crimes had diminished.  

"In the last few years Internet crime has seen a 16-fold surge," Kolokoltsev told a meeting of the Ministry's Social Council. 

"This number is huge, despite the fact that crime in general is subsiding, felonies included. It’s precisely here, where we can concentrate and unite our efforts."

Kolokoltsev added that the increase in cybercrime could be partly due to a lack of awareness of online scams and fraudulent schemes among Russia's vulnerable citizens.  

Does Protection Help As Much As We Think In Security?

I love it when data surprises me.

In cybersecurity, we’re good at researching how things can go wrong, but it’s harder to figure out when things are going right. Most of our prescriptive advice starts to sound obvious after all these years: least privilege. Patch all the things. Segmentation. Redundancy. Resilience. And always, always, encryption. But which practices actually lead to a successful security program?

This year we decided to take a new strategy, with the help of the Cyentia Institute, founded by some of the data scientists who created the Verizon Data Breach Investigations Report. We tried to determine which security practices, or factors, appeared to correlate most with the desired outcomes of a security program. The resulting report, dubbed the Cisco Security Outcomes Study, will be released on December 1 – sign up to be the first to know when it comes out.

In the meantime, here’s a little amuse-bouche to whet your appetite, one of the many findings that we didn’t have room for in the main report. It has to do with the NIST Cybersecurity Framework, that guiding beacon that helps us describe the many security practices that make up a program. Those practices are broken down into the functions Identify, Protect, Detect, Respond, and Recover, and we sorted the practices in this year’s survey the same way. Wade Baker, partner and co-founder of Cyentia, has more to say specifically about the research and its results below.

We asked respondents about where their security programs place the greatest priority in terms of investment, resources, and effort. We used the high-level security functions defined in NIST Cybersecurity Framework for this. Respondents rated their level of priority for each function.

The figure below lists NIST functions from top to bottom based on their strength of correlation with the respondent claiming to have a highly successful security program. The bars and values indicate the expected increase in probability of overall program success associated with firms placing higher priority on each function. Because of statistical variation, that increase is expressed as a range of probability. The middle value marks the average (and most likely) increase in the likelihood of program success.

NIST security functions most strongly correlated with overall security program success

The surprising thing about this chart is that it’s telling us that the Identify, Detect, and Respond functions contribute to a successful security program more than Protect. We don’t see this as “protection isn’t important” (it contributes to many outcomes, per the next figure), but rather that the best programs invest in a well-rounded set of defenses to identify, protect, detect, respond, and recover from cyber threats. The cybersecurity field has long been protection-heavy; this says that protection alone is not the most effective strategy.

NOTE: There’s another factor at play here and that’s statistics. Most organizations place high priority on Protect, and the success of those organizations varies substantially. Because so many firms are Protect-heavy, the statistical analysis is less likely to see it as a key differentiator.

The number of outcomes that correlate (strongly) with identification is unexpected. It speaks to the importance of this security cornerstone – know what you’re protecting and protecting against. The next two, Detect and Respond, seem to echo the common “when, not if” mantra for security incidents. Because it’s impossible to prevent every threat, the distinguishing mark of a successful program is detecting incidents when they do occur and responding effectively.

NIST high-level functions correlated with each security program outcome

The value and shading at the intersection of each function and outcome can be interpreted in this way: “Function X correlates with a Y% increase in firms reporting they’re successfully achieving outcome Z.”

Here we see that Identify isn’t equally effective for all outcomes, but it’s usually the strongest. But there is some variation here, so pay attention to the patterns (e.g., Respond seems particularly relevant to ‘Gaining executive confidence’).

So what’s going on here? My own opinion about why Protect doesn’t seem to be a power player echoes Wade’s warning about statistical effects. Everyone does a lot of Protect; in fact, that’s one of the first functions that developed as dedicated security products, so if you buy something for your organization (and who doesn’t?), it’s most likely to be firewalls, antivirus, encryption, MFA, and similar controls. It doesn’t mean that “protection is dead,” or that “protection eventually fails.” It means that because of the way we tried to research this question of practices correlating with outcomes, it looks from the data as if even those organizations that said they weren’t doing as well as they’d like were getting something out of that function. If everyone’s doing it, it’s not special.

Why is Identify the one to correlate most strongly with more outcomes? I believe that for one thing, it’s a prerequisite for the other functions: if you don’t know you have it, you can’t protect it, detect attacks on it, respond to those attacks, and recover from them. Just because it’s a basic, it doesn’t mean it’s easy to do, however, and when organizations report that they’re prioritizing Identify as a function, the added capability there may influence their success overall. Identify doesn’t just mean locating all your assets one time; in a dynamic environment, you have to keep up with changes — and isn’t that pretty much the same as Detection? I suspect that prioritizing the Identify function builds up security muscles that bring added value to all the other practices in a program.

But don’t take my word for it; let’s look at what someone else thinks. Sounil Yu, former chief security scientist at Bank of America and now CISO-in-Residence at YL Ventures, has thought a lot about the NIST CSF functions and how their use has changed over time. In his Cyber Defense Matrix work, he describes not only how the proportions of technology, people, and process change between functions, but how the emphasis on different functions changes as an organization’s security strategy shifts from a risk-averse posture to one that is more comfortable with business risk.

A risk-taking strategy involves putting less emphasis on Protect, as those types of security controls may be more likely to constrain business and technology functions. If you build up visibility along with your Detect and Respond capabilities, you can take advantage of more speed and agility. This might explain why the respondents in our survey who claimed more successful outcomes in their security program also reported prioritizing more than just Protect.

We could spend a lot of time speculating about why we got these results, or we could simply grab a shovel and dig deeper. If this is a side effect of the statistical analysis we used, we could try different methods in a future survey; a lot rests on how you ask a particular question and how you compare the answers. If it really means that you can protect all you want, but if you really want to succeed at cybersecurity, you need to pay equal attention to the other functions, then we can learn more so that we can make specific recommendations.

I hope you’ve enjoyed this early look at some intriguing data, and stay tuned for the main report, coming out on December 1! In the meantime, here is a good conversation with Wade Baker, Jason Wright from ThreatWiseTV and myself as we discussed this topic.

Sign up and be the first to know when the Security Outcomes Study comes out and join us on December 1 for our live broadcast: Proven Factors for your Security Program, as we discuss the most surprising findings of the Security Outcomes Study.

Druva Acquires sfApex


Texas Salesforce developer tool and data migration service provider sfApex has been acquired by California software company Druva.

The acquisition, carried out to bolster Salesforce data protection and governance, was announced on November 17.

The deal will allow Druva to offer customers an integrated solution that combines advanced data protection with sandbox management and data governance, delivered via a cloud-native SaaS platform.

SaaS-based CRM Salesforce discontinued its own recovery feature in July of this year. Druva says the new combination of Druva and sfApex will deliver comprehensive SaaS data protection and management for Salesforce, with granular backup and data recovery as well as streamlined and automated migrations and improved tools for developers.

“Salesforce is critical to every organization: the data stored within it fuels growth, ensures strong customer relationships, and helps identify opportunities to expand relationships,” said Jaspreet Singh, founder and CEO, Druva. 

“Given its sensitivity and potential business impact, keeping this data available and compliant is a business critical function."

Singh said that by welcoming sfApex into the family, Druva will ensure that Salesforce customers never have to "worry about the lights going out." 

In addition to enhanced backup and recovery for Salesforce data, customers are set to benefit from data protection and governance support for Salesforce sandboxes. The integrated solution aims to make it easier for customers to manage CRM data effectively, reducing risk to production environments.

Druva said that users will be able to accelerate Salesforce developer cycles by up to 40% thanks to automated testing and developer sandbox creation and the ability to mask existing data in order to remain compliant with privacy requirements. 

Kashyap Patel, one of the founders of sfApex, has joined Druva as senior director of product management. 

“After years as a developer on Salesforce, in 2012 my co-founders and I recognized an opportunity to improve the platform’s data protection and governance for sandbox environments,” said Patel.

“Since then, the power of Salesforce data has only grown, and we are incredibly excited to join the Druva family and expand these capabilities even further. 

"Combining the strengths of sfApex with Druva’s extensive resources and industry leadership, we are committed to bringing a best-in-class experience and innovations to protect Salesforce customers’ most critical data.”

Blockchain for Voting: A Warning From MIT

Researchers Say Blockchain Introduces More Problems Than It Solves
Blockchain technology has been floated as a solution to enable remote, electronic voting. But MIT researchers say today's paper-based systems, while imperfect, are still the most reliable way to prove to voters that their selections have been accurately cast and tallied.

Twitter Hires Famed Hacker ‘Mudge’ as Security Head

Peiter Zatko Will Help Social Media Firm That Faces Security Concerns
Twitter has hired network security expert Peiter Zatko to serve in the newly created position of head of security following a series of high-profile cyber incidents. Zatko, known as "Mudge," gained fame as a member of the ethical hacking group "Cult of the Dead Cow" and worked for the government and Google.

McAfee MVISION Solutions Meet FedRAMP Cloud Security Requirements

Today’s U.S. government is in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape. To support these efforts, McAfee has pursued and received a Federal Risk and Authorization Management Program (FedRAMP) Authorization designation for McAfee MVISION for Endpoint at the moderate security impact level.

This FedRAMP Moderate designation is equivalent to DoD Impact Level 2 (IL2) and certifies that the McAfee solution has passed rigorous security requirements for the increasingly complex and expanding cloud environments of the U.S. government. The FedRAMP Moderate authorization validates the McAfee solution’s implementation of the baseline 325 NIST 800-53 controls, allowing users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).

By achieving FedRAMP Moderate Authorization for MVISION for Endpoint, McAfee can provide the command and control cyber defense capabilities government environments need to enable on-premise and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.

McAfee MVISION for Endpoint consists of three primary components: McAfee MVISION Endpoint Detection and Response (EDR), McAfee MVISION ePolicy Orchestrator (ePO) and McAfee Endpoint Security Adaptive Threat Protection with Real Protect (ENS ATP):

  • McAfee MVISION EDR simplifies investigation and response to sophisticated threat campaigns with unified detection and response (EDR) capabilities that include continuous monitoring, multi-sensor telemetry, AI-guided investigations, MITRE ATT&CK mapping and real-time hunting.
  • McAfee MVISION ePO provides a cloud-native single-pane-of-glass console to manage both McAfee and other security controls, automating workflows and prioritizing risk assessment to reduce the time and tasks required to triage, investigate and respond to security incidents.
  • McAfee ENS ATP prevents advanced malware from infecting the endpoint with integrated next-gen AV capabilities that include behavioral blocking, exploit prevention, machine learning and file-less threat defense. ENS can also diminish the impact of an attack with enhanced remediation capabilities, which, for example, can roll back the destructive effect of a ransomware attack by restoring affected files and negating the need for system reimaging.

Together, these solutions provide today’s U.S. government agencies the AI-guided endpoint threat detection, investigation and response capabilities they need to confront today’s ever evolving threats across a wide variety of devices. This important FedRAMP milestone is the latest affirmation of McAfee’s long-standing commitment to providing U.S. government agencies advanced, cloud-based cyber defenses to help them meet whatever mission they may confront today and in the future.

Other recent McAfee public sector achievements include:

  • McAfee MVISION Cloud became the first Cloud Access Security Broker (CASB) platform to be granted a FedRAMP High Impact Provisional Authority to Operate (P-ATO) from the U.S. Government’s Joint Authorization Board (JAB). This designation certified that chief information officers from the DoD, the General Services Administration (GSA) and the Department of Homeland Security (DHS) have evaluated and approved MVISION Cloud for their increasingly complex cloud environments.
  • The DoD’s Defense Innovation Unit (DIU) selected McAfee to develop a Secure Cloud Management platform around McAfee MVISION Unified Cloud Edge (UCE), which integrates its Next-Generation Secure Web Gateway, CASB and data loss prevention capabilities into one cloud-native platform.
  • McAfee is working with the DoD’s Defense Information Systems Agency (DISA) to achieve DoD compliance at Impact Levels 4 and 5 to simplify how DoD agencies can procure secure systems with confidence.

Please see the following for more information on McAfee’s efforts in the FedRAMP mission:

The post McAfee MVISION Solutions Meet FedRAMP Cloud Security Requirements appeared first on McAfee Blogs.

Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here 

Security teams are struggling to reduce the time to detect and respond to threats due to the complexity and volume of alerts being generated from multiple security technologies.

With more workloads being migrated to the cloud, this brings an additional perimeter, which requires constant vigilance for early signs of a cyber-attack. New security challenges also emerge due to its elastic nature and the constant provisioning of new services.

How CyberProof is working with Microsoft to solve these challenges

CyberProof partnered with Microsoft to provide customers with cloud-scalable security monitoring, detection, and response services across the endpoint, network, identities, SaaS applications, and Azure cloud infrastructure.

With the CyberProof Defense Center (CDC) service delivery platform pre-integrated with Microsoft’s cloud-native SIEM, Azure Sentinel, CyberProof’s built-in virtual analyst, SeeMo, automates up to 80 percent of tier one and two activities such as monitoring, enrichment, incident handling, and remediation. This frees up your team to focus on the most critical business issues.

Key Layers to Building a Smarter SOC

We recommend that security operations center teams implement the following three key layers of a smarter security operations center (SOC) architecture when looking to generate continuous value from their Azure security stack with managed security services.

Each layer includes the integrations between Microsoft and CyberProof that help facilitate this architecture. For more information, check out our on-demand webinar—which we ran in collaboration with Microsoft’s Chief Security Advisor EMEA, Cyril Voisin.

1. Data collection and integration layer—enrichment of security data from multiple sources

This is particularly useful for enterprise-grade SOCs that collect and parse relevant data from multiple business units before going into a data lake. Organizing and classifying all of this data will save time and money when you start introducing integration and automation technologies, as the information will already be structured in an optimum way. Here’s how log collection, normalization, and analysis work:

  1. Integration: An organization identifies the assets, tools, technologies, and applications that need to be integrated.
  2. Data normalization: Enterprise SOCs need to parse data before it enters the data lake—to tag and filter it—so the right information is being fed into the SOC in the most efficient way.
  3. Data collection and analysis: Using a solution such as Microsoft’s Azure Monitor Log Analytics and scalable storage such as Azure Data Lake, terabytes of data can be ingested in order to query and manage at scale. Machine learning can be used for the identification of anomalies and monitoring whether log sources are operating correctly, as well as to support threat hunting.

At CyberProof, we leverage Azure Monitor Log Analytics and CyberProof Log Collection (CLC) SaaS technology to pull logs from all sources of data. These include a customer’s existing Microsoft investments—including on-premises, SaaS, and Azure assets—and existing Microsoft security controls that generate alerts across identities, endpoints, data, email, and cloud apps.

2. Security analytics layer—generating contextual alerts and minimizing false positives

The traditional on-premises SIEM architecture has limited scalability—for example, infrastructure costs are incurred up-front, based on peak requirements rather than on-demand provisioning that scales with current demand and growth over time. Also, effectively mapping logs from all ecosystems can be a time-consuming endeavor when having to correlate rules and create clear reporting.

The world of security data collection has evolved. It is no longer a single query or rule that triggers the discovery of an incident. Typically, security monitoring identifies the proverbial “needle in the haystack”—and this type of threat detection requires broad visibility across the enterprise. This requires more processing power and data collection, in order to establish what the baseline really looks like. These attributes are best achieved by implementing security in the cloud.

That’s where Azure Sentinel comes in, supplying correlation and analytics rules and filtering massive volumes of events to obtain high-context alerts. Azure Sentinel uses machine learning to proactively find anomalies hidden within acceptable user behavior and generate alerts.

Microsoft Azure Sentinel is fully integrated with the CyberProof CDC platform, so customers can work from a single console to manage high-context alerts, carry out investigations, and handle incidents.

3. Orchestration, automation, and collaboration layer—facilitating faster threat detection and response

Forrester’s recent assessment of midsized MSSPs notes that orchestration and security automation play a vital role for overburdened SOC staff.

By automating tier one and two activities like monitoring, enrichment, investigation, and incident handling, our CDC platform takes much of the strain out of the process. Essentially, the CDC platform provides our IP as a service—helping customers avoid the expenditure necessary to develop their own IP for a next-generation SOC.

The CDC platform gives customers a “single pane of glass” view from which to manage high context alerts, incidents, and report generation for stakeholders. It integrates the functionality of Azure Sentinel as well as other security investments.

The CDC platform’s benefits include:

  • Orchestration: Integrates external intelligence sources, enrichment sources, the IT service management system, and more into a single view.
  • Automation: Leverages CyberProof’s virtual analyst, SeeMo, who uses our Use Case Factory—a catalog of attack use cases consisting of prevention, detection rules, and response playbooks all aligned to the MITRE ATT&CK framework—to continuously update playbooks.
  • Collaboration: Facilitates real-time communication with our nation-state level analysts to help remediate incidents.
  • Hybrid engagement: Supports collaboration of CyberProof experts with the customer’s team to remediate incidents and upskill the customer’s team.

Customers can start benefiting now

The CyberProof solution, used in tandem with Azure Sentinel, provides 24/7 security monitoring, which frees up SOC teams to focus on critical incidents.

The platform’s use of machine learning and behavioral analysis can reduce alert fatigue and false positives by up to 90 percent. It offers large-scale collection and correlation of data from the endpoint, cloud network, and users—facilitating high-context alerts.

These capabilities, as well as the platform’s high-level collaboration abilities and up-to-date response playbooks, contribute to greater efficiency in threat detection and in responding to validated incidents.

Yet, it doesn’t take a lot of time to transition to the CyberProof solution. CyberProof has a defined onboarding process that’s based on each customer’s requirements.

As a managed service provider, we find that we can help customers get through the transition much more quickly than they would have on their own—accelerating the process and shortening the time needed to start reaping the benefits of the solutions.

Want more information? Check out our Azure Security Services page and the CDC platform from CyberProof. Or contact us to learn more about how we can help you transition to a smarter SOC.

To learn more about the Microsoft Intelligent Security Association (MISA), visit the Microsoft Intelligent Security Association website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services appeared first on Microsoft Security.

#ISC2Congress: The #COVID19 Cyber-Threat Landscape for Businesses

The cyber-threats faced by businesses have not varied significantly in 2020, despite the major changes to working practices brought about by COVID-19, according to Graham Cluley, cybersecurity blogger and researcher, speaking during a keynote session at the virtual (ISC)2 Security Congress.

“Most of the attacks we’re seeing during 2020 are variations on a theme that we’ve seen many times, such as phishing attacks, ransomware and business email compromise (BEC),” he explained. “They haven’t disappeared into thin air during the COVID-19 pandemic; they’ve multiplied and continued to target unprepared users and ill-prepared organizations.”

However, companies are much more vulnerable to these common tactics now, with employees operating at home where they are often heavily distracted and without easy access to IT support. Cluley noted: “We’re still being expected to determine if a link can be trusted or not and we’re sometimes making big mistakes as a result.”

He added that these attempts to trick users into clicking malicious links are becoming increasingly sophisticated, easily mistaken for something legitimate, such as appearing to be Google docs.

Another big issue is that there is no longer a single building that can be fortified to protect companies, with their infrastructure spread out across multiple homes and networks. This means an individual falling prey to a phishing scam at home can lead to major consequences for organizations. Cluley outlined: “Its presence may not be noticed for weeks, and stealing information and credentials, learning about your business.” Therefore, protecting against unauthorized access, such as through wider use of multi-factor authentication (MFA), is critical in this new environment.

Organizations also need to consider the threats posed by additional physical access into people’s homes and therefore their work environments. This can include cleaners or tradesmen. “Sometimes these people can be on a low wage and might be looking for additional ways to boost their income,” he said.

The stakes of ransomware attacks have been ramped-up over recent times, according to Cluley, and he outlined the phenomenon whereby some news organizations are willing to pay for stolen information and publicize anything “juicy” uncovered. He stated: “The exfiltration of data, from a ransomware-attacked company, can be monetized by the hacker, either by offering to sell it on the dark market to other hackers, or they can simply use it as leverage and say ‘we are going to embarrass you as a company and reveal your secrets.’”

In addition, BEC remains a huge danger, with businesses being “attacked more than ever” via this method. Cluley explained that this generally occurs following extensive research into organizations by cyber-criminals, who then pose as genuine suppliers to trick finance departments into wiring them money. He cited FBI figures which estimate businesses globally have lost $12bn from these types of scam, which don’t require any programming knowledge.

He highlighted a recent case in which $90m was successfully scammed after the French government defense minister was impersonated using a silicone mask on a webcam, requesting a loan from people to pay a ransom. The use of video to conduct scams could prove to be especially effective during the COVID-19 pandemic. “The chances are people are more trusting of a conversation they are having over a Zoom call than they would over email,” observed Cluley.

Despite the growing threat phishing, ransomware and BEC attacks pose to home workers, Cluley believes there are reasons for positivity. “It hasn’t actually resulted in a surge in breaches,” said Cluley, noting that “an increase in attacks does not necessarily mean an increase in breaches.”

Goodbye PIPEDA? Canada’s privacy commissioner to gain power to recommend stiff fines under proposed legislation

This morning, the Canadian government announced that the federal privacy commissioner will gain the ability to recommend companies be fined for not complying with updated and stiffer privacy legislation.

Innovation Minister Navdeep Bains told reporters the commissioner will have broad order-making powers under the proposed new Consumer Privacy Protection Act (CPPA), including the ability to force an organization to comply with requests and order a company to stop collecting data or using personal information. If passed, the CPPA would replace the Personal Information Protection and Electronic Documents Act (PIPEDA).

Bains said the commissioner will be able to recommend fines to a new body called the Personal Information and Data Protection Tribunal. The fines that the tribunal could levy would be the strongest among G7 nations — up to 5 per cent of global revenue or CAD$25 million, whichever is greater, for the most serious offences, he explained. For less serious offences the maximum fines could be up to 3 per cent of global revenue or CAD$10 million.

By comparison, the maximum fine levied under the European Union’s General Data Protection Regulation (GDPR) is up to 4 per cent of a company’s global revenue.

Bains talked in general terms to reporters about the proposed legislation, which had just been introduced to Parliament and wasn’t publicly available for detailed examination. For example, it wasn’t immediately known how the tribunal will be constituted. It could be similar to the federal Competition Bureau Tribunal, an independent enforcement agency that enforces the Competition Act.

Bains said the CPPA would ensure that when Canadians go online and are asked to give consent to have their personal data used, it will be in “plain simple language” and not a 30-page legal document. “It will mean greater transparency. That means Canadians will better understand how their data is collected and how that data is used.”

Canadians will also be able to demand an organization let them take the personal data it has collected and transfer or share it elsewhere, from one bank to another, for example. They will also have a chance to demand that an organization delete or destroy personal information if they withdraw consent.

Bains tried to portray the new legislation as good for business, suggesting it will improve Canadian residents’ confidence to buy goods and services online.

“It enables businesses to have the predictability they need to pursue responsible innovation. And because Canadians will have more trust [online] that will enable businesses to make investments, they need to leverage the data in a meaningful way to grow their businesses, create jobs, access markets and become more competitive and productive.”

The proposed CPPA also has new transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence. Businesses would have to be transparent about using such systems to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained.

The legislation will clarify that de-identified information (data that doesn’t have a person’s name) must be protected and that it can be used without an individual’s consent only under certain circumstances.

The CPPA would give Canadians the ability to demand that their information on social media platforms be permanently deleted. When consent is withdrawn, or information is no longer necessary, Canadians can demand that their information be destroyed. The privacy commissioner will have the ability to order a social media company to comply and even order it to stop collecting data or using personal information.

The new legislation and changes to existing legislation are wrapped up under a new Digital Charter Implementation Act.

In an interview, Halifax privacy lawyer David Fraser of the McInnes Cooper law firm said it’s fair to separate the Privacy Commissioner’s fine-making ability from a tribunal, which would actually levy fines and give reasons. That would make it similar to the Competition Bureau Tribunal, he said.

The post Goodbye PIPEDA? Canada's privacy commissioner to gain power to recommend stiff fines under proposed legislation first appeared on IT World Canada.

Chinese APT FunnyDream targets a South East Asian government

Researchers spotted a new China-linked APT, tracked as FunnyDream, that has already infected more than 200 systems across Southeast Asia.

Security experts at BitDefender have uncovered a new China-linked cyber espionage group, tracked as FunnyDream, that has already infected more than 200 systems across Southeast Asia over the past two years.

According to Kaspersky Lab, FunnyDream has been active at least since 2018 and has targeted high-profile entities in Malaysia, Taiwan and the Philippines. Most of the victims were in Vietnam; the group focuses on foreign government organizations of countries in Southeast Asia.

The group is still active and aims to ensure persistence in the victims’ networks for as long as possible, to spy on victims’ activities and to exfiltrate sensitive documents, with a special interest in national security and industrial espionage.

“The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PCShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor,” reads the report published by BitDefender. “Some of these open source Remote Access Trojans (RATs) are known to be of Chinese origin, along with some other resources set to Chinese.”

The name of the group comes from a powerful backdoor employed in the attacks of the APT group.

The attacks analyzed by Bitdefender researchers employed three malware payloads tracked as Chinoxy, PCShare, and FunnyDream.

The attackers followed the same kill chain in each attack, which begins with the execution of the Chinoxy backdoor to gain persistence in the victim’s system after initial access.

The Chinoxy dropper uses a digitally signed binary (Logitech Bluetooth Wizard Host Process) to evade detection and relies on DLL side-loading to get the backdoor DLL loaded into memory.

The backdoor then deploys PcShare, an open source Chinese RAT that was used for gathering intelligence from the infected hosts.

FunnyDream is a custom-made backdoor that supports advanced persistence and communication capabilities; the APT group used it for intelligence gathering and data exfiltration.

“The attackers used the backdoor prevalently as DLL files, but we observed an executable to be used as well.” continues the report. “The files we found implement many persistence mechanisms, their droppers and loaders use many different file names for the payload, all of that suggesting that the backdoor is custom made.”

The analysis of the tool usage timeline revealed that the threat actors initially started by deploying a series of tools meant for quick and covert data exploration and exfiltration, and later developed their own kill chain that employed the three malware payloads.

The researchers were able to identify the C2 architecture because the domains or IP addresses of the command and control servers are hardcoded in the binary files. Most of the servers are located in Hong Kong, except for three located in Vietnam, China and South Korea, respectively.
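Because the C2 addresses were hardcoded, the researchers could enumerate the infrastructure from the binaries themselves. The following added Python (not Bitdefender’s tooling, and not a reproduction of any FunnyDream sample) shows how a defender can pull candidate IPv4 and host-name indicators out of a binary’s ASCII and UTF-16LE string tables while filtering out loopback and private ranges, build numbers and file names; the sample blob and every indicator in it are constructed from IETF documentation values.

```python
"""Extract candidate hard-coded C2 indicators (IPv4 addresses and host
names) from a binary, scanning both ASCII and UTF-16LE string tables.

Added example, not Bitdefender's tooling. The sample 'binary' is
constructed: its indicators are IETF documentation values (203.0.113.0/24,
198.51.100.0/24, the .example TLD), not real FunnyDream infrastructure.
"""
import ipaddress
import re

MIN_STRING_LEN = 6

# Dotted quad; octet range and address class are checked separately.
_IPV4_RE = re.compile(rb"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
# Host name: one or more labels plus an alphabetic top-level label.
_HOST_RE = re.compile(
    rb"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(?![\w.-])",
    re.IGNORECASE,
)
# Dotted names that are file references, not hosts, inside Windows binaries.
_FILE_SUFFIXES = {"dll", "exe", "sys", "ocx", "dat", "tmp", "log", "ini",
                  "txt", "pdb", "cpl", "drv", "bat", "cmd", "xml"}
# Blocks a public C2 server cannot live in. Listed explicitly rather than
# via IPv4Address.is_private, which would also drop the documentation
# ranges used by the constructed sample below.
_NON_CANDIDATE_NETS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def ascii_strings(blob: bytes):
    """Yield printable ASCII runs, like the `strings` utility does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN, blob):
        yield m.group(0)


def utf16le_strings(blob: bytes):
    """Yield printable UTF-16LE runs, narrowed back to ASCII bytes.
    Windows DLLs commonly store paths and host names this way, so a scan
    of ASCII strings alone misses them."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_STRING_LEN, blob):
        yield m.group(0)[::2]  # drop the interleaved NUL bytes


def is_candidate_ipv4(text: str) -> bool:
    """Reject malformed quads (an octet above 255, e.g. in OS build strings),
    loopback, RFC 1918, link-local, multicast and reserved space."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not any(addr in net for net in _NON_CANDIDATE_NETS)


def is_candidate_host(text: str) -> bool:
    """Drop dotted names whose last label is a file extension."""
    return text.rsplit(".", 1)[-1].lower() not in _FILE_SUFFIXES


def extract_indicators(blob: bytes) -> dict:
    """Return {'ipv4': [...], 'hosts': [...]} (sorted, de-duplicated)."""
    ips, hosts = set(), set()
    for s in list(ascii_strings(blob)) + list(utf16le_strings(blob)):
        for m in _IPV4_RE.finditer(s):
            cand = m.group(0).decode("ascii")
            if is_candidate_ipv4(cand):
                ips.add(cand)
        for m in _HOST_RE.finditer(s):
            cand = m.group(0).decode("ascii").lower()
            if is_candidate_host(cand):
                hosts.add(cand)
    return {"ipv4": sorted(ips), "hosts": sorted(hosts)}


def build_sample_binary() -> bytes:
    """Constructed stand-in for a backdoor DLL's data section. Parts are
    NUL-separated so ASCII and UTF-16LE runs do not bleed into each other."""
    parts = [
        b"kernel32.dll",                                  # import, not a host
        b"LoadLibraryW",
        b"10.0.18362.1",                                  # OS build, not an IP
        b"127.0.0.1",                                     # loopback, not a C2
        b"203.0.113.5",                                   # ASCII 'C2' address
        "update.c2-placeholder.example".encode("utf-16le"),  # wide host name
        "198.51.100.77".encode("utf-16le"),               # wide 'C2' address
    ]
    return b"\x00\x00" + b"\x00\x00".join(parts) + b"\x00\x00"


if __name__ == "__main__":
    print(extract_indicators(build_sample_binary()))
```

Extracted values are candidates for analyst review, not confirmed indicators: dotted version strings with small components (such as 1.0.0.1) survive the filter and must be weeded out by hand.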

“It’s likely that relying on a locally deployed C&C infrastructure would bring several advantages to the APT group. For instance, it could be easier to manage and control, while at the same time the C&C IPs wouldn’t be flagged as suspicious, as they would be part of the same regional internet infrastructure. Opting for a command and control infrastructure deployed anywhere else in the world would have potentially raised some security alarms,” concludes the report. “During this analysis, some forensic artefacts seem to suggest a Chinese-speaking APT group, as some of the resources found in several binaries had a language set to Chinese, and the Chinoxy backdoor used during the campaign is a Trojan known to have been used by Chinese-speaking threat actors. While we’re constantly monitoring for APT-like activity around the world, not all APT-style attacks can be attributed to a known APT group, mostly because some of the tools used are sometimes shared between multiple groups.”

Pierluigi Paganini

(SecurityAffairs – hacking, FunnyDream)

The post Chinese APT FunnyDream targets a South East Asian government appeared first on Security Affairs.

#ISSE2020: ‘Real’ Digital Identity Can Exist with New Technology

Speaking as part of the virtual ISSE Conference, panelists discussed the concept of whether “real digital identity” can exist. Chaired by Heather Flanagan, principal at Spherical Cow Consulting, the panel proposed ways in which digital identities can exist, and what is required to make them work.

Pamela Dingle, director of identity standards at Microsoft, said businesses need to encourage sharing and collaboration in order to help employees get their job done, but two issues tend to stand in the way: friction and fraud. “We are told to not allow crime to occur and to make users successful, so how do we be successful and collaborate without causing chaos and devastating action?”

Dingle said that we are in a situation where fraud “is so brutal” that users are pushed into a position of friction, and “you cannot resist friction if you’re pulled into fraud.” She argued organizations can choose to give up everything and try new things, or try new things you’re not doing today and embrace where automation helps you.

Kim Cameron, CIO of Convergence Technology, suggested the idea of a global identity concept, where the user owns their own identity and other “realms” connect into that. “Realms are not identity systems, but authentication systems,” he said.

“So my way of thinking on how to solve the problem is for a mechanism for people to have their own identity and realms should recognize them, and you don’t need to give them keys,” Cameron said.

“It should work to any realm, but not be a super cookie. It should allow services to recognize you, not correlate you.”

As for who provides this digital identity, Cameron said this “wallet” doesn’t contain any personally identifiable information, and is managed by your identity service provider, as the wallet manages your universal identity. “The idea is the wallet can live on a mobile device and also live in the cloud.”

Calling this “something optimistic and within our reach,” he said the common issue is that businesses mix new concepts with “old technology stacks” and that doesn’t solve the problems.

Zero Trust for Workloads: Knowledge is Key

Zero trust is such a popular term in the security space today. Everyone is talking zero trust, Cisco included. The interesting point is it’s not new – the original architecture model was released in 2010, and the important guidelines have been part of good security practices for years; think about your important assets and develop secure perimeters around them. What has changed today is the design of security controls as it relates to secure perimeters. A secure perimeter with robust security controls can no longer exist at the network edge in today’s complex, cloud-based, heterogeneous environments. Disparate technologies, lack of integration, rapidly expanding threat surfaces and changing threat landscapes make the job of security difficult. That’s why zero trust is a process that begins first at the point of understanding your environment.

In today’s world, assets must be untrusted until network traffic and application behavior can be validated. Security controls must be driven down to the application workload level to be effective since applications are so critical to business today. This means extending your traditional security infrastructure with new technologies; network access needs to focus on the workload.

Protection starts with security closer to your applications using a new firewall type of enforcement that surrounds each workload. Enhance this with real-time visibility to map workload communications and application behaviors, and environmental context to determine whether they should be trusted. Then effective policy controls can be put in place to establish secure perimeters – micro-segmentation – at the workload level for stateful and consistent micro-segmentation across multi-cloud data centers at scale. This also allows you to minimize lateral movement in case of security incidents. Continual validation of trust is important to automatically update those policies based on changes to application dependencies and communication patterns. But the first step for a zero trust model for your application workloads is understanding your environment.

The Cisco answer to this problem is Tetration. Cisco Tetration provides east-west traffic firewalling along with policy discovery and management, no matter where your workloads are located: on-premises or in hybrid/multi-cloud environments. By providing a single pane of glass to define a context-based workload inventory in an automated way, Tetration auto-discovers application context and collects rich workload telemetry. Using this context and telemetry, Cisco Tetration automates zero trust policy discovery to help you understand what your policy needs to be. Without that level of understanding, you will struggle to effectively deploy zero trust (micro-segmentation) policy enforcement at the workload level, and enforcement without it limits the effectiveness of your zero trust policy.
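The workflow described above (collect flow telemetry, derive an allow-list between workload tiers, then keep checking new traffic against it) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not Cisco Tetration code and does not reflect its internal design. The inventory labels, addresses, ports and flow records are constructed sample data.

```python
"""Discover a workload-level micro-segmentation policy from flow telemetry,
then validate new flows against it under default-deny.

Added illustration for the zero trust discussion; not Cisco Tetration code.
All addresses, labels and flows below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source workload address
    dst: str     # destination workload address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


# Constructed inventory: address -> (application, tier). A real system gathers
# this context automatically; here it is a static mapping.
INVENTORY = {
    "10.0.1.10": ("shop", "web"),
    "10.0.1.11": ("shop", "web"),
    "10.0.2.10": ("shop", "app"),
    "10.0.3.10": ("shop", "db"),
    "10.0.9.50": ("jumpbox", "admin"),
}

# Constructed telemetry from a learning window in which the application behaved normally.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.10", 8080, "tcp"),
    Flow("10.0.1.11", "10.0.2.10", 8080, "tcp"),
    Flow("10.0.2.10", "10.0.3.10", 5432, "tcp"),
    Flow("10.0.9.50", "10.0.2.10", 22, "tcp"),
]

# Constructed flows seen later, to be validated against the discovered policy.
NEW_FLOWS = [
    Flow("10.0.1.10", "10.0.2.10", 8080, "tcp"),   # normal web -> app traffic
    Flow("10.0.1.10", "10.0.3.10", 5432, "tcp"),   # web tier reaching the db directly: never observed
    Flow("10.0.1.10", "10.0.1.11", 445, "tcp"),    # web -> web SMB: never observed
]


def label(ip):
    """Map an address to its (application, tier) label; unlabelled hosts are 'unknown'."""
    return INVENTORY.get(ip, ("unknown", "unknown"))


def discover_policy(flows):
    """Collapse observed flows into an allow-list keyed by (source label, destination label).

    Each key maps to the set of (proto, dport) pairs seen between those tiers.
    Flows involving unlabelled workloads are not turned into policy: context first.
    """
    policy = defaultdict(set)
    for f in flows:
        s, d = label(f.src), label(f.dst)
        if "unknown" in s or "unknown" in d:
            continue
        policy[(s, d)].add((f.proto, f.dport))
    return dict(policy)


def evaluate(flow, policy):
    """Default-deny decision for one flow: 'allow' only if the tier pair and port were learned."""
    s, d = label(flow.src), label(flow.dst)
    return "allow" if (flow.proto, flow.dport) in policy.get((s, d), set()) else "deny"


def validate(flows, policy):
    """Continual validation: return the flows the current policy would block, for review."""
    return [f for f in flows if evaluate(f, policy) == "deny"]


if __name__ == "__main__":
    policy = discover_policy(BASELINE_FLOWS)
    for (s, d), ports in sorted(policy.items()):
        print(f"{s[0]}/{s[1]} -> {d[0]}/{d[1]}: {sorted(ports)}")
    for f in validate(NEW_FLOWS, policy):
        print("policy violation:", f)
```

Flows that the policy denies are what an operator reviews: either the application's dependencies legitimately changed and the policy should be updated, or the traffic is lateral movement that the segmentation is there to stop.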

For more information on a comprehensive zero trust strategy, here are a couple of valuable resources:

Cisco Patches Critical Flaw After PoC Exploit Code Release

A critical path-traversal flaw (CVE-2020-27130) exists in Cisco Security Manager that lays bare sensitive information to remote, unauthenticated attackers.

Employees Have Access to an Average of 10 Million Files

The average employee has access to around 10.8 million files, with larger organizations having around 20 million files accessible.

According to new research by Varonis, 64% of financial services organizations have more than 1000 sensitive files open to every employee. “Securely transitioning to remote work and locking down exposed data to mitigate the risk of remote logins were two of the highest security priorities for IT teams in financial services,” Varonis said.

“Mobilizing without proper security controls exponentially increases the risk posed by insiders, malware and ransomware attacks, and opens companies up to possible non-compliance with regulations such as SOX, GDPR and PCI.”

Inside financial services, the average number of folders open to all access is 1.3 million in large organizations, although this drops to 778,045 in medium organizations and 101,717 in small firms.

Brandon Hoffman, CISO at Netenrich, said restricting access to sensitive data is a foundational security step, but unfortunately, many organizations don’t do it.

He said: “They don’t because there are a few steps you need to take to ensure it is actually restricted. These steps can be daunting but they are critical to success in cyber. First, you need to classify all the data in the business and determine prioritization relative to risk. You then need to ensure that identity of users is organized and limited. The third, and most crucial step, is to put controls in place that limit access to and manipulation of high priority data by specific users. This does not only solve the challenge of users stealing or mishandling data, but will drive efficiency and security in several other areas.

“It does not come as a surprise then to find out that this is not being done as we continue to see the leakage/breach of personal data year-over-year.”

Heather Paunet, senior vice-president at Untangle, told Infosecurity she found it surprising that so many employees, especially at content-sensitive workplaces such as financial institutions, continue to have a depth of access to millions of files.

“To streamline network access, safeguard files and address vulnerable access points within the network, businesses and IT leaders should establish a set of criteria during any employee onboarding process in relation to their network access,” she said.

“Defining which positions have access to specific information creates layers of access that are not easily broken. For example, a marketing team member should not have the same access to employee information as an HR manager, and neither should have the same access as a member of the finance team dealing with sensitive business information.”

She recommended routinely auditing this access, especially in times of high turnover or during a large-scale transition to working from home, to allow IT teams to address any unauthorized access points or redefine access policies as needed.

“If employees should need additional access to systems or data, formal requests can be made, creating a procedure for opening access to specific employees for an approved amount of time,” Paunet said. 

“Hopefully, businesses now understand that it takes a single access point to wreak havoc on an entire network, and minimizing these access points is one of the best ways to complement any network security solution in place.”

Be Very Sparing in Allowing Site Notifications

An increasing number of websites are asking visitors to approve “notifications,” browser modifications that periodically display messages on the user’s mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters.

Notification prompts in Firefox (left) and Google Chrome.

When a website you visit asks permission to send notifications and you approve the request, the resulting messages that pop up appear outside of the browser. For example, on Microsoft Windows systems they typically show up in the bottom right corner of the screen — just above the system clock. These so-called “push notifications” rely on an Internet standard designed to work similarly across different operating systems and web browsers.

But many users may not fully grasp what they are consenting to when they approve notifications, or how to tell the difference between a notification sent by a website and one made to appear like an alert from the operating system or another program that’s already installed on the device.

This is evident by the apparent scale of the infrastructure behind a relatively new company based in Montenegro called PushWelcome, which advertises the ability for site owners to monetize traffic from their visitors. The company’s site currently is ranked by Alexa.com as among the top 2,000 sites in terms of Internet traffic globally.

Website publishers who sign up with PushWelcome are asked to include a small script on their page which prompts visitors to approve notifications. In many cases, the notification approval requests themselves are deceptive — disguised as prompts to click “OK” to view video material, or as “CAPTCHA” requests designed to distinguish automated bot traffic from real visitors.

An ad from PushWelcome touting the money that websites can make for embedding their dodgy push notifications scripts.

Approving notifications from a site that uses PushWelcome allows any of the company’s advertising partners to display whatever messages they choose, whenever they wish to, and in real-time. And almost invariably, those messages include misleading notifications about security risks on the user’s system, prompts to install other software, ads for dating sites, erectile dysfunction medications, and dubious investment opportunities.

That’s according to a deep analysis of the PushWelcome network compiled by Indelible LLC, a cybersecurity firm based in Portland, Ore. Frank Angiolelli, vice president of security at Indelible, said rogue notifications can be abused for credential phishing, as well as foisting malware and other unwanted applications on users.

“This method is currently being used to deliver something akin to adware or click fraud type activity,” Angiolelli said. “The concerning aspect of this is that it is so very undetected by endpoint security programs, and there is a real risk this activity can be used for much more nefarious purposes.”

Sites affiliated with PushWelcome often use misleading messaging to trick people into approving notifications.

Angiolelli said the external Internet addresses, browser user agents and other telemetry tied to people who’ve accepted notifications are known to PushWelcome, which could give them the ability to target individual organizations and users with any number of fake system prompts.

Indelible also found browser modifications enabled by PushWelcome are poorly detected by antivirus and security products, although Angiolelli noted Malwarebytes reliably flags as dangerous publisher sites that are associated with the notifications.

Indeed, Malwarebytes’ Pieter Arntz warned about malicious browser push notifications in a January 2019 blog post. That post includes detailed instructions on how to tell which sites you’ve allowed to send notifications, and how to remove them.

KrebsOnSecurity installed PushWelcome’s notifications on a brand new Windows test machine, and found that very soon after the system was peppered with alerts about malware threats supposedly found on the system. One notification was an ad for Norton antivirus; the other was for McAfee. Clicking either ultimately led to “buy now” pages at either Norton.com or McAfee.com.

Clicking on the PushWelcome notification in the bottom right corner of the screen opened a Web site claiming my brand new test system was infected with 5 viruses.

It seems likely that PushWelcome and/or some of its advertisers are trying to generate commissions for referring customers to purchase antivirus products at these companies. McAfee has not yet responded to requests for comment. Norton issued the following statement:

“We do not believe this actor to be an affiliate of NortonLifeLock. We are continuing to investigate this matter. NortonLifeLock takes affiliate fraud and abuse seriously and monitors ongoing compliance. When an affiliate partner abuses its responsibilities and violates our agreements, we take necessary action to remove these affiliate partners from the program and swiftly terminate our relationships. Additionally, any potential commissions earned as a result of abuse are not paid. Furthermore, NortonLifeLock sends notification to all of our affiliate partner networks about the affiliate’s abuse to ensure the affiliate is not eligible to participate in any NortonLifeLock programs in the future.”

Requests for comment sent to PushWelcome via email were returned as undeliverable. Requests submitted through the contact form on the company’s website also failed to send.

While scammy notifications may not be the most urgent threat facing Internet users today, most people are probably unaware of how this communications pathway can be abused.

What’s more, dodgy notification networks could be used for less conspicuous and sneakier purposes, including spreading fake news and malware masquerading as update notices from the user’s operating system. I hope it’s clear that regardless of which browser, device or operating system you use, it’s a good idea to be judicious about which sites you allow to serve notifications.

Unixfreaxjp at #R2CON2020 presented shellcode basics for radare2

Shellcode plays an essential role in cyber attacks; the popular expert Unixfreaxjp explained how to use radare2 for a variety of shellcode analysis tasks.

Shellcode has an important part in cyber intrusion activities and is mostly spotted being executed during process/thread injection or during the exploitation of memory space that is mostly related to a vulnerability. Either way, the purpose of shellcode is to utilize a small executable size so it can run and trigger further steps of action in a specifically targeted environment.

Depending on the nature of the shellcode itself, it can be made for a good purpose or a bad one. The analysis of a shellcode requires know-how of which system libraries and functions will be invoked to help its execution, and depending on the operating system it can be a wide variation of commands, from direct calls to OS functions to the hash of the API of certain OS libraries. A good analysis tool can help you dissect a shellcode if the low-level language analysis operation is supported, as any shellcode is coded in assembly language. radare2 is one example of those tools.

In this presentation, I explain how to utilize radare2 for a variation of shellcode analysis and will lead you, as a tutorial, from basic know-how in analyzing shellcode with multiple demonstrations.

I also state the definition of the shellcode to avoid misleading, and add some samples of interesting cases that can help you see how they can be utilized for any kind of (bad) purpose, which explains the importance for all of us of learning how to analyze them. I had only 30 minutes to present this rich content, so I condensed the material in the video of the presentation; please read the slides and pause the video while you are watching. I hope you can learn something from this presentation.

Below the Q&A video published by Unixfreaxjp:


About the author: Unixfreaxjp

Pierluigi Paganini

(SecurityAffairs – hacking, malware)
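The talk summarized above mentions shellcode that refers to OS library functions by a hash of the API name rather than the name itself. When an analyst meets such constants in a disassembly, the usual step is to hash a list of candidate export names with the same algorithm and look the constants up. The following is an added example for this page, not Unixfreaxjp's code, part of radare2 or taken from any sample: the ROR-13 accumulate-per-byte routine is one widely seen variant and is assumed here for illustration (terminator handling varies between implementations), and the candidate names and the "sample" constants are constructed from that list.

```python
"""Resolve hashed API names encountered while analysing shellcode.

Added example; not Unixfreaxjp's code and not part of radare2. The ROR-13 routine is
one commonly seen hashing variant and is an assumption for illustration. The candidate
export names are a constructed list, and the "constants from a sample" below are
computed from it rather than taken from any real binary.
"""


def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name):
    """Per byte: rotate the accumulator right by 13, then add the byte (no terminator)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed list of export names an analyst might try; a real run would feed
# the full export tables of the libraries the sample is expected to use.
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessA",
    "ExitProcess", "WinExec", "WSAStartup", "connect",
]


def build_table(names, hasher=ror13_hash):
    """Map hash -> name for every candidate; a collision between different names is an error,
    because silently keeping one of them would mislead the analysis."""
    table = {}
    for n in names:
        h = hasher(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision {h:#010x}: {table[h]} / {n}")
        table[h] = n
    return table


def resolve(hashes, table):
    """Translate constants pulled from a sample into names; unknown values stay as hex
    so the analyst can see what is still unresolved."""
    return [table.get(h, f"unknown_{h:#010x}") for h in hashes]


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    # Constructed stand-in for constants recovered from a disassembly listing.
    from_sample = [ror13_hash("LoadLibraryA"), ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, name in zip(from_sample, resolve(from_sample, table)):
        print(f"{h:#010x} -> {name}")
```

Two details matter in practice: the hashing is case-sensitive, so the candidate list must use the exact exported spelling, and a hash that resolves to nothing is a signal to widen the candidate set or to re-check the rotation count and terminator handling rather than to guess.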

The post Unixfreaxjp at #R2CON2020 presented shellcode basics for radare2 appeared first on Security Affairs.

Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs

The role of the Windows PC and trust in technology are more important than ever as our devices keep us connected and productive across work and life. Windows 10 is the most secure version of Windows ever, built with end-to-end security for protection from the edge to the cloud all the way down to the hardware. Advancements like Windows Hello biometric facial recognition, built-in Microsoft Defender Antivirus, and firmware protections and advanced system capabilities like System Guard, Application Control for Windows and more have helped Microsoft keep pace with the evolving threat landscape.

While cloud-delivered protections and AI advancements to the Windows OS have made it increasingly more difficult and expensive for attackers, they are rapidly evolving, moving to new targets: the seams between hardware and software that can’t currently be reached or monitored for breaches. We have already taken steps to combat these sophisticated cybercriminals and nation state actors with our partners through innovations like secured-core PCs that offer advanced identity, OS, and hardware protection.

Today, Microsoft, alongside our biggest silicon partners, is announcing a new vision for Windows security to help ensure our customers are protected today and in the future. In collaboration with leading silicon partners AMD, Intel, and Qualcomm Technologies, Inc., we are announcing the Microsoft Pluton security processor. This chip-to-cloud security technology, pioneered in Xbox and Azure Sphere, will bring even more security advancements to future Windows PCs and signals the beginning of a journey with ecosystem and OEM partners.

Our vision for the future of Windows PCs is security at the very core, built into the CPU, where hardware and software are tightly integrated in a unified approach designed to eliminate entire vectors of attack. This revolutionary security processor design will make it significantly more difficult for attackers to hide beneath the operating system, and improve our ability to guard against physical attacks, prevent the theft of credentials and encryption keys, and provide the ability to recover from software bugs.

Pluton design redefines Windows security at the CPU

Today, the heart of operating system security on most PCs lives in a chip separate from the CPU, called the Trusted Platform Module (TPM). The TPM is a hardware component which is used to help securely store keys and measurements that verify the integrity of the system. TPMs have been supported in Windows for more than 10 years and power many critical technologies such as Windows Hello and BitLocker. Given the effectiveness of the TPM at performing critical security tasks, attackers have begun to innovate ways to attack it, particularly in situations where an attacker can steal or temporarily gain physical access to a PC. These sophisticated attack techniques target the communication channel between the CPU and TPM, which is typically a bus interface. This bus interface provides the ability to share information between the main CPU and security processor, but it also provides an opportunity for attackers to steal or modify information in-transit using a physical attack.

The Pluton design removes the potential for that communication channel to be attacked by building security directly into the CPU. Windows PCs using the Pluton architecture will first emulate a TPM that works with the existing TPM specifications and APIs, which will allow customers to immediately benefit from enhanced security for Windows features that rely on TPMs like BitLocker and System Guard. Windows devices with Pluton will use the Pluton security processor to protect credentials, user identities, encryption keys, and personal data. None of this information can be removed from Pluton even if an attacker has installed malware or has complete physical possession of the PC.

This is accomplished by storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helping to ensure that emerging attack techniques, like speculative execution, cannot access key material. Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself, providing an unprecedented level of security for Windows customers.
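The article says the TPM stores "measurements that verify the integrity of the system". The mechanism behind that phrase is the PCR extend operation: each boot component is hashed, and the register is replaced by the hash of its old value concatenated with the new digest, so the final value depends on every component and on their order. The example below is added here to make that concrete; it is not Microsoft or Pluton code. The extend rule (SHA-256 over old value || digest, starting from 32 zero bytes) follows TPM 2.0 PCR semantics; the boot components, the "known-good" value and the event-log comparison are constructed for the illustration.

```python
"""Replay a measured-boot event log into a PCR value and compare it with a known-good value.

Added illustration of TPM-style measurements; not Microsoft or Pluton code. The extend
rule follows TPM 2.0 PCR semantics for a SHA-256 bank; the boot components and the
'known-good' value are constructed for the example.
"""
import hashlib
from itertools import zip_longest

PCR_INIT = bytes(32)  # SHA-256 PCR banks start at all-zero


def extend(pcr, digest):
    """TPM PCR extend: new = SHA-256(old || digest). The register is never written directly."""
    return hashlib.sha256(pcr + digest).digest()


def measure(component):
    """Digest of one boot component (firmware image, bootloader, kernel...)."""
    return hashlib.sha256(component).digest()


def replay(log):
    """Recompute the PCR a verifier expects from an ordered list of components."""
    pcr = PCR_INIT
    for component in log:
        pcr = extend(pcr, measure(component))
    return pcr


def verify(log, expected_pcr):
    """Attestation check: does the replayed log reproduce the reported PCR value?"""
    return replay(log) == expected_pcr


def first_divergence(observed_log, good_log):
    """Locate the first event whose digest differs from the known-good log (None if identical).
    A PCR mismatch alone says 'something changed'; the event log says what."""
    observed = [measure(c) for c in observed_log]
    good = [measure(c) for c in good_log]
    for i, (o, g) in enumerate(zip_longest(observed, good)):
        if o != g:
            return i
    return None


# Constructed boot chains. The golden value would normally be recorded from a trusted build.
GOOD_BOOT = [b"firmware v1.2", b"bootloader v3", b"kernel 5.8"]
TAMPERED_BOOT = [b"firmware v1.2", b"bootloader v3 (modified)", b"kernel 5.8"]

if __name__ == "__main__":
    golden = replay(GOOD_BOOT)
    print("known-good PCR:", golden.hex())
    print("tampered boot verifies:", verify(TAMPERED_BOOT, golden))
    print("first divergent event:", first_divergence(TAMPERED_BOOT, GOOD_BOOT))
    # Same components in a different order give a different PCR: ordering is part of the measurement.
    print("reordered boot verifies:", verify(list(reversed(GOOD_BOOT)), golden))
```

The point the article makes about bus attacks follows from this model: the measurements are only as trustworthy as the path between the CPU that computes the digests and the chip that holds the registers, which is why moving the security processor into the CPU package removes a class of problems rather than adding another check.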

The Pluton security processor complements work Microsoft has done with the community, including Project Cerberus, by providing a secure identity for the CPU that can be attested by Cerberus, thus enhancing the security of the overall platform.

Graphic showing the Microsoft Pluton security processor

One of the other major security problems solved by Pluton is keeping the system firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources that can be difficult to manage, resulting in widespread patching issues. Pluton provides a flexible, updateable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices.

The fusion of Microsoft’s OS security improvements, innovations like secured-core PCs and Azure Sphere, and hardware innovation from our silicon partners provides the capability for Microsoft to protect against sophisticated attacks across Windows PCs, the Azure cloud, and Azure intelligent edge devices.

Innovating with our partners to enhance chip-to-cloud security

The PC owes its success largely to an immensely vibrant ecosystem with OS, silicon, and OEM partners all working together to solve tough problems through collaborative innovation. This was demonstrated over 10 years ago with the successful introduction of the TPM, the first broadly available hardware root of trust. Since that milestone, Microsoft and partners have continued to collaborate on next generation security technologies that take full advantage of the latest OS and silicon innovations to solve the most challenging problems in security. This better together approach is how we intend to make the PC ecosystem the most secure available.

The Microsoft Pluton design technology incorporates all of the learnings from delivering hardware root-of-trust-enabled devices to hundreds of millions of PCs. The Pluton design was introduced as part of the integrated hardware and OS security capabilities in the Xbox One console released in 2013 by Microsoft in partnership with AMD and also within Azure Sphere. The introduction of Microsoft’s IP technology directly into the CPU silicon helped guard against physical attacks, prevent the discovery of keys, and provide the ability to recover from software bugs.

With the effectiveness of the initial Pluton design we’ve learned a lot about how to use hardware to mitigate a range of physical attacks. Now, we are taking what we learned from this to deliver on a chip-to-cloud security vision to bring even more security innovation to the future of Windows PCs (more details in this talk from Microsoft BlueHat). Azure Sphere leveraged a similar security approach to become the first IoT product to meet the “Seven properties of highly secure devices.”

The shared Pluton root-of-trust technology will maximize the health and security of the entire Windows PC ecosystem by leveraging the security expertise and technologies from the companies involved. The Pluton security processor will provide next generation hardware security protection to Windows PCs through future chips from AMD, Intel, and Qualcomm Technologies.

“At AMD, security is our top priority and we are proud to have been at the forefront of hardware security platform design to support features that help safeguard users from the most sophisticated attacks. As a part of that vigilance, AMD and Microsoft have been closely partnering to develop and continuously improve processor-based security solutions, beginning with the Xbox One console and now in the PC. We design and build our products with security in mind and bringing Microsoft’s Pluton technology to the chip level will enhance the already strong security capabilities of our processors.” – Jason Thomas, head of product security, AMD

“Intel continues to partner with Microsoft to advance the security of Windows PC platforms. The introduction of Microsoft Pluton into future Intel CPUs will further enable integration between Intel hardware and the Windows operating system.” – Mike Nordquist, Sr. Director, Commercial Client Security, Intel

“Qualcomm Technologies is pleased to continue its work with Microsoft to help make a slew of devices and use cases more secure. We believe an on-die, hardware-based Root-of-Trust like the Microsoft Pluton is an important component in securing multiple use cases and the devices enabling them.” – Asaf Shen, senior director of product management at Qualcomm Technologies, Inc.

We believe that processors with built-in security like Pluton are the future of computing hardware. With Pluton, our vision is to provide a more secure foundation for the intelligent edge and the intelligent cloud by extending this level of built-in trust to devices, and things everywhere.

Our work with the community helps Microsoft continuously innovate and enhance security at every layer. We’re excited to make this revolutionary security design a reality with the biggest names in the silicon industry as we continuously work to enhance security for all.

The post Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs appeared first on Microsoft Security.

#ISSE2020: Look to Decentralized (Rather than Legacy) Identity Approvals

A robust onboarding system that works for users and businesses should be built, as current systems “struggle to know who users are” which leads to frustration.

Speaking as part of the virtual ISSE Conference, John Erik Setsaas, VP identity and innovation at Signicat, said the infrastructure “we thought we had” takes longer and longer to work, and “we don’t want to bequeath to our children an identity onboarding system.” He argued there is a need for a robust onboarding system that knows the people that need to be involved in the system.

“We have had the same problem for the last 20 years, it [an identity system] struggles to know who you are,” he said, citing an example of how hard it was to access a bank from a different country due to the required levels of authentication.

Displaying survey results, Setsaas said 41% of respondents were unable to access financial services during the COVID-19 pandemic, and 63% had abandoned onboarding in financial services.

Showing other statistics, just over 10% of respondents abandoned onboarding due to “confusing language,” between 15% and 20% abandoned because it took too long and required too much personal information, and just over 20% left as they “changed their mind.”

He said: “Most people say it is a difficult process, but we need to think like the new generation.”

David Rihak, digital identity director, ADUCID, asked if the issue of identity is “even solvable,” as if it is not, “what are we doing wrong?”

He claimed that applications expect us to create an identity, and that this has been accepted by society, so when looking at secure identity, we need to look at it from the point of secure recovery. “We need to work with cryptography, as that is how the internet works, and how to bind it to users and scenarios where needed,” he said.

Katryna Dow, CEO, Meeco, discussed “decentralized identity,” saying it is more important to think about the customer and their role than about any sort of technology, and she advised not to “get hung up on what flavor” of technology you are using.

She said identity and access management technology had evolved, but decentralized identity “is often seen as a fad or not catching on.” However, she said there is more confidence in how to marry existing infrastructure with new capabilities, and that is where decentralized can be an enabler “as it allows ecosystems to form without the need for tight integration.”

She concluded that technology and emerging standards can help with trust and onboarding, and these additional tools “represent a way to bring these together in a way where everyone wins.”

Twitter hires veteran hacker Mudge as head of security

Peiter Zatko’s appointment follows mass attack on social media platform in July

Twitter has appointed one of the world’s most respected hackers as its new head of security in the wake of a humiliating mass attack in July.

The company has placed Peiter Zatko in charge of protecting its platform from threats of all varieties, poaching him from the payments startup Stripe. Zatko is better known as Mudge, his handle for more than 20 years of operation on both sides of the information security arena.

#ISC2Congress: Modern Security Pros Are Much More than Technologists, Says Bruce Schneier

Speaking in the opening keynote of the virtual (ISC)2 Security Congress, renowned security technologist and best-selling author Bruce Schneier discussed the public-interest aspects of technology.

In particular, he explored the ethics of data privacy and security, whilst also outlining how today’s cybersecurity professionals are more than technologists; the work they do affects society as a whole.

“In cybersecurity, government access to encrypted communications has been the subject of a 25-year long debate. On the one side, there are police claiming they are going dark and need access to encrypted data in order to solve crimes. On the other side, security experts say it is impossible to provide that access without making systems insecure.”

Schneier explained that both sides of the argument are relevant, with various ongoing discussions held globally as to which angle of the issue is more important.

“However, here’s the problem,” he added. “Almost no policy-makers are discussing this issue from a technologically-informed perspective.

“Technology is deeply intertwined with society [today] – it is literally creating our world. It is no longer sustainable for technology and policy to be in different worlds.”

Therefore, modern information security professionals must become “public-interest technologists,” Schneier argued, adding that they must align technologically focused thought processes with issues of societal policy.

“Today, technology has become de facto policy. Companies have effective control over free speech, censorship and freedoms, regardless of what national laws are.”

This has led to the creation of terms such as algorithmic discrimination, digital divide and surveillance capitalism, Schneier added, and “this means that internet policy is no longer a separate thing.

“Technology is remaking the world, and we will never get the policy right if policy-makers get the tech wrong.”

Addressing the issue requires two key things, he explained. Firstly, policy-makers must understand technology. “What we want is for policy-making discussions to be informed by the relevant technologists.”

Secondly, more technologists (security pros) need to get involved with policy. “The world needs more public-interest technologists,” Schneier said.

Consumer-targeted phishing and fraud are rising in time for a COVID holiday season

Black Friday and the holiday shopping season are on the horizon, and the spammers are already at work. Customers receive an email “advertising” a special limited offer, encouraging them to click links leading to websites pretending to be well-known retail chains or e-commerce brands. 

The tactic isn’t exactly earth-shattering. We’ve seen this type of scam during past holiday shopping seasons. What makes it different this year is COVID-19. The majority of people will be doing most of their holiday shopping online this year. Many of those folks are still working from home, effectively doing everything online. Folks are more distracted than usual, and therefore more vulnerable. They need help, and they need it from the retail chains and commerce brands themselves.

What’s the deal with security product testing anyway?

It’s common for savvy online shoppers to check third-party reviews before making an online purchasing decision. That’s smart, but testing the efficacy of security software can be a bit more difficult than determining if a restaurant had decent service or if a clothing brand’s products are true to size.

So, with the arguably more significant consequences of antimalware testing, how can shoppers be sure that the product they choose is up to the task of protecting their family from malware? Which reviews are worthy of trust and which are just fluff?

Red flags in antimalware testing

Grayson Milbourne is the security intelligence director at Webroot and actively involved in improving the fairness and reliability of antimalware testing. While acknowledging that determining the trustworthiness of any single test is difficult, some factors should sound alarm bells when looking to honestly evaluate antimalware products.

These include:

The pay-to-perform model

In any test, the humans behind the product being evaluated have a vested interest in the performance. How far they go to influence those results, however, varies. One extreme way to positively influence results is to fund a test designed for your product to succeed. Often, the platform on which a test appears can be a sign of whether this is the case.

“YouTube tests are almost always commissioned,” warns Milbourne. “So, if you see things on YouTube, know that there is almost always someone paying for the test who’s working the way the test comes out. I try to avoid those.”

If only one product aces a test, that’s another sign that it may have been designed unfairly, maybe with the undisputed winner’s strengths in mind.

Every vendor acing a test

Tests in which all participants receive high scores can be useless in evaluating product efficacy. Because we know catching malware is difficult, and no single product is capable of doing it effectively 100 percent of the time, tests where every product excels are cause for concern.

“If every product aces the test, maybe that test is a little too easy,” says Milbourne. No product is perfect, so be wary of results that suggest so.

Failing to test in “the big picture”

No one piece of software can stop all the threats a user may face all of the time. But many vendors layer their preventative technologies—like network, endpoint and user-level protection—to most effectively protect against cyberthreats.

“Testers are still very worried about what happens when you encounter a specific piece of malware,” says Milbourne. “But there’s a lot of technology focused on preventing that encounter, and reactive technology that can limit what malware can do, if it’s still unknown, to prevent a compromise.”

In addition to how well a product protects an endpoint from malware, it’s also important to test the preventative layers of protection, something that is lacking in third-party testing today.

The problem with the antimalware testing ecosystem

For Milbourne, the fact that so few organizations dedicated to efficacy testing exist, while the number of vendors continues to grow, is problematic.

“There are about five well-established third-party testers and another five emerging players,” he says. “But there are well over a hundred endpoint security players and that number is growing.”

These lopsided numbers can mean that innovation in testing is unable to keep up with innovation in security products and with the ever-changing tactics used by hackers and malware authors to distribute their threats. Testing organizations are simply unable to match the realities of actual conditions “out in the wild.”

“When security testing was first being developed in the early 2000s, many of the security products were almost identical to one another,” says Milbourne. “So, testers were able to create and define a methodology that fit almost every product. But today, products are very different from each other in terms of the strategies they take to protect endpoints, so it’s more difficult to create a single methodology for testing every endpoint product.”

Maintaining relationships in such a small circle was also problematic. Personal relationships could easily be endangered by a bad test score, and a shortage of talent meant that vendors and testers could bounce between these different “sides of the aisle” with some frequency.

Recognizing this problem in 2008, antimalware vendors and testing companies came together to create an organization dedicated to standardizing testing criteria, so no vendor is taken off guard by the performance metrics tested.

The Anti-Malware Testing Standards Organization (AMTSO) describes itself as “an international non-profit association that focuses on addressing the global need for improvement in the objectivity, quality and relevance of anti-malware testing methodologies.”

Today, its members include a number of antivirus and endpoint security vendors and testers, normally in competition against one another, but here collaborating in the interest of developing more transparent and reliable testing standards to further the fair evaluation of security products.

“Basically, the organization was founded to answer questions about how you test a product fairly,” says Milbourne.

Cutting through the antimalware testing hype

Reputation within the industry may be the single most important determinant of a performance test’s trustworthiness. The AMTSO, which has been working towards its mission for more than a decade now, is a prime example. Its members include some of the most trusted names in internet security and its board of directors and advisory board are made up of seasoned industry professionals who have spent entire careers building their reputations.

While none of this is to say there can’t be new and innovative testing organizations hitting the scene, there’s simply no substitute for paying dues.

“There are definitely some new and emerging testers which I’ve been engaging with and am happy to see new methodologies and creativity come into play,” says Milbourne, “but it does take some time to build up a reputation within the industry.”

For vendors, testing criteria should be clearly communicated, and performance expectations plainly laid out in advance. Being asked to hit an invisible target is neither reasonable nor fair.

“Every organization should have the chance to look at and provide feedback on a test’s methodology because malware is not a trivial thing to test and no two security products are exactly alike. Careful review of how a test is meant to take place is crucial for understanding the results.”

Ultimately, the most accurate evaluation of any antimalware product will be informed by multiple sources. Just as reviews are considered in aggregate for almost any other product, customers should take a mental average of all the trustworthy reviews they’re able to find when making a purchasing decision.

“Any one test is just one test,” reminds Milbourne. “We know testing is far from perfect and we also know products are far from perfect. So, my advice would be not to put too much stock into any one test, but to look at a couple of different opinions and determine which solution or set of solutions will strengthen your overall cyber resilience.”

The post What’s the deal with security product testing anyway? appeared first on Webroot Blog.

Zoom Releases New Security Features to Counter Zoombombing

Zoom released new security features to help its users counter disruptive meeting intrusions, otherwise known as “Zoombombing.” Matt Nagel, security & privacy PR lead at the American communications technology company, announced in a blog post on November 16 that Zoom had released two new anti-Zoombombing features over the previous weekend. The first new feature enables […]… Read More

The post Zoom Releases New Security Features to Counter Zoombombing appeared first on The State of Security.

Pentester’s Guide to Evaluating OAuth 2.0 — Authorization Code Grants

Everything required to test a novel OAuth 2.0 implementation.

You’ve been assigned to your next gig and the primary focus is to evaluate a custom OAuth 2.0 implementation. You’ve heard of OAuth as a third-party authorization delegation service, but need a set of test cases and some context.

I’ll explain everything you need to know about OAuth from a security standpoint and provide a clear list of test cases so you can report high severity issues on your next engagement.

This guide will cover the Authorization Code Grant flow. After reading this article, you should have enough context to devise your own test cases for the remaining authorization flows. Future articles will discuss the remaining authorization flows in further detail.

246869 Windows systems are still vulnerable to the BlueKeep flaw

In May 2019, Microsoft disclosed the BlueKeep vulnerability; more than a year later, over 245,000 Windows systems still remain unpatched.

Over a year ago, Microsoft’s Patch Tuesday updates for May 2019 addressed nearly 80 vulnerabilities, including the BlueKeep flaw.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker by connecting to the targeted system via RDP and sending specially crafted requests.

As Microsoft explained, the vulnerability is wormable: it can be exploited without user interaction, making it possible for malware to spread in an uncontrolled way through target networks.

The vulnerability doesn’t affect Windows 8 or Windows 10, but earlier versions are exposed to the risk of cyber attacks.

Microsoft also advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this vulnerability.

The issue poses a serious risk to organizations and industrial environments due to the presence of a large number of systems that could be reached via RDS.

A year and a half after the flaw was disclosed, more than 245,000 Windows systems have yet to be patched and are vulnerable to attacks.

In May 2019, just after the disclosure of the flaw, the popular expert Robert Graham scanned the Internet for vulnerable systems and discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan.

Now security researcher Jan Kopriva has performed a new scan using the Shodan search engine for machines vulnerable to specific CVEs.

“To this end, I’ve put together a list of about a hundred high-impact vulnerabilities, which were discovered before 2020 and which might potentially be scanned for by Shodan. The list was mostly made up of relevant vulnerabilities from different “Top CVEs” lists[3,4] and vulnerabilities I found to be interesting in my previous searches.” wrote Kopriva. “The list was therefore far from comprehensive, but I do believe the results for the top 10 most common vulnerabilities it included are worth a look.”

CVE              Number of affected systems   CVSSv3
CVE-2015-1635    374113                       N/A (CVSSv2 10.0)

The number of systems still vulnerable to CVE-2019-0708 is 246869, around 25% of the 950,000 systems that were initially discovered during a first scan in May 2019.


Kopriva also discovered that more than 103,000 Windows systems are still vulnerable to SMBGhost.

Unfortunately, Kopriva discovered that there are still millions of internet-accessible systems affected by major remotely-exploitable flaws.

“Although, as the chart shows, there has been a significant absolute as well as relative decline in the number of BlueKeep-affected machines accessible from the internet, there still appear to be over 240 000 of them.” concludes the expert. “Given how dangerous and well known BlueKeep is, it rather begs the question of how many other, less well-known critical vulnerabilities are still left unpatched on a similar number of systems.”

Pierluigi Paganini

(SecurityAffairs – hacking, BlueKeep)

The post 246869 Windows systems are still vulnerable to the BlueKeep flaw appeared first on Security Affairs.

Critical vulnerabilities in Cisco Security Manager fixed, researcher discloses PoCs

Cisco has patched two vulnerabilities in its Cisco Security Manager solution, both of which could allow unauthenticated, remote attackers to gain access to sensitive information on an affected system. Those are part of a batch of twelve vulnerabilities flagged in July 2019 by Florian Hauser, a security researcher and red teamer at Code White. About the Cisco Security Manager vulnerabilities Cisco Security Manager is a security management application that provides insight into and control of … More

The post Critical vulnerabilities in Cisco Security Manager fixed, researcher discloses PoCs appeared first on Help Net Security.

Over 80,000 ID Cards and Fingerprint Scans Exposed in Cloud Leak

A US-based used electronics retailer has exposed over 2.6 million files, including ID cards and biometric images, after a misconfigured AWS S3 bucket was discovered.

Researchers at Website Planet traced the instance back to California-based TronicsXchange, previously trading as GreenElectronicsExchange (GEEx).

A random scan for server vulnerabilities led to the discovery of the wide-open S3 bucket on October 12, 2020. The company itself appeared to be shuttered, with an invalid contact email and its website offline, but Website Planet contacted AWS two days later and the issue was eventually remediated.

Of the millions of files found in the database, perhaps the most damaging for customers was the 80,000 or so images of personal identification cards such as driver’s licenses, and 10,000 fingerprint scans.

Each driver’s license photo exposes multiple pieces of information about that individual, including license number, full name, birthdate, home address, gender, hair and eye color, height and weight, and a photo of the individual, among other things.

According to the report, seen exclusively by Infosecurity, the leaked data mostly relates to Californians who visited TronicsXchange stores in 2012-15.

It’s unclear if any malicious actors found the exposed data store before Website Planet, but doing so is increasingly easy thanks to automated tools. The researchers warned that the personal data could have been used to apply for credit cards or open bank accounts.

“TronicsXchange’s misconfigured bucket contained an extensive set of personal information including personal identifiable information that can be harnessed by nefarious hackers to cause severe financial, social and reputational damage to those affected by the leak,” they argued.

“Furthermore, given the fact that government-issue documents were exposed, nefarious users could potentially conduct identity fraud across different platforms and institutions. Users’ true likenesses, copies of official documentation and contact details could be harnessed to conduct identity theft.”

How to speed up malware analysis

Today malware evolves very fast. Loaders, stealers, and different types of ransomware change so quickly that it has become a real challenge to keep up with them, and analyzing them becomes harder and more time-consuming. But cybersecurity specialists can’t waste their time: waiting can cause serious damage. So, how to avoid all of that and speed up malware analysis? Let’s find out. Malware analysis The goal of malware analysis is to research a … More

The post How to speed up malware analysis appeared first on Help Net Security.

UK Firms Least Likely to Pay Ransom Globally

Two-fifths of UK firms have been hit by ransomware over the past year, and although they were the least likely to pay a ransom globally, those that did paid out some of the highest sums, according to CrowdStrike.

The security vendor polled 2200 senior IT decision makers and IT security professionals globally, including 200 in the UK, to compile its 2020 Global Security Attitude Survey.

The large numbers infected by ransomware over the past year could be a result of the pandemic, which has created security gaps as organizations focused on digital transformation to support remote workers.

In fact, 63% of UK respondents agreed that they’re at greater risk of attack due to the crisis. The average amount of time it takes UK organizations to detect a security incident increased by 56% from 2019 to 61 hours, giving attackers a bigger head start.

It’s also notable that nearly half (48%) of UK respondents said COVID-19 has accelerated their digital plans by six months, the third highest in Europe. These efforts can also expand the corporate attack surface, especially when only a fifth (21%) said they had modernized their security tools accordingly.

The good news is that just 13% of attacked firms in the UK pay a ransom, the lowest of any country and less than half the global average (27%).

CrowdStrike’s EMEA CTO, Zeki Turedi, claimed this may be a reflection of the improved incident response capabilities of British firms.

“In the UK, we have a very mature process when it comes to handling cyber-incidents,” he told Infosecurity.

“Companies are more likely to contact their insurance provider or legal team who will work with a pre-approved incident response company to help them investigate and remediate the threat.”

However, the average penalty paid by British firms was £940,000, significantly more than in France (£560,000), Germany (£800,000) and Italy (£300,000).

This could be a reflection of the relative wealth of these victim companies, or the growing trend for attackers to steal sensitive corporate data whilst encrypting files.

“E-crime actors have started using data extortion as part of their tactics. One example is PINCHY SPIDER, which will extort confidential and sensitive information before deploying REvil. Recently we have also seen the same actor auction off stolen information in cases when they could not retrieve payment,” continued Turedi.

“The thinking and approach to ransomware has to change. It is no longer just about being able to recover from an attack, but making sure it does not happen in the first place.”

The full report can be found here.

Hashtag Trending – Right-to-repair Teslas; Surveillance tech buzz; SpaceX is turning heads

Tesla repairs are fundamentally changing in Massachusetts, social media is buzzing about how employers are using surveillance for COVID-19 tracking, and SpaceX has its eyes on tourism.

The post Hashtag Trending - Right-to-repair Teslas; Surveillance tech buzz; SpaceX is turning heads first appeared on IT World Canada.

Capcom Ransomware Breach May Have Hit 350,000

A leading gaming company has revealed that a security breach announced earlier this month is much worse than first thought, with data on potentially hundreds of thousands of customers, employees and others compromised.

Nearly two weeks ago, Resident Evil developer Capcom revealed the breach, believed to be a ransomware attack, happened on November 2. At the time it said: “there is no indication that any customer information was breached.”

However, in an update post yesterday, the Osaka-headquartered firm admitted that some personal and corporate information had been taken.

Although at present Capcom could only confirm the compromise of data on five former employees, four employees and some sales and financial info, much more may have been taken.

Some 350,000 individuals may be at risk of data compromise. This includes: 134,000 customers who used the video game support help desk in Japan, 14,000 Capcom Store members in North America, 4000 Esports website members in North America, 40,000 shareholders, 153,000 former employees, their families and applicants and 14,000 employees “and related parties” taken from HR.

The potentially compromised information varies slightly by category, but includes names, home and email addresses, birthdates, shareholder numbers, phone numbers and photos.

Also at risk is an unspecified quantity of corporate information including sales data, business partner information, and sales and development documents.

“None of the at-risk data contains credit card information. All online transactions etc. are handled by a third-party service provider, and as such Capcom does not maintain any such information internally,” the notice continued.

“As the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.”

Jon Niccolls, EMEA and APAC incident response lead at Check Point Software, claimed that so far this year over 500 organizations per week have been hit by ransomware which also attempts to steal sensitive data.

“To protect against these attacks, companies need to combine technology and processes: solutions that can prevent stealthy attacks and prevent data leaks, and educate employees about the risks of phishing emails, as this is how many ransomware attacks are launched,” he added.

Chinese APT Hackers Target Southeast Asian Government Institutions

Cybersecurity researchers today unveiled a complex and targeted espionage attack on potential government sector victims in South East Asia that they believe was carried out by a sophisticated Chinese APT group at least since 2018. "The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PcShare RAT and FunnyDream backdoor binaries, with

VoltPillager: Hardware-based fault injection attacks against Intel SGX enclaves

Boffins devised a new attack, dubbed VoltPillager, that can break the confidentiality and integrity of Intel SGX enclaves by controlling the CPU core voltage.

A group of six researchers from the University of Birmingham has devised a new attack technique, dubbed VoltPillager, that can break the confidentiality and integrity of Intel Software Guard Extensions (SGX) enclaves by controlling the CPU core voltage.

The attack leverages a low-cost tool that injects Serial Voltage Identification (SVID) packets on the SVID bus between the CPU and the voltage regulator on the motherboard.

The injected packets allowed the researchers to fully control the CPU core voltage and perform fault-injection attacks.

“we have built VoltPillager, a low-cost tool for injecting messages on the Serial Voltage Identification bus between the CPU and the voltage regulator on the motherboard. This allows us to precisely control the CPU core voltage.” reads the paper published by the researchers. “We leverage this powerful tool to mount fault-injection attacks that breach confidentiality and integrity of Intel SGX enclaves.”

The researchers observed that on a standard motherboard a separate Voltage Regulator (VR) chip generates and controls the CPU voltage. They devised the VoltPillager tool to connect to the VR chip’s interface, which is not protected, and control that voltage.

The experts were able to mount fault-injection attacks that breach confidentiality and integrity of Intel SGX enclaves, and present proof-of-concept key-recovery attacks against cryptographic algorithms running inside SGX.

The VoltPillager board devised by the researchers is built around the Teensy 4.0 microcontroller board; it is a low-cost device that can be built for $30.

The attack devised by the researchers requires full control over the BIOS and operating system.

Experts pointed out that the patches for the CVE-2019-11157 vulnerability (Plundervolt) don’t protect against VoltPillager because they simply disable the software undervolting interface, but the hardware interface remains active.

“We have proven that this attack vector is practical by recovering RSA keys from an enclaved application, and have shown that other fundamental operations such as multiplication and memory/cache writes can be faulted as well.” continues the paper. “These lead to novel memory safety vulnerabilities within SGX, which are not detected by SGX’s memory protection mechanisms,”
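The key-recovery result above rests on a signature computed from a faulted intermediate value leaving the enclave. The following added illustration (not the researchers’ code, and not part of the paper) shows the failure mode in a toy RSA-CRT signer and the standard software-side countermeasure: verify the signature with the public key before releasing it. The primes, the message and the fault model (one flipped bit in one CRT half, standing in for a voltage glitch) are all constructed values; real keys are far larger, and a glitch cannot be assumed to corrupt exactly one bit.

```python
"""Verify-before-release as a countermeasure to faulted RSA-CRT signing.

Added illustration only: constructed toy key, constructed message, and a
simulated single-bit fault in one CRT half. Not the VoltPillager authors'
code. Requires Python 3.8+ for the three-argument pow() modular inverse.
"""
from typing import Optional

# Constructed toy key: two small primes, far too weak for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT private exponents
QINV = pow(Q, -1, P)                 # q^-1 mod p for Garner recombination


def crt_sign(m: int, fault: Optional[str] = None) -> int:
    """RSA-CRT signature of 0 <= m < N.

    `fault` simulates a glitch hitting the exponentiation mod p ("p") or
    mod q ("q"): one bit of that half-result is flipped before the two
    halves are recombined. Without a fault this is ordinary RSA-CRT.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault == "p":
        sp ^= 1          # simulated corruption of the mod-p half
    elif fault == "q":
        sq ^= 1          # simulated corruption of the mod-q half
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def verify(m: int, s: int) -> bool:
    """Public-key check: a correct signature satisfies s^e == m (mod N)."""
    return pow(s, E, N) == m


def sign_checked(m: int, fault: Optional[str] = None) -> Optional[int]:
    """Sign, then verify with the public key before releasing the result.

    Returns None when the check fails, so a faulted signature never leaves
    the signing routine. The cost is one public-exponent operation per
    signature, which with e = 65537 is small next to the private operation.
    """
    s = crt_sign(m, fault)
    return s if verify(m, s) else None


if __name__ == "__main__":
    msg = 123456789   # constructed message representative, already < N
    print("good signature verifies:", verify(msg, crt_sign(msg)))
    print("faulted signature verifies:", verify(msg, crt_sign(msg, fault="q")))
    print("checked signer releases faulted result:",
          sign_checked(msg, fault="q") is not None)
```

A faulted half-result produces a value that is wrong modulo exactly one prime, which is what the published RSA-CRT fault analyses exploit; refusing to emit any signature that fails the public-key check removes that output channel, though it does not stop faults in other operations the paper mentions, such as plain multiplications or memory writes, which need their own redundancy checks.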

Experts presented the results of their study to Intel on March 13, 2020, but the company doesn’t plan to fix the problem because the SGX threat model does not include hardware-based attacks.

“… opening the case and tampering of internal hardware to compromise SGX is out of scope for SGX threat model. Patches for CVE-2019-11157 (Plundervolt) were not designed to protect against hardware-based attacks as per the threat model,” states Intel’s reply.

“The results in this paper, together with the manufacturer’s decision to not mitigate this type of attack, prompt us to reconsider whether the widely believed enclaved execution promise of outsourcing sensitive computations to an untrusted, remote platform is still viable,” the researchers conclude.

Pierluigi Paganini

(SecurityAffairs – hacking, VoltPillager)

The post VoltPillager: Hardware-based fault injection attacks against Intel SGX enclaves appeared first on Security Affairs.

“At-Risk Meeting Notifier Zoom” feature alerts meeting organizers of Zoombombing risk

The popular video conferencing application Zoom implemented the new “At-Risk Meeting Notifier” feature to warn of Zoombombing threat.

Zoom announced the launch of a new feature dubbed “At-Risk Meeting Notifier” to warn conference organizers of potential Zoombombing attacks.

The feature scans the web for links to Zoom meetings that have been posted online and warns organizers of the risk of a Zoombombing attack.

“The At Risk Meeting Notifier scans public posts on social media sites and other public online resources for Zoom meeting links. When it finds publicly posted meeting information that indicates a given meeting may be at high risk of being disrupted, we notify account owners and admins by email.” reads the Zoom’s announcement.

The idea behind the “At-Risk Meeting Notifier” feature is that threat actors typically arrange Zoombombing attacks by sharing links to the targeted meeting in public posts on social media and other public sites.

When At-Risk Meeting Notifier finds a Zoom meeting URL, it sends an email to the organizers with a warning that attackers may disrupt their meeting.

The number of Zoombombing attacks surged with the increased popularity of the video conferencing platform since the beginning of the COVID-19 pandemic.

The FBI and Spokane police recently announced an investigation into the hack of Gonzaga University Black Student Union. The hackers broke into a Zoom meeting and bombarded participants with racial and homophobic slurs.

Media reported numerous Zoombombing attacks that disrupted the meeting by hurling insults, playing pornographic content, or threatening other participants.

Organizers that will receive the alert from the At Risk Meeting Notifier should take the following actions to make their future meetings private:

  1. Remove or report the public post.
  2. Delete the existing meeting.
  3. Schedule a new meeting.
  4. Enable these security settings:
  5. Send the new meeting information only to people that you know.

Organizers that would like to keep their meeting public are recommended to convert their meeting to a webinar, because a webinar will give them control over who participates with video, audio, chat, and screen sharing.

Pierluigi Paganini

(SecurityAffairs – hacking, Zoom)

The post “At-Risk Meeting Notifier Zoom” feature alerts meeting organizers of Zoombombing risk appeared first on Security Affairs.

Netiquette Rules: Definition and 10 Basic Rules To Dramatically Improve your Safety [Updated 2020]

What is netiquette, and how do we define it? Before we talk about netiquette rules, we need to determine its definition. Netiquette is shorthand for network etiquette, the set of rules that determines how to properly communicate and browse the web. One important part of netiquette concerns your online safety. By following these basic rules […]

The post Netiquette Rules: Definition and 10 Basic Rules To Dramatically Improve your Safety [Updated 2020] appeared first on Heimdal Security Blog.

Researcher Discloses Critical RCE Flaws In Cisco Security Manager

Cisco has published multiple security advisories concerning critical flaws in Cisco Security Manager (CSM) a week after the networking equipment maker quietly released patches with version 4.22 of the platform. The development comes after Code White researcher Florian Hauser (frycos) yesterday publicly disclosed proof-of-concept (PoC) code for as many as 12 security vulnerabilities affecting the

Qualys provides out-of-the-box support for Google Cloud Artifact Registry

Qualys announced it has worked with Google Cloud to provide out-of-the-box support for Google Cloud Artifact Registry for its Container Security solution. The new integration allows security and DevOps teams to set up automated security scans of container artifacts in Artifact Registry, now generally available. Qualys Container Security scanning will assess all images for software inventory, vulnerabilities and misconfigurations, and provide a unified view across multiple Google Cloud regions. Customers can then leverage the Qualys … More

The post Qualys provides out-of-the-box support for Google Cloud Artifact Registry appeared first on Help Net Security.

Group-IB’s CyberCrimeCon goes online for the first time

Group-IB’s Threat Hunting and Intelligence conference, CyberCrimeCon, will for the first time dive online to literally remove the borders and bring together over 2,000 cybersecurity experts from all around the world. As cybercrime rate is skyrocketing year after year and tensions between states are escalating, including in cyberspace, Group-IB provides a platform for universal dialogue, in which cybersecurity thought leaders, ideologists and practitioners exchange data and make public outcomes of their research work. The eighth … More

The post Group-IB’s CyberCrimeCon goes online for the first time appeared first on Help Net Security.